mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-11-22 02:21:40 +01:00
Updated notes on OpenSSH default key exchanges. (#258)
This commit is contained in:
parent
3d403b1d70
commit
d7f8bf3e6d
@ -62,7 +62,8 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods
|
|||||||
WARN_TAG_SIZE_96 = 'using small 96-bit tag size'
|
WARN_TAG_SIZE_96 = 'using small 96-bit tag size'
|
||||||
|
|
||||||
INFO_DEFAULT_OPENSSH_CIPHER = 'default cipher since OpenSSH 6.9'
|
INFO_DEFAULT_OPENSSH_CIPHER = 'default cipher since OpenSSH 6.9'
|
||||||
INFO_DEFAULT_OPENSSH_KEX_64_TO_89 = 'default key exchange from OpenSSH 6.4 to 8.9'
|
INFO_DEFAULT_OPENSSH_KEX_65_TO_73 = 'default key exchange from OpenSSH 6.5 to 7.3'
|
||||||
|
INFO_DEFAULT_OPENSSH_KEX_74_TO_89 = 'default key exchange from OpenSSH 7.4 to 8.9'
|
||||||
INFO_DEFAULT_OPENSSH_KEX_90 = 'default key exchange since OpenSSH 9.0'
|
INFO_DEFAULT_OPENSSH_KEX_90 = 'default key exchange since OpenSSH 9.0'
|
||||||
INFO_DEPRECATED_IN_OPENSSH88 = 'deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8'
|
INFO_DEPRECATED_IN_OPENSSH88 = 'deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8'
|
||||||
INFO_DISABLED_IN_DBEAR67 = 'disabled in Dropbear SSH 2015.67'
|
INFO_DISABLED_IN_DBEAR67 = 'disabled in Dropbear SSH 2015.67'
|
||||||
@ -82,8 +83,8 @@ class SSH2_KexDB: # pylint: disable=too-few-public-methods
|
|||||||
# Format: 'algorithm_name': [['version_first_appeared_in'], [reason_for_failure1, reason_for_failure2, ...], [warning1, warning2, ...], [info1, info2, ...]]
|
# Format: 'algorithm_name': [['version_first_appeared_in'], [reason_for_failure1, reason_for_failure2, ...], [warning1, warning2, ...], [info1, info2, ...]]
|
||||||
'kex': {
|
'kex': {
|
||||||
'Curve25519SHA256': [[]],
|
'Curve25519SHA256': [[]],
|
||||||
'curve25519-sha256': [['7.4,d2018.76'], [], [], [INFO_DEFAULT_OPENSSH_KEX_64_TO_89]],
|
'curve25519-sha256': [['7.4,d2018.76'], [], [], [INFO_DEFAULT_OPENSSH_KEX_74_TO_89]],
|
||||||
'curve25519-sha256@libssh.org': [['6.4,d2013.62,l10.6.0'], [], [], [INFO_DEFAULT_OPENSSH_KEX_64_TO_89]],
|
'curve25519-sha256@libssh.org': [['6.4,d2013.62,l10.6.0'], [], [], [INFO_DEFAULT_OPENSSH_KEX_65_TO_73]],
|
||||||
'curve448-sha512': [[]],
|
'curve448-sha512': [[]],
|
||||||
'curve448-sha512@libssh.org': [[]],
|
'curve448-sha512@libssh.org': [[]],
|
||||||
'diffie-hellman-group14-sha1': [['3.9,d0.53,l10.6.0'], [FAIL_SHA1], [WARN_2048BIT_MODULUS]],
|
'diffie-hellman-group14-sha1': [['3.9,d0.53,l10.6.0'], [FAIL_SHA1], [WARN_2048BIT_MODULUS]],
|
||||||
|
@ -96,7 +96,7 @@
|
|||||||
"algorithm": "curve25519-sha256",
|
"algorithm": "curve25519-sha256",
|
||||||
"notes": {
|
"notes": {
|
||||||
"info": [
|
"info": [
|
||||||
"default key exchange from OpenSSH 6.4 to 8.9",
|
"default key exchange from OpenSSH 7.4 to 8.9",
|
||||||
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
|
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
@ -105,7 +105,7 @@
|
|||||||
"algorithm": "curve25519-sha256@libssh.org",
|
"algorithm": "curve25519-sha256@libssh.org",
|
||||||
"notes": {
|
"notes": {
|
||||||
"info": [
|
"info": [
|
||||||
"default key exchange from OpenSSH 6.4 to 8.9",
|
"default key exchange from OpenSSH 6.5 to 7.3",
|
||||||
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
|
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
@ -6,9 +6,9 @@
|
|||||||
|
|
||||||
[0;36m# key exchange algorithms[0m
|
[0;36m# key exchange algorithms[0m
|
||||||
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
