From 38f9c21760a36db136d666d049537fac4423084e Mon Sep 17 00:00:00 2001
From: Joe Testa
Date: Sun, 3 Sep 2023 19:14:25 -0400
Subject: [PATCH] The color of all notes will be printed in green when the related algorithm is rated good.
---
 README.md | 1 +
 src/ssh_audit/ssh_audit.py | 9 +++++++--
 test/docker/expected_results/dropbear_2019.78_test1.txt | 4 ++--
 test/docker/expected_results/openssh_8.0p1_test1.txt | 8 ++++----
 test/docker/expected_results/openssh_8.0p1_test2.txt | 8 ++++----
 test/docker/expected_results/openssh_8.0p1_test3.txt | 8 ++++----
 test/docker/expected_results/tinyssh_20190101_test1.txt | 6 +++---
 7 files changed, 25 insertions(+), 19 deletions(-)
diff --git a/README.md b/README.md
index 10b3c84..790944b 100644
--- a/README.md
+++ b/README.md
@@ -184,6 +184,7 @@ For convenience, a web front-end on top of the command-line tool is available at
 - Algorithm recommendations resulting from warnings are now printed in yellow instead of red; credit [Adam Russell](https://github.com/thecliguy).
 - Fixed crash during GEX tests.
 - Refined GEX testing against OpenSSH servers: when the fallback mechanism is suspected of being triggered, perform an additional test to obtain more accurate results.
+ - The color of all notes will be printed in green when the related algorithm is rated good.
 - Added built-in policy for OpenSSH 9.4.
 - Added 1 new key exchange: `curve448-sha512@libssh.org`.
diff --git a/src/ssh_audit/ssh_audit.py b/src/ssh_audit/ssh_audit.py
index 9ef843f..35c8952 100755
--- a/src/ssh_audit/ssh_audit.py
+++ b/src/ssh_audit/ssh_audit.py
@@ -195,6 +195,7 @@ def output_algorithm(out: OutputBuffer, alg_db: Dict[str, Dict[str, List[List[Op
 alg_name = alg_name_with_size if alg_name_with_size is not None else alg_name
 first = True
+ use_good_for_all = False
 for level, text in texts:
 if level == 'fail':
 program_retval = exitcodes.FAILURE
@@ -203,9 +204,13 @@ def output_algorithm(out: OutputBuffer, alg_db: Dict[str, Dict[str, List[List[Op
 f = getattr(out, level)
 comment = (padding + ' -- [' + level + '] ' + text) if text != '' else ''
+
+ # If the first algorithm's comment is an 'info', this implies that it is rated good. Hence, the out.good() function should be used to write all subsequent notes for this algorithm as well.
+ if (first and level == 'info') or use_good_for_all:
+ f = out.good
+ use_good_for_all = True
+
 if first:
- if first and level == 'info':
- f = out.good
 f(prefix + alg_name + comment)
 first = False
 else: # pylint: disable=else-if-used
diff --git a/test/docker/expected_results/dropbear_2019.78_test1.txt b/test/docker/expected_results/dropbear_2019.78_test1.txt
index e84bef4..c0d5dfc 100644
--- a/test/docker/expected_results/dropbear_2019.78_test1.txt
+++ b/test/docker/expected_results/dropbear_2019.78_test1.txt
@@ -6,9 +6,9 @@
 # key exchange algorithms
 (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
- `- [info] default key exchange since OpenSSH 6.4
+ `- [info] default key exchange since OpenSSH 6.4
 (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
- `- [info] default key exchange since OpenSSH 6.4
+ `- [info] default key exchange since OpenSSH 6.4
 (kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
 `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
 (kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
diff --git a/test/docker/expected_results/openssh_8.0p1_test1.txt b/test/docker/expected_results/openssh_8.0p1_test1.txt
index f726233..cfc28fc 100644
--- a/test/docker/expected_results/openssh_8.0p1_test1.txt
+++ b/test/docker/expected_results/openssh_8.0p1_test1.txt
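Review bot: Once `use_good_for_all` is set by an 'info' head line, every later note for that algorithm is written with `out.good` regardless of its own `level`, so a 'warn' or 'fail' note following an 'info' head would be rendered green — in an audit tool that colour is what a reader uses to spot weak algorithms. Nothing visible in the hunk guarantees that `texts` is ordered by severity, so unless that ordering is enforced elsewhere I would keep the override tied to the note's own level: `if level == 'info' and (first or use_good_for_all):` in place of the added condition, which still turns an all-'info' algorithm green but lets a more severe later note keep its colour. The added comment would also read better as "If the algorithm's first comment is an 'info'..." and wrapped to the file's line length. The enclosing output_algorithm starts and ends outside the hunk.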
@@ -12,9 +12,9 @@
 # key exchange algorithms
 (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
- `- [info] default key exchange since OpenSSH 6.4
+ `- [info] default key exchange since OpenSSH 6.4
 (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
- `- [info] default key exchange since OpenSSH 6.4
+ `- [info] default key exchange since OpenSSH 6.4
 (kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
 `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
 (kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
@@ -22,7 +22,7 @@
 (kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
 `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
 (kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4
- `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
+ `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
 (kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
 (kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
 (kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
@@ -44,7 +44,7 @@
 # encryption algorithms (ciphers)
 (enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
- `- [info] default cipher since OpenSSH 6.9
+ `- [info] default cipher since OpenSSH 6.9
 (enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
 (enc) aes192-ctr -- [info] available since OpenSSH 3.7
 (enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
diff --git a/test/docker/expected_results/openssh_8.0p1_test2.txt b/test/docker/expected_results/openssh_8.0p1_test2.txt
index d0ab838..f365a8f 100644
--- a/test/docker/expected_results/openssh_8.0p1_test2.txt
+++ b/test/docker/expected_results/openssh_8.0p1_test2.txt
@@ -12,9 +12,9 @@
 # key exchange algorithms
 (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
- `- [info] default key exchange since OpenSSH 6.4
+ `- [info] default key exchange since OpenSSH 6.4
 (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
- `- [info] default key exchange since OpenSSH 6.4
+ `- [info] default key exchange since OpenSSH 6.4
 (kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
 `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
 (kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
@@ -22,7 +22,7 @@
 (kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
 `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
 (kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4
- `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
+ `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
 (kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
 (kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
 (kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
@@ -37,7 +37,7 @@
 # encryption algorithms (ciphers)
 (enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
- `- [info] default cipher since OpenSSH 6.9
+ `- [info] default cipher since OpenSSH 6.9
 (enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
 (enc) aes192-ctr -- [info] available since OpenSSH 3.7
 (enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
diff --git a/test/docker/expected_results/openssh_8.0p1_test3.txt b/test/docker/expected_results/openssh_8.0p1_test3.txt
index e3475d7..f41df08 100644
--- a/test/docker/expected_results/openssh_8.0p1_test3.txt
+++ b/test/docker/expected_results/openssh_8.0p1_test3.txt
@@ -12,18 +12,18 @@
 # key exchange algorithms
 (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
- `- [info] default key exchange since OpenSSH 6.4
+ `- [info] default key exchange since OpenSSH 6.4
 (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
- `- [info] default key exchange since OpenSSH 6.4
+ `- [info] default key exchange since OpenSSH 6.4
 (kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4
- `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
+ `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
 # host-key algorithms
 (key) ssh-ed25519 -- [info] available since OpenSSH 6.5
 # encryption algorithms (ciphers)
 (enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
- `- [info] default cipher since OpenSSH 6.9
+ `- [info] default cipher since OpenSSH 6.9
 (enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
 (enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
 (enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
diff --git a/test/docker/expected_results/tinyssh_20190101_test1.txt b/test/docker/expected_results/tinyssh_20190101_test1.txt
index a11ae53..e9b827c 100644
--- a/test/docker/expected_results/tinyssh_20190101_test1.txt
+++ b/test/docker/expected_results/tinyssh_20190101_test1.txt
@@ -5,9 +5,9 @@
 # key exchange algorithms
 (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
- `- [info] default key exchange since OpenSSH 6.4
+ `- [info] default key exchange since OpenSSH 6.4
 (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
- `- [info] default key exchange since OpenSSH 6.4
+ `- [info] default key exchange since OpenSSH 6.4
 (kex) sntrup4591761x25519-sha512@tinyssh.org -- [warn] using experimental algorithm
 `- [info] available since OpenSSH 8.0
 `- [info] the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security
@@ -17,7 +17,7 @@
 # encryption algorithms (ciphers)
 (enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
- `- [info] default cipher since OpenSSH 6.9
+ `- [info] default cipher since OpenSSH 6.9
 # message authentication code algorithms
 (mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode