From dc083de87e0ad20af154c8573e17675ca63af13b Mon Sep 17 00:00:00 2001 From: Joe Testa Date: Fri, 24 Mar 2023 18:48:36 -0400 Subject: [PATCH] Added recommendations and CVE information to JSON output (#122). --- docker_test.sh | 6 +- src/ssh_audit/ssh_audit.py | 117 ++++++-- .../dropbear_2019.78_test1.json | 185 +++++++++++- .../expected_results/openssh_4.0p1_test1.json | 279 +++++++++++++++++- .../openssh_5.6p1_custom_policy_test1.json | 7 +- .../openssh_5.6p1_custom_policy_test10.json | 32 +- .../openssh_5.6p1_custom_policy_test2.json | 24 +- .../openssh_5.6p1_custom_policy_test3.json | 23 +- .../openssh_5.6p1_custom_policy_test4.json | 33 ++- .../openssh_5.6p1_custom_policy_test5.json | 32 +- .../openssh_5.6p1_custom_policy_test7.json | 7 +- .../openssh_5.6p1_custom_policy_test8.json | 20 +- .../openssh_5.6p1_custom_policy_test9.json | 20 +- .../expected_results/openssh_5.6p1_test1.json | 273 ++++++++++++++++- .../expected_results/openssh_5.6p1_test2.json | 275 ++++++++++++++++- .../expected_results/openssh_5.6p1_test3.json | 275 ++++++++++++++++- .../expected_results/openssh_5.6p1_test4.json | 275 ++++++++++++++++- .../expected_results/openssh_5.6p1_test5.json | 275 ++++++++++++++++- .../openssh_8.0p1_builtin_policy_test1.json | 7 +- .../openssh_8.0p1_builtin_policy_test2.json | 31 +- .../openssh_8.0p1_custom_policy_test11.json | 7 +- .../openssh_8.0p1_custom_policy_test12.json | 44 ++- .../openssh_8.0p1_custom_policy_test13.json | 7 +- .../openssh_8.0p1_custom_policy_test14.json | 20 +- .../openssh_8.0p1_custom_policy_test6.json | 7 +- .../expected_results/openssh_8.0p1_test1.json | 210 ++++++++++++- .../expected_results/openssh_8.0p1_test2.json | 192 +++++++++++- .../expected_results/openssh_8.0p1_test3.json | 107 ++++++- .../tinyssh_20190101_test1.json | 52 +++- test/test_build_struct.py | 2 +- 30 files changed, 2784 insertions(+), 60 deletions(-) diff --git a/docker_test.sh b/docker_test.sh index e2de550..b619368 100755 --- a/docker_test.sh +++ b/docker_test.sh @@ -472,7 +472,7 @@ run_test() { exit 1 fi - ./ssh-audit.py -j localhost:2222 > "$test_result_json" + ./ssh-audit.py -jj localhost:2222 > "$test_result_json" actual_retval=$? if [[ $actual_retval != "$expected_retval" ]]; then echo -e "${REDB}Unexpected return value. Expected: ${expected_retval}; Actual: ${actual_retval}${CLR}" @@ -616,8 +616,8 @@ run_policy_test() { exit 1 fi - #echo "Running: ./ssh-audit.py -P \"${policy_path}\" -j localhost:2222 > ${test_result_json}" - ./ssh-audit.py -P "${policy_path}" -j localhost:2222 > "${test_result_json}" + #echo "Running: ./ssh-audit.py -P \"${policy_path}\" -jj localhost:2222 > ${test_result_json}" + ./ssh-audit.py -P "${policy_path}" -jj localhost:2222 > "${test_result_json}" actual_exit_code=$? if [[ ${actual_exit_code} != "${expected_exit_code}" ]]; then echo -e "${test_name} ${REDB}FAILED${CLR} (expected exit code: ${expected_exit_code}; actual exit code: ${actual_exit_code}\n" diff --git a/src/ssh_audit/ssh_audit.py b/src/ssh_audit/ssh_audit.py index d80cba1..2ebbc37 100755 --- a/src/ssh_audit/ssh_audit.py +++ b/src/ssh_audit/ssh_audit.py @@ -227,10 +227,12 @@ def output_compatibility(out: OutputBuffer, algs: Algorithms, client_audit: bool out.good('(gen) compatibility: ' + ', '.join(comp_text)) -def output_security_sub(out: OutputBuffer, sub: str, software: Optional[Software], client_audit: bool, padlen: int) -> None: +def output_security_sub(out: OutputBuffer, sub: str, software: Optional[Software], client_audit: bool, padlen: int) -> List[Dict[str, Union[str, float]]]: + ret: List[Dict[str, Union[str, float]]] = [] + secdb = VersionVulnerabilityDB.CVE if sub == 'cve' else VersionVulnerabilityDB.TXT if software is None or software.product not in secdb: - return + return ret for line in secdb[software.product]: vfrom: str = '' vtill: str = '' @@ -258,17 +260,22 @@ def output_security_sub(out: OutputBuffer, sub: str, software: Optional[Software if cvss >= 8.0: out_func = out.fail out_func('(cve) {}{} -- (CVSSv2: {}) {}'.format(name, p, cvss, descr)) + ret.append({'name': name, 'cvssv2': cvss, 'description': descr}) else: descr = line[4] out.fail('(sec) {}{} -- {}'.format(name, p, descr)) + return ret + + +def output_security(out: OutputBuffer, banner: Optional[Banner], client_audit: bool, padlen: int, is_json_output: bool) -> List[Dict[str, Union[str, float]]]: + cves = [] -def output_security(out: OutputBuffer, banner: Optional[Banner], client_audit: bool, padlen: int, is_json_output: bool) -> None: with out: if banner is not None: software = Software.parse(banner) - output_security_sub(out, 'cve', software, client_audit, padlen) - output_security_sub(out, 'txt', software, client_audit, padlen) + cves = output_security_sub(out, 'cve', software, client_audit, padlen) + _ = output_security_sub(out, 'txt', software, client_audit, padlen) if banner.protocol[0] == 1: p = '' if out.batch else ' ' * (padlen - 14) out.fail('(sec) SSH v1 enabled{} -- SSH v1 can be exploited to recover plaintext passwords'.format(p)) @@ -277,6 +284,8 @@ def output_security(out: OutputBuffer, banner: Optional[Banner], client_audit: b out.flush_section() out.sep() + return cves + def output_fingerprints(out: OutputBuffer, algs: Algorithms, is_json_output: bool) -> None: with out: @@ -349,40 +358,35 @@ def output_recommendations(out: OutputBuffer, algs: Algorithms, algorithm_recomm ret = False return ret - for_server = True with out: - software, alg_rec = algs.get_recommendations(software, for_server) - for sshv in range(2, 0, -1): - if sshv not in alg_rec: - continue - for alg_type in ['kex', 'key', 'enc', 'mac']: - if alg_type not in alg_rec[sshv]: - continue - for action in ['del', 'add', 'chg']: - if action not in alg_rec[sshv][alg_type]: - continue - for name in alg_rec[sshv][alg_type][action]: + recommendations = get_algorithm_recommendations(algs, algorithm_recommendation_suppress_list, software, for_server=True) - # If this algorithm should be suppressed, skip it. - if name in algorithm_recommendation_suppress_list: - continue + for level in recommendations: # pylint: disable=consider-using-dict-items + for action in recommendations[level]: + for alg_type in recommendations[level][action]: + for alg_name_and_notes in recommendations[level][action][alg_type]: + name = alg_name_and_notes['name'] + notes = alg_name_and_notes['notes'] p = '' if out.batch else ' ' * (padlen - len(name)) - chg_additional_info = '' + if action == 'del': an, sg, fn = 'remove', '-', out.warn ret = False - if alg_rec[sshv][alg_type][action][name] >= 10: + if level == 'critical': fn = out.fail elif action == 'add': an, sg, fn = 'append', '+', out.good elif action == 'chg': an, sg, fn = 'change', '!', out.fail ret = False - chg_additional_info = ' (increase modulus size to 3072 bits or larger)' - b = '(SSH{})'.format(sshv) if sshv == 1 else '' - fm = '(rec) {0}{1}{2}-- {3} algorithm to {4}{5} {6}' - fn(fm.format(sg, name, p, alg_type, an, chg_additional_info, b)) + + if notes != '': + notes = " (%s)" % notes + + fm = '(rec) {0}{1}{2}-- {3} algorithm to {4}{5} ' + fn(fm.format(sg, name, p, alg_type, an, notes)) + if not out.is_section_empty() and not is_json_output: if software is not None: title = '(for {})'.format(software.display(False)) @@ -491,7 +495,7 @@ def output(out: OutputBuffer, aconf: AuditConf, banner: Optional[Banner], header out.flush_section() out.sep() maxlen = algs.maxlen + 1 - output_security(out, banner, client_audit, maxlen, aconf.json) + cves = output_security(out, banner, client_audit, maxlen, aconf.json) # Filled in by output_algorithms() with unidentified algs. unknown_algorithms: List[str] = [] if pkm is not None: @@ -521,7 +525,7 @@ def output(out: OutputBuffer, aconf: AuditConf, banner: Optional[Banner], header if aconf.json: out.reset() # Build & write the JSON struct. - out.info(json.dumps(build_struct(aconf.host + ":" + str(aconf.port), banner, kex=kex, client_host=client_host), indent=4 if aconf.json_print_indent else None, sort_keys=True)) + out.info(json.dumps(build_struct(aconf.host + ":" + str(aconf.port), banner, cves, kex=kex, client_host=client_host, software=software, algorithms=algs, algorithm_recommendation_suppress_list=algorithm_recommendation_suppress_list), indent=4 if aconf.json_print_indent else None, sort_keys=True)) elif len(unknown_algorithms) > 0: # If we encountered any unknown algorithms, ask the user to report them. out.warn("\n\n!!! WARNING: unknown algorithm(s) found!: %s. Please email the full output above to the maintainer (jtesta@positronsecurity.com), or create a Github issue at .