Git/ssh-audit
1
0
Fork 0
mirror of https://github.com/jtesta/ssh-audit.git synced 2025-10-30 21:15:27 +01:00
Code Issues Packages Projects Releases Wiki Activity

Added note that sntrup761x25519-sha512@openssh.com is the default OpenSSH kex since version 9.0.

Browse Source
This commit is contained in:
Joe Testa
2024-03-15 17:24:21 -04:00
parent b2f46eb71a
commit 7b3402b207
11 changed files with 25 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/ssh_audit/ssh2_kexdb.py
View File

@@ -62,7 +62,8 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods
WARN_TAG_SIZE_96 = 'using small 96-bit tag size' WARN_TAG_SIZE_96 = 'using small 96-bit tag size'
INFO_DEFAULT_OPENSSH_CIPHER = 'default cipher since OpenSSH 6.9' INFO_DEFAULT_OPENSSH_CIPHER = 'default cipher since OpenSSH 6.9'
INFO_DEFAULT_OPENSSH_KEX = 'default key exchange since OpenSSH 6.4' INFO_DEFAULT_OPENSSH_KEX_64_TO_89 = 'default key exchange from OpenSSH 6.4 to 8.9'
INFO_DEFAULT_OPENSSH_KEX_90 = 'default key exchange since OpenSSH 9.0'
INFO_DEPRECATED_IN_OPENSSH88 = 'deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8' INFO_DEPRECATED_IN_OPENSSH88 = 'deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8'
INFO_DISABLED_IN_DBEAR67 = 'disabled in Dropbear SSH 2015.67' INFO_DISABLED_IN_DBEAR67 = 'disabled in Dropbear SSH 2015.67'
INFO_DISABLED_IN_OPENSSH70 = 'disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0' INFO_DISABLED_IN_OPENSSH70 = 'disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0'
@@ -81,8 +82,8 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods
# Format: 'algorithm_name': [['version_first_appeared_in'], [reason_for_failure1, reason_for_failure2, ...], [warning1, warning2, ...], [info1, info2, ...]] # Format: 'algorithm_name': [['version_first_appeared_in'], [reason_for_failure1, reason_for_failure2, ...], [warning1, warning2, ...], [info1, info2, ...]]
'kex': { 'kex': {
'Curve25519SHA256': [[]], 'Curve25519SHA256': [[]],
'curve25519-sha256': [['7.4,d2018.76'], [], [], [INFO_DEFAULT_OPENSSH_KEX]], 'curve25519-sha256': [['7.4,d2018.76'], [], [], [INFO_DEFAULT_OPENSSH_KEX_64_TO_89]],
'curve25519-sha256@libssh.org': [['6.4,d2013.62,l10.6.0'], [], [], [INFO_DEFAULT_OPENSSH_KEX]], 'curve25519-sha256@libssh.org': [['6.4,d2013.62,l10.6.0'], [], [], [INFO_DEFAULT_OPENSSH_KEX_64_TO_89]],
'curve448-sha512': [[]], 'curve448-sha512': [[]],
'curve448-sha512@libssh.org': [[]], 'curve448-sha512@libssh.org': [[]],
'diffie-hellman-group14-sha1': [['3.9,d0.53,l10.6.0'], [FAIL_SHA1], [WARN_2048BIT_MODULUS]], 'diffie-hellman-group14-sha1': [['3.9,d0.53,l10.6.0'], [FAIL_SHA1], [WARN_2048BIT_MODULUS]],
@@ -191,7 +192,7 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods
'rsa2048-sha256': [[], [], [WARN_2048BIT_MODULUS]], 'rsa2048-sha256': [[], [], [WARN_2048BIT_MODULUS]],
'sm2kep-sha2-nistp256': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_UNTRUSTED]], 'sm2kep-sha2-nistp256': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_UNTRUSTED]],
'sntrup4591761x25519-sha512@tinyssh.org': [['8.0', '8.4'], [], [WARN_EXPERIMENTAL], [INFO_WITHDRAWN_PQ_ALG]], 'sntrup4591761x25519-sha512@tinyssh.org': [['8.0', '8.4'], [], [WARN_EXPERIMENTAL], [INFO_WITHDRAWN_PQ_ALG]],
'sntrup761x25519-sha512@openssh.com': [['8.5'], [], []], 'sntrup761x25519-sha512@openssh.com': [['8.5'], [], [], [INFO_DEFAULT_OPENSSH_KEX_90]],
'x25519-kyber-512r3-sha256-d00@amazon.com': [[]], 'x25519-kyber-512r3-sha256-d00@amazon.com': [[]],
'x25519-kyber512-sha512@aws.amazon.com': [[]], 'x25519-kyber512-sha512@aws.amazon.com': [[]],
}, },

4
test/docker/expected_results/dropbear_2019.78_test1.json
View File

@@ -96,7 +96,7 @@
"algorithm": "curve25519-sha256", "algorithm": "curve25519-sha256",
"notes": { "notes": {
"info": [ "info": [
"default key exchange since OpenSSH 6.4", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 7.4, Dropbear SSH 2018.76" "available since OpenSSH 7.4, Dropbear SSH 2018.76"
] ]
} }
@@ -105,7 +105,7 @@
"algorithm": "curve25519-sha256@libssh.org", "algorithm": "curve25519-sha256@libssh.org",
"notes": { "notes": {
"info": [ "info": [
"default key exchange since OpenSSH 6.4", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 6.4, Dropbear SSH 2013.62" "available since OpenSSH 6.4, Dropbear SSH 2013.62"
] ]
} }

