SSH Password Assignment

ID

ssh_password_assignment

Severity

high

Vendor

-

Family

Generic secret

Description

The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption.

Security

This detector looks for ssh password in the form of variable assignments.

Accidentally checking-in the password to source control repositories could compromise your credentials.

Suspicious activity could be detected by auditing the server logs.

Examples

public class Test {

  private String strSshUser = "b@duser";
  private String strSshPassword = "kjgkofdu66i532ohn";
  private String strSshHost = "domain.ru";
  private int nSshPort = 2222;
}
<connection name="example" sshUser="b@duser" auth="foobared" port="6379" sshHost="domain.com" sshPassword="kjgkofdu66i532ohn" sshPort="221" host="redis_srv"/>

Mitigation / Fix

  1. Remove the credentials from the source code or committed configuration file.

  2. If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

Reference

https://tools.ietf.org/html/rfc4251