Is there a security risk to disclosing your SSH known_hosts file?

I'm speaking at a conference next week about some software tools I've created. My laptop will be shown on a projector screen during this presentation. The presentation will be videotaped and posted on YouTube. If, for some reason, I have occasion to open and edit my ~/.ssh/known_hosts file during this presentation, should I disconnect the projector while doing so? Is there any security risk to disclosing my known_hosts file?


Solution 1:

The known_hosts file contains the trusted public keys for hosts you connected to in the past. These public keys can be obtained simply by trying to connect to these hosts. Therefore it is no security risk per se.

But: It contains a history of hosts you connected to. The information may be used by a potential attacker to footprint organization infrastructure for example. Also it informs potential attackers that you probably have access to certain hosts and that stealing your laptop will give them access as well.

Edit: To avoid showing your known_hosts file I recommend you use the ssh-keygen utility. ssh-keygen -R ssh1.example.org for example removes the trusted keys for ssh1.example.org from your known_hosts.

Solution 2:

There's nothing particularly dangerous about this. However, you may not wish to disclose this identifying information. Sometimes the existence of hosts reveals good lines of attack for those inclined. You can either make use of HashKnownHosts, or you can edit the file without looking at it.


Blind edit:
sed -i 25d .ssh/known_hosts will delete line 25 without putting any contents on screen.

HashKnownHosts
Indicates that ssh(1) should hash host names and addresses when they are added to ~/.ssh/known_hosts. These hashed names may be used normally by ssh(1) and sshd(8), but they do not reveal identifying information should the file's contents be disclosed. The default is “no”. Note that existing names and addresses in known hosts files will not be converted automatically, but may be manually hashed using ssh-keygen(1).
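As an added worked example, not part of either answer above: the Python below implements the hashed host field that HashKnownHosts and ssh-keygen -H write, which is "|1|" followed by base64(salt) and base64(HMAC-SHA1 keyed with the salt over the host string). It also provides simplified equivalents of ssh-keygen -F (look up a host) and ssh-keygen -R (remove a host, as Solution 1 recommends) so you can see how ssh still finds the right key in a hashed file. The sample known_hosts contents and key blobs are constructed placeholders, and the plaintext matching is exact-name only; ssh itself also honours wildcard patterns and negation.

```python
"""Hash, look up and remove entries in an OpenSSH known_hosts file.

Implements the "|1|<salt>|<hash>" host field that HashKnownHosts and
ssh-keygen -H write: salt is 20 random bytes, hash is HMAC-SHA1 keyed
with the salt over the host string exactly as it appears in the file
("host", "10.0.0.5" or "[host]:2222"). Sample file contents are constructed.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional

HASH_MAGIC = "|1|"

# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# comment and blank lines are kept as-is
ssh1.example.org,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY1
[git.example.org]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEY2
"""


def hash_host(host: str, salt: Optional[bytes] = None) -> str:
    """Return the hashed host field for one host string, as OpenSSH writes it."""
    if salt is None:
        salt = os.urandom(20)  # OpenSSH draws a fresh 20-byte salt per entry
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    salt_b64 = base64.b64encode(salt).decode()
    return HASH_MAGIC + salt_b64 + "|" + base64.b64encode(digest).decode()


def host_matches(hashed_field: str, host: str) -> bool:
    """True if a "|1|salt|hash" field was produced from `host`.

    Note this is the only way anyone, ssh included, can relate a hashed
    entry to a name: by already knowing the candidate name to test.
    """
    if not hashed_field.startswith(HASH_MAGIC):
        return False
    salt_b64, hash_b64 = hashed_field[len(HASH_MAGIC):].split("|", 1)
    actual = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, base64.b64decode(hash_b64))


def _is_entry(line: str) -> bool:
    """False for blank and comment lines, which every function passes through."""
    stripped = line.strip()
    return bool(stripped) and not stripped.startswith("#")


def _split(line: str):
    """Split an entry into (host_field, rest) where rest is "keytype key [comment]"."""
    host_field, _, rest = line.strip().partition(" ")
    return host_field, rest


def hash_known_hosts(text: str) -> str:
    """Rewrite plaintext entries into hashed form, like ssh-keygen -H.

    Already-hashed lines, wildcard patterns and @cert-authority / @revoked
    marker lines are left unchanged; a comma-separated host list becomes one
    hashed line per host, since one hash can only cover a single string.
    """
    out = []
    for line in text.splitlines():
        host_field, rest = _split(line) if _is_entry(line) else ("", "")
        if (not host_field or host_field.startswith((HASH_MAGIC, "@"))
                or "*" in host_field or "?" in host_field):
            out.append(line)
            continue
        for host in host_field.split(","):
            out.append(hash_host(host) + " " + rest)
    return "\n".join(out) + "\n"


def _entry_matches(host_field: str, host: str) -> bool:
    """Exact-name match for plain lists, HMAC check for hashed fields.
    (Simplification: ssh also honours wildcard patterns and negation here.)"""
    if host_field.startswith(HASH_MAGIC):
        return host_matches(host_field, host)
    return host in host_field.split(",")


def find_host(text: str, host: str) -> List[str]:
    """Return the key parts of every entry for `host`, like ssh-keygen -F."""
    return [_split(line)[1] for line in text.splitlines()
            if _is_entry(line) and _entry_matches(_split(line)[0], host)]


def remove_host(text: str, host: str) -> str:
    """Drop every line holding an entry for `host`, like ssh-keygen -R."""
    kept = [line for line in text.splitlines()
            if not (_is_entry(line) and _entry_matches(_split(line)[0], host))]
    return "\n".join(kept) + "\n"
```

Running hash_known_hosts over the sample shows the property the man page describes: the result carries no hostnames or addresses, yet find_host still locates the right key when given the name. It also shows the limit of that protection: a hashed entry can only be related to a name by testing a candidate, so hashing guards against casual disclosure of which hosts you use, not against someone who can guess them. Convert a real file with ssh-keygen -H on a backed-up copy rather than with this code.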