mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-11-22 10:31:41 +01:00
Added 'ssh-dss-sha256@ssh.com' host key type, 'crypticore128@ssh.com' and 'seed-cbc@ssh.com' ciphers, and 'crypticore-mac@ssh.com' MAC.
This commit is contained in:
parent
01ec6b0b37
commit
282770e698
@ -78,10 +78,10 @@ $ brew install ssh-audit
|
|||||||
- 1024-bit moduli upgraded from warnings to failures.
|
- 1024-bit moduli upgraded from warnings to failures.
|
||||||
- Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit [Jürgen Gmach](https://github.com/jugmac00)).
|
- Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit [Jürgen Gmach](https://github.com/jugmac00)).
|
||||||
- Suppress recommendation of token host key types.
|
- Suppress recommendation of token host key types.
|
||||||
- Added 1 new host key type: `ssh-rsa1`.
|
- Added 2 new host key types: `ssh-rsa1`, `ssh-dss-sha256@ssh.com`.
|
||||||
- Added 1 new key exchange: `diffie-hellman-group1-sha256`.
|
- Added 1 new key exchange: `diffie-hellman-group1-sha256`.
|
||||||
- Added 3 new ciphers: `blowfish`, `AEAD_AES_128_GCM`, `AEAD_AES_256_GCM`.
|
- Added 5 new ciphers: `blowfish`, `AEAD_AES_128_GCM`, `AEAD_AES_256_GCM`, `crypticore128@ssh.com`, `seed-cbc@ssh.com`.
|
||||||
- Added 2 new MACs: `chacha20-poly1305@openssh.com`, `hmac-sha3-224`.
|
- Added 3 new MACs: `chacha20-poly1305@openssh.com`, `hmac-sha3-224`, `crypticore-mac@ssh.com`.
|
||||||
|
|
||||||
### v2.2.0 (2020-03-11)
|
### v2.2.0 (2020-03-11)
|
||||||
- Marked host key type `ssh-rsa` as weak due to [practical SHA-1 collisions](https://eprint.iacr.org/2020/014.pdf).
|
- Marked host key type `ssh-rsa` as weak due to [practical SHA-1 collisions](https://eprint.iacr.org/2020/014.pdf).
|
||||||
|
@ -624,6 +624,7 @@ class SSH2: # pylint: disable=too-few-public-methods
|
|||||||
FAIL_PLAINTEXT = 'no encryption/integrity'
|
FAIL_PLAINTEXT = 'no encryption/integrity'
|
||||||
FAIL_DEPRECATED_MAC = 'deprecated MAC'
|
FAIL_DEPRECATED_MAC = 'deprecated MAC'
|
||||||
FAIL_1024BIT_MODULUS = 'using small 1024-bit modulus'
|
FAIL_1024BIT_MODULUS = 'using small 1024-bit modulus'
|
||||||
|
FAIL_UNPROVEN = 'using unproven algorithm'
|
||||||
WARN_CURVES_WEAK = 'using weak elliptic curves'
|
WARN_CURVES_WEAK = 'using weak elliptic curves'
|
||||||
WARN_RNDSIG_KEY = 'using weak random number generator could reveal the key'
|
WARN_RNDSIG_KEY = 'using weak random number generator could reveal the key'
|
||||||
WARN_HASH_WEAK = 'using weak hashing algorithm'
|
WARN_HASH_WEAK = 'using weak hashing algorithm'
|
||||||
@ -634,6 +635,7 @@ class SSH2: # pylint: disable=too-few-public-methods
|
|||||||
WARN_TAG_SIZE = 'using small 64-bit tag size'
|
WARN_TAG_SIZE = 'using small 64-bit tag size'
|
||||||
WARN_TAG_SIZE_96 = 'using small 96-bit tag size'
|
WARN_TAG_SIZE_96 = 'using small 96-bit tag size'
|
||||||
WARN_EXPERIMENTAL = 'using experimental algorithm'
|
WARN_EXPERIMENTAL = 'using experimental algorithm'
|
||||||
|
WARN_OBSOLETE = 'using obsolete algorithm'
|
||||||
|
|
||||||
ALGORITHMS = {
|
ALGORITHMS = {
|
||||||
# Format: 'algorithm_name': [['version_first_appeared_in'], [reason_for_failure1, reason_for_failure2, ...], [warning1, warning2, ...]]
