mirror of
https://github.com/jtesta/ssh-audit.git
synced 2025-06-21 18:23:40 +02:00
Generic failure/warning messages replaced with more specific reasons. SHA-1 algorithms now cause failures. CBC mode ciphers are now warnings instead of failures.
This commit is contained in:
@ -6,59 +6,55 @@
|
||||
|
||||
[0;36m# key exchange algorithms[0m
|
||||
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62[0m
|
||||
[0;31m(kex) ecdh-sha2-nistp521 -- [fail] using weak elliptic curves[0m
|
||||
`- [info] default key exchange since OpenSSH 6.4
|
||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
||||
`- [info] default key exchange since OpenSSH 6.4
|
||||
[0;31m(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using weak elliptic curves[0m
|
||||
[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;31m(kex) ecdh-sha2-nistp256 -- [fail] using weak elliptic curves[0m
|
||||
[0;31m(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;33m(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
|
||||
[0;33m(kex) diffie-hellman-group14-sha1 -- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
|
||||
[0;32m(kex) kexguess2@matt.ucc.asn.au -- [info] available since Dropbear SSH 2013.57[0m
|
||||
|
||||
[0;36m# host-key algorithms[0m
|
||||
[0;31m(key) ecdsa-sha2-nistp256 -- [fail] using weak elliptic curves[0m
|
||||
[0;31m(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
[0;33m `- [warn] using weak random number generator could reveal the key[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;31m(key) ssh-rsa (1024-bit) -- [fail] using weak hashing algorithm[0m
|
||||
[0;31m(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;31m `- [fail] using small 1024-bit modulus[0m
|
||||
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
|
||||
`- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
|
||||
[0;31m(key) ssh-dss -- [fail] using small 1024-bit modulus[0m
|
||||
[0;31m `- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm[0m
|
||||
[0;33m `- [warn] using weak random number generator could reveal the key[0m
|
||||
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
|
||||
`- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
|
||||
|
||||
[0;36m# encryption algorithms (ciphers)[0m
|
||||
[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
[0;31m(enc) aes128-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes128-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
[0;31m(enc) aes256-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes256-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
|
||||
[0;31m(enc) 3des-ctr -- [fail] using weak cipher[0m
|
||||
[0;31m(enc) 3des-ctr -- [fail] using broken & deprecated 3DES cipher[0m
|
||||
`- [info] available since Dropbear SSH 0.52
|
||||
[0;31m(enc) 3des-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.4, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
|
||||
|
||||
[0;36m# message authentication code algorithms[0m
|
||||
[0;31m(mac) hmac-sha1-96 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
|
||||
[0;33m(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
|
||||
[0;33m(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
|
||||
@ -69,21 +65,21 @@
|
||||
[0;36m# algorithm recommendations (for Dropbear SSH 2019.78)[0m
|
||||
[0;31m(rec) -3des-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -3des-ctr -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes128-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes256-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1-96 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-dss -- key algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m
|
||||
[0;32m(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append [0m
|
||||
[0;32m(rec) +twofish128-ctr -- enc algorithm to append [0m
|
||||
[0;32m(rec) +twofish256-ctr -- enc algorithm to append [0m
|
||||
[0;33m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -aes128-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -aes256-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha2-256 -- mac algorithm to remove [0m
|
||||
|
||||
[0;36m# additional info[0m
|
||||
|
@ -32,92 +32,73 @@
|
||||
|
||||
[0;36m# key exchange algorithms[0m
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
[0;33m(kex) diffie-hellman-group14-sha1 -- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
|
||||
[0;31m(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus[0m
|
||||
[0;31m `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;31m `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
[0;31m `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m
|
||||
[0;31m `- [fail] using broken SHA-1 hash algorithm[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
|
||||
|
||||
[0;36m# host-key algorithms[0m
|
||||
[0;31m(key) ssh-rsa (1024-bit) -- [fail] using weak hashing algorithm[0m
|
||||
[0;31m(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;31m `- [fail] using small 1024-bit modulus[0m
|
||||
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
|
||||
`- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
|
||||
[0;31m(key) ssh-dss -- [fail] using small 1024-bit modulus[0m
|
||||
[0;31m `- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm[0m
|
||||
[0;33m `- [warn] using weak random number generator could reveal the key[0m
|
||||
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
|
||||
`- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
|
||||
|
||||
[0;36m# encryption algorithms (ciphers)[0m
|
||||
[0;31m(enc) aes128-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes128-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
[0;31m(enc) 3des-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.4, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
|
||||
[0;31m(enc) blowfish-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;31m `- [fail] disabled since Dropbear SSH 0.53[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
|
||||
