Joe Testa
d7f8bf3e6d
Updated notes on OpenSSH default key exchanges. ( #258 )
2024-03-19 18:24:22 -04:00
Joe Testa
3d403b1d70
Updated availability of algorithms in Dropbear. ( #257 )
2024-03-19 15:47:09 -04:00
Joe Testa
9fae870260
Added allow_larger_keys flag to custom policies to control whether targets can have larger keys, and added Docker tests to complete work started in PR #242 .
2024-03-19 14:45:19 -04:00
Joe Testa
3c31934ac7
Added tests and other cleanups resulting from merging PR #252 .
2024-03-18 17:48:50 -04:00
Joe Testa
7b3402b207
Added note that sntrup761x25519-sha512@openssh.com is the default OpenSSH kex since version 9.0.
2024-03-15 17:24:21 -04:00
Joe Testa
b2f46eb71a
Added extra GSS wildcard matching test.
2024-03-15 17:05:40 -04:00
Joe Testa
15078aaea9
Built-in policies now include a change log.
2024-03-14 17:58:16 -04:00
Joe Testa
f0874af4cd
Split built-in policies from policy.py to builtin_policies.py.
2024-03-14 17:24:40 -04:00
Joe Testa
75dbc03a77
Added 'additional_notes' field to JSON output.
2023-12-19 18:03:07 -05:00
Joe Testa
c259a83782
Added note that when a target is properly configured against the Terrapin vulnerability that unpatched peers may still create vulnerable connections. Updated Ubuntu Server & Client 20.04 & 22.04 policies to include new key exchange markers related to Terrapin counter-measures.
2023-12-19 14:03:28 -05:00
Joe Testa
8e972c5e94
Added test for the Terrapin vulnerability (CVE-2023-48795) ( #227 ).
2023-12-18 18:24:49 -05:00
Joe Testa
f8e29674a3
Refined JSON notes output. Fixed Docker & Tox tests.
2023-09-05 16:36:54 -04:00
Joe Testa
38f9c21760
The color of all notes will be printed in green when the related algorithm is rated good.
2023-09-03 19:14:25 -04:00
Joe Testa
77cdb969b9
Fixed flake8 tests.
2023-09-03 16:25:26 -04:00
Joe Testa
199e75f6cd
Refined GEX testing against OpenSSH servers: when the fallback mechanism is suspected of being triggered, perform an additional test to obtain more accurate results.
2023-09-03 16:13:00 -04:00
Joe Testa
e2fc60cbb4
Updated README and test for resolve function.
2023-06-20 09:26:43 -04:00
Joe Testa
639f11a5e5
Results from concurrent scans against multiple hosts are no longer improperly combined ( #190 ).
2023-06-19 14:13:32 -04:00
Joe Testa
7f8d6b4d5b
Fixed built-in policy formatting and filled in missing host key size information.
2023-04-26 15:47:58 -04:00
Joe Testa
263267c5ad
Added support for mixed host key/CA key types (i.e.: RSA host keys signed by ED25519 CAs) ( #120 ).
2023-04-25 09:17:32 -04:00
Joe Testa
4f31304b66
Alphabetized algorithm database.
2023-03-28 12:09:25 -04:00
Joe Testa
dc083de87e
Added recommendations and CVE information to JSON output ( #122 ).
2023-03-24 18:48:36 -04:00
Joe Testa
cc9e4fbc4a
Generic failure/warning messages replaced with more specific reasons. SHA-1 algorithms now cause failures. CBC mode ciphers are now warnings instead of failures.
2023-03-23 21:36:02 -04:00
Joe Testa
992aa1b961
Added support for kex GSS wildcards ( #143 ).
2023-03-21 22:17:23 -04:00
Joe Testa
413dea60ae
Fixed docker tests affected by previous commit.
2023-03-21 14:58:00 -04:00
Joe Testa
71feaa191e
Add note regarding OpenSSH's 2048-bit GEX fallback, and suppress the related recommendation since the user cannot control it (partly related to #168 ).
2023-03-21 11:44:45 -04:00
Joe Testa
7bbf4cdff0
Fix tox tests.
2023-02-06 18:24:03 -05:00
Joe Testa
c9dc9a9c10
Now issues a warning when 2048-bit moduli are encountered.
