mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-11-25 12:01:40 +01:00
Added new ciphers (camellia128-cbc, camellia128-ctr, camellia192-cbc, camellia192-ctr, camellia256-cbc, camellia256-ctr). Fixed certain algorithms not appearing in the recommendations list (#16).
This commit is contained in:
parent
c043570879
commit
5292066e66
@ -57,11 +57,11 @@ Guides to harden server & client configuration can be found here: [https://www.s
|
|||||||
|
|
||||||
## ChangeLog
|
## ChangeLog
|
||||||
### v2.1.2 (???)
|
### v2.1.2 (???)
|
||||||
- Marked host key type `ssh-rsa` as weak due to practical SHA-1 collisions.
|
- Marked host key type `ssh-rsa` as weak due to [practical SHA-1 collisions](https://eprint.iacr.org/2020/014.pdf).
|
||||||
- Added Windows builds.
|
- Added Windows builds.
|
||||||
- Added 10 new host key types: `ecdsa-sha2-1.3.132.0.10`, `x509v3-sign-dss`, `x509v3-sign-rsa`, `x509v3-sign-rsa-sha256@ssh.com`, `x509v3-ssh-dss`, `x509v3-ssh-rsa`, `sk-ecdsa-sha2-nistp256-cert-v01@openssh.com`, `sk-ecdsa-sha2-nistp256@openssh.com`, `sk-ssh-ed25519-cert-v01@openssh.com`, and `sk-ssh-ed25519@openssh.com`.
|
- Added 10 new host key types: `ecdsa-sha2-1.3.132.0.10`, `x509v3-sign-dss`, `x509v3-sign-rsa`, `x509v3-sign-rsa-sha256@ssh.com`, `x509v3-ssh-dss`, `x509v3-ssh-rsa`, `sk-ecdsa-sha2-nistp256-cert-v01@openssh.com`, `sk-ecdsa-sha2-nistp256@openssh.com`, `sk-ssh-ed25519-cert-v01@openssh.com`, and `sk-ssh-ed25519@openssh.com`.
|
||||||
- Added 18 new key exchanges: `diffie-hellman-group14-sha256@ssh.com`, `diffie-hellman-group15-sha256@ssh.com`, `diffie-hellman-group15-sha384@ssh.com`, `diffie-hellman-group16-sha384@ssh.com`, `diffie-hellman-group16-sha512@ssh.com`, `diffie-hellman-group18-sha512@ssh.com`, `ecdh-sha2-curve25519`, `ecdh-sha2-nistb233`, `ecdh-sha2-nistb409`, `ecdh-sha2-nistk163`, `ecdh-sha2-nistk233`, `ecdh-sha2-nistk283`, `ecdh-sha2-nistk409`, `ecdh-sha2-nistp192`, `ecdh-sha2-nistp224`, `ecdh-sha2-nistt571`, `gss-gex-sha1-`, and `gss-group1-sha1-`.
|
- Added 18 new key exchanges: `diffie-hellman-group14-sha256@ssh.com`, `diffie-hellman-group15-sha256@ssh.com`, `diffie-hellman-group15-sha384@ssh.com`, `diffie-hellman-group16-sha384@ssh.com`, `diffie-hellman-group16-sha512@ssh.com`, `diffie-hellman-group18-sha512@ssh.com`, `ecdh-sha2-curve25519`, `ecdh-sha2-nistb233`, `ecdh-sha2-nistb409`, `ecdh-sha2-nistk163`, `ecdh-sha2-nistk233`, `ecdh-sha2-nistk283`, `ecdh-sha2-nistk409`, `ecdh-sha2-nistp192`, `ecdh-sha2-nistp224`, `ecdh-sha2-nistt571`, `gss-gex-sha1-`, and `gss-group1-sha1-`.
|
||||||
- Added 3 new ciphers: `aes128-gcm`, `aes256-gcm`, and `chacha20-poly1305`.
|
- Added 9 new ciphers: `camellia128-cbc`, `camellia128-ctr`, `camellia192-cbc`, `camellia192-ctr`, `camellia256-cbc`, `camellia256-ctr`, `aes128-gcm`, `aes256-gcm`, and `chacha20-poly1305`.
|
||||||
- Added 2 new MACs: `aes128-gcm` and `aes256-gcm`.
|
- Added 2 new MACs: `aes128-gcm` and `aes256-gcm`.
