mirror of
https://github.com/jtesta/ssh-audit.git
synced 2025-06-21 18:23:40 +02:00
Fixed built-in policy formatting and filled in missing host key size information.
This commit is contained in:
@ -1,6 +1,31 @@
|
||||
{
|
||||
"errors": [],
|
||||
"errors": [
|
||||
{
|
||||
"actual": [
|
||||
"3072"
|
||||
],
|
||||
"expected_optional": [
|
||||
""
|
||||
],
|
||||
"expected_required": [
|
||||
"4096"
|
||||
],
|
||||
"mismatched_field": "Host key (rsa-sha2-256) sizes"
|
||||
},
|
||||
{
|
||||
"actual": [
|
||||
"3072"
|
||||
],
|
||||
"expected_optional": [
|
||||
""
|
||||
],
|
||||
"expected_required": [
|
||||
"4096"
|
||||
],
|
||||
"mismatched_field": "Host key (rsa-sha2-512) sizes"
|
||||
}
|
||||
],
|
||||
"host": "localhost",
|
||||
"passed": true,
|
||||
"policy": "Hardened OpenSSH Server v8.0 (version 1)"
|
||||
"passed": false,
|
||||
"policy": "Hardened OpenSSH Server v8.0 (version 2)"
|
||||
}
|
||||
|
@ -1,3 +1,13 @@
|
||||
Host: localhost:2222
|
||||
Policy: Hardened OpenSSH Server v8.0 (version 1)
|
||||
Result: [0;32m✔ Passed[0m
|
||||
Policy: Hardened OpenSSH Server v8.0 (version 2)
|
||||
Result: [0;31m❌ Failed![0m
|
||||
[0;33m
|
||||
Errors:
|
||||
* Host key (rsa-sha2-256) sizes did not match.
|
||||
- Expected: 4096
|
||||
- Actual: 3072
|
||||
|
||||
* Host key (rsa-sha2-512) sizes did not match.
|
||||
- Expected: 4096
|
||||
- Actual: 3072
|
||||
[0m
|
||||
|
@ -1,5 +1,29 @@
|
||||
{
|
||||
"errors": [
|
||||
{
|
||||
"actual": [
|
||||
"3072"
|
||||
],
|
||||
"expected_optional": [
|
||||
""
|
||||
],
|
||||
"expected_required": [
|
||||
"4096"
|
||||
],
|
||||
"mismatched_field": "Host key (rsa-sha2-256) sizes"
|
||||
},
|
||||
{
|
||||
"actual": [
|
||||
"3072"
|
||||
],
|
||||
"expected_optional": [
|
||||
""
|
||||
],
|
||||
"expected_required": [
|
||||
"4096"
|
||||
],
|
||||
"mismatched_field": "Host key (rsa-sha2-512) sizes"
|
||||
},
|
||||
{
|
||||
"actual": [
|
||||
"umac-64-etm@openssh.com",
|
||||
@ -26,5 +50,5 @@
|
||||
],
|
||||
"host": "localhost",
|
||||
"passed": false,
|
||||
"policy": "Hardened OpenSSH Server v8.0 (version 1)"
|
||||
"policy": "Hardened OpenSSH Server v8.0 (version 2)"
|
||||
}
|
||||
|
@ -1,8 +1,16 @@
|
||||
Host: localhost:2222
|
||||
Policy: Hardened OpenSSH Server v8.0 (version 1)
|
||||
Policy: Hardened OpenSSH Server v8.0 (version 2)
|
||||
Result: [0;31m❌ Failed![0m
|
||||
[0;33m
|
||||
Errors:
|
||||
* Host key (rsa-sha2-256) sizes did not match.
|
||||
- Expected: 4096
|
||||
- Actual: 3072
|
||||
|
||||
* Host key (rsa-sha2-512) sizes did not match.
|
||||
- Expected: 4096
|
||||
- Actual: 3072
|
||||
|
||||
* MACs did not match.
|
||||
- Expected: hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
|
||||
- Actual: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
|
||||
|
@ -45,6 +45,82 @@ class TestPolicy:
|
||||
version_str = " (version %s)" % Policy.BUILTIN_POLICIES[policy_name]['version']
|
||||
assert policy_name.endswith(version_str)
|
||||
|
||||
# Ensure that all required fields are present.
|
||||
required_fields = ['version', 'banner', 'compressions', 'host_keys', 'optional_host_keys', 'kex', 'ciphers', 'macs', 'hostkey_sizes', 'dh_modulus_sizes', 'server_policy']
|
||||
for field in required_fields:
|
||||
assert field in Policy.BUILTIN_POLICIES[policy_name]
|
||||
|
||||
# Ensure no extra fields are present.
|
||||
assert len(required_fields) == len(Policy.BUILTIN_POLICIES[policy_name])
