fix: SftpUploader uses StrictHostKeyChecking=no — vulnerable to MITM #182

Open
opened 2026-06-29 14:39:48 +00:00 by jmiller · 3 comments
Owner

Summary

SftpUploader.php:210,238 passes -o StrictHostKeyChecking=no to both scp and ssh commands. This disables SSH host key verification on every connection, making SFTP uploads vulnerable to man-in-the-middle attacks.

Location

  • src/Engine/SftpUploader.php:210 (buildScpCommand)
  • src/Engine/SftpUploader.php:238 (buildSshCommand)

Fix

Change to StrictHostKeyChecking=accept-new — trusts on first connect, rejects if the key changes. Optionally allow users to provide a known_hosts path in the profile config.

## Summary `SftpUploader.php:210,238` passes `-o StrictHostKeyChecking=no` to both scp and ssh commands. This disables SSH host key verification on every connection, making SFTP uploads vulnerable to man-in-the-middle attacks. ## Location - `src/Engine/SftpUploader.php:210` (buildScpCommand) - `src/Engine/SftpUploader.php:238` (buildSshCommand) ## Fix Change to `StrictHostKeyChecking=accept-new` — trusts on first connect, rejects if the key changes. Optionally allow users to provide a known_hosts path in the profile config.
jmiller added the component: remote label 2026-06-29 14:39:48 +00:00
Author
Owner

Branch created: feature/182-fix-sftpuploader-uses-stricthostkeycheck

git fetch origin
git checkout feature/182-fix-sftpuploader-uses-stricthostkeycheck
Branch created: [`feature/182-fix-sftpuploader-uses-stricthostkeycheck`](https://git.mokoconsulting.tech/MokoConsulting/MokoSuiteBackup/src/branch/feature/182-fix-sftpuploader-uses-stricthostkeycheck) ```bash git fetch origin git checkout feature/182-fix-sftpuploader-uses-stricthostkeycheck ```
Author
Owner

🔍 Deep-dive triage (code @ 02.56.05) — VALID.

src/Engine/SftpUploader.php:210 (buildScpCommand) and :238 (buildSshCommand) both hardcode -o StrictHostKeyChecking=no — host-key verification is disabled on every scp/ssh invocation (MITM on backup uploads: archive exfiltration/tampering + exposure of key/password auth to an impostor host).

Severity: Medium.
Fix: switch both to StrictHostKeyChecking=accept-new (TOFU); optionally support an operator-supplied known_hosts path in the remote params via -o UserKnownHostsFile=….

🔍 **Deep-dive triage** (code @ 02.56.05) — **VALID.** `src/Engine/SftpUploader.php:210` (`buildScpCommand`) and `:238` (`buildSshCommand`) both hardcode `-o StrictHostKeyChecking=no` — host-key verification is disabled on every scp/ssh invocation (MITM on backup uploads: archive exfiltration/tampering + exposure of key/password auth to an impostor host). **Severity:** Medium. **Fix:** switch both to `StrictHostKeyChecking=accept-new` (TOFU); optionally support an operator-supplied `known_hosts` path in the remote params via `-o UserKnownHostsFile=…`.
Author
Owner

Still present in 02.56.05 — keep open.

SftpUploader.php:210 (buildScpCommand) and :238 (buildSshCommand) both hardcode '-o', 'StrictHostKeyChecking=no', leaving uploads open to MITM. Recommend StrictHostKeyChecking=accept-new plus an optional profile-supplied known_hosts path.

Still present in 02.56.05 — keep open. `SftpUploader.php:210` (`buildScpCommand`) and `:238` (`buildSshCommand`) both hardcode `'-o', 'StrictHostKeyChecking=no'`, leaving uploads open to MITM. Recommend `StrictHostKeyChecking=accept-new` plus an optional profile-supplied `known_hosts` path.
Sign in to join this conversation.