From mboxrd@z Thu Jan  1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: [PATCH 2/3] SSH client configuration: Hash known_hosts entries
Date: Wed, 12 Sep 2018 19:50:44 +0200
Message-ID: <20180912175045.7636-2-peter.mueller@link38.eu>
In-Reply-To: <20180912175045.7636-1-peter.mueller@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7940547779822348662=="
List-Id: <development.lists.ipfire.org>

--===============7940547779822348662==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

By default, entries in ~/.ssh/known_hosts disclosure on which servers a
user as access to, allowing detailled attack against these servers.
Depending on the affected infrastructure, this might be a privacy
problem, too.

Force SSH to hash new entries in known_hosts (existing ones will not be
converted) to avoid permission disclosure.

Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
---
 config/ssh/ssh_config | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config
index b36909f85..9f7121c76 100644
--- a/config/ssh/ssh_config
+++ b/config/ssh/ssh_config
@@ -33,4 +33,7 @@ Host *
         # ensure only allowed authentication methods are used
         PreferredAuthentications publickey,keyboard-interactive,password
 
+	# hash entries in ~/.ssh/known_hosts file to avoid permission disclosure
+	HashKnownHosts yes
+
 # EOF
-- 
2.16.4


--===============7940547779822348662==--