Merge aab105c398 into 8ee0deade1

2026-05-26 07:51:23 +02:00 · 2024-02-18 21:47:10 -07:00
5 changed files with 16 additions and 19 deletions
@@ -1,19 +1,16 @@
-# syntax=docker/dockerfile:latest
-FROM scratch AS files
+FROM python:3-slim

-# Copy ssh-audit code to temporary container
-COPY ssh-audit.py /
-COPY src/ /
-
-FROM python:3-alpine AS runtime
+WORKDIR /

 # Update the image to remediate any vulnerabilities.
-RUN apk upgrade -U --no-cache -a -l && \ 
-    # Remove suid & sgid bits from all files.
-    find / -xdev -perm /6000 -exec chmod ug-s {} \; 2> /dev/null || true
+RUN apt update && apt -y upgrade && apt -y dist-upgrade && rm -rf /var/lib/apt/lists/*

-# Copy the ssh-audit code from files container.
-COPY --from=files / /
+# Remove suid & sgid bits from all files.
+RUN find / -xdev -perm /6000 -exec chmod ug-s {} \; 2> /dev/null || true
+
+# Copy the ssh-audit code.
+COPY ssh-audit.py .
+COPY src/ .

 # Allow listening on 2222/tcp for client auditing.
 EXPOSE 2222
@@ -186,8 +186,6 @@ For convenience, a web front-end on top of the command-line tool is available at
 - The built-in man page (`-m`, `--manual`) is now available on Docker, PyPI, and Snap builds, in addition to the Windows build.
 - Snap builds are now architecture-independent.
 - Gracefully handle rare exceptions (i.e.: crashes) while performing GEX tests.
- - Added built-in policy for OpenSSH 9.7.
- - Changed Docker base image from `python:3-slim` to `python:3-alpine`, resulting in a 59% reduction in image size; credit [Daniel Thamdrup](https://github.com/dallemon).

 ### v3.1.0 (2023-12-20)
 - Added test for the Terrapin message prefix truncation vulnerability ([CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795)).
@@ -94,8 +94,6 @@ class Policy:

        'Hardened OpenSSH Server v9.6 (version 1)': {'version': '1', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-s', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},

-        'Hardened OpenSSH Server v9.7 (version 1)': {'version': '1', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-s', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
-

        # Ubuntu Client policies

@@ -365,8 +365,11 @@ def output_recommendations(out: OutputBuffer, algs: Algorithms, algorithm_recomm
        for cve_list in VersionVulnerabilityDB.CVE['PuTTY']:
            vuln_version = float(cve_list[1])
            cvssv2_severity = cve_list[4]
-            max_vuln_version = max(vuln_version, max_vuln_version)
-            max_cvssv2_severity = max(cvssv2_severity, max_cvssv2_severity)
+
+            if vuln_version > max_vuln_version:
+                max_vuln_version = vuln_version
+            if cvssv2_severity > max_cvssv2_severity:
+                max_cvssv2_severity = cvssv2_severity

        fn = out.warn
        if max_cvssv2_severity > 8.0:
@@ -246,7 +246,8 @@ class SSH_Socket(ReadBuf, WriteBuf):

    def send_banner(self, banner: str) -> None:
        self.send(banner.encode() + b'\r\n')
-        self.__state = max(self.__state, self.SM_BANNER_SENT)
+        if self.__state < self.SM_BANNER_SENT:
+            self.__state = self.SM_BANNER_SENT

    def ensure_read(self, size: int) -> None:
        while self.unread_len < size: