Joe Testa 
							
						 
					 
					
						
						
							
						
						f821565ff9 
					 
					
						
						
							
							Renamed hardeningguides.py.  
						
						 
						
						
						
						
					 
					
						2025-09-01 17:39:07 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						c900874406 
					 
					
						
						
							
							Added policy option to allow host key subsets and/or reorderings.  
						
						 
						
						
						
						
					 
					
						2025-09-01 16:22:40 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						0382cf9b2d 
					 
					
						
						
							
							Aside from linking to online hardening guides, mention that built-in guides are also available.  
						
						 
						
						
						
						
					 
					
						2025-08-30 16:26:57 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						970d747dcb 
					 
					
						
						
							
							Smoothed out some rough edges from PR #307.
						
						 
						
						
						
						
					 
					
						2025-08-17 16:34:32 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								oam7575 
							
						 
					 
					
						
						
							
						
						1c0d3d5df1 
					 
					
						
						
							
							print config v2 Issue #191 (#307)
						
						 
						
						
						
						
						* print config v2
 - printconfig script
 - test_printconfig for tox testing
 - update globals for GUIDES_UPDATED date value
 - update ssh_audit for print_config argument and checks
* pr307 update 1
* pr307 update 2
* pr307 - attempt 2
* Update ssh_audit.py
Missed a TAB 
						
						
					 
					
						2025-08-17 16:05:14 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						11a902cb14 
					 
					
						
						
							
							Removed SSHv1 support (#298).
						
						 
						
						
						
						
					 
					
						2025-07-26 19:57:11 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						5ddd8cca5b 
					 
					
						
						
							
							Added 2 new key exchanges: mlkem768nistp256-sha256, mlkem1024nistp384-sha384.  
						
						 
						
						
						
						
					 
					
						2025-04-18 18:29:18 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						e318787a5c 
					 
					
						
						
							
							Batch mode no longer automatically enables verbose mode.  
						
						 
						
						
						
						
					 
					
						2024-12-05 10:06:58 -05:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						28a1e23986 
					 
					
						
						
							
							Added warnings to all key exchanges that do not provide protection against quantum attacks.  
						
						 
						
						
						
						
					 
					
						2024-11-25 15:56:51 -05:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						a01baadfa8 
					 
					
						
						
							
							Additional cleanups after merging #304.
						
						 
						
						
						
						
					 
					
						2024-11-22 12:28:02 -05:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						c0133a8d5f 
					 
					
						
						
							
							Listing built-in policies will now hide older versions, unless -v is used.  
						
						 
						
						
						
						
					 
					
						2024-10-11 15:43:09 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						720150b471 
					 
					
						
						
							
							Issue a warning if an out-dated policy is used.  
						
						 
						
						
						
						
					 
					
						2024-10-10 15:57:29 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						93b30b4258 
					 
					
						
						
							
							Removed version-based CVE information. (#240)
						
						 
						
						
						
						
					 
					
						2024-09-26 13:15:58 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						2cd96f1785 
					 
					
						
						
							
							Ensure ECDSA and DSS fingerprints are only output in verbose mode.  Clean up Docker tests from merge of #286.
						
						 
						
						
						
						
					 
					
						2024-09-25 17:05:17 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						92db5f0138 
					 
					
						
						
							
							Updated docker tests and README due to merge of PR #281.
						
						 
						
						
						
						
					 
					
						2024-07-05 10:53:00 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						8190fe59d0 
					 
					
						
						
							
							Added implementation for DHEat denial-of-service attack (CVE-2002-20001). (#211, #217)
						
						 
						
						
						
						
					 
					
						2024-04-18 13:58:13 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						d7f8bf3e6d 
					 
					
						
						
							
							Updated notes on OpenSSH default key exchanges. (#258)
						
						 
						
						
						
						
					 
					
						2024-03-19 18:24:22 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						3d403b1d70 
					 
					
						
						
							
							Updated availability of algorithms in Dropbear. (#257)
						
						 
						
						
						
						
					 
					
						2024-03-19 15:47:09 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						9fae870260 
					 
					
						
						
							
							Added allow_larger_keys flag to custom policies to control whether targets can have larger keys, and added Docker tests to complete work started in PR #242.
						
						 
						
						
						
						
					 
					
						2024-03-19 14:45:19 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						3c31934ac7 
					 
					
						
						
							
							Added tests and other cleanups resulting from merging PR #252.
						
						 
						
						
						
						
					 
					
						2024-03-18 17:48:50 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						7b3402b207 
					 
					
						
						
							
							Added note that sntrup761x25519-sha512@openssh.com is the default OpenSSH kex since version 9.0.  
						
						 
						
						
						
						
					 
					
						2024-03-15 17:24:21 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						b2f46eb71a 
					 
					
						
						
							
							Added extra GSS wildcard matching test.  
						
						 
						
						
						
						
					 
					
						2024-03-15 17:05:40 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						15078aaea9 
					 
					
						
						
							
							Built-in policies now include a change log.  
						
						 
						
						
						
						
					 
					
						2024-03-14 17:58:16 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						f0874af4cd 
					 
					
						
						
							
							Split built-in policies from policy.py to builtin_policies.py.  
						
						 
						
						
						
						
					 
					
						2024-03-14 17:24:40 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						75dbc03a77 
					 
					
						
						
							
							Added 'additional_notes' field to JSON output.  
						
						 
						
						
						
						
					 
					
						2023-12-19 18:03:07 -05:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						c259a83782 
					 
					
						
						
							
							Added note that when a target is properly configured against the Terrapin vulnerability that unpatched peers may still create vulnerable connections.  Updated Ubuntu Server & Client 20.04 & 22.04 policies to include new key exchange markers related to Terrapin counter-measures.  
						
