mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-12-22 14:05:22 +01:00
Added warnings to all key exchanges that do not provide protection against quantum attacks.
This commit is contained in:
parent
a01baadfa8
commit
28a1e23986
@ -217,6 +217,7 @@ For convenience, a web front-end on top of the command-line tool is available at
|
||||
## ChangeLog
|
||||
|
||||
### v3.4.0-dev
|
||||
- Added warning to all key exchanges that do not include protections against quantum attacks due to the Harvest Now, Decrypt Later strategy (see https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later).
|
||||
- Migrated from deprecated `getopt` module to `argparse`; partial credit [oam7575](https://github.com/oam7575).
|
||||
|
||||
### v3.3.0 (2024-10-15)
|
||||
|
@ -57,6 +57,7 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods
|
||||
WARN_CIPHER_MODE = 'using weak cipher mode'
|
||||
WARN_ENCRYPT_AND_MAC = 'using encrypt-and-MAC mode'
|
||||
WARN_EXPERIMENTAL = 'using experimental algorithm'
|
||||
WARN_NOT_PQ_SAFE = 'does not provide protection against post-quantum attacks'
|
||||
WARN_RNDSIG_KEY = 'using weak random number generator could reveal the key'
|
||||
WARN_TAG_SIZE = 'using small 64-bit tag size'
|
||||
WARN_TAG_SIZE_96 = 'using small 96-bit tag size'
|
||||
@ -84,117 +85,117 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods
|
||||
MASTER_DB: Dict[str, Dict[str, List[List[Optional[str]]]]] = {
|
||||
# Format: 'algorithm_name': [['version_first_appeared_in'], [reason_for_failure1, reason_for_failure2, ...], [warning1, warning2, ...], [info1, info2, ...]]
|
||||
'kex': {
|
||||
'Curve25519SHA256': [[]],
|
||||
'curve25519-sha256': [['7.4,d2018.76'], [], [], [INFO_DEFAULT_OPENSSH_KEX_74_TO_89]],
|
||||
'curve25519-sha256@libssh.org': [['6.4,d2013.62,l10.6.0'], [], [], [INFO_DEFAULT_OPENSSH_KEX_65_TO_73]],
|
||||
'curve448-sha512': [[]],
|
||||
'curve448-sha512@libssh.org': [[]],
|
||||
'diffie-hellman-group14-sha1': [['3.9,d0.53,l10.6.0'], [FAIL_SHA1], [WARN_2048BIT_MODULUS]],
|
||||
'diffie-hellman-group14-sha224@ssh.com': [[]],
|
||||
'diffie-hellman-group14-sha256': [['7.3,d2016.73'], [], [WARN_2048BIT_MODULUS]],
|
||||
'diffie-hellman-group14-sha256@ssh.com': [[], [], [WARN_2048BIT_MODULUS]],
|
||||
'diffie-hellman-group15-sha256': [[]],
|
||||
'diffie-hellman-group15-sha256@ssh.com': [[]],
|
||||
'diffie-hellman-group15-sha384@ssh.com': [[]],
|
||||
'diffie-hellman-group15-sha512': [[]],
|
||||
'diffie-hellman-group16-sha256': [[]],
|
||||
'diffie-hellman-group16-sha384@ssh.com': [[]],
|
||||
'diffie-hellman-group16-sha512': [['7.3,d2016.73']],
|
||||
'diffie-hellman-group16-sha512@ssh.com': [[]],
|
||||
'diffie-hellman-group17-sha512': [[]],
|
||||
'diffie-hellman_group17-sha512': [[]],
|
||||
'diffie-hellman-group18-sha512': [['7.3']],
|
||||
'diffie-hellman-group18-sha512@ssh.com': [[]],
|
||||
'diffie-hellman-group1-sha1': [['2.3.0,d0.28,l10.2', '6.6', '6.9'], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1], [], [INFO_REMOVED_IN_OPENSSH69]],
|
||||
'diffie-hellman-group1-sha256': [[], [FAIL_1024BIT_MODULUS]],
|
||||
'diffie-hellman-group-exchange-sha1': [['2.3.0', '6.6', None], [FAIL_SHA1]],
|
||||
'diffie-hellman-group-exchange-sha224@ssh.com': [[]],
|
||||
'diffie-hellman-group-exchange-sha256': [['4.4']],
|
||||
'diffie-hellman-group-exchange-sha256@ssh.com': [[]],
|
||||
'diffie-hellman-group-exchange-sha384@ssh.com': [[]],
|
||||
'diffie-hellman-group-exchange-sha512@ssh.com': [[]],
|
||||
'Curve25519SHA256': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'curve25519-sha256': [['7.4,d2018.76'], [], [WARN_NOT_PQ_SAFE], [INFO_DEFAULT_OPENSSH_KEX_74_TO_89]],
|
||||
'curve25519-sha256@libssh.org': [['6.4,d2013.62,l10.6.0'], [], [WARN_NOT_PQ_SAFE], [INFO_DEFAULT_OPENSSH_KEX_65_TO_73]],
|
||||
'curve448-sha512': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'curve448-sha512@libssh.org': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group14-sha1': [['3.9,d0.53,l10.6.0'], [FAIL_SHA1], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group14-sha224@ssh.com': [[], [], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group14-sha256': [['7.3,d2016.73'], [], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group14-sha256@ssh.com': [[], [], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group15-sha256': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group15-sha256@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group15-sha384@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group15-sha512': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group16-sha256': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group16-sha384@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group16-sha512': [['7.3,d2016.73'], [], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group16-sha512@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group17-sha512': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman_group17-sha512': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group18-sha512': [['7.3'], [], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group18-sha512@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group1-sha1': [['2.3.0,d0.28,l10.2', '6.6', '6.9'], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1], [WARN_NOT_PQ_SAFE], [INFO_REMOVED_IN_OPENSSH69]],
