elie/ssh-audit
1
0
Fork 0
mirror of https://github.com/jtesta/ssh-audit.git synced 2026-05-26 07:51:23 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: elie/ssh-audit:dc447c1ee2a8933abb9376004c38edde571922ab
Branches Tags
elie/ssh-audit:master
elie/ssh-audit:v3.3.0 elie/ssh-audit:v3.2.0 elie/ssh-audit:v3.1.0 elie/ssh-audit:v3.0.0 elie/ssh-audit:v2.9.0 elie/ssh-audit:v2.5.0 elie/ssh-audit:v2.4.0 elie/ssh-audit:v2.3.1 elie/ssh-audit:v2.3.0 elie/ssh-audit:v2.2.0 elie/ssh-audit:v2.1.1 elie/ssh-audit:v2.1.0 elie/ssh-audit:v2.0.0 elie/ssh-audit:v1.7.0 elie/ssh-audit:v1.6.0 elie/ssh-audit:v1.5.0
..
compare: elie/ssh-audit:0816d1fe48a93bd81b771f0cbd40d1a58249341a
Branches Tags
elie/ssh-audit:master
elie/ssh-audit:v3.3.0 elie/ssh-audit:v3.2.0 elie/ssh-audit:v3.1.0 elie/ssh-audit:v3.0.0 elie/ssh-audit:v2.9.0 elie/ssh-audit:v2.5.0 elie/ssh-audit:v2.4.0 elie/ssh-audit:v2.3.1 elie/ssh-audit:v2.3.0 elie/ssh-audit:v2.2.0 elie/ssh-audit:v2.1.1 elie/ssh-audit:v2.1.0 elie/ssh-audit:v2.0.0 elie/ssh-audit:v1.7.0 elie/ssh-audit:v1.6.0 elie/ssh-audit:v1.5.0

1 Commits
dc447c1ee2 .. 0816d1fe48

Author SHA1 Message Date
oam7575 0816d1fe48 Merge 5fbe94c4dd into 9fae870260 2024-03-19 14:48:05 -04:00
11 changed files with 48 additions and 49 deletions
Expand all files Collapse all files
src/ssh_audit/ssh2_kexdb.py
+6 -7
View File
@@ -62,8 +62,7 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods
WARN_TAG_SIZE_96 = 'using small 96-bit tag size' WARN_TAG_SIZE_96 = 'using small 96-bit tag size'
INFO_DEFAULT_OPENSSH_CIPHER = 'default cipher since OpenSSH 6.9' INFO_DEFAULT_OPENSSH_CIPHER = 'default cipher since OpenSSH 6.9'
INFO_DEFAULT_OPENSSH_KEX_65_TO_73 = 'default key exchange from OpenSSH 6.5 to 7.3' INFO_DEFAULT_OPENSSH_KEX_64_TO_89 = 'default key exchange from OpenSSH 6.4 to 8.9'
INFO_DEFAULT_OPENSSH_KEX_74_TO_89 = 'default key exchange from OpenSSH 7.4 to 8.9'
INFO_DEFAULT_OPENSSH_KEX_90 = 'default key exchange since OpenSSH 9.0' INFO_DEFAULT_OPENSSH_KEX_90 = 'default key exchange since OpenSSH 9.0'
INFO_DEPRECATED_IN_OPENSSH88 = 'deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8' INFO_DEPRECATED_IN_OPENSSH88 = 'deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8'
INFO_DISABLED_IN_DBEAR67 = 'disabled in Dropbear SSH 2015.67' INFO_DISABLED_IN_DBEAR67 = 'disabled in Dropbear SSH 2015.67'
@@ -118,8 +117,8 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods
# Format: 'algorithm_name': [['version_first_appeared_in'], [reason_for_failure1, reason_for_failure2, ...], [warning1, warning2, ...], [info1, info2, ...], [preference_weight]] # Format: 'algorithm_name': [['version_first_appeared_in'], [reason_for_failure1, reason_for_failure2, ...], [warning1, warning2, ...], [info1, info2, ...], [preference_weight]]
'kex': { 'kex': {
'Curve25519SHA256': [[], [], [], [], [STRONG_CURVE]], 'Curve25519SHA256': [[], [], [], [], [STRONG_CURVE]],
'curve25519-sha256': [['7.4,d2018.76'], [], [], [INFO_DEFAULT_OPENSSH_KEX_74_TO_89], [STRONG_CURVE]], 'curve25519-sha256': [['7.4,d2018.76'], [], [], [INFO_DEFAULT_OPENSSH_KEX_64_TO_89], [STRONG_CURVE]],
'curve25519-sha256@libssh.org': [['6.4,d2013.62,l10.6.0'], [], [], [INFO_DEFAULT_OPENSSH_KEX_65_TO_73], [STRONG_CURVE]], 'curve25519-sha256@libssh.org': [['6.4,d2013.62,l10.6.0'], [], [], [INFO_DEFAULT_OPENSSH_KEX_64_TO_89], [STRONG_CURVE]],
'curve448-sha512': [[], [], [], [], [GOOD_CURVE]], 'curve448-sha512': [[], [], [], [], [GOOD_CURVE]],
