SSH Host key verification #34

Open
kronthto opened this issue Jan 23, 2022 · 0 comments

https://github.com/sqlectron/sqlectron-db-core/blob/main/src/tunnel.ts

It appears the SSH tunnel implementation of sqlectron is not performing verification of the remote ssh host key (~/.ssh/known_hosts) and blindly accepts any connection, potentially compromising the login & all subsequent traffic if a MITM attack is in place.
I verified it by simulating a host key change and the tool still just blindly connected.

This comes from the underlying ssh2 lib, where it is only an optional option:

hostVerifier - (...) Default: (auto-accept if hostVerifier is not set)
https://github.com/mscdex/ssh2/blob/70f90f52ff2e8535a0b96834d8655db16bc6d6fd/README.md?plain=1#L927