|
||||
'diffie-hellman-group1-sha256': [[], [FAIL_1024BIT_MODULUS], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group-exchange-sha1': [['2.3.0', '6.6', None], [FAIL_SHA1], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group-exchange-sha224@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group-exchange-sha256': [['4.4'], [], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group-exchange-sha256@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group-exchange-sha384@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'diffie-hellman-group-exchange-sha512@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org': [[], [FAIL_NSA_BACKDOORED_CURVE]],
|
||||
'ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org': [[], [FAIL_NSA_BACKDOORED_CURVE]],
|
||||
'ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org': [[], [FAIL_NSA_BACKDOORED_CURVE]],
|
||||
'ecdh-sha2-1.2.840.10045.3.1.1': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE]], # NIST P-192 / secp192r1
|
||||
'ecdh-sha2-1.2.840.10045.3.1.7': [[], [FAIL_NSA_BACKDOORED_CURVE]], # NIST P-256 / secp256r1
|
||||
'ecdh-sha2-1.3.132.0.10': [[]], # ECDH over secp256k1 (i.e.: the Bitcoin curve)
|
||||
'ecdh-sha2-1.3.132.0.16': [[], [FAIL_UNPROVEN]], # sect283k1
|
||||
'ecdh-sha2-1.3.132.0.1': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], # sect163k1
|
||||
'ecdh-sha2-1.3.132.0.26': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], # sect233k1
|
||||
'ecdh-sha2-1.3.132.0.27': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE]], # sect233r1
|
||||
'ecdh-sha2-1.3.132.0.33': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE]], # NIST P-224 / secp224r1
|
||||
'ecdh-sha2-1.3.132.0.34': [[], [FAIL_NSA_BACKDOORED_CURVE]], # NIST P-384 / secp384r1
|
||||
'ecdh-sha2-1.3.132.0.35': [[], [FAIL_NSA_BACKDOORED_CURVE]], # NIST P-521 / secp521r1
|
||||
'ecdh-sha2-1.3.132.0.36': [[], [FAIL_UNPROVEN]], # sect409k1
|
||||
'ecdh-sha2-1.3.132.0.37': [[], [FAIL_NSA_BACKDOORED_CURVE]], # sect409r1
|
||||
'ecdh-sha2-1.3.132.0.38': [[], [FAIL_UNPROVEN]], # sect571k1
|
||||
'ecdh-sha2-1.2.840.10045.3.1.1': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # NIST P-192 / secp192r1
|
||||
'ecdh-sha2-1.2.840.10045.3.1.7': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # NIST P-256 / secp256r1
|
||||
'ecdh-sha2-1.3.132.0.10': [[], [], [WARN_NOT_PQ_SAFE]], # ECDH over secp256k1 (i.e.: the Bitcoin curve)
|
||||
'ecdh-sha2-1.3.132.0.16': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], # sect283k1
|
||||
'ecdh-sha2-1.3.132.0.1': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]], # sect163k1
|
||||
'ecdh-sha2-1.3.132.0.26': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]], # sect233k1
|
||||
'ecdh-sha2-1.3.132.0.27': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # sect233r1
|
||||
'ecdh-sha2-1.3.132.0.33': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # NIST P-224 / secp224r1
|
||||
'ecdh-sha2-1.3.132.0.34': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # NIST P-384 / secp384r1
|
||||
'ecdh-sha2-1.3.132.0.35': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # NIST P-521 / secp521r1
|
||||
'ecdh-sha2-1.3.132.0.36': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], # sect409k1
|
||||
'ecdh-sha2-1.3.132.0.37': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # sect409r1
|
||||
'ecdh-sha2-1.3.132.0.38': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], # sect571k1
|
||||
|
||||
# Note: the base64 strings, according to draft 6 of RFC5656, is Base64(MD5(DER(OID))). The final RFC5656 dropped the base64 strings in favor of plain OID concatenation, but apparently some SSH servers implement them anyway. See: https://datatracker.ietf.org/doc/html/draft-green-secsh-ecc-06#section-9.2
|
||||
'ecdh-sha2-4MHB+NBt3AlaSRQ7MnB4cg==': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], # sect163k1
|
||||
'ecdh-sha2-5pPrSUQtIaTjUSt5VZNBjg==': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE]], # NIST P-192 / secp192r1
|
||||
'ecdh-sha2-9UzNcgwTlEnSCECZa7V1mw==': [[], [FAIL_NSA_BACKDOORED_CURVE]], # NIST P-256 / secp256r1
|
||||
'ecdh-sha2-brainpoolp256r1@genua.de': [[], [FAIL_UNPROVEN]],
|
||||
'ecdh-sha2-brainpoolp384r1@genua.de': [[], [FAIL_UNPROVEN]],
|
||||
'ecdh-sha2-brainpoolp521r1@genua.de': [[], [FAIL_UNPROVEN]],
|
||||
'ecdh-sha2-curve25519': [[], []],
|
||||
'ecdh-sha2-D3FefCjYoJ/kfXgAyLddYA==': [[], [FAIL_NSA_BACKDOORED_CURVE]], # sect409r1
|
||||
'ecdh-sha2-h/SsxnLCtRBh7I9ATyeB3A==': [[], [FAIL_NSA_BACKDOORED_CURVE]], # NIST P-521 / secp521r1
|
||||
'ecdh-sha2-m/FtSAmrV4j/Wy6RVUaK7A==': [[], [FAIL_UNPROVEN]], # sect409k1
