Added support for mixed host key/CA key types (i.e.: RSA host keys signed by ED25519 CAs) (#120).

test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json

@@ -10,7 +10,7 @@
             "expected_required": [
                 "4096"
             ],
-            "mismatched_field": "RSA host key (ssh-rsa-cert-v01@openssh.com) sizes"
+            "mismatched_field": "Host key (ssh-rsa-cert-v01@openssh.com) sizes"
         },
         {
             "actual": [
@@ -22,7 +22,7 @@
             "expected_required": [
                 "4096"
             ],
-            "mismatched_field": "RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes"
+            "mismatched_field": "CA signature size (ssh-rsa)"
         }
     ],
     "host": "localhost",

test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt

@@ -1,13 +1,28 @@
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
 Host:   localhost:2222
 Policy: Docker poliicy: test10 (version 1)
 Result: ❌ Failed!
 
 Errors:
-  * RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match.
+  * CA signature size (ssh-rsa) did not match.
     - Expected: 4096
     - Actual:   1024
 
-  * RSA host key (ssh-rsa-cert-v01@openssh.com) sizes did not match.
+  * Host key (ssh-rsa-cert-v01@openssh.com) sizes did not match.
     - Expected: 4096
     - Actual:   3072
 

test/docker/expected_results/openssh_5.6p1_custom_policy_test7.txt

@@ -1,3 +1,18 @@
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
 Host:   localhost:2222
 Policy: Docker poliicy: test7 (version 1)
 Result: ✔ Passed

test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json

@@ -10,7 +10,7 @@
             "expected_required": [
                 "2048"
             ],
-            "mismatched_field": "RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes"
+            "mismatched_field": "CA signature size (ssh-rsa)"
         }
     ],
     "host": "localhost",

test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt

@@ -1,9 +1,24 @@
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
 Host:   localhost:2222
 Policy: Docker poliicy: test8 (version 1)
 Result: ❌ Failed!
 
 Errors:
-  * RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match.
+  * CA signature size (ssh-rsa) did not match.
     - Expected: 2048
     - Actual:   1024
 

test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json

@@ -10,7 +10,7 @@
             "expected_required": [
                 "4096"
             ],
-            "mismatched_field": "RSA host key (ssh-rsa-cert-v01@openssh.com) sizes"
+            "mismatched_field": "Host key (ssh-rsa-cert-v01@openssh.com) sizes"
         }
     ],
     "host": "localhost",

test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt

@@ -1,9 +1,24 @@
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
 Host:   localhost:2222
 Policy: Docker poliicy: test9 (version 1)
 Result: ❌ Failed!
 
 Errors:
-  * RSA host key (ssh-rsa-cert-v01@openssh.com) sizes did not match.
+  * Host key (ssh-rsa-cert-v01@openssh.com) sizes did not match.
     - Expected: 4096
     - Actual:   3072
 

test/docker/expected_results/openssh_5.6p1_test2.json

@@ -139,6 +139,7 @@
         },
         {
             "algorithm": "ssh-rsa-cert-v01@openssh.com",
+            "ca_algorithm": "ssh-rsa",
             "casize": 1024,
             "keysize": 1024
         }

test/docker/expected_results/openssh_5.6p1_test2.txt

@@ -40,10 +40,11 @@
                                             `- [fail] using small 1024-bit modulus
                                             `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
                                             `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
-(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/1024-bit CA) -- [fail] using broken SHA-1 hash algorithm
-                                                               `- [fail] using small 1024-bit modulus
-                                                               `- [info] available since OpenSSH 5.6
-                                                               `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/1024-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm
+                                                                   `- [fail] using small 1024-bit hostkey modulus
+                                                                   `- [fail] using small 1024-bit CA key modulus
+                                                                   `- [info] available since OpenSSH 5.6
+                                                                   `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
 
 # encryption algorithms (ciphers)
 (enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52

test/docker/expected_results/openssh_5.6p1_test3.json

@@ -139,6 +139,7 @@
         },
         {
             "algorithm": "ssh-rsa-cert-v01@openssh.com",
+            "ca_algorithm": "ssh-rsa",
             "casize": 3072,
             "keysize": 1024
         }

test/docker/expected_results/openssh_5.6p1_test3.txt

@@ -40,10 +40,10 @@
                                             `- [fail] using small 1024-bit modulus
                                             `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
                                             `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
-(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/3072-bit CA) -- [fail] using broken SHA-1 hash algorithm
-                                                               `- [fail] using small 1024-bit modulus
-                                                               `- [info] available since OpenSSH 5.6
-                                                               `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/3072-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm
+                                                                   `- [fail] using small 1024-bit hostkey modulus
+                                                                   `- [info] available since OpenSSH 5.6
+                                                                   `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
 
