Insecure SSH Connection
Description
The application ignores SSH host keys, which are what allow a client to verify that it is talking to the host it intends to reach. By ignoring them, the client has no way to validate that the connection is to a trusted host rather than to an impostor sitting between client and server.
Examples
Insecure Code
```go
// Accepts any host key presented by the remote side, so the server is never authenticated.
HostKeyCallback: ssh.InsecureIgnoreHostKey(),
```
Secure Code
```go
// Build a callback that only accepts keys recorded in the user's known_hosts file.
knownHostCallback, err := knownhosts.New("/home/user/.ssh/known_hosts")
if err != nil {
	return err
}
config := &ssh.ClientConfig{
	...
	HostKeyCallback: knownHostCallback,
}
```
Remediation
Use the knownhosts package (golang.org/x/crypto/ssh/knownhosts) to parse OpenSSH's known_hosts key database and pass the resulting callback as the HostKeyCallback property of ssh.ClientConfig.
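An added example, not part of this rule page or of the x/crypto library, showing in standard-library Go what a known_hosts-backed HostKeyCallback actually checks and what ssh.InsecureIgnoreHostKey skips. PresentedKey, HostKeyCallback and NewKnownHostsCallback are simplified stand-ins for ssh.PublicKey, ssh.HostKeyCallback and knownhosts.New; any known_hosts content and key bytes fed to it are constructed test data.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"errors"
	"net"
	"strings"
)

// PresentedKey is what a known_hosts check needs from ssh.PublicKey: algorithm name and wire bytes.
type PresentedKey struct{ Type string; Wire []byte }
// HostKeyCallback mirrors the shape of ssh.HostKeyCallback (ssh.InsecureIgnoreHostKey returns nil for every key).
type HostKeyCallback func(hostname string, remote net.Addr, key PresentedKey) error
var ErrUnknownHost = errors.New("host not present in known_hosts")
var ErrHostKeyMismatch = errors.New("host key differs from known_hosts entry: possible MITM")

// NewKnownHostsCallback parses plain known_hosts lines ("host[,host] keytype base64key") and
// returns a callback that accepts only a key recorded for that hostname. Hashed (|1|) entries,
// @cert-authority/@revoked markers and [host]:port forms are out of scope for this example.
func NewKnownHostsCallback(knownHosts string) HostKeyCallback {
	type entry struct{ keyType string; wire []byte }
	known := map[string][]entry{}
	for _, line := range strings.Split(knownHosts, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 3 || strings.HasPrefix(fields[0], "#") {
			continue // blank line or comment
		}
		wire, err := base64.StdEncoding.DecodeString(fields[2])
		if err != nil {
			continue // malformed entry: never trust what cannot be parsed
		}
		for _, h := range strings.Split(fields[0], ",") {
			known[h] = append(known[h], entry{fields[1], wire})
		}
	}
	return func(hostname string, _ net.Addr, key PresentedKey) error {
		entries, ok := known[hostname]
		if !ok {
			return ErrUnknownHost // a non-interactive client must fail closed here
		}
		for _, e := range entries {
			if e.keyType == key.Type && bytes.Equal(e.wire, key.Wire) {
				return nil // key matches the pinned entry
			}
		}
		return ErrHostKeyMismatch
	}
}
```

Both error paths are exactly the cases an InsecureIgnoreHostKey callback turns into a silent success.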
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0776 |
| Category | Auth |
| Severity | MEDIUM |
| CWE | CWE-322 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | ssh, authentication, known_hosts |
| OWASP | A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures |