Added 2 new ciphers: 'rijndael-cbc@ssh.com', 'cast128-12-cbc@ssh.com'. Added 21 new host key types: .

2025-06-23 11:04:31 +02:00 · 2023-02-02 18:57:53 -05:00
parent 984ea1eee3
commit 433c7e779d
2 changed files with 25 additions and 2 deletions
--- a/src/ssh_audit/ssh2_kexdb.py
+++ b/src/ssh_audit/ssh2_kexdb.py
@ -234,6 +234,27 @@ class SSH2_KexDB:  # pylint: disable=too-few-public-methods
            'null': [[], [FAIL_PLAINTEXT]],
            'pgp-sign-dss': [[], [FAIL_1024BIT_MODULUS]],
            'pgp-sign-rsa': [[], [FAIL_1024BIT_MODULUS]],
+            'spki-sign-dss': [[], [FAIL_1024BIT_MODULUS]],
+            'spki-sign-rsa': [[], [FAIL_1024BIT_MODULUS]],
+            'ssh-dss-sha224@ssh.com': [[], [FAIL_1024BIT_MODULUS]],
+            'ssh-dss-sha384@ssh.com': [[], [FAIL_1024BIT_MODULUS]],
+            'ssh-dss-sha512@ssh.com': [[], [FAIL_1024BIT_MODULUS]],
+            'ssh-ed448-cert-v01@openssh.com': [[], [], [], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH]],
+            'ssh-rsa-sha224@ssh.com': [[]],
+            'ssh-rsa-sha2-256': [[]],
+            'ssh-rsa-sha2-512': [[]],
+            'ssh-rsa-sha384@ssh.com': [[]],
+            'ssh-rsa-sha512@ssh.com': [[]],
+            'x509v3-ecdsa-sha2-1.3.132.0.10': [[], [FAIL_UNKNOWN]],
+            'x509v3-sign-dss-sha1': [[], [FAIL_1024BIT_MODULUS, FAIL_HASH_WEAK]],
+            'x509v3-sign-dss-sha224@ssh.com': [[], [FAIL_1024BIT_MODULUS]],
+            'x509v3-sign-dss-sha256@ssh.com': [[], [FAIL_1024BIT_MODULUS]],
+            'x509v3-sign-dss-sha384@ssh.com': [[], [FAIL_1024BIT_MODULUS]],
+            'x509v3-sign-dss-sha512@ssh.com': [[], [FAIL_1024BIT_MODULUS]],
+            'x509v3-sign-rsa-sha1': [[], [FAIL_HASH_WEAK]],
+            'x509v3-sign-rsa-sha224@ssh.com': [[]],
+            'x509v3-sign-rsa-sha384@ssh.com': [[]],
+            'x509v3-sign-rsa-sha512@ssh.com': [[]],
        },
        'enc': {
            'none': [['1.2.2,d2013.56,l10.2'], [FAIL_PLAINTEXT]],
@ -275,6 +296,7 @@ class SSH2_KexDB:  # pylint: disable=too-few-public-methods
            'rijndael192-cbc': [['2.3.0', '3.0.2'], [FAIL_OPENSSH31_REMOVE], [WARN_CIPHER_MODE]],
            'rijndael256-cbc': [['2.3.0', '3.0.2'], [FAIL_OPENSSH31_REMOVE], [WARN_CIPHER_MODE]],
            'rijndael-cbc@lysator.liu.se': [['2.3.0', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, WARN_CIPHER_MODE]],
+            'rijndael-cbc@ssh.com': [[], [FAIL_DEPRECATED_CIPHER], [WARN_CIPHER_MODE]],
            'aes128-ctr': [['3.7,d0.52,l10.4.1']],
            'aes192-ctr': [['3.7,l10.4.1']],
            'aes256-ctr': [['3.7,d0.52,l10.4.1']],
@ -309,6 +331,7 @@ class SSH2_KexDB:  # pylint: disable=too-few-public-methods
            'cast128-cfb': [[], [FAIL_DEPRECATED_CIPHER], [WARN_CIPHER_MODE]],
            'cast128-ecb': [[], [FAIL_DEPRECATED_CIPHER], [WARN_CIPHER_MODE]],
            'cast128-ofb': [[], [FAIL_DEPRECATED_CIPHER], [WARN_CIPHER_MODE]],
+            'cast128-12-cbc@ssh.com': [[], [FAIL_DEPRECATED_CIPHER], [WARN_CIPHER_MODE]],
            'idea-cfb': [[], [FAIL_DEPRECATED_CIPHER], [WARN_CIPHER_MODE]],
            'idea-ecb': [[], [FAIL_DEPRECATED_CIPHER], [WARN_CIPHER_MODE]],
            'idea-ofb': [[], [FAIL_DEPRECATED_CIPHER], [WARN_CIPHER_MODE]],