https://bugzilla.mindrot.org/show_bug.cgi?id=3703
Bug ID: 3703
Summary: HashKnownHost deprecation
Product: Portable OpenSSH
Version: 9.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-b...@mindrot.org
Reporter: dbely...@redhat.com
Probable HashKnownHost deprecation was discussed in
https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-January/039871.html
Damien proposed the following road map back then:
=======
I'd prefer to remove hostname hashing. It's a pointless obscurity
measure, and the most it can ever offer is protection against casual
shoulder-surfing disclosure[*]
I wish I never added it. I consider it the most stupid thing I've ever
done to OpenSSH :(
As far as what a concrete migration plan would look like, maybe
something
like:
1) Add an ObscureKnownHostnames option that, instead of hashing, simply
base64-encodes the hostnames. This provides the same level of
protection as the current option. Recommend this instead of
HashKnownHosts in the manual.
2) (later) Add a deprecation warning to HashKnownHosts
3) (later still) Remove the HashKnownHosts option (or make it an alias
to ObscureKnownHostnames)
4) (later again) Warn when known_hosts contains a hashed hostname
5) (finally) rip out the hostname hashing code entirely.
-d
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
