Do not ignore SSH host validation

Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST Rules > Do not ignore SSH host validation

Metadata

ID: go-security/ssh-ignore-keys

Language: Go

Severity: Warning

Category: Security

CWE: 295

Related CWEs:

Description

SSH host validation should never be ignored and always be enforced to avoid man-in-the-middle attacks.

Learn More

CWE-295: Improper Certificate Validation

Non-Compliant Code Examples

package main

import (
	"golang.org/x/crypto/ssh"
)

func main() {
	_ =  ssh.InsecureIgnoreHostKey()
}

Compliant Code Examples

package main

import (
	"golang.org/x/crypto/ssh"
)

func main() {
	// Use a more secure approach instead of InsecureIgnoreHostKey
	hostKeyCallback, _ := ssh.NewKnownHostsCallback("/path/to/known_hosts")
}

package main

import (
	"golang.org/x/crypto/ssh"
)

func main() {
	// not valid in tests
	_ =  ssh.InsecureIgnoreHostKey()
}