diff --git a/README.md b/README.md
index 1d86336..5fbd0ef 100644
--- a/README.md
+++ b/README.md
@@ -57,11 +57,11 @@ Guides to harden server & client configuration can be found here: [https://www.s
 ## ChangeLog
 ### v2.1.2 (???)
- - Marked host key type `ssh-rsa` as weak due to practical SHA-1 collisions.
+ - Marked host key type `ssh-rsa` as weak due to [practical SHA-1 collisions](https://eprint.iacr.org/2020/014.pdf).
 - Added Windows builds.
 - Added 10 new host key types: `ecdsa-sha2-1.3.132.0.10`, `x509v3-sign-dss`, `x509v3-sign-rsa`, `x509v3-sign-rsa-sha256@ssh.com`, `x509v3-ssh-dss`, `x509v3-ssh-rsa`, `sk-ecdsa-sha2-nistp256-cert-v01@openssh.com`, `sk-ecdsa-sha2-nistp256@openssh.com`, `sk-ssh-ed25519-cert-v01@openssh.com`, and `sk-ssh-ed25519@openssh.com`.
 - Added 18 new key exchanges: `diffie-hellman-group14-sha256@ssh.com`, `diffie-hellman-group15-sha256@ssh.com`, `diffie-hellman-group15-sha384@ssh.com`, `diffie-hellman-group16-sha384@ssh.com`, `diffie-hellman-group16-sha512@ssh.com`, `diffie-hellman-group18-sha512@ssh.com`, `ecdh-sha2-curve25519`, `ecdh-sha2-nistb233`, `ecdh-sha2-nistb409`, `ecdh-sha2-nistk163`, `ecdh-sha2-nistk233`, `ecdh-sha2-nistk283`, `ecdh-sha2-nistk409`, `ecdh-sha2-nistp192`, `ecdh-sha2-nistp224`, `ecdh-sha2-nistt571`, `gss-gex-sha1-`, and `gss-group1-sha1-`.
- - Added 3 new ciphers: `aes128-gcm`, `aes256-gcm`, and `chacha20-poly1305`.
+ - Added 9 new ciphers: `camellia128-cbc`, `camellia128-ctr`, `camellia192-cbc`, `camellia192-ctr`, `camellia256-cbc`, `camellia256-ctr`, `aes128-gcm`, `aes256-gcm`, and `chacha20-poly1305`.
 - Added 2 new MACs: `aes128-gcm` and `aes256-gcm`.
 ### v2.1.1 (2019-11-26)
diff --git a/ssh-audit.py b/ssh-audit.py
index ef20b0d..bf3a7e3 100755
--- a/ssh-audit.py
+++ b/ssh-audit.py
@@ -467,6 +467,12 @@ class SSH2(object): # pylint: disable=too-few-public-methods
 'aes256-gcm@openssh.com': [['6.2']],
 'chacha20-poly1305': [[], [], [], [INFO_OPENSSH69_CHACHA]],
 'chacha20-poly1305@openssh.com': [['6.5'], [], [], [INFO_OPENSSH69_CHACHA]],
+ 'camellia128-cbc': [[], [], [WARN_CIPHER_MODE]],
+ 'camellia128-ctr': [[]],
+ 'camellia192-cbc': [[], [], [WARN_CIPHER_MODE]],
+ 'camellia192-ctr': [[]],
+ 'camellia256-cbc': [[], [], [WARN_CIPHER_MODE]],
+ 'camellia256-ctr': [[]],
 },
 'mac': {
 'none': [['d2013.56'], [FAIL_PLAINTEXT]],
@@ -1795,25 +1801,27 @@ class SSH(object): # pylint: disable=too-few-public-methods
 rec[sshv][alg_type] = {'add': {}, 'del': {}, 'chg': {}}
 for n, alg_desc in alg_db[alg_type].items():
 versions = alg_desc[0]
+ empty_version = False
 if len(versions) == 0 or versions[0] is None:
- continue
- matches = False
- if unknown_software:
- matches = True
- for v in versions[0].split(','):
- ssh_prefix, ssh_version, is_cli = SSH.Algorithm.get_ssh_version(v)
- if not ssh_version:
+ empty_version = True
+ if not empty_version:
+ matches = False
+ if unknown_software:
+ matches = True
+ for v in versions[0].split(','):
+ ssh_prefix, ssh_version, is_cli = SSH.Algorithm.get_ssh_version(v)
+ if not ssh_version:
+ continue
+ if (software is not None) and (ssh_prefix != software.product):
+ continue
+ if is_cli and for_server:
+ continue
+ if (software is not None) and (software.compare_version(ssh_version) < 0):
+ continue
+ matches = True
+ break
+ if not matches:
 continue
- if (software is not None) and (ssh_prefix != software.product):
- continue
- if is_cli and for_server:
- continue
- if (software is not None) and (software.compare_version(ssh_version) < 0):
- continue
- matches = True
- break
- if not matches:
- continue
 adl, faults = len(alg_desc), 0
 for i in range(1, 3):
 if not adl > i:
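Review bot: The six camellia entries use an empty first list (`[[]]` and `[[], [], [WARN_CIPHER_MODE]]`) to mean that no implementation version is recorded, but nothing next to the table states that convention. The recommendation loop changed later in this commit branches on exactly that shape, so the convention now affects audit output and should be written down where entries are added. A one-line comment above the block would be enough, for example `# Empty first list: no version data recorded; such entries are never recommended as additions.` The enclosing dictionary starts and ends outside the hunk.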
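Review bot: `empty_version` is initialised to `False` and then overwritten inside the `if`, where a single assignment reads more directly: `empty_version = len(versions) == 0 or versions[0] is None`. The flag also deserves a comment because it changes what the audit reports: entries without version data now skip the product, version and client-only checks and go straight to fault counting, and the `or empty_version` added in the following hunk keeps them out of the `add` recommendations. Something like `# no version data: cannot be matched against the detected software, so never suggested as an addition` would record that intent. The function begins and ends outside the hunk, so the `else:` branch that consumes `faults` for offered algorithms is not visible here.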
@@ -1822,7 +1830,7 @@ class SSH(object): # pylint: disable=too-few-public-methods
 if fc > 0:
 faults += pow(10, 2 - i) * fc
 if n not in alg_list:
- if faults > 0 or (alg_type == 'key' and '-cert-' in n):
+ if faults > 0 or (alg_type == 'key' and '-cert-' in n) or empty_version:
 continue
 rec[sshv][alg_type]['add'][n] = 0
 else: