nixos/ssh: hash ssh_known_hosts file #93542
Conversation
From ssh-keygen(1): > -H Hash a known_hosts file. This replaces all hostnames and > addresses with hashed representations within the specified > file; the original content is moved to a file with a .old > suffix. These hashes may be used normally by ssh and sshd, > but they do not reveal identifying information should the > file's contents be disclosed. This option will not modify > existing hashed hostnames and is therefore safe to use on > files that mix hashed and non-hashed names.
erictapen
force-pushed
the
ssh-hash-known-hosts
branch
from
88eb1aa
to
4101780
Compare
|
+0 from me - I'm neither in favour nor against this change. It seems like an incredibly small benefit, but also an incredibly small cost. There is code out there to brute force hashed known hosts - John the Ripper (a password cracking tool) has a mode for cracking hashed known_hosts, and known hosts are in some ways an easier problem than passwords as they are not designed to be high entropy. Particularly private IPs (RFC 1918) can be enumarated, so hashing these provides little protection. Hostnames require a bit more thought, but you can easily feed a dictionary into it, and people are not going to be designing hostnames to be hard to guess. However I agree there is not a lot of cost to hashing the known hosts file, I can't really think of a useful use of keeping it plaintext in the specific case that it was generated as part of a nixos configuration (whereas I can think of uses for manually-managed known_hosts files, which doesn't apply here). Hence, to repeat myself, I'm +0 on this. |
|
I personally don't have much for or against. I'd turn this off on my dev machine, and don't rely on TOFU host-to-host SSH for production use, since I use host certificates signed by an SSH CA, which effectively hashes the host information. It's worth taking into account that the tab-completion for SSH hosts also relies on Do we have any feelings re: turning |
|
Thanks for your comments. I agree with your points, especially the one about bruteforceability of hashed known_hosts. I didn't really think about it, but of course, host names usually have not enough entropy to be meaningfully secured by a hash function. Maybe this is really the wrong place to harden, as it would provide a false sense of security. I'll close this PR. |
Motivation for this change
This would harden the handling of SSH keys in NixOS a bit, without compromising usability imho.
Consider this use case: A NixOS machine is defined with
and then is deployed in a way, that the
*.nixfiles don't end up on the remote host (e.g. by using NixOps or by building locally, copying the closure withnix copyand then activating on the remote side).Now let's say an attacker gains access to that machine. Without this pull request they can easily see how to access
root@example.comand derive from the existence of theknown_hostsentry, that they might have access to that host. With this PR they only see hashed hosts, which would require them to figure out the remote URL by themselfes. That would make hopping from machine to machine and therefore compromising the whole network considerably harder.See also ssh-keygen(1):
At the same time I don't know of any good use cases to look at
/etc/ssh/ssh_known_hostsand derive any legible information from that file. So no usability tradeoffs in sight for me. If there should the need arise, one could change this behaviour by introducing an option lkehashKnownHosts ? true.Things done
Also I tested this commit for the past three months on my setup.
I didn't write a NixOS test, as
programs.ssh.knownHostsisn't tested yet.sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)Pinging @aszlig @edolstra as they maintain the openssh test.
Pinging @Izorkin @alyssais @philandstuff @edef1c as the recently contributed to
nixos/modules/programs/ssh.nix.