Joe Testa
|
15078aaea9
|
Built-in policies now include a change log.
|
2024-03-14 17:58:16 -04:00 |
|
Joe Testa
|
064b55e0c2
|
Added 1 new key exchange algorithm: gss-nistp384-sha384-*
|
2024-03-14 16:01:48 -04:00 |
|
Joe Testa
|
a4f508374a
|
Updated README.
|
2024-03-12 21:13:10 -04:00 |
|
Joe Testa
|
3313046714
|
Added built-in policy for OpenSSH 9.7.
|
2024-03-12 20:23:55 -04:00 |
|
Joe Testa
|
699739d42a
|
Gracefully handle rare exceptions (i.e.: crashes) while performing GEX tests.
|
2024-02-17 13:44:06 -05:00 |
|
Joe Testa
|
a958fd1fec
|
Snap builds are now architecture-independent. (#232)
|
2024-02-17 12:54:28 -05:00 |
|
Joe Testa
|
c33f419224
|
Updated '-m', '--manual' description in README.
|
2024-02-16 23:16:07 -05:00 |
|
Joe Testa
|
20fbb706b0
|
The built-in man page (, ) is now available on Docker, PyPI, and Snap builds, in addition to the Windows build. (#231)
|
2024-02-16 22:40:53 -05:00 |
|
Joe Testa
|
73b669b49d
|
Fixed parsing of ecdsa-sha2-nistp* CA signatures on host keys. Additionally, they are now flagged as potentially back-doored, just as standard host keys are. (#239)
|
2024-02-16 21:58:51 -05:00 |
|
Joe Testa
|
f326d58068
|
Disable color when the NO_COLOR environment variable is set. (#234)
|
2024-01-28 18:17:49 -05:00 |
|
Joe Testa
|
fe65b5df8a
|
Added missing dev tag to Change Log: v3.2.0 -> v3.2.0-dev
|
2023-12-21 15:34:38 -05:00 |
|
Joe Testa
|
44393c56b3
|
Expanded filter of CBC ciphers to flag for the Terrapin vulnerability.
|
2023-12-21 15:30:43 -05:00 |
|
Joe Testa
|
dd91c2a41a
|
Bumped version to 3.1.0 in preparation for stable release. Updated Change Log in README.
|
2023-12-20 13:12:13 -05:00 |
|
Joe Testa
|
75dbc03a77
|
Added 'additional_notes' field to JSON output.
|
2023-12-19 18:03:07 -05:00 |
|
Joe Testa
|
c9412cbb88
|
Added built-in policies for OpenSSH 9.5 and 9.6.
|
2023-12-19 17:42:43 -05:00 |
|
Joe Testa
|
c259a83782
|
Added note that when a target is properly configured against the Terrapin vulnerability that unpatched peers may still create vulnerable connections. Updated Ubuntu Server & Client 20.04 & 22.04 policies to include new key exchange markers related to Terrapin counter-measures.
|
2023-12-19 14:03:28 -05:00 |
|
Joe Testa
|
8e972c5e94
|
Added test for the Terrapin vulnerability (CVE-2023-48795) (#227).
|
2023-12-18 18:24:49 -05:00 |
|
Joe Testa
|
965bcb6b18
|
Dropped support for Python 3.7.
|
2023-11-27 23:35:40 -05:00 |
|
Joe Testa
|
ba8e8a7e68
|
Re-organized option host key types for OpenSSH 9.2 to correspond with updated Debian 12 hardening guide.
|
2023-11-27 21:33:13 -05:00 |
|
Joe Testa
|
bad2c9cd8e
|
In Ubuntu 22.04 client policy, moved host key types and to the end of all certificate types.
|
2023-11-27 20:07:36 -05:00 |
|
Joe Testa
|
69e1e121fd
|
In server policies, reduced expected DH modulus sizes from 4096 to 3072 to match online hardening guides.
|
2023-11-27 19:15:18 -05:00 |
|
Joe Testa
|
d62e4cd80c
|
Added Python 3.12 to Tox tests.
|
2023-10-22 16:43:04 -04:00 |
|
Joe Testa
|
f517e03d9f
|
Bumped version to v3.0.0.
|
2023-09-07 07:45:07 -04:00 |
|
Joe Testa
|
6c64257d91
|
Updated README.
