known_hosts vulnerability?

Gabriel M. Elder eldergabriel at
Thu May 19 05:30:38 EST 2005

Hey all,

I came across a security news article, referenced by, at

talking about an SSH weakness involving the known_hosts file. I
apologize if this issue has already been addressed, but the mailing list
archives didn't turn up anything when i tried searching for something
relevant. So; not to knee-jerk or anything, but is anyone currently
looking into this? Does this need to be addressed, or has it already
been taken care of? Offhand, on a scale of 0 - 11, this would seem to
rate kinda high, ~7. Am i off-base?

>From the article: "a known_hosts hashing scheme proposed by MIT has been
implemented in OpenSSH 4.0 and in a patch for earlier versions of SSH".
Looking at my own ~/.ssh/known_hosts file, the entries appear to be
encrypted, by default; i assume this is a Good Thing. Installed ssh
package = openssh-server-3.9p1-8.0.1. Shall i now resume my warm fuzzies
and assume all is snug and secure in openssh-land?

More information about the openssh-unix-dev mailing list