Fixes for Host key handling #87


Hi Jeff,

please review + pull the patches against Paramiko we use in Python X2Go.

In Python X2Go I monkey patch the methods that get patched by the pull request. I would be glad if I could stop monkey patching for Paramiko >= 1.8.0.

Thanks for taking over the Paramiko project.


sunweaver added some commits Oct 12, 2012
@sunweaver sunweaver Store hostname hashes in memory rather than the non-hashed host entries. Also assures that the host entries in known_hosts get saved in hashed format as it is currently standard in OpenSSH.
@sunweaver sunweaver Assure that host entries in known_hosts files do not duplicate endlessly if keys from known_hosts are loaded via HostKeys.load() more than once (e.g. for refreshing the list of known hosts during runtime).
@sunweaver sunweaver Load host entries from the known_hosts file(s) before writing the file from RAM to disk. Avoids loss of host entries in case other SSH clients have written to the known_hosts file(s) meanwhile.
@sunweaver sunweaver do not write ,,garbage'' to known_hosts file(s) 72ba33e

@sunweaver can you provide me with some instructions for testing/verifying your changes? A changelog entry (in NEWS -- see the latest version of that file, as of tonight, in the 1.8 branch) would be great too!

I'm also curious if you think this could be related to #67.


Hi Jeff,

On Mon 15 Oct 2012 09:14:37 CEST Jeff Forcier wrote:

I'm also curious if you think this could be related to #67.

giving an answer to this one only for now. About your other question,
I will have to think about it a bit.

This issue (#87) is a completely different cup of tea from issue #67.
Host name hashing in known_hosts files has nothing to do with the host
key algorithm in use on individual servers.

Host name hashing simply camouflages the hostnames, ports and public
host keys in the individual host entry lines of a known_hosts file so
that it becomes more difficult to analyse known_hosts files in case
such a file (or a machine with such a file on it) gets hijacked.



Finally got back to this - thanks again! I agree it's orthogonal to #67, so no worries.

Reviewed the changes and they all seem safe enough to merge in. Will tweak + merge in a bit.

@bitprophet bitprophet commented on the diff Apr 28, 2013
@@ -141,6 +141,8 @@ def add(self, hostname, keytype, key):
if (hostname in e.hostnames) and (e.key.get_name() == keytype):
e.key = key
+ if not hostname.startswith('|1|') and hash_hostname:
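Review bot: `hash_hostname` on the added line `+ if not hostname.startswith('|1|') and hash_hostname:` is not defined anywhere in this hunk, and the unchanged signature in the hunk header, `def add(self, hostname, keytype, key):`, has no such parameter, so the new branch raises NameError on the first call to add(). Suggest introducing it as a keyword argument, e.g. `def add(self, hostname, keytype, key, hash_hostname=True):`, and documenting it in the method's docstring; the `hostname.startswith('|1|')` guard itself is right, since an already-hashed field must not be hashed a second time.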
bitprophet Apr 28, 2013 Member

I don't see hash_hostname anywhere else in the codebase (even with your changes applied). As expected, that causes the test suite (python in project root) to fail. I don't think this particular change is required by the others so I'm backing it out for now.

Please submit a new PR if you want to fix that up & resubmit it - assume you were trying to implement an "always hash hostnames" feature as per the commit msg.

sunweaver May 8, 2013 Contributor

Hi Jeff,

the provided patch had an error. I am about to provide a patch that works. Basically, hash_hostname is a kwarg in HostKeyEntry.add(..., hash_hostname=True) .
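An added example, not code from Paramiko or Python X2Go, that shows the two things this thread is about: how OpenSSH hashes hostnames in known_hosts (the camouflaging sunweaver describes above, where a line stores `|1|<salt>|<HMAC-SHA1>` instead of the hostname), and an `add` function that takes the `hash_hostname=True` keyword described in this comment while keeping exactly one entry per host and key type, so that reloading the file does not duplicate entries. The function names, the sample known_hosts lines and the key blobs are constructed for illustration and are not real keys.

```python
# Added example (not Paramiko's code): OpenSSH-style hashed known_hosts handling.
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"  # OpenSSH marker for a hashed hostname field


def hashed_hostname_token(hostname, salt=None):
    """Return the hashed form '|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>'.

    OpenSSH uses a 20-byte salt (the SHA-1 digest size); a fresh random salt is
    drawn when none is given, so two entries for the same host are not linkable.
    """
    if salt is None:
        salt = os.urandom(hashlib.sha1().digest_size)
    mac = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC, base64.b64encode(salt).decode("ascii"),
                        base64.b64encode(mac).decode("ascii"))


def hostname_matches(field, hostname):
    """True if a known_hosts hostname field (hashed or plain) names hostname.

    Plain fields may list several comma-separated names. A hashed field can only
    be tested by recomputing the HMAC with the stored salt, which is why a stolen
    file does not reveal which hosts the user connects to.
    """
    if field.startswith(HASH_MAGIC):
        try:
            salt_b64, mac_b64 = field[len(HASH_MAGIC):].split("|", 1)
            salt = base64.b64decode(salt_b64)
            expected = base64.b64decode(mac_b64)
        except ValueError:  # malformed token (binascii.Error is a ValueError)
            return False
        actual = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in field.split(",")


def parse_known_hosts_line(line):
    """Split one known_hosts line into (hostfield, keytype, key_b64), or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if parts[0].startswith("@"):  # @cert-authority / @revoked markers
        parts = parts[1:]
    if len(parts) < 3:
        return None
    return parts[0], parts[1], parts[2]


def find_host_keys(lines, hostname):
    """Map keytype -> key blob for every entry that matches hostname."""
    found = {}
    for line in lines:
        parsed = parse_known_hosts_line(line)
        if parsed and hostname_matches(parsed[0], hostname):
            found[parsed[1]] = parsed[2]
    return found


def add_host_entry(lines, hostname, keytype, key_b64, hash_hostname=True):
    """Return new lines holding exactly one entry for (hostname, keytype).

    An existing entry for the same host and key type is updated in place and any
    further duplicates are dropped (the endless-duplication problem this PR
    fixes); a brand-new entry is written hashed unless hash_hostname is False.
    """
    out, replaced = [], False
    for line in lines:
        parsed = parse_known_hosts_line(line)
        if parsed and parsed[1] == keytype and hostname_matches(parsed[0], hostname):
            if not replaced:
                out.append("%s %s %s" % (parsed[0], keytype, key_b64))
                replaced = True
            continue
        out.append(line)
    if not replaced:
        field = hashed_hostname_token(hostname) if hash_hostname else hostname
        out.append("%s %s %s" % (field, keytype, key_b64))
    return out


# Constructed sample file (placeholder blobs, not real keys); the fixed salt only
# keeps the sample reproducible, real code lets hashed_hostname_token pick one.
_SAMPLE_SALT = b"\x2a" * 20
ED25519_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBLOB0000000000000"
RSA_BLOB = "AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDERKEYBLOB0000000000000"
SAMPLE_KNOWN_HOSTS = [
    "# constructed sample known_hosts, not taken from any real host",
    "%s ssh-ed25519 %s" % (hashed_hostname_token("example.org", _SAMPLE_SALT), ED25519_BLOB),
    "gateway.example.net,192.0.2.10 ssh-rsa %s" % RSA_BLOB,
]

if __name__ == "__main__":
    print(find_host_keys(SAMPLE_KNOWN_HOSTS, "example.org"))
    # Loading the same file twice must not leave two entries for one host/key type.
    updated = add_host_entry(SAMPLE_KNOWN_HOSTS * 2, "example.org", "ssh-ed25519", "NEWBLOB")
    print("\n".join(updated))
```

Matching a hashed field costs one HMAC per line, which is the price of the camouflage: there is no way to look up a hostname directly, and a plain-text hostname comparison never matches a hashed line, which is the mismatch the thread's `hostname.startswith('|1|')` guard has to take into account before deciding whether to hash.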


@bitprophet bitprophet added a commit that referenced this pull request Apr 28, 2013
@bitprophet bitprophet Changelog re #87 6747d99

Rebased on latest master for now (hard call, decided to just go with master vs release branch). Also see comment. Thanks!

@bitprophet bitprophet closed this Apr 28, 2013