With HP-UX Secure Shell A.08.10.003 (or later), login takes 2 to 4 times longer than with A.07.40.xxx (or earlier) if the client user has a large .ssh/known_hosts (with thousands of records or more).
HP-UX 11i v3 servers running HP-UX Secure Shell (T1471AA) A.09.30.00x or A.08.10.00x.
With HP-UX Secure Shell A.08.10.00x, the libc call used to read the known_hosts file changed to one that performs extra synchronization, resulting in a noticeable login delay with a large .ssh/known_hosts.

With HP-UX Secure Shell A.09.30.00x, the login delay of A.08.10.00x has been addressed. However, this version has adopted the CVE-2020-14145 mitigation changes from OpenSSH 8.5, which perform extra processing on the known_hosts file and take more time. As a result, login time is still much longer than with A.07.40.xxx (or earlier).

To mitigate the inefficiency of managing a large known_hosts file, one of the following OpenSSH options may be used to tune host key management. (For more background on these options, refer to the OpenSSH 8.5 release notes and to man ssh_config.)

1. Avoiding known_hosts updates when the current configuration already sets “StrictHostKeyChecking=no”:

With “StrictHostKeyChecking=no”, checking of host keys is disabled, but the known_hosts file still has to be updated with any key the server proposes, causing the same login delay as without this option. The option “UserKnownHostsFile=/dev/null” may be used in conjunction with “StrictHostKeyChecking=no” to avoid any known_hosts update, since server host keys will then not be used to verify the remote server's signature.

WARNING: Using “StrictHostKeyChecking=no” is not recommended from a security standpoint, since it opens the door to any type of man-in-the-middle attack.

2. Splitting the large known_hosts file into small ones based on host keys:

Different host keys are stored in different files. The option UserKnownHostsFile can be used, as shown in the examples below, to save the keys of different peer servers in separate files under the $HOME/.ssh/splitkh directory:

- “UserKnownHostsFile=%d/.ssh/splitkh/kh_%C”
  With this option, the TOKEN %C in the known_hosts filename is replaced by sha1(hostname, remotename, remoteport, remoteuser). A possible side effect is that different known_hosts files are updated for different ports/users on the same host.

- “UserKnownHostsFile=%d/.ssh/splitkh/kh_%h”
  The TOKEN %h in the known_hosts filename is replaced by the remote name, so this lowers the benefit of hashed known_hosts.

Note: With either of these two options, the number of split known_hosts files in a single directory may become large. In that case, listing the directory will take a long time.

3. Custom known host key processing:

The option KnownHostsCommand can be used to specify a command that executes a custom-made script, with TOKEN(s) as arguments, for more efficient known host key processing, for example using a database.

The above options to mitigate the longer login time may be added on the command line with the -o prefix, in $HOME/.ssh/config for per-user configuration, or in /etc/opt/ssh/ssh_config for global configuration. For further questions about implementing the above options, consult your HPE support representatives.
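As an added example that is not part of the HPE advisory, the following POSIX shell script illustrates option 3 combined with the per-host split of option 2: a KnownHostsCommand helper that serves known_hosts lines from one small file per host instead of scanning a single file with thousands of entries. The script path /opt/local/bin/kh_lookup.sh, the kh_<host> file naming and the KH_DIR variable are assumptions; the %H token and the known_hosts output format follow ssh_config(5) and sshd(8).

```shell
# kh_lookup.sh: hypothetical KnownHostsCommand helper (added example, not HPE code).
# Configure in /etc/opt/ssh/ssh_config or $HOME/.ssh/config as:
#   KnownHostsCommand /opt/local/bin/kh_lookup.sh %H
# Keys are kept one host per file under $KH_DIR (assumed layout), in
# known_hosts line format, so each connection reads one small file. A database
# lookup would replace the file read in kh_lookup below.
KH_DIR="${KH_DIR:-$HOME/.ssh/splitkh}"

# Map the searched-for name (%H) to a file name. ssh passes "[host]:port" for
# non-default ports; reduce that to the bare host so one file covers all ports.
kh_filename() {
    h=$1
    case $h in
        \[*\]:*) h=${h#\[}; h=${h%%\]:*} ;;
    esac
    # Reject anything outside the characters of a host name or address, so a
    # name containing "/" or ".." cannot select a file outside KH_DIR.
    case $h in
        *[!A-Za-z0-9._:-]*) return 1 ;;
    esac
    printf '%s/kh_%s\n' "$KH_DIR" "$h"
}

# Print zero or more known_hosts lines for %H on stdout. A non-zero exit makes
# ssh abort the connection, so a missing file is an empty (unknown host) result
# and only an unacceptable name is a hard failure.
kh_lookup() {
    f=$(kh_filename "$1") || return 1
    [ -f "$f" ] || return 0
    # Drop comment and blank lines; @cert-authority/@revoked markers pass through.
    # "|| :" keeps the exit status 0 when the file yields no key lines.
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" || :
}

# Act as the command only when invoked by ssh as the script itself.
if [ "${0##*/}" = "kh_lookup.sh" ]; then
    kh_lookup "$1"
fi
```

ssh performs the actual host key matching (including hashed names) on the lines returned, so the helper only narrows what is read, it does not replace verification.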
Operating Systems Affected: Not Applicable