elie/ssh-audit
1
0
Fork 0
mirror of https://github.com/jtesta/ssh-audit.git synced 2024-06-30 11:14:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

Refined JSON notes output. Fixed Docker & Tox tests.

Browse Source
This commit is contained in:
Joe Testa 2023-09-05 16:36:54 -04:00
parent d3dd5a9cac
commit f8e29674a3
13 changed files with 2733 additions and 311 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@ -186,6 +186,7 @@ For convenience, a web front-end on top of the command-line tool is available at
- Refined GEX testing against OpenSSH servers: when the fallback mechanism is suspected of being triggered, perform an additional test to obtain more accurate results. - Refined GEX testing against OpenSSH servers: when the fallback mechanism is suspected of being triggered, perform an additional test to obtain more accurate results.
- The color of all notes will be printed in green when the related algorithm is rated good. - The color of all notes will be printed in green when the related algorithm is rated good.
- Prioritized host key certificate algorithms for Ubuntu 22.04 LTS client policy. - Prioritized host key certificate algorithms for Ubuntu 22.04 LTS client policy.
- Added failure, warning, and info notes to JSON output (note that this results in a breaking change to the banner protocol, "enc", and "mac" fields); credit [Bareq Al-Azzawi](https://github.com/BareqAZ).
- Added built-in policy for OpenSSH 9.4. - Added built-in policy for OpenSSH 9.4.
- Added 1 new key exchange: `curve448-sha512@libssh.org`. - Added 1 new key exchange: `curve448-sha512@libssh.org`.

40
src/ssh_audit/ssh_audit.py
View File

@ -901,26 +901,32 @@ def process_commandline(out: OutputBuffer, args: List[str], usage_cb: Callable[.
def build_struct(target_host: str, banner: Optional['Banner'], cves: List[Dict[str, Union[str, float]]], kex: Optional['SSH2_Kex'] = None, pkm: Optional['SSH1_PublicKeyMessage'] = None, client_host: Optional[str] = None, software: Optional[Software] = None, algorithms: Optional[Algorithms] = None, algorithm_recommendation_suppress_list: Optional[List[str]] = None) -> Any: # pylint: disable=too-many-arguments def build_struct(target_host: str, banner: Optional['Banner'], cves: List[Dict[str, Union[str, float]]], kex: Optional['SSH2_Kex'] = None, pkm: Optional['SSH1_PublicKeyMessage'] = None, client_host: Optional[str] = None, software: Optional[Software] = None, algorithms: Optional[Algorithms] = None, algorithm_recommendation_suppress_list: Optional[List[str]] = None) -> Any: # pylint: disable=too-many-arguments
def fetch_notes(algorithm, alg_type) -> dict: def fetch_notes(algorithm: str, alg_type: str) -> Dict[str, List[Optional[str]]]:
alg_db = SSH2_KexDB.ALGORITHMS '''Returns a dictionary containing the messages in the "fail", "warn", and "info" levels for this algorithm.'''
alg_db = SSH2_KexDB.get_db()
alg_info = {} alg_info = {}
if algorithm in alg_db[alg_type]: if algorithm in alg_db[alg_type]:
alg_desc = alg_db[alg_type][algorithm] alg_desc = alg_db[alg_type][algorithm]
ldesc = len(alg_desc) alg_desc_len = len(alg_desc)
for idx, level in enumerate(['fail', 'warn', 'info']):
if level == 'info': # If a list for the failure notes exists, add it to the return value. Similarly, add the related lists for the warnings and informational notes.
versions = alg_desc[0] if (alg_desc_len >= 2) and (len(alg_desc[1]) > 0):
since_text = Algorithm.get_since_text(versions) alg_info["fail"] = alg_desc[1]
if since_text is not None and len(since_text) > 0: if (alg_desc_len >= 3) and (len(alg_desc[2]) > 0):
alg_info['since'] = since_text alg_info["warn"] = alg_desc[2]
idx = idx + 1 if (alg_desc_len >= 4) and (len(alg_desc[3]) > 0):
if ldesc > idx: alg_info["info"] = alg_desc[3]
for t in alg_desc[idx]:
if t is None: # Add information about when this algorithm was implemented in OpenSSH/Dropbear.
continue since_text = Algorithm.get_since_text(alg_desc[0])
alg_info[level] = t if (since_text is not None) and (len(since_text) > 0):
# Add the "info" key with an empty list if the if-block above didn't create it already.
if "info" not in alg_info:
alg_info["info"] = []
alg_info["info"].append(since_text)
else: else:
alg_info['warn'] = 'Unknown Algorithm' alg_info["fail"] = [SSH2_KexDB.FAIL_UNKNOWN]
return alg_info return alg_info
banner_str = '' banner_str = ''
@ -989,7 +995,7 @@ def build_struct(target_host: str, banner: Optional['Banner'], cves: List[Dict[s
entry['casize'] = ca_size entry['casize'] = ca_size
res['key'].append(entry) res['key'].append(entry)
res['enc'] = [] res['enc'] = []
for algorithm in kex.server.encryption: for algorithm in kex.server.encryption:
alg_notes = fetch_notes(algorithm, 'enc') alg_notes = fetch_notes(algorithm, 'enc')
entry = { entry = {

232
test/docker/expected_results/dropbear_2019.78_test1.json
View File

@ -1,10 +1,7 @@
{ {
"banner": { "banner": {
"comments": null, "comments": null,
"protocol": [ "protocol": "2.0",
2,
0
],
"raw": "SSH-2.0-dropbear_2019.78", "raw": "SSH-2.0-dropbear_2019.78",
"software": "dropbear_2019.78" "software": "dropbear_2019.78"
}, },
@ -14,12 +11,70 @@
], ],
"cves": [], "cves": [],
"enc": [ "enc": [
"aes128-ctr", {
"aes256-ctr", "algorithm": "aes128-ctr",
"aes128-cbc", "notes": {
"aes256-cbc", "info": [
"3des-ctr", "available since OpenSSH 3.7, Dropbear SSH 0.52"
"3des-cbc" ]
}
},
{
"algorithm": "aes256-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7, Dropbear SSH 0.52"
]
}
},
{
"algorithm": "aes128-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "aes256-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0, Dropbear SSH 0.47"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "3des-ctr",
"notes": {
"fail": [
"using broken & deprecated 3DES cipher"
],
"info": [
"available since Dropbear SSH 0.52"
]
}
},
{
"algorithm": "3des-cbc",
"notes": {
"fail": [
"using broken & deprecated 3DES cipher"
],
"info": [
"available since OpenSSH 1.2.2, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
}
], ],
"fingerprints": [ "fingerprints": [
{ {
@ -35,46 +90,175 @@
], ],
"kex": [ "kex": [
{ {
"algorithm": "curve25519-sha256" "algorithm": "curve25519-sha256",
"notes": {
"info": [
"default key exchange since OpenSSH 6.4",
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
]
}
}, },
{ {
"algorithm": "curve25519-sha256@libssh.org" "algorithm": "curve25519-sha256@libssh.org",
"notes": {
"info": [
"default key exchange since OpenSSH 6.4",
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
]
}
}, },
{ {
"algorithm": "ecdh-sha2-nistp521" "algorithm": "ecdh-sha2-nistp521",
"notes": {
"fail": [
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
]
}
}, },
{ {
"algorithm": "ecdh-sha2-nistp384" "algorithm": "ecdh-sha2-nistp384",
"notes": {
"fail": [
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
]
}
}, },
{ {
"algorithm": "ecdh-sha2-nistp256" "algorithm": "ecdh-sha2-nistp256",
"notes": {
"fail": [
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group14-sha256" "algorithm": "diffie-hellman-group14-sha256",
"notes": {
"info": [
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group14-sha1" "algorithm": "diffie-hellman-group14-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
]
}
}, },
{ {
"algorithm": "kexguess2@matt.ucc.asn.au" "algorithm": "kexguess2@matt.ucc.asn.au",
"notes": {
"info": [
"available since Dropbear SSH 2013.57"
]
}
} }
], ],
"key": [ "key": [
{ {
"algorithm": "ecdsa-sha2-nistp256" "algorithm": "ecdsa-sha2-nistp256",
"notes": {
"fail": [
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
],
"warn": [
"using weak random number generator could reveal the key"
]
}
}, },
{ {
"algorithm": "ssh-rsa", "algorithm": "ssh-rsa",
"keysize": 1024 "keysize": 1024,
"notes": {
"fail": [
"using broken SHA-1 hash algorithm",
"using small 1024-bit modulus"
],
"info": [
"deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
"available since OpenSSH 2.5.0, Dropbear SSH 0.28"
]
}
}, },
{ {
"algorithm": "ssh-dss" "algorithm": "ssh-dss",
"notes": {
"fail": [
"using small 1024-bit modulus"
],
"info": [
"disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using weak random number generator could reveal the key"
]
}
} }
], ],
"mac": [ "mac": [
"hmac-sha1-96", {
"hmac-sha1", "algorithm": "hmac-sha1-96",
"hmac-sha2-256" "notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0, Dropbear SSH 0.47"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha2-256",
"notes": {
"info": [
"available since OpenSSH 5.9, Dropbear SSH 2013.56"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
}
], ],
"recommendations": { "recommendations": {
"critical": { "critical": {

