[xmonad] Ssh-Prompt: Completion

David Roundy droundy at darcs.net
Thu Nov 29 12:20:42 EST 2007


On Thu, Nov 29, 2007 at 06:12:13PM +0100, Andrea Rossato wrote:
> On Thu, Nov 29, 2007 at 05:50:30PM +0100, Dominik Bruhn wrote:
> > There seems one problem: The completion for the ssh-prompt is not
> > working at all. Although I have no knowledge of haskell at all I think
> > the code includes this completion but tries to read the
> > ~/.ssh/known_hosts. This file exists but does not contain the ssh-hosts
> > I connected to in cleartext so they get skipped. On the other side the
> > file ~/.xmonad_history contains all the hosts I connected to but this
> > file is not taken into account upon completion.
> 
> The history is not used for completions: you may have wrong addresses
> in your history, or whatever, so I don't think completions using
> history is the way to go.
> 
> If it is not possible to read the list of known hosts it is not possible
> to, ehm... create a list of known hosts. I see only two ways out of
> this problem: a second prompt function, something like sshPrompt',
> with an explicit list of known hosts: that would not be a flexible
> solution, but it could provide a solution for situations like yours.
> 
> A second way could be to actually read that text. Which only
> requires knowing how it is obfuscated (btw, why should I obfuscate the
> known hosts of my account?)
> 
> Do you think this second one is feasible? And what about the first?

The second is definitely not feasible.  The known hosts are stored
according to cryptographic hashes of the hosts themselves precisely to
prevent someone from reading the known_hosts file and finding out from it what
hosts you have connected to.  This feature of openssh can, however, be
disabled with "HashKnownHosts no" in the ssh_config (also needed to make
bash_completion work for ssh).

The point of this feature is to prevent someone who has gained access to
your account (and thus through keylogging to your private ssh key) from
being able to easily compromise accounts on all other machines you access.
It's a little silly, since the information is in .bash_history (or in this
case .xmonad_history) anyways.  The paranoid will also clear out those
files, but for the non-paranoid, this feature of openssh gains essentially
nothing in security (just forcing bot-writers to parse .bash_history, not
too difficult, and this also would let them know what ports to connect to).

Searching through .xmonad_history wouldn't be a bad workaround.  If users
get a typo in there, they could easily edit the history to remove that
typo.  But the best solution is to disable this feature in openssh.
-- 
David Roundy
Department of Physics
Oregon State University
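Added example, not code from this thread or from xmonad: a small Python model of the hashed known_hosts host field David describes (`|1|base64(salt)|base64(HMAC-SHA1(salt, host))`), showing why a completion routine gets no name out of a hashed line while a lookup of a name you already know still works, which is what `ssh-keygen -F` does. The sample entries, the fixed salt and the key blobs are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import List, Optional

HASH_MAGIC = "|1|"  # prefix OpenSSH puts on a hashed host field (hostfile.c)

def hash_host(host: str, salt: bytes) -> str:
    """Hashed host field: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))."""
    digest = hmac.new(salt, host.encode("utf-8"), hashlib.sha1).digest()
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return HASH_MAGIC + b64(salt) + "|" + b64(digest)

def host_field(line: str) -> Optional[str]:
    """First column of a known_hosts line, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    return line.split(None, 1)[0]

def entry_matches(line: str, host: str) -> bool:
    """Does this line cover `host`? Handles hashed and plain comma-separated
    fields; wildcard, negated and [host]:port patterns are left out."""
    field = host_field(line)
    if field is None:
        return False
    if field.startswith(HASH_MAGIC):
        # Recompute the HMAC with the stored salt; equal output means same host.
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hash_host(host, salt), field)
    return host in field.split(",")

def completion_candidates(lines: List[str]) -> List[str]:
    """Names a prompt could offer; a hashed field yields no recoverable name."""
    names: List[str] = []
    for line in lines:
        field = host_field(line)
        if field is None or field.startswith(HASH_MAGIC):
            continue  # nothing to complete from without guessing the host
        for name in field.split(","):
            if name not in names:
                names.append(name)
    return names

# Constructed sample file; key blobs are placeholders, not real keys.
SALT = bytes(range(20))  # fixed for reproducibility; OpenSSH draws 20 random bytes
SAMPLE_KNOWN_HOSTS = [
    "shell.example.org,192.0.2.10 ssh-ed25519 AAAAC3PLACEHOLDER",
    hash_host("git.example.org", SALT) + " ssh-ed25519 AAAAC3PLACEHOLDER",
]
```

With "HashKnownHosts no" the second line would be written as a plain `git.example.org ...` entry and the completion list would contain it.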
