Now SHA256 fingerprints are displayed for RSA and ED25519 host keys. Fixes #2.

2025-11-04 03:02:15 +01:00 · 2019-08-22 15:47:37 -04:00
parent ed11fc135b
commit af663da838
1 changed files with 128 additions and 81 deletions
--- a/ssh-audit.py
+++ b/ssh-audit.py
@@ -272,7 +272,10 @@ class OutputBuffer(list):
 		sys.stdout = self.__buf
 		return self
-	def flush(self):
+	def flush(self, sort_lines=False):
 		# Lines must be sorted in some cases to ensure consistent testing.
 		if sort_lines:
 			self.sort()
 		# type: () -> None
 		for line in self:
 			print(line)
@@ -322,7 +325,7 @@ class SSH2(object):  # pylint: disable=too-few-public-methods
 				'diffie-hellman-group18-sha512': [['7.3']],
 				'diffie-hellman-group-exchange-sha1': [['2.3.0', '6.6', None], [FAIL_OPENSSH67_UNSAFE], [WARN_HASH_WEAK]],
 				'diffie-hellman-group-exchange-sha256': [['4.4']],
-				'diffie-hellman-group-exchange-sha256@ssh.com': [['4.4']],
+				'diffie-hellman-group-exchange-sha256@ssh.com': [[]],
 				'ecdh-sha2-nistp256': [['5.7,d2013.62,l10.6.0'], [WARN_CURVES_WEAK]],
 				'ecdh-sha2-nistp384': [['5.7,d2013.62'], [WARN_CURVES_WEAK]],
 				'ecdh-sha2-nistp521': [['5.7,d2013.62'], [WARN_CURVES_WEAK]],
@@ -466,6 +469,7 @@ class SSH2(object):  # pylint: disable=too-few-public-methods
 			self.__rsa_key_sizes = {}
 			self.__dh_modulus_sizes = {}
 			self.__host_keys = {}
 		@property
 		def cookie(self):
@@ -516,6 +520,12 @@ class SSH2(object):  # pylint: disable=too-few-public-methods
 		def dh_modulus_sizes(self):
 			return self.__dh_modulus_sizes
 		def set_host_key(self, key_type, hostkey):
 			self.__host_keys[key_type] = hostkey
 		def host_keys(self):
 			return self.__host_keys
 		def write(self, wbuf):
 			# type: (WriteBuf) -> None
 			wbuf.write(self.cookie)
@@ -561,10 +571,22 @@ class SSH2(object):  # pylint: disable=too-few-public-methods
 			kex = cls(cookie, kex_algs, key_algs, cli, srv, follows, unused)
 			return kex
-	# Obtains RSA host keys and checks their size.
+	# Obtains host keys, checks their size, and derives their fingerprints.
-	class RSAKeyTest(object):
+	class HostKeyTest(object):
-		RSA_TYPES = ['ssh-rsa', 'rsa-sha2-256', 'rsa-sha2-512']
+		# Tracks the RSA host key types.  As of this writing, testing one in this family yields valid results for the rest.
-		RSA_CA_TYPES = ['ssh-rsa-cert-v01@openssh.com']
+		RSA_FAMILY = ['ssh-rsa', 'rsa-sha2-256', 'rsa-sha2-512']
 		# Dict holding the host key types we should extract & parse.  'cert' is True to denote that a host key type handles certificates (thus requires additional parsing).  'variable_key_len' is True for host key types that can have variable sizes (True only for RSA types, as the rest are of fixed-size).  After the host key type is fully parsed, the key 'parsed' is added with a value of True.