						 
						
						
						
						
					 
					
						2023-12-19 14:03:28 -05:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						8e972c5e94 
					 
					
						
						
							
							Added test for the Terrapin vulnerability (CVE-2023-48795) (#227).
						
						 
						
						
						
						
					 
					
						2023-12-18 18:24:49 -05:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						f8e29674a3 
					 
					
						
						
							
							Refined JSON notes output.  Fixed Docker & Tox tests.  
						
						 
						
						
						
						
					 
					
						2023-09-05 16:36:54 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						38f9c21760 
					 
					
						
						
							
							The color of all notes will be printed in green when the related algorithm is rated good.  
						
						 
						
						
						
						
					 
					
						2023-09-03 19:14:25 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						77cdb969b9 
					 
					
						
						
							
							Fixed flake8 tests.  
						
						 
						
						
						
						
					 
					
						2023-09-03 16:25:26 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						199e75f6cd 
					 
					
						
						
							
							Refined GEX testing against OpenSSH servers: when the fallback mechanism is suspected of being triggered, perform an additional test to obtain more accurate results.  
						
						 
						
						
						
						
					 
					
						2023-09-03 16:13:00 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						e2fc60cbb4 
					 
					
						
						
							
							Updated README and test for resolve function.  
						
						 
						
						
						
						
					 
					
						2023-06-20 09:26:43 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						639f11a5e5 
					 
					
						
						
							
							Results from concurrent scans against multiple hosts are no longer improperly combined (#190).
						
						 
						
						
						
						
					 
					
						2023-06-19 14:13:32 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						7f8d6b4d5b 
					 
					
						
						
							
							Fixed built-in policy formatting and filled in missing host key size information.  
						
						 
						
						
						
						
					 
					
						2023-04-26 15:47:58 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						263267c5ad 
					 
					
						
						
							
							Added support for mixed host key/CA key types (i.e.: RSA host keys signed by ED25519 CAs) (#120).
						
						 
						
						
						
						
					 
					
						2023-04-25 09:17:32 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						4f31304b66 
					 
					
						
						
							
							Alphabetized algorithm database.  
						
						 
						
						
						
						
					 
					
						2023-03-28 12:09:25 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						dc083de87e 
					 
					
						
						
							
							Added recommendations and CVE information to JSON output (#122).
						
						 
						
						
						
						
					 
					
						2023-03-24 18:48:36 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						cc9e4fbc4a 
					 
					
						
						
							
							Generic failure/warning messages replaced with more specific reasons.  SHA-1 algorithms now cause failures.  CBC mode ciphers are now warnings instead of failures.  
						
						 
						
						
						
						
					 
					
						2023-03-23 21:36:02 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						992aa1b961 
					 
					
						
						
							
							Added support for kex GSS wildcards (#143).
						
						 
						
						
						
						
					 
					
						2023-03-21 22:17:23 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						413dea60ae 
					 
					
						
						
							
							Fixed docker tests affected by previous commit.  
						
						 
						
						
						
						
					 
					
						2023-03-21 14:58:00 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						71feaa191e 
					 
					
						
						
							
							Add note regarding OpenSSH's 2048-bit GEX fallback, and suppress the related recommendation since the user cannot control it (partly related to #168).
						
						 
						
						
						
						
					 
					
						2023-03-21 11:44:45 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						7bbf4cdff0 
					 
					
						
						
							
							Fix tox tests.  
						
						 
						
						
						
						
					 
					
						2023-02-06 18:24:03 -05:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						c9dc9a9c10 
					 
					
						
						
							
							Now issues a warning when 2048-bit moduli are encountered.  
						
						 
						
						
						
						
					 
					
						2023-02-06 16:27:30 -05:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						b9520cbc25 
					 
					
						
						
							
							Fixed pylint & flake8 warnings and errors.  
						
						 
						
						
						
						
					 
					
						2022-10-10 20:40:29 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						c6b8dc97e1 
					 
					
						
						
							
							Fixed tests.  
						
						 
						
						
						
						
					 
					
						2022-02-21 21:48:10 -05:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								tomatohater1337 
							
						 
					 
					
						
						
							
						
						1f0b3acff2 
					 
					
						
						
							
							Complete "target" in the JSON output with the port (#123)
						
						 
						
						
						
						
						* Complete "target" in JSON output with the port
The JSON output was not showing the port of the target which was scanned. This could be problematic when scanning a host with more than one ssh service running.
* Docker tests completed with the port of the scan target in the JSON output
						
						
					 
					
						2021-10-13 23:44:55 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						07862489c4 
					 
					
						
						
							
							Added MD5 fingerprint hashes to verbose output.  
						
						 
						
						
						
						
					 
					
						2021-05-20 18:03:24 -04:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						8e9fe20fac 
					 
					
						
						
							
							SSH_Socket's constructor now takes an OutputBuffer for verbose & debugging output.  
						
						 
						
						
						
						
					 
					
						2021-03-02 11:25:37 -05:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						b300ad1252 
					 
					
						
						
							
							Refactored IPv4/6 preference logic to fix pylint warnings.  
						
						 
						
						
						
						
					 
					
						2021-02-23 16:05:01 -05:00  
					
					
						 
						
						
							
							
							 
							
							
							
							
							 
						
					 
				 
			
				
					
						
							
							
								 
								Joe Testa 
							
						 
					 
					
						
						
							
						
						1bbc3feb57 
					 
					
						
						
							
							Added OpenSSH 8.5 built-in policy.  Added sntrup761x25519-sha512@openssh.com kex.  
						
						 
						
						
						
						
					 
					
						2021-02-23 16:02:20 -05:00