296
test/docker/expected_results/openssh_4.0p1_test1.json
View File

@ -1,10 +1,7 @@
{ {
"banner": { "banner": {
"comments": null, "comments": null,
"protocol": [ "protocol": "1.99",
1,
99
],
"raw": "SSH-1.99-OpenSSH_4.0", "raw": "SSH-1.99-OpenSSH_4.0",
"software": "OpenSSH_4.0" "software": "OpenSSH_4.0"
}, },
@ -125,17 +122,134 @@
} }
], ],
"enc": [ "enc": [
"aes128-cbc", {
"3des-cbc", "algorithm": "aes128-cbc",
"blowfish-cbc", "notes": {
"cast128-cbc", "info": [
"arcfour", "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
"aes192-cbc", ],
"aes256-cbc", "warn": [
"rijndael-cbc@lysator.liu.se", "using weak cipher mode"
"aes128-ctr", ]
"aes192-ctr", }
"aes256-ctr" },
{
"algorithm": "3des-cbc",
"notes": {
"fail": [
"using broken & deprecated 3DES cipher"
],
"info": [
"available since OpenSSH 1.2.2, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
},
{
"algorithm": "blowfish-cbc",
"notes": {
"fail": [
"using weak & deprecated Blowfish cipher"
],
"info": [
"available since OpenSSH 1.2.2, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
},
{
"algorithm": "cast128-cbc",
"notes": {
"fail": [
"using weak & deprecated CAST cipher"
],
"info": [
"available since OpenSSH 2.1.0"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
},
{
"algorithm": "arcfour",
"notes": {
"fail": [
"using broken RC4 cipher"
],
"info": [
"available since OpenSSH 2.1.0"
]
}
},
{
"algorithm": "aes192-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "aes256-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0, Dropbear SSH 0.47"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "rijndael-cbc@lysator.liu.se",
"notes": {
"fail": [
"using deprecated & non-standardized Rijndael cipher"
],
"info": [
"disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
"available since OpenSSH 2.3.0"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "aes128-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7, Dropbear SSH 0.52"
]
}
},
{
"algorithm": "aes192-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7"
]
}
},
{
"algorithm": "aes256-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7, Dropbear SSH 0.52"
]
}
}
], ],
"fingerprints": [ "fingerprints": [
{ {
@ -152,31 +266,161 @@
"kex": [ "kex": [
{ {
"algorithm": "diffie-hellman-group-exchange-sha1", "algorithm": "diffie-hellman-group-exchange-sha1",
"keysize": 1024 "keysize": 1024,
"notes": {
"fail": [
"using small 1024-bit modulus"
],
"info": [
"available since OpenSSH 2.3.0"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group14-sha1" "algorithm": "diffie-hellman-group14-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group1-sha1" "algorithm": "diffie-hellman-group1-sha1",
"notes": {
"fail": [
"using small 1024-bit modulus",
"vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
"using broken SHA-1 hash algorithm"
],
"info": [
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
]
}
} }
], ],
"key": [ "key": [
{ {
"algorithm": "ssh-rsa", "algorithm": "ssh-rsa",
"keysize": 1024 "keysize": 1024,
"notes": {
"fail": [
"using broken SHA-1 hash algorithm",
"using small 1024-bit modulus"
],
"info": [
"deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
"available since OpenSSH 2.5.0, Dropbear SSH 0.28"
]
}
}, },
{ {
"algorithm": "ssh-dss" "algorithm": "ssh-dss",
"notes": {
"fail": [
"using small 1024-bit modulus"
],
"info": [
"disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using weak random number generator could reveal the key"
]
}
} }
], ],
"mac": [ "mac": [
"hmac-md5", {
"hmac-sha1", "algorithm": "hmac-md5",
"hmac-ripemd160", "notes": {
"hmac-ripemd160@openssh.com", "fail": [
"hmac-sha1-96", "using broken MD5 hash algorithm"
"hmac-md5-96" ],
"info": [
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-ripemd160",
"notes": {
"fail": [
"using deprecated RIPEMD hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-ripemd160@openssh.com",
"notes": {
"fail": [
"using deprecated RIPEMD hash algorithm"
],
"info": [
"available since OpenSSH 2.1.0"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha1-96",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0, Dropbear SSH 0.47"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-md5-96",
"notes": {
"fail": [
"using broken MD5 hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
}
], ],
"recommendations": { "recommendations": {
"critical": { "critical": {

