elie/ssh-audit
1
0
Fork 0
mirror of https://github.com/jtesta/ssh-audit.git synced 2025-11-04 11:12:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

Added one new host key type (ssh-rsa1) and one new cipher (blowfish).

Browse Source
This commit is contained in:
Joe Testa
2020-03-18 12:19:05 -04:00
parent b70f4061cc
commit 1ac4041c09
2 changed files with 8 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@@ -69,6 +69,10 @@ $ snap install ssh-audit
``` ```
## ChangeLog ## ChangeLog
### v2.2.1-dev (???)
- Added 1 new host key types: `ssh-rsa1`.
- Added 1 new ciphers: `blowfish`.
### v2.2.0 (2020-03-11) ### v2.2.0 (2020-03-11)
- Marked host key type `ssh-rsa` as weak due to [practical SHA-1 collisions](https://eprint.iacr.org/2020/014.pdf). - Marked host key type `ssh-rsa` as weak due to [practical SHA-1 collisions](https://eprint.iacr.org/2020/014.pdf).
- Added Windows builds. - Added Windows builds.

5
ssh-audit.py
View File

@@ -28,7 +28,7 @@ from __future__ import print_function
import base64, binascii, errno, hashlib, getopt, io, os, random, re, select, socket, struct, sys, json import base64, binascii, errno, hashlib, getopt, io, os, random, re, select, socket, struct, sys, json
VERSION = 'v2.2.0' VERSION = 'v2.2.1-dev'
SSH_HEADER = 'SSH-{0}-OpenSSH_8.0' # SSH software to impersonate SSH_HEADER = 'SSH-{0}-OpenSSH_8.0' # SSH software to impersonate
if sys.version_info.major < 3: if sys.version_info.major < 3:
@@ -320,6 +320,7 @@ class SSH2(object): # pylint: disable=too-few-public-methods
FAIL_DBEAR53_DISABLED = 'disabled since Dropbear SSH 0.53' FAIL_DBEAR53_DISABLED = 'disabled since Dropbear SSH 0.53'
FAIL_DEPRECATED_CIPHER = 'deprecated cipher' FAIL_DEPRECATED_CIPHER = 'deprecated cipher'
FAIL_WEAK_CIPHER = 'using weak cipher' FAIL_WEAK_CIPHER = 'using weak cipher'
FAIL_WEAK_ALGORITHM = 'using weak/obsolete algorithm'
FAIL_PLAINTEXT = 'no encryption/integrity' FAIL_PLAINTEXT = 'no encryption/integrity'
FAIL_DEPRECATED_MAC = 'deprecated MAC' FAIL_DEPRECATED_MAC = 'deprecated MAC'
WARN_CURVES_WEAK = 'using weak elliptic curves' WARN_CURVES_WEAK = 'using weak elliptic curves'
@@ -389,6 +390,7 @@ class SSH2(object): # pylint: disable=too-few-public-methods
'ext-info-s': [[]], # Extension negotiation (RFC 8308) 'ext-info-s': [[]], # Extension negotiation (RFC 8308)
}, },
'key': { 'key': {
'ssh-rsa1': [[], [FAIL_WEAK_ALGORITHM]],
'rsa-sha2-256': [['7.2']], 'rsa-sha2-256': [['7.2']],
'rsa-sha2-512': [['7.2']], 'rsa-sha2-512': [['7.2']],
'ssh-ed25519': [['6.5,l10.7.0']], 'ssh-ed25519': [['6.5,l10.7.0']],
@@ -428,6 +430,7 @@ class SSH2(object): # pylint: disable=too-few-public-methods
'3des': [[], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH74_UNSAFE, WARN_CIPHER_WEAK, WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], '3des': [[], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH74_UNSAFE, WARN_CIPHER_WEAK, WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
'3des-cbc': [['1.2.2,d0.28,l10.2', '6.6', None], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH74_UNSAFE, WARN_CIPHER_WEAK, WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], '3des-cbc': [['1.2.2,d0.28,l10.2', '6.6', None], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH74_UNSAFE, WARN_CIPHER_WEAK, WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
'3des-ctr': [['d0.52'], [FAIL_WEAK_CIPHER]], '3des-ctr': [['d0.52'], [FAIL_WEAK_CIPHER]],
'blowfish': [[], [FAIL_WEAK_ALGORITHM], [WARN_BLOCK_SIZE]],
'blowfish-cbc': [['1.2.2,d0.28,l10.2', '6.6,d0.52', '7.1,d0.52'], [FAIL_OPENSSH67_UNSAFE, FAIL_DBEAR53_DISABLED], [WARN_OPENSSH72_LEGACY, WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], 'blowfish-cbc': [['1.2.2,d0.28,l10.2', '6.6,d0.52', '7.1,d0.52'], [FAIL_OPENSSH67_UNSAFE, FAIL_DBEAR53_DISABLED], [WARN_OPENSSH72_LEGACY, WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
'blowfish-ctr': [[], [FAIL_OPENSSH67_UNSAFE, FAIL_DBEAR53_DISABLED], [WARN_OPENSSH72_LEGACY, WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], 'blowfish-ctr': [[], [FAIL_OPENSSH67_UNSAFE, FAIL_DBEAR53_DISABLED], [WARN_OPENSSH72_LEGACY, WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
'twofish-cbc': [['d0.28', 'd2014.66'], [FAIL_DBEAR67_DISABLED], [WARN_CIPHER_MODE]], 'twofish-cbc': [['d0.28', 'd2014.66'], [FAIL_DBEAR67_DISABLED], [WARN_CIPHER_MODE]],