Missing verification of host keys

• Rule ID: go_gosec_crypto_insecure_ignore_host_key
• Languages: go
• Source: insecure_ignore_host_key.yml

Description

Lacking verification of host key during SSH connections compromises the security of your application. Host keys are essential for verifying the server's identity to prevent Man-in-the-Middle (MitM) attacks, where an attacker could pose as the server. Without this verification, there's no way to ensure the server's authenticity.

Remediations

• Do not use ssh.InsecureIgnoreHostKey as a HostKeyCallback function. This method bypasses any form of host validation, making your application vulnerable to attacks.
• Do implement host key verification. For example, use the knownhosts package from Go's x/crypto/ssh to check server keys against a list of known hosts, similar to OpenSSH's approach.
• Do not disable host key checking in your production code. While it might seem convenient for development or testing environments, it significantly increases the risk of security breaches.

References

• GoDoc for x/crypto/ssh
• Secure use of SSH - OpenSSH

Associated CWE

• CWE-327: Use of a Broken or Risky Cryptographic Algorithm

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_crypto_insecure_ignore_host_key

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_crypto_insecure_ignore_host_key