From 0b034b8226b315e4c59e6b2b7375a6b60a1f43a0 Mon Sep 17 00:00:00 2001 From: Joe Testa Date: Mon, 26 Aug 2019 14:44:35 -0400 Subject: [PATCH] Marked 3des-ctr as a weak cipher. --- ssh-audit.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ssh-audit.py b/ssh-audit.py index 5f138e0..0797f95 100755 --- a/ssh-audit.py +++ b/ssh-audit.py @@ -360,7 +360,7 @@ class SSH2(object): # pylint: disable=too-few-public-methods 'des-cbc': [[], [FAIL_WEAK_CIPHER], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], 'des-cbc-ssh1': [[], [FAIL_WEAK_CIPHER], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], '3des-cbc': [['1.2.2,d0.28,l10.2', '6.6', None], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH74_UNSAFE, WARN_CIPHER_WEAK, WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], - '3des-ctr': [['d0.52']], + '3des-ctr': [['d0.52'], [FAIL_WEAK_CIPHER]], 'blowfish-cbc': [['1.2.2,d0.28,l10.2', '6.6,d0.52', '7.1,d0.52'], [FAIL_OPENSSH67_UNSAFE, FAIL_DBEAR53_DISABLED], [WARN_OPENSSH72_LEGACY, WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], 'blowfish-ctr': [[], [FAIL_OPENSSH67_UNSAFE, FAIL_DBEAR53_DISABLED], [WARN_OPENSSH72_LEGACY, WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], 'twofish-cbc': [['d0.28', 'd2014.66'], [FAIL_DBEAR67_DISABLED], [WARN_CIPHER_MODE]], @@ -2683,6 +2683,9 @@ def output_fingerprints(algs, sha256=True): if algs.ssh2kex is not None: host_keys = algs.ssh2kex.host_keys() for host_key_type in algs.ssh2kex.host_keys(): + if host_keys[host_key_type] is None: + continue + fp = SSH.Fingerprint(host_keys[host_key_type]) # Workaround for Python's order-indifference in dicts. We might get a random RSA type (ssh-rsa, rsa-sha2-256, or rsa-sha2-512), so running the tool against the same server three times may give three different host key types here. So if we have any RSA type, we will simply hard-code it to 'ssh-rsa'.