From 1eedf4a4f165232c053be638545644f04e540cbd Mon Sep 17 00:00:00 2001 From: DuckDuckWhale Date: Sat, 22 Oct 2022 00:20:12 -0700 Subject: [PATCH] SSH: HashKnownHosts=no HashKnownHosts provides an appearance of security but is actually [easily crackable](https://github.com/chris408/known_hosts-hashcat) and doesn't prevent leakage from other sources, such as the shell history or SSH config. Most importantly, it makes properly maintaining the list tedious and error-prone by making it hard to remove changed keys and impossible to remove obsolete entries, therefore possibly weakening security. Security should be enforced by password-protecting SSH keys instead. --- auto/ssh/config | 1 + 1 file changed, 1 insertion(+) diff --git a/auto/ssh/config b/auto/ssh/config index 98a1863..25a160a 100644 --- a/auto/ssh/config +++ b/auto/ssh/config @@ -1,3 +1,4 @@ Host * ForwardX11Trusted no + HashKnownHosts no IdentitiesOnly yes
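Review bot: the added `HashKnownHosts no` line under `Host *` carries no comment and affects only entries written after the change, so a known_hosts file that already holds hashed entries stays as hard to maintain as the commit message describes. ssh does not convert existing entries in either direction. Hashed lines have to be removed (for example with `ssh-keygen -R host`, which matches hashed names) and re-learned, with the host key fingerprint verified again on first connect. Consider saying this in the commit message or in a README note. A one-line comment above the option in auto/ssh/config would also help: upstream OpenSSH already defaults to `no`, so the line only matters on systems whose system-wide ssh_config sets `HashKnownHosts yes`, and without a comment a later reader may delete it as redundant. Separately, the passphrase advice in the commit message protects private keys, not the host names listed in known_hosts, so the file's permissions remain the only control over who can read that list.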