Do not ignore SSH host validation

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: go-security/ssh-ignore-keys

Language: Go

Severity: Warning

Category: Security

CWE: 295

Description

SSH host validation should never be ignored and always be enforced to avoid man-in-the-middle attacks.

Learn More

Non-Compliant Code Examples

package main

import (
	"golang.org/x/crypto/ssh"
)

func main() {
	_ =  ssh.InsecureIgnoreHostKey()
}

Compliant Code Examples

package main

import (
	"golang.org/x/crypto/ssh"
)

func main() {
	// Use a more secure approach instead of InsecureIgnoreHostKey
	hostKeyCallback, _ := ssh.NewKnownHostsCallback("/path/to/known_hosts")
}

package main

import (
	"golang.org/x/crypto/ssh"
)

func main() {
	// not valid in tests
	_ =  ssh.InsecureIgnoreHostKey()
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Security

Datadog Code Security
PREVIEWING: rob.carlan/rabbitmq-integration-metric-enhancements