|
# Format: 'algorithm_name': [['version_first_appeared_in'], [reason_for_failure1, reason_for_failure2, ...], [warning1, warning2, ...]]
|
||||||
@ -717,6 +719,7 @@ class SSH2: # pylint: disable=too-few-public-methods
|
|||||||
'rsa-sha2-256-cert-v01@openssh.com': [['7.8']],
|
'rsa-sha2-256-cert-v01@openssh.com': [['7.8']],
|
||||||
'rsa-sha2-512-cert-v01@openssh.com': [['7.8']],
|
'rsa-sha2-512-cert-v01@openssh.com': [['7.8']],
|
||||||
'ssh-rsa-sha256@ssh.com': [[]],
|
'ssh-rsa-sha256@ssh.com': [[]],
|
||||||
|
'ssh-dss-sha256@ssh.com': [[], [FAIL_1024BIT_MODULUS]],
|
||||||
'sk-ecdsa-sha2-nistp256-cert-v01@openssh.com': [['8.2'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]],
|
'sk-ecdsa-sha2-nistp256-cert-v01@openssh.com': [['8.2'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]],
|
||||||
'sk-ecdsa-sha2-nistp256@openssh.com': [['8.2'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]],
|
'sk-ecdsa-sha2-nistp256@openssh.com': [['8.2'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]],
|
||||||
'sk-ssh-ed25519-cert-v01@openssh.com': [['8.2']],
|
'sk-ssh-ed25519-cert-v01@openssh.com': [['8.2']],
|
||||||
@ -778,6 +781,8 @@ class SSH2: # pylint: disable=too-few-public-methods
|
|||||||
'camellia192-ctr': [[]],
|
'camellia192-ctr': [[]],
|
||||||
'camellia256-cbc': [[], [], [WARN_CIPHER_MODE]],
|
'camellia256-cbc': [[], [], [WARN_CIPHER_MODE]],
|
||||||
'camellia256-ctr': [[]],
|
'camellia256-ctr': [[]],
|
||||||
|
'crypticore128@ssh.com': [[], [FAIL_UNPROVEN]],
|
||||||
|
'seed-cbc@ssh.com': [[], [], [WARN_OBSOLETE, WARN_CIPHER_MODE]],
|
||||||
},
|
},
|
||||||
'mac': {
|
'mac': {
|
||||||
'none': [['d2013.56'], [FAIL_PLAINTEXT]],
|
'none': [['d2013.56'], [FAIL_PLAINTEXT]],
|
||||||
@ -822,6 +827,7 @@ class SSH2: # pylint: disable=too-few-public-methods
|
|||||||
'aes128-gcm': [[]],
|
'aes128-gcm': [[]],
|
||||||
'aes256-gcm': [[]],
|
'aes256-gcm': [[]],
|
||||||
'chacha20-poly1305@openssh.com': [[]], # Despite the @openssh.com tag, this was never shipped as a MAC in OpenSSH (only as a cipher); it is only implemented as a MAC in Syncplify.
|
'chacha20-poly1305@openssh.com': [[]], # Despite the @openssh.com tag, this was never shipped as a MAC in OpenSSH (only as a cipher); it is only implemented as a MAC in Syncplify.
|
||||||
|
'crypticore-mac@ssh.com': [[], [FAIL_UNPROVEN]],
|
||||||
}
|
}
|
||||||
} # type: Dict[str, Dict[str, List[List[Optional[str]]]]]
|
} # type: Dict[str, Dict[str, List[List[Optional[str]]]]]
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user