Added warnings to all key exchanges that do not provide protection against quantum attacks.

This commit is contained in:
Joe Testa
2024-11-25 15:56:51 -05:00
parent a01baadfa8
commit 28a1e23986
26 changed files with 475 additions and 162 deletions

View File

@ -116,6 +116,9 @@
"info": [
"default key exchange from OpenSSH 7.4 to 8.9",
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -125,6 +128,9 @@
"info": [
"default key exchange from OpenSSH 6.5 to 7.3",
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -136,6 +142,9 @@
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -147,6 +156,9 @@
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -158,6 +170,9 @@
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -168,7 +183,8 @@
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
},
@ -182,7 +198,8 @@
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
},
@ -191,6 +208,9 @@
"notes": {
"info": [
"available since Dropbear SSH 2013.57"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
}
@ -349,12 +369,6 @@
"name": "twofish256-ctr",
"notes": ""
}
],
"kex": [
{
"name": "diffie-hellman-group16-sha512",
"notes": ""
}
]
}
},
@ -371,9 +385,21 @@
}
],
"kex": [
{
"name": "curve25519-sha256",
"notes": ""
},
{
"name": "curve25519-sha256@libssh.org",
"notes": ""
},
{
"name": "diffie-hellman-group14-sha256",
"notes": ""
},
{
"name": "kexguess2@matt.ucc.asn.au",
"notes": ""
}
],
"mac": [

View File

@ -5,22 +5,30 @@
(gen) compression: enabled (zlib@openssh.com)
# key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 `- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
 `- [info] default key exchange from OpenSSH 6.5 to 7.3
(kex) curve25519-sha256 -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
`- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
`- [info] default key exchange from OpenSSH 6.5 to 7.3
(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
 `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
(kex) kexguess2@matt.ucc.asn.au -- [info] available since Dropbear SSH 2013.57
(kex) kexguess2@matt.ucc.asn.au -- [warn] does not provide protection against post-quantum attacks
`- [info] available since Dropbear SSH 2013.57
# host-key algorithms
(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
@ -74,13 +82,15 @@
(rec) -hmac-sha1-96 -- mac algorithm to remove 
(rec) -ssh-dss -- key algorithm to remove 
(rec) -ssh-rsa -- key algorithm to remove 
(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append 
(rec) +twofish128-ctr -- enc algorithm to append 
(rec) +twofish256-ctr -- enc algorithm to append 
(rec) -aes128-cbc -- enc algorithm to remove 
(rec) -aes256-cbc -- enc algorithm to remove 
(rec) -curve25519-sha256 -- kex algorithm to remove 
(rec) -curve25519-sha256@libssh.org -- kex algorithm to remove 
(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove 
(rec) -hmac-sha2-256 -- mac algorithm to remove 
(rec) -kexguess2@matt.ucc.asn.au -- kex algorithm to remove 
# additional info
(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>

View File

@ -173,6 +173,9 @@
],
"info": [
"available since OpenSSH 2.3.0"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -186,7 +189,8 @@
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
},
@ -201,6 +205,9 @@
"info": [
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
}

View File

@ -10,13 +10,16 @@
# key exchange algorithms
(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 2.3.0
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
 `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
 `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
 `- [fail] using broken SHA-1 hash algorithm
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9

View File

@ -195,6 +195,9 @@
],
"info": [
"available since OpenSSH 4.4"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -207,6 +210,9 @@
],
"info": [
"available since OpenSSH 2.3.0"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -220,7 +226,8 @@
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
},
@ -235,6 +242,9 @@
"info": [
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
}

View File

@ -6,15 +6,19 @@
# key exchange algorithms
(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 2.3.0
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
 `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
 `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
 `- [fail] using broken SHA-1 hash algorithm
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9

View File

@ -185,6 +185,9 @@
],
"info": [
"available since OpenSSH 4.4"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -197,6 +200,9 @@
],
"info": [
"available since OpenSSH 2.3.0"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -210,7 +216,8 @@
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
},
@ -225,6 +232,9 @@
"info": [
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
}