[0;31m(enc) cast128-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 2.1.0
|
||||
[0;31m(enc) arcfour -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) arcfour -- [fail] using broken RC4 cipher[0m
|
||||
`- [info] available since OpenSSH 2.1.0
|
||||
[0;31m(enc) aes192-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes192-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
[0;31m(enc) aes256-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes256-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
|
||||
[0;31m(enc) rijndael-cbc@lysator.liu.se -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
`- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
|
||||
[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m
|
||||
[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
|
||||
[0;36m# message authentication code algorithms[0m
|
||||
[0;31m(mac) hmac-md5 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
|
||||
[0;33m(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
|
||||
[0;31m(mac) hmac-ripemd160 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.5.0
|
||||
[0;31m(mac) hmac-ripemd160@openssh.com -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.1.0
|
||||
[0;31m(mac) hmac-sha1-96 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
|
||||
[0;31m(mac) hmac-md5-96 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.5.0
|
||||
|
||||
[0;36m# fingerprints[0m
|
||||
@ -125,24 +106,24 @@
|
||||
|
||||
[0;36m# algorithm recommendations (for OpenSSH 4.0)[0m
|
||||
[0;31m(rec) -3des-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes128-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes192-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes256-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -arcfour -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -blowfish-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -cast128-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-md5 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-md5-96 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-ripemd160 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1-96 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-dss -- key algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -aes128-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -aes192-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -aes256-cbc -- enc algorithm to remove [0m
|
||||
|
||||
[0;36m# additional info[0m
|
||||
[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m
|
||||
|
@ -25,103 +25,80 @@
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
`- [info] available since OpenSSH 4.4
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
[0;33m(kex) diffie-hellman-group14-sha1 -- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
|
||||
[0;31m(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus[0m
|
||||
[0;31m `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;31m `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
[0;31m `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m
|
||||
[0;31m `- [fail] using broken SHA-1 hash algorithm[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
|
||||
|
||||
[0;36m# host-key algorithms[0m
|
||||
[0;31m(key) ssh-rsa (1024-bit) -- [fail] using weak hashing algorithm[0m
|
||||
[0;31m(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;31m `- [fail] using small 1024-bit modulus[0m
|
||||
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
|
||||
`- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
|
||||
[0;31m(key) ssh-dss -- [fail] using small 1024-bit modulus[0m
|
||||
[0;31m `- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm[0m
|
||||
[0;33m `- [warn] using weak random number generator could reveal the key[0m
|
||||
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
|
||||
`- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
|
||||
|
||||
[0;36m# encryption algorithms (ciphers)[0m
|
||||
[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m
|
||||
[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
[0;31m(enc) arcfour256 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) arcfour256 -- [fail] using broken RC4 cipher[0m
|
||||
`- [info] available since OpenSSH 4.2
|
||||
[0;31m(enc) arcfour128 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) arcfour128 -- [fail] using broken RC4 cipher[0m
|
||||
`- [info] available since OpenSSH 4.2
|
||||
[0;31m(enc) aes128-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes128-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
[0;31m(enc) 3des-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.4, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
|
||||
[0;31m(enc) blowfish-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;31m `- [fail] disabled since Dropbear SSH 0.53[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
|
||||
[0;31m(enc) cast128-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 2.1.0
|
||||
[0;31m(enc) aes192-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes192-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
[0;31m(enc) aes256-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes256-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
|
||||
[0;31m(enc) arcfour -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) arcfour -- [fail] using broken RC4 cipher[0m
|
||||
`- [info] available since OpenSSH 2.1.0
|
||||
[0;31m(enc) rijndael-cbc@lysator.liu.se -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
`- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
|
||||
|
||||
[0;36m# message authentication code algorithms[0m
|
||||
[0;31m(mac) hmac-md5 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
|
||||
[0;33m(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
|
||||
[0;33m(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using small 64-bit tag size[0m
|
||||
`- [info] available since OpenSSH 4.7
|
||||
[0;31m(mac) hmac-ripemd160 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.5.0
