From 120f8985395462c1c85d2f96b0137c129d3b2576 Mon Sep 17 00:00:00 2001 From: Joe Testa Date: Mon, 26 Aug 2019 14:45:31 -0400 Subject: [PATCH] Added Dropbear test. --- docker_test.sh | 206 ++++++++++++++---- test/docker/Dockerfile | 2 + test/docker/dropbear_dss_host_key | Bin 0 -> 458 bytes test/docker/dropbear_ecdsa_host_key | Bin 0 -> 141 bytes test/docker/dropbear_rsa_host_key_1024 | Bin 0 -> 421 bytes test/docker/dropbear_rsa_host_key_3072 | Bin 0 -> 1189 bytes .../dropbear_2019.78_test1.txt | 82 +++++++ 7 files changed, 251 insertions(+), 39 deletions(-) create mode 100644 test/docker/dropbear_dss_host_key create mode 100644 test/docker/dropbear_ecdsa_host_key create mode 100644 test/docker/dropbear_rsa_host_key_1024 create mode 100644 test/docker/dropbear_rsa_host_key_3072 create mode 100644 test/docker/expected_results/dropbear_2019.78_test1.txt diff --git a/docker_test.sh b/docker_test.sh index 77e6bb6..548a676 100755 --- a/docker_test.sh +++ b/docker_test.sh @@ -15,7 +15,7 @@ # This is the docker tag for the image. If this tag doesn't exist, then we assume the # image is out of date, and generate a new one with this tag. -IMAGE_VERSION=1 +IMAGE_VERSION=2 # This is the name of our docker image. IMAGE_NAME=ssh-audit-test 
@@ -35,21 +35,52 @@ function check_if_docker_image_exists { } +# Uncompresses and compiles the specified version of Dropbear. +function compile_dropbear { + version=$1 + compile 'Dropbear' $version +} + + # Uncompresses and compiles the specified version of OpenSSH. function compile_openssh { - echo "Uncompressing $1..." - tar xzf openssh-$1.tar.gz + version=$1 + compile 'OpenSSH' $version +} - echo "Compiling $1..." - pushd openssh-$1 > /dev/null +function compile { + project=$1 + version=$2 + + tarball= + uncompress_options= + source_dir= + server_executable= + if [[ $project == 'OpenSSH' ]]; then + tarball="openssh-${version}.tar.gz" + uncompress_options="xzf" + source_dir="openssh-${version}" + server_executable=sshd + elif [[ $project == 'Dropbear' ]]; then + tarball="dropbear-${version}.tar.bz2" + uncompress_options="xjf" + source_dir="dropbear-${version}" + server_executable=dropbear + fi + + echo "Uncompressing ${project} ${version}..." + tar $uncompress_options $tarball + + echo "Compiling ${project} ${version}..." + pushd $source_dir > /dev/null ./configure && make -j 10 - if [[ ! -f "sshd" ]]; then - echo -e "${REDB}Error: sshd not built!${CLR}" + if [[ ! -f $server_executable ]]; then + echo -e "${REDB}Error: ${server_executable} not built!${CLR}" exit 1 fi - echo -e "\n${GREEN}Successfully built OpenSSH ${1}${CLR}\n" + echo -e "\n${GREEN}Successfully built ${project} ${version}${CLR}\n" popd > /dev/null } 
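Review bot: `compile` has no fallback branch, so a project name other than 'OpenSSH' or 'Dropbear' leaves `tarball`, `source_dir` and `server_executable` empty, and the function still runs `tar` and `pushd` with empty arguments before ending in a misleading "not built" error. An explicit `else` arm would fail early, e.g. `else echo -e "${REDB}Error: unknown project: ${project}${CLR}"; exit 1`. The new variables are assigned without `local`, so `project` and `version` become globals shared with the other helpers, and the expansions in `tar $uncompress_options $tarball` and `pushd $source_dir` are unquoted. I would write `local project=$1 version=$2` and `tar "$uncompress_options" "$tarball"`.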
@@ -68,18 +99,24 @@ function create_docker_image { # Get the release key for OpenSSH. get_openssh_release_key + get_dropbear_release_key # Aside from checking the GPG signatures, we also compare against this known-good # SHA-256 hash just in case. get_openssh '4.0p1' '5adb9b2c2002650e15216bf94ed9db9541d9a17c96fcd876784861a8890bc92b' get_openssh '5.6p1' '538af53b2b8162c21a293bb004ae2bdb141abd250f61b4cea55244749f3c6c2b' get_openssh '8.0p1' 'bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0b437320c3481fd68' + get_dropbear '2019.78' '525965971272270995364a0eb01f35180d793182e63dd0b0c3eb0292291644a4' # Compile the versions of OpenSSH. compile_openssh '4.0p1' compile_openssh '5.6p1' compile_openssh '8.0p1' + # Compile the versions of Dropbear. + compile_dropbear '2019.78' + + # Rename the default config files so we know they are our originals. mv openssh-4.0p1/sshd_config sshd_config-4.0p1_orig mv openssh-5.6p1/sshd_config sshd_config-5.6p1_orig 
@@ -150,61 +187,122 @@ function create_openssh_config { } +# Downloads the Dropbear release key and adds it to the local keyring. +function get_dropbear_release_key { + get_release_key 'Dropbear' 'https://matt.ucc.asn.au/dropbear/releases/dropbear-key-2015.asc' 'F29C6773' 'F734 7EF2 EE2E 07A2 6762 8CA9 4493 1494 F29C 6773' +} + + # Downloads the OpenSSH release key and adds it to the local keyring. function get_openssh_release_key { - local release_key_fingerprint_expected='59C2 118E D206 D927 E667 EBE3 D3E5 F56B 6D92 0D30' + get_release_key 'OpenSSH' 'https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc' '6D920D30' '59C2 118E D206 D927 E667 EBE3 D3E5 F56B 6D92 0D30' +} - echo -e "\nGetting OpenSSH release key...\n" - wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc - echo -e "\nImporting OpenSSH release key...\n" - gpg --import RELEASE_KEY.asc +function get_release_key { + project=$1 + key_url=$2 + key_id=$3 + release_key_fingerprint_expected=$4 - local release_key_fingerprint_actual=`gpg --fingerprint 6D920D30` + echo -e "\nGetting ${project} release key...\n" + wget -O key.asc $2 + + echo -e "\nImporting ${project} release key...\n" + gpg --import key.asc + + rm key.asc + + local release_key_fingerprint_actual=`gpg --fingerprint ${key_id}` if [[ $release_key_fingerprint_actual != *"$release_key_fingerprint_expected"* ]]; then - echo -e "\n${REDB}Error: OpenSSH release key fingerprint does not match expected value!\n\tExpected: $release_key_fingerprint_expected\n\tActual: $release_key_fingerprint_actual\n\nTerminating.${CLR}" + echo -e "\n${REDB}Error: ${project} release key fingerprint does not match expected value!\n\tExpected: $release_key_fingerprint_expected\n\tActual: $release_key_fingerprint_actual\n\nTerminating.${CLR}" exit -1 fi - echo -e "\n\n${GREEN}OpenSSH release key matches expected value.${CLR}\n" + echo -e "\n\n${GREEN}${project} release key matches expected value.${CLR}\n" +} + + +# Downloads the specified version of 
Dropbear. +function get_dropbear { + version=$1 + tarball_checksum_expected=$2 + get_source 'Dropbear' $version $tarball_checksum_expected } # Downloads the specified version of OpenSSH. function get_openssh { - echo -e "\nGetting OpenSSH $1 sources...\n" - wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$1.tar.gz + version=$1 + tarball_checksum_expected=$2 + get_source 'OpenSSH' $version $tarball_checksum_expected +} - echo -e "\nGetting OpenSSH $1 signature...\n" - wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$1.tar.gz.asc - openssh_sig=openssh-$1.tar.gz.asc - # Older releases were .sigs. - if [[ ! -f $openssh_sig ]]; then - wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$1.tar.gz.sig - openssh_sig=openssh-$1.tar.gz.sig +function get_source { + project=$1 + version=$2 + tarball_checksum_expected=$3 + + base_url= + tarball= + sig= + signer= + if [[ $project == 'OpenSSH' ]]; then + base_url='https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/' + tarball="openssh-${version}.tar.gz" + sig="${tarball}.asc" + signer="Damien Miller " + elif [[ $project == 'Dropbear' ]]; then + base_url='https://matt.ucc.asn.au/dropbear/releases/' + tarball="dropbear-${version}.tar.bz2" + sig="${tarball}.asc" + signer="Dropbear SSH Release Signing " fi - local gpg_verify=`gpg --verify $openssh_sig openssh-$1.tar.gz 2>&1` - if [[ $gpg_verify != *"Good signature from \"Damien Miller "* ]]; then - echo -e "\n\n${REDB}Error: OpenSSH signature invalid!\n$gpg_verify\n\nTerminating.${CLR}" + echo -e "\nGetting ${project} ${version} sources...\n" + wget "${base_url}${tarball}" + + echo -e "\nGetting ${project} ${version} signature...\n" + wget "${base_url}${sig}" + + + # Older OpenSSH releases were .sigs. + if [[ ($project == 'OpenSSH') && (! 
-f $sig) ]]; then + wget ${base_url}openssh-${version}.tar.gz.sig + sig=openssh-${version}.tar.gz.sig + fi + + local gpg_verify=`gpg --verify ${sig} ${tarball} 2>&1` + if [[ $gpg_verify != *"Good signature from \"${signer}"* ]]; then + echo -e "\n\n${REDB}Error: ${project} signature invalid!\n$gpg_verify\n\nTerminating.${CLR}" exit -1 fi # Check GPG's return value. 0 denotes a valid signature, and 1 is returned # on invalid signatures. if [[ $? != 0 ]]; then - echo -e "\n\n${REDB}Error: OpenSSH signature invalid! Verification returned code: $?\n\nTerminating.${CLR}" + echo -e "\n\n${REDB}Error: ${project} signature invalid! Verification returned code: $?\n\nTerminating.${CLR}" exit -1 fi - echo -e "${GREEN}Signature on OpenSSH sources verified.${CLR}\n" + echo -e "${GREEN}Signature on ${project} sources verified.${CLR}\n" - local openssh_checksum_actual=`sha256sum openssh-$1.tar.gz | cut -f1 -d" "` - if [[ $openssh_checksum_actual != "$2" ]]; then - echo -e "${REDB}Error: OpenSSH checksum is invalid!\n Expected: $2\n Actual: $openssh_checksum_actual\n\n Terminating.${CLR}" + local checksum_actual=`sha256sum ${tarball} | cut -f1 -d" "` + if [[ $checksum_actual != $tarball_checksum_expected ]]; then + echo -e "${REDB}Error: ${project} checksum is invalid!\n Expected: ${tarball_checksum_expected}\n Actual: ${checksum_actual}\n\n Terminating.${CLR}" exit -1 fi +} + +# Runs a Dropbear test. Upon failure, a diff between the expected and actual results +# is shown, then the script immediately terminates. +function run_dropbear_test { + dropbear_version=$1 + test_number=$2 + options=$3 + + run_test 'Dropbear' $dropbear_version $test_number "$options" } 
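Review bot: In `get_source` a signature is accepted when gpg's text output contains `Good signature from "${signer}`, which matches the user-ID name of whichever keyring key made the signature, not the pinned release-key fingerprint. `get_release_key` imports `key.asc` into gpg's default keyring (no `--homedir` is given) before comparing fingerprints, and looks the key up by an 8-hex-digit short ID, so a key carrying the same name may be present in the keyring and would satisfy this check. Each project branch could also set the pinned primary-key fingerprint with spaces removed, and the check could then require a `VALIDSIG` status line containing it, as sketched below. The `$?` test after the text match never sees gpg's exit status, because it runs after the `local` assignment and the `if [[ … ]]` block. The checksum comparison also lost its quotes, so the expected value is now treated as a pattern: `if [[ $checksum_actual != "$tarball_checksum_expected" ]]; then`.

```shell
    # … unchanged: per-project branches, which would additionally set signer_fingerprint …
    # … unchanged: tarball and signature downloads, .sig fallback …

    # Machine-readable status goes to stdout; gpg's own diagnostics stay on stderr.
    local gpg_status gpg_rc
    gpg_status=$(gpg --status-fd 1 --verify "$sig" "$tarball")
    gpg_rc=$?
    if [[ $gpg_rc != 0 ]] || ! grep -q "^\[GNUPG:\] VALIDSIG .*${signer_fingerprint}" <<< "$gpg_status"; then
        echo -e "\n\n${REDB}Error: ${project} signature invalid! (gpg exit code: ${gpg_rc})\n\nTerminating.${CLR}"
        exit -1
    fi
    # … unchanged: success message and SHA-256 comparison …
```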
@@ -214,15 +312,42 @@ function run_openssh_test { openssh_version=$1 test_number=$2 - cid=`docker run -d -p 2222:22 ${IMAGE_NAME}:${IMAGE_VERSION} /openssh/sshd-${openssh_version} -D -f /etc/ssh/sshd_config-${openssh_version}_${test_number}` + run_test 'OpenSSH' $openssh_version $test_number '' +} + + +function run_test { + server_type=$1 + version=$2 + test_number=$3 + options=$4 + + server_exec= + test_result= + expected_result= + test_name= + if [[ $server_type == 'OpenSSH' ]]; then + server_exec="/openssh/sshd-${version} -D -f /etc/ssh/sshd_config-${version}_${test_number}" + test_result="${TEST_RESULT_DIR}/openssh_${version}_${test_number}.txt" + expected_result="test/docker/expected_results/openssh_${version}_${test_number}.txt" + test_name="OpenSSH ${version} ${test_number}" + options= + elif [[ $server_type == 'Dropbear' ]]; then + server_exec="/dropbear/dropbear-${version} -F ${options}" + test_result="${TEST_RESULT_DIR}/dropbear_${version}_${test_number}.txt" + expected_result="test/docker/expected_results/dropbear_${version}_${test_number}.txt" + test_name="Dropbear ${version} ${test_number}" + fi + + cid=`docker run -d -p 2222:22 ${IMAGE_NAME}:${IMAGE_VERSION} ${server_exec}` if [[ $? != 0 ]]; then echo -e "${REDB}Failed to run docker image! (exit code: $?)${CLR}" exit 1 fi - ./ssh-audit.py localhost:2222 > ${TEST_RESULT_DIR}/openssh_${openssh_version}_${test_number}.txt + ./ssh-audit.py localhost:2222 > $test_result if [[ $? != 0 ]]; then - echo -e "${REDB}Failed to ssh-audit.py! (exit code: $?)${CLR}" + echo -e "${REDB}Failed to run ssh-audit.py! (exit code: $?)${CLR}" docker container stop $cid > /dev/null exit 1 fi 
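Review bot: `docker run -d -p 2222:22` in `run_test` publishes the container's SSH port on every host interface by default, and the servers started here are deliberately old or weakly keyed (OpenSSH 4.0p1, Dropbear with 1024-bit RSA and DSS host keys), so they are exposed beyond the local machine for the duration of each test. ssh-audit connects to `localhost:2222`, so binding to loopback loses nothing: `-p 127.0.0.1:2222:22`. `run_test` also has no branch for an unknown `server_type`, in which case `server_exec` stays empty and `docker run` is given no command. The function body continues past the end of this hunk.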
@@ -233,16 +358,17 @@ function run_openssh_test { exit 1 fi - diff=`diff -u test/docker/expected_results/openssh_${openssh_version}_${test_number}.txt ${TEST_RESULT_DIR}/openssh_${openssh_version}_${test_number}.txt` + diff=`diff -u ${expected_result} ${test_result}` if [[ $? == 0 ]]; then - echo -e "OpenSSH ${openssh_version} ${test_number} ${GREEN}passed${CLR}." + echo -e "${test_name} ${GREEN}passed${CLR}." else - echo -e "OpenSSH ${openssh_version} ${test_number} ${REDB}FAILED${CLR}.\n\n${diff}\n" + echo -e "${test_name} ${REDB}FAILED${CLR}.\n\n${diff}\n" exit 1 fi } + # First check if docker is functional. docker version > /dev/null if [[ $? != 0 ]]; then @@ -276,6 +402,8 @@ echo run_openssh_test '8.0p1' 'test1' run_openssh_test '8.0p1' 'test2' run_openssh_test '8.0p1' 'test3' +echo +run_dropbear_test '2019.78' 'test1' '-r /etc/dropbear/dropbear_rsa_host_key_1024 -r /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_ecdsa_host_key' # The test functions above will terminate the script on failure, so if we reached here, # all tests are successful. diff --git a/test/docker/Dockerfile b/test/docker/Dockerfile index 41a62c2..1f2b05b 100644 --- a/test/docker/Dockerfile +++ b/test/docker/Dockerfile @@ -3,7 +3,9 @@ FROM ubuntu:16.04 COPY openssh-4.0p1/sshd /openssh/sshd-4.0p1 COPY openssh-5.6p1/sshd /openssh/sshd-5.6p1 COPY openssh-8.0p1/sshd /openssh/sshd-8.0p1 +COPY dropbear-2019.78/dropbear /dropbear/dropbear-2019.78 +COPY dropbear_*_host_key* /etc/dropbear/ COPY sshd_config* /etc/ssh/ COPY ssh_host_* /etc/ssh/ COPY ssh1_host_* /etc/ssh/ 
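Review bot: `COPY dropbear_*_host_key* /etc/dropbear/` bakes private host keys that are committed to the repository into the image, and the glob also picks up `dropbear_rsa_host_key_3072`, which the test1 invocation in docker_test.sh does not pass to `-r`. A comment above the line would make the intent explicit and discourage reuse of the image or the keys elsewhere, e.g. `# Test fixtures only: these host keys are public in the repository; never use them on a real server.`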
diff --git a/test/docker/dropbear_dss_host_key b/test/docker/dropbear_dss_host_key new file mode 100644 index 0000000000000000000000000000000000000000..3388632b0fc98e850d7ccf09cd6e8e2038360e55 GIT binary patch literal 458 zcmV;*0X6;r000Mbb7(DOb8`Ry0D%Co?vAb8N10T7&t5a7KnBrOWHzJcUMz$TRebBg zbS3B5a{g@0ZPPxUg57h>RivS8%#uM?Ga2c)1JpXT=r%vFt*#*P)%U zdRufUEj6F$ODd|8z%}SL{-PF#{x82#eMkzxR~@!<)mw9M5Jm*Vo+qc&gKp0N000#L z!OYNY%9>%c-+?rF2Z0$TN3T3p0001hG9|O=EkwE;+%sWMycr2(Dt@vV{7UXSb*Tw> z=--ghyKg!Q(crUCD2l?L?=#+H%%%}f8LyC+HWlX?Qr2@@)entgZa;PJ)$XmfZcH2IyQ2QVZ86tNVJ_iaU!`w0001h zD@H#-_1`-AMZDaov}tLx$NX;|{o|H$q4M-oS1rJe(*Q>!?o9(TU&!>;@AtHxH=PX%arH0l1S;6!Nt zyhK82*h2+mK$tr;GJ!{M}7DVyu8g*Q)c+{;%R{qXd4mh&aYWZt}N@cUg9kQCmzbVcr}Uc*Pe-9Q5s o8MdB3vg`V>vt9qP;th_8i|1aQpE#lK-=fQ>?QJ7gna|S%0PtcxC;$Ke literal 0 HcmV?d00001 diff --git a/test/docker/dropbear_rsa_host_key_1024 b/test/docker/dropbear_rsa_host_key_1024 new file mode 100644 index 0000000000000000000000000000000000000000..d9ce33192211f98e08d492e7419fe6af68740e1d GIT binary patch literal 421 zcmV;W0b2e5000Mbb7(Dcb724g00RL40RR91fdJmKFherJPd3s2qy(yadX!9QR|QKp z2rUd=1```2|XeA$H#38}1yf89A$4keNBd7F`-9>u2?%*j5-CA5ma zN($D>wktN-4*ZmPbIwrpic4Lispi+J$oVwq?7Zr5t>wfawS4vnciro?m=^xn4_Dqx zJSzYI0DuB9a9g6MyPf$kry8dZCO#FR!HPRH$Z6DDjIN}WWuHdrWJ3s@3xccQ@yyUL z2hE4V)eE_K*(Q(8qIcWd@06_r!i2r~u5RRa6)643pwLKTX zZO|qFQ*>8E31G23!SvoM;u7u+3l+?CQ*tyEqV=4MC_b4qmp002P% z;lX9go^~YC9+0NbWmx{*^Jew`cRo^lLD?UP6EU|6HT&i&SwV%6A_Z-vFXhDROSl&R PmW+ql0k`SljVV|k+jGO+ literal 0 HcmV?d00001 
diff --git a/test/docker/dropbear_rsa_host_key_3072 b/test/docker/dropbear_rsa_host_key_3072 new file mode 100644 index 0000000000000000000000000000000000000000..006249a89e68a047e9f355312ccf79e8566f2c81 GIT binary patch literal 1189 zcmV;W1X}w5000Mbb7(Dcb724g00RL40RR92fdHDh-7vrii(-xoBNb5B`Sy9xkg!eY zTS*3L@_nYDzm!Cr9)7fE4l?w?8f!=u`J)!>v9)9~DgW>ex}E_W6`qI0Ca3s&_{-d4 z`eC6AARDHV6`qHCs*NdEXEJvekvliwPDk_D4~WMNXKE|s{6#F+ z$1JYslLZW3u7ifDh`Pwl`L-wSvR$D7cbv_Y+Bo{*Csm1Zfyr-~3|{_bu61XeEe8x| z=X7+6m6bLAYtu0O8M?EY2=TyA=BBUakBb#=SFUD#7un5w^^(&1xfF_=)+3~%`fC6H z0e}&FHA-jZgrJ&kZW*-_pok1Z!fqlR7&RvDuE72Y93rfFki}GiahEJWru2Sic~~4| zMU{|D73F(POeI94xfbPV-OVDUZjpa7GDX2Fksnkia~@U%=GtHXC2%*OiRGjwuOLwo zJg%?+(NHBDq}(&}l-8%u(Y^Gu&B)N|rMYzVch)|^`N#+I;qfPcG|0eU8*B3Bt*t@4 zlHs)nj6zQ`j*W%6{x+(VNh=kM*?yHi4hu9o)J}aoK3Zq9LOl+P@Uf=|4F&&qO?IJ}!4dAm>L4CQ6TrqAV{Bq=JdEyN3js0pU5wWfn%$$| zYHoFarfZn!dW8U=`IvL31UyhJqMQw%Dk<9)(6P90cQ6mV)w{n4kN`01+4Ys3(uxtb z+)D^ZIt-`RJQRQdm0H0$c>VLj`tbk&0Kov%L>OvdQw#PvarYX$kO}dyKdFKE%pQb0 zW{e0u9`ugUBN`~r>(KIqPlZZ%Os_qP{y{|2SB$lf#fCddWi;#65RO4xDD#89c;~%@ z++l6h05M6CB6R5-%bK5ea7>JJzY#9(fIZw+0BhM@F|^am zPHRTjDm-k))>zR1006-Nx|-KR2~sTt%TqY}zPDoOEn!cYKl}?oaGtElp&AFfx|ige zXJLxMzqmFyHyGPQD1xBJM6`wXN1b>Fc)9Q<+}dO=i}RST`@1`2VOd;{jtf%&Y6YPj zBopc~RgT`Wmurh$<)=eE4|SM2?`ThX8TR0J+6LC3z;J`_0%koKD0801BIRm`oM)S$ zk?d7>Dnx22rbw~{KNqoSGjB3Fy6@$kgt8 DS2su* literal 0 HcmV?d00001 diff --git a/test/docker/expected_results/dropbear_2019.78_test1.txt b/test/docker/expected_results/dropbear_2019.78_test1.txt new file mode 100644 index 0000000..9edb398 --- /dev/null +++ b/test/docker/expected_results/dropbear_2019.78_test1.txt 
@@ -0,0 +1,82 @@ +# general +(gen) banner: SSH-2.0-dropbear_2019.78 +(gen) software: Dropbear SSH 2019.78 +(gen) compatibility: OpenSSH 7.4+ (some functionality from 6.6), Dropbear SSH 2016.73+ +(gen) compression: enabled (zlib@openssh.com) + +# key exchange algorithms +(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4 +(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62 +(kex) ecdh-sha2-nistp521 -- [fail] using weak elliptic curves + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +(kex) ecdh-sha2-nistp384 -- [fail] using weak elliptic curves + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +(kex) ecdh-sha2-nistp256 -- [fail] using weak elliptic curves + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +(kex) diffie-hellman-group14-sha256 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 +(kex) diffie-hellman-group14-sha1 -- [warn] using weak hashing algorithm + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 +(kex) kexguess2@matt.ucc.asn.au -- [info] available since Dropbear SSH 2013.57 + +# host-key algorithms +(key) ecdsa-sha2-nistp256 -- [fail] using weak elliptic curves + `- [warn] using weak random number generator could reveal the key + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +(key) ssh-rsa (1024-bit) -- [fail] using small 1024-bit modulus + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 +(key) ssh-dss -- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm + `- [warn] using small 1024-bit modulus + `- [warn] using weak random number generator could reveal the key + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 + +# encryption algorithms (ciphers) +(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 +(enc) aes128-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe 
algorithm + `- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 +(enc) aes256-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm + `- [warn] using weak cipher mode + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47 +(enc) 3des-ctr -- [fail] using weak cipher + `- [info] available since Dropbear SSH 0.52 +(enc) 3des-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm + `- [warn] disabled (in client) since OpenSSH 7.4, unsafe algorithm + `- [warn] using weak cipher + `- [warn] using weak cipher mode + `- [warn] using small 64-bit block size + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 + +# message authentication code algorithms +(mac) hmac-sha1-96 -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm + `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm + `- [warn] using encrypt-and-MAC mode + `- [warn] using weak hashing algorithm + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47 +(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode + `- [warn] using weak hashing algorithm + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode + `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 + +# fingerprints +(fin) ssh-rsa: SHA256:CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM + +# algorithm recommendations (for Dropbear SSH 2019.78) +(rec) !ssh-rsa -- key algorithm to change (increase modulus size to 2048 bits or larger)  +(rec) -3des-cbc -- enc algorithm to remove  +(rec) -3des-ctr -- enc algorithm to remove  +(rec) -aes128-cbc -- enc algorithm to remove  +(rec) -aes256-cbc -- enc algorithm to remove  +(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove  +(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove  +(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove  +(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove  +(rec) -hmac-sha1-96 -- mac algorithm to remove  
+(rec) -ssh-dss -- key algorithm to remove  +(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append  +(rec) +twofish128-ctr -- enc algorithm to append  +(rec) +twofish256-ctr -- enc algorithm to append  +(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove  +(rec) -hmac-sha1 -- mac algorithm to remove  +