nms.csail.mit.edu/projects/ssh/
If you use SSH, your ssh client stores in your home directory a list that maps the host names and IP addresses of every remote host you have connected to onto each host's public key. This database, the known_hosts file, has been used by attackers who compromise user accounts, steal passwords and identity keys, and then use the list of hosts to identify targets on which the same password or key can be used to compromise additional accounts. Worms could also use known_hosts data to identify new targets.

We have collected known_hosts data from 96 hosts, 14 of which ran the script as root and submitted data from all user accounts. In total, we received 31,446 anonymized known_hosts entries from 2,077 user accounts. These entries lead to a total of 8,009 distinct hosts on 88 valid /8 networks (55% of all valid /8 networks).

[Figure: graph of these /8 networks, with institutional networks from which we have collected significant data separated out.]

The data collection script that was run on these hosts also parsed SSH2 identity key files to see what fraction of these key files had the encryption flag set.
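As an added example (this is not the project's collect-ssh script), the following Python parses plain known_hosts entries the way a collector or an attacker would: it produces the target list that a stolen file hands over, the per-/8 tally that the figure above is built from, and the encryption-flag check on identity key files. Host names, addresses and key bytes in the sample data are constructed. The key check also recognises the later openssh-key-v1 container, which did not exist when this page was written; that part goes beyond the PEM keys the original script saw.

```python
"""Collector-style parsing of known_hosts entries and SSH identity key files.
Added example, not the project's collect-ssh script. All sample data below is
constructed: host names, addresses and key material are made up."""
import base64
import ipaddress
import struct
from collections import Counter

# Constructed known_hosts file. Plain entries are: comma-separated
# names/addresses, key type, key, optional comment. The last line is in the
# hashed |1|salt|hash form and therefore names no target.
SAMPLE_KNOWN_HOSTS = """\
# comment lines are ignored
login.example.edu,18.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7 root@login
10.1.2.3 ssh-dss AAAAB3NzaC1kc3MAAACBAI
build.example.org,192.0.2.77 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDx
18.26.4.9 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDy
|1|AAAAAAAAAAAAAAAAAAAAAAAAAAA=|ZmFrZWhhc2hmYWtlaGFzaGZha2U= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDz
"""


def parse_known_hosts(text):
    """Yield (names, ips, key_type, key) for each plain entry.
    Hashed entries (|1|...) carry no recoverable target and are skipped,
    which is exactly what hashing buys against whoever steals the file."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 3)
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue
        names, ips = [], []
        for item in fields[0].split(","):
            try:
                ips.append(ipaddress.ip_address(item))
            except ValueError:
                names.append(item)
        yield names, ips, fields[1], fields[2]


def target_list(text):
    """Every name and address an attacker learns from a plain known_hosts."""
    targets = set()
    for names, ips, _t, _k in parse_known_hosts(text):
        targets.update(names)
        targets.update(str(ip) for ip in ips)
    return sorted(targets)


def slash8_counts(text):
    """Distinct IPv4 addresses per /8 network, the tally behind the figure."""
    seen = set()
    for _n, ips, _t, _k in parse_known_hosts(text):
        seen.update(ip for ip in ips if ip.version == 4)
    return Counter(str(ipaddress.ip_network(f"{ip}/8", strict=False))
                   for ip in seen)


def is_encrypted_identity(key_bytes):
    """True if a private key file is passphrase-protected.
    PEM keys (what the 2005 script parsed) carry 'Proc-Type: 4,ENCRYPTED';
    the later openssh-key-v1 container (an extension here) names its cipher
    right after the magic string, 'none' when unencrypted."""
    if b"Proc-Type: 4,ENCRYPTED" in key_bytes:
        return True
    if b"-----BEGIN OPENSSH PRIVATE KEY-----" in key_bytes:
        body = b"".join(l.strip() for l in key_bytes.splitlines()
                        if not l.startswith(b"-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if blob.startswith(magic):
            off = len(magic)
            (n,) = struct.unpack(">I", blob[off:off + 4])
            return blob[off + 4:off + 4 + n] != b"none"
    return False


# Constructed key files; only the headers matter to the check above.
PEM_PLAIN = (b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow==\n"
             b"-----END RSA PRIVATE KEY-----\n")
PEM_ENCRYPTED = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIEow==\n"
                 b"-----END RSA PRIVATE KEY-----\n")


def openssh_v1_sample(cipher):
    """Constructed minimal openssh-key-v1 header carrying `cipher`."""
    blob = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(blob).decode()
    return (f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n"
            f"-----END OPENSSH PRIVATE KEY-----\n").encode()


def encryption_stats(key_files):
    """(encrypted, total) over a set of key files, as the script reported."""
    flags = [is_encrypted_identity(k) for k in key_files]
    return sum(flags), len(flags)


if __name__ == "__main__":
    print(target_list(SAMPLE_KNOWN_HOSTS))
    print(slash8_counts(SAMPLE_KNOWN_HOSTS))
    print(encryption_stats([PEM_PLAIN, PEM_ENCRYPTED, openssh_v1_sample(b"none")]))
```

Two things the sample is meant to show: the hashed line at the end contributes nothing to the target list, and an unencrypted identity key next to a plain known_hosts is a ready-made pivot list, which is why the script recorded both.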
When collection is complete, you will be asked whether you are willing to submit the data to us and prompted for a transmission method. If you are behind a firewall, we recommend email submission. Regardless of how the data is transmitted, it is encrypted first.

If you run the script from a user account, only data from that account is collected. If you can run the script as root, data for all users is collected. If you plan to run the script as root and use NIS and LDAP, additional steps are required.
* .ssh/known_hosts
* The anonymized IP address of the file server (if any) on which the user's home directory is mounted
* SSH and OS version information
* .ssh/ directory

The last three items enable us to model how, when a host is compromised, the identity keys stored on it may be used to compromise other hosts.
The README file describes in even greater detail which files collect-ssh reads and how the script encrypts the information it gathers to preserve your privacy.

The recently released version 4.0 of OpenSSH incorporates a known_hosts hashing scheme. Upgrading to this version gives your system host-hashing capability. Unfortunately, the feature must be turned on manually via configuration options, and each existing known_hosts file must be converted to the hashed format manually. (In OpenSSH 4.0 the client option is HashKnownHosts in ssh_config, and ssh-keygen -H rewrites a single known_hosts file into the hashed form.) To ease your transition to a hashed-hosts configuration, we have provided installation and configuration instructions for enabling the hashing option and a conversion tool which will convert all known_hosts files on your system when run as superuser.
Instructions for upgrading to OpenSSH 4.0p1 and enabling hashed hosts on all other platforms

Alternatively, if you are unwilling to upgrade to an entirely new version of OpenSSH, we have provided a patch to previous versions of OpenSSH (tested for versions 3.9 and 3.9p1) that hashes host names and IP addresses in the known_hosts file.

README.hashed-hosts (included with the patch) provides a detailed description of the changes made, the newly available commands, and the known_hosts conversion tool. It is important to note that the hashing scheme we originally implemented is not compatible with the one subsequently included in OpenSSH 4.0. Therefore, if you choose to use our patch now and later upgrade to OpenSSH 4.0, your users will be unable to use entries added to their known_hosts files after applying the patch: those hosts will appear unknown to the upgraded client, so their host keys must be re-verified (or the entries recreated) after the upgrade.
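For readers who want to see what the OpenSSH 4.0 hashed format actually is, here is an added example in Python. It is neither the project's patch nor OpenSSH's own code; it implements the format that OpenSSH 4.0 adopted: a 20-byte random salt, HMAC-SHA1 keyed with that salt over the host name or address, and the entry written as `|1|base64(salt)|base64(hmac)`. Because the project's pre-4.0 patch used a different, incompatible scheme, this code will not match entries that patch produced. The sample file is constructed; its key material is made up.

```python
"""Hashed known_hosts entries in the OpenSSH 4.0 format: |1|<salt>|<hmac>.
Added example; not the project's patch or OpenSSH source. The salt is 20
random bytes and the hash is HMAC-SHA1 keyed with that salt over the host
name (or IP address) exactly as the client would look it up. The project's
earlier patch used an incompatible scheme that this code does not read."""
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"


def hash_host(host, salt=None):
    """Hashed form of one host name or address. A fixed salt may be passed
    for reproducible tests; real entries need a fresh random salt each time
    so that two files cannot be compared entry by entry."""
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode()
            + "|" + base64.b64encode(digest).decode())


def host_matches(name_field, host):
    """True if the first field of a known_hosts line refers to `host`.
    Handles hashed fields and plain comma-separated ones. Match on the
    exact string the client uses (lowercased name, or [host]:port for a
    non-default port); @cert-authority/@revoked markers are not handled."""
    if not name_field.startswith(HASH_MAGIC):
        return host in name_field.split(",")
    try:
        _empty, _version, salt_b64, digest_b64 = name_field.split("|")
        salt = base64.b64decode(salt_b64)
        stored = base64.b64decode(digest_b64)
    except ValueError:
        return False
    calc = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(calc, stored)


def hash_known_hosts(text):
    """Rewrite plain entries into hashed ones, one output line per name,
    the way `ssh-keygen -H` does. Comments, blank lines and already-hashed
    entries pass through unchanged, so the conversion is idempotent."""
    out = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or s.startswith(HASH_MAGIC):
            out.append(line)
            continue
        parts = s.split(None, 1)
        if len(parts) < 2:          # malformed line; keep it as-is
            out.append(line)
            continue
        names, key_part = parts
        for name in names.split(","):
            out.append(hash_host(name) + " " + key_part)
    return "\n".join(out) + "\n"


def lookup_key(text, host):
    """Key part of the entry for `host`, or None. Works on plain and hashed
    files alike: the client can still verify a host it already knows, but
    the file no longer enumerates targets for whoever steals it."""
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split(None, 1)
        if len(parts) == 2 and host_matches(parts[0], host):
            return parts[1]
    return None


# Constructed sample file (hosts and key material are made up).
SAMPLE = """\
login.example.edu,18.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7 comment
build.example.org ssh-dss AAAAB3NzaC1kc3MAAACBAI
"""

if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE)
    print(hashed)
    print(lookup_key(hashed, "18.0.0.5"))
```

Note what the conversion changes and what it does not: the key material stays in the clear (it is public), the number of entries grows by one per extra name on a line, and lookup cost becomes one HMAC per line rather than a string compare, which is why the client computes it only for the host it is connecting to.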