|
||||
[0;31m(mac) hmac-ripemd160@openssh.com -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.1.0
|
||||
[0;31m(mac) hmac-sha1-96 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
|
||||
[0;31m(mac) hmac-md5-96 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.5.0
|
||||
|
||||
[0;36m# fingerprints[0m
|
||||
@ -130,9 +107,6 @@
|
||||
[0;36m# algorithm recommendations (for OpenSSH 5.6)[0m
|
||||
[0;31m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) [0m
|
||||
[0;31m(rec) -3des-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes128-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes192-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes256-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -arcfour -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -arcfour128 -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -arcfour256 -- enc algorithm to remove [0m
|
||||
@ -140,16 +114,19 @@
|
||||
[0;31m(rec) -cast128-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-md5 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-md5-96 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-ripemd160 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1-96 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-dss -- key algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -aes128-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -aes192-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -aes256-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -umac-64@openssh.com -- mac algorithm to remove [0m
|
||||
|
||||
[0;36m# additional info[0m
|
||||
|
@ -25,23 +25,22 @@
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
`- [info] available since OpenSSH 4.4
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
[0;33m(kex) diffie-hellman-group14-sha1 -- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
|
||||
[0;31m(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus[0m
|
||||
[0;31m `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;31m `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
[0;31m `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m
|
||||
[0;31m `- [fail] using broken SHA-1 hash algorithm[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
|
||||
|
||||
[0;36m# host-key algorithms[0m
|
||||
[0;31m(key) ssh-rsa (1024-bit) -- [fail] using weak hashing algorithm[0m
|
||||
[0;31m(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;31m `- [fail] using small 1024-bit modulus[0m
|
||||
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
|
||||
`- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
|
||||
[0;31m(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/1024-bit CA) -- [fail] using weak hashing algorithm[0m
|
||||
[0;31m(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/1024-bit CA) -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;31m `- [fail] using small 1024-bit modulus[0m
|
||||
`- [info] available since OpenSSH 5.6
|
||||
`- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
|
||||
@ -50,78 +49,56 @@
|
||||
[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m
|
||||
[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
[0;31m(enc) arcfour256 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) arcfour256 -- [fail] using broken RC4 cipher[0m
|
||||
`- [info] available since OpenSSH 4.2
|
||||
[0;31m(enc) arcfour128 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) arcfour128 -- [fail] using broken RC4 cipher[0m
|
||||
`- [info] available since OpenSSH 4.2
|
||||
[0;31m(enc) aes128-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes128-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
[0;31m(enc) 3des-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.4, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
|
||||
[0;31m(enc) blowfish-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;31m `- [fail] disabled since Dropbear SSH 0.53[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
|
||||
[0;31m(enc) cast128-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 2.1.0
|
||||
[0;31m(enc) aes192-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes192-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
[0;31m(enc) aes256-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes256-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
|
||||
[0;31m(enc) arcfour -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) arcfour -- [fail] using broken RC4 cipher[0m
|
||||
`- [info] available since OpenSSH 2.1.0
|
||||
[0;31m(enc) rijndael-cbc@lysator.liu.se -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
`- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
|
||||
|
||||
[0;36m# message authentication code algorithms[0m
|
||||
[0;31m(mac) hmac-md5 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
|
||||
[0;33m(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
|
||||
[0;33m(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using small 64-bit tag size[0m
|
||||
`- [info] available since OpenSSH 4.7
|
||||
[0;31m(mac) hmac-ripemd160 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.5.0
|
||||
[0;31m(mac) hmac-ripemd160@openssh.com -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.1.0
|
||||
[0;31m(mac) hmac-sha1-96 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
|
||||
[0;31m(mac) hmac-md5-96 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.5.0
|
||||
|
||||
[0;36m# fingerprints[0m
|
||||
@ -130,9 +107,6 @@
|
||||
[0;36m# algorithm recommendations (for OpenSSH 5.6)[0m
|
||||
[0;31m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) [0m
|
||||
[0;31m(rec) -3des-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes128-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes192-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes256-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -arcfour -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -arcfour128 -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -arcfour256 -- enc algorithm to remove [0m
