\fBssh-audit\fP analyzes the configuration of SSH servers & clients, then warns the user of weak, obsolete, and/or untested cryptographic primitives. It is very useful for hardening SSH tunnels, which by default tend to be optimized for compatibility, not security.
See <https://www.ssh\-audit.com/> for official hardening guides for common platforms.
.SH OPTIONS
.TP
.B -h, \-\-help
.br
Print short summary of options.
.TP
.B -1, \-\-ssh1
.br
Only perform an audit using SSH protocol version 1.
.TP
.B -2, \-\-ssh2
.br
Only perform an audit using SSH protocol version 2.
.TP
.B -4, \-\-ipv4
.br
Prioritize the usage of IPv4.
.TP
.B -6, \-\-ipv6
.br
Prioritize the usage of IPv6.
.TP
.B -b, \-\-batch
.br
Enables grepable output.
.TP
.B -c, \-\-client\-audit
.br
Starts a server on port 2222 to audit the configuration of client software. Use -p/--port=<port> to change the port and -t/--timeout=<secs> to change the listen timeout.
.TP
.B -g, \-\-gex
.br
Runs a Diffie-Hellman Group Exchange modulus size test against a server.
.br
Diffie-Hellman requires the client and server to agree on a generator value and a modulus value. In the "Group Exchange" variant of Diffie-Hellman, the client specifies the size of the modulus, in bits, by sending the server minimum, preferred and maximum values. The server then finds a group that best matches the client's request and returns the corresponding generator and modulus. For a full explanation of this process, see RFC 4419 and its successors.
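As an added illustration (not code from the ssh-audit project), the exchange described above in Python: the client's SSH_MSG_KEX_DH_GEX_REQUEST encoding from RFC 4419, the server-side group selection, and a grading of the negotiated modulus size. The 2048/3072-bit grading thresholds are an assumption for this example, not ssh-audit's own rules.

```python
import struct

SSH_MSG_KEX_DH_GEX_REQUEST = 34  # message number from RFC 4419


def build_gex_request(min_bits: int, pref_bits: int, max_bits: int) -> bytes:
    """Encode SSH_MSG_KEX_DH_GEX_REQUEST: one byte type, then three
    big-endian uint32 fields (min, preferred, max modulus size in bits)."""
    if not min_bits <= pref_bits <= max_bits:
        raise ValueError("min <= preferred <= max must hold")
    return struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST, min_bits, pref_bits, max_bits)

def parse_gex_request(payload: bytes) -> tuple:
    """Decode the request on the server side and return (min, preferred, max)."""
    if len(payload) != 13:
        raise ValueError("malformed GEX request")
    msg_type, lo, n, hi = struct.unpack(">BIII", payload)
    if msg_type != SSH_MSG_KEX_DH_GEX_REQUEST:
        raise ValueError("not a GEX request")
    return lo, n, hi

def select_group(known_sizes, lo: int, n: int, hi: int):
    """Server-side choice following RFC 4419 guidance: the smallest known
    group at least as large as the preferred size, else the largest known
    group, always staying within [lo, hi]. Returns None if nothing fits."""
    fitting = [b for b in known_sizes if lo <= b <= hi]
    if not fitting:
        return None
    big_enough = [b for b in fitting if b >= n]
    return min(big_enough) if big_enough else max(fitting)

def grade_modulus(bits: int) -> str:
    """Assessment of the negotiated modulus size; the thresholds are an
    assumption for this example (2048 bits is a common floor today)."""
    if bits < 2048:
        return "fail"
    if bits < 3072:
        return "warn"
    return "ok"

def audit_gex(server_sizes, lo=1024, n=2048, hi=8192):
    """Round trip: client request -> server selection -> grade. A server
    that answers a small minimum with a small group is the weak
    configuration an audit wants to surface. server_sizes is a constructed
    stand-in for the moduli a server actually has available."""
    lo, n, hi = parse_gex_request(build_gex_request(lo, n, hi))
    chosen = select_group(server_sizes, lo, n, hi)
    return chosen, (None if chosen is None else grade_modulus(chosen))
```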
.TP
.B -M, \-\-make\-policy=<custom_policy.txt>
.br
Creates a policy based on the target server. Useful when other servers should be compared against the target server's custom configuration (e.g. a cluster environment). Note that the resulting policy can be edited manually.
.TP
.B -n, \-\-no\-colors
.br
Disable color output.
.TP
.B -p, \-\-port=<port>
.br
The TCP port to connect to when auditing a server, or the port to listen on when auditing a client.
.TP
.B -P, \-\-policy=<policy.txt>
.br
Runs a policy audit against a target using the specified policy (see the \fBPOLICY AUDIT\fP section for a detailed description of this mode of operation). Combine with -c/--client-audit to audit a client configuration instead of a server. Use -L/--list-policies to list all official, built-in policies for common systems.
.TP
.B -t, \-\-timeout=<secs>
.br
The timeout, in seconds, for creating connections and reading data from the socket. Default is 5.
.SH STANDARD AUDIT
By default, \fBssh-audit\fP performs a standard audit. That is, it enumerates all host key types, key exchanges, ciphers, MACs, and other information, then color-codes them in the output to the user. Cryptographic primitives with potential issues are displayed in yellow; primitives with serious flaws are displayed in red.
.SH POLICY AUDIT
When the -P/--policy option is used, \fBssh-audit\fP performs a policy audit. The target's host key types, key exchanges, ciphers, MACs, and other information are compared to a set of expected values defined in the specified policy file. If everything matches, only a short message stating a passing result is reported. Otherwise, the field(s) that did not match are reported.
The set of official built-in policies can be viewed with -L/--list-policies. Multiple servers can be audited with -T/--targets=<servers.txt>. Custom policies can be made from an ideal target server with -M/--make-policy=<custom_policy.txt>.