trailofbits.generic.ssh-disable-host-key-checking.ssh-disable-host-key-checking
trailofbits
Author
unknown
Found `ssh` command disabling host key checking
Definition
rules:
  - id: ssh-disable-host-key-checking
    message: Found `ssh` command disabling host key checking
    languages:
      - generic
    severity: WARNING
    metadata:
      category: security
      subcategory:
        - audit
      technology:
        - shell
      cwe: "CWE-295: Improper Certificate Validation"
      confidence: MEDIUM
      likelihood: MEDIUM
      impact: HIGH
      references:
        - https://man7.org/linux/man-pages/man1/ssh.1.html
      license: AGPL-3.0 license
      vulnerability_class:
        - Improper Authentication
    pattern: ssh ... StrictHostKeyChecking=no
Examples
ssh-disable-host-key-checking.sh
#!/bin/bash
# Disables host key verification: an unknown host key is accepted and added to
# known_hosts without prompting, so the client cannot tell a spoofed host apart.
# ruleid: ssh-disable-host-key-checking
ssh -o StrictHostKeyChecking=no user@hostname
# Default behaviour: the host key is checked against known_hosts before connecting.
# ok: ssh-disable-host-key-checking
ssh user@hostname
Short Link: https://sg.run/2ZWd8