Can someone explain the difference between them? Specifically, are there any security concerns, for example, with the AutoAddPolicy? Thanks in advance
These "MissingHostKeyPolicies" are security policies used to determine how to handle a "host key" (i.e. the server's public ssh key) that has not been established as "known" (i.e. trusted).
RejectPolicy is the only secure policy.
AutoAddPolicy and WarningPolicy both open you up to the potential for man-in-the-middle attacks.
To understand this, let's look at ssh:
In an ssh connection, the server has a public ssh key that it sends to the client (that's you). This public key can be used to uniquely identify the server and authoritatively validate that the content is actually coming from that server.
When you use ssh in an interactive session, if you have never connected to a server before, you will see this message:
C:\>ssh x.y.z.com
The authenticity of host 'x.y.z.com' can't be established.
RSA key fingerprint is SHA256:6E5SThbpng6kJWxiKwGl7EXUp1IGOng6kCsRLvRomT.
Are you sure you want to continue connecting (yes/no)?
If you select "yes", the hostname/public-key are added to a file called 'known_hosts' in your .ssh directory (typically at ~/.ssh/known_hosts or %userprofile%\.ssh\known_hosts). Then the next time you connect, it will not need to prompt you again because it is a "known" host. If you select "yes" without verifying the information, there is a potential for a man-in-the-middle attack.
If you select "no", then the connection is rejected.
Paramiko assumes that you will not be around to answer this question, so it has policies.
RejectPolicy rejects the connection if the hostname/public-key are not found in a host-keys file.
AutoAddPolicy accepts any connection, no matter what. In addition to that, it also saves the host/public-key to the host-keys.
WarningPolicy is just like AutoAddPolicy, except it doesn't save the host/public-key to the host-keys, and it also prints out a little warning message that will probably be ignored (if it is seen at all).
Here is an example of securely connecting to a host that allows anonymous connections:
import os
import paramiko

host = "x.y.z.com"  # a server whose key is already present in known_hosts
with paramiko.SSHClient() as ssh_client:
    # only keys listed in this file are trusted; anything else is rejected below
    ssh_client.load_host_keys(os.path.expanduser("~/.ssh/known_hosts"))
    ssh_client.set_missing_host_key_policy(paramiko.RejectPolicy())
    ssh_client.connect(host)
RejectPolicy is the only secure policy, but it can also sometimes be inconvenient, depending on how often you have to update your 'known_hosts'.
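As an added illustration (not code from the answer or from Paramiko itself), here is a small pure-Python model of the known_hosts lookup and of the three policy decisions. The known_hosts text, the dummy key blob and the host names are constructed; policies are plain strings rather than Paramiko classes. It also shows the case all three policies share: a host that is known but presents a different key is refused, which is what Paramiko does by raising BadHostKeyException before any missing-key policy is consulted.

```python
import base64
import hashlib
import hmac
# Constructed sample: a dummy blob stands in for a real public key. It is listed
# for x.y.z.com as a plain entry and for hidden.example.org as a hashed (|1|) entry.
DUMMY_BLOB = b"dummy-ed25519-public-key-blob"
KEY_B64 = base64.b64encode(DUMMY_BLOB).decode()

def hashed_pattern(hostname, salt):
    # OpenSSH hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

KNOWN_HOSTS = "x.y.z.com ssh-ed25519 %s\n%s ssh-ed25519 %s\n" % (
    KEY_B64, hashed_pattern("hidden.example.org", bytes(range(20))), KEY_B64)

def fingerprint(blob):
    # SHA256 fingerprint in the form ssh prints in its "authenticity" prompt
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def host_matches(pattern, hostname):
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64decode(mac_b64), mac)
    return hostname in pattern.split(",")  # plain entries may list several names

def lookup(known_hosts, hostname, keytype):
    """Return the stored key blob for hostname/keytype, or None if the host is unknown."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == keytype and host_matches(parts[0], hostname):
            return base64.b64decode(parts[2])
    return None

def check_host_key(known_hosts, hostname, keytype, blob, policy):
    """Apply 'reject', 'auto_add' or 'warning'; returns (accepted, known_hosts)."""
    stored = lookup(known_hosts, hostname, keytype)
    if stored is not None:
        # Known host: a changed key is the man-in-the-middle signal, refused under every policy
        return hmac.compare_digest(stored, blob), known_hosts
    if policy == "reject":
        return False, known_hosts
    if policy == "warning":  # one easily missed message, nothing persisted
        print("Unknown %s host key for %s: %s" % (keytype, hostname, fingerprint(blob)))
        return True, known_hosts
    if policy == "auto_add":  # trusts whoever answered, and remembers them
        entry = "%s %s %s\n" % (hostname, keytype, base64.b64encode(blob).decode())
        return True, known_hosts + entry
    raise ValueError("unknown policy: " + policy)
```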