fix(connector-fabric): mandate ssh host key verification #663
Labels
bug
Something isn't working
Fabric
good-first-issue
Good for newcomers
Hacktoberfest
Hacktoberfest participants are welcome to take a stab at issues marked with this label.
Security
Related to existing or potential security vulnerabilities
Comments
petermetz
added
bug
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
The Fabric connector does not support host key verification at the moment while connecting to a server to deploy contracts.
This is a security hole that needs to be plugged so that production deployments don't have to wonder if they are being MITM'd while deploying new contracts.
To Reproduce
Try to MITM someone who is doing a Fabric contract deployment and observe that you can do it because there was no host key verification. Oops.
Expected behavior
MITM attempt should fail as long as you do not have complete access to the target machine.
Logs/Stack traces
N/AScreenshots
N/ACloud provider or hardware configuration:
Everywhere.
Operating system name, version, build:
Everywhere
Hyperledger Cactus release version or commit (git rev-parse --short HEAD):
0.4.0Hyperledger Cactus Plugins/Connectors Used
Fabric
Additional context
https://www.ssh.com/attack/man-in-the-middle
cc: @takeutak @sfuji822 @hartm @jonathan-m-hamilton @AzaharaC @jordigiam @kikoncuo
The text was updated successfully, but these errors were encountered: