By default, entries in ~/.ssh/known_hosts disclosure on which servers a user as access to, allowing detailled attack against these servers. Depending on the affected infrastructure, this might be a privacy problem, too.
Force SSH to hash new entries in known_hosts (existing ones will not be converted) to avoid permission disclosure.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- config/ssh/ssh_config | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index b36909f85..9f7121c76 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -33,4 +33,7 @@ Host * # ensure only allowed authentication methods are used PreferredAuthentications publickey,keyboard-interactive,password
+ # hash entries in ~/.ssh/known_hosts file to avoid permission disclosure + HashKnownHosts yes + # EOF