343
test/docker/expected_results/openssh_5.6p1_test1.json
View File

@ -1,10 +1,7 @@
{ {
"banner": { "banner": {
"comments": null, "comments": null,
"protocol": [ "protocol": "2.0",
2,
0
],
"raw": "SSH-2.0-OpenSSH_5.6", "raw": "SSH-2.0-OpenSSH_5.6",
"software": "OpenSSH_5.6" "software": "OpenSSH_5.6"
}, },
@ -90,19 +87,156 @@
} }
], ],
"enc": [ "enc": [
"aes128-ctr", {
"aes192-ctr", "algorithm": "aes128-ctr",
"aes256-ctr", "notes": {
"arcfour256", "info": [
"arcfour128", "available since OpenSSH 3.7, Dropbear SSH 0.52"
"aes128-cbc", ]
"3des-cbc", }
"blowfish-cbc", },
"cast128-cbc", {
"aes192-cbc", "algorithm": "aes192-ctr",
"aes256-cbc", "notes": {
"arcfour", "info": [
"rijndael-cbc@lysator.liu.se" "available since OpenSSH 3.7"
]
}
},
{
"algorithm": "aes256-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7, Dropbear SSH 0.52"
]
}
},
{
"algorithm": "arcfour256",
"notes": {
"fail": [
"using broken RC4 cipher"
],
"info": [
"available since OpenSSH 4.2"
]
}
},
{
"algorithm": "arcfour128",
"notes": {
"fail": [
"using broken RC4 cipher"
],
"info": [
"available since OpenSSH 4.2"
]
}
},
{
"algorithm": "aes128-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "3des-cbc",
"notes": {
"fail": [
"using broken & deprecated 3DES cipher"
],
"info": [
"available since OpenSSH 1.2.2, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
},
{
"algorithm": "blowfish-cbc",
"notes": {
"fail": [
"using weak & deprecated Blowfish cipher"
],
"info": [
"available since OpenSSH 1.2.2, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
},
{
"algorithm": "cast128-cbc",
"notes": {
"fail": [
"using weak & deprecated CAST cipher"
],
"info": [
"available since OpenSSH 2.1.0"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
},
{
"algorithm": "aes192-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "aes256-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0, Dropbear SSH 0.47"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "arcfour",
"notes": {
"fail": [
"using broken RC4 cipher"
],
"info": [
"available since OpenSSH 2.1.0"
]
}
},
{
"algorithm": "rijndael-cbc@lysator.liu.se",
"notes": {
"fail": [
"using deprecated & non-standardized Rijndael cipher"
],
"info": [
"disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
"available since OpenSSH 2.3.0"
],
"warn": [
"using weak cipher mode"
]
}
}
], ],
"fingerprints": [ "fingerprints": [
{ {
@ -119,36 +253,185 @@
"kex": [ "kex": [
{ {
"algorithm": "diffie-hellman-group-exchange-sha256", "algorithm": "diffie-hellman-group-exchange-sha256",
"keysize": 1024 "keysize": 1024,
"notes": {
"fail": [
"using small 1024-bit modulus"
],
"info": [
"available since OpenSSH 4.4"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group-exchange-sha1", "algorithm": "diffie-hellman-group-exchange-sha1",
"keysize": 1024 "keysize": 1024,
"notes": {
"fail": [
"using small 1024-bit modulus"
],
"info": [
"available since OpenSSH 2.3.0"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group14-sha1" "algorithm": "diffie-hellman-group14-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group1-sha1" "algorithm": "diffie-hellman-group1-sha1",
"notes": {
"fail": [
"using small 1024-bit modulus",
"vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
"using broken SHA-1 hash algorithm"
],
"info": [
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
]
}
} }
], ],
"key": [ "key": [
{ {
"algorithm": "ssh-rsa", "algorithm": "ssh-rsa",
"keysize": 1024 "keysize": 1024,
"notes": {
"fail": [
"using broken SHA-1 hash algorithm",
"using small 1024-bit modulus"
],
"info": [
"deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
"available since OpenSSH 2.5.0, Dropbear SSH 0.28"
]
}
}, },
{ {
"algorithm": "ssh-dss" "algorithm": "ssh-dss",
"notes": {
"fail": [
"using small 1024-bit modulus"
],
"info": [
"disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using weak random number generator could reveal the key"
]
}
} }
], ],
"mac": [ "mac": [
"hmac-md5", {
"hmac-sha1", "algorithm": "hmac-md5",
"umac-64@openssh.com", "notes": {
"hmac-ripemd160", "fail": [
"hmac-ripemd160@openssh.com", "using broken MD5 hash algorithm"
"hmac-sha1-96", ],
"hmac-md5-96" "info": [
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "umac-64@openssh.com",
"notes": {
"info": [
"available since OpenSSH 4.7"
],
"warn": [
"using encrypt-and-MAC mode",
"using small 64-bit tag size"
]
}
},
{
"algorithm": "hmac-ripemd160",
"notes": {
"fail": [
"using deprecated RIPEMD hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-ripemd160@openssh.com",
"notes": {
"fail": [
"using deprecated RIPEMD hash algorithm"
],
"info": [
"available since OpenSSH 2.1.0"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha1-96",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0, Dropbear SSH 0.47"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-md5-96",
"notes": {
"fail": [
"using broken MD5 hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
}
], ],
"recommendations": { "recommendations": {
"critical": { "critical": {

342
test/docker/expected_results/openssh_5.6p1_test2.json
View File

@ -1,10 +1,7 @@
{ {
"banner": { "banner": {
"comments": null, "comments": null,
"protocol": [ "protocol": "2.0",
2,
0
],
"raw": "SSH-2.0-OpenSSH_5.6", "raw": "SSH-2.0-OpenSSH_5.6",
"software": "OpenSSH_5.6" "software": "OpenSSH_5.6"
}, },
@ -90,19 +87,156 @@
} }
], ],
"enc": [ "enc": [
"aes128-ctr", {
"aes192-ctr", "algorithm": "aes128-ctr",
"aes256-ctr", "notes": {
"arcfour256", "info": [
"arcfour128", "available since OpenSSH 3.7, Dropbear SSH 0.52"
"aes128-cbc", ]
"3des-cbc", }
"blowfish-cbc", },
"cast128-cbc", {
"aes192-cbc", "algorithm": "aes192-ctr",
"aes256-cbc", "notes": {
"arcfour", "info": [
"rijndael-cbc@lysator.liu.se" "available since OpenSSH 3.7"
]
}
},
{
"algorithm": "aes256-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7, Dropbear SSH 0.52"
]
}
},
{
"algorithm": "arcfour256",
"notes": {
"fail": [
"using broken RC4 cipher"
],
"info": [
"available since OpenSSH 4.2"
]
}
},
{
"algorithm": "arcfour128",
"notes": {
"fail": [
"using broken RC4 cipher"
],
"info": [
"available since OpenSSH 4.2"
]
}
},
{
"algorithm": "aes128-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "3des-cbc",
"notes": {
"fail": [
"using broken & deprecated 3DES cipher"
],
"info": [
"available since OpenSSH 1.2.2, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
},
{
"algorithm": "blowfish-cbc",
"notes": {
"fail": [
"using weak & deprecated Blowfish cipher"
],
"info": [
"available since OpenSSH 1.2.2, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
},
{
"algorithm": "cast128-cbc",
"notes": {
"fail": [
"using weak & deprecated CAST cipher"
],
"info": [
"available since OpenSSH 2.1.0"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
},
{
"algorithm": "aes192-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "aes256-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0, Dropbear SSH 0.47"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "arcfour",
"notes": {
"fail": [
"using broken RC4 cipher"
],
"info": [
"available since OpenSSH 2.1.0"
]
}
},
{
"algorithm": "rijndael-cbc@lysator.liu.se",
"notes": {
"fail": [
"using deprecated & non-standardized Rijndael cipher"
],
"info": [
"disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
"available since OpenSSH 2.3.0"
],
"warn": [
"using weak cipher mode"
]
}
}
], ],
"fingerprints": [ "fingerprints": [
{ {
@ -119,39 +253,187 @@
"kex": [ "kex": [
{ {
"algorithm": "diffie-hellman-group-exchange-sha256", "algorithm": "diffie-hellman-group-exchange-sha256",
"keysize": 1024 "keysize": 1024,
"notes": {
"fail": [
"using small 1024-bit modulus"
],
"info": [
"available since OpenSSH 4.4"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group-exchange-sha1", "algorithm": "diffie-hellman-group-exchange-sha1",
"keysize": 1024 "keysize": 1024,
"notes": {
"fail": [
"using small 1024-bit modulus"
],
"info": [
"available since OpenSSH 2.3.0"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group14-sha1" "algorithm": "diffie-hellman-group14-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group1-sha1" "algorithm": "diffie-hellman-group1-sha1",
"notes": {
"fail": [
"using small 1024-bit modulus",
"vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
"using broken SHA-1 hash algorithm"
],
"info": [
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
]
}
} }
], ],
"key": [ "key": [
{ {
"algorithm": "ssh-rsa", "algorithm": "ssh-rsa",
"keysize": 1024 "keysize": 1024,
"notes": {
"fail": [
"using broken SHA-1 hash algorithm",
"using small 1024-bit modulus"
],
"info": [
"deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
"available since OpenSSH 2.5.0, Dropbear SSH 0.28"
]
}
}, },
{ {
"algorithm": "ssh-rsa-cert-v01@openssh.com", "algorithm": "ssh-rsa-cert-v01@openssh.com",
"ca_algorithm": "ssh-rsa", "ca_algorithm": "ssh-rsa",
"casize": 1024, "casize": 1024,
"keysize": 1024 "keysize": 1024,
"notes": {
"fail": [
"using broken SHA-1 hash algorithm",
"using small 1024-bit hostkey modulus",
"using small 1024-bit CA key modulus"
],
"info": [
"deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
"available since OpenSSH 5.6"
]
}
} }
], ],
"mac": [ "mac": [
"hmac-md5", {
"hmac-sha1", "algorithm": "hmac-md5",
"umac-64@openssh.com", "notes": {
"hmac-ripemd160", "fail": [
"hmac-ripemd160@openssh.com", "using broken MD5 hash algorithm"
"hmac-sha1-96", ],
"hmac-md5-96" "info": [
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "umac-64@openssh.com",
"notes": {
"info": [
"available since OpenSSH 4.7"
],
"warn": [
"using encrypt-and-MAC mode",
"using small 64-bit tag size"
]
}
},
{
"algorithm": "hmac-ripemd160",
"notes": {
"fail": [
"using deprecated RIPEMD hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-ripemd160@openssh.com",
"notes": {
"fail": [
"using deprecated RIPEMD hash algorithm"
],
"info": [
"available since OpenSSH 2.1.0"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha1-96",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0, Dropbear SSH 0.47"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-md5-96",
"notes": {
"fail": [
"using broken MD5 hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
}
], ],
"recommendations": { "recommendations": {
"critical": { "critical": {

