From 929652c9b748c9c3e78d115282e5364b3283f095 Mon Sep 17 00:00:00 2001
From: Joe Testa
Date: Sat, 29 Apr 2023 11:59:50 -0400
Subject: [PATCH] Simplified host key test logic.

---
 README.md                    |  2 +-
 src/ssh_audit/hostkeytest.py | 15 +++++++--------
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 45b99c7..b6ecc8f 100644
--- a/README.md
+++ b/README.md
@@ -188,7 +188,7 @@ For convenience, a web front-end on top of the command-line tool is available at
  - JSON 'target' field now always includes port number; credit [tomatohater1337](https://github.com/tomatohater1337).
  - JSON output now includes recommendations and CVE data.
  - Mixed host key/CA key types (i.e.: RSA host keys signed with ED25519 CAs, etc.) are now properly handled.
- - Warnings are now printed for 2048-bit moduli.
+ - Warnings are now printed for 2048-bit moduli; partial credit [Adam Russell](https://github.com/thecliguy).
  - SHA-1 algorithms now cause failures.
  - CBC mode ciphers are now warnings instead of failures.
  - Generic failure/warning messages replaced with more specific reasons (i.e.: 'using weak cipher' => 'using broken RC4 cipher').
diff --git a/src/ssh_audit/hostkeytest.py b/src/ssh_audit/hostkeytest.py
index e1b4b1a..4db656a 100644
--- a/src/ssh_audit/hostkeytest.py
+++ b/src/ssh_audit/hostkeytest.py
@@ -213,20 +213,19 @@ class HostKeyTest:
             if host_key_type in HostKeyTest.RSA_FAMILY:
                 for rsa_type in HostKeyTest.RSA_FAMILY:
                     host_key_types[rsa_type]['parsed'] = True
+
                     # If the current key is a member of the RSA family, then populate all RSA family members with the same
                     # failure and/or warning comments.
                     while len(SSH2_KexDB.ALGORITHMS['key'][rsa_type]) < 3:
                         SSH2_KexDB.ALGORITHMS['key'][rsa_type].append([])
-                    if key_fail_comments:
-                        SSH2_KexDB.ALGORITHMS['key'][rsa_type][1].extend(key_fail_comments)
-                    if key_warn_comments:
-                        SSH2_KexDB.ALGORITHMS['key'][rsa_type][2].extend(key_warn_comments)
+
+                    SSH2_KexDB.ALGORITHMS['key'][rsa_type][1].extend(key_fail_comments)
+                    SSH2_KexDB.ALGORITHMS['key'][rsa_type][2].extend(key_warn_comments)
             else:
                 host_key_types[host_key_type]['parsed'] = True
                 while len(SSH2_KexDB.ALGORITHMS['key'][host_key_type]) < 3:
                     SSH2_KexDB.ALGORITHMS['key'][host_key_type].append([])
-                if key_fail_comments:
-                    SSH2_KexDB.ALGORITHMS['key'][host_key_type][1].extend(key_fail_comments)
-                if key_warn_comments:
-                    SSH2_KexDB.ALGORITHMS['key'][host_key_type][2].extend(key_warn_comments)
+
+                SSH2_KexDB.ALGORITHMS['key'][host_key_type][1].extend(key_fail_comments)
+                SSH2_KexDB.ALGORITHMS['key'][host_key_type][2].extend(key_warn_comments)
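Review bot: Dropping the `if key_fail_comments:` / `if key_warn_comments:` guards in front of the four `.extend(...)` calls is only behavior-preserving if both variables are always lists; if either can ever be `None` (their initialisation is above this hunk and not visible here), `list.extend(None)` raises `TypeError` where the old code silently skipped. If `None` is possible, either initialise both to `[]` where they are declared or write `SSH2_KexDB.ALGORITHMS['key'][rsa_type][1].extend(key_fail_comments or [])` (and likewise for the other three calls). The pad-to-three-sublists-then-extend sequence is now spelled out identically in both branches; a small helper taking the key type and the two comment lists would remove the duplication and keep the RSA-family fan-out in one place. Note also that the comments are appended to the class-level `SSH2_KexDB.ALGORITHMS` table, so if that table is shared across targets scanned in one process, findings for one host's key would accumulate into later reports — worth confirming it is reset or copied per scan. The enclosing method starts and ends outside this hunk.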