Joe Testa
9fae870260
Added allow_larger_keys flag to custom policies to control whether targets can have larger keys, and added Docker tests to complete work started in PR #242 .
2024-03-19 14:45:19 -04:00
Damian Szuberski
20873db596
use less-than instead of not-equal when comparing key sizes ( #242 )
...
When evaluating policy compliance, use less-than operator so keys bigger
than expected (and hence very often better) don't fail policy
evaulation. This change reduces the amount of false-positives and allows
for more flexibility when hardening SSH installations.
Signed-off-by: szubersk <szuberskidamian@gmail.com>
2024-03-19 14:38:27 -04:00
Joe Testa
3c31934ac7
Added tests and other cleanups resulting from merging PR #252 .
2024-03-18 17:48:50 -04:00
yannik1015
5bd925ffc6
[WIP] Adding allowed algorithms ( #252 )
...
* Added allowed policy fields
Added allowed fields for host keys kex ciphers and macs
* Adapted policy.py to newest dev version
* Added allow_algorithm_subset_and_reordering flag
* Removed allowed policy entries as they are redundant now
* Fixed call to append_error
2024-03-18 17:41:17 -04:00
Joe Testa
7b3402b207
Added note that sntrup761x25519-sha512@openssh.com is the default OpenSSH kex since version 9.0.
2024-03-15 17:24:21 -04:00
Joe Testa
b70fb0bc4c
Added built-in policies for Amazon Linux 2023, Debian 12, and Rocky Linux 9.
2024-03-15 16:24:36 -04:00
Joe Testa
db5104ecb8
Built-in policy change logs no longer printed within quotes.
2024-03-14 18:13:53 -04:00
Joe Testa
15078aaea9
Built-in policies now include a change log.
2024-03-14 17:58:16 -04:00
Joe Testa
f0874af4cd
Split built-in policies from policy.py to builtin_policies.py.
2024-03-14 17:24:40 -04:00
Joe Testa
064b55e0c2
Added 1 new key exchange algorithm: gss-nistp384-sha384-*
2024-03-14 16:01:48 -04:00
Joe Testa
cb0f6b63d7
Fixed new pylint warnings.
2024-03-12 20:46:39 -04:00
Joe Testa
3313046714
Added built-in policy for OpenSSH 9.7.
2024-03-12 20:23:55 -04:00
Joe Testa
699739d42a
Gracefully handle rare exceptions (i.e.: crashes) while performing GEX tests.
2024-02-17 13:44:06 -05:00
Joe Testa
20fbb706b0
The built-in man page (, ) is now available on Docker, PyPI, and Snap builds, in addition to the Windows build. ( #231 )
2024-02-16 22:40:53 -05:00
Joe Testa
73b669b49d
Fixed parsing of ecdsa-sha2-nistp* CA signatures on host keys. Additionally, they are now flagged as potentially back-doored, just as standard host keys are. ( #239 )
2024-02-16 21:58:51 -05:00
Joe Testa
f326d58068
Disable color when the NO_COLOR environment variable is set. ( #234 )
2024-01-28 18:17:49 -05:00
Joe Testa
b72f6a420f
Added note regarding general OpenSSH policies failing against platforms with back-ported features. ( #236 )
2024-01-28 17:37:21 -05:00
Joe Testa
44393c56b3
Expanded filter of CBC ciphers to flag for the Terrapin vulnerability.
2023-12-21 15:30:43 -05:00
Ville Skyttä
164356e776
Spelling fixes ( #233 )
2023-12-21 08:58:12 -05:00
Joe Testa
c8e075ad13
Bumped version number to v3.2.0-dev.
2023-12-20 15:41:03 -05:00
Joe Testa
dd91c2a41a
Bumped version to 3.1.0 in preparation for stable release. Updated Change Log in README.
2023-12-20 13:12:13 -05:00
Joe Testa
bef8c6c0f7
Updated notes on fixing Terrapin vulnerability.
2023-12-20 12:11:55 -05:00
Joe Testa
75dbc03a77
Added 'additional_notes' field to JSON output.
2023-12-19 18:03:07 -05:00
Joe Testa
c9412cbb88
Added built-in policies for OpenSSH 9.5 and 9.6.
2023-12-19 17:42:43 -05:00
Joe Testa
a0f99942a2
Don't recommend enabling the chacha & CBC ciphers, nor ETM MACs in case the user disabled them to address the Terrapin vulnerability. ( #229 )
2023-12-19 17:16:58 -05:00
Joe Testa
c259a83782
Added note that when a target is properly configured against the Terrapin vulnerability that unpatched peers may still create vulnerable connections. Updated Ubuntu Server & Client 20.04 & 22.04 policies to include new key exchange markers related to Terrapin counter-measures.
2023-12-19 14:03:28 -05:00
Joe Testa
8e972c5e94
Added test for the Terrapin vulnerability (CVE-2023-48795) ( #227 ).
2023-12-18 18:24:49 -05:00
Joe Testa
ba8e8a7e68
Re-organized option host key types for OpenSSH 9.2 to correspond with updated Debian 12 hardening guide.
2023-11-27 21:33:13 -05:00
Joe Testa
bad2c9cd8e
In Ubuntu 22.04 client policy, moved host key types and to the end of all certificate types.
2023-11-27 20:07:36 -05:00
Joe Testa
69e1e121fd
In server policies, reduced expected DH modulus sizes from 4096 to 3072 to match online hardening guides.
2023-11-27 19:15:18 -05:00
Joe Testa
02ab487232
Bumped version to v3.1.0-dev.
2023-09-07 08:57:59 -04:00
Joe Testa
f517e03d9f
Bumped version to v3.0.0.
2023-09-07 07:45:07 -04:00
Joe Testa
e26597a7aa
Marked all NIST K-, B-, and T-curves as unproven since they are so rarely used. Added 12 new host keys: 'ecdsa-sha2-curve25519', 'ecdsa-sha2-nistb233', 'ecdsa-sha2-nistb409', 'ecdsa-sha2-nistk163', 'ecdsa-sha2-nistk233', 'ecdsa-sha2-nistk283', 'ecdsa-sha2-nistk409', 'ecdsa-sha2-nistp224', 'ecdsa-sha2-nistp192', 'ecdsa-sha2-nistt571', 'ssh-dsa', 'x509v3-sign-rsa-sha256'. Added 15 key exchanges: 'curve448-sha512@libssh.org', 'ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org', 'ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org', 'ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org', 'ecdh-sha2-brainpoolp256r1@genua.de', 'ecdh-sha2-brainpoolp384r1@genua.de', 'ecdh-sha2-brainpoolp521r1@genua.de', 'kexAlgoDH14SHA1', 'kexAlgoDH1SHA1', 'kexAlgoECDH256', 'kexAlgoECDH384', 'kexAlgoECDH521', 'sm2kep-sha2-nistp256', 'x25519-kyber-512r3-sha256-d00@amazon.com', 'x25519-kyber512-sha512@aws.amazon.com'. Added 8 new ciphers: 'aes192-gcm@openssh.com', 'cast128-12-cbc', 'cast128-12-cfb', 'cast128-12-ecb', 'cast128-12-ofb', 'des-cfb', 'des-ecb', 'des-ofb'. Added 14 new MACs: 'cbcmac-3des', 'cbcmac-aes', 'cbcmac-blowfish', 'cbcmac-des', 'cbcmac-rijndael', 'cbcmac-twofish', 'hmac-sha256-96', 'md5', 'md5-8', 'ripemd160', 'ripemd160-8', 'sha1', 'sha1-8', 'umac-128'.
2023-09-05 20:10:37 -04:00
Joe Testa
f8e29674a3
Refined JSON notes output. Fixed Docker & Tox tests.
2023-09-05 16:36:54 -04:00
Bareq
d3dd5a9cac
Improved JSON output ( #185 )
2023-09-05 16:16:23 -04:00
Joe Testa
884ef645f8
Prioritized certificate host key types for Ubuntu 22.04 client policy. ( #193 )
2023-09-05 14:01:51 -04:00
Joe Testa
38f9c21760
The color of all notes will be printed in green when the related algorithm is rated good.
2023-09-03 19:14:25 -04:00
Joe Testa
4e6169d0cb
Added built-in policy for OpenSSH 9.4.
2023-09-03 18:12:16 -04:00
Joe Testa
199e75f6cd
Refined GEX testing against OpenSSH servers: when the fallback mechanism is suspected of being triggered, perform an additional test to obtain more accurate results.
2023-09-03 16:13:00 -04:00
Joe Testa
3f2fdbaa3d
Fixed crash during GEX tests.
2023-07-11 11:08:42 -04:00
thecliguy
83f9e48271
Recommendation output now respects level ( #196 )
2023-06-20 16:09:37 -04:00
Dani Cuesta
a74c3abdde
Removed sys.exit from _resolve in ssh_socket.py ( #187 )
...
Changed (and documented) _resolve so the application does not quit when a hostname cannot be resolved.
Adapted connect function to expect incoming exceptions from _resolve
This fixes issue #186
2023-06-20 09:21:06 -04:00
Joe Testa
e99cb0b579
Now prints the reason why socket listening operations fail.
2023-06-20 08:43:11 -04:00
Joe Testa
639f11a5e5
Results from concurrent scans against multiple hosts are no longer improperly combined ( #190 ).
2023-06-19 14:13:32 -04:00
Joe Testa
521a50a796
Added 'curve448-sha512@libssh.org' kex. ( #195 )
2023-06-19 10:35:13 -04:00
Joe Testa
2d5a97841f
Bumped version to 3.0.0-dev.
2023-04-29 14:46:07 -04:00
Joe Testa
3c1451cfdc
Bumped version to v2.9.0.
2023-04-29 12:33:26 -04:00
Joe Testa
929652c9b7
Simplified host key test logic.
2023-04-29 11:59:50 -04:00
thecliguy
e172932977
RSA key size comments duplicated for all RSA sig algs ( #182 )
...
* RSA key size comments duplicated for all RSA sig algs
* Save results on completion of testing a hostkey
* Revised list names because they operates against all keys now not just rsa.
* ensure all required fields added for non-rsa keys
* Correction to the saving of comments against non-rsa keys
2023-04-29 11:39:29 -04:00
Joe Testa
c33e7d9b72
Added built-in policies for OpenSSH 8.8, 8.9, 9.0, 9.1, 9.2, and 9.3.
2023-04-27 21:40:47 -04:00