341
test/docker/expected_results/openssh_5.6p1_test3.json
View File

@ -1,10 +1,7 @@
{ {
"banner": { "banner": {
"comments": null, "comments": null,
"protocol": [ "protocol": "2.0",
2,
0
],
"raw": "SSH-2.0-OpenSSH_5.6", "raw": "SSH-2.0-OpenSSH_5.6",
"software": "OpenSSH_5.6" "software": "OpenSSH_5.6"
}, },
@ -90,19 +87,156 @@
} }
], ],
"enc": [ "enc": [
"aes128-ctr", {
"aes192-ctr", "algorithm": "aes128-ctr",
"aes256-ctr", "notes": {
"arcfour256", "info": [
"arcfour128", "available since OpenSSH 3.7, Dropbear SSH 0.52"
"aes128-cbc", ]
"3des-cbc", }
"blowfish-cbc", },
"cast128-cbc", {
"aes192-cbc", "algorithm": "aes192-ctr",
"aes256-cbc", "notes": {
"arcfour", "info": [
"rijndael-cbc@lysator.liu.se" "available since OpenSSH 3.7"
]
}
},
{
"algorithm": "aes256-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7, Dropbear SSH 0.52"
]
}
},
{
"algorithm": "arcfour256",
"notes": {
"fail": [
"using broken RC4 cipher"
],
"info": [
"available since OpenSSH 4.2"
]
}
},
{
"algorithm": "arcfour128",
"notes": {
"fail": [
"using broken RC4 cipher"
],
"info": [
"available since OpenSSH 4.2"
]
}
},
{
"algorithm": "aes128-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "3des-cbc",
"notes": {
"fail": [
"using broken & deprecated 3DES cipher"
],
"info": [
"available since OpenSSH 1.2.2, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
},
{
"algorithm": "blowfish-cbc",
"notes": {
"fail": [
"using weak & deprecated Blowfish cipher"
],
"info": [
"available since OpenSSH 1.2.2, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
},
{
"algorithm": "cast128-cbc",
"notes": {
"fail": [
"using weak & deprecated CAST cipher"
],
"info": [
"available since OpenSSH 2.1.0"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
},
{
"algorithm": "aes192-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "aes256-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0, Dropbear SSH 0.47"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "arcfour",
"notes": {
"fail": [
"using broken RC4 cipher"
],
"info": [
"available since OpenSSH 2.1.0"
]
}
},
{
"algorithm": "rijndael-cbc@lysator.liu.se",
"notes": {
"fail": [
"using deprecated & non-standardized Rijndael cipher"
],
"info": [
"disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
"available since OpenSSH 2.3.0"
],
"warn": [
"using weak cipher mode"
]
}
}
], ],
"fingerprints": [ "fingerprints": [
{ {
@ -119,39 +253,186 @@
"kex": [ "kex": [
{ {
"algorithm": "diffie-hellman-group-exchange-sha256", "algorithm": "diffie-hellman-group-exchange-sha256",
"keysize": 1024 "keysize": 1024,
"notes": {
"fail": [
"using small 1024-bit modulus"
],
"info": [
"available since OpenSSH 4.4"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group-exchange-sha1", "algorithm": "diffie-hellman-group-exchange-sha1",
"keysize": 1024 "keysize": 1024,
"notes": {
"fail": [
"using small 1024-bit modulus"
],
"info": [
"available since OpenSSH 2.3.0"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group14-sha1" "algorithm": "diffie-hellman-group14-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group1-sha1" "algorithm": "diffie-hellman-group1-sha1",
"notes": {
"fail": [
"using small 1024-bit modulus",
"vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
"using broken SHA-1 hash algorithm"
],
"info": [
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
]
}
} }
], ],
"key": [ "key": [
{ {
"algorithm": "ssh-rsa", "algorithm": "ssh-rsa",
"keysize": 1024 "keysize": 1024,
"notes": {
"fail": [
"using broken SHA-1 hash algorithm",
"using small 1024-bit modulus"
],
"info": [
"deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
"available since OpenSSH 2.5.0, Dropbear SSH 0.28"
]
}
}, },
{ {
"algorithm": "ssh-rsa-cert-v01@openssh.com", "algorithm": "ssh-rsa-cert-v01@openssh.com",
"ca_algorithm": "ssh-rsa", "ca_algorithm": "ssh-rsa",
"casize": 3072, "casize": 3072,
"keysize": 1024 "keysize": 1024,
"notes": {
"fail": [
"using broken SHA-1 hash algorithm",
"using small 1024-bit hostkey modulus"
],
"info": [
"deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
"available since OpenSSH 5.6"
]
}
} }
], ],
"mac": [ "mac": [
"hmac-md5", {
"hmac-sha1", "algorithm": "hmac-md5",
"umac-64@openssh.com", "notes": {
"hmac-ripemd160", "fail": [
"hmac-ripemd160@openssh.com", "using broken MD5 hash algorithm"
"hmac-sha1-96", ],
"hmac-md5-96" "info": [
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "umac-64@openssh.com",
"notes": {
"info": [
"available since OpenSSH 4.7"
],
"warn": [
"using encrypt-and-MAC mode",
"using small 64-bit tag size"
]
}
},
{
"algorithm": "hmac-ripemd160",
"notes": {
"fail": [
"using deprecated RIPEMD hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-ripemd160@openssh.com",
"notes": {
"fail": [
"using deprecated RIPEMD hash algorithm"
],
"info": [
"available since OpenSSH 2.1.0"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha1-96",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0, Dropbear SSH 0.47"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-md5-96",
"notes": {
"fail": [
"using broken MD5 hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
}
], ],
"recommendations": { "recommendations": {
"critical": { "critical": {

