diff --git a/docker_test.sh b/docker_test.sh index 36a4e2f..77e6bb6 100755 --- a/docker_test.sh +++ b/docker_test.sh @@ -71,20 +71,32 @@ function create_docker_image { # Aside from checking the GPG signatures, we also compare against this known-good # SHA-256 hash just in case. + get_openssh '4.0p1' '5adb9b2c2002650e15216bf94ed9db9541d9a17c96fcd876784861a8890bc92b' get_openssh '5.6p1' '538af53b2b8162c21a293bb004ae2bdb141abd250f61b4cea55244749f3c6c2b' get_openssh '8.0p1' 'bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0b437320c3481fd68' # Compile the versions of OpenSSH. + compile_openssh '4.0p1' compile_openssh '5.6p1' compile_openssh '8.0p1' # Rename the default config files so we know they are our originals. + mv openssh-4.0p1/sshd_config sshd_config-4.0p1_orig mv openssh-5.6p1/sshd_config sshd_config-5.6p1_orig mv openssh-8.0p1/sshd_config sshd_config-8.0p1_orig # Create the configurations for each test. + + # + # OpenSSH v4.0p1 + # + + # Test 1: Basic test. + create_openssh_config '4.0p1' 'test1' "HostKey /etc/ssh/ssh1_host_key\nHostKey /etc/ssh/ssh_host_rsa_key_1024\nHostKey /etc/ssh/ssh_host_dsa_key" + + # # OpenSSH v5.6p1 # @@ -164,8 +176,15 @@ function get_openssh { echo -e "\nGetting OpenSSH $1 signature...\n" wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$1.tar.gz.asc + openssh_sig=openssh-$1.tar.gz.asc - local gpg_verify=`gpg --verify openssh-$1.tar.gz.asc openssh-$1.tar.gz 2>&1` + # Older releases were .sigs. + if [[ ! -f $openssh_sig ]]; then + wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$1.tar.gz.sig + openssh_sig=openssh-$1.tar.gz.sig + fi + + local gpg_verify=`gpg --verify $openssh_sig openssh-$1.tar.gz 2>&1` if [[ $gpg_verify != *"Good signature from \"Damien Miller "* ]]; then echo -e "\n\n${REDB}Error: OpenSSH signature invalid!\n$gpg_verify\n\nTerminating.${CLR}" exit -1 @@ -246,12 +265,14 @@ TEST_RESULT_DIR=`mktemp -d /tmp/ssh-audit_test-results_XXXXXXXXXX` # Now run all the tests. echo -e "\nRunning tests..." +run_openssh_test '4.0p1' 'test1' +echo run_openssh_test '5.6p1' 'test1' run_openssh_test '5.6p1' 'test2' run_openssh_test '5.6p1' 'test3' run_openssh_test '5.6p1' 'test4' run_openssh_test '5.6p1' 'test5' -echo "" +echo run_openssh_test '8.0p1' 'test1' run_openssh_test '8.0p1' 'test2' run_openssh_test '8.0p1' 'test3' diff --git a/test/docker/Dockerfile b/test/docker/Dockerfile index 739be49..41a62c2 100644 --- a/test/docker/Dockerfile +++ b/test/docker/Dockerfile @@ -1,10 +1,12 @@ FROM ubuntu:16.04 +COPY openssh-4.0p1/sshd /openssh/sshd-4.0p1 COPY openssh-5.6p1/sshd /openssh/sshd-5.6p1 COPY openssh-8.0p1/sshd /openssh/sshd-8.0p1 COPY sshd_config* /etc/ssh/ COPY ssh_host_* /etc/ssh/ +COPY ssh1_host_* /etc/ssh/ COPY moduli_1024 /usr/local/etc/moduli COPY debug.sh /debug.sh diff --git a/test/docker/expected_results/openssh_4.0p1_test1.txt b/test/docker/expected_results/openssh_4.0p1_test1.txt new file mode 100644 index 0000000..33e1967 --- /dev/null +++ b/test/docker/expected_results/openssh_4.0p1_test1.txt @@ -0,0 +1,136 @@ +# general +(gen) banner: SSH-1.99-OpenSSH_4.0 +(gen) protocol SSH1 enabled +(gen) software: OpenSSH 4.0 +(gen) compatibility: OpenSSH 3.9-6.6, Dropbear SSH 0.53+ (some functionality from 0.52) +(gen) compression: enabled (zlib) + +# security +(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data +(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption) +(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages +(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption) +(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion) +(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption) +(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values +(cve) CVE-2008-5161 -- (CVSSv2: 2.6) recover plaintext data from ciphertext +(cve) CVE-2008-4109 -- (CVSSv2: 5.0) cause DoS via multiple login attempts (slot exhaustion) +(cve) CVE-2008-1657 -- (CVSSv2: 6.5) bypass command restrictions via modifying session file +(cve) CVE-2008-1483 -- (CVSSv2: 6.9) hijack forwarded X11 connections +(cve) CVE-2007-4752 -- (CVSSv2: 7.5) privilege escalation via causing an X client to be trusted +(cve) CVE-2007-2243 -- (CVSSv2: 5.0) discover valid usernames through different responses +(cve) CVE-2006-5052 -- (CVSSv2: 5.0) discover valid usernames through different responses +(cve) CVE-2006-5051 -- (CVSSv2: 9.3) cause DoS or execute arbitrary code (double free) +(cve) CVE-2006-4924 -- (CVSSv2: 7.8) cause DoS via crafted packet (CPU consumption) +(cve) CVE-2006-0225 -- (CVSSv2: 4.6) execute arbitrary code +(cve) CVE-2005-2798 -- (CVSSv2: 5.0) leak data about authentication credentials + +# key exchange algorithms +(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus + `- [warn] using weak hashing algorithm + `- [info] available since OpenSSH 2.3.0 +(kex) diffie-hellman-group14-sha1 -- [warn] using weak hashing algorithm + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 +(kex) diffie-hellman-group1-sha1 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm + `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack + `- [warn] using small 1024-bit modulus + `- [warn] using weak hashing algorithm + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 + +# host-key algorithms +(key) ssh-rsa (1024-bit) -- [fail] using small 1024-bit modulus + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 +(key) ssh-dss -- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm + `- [warn] using small 1024-bit modulus + `- [warn] using weak random number generator could reveal the key + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 + +# encryption algorithms (ciphers) +(enc) aes128-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm + `- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 +(enc) 3des-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm + `- [warn] disabled (in client) since OpenSSH 7.4, unsafe algorithm + `- [warn] using weak cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +(enc) blowfish-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm + `- [fail] disabled since Dropbear SSH 0.53 + `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +(enc) cast128-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm + `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 2.1.0 +(enc) arcfour -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm + `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm + `- [warn] using weak cipher + `- [info] available since OpenSSH 2.1.0 +(enc) aes192-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm + `- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0 +(enc) aes256-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm + `- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47 +(enc) rijndael-cbc@lysator.liu.se -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm + `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm + `- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0 +(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) aes192-ctr -- [info] available since OpenSSH 3.7 +(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 + +# message authentication code algorithms +(mac) hmac-md5 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm + `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm + `- [warn] using encrypt-and-MAC mode + `- [warn] using weak hashing algorithm + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode + `- [warn] using weak hashing algorithm + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +(mac) hmac-ripemd160 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm + `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.5.0 +(mac) hmac-ripemd160@openssh.com -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm + `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm + `- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 2.1.0 +(mac) hmac-sha1-96 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm + `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm + `- [warn] using encrypt-and-MAC mode + `- [warn] using weak hashing algorithm + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47 +(mac) hmac-md5-96 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm + `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm + `- [warn] using encrypt-and-MAC mode + `- [warn] using weak hashing algorithm + `- [info] available since OpenSSH 2.5.0 + +# fingerprints +(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4 + +# algorithm recommendations (for OpenSSH 4.0) +(rec) !ssh-rsa -- key algorithm to change (increase modulus size to 2048 bits or larger)  +(rec) -3des-cbc -- enc algorithm to remove  +(rec) -aes128-cbc -- enc algorithm to remove  +(rec) -aes192-cbc -- enc algorithm to remove  +(rec) -aes256-cbc -- enc algorithm to remove  +(rec) -arcfour -- enc algorithm to remove  +(rec) -blowfish-cbc -- enc algorithm to remove  +(rec) -cast128-cbc -- enc algorithm to remove  +(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove  +(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove  +(rec) -hmac-md5 -- mac algorithm to remove  +(rec) -hmac-md5-96 -- mac algorithm to remove  +(rec) -hmac-ripemd160 -- mac algorithm to remove  +(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove  +(rec) -hmac-sha1-96 -- mac algorithm to remove  +(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove  +(rec) -ssh-dss -- key algorithm to remove  + diff --git a/test/docker/ssh1_host_key b/test/docker/ssh1_host_key new file mode 100644 index 0000000..c98971c Binary files /dev/null and b/test/docker/ssh1_host_key differ diff --git a/test/docker/ssh1_host_key.pub b/test/docker/ssh1_host_key.pub new file mode 100644 index 0000000..b66c66f --- /dev/null +++ b/test/docker/ssh1_host_key.pub @@ -0,0 +1 @@ +1024 35 150823875409720459951648542224727752099073441604930026287525797402159071426070997897033651155038337251362080634963146983947007228274330777134724953282680928153520263171933106732090266742784258910450489054624715996015082463159338507115031336180486071622718809324273851629938883104520608180885444242395900180011 root@ubuntu1604server