go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key
Verified by r2c
Community Favorite
Author: semgrep
Download Count*: 124,504
License
Disabled host key verification detected. This allows man-in-the-middle attacks. Use the 'golang.org/x/crypto/ssh/knownhosts' package to do host key verification. See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it.
Definition
rules:
  - id: avoid-ssh-insecure-ignore-host-key
    message: Disabled host key verification detected. This allows man-in-the-middle
      attacks. Use the 'golang.org/x/crypto/ssh/knownhosts' package to do host
      key verification. See
      https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to
      learn more about the problem and how to fix it.
    metadata:
      cwe:
        - "CWE-322: Key Exchange without Entity Authentication"
      owasp:
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://github.com/securego/gosec
      references:
        - https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/
        - https://gist.github.com/Skarlso/34321a230cf0245018288686c9e70b2d
      category: security
      technology:
        - go
      confidence: MEDIUM
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    languages:
      - go
    severity: WARNING
    pattern: ssh.InsecureIgnoreHostKey()
Examples
insecure_ssh.go
package main

import (
	"crypto/rand"
	"crypto/rsa"

	"golang.org/x/crypto/ssh"
)

// ok pins a single expected host key, which is the pattern the rule accepts.
func ok() (ssh.HostKeyCallback, error) {
	var publicKey *rsa.PublicKey
	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	publicKey = &privateKey.PublicKey
	hostKey, err := ssh.NewPublicKey(publicKey)
	if err != nil {
		return nil, err
	}
	// ok: avoid-ssh-insecure-ignore-host-key
	return ssh.FixedHostKey(hostKey), nil
}

func main() {
	// ruleid: avoid-ssh-insecure-ignore-host-key
	_ = ssh.InsecureIgnoreHostKey()
}
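The rule's message points at golang.org/x/crypto/ssh/knownhosts as the fix. The following is an added example, not part of the Semgrep rule or its test fixture above: a standard-library-only Go program that shows what the two kinds of host key callback actually decide when a key other than the pinned one is presented. A stand-in for ssh.InsecureIgnoreHostKey() accepts it, while a callback that pins keys parsed from known_hosts text rejects it and also refuses hosts that have no entry. The type hostKeyCallback, the functions marshalEd25519, parseKnownHosts, insecureIgnoreHostKey, pinnedHostKey and scenario, and the hostname bastion.example.internal are all constructed for this example; the known_hosts parser deliberately covers only the plain "host keytype base64key" form, and in real code you should use knownhosts.New or ssh.FixedHostKey from x/crypto rather than this stand-in.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"net"
	"strings"
)

// hostKeyCallback mirrors ssh.HostKeyCallback from golang.org/x/crypto/ssh but takes the raw SSH wire-format key so this stand-in needs only the standard library.
type hostKeyCallback func(hostname string, remote net.Addr, key []byte) error

// marshalEd25519 encodes an ed25519 public key in SSH wire format: the string "ssh-ed25519"
// followed by the 32 key bytes, each field prefixed with its big-endian uint32 length.
func marshalEd25519(pub ed25519.PublicKey) []byte {
	var buf bytes.Buffer
	for _, field := range [][]byte{[]byte("ssh-ed25519"), pub} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		buf.Write(n[:])
		buf.Write(field)
	}
	return buf.Bytes()
}

// parseKnownHosts reads OpenSSH known_hosts text ("host keytype base64key" per line) into a
// map of hostname to pinned key. Unlike knownhosts.New it ignores [host]:port and hashed forms.
func parseKnownHosts(data string) (map[string][]byte, error) {
	pinned := make(map[string][]byte)
	for _, line := range strings.Split(data, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue // blank line or comment
		}
		if len(fields) < 3 {
			return nil, fmt.Errorf("malformed known_hosts line %q", line)
		}
		key, err := base64.StdEncoding.DecodeString(fields[2])
		if err != nil {
			return nil, fmt.Errorf("bad key in line %q: %w", line, err)
		}
		pinned[fields[0]] = key
	}
	return pinned, nil
}

// insecureIgnoreHostKey behaves like ssh.InsecureIgnoreHostKey(): any presented key is accepted, so an interposed host passes as the server.
func insecureIgnoreHostKey() hostKeyCallback {
	return func(string, net.Addr, []byte) error { return nil }
}

// pinnedHostKey is the check the rule asks for: the presented key must equal the pinned entry for that hostname, and hosts without an entry are refused.
func pinnedHostKey(pinned map[string][]byte) hostKeyCallback {
	return func(hostname string, _ net.Addr, key []byte) error {
		want, ok := pinned[hostname]
		if !ok {
			return fmt.Errorf("host %q is not in known_hosts", hostname)
		}
		if !bytes.Equal(want, key) {
			sum := sha256.Sum256(key) // same SHA256 fingerprint form that OpenSSH prints
			return fmt.Errorf("host key mismatch for %q (SHA256:%s)", hostname, base64.RawStdEncoding.EncodeToString(sum[:]))
		}
		return nil
	}
}

type verdict struct{ InsecureAcceptsForged, PinnedRejectsForged, PinnedAcceptsReal bool }

// scenario pins the genuine key of a constructed host, then offers both callbacks a key
// generated by a second party, standing in for a host interposed on the connection.
func scenario() (verdict, error) {
	const host = "bastion.example.internal" // constructed hostname
	realPub, _, err1 := ed25519.GenerateKey(rand.Reader)
	otherPub, _, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return verdict{}, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	known := "# constructed known_hosts\n" + host + " ssh-ed25519 " + base64.StdEncoding.EncodeToString(marshalEd25519(realPub)) + "\n"
	pinned, err := parseKnownHosts(known)
	if err != nil {
		return verdict{}, err
	}
	permissive, strict, forged := insecureIgnoreHostKey(), pinnedHostKey(pinned), marshalEd25519(otherPub)
	return verdict{ // remote address is nil: neither stand-in consults it
		InsecureAcceptsForged: permissive(host, nil, forged) == nil,
		PinnedRejectsForged:   strict(host, nil, forged) != nil,
		PinnedAcceptsReal:     strict(host, nil, marshalEd25519(realPub)) == nil,
	}, nil
}

func main() {
	fmt.Println(scenario())
}
```

Running it prints a verdict in which the permissive callback accepts the forged key while the pinned callback rejects it and accepts only the genuine one. The mismatch error carries the SHA256 fingerprint of the offending key, which is what an operator needs when triaging a host key change, and the pinned callback fails closed for hosts that are missing from known_hosts rather than silently trusting them.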
Short Link: https://sg.run/Yv6X