340
test/docker/expected_results/openssh_5.6p1_test4.json
View File

@ -1,10 +1,7 @@
{ {
"banner": { "banner": {
"comments": null, "comments": null,
"protocol": [ "protocol": "2.0",
2,
0
],
"raw": "SSH-2.0-OpenSSH_5.6", "raw": "SSH-2.0-OpenSSH_5.6",
"software": "OpenSSH_5.6" "software": "OpenSSH_5.6"
}, },
@ -90,19 +87,156 @@
} }
], ],
"enc": [ "enc": [
"aes128-ctr", {
"aes192-ctr", "algorithm": "aes128-ctr",
"aes256-ctr", "notes": {
"arcfour256", "info": [
"arcfour128", "available since OpenSSH 3.7, Dropbear SSH 0.52"
"aes128-cbc", ]
"3des-cbc", }
"blowfish-cbc", },
"cast128-cbc", {
"aes192-cbc", "algorithm": "aes192-ctr",
"aes256-cbc", "notes": {
"arcfour", "info": [
"rijndael-cbc@lysator.liu.se" "available since OpenSSH 3.7"
]
}
},
{
"algorithm": "aes256-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7, Dropbear SSH 0.52"
]
}
},
{
"algorithm": "arcfour256",
"notes": {
"fail": [
"using broken RC4 cipher"
],
"info": [
"available since OpenSSH 4.2"
]
}
},
{
"algorithm": "arcfour128",
"notes": {
"fail": [
"using broken RC4 cipher"
],
"info": [
"available since OpenSSH 4.2"
]
}
},
{
"algorithm": "aes128-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "3des-cbc",
"notes": {
"fail": [
"using broken & deprecated 3DES cipher"
],
"info": [
"available since OpenSSH 1.2.2, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
},
{
"algorithm": "blowfish-cbc",
"notes": {
"fail": [
"using weak & deprecated Blowfish cipher"
],
"info": [
"available since OpenSSH 1.2.2, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
},
{
"algorithm": "cast128-cbc",
"notes": {
"fail": [
"using weak & deprecated CAST cipher"
],
"info": [
"available since OpenSSH 2.1.0"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
},
{
"algorithm": "aes192-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "aes256-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0, Dropbear SSH 0.47"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "arcfour",
"notes": {
"fail": [
"using broken RC4 cipher"
],
"info": [
"available since OpenSSH 2.1.0"
]
}
},
{
"algorithm": "rijndael-cbc@lysator.liu.se",
"notes": {
"fail": [
"using deprecated & non-standardized Rijndael cipher"
],
"info": [
"disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
"available since OpenSSH 2.3.0"
],
"warn": [
"using weak cipher mode"
]
}
}
], ],
"fingerprints": [ "fingerprints": [
{ {
@ -119,39 +253,185 @@
"kex": [ "kex": [
{ {
"algorithm": "diffie-hellman-group-exchange-sha256", "algorithm": "diffie-hellman-group-exchange-sha256",
"keysize": 1024 "keysize": 1024,
"notes": {
"fail": [
"using small 1024-bit modulus"
],
"info": [
"available since OpenSSH 4.4"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group-exchange-sha1", "algorithm": "diffie-hellman-group-exchange-sha1",
"keysize": 1024 "keysize": 1024,
"notes": {
"fail": [
"using small 1024-bit modulus"
],
"info": [
"available since OpenSSH 2.3.0"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group14-sha1" "algorithm": "diffie-hellman-group14-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group1-sha1" "algorithm": "diffie-hellman-group1-sha1",
"notes": {
"fail": [
"using small 1024-bit modulus",
"vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
"using broken SHA-1 hash algorithm"
],
"info": [
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
]
}
} }
], ],
"key": [ "key": [
{ {
"algorithm": "ssh-rsa", "algorithm": "ssh-rsa",
"keysize": 3072 "keysize": 3072,
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
"available since OpenSSH 2.5.0, Dropbear SSH 0.28"
]
}
}, },
{ {
"algorithm": "ssh-rsa-cert-v01@openssh.com", "algorithm": "ssh-rsa-cert-v01@openssh.com",
"ca_algorithm": "ssh-rsa", "ca_algorithm": "ssh-rsa",
"casize": 1024, "casize": 1024,
"keysize": 3072 "keysize": 3072,
"notes": {
"fail": [
"using broken SHA-1 hash algorithm",
"using small 1024-bit CA key modulus"
],
"info": [
"deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
"available since OpenSSH 5.6"
]
}
} }
], ],
"mac": [ "mac": [
"hmac-md5", {
"hmac-sha1", "algorithm": "hmac-md5",
"umac-64@openssh.com", "notes": {
"hmac-ripemd160", "fail": [
"hmac-ripemd160@openssh.com", "using broken MD5 hash algorithm"
"hmac-sha1-96", ],
"hmac-md5-96" "info": [
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "umac-64@openssh.com",
"notes": {
"info": [
"available since OpenSSH 4.7"
],
"warn": [
"using encrypt-and-MAC mode",
"using small 64-bit tag size"
]
}
},
{
"algorithm": "hmac-ripemd160",
"notes": {
"fail": [
"using deprecated RIPEMD hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-ripemd160@openssh.com",
"notes": {
"fail": [
"using deprecated RIPEMD hash algorithm"
],
"info": [
"available since OpenSSH 2.1.0"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha1-96",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0, Dropbear SSH 0.47"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-md5-96",
"notes": {
"fail": [
"using broken MD5 hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
}
], ],
"recommendations": { "recommendations": {
"critical": { "critical": {

339
test/docker/expected_results/openssh_5.6p1_test5.json
View File

@ -1,10 +1,7 @@
{ {
"banner": { "banner": {
"comments": null, "comments": null,
"protocol": [ "protocol": "2.0",
2,
0
],
"raw": "SSH-2.0-OpenSSH_5.6", "raw": "SSH-2.0-OpenSSH_5.6",
"software": "OpenSSH_5.6" "software": "OpenSSH_5.6"
}, },
@ -90,19 +87,156 @@
} }
], ],
"enc": [ "enc": [
"aes128-ctr", {
"aes192-ctr", "algorithm": "aes128-ctr",
"aes256-ctr", "notes": {
"arcfour256", "info": [
"arcfour128", "available since OpenSSH 3.7, Dropbear SSH 0.52"
"aes128-cbc", ]
"3des-cbc", }
"blowfish-cbc", },
"cast128-cbc", {
"aes192-cbc", "algorithm": "aes192-ctr",
"aes256-cbc", "notes": {
"arcfour", "info": [
"rijndael-cbc@lysator.liu.se" "available since OpenSSH 3.7"
]
}
},
{
"algorithm": "aes256-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7, Dropbear SSH 0.52"
]
}
},
{
"algorithm": "arcfour256",
"notes": {
"fail": [
"using broken RC4 cipher"
],
"info": [
"available since OpenSSH 4.2"
]
}
},
{
"algorithm": "arcfour128",
"notes": {
"fail": [
"using broken RC4 cipher"
],
"info": [
"available since OpenSSH 4.2"
]
}
},
{
"algorithm": "aes128-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "3des-cbc",
"notes": {
"fail": [
"using broken & deprecated 3DES cipher"
],
"info": [
"available since OpenSSH 1.2.2, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
},
{
"algorithm": "blowfish-cbc",
"notes": {
"fail": [
"using weak & deprecated Blowfish cipher"
],
"info": [
"available since OpenSSH 1.2.2, Dropbear SSH 0.28"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
},
{
"algorithm": "cast128-cbc",
"notes": {
"fail": [
"using weak & deprecated CAST cipher"
],
"info": [
"available since OpenSSH 2.1.0"
],
"warn": [
"using weak cipher mode",
"using small 64-bit block size"
]
}
},
{
"algorithm": "aes192-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "aes256-cbc",
"notes": {
"info": [
"available since OpenSSH 2.3.0, Dropbear SSH 0.47"
],
"warn": [
"using weak cipher mode"
]
}
},
{
"algorithm": "arcfour",
"notes": {
"fail": [
"using broken RC4 cipher"
],
"info": [
"available since OpenSSH 2.1.0"
]
}
},
{
"algorithm": "rijndael-cbc@lysator.liu.se",
"notes": {
"fail": [
"using deprecated & non-standardized Rijndael cipher"
],
"info": [
"disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
"available since OpenSSH 2.3.0"
],
"warn": [
"using weak cipher mode"
]
}
}
], ],
"fingerprints": [ "fingerprints": [
{ {
@ -119,39 +253,184 @@
"kex": [ "kex": [
{ {
"algorithm": "diffie-hellman-group-exchange-sha256", "algorithm": "diffie-hellman-group-exchange-sha256",
"keysize": 1024 "keysize": 1024,
"notes": {
"fail": [
"using small 1024-bit modulus"
],
"info": [
"available since OpenSSH 4.4"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group-exchange-sha1", "algorithm": "diffie-hellman-group-exchange-sha1",
"keysize": 1024 "keysize": 1024,
"notes": {
"fail": [
"using small 1024-bit modulus"
],
"info": [
"available since OpenSSH 2.3.0"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group14-sha1" "algorithm": "diffie-hellman-group14-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group1-sha1" "algorithm": "diffie-hellman-group1-sha1",
"notes": {
"fail": [
"using small 1024-bit modulus",
"vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
"using broken SHA-1 hash algorithm"
],
"info": [
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
]
}
} }
], ],
"key": [ "key": [
{ {
"algorithm": "ssh-rsa", "algorithm": "ssh-rsa",
"keysize": 3072 "keysize": 3072,
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
"available since OpenSSH 2.5.0, Dropbear SSH 0.28"
]
}
}, },
{ {
"algorithm": "ssh-rsa-cert-v01@openssh.com", "algorithm": "ssh-rsa-cert-v01@openssh.com",
"ca_algorithm": "ssh-rsa", "ca_algorithm": "ssh-rsa",
"casize": 3072, "casize": 3072,
"keysize": 3072 "keysize": 3072,
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
"available since OpenSSH 5.6"
]
}
} }
], ],
"mac": [ "mac": [
"hmac-md5", {
"hmac-sha1", "algorithm": "hmac-md5",
"umac-64@openssh.com", "notes": {
"hmac-ripemd160", "fail": [
"hmac-ripemd160@openssh.com", "using broken MD5 hash algorithm"
"hmac-sha1-96", ],
"hmac-md5-96" "info": [
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "umac-64@openssh.com",
"notes": {
"info": [
"available since OpenSSH 4.7"
],
"warn": [
"using encrypt-and-MAC mode",
"using small 64-bit tag size"
]
}
},
{
"algorithm": "hmac-ripemd160",
"notes": {
"fail": [
"using deprecated RIPEMD hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-ripemd160@openssh.com",
"notes": {
"fail": [
"using deprecated RIPEMD hash algorithm"
],
"info": [
"available since OpenSSH 2.1.0"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha1-96",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0, Dropbear SSH 0.47"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-md5-96",
"notes": {
"fail": [
"using broken MD5 hash algorithm"
],
"info": [
"available since OpenSSH 2.5.0"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
}
], ],
"recommendations": { "recommendations": {
"critical": { "critical": {