|
||||
'ecdh-sha2-mNVwCXAoS1HGmHpLvBC94w==': [[], [FAIL_UNPROVEN]], # sect571k1
|
||||
'ecdh-sha2-nistb233': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]],
|
||||
'ecdh-sha2-nistb409': [[], [FAIL_UNPROVEN]],
|
||||
'ecdh-sha2-nistk163': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]],
|
||||
'ecdh-sha2-nistk233': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]],
|
||||
'ecdh-sha2-nistk283': [[], [FAIL_UNPROVEN]],
|
||||
'ecdh-sha2-nistk409': [[], [FAIL_UNPROVEN]],
|
||||
'ecdh-sha2-nistp192': [[], [FAIL_NSA_BACKDOORED_CURVE]],
|
||||
'ecdh-sha2-nistp224': [[], [FAIL_NSA_BACKDOORED_CURVE]],
|
||||
'ecdh-sha2-nistp256': [['5.7,d2013.62,l10.6.0'], [FAIL_NSA_BACKDOORED_CURVE]],
|
||||
'ecdh-sha2-nistp384': [['5.7,d2013.62'], [FAIL_NSA_BACKDOORED_CURVE]],
|
||||
'ecdh-sha2-nistp521': [['5.7,d2013.62'], [FAIL_NSA_BACKDOORED_CURVE]],
|
||||
'ecdh-sha2-nistt571': [[], [FAIL_UNPROVEN]],
|
||||
'ecdh-sha2-qCbG5Cn/jjsZ7nBeR7EnOA==': [[FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE]], # sect233r1
|
||||
'ecdh-sha2-qcFQaMAMGhTziMT0z+Tuzw==': [[], [FAIL_NSA_BACKDOORED_CURVE]], # NIST P-384 / secp384r1
|
||||
'ecdh-sha2-VqBg4QRPjxx1EXZdV0GdWQ==': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_SMALL_ECC_MODULUS]], # NIST P-224 / secp224r1
|
||||
'ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==': [[], [FAIL_UNPROVEN]], # sect283k1
|
||||
'ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], # sect233k1
|
||||
'ecmqv-sha2': [[], [FAIL_UNPROVEN]],
|
||||
'ecdh-sha2-4MHB+NBt3AlaSRQ7MnB4cg==': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]], # sect163k1
|
||||
'ecdh-sha2-5pPrSUQtIaTjUSt5VZNBjg==': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # NIST P-192 / secp192r1
|
||||
'ecdh-sha2-9UzNcgwTlEnSCECZa7V1mw==': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # NIST P-256 / secp256r1
|
||||
'ecdh-sha2-brainpoolp256r1@genua.de': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
|
||||
'ecdh-sha2-brainpoolp384r1@genua.de': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
|
||||
'ecdh-sha2-brainpoolp521r1@genua.de': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
|
||||
'ecdh-sha2-curve25519': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'ecdh-sha2-D3FefCjYoJ/kfXgAyLddYA==': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # sect409r1
|
||||
'ecdh-sha2-h/SsxnLCtRBh7I9ATyeB3A==': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # NIST P-521 / secp521r1
|
||||
'ecdh-sha2-m/FtSAmrV4j/Wy6RVUaK7A==': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], # sect409k1
|
||||
'ecdh-sha2-mNVwCXAoS1HGmHpLvBC94w==': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], # sect571k1
|
||||
'ecdh-sha2-nistb233': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]],
|
||||
'ecdh-sha2-nistb409': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
|
||||
'ecdh-sha2-nistk163': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]],
|
||||
'ecdh-sha2-nistk233': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]],
|
||||
'ecdh-sha2-nistk283': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
|
||||
'ecdh-sha2-nistk409': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
|
||||
'ecdh-sha2-nistp192': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
|
||||
'ecdh-sha2-nistp224': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
|
||||
'ecdh-sha2-nistp256': [['5.7,d2013.62,l10.6.0'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
|
||||
'ecdh-sha2-nistp384': [['5.7,d2013.62'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
|
||||
'ecdh-sha2-nistp521': [['5.7,d2013.62'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
|
||||
'ecdh-sha2-nistt571': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
|
||||
'ecdh-sha2-qCbG5Cn/jjsZ7nBeR7EnOA==': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # sect233r1
|
||||
'ecdh-sha2-qcFQaMAMGhTziMT0z+Tuzw==': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]], # NIST P-384 / secp384r1
|
||||
'ecdh-sha2-VqBg4QRPjxx1EXZdV0GdWQ==': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]], # NIST P-224 / secp224r1
|
||||
'ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]], # sect283k1
|
||||
'ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]], # sect233k1
|
||||
'ecmqv-sha2': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
|
||||
'ext-info-c': [['7.2'], [], [], [INFO_EXTENSION_NEGOTIATION]], # Extension negotiation (RFC 8308)
|
||||
'ext-info-s': [['9.6'], [], [], [INFO_EXTENSION_NEGOTIATION]], # Extension negotiation (RFC 8308)
|
||||
'kex-strict-c-v00@openssh.com': [[], [], [], [INFO_STRICT_KEX]], # Strict KEX marker (countermeasure for CVE-2023-48795).
|
||||
'kex-strict-s-v00@openssh.com': [[], [], [], [INFO_STRICT_KEX]], # Strict KEX marker (countermeasure for CVE-2023-48795).
|
||||
|
||||
# The GSS kex algorithms get special wildcard handling, since they include variable base64 data after their standard prefixes.
