Add Jfrog ignore

[EyalDelarea]

• All tests passed. If this feature is not already covered by the tests, I added new tests.
• All static analysis checks passed.
• This pull request is on the dev branch.
• I used gofmt for formatting the code before submitting the pull request.

---

[github-actions]

---

🐸 JFrog Frogbot

[github-actions]

{
		User: "admin",
		Auth: []ssh.AuthMethod{
			sshAuth,
		},
		//#nosec G106 -- Used to get ssh headers only.
		//jfrog:ignore
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	}

at auth/sshlogin.go (line 67)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity	Finding
Low	SSH key not verified properly, expired certificates may be accepted

Full description

Overview

SSH Keys Past Expiration is a vulnerability that occurs when SSH keys
used for authentication have expired. Expired keys can lead to
unauthorized access to systems and sensitive data, posing a security
risk to the organization.

Vulnerable example

package main

import (
    "golang.org/x/crypto/ssh"
    "net"
)

func main() {}

func insecureIgnoreHostKey() {
    _ = &ssh.ClientConfig{
        User:            "username",
        Auth:            []ssh.AuthMethod{nil},
        HostKeyCallback: ssh.InsecureIgnoreHostKey(),
    }
}

In this example, the InsecureIgnoreHostKey function is used to ignore
host key verification, which can lead to accepting expired or invalid
keys.

Remediation

package main

import (
    "golang.org/x/crypto/ssh"
    "net"
)

func main() {}

func secureHostKeyCallback() {
    publicKeyBytes, _ := ioutil.ReadFile("allowed_hostkey.pub")
    publicKey, _ := ssh.ParsePublicKey(publicKeyBytes)

    _ = &ssh.ClientConfig{
        User:            "username",
        Auth:            []ssh.AuthMethod{nil},
        HostKeyCallback: ssh.FixedHostKey(publicKey),
    }
}

By using allowed host keys and proper host key verification, we can
mitigate the risk of accepting expired or invalid SSH keys.

---

🐸 JFrog Frogbot