GSC-G106 · Audit the use of `ssh.InsecureIgnoreHostKey` function

Audit the use of ssh.InsecureIgnoreHostKey function GSC-G106

Security

Minor

5 days ago — 2 years old

Use of ssh InsecureIgnoreHostKey should be audited

65	config := ssh.ClientConfig{
66		User:            user,
67		Auth:            auths,
68		HostKeyCallback: ssh.InsecureIgnoreHostKey(),69	}
70
71	addr := fmt.Sprintf("%s:%d", ipAddr, port)

Use of ssh InsecureIgnoreHostKey should be audited

go/conn.go

65	config := ssh.ClientConfig{
66		User:            user,
67		Auth:            auths,
68		HostKeyCallback: ssh.InsecureIgnoreHostKey(),69	}
70
71	addr := fmt.Sprintf("%s:%d", ipAddr, port)

Description

InsecureIgnoreHostKey is used to accept any host key. It should not be used for production code.

ssh.InsecureIgnoreHostKey(), the function simply returns a nil which has no host key checking handling and hence insecure. It is not recommended to configure your client to use ssh.InsecureIgnoreHostKey() in production. Instead, secure configuration should be used to prevent server spoofing or man-in-the-middle attacks, which could otherwise be used to circumvent the encryption.

Bad practice

package main

import "golang.org/x/crypto/ssh"

func main() {
    // SSH's Client Configuration
    isc := &ssh.ClientConfig{
        User:            "user",
        Auth:            []ssh.AuthMethod{ssh.Password("pass")},
        HostKeyCallback: ssh.InsecureIgnoreHostKey(),
    }
}

package main

import (
    "encoding/base64"
    "fmt"
    "net"
    "os"

    "golang.org/x/crypto/ssh"
)

func keyString(pk ssh.PublicKey) string {
    return pk.Type() + " " + base64.StdEncoding.EncodeToString(pk.Marshal())
}

func TrustedHostKeyCallback(key string) ssh.HostKeyCallback {
    if key == "" {
        return func(_ string, _ net.Addr, k ssh.PublicKey) error {
            fmt.Fprintf(os.Stderr, "[WARN] SSH key verification is not in effect (Fix by adding trustedKey: %q)
", keyString(k))
            return nil
        }
    }

    return func(_ string, _ net.Addr, k ssh.PublicKey) error {
        if ks := keyString(k); key != ks {
            return fmt.Errorf("[ERROR] SSH key verification: expected %q but got %q", key, ks)
        }
        return nil
    }
}

func main() {
    // Server Key
    hostKey := "dummy-host-key"

    // SSH's Client Configuration
    ssc := &ssh.ClientConfig{
        User:            "user",
        Auth:            []ssh.AuthMethod{ssh.Password("pass")},
        HostKeyCallback: TrustedHostKeyCallback(hostKey),
    }

}

References

CWE-322

QuackatronHQ / Gigarepo

Bad practice

Recommended

References