|
||||
'gss-13.3.132.0.10-sha256-*': [[], [FAIL_UNKNOWN]],
|
||||
'gss-curve25519-sha256-*': [[]],
|
||||
'gss-curve448-sha512-*': [[]],
|
||||
'gss-gex-sha1-*': [[], [FAIL_SHA1]],
|
||||
'gss-gex-sha256-*': [[]],
|
||||
'gss-group14-sha1-*': [[], [FAIL_SHA1], [WARN_2048BIT_MODULUS]],
|
||||
'gss-group14-sha256-*': [[], [], [WARN_2048BIT_MODULUS]],
|
||||
'gss-group15-sha512-*': [[]],
|
||||
'gss-group16-sha512-*': [[]],
|
||||
'gss-group17-sha512-*': [[]],
|
||||
'gss-group18-sha512-*': [[]],
|
||||
'gss-group1-sha1-*': [[], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1]],
|
||||
'gss-nistp256-sha256-*': [[], [FAIL_NSA_BACKDOORED_CURVE]],
|
||||
'gss-nistp384-sha256-*': [[], [FAIL_NSA_BACKDOORED_CURVE]],
|
||||
'gss-nistp384-sha384-*': [[], [FAIL_NSA_BACKDOORED_CURVE]],
|
||||
'gss-nistp521-sha512-*': [[], [FAIL_NSA_BACKDOORED_CURVE]],
|
||||
'kexAlgoCurve25519SHA256': [[]],
|
||||
'kexAlgoDH14SHA1': [[], [FAIL_SHA1], [WARN_2048BIT_MODULUS]],
|
||||
'kexAlgoDH1SHA1': [[], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1]],
|
||||
'kexAlgoECDH256': [[], [FAIL_NSA_BACKDOORED_CURVE]],
|
||||
'kexAlgoECDH384': [[], [FAIL_NSA_BACKDOORED_CURVE]],
|
||||
'kexAlgoECDH521': [[], [FAIL_NSA_BACKDOORED_CURVE]],
|
||||
'kexguess2@matt.ucc.asn.au': [['d2013.57']],
|
||||
'm383-sha384@libassh.org': [[], [FAIL_UNPROVEN]],
|
||||
'm511-sha512@libassh.org': [[], [FAIL_UNPROVEN]],
|
||||
'gss-13.3.132.0.10-sha256-*': [[], [FAIL_UNKNOWN], [WARN_NOT_PQ_SAFE]],
|
||||
'gss-curve25519-sha256-*': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'gss-curve448-sha512-*': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'gss-gex-sha1-*': [[], [FAIL_SHA1], [WARN_NOT_PQ_SAFE]],
|
||||
'gss-gex-sha256-*': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'gss-group14-sha1-*': [[], [FAIL_SHA1], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]],
|
||||
'gss-group14-sha256-*': [[], [], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]],
|
||||
'gss-group15-sha512-*': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'gss-group16-sha512-*': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'gss-group17-sha512-*': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'gss-group18-sha512-*': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'gss-group1-sha1-*': [[], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1], [WARN_NOT_PQ_SAFE]],
|
||||
'gss-nistp256-sha256-*': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
|
||||
'gss-nistp384-sha256-*': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
|
||||
'gss-nistp384-sha384-*': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
|
||||
'gss-nistp521-sha512-*': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
|
||||
'kexAlgoCurve25519SHA256': [[], [], [WARN_NOT_PQ_SAFE]],
|
||||
'kexAlgoDH14SHA1': [[], [FAIL_SHA1], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]],
|
||||
'kexAlgoDH1SHA1': [[], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1], [WARN_NOT_PQ_SAFE]],
|
||||
'kexAlgoECDH256': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
|
||||
'kexAlgoECDH384': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
|
||||
'kexAlgoECDH521': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
|
||||
'kexguess2@matt.ucc.asn.au': [['d2013.57'], [], [WARN_NOT_PQ_SAFE]],
|
||||
'm383-sha384@libassh.org': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
|
||||
'm511-sha512@libassh.org': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
|
||||
'mlkem768x25519-sha256': [['9.9'], [], [], [INFO_HYBRID_PQ_X25519_KEX]],
|
||||
'rsa1024-sha1': [[], [FAIL_1024BIT_MODULUS, FAIL_SHA1]],
|
||||
'rsa2048-sha256': [[], [], [WARN_2048BIT_MODULUS]],
|
||||
'sm2kep-sha2-nistp256': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_UNTRUSTED]],
|
||||
'rsa1024-sha1': [[], [FAIL_1024BIT_MODULUS, FAIL_SHA1], [WARN_NOT_PQ_SAFE]],
|
||||
'rsa2048-sha256': [[], [], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]],
|
||||
'sm2kep-sha2-nistp256': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_UNTRUSTED], [WARN_NOT_PQ_SAFE]],
|
||||
'sntrup4591761x25519-sha512@tinyssh.org': [['8.0', '8.4'], [], [WARN_EXPERIMENTAL], [INFO_WITHDRAWN_PQ_ALG]],
|
||||
'sntrup761x25519-sha512': [['9.9'], [], [], [INFO_DEFAULT_OPENSSH_KEX_99, INFO_HYBRID_PQ_X25519_KEX]],
|
||||
'sntrup761x25519-sha512@openssh.com': [['8.5'], [], [], [INFO_DEFAULT_OPENSSH_KEX_90_TO_98, INFO_HYBRID_PQ_X25519_KEX]],
|
||||
|
@ -116,6 +116,9 @@
|
||||
"info": [
|
||||
"default key exchange from OpenSSH 7.4 to 8.9",
|
||||
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -125,6 +128,9 @@
|
||||
"info": [
|
||||
"default key exchange from OpenSSH 6.5 to 7.3",
|
||||
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -136,6 +142,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -147,6 +156,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -158,6 +170,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -168,7 +183,8 @@
|
||||
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
|
||||
],
|
||||
"warn": [
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength"
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength",
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -182,7 +198,8 @@
|
||||
"available since OpenSSH 3.9, Dropbear SSH 0.53"
|
||||
],
|
||||
"warn": [
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength"
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength",
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -191,6 +208,9 @@
|
||||
"notes": {
|
||||
"info": [
|
||||
"available since Dropbear SSH 2013.57"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
}
|
||||
@ -349,12 +369,6 @@
|
||||
"name": "twofish256-ctr",
|
||||
"notes": ""
|
||||
}
|
||||
],
|
||||
"kex": [
|
||||
{
|
||||
"name": "diffie-hellman-group16-sha512",
|
||||
"notes": ""
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -371,9 +385,21 @@
|
||||
}
|
||||
],
|
||||
"kex": [
|
||||
{
|
||||
"name": "curve25519-sha256",
|
||||
"notes": ""
|
||||
},
|
||||
{
|
||||
"name": "curve25519-sha256@libssh.org",
|
||||
"notes": ""
|
||||
},
|
||||
{
|
||||
"name": "diffie-hellman-group14-sha256",
|
||||
"notes": ""
|
||||
},
|
||||
{
|
||||
"name": "kexguess2@matt.ucc.asn.au",
|
||||
"notes": ""
|
||||
}
|
||||
],
|
||||
"mac": [
|
||||
|