||||||
[0;32m `- [info] default key exchange from OpenSSH 6.4 to 8.9[0m
|
[0;32m `- [info] default key exchange from OpenSSH 7.4 to 8.9[0m
|
||||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
||||||
[0;32m `- [info] default key exchange from OpenSSH 6.4 to 8.9[0m
|
[0;32m `- [info] default key exchange from OpenSSH 6.5 to 7.3[0m
|
||||||
[0;31m(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
[0;31m(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||||
[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||||
|
@ -115,7 +115,7 @@
|
|||||||
"algorithm": "curve25519-sha256",
|
"algorithm": "curve25519-sha256",
|
||||||
"notes": {
|
"notes": {
|
||||||
"info": [
|
"info": [
|
||||||
"default key exchange from OpenSSH 6.4 to 8.9",
|
"default key exchange from OpenSSH 7.4 to 8.9",
|
||||||
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
|
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
@ -124,7 +124,7 @@
|
|||||||
"algorithm": "curve25519-sha256@libssh.org",
|
"algorithm": "curve25519-sha256@libssh.org",
|
||||||
"notes": {
|
"notes": {
|
||||||
"info": [
|
"info": [
|
||||||
"default key exchange from OpenSSH 6.4 to 8.9",
|
"default key exchange from OpenSSH 6.5 to 7.3",
|
||||||
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
|
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
@ -12,9 +12,9 @@
|
|||||||
|
|
||||||
[0;36m# key exchange algorithms[0m
|
[0;36m# key exchange algorithms[0m
|
||||||
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
||||||
[0;32m `- [info] default key exchange from OpenSSH 6.4 to 8.9[0m
|
[0;32m `- [info] default key exchange from OpenSSH 7.4 to 8.9[0m
|
||||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
||||||
[0;32m `- [info] default key exchange from OpenSSH 6.4 to 8.9[0m
|
[0;32m `- [info] default key exchange from OpenSSH 6.5 to 7.3[0m
|
||||||
[0;31m(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
[0;31m(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||||
[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||||
|
@ -105,7 +105,7 @@
|
|||||||
"algorithm": "curve25519-sha256",
|
"algorithm": "curve25519-sha256",
|
||||||
"notes": {
|
"notes": {
|
||||||
"info": [
|
"info": [
|
||||||
"default key exchange from OpenSSH 6.4 to 8.9",
|
"default key exchange from OpenSSH 7.4 to 8.9",
|
||||||
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
|
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
@ -114,7 +114,7 @@
|
|||||||
"algorithm": "curve25519-sha256@libssh.org",
|
"algorithm": "curve25519-sha256@libssh.org",
|
||||||
"notes": {
|
"notes": {
|
||||||
"info": [
|
"info": [
|
||||||
"default key exchange from OpenSSH 6.4 to 8.9",
|
"default key exchange from OpenSSH 6.5 to 7.3",
|
||||||
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
|
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
@ -12,9 +12,9 @@
|
|||||||
|
|
||||||
[0;36m# key exchange algorithms[0m
|
[0;36m# key exchange algorithms[0m
|
||||||
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
||||||
[0;32m `- [info] default key exchange from OpenSSH 6.4 to 8.9[0m
|
[0;32m `- [info] default key exchange from OpenSSH 7.4 to 8.9[0m
|
||||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
||||||
[0;32m `- [info] default key exchange from OpenSSH 6.4 to 8.9[0m
|
[0;32m `- [info] default key exchange from OpenSSH 6.5 to 7.3[0m
|
||||||
[0;31m(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
[0;31m(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
|
||||||
