From edc363db609cab0ae76f5f661c9956dfcab003c2 Mon Sep 17 00:00:00 2001
From: Joe Testa
Date: Sun, 31 May 2020 11:42:06 -0400
Subject: [PATCH] Suppress recommendation of token host key types.
---
 README.md | 1 +
 ssh-audit.py | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index fd269ef..f895559 100644
--- a/README.md
+++ b/README.md
@@ -70,6 +70,7 @@ $ snap install ssh-audit
 ## ChangeLog
 ### v2.2.1-dev (???)
+ - Suppress recommendation of token host key types.
 - Added 1 new host key types: `ssh-rsa1`.
 - Added 1 new ciphers: `blowfish`, `AEAD_AES_128_GCM`, `AEAD_AES_256_GCM`.
 - Added 2 new MACs: `chacha20-poly1305@openssh.com`, `hmac-sha3-224`.
diff --git a/ssh-audit.py b/ssh-audit.py
index 7aef36b..75f77e9 100755
--- a/ssh-audit.py
+++ b/ssh-audit.py
@@ -1837,7 +1837,8 @@ class SSH(object): # pylint: disable=too-few-public-methods
 if fc > 0:
 faults += pow(10, 2 - i) * fc
 if n not in alg_list:
- if faults > 0 or (alg_type == 'key' and '-cert-' in n) or empty_version:
+ # Don't recommend certificate or token types; these will only appear in the server's list if they are fully configured & functional on the server.
+ if faults > 0 or (alg_type == 'key' and (('-cert-' in n) or (n.startswith('sk-')))) or empty_version:
 continue
 rec[sshv][alg_type]['add'][n] = 0
 else:
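Review bot: The rewritten `if faults > 0 or (alg_type == 'key' and (('-cert-' in n) or (n.startswith('sk-')))) or empty_version:` in the ssh-audit.py hunk now folds three unrelated suppression reasons into one line, and the added comment never says what a "token" type is; the intent reads better as a named predicate, `is_cert_or_token = alg_type == 'key' and ('-cert-' in n or n.startswith('sk-'))` followed by `if faults > 0 or is_cert_or_token or empty_version:`. The comment would then state the prefix it keys on, e.g. `# Never recommend adding certificate ('-cert-') or FIDO security-key ('sk-') host key types: a server only advertises them once they are fully configured, so suggesting them is noise.`. Note that `n.startswith('sk-')` is a prefix match rather than a lookup against the known host key table, so any future type whose name happens to start with `sk-` is silently dropped from the "add" recommendations — presumably intended, but worth one sentence in the comment. The enclosing method of class SSH starts and ends outside the hunk, so whether `alg_type`, `faults` and `empty_version` are always bound before this line cannot be confirmed here.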