From 28a1e239868b0498330ce37fc151ee8a0d51b1ed Mon Sep 17 00:00:00 2001 From: Joe Testa Date: Mon, 25 Nov 2024 15:56:51 -0500 Subject: [PATCH] Added warnings to all key exchanges that do not provide protection against quantum attacks. --- README.md | 1 + src/ssh_audit/ssh2_kexdb.py | 199 +++++++++--------- .../dropbear_2019.78_test1.json | 42 +++- .../dropbear_2019.78_test1.txt | 22 +- .../expected_results/openssh_4.0p1_test1.json | 9 +- .../expected_results/openssh_4.0p1_test1.txt | 3 + .../expected_results/openssh_5.6p1_test1.json | 12 +- .../expected_results/openssh_5.6p1_test1.txt | 4 + .../expected_results/openssh_5.6p1_test2.json | 12 +- .../expected_results/openssh_5.6p1_test2.txt | 4 + .../expected_results/openssh_5.6p1_test3.json | 12 +- .../expected_results/openssh_5.6p1_test3.txt | 4 + .../expected_results/openssh_5.6p1_test4.json | 12 +- .../expected_results/openssh_5.6p1_test4.txt | 4 + .../expected_results/openssh_5.6p1_test5.json | 12 +- .../expected_results/openssh_5.6p1_test5.txt | 4 + .../expected_results/openssh_8.0p1_test1.json | 54 ++++- .../expected_results/openssh_8.0p1_test1.txt | 31 ++- .../expected_results/openssh_8.0p1_test2.json | 54 ++++- .../expected_results/openssh_8.0p1_test2.txt | 31 ++- .../expected_results/openssh_8.0p1_test3.json | 37 +++- .../expected_results/openssh_8.0p1_test3.txt | 20 +- .../tinyssh_20190101_test1.json | 6 + .../tinyssh_20190101_test1.txt | 10 +- test/test_ssh2.py | 2 +- test/test_ssh2_kexdb.py | 36 ++++ 26 files changed, 475 insertions(+), 162 deletions(-) diff --git a/README.md b/README.md index 04e417e..0456e41 100644 --- a/README.md +++ b/README.md 
@@ -217,6 +217,7 @@ For convenience, a web front-end on top of the command-line tool is available at ## ChangeLog ### v3.4.0-dev + - Added warning to all key exchanges that do not include protections against quantum attacks due to the Harvest Now, Decrypt Later strategy (see https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later). - Migrated from deprecated `getopt` module to `argparse`; partial credit [oam7575](https://github.com/oam7575). ### v3.3.0 (2024-10-15) diff --git a/src/ssh_audit/ssh2_kexdb.py b/src/ssh_audit/ssh2_kexdb.py index c4b3291..2b15020 100644 --- a/src/ssh_audit/ssh2_kexdb.py +++ b/src/ssh_audit/ssh2_kexdb.py @@ -57,6 +57,7 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods WARN_CIPHER_MODE = 'using weak cipher mode' WARN_ENCRYPT_AND_MAC = 'using encrypt-and-MAC mode' WARN_EXPERIMENTAL = 'using experimental algorithm' + WARN_NOT_PQ_SAFE = 'does not provide protection against post-quantum attacks' WARN_RNDSIG_KEY = 'using weak random number generator could reveal the key' WARN_TAG_SIZE = 'using small 64-bit tag size' WARN_TAG_SIZE_96 = 'using small 96-bit tag size' 
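Review bot: The added constant's text, `'does not provide protection against post-quantum attacks'`, names the wrong thing: the attacks in question are quantum attacks (a quantum computer against DH/ECDH key agreement), while "post-quantum" is the term for the algorithms that resist them, and both the commit subject and the README changelog entry in this same patch say "quantum attacks". Suggest `WARN_NOT_PQ_SAFE = 'does not provide protection against quantum attacks'`, or, to point users at the actual exposure, `'no protection against quantum attacks (Harvest Now, Decrypt Later)'`. The same string is baked into every expected-results fixture in this commit, so those would need regenerating alongside it. The WARN_* block this line joins starts before the hunk.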
@@ -84,117 +85,117 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods MASTER_DB: Dict[str, Dict[str, List[List[Optional[str]]]]] = { # Format: 'algorithm_name': [['version_first_appeared_in'], [reason_for_failure1, reason_for_failure2, ...], [warning1, warning2, ...], [info1, info2, ...]] 'kex': { - 'Curve25519SHA256': [[]], - 'curve25519-sha256': [['7.4,d2018.76'], [], [], [INFO_DEFAULT_OPENSSH_KEX_74_TO_89]], - 'curve25519-sha256@libssh.org': [['6.4,d2013.62,l10.6.0'], [], [], [INFO_DEFAULT_OPENSSH_KEX_65_TO_73]], - 'curve448-sha512': [[]], - 'curve448-sha512@libssh.org': [[]], - 'diffie-hellman-group14-sha1': [['3.9,d0.53,l10.6.0'], [FAIL_SHA1], [WARN_2048BIT_MODULUS]], - 'diffie-hellman-group14-sha224@ssh.com': [[]], - 'diffie-hellman-group14-sha256': [['7.3,d2016.73'], [], [WARN_2048BIT_MODULUS]], - 'diffie-hellman-group14-sha256@ssh.com': [[], [], [WARN_2048BIT_MODULUS]], - 'diffie-hellman-group15-sha256': [[]], - 'diffie-hellman-group15-sha256@ssh.com': [[]], - 'diffie-hellman-group15-sha384@ssh.com': [[]], - 'diffie-hellman-group15-sha512': [[]], - 'diffie-hellman-group16-sha256': [[]], - 'diffie-hellman-group16-sha384@ssh.com': [[]], - 'diffie-hellman-group16-sha512': [['7.3,d2016.73']], - 'diffie-hellman-group16-sha512@ssh.com': [[]], - 'diffie-hellman-group17-sha512': [[]], - 'diffie-hellman_group17-sha512': [[]], - 'diffie-hellman-group18-sha512': [['7.3']], - 'diffie-hellman-group18-sha512@ssh.com': [[]], - 'diffie-hellman-group1-sha1': [['2.3.0,d0.28,l10.2', '6.6', '6.9'], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1], [], [INFO_REMOVED_IN_OPENSSH69]], - 'diffie-hellman-group1-sha256': [[], [FAIL_1024BIT_MODULUS]], - 'diffie-hellman-group-exchange-sha1': [['2.3.0', '6.6', None], [FAIL_SHA1]], - 'diffie-hellman-group-exchange-sha224@ssh.com': [[]], - 'diffie-hellman-group-exchange-sha256': [['4.4']], - 'diffie-hellman-group-exchange-sha256@ssh.com': [[]], - 'diffie-hellman-group-exchange-sha384@ssh.com': [[]], - 
'diffie-hellman-group-exchange-sha512@ssh.com': [[]], + 'Curve25519SHA256': [[], [], [WARN_NOT_PQ_SAFE]], + 'curve25519-sha256': [['7.4,d2018.76'], [], [WARN_NOT_PQ_SAFE], [INFO_DEFAULT_OPENSSH_KEX_74_TO_89]], + 'curve25519-sha256@libssh.org': [['6.4,d2013.62,l10.6.0'], [], [WARN_NOT_PQ_SAFE], [INFO_DEFAULT_OPENSSH_KEX_65_TO_73]], + 'curve448-sha512': [[], [], [WARN_NOT_PQ_SAFE]], + 'curve448-sha512@libssh.org': [[], [], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group14-sha1': [['3.9,d0.53,l10.6.0'], [FAIL_SHA1], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group14-sha224@ssh.com': [[], [], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group14-sha256': [['7.3,d2016.73'], [], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group14-sha256@ssh.com': [[], [], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group15-sha256': [[], [], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group15-sha256@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group15-sha384@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group15-sha512': [[], [], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group16-sha256': [[], [], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group16-sha384@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group16-sha512': [['7.3,d2016.73'], [], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group16-sha512@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group17-sha512': [[], [], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman_group17-sha512': [[], [], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group18-sha512': [['7.3'], [], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group18-sha512@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group1-sha1': [['2.3.0,d0.28,l10.2', '6.6', '6.9'], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1], [WARN_NOT_PQ_SAFE], [INFO_REMOVED_IN_OPENSSH69]], + 'diffie-hellman-group1-sha256': [[], [FAIL_1024BIT_MODULUS], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group-exchange-sha1': [['2.3.0', 
'6.6', None], [FAIL_SHA1], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group-exchange-sha224@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group-exchange-sha256': [['4.4'], [], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group-exchange-sha256@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group-exchange-sha384@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]], + 'diffie-hellman-group-exchange-sha512@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]], 'ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org': [[], [FAIL_NSA_BACKDOORED_CURVE]], 'ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org': [[], [FAIL_NSA_BACKDOORED_CURVE]], 'ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org': [[], [FAIL_NSA_BACKDOORED_CURVE]], - 'ecdh-sha2-1.2.840.10045.3.1.1': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE]], # NIST P-192 / secp192r1 - 'ecdh-sha2-1.2.840.10045.3.1.7': [[], [FAIL_NSA_BACKDOORED_CURVE]], # NIST P-256 / secp256r1 - 'ecdh-sha2-1.3.132.0.10': [[]], # ECDH over secp256k1 (i.e.: the Bitcoin curve) - 'ecdh-sha2-1.3.132.0.16': [[], [FAIL_UNPROVEN]], # sect283k1 - 'ecdh-sha2-1.3.132.0.1': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], # sect163k1 - 'ecdh-sha2-1.3.132.0.26': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], # sect233k1 - 'ecdh-sha2-1.3.132.0.27': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE]], # sect233r1 - 'ecdh-sha2-1.3.132.0.33': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE]], # NIST P-224 / secp224r1 - 'ecdh-sha2-1.3.132.0.34': [[], [FAIL_NSA_BACKDOORED_CURVE]], # NIST P-384 / secp384r1 - 'ecdh-sha2-1.3.132.0.35': [[], [FAIL_NSA_BACKDOORED_CURVE]], # NIST P-521 / secp521r1 - 'ecdh-sha2-1.3.132.0.36': [[], [FAIL_UNPROVEN]], # sect409k1 - 'ecdh-sha2-1.3.132.0.37': [[], [FAIL_NSA_BACKDOORED_CURVE]], # sect409r1 - 'ecdh-sha2-1.3.132.0.38': [[], [FAIL_UNPROVEN]], # sect571k1 + 'ecdh-sha2-1.2.840.10045.3.1.1': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # NIST P-192 / secp192r1 + 
'ecdh-sha2-1.2.840.10045.3.1.7': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # NIST P-256 / secp256r1 + 'ecdh-sha2-1.3.132.0.10': [[], [], [WARN_NOT_PQ_SAFE]], # ECDH over secp256k1 (i.e.: the Bitcoin curve) + 'ecdh-sha2-1.3.132.0.16': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], # sect283k1 + 'ecdh-sha2-1.3.132.0.1': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]], # sect163k1 + 'ecdh-sha2-1.3.132.0.26': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]], # sect233k1 + 'ecdh-sha2-1.3.132.0.27': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # sect233r1 + 'ecdh-sha2-1.3.132.0.33': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # NIST P-224 / secp224r1 + 'ecdh-sha2-1.3.132.0.34': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # NIST P-384 / secp384r1 + 'ecdh-sha2-1.3.132.0.35': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # NIST P-521 / secp521r1 + 'ecdh-sha2-1.3.132.0.36': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], # sect409k1 + 'ecdh-sha2-1.3.132.0.37': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # sect409r1 + 'ecdh-sha2-1.3.132.0.38': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], # sect571k1 # Note: the base64 strings, according to draft 6 of RFC5656, is Base64(MD5(DER(OID))). The final RFC5656 dropped the base64 strings in favor of plain OID concatenation, but apparently some SSH servers implement them anyway. 
See: https://datatracker.ietf.org/doc/html/draft-green-secsh-ecc-06#section-9.2 - 'ecdh-sha2-4MHB+NBt3AlaSRQ7MnB4cg==': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], # sect163k1 - 'ecdh-sha2-5pPrSUQtIaTjUSt5VZNBjg==': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE]], # NIST P-192 / secp192r1 - 'ecdh-sha2-9UzNcgwTlEnSCECZa7V1mw==': [[], [FAIL_NSA_BACKDOORED_CURVE]], # NIST P-256 / secp256r1 - 'ecdh-sha2-brainpoolp256r1@genua.de': [[], [FAIL_UNPROVEN]], - 'ecdh-sha2-brainpoolp384r1@genua.de': [[], [FAIL_UNPROVEN]], - 'ecdh-sha2-brainpoolp521r1@genua.de': [[], [FAIL_UNPROVEN]], - 'ecdh-sha2-curve25519': [[], []], - 'ecdh-sha2-D3FefCjYoJ/kfXgAyLddYA==': [[], [FAIL_NSA_BACKDOORED_CURVE]], # sect409r1 - 'ecdh-sha2-h/SsxnLCtRBh7I9ATyeB3A==': [[], [FAIL_NSA_BACKDOORED_CURVE]], # NIST P-521 / secp521r1 - 'ecdh-sha2-m/FtSAmrV4j/Wy6RVUaK7A==': [[], [FAIL_UNPROVEN]], # sect409k1 - 'ecdh-sha2-mNVwCXAoS1HGmHpLvBC94w==': [[], [FAIL_UNPROVEN]], # sect571k1 - 'ecdh-sha2-nistb233': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], - 'ecdh-sha2-nistb409': [[], [FAIL_UNPROVEN]], - 'ecdh-sha2-nistk163': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], - 'ecdh-sha2-nistk233': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], - 'ecdh-sha2-nistk283': [[], [FAIL_UNPROVEN]], - 'ecdh-sha2-nistk409': [[], [FAIL_UNPROVEN]], - 'ecdh-sha2-nistp192': [[], [FAIL_NSA_BACKDOORED_CURVE]], - 'ecdh-sha2-nistp224': [[], [FAIL_NSA_BACKDOORED_CURVE]], - 'ecdh-sha2-nistp256': [['5.7,d2013.62,l10.6.0'], [FAIL_NSA_BACKDOORED_CURVE]], - 'ecdh-sha2-nistp384': [['5.7,d2013.62'], [FAIL_NSA_BACKDOORED_CURVE]], - 'ecdh-sha2-nistp521': [['5.7,d2013.62'], [FAIL_NSA_BACKDOORED_CURVE]], - 'ecdh-sha2-nistt571': [[], [FAIL_UNPROVEN]], - 'ecdh-sha2-qCbG5Cn/jjsZ7nBeR7EnOA==': [[FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE]], # sect233r1 - 'ecdh-sha2-qcFQaMAMGhTziMT0z+Tuzw==': [[], [FAIL_NSA_BACKDOORED_CURVE]], # NIST P-384 / secp384r1 - 'ecdh-sha2-VqBg4QRPjxx1EXZdV0GdWQ==': [[], [FAIL_NSA_BACKDOORED_CURVE, 
FAIL_SMALL_ECC_MODULUS]], # NIST P-224 / secp224r1 - 'ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==': [[], [FAIL_UNPROVEN]], # sect283k1 - 'ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], # sect233k1 - 'ecmqv-sha2': [[], [FAIL_UNPROVEN]], + 'ecdh-sha2-4MHB+NBt3AlaSRQ7MnB4cg==': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]], # sect163k1 + 'ecdh-sha2-5pPrSUQtIaTjUSt5VZNBjg==': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # NIST P-192 / secp192r1 + 'ecdh-sha2-9UzNcgwTlEnSCECZa7V1mw==': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # NIST P-256 / secp256r1 + 'ecdh-sha2-brainpoolp256r1@genua.de': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], + 'ecdh-sha2-brainpoolp384r1@genua.de': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], + 'ecdh-sha2-brainpoolp521r1@genua.de': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], + 'ecdh-sha2-curve25519': [[], [], [WARN_NOT_PQ_SAFE]], + 'ecdh-sha2-D3FefCjYoJ/kfXgAyLddYA==': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # sect409r1 + 'ecdh-sha2-h/SsxnLCtRBh7I9ATyeB3A==': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # NIST P-521 / secp521r1 + 'ecdh-sha2-m/FtSAmrV4j/Wy6RVUaK7A==': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], # sect409k1 + 'ecdh-sha2-mNVwCXAoS1HGmHpLvBC94w==': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], # sect571k1 + 'ecdh-sha2-nistb233': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]], + 'ecdh-sha2-nistb409': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], + 'ecdh-sha2-nistk163': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]], + 'ecdh-sha2-nistk233': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]], + 'ecdh-sha2-nistk283': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], + 'ecdh-sha2-nistk409': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], + 'ecdh-sha2-nistp192': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], + 'ecdh-sha2-nistp224': [[], [FAIL_NSA_BACKDOORED_CURVE], 
[WARN_NOT_PQ_SAFE]], + 'ecdh-sha2-nistp256': [['5.7,d2013.62,l10.6.0'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], + 'ecdh-sha2-nistp384': [['5.7,d2013.62'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], + 'ecdh-sha2-nistp521': [['5.7,d2013.62'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], + 'ecdh-sha2-nistt571': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], + 'ecdh-sha2-qCbG5Cn/jjsZ7nBeR7EnOA==': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # sect233r1 + 'ecdh-sha2-qcFQaMAMGhTziMT0z+Tuzw==': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # NIST P-384 / secp384r1 + 'ecdh-sha2-VqBg4QRPjxx1EXZdV0GdWQ==': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]], # NIST P-224 / secp224r1 + 'ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], # sect283k1 + 'ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]], # sect233k1 + 'ecmqv-sha2': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], 'ext-info-c': [['7.2'], [], [], [INFO_EXTENSION_NEGOTIATION]], # Extension negotiation (RFC 8308) 'ext-info-s': [['9.6'], [], [], [INFO_EXTENSION_NEGOTIATION]], # Extension negotiation (RFC 8308) 'kex-strict-c-v00@openssh.com': [[], [], [], [INFO_STRICT_KEX]], # Strict KEX marker (countermeasure for CVE-2023-48795). 'kex-strict-s-v00@openssh.com': [[], [], [], [INFO_STRICT_KEX]], # Strict KEX marker (countermeasure for CVE-2023-48795). # The GSS kex algorithms get special wildcard handling, since they include variable base64 data after their standard prefixes. 
- 'gss-13.3.132.0.10-sha256-*': [[], [FAIL_UNKNOWN]], - 'gss-curve25519-sha256-*': [[]], - 'gss-curve448-sha512-*': [[]], - 'gss-gex-sha1-*': [[], [FAIL_SHA1]], - 'gss-gex-sha256-*': [[]], - 'gss-group14-sha1-*': [[], [FAIL_SHA1], [WARN_2048BIT_MODULUS]], - 'gss-group14-sha256-*': [[], [], [WARN_2048BIT_MODULUS]], - 'gss-group15-sha512-*': [[]], - 'gss-group16-sha512-*': [[]], - 'gss-group17-sha512-*': [[]], - 'gss-group18-sha512-*': [[]], - 'gss-group1-sha1-*': [[], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1]], - 'gss-nistp256-sha256-*': [[], [FAIL_NSA_BACKDOORED_CURVE]], - 'gss-nistp384-sha256-*': [[], [FAIL_NSA_BACKDOORED_CURVE]], - 'gss-nistp384-sha384-*': [[], [FAIL_NSA_BACKDOORED_CURVE]], - 'gss-nistp521-sha512-*': [[], [FAIL_NSA_BACKDOORED_CURVE]], - 'kexAlgoCurve25519SHA256': [[]], - 'kexAlgoDH14SHA1': [[], [FAIL_SHA1], [WARN_2048BIT_MODULUS]], - 'kexAlgoDH1SHA1': [[], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1]], - 'kexAlgoECDH256': [[], [FAIL_NSA_BACKDOORED_CURVE]], - 'kexAlgoECDH384': [[], [FAIL_NSA_BACKDOORED_CURVE]], - 'kexAlgoECDH521': [[], [FAIL_NSA_BACKDOORED_CURVE]], - 'kexguess2@matt.ucc.asn.au': [['d2013.57']], - 'm383-sha384@libassh.org': [[], [FAIL_UNPROVEN]], - 'm511-sha512@libassh.org': [[], [FAIL_UNPROVEN]], + 'gss-13.3.132.0.10-sha256-*': [[], [FAIL_UNKNOWN], [WARN_NOT_PQ_SAFE]], + 'gss-curve25519-sha256-*': [[], [], [WARN_NOT_PQ_SAFE]], + 'gss-curve448-sha512-*': [[], [], [WARN_NOT_PQ_SAFE]], + 'gss-gex-sha1-*': [[], [FAIL_SHA1], [WARN_NOT_PQ_SAFE]], + 'gss-gex-sha256-*': [[], [], [WARN_NOT_PQ_SAFE]], + 'gss-group14-sha1-*': [[], [FAIL_SHA1], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]], + 'gss-group14-sha256-*': [[], [], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]], + 'gss-group15-sha512-*': [[], [], [WARN_NOT_PQ_SAFE]], + 'gss-group16-sha512-*': [[], [], [WARN_NOT_PQ_SAFE]], + 'gss-group17-sha512-*': [[], [], [WARN_NOT_PQ_SAFE]], + 'gss-group18-sha512-*': [[], [], [WARN_NOT_PQ_SAFE]], + 'gss-group1-sha1-*': [[], 
[FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1], [WARN_NOT_PQ_SAFE]], + 'gss-nistp256-sha256-*': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], + 'gss-nistp384-sha256-*': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], + 'gss-nistp384-sha384-*': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], + 'gss-nistp521-sha512-*': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], + 'kexAlgoCurve25519SHA256': [[], [], [WARN_NOT_PQ_SAFE]], + 'kexAlgoDH14SHA1': [[], [FAIL_SHA1], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]], + 'kexAlgoDH1SHA1': [[], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1], [WARN_NOT_PQ_SAFE]], + 'kexAlgoECDH256': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], + 'kexAlgoECDH384': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], + 'kexAlgoECDH521': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], + 'kexguess2@matt.ucc.asn.au': [['d2013.57'], [], [WARN_NOT_PQ_SAFE]], + 'm383-sha384@libassh.org': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], + 'm511-sha512@libassh.org': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], 'mlkem768x25519-sha256': [['9.9'], [], [], [INFO_HYBRID_PQ_X25519_KEX]], - 'rsa1024-sha1': [[], [FAIL_1024BIT_MODULUS, FAIL_SHA1]], - 'rsa2048-sha256': [[], [], [WARN_2048BIT_MODULUS]], - 'sm2kep-sha2-nistp256': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_UNTRUSTED]], + 'rsa1024-sha1': [[], [FAIL_1024BIT_MODULUS, FAIL_SHA1], [WARN_NOT_PQ_SAFE]], + 'rsa2048-sha256': [[], [], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]], + 'sm2kep-sha2-nistp256': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_UNTRUSTED], [WARN_NOT_PQ_SAFE]], 'sntrup4591761x25519-sha512@tinyssh.org': [['8.0', '8.4'], [], [WARN_EXPERIMENTAL], [INFO_WITHDRAWN_PQ_ALG]], 'sntrup761x25519-sha512': [['9.9'], [], [], [INFO_DEFAULT_OPENSSH_KEX_99, INFO_HYBRID_PQ_X25519_KEX]], 'sntrup761x25519-sha512@openssh.com': [['8.5'], [], [], [INFO_DEFAULT_OPENSSH_KEX_90_TO_98, INFO_HYBRID_PQ_X25519_KEX]], 
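Review bot: `kexguess2@matt.ucc.asn.au` is tagged with WARN_NOT_PQ_SAFE near the end of the hunk, but like `ext-info-c`, `ext-info-s` and the `kex-strict-*` markers, which this hunk correctly leaves untagged, it is a negotiation marker advertised in the kex list rather than an algorithm that derives a shared secret, so the warning is a false positive; the dropbear fixture in this same commit now tells users `-kexguess2@matt.ucc.asn.au -- kex algorithm to remove`. Suggest leaving that entry as it was, `'kexguess2@matt.ucc.asn.au': [['d2013.57']],`. A second consequence visible in that fixture: because every classical kex now carries a warning, the recommendations for a server offering no hybrid PQ kex remove all of its key exchanges (`-curve25519-sha256`, `-curve25519-sha256@libssh.org`, `-diffie-hellman-group14-sha256`) and drop the former `+diffie-hellman-group16-sha512` suggestion, leaving nothing to negotiate with, so the recommendation logic presumably needs to keep at least one non-PQ kex when no PQ-safe alternative is available, or the warning should be documented as advisory. The MASTER_DB literal continues past the hunk.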
diff --git a/test/docker/expected_results/dropbear_2019.78_test1.json b/test/docker/expected_results/dropbear_2019.78_test1.json index 8204eb7..124859f 100644 --- a/test/docker/expected_results/dropbear_2019.78_test1.json +++ b/test/docker/expected_results/dropbear_2019.78_test1.json @@ -116,6 +116,9 @@ "info": [ "default key exchange from OpenSSH 7.4 to 8.9", "available since OpenSSH 7.4, Dropbear SSH 2018.76" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -125,6 +128,9 @@ "info": [ "default key exchange from OpenSSH 6.5 to 7.3", "available since OpenSSH 6.4, Dropbear SSH 2013.62" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -136,6 +142,9 @@ ], "info": [ "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -147,6 +156,9 @@ ], "info": [ "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -158,6 +170,9 @@ ], "info": [ "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -168,7 +183,8 @@ "available since OpenSSH 7.3, Dropbear SSH 2016.73" ], "warn": [ - "2048-bit modulus only provides 112-bits of symmetric strength" + "2048-bit modulus only provides 112-bits of symmetric strength", + "does not provide protection against post-quantum attacks" ] } }, @@ -182,7 +198,8 @@ "available since OpenSSH 3.9, Dropbear SSH 0.53" ], "warn": [ - "2048-bit modulus only provides 112-bits of symmetric strength" + "2048-bit modulus only provides 112-bits of symmetric strength", + "does not provide protection against post-quantum attacks" ] } }, @@ -191,6 +208,9 @@ "notes": { "info": [ "available since Dropbear SSH 2013.57" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } } 
@@ -349,12 +369,6 @@ "name": "twofish256-ctr", "notes": "" } - ], - "kex": [ - { - "name": "diffie-hellman-group16-sha512", - "notes": "" - } ] } }, @@ -371,9 +385,21 @@ } ], "kex": [ + { + "name": "curve25519-sha256", + "notes": "" + }, + { + "name": "curve25519-sha256@libssh.org", + "notes": "" + }, { "name": "diffie-hellman-group14-sha256", "notes": "" + }, + { + "name": "kexguess2@matt.ucc.asn.au", + "notes": "" } ], "mac": [ diff --git a/test/docker/expected_results/dropbear_2019.78_test1.txt b/test/docker/expected_results/dropbear_2019.78_test1.txt index d735dfb..e047589 100644 --- a/test/docker/expected_results/dropbear_2019.78_test1.txt +++ b/test/docker/expected_results/dropbear_2019.78_test1.txt 
@@ -5,22 +5,30 @@ (gen) compression: enabled (zlib@openssh.com) # key exchange algorithms -(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 - `- [info] default key exchange from OpenSSH 7.4 to 8.9 -(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 - `- [info] default key exchange from OpenSSH 6.5 to 7.3 +(kex) curve25519-sha256 -- [warn] does not provide protection against post-quantum attacks + `- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 + `- [info] default key exchange from OpenSSH 7.4 to 8.9 +(kex) curve25519-sha256@libssh.org -- [warn] does not provide protection against post-quantum attacks + `- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 + `- [info] default key exchange from OpenSSH 6.5 to 7.3 (kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. 
National Security Agency + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm  `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 -(kex) kexguess2@matt.ucc.asn.au -- [info] available since Dropbear SSH 2013.57 +(kex) kexguess2@matt.ucc.asn.au -- [warn] does not provide protection against post-quantum attacks + `- [info] available since Dropbear SSH 2013.57 # host-key algorithms (key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency @@ -74,13 +82,15 @@ (rec) -hmac-sha1-96 -- mac algorithm to remove  (rec) -ssh-dss -- key algorithm to remove  (rec) -ssh-rsa -- key algorithm to remove  -(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append  (rec) +twofish128-ctr -- enc algorithm to append  (rec) +twofish256-ctr -- enc algorithm to append  (rec) -aes128-cbc -- enc algorithm to remove  (rec) -aes256-cbc -- enc algorithm to remove  +(rec) -curve25519-sha256 -- kex algorithm to remove  +(rec) -curve25519-sha256@libssh.org -- kex algorithm to remove  (rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove  (rec) -hmac-sha2-256 -- mac algorithm to remove  +(rec) -kexguess2@matt.ucc.asn.au -- kex algorithm to remove  # additional info (nfo) For hardening guides on common OSes, please see:  diff --git a/test/docker/expected_results/openssh_4.0p1_test1.json b/test/docker/expected_results/openssh_4.0p1_test1.json index fb77e34..553bcaa 100644 
--- a/test/docker/expected_results/openssh_4.0p1_test1.json +++ b/test/docker/expected_results/openssh_4.0p1_test1.json @@ -173,6 +173,9 @@ ], "info": [ "available since OpenSSH 2.3.0" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -186,7 +189,8 @@ "available since OpenSSH 3.9, Dropbear SSH 0.53" ], "warn": [ - "2048-bit modulus only provides 112-bits of symmetric strength" + "2048-bit modulus only provides 112-bits of symmetric strength", + "does not provide protection against post-quantum attacks" ] } }, @@ -201,6 +205,9 @@ "info": [ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } } diff --git a/test/docker/expected_results/openssh_4.0p1_test1.txt b/test/docker/expected_results/openssh_4.0p1_test1.txt index 84a9629..5c3d67d 100644 --- a/test/docker/expected_results/openssh_4.0p1_test1.txt +++ b/test/docker/expected_results/openssh_4.0p1_test1.txt @@ -10,13 +10,16 @@ # key exchange algorithms (kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 2.3.0 (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm  `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 (kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus  `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)  `- [fail] using broken SHA-1 hash algorithm + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 
diff --git a/test/docker/expected_results/openssh_5.6p1_test1.json b/test/docker/expected_results/openssh_5.6p1_test1.json index 715c3d5..c7af400 100644 --- a/test/docker/expected_results/openssh_5.6p1_test1.json +++ b/test/docker/expected_results/openssh_5.6p1_test1.json @@ -195,6 +195,9 @@ ], "info": [ "available since OpenSSH 4.4" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -207,6 +210,9 @@ ], "info": [ "available since OpenSSH 2.3.0" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -220,7 +226,8 @@ "available since OpenSSH 3.9, Dropbear SSH 0.53" ], "warn": [ - "2048-bit modulus only provides 112-bits of symmetric strength" + "2048-bit modulus only provides 112-bits of symmetric strength", + "does not provide protection against post-quantum attacks" ] } }, @@ -235,6 +242,9 @@ "info": [ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } } diff --git a/test/docker/expected_results/openssh_5.6p1_test1.txt b/test/docker/expected_results/openssh_5.6p1_test1.txt index 73756c6..d0e144c 100644 --- a/test/docker/expected_results/openssh_5.6p1_test1.txt +++ b/test/docker/expected_results/openssh_5.6p1_test1.txt 
@@ -6,15 +6,19 @@ # key exchange algorithms (kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 4.4 (kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 2.3.0 (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm  `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 (kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus  `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)  `- [fail] using broken SHA-1 hash algorithm + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 diff --git a/test/docker/expected_results/openssh_5.6p1_test2.json b/test/docker/expected_results/openssh_5.6p1_test2.json index 8e77280..98dba8a 100644 --- a/test/docker/expected_results/openssh_5.6p1_test2.json +++ b/test/docker/expected_results/openssh_5.6p1_test2.json @@ -185,6 +185,9 @@ ], "info": [ "available since OpenSSH 4.4" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -197,6 +200,9 @@ ], "info": [ "available since OpenSSH 2.3.0" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -210,7 +216,8 @@ "available since OpenSSH 3.9, Dropbear SSH 0.53" ], "warn": [ - "2048-bit modulus only provides 112-bits of symmetric strength" + "2048-bit modulus only provides 112-bits of symmetric strength", + "does not provide protection against post-quantum attacks" ] } }, 
@@ -225,6 +232,9 @@ "info": [ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } } diff --git a/test/docker/expected_results/openssh_5.6p1_test2.txt b/test/docker/expected_results/openssh_5.6p1_test2.txt index f984d14..6e3aff6 100644 --- a/test/docker/expected_results/openssh_5.6p1_test2.txt +++ b/test/docker/expected_results/openssh_5.6p1_test2.txt @@ -6,15 +6,19 @@ # key exchange algorithms (kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 4.4 (kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 2.3.0 (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm  `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 (kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus  `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)  `- [fail] using broken SHA-1 hash algorithm + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 diff --git a/test/docker/expected_results/openssh_5.6p1_test3.json b/test/docker/expected_results/openssh_5.6p1_test3.json index 96245bd..d4f051d 100644 --- a/test/docker/expected_results/openssh_5.6p1_test3.json +++ b/test/docker/expected_results/openssh_5.6p1_test3.json 
@@ -185,6 +185,9 @@ ], "info": [ "available since OpenSSH 4.4" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -197,6 +200,9 @@ ], "info": [ "available since OpenSSH 2.3.0" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -210,7 +216,8 @@ "available since OpenSSH 3.9, Dropbear SSH 0.53" ], "warn": [ - "2048-bit modulus only provides 112-bits of symmetric strength" + "2048-bit modulus only provides 112-bits of symmetric strength", + "does not provide protection against post-quantum attacks" ] } }, @@ -225,6 +232,9 @@ "info": [ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } } diff --git a/test/docker/expected_results/openssh_5.6p1_test3.txt b/test/docker/expected_results/openssh_5.6p1_test3.txt index 3a916b3..9416eb4 100644 --- a/test/docker/expected_results/openssh_5.6p1_test3.txt +++ b/test/docker/expected_results/openssh_5.6p1_test3.txt 
@@ -6,15 +6,19 @@ # key exchange algorithms (kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 4.4 (kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 2.3.0 (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm  `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 (kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus  `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)  `- [fail] using broken SHA-1 hash algorithm + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 diff --git a/test/docker/expected_results/openssh_5.6p1_test4.json b/test/docker/expected_results/openssh_5.6p1_test4.json index 176ecd3..d237249 100644 --- a/test/docker/expected_results/openssh_5.6p1_test4.json +++ b/test/docker/expected_results/openssh_5.6p1_test4.json @@ -185,6 +185,9 @@ ], "info": [ "available since OpenSSH 4.4" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -197,6 +200,9 @@ ], "info": [ "available since OpenSSH 2.3.0" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -210,7 +216,8 @@ "available since OpenSSH 3.9, Dropbear SSH 0.53" ], "warn": [ - "2048-bit modulus only provides 112-bits of symmetric strength" + "2048-bit modulus only provides 112-bits of symmetric strength", + "does not provide protection against post-quantum attacks" ] } }, 
@@ -225,6 +232,9 @@ "info": [ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } } diff --git a/test/docker/expected_results/openssh_5.6p1_test4.txt b/test/docker/expected_results/openssh_5.6p1_test4.txt index ff8a635..5e035b0 100644 --- a/test/docker/expected_results/openssh_5.6p1_test4.txt +++ b/test/docker/expected_results/openssh_5.6p1_test4.txt @@ -6,15 +6,19 @@ # key exchange algorithms (kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 4.4 (kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 2.3.0 (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm  `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 (kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus  `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)  `- [fail] using broken SHA-1 hash algorithm + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 diff --git a/test/docker/expected_results/openssh_5.6p1_test5.json b/test/docker/expected_results/openssh_5.6p1_test5.json index 7dc93eb..b98acab 100644 --- a/test/docker/expected_results/openssh_5.6p1_test5.json +++ b/test/docker/expected_results/openssh_5.6p1_test5.json 
@@ -185,6 +185,9 @@ ], "info": [ "available since OpenSSH 4.4" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -197,6 +200,9 @@ ], "info": [ "available since OpenSSH 2.3.0" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -210,7 +216,8 @@ "available since OpenSSH 3.9, Dropbear SSH 0.53" ], "warn": [ - "2048-bit modulus only provides 112-bits of symmetric strength" + "2048-bit modulus only provides 112-bits of symmetric strength", + "does not provide protection against post-quantum attacks" ] } }, @@ -225,6 +232,9 @@ "info": [ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } } diff --git a/test/docker/expected_results/openssh_5.6p1_test5.txt b/test/docker/expected_results/openssh_5.6p1_test5.txt index fddfbea..c44044d 100644 --- a/test/docker/expected_results/openssh_5.6p1_test5.txt +++ b/test/docker/expected_results/openssh_5.6p1_test5.txt 
@@ -6,15 +6,19 @@ # key exchange algorithms (kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 4.4 (kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 2.3.0 (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm  `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 (kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus  `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)  `- [fail] using broken SHA-1 hash algorithm + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 diff --git a/test/docker/expected_results/openssh_8.0p1_test1.json b/test/docker/expected_results/openssh_8.0p1_test1.json index 229b39b..f49867a 100644 --- a/test/docker/expected_results/openssh_8.0p1_test1.json +++ b/test/docker/expected_results/openssh_8.0p1_test1.json @@ -104,6 +104,9 @@ "info": [ "default key exchange from OpenSSH 7.4 to 8.9", "available since OpenSSH 7.4, Dropbear SSH 2018.76" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -113,6 +116,9 @@ "info": [ "default key exchange from OpenSSH 6.5 to 7.3", "available since OpenSSH 6.4, Dropbear SSH 2013.62" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, 
@@ -124,6 +130,9 @@ ], "info": [ "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -135,6 +144,9 @@ ], "info": [ "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -146,6 +158,9 @@ ], "info": [ "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -156,6 +171,9 @@ "info": [ "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).", "available since OpenSSH 4.4" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -164,6 +182,9 @@ "notes": { "info": [ "available since OpenSSH 7.3, Dropbear SSH 2016.73" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -172,6 +193,9 @@ "notes": { "info": [ "available since OpenSSH 7.3" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -182,7 +206,8 @@ "available since OpenSSH 7.3, Dropbear SSH 2016.73" ], "warn": [ - "2048-bit modulus only provides 112-bits of symmetric strength" + "2048-bit modulus only provides 112-bits of symmetric strength", + "does not provide protection against post-quantum attacks" ] } }, @@ -196,7 +221,8 @@ "available since OpenSSH 3.9, Dropbear SSH 0.53" ], "warn": [ - "2048-bit modulus only provides 112-bits of symmetric strength" + "2048-bit modulus only provides 112-bits of symmetric strength", + "does not provide protection against post-quantum attacks" ] } } 
@@ -407,6 +433,14 @@ } }, "warning": { + "chg": { + "kex": [ + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "increase modulus size to 3072 bits or larger" + } + ] + }, "del": { "enc": [ { @@ -415,9 +449,25 @@ } ], "kex": [ + { + "name": "curve25519-sha256", + "notes": "" + }, + { + "name": "curve25519-sha256@libssh.org", + "notes": "" + }, { "name": "diffie-hellman-group14-sha256", "notes": "" + }, + { + "name": "diffie-hellman-group16-sha512", + "notes": "" + }, + { + "name": "diffie-hellman-group18-sha512", + "notes": "" } ], "mac": [ diff --git a/test/docker/expected_results/openssh_8.0p1_test1.txt b/test/docker/expected_results/openssh_8.0p1_test1.txt index c3792cd..e591ed6 100644 --- a/test/docker/expected_results/openssh_8.0p1_test1.txt +++ b/test/docker/expected_results/openssh_8.0p1_test1.txt 
@@ -5,24 +5,34 @@ (gen) compression: enabled (zlib@openssh.com) # key exchange algorithms -(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 - `- [info] default key exchange from OpenSSH 7.4 to 8.9 -(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 - `- [info] default key exchange from OpenSSH 6.5 to 7.3 +(kex) curve25519-sha256 -- [warn] does not provide protection against post-quantum attacks + `- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 + `- [info] default key exchange from OpenSSH 7.4 to 8.9 +(kex) curve25519-sha256@libssh.org -- [warn] does not provide protection against post-quantum attacks + `- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 + `- [info] default key exchange from OpenSSH 6.5 to 7.3 (kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 -(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4 - `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. 
This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477). -(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 -(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3 +(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [warn] does not provide protection against post-quantum attacks + `- [info] available since OpenSSH 4.4 + `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477). +(kex) diffie-hellman-group16-sha512 -- [warn] does not provide protection against post-quantum attacks + `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 +(kex) diffie-hellman-group18-sha512 -- [warn] does not provide protection against post-quantum attacks + `- [info] available since OpenSSH 7.3 (kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm  `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 # host-key algorithms 
@@ -80,8 +90,13 @@ (rec) -hmac-sha1 -- mac algorithm to remove  (rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove  (rec) -ssh-rsa -- key algorithm to remove  +(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger)  (rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove  +(rec) -curve25519-sha256 -- kex algorithm to remove  +(rec) -curve25519-sha256@libssh.org -- kex algorithm to remove  (rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove  +(rec) -diffie-hellman-group16-sha512 -- kex algorithm to remove  +(rec) -diffie-hellman-group18-sha512 -- kex algorithm to remove  (rec) -hmac-sha2-256 -- mac algorithm to remove  (rec) -hmac-sha2-512 -- mac algorithm to remove  (rec) -umac-128@openssh.com -- mac algorithm to remove  diff --git a/test/docker/expected_results/openssh_8.0p1_test2.json b/test/docker/expected_results/openssh_8.0p1_test2.json index 8e18b30..330b46a 100644 --- a/test/docker/expected_results/openssh_8.0p1_test2.json +++ b/test/docker/expected_results/openssh_8.0p1_test2.json @@ -84,6 +84,9 @@ "info": [ "default key exchange from OpenSSH 7.4 to 8.9", "available since OpenSSH 7.4, Dropbear SSH 2018.76" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -93,6 +96,9 @@ "info": [ "default key exchange from OpenSSH 6.5 to 7.3", "available since OpenSSH 6.4, Dropbear SSH 2013.62" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -104,6 +110,9 @@ ], "info": [ "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -115,6 +124,9 @@ ], "info": [ "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, 
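Review bot: The new `(rec) -curve25519-sha256 -- kex algorithm to remove`, `-curve25519-sha256@libssh.org`, `-diffie-hellman-group16-sha512` and `-diffie-hellman-group18-sha512` lines in this fixture (and in the matching openssh_8.0p1_test2.txt and openssh_8.0p1_test3.txt hunks) recommend stripping every remaining non-failing key exchange from an OpenSSH 8.0 server, a version whose fixture shows no PQ-hybrid kex to replace them with, so following the advice would leave only diffie-hellman-group-exchange-sha256, which carries the same warning. It looks as if the recommendation engine treats WARN_NOT_PQ_SAFE like any other warning and promotes it to a removal, which the changelog wording ("Added warning") does not suggest is intended; consider suppressing remove-recommendations for kex whose only warning is this one, or gating them on whether the target version offers a PQ-safe alternative. The `!diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger)` line is also new even though the same fixture reports a 4096-bit modulus for that kex; presumably the new warning now routes the 2048-bit GEX fallback note through the change-recommendation path, which is worth confirming before these expected outputs are accepted.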
@@ -126,6 +138,9 @@ ], "info": [ "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -136,6 +151,9 @@ "info": [ "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).", "available since OpenSSH 4.4" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -144,6 +162,9 @@ "notes": { "info": [ "available since OpenSSH 7.3, Dropbear SSH 2016.73" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -152,6 +173,9 @@ "notes": { "info": [ "available since OpenSSH 7.3" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -162,7 +186,8 @@ "available since OpenSSH 7.3, Dropbear SSH 2016.73" ], "warn": [ - "2048-bit modulus only provides 112-bits of symmetric strength" + "2048-bit modulus only provides 112-bits of symmetric strength", + "does not provide protection against post-quantum attacks" ] } }, @@ -176,7 +201,8 @@ "available since OpenSSH 3.9, Dropbear SSH 0.53" ], "warn": [ - "2048-bit modulus only provides 112-bits of symmetric strength" + "2048-bit modulus only provides 112-bits of symmetric strength", + "does not provide protection against post-quantum attacks" ] } } @@ -356,6 +382,14 @@ } }, "warning": { + "chg": { + "kex": [ + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "increase modulus size to 3072 bits or larger" + } + ] + }, "del": { "enc": [ { 
@@ -364,9 +398,25 @@ } ], "kex": [ + { + "name": "curve25519-sha256", + "notes": "" + }, + { + "name": "curve25519-sha256@libssh.org", + "notes": "" + }, { "name": "diffie-hellman-group14-sha256", "notes": "" + }, + { + "name": "diffie-hellman-group16-sha512", + "notes": "" + }, + { + "name": "diffie-hellman-group18-sha512", + "notes": "" } ], "mac": [ diff --git a/test/docker/expected_results/openssh_8.0p1_test2.txt b/test/docker/expected_results/openssh_8.0p1_test2.txt index 7123eb3..65abfa9 100644 --- a/test/docker/expected_results/openssh_8.0p1_test2.txt +++ b/test/docker/expected_results/openssh_8.0p1_test2.txt 
@@ -5,24 +5,34 @@ (gen) compression: enabled (zlib@openssh.com) # key exchange algorithms -(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 - `- [info] default key exchange from OpenSSH 7.4 to 8.9 -(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 - `- [info] default key exchange from OpenSSH 6.5 to 7.3 +(kex) curve25519-sha256 -- [warn] does not provide protection against post-quantum attacks + `- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 + `- [info] default key exchange from OpenSSH 7.4 to 8.9 +(kex) curve25519-sha256@libssh.org -- [warn] does not provide protection against post-quantum attacks + `- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 + `- [info] default key exchange from OpenSSH 6.5 to 7.3 (kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 -(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4 - `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. 
This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477). -(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 -(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3 +(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [warn] does not provide protection against post-quantum attacks + `- [info] available since OpenSSH 4.4 + `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477). +(kex) diffie-hellman-group16-sha512 -- [warn] does not provide protection against post-quantum attacks + `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 +(kex) diffie-hellman-group18-sha512 -- [warn] does not provide protection against post-quantum attacks + `- [info] available since OpenSSH 7.3 (kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 (kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm  `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength + `- [warn] does not provide protection against post-quantum attacks `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 # host-key algorithms 
@@ -72,8 +82,13 @@ (rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove  (rec) +rsa-sha2-256 -- key algorithm to append  (rec) +rsa-sha2-512 -- key algorithm to append  +(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger)  (rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove  +(rec) -curve25519-sha256 -- kex algorithm to remove  +(rec) -curve25519-sha256@libssh.org -- kex algorithm to remove  (rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove  +(rec) -diffie-hellman-group16-sha512 -- kex algorithm to remove  +(rec) -diffie-hellman-group18-sha512 -- kex algorithm to remove  (rec) -hmac-sha2-256 -- mac algorithm to remove  (rec) -hmac-sha2-512 -- mac algorithm to remove  (rec) -umac-128@openssh.com -- mac algorithm to remove  diff --git a/test/docker/expected_results/openssh_8.0p1_test3.json b/test/docker/expected_results/openssh_8.0p1_test3.json index 76bdb64..070e6fb 100644 --- a/test/docker/expected_results/openssh_8.0p1_test3.json +++ b/test/docker/expected_results/openssh_8.0p1_test3.json @@ -84,6 +84,9 @@ "info": [ "default key exchange from OpenSSH 7.4 to 8.9", "available since OpenSSH 7.4, Dropbear SSH 2018.76" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -93,6 +96,9 @@ "info": [ "default key exchange from OpenSSH 6.5 to 7.3", "available since OpenSSH 6.4, Dropbear SSH 2013.62" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -103,6 +109,9 @@ "info": [ "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).", "available since OpenSSH 4.4" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } } 
@@ -146,16 +155,6 @@ "recommendations": { "informational": { "add": { - "kex": [ - { - "name": "diffie-hellman-group16-sha512", - "notes": "" - }, - { - "name": "diffie-hellman-group18-sha512", - "notes": "" - } - ], "key": [ { "name": "rsa-sha2-256", @@ -169,12 +168,30 @@ } }, "warning": { + "chg": { + "kex": [ + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "increase modulus size to 3072 bits or larger" + } + ] + }, "del": { "enc": [ { "name": "chacha20-poly1305@openssh.com", "notes": "" } + ], + "kex": [ + { + "name": "curve25519-sha256", + "notes": "" + }, + { + "name": "curve25519-sha256@libssh.org", + "notes": "" + } ] } } diff --git a/test/docker/expected_results/openssh_8.0p1_test3.txt b/test/docker/expected_results/openssh_8.0p1_test3.txt index 712451a..cceda01 100644 --- a/test/docker/expected_results/openssh_8.0p1_test3.txt +++ b/test/docker/expected_results/openssh_8.0p1_test3.txt 
@@ -5,12 +5,15 @@ (gen) compression: enabled (zlib@openssh.com) # key exchange algorithms -(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 - `- [info] default key exchange from OpenSSH 7.4 to 8.9 -(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 - `- [info] default key exchange from OpenSSH 6.5 to 7.3 -(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4 - `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477). +(kex) curve25519-sha256 -- [warn] does not provide protection against post-quantum attacks + `- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 + `- [info] default key exchange from OpenSSH 7.4 to 8.9 +(kex) curve25519-sha256@libssh.org -- [warn] does not provide protection against post-quantum attacks + `- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 + `- [info] default key exchange from OpenSSH 6.5 to 7.3 +(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [warn] does not provide protection against post-quantum attacks + `- [info] available since OpenSSH 4.4 + `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477). # host-key algorithms (key) ssh-ed25519 -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79 
@@ -34,11 +37,12 @@ (fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU # algorithm recommendations (for OpenSSH 8.0) -(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append  -(rec) +diffie-hellman-group18-sha512 -- kex algorithm to append  (rec) +rsa-sha2-256 -- key algorithm to append  (rec) +rsa-sha2-512 -- key algorithm to append  +(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger)  (rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove  +(rec) -curve25519-sha256 -- kex algorithm to remove  +(rec) -curve25519-sha256@libssh.org -- kex algorithm to remove  # additional info (nfo) For hardening guides on common OSes, please see:  diff --git a/test/docker/expected_results/tinyssh_20190101_test1.json b/test/docker/expected_results/tinyssh_20190101_test1.json index e0efe0b..b978db1 100644 --- a/test/docker/expected_results/tinyssh_20190101_test1.json +++ b/test/docker/expected_results/tinyssh_20190101_test1.json @@ -43,6 +43,9 @@ "info": [ "default key exchange from OpenSSH 7.4 to 8.9", "available since OpenSSH 7.4, Dropbear SSH 2018.76" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, @@ -52,6 +55,9 @@ "info": [ "default key exchange from OpenSSH 6.5 to 7.3", "available since OpenSSH 6.4, Dropbear SSH 2013.62" + ], + "warn": [ + "does not provide protection against post-quantum attacks" ] } }, diff --git a/test/docker/expected_results/tinyssh_20190101_test1.txt b/test/docker/expected_results/tinyssh_20190101_test1.txt index 2dcc036..62f7c8d 100644 --- a/test/docker/expected_results/tinyssh_20190101_test1.txt +++ b/test/docker/expected_results/tinyssh_20190101_test1.txt 
@@ -4,10 +4,12 @@ (gen) compression: disabled
 # key exchange algorithms
-(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
- `- [info] default key exchange from OpenSSH 7.4 to 8.9
-(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
- `- [info] default key exchange from OpenSSH 6.5 to 7.3
+(kex) curve25519-sha256 -- [warn] does not provide protection against post-quantum attacks
+ `- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+ `- [info] default key exchange from OpenSSH 7.4 to 8.9
+(kex) curve25519-sha256@libssh.org -- [warn] does not provide protection against post-quantum attacks
+ `- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
+ `- [info] default key exchange from OpenSSH 6.5 to 7.3
 (kex) sntrup4591761x25519-sha512@tinyssh.org -- [warn] using experimental algorithm
 `- [info] available since OpenSSH 8.0
 `- [info] the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security
diff --git a/test/test_ssh2.py b/test/test_ssh2.py
index 2c1a636..1ff8f0a 100644
--- a/test/test_ssh2.py
+++ b/test/test_ssh2.py
@@ -165,7 +165,7 @@ class TestSSH2:
 self.audit(out, self._conf())
 out.write()
 lines = output_spy.flush()
- assert len(lines) == 78
+ assert len(lines) == 74
 def test_ssh2_server_invalid_first_packet(self, output_spy, virtual_socket):
 vsocket = virtual_socket
diff --git a/test/test_ssh2_kexdb.py b/test/test_ssh2_kexdb.py
index c4e3eb7..898a0c2 100644
--- a/test/test_ssh2_kexdb.py
+++ b/test/test_ssh2_kexdb.py
@@ -8,6 +8,7 @@ class Test_SSH2_KexDB:
 @pytest.fixture(autouse=True)
 def init(self):
 self.db = SSH2_KexDB.get_db()
+ self.pq_warning = SSH2_KexDB.WARN_NOT_PQ_SAFE
 def test_ssh2_kexdb(self):
 '''Ensures that the SSH2_KexDB.ALGORITHMS dictionary is in the right format.'''
@@ -33,3 +34,38 @@ class Test_SSH2_KexDB:
 # The first entry denotes the versions when this algorithm was added to OpenSSH, Dropbear, and/or libssh, followed by when it was deprecated, and finally when it was removed. Hence it must have between 0 and 3 entries.
 added_entry = alg_data[0]
 assert 0 <= len(added_entry) <= 3
+
+
+ def test_kex_pq_unsafe(self):
+ '''Ensures that all key exchange algorithms are marked as post-quantum unsafe, unless they appear in a whitelist.'''
+
+ # These algorithms include protections against quantum attacks.
+ kex_pq_safe = [
+ "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org",
+ "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org",
+ "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org",
+ "ext-info-c",
+ "ext-info-s",
+ "kex-strict-c-v00@openssh.com",
+ "kex-strict-s-v00@openssh.com",
+ "mlkem768x25519-sha256",
+ "sntrup4591761x25519-sha512@tinyssh.org",
+ "sntrup761x25519-sha512@openssh.com",
+ "sntrup761x25519-sha512",
+ "x25519-kyber-512r3-sha256-d00@amazon.com",
+ "x25519-kyber512-sha512@aws.amazon.com"
+ ]
+
+ failures = []
+ for kex_name in self.db['kex']:
+
+ # Skip key exchanges that are PQ safe.
+ if kex_name in kex_pq_safe:
+ continue
+
+ # Ensure all other kex exchanges have the proper PQ unsafe flag set in their warnings list.
+ alg_data = self.db['kex'][kex_name]
+ if len(alg_data) < 3 or self.pq_warning not in alg_data[2]:
+ failures.append(kex_name)
+
+ assert failures == []
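Review bot: The comment `# These algorithms include protections against quantum attacks.` over `kex_pq_safe` is inaccurate for `ext-info-c`, `ext-info-s`, `kex-strict-c-v00@openssh.com` and `kex-strict-s-v00@openssh.com`, which are pseudo-algorithms that signal protocol extensions rather than key exchanges; someone auditing the allow-list later would read it as a claim that these are PQ-safe kex methods, so either split them into a second list or reword to `# Hybrid PQ key exchanges, plus pseudo-algorithms that are not key exchanges at all.`. The test only checks one direction: an allow-list entry that no longer exists in the database passes silently, and an allow-listed method that does carry the warning is never reported, so add `assert set(kex_pq_safe) <= set(self.db['kex'])` and also append to `failures` any allow-listed name whose `alg_data[2]` contains `self.pq_warning`. Note that `sntrup4591761x25519-sha512@tinyssh.org` is allow-listed even though the tinyssh fixture in this same commit records that the algorithm was withdrawn as it may not provide strong post-quantum security; that is a defensible judgement, but it deserves a one-line comment next to the entry. Minor: `kex_pq_safe` is used only for membership tests, so a `set` literal reads more clearly than a list.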