 		HOST_KEY_TYPES = {
 			'ssh-rsa':      {'cert': False, 'variable_key_len': True},
 			'rsa-sha2-256': {'cert': False, 'variable_key_len': True},
 			'rsa-sha2-512': {'cert': False, 'variable_key_len': True},
 			'ssh-rsa-cert-v01@openssh.com':     {'cert': True, 'variable_key_len': True},
 			'ssh-ed25519':                      {'cert': False, 'variable_key_len': False},
 			'ssh-ed25519-cert-v01@openssh.com': {'cert': True,  'variable_key_len': False},
 		}
 		@staticmethod
 		def run(s, server_kex):
@@ -595,90 +617,90 @@ class SSH2(object):  # pylint: disable=too-few-public-methods
 					break
 			if kex_str is not None:
-				SSH2.RSAKeyTest.__test(s, server_kex, kex_str, kex_group, SSH2.RSAKeyTest.RSA_TYPES)
+				SSH2.HostKeyTest.__test(s, server_kex, kex_str, kex_group, SSH2.HostKeyTest.HOST_KEY_TYPES)
 				SSH2.RSAKeyTest.__test(s, server_kex, kex_str, kex_group, SSH2.RSAKeyTest.RSA_CA_TYPES, ca=True)
 		@staticmethod
-		def __test(s, server_kex, kex_str, kex_group, rsa_types, ca=False):
+		def __test(s, server_kex, kex_str, kex_group, host_key_types):
 			# If the server supports one of the RSA types, extract its key size.
 			hostkey_modulus_size = 0
 			ca_modulus_size = 0
 			ran_test = False
-			# If the connection is closed, re-open it and get the kex again.
+			# For each host key type...
-			if not s.is_connected():
+			for host_key_type in host_key_types:
-				s.connect()
+				# Skip those already handled (i.e.: those in the RSA family, as testing one tests them all).
-				unused = None # pylint: disable=unused-variable
+				if 'parsed' in host_key_types[host_key_type] and host_key_types[host_key_type]['parsed']:
-				unused, unused, err = s.get_banner()
+					continue
 				if err is not None:
 					s.close()
 					return
-				# Parse the server's initial KEX.
+				# If this host key type is supported by the server, we test it.
-				packet_type = 0 # pylint: disable=unused-variable
+				if host_key_type in server_kex.key_algorithms:
-				packet_type, payload = s.read_packet()
+					cert = host_key_types[host_key_type]['cert']
-				SSH2.Kex.parse(payload)
+					variable_key_len = host_key_types[host_key_type]['variable_key_len']
 					# If the connection is closed, re-open it and get the kex again.
 					if not s.is_connected():
 						s.connect()
 						unused = None # pylint: disable=unused-variable
 						unused, unused, err = s.get_banner()
 						if err is not None:
 							s.close()
 							return
-			for rsa_type in rsa_types:
+						# Parse the server's initial KEX.
-				if rsa_type in server_kex.key_algorithms:
+						packet_type = 0 # pylint: disable=unused-variable
-					ran_test = True
+						packet_type, payload = s.read_packet()
 						SSH2.Kex.parse(payload)
 					# Send the server our KEXINIT message, using only our
-					# selected kex and RSA type.  Send the server's own
+					# selected kex and host key type.  Send the server's own
 					# list of ciphers and MACs back to it (this doesn't
 					# matter, really).
-					client_kex = SSH2.Kex(os.urandom(16), [kex_str], [rsa_type], server_kex.client, server_kex.server, 0, 0)
+					client_kex = SSH2.Kex(os.urandom(16), [kex_str], [host_key_type], server_kex.client, server_kex.server, 0, 0)
 					s.write_byte(SSH.Protocol.MSG_KEXINIT)
 					client_kex.write(s)
 					s.send_packet()
 					# Do the initial DH exchange.  The server responds back
-					# with the host key and its length.  Bingo.
+					# with the host key and its length.  Bingo.  We also get back the host key fingerprint.
 					kex_group.send_init(s)
-					kex_group.recv_reply(s)
+					host_key = kex_group.recv_reply(s, variable_key_len)
 					server_kex.set_host_key(host_key_type, host_key)
 					hostkey_modulus_size = kex_group.get_hostkey_size()
 					ca_modulus_size = kex_group.get_ca_size()
-					# If we're not working with the CA types, we only need to
+					# Close the socket, as the connection has
-					# test one RSA key, since the others will all be the same.