\n" % ','.join(unknown_algorithms)) @@ -571,6 +575,55 @@ def evaluate_policy(out: OutputBuffer, aconf: AuditConf, banner: Optional['Banne return passed +def get_algorithm_recommendations(algs: Optional[Algorithms], algorithm_recommendation_suppress_list: Optional[List[str]], software: Optional[Software], for_server: bool = True) -> Dict[str, Any]: + '''Returns the algorithm recommendations.''' + ret: Dict[str, Any] = {} + + if algs is None or software is None: + return ret + + software, alg_rec = algs.get_recommendations(software, for_server) + for sshv in range(2, 0, -1): + if sshv not in alg_rec: + continue + for alg_type in ['kex', 'key', 'enc', 'mac']: + if alg_type not in alg_rec[sshv]: + continue + for action in ['del', 'add', 'chg']: + if action not in alg_rec[sshv][alg_type]: + continue + + for name in alg_rec[sshv][alg_type][action]: + + # If this algorithm should be suppressed, skip it. + if algorithm_recommendation_suppress_list is not None and name in algorithm_recommendation_suppress_list: + continue + + level = 'informational' + points = alg_rec[sshv][alg_type][action][name] + if points >= 10: + level = 'critical' + elif points >= 1: + level = 'warning' + + if level not in ret: + ret[level] = {} + + if action not in ret[level]: + ret[level][action] = {} + + if alg_type not in ret[level][action]: + ret[level][action][alg_type] = [] + + notes = '' + if action == 'chg': + notes = 'increase modulus size to 3072 bits or larger' + + ret[level][action][alg_type].append({'name': name, 'notes': notes}) + + return ret + + def list_policies(out: OutputBuffer) -> None: '''Prints a list of server & client policies.''' @@ -801,7 +854,7 @@ def process_commandline(out: OutputBuffer, args: List[str], usage_cb: Callable[. return aconf -def build_struct(target_host: str, banner: Optional['Banner'], kex: Optional['SSH2_Kex'] = None, pkm: Optional['SSH1_PublicKeyMessage'] = None, client_host: Optional[str] = None) -> Any: +def build_struct(target_host: str, banner: Optional['Banner'], cves: List[Dict[str, Union[str, float]]], kex: Optional['SSH2_Kex'] = None, pkm: Optional['SSH1_PublicKeyMessage'] = None, client_host: Optional[str] = None, software: Optional[Software] = None, algorithms: Optional[Algorithms] = None, algorithm_recommendation_suppress_list: Optional[List[str]] = None) -> Any: # pylint: disable=too-many-arguments banner_str = '' banner_protocol = None @@ -907,6 +960,12 @@ def build_struct(target_host: str, banner: Optional['Banner'], kex: Optional['SS 'fp': pkm_fp, }] + # Add in the CVE information. + res['cves'] = cves + + # Add in the recommendations. + res['recommendations'] = get_algorithm_recommendations(algorithms, algorithm_recommendation_suppress_list, software, for_server=True) + return res diff --git a/test/docker/expected_results/dropbear_2019.78_test1.json b/test/docker/expected_results/dropbear_2019.78_test1.json index 56efdda..03eac07 100644 --- a/test/docker/expected_results/dropbear_2019.78_test1.json +++ b/test/docker/expected_results/dropbear_2019.78_test1.json @@ -1 +1,184 @@ -{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-dropbear_2019.78", "software": "dropbear_2019.78"}, "compression": ["zlib@openssh.com", "none"], "enc": ["aes128-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc", "3des-ctr", "3des-cbc"], "fingerprints": [{"hash": "CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM", "hash_alg": "SHA256", "hostkey": "ssh-rsa"}, {"hash": "63:7f:54:f7:0a:28:7f:75:0b:f4:07:0b:fc:66:51:a2", "hash_alg": "MD5", "hostkey": "ssh-rsa"}], "kex": [{"algorithm": "curve25519-sha256"}, {"algorithm": "curve25519-sha256@libssh.org"}, {"algorithm": "ecdh-sha2-nistp521"}, {"algorithm": "ecdh-sha2-nistp384"}, {"algorithm": "ecdh-sha2-nistp256"}, {"algorithm": "diffie-hellman-group14-sha256"}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "kexguess2@matt.ucc.asn.au"}], "key": [{"algorithm": "ecdsa-sha2-nistp256"}, {"algorithm": "ssh-rsa", "keysize": 1024}, {"algorithm": "ssh-dss"}], "mac": ["hmac-sha1-96", "hmac-sha1", "hmac-sha2-256"], "target": "localhost:2222"} +{ + "banner": { + "comments": null, + "protocol": [ + 2, + 0 + ], + "raw": "SSH-2.0-dropbear_2019.78", + "software": "dropbear_2019.78" + }, + "compression": [ + "zlib@openssh.com", + "none" + ], + "cves": [], + "enc": [ + "aes128-ctr", + "aes256-ctr", + "aes128-cbc", + "aes256-cbc", + "3des-ctr", + "3des-cbc" + ], + "fingerprints": [ + { + "hash": "CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "63:7f:54:f7:0a:28:7f:75:0b:f4:07:0b:fc:66:51:a2", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "curve25519-sha256" + }, + { + "algorithm": "curve25519-sha256@libssh.org" + }, + { + "algorithm": "ecdh-sha2-nistp521" + }, + { + "algorithm": "ecdh-sha2-nistp384" + }, + { + "algorithm": "ecdh-sha2-nistp256" + }, + { + "algorithm": "diffie-hellman-group14-sha256" + }, + { + "algorithm": "diffie-hellman-group14-sha1" + }, + { + "algorithm": "kexguess2@matt.ucc.asn.au" + } + ], + "key": [ + { + "algorithm": "ecdsa-sha2-nistp256" + }, + { + "algorithm": "ssh-rsa", + "keysize": 1024 + }, + { + "algorithm": "ssh-dss" + } + ], + "mac": [ + "hmac-sha1-96", + "hmac-sha1", + "hmac-sha2-256" + ], + "recommendations": { + "critical": { + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "3des-ctr", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp256", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp384", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp521", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-rsa", + "notes": "" + }, + { + "name": "ssh-dss", + "notes": "" + }, + { + "name": "ecdsa-sha2-nistp256", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + } + ] + } + }, + "informational": { + "add": { + "enc": [ + { + "name": "twofish128-ctr", + "notes": "" + }, + { + "name": "twofish256-ctr", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group16-sha512", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha256", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha2-256", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_4.0p1_test1.json b/test/docker/expected_results/openssh_4.0p1_test1.json index 8223bea..fa2e46d 100644 --- a/test/docker/expected_results/openssh_4.0p1_test1.json +++ b/test/docker/expected_results/openssh_4.0p1_test1.json @@ -1 +1,278 @@ -{"banner": {"comments": null, "protocol": [1, 99], "raw": "SSH-1.99-OpenSSH_4.0", "software": "OpenSSH_4.0"}, "compression": ["none", "zlib"], "enc": ["aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour", "aes192-cbc", "aes256-cbc", "rijndael-cbc@lysator.liu.se", "aes128-ctr", "aes192-ctr", "aes256-ctr"], "fingerprints": [{"hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", "hash_alg": "SHA256", "hostkey": "ssh-rsa"}, {"hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a", "hash_alg": "MD5", "hostkey": "ssh-rsa"}], "kex": [{"algorithm": "diffie-hellman-group-exchange-sha1", "keysize": 1024}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "diffie-hellman-group1-sha1"}], "key": [{"algorithm": "ssh-rsa", "keysize": 1024}, {"algorithm": "ssh-dss"}], "mac": ["hmac-md5", "hmac-sha1", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"], "target": "localhost:2222"} +{ + "banner": { + "comments": null, + "protocol": [ + 1, + 99 + ], + "raw": "SSH-1.99-OpenSSH_4.0", + "software": "OpenSSH_4.0" + }, + "compression": [ + "none", + "zlib" + ], + "cves": [ + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames due to timing discrepancies", + "name": "CVE-2018-15473" + }, + { + "cvssv2": 5.3, + "description": "readonly bypass via sftp", + "name": "CVE-2017-15906" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + }, + { + "cvssv2": 5.5, + "description": "bypass command restrictions via crafted X11 forwarding data", + "name": "CVE-2016-3115" + }, + { + "cvssv2": 7.5, + "description": "cause DoS via triggering error condition (memory corruption)", + "name": "CVE-2014-1692" + }, + { + "cvssv2": 3.5, + "description": "leak data via debug messages", + "name": "CVE-2012-0814" + }, + { + "cvssv2": 3.5, + "description": "cause DoS via large value in certain length field (memory consumption)", + "name": "CVE-2011-5000" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via large number of connections (slot exhaustion)", + "name": "CVE-2010-5107" + }, + { + "cvssv2": 4.0, + "description": "cause DoS via