The potential danger of SSH known hosts

A group of MIT researchers are working on protecting SSH from known_hosts address harvesting. A hypothetical worm that used SSH as a propagation vector would have a nice roadmap of systems to try from a users known_hosts.

One additional remedy, not mentioned in their article, would be for site administrators to change the name of the known_hosts file so that it wasn't in the same known location on every host. [Weak pun intended...]

Security through obscurity is bad. But what about security first, and then obscurity? (Or, perhaps more aptly, security first and then variability?)

if a worm were written today it would be programmed to iterate through each user's ~/.ssh/known_hosts file. What if, on my system, I'd recompiled OpenSSH to look at ~/.ssh/hosts_known or something not even under the ~/.ssh subdirectory (say, ~/.toothpaste)?

At first glance it would seem that this local mutation would inhibit the spread of the hypothetical worm somewhat. Even better would be to leave a fake known_hosts file around with a lot of bogus entries, or to a honey pot or tar pit.

Am I overlooking some danger or flaw in deviating from where the rest of the world stores the known_hosts file?

—Michael A. Cleverly
Friday, May 13, 2005 at 21:27

Comment