From 3300c60aaa3603f1683fba9454e792e270672055 Mon Sep 17 00:00:00 2001 From: Joe Testa Date: Fri, 14 Oct 2022 23:21:09 -0400 Subject: [PATCH] Added 'ssh-xmss@openssh.com' and 'ssh-xmss-cert-v01@openssh.com' experimental host keys (#146). --- README.md | 2 +- src/ssh_audit/ssh2_kexdb.py | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 196a099..fe1b449 100644 --- a/README.md +++ b/README.md @@ -180,7 +180,7 @@ For convenience, a web front-end on top of the command-line tool is available at - Added `-g` and `--gex-test` for granular GEX modulus size tests; credit [Adam Russell](https://github.com/thecliguy). - Snap packages now print more user-friendly error messages when permission errors are encountered. - JSON 'target' field now always includes port number; credit [tomatohater1337](https://github.com/tomatohater1337). - - Added 1 new host key: `webauthn-sk-ecdsa-sha2-nistp256@openssh.com`. + - Added 3 new host keys: `ssh-xmss@openssh.com`, `ssh-xmss-cert-v01@openssh.com`, `webauthn-sk-ecdsa-sha2-nistp256@openssh.com`. - Added 24 new key exchanges: `ecdh-sha2-1.3.132.0.1`, `ecdh-sha2-1.2.840.10045.3.1.1`, `ecdh-sha2-1.3.132.0.33`, `ecdh-sha2-1.3.132.0.26`, `ecdh-sha2-1.3.132.0.27`, `ecdh-sha2-1.2.840.10045.3.1.7`, `ecdh-sha2-1.3.132.0.16`, `ecdh-sha2-1.3.132.0.34`, `ecdh-sha2-1.3.132.0.36`, `ecdh-sha2-1.3.132.0.37`, `ecdh-sha2-1.3.132.0.35`, `ecdh-sha2-1.3.132.0.38`, `ecdh-sha2-4MHB+NBt3AlaSRQ7MnB4cg==`, `ecdh-sha2-5pPrSUQtIaTjUSt5VZNBjg==`, `ecdh-sha2-VqBg4QRPjxx1EXZdV0GdWQ==`, `ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==`, `ecdh-sha2-qCbG5Cn/jjsZ7nBeR7EnOA==`, `ecdh-sha2-9UzNcgwTlEnSCECZa7V1mw==`, `ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==`, `ecdh-sha2-qcFQaMAMGhTziMT0z+Tuzw==`, `ecdh-sha2-m/FtSAmrV4j/Wy6RVUaK7A==`, `ecdh-sha2-D3FefCjYoJ/kfXgAyLddYA==`, `ecdh-sha2-h/SsxnLCtRBh7I9ATyeB3A==`, `ecdh-sha2-mNVwCXAoS1HGmHpLvBC94w==`. - Added 1 new MAC: `hmac-sha1-96@openssh.com`. diff --git a/src/ssh_audit/ssh2_kexdb.py b/src/ssh_audit/ssh2_kexdb.py index 047fbd7..536946b 100644 --- a/src/ssh_audit/ssh2_kexdb.py +++ b/src/ssh_audit/ssh2_kexdb.py @@ -197,6 +197,8 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods 'x509v3-ecdsa-sha2-nistp521': [[], [WARN_CURVES_WEAK]], 'x509v3-rsa2048-sha256': [[]], 'webauthn-sk-ecdsa-sha2-nistp256@openssh.com': [['8.3'], [WARN_CURVES_WEAK]], + 'ssh-xmss@openssh.com': [['7.7'], [WARN_EXPERIMENTAL]], + 'ssh-xmss-cert-v01@openssh.com': [['7.7'], [WARN_EXPERIMENTAL]], }, 'enc': { 'none': [['1.2.2,d2013.56,l10.2'], [FAIL_PLAINTEXT]],