imthenachoman / How-To-Secure-A-Linux-Server

An evolving how-to guide for securing a Linux server.
Creative Commons Attribution Share Alike 4.0 International

HashKnownHosts set to yes #115

Closed Kataane closed 5 months ago

Kataane commented 5 months ago

Thanks for all your hard work.

I would like to clarify that nowhere did I find mention of HashKnownHosts and that it is better to set HashKnownHosts yes in ssh_config.

This is especially important when using public keys instead of password login. For example, if a server is used as a point of entry to another server via ssh.

You can read more about this in: mozilla OpenSSH server, mit.edu about sshworm, linux-audit, serverfault.

Maybe this will be useful to someone.
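What `HashKnownHosts yes` actually changes is the client's `~/.ssh/known_hosts`: instead of writing the hostname in the clear, ssh writes `|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>`, so the client can still verify a host it connects to, but someone who reads the file (or a worm that lands on the jump box) no longer gets a ready list of hosts to try. The following is an added example, not code from the issue or the guide, that reimplements that format in Python to show both sides: hashing existing entries the way `ssh-keygen -H -f ~/.ssh/known_hosts` does (ssh only hashes entries it adds after the option is set, so existing plaintext lines stay until you run that), and looking a host up the way `ssh-keygen -F hostname -f ~/.ssh/known_hosts` does. The hostnames, the key data and the `SAMPLE_KNOWN_HOSTS` list are constructed; the key blobs are placeholders, not real keys. `@cert-authority`/`@revoked` marker lines and wildcard host patterns are not handled here.

```python
"""Hashed known_hosts entries, the format OpenSSH writes when ssh_config has
`HashKnownHosts yes`. Added example, not code from the repository under discussion.

Host field format (sshd(8), SSH_KNOWN_HOSTS FILE FORMAT):
    |1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)>
"""
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"   # version 1 is the only hashed format OpenSSH defines
SALT_LEN = 20        # ssh-keygen uses a 20-byte random salt (SHA-1 digest size)

# Constructed sample, not from the original issue. Key material is a placeholder.
SAMPLE_KNOWN_HOSTS = [
    "# hosts this jump box can reach",
    "bastion.example.internal,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA",
    "[db.example.internal]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA",
]


def hash_host(hostname, salt=None):
    """Return the hashed host field for `hostname`.

    Non-default ports are part of the name, e.g. '[db.example.internal]:2222',
    and are hashed as that whole string."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def host_matches(field, hostname):
    """True if a known_hosts host field (hashed, or plain comma-separated) names `hostname`."""
    if field.startswith(HASH_MAGIC):
        try:
            _, _, salt_b64, digest_b64 = field.split("|")
            salt = base64.b64decode(salt_b64, validate=True)
            expected = base64.b64decode(digest_b64, validate=True)
        except ValueError:            # malformed field: treat as no match
            return False
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in field.split(",")


def _host_field(line):
    """The first whitespace-separated field of a known_hosts line, or None for blank/comment."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    return stripped.split(None, 1)[0]


def hash_known_hosts(lines):
    """Rewrite plain lines the way `ssh-keygen -H` does: one hashed line per hostname.
    Comments, blank lines and already-hashed lines pass through unchanged."""
    out = []
    for line in lines:
        field = _host_field(line)
        if field is None or field.startswith(HASH_MAGIC):
            out.append(line)
            continue
        _, _, rest = line.strip().partition(" ")
        for host in field.split(","):
            out.append(f"{hash_host(host)} {rest}")
    return out


def find_host(hostname, lines):
    """Like `ssh-keygen -F hostname`: the lines whose host field names `hostname`."""
    return [line for line in lines
            if _host_field(line) is not None and host_matches(_host_field(line), hostname)]


def readable_hosts(lines):
    """What a reader of the file learns without guessing: every plaintext host name."""
    names = []
    for line in lines:
        field = _host_field(line)
        if field is not None and not field.startswith(HASH_MAGIC):
            names.extend(field.split(","))
    return names


if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("plaintext file exposes:", readable_hosts(SAMPLE_KNOWN_HOSTS))
    print("hashed file exposes:   ", readable_hosts(hashed))
    print("lookup of 10.0.0.5 still works:", bool(find_host("10.0.0.5", hashed)))
```

The lookup function is also the attacker's tool: hashing does not stop someone who already has a candidate hostname (a DNS zone, `~/.bash_history`, a port scan) from confirming it against the file, which is why the salt is per entry rather than a secret. The setting belongs in the client config (`/etc/ssh/ssh_config` or `~/.ssh/config`), since `known_hosts` is client state; `sshd` has no such option.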

imthenachoman commented 5 months ago

Good catch. I'll add. Thanks.

klnstprx commented 4 months ago

Adding this line to /etc/ssh/sshd_config does not work for me:

sudo service sshd restart

Job for ssh.service failed because the control process exited with error code.
See "systemctl status ssh.service" and "journalctl -xeu ssh.service" for details.

systemctl status ssh.service

× ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Tue 2024-03-05 00:05:22 UTC; 11s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 11172 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=255/EXCEPTION)
        CPU: 12ms

Mar 05 00:05:22 servertosh systemd[1]: ssh.service: Scheduled restart job, restart counter is at 5.
Mar 05 00:05:22 servertosh systemd[1]: Stopped OpenBSD Secure Shell server.
Mar 05 00:05:22 servertosh systemd[1]: ssh.service: Start request repeated too quickly.
Mar 05 00:05:22 servertosh systemd[1]: ssh.service: Failed with result 'exit-code'.
Mar 05 00:05:22 servertosh systemd[1]: Failed to start OpenBSD Secure Shell server.

sudo /usr/sbin/sshd -T

/etc/ssh/sshd_config: line 84: Bad configuration option: HashKnownHosts
/etc/ssh/sshd_config: terminating, 1 bad configuration options

Removing it fixes the problem.

I think it is supposed to go into /etc/ssh/ssh_config.

imthenachoman commented 4 months ago

Maybe only some versions support the config? When I man sshd_config, I do not see HashKnownHosts as an option?

imthenachoman commented 4 months ago

So this is an SSH client configuration, not an SSH server configuration. It is for /etc/ssh/ssh_config.