Security: Server SSH connection test uses StrictHostKeyChecking=no

[Snider]

Description

The SSH connection test in Servers.php disables host key verification, making it vulnerable to man-in-the-middle attacks.

Location

• File: src/View/Modal/Admin/Servers.php
• Lines: 180-189

Issue

The current implementation uses:

• StrictHostKeyChecking=no

With this setting disabled, an attacker who can intercept network traffic could:

1. Present their own SSH server as the target
2. Capture the private key authentication attempt
3. Potentially gain access to the actual server

Recommendation

1. Store and verify host keys in a known_hosts file per workspace
2. On first connection, prompt the user to verify the host fingerprint
3. Use StrictHostKeyChecking=accept-new to accept on first connect and verify thereafter
4. Log host key changes as security events

Severity

Medium - Requires network-level access but could lead to credential theft