ssh-no-host-key-verification (S507)
Derived from the flake8-bandit linter.
This rule is unstable and in preview. The --preview flag is required for use.
What it does
Checks for uses of policies disabling SSH verification in Paramiko.
Why is this bad?
By default, Paramiko checks the identity of the remote host when establishing an SSH connection. Disabling that verification can let the client connect to a malicious host without noticing.
Example
from paramiko import client

ssh_client = client.SSHClient()
# AutoAddPolicy accepts and stores any unknown host key without verifying it
ssh_client.set_missing_host_key_policy(client.AutoAddPolicy)
Use instead:
from paramiko import client

ssh_client = client.SSHClient()
# Load the known hosts file and refuse unknown hosts (RejectPolicy is also Paramiko's default)
ssh_client.load_system_host_keys()
ssh_client.set_missing_host_key_policy(client.RejectPolicy())
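As an added example (not code from the Ruff or flake8-bandit projects), the following stdlib-only checker performs the same kind of detection this rule describes: it walks a Python module's AST and reports every `set_missing_host_key_policy` call whose argument names a policy that accepts unknown hosts. The names it treats as unsafe, `AutoAddPolicy` and `WarningPolicy`, are the ones the original bandit B507 check flags; the exact matching logic, the `policy=` keyword handling and the sample source are assumptions made for this example, not the rule's implementation.

```python
import ast
from typing import List, Optional, Tuple

# Host-key policies that accept unknown hosts without verification. These are
# the two names the original bandit B507 check flags (assumption: the Ruff
# rule matches the same names).
UNSAFE_POLICIES = frozenset({"AutoAddPolicy", "WarningPolicy"})


def _policy_name(node: ast.expr) -> Optional[str]:
    """Return the bare policy name whether it is written as
    ``client.AutoAddPolicy``, ``AutoAddPolicy`` or an instantiation such as
    ``paramiko.AutoAddPolicy()``; None for anything else."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_unsafe_host_key_policies(source: str) -> List[Tuple[int, str]]:
    """Return (line number, policy name) for every
    ``set_missing_host_key_policy(...)`` call that installs an unsafe policy."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute)
                and func.attr == "set_missing_host_key_policy"):
            continue
        # Paramiko's parameter is named ``policy``; it may be passed
        # positionally or as a keyword argument.
        candidates = list(node.args)
        candidates += [kw.value for kw in node.keywords if kw.arg == "policy"]
        for arg in candidates:
            name = _policy_name(arg)
            if name in UNSAFE_POLICIES:
                findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample module covering the spellings the checker understands,
# plus one safe call that must not be reported.
SAMPLE_SOURCE = """\
from paramiko import client
import paramiko

a = client.SSHClient()
a.set_missing_host_key_policy(client.AutoAddPolicy)
b = paramiko.SSHClient()
b.set_missing_host_key_policy(paramiko.WarningPolicy())
c = client.SSHClient()
c.set_missing_host_key_policy(policy=client.AutoAddPolicy())
d = client.SSHClient()
d.set_missing_host_key_policy(client.RejectPolicy())
"""


if __name__ == "__main__":
    for lineno, policy in find_unsafe_host_key_policies(SAMPLE_SOURCE):
        print(f"S507 line {lineno}: unsafe host-key policy {policy}")
```

Like the lint rule, this is a syntactic check: it matches on the attribute and policy names as written, so a policy imported under an alias (`from paramiko import AutoAddPolicy as P`) or a custom `MissingHostKeyPolicy` subclass that accepts everything is not reported. Treat a clean result as the absence of the obvious pattern, not as proof that host keys are verified.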