trailofbits.generic.ssh-disable-host-key-checking.ssh-disable-host-key-checking

Author: trailofbits

Found ssh command disabling host key checking


Definition

rules:
  - id: ssh-disable-host-key-checking
    message: Found `ssh` command disabling host key checking
    languages:
      - generic
    severity: WARNING
    metadata:
      category: security
      subcategory:
        - audit
      technology:
        - shell
      cwe: "CWE-295: Improper Certificate Validation"
      confidence: MEDIUM
      likelihood: MEDIUM
      impact: HIGH
      references:
        - https://man7.org/linux/man-pages/man1/ssh.1.html
      license: AGPL-3.0 license
      vulnerability_class:
        - Improper Authentication
    pattern: ssh ... StrictHostKeyChecking=no

Examples

ssh-disable-host-key-checking.sh

#!/bin/bash

# ruleid: ssh-disable-host-key-checking
ssh -o StrictHostKeyChecking=no user@hostname

# ok: ssh-disable-host-key-checking
ssh user@hostname
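The rule above matches the literal `ssh ... StrictHostKeyChecking=no` form. The following is an added example, not part of the Semgrep rule or Trail of Bits' code: a small Python checker that applies the same idea to a shell script and also reports the variants a CI script tends to use (`scp`/`sftp`, the `-oStrictHostKeyChecking=no` spelling, and the quoted `-o "StrictHostKeyChecking no"` form), while grading `accept-new` lower because it still verifies the key on every connection after the first. The sample script, the `Finding` type and the function names are constructed for this example; the option semantics follow the ssh(1) man page the rule references.

```python
import re
import shlex
from dataclasses import dataclass

# ssh_config keywords are case-insensitive; the value is compared lowercased.
# Accepts "StrictHostKeyChecking=no" and "StrictHostKeyChecking no".
_OPT_RE = re.compile(r"StrictHostKeyChecking\s*[=\s]\s*(\S+)", re.IGNORECASE)

# scp and sftp accept the same -o options as ssh, so they are checked too.
SSH_CLIENTS = {"ssh", "scp", "sftp"}


@dataclass
class Finding:
    lineno: int
    command: str
    value: str
    severity: str


def _is_ssh_client(token: str) -> bool:
    # Match on the basename so "/usr/bin/ssh" counts but "ssh-keygen" does not.
    return token.rsplit("/", 1)[-1] in SSH_CLIENTS


def _host_key_setting(line: str):
    """Return the StrictHostKeyChecking value set on an ssh-family command line,
    lowercased, or None when the line is not such a command or sets no value."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = line.split()
    if not any(_is_ssh_client(t) for t in tokens):
        return None
    # Re-joining the tokens normalises "-o StrictHostKeyChecking=no",
    # "-oStrictHostKeyChecking=no" and '-o "StrictHostKeyChecking no"'.
    match = _OPT_RE.search(" ".join(tokens))
    return match.group(1).lower() if match else None


def scan(script_text: str) -> list:
    """Flag lines that weaken host key verification.

    "no"         -> WARNING: the client accepts any host key (CWE-295, as in the rule)
    "accept-new" -> INFO: trust-on-first-use; later key changes are still rejected
    "yes"/"ask"/unset -> not reported, the default behaviour already verifies
    """
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        value = _host_key_setting(line)
        if value == "no":
            findings.append(Finding(lineno, line.strip(), value, "WARNING"))
        elif value == "accept-new":
            findings.append(Finding(lineno, line.strip(), value, "INFO"))
    return findings


# Constructed sample script mixing unsafe, weakened and safe invocations.
SAMPLE_SCRIPT = """#!/bin/bash
# constructed sample for the checker
ssh -o StrictHostKeyChecking=no user@hostname
scp -oStrictHostKeyChecking=no ./build.tgz user@hostname:/srv/
sftp -o "StrictHostKeyChecking no" user@hostname
ssh -o StrictHostKeyChecking=accept-new user@hostname
ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=./known_hosts user@hostname
ssh user@hostname
ssh-keygen -F hostname
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SCRIPT):
        print(f"{f.severity:7} line {f.lineno}: StrictHostKeyChecking={f.value}  {f.command}")
```

The safe shape the checker leaves alone is the one on line 7 of the sample: keep `StrictHostKeyChecking=yes` and point `UserKnownHostsFile` at a known_hosts file whose entry for the server was obtained out of band (from the server's own `ssh_host_*_key.pub` files or an authenticated channel), which gives a non-interactive connection without giving up host authentication.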