Added 6 new host key types: 'spi-sign-rsa', 'ssh-ed448', 'x509v3-ecdsa-sha2-nistp256', 'x509v3-ecdsa-sha2-nistp384', 'x509v3-ecdsa-sha2-nistp521', 'x509v3-rsa2048-sha256'. Added 5 new key exchanges: 'gss-group14-sha256-', 'gss-group15-sha512-', 'gss-group16-sha512-', 'gss-nistp256-sha256-', 'gss-curve25519-sha256-'.

README.md

@@ -85,15 +85,15 @@ $ brew install ssh-audit
 ```
 
 ## ChangeLog
-### v2.2.1-dev (???)
+### v2.3.0 (???)
- - Created new man page (see ssh-audit.1 file).
+ - Created new man page (see `ssh-audit.1` file).
  - 1024-bit moduli upgraded from warnings to failures.
  - Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit [Jürgen Gmach](https://github.com/jugmac00).
  - Added feature to look up algorithms in internal database (see `--lookup`); credit [Adam Russell](https://github.com/thecliguy).
  - Suppress recommendation of token host key types.
  - Added check for use-after-free vulnerability in PuTTY v0.73.
- - Added 5 new host key types: `ssh-rsa1`, `ssh-dss-sha256@ssh.com`, `ssh-gost2001`, `ssh-gost2012-256`, `ssh-gost2012-512`.
+ - Added 11 new host key types: `ssh-rsa1`, `ssh-dss-sha256@ssh.com`, `ssh-gost2001`, `ssh-gost2012-256`, `ssh-gost2012-512`, `spki-sign-rsa`, `ssh-ed448`, `x509v3-ecdsa-sha2-nistp256`, `x509v3-ecdsa-sha2-nistp384`, `x509v3-ecdsa-sha2-nistp521`, `x509v3-rsa2048-sha256`.
- - Added 3 new key exchanges: `diffie-hellman-group1-sha256`, `kexAlgoCurve25519SHA256`, `Curve25519SHA256`.
+ - Added 8 new key exchanges: `diffie-hellman-group1-sha256`, `kexAlgoCurve25519SHA256`, `Curve25519SHA256`, `gss-group14-sha256-`, `gss-group15-sha512-`, `gss-group16-sha512-`, `gss-nistp256-sha256-`, `gss-curve25519-sha256-`.
  - Added 5 new ciphers: `blowfish`, `AEAD_AES_128_GCM`, `AEAD_AES_256_GCM`, `crypticore128@ssh.com`, `seed-cbc@ssh.com`.
  - Added 3 new MACs: `chacha20-poly1305@openssh.com`, `hmac-sha3-224`, `crypticore-mac@ssh.com`.
 

ssh-audit.py

@@ -764,8 +764,13 @@ class SSH2:  # pylint: disable=too-few-public-methods
                 'gss-group1-sha1-': [[], [FAIL_1024BIT_MODULUS], [WARN_HASH_WEAK]],
                 'gss-group14-sha1-': [[], [], [WARN_HASH_WEAK]],
                 'gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==': [[], [], [WARN_HASH_WEAK]],
+                'gss-group14-sha256-': [[]],
                 'gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==': [[]],
+                'gss-group15-sha512-': [[]],
                 'gss-group15-sha512-toWM5Slw5Ew8Mqkay+al2g==': [[]],
+                'gss-group16-sha512-': [[]],
+                'gss-nistp256-sha256-': [[], [WARN_CURVES_WEAK]],
+                'gss-curve25519-sha256-': [[]],
                 'diffie-hellman-group1-sha256': [[], [FAIL_1024BIT_MODULUS]],
                 'diffie-hellman-group14-sha1': [['3.9,d0.53,l10.6.0'], [], [WARN_HASH_WEAK]],
                 'diffie-hellman-group14-sha256': [['7.3,d2016.73']],
@@ -846,6 +851,12 @@ class SSH2:  # pylint: disable=too-few-public-methods
                 'ssh-gost2001': [[], [], [WARN_UNTRUSTED]],
                 'ssh-gost2012-256': [[], [], [WARN_UNTRUSTED]],
                 'ssh-gost2012-512': [[], [], [WARN_UNTRUSTED]],
+                'spi-sign-rsa': [[]],
+                'ssh-ed448': [[]],
+                'x509v3-ecdsa-sha2-nistp256': [[], [WARN_CURVES_WEAK]],
+                'x509v3-ecdsa-sha2-nistp384': [[], [WARN_CURVES_WEAK]],
+                'x509v3-ecdsa-sha2-nistp521': [[], [WARN_CURVES_WEAK]],
+                'x509v3-rsa2048-sha256': [[]],
             },
             'enc': {
                 'none': [['1.2.2,d2013.56,l10.2'], [FAIL_PLAINTEXT]],