|
||||
@ -140,16 +114,19 @@
|
||||
[0;31m(rec) -cast128-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-md5 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-md5-96 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-ripemd160 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1-96 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -aes128-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -aes192-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -aes256-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -umac-64@openssh.com -- mac algorithm to remove [0m
|
||||
|
||||
[0;36m# additional info[0m
|
||||
|
@ -25,23 +25,22 @@
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
`- [info] available since OpenSSH 4.4
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
[0;33m(kex) diffie-hellman-group14-sha1 -- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
|
||||
[0;31m(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus[0m
|
||||
[0;31m `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;31m `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
[0;31m `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m
|
||||
[0;31m `- [fail] using broken SHA-1 hash algorithm[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
|
||||
|
||||
[0;36m# host-key algorithms[0m
|
||||
[0;31m(key) ssh-rsa (1024-bit) -- [fail] using weak hashing algorithm[0m
|
||||
[0;31m(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;31m `- [fail] using small 1024-bit modulus[0m
|
||||
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
|
||||
`- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
|
||||
[0;31m(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/3072-bit CA) -- [fail] using weak hashing algorithm[0m
|
||||
[0;31m(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/3072-bit CA) -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;31m `- [fail] using small 1024-bit modulus[0m
|
||||
`- [info] available since OpenSSH 5.6
|
||||
`- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
|
||||
@ -50,78 +49,56 @@
|
||||
[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m
|
||||
[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
[0;31m(enc) arcfour256 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) arcfour256 -- [fail] using broken RC4 cipher[0m
|
||||
`- [info] available since OpenSSH 4.2
|
||||
[0;31m(enc) arcfour128 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) arcfour128 -- [fail] using broken RC4 cipher[0m
|
||||
`- [info] available since OpenSSH 4.2
|
||||
[0;31m(enc) aes128-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes128-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
[0;31m(enc) 3des-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.4, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
|
||||
[0;31m(enc) blowfish-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;31m `- [fail] disabled since Dropbear SSH 0.53[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
|
||||
[0;31m(enc) cast128-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 2.1.0
|
||||
[0;31m(enc) aes192-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes192-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
[0;31m(enc) aes256-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes256-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
|
||||
[0;31m(enc) arcfour -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) arcfour -- [fail] using broken RC4 cipher[0m
|
||||
`- [info] available since OpenSSH 2.1.0
|
||||
[0;31m(enc) rijndael-cbc@lysator.liu.se -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
`- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
|
||||
|
||||
[0;36m# message authentication code algorithms[0m
|
||||
[0;31m(mac) hmac-md5 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
|
||||
[0;33m(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
|
||||
[0;33m(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using small 64-bit tag size[0m
|
||||
`- [info] available since OpenSSH 4.7
|
||||
[0;31m(mac) hmac-ripemd160 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.5.0
|
||||
[0;31m(mac) hmac-ripemd160@openssh.com -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.1.0
|
||||
[0;31m(mac) hmac-sha1-96 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
|
||||
[0;31m(mac) hmac-md5-96 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.5.0
|
||||
|
||||
[0;36m# fingerprints[0m
|
||||
@ -130,9 +107,6 @@
|
||||
[0;36m# algorithm recommendations (for OpenSSH 5.6)[0m
|
||||
[0;31m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) [0m
|
||||
[0;31m(rec) -3des-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes128-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes192-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes256-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -arcfour -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -arcfour128 -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -arcfour256 -- enc algorithm to remove [0m
|
||||
@ -140,16 +114,19 @@
|
||||
[0;31m(rec) -cast128-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-md5 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-md5-96 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-ripemd160 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1-96 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -aes128-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -aes192-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -aes256-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -umac-64@openssh.com -- mac algorithm to remove [0m
|
||||
|
||||
[0;36m# additional info[0m
|
||||
|
@ -25,22 +25,21 @@
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
`- [info] available since OpenSSH 4.4
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
[0;33m(kex) diffie-hellman-group14-sha1 -- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
|
||||
