I picked up a little book called SSH Mastery the other day. It’s a fairly short read, but quite interesting.
It mentioned one tip that happened to solve something that always bothered me—ssh keeps a ~/.ssh/known_hosts file with the host keys of all the machines you’ve connected to previously. It’s useful for SSH, since it can verify that a host key hasn’t changed since you last connected, but a plain-text file listing every server you have access to is also a privacy and security risk. Not exactly something that keeps me up at night, but a sub-optimal situation.
The book mentions that ssh can easily be told to record a hash of each hostname instead, with the directive HashKnownHosts yes. (Note that it isn’t retroactive: entries already in the file stay in the clear, though ssh-keygen has an option to hash the existing ones.)
The only downside is that you can no longer read the file to prune entries for systems you no longer care about — though that would probably save you no more than a few kB of disk space anyway.