mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-12-23 06:27:41 +01:00
Flag 'ssh-rsa-cert-v01@openssh.com' as unsafe due to SHA-1 hash.
This commit is contained in:
parent
ec48249deb
commit
619efc7349
@ -158,6 +158,7 @@ For convenience, a web front-end on top of the command-line tool is available at
|
|||||||
|
|
||||||
## ChangeLog
|
## ChangeLog
|
||||||
### v2.3.1-dev (???)
|
### v2.3.1-dev (???)
|
||||||
|
- Flag `ssh-rsa-cert-v01@openssh.com` as a failure due to SHA-1 hash.
|
||||||
- Now parses public key sizes for `rsa-sha2-256-cert-v01@openssh.com` and `rsa-sha2-512-cert-v01@openssh.com` host key types.
|
- Now parses public key sizes for `rsa-sha2-256-cert-v01@openssh.com` and `rsa-sha2-512-cert-v01@openssh.com` host key types.
|
||||||
- Built-in policies now include CA key requirements (if certificates are in use).
|
- Built-in policies now include CA key requirements (if certificates are in use).
|
||||||
- Migrated pre-made policies from external files to internal database.
|
- Migrated pre-made policies from external files to internal database.
|
||||||
|
@ -179,7 +179,7 @@ class Algorithms:
|
|||||||
else:
|
else:
|
||||||
if faults == 0:
|
if faults == 0:
|
||||||
continue
|
continue
|
||||||
if n in ['diffie-hellman-group-exchange-sha256', 'rsa-sha2-256', 'rsa-sha2-512', 'ssh-rsa-cert-v01@openssh.com']:
|
if n in ['diffie-hellman-group-exchange-sha256', 'rsa-sha2-256', 'rsa-sha2-512', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com']:
|
||||||
rec[sshv][alg_type]['chg'][n] = faults
|
rec[sshv][alg_type]['chg'][n] = faults
|
||||||
else:
|
else:
|
||||||
rec[sshv][alg_type]['del'][n] = faults
|
rec[sshv][alg_type]['del'][n] = faults
|
||||||
|
@ -140,7 +140,7 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods
|
|||||||
'x509v3-ssh-rsa': [[], [], [WARN_HASH_WEAK]],
|
'x509v3-ssh-rsa': [[], [], [WARN_HASH_WEAK]],
|
||||||
'ssh-rsa-cert-v00@openssh.com': [['5.4', '6.9'], [FAIL_OPENSSH70_LEGACY], []],
|
'ssh-rsa-cert-v00@openssh.com': [['5.4', '6.9'], [FAIL_OPENSSH70_LEGACY], []],
|
||||||
'ssh-dss-cert-v00@openssh.com': [['5.4', '6.9'], [FAIL_1024BIT_MODULUS, FAIL_OPENSSH70_LEGACY], [WARN_RNDSIG_KEY]],
|
'ssh-dss-cert-v00@openssh.com': [['5.4', '6.9'], [FAIL_1024BIT_MODULUS, FAIL_OPENSSH70_LEGACY], [WARN_RNDSIG_KEY]],
|
||||||
'ssh-rsa-cert-v01@openssh.com': [['5.6']],
|
'ssh-rsa-cert-v01@openssh.com': [['5.6'], [WARN_HASH_WEAK]],
|
||||||
'ssh-dss-cert-v01@openssh.com': [['5.6', '6.9'], [FAIL_1024BIT_MODULUS, FAIL_OPENSSH70_WEAK], [WARN_RNDSIG_KEY]],
|
'ssh-dss-cert-v01@openssh.com': [['5.6', '6.9'], [FAIL_1024BIT_MODULUS, FAIL_OPENSSH70_WEAK], [WARN_RNDSIG_KEY]],
|
||||||
'ecdsa-sha2-nistp256-cert-v01@openssh.com': [['5.7'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]],
|
'ecdsa-sha2-nistp256-cert-v01@openssh.com': [['5.7'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]],
|
||||||
'ecdsa-sha2-nistp384-cert-v01@openssh.com': [['5.7'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]],
|
'ecdsa-sha2-nistp384-cert-v01@openssh.com': [['5.7'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]],
|
||||||
|
Loading…
Reference in New Issue
Block a user