sftp: warn the user if no host key validation is configured

Previously ssh.InsecureIgnoreHostKey() was set unconditionally as the
default HostKeyCallback with no indication to the user.

This logs a warning pointing users to the documentation on how to
enable host key validation.

See: https://github.com/rclone/rclone/security/code-scanning/167

backend/sftp/sftp.go

@@ -928,11 +928,10 @@ func NewFs(ctx context.Context, name, root string, m configmap.Mapper) (fs.Fs, e
 	// Set up sshConfig here from opt
 	// **NB** everything else should be setup in NewFsWithConnection
 	sshConfig := &ssh.ClientConfig{
-		User:            opt.User,
-		Auth:            []ssh.AuthMethod{},
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
-		Timeout:         time.Duration(f.ci.ConnectTimeout),
-		ClientVersion:   "SSH-2.0-" + f.ci.UserAgent,
+		User:          opt.User,
+		Auth:          []ssh.AuthMethod{},
+		Timeout:       time.Duration(f.ci.ConnectTimeout),
+		ClientVersion: "SSH-2.0-" + f.ci.UserAgent,
 	}
 
 	if len(opt.HostKeyAlgorithms) != 0 {
@@ -945,6 +944,14 @@ func NewFs(ctx context.Context, name, root string, m configmap.Mapper) (fs.Fs, e
 			return nil, fmt.Errorf("couldn't parse known_hosts_file: %w", err)
 		}
 		sshConfig.HostKeyCallback = hostcallback
+	} else {
+		// Set insecure HostKeyCallback if no known_hosts_file is
+		// configured. Rclone has no mechanism to manage
+		// known_hosts files so we can't enable host key
+		// validation by default. Users can enable it by setting
+		// known_hosts_file. See: https://rclone.org/sftp/#host-key-validation
+		sshConfig.HostKeyCallback = ssh.InsecureIgnoreHostKey()
+		fs.Logf(name, "No host key validation is being performed. Set known_hosts_file to enable it. See: https://rclone.org/sftp/#host-key-validation")
 	}
 
 	if opt.UseInsecureCipher && (opt.Ciphers != nil || opt.KeyExchange != nil) {