From ca9baf80b8da2b4e15fed883bfdc4a8e5cee2347 Mon Sep 17 00:00:00 2001
From: Andris Raugulis
Date: Tue, 5 Jan 2016 17:01:04 +0200
Subject: [PATCH] Fail on unsafe elliptic curves.
---
 ssh-audit.py | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/ssh-audit.py b/ssh-audit.py
index fb9f291..6c5a2e8 100755
--- a/ssh-audit.py
+++ b/ssh-audit.py
@@ -164,9 +164,9 @@ KEX_DB = {
 'diffie-hellman-group14-sha1': ['3.9,d0.53', [], [TEXT_HASH_WEAK]],
 'diffie-hellman-group-exchange-sha1': ['2.3.0', [FAIL_OPENSSH67_UNSAFE], [TEXT_HASH_WEAK]],
 'diffie-hellman-group-exchange-sha256': ['4.4', [], [TEXT_MODULUS_CUSTOM]],
- 'ecdh-sha2-nistp256': ['5.7,d2013.62', [], [TEXT_CURVES_WEAK]],
- 'ecdh-sha2-nistp384': ['5.7,d2013.62', [], [TEXT_CURVES_WEAK]],
- 'ecdh-sha2-nistp521': ['5.7,d2013.62', [], [TEXT_CURVES_WEAK]],
+ 'ecdh-sha2-nistp256': ['5.7,d2013.62', [TEXT_CURVES_WEAK]],
+ 'ecdh-sha2-nistp384': ['5.7,d2013.62', [TEXT_CURVES_WEAK]],
+ 'ecdh-sha2-nistp521': ['5.7,d2013.62', [TEXT_CURVES_WEAK]],
 'curve25519-sha256@libssh.org': ['6.5,d2013.62'],
 'kexguess2@matt.ucc.asn.au': ['d2013.57'],
 },
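Review bot: `TEXT_CURVES_WEAK` now sits in the second list slot of the three `ecdh-sha2-nistp*` entries, the slot that in the neighbouring entries holds `FAIL_`-prefixed reasons such as `FAIL_OPENSSH67_UNSAFE`, so the constant's name no longer tells a reader how the finding is reported. Renaming it to match its new role, e.g. `'ecdh-sha2-nistp256': ['5.7,d2013.62', [FAIL_CURVES_WEAK]],` with the definition renamed to suit, would keep severity readable from the table itself; the definition is outside this hunk. The same applies to the six `ecdsa-sha2-nistp*` entries in the next hunk. Because an entry's meaning depends entirely on list position, a comment above `KEX_DB` such as `# algorithm: [available-since versions, [failure reasons], [warning reasons]]` would also help, assuming that is what the three slots mean.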
@@ -175,16 +175,16 @@ KEX_DB = {
 'ssh-ed25519-cert-v01@openssh.com': ['6.5'],
 'ssh-rsa': ['2.5.0,d0.28'],
 'ssh-dss': ['2.1.0,d0.28', [FAIL_OPENSSH70_WEAK], [TEXT_MODULUS_SIZE, TEXT_RNDSIG_KEY]],
- 'ecdsa-sha2-nistp256': ['5.7,d2013.62', [], [TEXT_CURVES_WEAK, TEXT_RNDSIG_KEY]],
- 'ecdsa-sha2-nistp384': ['5.7,d2013.62', [], [TEXT_CURVES_WEAK, TEXT_RNDSIG_KEY]],
- 'ecdsa-sha2-nistp521': ['5.7,d2013.62', [], [TEXT_CURVES_WEAK, TEXT_RNDSIG_KEY]],
+ 'ecdsa-sha2-nistp256': ['5.7,d2013.62', [TEXT_CURVES_WEAK], [TEXT_RNDSIG_KEY]],
+ 'ecdsa-sha2-nistp384': ['5.7,d2013.62', [TEXT_CURVES_WEAK], [TEXT_RNDSIG_KEY]],
+ 'ecdsa-sha2-nistp521': ['5.7,d2013.62', [TEXT_CURVES_WEAK], [TEXT_RNDSIG_KEY]],
 'ssh-rsa-cert-v00@openssh.com': ['5.4', [], [WARN_OPENSSH70_LEGACY]],
 'ssh-dss-cert-v00@openssh.com': ['5.4', [FAIL_OPENSSH70_WEAK], [WARN_OPENSSH70_LEGACY, TEXT_MODULUS_SIZE, TEXT_RNDSIG_KEY]],
 'ssh-rsa-cert-v01@openssh.com': ['5.6'],
 'ssh-dss-cert-v01@openssh.com': ['5.6', [FAIL_OPENSSH70_WEAK], [TEXT_MODULUS_SIZE, TEXT_RNDSIG_KEY]],
- 'ecdsa-sha2-nistp256-cert-v01@openssh.com': ['5.7', [], [TEXT_CURVES_WEAK, TEXT_RNDSIG_KEY]],
- 'ecdsa-sha2-nistp384-cert-v01@openssh.com': ['5.7', [], [TEXT_CURVES_WEAK, TEXT_RNDSIG_KEY]],
- 'ecdsa-sha2-nistp521-cert-v01@openssh.com': ['5.7', [], [TEXT_CURVES_WEAK, TEXT_RNDSIG_KEY]],
+ 'ecdsa-sha2-nistp256-cert-v01@openssh.com': ['5.7', [TEXT_CURVES_WEAK], [TEXT_RNDSIG_KEY]],
+ 'ecdsa-sha2-nistp384-cert-v01@openssh.com': ['5.7', [TEXT_CURVES_WEAK], [TEXT_RNDSIG_KEY]],
+ 'ecdsa-sha2-nistp521-cert-v01@openssh.com': ['5.7', [TEXT_CURVES_WEAK], [TEXT_RNDSIG_KEY]],
 },
 'enc': {
 '3des-cbc': ['1.2.2,d0.28', [FAIL_OPENSSH67_UNSAFE]],
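Review bot: The six `ecdsa-sha2-nistp*` host-key entries promote the curve reason to a failure while `TEXT_RNDSIG_KEY` stays in the third slot, and nothing in the table records why the two findings are ranked that way. Assuming `TEXT_RNDSIG_KEY` flags signature schemes that depend on fresh randomness per signature, that is the more direct key-exposure risk for ECDSA, so someone triaging the audit output could misjudge which finding to act on first. A comment above the group would make the policy explicit, e.g. `# NIST curves: fail on curve choice; RNG-dependent signatures stay a warning`, worded to the rationale actually intended. The enclosing `KEX_DB` dict starts and ends outside this hunk.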