[0;31m(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus[0m
|
||||
[0;31m `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;31m `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
[0;31m `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m
|
||||
[0;31m `- [fail] using broken SHA-1 hash algorithm[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
|
||||
|
||||
[0;36m# host-key algorithms[0m
|
||||
[0;31m(key) ssh-rsa (3072-bit) -- [fail] using weak hashing algorithm[0m
|
||||
[0;31m(key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
|
||||
`- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
|
||||
[0;31m(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/1024-bit CA) -- [fail] using weak hashing algorithm[0m
|
||||
[0;31m(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/1024-bit CA) -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;31m `- [fail] using small 1024-bit modulus[0m
|
||||
`- [info] available since OpenSSH 5.6
|
||||
`- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
|
||||
@ -49,78 +48,56 @@
|
||||
[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m
|
||||
[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
[0;31m(enc) arcfour256 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) arcfour256 -- [fail] using broken RC4 cipher[0m
|
||||
`- [info] available since OpenSSH 4.2
|
||||
[0;31m(enc) arcfour128 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) arcfour128 -- [fail] using broken RC4 cipher[0m
|
||||
`- [info] available since OpenSSH 4.2
|
||||
[0;31m(enc) aes128-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes128-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
[0;31m(enc) 3des-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.4, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
|
||||
[0;31m(enc) blowfish-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;31m `- [fail] disabled since Dropbear SSH 0.53[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
|
||||
[0;31m(enc) cast128-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 2.1.0
|
||||
[0;31m(enc) aes192-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes192-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
[0;31m(enc) aes256-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes256-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
|
||||
[0;31m(enc) arcfour -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) arcfour -- [fail] using broken RC4 cipher[0m
|
||||
`- [info] available since OpenSSH 2.1.0
|
||||
[0;31m(enc) rijndael-cbc@lysator.liu.se -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
`- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
|
||||
|
||||
[0;36m# message authentication code algorithms[0m
|
||||
[0;31m(mac) hmac-md5 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
|
||||
[0;33m(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
|
||||
[0;33m(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using small 64-bit tag size[0m
|
||||
`- [info] available since OpenSSH 4.7
|
||||
[0;31m(mac) hmac-ripemd160 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.5.0
|
||||
[0;31m(mac) hmac-ripemd160@openssh.com -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.1.0
|
||||
[0;31m(mac) hmac-sha1-96 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
|
||||
[0;31m(mac) hmac-md5-96 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.5.0
|
||||
|
||||
[0;36m# fingerprints[0m
|
||||
@ -129,9 +106,6 @@
|
||||
[0;36m# algorithm recommendations (for OpenSSH 5.6)[0m
|
||||
[0;31m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) [0m
|
||||
[0;31m(rec) -3des-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes128-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes192-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes256-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -arcfour -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -arcfour128 -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -arcfour256 -- enc algorithm to remove [0m
|
||||
@ -139,16 +113,19 @@
|
||||
[0;31m(rec) -cast128-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-md5 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-md5-96 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-ripemd160 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1-96 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -aes128-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -aes192-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -aes256-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -umac-64@openssh.com -- mac algorithm to remove [0m
|
||||
|
||||
[0;36m# additional info[0m
|
||||
|
@ -25,22 +25,21 @@
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
`- [info] available since OpenSSH 4.4
|
||||
[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
[0;33m(kex) diffie-hellman-group14-sha1 -- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
|
||||
[0;31m(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus[0m
|
||||
[0;31m `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;31m `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
[0;31m `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m
|
||||
[0;31m `- [fail] using broken SHA-1 hash algorithm[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
|
||||
|
||||
[0;36m# host-key algorithms[0m
|
||||
[0;31m(key) ssh-rsa (3072-bit) -- [fail] using weak hashing algorithm[0m
|
||||
[0;31m(key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
|
||||
`- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
|
||||
[0;31m(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/3072-bit CA) -- [fail] using weak hashing algorithm[0m
|
||||
[0;31m(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/3072-bit CA) -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
`- [info] available since OpenSSH 5.6
|
||||
`- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
|
||||
|
||||
@ -48,78 +47,56 @@
|
||||
[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m
