SSH Tip: Hash known_hosts names

I picked up a little book called SSH Mastery the other day. It’s a fairly short read, but quite interesting.

It mentioned one tip that happened to solve something that always bothered me: ssh keeps a ~/.ssh/known_hosts file with the host keys of all the machines you’ve connected to previously. That is good for SSH, since it can verify that a host key hasn’t changed since you last connected, but it is also a privacy and security risk to have a file listing every server you have access to. Not exactly something that keeps me up at night, but a sub-optimal situation.

The book mentions that ssh can easily be changed to record a hash of the hostnames instead, with the ssh_config directive HashKnownHosts yes. (But note that it’s not retroactive: entries already in the file stay in plaintext, though ssh-keygen has an option, -H, to rewrite the existing ones in hashed form.)

The only downside is that you can no longer read through known_hosts and periodically prune the entries for systems you no longer care about, though that pruning probably wouldn’t save you more than a few kB of disk space anyway.
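As an added illustration of what HashKnownHosts yes actually writes (example code of my own, not from the book or from OpenSSH), here is the entry format and the check ssh performs against it. Each hashed entry replaces the hostname field with |1|salt|hmac, where salt is 20 random bytes and hmac is HMAC-SHA1 keyed with that salt over the hostname (for a non-standard port, over the "[host]:port" form). Because the salt is random, the same host looks different in every file and names cannot be recovered by reading the file, but anyone holding a candidate name can still test it, which is exactly how ssh matches an entry on connect and how ssh-keygen -R finds the lines to delete. The sample known_hosts text, hostnames and key data below are constructed placeholders, and the fixed salt exists only to make the sample reproducible.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HASH_MAGIC = "|1|"  # marker OpenSSH puts in front of a hashed hostname field


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Produce the hashed host field OpenSSH writes under HashKnownHosts yes.

    The field is |1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>; the salt
    is 20 random bytes, so the same host hashes differently in every entry.
    """
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches_field(hostname: str, field: str) -> bool:
    """True if the host field of a known_hosts line (hashed or plain) names hostname."""
    if field.startswith(HASH_MAGIC):
        try:
            _, _, salt_b64, mac_b64 = field.split("|", 3)
            salt = base64.b64decode(salt_b64, validate=True)
            expected = base64.b64decode(mac_b64, validate=True)
        except ValueError:  # malformed entry: wrong number of fields or bad base64
            return False
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    # Plain entries may list several names/addresses separated by commas.
    return hostname in field.split(",")


def _parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a known_hosts line into (host field, key type, key); None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if fields[0].startswith("@"):  # @cert-authority / @revoked marker precedes the host field
        fields = fields[1:]
    if len(fields) < 3:
        return None
    return fields[0], fields[1], fields[2]


def find_host(known_hosts_text: str, hostname: str) -> List[Tuple[str, str]]:
    """Return (key type, key) for every entry recorded for hostname.

    Use the form OpenSSH itself stores: the bare name for port 22, "[name]:port" otherwise.
    """
    found = []
    for line in known_hosts_text.splitlines():
        parsed = _parse_line(line)
        if parsed and host_matches_field(hostname, parsed[0]):
            found.append((parsed[1], parsed[2]))
    return found


def remove_host(known_hosts_text: str, hostname: str) -> str:
    """Return the file contents with every entry for hostname dropped (the effect of ssh-keygen -R)."""
    kept = []
    for line in known_hosts_text.splitlines():
        parsed = _parse_line(line)
        if parsed and host_matches_field(hostname, parsed[0]):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


# Constructed sample file: the hostnames and key data below are placeholders.
PLACEHOLDER_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA"
FIXED_SALT = bytes(range(20))  # fixed only so the sample is reproducible; ssh draws a random salt
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# plain entry, as written without HashKnownHosts",
    "git.example.com,192.0.2.10 ssh-ed25519 " + PLACEHOLDER_KEY,
    "# hashed entry, as written with HashKnownHosts yes",
    hash_hostname("build.example.com", FIXED_SALT) + " ssh-ed25519 " + PLACEHOLDER_KEY,
    "# non-standard port: ssh stores the [host]:port form",
    "[bastion.example.com]:2222 ssh-ed25519 " + PLACEHOLDER_KEY,
]) + "\n"


if __name__ == "__main__":
    print(SAMPLE_KNOWN_HOSTS)
    for host in ("git.example.com", "build.example.com", "[bastion.example.com]:2222", "old.example.com"):
        print(host, "->", find_host(SAMPLE_KNOWN_HOSTS, host))
    print(remove_host(SAMPLE_KNOWN_HOSTS, "build.example.com"))
```

To run this against your own file, pass the contents of ~/.ssh/known_hosts to find_host with the host written the way ssh stores it; that is also the pruning workflow the hashing leaves you: you can still delete the hosts you know you have retired, you just cannot discover which ones are in there by looking.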
