  • Jul 1, 2026, 10:39 AM

    TIL: Ubuntu 26.04 *still* comes with `HashKnownHosts yes` in /etc/ssh/ssh_config

    (I had an interaction a couple of years ago where I was publicly annoyed that OpenSSH would set (I thought) HashKnownHosts by default, and one of the developers went "WTF? No, we don't?" at me, and then we discovered that Ubuntu sets this, which they didn't even know and don't recommend.)

    💬 2🔄 0⭐ 0

Replies

  • Jul 1, 2026, 11:12 AM

    @henryk out of curiosity, why is the Ubuntu recommendation to disable HashKnownHosts? On first glance it doesn’t sound like a stupid idea to hash the known hosts entries (e.g. to obfuscate them)… 🤔

    💬 1🔄 0⭐ 0
  • Jul 1, 2026, 11:32 AM

    @tisba Convenience mostly. You lose tab-completion for host names, for example. Or, in my case, new pubkey and I'd like a convenient directory of hosts to ssh-copy-id to.
    On the flip side the security benefits are marginal at best. Knowledge of the host is *not* the security boundary, having the key is the boundary. If hostnames really were secret, one would need to disable bash history too. And maybe other things.

    There *may* be circumstances where this is warranted, but it's not everywhere.

    💬 1🔄 0⭐ 0
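As an added example (not code from the thread, and not OpenSSH's own implementation): what `HashKnownHosts yes` does to a known_hosts entry, and why a shell completer can no longer read host names back while an `ssh-keygen -F`-style lookup of a host you already know still works. The sample file, the fixed salt and the key blobs are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample (not from any real machine): one plain entry and one
# stored the way HashKnownHosts writes it. Key blobs are placeholders.
SALT = bytes(range(20))  # fixed salt so the sample is reproducible

def hash_hostname(hostname: str, salt: bytes) -> str:
    # OpenSSH hashed form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"

SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "git.example.test,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER1",
    hash_hostname("build.example.test", SALT)
    + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER2",
])

def entry_matches(host_field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain or hashed) covers hostname."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in host_field.split(",")

def parse_entries(text: str):
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @cert-authority / @revoked marker
            line = line.split(None, 1)[1]
        fields = line.split(None, 2)
        if len(fields) == 3:
            yield tuple(fields)  # (host_field, key_type, key)

def find_host(text: str, hostname: str):
    """Like `ssh-keygen -F`: key types recorded for hostname, hashed or not."""
    return [ktype for host, ktype, _ in parse_entries(text)
            if entry_matches(host, hostname)]

def listable_hosts(text: str):
    """Names a completer could read back directly; hashed entries yield none."""
    return [name for host, _, _ in parse_entries(text)
            if not host.startswith("|1|") for name in host.split(",")]
```

The hashed entry is only useful when you already know the name to ask about, which is exactly the convenience trade-off the thread describes.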
  • Jul 1, 2026, 11:41 AM

    @henryk oh yes, good points, thank you! Missing tab-completion would be quite annoying.

    Thinking about it some more, there are most likely quite a few more places that contain host names. Even some kind of enumeration is probably also feasible. There typically isn't a ton of entropy in hostnames anyway.

    💬 0🔄 0⭐ 0
  • Jul 1, 2026, 11:27 AM

    @henryk interesting! I didn't find a source for that recommendation. I also like to rather have knowledge of what is in the list. Do you have a source you can reference?

    💬 1🔄 0⭐ 0