[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
|
||||||
|
@ -105,7 +105,7 @@
|
|||||||
"algorithm": "curve25519-sha256",
|
"algorithm": "curve25519-sha256",
|
||||||
"notes": {
|
"notes": {
|
||||||
"info": [
|
"info": [
|
||||||
"default key exchange from OpenSSH 6.4 to 8.9",
|
"default key exchange from OpenSSH 7.4 to 8.9",
|
||||||
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
|
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
@ -114,7 +114,7 @@
|
|||||||
"algorithm": "curve25519-sha256@libssh.org",
|
"algorithm": "curve25519-sha256@libssh.org",
|
||||||
"notes": {
|
"notes": {
|
||||||
"info": [
|
"info": [
|
||||||
"default key exchange from OpenSSH 6.4 to 8.9",
|
"default key exchange from OpenSSH 6.5 to 7.3",
|
||||||
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
|
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
@ -12,9 +12,9 @@
|
|||||||
|
|
||||||
[0;36m# key exchange algorithms[0m
|
[0;36m# key exchange algorithms[0m
|
||||||
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
||||||
[0;32m `- [info] default key exchange from OpenSSH 6.4 to 8.9[0m
|
[0;32m `- [info] default key exchange from OpenSSH 7.4 to 8.9[0m
|
||||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
||||||
[0;32m `- [info] default key exchange from OpenSSH 6.4 to 8.9[0m
|
[0;32m `- [info] default key exchange from OpenSSH 6.5 to 7.3[0m
|
||||||
[0;32m(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4[0m
|
[0;32m(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4[0m
|
||||||
[0;32m `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).[0m
|
[0;32m `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).[0m
|
||||||
|
|
||||||
|
@ -43,7 +43,7 @@
|
|||||||
"algorithm": "curve25519-sha256",
|
"algorithm": "curve25519-sha256",
|
||||||
"notes": {
|
"notes": {
|
||||||
"info": [
|
"info": [
|
||||||
"default key exchange from OpenSSH 6.4 to 8.9",
|
"default key exchange from OpenSSH 7.4 to 8.9",
|
||||||
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
|
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
@ -52,7 +52,7 @@
|
|||||||
"algorithm": "curve25519-sha256@libssh.org",
|
"algorithm": "curve25519-sha256@libssh.org",
|
||||||
"notes": {
|
"notes": {
|
||||||
"info": [
|
"info": [
|
||||||
"default key exchange from OpenSSH 6.4 to 8.9",
|
"default key exchange from OpenSSH 6.5 to 7.3",
|
||||||
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
|
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
@ -5,9 +5,9 @@
|
|||||||
|
|
||||||
[0;36m# key exchange algorithms[0m
|
[0;36m# key exchange algorithms[0m
|
||||||
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m
|
||||||
[0;32m `- [info] default key exchange from OpenSSH 6.4 to 8.9[0m
|
[0;32m `- [info] default key exchange from OpenSSH 7.4 to 8.9[0m
|
||||||
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m
|
||||||
[0;32m `- [info] default key exchange from OpenSSH 6.4 to 8.9[0m
|
[0;32m `- [info] default key exchange from OpenSSH 6.5 to 7.3[0m
|
||||||
[0;33m(kex) sntrup4591761x25519-sha512@tinyssh.org -- [warn] using experimental algorithm[0m
|
[0;33m(kex) sntrup4591761x25519-sha512@tinyssh.org -- [warn] using experimental algorithm[0m
|
||||||
`- [info] available since OpenSSH 8.0
|
`- [info] available since OpenSSH 8.0
|
||||||
`- [info] the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security
|
`- [info] the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security
|
||||||
|
Loading…
Reference in New Issue
Block a user