@ -5,22 +5,30 @@
|
||||
[0;32m(gen) compression: enabled (zlib@openssh.com)[0m
|
||||
|
||||
[0;36m# key exchange algorithms[0m
|
||||
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
||||
[0;32m `- [info] default key exchange from OpenSSH 7.4 to 8.9[0m
|
||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
||||
[0;32m `- [info] default key exchange from OpenSSH 6.5 to 7.3[0m
|
||||
[0;33m(kex) curve25519-sha256 -- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
|
||||
`- [info] default key exchange from OpenSSH 7.4 to 8.9
|
||||
[0;33m(kex) curve25519-sha256@libssh.org -- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
|
||||
`- [info] default key exchange from OpenSSH 6.5 to 7.3
|
||||
[0;31m(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;31m(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;33m(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
|
||||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
|
||||
[0;32m(kex) kexguess2@matt.ucc.asn.au -- [info] available since Dropbear SSH 2013.57[0m
|
||||
[0;33m(kex) kexguess2@matt.ucc.asn.au -- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since Dropbear SSH 2013.57
|
||||
|
||||
[0;36m# host-key algorithms[0m
|
||||
[0;31m(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
@ -74,13 +82,15 @@
|
||||
[0;31m(rec) -hmac-sha1-96 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-dss -- key algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m
|
||||
[0;32m(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append [0m
|
||||
[0;32m(rec) +twofish128-ctr -- enc algorithm to append [0m
|
||||
[0;32m(rec) +twofish256-ctr -- enc algorithm to append [0m
|
||||
[0;33m(rec) -aes128-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -aes256-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -curve25519-sha256 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -curve25519-sha256@libssh.org -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha2-256 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -kexguess2@matt.ucc.asn.au -- kex algorithm to remove [0m
|
||||
|
||||
[0;36m# additional info[0m
|
||||
[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m
|
||||
|
@ -173,6 +173,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 2.3.0"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -186,7 +189,8 @@
|
||||
"available since OpenSSH 3.9, Dropbear SSH 0.53"
|
||||
],
|
||||
"warn": [
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength"
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength",
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -201,6 +205,9 @@
|
||||
"info": [
|
||||
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
|
||||
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
@ -10,13 +10,16 @@
|
||||
|
||||
[0;36m# key exchange algorithms[0m
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
|
||||
[0;31m(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus[0m
|
||||
[0;31m `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m
|
||||
[0;31m `- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
|
||||
|
||||
|
@ -195,6 +195,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 4.4"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -207,6 +210,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 2.3.0"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -220,7 +226,8 @@
|
||||
"available since OpenSSH 3.9, Dropbear SSH 0.53"
|
||||
],
|
||||
"warn": [
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength"
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength",
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -235,6 +242,9 @@
|
||||
"info": [
|
||||
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
|
||||
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
@ -6,15 +6,19 @@
|
||||
|
||||
[0;36m# key exchange algorithms[0m
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 4.4
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
|
||||
[0;31m(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus[0m
|
||||
[0;31m `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m
|
||||
[0;31m `- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
|
||||
|
||||
|
@ -185,6 +185,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 4.4"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -197,6 +200,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 2.3.0"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -210,7 +216,8 @@
|
||||
"available since OpenSSH 3.9, Dropbear SSH 0.53"
|
||||
],
|
||||
"warn": [
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength"
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength",
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -225,6 +232,9 @@
|
||||
"info": [
|
||||
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
|
||||
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
@ -6,15 +6,19 @@
|
||||
|
||||
[0;36m# key exchange algorithms[0m
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 4.4
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
|
||||
[0;31m(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus[0m
|
||||
[0;31m `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m
|
||||
[0;31m `- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
|
||||
|
||||
|
@ -185,6 +185,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 4.4"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -197,6 +200,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 2.3.0"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -210,7 +216,8 @@
|
||||
"available since OpenSSH 3.9, Dropbear SSH 0.53"
|
||||
],
|
||||
"warn": [
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength"
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength",
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -225,6 +232,9 @@
|
||||
"info": [
|
||||
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
|
||||
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
@ -6,15 +6,19 @@
|
||||
|
||||
[0;36m# key exchange algorithms[0m
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 4.4
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
|
||||
[0;31m(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus[0m
|
||||
[0;31m `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m
|
||||
