Now issues a warning when 2048-bit moduli are encountered.

2025-09-07 20:32:58 +02:00 · 2023-02-06 16:27:30 -05:00
parent f9e00b6f2d
commit c9dc9a9c10
17 changed files with 93 additions and 42 deletions
--- a/src/ssh_audit/gextest.py
+++ b/src/ssh_audit/gextest.py
@ -1,7 +1,7 @@
 """
   The MIT License (MIT)

-   Copyright (C) 2017-2021 Joe Testa (jtesta@positronsecurity.com)
+   Copyright (C) 2017-2023 Joe Testa (jtesta@positronsecurity.com)

   Permission is hereby granted, free of charge, to any person obtaining a copy
   of this software and associated documentation files (the "Software"), to deal
@ -220,5 +220,18 @@ class GEXTest:
                            del lst[1]
                            lst.insert(1, [text])

+                    # Moduli smaller than 3072 get flagged as a warning.
+                    elif smallest_modulus < 3072:
+                        lst = SSH2_KexDB.ALGORITHMS['kex'][gex_alg]
+
+                        # Ensure that a warning list exists for us to append to, below.
+                        while len(lst) < 3:
+                            lst.append([])
+
+                        # Ensure this is only added once.
+                        text = '2048-bit modulus only provides 112-bits of symmetric strength'
+                        if text not in lst[2]:
+                            lst[2].append(text)
+
                if reconnect_failed:
                    break