'curve448-sha512@libssh.org': [[], [], [], [], [GOOD_CURVE]], 'curve448-sha512@libssh.org': [[], [], [], [], [GOOD_CURVE]],
'diffie-hellman-group14-sha1': [['3.9,d0.53,l10.6.0'], [FAIL_SHA1], [WARN_2048BIT_MODULUS], [], [WEIGHT_FAIL]], 'diffie-hellman-group14-sha1': [['3.9,d0.53,l10.6.0'], [FAIL_SHA1], [WARN_2048BIT_MODULUS], [], [WEIGHT_FAIL]],
@@ -259,7 +258,7 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods
'null': [[], [FAIL_PLAINTEXT], [], [], [WEIGHT_FAIL]], 'null': [[], [FAIL_PLAINTEXT], [], [], [WEIGHT_FAIL]],
'pgp-sign-dss': [[], [FAIL_1024BIT_MODULUS], [], [], [WEIGHT_FAIL]], 'pgp-sign-dss': [[], [FAIL_1024BIT_MODULUS], [], [], [WEIGHT_FAIL]],
'pgp-sign-rsa': [[], [FAIL_1024BIT_MODULUS], [], [], [WEIGHT_FAIL]], 'pgp-sign-rsa': [[], [FAIL_1024BIT_MODULUS], [], [], [WEIGHT_FAIL]],
'rsa-sha2-256': [['7.2,d2020.79'], [], [], [], [2000]], 'rsa-sha2-256': [['7.2'], [], [], [], [2000]],
'rsa-sha2-256-cert-v01@openssh.com': [['7.8'], [], [], [], [NEVER_SUGGEST_ALG]], 'rsa-sha2-256-cert-v01@openssh.com': [['7.8'], [], [], [], [NEVER_SUGGEST_ALG]],
'rsa-sha2-512': [['7.2'], [], [], [], [2200]], 'rsa-sha2-512': [['7.2'], [], [], [], [2200]],
'rsa-sha2-512-cert-v01@openssh.com': [['7.8'], [], [], [], [NEVER_SUGGEST_ALG]], 'rsa-sha2-512-cert-v01@openssh.com': [['7.8'], [], [], [], [NEVER_SUGGEST_ALG]],
@@ -278,7 +277,7 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods
'ssh-dss-sha256@ssh.com': [[], [FAIL_1024BIT_MODULUS], [], [], [WEIGHT_FAIL]], 'ssh-dss-sha256@ssh.com': [[], [FAIL_1024BIT_MODULUS], [], [], [WEIGHT_FAIL]],
'ssh-dss-sha384@ssh.com': [[], [FAIL_1024BIT_MODULUS], [], [], [WEIGHT_FAIL]], 'ssh-dss-sha384@ssh.com': [[], [FAIL_1024BIT_MODULUS], [], [], [WEIGHT_FAIL]],
'ssh-dss-sha512@ssh.com': [[], [FAIL_1024BIT_MODULUS], [], [], [WEIGHT_FAIL]], 'ssh-dss-sha512@ssh.com': [[], [FAIL_1024BIT_MODULUS], [], [], [WEIGHT_FAIL]],
'ssh-ed25519': [['6.5,d2020.79,l10.7.0'], [], [], [], [2000]], 'ssh-ed25519': [['6.5,l10.7.0'], [], [], [], [2000]],
'ssh-ed25519-cert-v01@openssh.com': [['6.5'], [], [], [], [NEVER_SUGGEST_ALG]], 'ssh-ed25519-cert-v01@openssh.com': [['6.5'], [], [], [], [NEVER_SUGGEST_ALG]],
'ssh-ed448': [[], [], [], [], [1500]], 'ssh-ed448': [[], [], [], [], [1500]],
'ssh-ed448-cert-v01@openssh.com': [[], [], [], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH], [NEVER_SUGGEST_ALG]], 'ssh-ed448-cert-v01@openssh.com': [[], [], [], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH], [NEVER_SUGGEST_ALG]],
@@ -371,7 +370,7 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods
'cast128-ecb': [[], [FAIL_CAST], [WARN_CIPHER_MODE], [], [WEIGHT_FAIL]], 'cast128-ecb': [[], [FAIL_CAST], [WARN_CIPHER_MODE], [], [WEIGHT_FAIL]],
'cast128-ofb': [[], [FAIL_CAST], [WARN_CIPHER_MODE], [], [WEIGHT_FAIL]], 'cast128-ofb': [[], [FAIL_CAST], [WARN_CIPHER_MODE], [], [WEIGHT_FAIL]],
'chacha20-poly1305': [[], [], [], [INFO_DEFAULT_OPENSSH_CIPHER], [WEIGHT_CHACHA]], 'chacha20-poly1305': [[], [], [], [INFO_DEFAULT_OPENSSH_CIPHER], [WEIGHT_CHACHA]],
'chacha20-poly1305@openssh.com': [['6.5,d2020.79'], [], [], [INFO_DEFAULT_OPENSSH_CIPHER], [WEIGHT_CHACHA]], 'chacha20-poly1305@openssh.com': [['6.5'], [], [], [INFO_DEFAULT_OPENSSH_CIPHER], [WEIGHT_CHACHA]],
'crypticore128@ssh.com': [[], [FAIL_UNPROVEN], [], [], [WEIGHT_FAIL]], 'crypticore128@ssh.com': [[], [FAIL_UNPROVEN], [], [], [WEIGHT_FAIL]],
'des-cbc': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE], [], [WEIGHT_FAIL]], 'des-cbc': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE], [], [WEIGHT_FAIL]],
'des-cfb': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE], [], [WEIGHT_FAIL]], 'des-cfb': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE], [], [WEIGHT_FAIL]],
test/docker/expected_results/dropbear_2019.78_test1.json
+2 -2
View File
@@ -96,7 +96,7 @@
"algorithm": "curve25519-sha256", "algorithm": "curve25519-sha256",
"notes": { "notes": {
"info": [ "info": [
"default key exchange from OpenSSH 7.4 to 8.9", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 7.4, Dropbear SSH 2018.76" "available since OpenSSH 7.4, Dropbear SSH 2018.76"
] ]
} }
@@ -105,7 +105,7 @@
"algorithm": "curve25519-sha256@libssh.org", "algorithm": "curve25519-sha256@libssh.org",
"notes": { "notes": {
"info": [ "info": [
"default key exchange from OpenSSH 6.5 to 7.3", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 6.4, Dropbear SSH 2013.62" "available since OpenSSH 6.4, Dropbear SSH 2013.62"
] ]
} }
test/docker/expected_results/dropbear_2019.78_test1.txt
+2 -2
View File
@@ -6,9 +6,9 @@
# key exchange algorithms # key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 `- [info] default key exchange from OpenSSH 7.4 to 8.9  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
 `- [info] default key exchange from OpenSSH 6.5 to 7.3  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
test/docker/expected_results/openssh_8.0p1_test1.json
+5 -5
View File
@@ -40,7 +40,7 @@
"notes": { "notes": {
"info": [ "info": [
"default cipher since OpenSSH 6.9", "default cipher since OpenSSH 6.9",
"available since OpenSSH 6.5, Dropbear SSH 2020.79" "available since OpenSSH 6.5"
], ],
"warn": [ "warn": [
"vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation" "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation"
@@ -115,7 +115,7 @@
"algorithm": "curve25519-sha256", "algorithm": "curve25519-sha256",
"notes": { "notes": {
"info": [ "info": [
"default key exchange from OpenSSH 7.4 to 8.9", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 7.4, Dropbear SSH 2018.76" "available since OpenSSH 7.4, Dropbear SSH 2018.76"
] ]
} }
@@ -124,7 +124,7 @@
"algorithm": "curve25519-sha256@libssh.org", "algorithm": "curve25519-sha256@libssh.org",
"notes": { "notes": {
"info": [ "info": [
"default key exchange from OpenSSH 6.5 to 7.3", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 6.4, Dropbear SSH 2013.62" "available since OpenSSH 6.4, Dropbear SSH 2013.62"
] ]
} }
@@ -229,7 +229,7 @@
"keysize": 3072, "keysize": 3072,
"notes": { "notes": {
"info": [ "info": [
"available since OpenSSH 7.2, Dropbear SSH 2020.79" "available since OpenSSH 7.2"
] ]
} }
}, },
@@ -264,7 +264,7 @@
"algorithm": "ssh-ed25519", "algorithm": "ssh-ed25519",
"notes": { "notes": {
"info": [ "info": [
"available since OpenSSH 6.5, Dropbear SSH 2020.79" "available since OpenSSH 6.5"
] ]
} }
} }
test/docker/expected_results/openssh_8.0p1_test1.txt
+6 -6
View File
@@ -1,7 +1,7 @@
# general # general
(gen) banner: SSH-2.0-OpenSSH_8.0 (gen) banner: SSH-2.0-OpenSSH_8.0
(gen) software: OpenSSH 8.0 (gen) software: OpenSSH 8.0
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2020.79+ (gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@openssh.com) (gen) compression: enabled (zlib@openssh.com)
# security # security
@@ -12,9 +12,9 @@