|
||||||
|
|
||||||
### v2.1.1 (2019-11-26)
|
### v2.1.1 (2019-11-26)
|
||||||
|
44
ssh-audit.py
44
ssh-audit.py
@ -467,6 +467,12 @@ class SSH2(object): # pylint: disable=too-few-public-methods
|
|||||||
'aes256-gcm@openssh.com': [['6.2']],
|
'aes256-gcm@openssh.com': [['6.2']],
|
||||||
'chacha20-poly1305': [[], [], [], [INFO_OPENSSH69_CHACHA]],
|
'chacha20-poly1305': [[], [], [], [INFO_OPENSSH69_CHACHA]],
|
||||||
'chacha20-poly1305@openssh.com': [['6.5'], [], [], [INFO_OPENSSH69_CHACHA]],
|
'chacha20-poly1305@openssh.com': [['6.5'], [], [], [INFO_OPENSSH69_CHACHA]],
|
||||||
|
'camellia128-cbc': [[], [], [WARN_CIPHER_MODE]],
|
||||||
|
'camellia128-ctr': [[]],
|
||||||
|
'camellia192-cbc': [[], [], [WARN_CIPHER_MODE]],
|
||||||
|
'camellia192-ctr': [[]],
|
||||||
|
'camellia256-cbc': [[], [], [WARN_CIPHER_MODE]],
|
||||||
|
'camellia256-ctr': [[]],
|
||||||
},
|
},
|
||||||
'mac': {
|
'mac': {
|
||||||
'none': [['d2013.56'], [FAIL_PLAINTEXT]],
|
'none': [['d2013.56'], [FAIL_PLAINTEXT]],
|
||||||
@ -1795,25 +1801,27 @@ class SSH(object): # pylint: disable=too-few-public-methods
|
|||||||
rec[sshv][alg_type] = {'add': {}, 'del': {}, 'chg': {}}
|
rec[sshv][alg_type] = {'add': {}, 'del': {}, 'chg': {}}
|
||||||
for n, alg_desc in alg_db[alg_type].items():
|
for n, alg_desc in alg_db[alg_type].items():
|
||||||
versions = alg_desc[0]
|
versions = alg_desc[0]
|
||||||
|
empty_version = False
|
||||||
if len(versions) == 0 or versions[0] is None:
|
if len(versions) == 0 or versions[0] is None:
|
||||||
continue
|
empty_version = True
|
||||||
matches = False
|
if not empty_version:
|
||||||
if unknown_software:
|
matches = False
|
||||||
matches = True
|
if unknown_software:
|
||||||
for v in versions[0].split(','):
|
matches = True
|
||||||
ssh_prefix, ssh_version, is_cli = SSH.Algorithm.get_ssh_version(v)
|
for v in versions[0].split(','):
|
||||||
if not ssh_version:
|
ssh_prefix, ssh_version, is_cli = SSH.Algorithm.get_ssh_version(v)
|
||||||
|
if not ssh_version:
|
||||||
|
continue
|
||||||
|
if (software is not None) and (ssh_prefix != software.product):
|
||||||
|
continue
|
||||||
|
if is_cli and for_server:
|
||||||
|
continue
|
||||||
|
if (software is not None) and (software.compare_version(ssh_version) < 0):
|
||||||
|
continue
|
||||||
|
matches = True
|
||||||
|
break
|
||||||
|
if not matches:
|
||||||
continue
|
continue
|
||||||
if (software is not None) and (ssh_prefix != software.product):
|
|
||||||
continue
|
|
||||||
if is_cli and for_server:
|
|
||||||
continue
|
|
||||||
if (software is not None) and (software.compare_version(ssh_version) < 0):
|
|
||||||
continue
|
|
||||||
matches = True
|
|
||||||
break
|
|
||||||
if not matches:
|
|
||||||
continue
|
|
||||||
adl, faults = len(alg_desc), 0
|
adl, faults = len(alg_desc), 0
|
||||||
for i in range(1, 3):
|
for i in range(1, 3):
|
||||||
if not adl > i:
|
if not adl > i:
|
||||||
@ -1822,7 +1830,7 @@ class SSH(object): # pylint: disable=too-few-public-methods
|
|||||||
if fc > 0:
|
if fc > 0:
|
||||||
faults += pow(10, 2 - i) * fc
|
faults += pow(10, 2 - i) * fc
|
||||||
if n not in alg_list:
|
if n not in alg_list:
|
||||||
if faults > 0 or (alg_type == 'key' and '-cert-' in n):
|
if faults > 0 or (alg_type == 'key' and '-cert-' in n) or empty_version:
|
||||||
continue
|
continue
|
||||||
rec[sshv][alg_type]['add'][n] = 0
|
rec[sshv][alg_type]['add'][n] = 0
|
||||||
else:
|
else:
|
||||||
|
Loading…
Reference in New Issue
Block a user