Some brief notes on OpenSSH's known_hosts hashing

July 29, 2010

A number of current distributions of OpenSSH default to storing host names and IP addresses in ~/.ssh/known_hosts in a hashed form, in order to make it harder for an intruder to work out where else you have an account on that you access from this system (this is the HashKnownHosts option for ssh). Since I recently wound up digging into this and the details are underdocumented, here's what I know about how this works.

The summary is that this is your traditional one-way cryptographic hash. The specific hash is a SHA1-based HMAC, but I strongly suggest not writing any code that knows that. The host name or IP address is treated like a password and hashed together with a random salt; both the salt and the HMAC result are stored in the known_hosts line. Matching the line later is done by extracting the salt, HMAC'ing your candidate hostname with it, and seeing if you got the same encrypted result.

(The salt appears to have relatively strong randomness.)

This means that checking to see if a particular host is present in a known_hosts file requires computing a separate HMAC for each line in the file. I imagine that this is not a problem in practice since most people have relatively short known_hosts files and SHA1 HMAC is relatively fast. As with unencrypted hostnames, it's possible to have multiple entries for a given host in known_hosts, each with a different key; if all of the hostnames are hashed, this may not be at all obvious.

(See sshd(8) for how multiple entries for a single host work. The short answer is that OpenSSH considers itself to have found a known host key if any of them match.)

This all means that hashed known_hosts files are system independent and will continue working fine when moved to a different host.

(As it turned out, the problem I was seeing was because my new test system had a different system known hosts file. Once I fixed that, everything worked, but I almost went off on a complete wild goose chase worrying about potential system dependent hashing of known_hosts. Having a hashed known_hosts did make it less obvious that the other host's key wasn't even in it, though.)

Written on 29 July 2010.
« My Fedora 8 problem: upgrading
A little modern Unix twitch »

Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Thu Jul 29 01:55:39 2010
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.