mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 15:01:32 +00:00
docs(ssh): operator playbook for InsecureIgnoreHostKey design choice
Closes Top-10 fix #7 of the 2026-05-02 deployment-target audit re-run (see cowork/deployment-target-audit-2026-05-02-rerun/RESULTS.md). Pre-fix, the SSH connector's ssh.InsecureIgnoreHostKey() at internal/connector/target/ssh/ssh.go (realSSHClient.Connect) had only an inline comment justifying the design choice. An acquirer's diligence engineer reading the connector cold pattern-matches "MITM hazard" without seeing the comment.

This commit lands a doc-side operator playbook in docs/connectors.md SSH section covering:

1. Why the connector accepts any host key (operator-configured target infrastructure; mirrors network scanner's InsecureSkipVerify and F5's Insecure flag).
2. Threat model the choice accepts (passive eavesdropper on operator-controlled network; layered SSH-key auth limits blast radius).
3. Threat model the choice does NOT accept (public-internet ephemeral hosts, multi-tenant networks, strict MITM-resistance regulatory requirements).
4. Mitigations operators can layer (custom SSHClient via NewWithClient + golang.org/x/crypto/ssh/knownhosts; SSH certificate authentication via @cert-authority pinning; network segmentation; per-target key rotation).
5. When to NOT use the SSH connector (regulatory environments, dynamic IPs, multi-tenant networks).
6. V3-Pro forward path (built-in known_hosts management, tracked in WORKSPACE-ROADMAP.md).

Inline comment in ssh.go realSSHClient.Connect updated to forward-reference the new doc subsection (no logic change; same HostKeyCallback: ssh.InsecureIgnoreHostKey() call).

Same shape Bundle 8 used for "Operator playbook: keytool argv password exposure" in docs/connectors.md JavaKeystore section.

No code-behavior changes. No test changes.

Verified locally:
- gofmt / go vet clean.
- go test -short ./internal/connector/target/ssh/... green.

Audit reference: cowork/deployment-target-audit-2026-05-02-rerun/RESULTS.md Top-10 fix #7.
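Mitigation 4 in the commit message (a custom SSHClient via NewWithClient plus golang.org/x/crypto/ssh/knownhosts) is the part an operator has to get right, so the fail-closed half of it is shown here as an added example. It is not certctl's code and not the x/crypto knownhosts implementation: it re-does the known_hosts lookup with the standard library only (so it runs without the module), mirrors the ssh.HostKeyCallback shape through a two-method PublicKey subset that a real ssh.PublicKey satisfies, and exercises the three outcomes the connector's InsecureIgnoreHostKey collapses into "accept": pinned key, unknown host, and known host presenting a different key. The hostnames, the known_hosts content and the 32-byte key points are constructed for the example; in the real connector you would hand ssh.ClientConfig a knownhosts.New(path) or ssh.FixedHostKey(key) callback rather than this one.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"net"
	"strings"
)

// PublicKey is the two-method subset of golang.org/x/crypto/ssh.PublicKey that pinning
// needs; ssh.PublicKey satisfies it (assumption: a one-line adapter turns the callback
// below into an ssh.HostKeyCallback for ssh.ClientConfig).
type PublicKey interface {
	Type() string
	Marshal() []byte // SSH wire format: the bytes known_hosts stores base64-encoded
}

// ParseKnownHosts reads plain OpenSSH known_hosts lines ("host[,host] type base64") into
// host -> "type base64" pins. Hashed hosts (|1|...) and @-markers are rejected, not
// skipped, so input this example cannot honour fails closed instead of pinning nothing.
func ParseKnownHosts(text string) (map[string][]string, error) {
	pins := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue
		}
		if len(f) < 3 || strings.HasPrefix(f[0], "@") || strings.HasPrefix(f[0], "|1|") {
			return nil, fmt.Errorf("known_hosts line %d: unsupported or malformed entry", n)
		}
		blob, err := base64.StdEncoding.DecodeString(f[2])
		if err != nil {
			return nil, fmt.Errorf("known_hosts line %d: bad base64 key: %w", n, err)
		}
		for _, h := range strings.Split(f[0], ",") { // re-encode so the comparison is canonical
			pins[h] = append(pins[h], f[1]+" "+base64.StdEncoding.EncodeToString(blob))
		}
	}
	return pins, sc.Err()
}

// normalize maps the "host:port" the ssh client passes to the callback onto the
// known_hosts spelling: bare host for port 22, "[host]:port" for any other port.
func normalize(hostport string) string {
	host, port, err := net.SplitHostPort(hostport)
	if err != nil {
		return hostport
	}
	if port == "22" {
		return host
	}
	return "[" + host + "]:" + port
}

// NewHostKeyCallback is fail-closed: unknown host -> error; known host presenting a
// different key -> error (possible MITM or unannounced rotation); exact match -> nil.
func NewHostKeyCallback(pins map[string][]string) func(string, net.Addr, PublicKey) error {
	return func(hostname string, _ net.Addr, key PublicKey) error {
		host := normalize(hostname)
		presented := key.Type() + " " + base64.StdEncoding.EncodeToString(key.Marshal())
		pinned, ok := pins[host]
		if !ok {
			return fmt.Errorf("%s is not in known_hosts (presented %s)", host, presented)
		}
		for _, p := range pinned {
			if p == presented {
				return nil
			}
		}
		return fmt.Errorf("host key mismatch for %s: got %s (possible MITM or rotation)", host, presented)
	}
}

// Constructed sample data so the file runs stand-alone; the 32-byte points are not real keys.
// ed25519Wire builds string("ssh-ed25519") || string(point), each uint32-length-prefixed.
func ed25519Wire(point []byte) (b []byte) {
	for _, s := range [][]byte{[]byte("ssh-ed25519"), point} {
		b = append(b, byte(len(s)>>24), byte(len(s)>>16), byte(len(s)>>8), byte(len(s)))
		b = append(b, s...)
	}
	return b
}

type fakeKey struct{ blob []byte }

func (k fakeKey) Type() string    { return "ssh-ed25519" }
func (k fakeKey) Marshal() []byte { return k.blob }

var (
	goodPoint, evilPoint = []byte(strings.Repeat("\x11", 32)), []byte(strings.Repeat("\x22", 32))
	goodB64              = base64.StdEncoding.EncodeToString(ed25519Wire(goodPoint))
	sampleKnownHosts     = "# constructed for the example\n" +
		"lb1.internal,10.0.0.5 ssh-ed25519 " + goodB64 + "\n" +
		"[lb2.internal]:2222 ssh-ed25519 " + goodB64 + "\n"
)

// Check verifies one target against sampleKnownHosts; nil means the presented key is pinned.
func Check(hostport string, point []byte) error {
	pins, err := ParseKnownHosts(sampleKnownHosts)
	if err != nil {
		return err
	}
	return NewHostKeyCallback(pins)(hostport, nil, fakeKey{ed25519Wire(point)})
}

func main() {
	fmt.Println(Check("lb1.internal:22", goodPoint))   // <nil>: pinned
	fmt.Println(Check("lb2.internal:2222", goodPoint)) // <nil>: "[host]:port" spelling matched
	fmt.Println(Check("lb1.internal:22", evilPoint))   // mismatch error
	fmt.Println(Check("lb3.internal:22", goodPoint))   // unknown-host error; InsecureIgnoreHostKey would accept
}
```

Two details matter when wiring a callback like this into a connector. The ssh client passes "host:port" to the callback, and OpenSSH pins non-default ports as "[host]:port", so a target on 2222 pinned under the bare hostname will be rejected as unknown; the normalize step is what makes that agree. And the parser here refuses hashed (|1|) and @-marker entries rather than ignoring them, because a known_hosts file that silently contributes no pins is indistinguishable from InsecureIgnoreHostKey; the real knownhosts.New handles hashed hosts, so prefer it outside of an example.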
@@ -668,11 +668,17 @@ func (c *realSSHClient) Connect(ctx context.Context) error {
User: c.config.User,
Auth: authMethods,
Timeout: time.Duration(c.config.Timeout) * time.Second,
// InsecureIgnoreHostKey is used intentionally: certctl deploys to known
// infrastructure (the operator explicitly configures each target host).
// This is the same security rationale as network scanner's InsecureSkipVerify
// and F5 connector's insecure flag. Host key verification would require
// an additional known_hosts management layer that is out of scope.
// InsecureIgnoreHostKey is used intentionally — see "Operator playbook:
// SSH host-key verification" in docs/connectors.md (SSH section) for
// the threat model accepted, the threat model rejected, available
// mitigations (custom HostKeyCallback via NewWithClient + known_hosts;
// SSH certificate authentication; network segmentation), and when not
// to use this connector. Same security rationale as the network
// scanner's InsecureSkipVerify and the F5 connector's insecure flag:
// certctl deploys to operator-configured target infrastructure on
// operator-controlled networks. Built-in known_hosts management is
// V3-Pro work (see WORKSPACE-ROADMAP.md). Top-10 fix #7 of the
// 2026-05-02 deployment-target audit re-run.
HostKeyCallback: ssh.InsecureIgnoreHostKey(),
}
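Review bot: the new comment block above `HostKeyCallback: ssh.InsecureIgnoreHostKey(),` is eleven lines restating the docs/connectors.md playbook it points to, and it bakes the audit ticket ("Top-10 fix #7 of the 2026-05-02 deployment-target audit re-run") into source, where it goes stale as soon as the audit tracker moves on; keep the inline comment to the one-line rationale plus the pointer to the playbook and leave the threat model, mitigation list and audit reference to the doc and the commit message. The logic point is that the comment names the mitigation (a custom HostKeyCallback via NewWithClient + known_hosts) while the config assembled right here still hard-codes `ssh.InsecureIgnoreHostKey()` unconditionally, so an operator who wants verification has to supply an entire SSHClient implementation. Since `User`, `Auth` and `Timeout` are already read from `c.config`, an optional known_hosts path or pinned host-key field in the same config that selects `knownhosts.New` or `ssh.FixedHostKey` when set, falling back to `ssh.InsecureIgnoreHostKey()` only when unset, would make the documented mitigation a one-line config change while preserving the default behaviour this commit keeps.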