2023-02-06 16:27:30 -05:00
Joe Testa
b9520cbc25
Fixed pylint & flake8 warnings and errors.
2022-10-10 20:40:29 -04:00
Joe Testa
c6b8dc97e1
Fixed tests.
2022-02-21 21:48:10 -05:00
tomatohater1337
1f0b3acff2
Complete "target" in the JSON output with the port ( #123 )
...
* Complete "target" in JSON output with the port
The JSON output was not showing the port of the target which was scanned. This could be problematic when scanning a host with more than one ssh service running.
* Docker tests completet with the port of the scan target in the JSON output
2021-10-13 23:44:55 -04:00
Joe Testa
07862489c4
Added MD5 fingerprint hashes to verbose output.
2021-05-20 18:03:24 -04:00
Joe Testa
8e9fe20fac
SSH_Socket's constructor now takes an OutputBuffer for verbose & debugging output.
2021-03-02 11:25:37 -05:00
Joe Testa
b300ad1252
Refactored IPv4/6 preference logic to fix pylint warnings.
2021-02-23 16:05:01 -05:00
Joe Testa
1bbc3feb57
Added OpenSSH 8.5 built-in policy. Added sntrup761x25519-sha512@openssh.com kex.
2021-02-23 16:02:20 -05:00
Joe Testa
e0f0956edc
Added extra warnings for SSHv1. ( #6 )
2021-02-02 12:20:37 -05:00
Joe Testa
c49a0fb22f
Upgraded SHA-1 key signatures from warnings to failures. Added deprecation warning to ssh-rsa-cert-v00@openssh.com, ssh-rsa-cert-v01@openssh.com, x509v3-sign-rsa, and x509v3-ssh-rsa host key types.
2021-02-01 19:19:46 -05:00
Joe Testa
13d15baa2a
Added multi-threaded scanning support.
2021-02-01 13:10:06 -05:00
Joe Testa
0d9881966c
Added version check for OpenSSH user enumeration (CVE-2018-15473). ( #83 )
2020-11-05 20:24:09 -05:00
Joe Testa
c2da269f06
Added missing tests.
2020-10-21 19:40:22 -04:00
Joe Testa
175bd2cf66
Fixed recommendation output function from suppressing some algorithms inappropriately.
2020-10-20 21:34:34 -04:00
Joe Testa
ec48249deb
Now reports policy errors in an easier to read format. ( #63 )
2020-10-20 16:25:39 -04:00
Joe Testa
240b705d61
OpenSSH-portable patch level 1 now considered equivalent to stock OpenBSD version.
2020-10-20 13:17:32 -04:00
Joe Testa
83d8014a50
Fixed OpenSSH patch version comparison. ( #74 )
2020-10-19 18:49:52 -04:00
Joe Testa
046c866da4
Moved built-in policies from external files to internal database. ( #75 )
2020-10-19 17:27:37 -04:00
Joe Testa
1a5c0e7fad
Split ssh_audit.py into separate files ( #47 ).
2020-10-15 14:34:23 -04:00
Ganden Schaffner
b15664929f
Improve PyPI packaging ( #71 )
...
* Move files for better setup.py packaging
* Update setup.py and configs for src layout
* Run tests on setup.py build
In effect, this tests that the setup.py configuration is correct.
coverage combine and coverage:paths are added to keep the displayed
coverage paths as src/ssh_audit/*.py instead of
.tox/$envname/**/site-packages/ssh_audit/*.py
* Remove unnecessary encoding declarations
Python 3 defaults to UTF-8 encoding.
https://docs.python.org/3/reference/lexical_analysis.html#encoding-declarations
* Remove shebang from colorama type stubs
Shouldn't need to be an executable.
Related: git has this file tracked as chmod -x.
2020-10-11 14:03:02 -04:00
Joe Testa
632adc076a
Policy check output now prints port number, if applicable.
2020-09-27 11:48:15 -04:00
Joe Testa
936acfa37d
Added more structure to JSON result when policy errors are found.
2020-07-29 12:36:08 -04:00
Joe Testa
68a420ff00
Added policy support for optional host key types, like certificates and smart card-based types.
2020-07-15 14:32:14 -04:00
Joe Testa
b95969bbc0
Policy output now more clearly prints the policy version.
2020-07-14 17:38:15 -04:00