Improper Certificate Validation Using paramiko
Module
PY512
improper_certificate_validation
CWE-295
Warning or Error
Professional Plan
The paramiko package provides an SSHClient and related helpers for connecting to SSH servers. A client must verify the server's host key before it authenticates or sends data; skipping that check exposes the session to:
- Man-in-the-middle attacks
- Session hijacking
- Data theft
SSHClient decides what to do with a host key that is not among its loaded host keys through its missing host key policy. AutoAddPolicy accepts and records whatever key the server presents, so whoever answers the first connection, including an attacker on the path, is trusted from then on. WarningPolicy logs the unknown key and still proceeds. When the host key is unknown to the client, the policy should refuse to continue the connection.
Example
from paramiko import client
ssh_client = client.SSHClient()
# Trust on first use: any key an unknown server presents is accepted and stored.
ssh_client.set_missing_host_key_policy(client.AutoAddPolicy)
Remediation
Set the missing host key policy to RejectPolicy so that a connection is refused when the host key is unknown to the client. RejectPolicy is also SSHClient's default, so the finding only arises when code explicitly selects a weaker policy. Note that RejectPolicy only admits hosts whose keys the client has loaded (for example with load_system_host_keys()), so those keys must be provisioned out of band rather than learned from the first connection.
from paramiko import client
ssh_client = client.SSHClient()
# Refuse any host whose key is not already in the client's loaded host keys.
ssh_client.set_missing_host_key_policy(client.RejectPolicy)
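The following is an added example, not code from this rule page or from paramiko, showing what RejectPolicy actually depends on: the client's loaded known_hosts entries. It parses OpenSSH known_hosts text in pure Python, including hashed `|1|<salt>|<hmac>` host fields, classifies a presented key as known, mismatched (same host, different key, the man-in-the-middle signature) or unknown, and defines a reject-only policy object with the `missing_host_key(client, hostname, key)` interface that SSHClient calls for keys it does not recognise. The key blobs, hostnames and known_hosts lines are constructed for the example, `HostKeyRejected` and `StrictHostKeyPolicy` are names chosen here, and `connect_strict` is a hypothetical wrapper that only wires the real SSHClient methods together.

```python
"""Host-key checks that RejectPolicy relies on, in pure Python, plus a
reject-only policy object. All sample data below is constructed."""
import base64
import hashlib
import hmac


class HostKeyRejected(Exception):
    """Raised when a server presents a host key the client does not trust."""


def fingerprint_sha256(key_blob: bytes) -> str:
    """OpenSSH-style 'SHA256:...' fingerprint of a raw public-key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _hostname_matches(pattern: str, hostname: str) -> bool:
    """Match a known_hosts host field: a comma-separated list of names, or a
    hashed '|1|<salt>|<hmac>' entry (HMAC-SHA1 of the hostname under the salt)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(mac_b64))
    return hostname in pattern.split(",")


def parse_known_hosts(text: str) -> list:
    """Return [(host_pattern, key_type, key_blob)] from known_hosts text.
    Marked lines (@cert-authority, @revoked) are skipped: they need CA and
    revocation handling that this example does not cover."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0].startswith("@"):
            continue
        host_pattern, key_type, key_b64 = fields[:3]
        entries.append((host_pattern, key_type, base64.b64decode(key_b64)))
    return entries


def host_key_status(entries, hostname: str, key_type: str, key_blob: bytes) -> str:
    """'known'    -> this exact key is recorded for the host
       'mismatch' -> the host has a different key of the same type (possible MITM)
       'unknown'  -> no key of this type is recorded for the host"""
    same_type_seen = False
    for pattern, ktype, blob in entries:
        if ktype != key_type or not _hostname_matches(pattern, hostname):
            continue
        if hmac.compare_digest(blob, key_blob):
            return "known"
        same_type_seen = True
    return "mismatch" if same_type_seen else "unknown"


class StrictHostKeyPolicy:
    """Reject-only policy with the missing_host_key(client, hostname, key)
    interface paramiko's SSHClient calls for keys absent from its loaded host
    keys. Behaves like paramiko.RejectPolicy but records what it refused."""

    def __init__(self):
        self.rejected = []

    def reject(self, hostname: str, key_type: str, key_blob: bytes):
        fp = fingerprint_sha256(key_blob)
        self.rejected.append((hostname, key_type, fp))
        raise HostKeyRejected(
            "unknown %s host key %s for %s; add it to known_hosts out of band"
            % (key_type, fp, hostname))

    def missing_host_key(self, client, hostname, key):
        # paramiko key objects expose get_name() and asbytes()
        self.reject(hostname, key.get_name(), key.asbytes())


def connect_strict(hostname: str, username: str):
    """Hypothetical wrapper: only hosts already in ~/.ssh/known_hosts connect."""
    import paramiko  # imported here so the checks above run without paramiko installed
    ssh_client = paramiko.SSHClient()
    ssh_client.load_system_host_keys()  # with no loaded keys, a reject policy refuses every host
    ssh_client.set_missing_host_key_policy(StrictHostKeyPolicy())
    ssh_client.connect(hostname, username=username)
    return ssh_client


# --- constructed sample data (not real server keys) ---------------------------
def _ed25519_blob(raw32: bytes) -> bytes:
    """SSH wire-format public key: string 'ssh-ed25519' then the 32-byte key."""
    name = b"ssh-ed25519"
    return len(name).to_bytes(4, "big") + name + len(raw32).to_bytes(4, "big") + raw32


SAMPLE_KEY = _ed25519_blob(bytes(range(32)))
ROGUE_KEY = _ed25519_blob(bytes(range(32, 64)))
_SALT = b"0123456789abcdefghij"  # 20-byte salt, as OpenSSH uses for hashed names
_HASHED_HOST = "|1|%s|%s" % (
    base64.b64encode(_SALT).decode(),
    base64.b64encode(hmac.new(_SALT, b"bastion.example.net", hashlib.sha1).digest()).decode())
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "build.example.net,10.0.0.5 ssh-ed25519 " + base64.b64encode(SAMPLE_KEY).decode(),
    _HASHED_HOST + " ssh-ed25519 " + base64.b64encode(SAMPLE_KEY).decode(),
])

if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for host, key in [("build.example.net", SAMPLE_KEY), ("build.example.net", ROGUE_KEY),
                      ("bastion.example.net", SAMPLE_KEY), ("evil.example.net", SAMPLE_KEY)]:
        print(host, host_key_status(entries, host, "ssh-ed25519", key))
```

The "mismatch" outcome is the one worth alerting on: paramiko itself raises BadHostKeyException when a loaded entry disagrees with the presented key, and it only consults the missing host key policy for hosts it has no entry for, which is why the policy must never approve silently.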
False Positives
If the rule fires on a false positive, it can be suppressed by adding a trailing or preceding comment with either the rule ID (PY512) or the rule category name (improper_certificate_validation).
Using rule ID:
from paramiko import client
ssh_client = client.SSHClient()
# suppress: PY512
ssh_client.set_missing_host_key_policy(client.AutoAddPolicy)
Using category name:
from paramiko import client
ssh_client = client.SSHClient()
# suppress: improper_certificate_validation
ssh_client.set_missing_host_key_policy(client.AutoAddPolicy)