Commit Graph

182 Commits

Author SHA1 Message Date
Joe Testa
772204ce8b Bumped version to v3.3.0. 2024-10-15 13:28:38 -04:00
Joe Testa
c0133a8d5f Listing built-in policies will now hide older versions, unless -v is used. 2024-10-11 15:43:09 -04:00
Joe Testa
3220043aaf Added note regarding hardening instructions. 2024-10-10 16:10:52 -04:00
Joe Testa
720150b471 Issue a warning if an out-dated policy is used. 2024-10-10 15:57:29 -04:00
Joe Testa
d0628f6eb4 Updated ext-info-c and ext-info-s key exchanges to include versions of OpenSSH they were first included in. (#291) 2024-10-07 17:41:39 -04:00
Joe Testa
1e060a94c0 Updated built-in server and client policies for Amazon Linux 2023. 2024-10-01 18:15:02 -04:00
Joe Testa
8563c2925b Updated built-in client policy for Debian 12. 2024-10-01 17:48:49 -04:00
Joe Testa
556306be5e Updated built-in client policy for Rocky Linux 9. 2024-10-01 17:39:42 -04:00
Joe Testa
7ab6d20454 Updated built-in client policy for Ubuntu 22.04. 2024-10-01 17:32:49 -04:00
Joe Testa
1f1a51d591 Updated Ubuntu 22.04 built-in policy. 2024-10-01 17:06:03 -04:00
Joe Testa
77a63de133 Updated Rocky Linux 9 built-in policy. 2024-10-01 16:21:23 -04:00
Joe Testa
cffa126277 Updated Debian 12 built-in policy. (#283) 2024-10-01 15:01:44 -04:00
Joe Testa
dc615cef7f Fixed DH rate testing on Windows. (#261) 2024-09-28 18:39:55 -04:00
Joe Testa
cb6142c609 Ignore mypy errors on colorama import. 2024-09-28 17:43:32 -04:00
Joe Testa
93b30b4258 Removed version-based CVE information. (#240) 2024-09-26 13:15:58 -04:00
Joe Testa
3b8a75e407 Server kex/host key parsing failures no longer output a stack trace unless in debug mode. 2024-09-25 17:34:18 -04:00
Joe Testa
2cd96f1785 Ensure ECDSA and DSS fingerprints are only output in verbose mode. Clean up Docker tests from merge of #286. 2024-09-25 17:05:17 -04:00
Daniel Lenski
a4b78b752e
Enable HostKeyTest to extract ECDSA and DSA keys (#286)
Their certificate-embedded counterparts are enabled as well.

As with RSA, it *is* possible for DSA keys to be of variable length (not
just 1024 bits), so I've added `{'variable_key_len': True}` to the relevant
`HOST_KEY_TYPES` entries, although this key-value pair is otherwise unused.
2024-09-25 16:57:03 -04:00
Joe Testa
e97bbd9782 Added Python 3.13 support. 2024-09-24 18:20:07 -04:00
Joe Testa
6d57c7c0f7 The -p/--port option will now set the default port for multi-host scans (specified with -T/--targets). (#294) 2024-09-24 16:42:53 -04:00
Joe Testa
ea3258151e Fixed invalid JSON output when a socket error occurs while performing a client audit. (#295) 2024-09-24 15:48:14 -04:00
Joe Testa
f9032c8277 Added built-in policy for OpenSSH 9.9. 2024-09-24 15:05:05 -04:00
Joe Testa
d7398baad7 Added two new key exchanges: mlkem768x25519-sha256, sntrup761x25519-sha512. 2024-09-19 17:40:49 -04:00
Joe Testa
4621d52223 Updated unknown algorithm message. 2024-09-19 17:01:37 -04:00
Joe Testa
2a7cb13895 Added grasshopper-ctr128 cipher. 2024-09-18 17:59:45 -04:00
Drew Noel
7752023dc2
Switch connect_ex result checks to use errno lookups (#289)
* Switch connect_ex result checks to errno lookups

* Return errno strings, clean up comment
2024-08-26 16:38:44 -04:00
Joe Testa
a6f02ae8e8 Added debugging output for key exchanges. 2024-08-26 16:25:32 -04:00
Daniel Lenski
bbbdf71e50
Recognize LANcom LCOS software and support ed448 key extraction (#277)
* Include raw hostkey bytes in debug output

* Recognize LANcom LCOS software and support extraction of ssh-ed448 key type

LANcom router devices appear to be primarily used in Germany (see [1]
for examples on the public Internet), and they appear to support the
`ssh-ed448` key type which is documented in [2], but which has never
been supported by any as-yet-released version of OpenSSH.

