mirror of https://github.com/jtesta/ssh-audit.git
Ensure ECDSA and DSS fingerprints are only output in verbose mode. Clean up Docker tests from merge of #286.
This commit is contained in:
parent
a4b78b752e
commit
2cd96f1785
|
@ -229,6 +229,7 @@ For convenience, a web front-end on top of the command-line tool is available at
|
|||
- Fixed DHEat connection rate testing on MacOS X and BSD platforms; credit [Drew Noel](https://github.com/drewmnoel) and [Michael Osipov](https://github.com/michael-o).
|
||||
- Fixed invalid JSON output when a socket error occurs while performing a client audit.
|
||||
- When scanning multiple targets (using `-T`/`--targets`), the `-p`/`--port` option will now be used as the default port (set to 22 if `-p`/`--port` is not given). Hosts specified in the file can override this default with an explicit port number (i.e.: "host1:1234"). For example, when using `-T targets.txt -p 222`, all hosts in `targets.txt` that do not explicitly include a port number will default to 222; when using `-T targets.txt` (without `-p`), all hosts will use a default of 22.
|
||||
- Now reports ECDSA and DSS fingerprints when in verbose mode; partial credit [Daniel Lenski](https://github.com/dlenskiSB).
|
||||
- Added 1 new cipher: `grasshopper-ctr128`.
|
||||
- Added 2 new key exchanges: `mlkem768x25519-sha256`, `sntrup761x25519-sha512`.
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
"""
|
||||
The MIT License (MIT)
|
||||
|
||||
Copyright (C) 2017-2023 Joe Testa (jtesta@positronsecurity.com)
|
||||
Copyright (C) 2017-2024 Joe Testa (jtesta@positronsecurity.com)
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
|
@ -202,7 +202,7 @@ class HostKeyTest:
|
|||
cakey_warn_str = HostKeyTest.SMALL_ECC_MODULUS_WARNING
|
||||
|
||||
# Keys smaller than 2048 result in a failure. Keys smaller 3072 result in a warning. Update the database accordingly.
|
||||
if (cert is False) and (hostkey_modulus_size < hostkey_min_good):
|
||||
if (cert is False) and (hostkey_modulus_size < hostkey_min_good) and (host_key_type != 'ssh-dss'): # Skip ssh-dss, otherwise we get duplicate failure messages (SSH2_KexDB will always flag it).
|
||||
|
||||
# If the key is under 2048, add to the failure list.
|
||||
if hostkey_modulus_size < hostkey_min_warn:
|
||||
|
|
|
@ -360,11 +360,19 @@ def output_fingerprints(out: OutputBuffer, algs: Algorithms, is_json_output: boo
|
|||
fp_types = sorted(fps.keys())
|
||||
for fp_type in fp_types:
|
||||
fp = fps[fp_type]
|
||||
out.good('(fin) {}: {}'.format(fp_type, fp.sha256))
|
||||
|
||||
# Don't output any ECDSA or DSS fingerprints unless verbose mode is enabled.
|
||||
if fp_type.startswith("ecdsa-") or (fp_type == "ssh-dss"):
|
||||
if out.verbose:
|
||||
out.warn('(fin) {}: {} -- [info] this fingerprint type is insecure and should not be relied upon'.format(fp_type, fp.sha256))
|
||||
else:
|
||||
continue # If verbose mode is not enabled, skip this type entirely.
|
||||
else:
|
||||
out.good('(fin) {}: {}'.format(fp_type, fp.sha256))
|
||||
|
||||
# Output the MD5 hash too if verbose mode is enabled.
|
||||
if out.verbose:
|
||||
out.info('(fin) {}: {} -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case'.format(fp_type, fp.md5))
|
||||
out.warn('(fin) {}: {} -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case'.format(fp_type, fp.md5))
|
||||
|
||||
if not out.is_section_empty() and not is_json_output:
|
||||
out.head('# fingerprints')
|
||||
|
|
|
@ -78,6 +78,26 @@
|
|||
}
|
||||
],
|
||||
"fingerprints": [
|
||||
{
|
||||
"hash": "jdUfqoGCDOY1drQcoqIJm/pEix2r09hqwOs9E9GimZQ",
|
||||
"hash_alg": "SHA256",
|
||||
"hostkey": "ecdsa-sha2-nistp256"
|
||||
},
|
||||
{
|
||||
"hash": "98:27:f3:12:20:f6:23:6d:1a:00:2a:6c:71:7c:1e:6b",
|
||||
"hash_alg": "MD5",
|
||||
"hostkey": "ecdsa-sha2-nistp256"
|
||||
},
|
||||
{
|
||||
"hash": "NBzry0uMAX8BRsn4mv9CHpeivMOdwzGFEKrf6Hg7tIQ",
|
||||
"hash_alg": "SHA256",
|
||||
"hostkey": "ssh-dss"
|
||||
},
|
||||
{
|
||||
"hash": "16:60:9e:54:d7:1e:b3:0d:97:60:12:ad:fe:83:a2:40",
|
||||
"hash_alg": "MD5",
|
||||
"hostkey": "ssh-dss"
|
||||
},
|
||||
{
|
||||
"hash": "CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM",
|
||||
"hash_alg": "SHA256",
|
||||
|
|
|
@ -253,6 +253,16 @@
|
|||
}
|
||||
],
|
||||
"fingerprints": [
|
||||
{
|
||||
"hash": "sqDDYhzYz7YIQeFDc0WF8SeXtrEz+iwsV7d/FdIgztM",
|
||||
"hash_alg": "SHA256",
|
||||
"hostkey": "ssh-dss"
|
||||
},
|
||||
{
|
||||
"hash": "5c:de:62:f0:60:c8:93:13:87:71:78:95:56:3f:61:51",
|
||||
"hash_alg": "MD5",
|
||||
"hostkey": "ssh-dss"
|
||||
},
|
||||
{
|
||||
"hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4",
|
||||
"hash_alg": "SHA256",
|
||||
|
|
|
@ -240,6 +240,16 @@
|
|||
}
|
||||
],
|
||||
"fingerprints": [
|
||||
{
|
||||
"hash": "sqDDYhzYz7YIQeFDc0WF8SeXtrEz+iwsV7d/FdIgztM",
|
||||
"hash_alg": "SHA256",
|
||||
"hostkey": "ssh-dss"
|
||||
},
|
||||
{
|
||||
"hash": "5c:de:62:f0:60:c8:93:13:87:71:78:95:56:3f:61:51",
|
||||
"hash_alg": "MD5",
|
||||
"hostkey": "ssh-dss"
|
||||
},
|
||||
{
|
||||
"hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4",
|
||||
"hash_alg": "SHA256",
|
||||
|
|
|
@ -87,6 +87,16 @@
|
|||
}
|
||||
],
|
||||
"fingerprints": [
|
||||
{
|
||||
"hash": "Q6Llm0o4TrcUen4tnT2h4BDf2f+ina6dIJmVH8c40bg",
|
||||
"hash_alg": "SHA256",
|
||||
"hostkey": "ecdsa-sha2-nistp256"
|
||||
},
|
||||
{
|
||||
"hash": "cc:e0:80:84:5b:05:98:64:24:43:52:3b:17:c8:94:89",
|
||||
"hash_alg": "MD5",
|
||||
"hostkey": "ecdsa-sha2-nistp256"
|
||||
},
|
||||
{
|
||||
"hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU",
|
||||
"hash_alg": "SHA256",
|
||||
|
|
Loading…
Reference in New Issue