mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-11-22 02:21:40 +01:00
use less-than instead of not-equal when comparing key sizes (#242)
When evaluating policy compliance, use less-than operator so keys bigger than expected (and hence very often better) don't fail policy evaulation. This change reduces the amount of false-positives and allows for more flexibility when hardening SSH installations. Signed-off-by: szubersk <szuberskidamian@gmail.com>
This commit is contained in:
parent
3c31934ac7
commit
20873db596
@ -367,11 +367,11 @@ macs = %s
|
|||||||
hostkey_types = list(self._hostkey_sizes.keys())
|
hostkey_types = list(self._hostkey_sizes.keys())
|
||||||
hostkey_types.sort() # Sorted to make testing output repeatable.
|
hostkey_types.sort() # Sorted to make testing output repeatable.
|
||||||
for hostkey_type in hostkey_types:
|
for hostkey_type in hostkey_types:
|
||||||
expected_hostkey_size = self._hostkey_sizes[hostkey_type]['hostkey_size']
|
expected_hostkey_size = cast(int, self._hostkey_sizes[hostkey_type]['hostkey_size'])
|
||||||
server_host_keys = kex.host_keys()
|
server_host_keys = kex.host_keys()
|
||||||
if hostkey_type in server_host_keys:
|
if hostkey_type in server_host_keys:
|
||||||
actual_hostkey_size = server_host_keys[hostkey_type]['hostkey_size']
|
actual_hostkey_size = cast(int, server_host_keys[hostkey_type]['hostkey_size'])
|
||||||
if actual_hostkey_size != expected_hostkey_size:
|
if actual_hostkey_size < expected_hostkey_size:
|
||||||
ret = False
|
ret = False
|
||||||
self._append_error('Host key (%s) sizes' % hostkey_type, [str(expected_hostkey_size)], None, [str(actual_hostkey_size)])
|
self._append_error('Host key (%s) sizes' % hostkey_type, [str(expected_hostkey_size)], None, [str(actual_hostkey_size)])
|
||||||
|
|
||||||
@ -387,7 +387,7 @@ macs = %s
|
|||||||
ret = False
|
ret = False
|
||||||
self._append_error('CA signature type', [expected_ca_key_type], None, [actual_ca_key_type])
|
self._append_error('CA signature type', [expected_ca_key_type], None, [actual_ca_key_type])
|
||||||
# Ensure that the actual and expected signature sizes match.
|
# Ensure that the actual and expected signature sizes match.
|
||||||
elif actual_ca_key_size != expected_ca_key_size:
|
elif actual_ca_key_size < expected_ca_key_size:
|
||||||
ret = False
|
ret = False
|
||||||
self._append_error('CA signature size (%s)' % actual_ca_key_type, [str(expected_ca_key_size)], None, [str(actual_ca_key_size)])
|
self._append_error('CA signature size (%s)' % actual_ca_key_type, [str(expected_ca_key_size)], None, [str(actual_ca_key_size)])
|
||||||
|
|
||||||
@ -446,7 +446,7 @@ macs = %s
|
|||||||
expected_dh_modulus_size = self._dh_modulus_sizes[dh_modulus_type]
|
expected_dh_modulus_size = self._dh_modulus_sizes[dh_modulus_type]
|
||||||
if dh_modulus_type in kex.dh_modulus_sizes():
|
if dh_modulus_type in kex.dh_modulus_sizes():
|
||||||
actual_dh_modulus_size = kex.dh_modulus_sizes()[dh_modulus_type]
|
actual_dh_modulus_size = kex.dh_modulus_sizes()[dh_modulus_type]
|
||||||
if expected_dh_modulus_size != actual_dh_modulus_size:
|
if expected_dh_modulus_size > actual_dh_modulus_size:
|
||||||
ret = False
|
ret = False
|
||||||
self._append_error('Group exchange (%s) modulus sizes' % dh_modulus_type, [str(expected_dh_modulus_size)], None, [str(actual_dh_modulus_size)])
|
self._append_error('Group exchange (%s) modulus sizes' % dh_modulus_type, [str(expected_dh_modulus_size)], None, [str(actual_dh_modulus_size)])
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user