|
||||
[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
[0;31m(enc) arcfour256 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) arcfour256 -- [fail] using broken RC4 cipher[0m
|
||||
`- [info] available since OpenSSH 4.2
|
||||
[0;31m(enc) arcfour128 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) arcfour128 -- [fail] using broken RC4 cipher[0m
|
||||
`- [info] available since OpenSSH 4.2
|
||||
[0;31m(enc) aes128-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes128-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
|
||||
[0;31m(enc) 3des-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.4, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
|
||||
[0;31m(enc) blowfish-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;31m `- [fail] disabled since Dropbear SSH 0.53[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
|
||||
[0;31m(enc) cast128-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m `- [warn] using small 64-bit block size[0m
|
||||
`- [info] available since OpenSSH 2.1.0
|
||||
[0;31m(enc) aes192-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes192-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
[0;31m(enc) aes256-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
[0;33m(enc) aes256-cbc -- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
|
||||
[0;31m(enc) arcfour -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;33m `- [warn] using weak cipher[0m
|
||||
[0;31m(enc) arcfour -- [fail] using broken RC4 cipher[0m
|
||||
`- [info] available since OpenSSH 2.1.0
|
||||
[0;31m(enc) rijndael-cbc@lysator.liu.se -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher[0m
|
||||
[0;33m `- [warn] using weak cipher mode[0m
|
||||
`- [info] available since OpenSSH 2.3.0
|
||||
`- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
|
||||
|
||||
[0;36m# message authentication code algorithms[0m
|
||||
[0;31m(mac) hmac-md5 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
|
||||
[0;33m(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
|
||||
[0;33m(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using small 64-bit tag size[0m
|
||||
`- [info] available since OpenSSH 4.7
|
||||
[0;31m(mac) hmac-ripemd160 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.5.0
|
||||
[0;31m(mac) hmac-ripemd160@openssh.com -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.1.0
|
||||
[0;31m(mac) hmac-sha1-96 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
|
||||
[0;31m(mac) hmac-md5-96 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
|
||||
[0;33m `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm[0m
|
||||
[0;31m(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
`- [info] available since OpenSSH 2.5.0
|
||||
|
||||
[0;36m# fingerprints[0m
|
||||
@ -128,9 +105,6 @@
|
||||
[0;36m# algorithm recommendations (for OpenSSH 5.6)[0m
|
||||
[0;31m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) [0m
|
||||
[0;31m(rec) -3des-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes128-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes192-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -aes256-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -arcfour -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -arcfour128 -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -arcfour256 -- enc algorithm to remove [0m
|
||||
@ -138,16 +112,19 @@
|
||||
[0;31m(rec) -cast128-cbc -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-md5 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-md5-96 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-ripemd160 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1-96 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -aes128-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -aes192-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -aes256-cbc -- enc algorithm to remove [0m
|
||||
[0;33m(rec) -umac-64@openssh.com -- mac algorithm to remove [0m
|
||||
|
||||
[0;36m# additional info[0m
|
||||
|
@ -12,12 +12,14 @@
|
||||
|
||||
[0;36m# key exchange algorithms[0m
|
||||
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62[0m
|
||||
[0;31m(kex) ecdh-sha2-nistp256 -- [fail] using weak elliptic curves[0m
|
||||
`- [info] default key exchange since OpenSSH 6.4
|
||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
||||
`- [info] default key exchange since OpenSSH 6.4
|
||||
[0;31m(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using weak elliptic curves[0m
|
||||
[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;31m(kex) ecdh-sha2-nistp521 -- [fail] using weak elliptic curves[0m
|
||||
[0;31m(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;33m(kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
`- [info] available since OpenSSH 4.4
|
||||
@ -26,24 +28,24 @@
|
||||
[0;32m(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3[0m
|
||||
[0;33m(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
|
||||
[0;33m(kex) diffie-hellman-group14-sha1 -- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
|
||||
|
||||
[0;36m# host-key algorithms[0m
|
||||
[0;32m(key) rsa-sha2-512 (3072-bit) -- [info] available since OpenSSH 7.2[0m
|
||||
[0;32m(key) rsa-sha2-256 (3072-bit) -- [info] available since OpenSSH 7.2[0m
|
||||
[0;31m(key) ssh-rsa (3072-bit) -- [fail] using weak hashing algorithm[0m
|
||||
[0;31m(key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
|
||||
`- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
|
||||
[0;31m(key) ecdsa-sha2-nistp256 -- [fail] using weak elliptic curves[0m
|
||||
[0;31m(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
[0;33m `- [warn] using weak random number generator could reveal the key[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;32m(key) ssh-ed25519 -- [info] available since OpenSSH 6.5[0m
|
||||
|
||||
[0;36m# encryption algorithms (ciphers)[0m
|
||||
[0;32m(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5[0m
|
||||
`- [info] default cipher since OpenSSH 6.9.
