elie/ssh-audit
1
0
Fork 0
mirror of https://github.com/jtesta/ssh-audit.git synced 2026-05-25 23:41:22 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: elie/ssh-audit:27f215d687dcf150a178fc1f909fb0a19a7058b8
Branches Tags
elie/ssh-audit:master
elie/ssh-audit:v3.3.0 elie/ssh-audit:v3.2.0 elie/ssh-audit:v3.1.0 elie/ssh-audit:v3.0.0 elie/ssh-audit:v2.9.0 elie/ssh-audit:v2.5.0 elie/ssh-audit:v2.4.0 elie/ssh-audit:v2.3.1 elie/ssh-audit:v2.3.0 elie/ssh-audit:v2.2.0 elie/ssh-audit:v2.1.1 elie/ssh-audit:v2.1.0 elie/ssh-audit:v2.0.0 elie/ssh-audit:v1.7.0 elie/ssh-audit:v1.6.0 elie/ssh-audit:v1.5.0
..
compare: elie/ssh-audit:c042d7ab4abfd8ed4ff0edebc692c3c14545f836
Branches Tags
elie/ssh-audit:master
elie/ssh-audit:v3.3.0 elie/ssh-audit:v3.2.0 elie/ssh-audit:v3.1.0 elie/ssh-audit:v3.0.0 elie/ssh-audit:v2.9.0 elie/ssh-audit:v2.5.0 elie/ssh-audit:v2.4.0 elie/ssh-audit:v2.3.1 elie/ssh-audit:v2.3.0 elie/ssh-audit:v2.2.0 elie/ssh-audit:v2.1.1 elie/ssh-audit:v2.1.0 elie/ssh-audit:v2.0.0 elie/ssh-audit:v1.7.0 elie/ssh-audit:v1.6.0 elie/ssh-audit:v1.5.0

1 Commits
27f215d687 .. c042d7ab4a

Author SHA1 Message Date
Manfred Kaiser c042d7ab4a Merge 3116c2e678 into e42961fa9a 2024-07-02 21:35:57 -04:00
24 changed files with 24 additions and 58 deletions
Expand all files Collapse all files
README.md
-3
View File
@@ -216,10 +216,7 @@ For convenience, a web front-end on top of the command-line tool is available at
### v3.3.0-dev (???)
- Added built-in policies for Ubuntu 24.04 LTS server and client, and OpenSSH 9.8.
- Added IPv6 support for DHEat and connection rate tests.
- Added TCP port information to JSON policy scan results; credit [Fabian Malte Kopp](https://github.com/dreizehnutters).
- Added LANcom LCOS server recognition and Ed448 key extraction; credit [Daniel Lenski](https://github.com/dlenskiSB).
- Fixed crash when running with `-P` and `-T` options simultaneously.
- Fixed host key tests from only reporting a key type at most once despite multiple hosts supporting it; credit [Daniel Lenski](https://github.com/dlenskiSB).
### v3.2.0 (2024-04-22)
- Added implementation of the DHEat denial-of-service attack (see `--dheat` option; [CVE-2002-20001](https://nvd.nist.gov/vuln/detail/CVE-2002-20001)).
src/ssh_audit/hostkeytest.py
+4 -9
View File
@@ -40,7 +40,7 @@ class HostKeyTest:
# Tracks the RSA host key types. As of this writing, testing one in this family yields valid results for the rest.
RSA_FAMILY = ['ssh-rsa', 'rsa-sha2-256', 'rsa-sha2-512']
# Dict holding the host key types we should extract & parse. 'cert' is True to denote that a host key type handles certificates (thus requires additional parsing). 'variable_key_len' is True for host key types that can have variable sizes (True only for RSA types, as the rest are of fixed-size).
# Dict holding the host key types we should extract & parse. 'cert' is True to denote that a host key type handles certificates (thus requires additional parsing). 'variable_key_len' is True for host key types that can have variable sizes (True only for RSA types, as the rest are of fixed-size). After the host key type is fully parsed, the key 'parsed' is added with a value of True.
