Instructions for patching OpenSSH on OpenBSD

First, please consider participating in our data collection study to measure the potential dangers of leaving the host names and addresses in your known_hosts files unencrypted. We ask you to consider this now because once you have patched and converted to the hashed host address format, you will no longer be able to participate in the study.

The following four steps will install the hashed host address patch and convert your existing known_hosts files to hashed host address format.

  1. You will need to download:

    Alternatively, you can download the above files via command line if you have wget:

  2. Issue the following commands to unpack the OpenSSH source, apply our patch, and build the patched OpenSSH:
    tar zxf openssh-3.9.tgz
    gunzip openssh-3.9-hashed-hosts-20050214.patch.gz
    patch -p0 < openssh-3.9-hashed-hosts-20050214.patch
    cd ssh
    make obj
    make cleandir
    make depend
    make
  3. Install while running as root. This will replace your existing OpenSSH binaries.
    make install
  4. To obtain the security benefits of the patch, you will need to convert your system's known_hosts files to the hashed hosts format.

    The script will attempt to locate each user's known_hosts file and convert it to hashed hosts format. In order to do this correctly, the script must be run as root. Backup copies of the original files will be encrypted and placed in the same directory as the originals. You will want to use a pass phrase that is not used elsewhere on your system. If you need to access the backup files, or if you have any problems running the script, look at the README file and the script's -h (help) option for more information.
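
A post-conversion check, as an added example that is not part of the original page or the project's conversion script: it counts the entries in each known_hosts file that still expose a host name. It assumes hashed entries begin with `|1|`, the marker used by stock OpenSSH's HashKnownHosts format (the format written by this patch may differ); the sample files, host names and keys are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify that known_hosts files no longer expose host names.
# ASSUMPTION: hashed entries begin with "|1|" (stock OpenSSH HashKnownHosts
# format); the 20050214 patch may write a different marker.

# Print "<plaintext> <hashed>" entry counts for one known_hosts file.
count_entries() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        index($1, "|1|") == 1 { hashed++; next } # host field is a salted hash
        { plain++ }                              # host field is readable
        END { printf "%d %d\n", plain, hashed }
    ' "$1"
}

# Report every file given; return 1 if any still holds a plaintext entry.
audit_known_hosts() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        counts=$(count_entries "$f")
        plain=${counts% *}
        hashed=${counts#* }
        if [ "$plain" -gt 0 ]; then
            echo "NOT CONVERTED: $f ($plain plaintext, $hashed hashed)"
            rc=1
        else
            echo "ok: $f ($hashed hashed)"
        fi
    done
    return $rc
}

# Constructed sample files; host names, salts and keys are placeholders.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/mixed" <<'EOF'
# constructed sample
server.example.org,192.0.2.10 ssh-rsa AAAAB3PLACEHOLDER
|1|c2FsdHBsYWNlaG9sZGVy|aGFzaHBsYWNlaG9sZGVy ssh-rsa AAAAB3PLACEHOLDER
EOF
cat > "$SAMPLES/converted" <<'EOF'
|1|c2FsdHBsYWNlaG9sZGVy|aGFzaHBsYWNlaG9sZGVy ssh-rsa AAAAB3PLACEHOLDER
EOF

audit_known_hosts "$SAMPLES/mixed" "$SAMPLES/converted" || echo "conversion incomplete"
```

On a real system, run it as root and pass each user's known_hosts file in place of the sample files; a non-zero return means at least one file still lists host names in the clear.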

M. I. T. Computer Science and Artificial Intelligence Laboratory · 32 Vassar Street · Cambridge, MA 02139 · USA