|
||||
`- [info] default cipher since OpenSSH 6.9
|
||||
[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m
|
||||
[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
@ -56,7 +58,7 @@
|
||||
[0;32m(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2[0m
|
||||
[0;32m(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2[0m
|
||||
[0;32m(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2[0m
|
||||
[0;33m(mac) hmac-sha1-etm@openssh.com -- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(mac) hmac-sha1-etm@openssh.com -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
`- [info] available since OpenSSH 6.2
|
||||
[0;33m(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using small 64-bit tag size[0m
|
||||
@ -67,8 +69,8 @@
|
||||
`- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
|
||||
[0;33m(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
|
||||
[0;33m(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
|
||||
|
||||
[0;36m# fingerprints[0m
|
||||
@ -76,15 +78,15 @@
|
||||
[0;32m(fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244[0m
|
||||
|
||||
[0;36m# algorithm recommendations (for OpenSSH 8.0)[0m
|
||||
[0;31m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha2-256 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha2-512 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -umac-128@openssh.com -- mac algorithm to remove [0m
|
||||
|
@ -12,12 +12,14 @@
|
||||
|
||||
[0;36m# key exchange algorithms[0m
|
||||
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62[0m
|
||||
[0;31m(kex) ecdh-sha2-nistp256 -- [fail] using weak elliptic curves[0m
|
||||
`- [info] default key exchange since OpenSSH 6.4
|
||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
||||
`- [info] default key exchange since OpenSSH 6.4
|
||||
[0;31m(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using weak elliptic curves[0m
|
||||
[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;31m(kex) ecdh-sha2-nistp521 -- [fail] using weak elliptic curves[0m
|
||||
[0;31m(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||
[0;33m(kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
`- [info] available since OpenSSH 4.4
|
||||
@ -26,7 +28,7 @@
|
||||
[0;32m(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3[0m
|
||||
[0;33m(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
|
||||
[0;33m(kex) diffie-hellman-group14-sha1 -- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
|
||||
|
||||
@ -36,7 +38,7 @@
|
||||
|
||||
[0;36m# encryption algorithms (ciphers)[0m
|
||||
[0;32m(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5[0m
|
||||
`- [info] default cipher since OpenSSH 6.9.
|
||||
`- [info] default cipher since OpenSSH 6.9
|
||||
[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m
|
||||
[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
@ -49,7 +51,7 @@
|
||||
[0;32m(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2[0m
|
||||
[0;32m(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2[0m
|
||||
[0;32m(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2[0m
|
||||
[0;33m(mac) hmac-sha1-etm@openssh.com -- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(mac) hmac-sha1-etm@openssh.com -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
`- [info] available since OpenSSH 6.2
|
||||
[0;33m(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using small 64-bit tag size[0m
|
||||
@ -60,23 +62,23 @@
|
||||
`- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
|
||||
[0;33m(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
|
||||
[0;33m(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode[0m
|
||||
[0;33m `- [warn] using weak hashing algorithm[0m
|
||||
[0;31m(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm[0m
|
||||
[0;33m `- [warn] using encrypt-and-MAC mode[0m
|
||||
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
|
||||
|
||||
[0;36m# fingerprints[0m
|
||||
[0;32m(fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU[0m
|
||||
|
||||
[0;36m# algorithm recommendations (for OpenSSH 8.0)[0m
|
||||
[0;31m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;31m(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove [0m
|
||||
[0;32m(rec) +rsa-sha2-256 -- key algorithm to append [0m
|
||||
[0;32m(rec) +rsa-sha2-512 -- key algorithm to append [0m
|
||||
[0;33m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha1 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha2-256 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -hmac-sha2-512 -- mac algorithm to remove [0m
|
||||
[0;33m(rec) -umac-128@openssh.com -- mac algorithm to remove [0m
|
||||
|
@ -12,7 +12,9 @@
|
||||
|
||||
[0;36m# key exchange algorithms[0m
|
||||
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62[0m
|
||||
`- [info] default key exchange since OpenSSH 6.4
|
||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
||||
`- [info] default key exchange since OpenSSH 6.4
|
||||
[0;33m(kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
|
||||
`- [info] available since OpenSSH 4.4
|
||||
`- [info] A bug in OpenSSH causes it to fall back to a 2048-bit modulus regardless of server configuration (https://bugzilla.mindrot.org/show_bug.cgi?id=2793)
|
||||
@ -22,7 +24,7 @@
|
||||
|
||||
[0;36m# encryption algorithms (ciphers)[0m
|
||||
[0;32m(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5[0m
|
||||
`- [info] default cipher since OpenSSH 6.9.
