
On Thu, Nov 29, 2007 at 06:12:13PM +0100, Andrea Rossato wrote:
On Thu, Nov 29, 2007 at 05:50:30PM +0100, Dominik Bruhn wrote:
There seems to be one problem: the completion for the ssh-prompt is not working at all. Although I have no knowledge of Haskell at all, I think the code includes this completion but tries to read the ~/.ssh/known_hosts. This file exists but does not contain the ssh hosts I connected to in cleartext, so they get skipped. On the other side, the file ~/.xmonad_history contains all the hosts I connected to, but this file is not taken into account upon completion.
The history is not used for completions: you may have wrong addresses in your history, or whatever, so I don't think completion using history is the way to go.
If it is not possible to read the list of known hosts, it is not possible to, ehm... create a list of known hosts. I see only two ways out of this problem: a second prompt function, something like sshPrompt', with an explicit list of known hosts: that would not be a flexible solution, but it could provide a solution for situations like yours.
A second way could be to actually read that text. Which only requires knowing how it is obfuscated (btw, why should I obfuscate the known hosts of my account?)
Do you think this second one is feasible? And what about the first?
The second is definitely not feasible. The known hosts are stored according to cryptographic hashes of the hosts themselves, precisely to prevent someone from reading the known_hosts file and finding out from it what hosts you have connected to. This feature of openssh can, however, be disabled with "HashKnownHosts no" in the ssh_config (also needed to make bash_completion work for ssh).

The point of this feature is to prevent someone who has gained access to your account (and thus, through keylogging, to your private ssh key) from being able to easily compromise accounts on all other machines you access. It's a little silly, since the information is in .bash_history (or in this case .xmonad_history) anyways. The paranoid will also clear out those files, but for the non-paranoid, this feature of openssh gains essentially nothing in security (just forcing bot-writers to parse .bash_history, not too difficult, and this also would let them know what ports to connect to).

Searching through .xmonad_history wouldn't be a bad workaround. If users get a typo in there, they could easily edit the history to remove that typo. But the best solution is to disable this feature in openssh.

--
David Roundy
Department of Physics
Oregon State University
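An added example (not part of the thread) showing what David describes: a known_hosts entry written with HashKnownHosts is `|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>`, so a given hostname can still be checked against the file, but the names can only be listed from unhashed lines, which is why a completer has nothing to offer. The sample file is constructed, with placeholder key blobs; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, List, Optional

HASH_MAGIC = "|1|"  # prefix OpenSSH puts on hashed host fields


def make_hashed_field(hostname: str, salt: Optional[bytes] = None) -> str:
    """Build a hashed host field as HashKnownHosts does: |1|salt|HMAC-SHA1(salt, host)."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_field_matches(field: str, hostname: str) -> bool:
    """True if a host field (hashed, or clear comma-separated names) names hostname.
    Clear-text wildcards (*, ?, !) are not handled here."""
    if not field.startswith(HASH_MAGIC):
        return hostname in field.split(",")
    try:
        salt_b64, mac_b64 = field[len(HASH_MAGIC):].split("|", 1)
        salt, mac = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
    except ValueError:
        return False  # malformed entry: treat as non-matching
    return hmac.compare_digest(hmac.new(salt, hostname.encode(), hashlib.sha1).digest(), mac)


def host_fields(lines: Iterable[str]) -> List[str]:
    """Host field of each real entry, skipping blanks, comments and @cert-authority/@revoked markers."""
    out = []
    for line in lines:
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):
            parts = parts[1:]
        if len(parts) >= 3:  # host, key type, key
            out.append(parts[0])
    return out


def is_known_host(lines: Iterable[str], hostname: str) -> bool:
    """Membership check works even for hashed entries (this is what ssh itself does)."""
    return any(host_field_matches(f, hostname) for f in host_fields(lines))


def readable_hosts(lines: Iterable[str]) -> List[str]:
    """Only unhashed entries yield names a completer could list."""
    return [n for f in host_fields(lines) if not f.startswith(HASH_MAGIC) for n in f.split(",")]


# Constructed sample: one hashed entry (non-standard port form) and one clear entry; keys are placeholders.
SAMPLE = [
    make_hashed_field("[git.example.org]:2222", b"A" * 20) + " ssh-ed25519 AAAAPLACEHOLDERKEY1",
    "build.example.org,10.0.0.5 ssh-ed25519 AAAAPLACEHOLDERKEY2",
]
```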