View File

@ -6,15 +6,19 @@
# key exchange algorithms
(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 2.3.0
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
 `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
 `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
 `- [fail] using broken SHA-1 hash algorithm
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9

View File

@ -185,6 +185,9 @@
],
"info": [
"available since OpenSSH 4.4"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -197,6 +200,9 @@
],
"info": [
"available since OpenSSH 2.3.0"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -210,7 +216,8 @@
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
},
@ -225,6 +232,9 @@
"info": [
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
}

View File

@ -6,15 +6,19 @@
# key exchange algorithms
(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 2.3.0
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
 `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
 `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
 `- [fail] using broken SHA-1 hash algorithm
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9

View File

@ -185,6 +185,9 @@
],
"info": [
"available since OpenSSH 4.4"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -197,6 +200,9 @@
],
"info": [
"available since OpenSSH 2.3.0"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -210,7 +216,8 @@
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
},
@ -225,6 +232,9 @@
"info": [
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
}

View File

@ -6,15 +6,19 @@
# key exchange algorithms
(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 2.3.0
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
 `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
 `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
 `- [fail] using broken SHA-1 hash algorithm
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9

View File

@ -185,6 +185,9 @@
],
"info": [
"available since OpenSSH 4.4"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -197,6 +200,9 @@
],
"info": [
"available since OpenSSH 2.3.0"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -210,7 +216,8 @@
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
},
@ -225,6 +232,9 @@
"info": [
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
}

View File

@ -6,15 +6,19 @@
# key exchange algorithms
(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 2.3.0
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
 `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
 `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
 `- [fail] using broken SHA-1 hash algorithm
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9

View File

@ -104,6 +104,9 @@
"info": [
"default key exchange from OpenSSH 7.4 to 8.9",
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -113,6 +116,9 @@
"info": [
"default key exchange from OpenSSH 6.5 to 7.3",
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -124,6 +130,9 @@
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -135,6 +144,9 @@
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -146,6 +158,9 @@
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -156,6 +171,9 @@
"info": [
"OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
"available since OpenSSH 4.4"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -164,6 +182,9 @@
"notes": {
"info": [
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -172,6 +193,9 @@
"notes": {
"info": [
"available since OpenSSH 7.3"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -182,7 +206,8 @@
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
},
@ -196,7 +221,8 @@
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
}
@ -407,6 +433,14 @@
}
},
"warning": {
"chg": {
"kex": [
{
"name": "diffie-hellman-group-exchange-sha256",
"notes": "increase modulus size to 3072 bits or larger"
}
]
},
"del": {
"enc": [
{
@ -415,9 +449,25 @@
}
],
"kex": [
{
"name": "curve25519-sha256",
"notes": ""
},
{
"name": "curve25519-sha256@libssh.org",
"notes": ""
},
{
"name": "diffie-hellman-group14-sha256",
"notes": ""
},
{
"name": "diffie-hellman-group16-sha512",
"notes": ""
},
{
"name": "diffie-hellman-group18-sha512",
"notes": ""
}
],
"mac": [

View File

@ -5,24 +5,34 @@
(gen) compression: enabled (zlib@openssh.com)
# key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 `- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
 `- [info] default key exchange from OpenSSH 6.5 to 7.3
(kex) curve25519-sha256 -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
`- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
`- [info] default key exchange from OpenSSH 6.5 to 7.3
(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4
 `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 4.4
`- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
(kex) diffie-hellman-group16-sha512 -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
 `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
# host-key algorithms
@ -80,8 +90,13 @@
(rec) -hmac-sha1 -- mac algorithm to remove 
(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove 
(rec) -ssh-rsa -- key algorithm to remove 
(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) 
(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove 
(rec) -curve25519-sha256 -- kex algorithm to remove 
(rec) -curve25519-sha256@libssh.org -- kex algorithm to remove 
(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove 
(rec) -diffie-hellman-group16-sha512 -- kex algorithm to remove 
(rec) -diffie-hellman-group18-sha512 -- kex algorithm to remove 
(rec) -hmac-sha2-256 -- mac algorithm to remove 
(rec) -hmac-sha2-512 -- mac algorithm to remove 
(rec) -umac-128@openssh.com -- mac algorithm to remove 

