mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-12-23 06:27:41 +01:00
Added 2 key exchanges (ecdh-sha2-1.3.132.0.10, curve448-sha512), 1 host key type (ecdsa-sha2-1.3.132.0.10), and 2 MACs (hmac-sha2-256-96-etm@openssh.com, hmac-sha2-512-96-etm@openssh.com).
This commit is contained in:
parent
14af53cf04
commit
8c5493ae3e
@ -44,7 +44,9 @@ usage: ssh-audit.py [-1246pbnvlt] <host>
|
|||||||
## ChangeLog
|
## ChangeLog
|
||||||
### v2.1.0 (???)
|
### v2.1.0 (???)
|
||||||
- Fixed crash while scanning Solaris Sun_SSH.
|
- Fixed crash while scanning Solaris Sun_SSH.
|
||||||
- Added 2 new key exchanges: `gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==`, `diffie-hellman-group15-sha256`.
|
- Added 5 new key exchanges: `gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==`, `diffie-hellman-group15-sha256`, `ecdh-sha2-1.3.132.0.10`, `curve448-sha512`.
|
||||||
|
- Added 1 new host key type: `ecdsa-sha2-1.3.132.0.10`.
|
||||||
|
- Added 2 new MACs: `hmac-sha2-256-96-etm@openssh.com`, `hmac-sha2-512-96-etm@openssh.com`.
|
||||||
|
|
||||||
### v2.0.0 (2019-08-29)
|
### v2.0.0 (2019-08-29)
|
||||||
- Forked from https://github.com/arthepsy/ssh-audit (development was stalled, and developer went MIA).
|
- Forked from https://github.com/arthepsy/ssh-audit (development was stalled, and developer went MIA).
|
||||||
|
@ -312,6 +312,7 @@ class SSH2(object): # pylint: disable=too-few-public-methods
|
|||||||
WARN_CIPHER_WEAK = 'using weak cipher'
|
WARN_CIPHER_WEAK = 'using weak cipher'
|
||||||
WARN_ENCRYPT_AND_MAC = 'using encrypt-and-MAC mode'
|
WARN_ENCRYPT_AND_MAC = 'using encrypt-and-MAC mode'
|
||||||
WARN_TAG_SIZE = 'using small 64-bit tag size'
|
WARN_TAG_SIZE = 'using small 64-bit tag size'
|
||||||
|
WARN_TAG_SIZE_96 = 'using small 96-bit tag size'
|
||||||
WARN_EXPERIMENTAL = 'using experimental algorithm'
|
WARN_EXPERIMENTAL = 'using experimental algorithm'
|
||||||
|
|
||||||
ALGORITHMS = {
|
ALGORITHMS = {
|
||||||
@ -334,8 +335,10 @@ class SSH2(object): # pylint: disable=too-few-public-methods
|
|||||||
'ecdh-sha2-nistp256': [['5.7,d2013.62,l10.6.0'], [WARN_CURVES_WEAK]],
|
'ecdh-sha2-nistp256': [['5.7,d2013.62,l10.6.0'], [WARN_CURVES_WEAK]],
|
||||||
'ecdh-sha2-nistp384': [['5.7,d2013.62'], [WARN_CURVES_WEAK]],
|
'ecdh-sha2-nistp384': [['5.7,d2013.62'], [WARN_CURVES_WEAK]],
|
||||||
'ecdh-sha2-nistp521': [['5.7,d2013.62'], [WARN_CURVES_WEAK]],
|
'ecdh-sha2-nistp521': [['5.7,d2013.62'], [WARN_CURVES_WEAK]],
|
||||||
|
'ecdh-sha2-1.3.132.0.10': [[]], # ECDH over secp256k1 (i.e.: the Bitcoin curve)
|
||||||
'curve25519-sha256@libssh.org': [['6.5,d2013.62,l10.6.0']],
|
'curve25519-sha256@libssh.org': [['6.5,d2013.62,l10.6.0']],
|
||||||
'curve25519-sha256': [['7.4']],
|
'curve25519-sha256': [['7.4']],
|
||||||
|
'curve448-sha512': [[]],
|
||||||
'kexguess2@matt.ucc.asn.au': [['d2013.57']],
|
'kexguess2@matt.ucc.asn.au': [['d2013.57']],
|
||||||
'rsa1024-sha1': [[], [], [WARN_MODULUS_SIZE, WARN_HASH_WEAK]],
|
'rsa1024-sha1': [[], [], [WARN_MODULUS_SIZE, WARN_HASH_WEAK]],
|
||||||
'rsa2048-sha256': [[]],
|
'rsa2048-sha256': [[]],
|
||||||
@ -359,6 +362,7 @@ class SSH2(object): # pylint: disable=too-few-public-methods
|
|||||||
