Commit: 2f26d91 · Finding: GEN-01
Problem
.github/workflows/deploy.yml:40-74 installs sshpass and authenticates every scp/ssh to production with:
sshpass -p '${{ secrets.DEPLOY_PASSWORD }}'
scp -o StrictHostKeyChecking=no ... root@willow.intendednull.com:...Three compounded risks:
- Password auth instead of key auth — password on the command line can leak via
/proc, ps, shell history.
StrictHostKeyChecking=no — trivially MITM-able on first connect or if the host key rotates.root@ login — no least-privilege separation; any successful auth is full host compromise.
Fix
- Switch to an SSH deploy key stored in
secrets.DEPLOY_KEY, loaded via webfactory/ssh-agent@<sha>.
- Remove
-o StrictHostKeyChecking=no; pin known_hosts instead (store ssh-keyscan output in a secret).
- Use a dedicated
deploy user, not root@ — keep sudo for the few systemctl calls if needed.
Obvious fix — will be auto-PR'd (host key capture + key swap can be done in one PR).
Commit:
2f26d91· Finding:GEN-01Problem
.github/workflows/deploy.yml:40-74installssshpassand authenticates every scp/ssh to production with:Three compounded risks:
/proc,ps, shell history.StrictHostKeyChecking=no— trivially MITM-able on first connect or if the host key rotates.root@login — no least-privilege separation; any successful auth is full host compromise.Fix
secrets.DEPLOY_KEY, loaded viawebfactory/ssh-agent@<sha>.-o StrictHostKeyChecking=no; pinknown_hostsinstead (storessh-keyscanoutput in a secret).deployuser, notroot@— keepsudofor the fewsystemctlcalls if needed.Obvious fix — will be auto-PR'd (host key capture + key swap can be done in one PR).