Protect the known_hosts file from writing - good or bad idea?

1

I want to protect the known_hosts file from writing, so I want to perform the following steps on my Linux Red Hat server:

  cp /dev/null /root/.ssh/known_hosts
  chattr +i /root/.ssh/known_hosts

I want to do that because I want to prevent unsuccessful logins to any target machine, because sometimes we get the warning "Remote Host Identification Has Changed" and the login fails.

But I am not sure if my solution (write-protecting known_hosts) is a good idea, and what the negative effect on the Linux system is.

Or maybe this is a good solution to keep the known_hosts file empty?

What do the members here think?

maihabunash

Posted 2015-02-13T12:41:29.117

Reputation: 479

Answers

1

IMHO it's not a good idea (see below).

The following command will remove the offending key of your host from known_hosts:

  ssh-keygen -R <host>

e.g. ssh-keygen -R my_old_client

Why this is not a good idea can be argued from man ssh (searching down, you can read):

Additionally, the server must be able to verify the client's host key (see the description of /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts, below) for login to be permitted. This authentication method closes security holes due to IP spoofing, DNS spoofing, and routing spoofing. [Note to the administrator: /etc/hosts.equiv, ~/.rhosts, and the rlogin/rsh protocol in general, are inherently insecure and should be disabled if security is desired.]


Some words more: if ssh prompts you that the machine key has changed, usually it is because you reinstalled ssh on that machine, or maybe you forced a rebuild of the keys. However, it is no longer the ssh key that was used last time... it can be another computer that tries to take that identity. If you are sure it's the same computer, you can remove / update the offending key and go ahead.

Again from man ssh, about how it works:

ssh automatically maintains and checks a database containing identification for all hosts it has ever been used with.
Host keys are stored in ~/.ssh/known_hosts in the user's home directory. Additionally, the file /etc/ssh/ssh_known_hosts is automatically checked for known hosts. Any new hosts are automatically added to the user's file. If a host's identification ever changes, ssh warns about this and disables password authentication to prevent server spoofing or man-in-the-middle attacks, which could otherwise be used to circumvent the encryption.

The StrictHostKeyChecking option can be used to control logins to machines whose host key is not known or has changed.

Hastur

Posted 2015-02-13T12:41:29.117

Reputation: 15 043

From man ssh I do not see that they wrote known_hosts – maihabunash – 2015-02-13T13:02:44.837

Is it better to set StrictHostKeyChecking no in the ssh config? – maihabunash – 2015-02-13T13:04:40.603

People usually do not reinstall ssh, purging the key, so often. If you correct the problem once when it happens, you will not face it again (at least for a long while) and you will not compromise security. Updated answer – Hastur – 2015-02-13T13:13:12.157

StrictHostKeyChecking no and UserKnownHostsFile /dev/null will do the job, what do you think? With this config the file will stay empty. – maihabunash – 2015-02-13T13:23:28.170
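The following is an added example, not code from the thread above: a small Python model of the check ssh performs on every connection, written to make two points from the discussion concrete at once. First, what the answer's `ssh-keygen -R my_old_client` removes and why that keeps the other entries (and the spoofing warning) intact; second, what the last comment's `StrictHostKeyChecking no` plus `UserKnownHostsFile /dev/null` actually does to that check. The hostname my_old_client comes from the answer; bastion.example, the address 10.0.0.5, the salt and every key blob are constructed placeholders, not real keys. Marker lines (`@cert-authority`, `@revoked`) are preserved but not evaluated, and the hashed-hostname form is computed the way `HashKnownHosts yes` writes it.

```python
"""Added example, not from the original thread: a Python model of how OpenSSH
classifies a server's host key against known_hosts, what each StrictHostKeyChecking
value does with that verdict, and which lines `ssh-keygen -R host` removes.
Marker lines (@cert-authority, @revoked) are kept but not evaluated."""
import base64
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    KNOWN_OK = "host key matches the stored key"
    CHANGED = "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!"
    UNKNOWN = "the authenticity of the host can't be established"


def hashed_hostname(hostname, salt):
    """The |1|salt|hmac| form written with HashKnownHosts yes (HMAC-SHA1 over the name)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def _entry_names_host(field, hostname):
    """Does the first known_hosts field (plain name list or hashed name) cover hostname?"""
    if field.startswith("|1|"):
        parts = field.split("|")
        if len(parts) != 4:
            return False
        return hmac.compare_digest(hashed_hostname(hostname, base64.b64decode(parts[2])), field)
    names = field.split(",")
    return hostname in names and "!" + hostname not in names  # "!name" excludes the host


def check_host_key(known_hosts, hostname, key_type, key_blob):
    """Classify the key the server presented, as ssh does before authentication."""
    stored = []  # blobs of this key type already recorded for this host
    for raw in known_hosts.splitlines():
        fields = raw.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if fields[1] == key_type and _entry_names_host(fields[0], hostname):
            stored.append(fields[2])
    if not stored:
        return Verdict.UNKNOWN
    return Verdict.KNOWN_OK if key_blob in stored else Verdict.CHANGED


def policy_decision(verdict, strict):
    """(connect, record the key, password auth allowed) for one StrictHostKeyChecking value.
    'no' continues even after CHANGED, but with password/keyboard-interactive auth
    disabled; 'yes', 'ask' and 'accept-new' refuse a changed key outright."""
    if verdict is Verdict.KNOWN_OK:
        return (True, False, True)
    if verdict is Verdict.CHANGED:
        return (True, False, False) if strict == "no" else (False, False, False)
    if strict == "yes":  # UNKNOWN: only hosts recorded in advance may be used
        return (False, False, False)
    return (True, True, True)  # 'no'/'accept-new' add silently; 'ask' after the user answers yes


def forget_host(known_hosts, hostname):
    """What `ssh-keygen -R hostname` does: drop lines naming that host, keep the rest."""
    kept = [raw for raw in known_hosts.splitlines()
            if not raw.split() or raw.split()[0].startswith(("#", "@"))
            or not _entry_names_host(raw.split()[0], hostname)]
    return "\n".join(kept) + "\n"


# Constructed sample file; the blobs are placeholders, not real public keys.
SALT = b"0123456789abcdefghij"
OLD_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIOldKeyPlaceholder0000000000000000000000000"
NEW_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAINewKeyAfterReinstall000000000000000000000"
BASTION_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIBastionKeyPlaceholder00000000000000000000"
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "my_old_client,10.0.0.5 ssh-ed25519 " + OLD_KEY,
    hashed_hostname("bastion.example", SALT) + " ssh-ed25519 " + BASTION_KEY,
]) + "\n"


def demo():
    """Run the cases discussed in the thread and return {case: Verdict}."""
    r = {}
    r["same_key"] = check_host_key(KNOWN_HOSTS, "my_old_client", "ssh-ed25519", OLD_KEY)
    r["reinstalled"] = check_host_key(KNOWN_HOSTS, "my_old_client", "ssh-ed25519", NEW_KEY)
    r["hashed_entry"] = check_host_key(KNOWN_HOSTS, "bastion.example", "ssh-ed25519", BASTION_KEY)
    # The asker's idea: an empty file (cp /dev/null ..., or UserKnownHostsFile /dev/null).
    # Nothing is ever stored, so a swapped key looks exactly like a first contact.
    r["empty_file"] = check_host_key("", "my_old_client", "ssh-ed25519", NEW_KEY)
    # The answer's fix: forget only the offending host; other entries survive.
    cleaned = forget_host(KNOWN_HOSTS, "my_old_client")
    r["after_keygen_R"] = check_host_key(cleaned, "my_old_client", "ssh-ed25519", NEW_KEY)
    r["bastion_untouched"] = check_host_key(cleaned, "bastion.example", "ssh-ed25519", BASTION_KEY)
    return r


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-18s %-8s connect/record/password with 'ask': %s"
              % (case, verdict.name, policy_decision(verdict, "ask")))
```

Running `demo()` shows the trade-off the thread is about: the reinstalled host yields CHANGED, and with the default `ask` policy the connection is refused until `ssh-keygen -R my_old_client` drops that one line (the hashed bastion entry is untouched, so no other host becomes "unknown"). With an empty file, whether from `cp /dev/null` plus `chattr +i` or from `UserKnownHostsFile /dev/null`, the verdict is UNKNOWN for every host on every connection, so the CHANGED branch can never be reached and a machine impersonating a target is indistinguishable from a first contact; adding `StrictHostKeyChecking no` then makes ssh connect and "record" the key into a file that never retains it. The immutable-file variant has the same effect, with ssh also failing to append the key each time, so the prompt repeats forever. If the goal is just to avoid prompts on a root account, the safer route is the one the quoted man page points at: pre-seed `/etc/ssh/ssh_known_hosts` with the real host keys collected out of band and leave host key checking on.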