[0;31m `- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
|
||||
|
||||
|
@ -185,6 +185,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 4.4"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -197,6 +200,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 2.3.0"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -210,7 +216,8 @@
|
||||
"available since OpenSSH 3.9, Dropbear SSH 0.53"
|
||||
],
|
||||
"warn": [
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength"
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength",
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -225,6 +232,9 @@
|
||||
"info": [
|
||||
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
|
||||
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
@ -6,15 +6,19 @@
|
||||
|
||||
[0;36m# key exchange algorithms[0m
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 4.4
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
|
||||
[0;31m(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus[0m
|
||||
[0;31m `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m
|
||||
[0;31m `- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
|
||||
|
||||
|
@ -185,6 +185,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 4.4"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -197,6 +200,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 2.3.0"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -210,7 +216,8 @@
|
||||
"available since OpenSSH 3.9, Dropbear SSH 0.53"
|
||||
],
|
||||
"warn": [
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength"
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength",
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -225,6 +232,9 @@
|
||||
"info": [
|
||||
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
|
||||
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
@ -6,15 +6,19 @@
|
||||
|
||||
[0;36m# key exchange algorithms[0m
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 4.4
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
|
||||
[0;31m(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus[0m
|
||||
[0;31m `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m
|
||||
[0;31m `- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
|
||||
|
||||
|
@ -104,6 +104,9 @@
|
||||
"info": [
|
||||
"default key exchange from OpenSSH 7.4 to 8.9",
|
||||
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -113,6 +116,9 @@
|
||||
"info": [
|
||||
"default key exchange from OpenSSH 6.5 to 7.3",
|
||||
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -124,6 +130,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -135,6 +144,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -146,6 +158,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -156,6 +171,9 @@
|
||||
"info": [
|
||||
"OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
|
||||
"available since OpenSSH 4.4"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -164,6 +182,9 @@
|
||||
"notes": {
|
||||
"info": [
|
||||
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -172,6 +193,9 @@
|
||||
"notes": {
|
||||
"info": [
|
||||
"available since OpenSSH 7.3"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -182,7 +206,8 @@
|
||||
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
|
||||
],
|
||||
"warn": [
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength"
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength",
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -196,7 +221,8 @@
|
||||
"available since OpenSSH 3.9, Dropbear SSH 0.53"
|
||||
],
|
||||
"warn": [
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength"
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength",
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
}
|
||||
@ -407,6 +433,14 @@
|
||||
}
|
||||
},
|
||||
"warning": {
|
||||
"chg": {
|
||||
"kex": [
|
||||
{
|
||||
"name": "diffie-hellman-group-exchange-sha256",
|
||||
"notes": "increase modulus size to 3072 bits or larger"
|
||||
}
|
||||
]
|
||||
},
|
||||
"del": {
|
||||
"enc": [
|
||||
{
|
||||
@ -415,9 +449,25 @@
|
||||
}
|
||||
],
|
||||
"kex": [
|
||||
{
|
||||
"name": "curve25519-sha256",
|
||||
"notes": ""
|
||||
},
|
||||
{
|
||||
"name": "curve25519-sha256@libssh.org",
|
||||
"notes": ""
|
||||
},
|
||||
{
|
||||
"name": "diffie-hellman-group14-sha256",
|
||||
"notes": ""
|
||||
},
|
||||
{
|
||||
"name": "diffie-hellman-group16-sha512",
|
||||
"notes": ""
|
||||
},
|
||||
{
|
||||
"name": "diffie-hellman-group18-sha512",
|
||||
"notes": ""
|
||||
}
|
||||
],
|
||||
"mac": [
|
||||
|
@ -5,24 +5,34 @@
|
||||
[0;32m(gen) compression: enabled (zlib@openssh.com)[0m
|
||||
|
||||
[0;36m# key exchange algorithms[0m
|
||||
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
||||
[0;32m `- [info] default key exchange from OpenSSH 7.4 to 8.9[0m
|
||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
||||
[0;32m `- [info] default key exchange from OpenSSH 6.5 to 7.3[0m
|
||||
[0;33m(kex) curve25519-sha256 -- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
|
||||
`- [info] default key exchange from OpenSSH 7.4 to 8.9
|
||||
[0;33m(kex) curve25519-sha256@libssh.org -- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
|
||||
`- [info] default key exchange from OpenSSH 6.5 to 7.3
|
||||
[0;31m(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;31m(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;32m(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4[0m
|
||||
[0;32m `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).[0m
|
||||
[0;32m(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73[0m
|
||||
[0;32m(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3[0m
|
||||
[0;33m(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 4.4
|
||||
`- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
|
||||
[0;33m(kex) diffie-hellman-group16-sha512 -- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
|
||||
[0;33m(kex) diffie-hellman-group18-sha512 -- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 7.3
|
||||
[0;33m(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
|
||||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
|
||||
|
||||
[0;36m# host-key algorithms[0m
|
||||
@ -80,8 +90,13 @@
|
||||
[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m
|
||||
