Do not ignore SSH host validation

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Metadata

ID: go-security/ssh-ignore-keys

Language: Go

Severity: Warning

Category: Security

CWE: 295

Description

SSH host validation should never be ignored and always be enforced to avoid man-in-the-middle attacks.

Learn More

Non-Compliant Code Examples

package main

import (
	"golang.org/x/crypto/ssh"
)

func main() {
	_ =  ssh.InsecureIgnoreHostKey()
}

Compliant Code Examples

package main

import (
	"golang.org/x/crypto/ssh"
)

func main() {
	// Use a more secure approach instead of InsecureIgnoreHostKey
	hostKeyCallback, _ := ssh.NewKnownHostsCallback("/path/to/known_hosts")
}

package main

import (
	"golang.org/x/crypto/ssh"
)

func main() {
	// not valid in tests
	_ =  ssh.InsecureIgnoreHostKey()
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Security

Datadog Code Security
PREVIEWING: aliciascott/DOCS-10646-HA-Agent