mirror of
https://github.com/jtesta/ssh-audit.git
synced 2026-05-26 16:01:23 +02:00
Compare commits
6 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Damian Szuberski
|
03c8d0f66f | ||
|
Peter Dave Hello
|
8ee0deade1 | ||
|
Joe Testa
|
699739d42a | ||
|
Joe Testa
|
a958fd1fec | ||
|
Joe Testa
|
c33f419224 | ||
|
Joe Testa
|
6ee4899b4f |
+1
-1
@@ -3,7 +3,7 @@ FROM python:3-slim
|
|||||||
WORKDIR /
|
WORKDIR /
|
||||||
|
|
||||||
# Update the image to remediate any vulnerabilities.
|
# Update the image to remediate any vulnerabilities.
|
||||||
RUN apt clean && apt update && apt -y dist-upgrade && apt clean && rm -rf /var/lib/apt/lists/*
|
RUN apt update && apt -y upgrade && apt -y dist-upgrade && rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
# Remove suid & sgid bits from all files.
|
# Remove suid & sgid bits from all files.
|
||||||
RUN find / -xdev -perm /6000 -exec chmod ug-s {} \; 2> /dev/null || true
|
RUN find / -xdev -perm /6000 -exec chmod ug-s {} \; 2> /dev/null || true
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
The MIT License (MIT)
|
The MIT License (MIT)
|
||||||
|
|
||||||
Copyright (C) 2017-2023 Joe Testa (jtesta@positronsecurity.com)
|
Copyright (C) 2017-2024 Joe Testa (jtesta@positronsecurity.com)
|
||||||
Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
|
Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -57,7 +57,8 @@ usage: ssh-audit.py [options] <host>
|
|||||||
-L, --list-policies list all the official, built-in policies
|
-L, --list-policies list all the official, built-in policies
|
||||||
--lookup=<alg1,alg2,...> looks up an algorithm(s) without
|
--lookup=<alg1,alg2,...> looks up an algorithm(s) without
|
||||||
connecting to a server
|
connecting to a server
|
||||||
-m, --manual print the man page (Windows only)
|
-m, --manual print the man page (Docker, PyPI, Snap, and Windows
|
||||||
|
builds only)
|
||||||
-M, --make-policy=<policy.txt> creates a policy based on the target server
|
-M, --make-policy=<policy.txt> creates a policy based on the target server
|
||||||
(i.e.: the target server has the ideal
|
(i.e.: the target server has the ideal
|
||||||
configuration that other servers should
|
configuration that other servers should
|
||||||
@@ -183,6 +184,8 @@ For convenience, a web front-end on top of the command-line tool is available at
|
|||||||
- Color output is disabled if the `NO_COLOR` environment variable is set (see https://no-color.org/).
|
- Color output is disabled if the `NO_COLOR` environment variable is set (see https://no-color.org/).
|
||||||
- Fixed parsing of ecdsa-sha2-nistp* CA signatures on host keys. Additionally, they are now flagged as potentially back-doored, just as standard host keys are.
|
- Fixed parsing of ecdsa-sha2-nistp* CA signatures on host keys. Additionally, they are now flagged as potentially back-doored, just as standard host keys are.
|
||||||
- The built-in man page (`-m`, `--manual`) is now available on Docker, PyPI, and Snap builds, in addition to the Windows build.
|
- The built-in man page (`-m`, `--manual`) is now available on Docker, PyPI, and Snap builds, in addition to the Windows build.
|
||||||
|
- Snap builds are now architecture-independent.
|
||||||
|
- Gracefully handle rare exceptions (i.e.: crashes) while performing GEX tests.
|
||||||
|
|
||||||
### v3.1.0 (2023-12-20)
|
### v3.1.0 (2023-12-20)
|
||||||
- Added test for the Terrapin message prefix truncation vulnerability ([CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795)).
|
- Added test for the Terrapin message prefix truncation vulnerability ([CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795)).
|
||||||
|
|||||||
@@ -8,6 +8,9 @@ description: |
|
|||||||
base: core22
|
base: core22
|
||||||
grade: stable
|
grade: stable
|
||||||
confinement: strict
|
confinement: strict
|
||||||
|
architectures:
|
||||||
|
- build-on: [amd64]
|
||||||
|
build-for: [all]
|
||||||
|
|
||||||
apps:
|
apps:
|
||||||
ssh-audit:
|
ssh-audit:
|
||||||
|
|||||||
@@ -21,6 +21,7 @@
|
|||||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||||
THE SOFTWARE.
|
THE SOFTWARE.
|
||||||
"""
|
"""
|
||||||
|
import struct
|
||||||
import traceback
|
import traceback
|
||||||
|
|
||||||
# pylint: disable=unused-import
|
# pylint: disable=unused-import
|
||||||
@@ -65,7 +66,7 @@ class GEXTest:
|
|||||||
# Parse the server's KEX.
|
# Parse the server's KEX.
|
||||||
_, payload = s.read_packet(2)
|
_, payload = s.read_packet(2)
|
||||||
SSH2_Kex.parse(out, payload)
|
SSH2_Kex.parse(out, payload)
|
||||||
except KexDHException:
|
except (KexDHException, struct.error):
|
||||||
out.v("Failed to parse server's kex. Stack trace:\n%s" % str(traceback.format_exc()), write_now=True)
|
out.v("Failed to parse server's kex. Stack trace:\n%s" % str(traceback.format_exc()), write_now=True)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user