Bumped version to v3.3.0-dev.

Updated docker run command.
Set version to 3.2.0 for release.
2026-05-25 23:41:22 +02:00 · 2024-04-22 17:57:26 -04:00 · 2024-04-22 17:54:37 -04:00 · 2024-04-22 16:32:57 -04:00 · 2024-04-22 16:26:03 -04:00
3 changed files with 8 additions and 8 deletions
@@ -202,7 +202,7 @@ To install from Dockerhub:
 ```
 $ docker pull positronsecurity/ssh-audit
 ```
-(Then run with: `docker run -it -p 2222:2222 positronsecurity/ssh-audit 10.1.1.1`)
+(Then run with: `docker run -it --rm -p 2222:2222 positronsecurity/ssh-audit 10.1.1.1`)

 The status of various other platform packages can be found below (via Repology):

@@ -213,19 +213,19 @@ For convenience, a web front-end on top of the command-line tool is available at

 ## ChangeLog

-### v3.2.0-dev (???)
+### v3.2.0 (2024-04-22)
 - Added implementation of the DHEat denial-of-service attack (see `--dheat` option; [CVE-2002-20001](https://nvd.nist.gov/vuln/detail/CVE-2002-20001)).
 - Expanded filter of CBC ciphers to flag for the Terrapin vulnerability.  It now includes more rarely found ciphers.
- - Color output is disabled if the `NO_COLOR` environment variable is set (see https://no-color.org/).
 - Fixed parsing of `ecdsa-sha2-nistp*` CA signatures on host keys.  Additionally, they are now flagged as potentially back-doored, just as standard host keys are.
 - Gracefully handle rare exceptions (i.e.: crashes) while performing GEX tests.
- - Built-in policies now include a change log (use `-L -v` to view them).
- - Added built-in policies for Amazon Linux 2023, Debian 12, OpenSSH 9.7, and Rocky Linux 9.
 - The built-in man page (`-m`, `--manual`) is now available on Docker, PyPI, and Snap builds, in addition to the Windows build.
 - Snap builds are now architecture-independent.
 - Changed Docker base image from `python:3-slim` to `python:3-alpine`, resulting in a 59% reduction in image size; credit [Daniel Thamdrup](https://github.com/dallemon).
+ - Added built-in policies for Amazon Linux 2023, Debian 12, OpenSSH 9.7, and Rocky Linux 9.
+ - Built-in policies now include a change log (use `-L -v` to view them).
 - Custom policies now support the `allow_algorithm_subset_and_reordering` directive to allow targets to pass with a subset and/or re-ordered list of host keys, kex, ciphers, and MACs.  This allows for the creation of a baseline policy where targets can optionally implement stricter controls; partial credit [yannik1015](https://github.com/yannik1015).
 - Custom policies now support the `allow_larger_keys` directive to allow targets to pass with larger host keys, CA keys, and Diffie-Hellman keys.  This allows for the creation of a baseline policy where targets can optionally implement stricter controls; partial credit [Damian Szuberski](https://github.com/szubersk).
+ - Color output is disabled if the `NO_COLOR` environment variable is set (see https://no-color.org/).
 - Added 1 new key exchange algorithm: `gss-nistp384-sha384-*`.
 - Added 1 new cipher: `aes128-ocb@libassh.org`.

@@ -51,7 +51,7 @@ class DHEat:
    MAX_SAFE_RATE = 20.0

    # The warning added to DH algorithms in the UI when dh_rate_test determines that no throttling is being done.
-    DHEAT_WARNING = "Potentially insufficient connection throttling detected, resulting in possible vulnerability to the DHEat DoS attack (CVE-2002-20001).  {connections:d} connections were created in {time_elapsed:.3f} seconds, or {rate:.1f} conns/sec; server must respond with a rate less than {max_safe_rate:.1f} conns/sec per IPv4/IPv6 source address to be considered safe.  For rate-throttling options, please see <https://www.ssh-audit.com/hardening_guides.html>.  Suppress this test and message with the --skip-rate-test option."
+    DHEAT_WARNING = "Potentially insufficient connection throttling detected, resulting in possible vulnerability to the DHEat DoS attack (CVE-2002-20001).  {connections:d} connections were created in {time_elapsed:.3f} seconds, or {rate:.1f} conns/sec; server must respond with a rate less than {max_safe_rate:.1f} conns/sec per IPv4/IPv6 source address to be considered safe.  For rate-throttling options, please see <https://www.ssh-audit.com/hardening_guides.html>.  Be aware that using 'PerSourceMaxStartups 1' properly protects the server from this attack, but will cause this test to yield a false positive.  Suppress this test and message with the --skip-rate-test option."

    # List of the Diffie-Hellman group exchange algorithms this test supports.
    gex_algs = [
@@ -1,7 +1,7 @@
 """
   The MIT License (MIT)

-   Copyright (C) 2017-2023 Joe Testa (jtesta@positronsecurity.com)
+   Copyright (C) 2017-2024 Joe Testa (jtesta@positronsecurity.com)

   Permission is hereby granted, free of charge, to any person obtaining a copy
   of this software and associated documentation files (the "Software"), to deal
@@ -22,7 +22,7 @@
   THE SOFTWARE.
 """
 # The version to display.
-VERSION = 'v3.2.0-dev'
+VERSION = 'v3.3.0-dev'

 # SSH software to impersonate
 SSH_HEADER = 'SSH-{0}-OpenSSH_8.2'
Author	SHA1	Message	Date
Joe Testa	d19b154a46	Bumped version to v3.3.0-dev.	2024-04-22 17:57:26 -04:00
Joe Testa	c5d90106e8	Updated docker run command.	2024-04-22 17:54:37 -04:00
Joe Testa	68cf05d0ff	Set version to 3.2.0 for release.	2024-04-22 16:32:57 -04:00
Joe Testa	2d9ddabcad	Updated DHEat rate connection warning message.	2024-04-22 16:26:03 -04:00