From 619efc73495d464d9256ca2b4b1ff95adeb222ce Mon Sep 17 00:00:00 2001 From: Joe Testa Date: Tue, 20 Oct 2020 17:39:34 -0400 Subject: [PATCH] Flag 'ssh-rsa-cert-v01@openssh.com' as unsafe due to SHA-1 hash. --- README.md | 1 + src/ssh_audit/algorithms.py | 2 +- src/ssh_audit/ssh2_kexdb.py | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 90283e4..579a064 100644 --- a/README.md +++ b/README.md @@ -158,6 +158,7 @@ For convenience, a web front-end on top of the command-line tool is available at ## ChangeLog ### v2.3.1-dev (???) + - Flag `ssh-rsa-cert-v01@openssh.com` as a failure due to SHA-1 hash. - Now parses public key sizes for `rsa-sha2-256-cert-v01@openssh.com` and `rsa-sha2-512-cert-v01@openssh.com` host key types. - Built-in policies now include CA key requirements (if certificates are in use). - Migrated pre-made policies from external files to internal database. diff --git a/src/ssh_audit/algorithms.py b/src/ssh_audit/algorithms.py index 2a9fe4a..3654991 100644 --- a/src/ssh_audit/algorithms.py +++ b/src/ssh_audit/algorithms.py @@ -179,7 +179,7 @@ class Algorithms: else: if faults == 0: continue - if n in ['diffie-hellman-group-exchange-sha256', 'rsa-sha2-256', 'rsa-sha2-512', 'ssh-rsa-cert-v01@openssh.com']: + if n in ['diffie-hellman-group-exchange-sha256', 'rsa-sha2-256', 'rsa-sha2-512', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com']: rec[sshv][alg_type]['chg'][n] = faults else: rec[sshv][alg_type]['del'][n] = faults diff --git a/src/ssh_audit/ssh2_kexdb.py b/src/ssh_audit/ssh2_kexdb.py index 40d1970..136be89 100644 --- a/src/ssh_audit/ssh2_kexdb.py +++ b/src/ssh_audit/ssh2_kexdb.py @@ -140,7 +140,7 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods 'x509v3-ssh-rsa': [[], [], [WARN_HASH_WEAK]], 'ssh-rsa-cert-v00@openssh.com': [['5.4', '6.9'], [FAIL_OPENSSH70_LEGACY], []], 'ssh-dss-cert-v00@openssh.com': [['5.4', '6.9'], [FAIL_1024BIT_MODULUS, FAIL_OPENSSH70_LEGACY], [WARN_RNDSIG_KEY]], - 'ssh-rsa-cert-v01@openssh.com': [['5.6']], + 'ssh-rsa-cert-v01@openssh.com': [['5.6'], [WARN_HASH_WEAK]], 'ssh-dss-cert-v01@openssh.com': [['5.6', '6.9'], [FAIL_1024BIT_MODULUS, FAIL_OPENSSH70_WEAK], [WARN_RNDSIG_KEY]], 'ecdsa-sha2-nistp256-cert-v01@openssh.com': [['5.7'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]], 'ecdsa-sha2-nistp384-cert-v01@openssh.com': [['5.7'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]],