mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-12-22 22:15:22 +01:00
491 lines
14 KiB
JSON
491 lines
14 KiB
JSON
{
|
|
"additional_notes": [],
|
|
"banner": {
|
|
"comments": null,
|
|
"protocol": "2.0",
|
|
"raw": "SSH-2.0-OpenSSH_5.6",
|
|
"software": "OpenSSH_5.6"
|
|
},
|
|
"compression": [
|
|
"none",
|
|
"zlib@openssh.com"
|
|
],
|
|
"cves": [],
|
|
"enc": [
|
|
{
|
|
"algorithm": "aes128-ctr",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 3.7, Dropbear SSH 0.52"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "aes192-ctr",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 3.7"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "aes256-ctr",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 3.7, Dropbear SSH 0.52"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "arcfour256",
|
|
"notes": {
|
|
"fail": [
|
|
"using broken RC4 cipher"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 4.2"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "arcfour128",
|
|
"notes": {
|
|
"fail": [
|
|
"using broken RC4 cipher"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 4.2"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "aes128-cbc",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
|
|
],
|
|
"warn": [
|
|
"using weak cipher mode"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "3des-cbc",
|
|
"notes": {
|
|
"fail": [
|
|
"using broken & deprecated 3DES cipher"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 1.2.2, Dropbear SSH 0.28"
|
|
],
|
|
"warn": [
|
|
"using weak cipher mode",
|
|
"using small 64-bit block size"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "blowfish-cbc",
|
|
"notes": {
|
|
"fail": [
|
|
"using weak & deprecated Blowfish cipher"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 1.2.2, Dropbear SSH 0.28"
|
|
],
|
|
"warn": [
|
|
"using weak cipher mode",
|
|
"using small 64-bit block size"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "cast128-cbc",
|
|
"notes": {
|
|
"fail": [
|
|
"using weak & deprecated CAST cipher"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 2.1.0"
|
|
],
|
|
"warn": [
|
|
"using weak cipher mode",
|
|
"using small 64-bit block size"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "aes192-cbc",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 2.3.0"
|
|
],
|
|
"warn": [
|
|
"using weak cipher mode"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "aes256-cbc",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 2.3.0, Dropbear SSH 0.47"
|
|
],
|
|
"warn": [
|
|
"using weak cipher mode"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "arcfour",
|
|
"notes": {
|
|
"fail": [
|
|
"using broken RC4 cipher"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 2.1.0"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "rijndael-cbc@lysator.liu.se",
|
|
"notes": {
|
|
"fail": [
|
|
"using deprecated & non-standardized Rijndael cipher"
|
|
],
|
|
"info": [
|
|
"disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
|
|
"available since OpenSSH 2.3.0"
|
|
],
|
|
"warn": [
|
|
"using weak cipher mode"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"fingerprints": [
|
|
{
|
|
"hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244",
|
|
"hash_alg": "SHA256",
|
|
"hostkey": "ssh-rsa"
|
|
},
|
|
{
|
|
"hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1",
|
|
"hash_alg": "MD5",
|
|
"hostkey": "ssh-rsa"
|
|
}
|
|
],
|
|
"kex": [
|
|
{
|
|
"algorithm": "diffie-hellman-group-exchange-sha256",
|
|
"keysize": 1024,
|
|
"notes": {
|
|
"fail": [
|
|
"using small 1024-bit modulus"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 4.4"
|
|
],
|
|
"warn": [
|
|
"does not provide protection against post-quantum attacks"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "diffie-hellman-group-exchange-sha1",
|
|
"keysize": 1024,
|
|
"notes": {
|
|
"fail": [
|
|
"using small 1024-bit modulus"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 2.3.0"
|
|
],
|
|
"warn": [
|
|
"does not provide protection against post-quantum attacks"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "diffie-hellman-group14-sha1",
|
|
"notes": {
|
|
"fail": [
|
|
"using broken SHA-1 hash algorithm"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 3.9, Dropbear SSH 0.53"
|
|
],
|
|
"warn": [
|
|
"2048-bit modulus only provides 112-bits of symmetric strength",
|
|
"does not provide protection against post-quantum attacks"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "diffie-hellman-group1-sha1",
|
|
"notes": {
|
|
"fail": [
|
|
"using small 1024-bit modulus",
|
|
"vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
|
|
"using broken SHA-1 hash algorithm"
|
|
],
|
|
"info": [
|
|