crafted glob expression (CPU and memory consumption)", + "name": "CVE-2010-4755" + }, + { + "cvssv2": 7.5, + "description": "bypass authentication check via crafted values", + "name": "CVE-2010-4478" + }, + { + "cvssv2": 2.6, + "description": "recover plaintext data from ciphertext", + "name": "CVE-2008-5161" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via multiple login attempts (slot exhaustion)", + "name": "CVE-2008-4109" + }, + { + "cvssv2": 6.5, + "description": "bypass command restrictions via modifying session file", + "name": "CVE-2008-1657" + }, + { + "cvssv2": 6.9, + "description": "hijack forwarded X11 connections", + "name": "CVE-2008-1483" + }, + { + "cvssv2": 7.5, + "description": "privilege escalation via causing an X client to be trusted", + "name": "CVE-2007-4752" + }, + { + "cvssv2": 5.0, + "description": "discover valid usernames through different responses", + "name": "CVE-2007-2243" + }, + { + "cvssv2": 5.0, + "description": "discover valid usernames through different responses", + "name": "CVE-2006-5052" + }, + { + "cvssv2": 9.3, + "description": "cause DoS or execute arbitrary code (double free)", + "name": "CVE-2006-5051" + }, + { + "cvssv2": 7.8, + "description": "cause DoS via crafted packet (CPU consumption)", + "name": "CVE-2006-4924" + }, + { + "cvssv2": 4.6, + "description": "execute arbitrary code", + "name": "CVE-2006-0225" + }, + { + "cvssv2": 5.0, + "description": "leak data about authentication credentials", + "name": "CVE-2005-2798" + } + ], + "enc": [ + "aes128-cbc", + "3des-cbc", + "blowfish-cbc", + "cast128-cbc", + "arcfour", + "aes192-cbc", + "aes256-cbc", + "rijndael-cbc@lysator.liu.se", + "aes128-ctr", + "aes192-ctr", + "aes256-ctr" + ], + "fingerprints": [ + { + "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "diffie-hellman-group-exchange-sha1", + "keysize": 1024 + }, + { + "algorithm": "diffie-hellman-group14-sha1" + }, + { + "algorithm": "diffie-hellman-group1-sha1" + } + ], + "key": [ + { + "algorithm": "ssh-rsa", + "keysize": 1024 + }, + { + "algorithm": "ssh-dss" + } + ], + "mac": [ + "hmac-md5", + "hmac-sha1", + "hmac-ripemd160", + "hmac-ripemd160@openssh.com", + "hmac-sha1-96", + "hmac-md5-96" + ], + "recommendations": { + "critical": { + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "blowfish-cbc", + "notes": "" + }, + { + "name": "cast128-cbc", + "notes": "" + }, + { + "name": "arcfour", + "notes": "" + }, + { + "name": "rijndael-cbc@lysator.liu.se", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group1-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha1", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-rsa", + "notes": "" + }, + { + "name": "ssh-dss", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + }, + { + "name": "hmac-md5", + "notes": "" + }, + { + "name": "hmac-md5-96", + "notes": "" + }, + { + "name": "hmac-ripemd160", + "notes": "" + }, + { + "name": "hmac-ripemd160@openssh.com", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes192-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json index 52d9e38..6480bca 100644 --- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json @@ -1 +1,6 @@ -{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test1 (version 1)"} +{ + "errors": [], + "host": "localhost", + "passed": true, + "policy": "Docker policy: test1 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json index 7bf35ae..b07940c 100644 --- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json @@ -1 +1,31 @@ -{"errors": [{"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (ssh-rsa-cert-v01@openssh.com) sizes"}, {"actual": ["1024"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes"}], "host": "localhost", "passed": false, "policy": "Docker poliicy: test10 (version 1)"} +{ + "errors": [ + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "RSA host key (ssh-rsa-cert-v01@openssh.com) sizes" + }, + { + "actual": [ + "1024" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker poliicy: test10 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json index 4d39f6a..edf4254 100644 --- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json @@ -1 +1,23 @@ -{"errors": [{"actual": ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"], "expected_optional": [""], "expected_required": ["kex_alg1", "kex_alg2"], "mismatched_field": "Key exchanges"}], "host": "localhost", "passed": false, "policy": "Docker policy: test2 (version 1)"} +{ + "errors": [ + { + "actual": [ + "diffie-hellman-group-exchange-sha256", + "diffie-hellman-group-exchange-sha1", + "diffie-hellman-group14-sha1", + "diffie-hellman-group1-sha1" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "kex_alg1", + "kex_alg2" + ], + "mismatched_field": "Key exchanges" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker policy: test2 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json index 519fc40..a98fa8d 100644 --- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json @@ -1 +1,22 @@ -{"errors": [{"actual": ["ssh-rsa", "ssh-dss"], "expected_optional": [""], "expected_required": ["ssh-rsa", "ssh-dss", "key_alg1"], "mismatched_field": "Host keys"}], "host": "localhost", "passed": false, "policy": "Docker policy: test3 (version 1)"} +{ + "errors": [ + { + "actual": [ + "ssh-rsa", + "ssh-dss" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "ssh-rsa", + "ssh-dss", + "key_alg1" + ], + "mismatched_field": "Host keys" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker policy: test3 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json index 83db23b..317f7e2 100644 --- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json @@ -1 +1,32 @@ -{"errors": [{"actual": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "expected_optional": [""], "expected_required": ["cipher_alg1", "cipher_alg2"], "mismatched_field": "Ciphers"}], "host": "localhost", "passed": false, "policy": "Docker policy: test4 (version 1)"} +{ + "errors": [ + { + "actual": [ + "aes128-ctr", + "aes192-ctr", + "aes256-ctr", + "arcfour256", + "arcfour128", + "aes128-cbc", + "3des-cbc", + "blowfish-cbc", + "cast128-cbc", + "aes192-cbc", + "aes256-cbc", + "arcfour", + "rijndael-cbc@lysator.liu.se" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "cipher_alg1", + "cipher_alg2" + ], + "mismatched_field": "Ciphers" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker policy: test4 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json index 3fbfe09..50c0b86 100644 --- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json @@ -1 +1,31 @@ -{"errors": [{"actual": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"], "expected_optional": [""], "expected_required": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac_alg1", "hmac-md5-96"], "mismatched_field": "MACs"}], "host": "localhost", "passed": false, "policy": "Docker policy: test5 (version 1)"} +{ + "errors": [ + { + "actual": [ + "hmac-md5", + "hmac-sha1", + "umac-64@openssh.com", + "hmac-ripemd160", + "hmac-ripemd160@openssh.com", + "hmac-sha1-96", + "hmac-md5-96" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "hmac-md5", + "hmac-sha1", + "umac-64@openssh.com", + "hmac-ripemd160", + "hmac-ripemd160@openssh.com", + "hmac_alg1", + "hmac-md5-96" + ], + "mismatched_field": "MACs" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker policy: test5 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json index cb4b860..dcc1d6c 100644 --- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json @@ -1 +1,6 @@ -{"errors": [], "host": "localhost", "passed": true, "policy": "Docker poliicy: test7 (version 1)"} +{ + "errors": [], + "host": "localhost", + "passed": true, + "policy": "Docker poliicy: test7 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json index a7fa650..391f224 100644 --- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json @@ -1 +1,19 @@ -{"errors": [{"actual": ["1024"], "expected_optional": [""], "expected_required": ["2048"], "mismatched_field": "RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes"}], "host": "localhost", "passed": false, "policy": "Docker poliicy: test8 (version 1)"} +{ + "errors": [ + { + "actual": [ + "1024" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "2048" + ], + "mismatched_field": "RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker poliicy: test8 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json index 6e9faec..b32dfe6 100644 --- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json @@ -1 +1,19 @@ -{"errors": [{"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (ssh-rsa-cert-v01@openssh.com) sizes"}], "host": "localhost", "passed": false, "policy": "Docker poliicy: test9 (version 1)"} +{ + "errors": [ + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "RSA host key (ssh-rsa-cert-v01@openssh.com) sizes" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker poliicy: test9 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_test1.json b/test/docker/expected_results/openssh_5.6p1_test1.json index c714a3b..65256b2 100644 --- a/test/docker/expected_results/openssh_5.6p1_test1.json +++ b/test/docker/expected_results/openssh_5.6p1_test1.json @@ -1 +1,272 @@ -{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_5.6", "software": "OpenSSH_5.6"}, "compression": ["none", "zlib@openssh.com"], "enc": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "fingerprints": [{"hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", "hash_alg": "SHA256", "hostkey": "ssh-rsa"}, {"hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a", "hash_alg": "MD5", "hostkey": "ssh-rsa"}], "kex": [{"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 1024}, {"algorithm": "diffie-hellman-group-exchange-sha1", "keysize": 1024}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "diffie-hellman-group1-sha1"}], "key": [{"algorithm": "ssh-rsa", "keysize": 1024}, {"algorithm": "ssh-dss"}], "mac": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"], "target": "localhost:2222"} +{ + "banner": { + "comments": null, + "protocol": [ + 2, + 0 + ], + "raw": "SSH-2.0-OpenSSH_5.6", + "software": "OpenSSH_5.6" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames due to timing discrepancies", + "name": "CVE-2018-15473" + }, + { + "cvssv2": 5.3, + "description": "readonly bypass via sftp", + "name": "CVE-2017-15906" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + }, + { + "cvssv2": 5.5, + "description": "bypass command restrictions via crafted X11 forwarding data", + "name": "CVE-2016-3115" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via crafted network traffic (out of bounds read)", + "name": "CVE-2016-1907" + }, + { + "cvssv2": 6.9, + "description": "privilege escalation via leveraging sshd uid", + "name": "CVE-2015-6564" + }, + { + "cvssv2": 1.9, + "description": "conduct impersonation attack", + "name": "CVE-2015-6563" + }, + { + "cvssv2": 5.8, + "description": "bypass environment restrictions via specific string before wildcard", + "name": "CVE-2014-2532" + }, + { + "cvssv2": 7.5, + "description": "cause DoS via triggering error condition (memory corruption)", + "name": "CVE-2014-1692" + }, + { + "cvssv2": 3.5, + "description": "leak data via debug messages", + "name": "CVE-2012-0814" + }, + { + "cvssv2": 3.5, + "description": "cause DoS via large value in certain length field (memory consumption)", + "name": "CVE-2011-5000" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via large number of connections (slot exhaustion)", + "name": "CVE-2010-5107" + }, + { + "cvssv2": 4.0, + "description": "cause DoS via crafted glob expression (CPU and memory consumption)", + "name": "CVE-2010-4755" + }, + { + "cvssv2": 7.5, + "description": "bypass authentication check via crafted values", + "name": "CVE-2010-4478" + } + ], + "enc": [ + "aes128-ctr", + "aes192-ctr", + "aes256-ctr", + "arcfour256", + "arcfour128", + "aes128-cbc", + "3des-cbc", + "blowfish-cbc", + "cast128-cbc", + "aes192-cbc", + "aes256-cbc", + "arcfour", + "rijndael-cbc@lysator.liu.se" + ], + "fingerprints": [ + { + "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 1024 + }, + { + "algorithm": "diffie-hellman-group-exchange-sha1", + "keysize": 1024 + }, + { + "algorithm": "diffie-hellman-group14-sha1" + }, + { + "algorithm": "diffie-hellman-group1-sha1" + } + ], + "key": [ + { + "algorithm": "ssh-rsa", + "keysize": 1024 + }, + { + "algorithm": "ssh-dss" + } + ], + "mac": [ + "hmac-md5", + "hmac-sha1", + "umac-64@openssh.com", + "hmac-ripemd160", + "hmac-ripemd160@openssh.com", + "hmac-sha1-96", + "hmac-md5-96" + ], + "recommendations": { + "critical": { + "chg": { + "kex": [ + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "increase modulus size to 3072 bits or larger" + } + ] + }, + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "blowfish-cbc", + "notes": "" + }, + { + "name": "cast128-cbc", + "notes": "" + }, + { + "name": "arcfour", + "notes": "" + }, + { + "name": "arcfour128", + "notes": "" + }, + { + "name": "arcfour256", + "notes": "" + }, + { + "name": "rijndael-cbc@lysator.liu.se", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group1-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha1", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-rsa", + "notes": "" + }, + { + "name": "ssh-dss", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + }, + { + "name": "hmac-md5", + "notes": "" + }, + { + "name": "hmac-md5-96", + "notes": "" + }, + { + "name": "hmac-ripemd160", + "notes": "" + }, + { + "name": "hmac-ripemd160@openssh.com", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes192-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ], + "mac": [ + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_5.6p1_test2.json b/test/docker/expected_results/openssh_5.6p1_test2.json index 4ae1a2c..92343bb 100644 --- a/test/docker/expected_results/openssh_5.6p1_test2.json +++ b/test/docker/expected_results/openssh_5.6p1_test2.json @@ -1 +1,274 @@ -{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_5.6", "software": "OpenSSH_5.6"}, "compression": ["none", "zlib@openssh.com"], "enc": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "fingerprints": [{"hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", "hash_alg": "SHA256", "hostkey": "ssh-rsa"}, {"hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a", "hash_alg": "MD5", "hostkey": "ssh-rsa"}], "kex": [{"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 1024}, {"algorithm": "diffie-hellman-group-exchange-sha1", "keysize": 1024}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "diffie-hellman-group1-sha1"}], "key": [{"algorithm": "ssh-rsa", "keysize": 1024}, {"algorithm": "ssh-rsa-cert-v01@openssh.com", "casize": 1024, "keysize": 1024}], "mac": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"], "target": "localhost:2222"} +{ + "banner": { + "comments": null, + "protocol": [ + 2, + 0 + ], + "raw": "SSH-2.0-OpenSSH_5.6", + "software": "OpenSSH_5.6" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames due to timing discrepancies", + "name": "CVE-2018-15473" + }, + { + "cvssv2": 5.3, + "description": "readonly bypass via sftp", + "name": "CVE-2017-15906" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + }, + { + "cvssv2": 5.5, + "description": "bypass command restrictions via crafted X11 forwarding data", + "name": "CVE-2016-3115" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via crafted network traffic (out of bounds read)", + "name": "CVE-2016-1907" + }, + { + "cvssv2": 6.9, + "description": "privilege escalation via leveraging sshd uid", + "name": "CVE-2015-6564" + }, + { + "cvssv2": 1.9, + "description": "conduct impersonation attack", + "name": "CVE-2015-6563" + }, + { + "cvssv2": 5.8, + "description": "bypass environment restrictions via specific string before wildcard", + "name": "CVE-2014-2532" + }, + { + "cvssv2": 7.5, + "description": "cause DoS via triggering error condition (memory corruption)", + "name": "CVE-2014-1692" + }, + { + "cvssv2": 3.5, + "description": "leak data via debug messages", + "name": "CVE-2012-0814" + }, + { + "cvssv2": 3.5, + "description": "cause DoS via large value in certain length field (memory consumption)", + "name": "CVE-2011-5000" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via large number of connections (slot exhaustion)", + "name": "CVE-2010-5107" + }, + { + "cvssv2": 4.0, + "description": "cause DoS via crafted glob expression (CPU and memory consumption)", + "name": "CVE-2010-4755" + }, + { + "cvssv2": 7.5, + "description": "bypass authentication check via crafted values", + "name": "CVE-2010-4478" + } + ], + "enc": [ + "aes128-ctr", + "aes192-ctr", + "aes256-ctr", + "arcfour256", + "arcfour128", + "aes128-cbc", + "3des-cbc", + "blowfish-cbc", + "cast128-cbc", + "aes192-cbc", + "aes256-cbc", + "arcfour", + "rijndael-cbc@lysator.liu.se" + ], + "fingerprints": [ + { + "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 1024 + }, + { + "algorithm": "diffie-hellman-group-exchange-sha1", + "keysize": 