# key exchange algorithms # key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 `- [info] default key exchange from OpenSSH 7.4 to 8.9  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
 `- [info] default key exchange from OpenSSH 6.5 to 7.3  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
@@ -33,18 +33,18 @@
# host-key algorithms # host-key algorithms
(key) rsa-sha2-512 (3072-bit) -- [info] available since OpenSSH 7.2 (key) rsa-sha2-512 (3072-bit) -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (3072-bit) -- [info] available since OpenSSH 7.2, Dropbear SSH 2020.79 (key) rsa-sha2-256 (3072-bit) -- [info] available since OpenSSH 7.2
(key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm (key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
`- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
 `- [warn] using weak random number generator could reveal the key  `- [warn] using weak random number generator could reveal the key
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79 (key) ssh-ed25519 -- [info] available since OpenSSH 6.5
# encryption algorithms (ciphers) # encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
`- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79 `- [info] available since OpenSSH 6.5
`- [info] default cipher since OpenSSH 6.9 `- [info] default cipher since OpenSSH 6.9
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 (enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr -- [info] available since OpenSSH 3.7 (enc) aes192-ctr -- [info] available since OpenSSH 3.7
test/docker/expected_results/openssh_8.0p1_test2.json
+4 -4
View File
@@ -40,7 +40,7 @@
"notes": { "notes": {
"info": [ "info": [
"default cipher since OpenSSH 6.9", "default cipher since OpenSSH 6.9",
"available since OpenSSH 6.5, Dropbear SSH 2020.79" "available since OpenSSH 6.5"
], ],
"warn": [ "warn": [
"vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation" "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation"
@@ -105,7 +105,7 @@
"algorithm": "curve25519-sha256", "algorithm": "curve25519-sha256",
"notes": { "notes": {
"info": [ "info": [
"default key exchange from OpenSSH 7.4 to 8.9", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 7.4, Dropbear SSH 2018.76" "available since OpenSSH 7.4, Dropbear SSH 2018.76"
] ]
} }
@@ -114,7 +114,7 @@
"algorithm": "curve25519-sha256@libssh.org", "algorithm": "curve25519-sha256@libssh.org",
"notes": { "notes": {
"info": [ "info": [
"default key exchange from OpenSSH 6.5 to 7.3", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 6.4, Dropbear SSH 2013.62" "available since OpenSSH 6.4, Dropbear SSH 2013.62"
] ]
} }
@@ -209,7 +209,7 @@
"algorithm": "ssh-ed25519", "algorithm": "ssh-ed25519",
"notes": { "notes": {
"info": [ "info": [
"available since OpenSSH 6.5, Dropbear SSH 2020.79" "available since OpenSSH 6.5"
] ]
} }
}, },
test/docker/expected_results/openssh_8.0p1_test2.txt
+5 -5
View File
@@ -1,7 +1,7 @@
# general # general
(gen) banner: SSH-2.0-OpenSSH_8.0 (gen) banner: SSH-2.0-OpenSSH_8.0
(gen) software: OpenSSH 8.0 (gen) software: OpenSSH 8.0
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2020.79+ (gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@openssh.com) (gen) compression: enabled (zlib@openssh.com)
# security # security
@@ -12,9 +12,9 @@
# key exchange algorithms # key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 `- [info] default key exchange from OpenSSH 7.4 to 8.9  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
 `- [info] default key exchange from OpenSSH 6.5 to 7.3  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
