You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Aug 26, 2025. It is now read-only.
It appears this library is not performing verification of the remote ssh host key (~/.ssh/known_hosts) and blindly accepts any connection, potentially compromising the login & all subsequent traffic if a MITM attack is in place.
This comes from the underlying ssh2 lib, where it is only an optional option:
It appears this library is not performing verification of the remote ssh host key (
~/.ssh/known_hosts) and blindly accepts any connection, potentially compromising the login & all subsequent traffic if a MITM attack is in place.This comes from the underlying ssh2 lib, where it is only an optional option:
I think there should at least be a way to opt-in to that (easiest: statically pass the hostkey) and a clear warning to make users aware of the risk.