Learn more about these different git repos.
Other Git URLs
Last week I discussed the SSH known_hosts work with Honza. I thought about the stuff on the weekend. The plan is to have a global known_hosts file which gets written by sssd. This means that all users on this system have access which means reveal information to a lot of people who might not have this detailed information. So the hostnames should be stored hashed in the known_hosts file.
This way they do not reveal identifying information should the file's contents be disclosed. OpenSSH supports hashing since quite some time now.
Normally it looks like this:
|1|dTVaYG/giqH3nvoLfGECyOsiMDs=|RzAc9qu1lG+3ZtajFbaVuL02SZA= ssh-rsa ... |1|base64(salt)|base64(hash)|
Here is some pseudo code for comparing it:
match_hashed_host(hostname, sourcehash) { salt = base64_decode(sourcehash + 3) hash = base64_decode(sourehash + strlen(salthash)) mac = sha1_hmac(hostname, salt) if (mac == hash) woohoo else cry }
Fields changed
description: Last week I discussed the SSH known_hosts work with Honza. I thought about the stuff on the weekend. The plan is to have a global known_hosts file which gets written by sssd. This means that all users on this system have access which means reveal information to a lot of people who might not have this detailed information. So the hostnames should be stored hashed in the known_hosts file. This way they do not reveal identifying information should the file's contents be disclosed. OpenSSH supports hashing since quite some time now.
match_hashed_host(hostname, sourcehash) {
salt = base64_decode(sourcehash + 3) hash = base64_decode(sourehash + strlen(salthash))
mac = sha1_hmac(hostname, salt)
if (mac == hash) woohoo else cry } => Last week I discussed the SSH known_hosts work with Honza. I thought about the stuff on the weekend. The plan is to have a global known_hosts file which gets written by sssd. This means that all users on this system have access which means reveal information to a lot of people who might not have this detailed information. So the hostnames should be stored hashed in the known_hosts file.
Normally it looks like this: {{{ |1|dTVaYG/giqH3nvoLfGECyOsiMDs=|RzAc9qu1lG+3ZtajFbaVuL02SZA= ssh-rsa ... |1|base64(salt)|base64(hash)| }}} Here is some pseudo code for comparing it:
{{{ match_hashed_host(hostname, sourcehash) {
if (mac == hash) woohoo else cry } }}}
milestone: SSSD SSH Cleanup => SSSD 1.9 beta
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=799928
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=799928 799928]
owner: somebody => jcholast status: new => assigned
patch: 0 => 1
Fixed by: - b35f20c - 4fa3ef8
resolution: => fixed status: assigned => closed
Metadata Update from @asn: - Issue assigned to jcholast - Issue set to the milestone: SSSD 1.9.0 beta 1
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2245
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.