From 4cae6aff431c7d82f46af0e2ecc51355f4acca33 Mon Sep 17 00:00:00 2001 From: Joe Testa Date: Sat, 26 Sep 2020 19:32:19 -0400 Subject: [PATCH] Added 6 new host key types: 'spi-sign-rsa', 'ssh-ed448', 'x509v3-ecdsa-sha2-nistp256', 'x509v3-ecdsa-sha2-nistp384', 'x509v3-ecdsa-sha2-nistp521', 'x509v3-rsa2048-sha256'. Added 5 new key exchanges: 'gss-group14-sha256-', 'gss-group15-sha512-', 'gss-group16-sha512-', 'gss-nistp256-sha256-', 'gss-curve25519-sha256-'. --- README.md | 8 ++++---- ssh-audit.py | 11 +++++++++++ 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index e5be5f5..c7eb1ec 100644 --- a/README.md +++ b/README.md @@ -85,15 +85,15 @@ $ brew install ssh-audit ``` ## ChangeLog -### v2.2.1-dev (???) - - Created new man page (see ssh-audit.1 file). +### v2.3.0 (???) + - Created new man page (see `ssh-audit.1` file). - 1024-bit moduli upgraded from warnings to failures. - Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit [Jürgen Gmach](https://github.com/jugmac00). - Added feature to look up algorithms in internal database (see `--lookup`); credit [Adam Russell](https://github.com/thecliguy). - Suppress recommendation of token host key types. - Added check for use-after-free vulnerability in PuTTY v0.73. - - Added 5 new host key types: `ssh-rsa1`, `ssh-dss-sha256@ssh.com`, `ssh-gost2001`, `ssh-gost2012-256`, `ssh-gost2012-512`. - - Added 3 new key exchanges: `diffie-hellman-group1-sha256`, `kexAlgoCurve25519SHA256`, `Curve25519SHA256`. + - Added 11 new host key types: `ssh-rsa1`, `ssh-dss-sha256@ssh.com`, `ssh-gost2001`, `ssh-gost2012-256`, `ssh-gost2012-512`, `spki-sign-rsa`, `ssh-ed448`, `x509v3-ecdsa-sha2-nistp256`, `x509v3-ecdsa-sha2-nistp384`, `x509v3-ecdsa-sha2-nistp521`, `x509v3-rsa2048-sha256`. + - Added 8 new key exchanges: `diffie-hellman-group1-sha256`, `kexAlgoCurve25519SHA256`, `Curve25519SHA256`, `gss-group14-sha256-`, `gss-group15-sha512-`, `gss-group16-sha512-`, `gss-nistp256-sha256-`, `gss-curve25519-sha256-`. - Added 5 new ciphers: `blowfish`, `AEAD_AES_128_GCM`, `AEAD_AES_256_GCM`, `crypticore128@ssh.com`, `seed-cbc@ssh.com`. - Added 3 new MACs: `chacha20-poly1305@openssh.com`, `hmac-sha3-224`, `crypticore-mac@ssh.com`. diff --git a/ssh-audit.py b/ssh-audit.py index b7ac667..da93560 100755 --- a/ssh-audit.py +++ b/ssh-audit.py @@ -764,8 +764,13 @@ class SSH2: # pylint: disable=too-few-public-methods 'gss-group1-sha1-': [[], [FAIL_1024BIT_MODULUS], [WARN_HASH_WEAK]], 'gss-group14-sha1-': [[], [], [WARN_HASH_WEAK]], 'gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==': [[], [], [WARN_HASH_WEAK]], + 'gss-group14-sha256-': [[]], 'gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==': [[]], + 'gss-group15-sha512-': [[]], 'gss-group15-sha512-toWM5Slw5Ew8Mqkay+al2g==': [[]], + 'gss-group16-sha512-': [[]], + 'gss-nistp256-sha256-': [[], [WARN_CURVES_WEAK]], + 'gss-curve25519-sha256-': [[]], 'diffie-hellman-group1-sha256': [[], [FAIL_1024BIT_MODULUS]], 'diffie-hellman-group14-sha1': [['3.9,d0.53,l10.6.0'], [], [WARN_HASH_WEAK]], 'diffie-hellman-group14-sha256': [['7.3,d2016.73']], @@ -846,6 +851,12 @@ class SSH2: # pylint: disable=too-few-public-methods 'ssh-gost2001': [[], [], [WARN_UNTRUSTED]], 'ssh-gost2012-256': [[], [], [WARN_UNTRUSTED]], 'ssh-gost2012-512': [[], [], [WARN_UNTRUSTED]], + 'spi-sign-rsa': [[]], + 'ssh-ed448': [[]], + 'x509v3-ecdsa-sha2-nistp256': [[], [WARN_CURVES_WEAK]], + 'x509v3-ecdsa-sha2-nistp384': [[], [WARN_CURVES_WEAK]], + 'x509v3-ecdsa-sha2-nistp521': [[], [WARN_CURVES_WEAK]], + 'x509v3-rsa2048-sha256': [[]], }, 'enc': { 'none': [['1.2.2,d2013.56,l10.2'], [FAIL_PLAINTEXT]],