'ecdsa-sha2-nistp384-cert-v01@openssh.com': [['5.7'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]],
|
'ecdsa-sha2-nistp384-cert-v01@openssh.com': [['5.7'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]],
|
||||||
'ecdsa-sha2-nistp521-cert-v01@openssh.com': [['5.7'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]],
|
'ecdsa-sha2-nistp521-cert-v01@openssh.com': [['5.7'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]],
|
||||||
'ssh-rsa-sha256@ssh.com': [[]],
|
'ssh-rsa-sha256@ssh.com': [[]],
|
||||||
|
'ecdsa-sha2-1.3.132.0.10': [[], [], [WARN_RNDSIG_KEY]], # ECDSA over secp256k1 (i.e.: the Bitcoin curve)
|
||||||
},
|
},
|
||||||
'enc': {
|
'enc': {
|
||||||
'none': [['1.2.2,d2013.56,l10.2'], [FAIL_PLAINTEXT]],
|
'none': [['1.2.2,d2013.56,l10.2'], [FAIL_PLAINTEXT]],
|
||||||
@ -410,6 +414,7 @@ class SSH2(object): # pylint: disable=too-few-public-methods
|
|||||||
'hmac-sha2-384': [[], [], [WARN_ENCRYPT_AND_MAC]],
|
'hmac-sha2-384': [[], [], [WARN_ENCRYPT_AND_MAC]],
|
||||||
'hmac-sha2-512': [['5.9,d2013.56,l10.7.0'], [], [WARN_ENCRYPT_AND_MAC]],
|
'hmac-sha2-512': [['5.9,d2013.56,l10.7.0'], [], [WARN_ENCRYPT_AND_MAC]],
|
||||||
'hmac-sha2-512-96': [['5.9', '6.0'], [FAIL_OPENSSH61_REMOVE], [WARN_ENCRYPT_AND_MAC]],
|
'hmac-sha2-512-96': [['5.9', '6.0'], [FAIL_OPENSSH61_REMOVE], [WARN_ENCRYPT_AND_MAC]],
|
||||||
|
'hmac-sha2-256-96-etm@openssh.com': [[]],
|
||||||
'hmac-sha3-256': [[], [], [WARN_ENCRYPT_AND_MAC]],
|
'hmac-sha3-256': [[], [], [WARN_ENCRYPT_AND_MAC]],
|
||||||
'hmac-sha3-384': [[], [], [WARN_ENCRYPT_AND_MAC]],
|
'hmac-sha3-384': [[], [], [WARN_ENCRYPT_AND_MAC]],
|
||||||
'hmac-sha3-512': [[], [], [WARN_ENCRYPT_AND_MAC]],
|
'hmac-sha3-512': [[], [], [WARN_ENCRYPT_AND_MAC]],
|
||||||
@ -425,6 +430,8 @@ class SSH2(object): # pylint: disable=too-few-public-methods
|
|||||||
'umac-128@openssh.com': [['6.2'], [], [WARN_ENCRYPT_AND_MAC]],
|
'umac-128@openssh.com': [['6.2'], [], [WARN_ENCRYPT_AND_MAC]],
|
||||||
'hmac-sha1-etm@openssh.com': [['6.2'], [], [WARN_HASH_WEAK]],
|
'hmac-sha1-etm@openssh.com': [['6.2'], [], [WARN_HASH_WEAK]],
|
||||||
'hmac-sha1-96-etm@openssh.com': [['6.2', '6.6', None], [FAIL_OPENSSH67_UNSAFE], [WARN_HASH_WEAK]],
|
'hmac-sha1-96-etm@openssh.com': [['6.2', '6.6', None], [FAIL_OPENSSH67_UNSAFE], [WARN_HASH_WEAK]],
|
||||||
|
'hmac-sha2-256-96-etm@openssh.com': [[], [], [WARN_TAG_SIZE_96]], # Despite the @openssh.com tag, it doesn't appear that this was ever shipped with OpenSSH; it is only implemented in AsyncSSH (?).
|
||||||
|
'hmac-sha2-512-96-etm@openssh.com': [[], [], [WARN_TAG_SIZE_96]], # Despite the @openssh.com tag, it doesn't appear that this was ever shipped with OpenSSH; it is only implemented in AsyncSSH (?).
|
||||||
'hmac-sha2-256-etm@openssh.com': [['6.2']],
|
'hmac-sha2-256-etm@openssh.com': [['6.2']],
|
||||||
'hmac-sha2-512-etm@openssh.com': [['6.2']],
|
'hmac-sha2-512-etm@openssh.com': [['6.2']],
|
||||||
'hmac-md5-etm@openssh.com': [['6.2', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, WARN_HASH_WEAK]],
|
'hmac-md5-etm@openssh.com': [['6.2', '6.6', '7.1'], [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, WARN_HASH_WEAK]],
|
||||||
|
Loading…
Reference in New Issue
Block a user