diff --git a/README.md b/README.md index 4de79dc..974597d 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,7 @@ Guides to harden server & client configuration can be found here: [https://www.s ## ChangeLog ### v2.1.2 (???) - Added Windows builds. - - Added 6 new host key types: `ecdsa-sha2-1.3.132.0.10`, `x509v3-sign-dss`, `x509v3-sign-rsa`, `x509v3-sign-rsa-sha256@ssh.com`, `x509v3-ssh-dss`, and `x509v3-ssh-rsa`. + - Added 10 new host key types: `ecdsa-sha2-1.3.132.0.10`, `x509v3-sign-dss`, `x509v3-sign-rsa`, `x509v3-sign-rsa-sha256@ssh.com`, `x509v3-ssh-dss`, `x509v3-ssh-rsa`, `sk-ecdsa-sha2-nistp256-cert-v01@openssh.com`, `sk-ecdsa-sha2-nistp256@openssh.com`, `sk-ssh-ed25519-cert-v01@openssh.com`, and `sk-ssh-ed25519@openssh.com`. - Added 18 new key exchanges: `diffie-hellman-group14-sha256@ssh.com`, `diffie-hellman-group15-sha256@ssh.com`, `diffie-hellman-group15-sha384@ssh.com`, `diffie-hellman-group16-sha384@ssh.com`, `diffie-hellman-group16-sha512@ssh.com`, `diffie-hellman-group18-sha512@ssh.com`, `ecdh-sha2-curve25519`, `ecdh-sha2-nistb233`, `ecdh-sha2-nistb409`, `ecdh-sha2-nistk163`, `ecdh-sha2-nistk233`, `ecdh-sha2-nistk283`, `ecdh-sha2-nistk409`, `ecdh-sha2-nistp192`, `ecdh-sha2-nistp224`, `ecdh-sha2-nistt571`, `gss-gex-sha1-`, and `gss-group1-sha1-`. - Added 3 new ciphers: `aes128-gcm`, `aes256-gcm`, and `chacha20-poly1305`. - Added 2 new MACs: `aes128-gcm` and `aes256-gcm`. diff --git a/ssh-audit.py b/ssh-audit.py index 66c845d..d5f8d18 100755 --- a/ssh-audit.py +++ b/ssh-audit.py @@ -342,7 +342,6 @@ class SSH2(object): # pylint: disable=too-few-public-methods 'gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==': [[], [], [WARN_HASH_WEAK]], 'gss-gex-sha1-': [[], [], [WARN_HASH_WEAK]], 'gss-group1-sha1-': [[], [], [WARN_HASH_WEAK]], - 'gss-group14-sha1-': [[], [], [WARN_HASH_WEAK]], 'gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==': [[], [], [WARN_HASH_WEAK]], 'gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==': [[]], @@ -416,6 +415,10 @@ class SSH2(object): # pylint: disable=too-few-public-methods 'rsa-sha2-512-cert-v01@openssh.com': [['7.8']], 'ssh-rsa-sha256@ssh.com': [[]], 'ecdsa-sha2-1.3.132.0.10': [[], [], [WARN_RNDSIG_KEY]], # ECDSA over secp256k1 (i.e.: the Bitcoin curve) + 'sk-ecdsa-sha2-nistp256-cert-v01@openssh.com': [['8.2'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]], + 'sk-ecdsa-sha2-nistp256@openssh.com': [['8.2'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]], + 'sk-ssh-ed25519-cert-v01@openssh.com': [['8.2']], + 'sk-ssh-ed25519@openssh.com': [['8.2']], }, 'enc': { 'none': [['1.2.2,d2013.56,l10.2'], [FAIL_PLAINTEXT]],