Opened 10 years ago

Closed 10 years ago

#3389 enhancement closed duplicate (duplicate)

t.c.client.default known_hosts does not grok openssh's new hash-style entries

Reported by: ericf Owned by:
Priority: normal Milestone:
Component: conch Keywords:
Cc: Branch:


OpenSSH has, for some years, set HashKnownHosts to 'on' by default. This causes entries in the known_hosts file to be written with a hash of the host name. The goal is to prevent an attacker with access to a machine from getting access to a cleartext list of hostnames that could be used in by a worm. If one knows a hostname, it's possible to find its entry in the file (the normal use case for SSH), but if you're just trying to find hostnames, you cannot do so easily.

For full interoperability with OpenSSH, the conch.client.default functions that deal with the known_hosts file format need to understand hashed entries and also be capable of writing them (perhaps by using an option analogous to HashKnownHosts).

I've studied the C implementation of the hash algorithm and it's pretty straightforward. The only piece for which a python port isn't immediately obvious is the use of arc4random to create the random salt for the hash function. Python's crypto libs support arc4, but they don't seem to expose that particular function.

Change History (4)

comment:1 Changed 10 years ago by ericf

comment:2 Changed 10 years ago by ericf

looks like the choice of arc4random isn't all that significant. pycrypto's RandomPool would be perfectly fine as well.

comment:3 Changed 10 years ago by Glyph

Resolution: duplicate
Status: newclosed

This is a duplicate of #1376.

comment:4 Changed 8 years ago by <automation>

Owner: z3p deleted
Note: See TracTickets for help on using tickets.