The potential danger of SSH known hosts

(Printer friendly version)

A group of MIT researchers are working on protecting SSH from known_hosts address harvesting. A hypothetical worm that used SSH as a propagation vector would have a nice roadmap of systems to try from a users known_hosts.

One additional remedy, not mentioned in their article, would be for site administrators to change the name of the known_hosts file so that it wasn't in the same known location on every host. [Weak pun intended...]

Security through obscurity is bad. But what about security first, and then obscurity? (Or, perhaps more aptly, security first and then variability?)

if a worm were written today it would be programmed to iterate through each user's ~/.ssh/known_hosts file. What if, on my system, I'd recompiled OpenSSH to look at ~/.ssh/hosts_known or something not even under the ~/.ssh subdirectory (say, ~/.toothpaste)?

At first glance it would seem that this local mutation would inhibit the spread of the hypothetical worm somewhat. Even better would be to leave a fake known_hosts file around with a lot of bogus entries, or to a honey pot or tar pit.

Am I overlooking some danger or flaw in deviating from where the rest of the world stores the known_hosts file?

—Michael A. Cleverly

Comment

xmariachi: [ mail | www | link ]
It may be interesting to work this out differently for each system - but it adds also a level of obscurity for the rest of people administering the site. It may lead to problems if not documented properly. Thanks, xmariachi

Wed, 30 Sep 2009, 04:21

Leave a comment

Name:  
Email: (optional)
URL: (optional)

Your comment: