It appears this library is not performing verification of the remote ssh host key (~/.ssh/known_hosts) and blindly accepts any connection, potentially compromising the login & all subsequent traffic if a MITM attack is in place.
This comes from the underlying ssh2 lib, where it is only an optional option:
hostVerifier - (...) Default: (auto-accept if hostVerifier is not set)
https://github.com/mscdex/ssh2/blob/70f90f52ff2e8535a0b96834d8655db16bc6d6fd/README.md?plain=1#L927
I think there should at least be a way to opt-in to that (easiest: statically pass the hostkey) and a clear warning to make users aware of the risk.
It appears this library is not performing verification of the remote ssh host key (
~/.ssh/known_hosts) and blindly accepts any connection, potentially compromising the login & all subsequent traffic if a MITM attack is in place.This comes from the underlying ssh2 lib, where it is only an optional option:
I think there should at least be a way to opt-in to that (easiest: statically pass the hostkey) and a clear warning to make users aware of the risk.