1

In ssh clients, file .ssh/known_hosts may use plain text (this happens, for example, in FreeBSD 12.0):

<ip_address> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEIlD8R6Kxj9CdToar+3ay4B0yE65dP0EYoRJjEEgLjmvCTIv59DBp+0j2z0+NM0hxxJew79i1bYuN02lEvT2/E=

or it may be hashed (as in Ubuntu 18.04):

|1|3Et6QShrP2OrD4tWdOGP3jy3YC4=|f2FrJ5tOjjmFSrGWyen1DokJyLc= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIyZLGNvIADWL5SSkohBmDCVpLUzAHNejqQAXP3SSY300YIdNKCn3jqGmFAJiKB1CY0HnVirgFjdAKpyw3+6yzo=

Question 1

Is it possible to obtain the plain text lines from a hashed known_hosts?


Ubuntu sshd manpage states that:

Only one hashed hostname may appear on a single line and none of the above negation or wildcard operators may be applied.

I am not sure what is meant here.

Question 2

Does that mean that addresses like 192.168.*.* can never be accepted in the hashed form of known_hosts, even when they are created as plain text and then manually hashed?


As in a previous question, I am using these clients: OpenSSH_7.8p1, OpenSSL 1.1.1a-freebsd 20 Nov 2018 and OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017.

BowPark
  • Per Ulrich's answer, this is the reason they are known as "one way hash" functions. – 0xSheepdog May 27 '19 at 16:06
  • 1
    The difference is whether HashKnownHosts is set to yes or no in the configuration, not which distribution or unix-like OS you are using (although different distributions may set different values in the default ssh_config). – user4556274 May 27 '19 at 16:35

1 Answer

5

No and yes, in that order. The purpose of hashing the line is to obscure the hosts that you have previously connected to, so it's the very purpose of the hash function to make it (for practical purposes) impossible to tell what hostname belongs to it.

By extension, you cannot really make wildcards work with hashed hostnames: if I want to connect to webhost47, and the lines are hashed, how do I even find out there's a line that matches webhost*? A hash is a trap door, I can only find that line by hashing webhost* and checking. But I'd also have to check for ?ebhost47, w?bhost47, ??bhost47, etc. etc., so that's not really reasonable.

(I guess the comment also means that you can't have

hashblurb1,hashblurb2 ssh-rsa …

with hashed hostnames, even though you can have

hostname1,hostname2 ssh-rsa …

and I don't see a technical reason right now why you couldn't have that.)

  • You mean: ssh doesn't know where and how I could have used a wildcard character while creating known_hosts. So, webhost*, ?ebhost47 and so on are all possible positions/usages of wildcards, which would all have to be checked, and that is impractical. Did I understand correctly? And yes, hostname1,hostname2 ssh-rsa … is feasible (as suggested in this answer), but only when known_hosts is plain text, not hashed. – BowPark May 28 '19 at 08:38
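The mechanics behind both questions and the answer can be seen by reproducing what OpenSSH does with a hashed entry. A `|1|salt|hash` field is the base64 salt followed by the base64 HMAC-SHA1 of the hostname keyed with that salt; on connect, ssh computes the same HMAC over the literal name it is connecting to and compares. The example below is added here and is not code from the question, the answer, or OpenSSH itself; the salt, hostnames and key string are constructed, and plain-text matching is simplified (only `*`, `?` and `!` are handled, not the `[host]:port` form):

```python
import base64
import fnmatch
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Hashed host field layout used by HashKnownHosts / ssh-keygen -H:
#   "|1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)>"
HASH_MAGIC = "|1|"
SALT_LEN = 20  # OpenSSH uses a 20-byte salt (SHA-1 digest length)


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Build the hashed host field for `hostname` (random salt unless one is given)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    mac = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return f"{HASH_MAGIC}{_b64(salt)}|{_b64(mac)}"


def parse_hashed(field: str) -> Tuple[bytes, bytes]:
    """Split a hashed host field into (salt, mac); raises ValueError if malformed."""
    if not field.startswith(HASH_MAGIC):
        raise ValueError("not a hashed host field")
    salt_b64, _, mac_b64 = field[len(HASH_MAGIC):].partition("|")
    if not salt_b64 or not mac_b64:
        raise ValueError("malformed hashed host field")
    return base64.b64decode(salt_b64), base64.b64decode(mac_b64)


def host_matches(field: str, hostname: str) -> bool:
    """Does the host field of one known_hosts line cover `hostname`?"""
    if field.startswith(HASH_MAGIC):
        # Hashed: the only possible test is "hash the literal name and compare".
        # A hashed wildcard entry is just the HMAC of the string "192.168.*.*",
        # so it never matches a real address; this is the answer's point.
        salt, mac = parse_hashed(field)
        expected = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
        return hmac.compare_digest(expected, mac)
    # Plain text: comma-separated patterns, '*'/'?' wildcards, '!' negation.
    patterns = field.split(",")
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(hostname, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(hostname, p) for p in positive)


def find_host_lines(known_hosts_text: str, hostname: str) -> List[str]:
    """Mimic `ssh-keygen -F hostname`: return lines whose host field covers hostname."""
    hits = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # skip @cert-authority / @revoked marker
            line = line.split(None, 1)[1]
        host_field = line.split(None, 1)[0]
        if host_matches(host_field, hostname):
            hits.append(line)
    return hits


# Constructed sample data (not real keys): a fixed salt so results are reproducible,
# one plain wildcard line, one hashed exact host, and one hashed wildcard.
SAMPLE_SALT = bytes(range(SALT_LEN))
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "192.168.*.* " + SAMPLE_KEY,
    hash_hostname("192.168.1.10", SAMPLE_SALT) + " " + SAMPLE_KEY,
    hash_hostname("192.168.*.*", SAMPLE_SALT) + " " + SAMPLE_KEY,
])


def sample_hits(hostname: str) -> int:
    """Number of sample lines that cover hostname: 2 for 192.168.1.10, 1 for 192.168.1.11."""
    return len(find_host_lines(SAMPLE_KNOWN_HOSTS, hostname))


if __name__ == "__main__":
    for h in ("192.168.1.10", "192.168.1.11"):
        print(h, "->", sample_hits(h), "matching line(s)")
```

Running it shows the plain `192.168.*.*` line matches both addresses while the hashed copy of the same wildcard matches neither, and the hashed exact entry matches only `192.168.1.10`. Because `salt` and `hostname` both go into the HMAC, nothing in the line lets you go back from the hash to the name; the only operation the format supports is checking a name you already have, which is exactly what `ssh-keygen -F` does.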