HOST_KEY_TYPES = {
'ssh-rsa': {'cert': False, 'variable_key_len': True},
'rsa-sha2-256': {'cert': False, 'variable_key_len': True},
@@ -52,9 +52,6 @@ class HostKeyTest:
'ssh-ed25519': {'cert': False, 'variable_key_len': False},
'ssh-ed25519-cert-v01@openssh.com': {'cert': True, 'variable_key_len': False},
'ssh-ed448': {'cert': False, 'variable_key_len': False},
# 'ssh-ed448-cert-v01@openssh.com': {'cert': True, 'variable_key_len': False},
}
TWO2K_MODULUS_WARNING = '2048-bit modulus only provides 112-bits of symmetric strength'
@@ -96,7 +93,6 @@ class HostKeyTest:
def perform_test(out: 'OutputBuffer', s: 'SSH_Socket', server_kex: 'SSH2_Kex', kex_str: str, kex_group: 'KexDH', host_key_types: Dict[str, Dict[str, bool]]) -> None:
hostkey_modulus_size = 0
ca_modulus_size = 0
parsed_host_key_types = set()
# If the connection still exists, close it so we can test
# using a clean slate (otherwise it may exist in a non-testable
@@ -110,7 +106,7 @@ class HostKeyTest:
key_warn_comments = []
# Skip those already handled (i.e.: those in the RSA family, as testing one tests them all).
if host_key_type in parsed_host_key_types:
if 'parsed' in host_key_types[host_key_type] and host_key_types[host_key_type]['parsed']:
continue
# If this host key type is supported by the server, we test it.
@@ -161,7 +157,6 @@ class HostKeyTest:
ca_key_type = kex_group.get_ca_type()
ca_modulus_size = kex_group.get_ca_size()
out.d("Hostkey type: [%s]; hostkey size: %u; CA type: [%s]; CA modulus size: %u" % (host_key_type, hostkey_modulus_size, ca_key_type, ca_modulus_size), write_now=True)
out.d("Raw hostkey bytes (%d): [%s]" % (len(raw_hostkey_bytes), raw_hostkey_bytes.hex()), write_now=True)
# Record all the host key info.
server_kex.set_host_key(host_key_type, raw_hostkey_bytes, hostkey_modulus_size, ca_key_type, ca_modulus_size)
@@ -221,7 +216,7 @@ class HostKeyTest:
# If this host key type is in the RSA family, then mark them all as parsed (since results in one are valid for them all).
if host_key_type in HostKeyTest.RSA_FAMILY:
for rsa_type in HostKeyTest.RSA_FAMILY:
parsed_host_key_types.add(rsa_type)
host_key_types[rsa_type]['parsed'] = True
# If the current key is a member of the RSA family, then populate all RSA family members with the same
# failure and/or warning comments.
@@ -233,7 +228,7 @@ class HostKeyTest:
db['key'][rsa_type][2].extend(key_warn_comments)
else:
parsed_host_key_types.add(host_key_type)
host_key_types[host_key_type]['parsed'] = True
db = SSH2_KexDB.get_db()
while len(db['key'][host_key_type]) < 3:
db['key'][host_key_type].append([])
src/ssh_audit/kexdh.py
-3
View File
@@ -134,9 +134,6 @@ class KexDH: # pragma: nocover
if self.__hostkey_type == 'ssh-ed25519':
self.out.d("%s has a fixed host key modulus of 32." % self.__hostkey_type)
self.__hostkey_n_len = 32
elif self.__hostkey_type == 'ssh-ed448':
self.out.d("%s has a fixed host key modulus of 57." % self.__hostkey_type)
self.__hostkey_n_len = 57
else:
# Here is the modulus size & actual modulus of the host key public key.
hostkey_n, self.__hostkey_n_len, ptr = KexDH.__get_bytes(hostkey, ptr)
src/ssh_audit/software.py
-4
View File
@@ -224,8 +224,4 @@ class Software:
mx = re.match(r'^PuTTY_Release_(.*)', software)
if mx:
return cls(None, Product.PuTTY, mx.group(1), None, None)
mx = re.match(r'^lancom(.*)', software)
if mx:
v, p = 'LANcom', 'LCOS sshd'
return cls(v, p, mx.group(1), None, None)
return None
src/ssh_audit/ssh_audit.py
+1 -1
View File
@@ -735,7 +735,7 @@ def evaluate_policy(out: OutputBuffer, aconf: AuditConf, banner: Optional['Banne
passed, error_struct, error_str = aconf.policy.evaluate(banner, kex)
if aconf.json:
json_struct = {'host': aconf.host, 'port': aconf.port, 'policy': aconf.policy.get_name_and_version(), 'passed': passed, 'errors': error_struct}
json_struct = {'host': aconf.host, 'policy': aconf.policy.get_name_and_version(), 'passed': passed, 'errors': error_struct}
out.info(json.dumps(json_struct, indent=4 if aconf.json_print_indent else None, sort_keys=True))
else:
spacing = ''
test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json
+1 -2
View File
@@ -2,6 +2,5 @@
"errors": [],
"host": "localhost",
"passed": true,
"policy": "Docker policy: test1 (version 1)",
"port": 2222
"policy": "Docker policy: test1 (version 1)"
}
test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json
+1 -2
View File
@@ -27,6 +27,5 @@
],
"host": "localhost",
"passed": false,
"policy": "Docker poliicy: test10 (version 1)",
"port": 2222
"policy": "Docker poliicy: test10 (version 1)"
}
test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json
+1 -2
View File
@@ -19,6 +19,5 @@
],
"host": "localhost",
"passed": false,
"policy": "Docker policy: test2 (version 1)",
"port": 2222
"policy": "Docker policy: test2 (version 1)"
}
test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json
+1 -2
View File
@@ -18,6 +18,5 @@
],
"host": "localhost",
"passed": false,
"policy": "Docker policy: test3 (version 1)",
"port": 2222
"policy": "Docker policy: test3 (version 1)"
}
test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json
+1 -2
View File
@@ -28,6 +28,5 @@
],
"host": "localhost",
"passed": false,
"policy": "Docker policy: test4 (version 1)",
"port": 2222
"policy": "Docker policy: test4 (version 1)"
}
test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json
+1 -2
View File
@@ -27,6 +27,5 @@
],
"host": "localhost",
"passed": false,
"policy": "Docker policy: test5 (version 1)",
"port": 2222
"policy": "Docker policy: test5 (version 1)"
}
test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json
+1 -2
View File
@@ -2,6 +2,5 @@
"errors": [],
"host": "localhost",
"passed": true,
"policy": "Docker poliicy: test7 (version 1)",
"port": 2222
"policy": "Docker poliicy: test7 (version 1)"
}
test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json
+1 -2
View File
@@ -15,6 +15,5 @@
],
"host": "localhost",
"passed": false,
"policy": "Docker poliicy: test8 (version 1)",
"port": 2222
"policy": "Docker poliicy: test8 (version 1)"
}
test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json
+1 -2
View File
@@ -15,6 +15,5 @@
],
"host": "localhost",
"passed": false,
"policy": "Docker poliicy: test9 (version 1)",
"port": 2222
"policy": "Docker poliicy: test9 (version 1)"
}
test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json
+1 -2
View File
@@ -39,6 +39,5 @@
],
"host": "localhost",
"passed": false,
"policy": "Hardened OpenSSH Server v8.0 (version 4)",
"port": 2222
"policy": "Hardened OpenSSH Server v8.0 (version 4)"
}
test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json
+1 -2
View File
@@ -62,6 +62,5 @@
],
"host": "localhost",
"passed": false,
"policy": "Hardened OpenSSH Server v8.0 (version 4)",
"port": 2222
"policy": "Hardened OpenSSH Server v8.0 (version 4)"
}
test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json
+1 -2
View File
@@ -2,6 +2,5 @@
"errors": [],
"host": "localhost",
"passed": true,
"policy": "Docker policy: test11 (version 1)",
"port": 2222
"policy": "Docker policy: test11 (version 1)"
}
test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json
+1 -2
View File
@@ -39,6 +39,5 @@
],
"host": "localhost",
"passed": false,
"policy": "Docker policy: test12 (version 1)",
"port": 2222
"policy": "Docker policy: test12 (version 1)"
}
test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json
+1 -2
View File
@@ -2,6 +2,5 @@
"errors": [],
"host": "localhost",
"passed": true,
"policy": "Docker policy: test13 (version 1)",
"port": 2222
"policy": "Docker policy: test13 (version 1)"
}
test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json
+1 -2
View File
@@ -15,6 +15,5 @@
],
"host": "localhost",
"passed": false,
"policy": "Docker policy: test14 (version 1)",
"port": 2222
"policy": "Docker policy: test14 (version 1)"
}
test/docker/expected_results/openssh_8.0p1_custom_policy_test15.json
+1 -2
View File
@@ -2,6 +2,5 @@
"errors": [],
"host": "localhost",
"passed": true,
"policy": "Docker policy: test15 (version 1)",
"port": 2222
"policy": "Docker policy: test15 (version 1)"
}
test/docker/expected_results/openssh_8.0p1_custom_policy_test16.json
+1 -2
View File
@@ -82,6 +82,5 @@
],
"host": "localhost",
"passed": false,
"policy": "Docker policy: test16 (version 1)",
"port": 2222
"policy": "Docker policy: test16 (version 1)"
}
test/docker/expected_results/openssh_8.0p1_custom_policy_test17.json
+1 -2
View File
@@ -2,6 +2,5 @@
"errors": [],
"host": "localhost",
"passed": true,
"policy": "Docker policy: test17 (version 1)",
"port": 2222
"policy": "Docker policy: test17 (version 1)"
}
test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json
+1 -2
View File
@@ -2,6 +2,5 @@
"errors": [],
"host": "localhost",
"passed": true,
"policy": "Docker policy: test6 (version 1)",
"port": 2222
"policy": "Docker policy: test6 (version 1)"
}