|
2023-09-06 22:37:06 -04:00 |
|
Joe Testa
|
e26597a7aa
|
Marked all NIST K-, B-, and T-curves as unproven since they are so rarely used. Added 12 new host keys: 'ecdsa-sha2-curve25519', 'ecdsa-sha2-nistb233', 'ecdsa-sha2-nistb409', 'ecdsa-sha2-nistk163', 'ecdsa-sha2-nistk233', 'ecdsa-sha2-nistk283', 'ecdsa-sha2-nistk409', 'ecdsa-sha2-nistp224', 'ecdsa-sha2-nistp192', 'ecdsa-sha2-nistt571', 'ssh-dsa', 'x509v3-sign-rsa-sha256'. Added 15 key exchanges: 'curve448-sha512@libssh.org', 'ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org', 'ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org', 'ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org', 'ecdh-sha2-brainpoolp256r1@genua.de', 'ecdh-sha2-brainpoolp384r1@genua.de', 'ecdh-sha2-brainpoolp521r1@genua.de', 'kexAlgoDH14SHA1', 'kexAlgoDH1SHA1', 'kexAlgoECDH256', 'kexAlgoECDH384', 'kexAlgoECDH521', 'sm2kep-sha2-nistp256', 'x25519-kyber-512r3-sha256-d00@amazon.com', 'x25519-kyber512-sha512@aws.amazon.com'. Added 8 new ciphers: 'aes192-gcm@openssh.com', 'cast128-12-cbc', 'cast128-12-cfb', 'cast128-12-ecb', 'cast128-12-ofb', 'des-cfb', 'des-ecb', 'des-ofb'. Added 14 new MACs: 'cbcmac-3des', 'cbcmac-aes', 'cbcmac-blowfish', 'cbcmac-des', 'cbcmac-rijndael', 'cbcmac-twofish', 'hmac-sha256-96', 'md5', 'md5-8', 'ripemd160', 'ripemd160-8', 'sha1', 'sha1-8', 'umac-128'.
|
2023-09-05 20:10:37 -04:00 |
|
Joe Testa
|
f8e29674a3
|
Refined JSON notes output. Fixed Docker & Tox tests.
|
2023-09-05 16:36:54 -04:00 |
|
Joe Testa
|
79ca4b2d8b
|
Updated README.
|
2023-09-05 14:22:35 -04:00 |
|
Joe Testa
|
38f9c21760
|
The color of all notes will be printed in green when the related algorithm is rated good.
|
2023-09-03 19:14:25 -04:00 |
|
Joe Testa
|
4e6169d0cb
|
Added built-in policy for OpenSSH 9.4.
|
2023-09-03 18:12:16 -04:00 |
|
Joe Testa
|
199e75f6cd
|
Refined GEX testing against OpenSSH servers: when the fallback mechanism is suspected of being triggered, perform an additional test to obtain more accurate results.
|
2023-09-03 16:13:00 -04:00 |
|
Joe Testa
|
3f2fdbaa3d
|
Fixed crash during GEX tests.
|
2023-07-11 11:08:42 -04:00 |
|
Joe Testa
|
83e90729e2
|
Updated README.
|
2023-06-20 16:12:30 -04:00 |
|
Joe Testa
|
e2fc60cbb4
|
Updated README and test for resolve function.
|
2023-06-20 09:26:43 -04:00 |
|
Joe Testa
|
639f11a5e5
|
Results from concurrent scans against multiple hosts are no longer improperly combined (#190).
|
2023-06-19 14:13:32 -04:00 |
|
Joe Testa
|
521a50a796
|
Added 'curve448-sha512@libssh.org' kex. (#195)
|
2023-06-19 10:35:13 -04:00 |
|
Joe Testa
|
3ba28b01e9
|
Added release date of v2.9.0.
|
2023-04-29 12:39:04 -04:00 |
|
Joe Testa
|
3c1451cfdc
|
Bumped version to v2.9.0.
|
2023-04-29 12:33:26 -04:00 |
|
Joe Testa
|
929652c9b7
|
Simplified host key test logic.
|
2023-04-29 11:59:50 -04:00 |
|
Joe Testa
|
c33e7d9b72
|
Added built-in policies for OpenSSH 8.8, 8.9, 9.0, 9.1, 9.2, and 9.3.