+					# been put in a state that later tests can't use.
-					if ca is False:
+					s.close()
 						break
-			if hostkey_modulus_size > 0 or ca_modulus_size > 0:
+					# If the host key modulus or CA modulus was successfully parsed, check to see that its a safe size.
-				# Set the hostkey size for all RSA key types since 'ssh-rsa',
+					if hostkey_modulus_size > 0 or ca_modulus_size > 0:
-				# 'rsa-sha2-256', etc. are all using the same host key.
+						# Set the hostkey size for all RSA key types since 'ssh-rsa',
-				# Note, however, that this may change in the future.
+						# 'rsa-sha2-256', etc. are all using the same host key.
-				if ca is False:
+						# Note, however, that this may change in the future.
-					for rsa_type in rsa_types:
+						if cert is False and host_key_type in SSH2.HostKeyTest.RSA_FAMILY:
-						server_kex.set_rsa_key_size(rsa_type, hostkey_modulus_size)
+							for rsa_type in SSH2.HostKeyTest.RSA_FAMILY:
-				else:
+								server_kex.set_rsa_key_size(rsa_type, hostkey_modulus_size)
-					server_kex.set_rsa_key_size(rsa_type, hostkey_modulus_size, ca_modulus_size)
+						elif cert is True:
 							server_kex.set_rsa_key_size(host_key_type, hostkey_modulus_size, ca_modulus_size)
-				# Keys smaller than 2048 result in a failure.
+						# Keys smaller than 2048 result in a failure.  Update the database accordingly.
-				fail = False
+						if (cert is False) and (hostkey_modulus_size < 2048):
-				if hostkey_modulus_size < 2048 or (ca_modulus_size < 2048 and ca_modulus_size > 0):
+							for rsa_type in SSH2.HostKeyTest.RSA_FAMILY:
-					fail = True
+								alg_list = SSH2.KexDB.ALGORITHMS['key'][rsa_type]
 								alg_list.append(['using small %d-bit modulus' % hostkey_modulus_size])
 						elif (cert is True) and ((hostkey_modulus_size < 2048) or (ca_modulus_size > 0 and ca_modulus_size < 2048)):
 							alg_list = SSH2.KexDB.ALGORITHMS['key'][host_key_type]
 							min_modulus = min(hostkey_modulus_size, ca_modulus_size)
 							min_modulus = min_modulus if min_modulus > 0 else max(hostkey_modulus_size, ca_modulus_size)
 							alg_list.append(['using small %d-bit modulus' % min_modulus])
-				# If this is a bad key size, update the database accordingly.
+					# If this host key type is in the RSA family, then mark them all as parsed (since results in one are valid for them all).
-				if fail:
+					if host_key_type in SSH2.HostKeyTest.RSA_FAMILY:
-					if ca is False:
+						for rsa_type in SSH2.HostKeyTest.RSA_FAMILY:
-						for rsa_type in SSH2.RSAKeyTest.RSA_TYPES:
+							host_key_types[rsa_type]['parsed'] = True
 							alg_list = SSH2.KexDB.ALGORITHMS['key'][rsa_type]
 							alg_list.append(['using small %d-bit modulus' % hostkey_modulus_size])
 					else:
-						alg_list = SSH2.KexDB.ALGORITHMS['key'][rsa_type]
+						host_key_types[host_key_type]['parsed'] = True
 						min_modulus = min(hostkey_modulus_size, ca_modulus_size)
 						min_modulus = min_modulus if min_modulus > 0 else max(hostkey_modulus_size, ca_modulus_size)
 						alg_list.append(['using small %d-bit modulus' % min_modulus])
 			# If we ran any tests, close the socket, as the connection has
 			# been put in a state that later tests can't use.
 			if ran_test:
 				s.close()