|
||||
`- [info] default cipher since OpenSSH 6.9
|
||||
[0;32m(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2[0m
|
||||
[0;32m(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2[0m
|
||||
[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
|
||||
|
@ -5,16 +5,19 @@
|
||||
|
||||
[0;36m# key exchange algorithms[0m
|
||||
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62[0m
|
||||
`- [info] default key exchange since OpenSSH 6.4
|
||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
||||
`- [info] default key exchange since OpenSSH 6.4
|
||||
[0;33m(kex) sntrup4591761x25519-sha512@tinyssh.org -- [warn] using experimental algorithm[0m
|
||||
`- [info] available since OpenSSH 8.0
|
||||
`- [info] the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security
|
||||
|
||||
[0;36m# host-key algorithms[0m
|
||||
[0;32m(key) ssh-ed25519 -- [info] available since OpenSSH 6.5[0m
|
||||
|
||||
[0;36m# encryption algorithms (ciphers)[0m
|
||||
[0;32m(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5[0m
|
||||
`- [info] default cipher since OpenSSH 6.9.
|
||||
`- [info] default cipher since OpenSSH 6.9
|
||||
|
||||
[0;36m# message authentication code algorithms[0m
|
||||
[0;33m(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode[0m
|
||||
|
@ -164,7 +164,7 @@ class TestSSH2:
|
||||
self.audit(out, self._conf())
|
||||
out.write()
|
||||
lines = output_spy.flush()
|
||||
assert len(lines) == 73
|
||||
assert len(lines) == 70
|
||||
|
||||
def test_ssh2_server_invalid_first_packet(self, output_spy, virtual_socket):
|
||||
vsocket = virtual_socket
|
||||
|
35
test/test_ssh2_kexdb.py
Normal file
35
test/test_ssh2_kexdb.py
Normal file
@ -0,0 +1,35 @@
|
||||
import pytest
|
||||
|
||||
from ssh_audit.ssh2_kexdb import SSH2_KexDB
|
||||
|
||||
|
||||
class Test_SSH2_KexDB:
|
||||
|
||||
@pytest.fixture(autouse=True)
|
||||
def init(self):
|
||||
self.db = SSH2_KexDB.ALGORITHMS
|
||||
|
||||
def test_ssh2_kexdb(self):
|
||||
'''Ensures that the SSH2_KexDB.ALGORITHMS dictionary is in the right format.'''
|
||||
|
||||
db_keys = list(self.db.keys())
|
||||
db_keys.sort()
|
||||
|
||||
# Ensure only these keys exist in the database.
|
||||
assert db_keys == ['enc', 'kex', 'key', 'mac']
|
||||
|
||||
# For 'enc', 'kex', etc...
|
||||
for alg_type in self.db:
|
||||
|
||||
# Iterate over algorithms within this type (i.e.: all 'enc' algorithms, all 'kex' algorithms, etc).
|
||||
for alg_name in self.db[alg_type]:
|
||||
|
||||
# Get the list of failures, warnings, etc., for this algorithm.
|
||||
alg_data = self.db[alg_type][alg_name]
|
||||
|
||||
# This list must be between 1 and 4 entries long.
|
||||
assert 1 <= len(alg_data) <= 4
|
||||
|
||||
# The first entry denotes the versions when this algorithm was added to OpenSSH, Dropbear, and/or libssh, followed by when it was deprecated, and finally when it was removed. Hence it must have between 0 and 3 entries.
|
||||
added_entry = alg_data[0]
|
||||
assert 0 <= len(added_entry) <= 3
|
Reference in New Issue
Block a user