nixos/ssh: hash ssh_known_hosts file #93542
Closed
Motivation for this change

This would harden the handling of SSH keys in NixOS a bit, without compromising usability, imho.

Consider this use case: a NixOS machine is defined with

and then is deployed in a way that the `*.nix` files don't end up on the remote host (e.g. by using NixOps, or by building locally, copying the closure with `nix copy` and then activating on the remote side).

Now let's say an attacker gains access to that machine. Without this pull request they can easily see how to access `root@example.com` and derive from the existence of the `known_hosts` entry that they might have access to that host. With this PR they only see hashed hosts, which would require them to figure out the remote URL by themselves. That would make hopping from machine to machine, and therefore compromising the whole network, considerably harder.

See also ssh-keygen(1):

At the same time I don't know of any good use cases to look at `/etc/ssh/ssh_known_hosts` and derive any legible information from that file. So no usability tradeoffs in sight for me. If the need should arise, one could change this behaviour by introducing an option like `hashKnownHosts ? true`.

Things done
Also I tested this commit for the past three months on my setup.

I didn't write a NixOS test, as `programs.ssh.knownHosts` isn't tested yet.

- Tested using sandboxing (`sandbox` in `nix.conf` on non-NixOS linux)
- Tested compilation of all pkgs that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review wip"`
- Tested execution of all binary files (usually in `./result/bin/`)
- Determined the impact on package closure size (by running `nix path-info -S` before and after)

Pinging @aszlig @edolstra as they maintain the openssh test.

Pinging @Izorkin @alyssais @philandstuff @edef1c as they recently contributed to `nixos/modules/programs/ssh.nix`.
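What the PR relies on is the `HashKnownHosts` format that `ssh-keygen -H` produces: each host field becomes `|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))|` with a fresh 20-byte salt per entry, so the file still lets the client verify a host it connects to, but no longer lists hostnames in the clear. The script below is an added example, not code from the PR or from nixpkgs; it reproduces that format and the lookup the client performs, which is how an administrator can check that a hashed `ssh_known_hosts` still covers the hosts they expect. The hostnames and key material in it are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a plaintext known_hosts line for two assumed hosts.
# The key blob is a placeholder, not a real public key.
PLAIN_LINE = "example.com,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterial"


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Return the OpenSSH HashKnownHosts form |1|salt|hmac| of one host field.

    ssh-keygen -H draws a random 20-byte salt per entry; a fixed salt may be
    passed here only to make the output reproducible in tests.
    """
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def hash_line(line: str, salt: Optional[bytes] = None) -> str:
    """Hash the host field of one known_hosts line, leaving key type and key untouched.

    A comma-separated host list becomes one hashed line per host, as ssh-keygen -H
    does, because a single HMAC cannot cover several names at once. Lines starting
    with a marker such as @cert-authority are not handled by this example.
    """
    hosts, rest = line.split(None, 1)
    return "\n".join(hash_hostname(h, salt) + " " + rest for h in hosts.split(","))


def matches(hashed_host_field: str, candidate: str) -> bool:
    """Check whether a hashed host field corresponds to candidate.

    This is the lookup the ssh client does at connect time: recompute the HMAC
    under the stored salt and compare. Without knowing a candidate name there is
    nothing to recover from the entry, which is the property the PR is after.
    """
    parts = hashed_host_field.split("|")
    if len(parts) != 5 or parts[1] != "1":
        return False  # not a hashed entry, or unknown hash version
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    actual = hmac.new(salt, candidate.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def hosts_covered(hashed_file_text: str, candidates: list) -> dict:
    """For each candidate hostname, report whether any line in a hashed file covers it."""
    fields = [ln.split()[0] for ln in hashed_file_text.splitlines() if ln.strip()]
    return {c: any(matches(f, c) for f in fields) for c in candidates}


if __name__ == "__main__":
    hashed = hash_line(PLAIN_LINE)
    print(hashed)
    print(hosts_covered(hashed, ["example.com", "10.0.0.5", "other.example.com"]))
```

Each run prints different `|1|...|` fields because the salt is random, yet `hosts_covered` reports the same answer; that is the check to run after enabling hashing, to confirm that every host the machine is meant to reach is still present.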