 	# Performs DH group exchanges to find what moduli are supported, and checks
 	# their size.
@@ -733,21 +755,21 @@ class SSH2(object):  # pylint: disable=too-few-public-methods
 					if SSH2.GEXTest.reconnect(s, gex_alg) is False:
 						break
 					kex_group = GEX_ALGS[gex_alg]()
 					smallest_modulus = -1
 					# First try a range of weak sizes.
 					try:
 						kex_group.send_init_gex(s, 512, 1024, 1536)
-						kex_group.recv_reply(s)
+						kex_group.recv_reply(s, False)
 						# Its been observed that servers will return a group
 						# larger than the requested max.  So just because we
 						# got here, doesn't mean the server is vulnerable...
 						smallest_modulus = kex_group.get_dh_modulus_size()
-					except Exception: # pylint: disable=bare-except
+
-						x = 1 # pylint: disable=unused-variable
+					except Exception as e: # pylint: disable=bare-except
 						pass
 					finally:
 						s.close()
@@ -766,10 +788,12 @@ class SSH2(object):  # pylint: disable=too-few-public-methods
 						try:
 							kex_group.send_init_gex(s, bits, bits, bits)
-							kex_group.recv_reply(s)
+							kex_group.recv_reply(s, False)
 							smallest_modulus = kex_group.get_dh_modulus_size()
-						except Exception: # pylint: disable=bare-except
+						except Exception as e: # pylint: disable=bare-except
-							x = 1 # pylint: disable=unused-variable
+							#import traceback
 							#print(traceback.format_exc())
 							pass
 						finally:
 							# The server is in a state that is not re-testable,
 							# so there's nothing else to do with this open
@@ -2132,6 +2156,7 @@ class KexDH(object):  # pragma: nocover
 		self.__f = 0
 		self.__h_sig = 0
 	def set_params(self, g, p):
 		self.__g = g
 		self.__p = p
@@ -2150,8 +2175,9 @@ class KexDH(object):  # pragma: nocover
 		s.send_packet()
 	# Parse a KEXDH_REPLY or KEXDH_GEX_REPLY message from the server.  This
-	# Contains the host key, among other things.
+	# contains the host key, among other things.  Function returns the host
-	def recv_reply(self, s):
+	# key blob (from which the fingerprint can be calculated).
 	def recv_reply(self, s, parse_host_key_size=True):
 		packet_type, payload = s.read_packet(2)
 		if packet_type != -1 and packet_type not in [SSH.Protocol.MSG_KEXDH_REPLY, SSH.Protocol.MSG_KEXDH_GEX_REPLY]:
 			# TODO: change Exception to something more specific.
@@ -2160,7 +2186,7 @@ class KexDH(object):  # pragma: nocover
 			# A connection error occurred.  We can't parse anything, so just
 			# return.  The host key modulus (and perhaps certificate modulus)
 			# will remain at length 0.
-			return
+			return None
 		hostkey_len = f_len = h_sig_len = 0  # pylint: disable=unused-variable
 		hostkey_type_len = hostkey_e_len = 0 # pylint: disable=unused-variable
@@ -2178,6 +2204,11 @@ class KexDH(object):  # pragma: nocover
 		# Get the host key blob, F, and signature.
 		ptr = 0
 		hostkey, hostkey_len, ptr = KexDH.__get_bytes(payload, ptr)
 		# If we are not supposed to parse the host key size (i.e.: it is a type that is of fixed size such as ed25519), then stop here.