@@ -32,12 +32,12 @@
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
# host-key algorithms # host-key algorithms
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79 (key) ssh-ed25519 -- [info] available since OpenSSH 6.5
(key) ssh-ed25519-cert-v01@openssh.com (256-bit cert/256-bit ssh-ed25519 CA) -- [info] available since OpenSSH 6.5 (key) ssh-ed25519-cert-v01@openssh.com (256-bit cert/256-bit ssh-ed25519 CA) -- [info] available since OpenSSH 6.5
# encryption algorithms (ciphers) # encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
`- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79 `- [info] available since OpenSSH 6.5
`- [info] default cipher since OpenSSH 6.9 `- [info] default cipher since OpenSSH 6.9
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 (enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr -- [info] available since OpenSSH 3.7 (enc) aes192-ctr -- [info] available since OpenSSH 3.7
test/docker/expected_results/openssh_8.0p1_test3.json
+4 -4
View File
@@ -40,7 +40,7 @@
"notes": { "notes": {
"info": [ "info": [
"default cipher since OpenSSH 6.9", "default cipher since OpenSSH 6.9",
"available since OpenSSH 6.5, Dropbear SSH 2020.79" "available since OpenSSH 6.5"
], ],
"warn": [ "warn": [
"vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation" "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation"
@@ -105,7 +105,7 @@
"algorithm": "curve25519-sha256", "algorithm": "curve25519-sha256",
"notes": { "notes": {
"info": [ "info": [
"default key exchange from OpenSSH 7.4 to 8.9", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 7.4, Dropbear SSH 2018.76" "available since OpenSSH 7.4, Dropbear SSH 2018.76"
] ]
} }
@@ -114,7 +114,7 @@
"algorithm": "curve25519-sha256@libssh.org", "algorithm": "curve25519-sha256@libssh.org",
"notes": { "notes": {
"info": [ "info": [
"default key exchange from OpenSSH 6.5 to 7.3", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 6.4, Dropbear SSH 2013.62" "available since OpenSSH 6.4, Dropbear SSH 2013.62"
] ]
} }
@@ -135,7 +135,7 @@
"algorithm": "ssh-ed25519", "algorithm": "ssh-ed25519",
"notes": { "notes": {
"info": [ "info": [
"available since OpenSSH 6.5, Dropbear SSH 2020.79" "available since OpenSSH 6.5"
] ]
} }
} }
test/docker/expected_results/openssh_8.0p1_test3.txt
+5 -5
View File
@@ -1,7 +1,7 @@
# general # general
(gen) banner: SSH-2.0-OpenSSH_8.0 (gen) banner: SSH-2.0-OpenSSH_8.0
(gen) software: OpenSSH 8.0 (gen) software: OpenSSH 8.0
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2020.79+ (gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@openssh.com) (gen) compression: enabled (zlib@openssh.com)
# security # security
@@ -12,18 +12,18 @@
# key exchange algorithms # key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 `- [info] default key exchange from OpenSSH 7.4 to 8.9  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
 `- [info] default key exchange from OpenSSH 6.5 to 7.3  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4 (kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4
 `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).  `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
# host-key algorithms # host-key algorithms
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79 (key) ssh-ed25519 -- [info] available since OpenSSH 6.5
