[Krypton-users] We just hashed your SSH known_hosts file

Kent Engström kent at nsc.liu.se
Thu Mar 27 17:28:05 CET 2014


Dear Krypton Users,

SHORT VERSION

We just changed your ~/.ssh/known_hosts file (and similarly named files)
to improve security a wee bit. Do not be alarmed if that file has a
modification time around 16-17 CET today. Read more below if you want to
know more.

LONG VERSION

When you run ssh towards a server for the first time, the client saves
the server's public key in your ~/.ssh/known_hosts file. When you redo
it, it reads the file and checks that the public key has not changed.  A
changed server key could indicate an attack where somebody pretends to
be the server. More often in real life, it means that a systems
administrator reinstalled the OS without saving the host keys, but
please tell us if you see warnings about that, so we can help you
evaluate if it is a false alarm or not.

This functionality ensures that ~/.ssh/known_hosts will contain the
hosts you have logged into. That provides a simple (and automatic) way
for an attacker who has gained access to your account using stolen
passwords/keys to try to gain access to your accounts on other servers.

The SSH developers realized that, and provided a mechanism for hashing
the name stored in the known_hosts file, so you cannot get a list of
server names by scanning the file. You (and the ssh client) can get the
key for a server if you already know the name to look for.

We have been running with this hashing feature enabled since we took
Krypton into production. However, a lot of you had access to Gimle too,
where we had not turned the hashing on, and as the /home file system
was inherited from Gimle to Krypton, you had older unhashed entries in
your ~/.ssh/known_hosts files. We have fixed that by running "ssh-keygen
-H" on your behalf, to hash all entries in your known_hosts files.
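To make the two previous paragraphs concrete, here is an added example (written for this
page, not code from the original message or from NSC) that reproduces the known_hosts
hashing format OpenSSH uses: each plain host name is replaced by a field of the form
|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))|, so a reader of the file cannot recover
the names, while a client that already knows the name can recompute the MAC and find the
key. The sample file, the host names krypton.example and gimle.example, and the key
strings are all constructed for the example.

```python
"""Hash and look up OpenSSH known_hosts entries the way HashKnownHosts and
"ssh-keygen -H" do.  Added example; not part of the original message."""
import base64
import hashlib
import hmac
import os
from typing import List, Optional

HASH_MAGIC = "|1|"  # OpenSSH's marker for "host field hashed with HMAC-SHA1"


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Return the |1|salt|hash| field for one host name.

    OpenSSH keys an HMAC-SHA1 with a random 20-byte salt and feeds it the
    host name verbatim (a "[host]:port" form is hashed as that full string).
    Salt and MAC are base64-encoded into the entry.
    """
    if salt is None:
        salt = os.urandom(hashlib.sha1().digest_size)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "%s%s|%s|" % (HASH_MAGIC,
                         base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def hostname_matches(hostfield: str, hostname: str) -> bool:
    """True if a known_hosts host field (hashed or plain) names `hostname`.

    Plain fields may list several names separated by commas; wildcard and
    negation patterns ("*.example", "!host") are not handled here.
    """
    if not hostfield.startswith(HASH_MAGIC):
        return hostname in hostfield.split(",")
    try:
        _, _, salt_b64, mac_b64, _ = hostfield.split("|")
        salt = base64.b64decode(salt_b64)
        mac = base64.b64decode(mac_b64)
    except ValueError:  # malformed field or bad base64
        return False
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, mac)


def _split_entry(line: str):
    """Split an entry into (marker, hostfield, keypart); marker may be ''."""
    marker = ""
    if line.startswith("@"):  # @cert-authority / @revoked
        marker, line = line.split(None, 1)
        marker += " "
    hostfield, keypart = line.split(None, 1)
    return marker, hostfield, keypart


def hash_known_hosts(text: str) -> str:
    """Rewrite a known_hosts file so every plain host name is hashed.

    Mirrors "ssh-keygen -H": comments, blank lines and already hashed
    entries pass through unchanged; a plain entry naming several hosts
    (host,ip,...) becomes one hashed line per name, as hashed entries can
    only hold a single name; a leading marker is preserved.
    """
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        marker, hostfield, keypart = _split_entry(stripped)
        if hostfield.startswith(HASH_MAGIC):
            out.append(line)
            continue
        for name in hostfield.split(","):
            out.append("%s%s %s" % (marker, hash_hostname(name), keypart))
    return "\n".join(out) + "\n"


def find_keys(text: str, hostname: str) -> List[str]:
    """Like "ssh-keygen -F": return the key fields of entries for hostname.

    This is the asymmetry the message relies on: given the name you can
    find the key, but the file alone does not reveal the names.
    """
    found = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        _, hostfield, keypart = _split_entry(stripped)
        if hostname_matches(hostfield, hostname):
            found.append(keypart)
    return found


# Constructed sample file: fake host names and fake (invalid) key material.
SAMPLE_PLAIN = """# constructed known_hosts sample
krypton.example,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFAKEKEYFAKEKEYFAKEKEYFAKE
[gimle.example]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKEFAKEFAKE
"""

if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE_PLAIN)
    print(hashed)
    print("keys for krypton.example:", find_keys(hashed, "krypton.example"))
```

Running the script prints the hashed file, in which neither host name nor the IP
address appears, and then shows that a lookup by the known name still returns the key.
Note that hashing is not encryption: it stops a casual scan of the file from listing
servers, but an attacker who already guesses a name can confirm it, which is why the
message calls it "a wee bit" of extra security.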

If, for some reason, you need your old known_hosts file back, just
contact us at smhi-support at nsc.liu.se and we will sort it out.

-- 
Kent Engström, National Supercomputer Centre
kent at nsc.liu.se, +46 13 28 4444