[0;33m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) [0m
|
||||
[0;33m(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -curve25519-sha256 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -curve25519-sha256@libssh.org -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group16-sha512 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group18-sha512 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha2-256 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha2-512 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -umac-128@openssh.com -- mac algorithm to remove [0m
|
||||
|
@ -84,6 +84,9 @@
|
||||
"info": [
|
||||
"default key exchange from OpenSSH 7.4 to 8.9",
|
||||
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -93,6 +96,9 @@
|
||||
"info": [
|
||||
"default key exchange from OpenSSH 6.5 to 7.3",
|
||||
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -104,6 +110,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -115,6 +124,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -126,6 +138,9 @@
|
||||
],
|
||||
"info": [
|
||||
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -136,6 +151,9 @@
|
||||
"info": [
|
||||
"OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
|
||||
"available since OpenSSH 4.4"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -144,6 +162,9 @@
|
||||
"notes": {
|
||||
"info": [
|
||||
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -152,6 +173,9 @@
|
||||
"notes": {
|
||||
"info": [
|
||||
"available since OpenSSH 7.3"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -162,7 +186,8 @@
|
||||
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
|
||||
],
|
||||
"warn": [
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength"
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength",
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -176,7 +201,8 @@
|
||||
"available since OpenSSH 3.9, Dropbear SSH 0.53"
|
||||
],
|
||||
"warn": [
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength"
|
||||
"2048-bit modulus only provides 112-bits of symmetric strength",
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
}
|
||||
@ -356,6 +382,14 @@
|
||||
}
|
||||
},
|
||||
"warning": {
|
||||
"chg": {
|
||||
"kex": [
|
||||
{
|
||||
"name": "diffie-hellman-group-exchange-sha256",
|
||||
"notes": "increase modulus size to 3072 bits or larger"
|
||||
}
|
||||
]
|
||||
},
|
||||
"del": {
|
||||
"enc": [
|
||||
{
|
||||
@ -364,9 +398,25 @@
|
||||
}
|
||||
],
|
||||
"kex": [
|
||||
{
|
||||
"name": "curve25519-sha256",
|
||||
"notes": ""
|
||||
},
|
||||
{
|
||||
"name": "curve25519-sha256@libssh.org",
|
||||
"notes": ""
|
||||
},
|
||||
{
|
||||
"name": "diffie-hellman-group14-sha256",
|
||||
"notes": ""
|
||||
},
|
||||
{
|
||||
"name": "diffie-hellman-group16-sha512",
|
||||
"notes": ""
|
||||
},
|
||||
{
|
||||
"name": "diffie-hellman-group18-sha512",
|
||||
"notes": ""
|
||||
}
|
||||
],
|
||||
"mac": [
|
||||
|
@ -5,24 +5,34 @@
|
||||
[0;32m(gen) compression: enabled (zlib@openssh.com)[0m
|
||||
|
||||
[0;36m# key exchange algorithms[0m
|
||||
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
||||
[0;32m `- [info] default key exchange from OpenSSH 7.4 to 8.9[0m
|
||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
||||
[0;32m `- [info] default key exchange from OpenSSH 6.5 to 7.3[0m
|
||||
[0;33m(kex) curve25519-sha256 -- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
|
||||
`- [info] default key exchange from OpenSSH 7.4 to 8.9
|
||||
[0;33m(kex) curve25519-sha256@libssh.org -- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
|
||||
`- [info] default key exchange from OpenSSH 6.5 to 7.3
|
||||
[0;31m(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;31m(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;32m(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4[0m
|
||||
[0;32m `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).[0m
|
||||
[0;32m(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73[0m
|
||||
[0;32m(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3[0m
|
||||
[0;33m(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 4.4
|
||||
`- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
|
||||
[0;33m(kex) diffie-hellman-group16-sha512 -- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
|
||||
[0;33m(kex) diffie-hellman-group18-sha512 -- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 7.3
|
||||
[0;33m(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
|
||||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
|
||||
|
||||
[0;36m# host-key algorithms[0m
|
||||
@ -72,8 +82,13 @@
|
||||
[0;31m(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove [0m
|
||||
[0;32m(rec) +rsa-sha2-256 -- key algorithm to append [0m
|
||||
[0;32m(rec) +rsa-sha2-512 -- key algorithm to append [0m
|
||||
[0;33m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) [0m
|
||||
[0;33m(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -curve25519-sha256 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -curve25519-sha256@libssh.org -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group16-sha512 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group18-sha512 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha2-256 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha2-512 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -umac-128@openssh.com -- mac algorithm to remove [0m
|
||||
|
@ -84,6 +84,9 @@
|
||||
"info": [
|
||||
"default key exchange from OpenSSH 7.4 to 8.9",
|
||||
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -93,6 +96,9 @@
|
||||
"info": [
|
||||
"default key exchange from OpenSSH 6.5 to 7.3",
|
||||
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -103,6 +109,9 @@
|
||||
"info": [
|
||||
"OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
|
||||
"available since OpenSSH 4.4"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
}
|
||||
@ -146,16 +155,6 @@
|
||||
"recommendations": {
|
||||
"informational": {
|
||||
"add": {
|
||||
"kex": [
|
||||
{
|
||||
"name": "diffie-hellman-group16-sha512",
|
||||
"notes": ""
|
||||
},
|
||||
{
|
||||
"name": "diffie-hellman-group18-sha512",
|
||||
"notes": ""
|
||||
}
|
||||
],
|
||||
"key": [
|
||||
{
|
||||
"name": "rsa-sha2-256",
|
||||
@ -169,12 +168,30 @@
|
||||
}
|
||||
},
|
||||
