elie/ssh-audit
1
0
Fork 0
mirror of https://github.com/jtesta/ssh-audit.git synced 2025-10-31 17:41:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

Simplified host key test logic.

Browse Source
This commit is contained in:
Joe Testa
2023-04-29 11:59:50 -04:00
parent e172932977
commit 929652c9b7
2 changed files with 8 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -188,7 +188,7 @@ For convenience, a web front-end on top of the command-line tool is available at
- JSON 'target' field now always includes port number; credit [tomatohater1337](https://github.com/tomatohater1337). - JSON 'target' field now always includes port number; credit [tomatohater1337](https://github.com/tomatohater1337).
- JSON output now includes recommendations and CVE data. - JSON output now includes recommendations and CVE data.
- Mixed host key/CA key types (i.e.: RSA host keys signed with ED25519 CAs, etc.) are now properly handled. - Mixed host key/CA key types (i.e.: RSA host keys signed with ED25519 CAs, etc.) are now properly handled.
- Warnings are now printed for 2048-bit moduli. - Warnings are now printed for 2048-bit moduli; partial credit [Adam Russell](https://github.com/thecliguy).
- SHA-1 algorithms now cause failures. - SHA-1 algorithms now cause failures.
- CBC mode ciphers are now warnings instead of failures. - CBC mode ciphers are now warnings instead of failures.
- Generic failure/warning messages replaced with more specific reasons (i.e.: 'using weak cipher' => 'using broken RC4 cipher'). - Generic failure/warning messages replaced with more specific reasons (i.e.: 'using weak cipher' => 'using broken RC4 cipher').

15
src/ssh_audit/hostkeytest.py
View File

@@ -213,20 +213,19 @@ class HostKeyTest:
if host_key_type in HostKeyTest.RSA_FAMILY: if host_key_type in HostKeyTest.RSA_FAMILY:
for rsa_type in HostKeyTest.RSA_FAMILY: for rsa_type in HostKeyTest.RSA_FAMILY:
host_key_types[rsa_type]['parsed'] = True host_key_types[rsa_type]['parsed'] = True
# If the current key is a member of the RSA family, then populate all RSA family members with the same # If the current key is a member of the RSA family, then populate all RSA family members with the same
# failure and/or warning comments. # failure and/or warning comments.
while len(SSH2_KexDB.ALGORITHMS['key'][rsa_type]) < 3: while len(SSH2_KexDB.ALGORITHMS['key'][rsa_type]) < 3:
SSH2_KexDB.ALGORITHMS['key'][rsa_type].append([]) SSH2_KexDB.ALGORITHMS['key'][rsa_type].append([])
if key_fail_comments:
SSH2_KexDB.ALGORITHMS['key'][rsa_type][1].extend(key_fail_comments) SSH2_KexDB.ALGORITHMS['key'][rsa_type][1].extend(key_fail_comments)
if key_warn_comments: SSH2_KexDB.ALGORITHMS['key'][rsa_type][2].extend(key_warn_comments)
SSH2_KexDB.ALGORITHMS['key'][rsa_type][2].extend(key_warn_comments)
else: else:
host_key_types[host_key_type]['parsed'] = True host_key_types[host_key_type]['parsed'] = True
while len(SSH2_KexDB.ALGORITHMS['key'][host_key_type]) < 3: while len(SSH2_KexDB.ALGORITHMS['key'][host_key_type]) < 3:
SSH2_KexDB.ALGORITHMS['key'][host_key_type].append([]) SSH2_KexDB.ALGORITHMS['key'][host_key_type].append([])
if key_fail_comments:
SSH2_KexDB.ALGORITHMS['key'][host_key_type][1].extend(key_fail_comments) SSH2_KexDB.ALGORITHMS['key'][host_key_type][1].extend(key_fail_comments)
if key_warn_comments: SSH2_KexDB.ALGORITHMS['key'][host_key_type][2].extend(key_warn_comments)
SSH2_KexDB.ALGORITHMS['key'][host_key_type][2].extend(key_warn_comments)