Key exchange without entity authentication
- Rule ID: go_gosec_crypto_insecure_ignore_host_key
- Languages: go
- Source: insecure_ignore_host_key.yml
This rule flags SSH client code that skips verification of the server's host key. The host key is what confirms the server's identity; without checking it, a client cannot tell a genuine server from an attacker positioned in the path (a Man-in-the-Middle, MitM), so every later step of the session, authentication and data transfer included, runs against an unverified peer.
To mitigate this risk, implement proper host key checking:
✅ Implement Host Key Verification
Use the knownhosts package from Go's x/crypto/ssh to validate server keys against known hosts. This mirrors the functionality found in OpenSSH.
✅ Avoid Disabling Host Key Checking
Never disable host key checking in production code. While it might be convenient for testing, it opens up security vulnerabilities.
❌ Do Not Use ssh.InsecureIgnoreHostKey
Although available, using ssh.InsecureIgnoreHostKey as the HostKeyCallback function should be strictly avoided, as it does not offer any form of host validation.
Below is a code snippet showing how to set up an SSH ClientConfig in Go to use the knownhosts callback for server verification:
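As an added illustration (not the page's own snippet and not code from golang.org/x/crypto), the following stand-alone Go program shows what verification against known_hosts lines actually checks, next to the always-accept callback this rule flags. The HostKeyCheck type and the sample key bytes are hypothetical and constructed for the example; in real code, pass knownhosts.New(path) as ClientConfig.HostKeyCallback rather than reimplementing this.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var ErrUnknownHost = errors.New("host key verification failed: host not in known_hosts")
var ErrKeyMismatch = errors.New("host key verification failed: key changed (possible MitM)")

// HostKeyCheck is a hypothetical, simplified stand-in for ssh.HostKeyCallback.
type HostKeyCheck func(hostname, keyType string, key []byte) error

// insecureIgnore is the behaviour the rule flags: every presented key is accepted.
func insecureIgnore(hostname, keyType string, key []byte) error { return nil }

// knownHostsCheck builds a HostKeyCheck from "host[,alias...] key-type base64-key" lines.
func knownHostsCheck(lines []string) (HostKeyCheck, error) {
	pinned := map[string][]byte{} // "host key-type" -> raw key bytes
	for _, ln := range lines {
		f := strings.Fields(ln)
		if len(f) < 3 || strings.HasPrefix(f[0], "#") {
			continue // blank line or comment
		}
		raw, err := base64.StdEncoding.DecodeString(f[2])
		if err != nil {
			return nil, fmt.Errorf("bad known_hosts line %q: %w", ln, err)
		}
		for _, h := range strings.Split(f[0], ",") {
			pinned[h+" "+f[1]] = raw
		}
	}
	return func(hostname, keyType string, key []byte) error {
		want, ok := pinned[hostname+" "+keyType]
		if !ok {
			return fmt.Errorf("%w: %s (%s SHA256:%x)", ErrUnknownHost, hostname, keyType, sha256.Sum256(key))
		}
		if !bytes.Equal(want, key) { // the comparison InsecureIgnoreHostKey never performs
			return fmt.Errorf("%w: %s presented SHA256:%x", ErrKeyMismatch, hostname, sha256.Sum256(key))
		}
		return nil
	}, nil
}

// sampleKnownHosts returns constructed lines; the key bytes are placeholders, not real SSH keys.
func sampleKnownHosts() []string {
	key := base64.StdEncoding.EncodeToString([]byte("constructed-key-bastion"))
	return []string{"# constructed sample for this example", "bastion.example.com,10.0.0.5 ssh-ed25519 " + key}
}
```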
To skip this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --skip-rule=go_gosec_crypto_insecure_ignore_host_key
To run only this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --only-rule=go_gosec_crypto_insecure_ignore_host_key