Key exchange without entity authentication

Description

This rule flags SSH client code that does not verify the server's host key. In Go's golang.org/x/crypto/ssh that means an ssh.ClientConfig whose HostKeyCallback is ssh.InsecureIgnoreHostKey(), which accepts whatever key the server presents. The host key is the only thing that ties the SSH key exchange to a specific server: if the client does not check it, it completes the key exchange with whoever answers on the port, so an attacker who can intercept the connection (Man-in-the-Middle, MitM) can impersonate the server, read and modify the session and, with password authentication, capture the password the client sends.

Remediation

To mitigate this risk, verify the server's host key on every connection:

✅ Implement Host Key Verification

Use the knownhosts package (golang.org/x/crypto/ssh/knownhosts) to validate server keys against a known_hosts file: knownhosts.New returns an ssh.HostKeyCallback that rejects unknown hosts and changed keys, mirroring OpenSSH with strict host key checking. If the client only ever talks to one server whose key ships with the application, ssh.FixedHostKey pins that single key instead.

✅ Avoid Disabling Host Key Checking

Never disable host key checking in production code. It is tempting in tests, but a test-only shortcut tends to leak into release builds; generate a known_hosts entry for the test server instead, so the insecure callback never appears in the code base.

❌ Do Not Use InsecureIgnoreHostKey

ssh.InsecureIgnoreHostKey exists in the library, but using it as the HostKeyCallback must be strictly avoided: it returns nil for every key, so the resulting ClientConfig performs no host validation at all and is open to MitM.

Below is a code snippet showing how to set up an SSH ClientConfig in Go to use the knownhosts callback for server verification:

Resources

Associated CWE

CWE-322: Key Exchange without Entity Authentication

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_crypto_insecure_ignore_host_key

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_crypto_insecure_ignore_host_key