# encryption algorithms (ciphers) # encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
`- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79 `- [info] available since OpenSSH 6.5
`- [info] default cipher since OpenSSH 6.9 `- [info] default cipher since OpenSSH 6.9
(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2 (enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2 (enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
test/docker/expected_results/tinyssh_20190101_test1.json
+4 -4
View File
@@ -18,7 +18,7 @@
"notes": { "notes": {
"info": [ "info": [
"default cipher since OpenSSH 6.9", "default cipher since OpenSSH 6.9",
"available since OpenSSH 6.5, Dropbear SSH 2020.79" "available since OpenSSH 6.5"
], ],
"warn": [ "warn": [
"vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation" "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation"
@@ -43,7 +43,7 @@
"algorithm": "curve25519-sha256", "algorithm": "curve25519-sha256",
"notes": { "notes": {
"info": [ "info": [
"default key exchange from OpenSSH 7.4 to 8.9", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 7.4, Dropbear SSH 2018.76" "available since OpenSSH 7.4, Dropbear SSH 2018.76"
] ]
} }
@@ -52,7 +52,7 @@
"algorithm": "curve25519-sha256@libssh.org", "algorithm": "curve25519-sha256@libssh.org",
"notes": { "notes": {
"info": [ "info": [
"default key exchange from OpenSSH 6.5 to 7.3", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 6.4, Dropbear SSH 2013.62" "available since OpenSSH 6.4, Dropbear SSH 2013.62"
] ]
} }
@@ -75,7 +75,7 @@
"algorithm": "ssh-ed25519", "algorithm": "ssh-ed25519",
"notes": { "notes": {
"info": [ "info": [
"available since OpenSSH 6.5, Dropbear SSH 2020.79" "available since OpenSSH 6.5"
] ]
} }
} }
test/docker/expected_results/tinyssh_20190101_test1.txt
+5 -5
View File
@@ -1,23 +1,23 @@
# general # general
(gen) software: TinySSH noversion (gen) software: TinySSH noversion
(gen) compatibility: OpenSSH 8.0-8.4, Dropbear SSH 2020.79+ (gen) compatibility: OpenSSH 8.0-8.4, Dropbear SSH 2018.76+
(gen) compression: disabled (gen) compression: disabled
# key exchange algorithms # key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 `- [info] default key exchange from OpenSSH 7.4 to 8.9  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
 `- [info] default key exchange from OpenSSH 6.5 to 7.3  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) sntrup4591761x25519-sha512@tinyssh.org -- [warn] using experimental algorithm (kex) sntrup4591761x25519-sha512@tinyssh.org -- [warn] using experimental algorithm
`- [info] available since OpenSSH 8.0 `- [info] available since OpenSSH 8.0
`- [info] the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security `- [info] the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security
# host-key algorithms # host-key algorithms
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79 (key) ssh-ed25519 -- [info] available since OpenSSH 6.5
# encryption algorithms (ciphers) # encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation (enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
`- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79 `- [info] available since OpenSSH 6.5
`- [info] default cipher since OpenSSH 6.9 `- [info] default cipher since OpenSSH 6.9
# message authentication code algorithms # message authentication code algorithms