elie/ssh-audit
1
0
Fork 0
mirror of https://github.com/jtesta/ssh-audit.git synced 2025-06-22 10:43:41 +02:00
Code Issues Packages Projects Releases Wiki Activity

Ensure ECDSA and DSS fingerprints are only output in verbose mode. Clean up Docker tests from merge of #286.

Browse Source
This commit is contained in:
Joe Testa
2024-09-25 17:05:17 -04:00
parent a4b78b752e
commit 2cd96f1785
7 changed files with 63 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/ssh_audit/hostkeytest.py
View File

@ -1,7 +1,7 @@
"""
The MIT License (MIT)
Copyright (C) 2017-2023 Joe Testa (jtesta@positronsecurity.com)
Copyright (C) 2017-2024 Joe Testa (jtesta@positronsecurity.com)
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
@ -202,7 +202,7 @@ class HostKeyTest:
cakey_warn_str = HostKeyTest.SMALL_ECC_MODULUS_WARNING
# Keys smaller than 2048 result in a failure. Keys smaller 3072 result in a warning. Update the database accordingly.
if (cert is False) and (hostkey_modulus_size < hostkey_min_good):
if (cert is False) and (hostkey_modulus_size < hostkey_min_good) and (host_key_type != 'ssh-dss'): # Skip ssh-dss, otherwise we get duplicate failure messages (SSH2_KexDB will always flag it).
# If the key is under 2048, add to the failure list.
if hostkey_modulus_size < hostkey_min_warn:

12
src/ssh_audit/ssh_audit.py
View File

@ -360,11 +360,19 @@ def output_fingerprints(out: OutputBuffer, algs: Algorithms, is_json_output: boo
fp_types = sorted(fps.keys())
for fp_type in fp_types:
fp = fps[fp_type]
out.good('(fin) {}: {}'.format(fp_type, fp.sha256))
# Don't output any ECDSA or DSS fingerprints unless verbose mode is enabled.
if fp_type.startswith("ecdsa-") or (fp_type == "ssh-dss"):
if out.verbose:
out.warn('(fin) {}: {} -- [info] this fingerprint type is insecure and should not be relied upon'.format(fp_type, fp.sha256))
else:
continue # If verbose mode is not enabled, skip this type entirely.
else:
out.good('(fin) {}: {}'.format(fp_type, fp.sha256))
# Output the MD5 hash too if verbose mode is enabled.
if out.verbose:
out.info('(fin) {}: {} -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case'.format(fp_type, fp.md5))
out.warn('(fin) {}: {} -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case'.format(fp_type, fp.md5))
if not out.is_section_empty() and not is_json_output:
out.head('# fingerprints')