Instructions for installing OpenSSH 4.0p1 and enabling hashed hosts on UNIX (except OpenBSD) and MacOS 10.x

The following steps install OpenSSH 4.0p1, enable hashing of host names and addresses in known_hosts, and convert your existing known_hosts files to the hashed host format.

  1. You will need to download the OpenSSH 4.0p1 portable source tarball (openssh-4.0p1.tar.gz):

    Alternatively, you can download the above files via command line if you have wget:

    wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.0p1.tar.gz
    
  2. Issue the following commands to unpack the OpenSSH source and build it (host hashing is built into OpenSSH 4.0, so no separate patch is needed):

    tar zxf openssh-4.0p1.tar.gz
    cd openssh-4.0p1
    ./configure --prefix=/usr --sysconfdir=/etc/ssh
    make
    
    (if your tar cannot decompress gzip archives directly, use "gzip -d openssh-4.0p1.tar.gz; tar xvf openssh-4.0p1.tar" instead)
    
    (your local prefix and sysconfdir arguments may differ)
    

  3. Install the build and enable known_hosts hashing for all system users; both commands must be run as root. Note that "make install" replaces your existing OpenSSH binaries. Appending the "Host *" block at the end of ssh_config makes HashKnownHosts the default for every user, since ssh uses the first value found for an option and users' own ~/.ssh/config files are read first.

    make install
    echo "Host *" >> /etc/ssh/ssh_config
    echo "HashKnownHosts yes" >> /etc/ssh/ssh_config
    
      
    
    (or in the path specified by the sysconfdir argument to configure)
    

  4. To obtain the security benefits of known_hosts hashing, you will need to convert your system's existing known_hosts files to the hashed host format; HashKnownHosts only affects entries written from now on. To this end we provide two versions of a script that performs this conversion, one that includes functionality to contribute data to our study and one that does not. Choose from the two sets of instructions below depending on whether you would like the option to submit data to our anonymized research study, whose goal is to measure the potential dangers of leaving host names and addresses in known_hosts files in the clear. Please consider this now: once your known_hosts entries have been converted to hashed form, this data can no longer be collected. Data will not be submitted to our servers without your additional consent during the collection process.

    1. If you would like to contribute data to our study:

      1. You will need to download the conversion archive (convert_known_hosts-4.0.tar.gz), which contains the script and the perl modules it needs:

        Alternatively, you can download the above files via command line if you have wget:

        wget http://nms.lcs.mit.edu/projects/ssh/convert_known_hosts-4.0.tar.gz
        
      2. The convert_known_hosts-4.0.pl script will attempt to locate each user's known_hosts file and convert it to hashed host format. In order to do this correctly, the script must be run as root. Backup copies of the original files will be encrypted and placed in the same directory as the originals; use a pass phrase that is not used elsewhere on your system. Before running convert_known_hosts-4.0.pl, you must run the script build-CR.sh in order to build (in place) the Crypt::Rijndael and Digest::SHA1 perl modules if they are not already available on your system. If you need to access the backup files, or if you have any problems running the script, look at the README file in the archive and the script's -h (help) option for more information.

        tar zxf convert_known_hosts-4.0.tar.gz
        cd convert_known_hosts
        sh build-CR.sh
        perl convert_known_hosts-4.0.pl
        
        
    2. If you would NOT like to contribute data to our study:

      1. You will need to download the script (convert_known_hosts-4.0.pl):

        Alternatively, you can download the above files via command line if you have wget:

        wget http://nms.lcs.mit.edu/projects/ssh/convert_known_hosts-4.0.pl
        
      2. The convert_known_hosts-4.0.pl script will attempt to locate each user's known_hosts file and convert it to hashed host format. In order to do this correctly, the script must be run as root. Backup copies of the original files will be encrypted and placed in the same directory as the originals; use a pass phrase that is not used elsewhere on your system. If you need to access the backup files, or if you have any problems running the script, look at the script's -h (help) option (and the README file shipped in convert_known_hosts-4.0.tar.gz) for more information.

        perl convert_known_hosts-4.0.pl
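The conversion above relies on the hashed known_hosts entry format that OpenSSH 4.0 introduced: each host name or address is replaced by the token |1|<base64 salt>|<base64 HMAC-SHA1(salt, name)>, with a fresh random 20-byte salt per entry, so the file can only be checked against a name you already know, not read for names. The following Python example is added here to illustrate that format and to give you a way to check a converted file; it is not part of the MIT scripts or of OpenSSH. The known_hosts text and the key blobs in it are constructed for the example (they are not real keys), and the function names are our own.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

HASH_MAGIC = "|1|"   # marker OpenSSH puts in front of a hashed host token
SALT_LEN = 20        # OpenSSH uses a 20-byte random salt (SHA-1 digest length)


def hash_host(host: str, salt: Optional[bytes] = None) -> str:
    """Build the '|1|salt|hash' token OpenSSH writes for one host name or address."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(token: str, host: str) -> bool:
    """Test whether a hashed token was derived from `host` (the check ssh-keygen -F performs)."""
    if not token.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, mac_b64 = token[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(mac_b64, validate=True)
    except ValueError:           # binascii.Error is a ValueError; malformed token never matches
        return False
    actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def hash_line(line: str) -> List[str]:
    """Convert one known_hosts line. A 'host,addr key' line becomes one hashed line per name,
    each with its own salt, which is what ssh-keygen -H does."""
    stripped = line.rstrip("\n")
    body = stripped.strip()
    # Blank lines, comments, marker lines (@...) and already-hashed entries pass through untouched.
    if not body or body[0] in "#@" or body.startswith(HASH_MAGIC):
        return [stripped]
    hosts, _, key = body.partition(" ")
    # Wildcard patterns cannot be hashed (a hash cannot be matched against a pattern); keep as is.
    if "*" in hosts or "?" in hosts:
        return [stripped]
    return [hash_host(h) + " " + key for h in hosts.split(",") if h]


def convert_known_hosts(text: str) -> str:
    """Hash every plain host entry in a known_hosts file; running it twice changes nothing."""
    out: List[str] = []
    for line in text.splitlines():
        out.extend(hash_line(line))
    return "\n".join(out) + "\n"


def find_host(text: str, host: str) -> List[str]:
    """Return the hashed lines that belong to `host`, i.e. what ssh-keygen -F <host> would print."""
    hits = []
    for line in text.splitlines():
        token = line.split(" ", 1)[0]
        if line.startswith(HASH_MAGIC) and host_matches(token, host):
            hits.append(line)
    return hits


# Constructed sample input (not a real known_hosts file; the key material is dummy text).
SAMPLE = (
    "# constructed sample\n"
    "mail.example.net,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEONLY=\n"
    "*.lab.example.net ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLEONLY=\n"
)

if __name__ == "__main__":
    converted = convert_known_hosts(SAMPLE)
    print(converted)
    print("entries for mail.example.net:", len(find_host(converted, "mail.example.net")))
    print("entries for other.example.net:", len(find_host(converted, "other.example.net")))
```

Two checks worth making on a production host after running the MIT script: grep the converted file for any host name you expect to be hidden (only "|1|" tokens, comments and wildcard patterns should remain), and confirm that "ssh-keygen -F mail.example.net -f /path/to/known_hosts" still locates the entry. If you prefer OpenSSH's own converter, "ssh-keygen -H -f ~/.ssh/known_hosts" performs the same rewrite, but it leaves the unhashed original behind as known_hosts.old in clear text, so remove that copy once you have verified the result.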


    M. I. T. Computer Science and Artificial Intelligence Laboratory · 32 Vassar Street · Cambridge, MA 02139 · USA