"warning": {
|
||||
"chg": {
|
||||
"kex": [
|
||||
{
|
||||
"name": "diffie-hellman-group-exchange-sha256",
|
||||
"notes": "increase modulus size to 3072 bits or larger"
|
||||
}
|
||||
]
|
||||
},
|
||||
"del": {
|
||||
"enc": [
|
||||
{
|
||||
"name": "chacha20-poly1305@openssh.com",
|
||||
"notes": ""
|
||||
}
|
||||
],
|
||||
"kex": [
|
||||
{
|
||||
"name": "curve25519-sha256",
|
||||
"notes": ""
|
||||
},
|
||||
{
|
||||
"name": "curve25519-sha256@libssh.org",
|
||||
"notes": ""
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
|
@ -5,12 +5,15 @@
|
||||
[0;32m(gen) compression: enabled (zlib@openssh.com)[0m
|
||||
|
||||
[0;36m# key exchange algorithms[0m
|
||||
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
||||
[0;32m `- [info] default key exchange from OpenSSH 7.4 to 8.9[0m
|
||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
||||
[0;32m `- [info] default key exchange from OpenSSH 6.5 to 7.3[0m
|
||||
[0;32m(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4[0m
|
||||
[0;32m `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).[0m
|
||||
[0;33m(kex) curve25519-sha256 -- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
|
||||
`- [info] default key exchange from OpenSSH 7.4 to 8.9
|
||||
[0;33m(kex) curve25519-sha256@libssh.org -- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
|
||||
`- [info] default key exchange from OpenSSH 6.5 to 7.3
|
||||
[0;33m(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 4.4
|
||||
`- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
|
||||
|
||||
[0;36m# host-key algorithms[0m
|
||||
[0;32m(key) ssh-ed25519 -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79[0m
|
||||
@ -34,11 +37,12 @@
|
||||
[0;32m(fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU[0m
|
||||
|
||||
[0;36m# algorithm recommendations (for OpenSSH 8.0)[0m
|
||||
[0;32m(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append [0m
|
||||
[0;32m(rec) +diffie-hellman-group18-sha512 -- kex algorithm to append [0m
|
||||
[0;32m(rec) +rsa-sha2-256 -- key algorithm to append [0m
|
||||
[0;32m(rec) +rsa-sha2-512 -- key algorithm to append [0m
|
||||
[0;33m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) [0m
|
||||
[0;33m(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -curve25519-sha256 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -curve25519-sha256@libssh.org -- kex algorithm to remove [0m
|
||||
|
||||
[0;36m# additional info[0m
|
||||
[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m
|
||||
|
@ -43,6 +43,9 @@
|
||||
"info": [
|
||||
"default key exchange from OpenSSH 7.4 to 8.9",
|
||||
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
@ -52,6 +55,9 @@
|
||||
"info": [
|
||||
"default key exchange from OpenSSH 6.5 to 7.3",
|
||||
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
|
||||
],
|
||||
"warn": [
|
||||
"does not provide protection against post-quantum attacks"
|
||||
]
|
||||
}
|
||||
},
|
||||
|
@ -4,10 +4,12 @@
|
||||
[0;32m(gen) compression: disabled[0m
|
||||
|
||||
[0;36m# key exchange algorithms[0m
|
||||
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
||||
[0;32m `- [info] default key exchange from OpenSSH 7.4 to 8.9[0m
|
||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
||||
[0;32m `- [info] default key exchange from OpenSSH 6.5 to 7.3[0m
|
||||
[0;33m(kex) curve25519-sha256 -- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
|
||||
`- [info] default key exchange from OpenSSH 7.4 to 8.9
|
||||
[0;33m(kex) curve25519-sha256@libssh.org -- [warn] does not provide protection against post-quantum attacks[0m
|
||||
`- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
|
||||
`- [info] default key exchange from OpenSSH 6.5 to 7.3
|
||||
[0;33m(kex) sntrup4591761x25519-sha512@tinyssh.org -- [warn] using experimental algorithm[0m
|
||||
`- [info] available since OpenSSH 8.0
|
||||
`- [info] the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security
|
||||
|
@ -165,7 +165,7 @@ class TestSSH2:
|
||||
self.audit(out, self._conf())
|
||||
out.write()
|
||||
lines = output_spy.flush()
|
||||
assert len(lines) == 78
|
||||
assert len(lines) == 74
|
||||
|
||||
def test_ssh2_server_invalid_first_packet(self, output_spy, virtual_socket):
|
||||
vsocket = virtual_socket
|
||||
|
@ -8,6 +8,7 @@ class Test_SSH2_KexDB:
|
||||
@pytest.fixture(autouse=True)
|
||||
def init(self):
|
||||
self.db = SSH2_KexDB.get_db()
|
||||
self.pq_warning = SSH2_KexDB.WARN_NOT_PQ_SAFE
|
||||
|
||||
def test_ssh2_kexdb(self):
|
||||
'''Ensures that the SSH2_KexDB.ALGORITHMS dictionary is in the right format.'''
|
||||
@ -33,3 +34,38 @@ class Test_SSH2_KexDB:
|
||||
# The first entry denotes the versions when this algorithm was added to OpenSSH, Dropbear, and/or libssh, followed by when it was deprecated, and finally when it was removed. Hence it must have between 0 and 3 entries.
|
||||
added_entry = alg_data[0]
|
||||
assert 0 <= len(added_entry) <= 3
|
||||
|
||||
|
||||
def test_kex_pq_unsafe(self):
|
||||
'''Ensures that all key exchange algorithms are marked as post-quantum unsafe, unless they appear in a whitelist.'''
|
||||
|
||||
# These algorithms include protections against quantum attacks.
|
||||
kex_pq_safe = [
|
||||
"ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org",
|
||||
"ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org",
|
||||
"ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org",
|
||||
"ext-info-c",
|
||||
"ext-info-s",
|
||||
"kex-strict-c-v00@openssh.com",
|
||||
"kex-strict-s-v00@openssh.com",
|
||||
"mlkem768x25519-sha256",
|
||||
"sntrup4591761x25519-sha512@tinyssh.org",
|
||||
"sntrup761x25519-sha512@openssh.com",
|
||||
"sntrup761x25519-sha512",
|
||||
"x25519-kyber-512r3-sha256-d00@amazon.com",
|
||||
"x25519-kyber512-sha512@aws.amazon.com"
|
||||
]
|
||||
|
||||
failures = []
|
||||
for kex_name in self.db['kex']:
|
||||
|
||||
# Skip key exchanges that are PQ safe.
|
||||
if kex_name in kex_pq_safe:
|
||||
continue
|
||||
|
||||
# Ensure all other kex exchanges have the proper PQ unsafe flag set in their warnings list.
|
||||
alg_data = self.db['kex'][kex_name]
|
||||
if len(alg_data) < 3 or self.pq_warning not in alg_data[2]:
|
||||
failures.append(kex_name)
|
||||
|
||||
assert failures == []
|
||||
|
Loading…
Reference in New Issue
Block a user