mirror of
https://github.com/jtesta/ssh-audit.git
synced 2026-05-25 15:31:23 +02:00
Compare commits
3 Commits
782d245093
...
f5b1ca1543
| Author | SHA1 | Date | |
|---|---|---|---|
 dreizehnutters
|
f5b1ca1543 | ||
|
Joe Testa
|
ea117b203b | ||
|
Daniel Lenski
|
d8f8b7c57c |
@@ -217,6 +217,7 @@ For convenience, a web front-end on top of the command-line tool is available at
|
|||||||
- Added built-in policies for Ubuntu 24.04 LTS server and client, and OpenSSH 9.8.
|
- Added built-in policies for Ubuntu 24.04 LTS server and client, and OpenSSH 9.8.
|
||||||
- Added IPv6 support for DHEat and connection rate tests.
|
- Added IPv6 support for DHEat and connection rate tests.
|
||||||
- Fixed crash when running with `-P` and `-T` options simultaneously.
|
- Fixed crash when running with `-P` and `-T` options simultaneously.
|
||||||
|
- Fixed host key tests from only reporting a key type at most once despite multiple hosts supporting it; credit [Daniel Lenski](https://github.com/dlenskiSB).
|
||||||
|
|
||||||
### v3.2.0 (2024-04-22)
|
### v3.2.0 (2024-04-22)
|
||||||
- Added implementation of the DHEat denial-of-service attack (see `--dheat` option; [CVE-2002-20001](https://nvd.nist.gov/vuln/detail/CVE-2002-20001)).
|
- Added implementation of the DHEat denial-of-service attack (see `--dheat` option; [CVE-2002-20001](https://nvd.nist.gov/vuln/detail/CVE-2002-20001)).
|
||||||
|
|||||||
@@ -40,7 +40,7 @@ class HostKeyTest:
|
|||||||
# Tracks the RSA host key types. As of this writing, testing one in this family yields valid results for the rest.
|
# Tracks the RSA host key types. As of this writing, testing one in this family yields valid results for the rest.
|
||||||
RSA_FAMILY = ['ssh-rsa', 'rsa-sha2-256', 'rsa-sha2-512']
|
RSA_FAMILY = ['ssh-rsa', 'rsa-sha2-256', 'rsa-sha2-512']
|
||||||
|
|
||||||
# Dict holding the host key types we should extract & parse. 'cert' is True to denote that a host key type handles certificates (thus requires additional parsing). 'variable_key_len' is True for host key types that can have variable sizes (True only for RSA types, as the rest are of fixed-size). After the host key type is fully parsed, the key 'parsed' is added with a value of True.
|
# Dict holding the host key types we should extract & parse. 'cert' is True to denote that a host key type handles certificates (thus requires additional parsing). 'variable_key_len' is True for host key types that can have variable sizes (True only for RSA types, as the rest are of fixed-size).
|
||||||
HOST_KEY_TYPES = {
|
HOST_KEY_TYPES = {
|
||||||
'ssh-rsa': {'cert': False, 'variable_key_len': True},
|
'ssh-rsa': {'cert': False, 'variable_key_len': True},
|
||||||
'rsa-sha2-256': {'cert': False, 'variable_key_len': True},
|
'rsa-sha2-256': {'cert': False, 'variable_key_len': True},
|
||||||
@@ -103,6 +103,7 @@ class HostKeyTest:
|
|||||||
def perform_test(out: 'OutputBuffer', s: 'SSH_Socket', server_kex: 'SSH2_Kex', kex_str: str, kex_group: 'KexDH', host_key_types: Dict[str, Dict[str, bool]]) -> None:
|
def perform_test(out: 'OutputBuffer', s: 'SSH_Socket', server_kex: 'SSH2_Kex', kex_str: str, kex_group: 'KexDH', host_key_types: Dict[str, Dict[str, bool]]) -> None:
|
||||||
hostkey_modulus_size = 0
|
hostkey_modulus_size = 0
|
||||||
ca_modulus_size = 0
|
ca_modulus_size = 0
|
||||||
|
parsed_host_key_types = set()
|
||||||
|
|
||||||
# If the connection still exists, close it so we can test
|
# If the connection still exists, close it so we can test
|
||||||
# using a clean slate (otherwise it may exist in a non-testable
|
# using a clean slate (otherwise it may exist in a non-testable
|
||||||
@@ -116,7 +117,7 @@ class HostKeyTest:
|
|||||||
key_warn_comments = []
|
key_warn_comments = []
|
||||||
|
|
||||||
# Skip those already handled (i.e.: those in the RSA family, as testing one tests them all).
|
# Skip those already handled (i.e.: those in the RSA family, as testing one tests them all).
|
||||||
if 'parsed' in host_key_types[host_key_type] and host_key_types[host_key_type]['parsed']:
|
if host_key_type in parsed_host_key_types:
|
||||||
continue
|
continue
|
||||||
|
|
||||||
# If this host key type is supported by the server, we test it.
|
# If this host key type is supported by the server, we test it.
|
||||||
@@ -226,7 +227,7 @@ class HostKeyTest:
|
|||||||
# If this host key type is in the RSA family, then mark them all as parsed (since results in one are valid for them all).
|
# If this host key type is in the RSA family, then mark them all as parsed (since results in one are valid for them all).
|
||||||
if host_key_type in HostKeyTest.RSA_FAMILY:
|
if host_key_type in HostKeyTest.RSA_FAMILY:
|
||||||
for rsa_type in HostKeyTest.RSA_FAMILY:
|
for rsa_type in HostKeyTest.RSA_FAMILY:
|
||||||
host_key_types[rsa_type]['parsed'] = True
|
parsed_host_key_types.add(rsa_type)
|
||||||
|
|
||||||
# If the current key is a member of the RSA family, then populate all RSA family members with the same
|
# If the current key is a member of the RSA family, then populate all RSA family members with the same
|
||||||
# failure and/or warning comments.
|
# failure and/or warning comments.
|
||||||
@@ -238,7 +239,7 @@ class HostKeyTest:
|
|||||||
db['key'][rsa_type][2].extend(key_warn_comments)
|
db['key'][rsa_type][2].extend(key_warn_comments)
|
||||||
|
|
||||||
else:
|
else:
|
||||||
host_key_types[host_key_type]['parsed'] = True
|
parsed_host_key_types.add(host_key_type)
|
||||||
db = SSH2_KexDB.get_db()
|
db = SSH2_KexDB.get_db()
|
||||||
while len(db['key'][host_key_type]) < 3:
|
while len(db['key'][host_key_type]) < 3:
|
||||||
db['key'][host_key_type].append([])
|
db['key'][host_key_type].append([])
|
||||||
|
|||||||
Reference in New Issue
Block a user