diff --git a/README.md b/README.md index c53fb5b..33ff246 100644 --- a/README.md +++ b/README.md @@ -79,7 +79,7 @@ $ brew install ssh-audit - Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit [Jürgen Gmach](https://github.com/jugmac00)). - Suppress recommendation of token host key types. - Added check for use-after-free vulnerability in PuTTY v0.73. - - Added 2 new host key types: `ssh-rsa1`, `ssh-dss-sha256@ssh.com`. + - Added 5 new host key types: `ssh-rsa1`, `ssh-dss-sha256@ssh.com`, `ssh-gost2001`, `ssh-gost2012-256`, `ssh-gost2012-512`. - Added 1 new key exchange: `diffie-hellman-group1-sha256`. - Added 5 new ciphers: `blowfish`, `AEAD_AES_128_GCM`, `AEAD_AES_256_GCM`, `crypticore128@ssh.com`, `seed-cbc@ssh.com`. - Added 3 new MACs: `chacha20-poly1305@openssh.com`, `hmac-sha3-224`, `crypticore-mac@ssh.com`. diff --git a/ssh-audit.py b/ssh-audit.py index cc07bac..685b122 100755 --- a/ssh-audit.py +++ b/ssh-audit.py @@ -659,6 +659,7 @@ class SSH2: # pylint: disable=too-few-public-methods WARN_TAG_SIZE_96 = 'using small 96-bit tag size' WARN_EXPERIMENTAL = 'using experimental algorithm' WARN_OBSOLETE = 'using obsolete algorithm' + WARN_UNTRUSTED = 'using untrusted algorithm' ALGORITHMS = { # Format: 'algorithm_name': [['version_first_appeared_in'], [reason_for_failure1, reason_for_failure2, ...], [warning1, warning2, ...]] @@ -747,6 +748,9 @@ class SSH2: # pylint: disable=too-few-public-methods 'sk-ecdsa-sha2-nistp256@openssh.com': [['8.2'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]], 'sk-ssh-ed25519-cert-v01@openssh.com': [['8.2']], 'sk-ssh-ed25519@openssh.com': [['8.2']], + 'ssh-gost2001': [[], [], [WARN_UNTRUSTED]], + 'ssh-gost2012-256': [[], [], [WARN_UNTRUSTED]], + 'ssh-gost2012-512': [[], [], [WARN_UNTRUSTED]], }, 'enc': { 'none': [['1.2.2,d2013.56,l10.2'], [FAIL_PLAINTEXT]],