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
|
|
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
|
|
],
|
|
"warn": [
|
|
"does not provide protection against post-quantum attacks"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"key": [
|
|
{
|
|
"algorithm": "ssh-rsa",
|
|
"keysize": 3072,
|
|
"notes": {
|
|
"fail": [
|
|
"using broken SHA-1 hash algorithm"
|
|
],
|
|
"info": [
|
|
"deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
|
|
"available since OpenSSH 2.5.0, Dropbear SSH 0.28"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "ssh-rsa-cert-v01@openssh.com",
|
|
"ca_algorithm": "ssh-rsa",
|
|
"casize": 1024,
|
|
"keysize": 3072,
|
|
"notes": {
|
|
"fail": [
|
|
"using broken SHA-1 hash algorithm",
|
|
"using small 1024-bit CA key modulus"
|
|
],
|
|
"info": [
|
|
"deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
|
|
"available since OpenSSH 5.6"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"mac": [
|
|
{
|
|
"algorithm": "hmac-md5",
|
|
"notes": {
|
|
"fail": [
|
|
"using broken MD5 hash algorithm"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
|
|
],
|
|
"warn": [
|
|
"using encrypt-and-MAC mode"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "hmac-sha1",
|
|
"notes": {
|
|
"fail": [
|
|
"using broken SHA-1 hash algorithm"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
|
|
],
|
|
"warn": [
|
|
"using encrypt-and-MAC mode"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "umac-64@openssh.com",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 4.7"
|
|
],
|
|
"warn": [
|
|
"using encrypt-and-MAC mode",
|
|
"using small 64-bit tag size"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "hmac-ripemd160",
|
|
"notes": {
|
|
"fail": [
|
|
"using deprecated RIPEMD hash algorithm"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 2.5.0"
|
|
],
|
|
"warn": [
|
|
"using encrypt-and-MAC mode"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "hmac-ripemd160@openssh.com",
|
|
"notes": {
|
|
"fail": [
|
|
"using deprecated RIPEMD hash algorithm"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 2.1.0"
|
|
],
|
|
"warn": [
|
|
"using encrypt-and-MAC mode"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "hmac-sha1-96",
|
|
"notes": {
|
|
"fail": [
|
|
"using broken SHA-1 hash algorithm"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 2.5.0, Dropbear SSH 0.47"
|
|
],
|
|
"warn": [
|
|
"using encrypt-and-MAC mode"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "hmac-md5-96",
|
|
"notes": {
|
|
"fail": [
|
|
"using broken MD5 hash algorithm"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 2.5.0"
|
|
],
|
|
"warn": [
|
|
"using encrypt-and-MAC mode"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"recommendations": {
|
|
"critical": {
|
|
"chg": {
|
|
"kex": [
|
|
{
|
|
"name": "diffie-hellman-group-exchange-sha256",
|
|
"notes": "increase modulus size to 3072 bits or larger"
|
|
}
|
|
]
|
|
},
|
|
"del": {
|
|
"enc": [
|
|
{
|
|
"name": "3des-cbc",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "arcfour128",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "arcfour",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "arcfour256",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "blowfish-cbc",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "cast128-cbc",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "rijndael-cbc@lysator.liu.se",
|
|
"notes": ""
|
|
}
|
|
],
|
|
"kex": [
|
|
{
|
|
"name": "diffie-hellman-group14-sha1",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "diffie-hellman-group1-sha1",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "diffie-hellman-group-exchange-sha1",
|
|
"notes": ""
|
|
}
|
|
],
|
|
"key": [
|
|
{
|
|
"name": "ssh-rsa",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "ssh-rsa-cert-v01@openssh.com",
|
|
"notes": ""
|
|
}
|
|
],
|
|
"mac": [
|
|
{
|
|
"name": "hmac-md5",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "hmac-md5-96",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "hmac-ripemd160",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "hmac-ripemd160@openssh.com",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "hmac-sha1",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "hmac-sha1-96",
|
|
"notes": ""
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"warning": {
|
|
"del": {
|
|
"enc": [
|
|
{
|
|
"name": "aes128-cbc",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "aes192-cbc",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "aes256-cbc",
|
|
"notes": ""
|
|
}
|
|
],
|
|
"mac": [
|
|
{
|
|
"name": "umac-64@openssh.com",
|
|
"notes": ""
|
|
}
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"target": "localhost:2222"
|
|
}
|