|
2023-04-27 21:40:47 -04:00 |
|
Joe Testa
|
0074fcc1af
|
Rolled back Windows multithreading crash fix, as upgrading from Python v3.9 to v3.11 may have fixed the root cause. (#152)
|
2023-04-26 21:55:40 -04:00 |
|
Joe Testa
|
1eab4ab0e6
|
Updated README.
|
2023-04-26 15:49:45 -04:00 |
|
Joe Testa
|
a5f5e0dab2
|
Updated changelog.
|
2023-04-25 10:25:06 -04:00 |
|
Joe Testa
|
263267c5ad
|
Added support for mixed host key/CA key types (i.e.: RSA host keys signed by ED25519 CAs) (#120).
|
2023-04-25 09:17:32 -04:00 |
|
Joe Testa
|
6f05a2c6b5
|
Updated README.
|
2023-03-25 14:15:53 -04:00 |
|
Joe Testa
|
784d412148
|
Added Repology table.
|
2023-03-24 19:22:45 -04:00 |
|
Joe Testa
|
cc9e4fbc4a
|
Generic failure/warning messages replaced with more specific reasons. SHA-1 algorithms now cause failures. CBC mode ciphers are now warnings instead of failures.
|
2023-03-23 21:36:02 -04:00 |
|
Joe Testa
|
c9dc9a9c10
|
Now issues a warning when 2048-bit moduli are encountered.
|
2023-02-06 16:27:30 -05:00 |
|
Joe Testa
|
433c7e779d
|
Added 2 new ciphers: 'rijndael-cbc@ssh.com', 'cast128-12-cbc@ssh.com'. Added 21 new host key types: .
|
2023-02-02 18:57:53 -05:00 |
|
Joe Testa
|
984ea1eee3
|
Added the following 9 new host key types: 'dsa2048-sha224@libassh.org', 'dsa2048-sha256@libassh.org', 'dsa3072-sha256@libassh.org', 'ecdsa-sha2-1.3.132.0.10-cert-v01@openssh.com', 'eddsa-e382-shake256@libassh.org', 'eddsa-e521-shake256@libassh.org', 'null', 'pgp-sign-dss', 'pgp-sign-rsa'. Added the following 22 new key exchange algorithms: 'diffie-hellman-group-exchange-sha224@ssh.com', 'diffie-hellman-group-exchange-sha384@ssh.com', 'diffie-hellman-group14-sha224@ssh.com', 'diffie-hellman_group17-sha512', 'ecmqv-sha2', 'gss-13.3.132.0.10-sha256-*', 'gss-curve25519-sha256-*', 'gss-curve448-sha512-*', 'gss-gex-sha1-*', 'gss-gex-sha256-*', 'gss-group1-sha1-*', 'gss-group14-sha1-*', 'gss-group14-sha256-*', 'gss-group15-sha512-*', 'gss-group16-sha512-*', 'gss-group17-sha512-*', 'gss-group18-sha512-*', 'gss-nistp256-sha256-*', 'gss-nistp384-sha256-*', 'gss-nistp521-sha512-*', 'm383-sha384@libassh.org', 'm511-sha512@libassh.org'. Added the following 26 new ciphers: '3des-cfb', '3des-ecb', '3des-ofb', 'blowfish-cfb', 'blowfish-ecb', 'blowfish-ofb', 'camellia128-cbc@openssh.org', 'camellia128-ctr@openssh.org', 'camellia192-cbc@openssh.org', 'camellia192-ctr@openssh.org', 'camellia256-cbc@openssh.org', 'camellia256-ctr@openssh.org', 'cast128-cfb', 'cast128-ecb', 'cast128-ofb', 'idea-cfb', 'idea-ecb', 'idea-ofb', 'seed-ctr@ssh.com', 'serpent128-gcm@libassh.org', 'serpent256-gcm@libassh.org', 'twofish-cfb', 'twofish-ecb', 'twofish-ofb', 'twofish128-gcm@libassh.org', 'twofish256-gcm@libassh.org'. Added the following 4 new HMAC algorithms: 'hmac-sha224@ssh.com', 'hmac-sha256-2@ssh.com', 'hmac-sha384@ssh.com', 'hmac-whirlpool'.
|
2023-02-02 18:30:40 -05:00 |
|
Joe Testa
|
0b905a7fdd
|
Added Ubuntu Client 22.04 hardening policy.
|
2023-02-01 19:29:54 -05:00 |
|