 		if not parse_host_key_size:
 			return hostkey
 		self.__f, f_len, ptr = KexDH.__get_bytes(payload, ptr)
 		self.__h_sig, h_sig_len, ptr = KexDH.__get_bytes(payload, ptr)
@@ -2254,6 +2285,7 @@ class KexDH(object):  # pragma: nocover
 				# CA's modulus.  Bingo.
 				ca_key_n, self.__ca_n_len, ptr = KexDH.__get_bytes(ca_key, ptr)
 		return hostkey
 	@staticmethod
 	def __get_bytes(buf, ptr):
@@ -2639,20 +2671,35 @@ def output_security(banner, padlen):
 		out.sep()
-def output_fingerprint(algs, sha256=True, padlen=0):
+def output_fingerprints(algs, sha256=True):
 	# type: (SSH.Algorithms, bool, int) -> None
 	with OutputBuffer() as obuf:
 		fps = []
 		if algs.ssh1kex is not None:
 			name = 'ssh-rsa1'
 			fp = SSH.Fingerprint(algs.ssh1kex.host_key_fingerprint_data)
-			bits = algs.ssh1kex.host_key_bits
+			#bits = algs.ssh1kex.host_key_bits
-			fps.append((name, fp, bits))
+			fps.append((name, fp))
 		if algs.ssh2kex is not None:
 			host_keys = algs.ssh2kex.host_keys()
 			for host_key_type in algs.ssh2kex.host_keys():
 				fp = SSH.Fingerprint(host_keys[host_key_type])
 				# Workaround for Python's order-indifference in dicts.  We might get a random RSA type (ssh-rsa, rsa-sha2-256, or rsa-sha2-512), so running the tool against the same server three times may give three different host key types here.  So if we have any RSA type, we will simply hard-code it to 'ssh-rsa'.
 				if host_key_type in SSH2.HostKeyTest.RSA_FAMILY:
 					host_key_type = 'ssh-rsa'
 				# Skip over certificate host types (or we would return invalid fingerprints).
 				if '-cert-' not in host_key_type:
 					fps.append((host_key_type, fp))
 		# Similarly, the host keys can be processed in random order due to Python's order-indifference in dicts.  So we sort this list before printing; this makes automated testing possible.
 		fps = sorted(fps)
 		for fpp in fps:
-			name, fp, bits = fpp
+			name, fp = fpp
 			fpo = fp.sha256 if sha256 else fp.md5
-			p = '' if out.batch else ' ' * (padlen - len(name))
+			#p = '' if out.batch else ' ' * (padlen - len(name))
-			out.good('(fin) {0}{1} -- {2} {3}'.format(name, p, bits, fpo))
+			#out.good('(fin) {0}{1} -- {2} {3}'.format(name, p, bits, fpo))
 			out.good('(fin) {0}: {1}'.format(name, fpo))
 	if len(obuf) > 0:
 		out.head('# fingerprints')
 		obuf.flush()
@@ -2694,7 +2741,7 @@ def output_recommendations(algs, software, padlen=0):
 		else:
 			title = ''
 		out.head('# algorithm recommendations {0}'.format(title))
-		obuf.flush()
+		obuf.flush(True) # Sort the output so that it is always stable (needed for repeatable testing).
 		out.sep()
@@ -2752,8 +2799,8 @@ def output(banner, header, kex=None, pkm=None):
 		output_algorithms(title, adb, atype, kex.server.encryption, unknown_algorithms, maxlen)
 		title, atype = 'message authentication code algorithms', 'mac'
 		output_algorithms(title, adb, atype, kex.server.mac, unknown_algorithms, maxlen)
 	output_fingerprints(algs, True)
 	output_recommendations(algs, software, maxlen)
 	output_fingerprint(algs, True, maxlen)
 	# If we encountered any unknown algorithms, ask the user to report them.
 	if len(unknown_algorithms) > 0:
@@ -2933,7 +2980,7 @@ def audit(aconf, sshv=None):
 		output(banner, header, pkm=pkm)
 	elif sshv == 2:
 		kex = SSH2.Kex.parse(payload)
-		SSH2.RSAKeyTest.run(s, kex)
+		SSH2.HostKeyTest.run(s, kex)
 		SSH2.GEXTest.run(s, kex)
 		output(banner, header, kex=kex)