4
test/docker/expected_results/dropbear_2019.78_test1.txt
View File

@@ -6,9 +6,9 @@
# key exchange algorithms # key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 `- [info] default key exchange since OpenSSH 6.4  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
 `- [info] default key exchange since OpenSSH 6.4  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency

4
test/docker/expected_results/openssh_8.0p1_test1.json
View File

@@ -115,7 +115,7 @@
"algorithm": "curve25519-sha256", "algorithm": "curve25519-sha256",
"notes": { "notes": {
"info": [ "info": [
"default key exchange since OpenSSH 6.4", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 7.4, Dropbear SSH 2018.76" "available since OpenSSH 7.4, Dropbear SSH 2018.76"
] ]
} }
@@ -124,7 +124,7 @@
"algorithm": "curve25519-sha256@libssh.org", "algorithm": "curve25519-sha256@libssh.org",
"notes": { "notes": {
"info": [ "info": [
"default key exchange since OpenSSH 6.4", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 6.4, Dropbear SSH 2013.62" "available since OpenSSH 6.4, Dropbear SSH 2013.62"
] ]
} }

4
test/docker/expected_results/openssh_8.0p1_test1.txt
View File

@@ -12,9 +12,9 @@
# key exchange algorithms # key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 `- [info] default key exchange since OpenSSH 6.4  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
 `- [info] default key exchange since OpenSSH 6.4  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency

4
test/docker/expected_results/openssh_8.0p1_test2.json
View File

@@ -105,7 +105,7 @@
"algorithm": "curve25519-sha256", "algorithm": "curve25519-sha256",
"notes": { "notes": {
"info": [ "info": [
"default key exchange since OpenSSH 6.4", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 7.4, Dropbear SSH 2018.76" "available since OpenSSH 7.4, Dropbear SSH 2018.76"
] ]
} }
@@ -114,7 +114,7 @@
"algorithm": "curve25519-sha256@libssh.org", "algorithm": "curve25519-sha256@libssh.org",
"notes": { "notes": {
"info": [ "info": [
"default key exchange since OpenSSH 6.4", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 6.4, Dropbear SSH 2013.62" "available since OpenSSH 6.4, Dropbear SSH 2013.62"
] ]
} }

4
test/docker/expected_results/openssh_8.0p1_test2.txt
View File

@@ -12,9 +12,9 @@
# key exchange algorithms # key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 `- [info] default key exchange since OpenSSH 6.4  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
 `- [info] default key exchange since OpenSSH 6.4  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency (kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency

4
test/docker/expected_results/openssh_8.0p1_test3.json
View File

@@ -105,7 +105,7 @@
"algorithm": "curve25519-sha256", "algorithm": "curve25519-sha256",
"notes": { "notes": {
"info": [ "info": [
"default key exchange since OpenSSH 6.4", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 7.4, Dropbear SSH 2018.76" "available since OpenSSH 7.4, Dropbear SSH 2018.76"
] ]
} }
@@ -114,7 +114,7 @@
"algorithm": "curve25519-sha256@libssh.org", "algorithm": "curve25519-sha256@libssh.org",
"notes": { "notes": {
"info": [ "info": [
"default key exchange since OpenSSH 6.4", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 6.4, Dropbear SSH 2013.62" "available since OpenSSH 6.4, Dropbear SSH 2013.62"
] ]
} }

4
test/docker/expected_results/openssh_8.0p1_test3.txt
View File

@@ -12,9 +12,9 @@
# key exchange algorithms # key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 `- [info] default key exchange since OpenSSH 6.4  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
 `- [info] default key exchange since OpenSSH 6.4  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4 (kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4
 `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).  `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).

4
test/docker/expected_results/tinyssh_20190101_test1.json
View File

@@ -43,7 +43,7 @@
"algorithm": "curve25519-sha256", "algorithm": "curve25519-sha256",
"notes": { "notes": {
"info": [ "info": [
"default key exchange since OpenSSH 6.4", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 7.4, Dropbear SSH 2018.76" "available since OpenSSH 7.4, Dropbear SSH 2018.76"
] ]
} }
@@ -52,7 +52,7 @@
"algorithm": "curve25519-sha256@libssh.org", "algorithm": "curve25519-sha256@libssh.org",
"notes": { "notes": {
"info": [ "info": [
"default key exchange since OpenSSH 6.4", "default key exchange from OpenSSH 6.4 to 8.9",
"available since OpenSSH 6.4, Dropbear SSH 2013.62" "available since OpenSSH 6.4, Dropbear SSH 2013.62"
] ]
} }

4
test/docker/expected_results/tinyssh_20190101_test1.txt
View File

@@ -5,9 +5,9 @@
# key exchange algorithms # key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 `- [info] default key exchange since OpenSSH 6.4  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
 `- [info] default key exchange since OpenSSH 6.4  `- [info] default key exchange from OpenSSH 6.4 to 8.9
(kex) sntrup4591761x25519-sha512@tinyssh.org -- [warn] using experimental algorithm (kex) sntrup4591761x25519-sha512@tinyssh.org -- [warn] using experimental algorithm
`- [info] available since OpenSSH 8.0 `- [info] available since OpenSSH 8.0
`- [info] the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security `- [info] the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security