From 1ac4041c097913bcaf6036d9582415256f5dd1f4 Mon Sep 17 00:00:00 2001 From: Joe Testa Date: Wed, 18 Mar 2020 12:19:05 -0400 Subject: [PATCH] Added one new host key type (ssh-rsa1) and one new cipher (blowfish). --- README.md | 4 ++++ ssh-audit.py | 5 ++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index e4c267e..0584b2c 100644 --- a/README.md +++ b/README.md @@ -69,6 +69,10 @@ $ snap install ssh-audit ``` ## ChangeLog +### v2.2.1-dev (???) + - Added 1 new host key types: `ssh-rsa1`. + - Added 1 new ciphers: `blowfish`. + ### v2.2.0 (2020-03-11) - Marked host key type `ssh-rsa` as weak due to [practical SHA-1 collisions](https://eprint.iacr.org/2020/014.pdf). - Added Windows builds. diff --git a/ssh-audit.py b/ssh-audit.py index 447d68d..3284213 100755 --- a/ssh-audit.py +++ b/ssh-audit.py @@ -28,7 +28,7 @@ from __future__ import print_function import base64, binascii, errno, hashlib, getopt, io, os, random, re, select, socket, struct, sys, json -VERSION = 'v2.2.0' +VERSION = 'v2.2.1-dev' SSH_HEADER = 'SSH-{0}-OpenSSH_8.0' # SSH software to impersonate if sys.version_info.major < 3: @@ -320,6 +320,7 @@ class SSH2(object): # pylint: disable=too-few-public-methods FAIL_DBEAR53_DISABLED = 'disabled since Dropbear SSH 0.53' FAIL_DEPRECATED_CIPHER = 'deprecated cipher' FAIL_WEAK_CIPHER = 'using weak cipher' + FAIL_WEAK_ALGORITHM = 'using weak/obsolete algorithm' FAIL_PLAINTEXT = 'no encryption/integrity' FAIL_DEPRECATED_MAC = 'deprecated MAC' WARN_CURVES_WEAK = 'using weak elliptic curves' @@ -389,6 +390,7 @@ class SSH2(object): # pylint: disable=too-few-public-methods 'ext-info-s': [[]], # Extension negotiation (RFC 8308) }, 'key': { + 'ssh-rsa1': [[], [FAIL_WEAK_ALGORITHM]], 'rsa-sha2-256': [['7.2']], 'rsa-sha2-512': [['7.2']], 'ssh-ed25519': [['6.5,l10.7.0']], @@ -428,6 +430,7 @@ class SSH2(object): # pylint: disable=too-few-public-methods '3des': [[], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH74_UNSAFE, WARN_CIPHER_WEAK, WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], '3des-cbc': [['1.2.2,d0.28,l10.2', '6.6', None], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH74_UNSAFE, WARN_CIPHER_WEAK, WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], '3des-ctr': [['d0.52'], [FAIL_WEAK_CIPHER]], + 'blowfish': [[], [FAIL_WEAK_ALGORITHM], [WARN_BLOCK_SIZE]], 'blowfish-cbc': [['1.2.2,d0.28,l10.2', '6.6,d0.52', '7.1,d0.52'], [FAIL_OPENSSH67_UNSAFE, FAIL_DBEAR53_DISABLED], [WARN_OPENSSH72_LEGACY, WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], 'blowfish-ctr': [[], [FAIL_OPENSSH67_UNSAFE, FAIL_DBEAR53_DISABLED], [WARN_OPENSSH72_LEGACY, WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], 'twofish-cbc': [['d0.28', 'd2014.66'], [FAIL_DBEAR67_DISABLED], [WARN_CIPHER_MODE]],