[1] https://www.shodan.io/search?query=ssh+%22ed448%22
[2] https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format
2024-07-06 20:56:24 -04:00
dreizehnutters
bc2a89eb11
fix for https://github.com/jtesta/ssh-audit/issues/280 (#281)
* fix for https://github.com/jtesta/ssh-audit/issues/280

* changed json format to min. the damage for a change
2024-07-05 10:49:16 -04:00
Daniel Lenski
d8f8b7c57c
Make HostKeyTest class reusable (#278)
Because the `HostKeyTest` class was mutating its static/global
`HOST_KEY_TYPES` dict, this class could not actually be used more than once
in a single thread!

Rather than mutate this dict after parsing each key type
(`HOST_KEY_TYPES[host_key_type]['parsed'] = True`), the `perform_test`
method should simple add the parsed key types to a local `set()`.
2024-07-05 10:11:18 -04:00
Joe Testa
e42961fa9a Added built-in policy for OpenSSH 9.8. 2024-07-02 21:31:36 -04:00
Joe Testa
dcbc43acdf Fixed crash when running with '-P' and '-T' options simultaneously. (#273) 2024-07-02 20:56:11 -04:00
Joe Testa
87e22ae26b Added IPv6 support for DHEat and connection rate tests. (#269) 2024-06-29 19:05:20 -04:00
Joe Testa
46ec4e3edc Added built-in policies for Ubuntu 24.04 LTS server and client. 2024-04-29 19:11:47 -04:00
Joe Testa
d19b154a46 Bumped version to v3.3.0-dev. 2024-04-22 17:57:26 -04:00
Joe Testa
68cf05d0ff Set version to 3.2.0 for release. 2024-04-22 16:32:57 -04:00
Joe Testa
2d9ddabcad Updated DHEat rate connection warning message. 2024-04-22 16:26:03 -04:00
Joe Testa
986f83653d Added multi-line real-time output for connection rate testing. 2024-04-22 13:56:50 -04:00
Joe Testa
3c459f1428 Revised connection rate warning during standard audits. 2024-04-22 11:58:52 -04:00
Joe Testa
46b89fff2e Sockets now time out after 30 seconds during connection rate testing. 2024-04-21 17:05:57 -04:00
Joe Testa
81718d1948 Fixed non-interactive connection rate tests. Revised warning for lack of connection throttling. 2024-04-21 15:08:38 -04:00
Joe Testa
8124c8e443 Added aes128-ocb@libassh.org cipher. 2024-04-18 21:09:02 -04:00
Joe Testa
b9f569fdf8 Added warnings for Windows platform. 2024-04-18 20:51:14 -04:00
Joe Testa
9126ae7d9c Improved DHEat statistics output. 2024-04-18 20:01:28 -04:00
Joe Testa
8190fe59d0 Added implementation for DHEat denial-of-service attack (CVE-2002-20001). (#211, #217) 2024-04-18 13:58:13 -04:00
Joe Testa
d7f8bf3e6d Updated notes on OpenSSH default key exchanges. (#258) 2024-03-19 18:24:22 -04:00
Joe Testa
3d403b1d70 Updated availability of algorithms in Dropbear. (#257) 2024-03-19 15:47:09 -04:00
Joe Testa
9fae870260 Added allow_larger_keys flag to custom policies to control whether targets can have larger keys, and added Docker tests to complete work started in PR #242. 2024-03-19 14:45:19 -04:00
Damian Szuberski
20873db596
use less-than instead of not-equal when comparing key sizes (#242)
When evaluating policy compliance, use less-than operator so keys bigger
than expected (and hence very often better) don't fail policy
evaulation. This change reduces the amount of false-positives and allows
for more flexibility when hardening SSH installations.

Signed-off-by: szubersk <szuberskidamian@gmail.com>
2024-03-19 14:38:27 -04:00
Joe Testa
3c31934ac7 Added tests and other cleanups resulting from merging PR #252. 2024-03-18 17:48:50 -04:00