311
test/docker/expected_results/openssh_8.0p1_test1.json
View File

@ -1,10 +1,7 @@
{ {
"banner": { "banner": {
"comments": null, "comments": null,
"protocol": [ "protocol": "2.0",
2,
0
],
"raw": "SSH-2.0-OpenSSH_8.0", "raw": "SSH-2.0-OpenSSH_8.0",
"software": "OpenSSH_8.0" "software": "OpenSSH_8.0"
}, },
@ -35,12 +32,55 @@
} }
], ],
"enc": [ "enc": [
"chacha20-poly1305@openssh.com", {
"aes128-ctr", "algorithm": "chacha20-poly1305@openssh.com",
"aes192-ctr", "notes": {
"aes256-ctr", "info": [
"aes128-gcm@openssh.com", "default cipher since OpenSSH 6.9",
"aes256-gcm@openssh.com" "available since OpenSSH 6.5"
]
}
},
{
"algorithm": "aes128-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7, Dropbear SSH 0.52"
]
}
},
{
"algorithm": "aes192-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7"
]
}
},
{
"algorithm": "aes256-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7, Dropbear SSH 0.52"
]
}
},
{
"algorithm": "aes128-gcm@openssh.com",
"notes": {
"info": [
"available since OpenSSH 6.2"
]
}
},
{
"algorithm": "aes256-gcm@openssh.com",
"notes": {
"info": [
"available since OpenSSH 6.2"
]
}
}
], ],
"fingerprints": [ "fingerprints": [
{ {
@ -66,68 +106,269 @@
], ],
"kex": [ "kex": [
{ {
"algorithm": "curve25519-sha256" "algorithm": "curve25519-sha256",
"notes": {
"info": [
"default key exchange since OpenSSH 6.4",
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
]
}
}, },
{ {
"algorithm": "curve25519-sha256@libssh.org" "algorithm": "curve25519-sha256@libssh.org",
"notes": {
"info": [
"default key exchange since OpenSSH 6.4",
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
]
}
}, },
{ {
"algorithm": "ecdh-sha2-nistp256" "algorithm": "ecdh-sha2-nistp256",
"notes": {
"fail": [
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
]
}
}, },
{ {
"algorithm": "ecdh-sha2-nistp384" "algorithm": "ecdh-sha2-nistp384",
"notes": {
"fail": [
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
]
}
}, },
{ {
"algorithm": "ecdh-sha2-nistp521" "algorithm": "ecdh-sha2-nistp521",
"notes": {
"fail": [
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group-exchange-sha256", "algorithm": "diffie-hellman-group-exchange-sha256",
"keysize": 4096 "keysize": 4096,
"notes": {
"info": [
"OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
"available since OpenSSH 4.4"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group16-sha512" "algorithm": "diffie-hellman-group16-sha512",
"notes": {
"info": [
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group18-sha512" "algorithm": "diffie-hellman-group18-sha512",
"notes": {
"info": [
"available since OpenSSH 7.3"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group14-sha256" "algorithm": "diffie-hellman-group14-sha256",
"notes": {
"info": [
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group14-sha1" "algorithm": "diffie-hellman-group14-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
]
}
} }
], ],
"key": [ "key": [
{ {
"algorithm": "rsa-sha2-512", "algorithm": "rsa-sha2-512",
"keysize": 3072 "keysize": 3072,
"notes": {
"info": [
"available since OpenSSH 7.2"
]
}
}, },
{ {
"algorithm": "rsa-sha2-256", "algorithm": "rsa-sha2-256",
"keysize": 3072 "keysize": 3072,
"notes": {
"info": [
"available since OpenSSH 7.2"
]
}
}, },
{ {
"algorithm": "ssh-rsa", "algorithm": "ssh-rsa",
"keysize": 3072 "keysize": 3072,
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
"available since OpenSSH 2.5.0, Dropbear SSH 0.28"
]
}
}, },
{ {
"algorithm": "ecdsa-sha2-nistp256" "algorithm": "ecdsa-sha2-nistp256",
"notes": {
"fail": [
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
],
"warn": [
"using weak random number generator could reveal the key"
]
}
}, },
{ {
"algorithm": "ssh-ed25519" "algorithm": "ssh-ed25519",
"notes": {
"info": [
"available since OpenSSH 6.5"
]
}
} }
], ],
"mac": [ "mac": [
"umac-64-etm@openssh.com", {
"umac-128-etm@openssh.com", "algorithm": "umac-64-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com", "notes": {
"hmac-sha2-512-etm@openssh.com", "info": [
"hmac-sha1-etm@openssh.com", "available since OpenSSH 6.2"
"umac-64@openssh.com", ],
"umac-128@openssh.com", "warn": [
"hmac-sha2-256", "using small 64-bit tag size"
"hmac-sha2-512", ]
"hmac-sha1" }
},
{
"algorithm": "umac-128-etm@openssh.com",
"notes": {
"info": [
"available since OpenSSH 6.2"
]
}
},
{
"algorithm": "hmac-sha2-256-etm@openssh.com",
"notes": {
"info": [
"available since OpenSSH 6.2"
]
}
},
{
"algorithm": "hmac-sha2-512-etm@openssh.com",
"notes": {
"info": [
"available since OpenSSH 6.2"
]
}
},
{
"algorithm": "hmac-sha1-etm@openssh.com",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 6.2"
]
}
},
{
"algorithm": "umac-64@openssh.com",
"notes": {
"info": [
"available since OpenSSH 4.7"
],
"warn": [
"using encrypt-and-MAC mode",
"using small 64-bit tag size"
]
}
},
{
"algorithm": "umac-128@openssh.com",
"notes": {
"info": [
"available since OpenSSH 6.2"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha2-256",
"notes": {
"info": [
"available since OpenSSH 5.9, Dropbear SSH 2013.56"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha2-512",
"notes": {
"info": [
"available since OpenSSH 5.9, Dropbear SSH 2013.56"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
}
], ],
"recommendations": { "recommendations": {
"critical": { "critical": {

280
test/docker/expected_results/openssh_8.0p1_test2.json
View File

@ -1,10 +1,7 @@
{ {
"banner": { "banner": {
"comments": null, "comments": null,
"protocol": [ "protocol": "2.0",
2,
0
],
"raw": "SSH-2.0-OpenSSH_8.0", "raw": "SSH-2.0-OpenSSH_8.0",
"software": "OpenSSH_8.0" "software": "OpenSSH_8.0"
}, },
@ -35,12 +32,55 @@
} }
], ],
"enc": [ "enc": [
"chacha20-poly1305@openssh.com", {
"aes128-ctr", "algorithm": "chacha20-poly1305@openssh.com",
"aes192-ctr", "notes": {
"aes256-ctr", "info": [
"aes128-gcm@openssh.com", "default cipher since OpenSSH 6.9",
"aes256-gcm@openssh.com" "available since OpenSSH 6.5"
]
}
},
{
"algorithm": "aes128-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7, Dropbear SSH 0.52"
]
}
},
{
"algorithm": "aes192-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7"
]
}
},
{
"algorithm": "aes256-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7, Dropbear SSH 0.52"
]
}
},
{
"algorithm": "aes128-gcm@openssh.com",
"notes": {
"info": [
"available since OpenSSH 6.2"
]
}
},
{
"algorithm": "aes256-gcm@openssh.com",
"notes": {
"info": [
"available since OpenSSH 6.2"
]
}
}
], ],
"fingerprints": [ "fingerprints": [
{ {
@ -56,58 +96,234 @@
], ],
"kex": [ "kex": [
{ {
"algorithm": "curve25519-sha256" "algorithm": "curve25519-sha256",
"notes": {
"info": [
"default key exchange since OpenSSH 6.4",
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
]
}
}, },
{ {
"algorithm": "curve25519-sha256@libssh.org" "algorithm": "curve25519-sha256@libssh.org",
"notes": {
"info": [
"default key exchange since OpenSSH 6.4",
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
]
}
}, },
{ {
"algorithm": "ecdh-sha2-nistp256" "algorithm": "ecdh-sha2-nistp256",
"notes": {
"fail": [
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
]
}
}, },
{ {
"algorithm": "ecdh-sha2-nistp384" "algorithm": "ecdh-sha2-nistp384",
"notes": {
"fail": [
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
]
}
}, },
{ {
"algorithm": "ecdh-sha2-nistp521" "algorithm": "ecdh-sha2-nistp521",
"notes": {
"fail": [
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group-exchange-sha256", "algorithm": "diffie-hellman-group-exchange-sha256",
"keysize": 4096 "keysize": 4096,
"notes": {
"info": [
"OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
"available since OpenSSH 4.4"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group16-sha512" "algorithm": "diffie-hellman-group16-sha512",
"notes": {
"info": [
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group18-sha512" "algorithm": "diffie-hellman-group18-sha512",
"notes": {
"info": [
"available since OpenSSH 7.3"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group14-sha256" "algorithm": "diffie-hellman-group14-sha256",
"notes": {
"info": [
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group14-sha1" "algorithm": "diffie-hellman-group14-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
]
}
} }
], ],
"key": [ "key": [
{ {
"algorithm": "ssh-ed25519" "algorithm": "ssh-ed25519",
"notes": {
"info": [
"available since OpenSSH 6.5"
]
}
}, },
{ {
"algorithm": "ssh-ed25519-cert-v01@openssh.com", "algorithm": "ssh-ed25519-cert-v01@openssh.com",
"ca_algorithm": "ssh-ed25519", "ca_algorithm": "ssh-ed25519",
"casize": 256 "casize": 256,
"notes": {
"info": [
"available since OpenSSH 6.5"
]
}
} }
], ],
"mac": [ "mac": [
"umac-64-etm@openssh.com", {
"umac-128-etm@openssh.com", "algorithm": "umac-64-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com", "notes": {
"hmac-sha2-512-etm@openssh.com", "info": [
"hmac-sha1-etm@openssh.com", "available since OpenSSH 6.2"
"umac-64@openssh.com", ],
"umac-128@openssh.com", "warn": [
"hmac-sha2-256", "using small 64-bit tag size"
"hmac-sha2-512", ]
"hmac-sha1" }
},
{
"algorithm": "umac-128-etm@openssh.com",
"notes": {
"info": [
"available since OpenSSH 6.2"
]
}
},
{
"algorithm": "hmac-sha2-256-etm@openssh.com",
"notes": {
"info": [
"available since OpenSSH 6.2"
]
}
},
{
"algorithm": "hmac-sha2-512-etm@openssh.com",
"notes": {
"info": [
"available since OpenSSH 6.2"
]
}
},
{
"algorithm": "hmac-sha1-etm@openssh.com",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 6.2"
]
}
},
{
"algorithm": "umac-64@openssh.com",
"notes": {
"info": [
"available since OpenSSH 4.7"
],
"warn": [
"using encrypt-and-MAC mode",
"using small 64-bit tag size"
]
}
},
{
"algorithm": "umac-128@openssh.com",
"notes": {
"info": [
"available since OpenSSH 6.2"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha2-256",
"notes": {
"info": [
"available since OpenSSH 5.9, Dropbear SSH 2013.56"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha2-512",
"notes": {
"info": [
"available since OpenSSH 5.9, Dropbear SSH 2013.56"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
},
{
"algorithm": "hmac-sha1",
"notes": {
"fail": [
"using broken SHA-1 hash algorithm"
],
"info": [
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
}
], ],
"recommendations": { "recommendations": {
"critical": { "critical": {

