From edc363db609cab0ae76f5f661c9956dfcab003c2 Mon Sep 17 00:00:00 2001
From: Joe Testa <jtesta@positronsecurity.com>
Date: Sun, 31 May 2020 11:42:06 -0400
Subject: [PATCH] Suppress recommendation of token host key types.

---
 README.md    | 1 +
 ssh-audit.py | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index fd269ef..f895559 100644
--- a/README.md
+++ b/README.md
@@ -70,6 +70,7 @@ $ snap install ssh-audit
 
 ## ChangeLog
 ### v2.2.1-dev (???)
+ - Suppress recommendation of token host key types.
  - Added 1 new host key types: `ssh-rsa1`.
  - Added 1 new ciphers: `blowfish`, `AEAD_AES_128_GCM`, `AEAD_AES_256_GCM`.
  - Added 2 new MACs: `chacha20-poly1305@openssh.com`, `hmac-sha3-224`.
diff --git a/ssh-audit.py b/ssh-audit.py
index 7aef36b..75f77e9 100755
--- a/ssh-audit.py
+++ b/ssh-audit.py
@@ -1837,7 +1837,8 @@ class SSH(object):  # pylint: disable=too-few-public-methods
 							if fc > 0:
 								faults += pow(10, 2 - i) * fc
 						if n not in alg_list:
-							if faults > 0 or (alg_type == 'key' and '-cert-' in n) or empty_version:
+							# Don't recommend certificate or token types; these will only appear in the server's list if they are fully configured & functional on the server.
+							if faults > 0 or (alg_type == 'key' and (('-cert-' in n) or (n.startswith('sk-')))) or empty_version:
 								continue
 							rec[sshv][alg_type]['add'][n] = 0
 						else: