For unrecognized servers, only recommend algorithm changes & removals, not additions (since they can be very inaccurate).
This commit is contained in:
parent
7221413567
commit
c185a25af1
37
ssh-audit.py
37
ssh-audit.py
@ -1681,21 +1681,27 @@ class SSH(object): # pylint: disable=too-few-public-methods
|
|||||||
SSH.Product.DropbearSSH,
|
SSH.Product.DropbearSSH,
|
||||||
SSH.Product.LibSSH,
|
SSH.Product.LibSSH,
|
||||||
SSH.Product.TinySSH]
|
SSH.Product.TinySSH]
|
||||||
|
# Set to True if server is not one of vproducts, above.
|
||||||
|
unknown_software = False
|
||||||
if software is not None:
|
if software is not None:
|
||||||
if software.product not in vproducts:
|
if software.product not in vproducts:
|
||||||
software = None
|
unknown_software = True
|
||||||
if software is None:
|
#
|
||||||
ssh_timeframe = self.get_ssh_timeframe(for_server)
|
# The code below is commented out because it would try to guess what the server is,
|
||||||
for product in vproducts:
|
# usually resulting in wild & incorrect recommendations.
|
||||||
if product not in ssh_timeframe:
|
#
|
||||||
continue
|
# if software is None:
|
||||||
version = ssh_timeframe.get_from(product, for_server)
|
# ssh_timeframe = self.get_ssh_timeframe(for_server)
|
||||||
if version is not None:
|
# for product in vproducts:
|
||||||
software = SSH.Software(None, product, version, None, None)
|
# if product not in ssh_timeframe:
|
||||||
break
|
# continue
|
||||||
|
# version = ssh_timeframe.get_from(product, for_server)
|
||||||
|
# if version is not None:
|
||||||
|
# software = SSH.Software(None, product, version, None, None)
|
||||||
|
# break
|
||||||
rec = {} # type: Dict[int, Dict[str, Dict[str, Dict[str, int]]]]
|
rec = {} # type: Dict[int, Dict[str, Dict[str, Dict[str, int]]]]
|
||||||
if software is None:
|
if software is None:
|
||||||
return software, rec
|
unknown_software = True
|
||||||
for alg_pair in self.values:
|
for alg_pair in self.values:
|
||||||
sshv, alg_db = alg_pair.sshv, alg_pair.db
|
sshv, alg_db = alg_pair.sshv, alg_pair.db
|
||||||
rec[sshv] = {}
|
rec[sshv] = {}
|
||||||
@ -1708,15 +1714,17 @@ class SSH(object): # pylint: disable=too-few-public-methods
|
|||||||
if len(versions) == 0 or versions[0] is None:
|
if len(versions) == 0 or versions[0] is None:
|
||||||
continue
|
continue
|
||||||
matches = False
|
matches = False
|
||||||
|
if unknown_software:
|
||||||
|
matches = True
|
||||||
for v in versions[0].split(','):
|
for v in versions[0].split(','):
|
||||||
ssh_prefix, ssh_version, is_cli = SSH.Algorithm.get_ssh_version(v)
|
ssh_prefix, ssh_version, is_cli = SSH.Algorithm.get_ssh_version(v)
|
||||||
if not ssh_version:
|
if not ssh_version:
|
||||||
continue
|
continue
|
||||||
if ssh_prefix != software.product:
|
if (software is not None) and (ssh_prefix != software.product):
|
||||||
continue
|
continue
|
||||||
if is_cli and for_server:
|
if is_cli and for_server:
|
||||||
continue
|
continue
|
||||||
if software.compare_version(ssh_version) < 0:
|
if (software is not None) and (software.compare_version(ssh_version) < 0):
|
||||||
continue
|
continue
|
||||||
matches = True
|
matches = True
|
||||||
break
|
break
|
||||||
@ -1740,6 +1748,9 @@ class SSH(object): # pylint: disable=too-few-public-methods
|
|||||||
rec[sshv][alg_type]['chg'][n] = faults
|
rec[sshv][alg_type]['chg'][n] = faults
|
||||||
else:
|
else:
|
||||||
rec[sshv][alg_type]['del'][n] = faults
|
rec[sshv][alg_type]['del'][n] = faults
|
||||||
|
# If we are working with unknown software, drop all add recommendations, because we don't know if they're valid.
|
||||||
|
if unknown_software:
|
||||||
|
rec[sshv][alg_type]['add'] = {}
|
||||||
add_count = len(rec[sshv][alg_type]['add'])
|
add_count = len(rec[sshv][alg_type]['add'])
|
||||||
del_count = len(rec[sshv][alg_type]['del'])
|
del_count = len(rec[sshv][alg_type]['del'])
|
||||||
chg_count = len(rec[sshv][alg_type]['chg'])
|
chg_count = len(rec[sshv][alg_type]['chg'])
|
||||||
|
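Review bot: The `unknown_software` flag is assigned in two separate places in the first hunk — inside the `software.product not in vproducts` branch and again in the `if software is None:` check after `rec = {}` — with the disabled guessing heuristic left as a commented-out block between them; a single assignment where the flag is declared, `unknown_software = software is None or software.product not in vproducts`, states the condition in one line, and the commented-out heuristic can be dropped since the explanatory comment and version history already record why it was removed. In the second hunk, once `unknown_software` is True the `for v in versions[0].split(',')` loop can no longer change `matches` (it is preset to True and the two `software is not None` guards only skip entries), so assuming `get_ssh_version` has no side effects, wrapping the loop in `if not unknown_software:` would make that intent explicit rather than relying on the preset. The same reasoning explains why the `'add'` bucket is cleared in the third hunk, so a short comment there tying it to the preset `matches`, e.g. `# unknown software matches every entry above, so 'add' entries are guesses`, would help the next reader. The enclosing method begins before the first hunk and its per-algorithm loop continues past the second, so the surrounding control flow is inferred rather than visible here.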