Source: DeepSec Rust-focused direct pass 20260507013924-5f4812745ba339b2.
Severity: HIGH
Confidence: medium
File: crates/bashkit/src/builtins/ssh/russh_handler.rs:139
Slug: secrets-exposure
Finding
The code comment says authentication tries none first, then key, then password, but the implementation does the reverse: it attempts public-key auth whenever a key is present and password auth whenever target.password is present, and only falls back to authenticate_none when no credentials exist at all.
Because cmd.rs supplies SshConfig::default_password to user-selected SSH/SCP/SFTP targets, a script can cause the configured password to be offered to any allowlisted host/user of its choosing. If strict host-key checking is disabled for public SSH services, or if a broad trusted-key setup is used, a malicious allowlisted SSH server can harvest that password even though it would have accepted none-auth and so never needed to see it.
Suggested Fix
Attempt authenticate_none before any credential, so the behaviour matches the comment and a server that accepts none-auth never receives a key or password.
Scope default credentials to explicit host/user allowlist entries. Do not offer default_password or default_private_key to arbitrary user-selected hosts/users just because the host string passed the connection allowlist: that allowlist only says the host may be contacted, not that it is trusted with the configured secret. As a further check, only offer password auth once the server's host key has been verified against a known entry.
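The following is an added example, not bashkit or russh code, that models both parts of the suggested fix against a constructed fake server. The trait, struct and function names (AuthClient, RecordingServer, CredentialPolicy, authenticate_none_first, credentials_for) are hypothetical; only the three method names echo the russh calls named in the finding, and their signatures here are simplified. It contrasts the observed credentials-first ordering with a none-first ordering, and shows default credentials being released only for an explicitly listed (host, user) pair.

```rust
// Added example (not bashkit code): models the two fixes from the finding with a fake
// server. Type and function names here are hypothetical; only the method names
// authenticate_none / authenticate_publickey / authenticate_password echo russh's.
use std::collections::HashSet;

/// Credentials the policy layer has decided may be offered to one target.
#[derive(Clone, Debug, Default)]
struct Credentials {
    private_key: Option<String>, // opaque key material for the example
    password: Option<String>,
}

/// Client-side auth calls, abstracted so the ordering can be exercised offline.
trait AuthClient {
    fn authenticate_none(&mut self, user: &str) -> bool;
    fn authenticate_publickey(&mut self, user: &str, key: &str) -> bool;
    fn authenticate_password(&mut self, user: &str, password: &str) -> bool;
}

/// Constructed server that records everything it is offered. `accepts_none` models the
/// malicious allowlisted server from the finding: it would let the client in with no
/// credential, but records any password it is handed.
#[derive(Default)]
struct RecordingServer {
    accepts_none: bool,
    harvested_passwords: Vec<String>,
    offered_keys: Vec<String>,
}

impl AuthClient for RecordingServer {
    fn authenticate_none(&mut self, _user: &str) -> bool {
        self.accepts_none
    }
    fn authenticate_publickey(&mut self, _user: &str, key: &str) -> bool {
        self.offered_keys.push(key.to_string());
        false // the attacker's server has no reason to accept our key
    }
    fn authenticate_password(&mut self, _user: &str, password: &str) -> bool {
        self.harvested_passwords.push(password.to_string());
        true // and every reason to accept (and keep) our password
    }
}

/// The ordering the finding observed: credentials first, none-auth only as a fallback.
fn authenticate_credentials_first<C: AuthClient>(c: &mut C, user: &str, creds: &Credentials) -> bool {
    if creds.private_key.as_deref().map_or(false, |k| c.authenticate_publickey(user, k)) {
        return true;
    }
    if creds.password.as_deref().map_or(false, |p| c.authenticate_password(user, p)) {
        return true;
    }
    c.authenticate_none(user)
}

/// The ordering the comment promises: none first, then key, then password. A server
/// that accepts none-auth never sees a secret.
fn authenticate_none_first<C: AuthClient>(c: &mut C, user: &str, creds: &Credentials) -> bool {
    if c.authenticate_none(user) {
        return true;
    }
    if creds.private_key.as_deref().map_or(false, |k| c.authenticate_publickey(user, k)) {
        return true;
    }
    creds.password.as_deref().map_or(false, |p| c.authenticate_password(user, p))
}

/// Default credentials are released only for (host, user) pairs listed explicitly,
/// not for every host that passes the connection allowlist.
struct CredentialPolicy {
    default_private_key: Option<String>,
    default_password: Option<String>,
    credential_targets: HashSet<(String, String)>,
}

impl CredentialPolicy {
    fn credentials_for(&self, host: &str, user: &str) -> Credentials {
        if self.credential_targets.contains(&(host.to_string(), user.to_string())) {
            Credentials {
                private_key: self.default_private_key.clone(),
                password: self.default_password.clone(),
            }
        } else {
            Credentials::default()
        }
    }
}

fn main() {
    let policy = CredentialPolicy {
        default_private_key: None,
        default_password: Some("s3cret".to_string()),
        credential_targets: HashSet::from([("bastion.internal".to_string(), "deploy".to_string())]),
    };
    let creds = policy.credentials_for("bastion.internal", "deploy");
    let mut server = RecordingServer { accepts_none: true, ..Default::default() };
    authenticate_credentials_first(&mut server, "deploy", &creds);
    println!("credentials-first: server harvested {:?}", server.harvested_passwords);
    let mut server = RecordingServer { accepts_none: true, ..Default::default() };
    authenticate_none_first(&mut server, "deploy", &creds);
    println!("none-first: server harvested {:?}", server.harvested_passwords);
    println!("unlisted host gets: {:?}", policy.credentials_for("evil.example", "deploy"));
}
```

The none-first ordering alone is not a complete fix: a server that rejects none-auth still receives the password on the third step, which is why the scoping in CredentialPolicy matters as well. In a real handler the host-key verification result would be a further precondition before the password step.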