From d9298647d91c52e1ee9ac448e43a7fea1c69bdbe Mon Sep 17 00:00:00 2001 From: "Audun V. Nes" Date: Wed, 27 Jul 2022 21:01:41 +0200 Subject: [PATCH] ssh: reject unknown host keys when using Python SSH impl (#2932) In the Secure Shell (SSH) protocol, host keys are used to verify the identity of remote hosts. Accepting unknown host keys may leave the connection open to man-in-the-middle attacks. Do not accept unknown host keys. In particular, do not set the default missing host key policy for the Paramiko library to either AutoAddPolicy or WarningPolicy. Both of these policies continue even when the host key is unknown. The default setting of RejectPolicy is secure because it throws an exception when it encounters an unknown host key. Reference: https://cwe.mitre.org/data/definitions/295.html NOTE: This only affects SSH connections using the native Python SSH implementation (Paramiko), when `use_ssh_client=False` (default). If using the system SSH client (`use_ssh_client=True`), the host configuration (e.g. `~/.ssh/config`) will apply. Signed-off-by: Audun Nes --- docker/transport/sshconn.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/transport/sshconn.py b/docker/transport/sshconn.py index ba8c11d1f..4f748f75a 100644 --- a/docker/transport/sshconn.py +++ b/docker/transport/sshconn.py @@ -215,7 +215,7 @@ def _create_paramiko_client(self, base_url): self.ssh_params['key_filename'] = host_config['identityfile'] self.ssh_client.load_system_host_keys() - self.ssh_client.set_missing_host_key_policy(paramiko.WarningPolicy()) + self.ssh_client.set_missing_host_key_policy(paramiko.RejectPolicy()) def _connect(self): if self.ssh_client: