Merge e3e3657f2b into ea117b203b

Because the `HostKeyTest` class was mutating its static/global
`HOST_KEY_TYPES` dict, this class could not actually be used more than once
in a single thread!

Rather than mutate this dict after parsing each key type
(`HOST_KEY_TYPES[host_key_type]['parsed'] = True`), the `perform_test`
method should simple add the parsed key types to a local `set()`.

README.md

@@ -217,6 +217,7 @@ For convenience, a web front-end on top of the command-line tool is available at
  - Added built-in policies for Ubuntu 24.04 LTS server and client, and OpenSSH 9.8.
  - Added IPv6 support for DHEat and connection rate tests.
  - Fixed crash when running with `-P` and `-T` options simultaneously.
+ - Fixed host key tests from only reporting a key type at most once despite multiple hosts supporting it; credit [Daniel Lenski](https://github.com/dlenskiSB).
 
 ### v3.2.0 (2024-04-22)
  - Added implementation of the DHEat denial-of-service attack (see `--dheat` option; [CVE-2002-20001](https://nvd.nist.gov/vuln/detail/CVE-2002-20001)).

src/ssh_audit/hostkeytest.py

@@ -40,7 +40,7 @@ class HostKeyTest:
     # Tracks the RSA host key types.  As of this writing, testing one in this family yields valid results for the rest.
     RSA_FAMILY = ['ssh-rsa', 'rsa-sha2-256', 'rsa-sha2-512']
 
-    # Dict holding the host key types we should extract & parse.  'cert' is True to denote that a host key type handles certificates (thus requires additional parsing).  'variable_key_len' is True for host key types that can have variable sizes (True only for RSA types, as the rest are of fixed-size).  After the host key type is fully parsed, the key 'parsed' is added with a value of True.
+    # Dict holding the host key types we should extract & parse.  'cert' is True to denote that a host key type handles certificates (thus requires additional parsing).  'variable_key_len' is True for host key types that can have variable sizes (True only for RSA types, as the rest are of fixed-size).
     HOST_KEY_TYPES = {
         'ssh-rsa':      {'cert': False, 'variable_key_len': True},
         'rsa-sha2-256': {'cert': False, 'variable_key_len': True},
@@ -93,6 +93,7 @@ class HostKeyTest:
     def perform_test(out: 'OutputBuffer', s: 'SSH_Socket', server_kex: 'SSH2_Kex', kex_str: str, kex_group: 'KexDH', host_key_types: Dict[str, Dict[str, bool]]) -> None:
         hostkey_modulus_size = 0
         ca_modulus_size = 0
+        parsed_host_key_types = set()
 
         # If the connection still exists, close it so we can test
         # using a clean slate (otherwise it may exist in a non-testable
@@ -106,7 +107,7 @@ class HostKeyTest:
             key_warn_comments = []
 
             # Skip those already handled (i.e.: those in the RSA family, as testing one tests them all).
-            if 'parsed' in host_key_types[host_key_type] and host_key_types[host_key_type]['parsed']:
+            if host_key_type in parsed_host_key_types:
                 continue
 
             # If this host key type is supported by the server, we test it.
@@ -216,7 +217,7 @@ class HostKeyTest:
                 # If this host key type is in the RSA family, then mark them all as parsed (since results in one are valid for them all).
                 if host_key_type in HostKeyTest.RSA_FAMILY:
                     for rsa_type in HostKeyTest.RSA_FAMILY:
-                        host_key_types[rsa_type]['parsed'] = True
+                        parsed_host_key_types.add(rsa_type)
 
                         # If the current key is a member of the RSA family, then populate all RSA family members with the same
                         # failure and/or warning comments.
@@ -228,7 +229,7 @@ class HostKeyTest:
                         db['key'][rsa_type][2].extend(key_warn_comments)
 
                 else:
-                    host_key_types[host_key_type]['parsed'] = True
+                    parsed_host_key_types.add(host_key_type)
                     db = SSH2_KexDB.get_db()
                     while len(db['key'][host_key_type]) < 3:
                         db['key'][host_key_type].append([])

src/ssh_audit/ssh_audit.py

@@ -458,7 +458,7 @@ def output_info(out: OutputBuffer, software: Optional['Software'], client_audit:
 
         # If any warnings or failures were given, print a link to the hardening guides.
         if any_problems:
-            out.warn('(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>')
+            out.warn('(nfo) For hardening guides on common OSes, please see: < https://www.ssh-audit.com/hardening_guides.html >')
 
         # Add any additional notes.
         for additional_note in additional_notes:
@@ -723,7 +723,7 @@ def output(out: OutputBuffer, aconf: AuditConf, banner: Optional[Banner], header
         # Build & write the JSON struct.
         out.info(json.dumps(build_struct(aconf.host + ":" + str(aconf.port), banner, cves, kex=kex, client_host=client_host, software=software, algorithms=algs, algorithm_recommendation_suppress_list=algorithm_recommendation_suppress_list, additional_notes=additional_notes), indent=4 if aconf.json_print_indent else None, sort_keys=True))
     elif len(unknown_algorithms) > 0:  # If we encountered any unknown algorithms, ask the user to report them.
-        out.warn("\n\n!!! WARNING: unknown algorithm(s) found!: %s.  Please email the full output above to the maintainer (jtesta@positronsecurity.com), or create a Github issue at <https://github.com/jtesta/ssh-audit/issues>.\n" % ','.join(unknown_algorithms))
+        out.warn("\n\n!!! WARNING: unknown algorithm(s) found!: %s.  Please email the full output above to the maintainer (jtesta@positronsecurity.com), or create a Github issue at < https://github.com/jtesta/ssh-audit/issues >.\n" % ','.join(unknown_algorithms))
 
     return program_retval