View File

@ -84,6 +84,9 @@
"info": [
"default key exchange from OpenSSH 7.4 to 8.9",
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -93,6 +96,9 @@
"info": [
"default key exchange from OpenSSH 6.5 to 7.3",
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -104,6 +110,9 @@
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -115,6 +124,9 @@
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -126,6 +138,9 @@
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -136,6 +151,9 @@
"info": [
"OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
"available since OpenSSH 4.4"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -144,6 +162,9 @@
"notes": {
"info": [
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -152,6 +173,9 @@
"notes": {
"info": [
"available since OpenSSH 7.3"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -162,7 +186,8 @@
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
},
@ -176,7 +201,8 @@
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
}
@ -356,6 +382,14 @@
}
},
"warning": {
"chg": {
"kex": [
{
"name": "diffie-hellman-group-exchange-sha256",
"notes": "increase modulus size to 3072 bits or larger"
}
]
},
"del": {
"enc": [
{
@ -364,9 +398,25 @@
}
],
"kex": [
{
"name": "curve25519-sha256",
"notes": ""
},
{
"name": "curve25519-sha256@libssh.org",
"notes": ""
},
{
"name": "diffie-hellman-group14-sha256",
"notes": ""
},
{
"name": "diffie-hellman-group16-sha512",
"notes": ""
},
{
"name": "diffie-hellman-group18-sha512",
"notes": ""
}
],
"mac": [

View File

@ -5,24 +5,34 @@
(gen) compression: enabled (zlib@openssh.com)
# key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 `- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
 `- [info] default key exchange from OpenSSH 6.5 to 7.3
(kex) curve25519-sha256 -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
`- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
`- [info] default key exchange from OpenSSH 6.5 to 7.3
(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4
 `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 4.4
`- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
(kex) diffie-hellman-group16-sha512 -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
 `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
# host-key algorithms
@ -72,8 +82,13 @@
(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove 
(rec) +rsa-sha2-256 -- key algorithm to append 
(rec) +rsa-sha2-512 -- key algorithm to append 
(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) 
(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove 
(rec) -curve25519-sha256 -- kex algorithm to remove 
(rec) -curve25519-sha256@libssh.org -- kex algorithm to remove 
(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove 
(rec) -diffie-hellman-group16-sha512 -- kex algorithm to remove 
(rec) -diffie-hellman-group18-sha512 -- kex algorithm to remove 
(rec) -hmac-sha2-256 -- mac algorithm to remove 
(rec) -hmac-sha2-512 -- mac algorithm to remove 
(rec) -umac-128@openssh.com -- mac algorithm to remove 

View File

@ -84,6 +84,9 @@
"info": [
"default key exchange from OpenSSH 7.4 to 8.9",
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -93,6 +96,9 @@
"info": [
"default key exchange from OpenSSH 6.5 to 7.3",
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -103,6 +109,9 @@
"info": [
"OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
"available since OpenSSH 4.4"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
}
@ -146,16 +155,6 @@
"recommendations": {
"informational": {
"add": {
"kex": [
{
"name": "diffie-hellman-group16-sha512",
"notes": ""
},
{
"name": "diffie-hellman-group18-sha512",
"notes": ""
}
],
"key": [
{
"name": "rsa-sha2-256",
@ -169,12 +168,30 @@
}
},
"warning": {
"chg": {
"kex": [
{
"name": "diffie-hellman-group-exchange-sha256",
"notes": "increase modulus size to 3072 bits or larger"
}
]
},
"del": {
"enc": [
{
"name": "chacha20-poly1305@openssh.com",
"notes": ""
}
],
"kex": [
{
"name": "curve25519-sha256",
"notes": ""
},
{
"name": "curve25519-sha256@libssh.org",
"notes": ""
}
]
}
}