|
||||
|
||||
# Ensure that at least one host key is defined.
|
||||
assert type(Policy.BUILTIN_POLICIES[policy_name]['host_keys']) == list
|
||||
assert len(Policy.BUILTIN_POLICIES[policy_name]['host_keys']) > 0
|
||||
|
||||
# Ensure that at least one key exchange is defined.
|
||||
assert type(Policy.BUILTIN_POLICIES[policy_name]['kex']) == list
|
||||
assert len(Policy.BUILTIN_POLICIES[policy_name]['kex']) > 0
|
||||
|
||||
# Ensure that at least one cipher is defined.
|
||||
assert type(Policy.BUILTIN_POLICIES[policy_name]['ciphers']) == list
|
||||
assert len(Policy.BUILTIN_POLICIES[policy_name]['ciphers']) > 0
|
||||
|
||||
# Ensure that at least one MAC is defined
|
||||
assert type(Policy.BUILTIN_POLICIES[policy_name]['macs']) == list
|
||||
assert len(Policy.BUILTIN_POLICIES[policy_name]['macs']) > 0
|
||||
|
||||
# These tests apply to server policies only.
|
||||
if Policy.BUILTIN_POLICIES[policy_name]['server_policy']:
|
||||
assert type(Policy.BUILTIN_POLICIES[policy_name]['hostkey_sizes']) == dict
|
||||
assert len(Policy.BUILTIN_POLICIES[policy_name]['hostkey_sizes']) > 0
|
||||
|
||||
# Examine all the hostkey_sizes entries...
|
||||
for hostkey_type in Policy.BUILTIN_POLICIES[policy_name]['hostkey_sizes']:
|
||||
hostkey_data = Policy.BUILTIN_POLICIES[policy_name]['hostkey_sizes'][hostkey_type]
|
||||
|
||||
# Ensure that 'hostkey_size' is always included and that it is an integer.
|
||||
assert 'hostkey_size' in hostkey_data
|
||||
assert type(hostkey_data['hostkey_size']) == int
|
||||
|
||||
# If this is an ed25519 host key, ensure its size is fixed at 256. If its an RSA host key, ensure the size is 4096.
|
||||
if hostkey_type.find('ed25519') != -1:
|
||||
assert int(hostkey_data['hostkey_size']) == 256
|
||||
elif hostkey_type.startswith('rsa-'):
|
||||
assert int(hostkey_data['hostkey_size']) == 4096
|
||||
else: # Catch unexpected host key types.
|
||||
assert False
|
||||
|
||||
# Ensure either that 'ca_key_type' and 'ca_key_size' are both present, or neither are. Fail cases when only one of the fields are present.
|
||||
assert (('ca_key_type' in hostkey_data) and ('ca_key_size' in hostkey_data)) or (('ca_key_type' not in hostkey_data) and ('ca_key_size' not in hostkey_data))
|
||||
|
||||
# Ensure that the ca_key_type is either ssh-rsa or ssh-ed25519.
|
||||
if 'ca_key_type' in hostkey_data:
|
||||
assert hostkey_data['ca_key_type'] in ['ssh-rsa', 'ssh-ed25519']
|
||||
|
||||
# Ensure RSA CA key sizes are fixed at 4096. Ensure ED25519 CA keys are 256.
|
||||
if 'ca_key_size' in hostkey_data:
|
||||
if 'ca_key_type' == 'ssh-rsa':
|
||||
assert hostkey_data['ca_key_size'] == 4096
|
||||
elif 'ca_key_type' == 'ssh-ed25519':
|
||||
assert hostkey_data['ca_key_size'] == 256
|
||||
|
||||
# Ensure that the 'dh_modulus_size' field is a dict.
|
||||
assert type(Policy.BUILTIN_POLICIES[policy_name]['dh_modulus_sizes']) == dict
|
||||
|
||||
# The 'dh_modulus_size' field should have either one entry, or be empty.
|
||||
assert len(Policy.BUILTIN_POLICIES[policy_name]['dh_modulus_sizes']) in range(0, 2) # The endpoint in range() is not inclusive
|
||||
|
||||
# If 'diffie-hellman-group-exchange-sha256' is in the kex list, ensure that it exists in the 'dh_modulus_sizes' entry. That entry must be defined for 2048 bits or larger.
|
||||
if 'diffie-hellman-group-exchange-sha256' in Policy.BUILTIN_POLICIES[policy_name]['kex']:
|
||||
assert 'diffie-hellman-group-exchange-sha256' in Policy.BUILTIN_POLICIES[policy_name]['dh_modulus_sizes']
|
||||
assert int(Policy.BUILTIN_POLICIES[policy_name]['dh_modulus_sizes']['diffie-hellman-group-exchange-sha256']) >= 2048
|
||||
|
||||
else: # Client-specific tests.
|
||||
|
||||
# These must be set to None for client policies, since they have no meaning otherwise.
|
||||
assert Policy.BUILTIN_POLICIES[policy_name]['hostkey_sizes'] is None
|
||||
assert Policy.BUILTIN_POLICIES[policy_name]['dh_modulus_sizes'] is None
|
||||
|
||||
# Ensure that each built-in policy can be loaded with Policy.load_builtin_policy().
|
||||
assert Policy.load_builtin_policy(policy_name) is not None
|
||||
|
||||
@ -68,7 +144,7 @@ ciphers = cipher_alg1, cipher_alg2, cipher_alg3
|
||||
macs = mac_alg1, mac_alg2, mac_alg3'''
|
||||
|
||||
policy = self.Policy(policy_data=policy_data)
|
||||
assert str(policy) == "Name: [Test Policy]\nVersion: [1]\nBanner: {undefined}\nCompressions: comp_alg1\nHost Keys: key_alg1\nOptional Host Keys: {undefined}\nKey Exchanges: kex_alg1, kex_alg2\nCiphers: cipher_alg1, cipher_alg2, cipher_alg3\nMACs: mac_alg1, mac_alg2, mac_alg3\nHost Key Sizes: {undefined}\nCA Key Sizes: {undefined}\nDH Modulus Sizes: {undefined}\nServer Policy: True"
|
||||
assert str(policy) == "Name: [Test Policy]\nVersion: [1]\nBanner: {undefined}\nCompressions: comp_alg1\nHost Keys: key_alg1\nOptional Host Keys: {undefined}\nKey Exchanges: kex_alg1, kex_alg2\nCiphers: cipher_alg1, cipher_alg2, cipher_alg3\nMACs: mac_alg1, mac_alg2, mac_alg3\nHost Key Sizes: {undefined}\nDH Modulus Sizes: {undefined}\nServer Policy: True"
|
||||
|
||||
|
||||
def test_policy_invalid_1(self):
|
||||
|
Reference in New Issue
Block a user