Their certificate-embedded counterparts are enabled as well.
As with RSA, it *is* possible for DSA keys to be of variable length (not
just 1024 bits), so I've added `{'variable_key_len': True}` to the relevant
`HOST_KEY_TYPES` entries, although this key-value pair is otherwise unused.
* Include raw hostkey bytes in debug output
* Recognize LANcom LCOS software and support extraction of ssh-ed448 key type
LANcom router devices appear to be primarily used in Germany (see [1]
for examples on the public Internet), and they appear to support the
`ssh-ed448` key type which is documented in [2], but which has never
been supported by any as-yet-released version of OpenSSH.
[1] https://www.shodan.io/search?query=ssh+%22ed448%22
[2] https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format
Because the `HostKeyTest` class was mutating its static/global
`HOST_KEY_TYPES` dict, this class could not actually be used more than once
in a single thread!
Rather than mutate this dict after parsing each key type
(`HOST_KEY_TYPES[host_key_type]['parsed'] = True`), the `perform_test`
method should simply add the parsed key types to a local `set()`.
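As an added illustration of the state bug described above (this is example code written for this page, not ssh-audit's own implementation), the following models a `HostKeyTest`-style class both ways: one that records `'parsed'` in the module-global table and therefore skips every key type on its second run, and one that keeps the parsed set per call. The `HOST_KEY_TYPES` subset, the class names and the host key blobs are constructed for illustration; the blobs are framed as RFC 4251 `string`/`mpint` fields so the key size can be read from the raw bytes, but they are not real keys.

```python
"""Added example (not ssh-audit's code): global-state bug in a HostKeyTest-style class."""
import struct
from typing import Dict, List, Set, Tuple

# Constructed subset of a HOST_KEY_TYPES-style table; the real table is larger.
HOST_KEY_TYPES: Dict[str, Dict[str, object]] = {
    'ssh-ed25519': {'cert': False},
    'rsa-sha2-256': {'cert': False, 'variable_key_len': True},
}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack('>I', len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, 0x00-prefixed if the MSB is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, 'big')
    if raw and raw[0] & 0x80:
        raw = b'\x00' + raw
    return ssh_string(raw)


def read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one RFC 4251 string at offset; return (payload, next offset)."""
    (length,) = struct.unpack_from('>I', blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError('truncated SSH string')
    return blob[start:start + length], start + length


def hostkey_bits(blob: bytes) -> Tuple[str, int]:
    """Return (inner key-type name, key size in bits) for a raw host key blob."""
    name, off = read_string(blob, 0)
    key_type = name.decode('ascii')
    if key_type == 'ssh-ed25519':
        point, _ = read_string(blob, off)
        return key_type, len(point) * 8              # 32-byte point -> 256 bits
    if key_type == 'ssh-rsa':                        # rsa-sha2-* blobs carry 'ssh-rsa' inside
        _e, off = read_string(blob, off)             # public exponent, irrelevant to size
        n_bytes, _ = read_string(blob, off)
        return key_type, int.from_bytes(n_bytes, 'big').bit_length()
    raise ValueError(f'unsupported key type {key_type!r}')


# Constructed host key blobs: correctly framed bytes, NOT real keys.
SAMPLE_SERVER_KEYS: Dict[str, bytes] = {
    'ssh-ed25519': ssh_string(b'ssh-ed25519') + ssh_string(bytes(range(32))),
    'rsa-sha2-256': ssh_string(b'ssh-rsa') + ssh_mpint(65537) + ssh_mpint((1 << 2047) | 12345),
}


class BuggyHostKeyTest:
    """Pre-fix behaviour: the 'parsed' marker is written into the global table."""

    def perform_test(self, server_keys: Dict[str, bytes]) -> List[Tuple[str, int]]:
        results = []
        for host_key_type, blob in server_keys.items():
            entry = HOST_KEY_TYPES.get(host_key_type)
            if entry is None or entry.get('parsed'):
                continue                             # "already parsed": skipped forever after
            results.append((host_key_type, hostkey_bits(blob)[1]))
            entry['parsed'] = True                   # BUG: mutates module-global state
        return results


class FixedHostKeyTest:
    """Tracks parsed key types in a per-call set; HOST_KEY_TYPES is never written."""

    def perform_test(self, server_keys: Dict[str, bytes]) -> List[Tuple[str, int]]:
        parsed: Set[str] = set()
        results = []
        for host_key_type, blob in server_keys.items():
            if host_key_type not in HOST_KEY_TYPES or host_key_type in parsed:
                continue
            parsed.add(host_key_type)
            results.append((host_key_type, hostkey_bits(blob)[1]))
        return results


if __name__ == '__main__':
    buggy = BuggyHostKeyTest()
    print('buggy, 1st run:', buggy.perform_test(SAMPLE_SERVER_KEYS))
    print('buggy, 2nd run:', buggy.perform_test(SAMPLE_SERVER_KEYS))    # empty list
    print('fixed, 2nd run:', FixedHostKeyTest().perform_test(SAMPLE_SERVER_KEYS))
```

Running the buggy class twice in one process returns an empty result the second time, which is exactly why a shared lookup table must stay read-only and per-run bookkeeping belongs in a local set.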
When evaluating policy compliance, use the less-than operator so keys bigger
than expected (and hence very often better) don't fail policy
evaluation. This change reduces the number of false positives and allows
for more flexibility when hardening SSH installations.
Signed-off-by: szubersk <szuberskidamian@gmail.com>
* Added allowed policy fields
Added allowed fields for host keys, kex, ciphers and macs
* Adapted policy.py to newest dev version
* Added allow_algorithm_subset_and_reordering flag
* Removed allowed policy entries as they are redundant now
* Fixed call to append_error
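The two policy decisions mentioned above (comparing host key sizes with less-than rather than requiring an exact size, and the `allow_algorithm_subset_and_reordering` flag) are easier to see in code. The following is an added example written for this page, not ssh-audit's policy engine or its policy file format: the field names, the policy values and the two "scan results" are constructed, and the flag's semantics (server may offer any subset of the policy's algorithms, in any order) is an assumption.

```python
"""Added example (not ssh-audit's code): key-size and algorithm-list policy checks."""
from typing import Dict, List, Sequence

# Constructed policy. 'hostkey_sizes' values are minimums; list fields are allowed algorithms.
POLICY: Dict[str, object] = {
    'hostkey_sizes': {'rsa-sha2-256': 3072, 'ssh-ed25519': 256},
    'kex': ['curve25519-sha256', 'diffie-hellman-group16-sha512'],
    'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com'],
    'macs': ['hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com'],
    'allow_algorithm_subset_and_reordering': False,   # assumed flag name and semantics
}

# Constructed scan results for two hypothetical servers.
OBSERVED_EXACT = {
    'hostkey_sizes': {'rsa-sha2-256': 4096, 'ssh-ed25519': 256},   # RSA key larger than policy
    'kex': ['curve25519-sha256', 'diffie-hellman-group16-sha512'],
    'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com'],
    'macs': ['hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com'],
}
OBSERVED_SUBSET = {
    'hostkey_sizes': {'rsa-sha2-256': 4096, 'ssh-ed25519': 256},
    'kex': ['diffie-hellman-group16-sha512'],                                 # subset
    'ciphers': ['aes256-gcm@openssh.com', 'chacha20-poly1305@openssh.com'],  # reordered
    'macs': ['hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com'],
}


def check_key_sizes(policy: Dict[str, object], observed_sizes: Dict[str, int],
                    strict_equality: bool = False) -> List[str]:
    """Report host keys that violate the policy's size requirement.

    strict_equality=True reproduces the old behaviour (a 4096-bit key fails a
    3072-bit policy); the default uses '<' so only smaller-than-expected keys fail.
    """
    errors = []
    for key_type, minimum in policy['hostkey_sizes'].items():
        actual = observed_sizes.get(key_type)
        if actual is None:
            continue   # key type not offered; that is an algorithm-list matter, not a size one
        bad = (actual != minimum) if strict_equality else (actual < minimum)
        if bad:
            errors.append(f'{key_type}: {actual} bits (policy minimum {minimum})')
    return errors


def check_algorithm_list(name: str, expected: Sequence[str], actual: Sequence[str],
                         allow_subset_and_reordering: bool) -> List[str]:
    """Exact-match the list, or (with the flag) only reject algorithms outside the policy."""
    if allow_subset_and_reordering:
        return [f'{name}: {alg} not allowed by policy' for alg in actual if alg not in expected]
    if list(actual) != list(expected):
        return [f'{name}: expected {list(expected)}, got {list(actual)}']
    return []


def evaluate_policy(policy: Dict[str, object], observed: Dict[str, object]) -> List[str]:
    """Return all policy errors for one scan result; an empty list means compliant."""
    errors = check_key_sizes(policy, observed['hostkey_sizes'])
    flag = bool(policy.get('allow_algorithm_subset_and_reordering', False))
    for section in ('kex', 'ciphers', 'macs'):
        errors += check_algorithm_list(section, policy[section], observed[section], flag)
    return errors


if __name__ == '__main__':
    print('exact server:', evaluate_policy(POLICY, OBSERVED_EXACT))
    print('subset server, strict:', evaluate_policy(POLICY, OBSERVED_SUBSET))
    relaxed = {**POLICY, 'allow_algorithm_subset_and_reordering': True}
    print('subset server, relaxed:', evaluate_policy(relaxed, OBSERVED_SUBSET))
    print('old size check:', check_key_sizes(POLICY, OBSERVED_EXACT['hostkey_sizes'], strict_equality=True))
```

With the relaxed flag a server that offers fewer algorithms, or the same ones in a different order, still passes, while anything not in the policy is still reported; the size check only ever complains about keys smaller than the policy minimum.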