View File

@ -5,12 +5,15 @@
(gen) compression: enabled (zlib@openssh.com)
# key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 `- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
 `- [info] default key exchange from OpenSSH 6.5 to 7.3
(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4
 `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
(kex) curve25519-sha256 -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
`- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
`- [info] default key exchange from OpenSSH 6.5 to 7.3
(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 4.4
`- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
# host-key algorithms
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79
@ -34,11 +37,12 @@
(fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU
# algorithm recommendations (for OpenSSH 8.0)
(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append 
(rec) +diffie-hellman-group18-sha512 -- kex algorithm to append 
(rec) +rsa-sha2-256 -- key algorithm to append 
(rec) +rsa-sha2-512 -- key algorithm to append 
(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) 
(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove 
(rec) -curve25519-sha256 -- kex algorithm to remove 
(rec) -curve25519-sha256@libssh.org -- kex algorithm to remove 
# additional info
(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>

View File

@ -43,6 +43,9 @@
"info": [
"default key exchange from OpenSSH 7.4 to 8.9",
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@ -52,6 +55,9 @@
"info": [
"default key exchange from OpenSSH 6.5 to 7.3",
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},

View File

@ -4,10 +4,12 @@
(gen) compression: disabled
# key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 `- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
 `- [info] default key exchange from OpenSSH 6.5 to 7.3
(kex) curve25519-sha256 -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
`- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
`- [info] default key exchange from OpenSSH 6.5 to 7.3
(kex) sntrup4591761x25519-sha512@tinyssh.org -- [warn] using experimental algorithm
`- [info] available since OpenSSH 8.0
`- [info] the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security

View File

@ -165,7 +165,7 @@ class TestSSH2:
self.audit(out, self._conf())
out.write()
lines = output_spy.flush()
assert len(lines) == 78
assert len(lines) == 74
def test_ssh2_server_invalid_first_packet(self, output_spy, virtual_socket):
vsocket = virtual_socket

View File

@ -8,6 +8,7 @@ class Test_SSH2_KexDB:
@pytest.fixture(autouse=True)
def init(self):
self.db = SSH2_KexDB.get_db()
self.pq_warning = SSH2_KexDB.WARN_NOT_PQ_SAFE
def test_ssh2_kexdb(self):
'''Ensures that the SSH2_KexDB.ALGORITHMS dictionary is in the right format.'''
@ -33,3 +34,38 @@ class Test_SSH2_KexDB:
# The first entry denotes the versions when this algorithm was added to OpenSSH, Dropbear, and/or libssh, followed by when it was deprecated, and finally when it was removed. Hence it must have between 0 and 3 entries.
added_entry = alg_data[0]
assert 0 <= len(added_entry) <= 3
def test_kex_pq_unsafe(self):
'''Ensures that all key exchange algorithms are marked as post-quantum unsafe, unless they appear in a whitelist.'''
# These algorithms include protections against quantum attacks.
kex_pq_safe = [
"ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org",
"ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org",
"ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org",
"ext-info-c",
"ext-info-s",
"kex-strict-c-v00@openssh.com",
"kex-strict-s-v00@openssh.com",
"mlkem768x25519-sha256",
"sntrup4591761x25519-sha512@tinyssh.org",
"sntrup761x25519-sha512@openssh.com",
"sntrup761x25519-sha512",
"x25519-kyber-512r3-sha256-d00@amazon.com",
"x25519-kyber512-sha512@aws.amazon.com"
]
failures = []
for kex_name in self.db['kex']:
# Skip key exchanges that are PQ safe.
if kex_name in kex_pq_safe:
continue
# Ensure all other kex exchanges have the proper PQ unsafe flag set in their warnings list.
alg_data = self.db['kex'][kex_name]
if len(alg_data) < 3 or self.pq_warning not in alg_data[2]:
failures.append(kex_name)
assert failures == []