Security Audit Flags TOFU SSH Implementation as Critical First-Connection Vulnerability
A code review conducted on May 2, 2026, has identified a critical security flaw in ssh_manager.py that exposes panel-to-server communication to man-in-the-middle attacks. The file implements Trust On First Use (TOFU) authentication through Python's AutoAddPolicy, which automatically accepts and stores any host key presented during the first SSH connection without requiring administrative verification or out-of-band confirmation.
The vulnerability emerges from the inherent weakness of TOFU models: an attacker positioned between the panel and target server at the moment of initial connection can silently inject a malicious host key. Once stored, subsequent connections will trust the compromised key, allowing sustained interception of credentials and data traffic. The affected component handles SSH connection logic, and the risk is compounded by the absence of any mechanism for administrators to validate or reject fingerprints before trust is established.
The proposed remediation introduces a 'pending_fingerprint_confirmation' status that the API returns when adding a server, transmitting the actual host key fingerprint for explicit admin review. Only after administrator confirmation would the system proceed with storing the key and completing the connection. This approach eliminates the silent acceptance window and restores human oversight to a critical security decision point. The acceptance criteria explicitly require that no server be added to the trusted host list without affirmative admin action, directly addressing the TOFU blind spot identified in the original implementation.
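The confirmation flow described above can be sketched as follows. This is an added example, not code from ssh_manager.py or the audited project: the HostTrustStore class, its method names, the "trusted" status and the sample key blobs are assumptions made for illustration, and only the 'pending_fingerprint_confirmation' status comes from the article. AutoAddPolicy is a Paramiko class; the sketch uses only the standard library so it runs offline.

```python
import base64
import hashlib
import hmac

PENDING = "pending_fingerprint_confirmation"  # status name from the article
TRUSTED = "trusted"                            # assumed name for the confirmed state


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public host key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostTrustStore:
    """Hypothetical store: a key is pinned only after explicit admin confirmation."""

    def __init__(self):
        self._pending = {}   # host -> key blob seen on first contact, not yet trusted
        self._trusted = {}   # host -> key blob pinned by an admin

    def add_server(self, host: str, presented_key: bytes) -> dict:
        # Record what the server presented, but do not trust it yet.
        self._pending[host] = presented_key
        return {"host": host, "status": PENDING,
                "fingerprint": fingerprint(presented_key)}

    def confirm(self, host: str, admin_fingerprint: str) -> dict:
        # The admin submits the fingerprint obtained out of band; it must match
        # the one recorded at add time, otherwise nothing is pinned.
        key = self._pending.get(host)
        if key is None:
            raise KeyError(f"no pending key for {host}")
        if not hmac.compare_digest(fingerprint(key).encode(), admin_fingerprint.encode()):
            raise ValueError("fingerprint mismatch, key not trusted")
        self._trusted[host] = self._pending.pop(host)
        return {"host": host, "status": TRUSTED}

    def may_connect(self, host: str, presented_key: bytes) -> bool:
        # Checked on every connection: unknown, pending or changed keys are
        # refused, which is the role a reject policy plays in place of AutoAddPolicy.
        pinned = self._trusted.get(host)
        return pinned is not None and hmac.compare_digest(pinned, presented_key)


# Constructed sample blobs standing in for real host keys.
GOOD_KEY = b"constructed-ed25519-host-key-blob"
ROGUE_KEY = b"constructed-attacker-key-blob"
```

Requiring the admin to submit the fingerprint, rather than click an approve button, forces a comparison against a value obtained from the server through a separate channel.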