1024 + }, + { + "algorithm": "diffie-hellman-group14-sha1" + }, + { + "algorithm": "diffie-hellman-group1-sha1" + } + ], + "key": [ + { + "algorithm": "ssh-rsa", + "keysize": 1024 + }, + { + "algorithm": "ssh-rsa-cert-v01@openssh.com", + "casize": 1024, + "keysize": 1024 + } + ], + "mac": [ + "hmac-md5", + "hmac-sha1", + "umac-64@openssh.com", + "hmac-ripemd160", + "hmac-ripemd160@openssh.com", + "hmac-sha1-96", + "hmac-md5-96" + ], + "recommendations": { + "critical": { + "chg": { + "kex": [ + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "increase modulus size to 3072 bits or larger" + } + ] + }, + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "blowfish-cbc", + "notes": "" + }, + { + "name": "cast128-cbc", + "notes": "" + }, + { + "name": "arcfour", + "notes": "" + }, + { + "name": "arcfour128", + "notes": "" + }, + { + "name": "arcfour256", + "notes": "" + }, + { + "name": "rijndael-cbc@lysator.liu.se", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group1-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha1", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-rsa", + "notes": "" + }, + { + "name": "ssh-rsa-cert-v01@openssh.com", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + }, + { + "name": "hmac-md5", + "notes": "" + }, + { + "name": "hmac-md5-96", + "notes": "" + }, + { + "name": "hmac-ripemd160", + "notes": "" + }, + { + "name": "hmac-ripemd160@openssh.com", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes192-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ], + "mac": [ + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_5.6p1_test3.json b/test/docker/expected_results/openssh_5.6p1_test3.json index f9884d2..a2f20e9 100644 --- a/test/docker/expected_results/openssh_5.6p1_test3.json +++ b/test/docker/expected_results/openssh_5.6p1_test3.json @@ -1 +1,274 @@ -{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_5.6", "software": "OpenSSH_5.6"}, "compression": ["none", "zlib@openssh.com"], "enc": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "fingerprints": [{"hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", "hash_alg": "SHA256", "hostkey": "ssh-rsa"}, {"hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a", "hash_alg": "MD5", "hostkey": "ssh-rsa"}], "kex": [{"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 1024}, {"algorithm": "diffie-hellman-group-exchange-sha1", "keysize": 1024}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "diffie-hellman-group1-sha1"}], "key": [{"algorithm": "ssh-rsa", "keysize": 1024}, {"algorithm": "ssh-rsa-cert-v01@openssh.com", "casize": 3072, "keysize": 1024}], "mac": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"], "target": "localhost:2222"} +{ + "banner": { + "comments": null, + "protocol": [ + 2, + 0 + ], + "raw": "SSH-2.0-OpenSSH_5.6", + "software": "OpenSSH_5.6" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames due to timing discrepancies", + "name": "CVE-2018-15473" + }, + { + "cvssv2": 5.3, + "description": "readonly bypass via sftp", + "name": "CVE-2017-15906" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + }, + { + "cvssv2": 5.5, + "description": "bypass command restrictions via crafted X11 forwarding data", + "name": "CVE-2016-3115" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via crafted network traffic (out of bounds read)", + "name": "CVE-2016-1907" + }, + { + "cvssv2": 6.9, + "description": "privilege escalation via leveraging sshd uid", + "name": "CVE-2015-6564" + }, + { + "cvssv2": 1.9, + "description": "conduct impersonation attack", + "name": "CVE-2015-6563" + }, + { + "cvssv2": 5.8, + "description": "bypass environment restrictions via specific string before wildcard", + "name": "CVE-2014-2532" + }, + { + "cvssv2": 7.5, + "description": "cause DoS via triggering error condition (memory corruption)", + "name": "CVE-2014-1692" + }, + { + "cvssv2": 3.5, + "description": "leak data via debug messages", + "name": "CVE-2012-0814" + }, + { + "cvssv2": 3.5, + "description": "cause DoS via large value in certain length field (memory consumption)", + "name": "CVE-2011-5000" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via large number of connections (slot exhaustion)", + "name": "CVE-2010-5107" + }, + { + "cvssv2": 4.0, + "description": "cause DoS via crafted glob expression (CPU and memory consumption)", + "name": "CVE-2010-4755" + }, + { + "cvssv2": 7.5, + "description": "bypass authentication check via crafted values", + "name": "CVE-2010-4478" + } + ], + "enc": [ + "aes128-ctr", + "aes192-ctr", + "aes256-ctr", + "arcfour256", + "arcfour128", + "aes128-cbc", + "3des-cbc", + "blowfish-cbc", + "cast128-cbc", + "aes192-cbc", + "aes256-cbc", + "arcfour", + "rijndael-cbc@lysator.liu.se" + ], + "fingerprints": [ + { + "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 1024 + }, + { + "algorithm": "diffie-hellman-group-exchange-sha1", + "keysize": 1024 + }, + { + "algorithm": "diffie-hellman-group14-sha1" + }, + { + "algorithm": "diffie-hellman-group1-sha1" + } + ], + "key": [ + { + "algorithm": "ssh-rsa", + "keysize": 1024 + }, + { + "algorithm": "ssh-rsa-cert-v01@openssh.com", + "casize": 3072, + "keysize": 1024 + } + ], + "mac": [ + "hmac-md5", + "hmac-sha1", + "umac-64@openssh.com", + "hmac-ripemd160", + "hmac-ripemd160@openssh.com", + "hmac-sha1-96", + "hmac-md5-96" + ], + "recommendations": { + "critical": { + "chg": { + "kex": [ + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "increase modulus size to 3072 bits or larger" + } + ] + }, + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "blowfish-cbc", + "notes": "" + }, + { + "name": "cast128-cbc", + "notes": "" + }, + { + "name": "arcfour", + "notes": "" + }, + { + "name": "arcfour128", + "notes": "" + }, + { + "name": "arcfour256", + "notes": "" + }, + { + "name": "rijndael-cbc@lysator.liu.se", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group1-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha1", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-rsa", + "notes": "" + }, + { + "name": "ssh-rsa-cert-v01@openssh.com", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + }, + { + "name": "hmac-md5", + "notes": "" + }, + { + "name": "hmac-md5-96", + "notes": "" + }, + { + "name": "hmac-ripemd160", + "notes": "" + }, + { + "name": "hmac-ripemd160@openssh.com", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes192-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ], + "mac": [ + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_5.6p1_test4.json b/test/docker/expected_results/openssh_5.6p1_test4.json index 894853b..2f3efa5 100644 --- a/test/docker/expected_results/openssh_5.6p1_test4.json +++ b/test/docker/expected_results/openssh_5.6p1_test4.json @@ -1 +1,274 @@ -{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_5.6", "software": "OpenSSH_5.6"}, "compression": ["none", "zlib@openssh.com"], "enc": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "fingerprints": [{"hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244", "hash_alg": "SHA256", "hostkey": "ssh-rsa"}, {"hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1", "hash_alg": "MD5", "hostkey": "ssh-rsa"}], "kex": [{"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 1024}, {"algorithm": "diffie-hellman-group-exchange-sha1", "keysize": 1024}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "diffie-hellman-group1-sha1"}], "key": [{"algorithm": "ssh-rsa", "keysize": 3072}, {"algorithm": "ssh-rsa-cert-v01@openssh.com", "casize": 1024, "keysize": 3072}], "mac": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"], "target": "localhost:2222"} +{ + "banner": { + "comments": null, + "protocol": [ + 2, + 0 + ], + "raw": "SSH-2.0-OpenSSH_5.6", + "software": "OpenSSH_5.6" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames due to timing discrepancies", + "name": "CVE-2018-15473" + }, + { + "cvssv2": 5.3, + "description": "readonly bypass via sftp", + "name": "CVE-2017-15906" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + }, + { + "cvssv2": 5.5, + "description": "bypass command restrictions via crafted X11 forwarding data", + "name": "CVE-2016-3115" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via crafted network traffic (out of bounds read)", + "name": "CVE-2016-1907" + }, + { + "cvssv2": 6.9, + "description": "privilege escalation via leveraging sshd uid", + "name": "CVE-2015-6564" + }, + { + "cvssv2": 1.9, + "description": "conduct impersonation