118
test/docker/expected_results/openssh_8.0p1_test3.json
View File

@ -1,10 +1,7 @@
{ {
"banner": { "banner": {
"comments": null, "comments": null,
"protocol": [ "protocol": "2.0",
2,
0
],
"raw": "SSH-2.0-OpenSSH_8.0", "raw": "SSH-2.0-OpenSSH_8.0",
"software": "OpenSSH_8.0" "software": "OpenSSH_8.0"
}, },
@ -35,12 +32,55 @@
} }
], ],
"enc": [ "enc": [
"chacha20-poly1305@openssh.com", {
"aes256-gcm@openssh.com", "algorithm": "chacha20-poly1305@openssh.com",
"aes128-gcm@openssh.com", "notes": {
"aes256-ctr", "info": [
"aes192-ctr", "default cipher since OpenSSH 6.9",
"aes128-ctr" "available since OpenSSH 6.5"
]
}
},
{
"algorithm": "aes256-gcm@openssh.com",
"notes": {
"info": [
"available since OpenSSH 6.2"
]
}
},
{
"algorithm": "aes128-gcm@openssh.com",
"notes": {
"info": [
"available since OpenSSH 6.2"
]
}
},
{
"algorithm": "aes256-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7, Dropbear SSH 0.52"
]
}
},
{
"algorithm": "aes192-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7"
]
}
},
{
"algorithm": "aes128-ctr",
"notes": {
"info": [
"available since OpenSSH 3.7, Dropbear SSH 0.52"
]
}
}
], ],
"fingerprints": [ "fingerprints": [
{ {
@ -56,25 +96,69 @@
], ],
"kex": [ "kex": [
{ {
"algorithm": "curve25519-sha256" "algorithm": "curve25519-sha256",
"notes": {
"info": [
"default key exchange since OpenSSH 6.4",
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
]
}
}, },
{ {
"algorithm": "curve25519-sha256@libssh.org" "algorithm": "curve25519-sha256@libssh.org",
"notes": {
"info": [
"default key exchange since OpenSSH 6.4",
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
]
}
}, },
{ {
"algorithm": "diffie-hellman-group-exchange-sha256", "algorithm": "diffie-hellman-group-exchange-sha256",
"keysize": 4096 "keysize": 4096,
"notes": {
"info": [
"OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
"available since OpenSSH 4.4"
]
}
} }
], ],
"key": [ "key": [
{ {
"algorithm": "ssh-ed25519" "algorithm": "ssh-ed25519",
"notes": {
"info": [
"available since OpenSSH 6.5"
]
}
} }
], ],
"mac": [ "mac": [
"hmac-sha2-256-etm@openssh.com", {
"hmac-sha2-512-etm@openssh.com", "algorithm": "hmac-sha2-256-etm@openssh.com",
"umac-128-etm@openssh.com" "notes": {
"info": [
"available since OpenSSH 6.2"
]
}
},
{
"algorithm": "hmac-sha2-512-etm@openssh.com",
"notes": {
"info": [
"available since OpenSSH 6.2"
]
}
},
{
"algorithm": "umac-128-etm@openssh.com",
"notes": {
"info": [
"available since OpenSSH 6.2"
]
}
}
], ],
"recommendations": { "recommendations": {
"informational": { "informational": {

61
test/docker/expected_results/tinyssh_20190101_test1.json
View File

@ -1,10 +1,7 @@
{ {
"banner": { "banner": {
"comments": "", "comments": "",
"protocol": [ "protocol": "2.0",
2,
0
],
"raw": "", "raw": "",
"software": "tinyssh_noversion" "software": "tinyssh_noversion"
}, },
@ -13,7 +10,15 @@
], ],
"cves": [], "cves": [],
"enc": [ "enc": [
"chacha20-poly1305@openssh.com" {
"algorithm": "chacha20-poly1305@openssh.com",
"notes": {
"info": [
"default cipher since OpenSSH 6.9",
"available since OpenSSH 6.5"
]
}
}
], ],
"fingerprints": [ "fingerprints": [
{ {
@ -29,22 +34,58 @@
], ],
"kex": [ "kex": [
{ {
"algorithm": "curve25519-sha256" "algorithm": "curve25519-sha256",
"notes": {
"info": [
"default key exchange since OpenSSH 6.4",
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
]
}
}, },
{ {
"algorithm": "curve25519-sha256@libssh.org" "algorithm": "curve25519-sha256@libssh.org",
"notes": {
"info": [
"default key exchange since OpenSSH 6.4",
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
]
}
}, },
{ {
"algorithm": "sntrup4591761x25519-sha512@tinyssh.org" "algorithm": "sntrup4591761x25519-sha512@tinyssh.org",
"notes": {
"info": [
"the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security",
"available since OpenSSH 8.0"
],
"warn": [
"using experimental algorithm"
]
}
} }
], ],
"key": [ "key": [
{ {
"algorithm": "ssh-ed25519" "algorithm": "ssh-ed25519",
"notes": {
"info": [
"available since OpenSSH 6.5"
]
}
} }
], ],
"mac": [ "mac": [
"hmac-sha2-256" {
"algorithm": "hmac-sha2-256",
"notes": {
"info": [
"available since OpenSSH 5.9, Dropbear SSH 2013.56"
],
"warn": [
"using encrypt-and-MAC mode"
]
}
}
], ],
"recommendations": {}, "recommendations": {},
"target": "localhost:2222" "target": "localhost:2222"