A group of MIT researchers are working on protecting SSH from known_hosts address harvesting. A hypothetical worm that used SSH as a propagation vector would have a nice roadmap of systems to try from a user's known_hosts.
One additional remedy, not mentioned in their article, would be for site administrators to change the name of the known_hosts file so that it wasn't in the same known location on every host. [Weak pun intended...]
Security through obscurity is bad. But what about security first, and then obscurity? (Or, perhaps more aptly, security first and then variability?)
If a worm were written today it would be programmed to iterate through each user's ~/.ssh/known_hosts file. What if, on my system, I'd recompiled OpenSSH to look at ~/.ssh/hosts_known or something not even under the ~/.ssh subdirectory (say, ~/.toothpaste)?
At first glance it would seem that this local mutation would inhibit the spread of the hypothetical worm somewhat. Even better would be to leave a fake known_hosts file around with a lot of bogus entries, or entries pointing to a honey pot or tar pit.
Am I overlooking some danger or flaw in deviating from where the rest of the world stores the known_hosts file?
—Michael A. Cleverly
Friday, May 13, 2005 at 21:27
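As an added illustration of the problem the post describes (this is example code written for this page, not the poster's own and not OpenSSH source), the following Python shows both halves of the picture: what a harvester gets out of a plaintext known_hosts, and what the countermeasure OpenSSH actually shipped (HashKnownHosts / `ssh-keygen -H`, introduced in OpenSSH 4.0) does to it. Hashed entries use OpenSSH's on-disk format, `|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>`, with a fresh 20-byte salt per line; a host with a non-default port is hashed as the whole `[host]:port` string. The sample known_hosts below is constructed, with truncated placeholder key blobs. It also demonstrates the caveat a practitioner should know: hashing hides the names from a blind harvester, but an attacker who already has a guess can confirm it line by line, because the salt is stored in the entry. Relocating the file, as the post proposes, does not require a recompile either; the client reads `UserKnownHostsFile` from ssh_config.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample known_hosts (not from the original post); the key blobs
# are truncated placeholders, not real host keys.
SAMPLE_KNOWN_HOSTS = """\
# hosts collected by ordinary ssh use
web1.example.org,10.0.0.11 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0
db.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC1
[bastion.example.org]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA
"""

HASH_MAGIC = "|1|"  # OpenSSH hashed-hostname prefix (HMAC-SHA1 with a per-line salt)


def split_entry(line):
    """Split one known_hosts line into (marker, hostfield, rest).
    marker is '' or an @-marker such as '@cert-authority'."""
    marker = ""
    if line.startswith("@"):
        marker, line = line.split(None, 1)
    hostfield, rest = line.split(None, 1)
    return marker, hostfield, rest


def harvest_hosts(text):
    """What the hypothetical worm does: list every host name or address a
    plaintext known_hosts leaks. Hashed entries are opaque and yield nothing."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, hostfield, _ = split_entry(line)
        if hostfield.startswith(HASH_MAGIC):
            continue
        hosts.extend(hostfield.split(","))
    return hosts


def hash_host(host, salt=None):
    """Produce an OpenSSH '|1|<salt>|<hmac>' hashed host name."""
    if salt is None:
        salt = os.urandom(hashlib.sha1().digest_size)  # 20 random bytes, as OpenSSH uses
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def hash_known_hosts(text):
    """Rewrite a known_hosts file the way `ssh-keygen -H` does: one hashed
    line per host name, comments kept, already-hashed lines left alone."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        marker, hostfield, rest = split_entry(stripped)
        if hostfield.startswith(HASH_MAGIC):
            out.append(line)
            continue
        prefix = marker + " " if marker else ""
        for host in hostfield.split(","):
            out.append(prefix + hash_host(host) + " " + rest)
    return "\n".join(out) + "\n"


def host_matches(hostfield, candidate):
    """The lookup ssh performs on connect: a hashed entry is checked by
    recomputing the HMAC with the salt stored in the line."""
    if not hostfield.startswith(HASH_MAGIC):
        return candidate in hostfield.split(",")
    _, _, salt_b64, digest_b64 = hostfield.split("|")
    salt = base64.b64decode(salt_b64)
    actual = hmac.new(salt, candidate.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, base64.b64decode(digest_b64))


def confirm_guesses(text, candidates):
    """The caveat: hashing hides names, but an attacker who already holds a
    guess can still confirm it against every line, since the salt is public."""
    entries = [split_entry(l.strip())[1] for l in text.splitlines()
               if l.strip() and not l.strip().startswith("#")]
    return [c for c in candidates if any(host_matches(e, c) for e in entries)]


if __name__ == "__main__":
    print("plaintext leaks:", harvest_hosts(SAMPLE_KNOWN_HOSTS))
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(hashed)
    print("hashed leaks:", harvest_hosts(hashed))
    print("confirmed guesses:", confirm_guesses(hashed, ["db.example.org", "mail.example.org"]))
```

Run it and the plaintext file yields four targets while the hashed version yields none, yet `host_matches` still validates a connection to `db.example.org`, and `confirm_guesses` shows that a worm carrying its own candidate list (internal naming conventions, DNS zone dumps) still learns which guesses are right. Hashing raises the cost from "read the file" to "guess and check", which is a real gain against a roadmap-style worm but not a substitute for patched sshd and key passphrases.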
It may be interesting to work this out differently for each system, but it also adds a level of obscurity for the rest of the people administering the site. It may lead to problems if not documented properly. Thanks, xmariachi