Keyscanning the hostname for its known hosts entry each time this action is used defeats the security provided by SSH host keys.
If an attacker takes over the host, the keyscan will find their malicious key, and the Actions workflow won't detect that an attacker has commandeered the target host.
If the known host public key comes from a secret the user/developer has configured, then they're confirming that this key should be their target's key, and if their target's key changes, the workflow will fail with a "host validation error," indicating the presence of an attacker or else a new key that the user/developer needs to update.
Keyscanning is convenient, but bad for security.
As a best practice, the known hosts entry should come from a GitHub Actions secret.
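As an added illustration (not code from the original issue or from the action it discusses), the following workflow places the keyscan pattern argued against above beside the recommended pattern where the known_hosts entry is pinned in a repository secret. The hostname, secret names and deploy script are assumptions.

```yaml
# Added example: one job showing the weak (keyscan) step and the recommended
# (pinned secret) step side by side. deploy.example.com, SSH_KNOWN_HOSTS,
# SSH_DEPLOY_KEY and deploy.sh are assumed placeholder names.
name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      # WEAK: trusts whatever key the host presents at run time. If the host
      # has been taken over, the attacker's key is fetched and accepted, so
      # host key verification detects nothing.
      - name: Add host key via keyscan (not recommended)
        if: false   # kept only for contrast; never runs
        run: |
          mkdir -p ~/.ssh
          ssh-keyscan -H deploy.example.com >> ~/.ssh/known_hosts

      # RECOMMENDED: the entry was set by the developer from a trusted channel
      # and stored as a secret. If the host's key changes, ssh fails with a
      # host key verification error instead of silently accepting the new key.
      - name: Add pinned host key from secret
        env:
          # expected format: "deploy.example.com ssh-ed25519 AAAA..."
          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
        run: |
          set -euo pipefail
          test -n "$SSH_KNOWN_HOSTS"   # fail loudly if the secret is unset
          mkdir -p ~/.ssh && chmod 700 ~/.ssh
          printf '%s\n' "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts

      - name: Deploy over SSH
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_DEPLOY_KEY }}
        run: |
          set -euo pipefail
          printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          # StrictHostKeyChecking=yes: connect only if the presented key matches
          # the pinned entry exactly; no prompting and no automatic additions.
          ssh -o StrictHostKeyChecking=yes \
              -o "UserKnownHostsFile=$HOME/.ssh/known_hosts" \
              deploy@deploy.example.com './deploy.sh'
```

Rotating the host key is then an explicit act: the developer updates the secret after confirming the new key out of band, and until then the job fails rather than trusting an unverified key.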