attack", + "name": "CVE-2015-6563" + }, + { + "cvssv2": 5.8, + "description": "bypass environment restrictions via specific string before wildcard", + "name": "CVE-2014-2532" + }, + { + "cvssv2": 7.5, + "description": "cause DoS via triggering error condition (memory corruption)", + "name": "CVE-2014-1692" + }, + { + "cvssv2": 3.5, + "description": "leak data via debug messages", + "name": "CVE-2012-0814" + }, + { + "cvssv2": 3.5, + "description": "cause DoS via large value in certain length field (memory consumption)", + "name": "CVE-2011-5000" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via large number of connections (slot exhaustion)", + "name": "CVE-2010-5107" + }, + { + "cvssv2": 4.0, + "description": "cause DoS via crafted glob expression (CPU and memory consumption)", + "name": "CVE-2010-4755" + }, + { + "cvssv2": 7.5, + "description": "bypass authentication check via crafted values", + "name": "CVE-2010-4478" + } + ], + "enc": [ + "aes128-ctr", + "aes192-ctr", + "aes256-ctr", + "arcfour256", + "arcfour128", + "aes128-cbc", + "3des-cbc", + "blowfish-cbc", + "cast128-cbc", + "aes192-cbc", + "aes256-cbc", + "arcfour", + "rijndael-cbc@lysator.liu.se" + ], + "fingerprints": [ + { + "hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 1024 + }, + { + "algorithm": "diffie-hellman-group-exchange-sha1", + "keysize": 1024 + }, + { + "algorithm": "diffie-hellman-group14-sha1" + }, + { + "algorithm": "diffie-hellman-group1-sha1" + } + ], + "key": [ + { + "algorithm": "ssh-rsa", + "keysize": 3072 + }, + { + "algorithm": "ssh-rsa-cert-v01@openssh.com", + "casize": 1024, + "keysize": 3072 + } + ], + "mac": [ + "hmac-md5", + "hmac-sha1", + "umac-64@openssh.com", + "hmac-ripemd160", + "hmac-ripemd160@openssh.com", + "hmac-sha1-96", + "hmac-md5-96" + ], + "recommendations": { + "critical": { + "chg": { + "kex": [ + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "increase modulus size to 3072 bits or larger" + } + ] + }, + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "blowfish-cbc", + "notes": "" + }, + { + "name": "cast128-cbc", + "notes": "" + }, + { + "name": "arcfour", + "notes": "" + }, + { + "name": "arcfour128", + "notes": "" + }, + { + "name": "arcfour256", + "notes": "" + }, + { + "name": "rijndael-cbc@lysator.liu.se", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group1-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha1", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-rsa", + "notes": "" + }, + { + "name": "ssh-rsa-cert-v01@openssh.com", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + }, + { + "name": "hmac-md5", + "notes": "" + }, + { + "name": "hmac-md5-96", + "notes": "" + }, + { + "name": "hmac-ripemd160", + "notes": "" + }, + { + "name": "hmac-ripemd160@openssh.com", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes192-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ], + "mac": [ + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_5.6p1_test5.json b/test/docker/expected_results/openssh_5.6p1_test5.json index 8d47a3b..2b7a242 100644 --- a/test/docker/expected_results/openssh_5.6p1_test5.json +++ b/test/docker/expected_results/openssh_5.6p1_test5.json @@ -1 +1,274 @@ -{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_5.6", "software": "OpenSSH_5.6"}, "compression": ["none", "zlib@openssh.com"], "enc": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "fingerprints": [{"hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244", "hash_alg": "SHA256", "hostkey": "ssh-rsa"}, {"hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1", "hash_alg": "MD5", "hostkey": "ssh-rsa"}], "kex": [{"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 1024}, {"algorithm": "diffie-hellman-group-exchange-sha1", "keysize": 1024}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "diffie-hellman-group1-sha1"}], "key": [{"algorithm": "ssh-rsa", "keysize": 3072}, {"algorithm": "ssh-rsa-cert-v01@openssh.com", "casize": 3072, "keysize": 3072}], "mac": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"], "target": "localhost:2222"} +{ + "banner": { + "comments": null, + "protocol": [ + 2, + 0 + ], + "raw": "SSH-2.0-OpenSSH_5.6", + "software": "OpenSSH_5.6" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames due to timing discrepancies", + "name": "CVE-2018-15473" + }, + { + "cvssv2": 5.3, + "description": "readonly bypass via sftp", + "name": "CVE-2017-15906" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + }, + { + "cvssv2": 5.5, + "description": "bypass command restrictions via crafted X11 forwarding data", + "name": "CVE-2016-3115" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via crafted network traffic (out of bounds read)", + "name": "CVE-2016-1907" + }, + { + "cvssv2": 6.9, + "description": "privilege escalation via leveraging sshd uid", + "name": "CVE-2015-6564" + }, + { + "cvssv2": 1.9, + "description": "conduct impersonation attack", + "name": "CVE-2015-6563" + }, + { + "cvssv2": 5.8, + "description": "bypass environment restrictions via specific string before wildcard", + "name": "CVE-2014-2532" + }, + { + "cvssv2": 7.5, + "description": "cause DoS via triggering error condition (memory corruption)", + "name": "CVE-2014-1692" + }, + { + "cvssv2": 3.5, + "description": "leak data via debug messages", + "name": "CVE-2012-0814" + }, + { + "cvssv2": 3.5, + "description": "cause DoS via large value in certain length field (memory consumption)", + "name": "CVE-2011-5000" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via large number of connections (slot exhaustion)", + "name": "CVE-2010-5107" + }, + { + "cvssv2": 4.0, + "description": "cause DoS via crafted glob expression (CPU and memory consumption)", + "name": "CVE-2010-4755" + }, + { + "cvssv2": 7.5, + "description": "bypass authentication check via crafted values", + "name": "CVE-2010-4478" + } + ], + "enc": [ + "aes128-ctr", + "aes192-ctr", + "aes256-ctr", + "arcfour256", + "arcfour128", + "aes128-cbc", + "3des-cbc", + "blowfish-cbc", + "cast128-cbc", + "aes192-cbc", + "aes256-cbc", + "arcfour", + "rijndael-cbc@lysator.liu.se" + ], + "fingerprints": [ + { + "hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 1024 + }, + { + "algorithm": "diffie-hellman-group-exchange-sha1", + "keysize": 1024 + }, + { + "algorithm": "diffie-hellman-group14-sha1" + }, + { + "algorithm": "diffie-hellman-group1-sha1" + } + ], + "key": [ + { + "algorithm": "ssh-rsa", + "keysize": 3072 + }, + { + "algorithm": "ssh-rsa-cert-v01@openssh.com", + "casize": 3072, + "keysize": 3072 + } + ], + "mac": [ + "hmac-md5", + "hmac-sha1", + "umac-64@openssh.com", + "hmac-ripemd160", + "hmac-ripemd160@openssh.com", + "hmac-sha1-96", + "hmac-md5-96" + ], + "recommendations": { + "critical": { + "chg": { + "kex": [ + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "increase modulus size to 3072 bits or larger" + } + ] + }, + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "blowfish-cbc", + "notes": "" + }, + { + "name": "cast128-cbc", + "notes": "" + }, + { + "name": "arcfour", + "notes": "" + }, + { + "name": "arcfour128", + "notes": "" + }, + { + "name": "arcfour256", + "notes": "" + }, + { + "name": "rijndael-cbc@lysator.liu.se", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group1-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha1", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-rsa", + "notes": "" + }, + { + "name": "ssh-rsa-cert-v01@openssh.com", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + }, + { + "name": "hmac-md5", + "notes": "" + }, + { + "name": "hmac-md5-96", + "notes": "" + }, + { + "name": "hmac-ripemd160", + "notes": "" + }, + { + "name": "hmac-ripemd160@openssh.com", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes192-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ], + "mac": [ + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json index f907cde..0c772a3 100644 --- a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json +++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json @@ -1 +1,6 @@ -{"errors": [], "host": "localhost", "passed": true, "policy": "Hardened OpenSSH Server v8.0 (version 1)"} +{ + "errors": [], + "host": "localhost", + "passed": true, + "policy": "Hardened OpenSSH Server v8.0 (version 1)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json index 49a13bc..696b454 100644 --- a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json +++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json @@ -1 +1,30 @@ -{"errors": [{"actual": ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"], "expected_optional": [""], "expected_required": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "umac-128-etm@openssh.com"], "mismatched_field": "MACs"}], "host": "localhost", "passed": false, "policy": "Hardened OpenSSH Server v8.0 (version 1)"} +{ + "errors": [ + { + "actual": [ + "umac-64-etm@openssh.com", + "umac-128-etm@openssh.com", + "hmac-sha2-256-etm@openssh.com", + "hmac-sha2-512-etm@openssh.com", + "hmac-sha1-etm@openssh.com", + "umac-64@openssh.com", + "umac-128@openssh.com", + "hmac-sha2-256", + "hmac-sha2-512", + "hmac-sha1" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "hmac-sha2-256-etm@openssh.com", + "hmac-sha2-512-etm@openssh.com", + "umac-128-etm@openssh.com" + ], + "mismatched_field": "MACs" + } + ], + "host": "localhost", + "passed": false, + "policy": "Hardened OpenSSH Server v8.0 (version 1)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json index 2e105ff..b6a8308 100644 --- a/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json @@ -1 +1,6 @@ -{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test11 (version 1)"} +{ + "errors": [], + "host": "localhost", + "passed": true, + "policy": "Docker policy: test11 (version 1)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json index 677fb96..2a21591 100644 --- a/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json @@ -1 +1,43 @@ -{"errors": [{"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (rsa-sha2-256) sizes"}, {"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (rsa-sha2-512) sizes"}, {"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (ssh-rsa) sizes"}], "host": "localhost", "passed": false, "policy": "Docker policy: test12 (version 1)"} +{ + "errors": [ + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "RSA host key (rsa-sha2-256) sizes" + }, + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "RSA host key (rsa-sha2-512) sizes" + }, + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "RSA host key (ssh-rsa) sizes" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker policy: test12 (version 1)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json index e412128..4f942bd 100644 --- a/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json @@ -1 +1,6 @@ -{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test13 (version 1)"} +{ + "errors": [], + "host": "localhost", + "passed": true, + "policy": "Docker policy: test13 (version 1)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json index e7a39f8..251f335 100644 --- a/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json @@ -1 +1,19 @@ -{"errors": [{"actual": ["2048"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes"}], "host": "localhost", "passed": false, "policy": "Docker policy: test14 (version 1)"} +{ + "errors": [ + { + "actual": [ + "2048" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker policy: test14 (version 1)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json index 04620b2..8804aae 100644 --- a/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json @@ -1 +1,6 @@ -{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test6 (version 1)"} +{ + "errors": [], + "host": "localhost", + "passed": true, + "policy": "Docker policy: test6 (version 1)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_test1.json b/test/docker/expected_results/openssh_8.0p1_test1.json index 59b9289..a87c9e2 100644 --- a/test/docker/expected_results/openssh_8.0p1_test1.json +++ b/test/docker/expected_results/openssh_8.0p1_test1.json @@ -1 +1,209 @@ -{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_8.0", "software": "OpenSSH_8.0"}, "compression": ["none", "zlib@openssh.com"], "enc": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"], "fingerprints": [{"hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", "hash_alg": "SHA256", "hostkey": "ssh-ed25519"}, {"hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9", "hash_alg": "MD5", "hostkey": "ssh-ed25519"}, {"hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244", "hash_alg": "SHA256", "hostkey": "ssh-rsa"}, {"hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1", "hash_alg": "MD5", "hostkey": "ssh-rsa"}], "kex": [{"algorithm": "curve25519-sha256"}, {"algorithm": "curve25519-sha256@libssh.org"}, {"algorithm": "ecdh-sha2-nistp256"}, {"algorithm": "ecdh-sha2-nistp384"}, {"algorithm": "ecdh-sha2-nistp521"}, {"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 2048}, {"algorithm": "diffie-hellman-group16-sha512"}, {"algorithm": "diffie-hellman-group18-sha512"}, {"algorithm": "diffie-hellman-group14-sha256"}, {"algorithm": "diffie-hellman-group14-sha1"}], "key": [{"algorithm": "rsa-sha2-512", "keysize": 3072}, {"algorithm": "rsa-sha2-256", "keysize": 3072}, {"algorithm": "ssh-rsa", "keysize": 3072}, {"algorithm": "ecdsa-sha2-nistp256"}, {"algorithm": "ssh-ed25519"}], "mac": ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"], "target": "localhost:2222"} +{ + "banner": { + "comments": null, + "protocol": [ + 2, + 0 + ], + "raw": "SSH-2.0-OpenSSH_8.0", + "software": "OpenSSH_8.0" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.0, + "description": "privilege escalation via supplemental groups", + "name": "CVE-2021-41617" + }, + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 7.8, + "description": "memory corruption and local code execution via pre-authentication integer overflow", + "name": "CVE-2019-16905" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + } + ], + "enc": [ + "chacha20-poly1305@openssh.com", + "aes128-ctr", + "aes192-ctr", + "aes256-ctr", + "aes128-gcm@openssh.com", + "aes256-gcm@openssh.com" + ], + "fingerprints": [ + { + "hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", + "hash_alg": "SHA256", + "hostkey": "ssh-ed25519" + }, + { + "hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9", + "hash_alg": "MD5", + "hostkey": "ssh-ed25519" + }, + { + "hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "curve25519-sha256" + }, + { + "algorithm": "curve25519-sha256@libssh.org" + }, + { + "algorithm": "ecdh-sha2-nistp256" + }, + { + "algorithm": "ecdh-sha2-nistp384" + }, + { + "algorithm": "ecdh-sha2-nistp521" + }, + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 2048 + }, + { + "algorithm": "diffie-hellman-group16-sha512" + }, + { + "algorithm": "diffie-hellman-group18-sha512" + }, + { + "algorithm": "diffie-hellman-group14-sha256" + }, + { + "algorithm": "diffie-hellman-group14-sha1" + } + ], + "key": [ + { + "algorithm": "rsa-sha2-512", + "keysize": 3072 + }, + { + "algorithm": "rsa-sha2-256", + "keysize": 3072 + }, + { + "algorithm": "ssh-rsa", + "keysize": 3072 + }, + { + "algorithm": "ecdsa-sha2-nistp256" + }, + { + "algorithm": "ssh-ed25519" + } + ], + "mac": [ + "umac-64-etm@openssh.com", + "umac-128-etm@openssh.com", + "hmac-sha2-256-etm@openssh.com", + "hmac-sha2-512-etm@openssh.com", + "hmac-sha1-etm@openssh.com", + "umac-64@openssh.com", + "umac-128@openssh.com", + "hmac-sha2-256", + "hmac-sha2-512", + "hmac-sha1" + ], + "recommendations": { + "critical": { + "del": { + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp256", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp384", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp521", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-rsa", + "notes": "" + }, + { + "name": "ecdsa-sha2-nistp256", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-etm@openssh.com", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "kex": [ + { + "name": "diffie-hellman-group14-sha256", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha2-256", + "notes": "" + }, + { + "name": "hmac-sha2-512", + "notes": "" + }, + { + "name": "umac-64@openssh.com", + "notes": "" + }, + { + "name": "umac-128@openssh.com", + "notes": "" + }, + { + "name": "umac-64-etm@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_8.0p1_test2.json b/test/docker/expected_results/openssh_8.0p1_test2.json index 5ec7b2c..da0541b 100644 --- a/test/docker/expected_results/openssh_8.0p1_test2.json +++ b/test/docker/expected_results/openssh_8.0p1_test2.json @@ -1 +1,191 @@ -{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_8.0", "software": "OpenSSH_8.0"}, "compression": ["none", "zlib@openssh.com"], "enc": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"], "fingerprints": [{"hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", "hash_alg": "SHA256", "hostkey": "ssh-ed25519"}, {"hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9", "hash_alg": "MD5", "hostkey": "ssh-ed25519"}], "kex": [{"algorithm": "curve25519-sha256"}, {"algorithm": "curve25519-sha256@libssh.org"}, {"algorithm": "ecdh-sha2-nistp256"}, {"algorithm": "ecdh-sha2-nistp384"}, {"algorithm": "ecdh-sha2-nistp521"}, {"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 2048}, {"algorithm": "diffie-hellman-group16-sha512"}, {"algorithm": "diffie-hellman-group18-sha512"}, {"algorithm": "diffie-hellman-group14-sha256"}, {"algorithm": "diffie-hellman-group14-sha1"}], "key": [{"algorithm": "ssh-ed25519"}, {"algorithm": "ssh-ed25519-cert-v01@openssh.com"}], "mac": ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"], "target": "localhost:2222"} +{ + "banner": { + "comments": null, + "protocol": [ + 2, + 0 + ], + "raw": "SSH-2.0-OpenSSH_8.0", + "software": "OpenSSH_8.0" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.0, + "description": "privilege escalation via supplemental groups", + "name": "CVE-2021-41617" + }, + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 7.8, + "description": "memory corruption and local code execution via pre-authentication integer overflow", + "name": "CVE-2019-16905" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + } + ], + "enc": [ + "chacha20-poly1305@openssh.com", + "aes128-ctr", + "aes192-ctr", + "aes256-ctr", + "aes128-gcm@openssh.com", + "aes256-gcm@openssh.com" + ], + "fingerprints": [ + { + "hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", + "hash_alg": "SHA256", + "hostkey": "ssh-ed25519" + }, + { + "hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9", + "hash_alg": "MD5", + "hostkey": "ssh-ed25519" + } + ], + "kex": [ + { + "algorithm": "curve25519-sha256" + }, + { + "algorithm": "curve25519-sha256@libssh.org" + }, + { + "algorithm": "ecdh-sha2-nistp256" + }, + { + "algorithm": "ecdh-sha2-nistp384" + }, + { + "algorithm": "ecdh-sha2-nistp521" + }, + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 2048 + }, + { + "algorithm": "diffie-hellman-group16-sha512" + }, + { + "algorithm": "diffie-hellman-group18-sha512" + }, + { + "algorithm": "diffie-hellman-group14-sha256" + }, + { + "algorithm": "diffie-hellman-group14-sha1" + } + ], + "key": [ + { + "algorithm": "ssh-ed25519" + }, + { + "algorithm": "ssh-ed25519-cert-v01@openssh.com" + } + ], + "mac": [ + "umac-64-etm@openssh.com", + "umac-128-etm@openssh.com", + "hmac-sha2-256-etm@openssh.com", + "hmac-sha2-512-etm@openssh.com", + "hmac-sha1-etm@openssh.com", + "umac-64@openssh.com", + "umac-128@openssh.com", + "hmac-sha2-256", + "hmac-sha2-512", + "hmac-sha1" + ], + "recommendations": { + "critical": { + "del": { + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp256", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp384", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp521", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-etm@openssh.com", + "notes": "" + } + ] + } + }, + "informational": { + "add": { + "key": [ + { + "name": "rsa-sha2-256", + "notes": "" + }, + { + "name": "rsa-sha2-512", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "kex": [ + { + "name": "diffie-hellman-group14-sha256", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha2-256", + "notes": "" + }, + { + "name": "hmac-sha2-512", + "notes": "" + }, + { + "name": "umac-64@openssh.com", + "notes": "" + }, + { + "name": "umac-128@openssh.com", + "notes": "" + }, + { + "name": "umac-64-etm@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_8.0p1_test3.json b/test/docker/expected_results/openssh_8.0p1_test3.json index 9967ed4..20079c9 100644 --- a/test/docker/expected_results/openssh_8.0p1_test3.json +++ b/test/docker/expected_results/openssh_8.0p1_test3.json @@ -1 +1,106 @@ -{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_8.0", "software": "OpenSSH_8.0"}, "compression": ["none", "zlib@openssh.com"], "enc": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"], "fingerprints": [{"hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", "hash_alg": "SHA256", "hostkey": "ssh-ed25519"}, {"hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9", "hash_alg": "MD5", "hostkey": "ssh-ed25519"}], "kex": [{"algorithm": "curve25519-sha256"}, {"algorithm": "curve25519-sha256@libssh.org"}, {"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 2048}], "key": [{"algorithm": "ssh-ed25519"}], "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "umac-128-etm@openssh.com"], "target": "localhost:2222"} +{ + "banner": { + "comments": null, + "protocol": [ + 2, + 0 + ], + "raw": "SSH-2.0-OpenSSH_8.0", + "software": "OpenSSH_8.0" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.0, + "description": "privilege escalation via supplemental groups", + "name": "CVE-2021-41617" + }, + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 7.8, + "description": "memory corruption and local code execution via pre-authentication integer overflow", + "name": "CVE-2019-16905" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + } + ], + "enc": [ + "chacha20-poly1305@openssh.com", + "aes256-gcm@openssh.com", + "aes128-gcm@openssh.com", + "aes256-ctr", + "aes192-ctr", + "aes128-ctr" + ], + "fingerprints": [ + { + "hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", + "hash_alg": "SHA256", + "hostkey": "ssh-ed25519" + }, + { + "hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9", + "hash_alg": "MD5", + "hostkey": "ssh-ed25519" + } + ], + "kex": [ + { + "algorithm": "curve25519-sha256" + }, + { + "algorithm": "curve25519-sha256@libssh.org" + }, + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 2048 + } + ], + "key": [ + { + "algorithm": "ssh-ed25519" + } + ], + "mac": [ + "hmac-sha2-256-etm@openssh.com", + "hmac-sha2-512-etm@openssh.com", + "umac-128-etm@openssh.com" + ], + "recommendations": { + "informational": { + "add": { + "kex": [ + { + "name": "diffie-hellman-group16-sha512", + "notes": "" + }, + { + "name": "diffie-hellman-group18-sha512", + "notes": "" + } + ], + "key": [ + { + "name": "rsa-sha2-256", + "notes": "" + }, + { + "name": "rsa-sha2-512", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/tinyssh_20190101_test1.json b/test/docker/expected_results/tinyssh_20190101_test1.json index 8ddf7e1..53d0521 100644 --- a/test/docker/expected_results/tinyssh_20190101_test1.json +++ b/test/docker/expected_results/tinyssh_20190101_test1.json @@ -1 +1,51 @@ -{"banner": {"comments": "", "protocol": [2, 0], "raw": "", "software": "tinyssh_noversion"}, "compression": ["none"], "enc": ["chacha20-poly1305@openssh.com"], "fingerprints": [{"hash": "89ocln1x7KNqnMgWffGoYtD70ksJ4FrH7BMJHa7SrwU", "hash_alg": "SHA256", "hostkey": "ssh-ed25519"}, {"hash": "dd:9c:6d:f9:b0:8c:af:fa:c2:65:81:5d:5d:56:f8:21", "hash_alg": "MD5", "hostkey": "ssh-ed25519"}], "kex": [{"algorithm": "curve25519-sha256"}, {"algorithm": "curve25519-sha256@libssh.org"}, {"algorithm": "sntrup4591761x25519-sha512@tinyssh.org"}], "key": [{"algorithm": "ssh-ed25519"}], "mac": ["hmac-sha2-256"], "target": "localhost:2222"} +{ + "banner": { + "comments": "", + "protocol": [ + 2, + 0 + ], + "raw": "", + "software": "tinyssh_noversion" + }, + "compression": [ + "none" + ], + "cves": [], + "enc": [ + "chacha20-poly1305@openssh.com" + ], + "fingerprints": [ + { + "hash": "89ocln1x7KNqnMgWffGoYtD70ksJ4FrH7BMJHa7SrwU", + "hash_alg": "SHA256", + "hostkey": "ssh-ed25519" + }, + { + "hash": "dd:9c:6d:f9:b0:8c:af:fa:c2:65:81:5d:5d:56:f8:21", + "hash_alg": "MD5", + "hostkey": "ssh-ed25519" + } + ], + "kex": [ + { + "algorithm": "curve25519-sha256" + }, + { + "algorithm": "curve25519-sha256@libssh.org" + }, + { + "algorithm": "sntrup4591761x25519-sha512@tinyssh.org" + } + ], + "key": [ + { + "algorithm": "ssh-ed25519" + } + ], + "mac": [ + "hmac-sha2-256" + ], + "recommendations": {}, + "target": "localhost:2222" +} diff --git a/test/test_build_struct.py b/test/test_build_struct.py index 6365019..ce00142 100644 --- a/test/test_build_struct.py +++ b/test/test_build_struct.py @@ -35,7 +35,7 @@ def test_prevent_runtime_error_regression(ssh_audit, kex): kex.set_host_key("ssh-rsa7", b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00") kex.set_host_key("ssh-rsa8", b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00") - rv = ssh_audit.build_struct('localhost', banner=None, kex=kex) + rv = ssh_audit.build_struct('localhost', None, [], kex=kex) assert len(rv["fingerprints"]) == (9 * 2) # Each host key generates two hash fingerprints: one using SHA256, and one using MD5.