elie/ssh-audit
1
0
Fork 0
mirror of https://github.com/jtesta/ssh-audit.git synced 2025-11-04 03:02:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fixed return value processing and mypy warning in algorithm_lookup(). Updated help listing, man page, and README.

Browse Source
This commit is contained in:
Joe Testa
2020-08-11 19:28:53 -04:00
parent 86cb453928
commit c7ad1828d8
3 changed files with 14 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@@ -36,7 +36,8 @@ usage: ssh-audit.py [options] <host>
-j, --json JSON output -j, --json JSON output
-l, --level=<level> minimum output level (info|warn|fail) -l, --level=<level> minimum output level (info|warn|fail)
-L, --list-policies list all the official, built-in policies -L, --list-policies list all the official, built-in policies
--lookup=<alg> performs an algorithm lookup (accepts a comma separated list) --lookup=<alg1,alg2,...> looks up an algorithm(s) without
connecting to a server
-M, --make-policy=<policy.txt> creates a policy based on the target server -M, --make-policy=<policy.txt> creates a policy based on the target server
(i.e.: the target server has the ideal (i.e.: the target server has the ideal
configuration that other servers should configuration that other servers should
@@ -87,7 +88,8 @@ $ brew install ssh-audit
### v2.2.1-dev (???) ### v2.2.1-dev (???)
- Created new man page (see ssh-audit.1 file). - Created new man page (see ssh-audit.1 file).
- 1024-bit moduli upgraded from warnings to failures. - 1024-bit moduli upgraded from warnings to failures.
- Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit [Jürgen Gmach](https://github.com/jugmac00)). - Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit [Jürgen Gmach](https://github.com/jugmac00).
- Added feature to look up algorithms in internal database (see `--lookup`); credit [Adam Russell](https://github.com/thecliguy).
- Suppress recommendation of token host key types. - Suppress recommendation of token host key types.
- Added check for use-after-free vulnerability in PuTTY v0.73. - Added check for use-after-free vulnerability in PuTTY v0.73.
- Added 5 new host key types: `ssh-rsa1`, `ssh-dss-sha256@ssh.com`, `ssh-gost2001`, `ssh-gost2012-256`, `ssh-gost2012-512`. - Added 5 new host key types: `ssh-rsa1`, `ssh-dss-sha256@ssh.com`, `ssh-gost2001`, `ssh-gost2012-256`, `ssh-gost2012-512`.

5
ssh-audit.1
View File

@@ -61,6 +61,11 @@ Specify the minimum output level. Default is info.
.br .br
List all official, built-in policies for common systems. Their file paths can then be provided using -P/--policy=<path/to/policy.txt>. List all official, built-in policies for common systems. Their file paths can then be provided using -P/--policy=<path/to/policy.txt>.
.TP
.B \-\-lookup=<alg1,alg2,...>
.br
Look up the security information of an algorithm(s) in the internal database. Does not connect to a server.
.TP .TP
.B -M, \-\-make-policy=<policy.txt> .B -M, \-\-make-policy=<policy.txt>
.br .br

8
ssh-audit.py
View File

@@ -79,7 +79,7 @@ def usage(err: Optional[str] = None) -> None:
uout.info(' -j, --json JSON output') uout.info(' -j, --json JSON output')
uout.info(' -l, --level=<level> minimum output level (info|warn|fail)') uout.info(' -l, --level=<level> minimum output level (info|warn|fail)')
uout.info(' -L, --list-policies list all the official, built-in policies') uout.info(' -L, --list-policies list all the official, built-in policies')
uout.info(' --lookup=<alg> performs an algorithm lookup (accepts a comma separated list)') uout.info(' --lookup=<alg1,alg2,...> looks up an algorithm(s) without\n connecting to a server')
uout.info(' -M, --make-policy=<policy.txt> creates a policy based on the target server\n (i.e.: the target server has the ideal\n configuration that other servers should\n adhere to)') uout.info(' -M, --make-policy=<policy.txt> creates a policy based on the target server\n (i.e.: the target server has the ideal\n configuration that other servers should\n adhere to)')
uout.info(' -n, --no-colors disable colors') uout.info(' -n, --no-colors disable colors')
uout.info(' -p, --port=<port> port to connect') uout.info(' -p, --port=<port> port to connect')
@@ -580,7 +580,7 @@ class AuditConf:
aconf.target_file = a aconf.target_file = a
elif o in ('-L', '--list-policies'): elif o in ('-L', '--list-policies'):
aconf.list_policies = True aconf.list_policies = True
elif o in ('--lookup'): elif o == '--lookup':
aconf.lookup = a aconf.lookup = a
if len(args) == 0 and aconf.client_audit is False and aconf.target_file is None and aconf.list_policies is False and aconf.lookup == '': if len(args) == 0 and aconf.client_audit is False and aconf.target_file is None and aconf.list_policies is False and aconf.lookup == '':
@@ -3722,6 +3722,8 @@ def audit(aconf: AuditConf, sshv: Optional[int] = None, print_target: bool = Fal
def algorithm_lookup(alg_names: str) -> int: def algorithm_lookup(alg_names: str) -> int:
'''Looks up a comma-separated list of algorithms and outputs their security properties. Returns a PROGRAM_RETVAL_* flag.'''
retval = PROGRAM_RETVAL_GOOD
alg_types = { alg_types = {
'kex': 'key exchange algorithms', 'kex': 'key exchange algorithms',
'key': 'host-key algorithms', 'key': 'host-key algorithms',
@@ -3751,7 +3753,7 @@ def algorithm_lookup(alg_names: str) -> int:
for alg_type in alg_types: for alg_type in alg_types:
if len(algorithms_dict[alg_type]) > 0: if len(algorithms_dict[alg_type]) > 0:
title = str(alg_types.get(alg_type)) title = str(alg_types.get(alg_type))
retval = output_algorithms(title, adb, alg_type, algorithms_dict[alg_type], unknown_algorithms, False, PROGRAM_RETVAL_GOOD, padding) retval = output_algorithms(title, adb, alg_type, list(algorithms_dict[alg_type]), unknown_algorithms, False, retval, padding)
algorithms_dict_flattened = [ algorithms_dict_flattened = [
alg_name alg_name