The OpenSSH client keeps a fingerprint of every server it has connected to. These fingerprints are stored in .ssh/known_hosts and are automatically compared with the fingerprint the server presents on each new connection.
Hence, the .ssh/known_hosts file is crucial to system security against man-in-the-middle attacks in a networked environment. The same file is also a very attractive target on a system administrator's computer, so hashing its content is good practice, especially with the current wave of big bugs hitting GNU/Linux systems.
The first step is to enable hashing of the new fingerprints:
# cat /etc/ssh/ssh_config
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication no
GSSAPIDelegateCredentials no
TCPKeepAlive yes
ServerAliveInterval 60
The “HashKnownHosts yes” configuration option is the way to go - it is a general setting affecting all users on your system (Host *). If you don’t have access to the central ssh_config, don’t forget you have a per-user setting in ~/.ssh/config.
This enables hashing of future fingerprints only. To convert your existing file, use the following ssh-keygen command. Your unmodified known_hosts will be saved as known_hosts.old.
# ssh-keygen -H -f ~/.ssh/known_hosts
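To see what the hashing actually does to the file, here is an added example (not from the post, and not OpenSSH's own code) that reproduces the hashed host format OpenSSH uses: each host field becomes |1|base64(salt)|base64(HMAC-SHA1(salt, hostname)) with a 20-byte random salt, comma-separated host lists are split into one hashed line per name, and the client still finds the right entry by recomputing the HMAC with the stored salt. The known_hosts content and key material below are constructed for illustration; the function names are the example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed sample known_hosts content (not a real host or key): one
# plaintext entry of the kind ssh writes when HashKnownHosts is off.
SAMPLE_KNOWN_HOSTS = """\
# comment lines and blank lines are left untouched by hashing
server.example.net,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForIllustrationOnly0000000000 admin@laptop
"""


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Return the OpenSSH hashed host field |1|base64(salt)|base64(HMAC-SHA1(salt, host)).

    A fixed salt may be passed for reproducible tests; ssh draws a fresh random one per entry.
    """
    if salt is None:
        salt = os.urandom(20)  # 20 bytes = SHA-1 digest length, as OpenSSH uses
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def hashed_entry_matches(hashed_host: str, hostname: str) -> bool:
    """Check a |1|salt|hash field against a candidate hostname, as the client does on connect."""
    parts = hashed_host.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False  # not a hashed field at all
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def hash_known_hosts(text: str, salt: Optional[bytes] = None) -> str:
    """Rewrite plaintext host fields as hashed ones, the way ssh-keygen -H does.

    A comma-separated host list becomes one line per name (one hash covers one name);
    comments, blank lines and already-hashed lines pass through unchanged, so the
    function is safe to run on a file that mixes hashed and plaintext entries.
    """
    out: List[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("|1|"):
            out.append(line)
            continue
        hosts, key_part = stripped.split(None, 1)
        for host in hosts.split(","):
            out.append(hash_hostname(host.lower(), salt) + " " + key_part)
    return "\n".join(out) + "\n"


def find_host(text: str, hostname: str) -> List[str]:
    """Return the lines whose hashed host field matches hostname, like ssh-keygen -F."""
    hits = []
    for line in text.splitlines():
        if line.startswith("|1|"):
            field = line.split(None, 1)[0]
            if hashed_entry_matches(field, hostname.lower()):
                hits.append(line)
    return hits


if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(hashed)
    print("lookup server.example.net ->", len(find_host(hashed, "server.example.net")), "entry")
```

The point the post makes falls out of the lookup: anyone who reads the hashed file gets salted digests rather than a list of hosts, while the client, which knows the hostname it is connecting to, can still verify the entry by recomputing the HMAC with the salt stored next to it.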
Have fun, stay safe.
Did you guys know that there are 3 types of plague? That there is only one bone that isn’t articulated to any other, called the “Hyoid Bone”?
It’s really impressive, the stuff we learn that we really don’t need to know!
Got contacted by a Citrix (XEN) representative today… they finally did their homework and are doing some follow-up on sales/potential customers.
This is well planned, because VMWare is having some very big problems and their solution really sucks. Summary: if you have this specific version [ESX 3.5 Update 2 ISO], you should really not shut down your VM.