From c185a25af115911e755d9a0f999512fad913fa4b Mon Sep 17 00:00:00 2001
From: Joe Testa <jtesta@positronsecurity.com>
Date: Wed, 28 Aug 2019 00:37:55 -0400
Subject: [PATCH] For unrecognized servers, only recommend algorithm changes &
 removals, not additions (since they can be very inaccurate).

---
 ssh-audit.py | 37 ++++++++++++++++++++++++-------------
 1 file changed, 24 insertions(+), 13 deletions(-)

diff --git a/ssh-audit.py b/ssh-audit.py
index 1ea93cd..ca4db6f 100755
--- a/ssh-audit.py
+++ b/ssh-audit.py
@@ -1681,21 +1681,27 @@ class SSH(object):  # pylint: disable=too-few-public-methods
 			             SSH.Product.DropbearSSH,
 			             SSH.Product.LibSSH,
 			             SSH.Product.TinySSH]
+			# Set to True if server is not one of vproducts, above.
+			unknown_software = False
 			if software is not None:
 				if software.product not in vproducts:
-					software = None
-			if software is None:
-				ssh_timeframe = self.get_ssh_timeframe(for_server)
-				for product in vproducts:
-					if product not in ssh_timeframe:
-						continue
-					version = ssh_timeframe.get_from(product, for_server)
-					if version is not None:
-						software = SSH.Software(None, product, version, None, None)
-						break
+					unknown_software = True
+#
+# The code below is commented out because it would try to guess what the server is,
+# usually resulting in wild & incorrect recommendations.
+#
+#			if software is None:
+#				ssh_timeframe = self.get_ssh_timeframe(for_server)
+#				for product in vproducts:
+#					if product not in ssh_timeframe:
+#						continue
+#					version = ssh_timeframe.get_from(product, for_server)
+#					if version is not None:
+#						software = SSH.Software(None, product, version, None, None)
+#						break
 			rec = {}  # type: Dict[int, Dict[str, Dict[str, Dict[str, int]]]]
 			if software is None:
-				return software, rec
+				unknown_software = True
 			for alg_pair in self.values:
 				sshv, alg_db = alg_pair.sshv, alg_pair.db
 				rec[sshv] = {}
@@ -1708,15 +1714,17 @@ class SSH(object):  # pylint: disable=too-few-public-methods
 						if len(versions) == 0 or versions[0] is None:
 							continue
 						matches = False
+						if unknown_software:
+							matches = True
 						for v in versions[0].split(','):
 							ssh_prefix, ssh_version, is_cli = SSH.Algorithm.get_ssh_version(v)
 							if not ssh_version:
 								continue
-							if ssh_prefix != software.product:
+							if (software is not None) and (ssh_prefix != software.product):
 								continue
 							if is_cli and for_server:
 								continue
-							if software.compare_version(ssh_version) < 0:
+							if (software is not None) and (software.compare_version(ssh_version) < 0):
 								continue
 							matches = True
 							break
@@ -1740,6 +1748,9 @@ class SSH(object):  # pylint: disable=too-few-public-methods
 								rec[sshv][alg_type]['chg'][n] = faults
 							else:
 								rec[sshv][alg_type]['del'][n] = faults
+					# If we are working with unknown software, drop all add recommendations, because we don't know if they're valid.
+					if unknown_software:
+						rec[sshv][alg_type]['add'] = {}
 					add_count = len(rec[sshv][alg_type]['add'])
 					del_count = len(rec[sshv][alg_type]['del'])
 					chg_count = len(rec[sshv][alg_type]['chg'])