fix(ssh): enable host key verification with known_hosts loading #48
Open
DeryFerd wants to merge 1 commit into
- Replace AutoAddPolicy (silently accepts any host) with WarningPolicy
- Add _load_host_keys() to load ~/.ssh/known_hosts and system known_hosts
- Log warning when no known_hosts file found with ssh-keyscan hint
- Unknown hosts still connect (backward compatible) but with warning
- Add 3 tests verifying WarningPolicy and _load_host_keys method
ureh-terbalik pushed a commit to ureh-terbalik/evonic that referenced this pull request on May 20, 2026
The SSH backend in `backend/tools/lib/backends/ssh_backend.py` was using `paramiko.AutoAddPolicy()`, which silently accepts any host key presented by the remote server. No verification, no warning, no record. This makes every SSH workplace connection vulnerable to man-in-the-middle attacks — an attacker on the same network could intercept the connection, present their own host key, and capture all transmitted data including commands, file contents, and credentials.

Two changes:

1. `AutoAddPolicy()` → `WarningPolicy()`. Unknown hosts still connect (backward compatible — we don't want to break existing setups on first run), but paramiko now logs a warning instead of silently accepting. This at least makes the risk visible in logs.

2. New `_load_host_keys()` method. Before connecting, the backend now tries to load known host keys from standard locations: `~/.ssh/known_hosts` first, then `/etc/ssh/ssh_known_hosts` and `/etc/ssh/known_hosts` as fallbacks. If a host key is found in one of these files and the remote server presents a different key, paramiko will reject the connection rather than accepting it. If no known_hosts file exists anywhere, it falls back to `WarningPolicy` behavior and logs a hint suggesting the user run `ssh-keyscan -H <host> >> ~/.ssh/known_hosts`.

This mirrors how the `ssh` CLI works by default — it trusts keys it has seen before and warns about new ones. The difference is that before this change, the SSH backend was effectively running with `StrictHostKeyChecking no` on every connection.

For users who already have SSH workplaces configured: Their first connection after this upgrade will still succeed (via `WarningPolicy`), but they'll see a warning in the logs. If they want full verification, they can pre-populate known_hosts by connecting once via the `ssh` CLI or running `ssh-keyscan`.

For new connections: Same behavior as before, just with a visible warning instead of silent acceptance.

Three tests verify that `WarningPolicy` is used, `AutoAddPolicy` is gone, and the `_load_host_keys` method exists on `SSHBackend`.
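The three outcomes the description distinguishes (stored key matches, stored key differs so the connection is rejected, no entry so only a warning is logged), shown as an added example that is not the project's code and does not use paramiko: it walks the same known_hosts search order and handles both plain host fields and the hashed `|1|salt|hmac` fields that `ssh-keyscan -H` writes. All host names, keys and the salt are constructed for the example.

```python
import base64
import hashlib
import hmac
from pathlib import Path

# Search order described in the PR: user file first, then the system-wide fallbacks.
KNOWN_HOSTS_CANDIDATES = ("~/.ssh/known_hosts", "/etc/ssh/ssh_known_hosts", "/etc/ssh/known_hosts")

def find_known_hosts(candidates=KNOWN_HOSTS_CANDIDATES):
    """Return the first existing known_hosts path, or None (the 'warn and print the ssh-keyscan hint' case)."""
    for candidate in candidates:
        path = Path(candidate).expanduser()
        if path.is_file():
            return path
    return None

def hash_host(host: str, salt: bytes) -> str:
    """Build the hashed host field that `ssh-keyscan -H` writes: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def host_matches(field: str, host: str) -> bool:
    """Match a known_hosts host field (plain, comma-separated, or hashed) against host."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hash_host(host, salt), field)
    return host in field.split(",")

def check_host_key(known_hosts_text: str, host: str, key_type: str, key_b64: str) -> str:
    """'trusted': stored key matches. 'mismatch': stored key differs, so the connection must be
    rejected. 'unknown': no entry, which is where WarningPolicy logs a warning and still connects."""
    seen = False
    for line in known_hosts_text.splitlines():
        parts = line.split()
        # Comments and @cert-authority/@revoked marker lines are out of scope for this example.
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        if host_matches(parts[0], host) and parts[1] == key_type:
            seen = True
            if hmac.compare_digest(parts[2], key_b64):
                return "trusted"
    return "mismatch" if seen else "unknown"

# Constructed sample data (not real keys, not from the project): one plain and one hashed entry.
GOOD_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyConstructedForThisExample0000000000"
OTHER_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIDifferentKeyPresentedByTheRemoteSide0000000"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "build.example.test,192.0.2.5 ssh-ed25519 " + GOOD_KEY,
    hash_host("db.example.test", b"constructed-salt-20b") + " ssh-ed25519 " + GOOD_KEY,
])
```

A key of a different type for a known host counts as "unknown" here, matching how a first-time key type is treated by the CLI rather than as a mismatch.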