 # encryption algorithms (ciphers)
 (enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52

test/docker/expected_results/openssh_5.6p1_test4.json

@@ -139,6 +139,7 @@
         },
         {
             "algorithm": "ssh-rsa-cert-v01@openssh.com",
+            "ca_algorithm": "ssh-rsa",
             "casize": 1024,
             "keysize": 3072
         }

test/docker/expected_results/openssh_5.6p1_test4.txt

@@ -39,10 +39,10 @@
 (key) ssh-rsa (3072-bit)                    -- [fail] using broken SHA-1 hash algorithm
                                             `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
                                             `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
-(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/1024-bit CA) -- [fail] using broken SHA-1 hash algorithm
-                                                               `- [fail] using small 1024-bit modulus
-                                                               `- [info] available since OpenSSH 5.6
-                                                               `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/1024-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm
+                                                                   `- [fail] using small 1024-bit CA key modulus
+                                                                   `- [info] available since OpenSSH 5.6
+                                                                   `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
 
 # encryption algorithms (ciphers)
 (enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52

test/docker/expected_results/openssh_5.6p1_test5.json

@@ -139,6 +139,7 @@
         },
         {
             "algorithm": "ssh-rsa-cert-v01@openssh.com",
+            "ca_algorithm": "ssh-rsa",
             "casize": 3072,
             "keysize": 3072
         }

test/docker/expected_results/openssh_5.6p1_test5.txt

@@ -39,9 +39,9 @@
 (key) ssh-rsa (3072-bit)                    -- [fail] using broken SHA-1 hash algorithm
                                             `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
                                             `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
-(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/3072-bit CA) -- [fail] using broken SHA-1 hash algorithm
-                                                               `- [info] available since OpenSSH 5.6
-                                                               `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/3072-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm
+                                                                   `- [info] available since OpenSSH 5.6
+                                                                   `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
 
 # encryption algorithms (ciphers)
 (enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52

test/docker/expected_results/openssh_8.0p1_custom_policy_test11.txt

@@ -1,3 +1,12 @@
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
 Host:   localhost:2222
 Policy: Docker policy: test11 (version 1)
 Result: ✔ Passed

test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json

@@ -10,7 +10,7 @@
             "expected_required": [
                 "4096"
             ],
-            "mismatched_field": "RSA host key (rsa-sha2-256) sizes"
+            "mismatched_field": "Host key (rsa-sha2-256) sizes"
         },
         {
             "actual": [
@@ -22,7 +22,7 @@
             "expected_required": [
                 "4096"
             ],
-            "mismatched_field": "RSA host key (rsa-sha2-512) sizes"
+            "mismatched_field": "Host key (rsa-sha2-512) sizes"
         },
         {
             "actual": [
@@ -34,7 +34,7 @@
             "expected_required": [
                 "4096"
             ],
-            "mismatched_field": "RSA host key (ssh-rsa) sizes"
+            "mismatched_field": "Host key (ssh-rsa) sizes"
         }
     ],
     "host": "localhost",

test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt

@@ -1,17 +1,26 @@
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
 Host:   localhost:2222
 Policy: Docker policy: test12 (version 1)
 Result: ❌ Failed!
 
 Errors:
-  * RSA host key (rsa-sha2-256) sizes did not match.
+  * Host key (rsa-sha2-256) sizes did not match.
     - Expected: 4096
     - Actual:   3072
 
-  * RSA host key (rsa-sha2-512) sizes did not match.
+  * Host key (rsa-sha2-512) sizes did not match.
     - Expected: 4096
     - Actual:   3072
 
-  * RSA host key (ssh-rsa) sizes did not match.
+  * Host key (ssh-rsa) sizes did not match.
     - Expected: 4096
     - Actual:   3072
 

test/docker/expected_results/openssh_8.0p1_custom_policy_test13.txt

@@ -1,3 +1,15 @@
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
 Host:   localhost:2222
 Policy: Docker policy: test13 (version 1)
 Result: ✔ Passed

test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt

@@ -1,3 +1,15 @@
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
 Host:   localhost:2222
 Policy: Docker policy: test14 (version 1)
 Result: ❌ Failed!

test/docker/expected_results/openssh_8.0p1_test2.json

@@ -92,7 +92,9 @@
             "algorithm": "ssh-ed25519"
         },
         {
-            "algorithm": "ssh-ed25519-cert-v01@openssh.com"
+            "algorithm": "ssh-ed25519-cert-v01@openssh.com",
+            "ca_algorithm": "ssh-ed25519",
+            "casize": 256
         }
     ],
     "mac": [

test/docker/expected_results/openssh_8.0p1_test2.txt

@@ -34,7 +34,7 @@
 
 # host-key algorithms
 (key) ssh-ed25519                           -- [info] available since OpenSSH 6.5
-(key) ssh-ed25519-cert-v01@openssh.com      -- [info] available since OpenSSH 6.5
+(key) ssh-ed25519-cert-v01@openssh.com (256-bit cert/256-bit ssh-ed25519 CA) -- [info] available since OpenSSH 6.5
 
 # encryption algorithms (ciphers)
 (enc) chacha20-poly1305@openssh.com         -- [info] available since OpenSSH 6.5