diff --git a/README.md b/README.md
index 109b2e8..e5be5f5 100644
--- a/README.md
+++ b/README.md
@@ -36,7 +36,8 @@ usage: ssh-audit.py [options]
 -j, --json JSON output
 -l, --level= minimum output level (info|warn|fail)
 -L, --list-policies list all the official, built-in policies
- --lookup= performs an algorithm lookup (accepts a comma separated list)
+ --lookup= looks up an algorithm(s) without
+ connecting to a server
 -M, --make-policy= creates a policy based on the target server
 (i.e.: the target server has the ideal
 configuration that other servers should
@@ -87,7 +88,8 @@ $ brew install ssh-audit
 ### v2.2.1-dev (???)
 - Created new man page (see ssh-audit.1 file).
 - 1024-bit moduli upgraded from warnings to failures.
- - Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit [Jürgen Gmach](https://github.com/jugmac00)).
+ - Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit [Jürgen Gmach](https://github.com/jugmac00).
+ - Added feature to look up algorithms in internal database (see `--lookup`); credit [Adam Russell](https://github.com/thecliguy).
 - Suppress recommendation of token host key types.
 - Added check for use-after-free vulnerability in PuTTY v0.73.
 - Added 5 new host key types: `ssh-rsa1`, `ssh-dss-sha256@ssh.com`, `ssh-gost2001`, `ssh-gost2012-256`, `ssh-gost2012-512`.
diff --git a/ssh-audit.1 b/ssh-audit.1
index b3685a9..b292032 100644
--- a/ssh-audit.1
+++ b/ssh-audit.1
@@ -61,6 +61,11 @@ Specify the minimum output level. Default is info.
 .br
 List all official, built-in policies for common systems. Their file paths can then be provided using -P/--policy=.
 
+.TP
+.B \-\-lookup=
+.br
+Look up the security information of an algorithm(s) in the internal database. Does not connect to a server.
+
 .TP
 .B -M, \-\-make-policy=
 .br
diff --git a/ssh-audit.py b/ssh-audit.py
index 9a4d3d8..6d617f6 100755
--- a/ssh-audit.py
+++ b/ssh-audit.py
@@ -79,7 +79,7 @@ def usage(err: Optional[str] = None) -> None:
 uout.info(' -j, --json JSON output')
 uout.info(' -l, --level= minimum output level (info|warn|fail)')
 uout.info(' -L, --list-policies list all the official, built-in policies')
- uout.info(' --lookup= performs an algorithm lookup (accepts a comma separated list)')
+ uout.info(' --lookup= looks up an algorithm(s) without\n connecting to a server')
 uout.info(' -M, --make-policy= creates a policy based on the target server\n (i.e.: the target server has the ideal\n configuration that other servers should\n adhere to)')
 uout.info(' -n, --no-colors disable colors')
 uout.info(' -p, --port= port to connect')
@@ -580,7 +580,7 @@ class AuditConf:
 aconf.target_file = a
 elif o in ('-L', '--list-policies'):
 aconf.list_policies = True
- elif o in ('--lookup'):
+ elif o == '--lookup':
 aconf.lookup = a
 
 if len(args) == 0 and aconf.client_audit is False and aconf.target_file is None and aconf.list_policies is False and aconf.lookup == '':
@@ -3722,6 +3722,8 @@ def audit(aconf: AuditConf, sshv: Optional[int] = None, print_target: bool = Fal
 
 
 def algorithm_lookup(alg_names: str) -> int:
+ '''Looks up a comma-separated list of algorithms and outputs their security properties. Returns a PROGRAM_RETVAL_* flag.'''
+ retval = PROGRAM_RETVAL_GOOD
 alg_types = {
 'kex': 'key exchange algorithms',
 'key': 'host-key algorithms',
@@ -3751,7 +3753,7 @@ def algorithm_lookup(alg_names: str) -> int:
 for alg_type in alg_types:
 if len(algorithms_dict[alg_type]) > 0:
 title = str(alg_types.get(alg_type))
- retval = output_algorithms(title, adb, alg_type, algorithms_dict[alg_type], unknown_algorithms, False, PROGRAM_RETVAL_GOOD, padding)
+ retval = output_algorithms(title, adb, alg_type, list(algorithms_dict[alg_type]), unknown_algorithms, False, retval, padding)
 algorithms_dict_flattened = [ alg_name
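Review bot: The rewritten `--lookup=` help line in usage() drops the one fact the old text carried, that the option accepts a comma-separated list, while the docstring this same commit adds to algorithm_lookup still describes the input exactly that way. A user now learns the list syntax only from the man page or the source; `looks up one or more comma-separated algorithms\n without connecting to a server` (padded like the neighbouring lines) keeps both facts. The README and ssh-audit.1 hunks have the same gap and also use the awkward "an algorithm(s)". The usage() body continues outside the hunk.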
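Review bot: The corrected branch `elif o == '--lookup':` carries no comment explaining why it differs from the `o in (...)` form of the neighbouring branches, so the next single-option branch is likely to reintroduce the defect the commit fixes (`('--lookup')` is a str, so `in` performed a substring test). Either a one-line comment such as `# single option: '==' on purpose, ('--lookup') is a str not a tuple` or writing it as `elif o in ('--lookup',):` to match the siblings would record the intent. The enclosing option-parsing method starts and ends outside the hunk.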
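Review bot: The new docstring on algorithm_lookup says the result is a PROGRAM_RETVAL_* flag but not how it is formed; the -3751 hunk of the same file shows `retval` being threaded through successive `output_algorithms` calls, so it appears to be the value accumulated across all algorithm types, and the docstring could state that, e.g. `Returns the PROGRAM_RETVAL_* flag accumulated over every algorithm type looked up.`. It also leaves unsaid what happens to names absent from the database; the `unknown_algorithms` argument suggests they are reported separately, but that handling lies outside the hunk and should be confirmed before documenting it. The function body continues past the hunk.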