From d834074378f8c56935203eff8fb5db0ca33f2b0a Mon Sep 17 00:00:00 2001 From: Andris Raugulis Date: Mon, 7 Mar 2016 12:58:13 +0200 Subject: [PATCH] Use OpenSSH 7.2 banner. Add OpenSSH 7.2 warning messages. Fix OpenSSH 7.0 failure messages. Add forgotten failure on rijndael-cbc. Bump version. --- ssh-audit.py | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/ssh-audit.py b/ssh-audit.py index 358130d..f56f51c 100755 --- a/ssh-audit.py +++ b/ssh-audit.py @@ -26,13 +26,13 @@ from __future__ import print_function import os, io, sys, socket, struct -SSH_BANNER = 'SSH-2.0-OpenSSH_7.1' +SSH_BANNER = 'SSH-2.0-OpenSSH_7.2' SOCK_CONN_TIMEOUT = 3.0 SOCK_READ_TIMEOUT = 5.0 def usage(): p = os.path.basename(sys.argv[0]) - out.head('# {0} v1.0.20160105, moo@arthepsy.eu'.format(p)) + out.head('# {0} v1.0.20160207, moo@arthepsy.eu'.format(p)) out.info('\nusage: {} [-nv] host[:port]\n'.format(p)) out.info(' -v verbose') out.info(' -n disable colors' + os.linesep) @@ -141,8 +141,8 @@ def get_ssh_ver(versions): tv.append('OpenSSH {0}'.format(v)) return 'available since ' + ', '.join(tv).rstrip(', ') -WARN_OPENSSH72_LEGACY = 'removed (in client) since OpenSSH 7.2, legacy algorithm' -WARN_OPENSSH70_LEGACY = 'removed since OpenSSH 7.0, legacy algorithm' +WARN_OPENSSH72_LEGACY = 'disabled (in client) since OpenSSH 7.2, legacy algorithm' +FAIL_OPENSSH70_LEGACY = 'removed since OpenSSH 7.0, legacy algorithm' FAIL_OPENSSH70_WEAK = 'removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm' FAIL_OPENSSH70_LOGJAM = 'disabled (in client) since OpenSSH 7.0, logjam attack' INFO_OPENSSH69_CHACHA = 'default cipher since OpenSSH 6.9.' @@ -177,6 +177,8 @@ KEX_DB = { 'kexguess2@matt.ucc.asn.au': ['d2013.57'], }, 'key': { + 'rsa-sha2-256': ['7.2'], + 'rsa-sha2-512': ['7.2'], 'ssh-ed25519': ['6.5'], 'ssh-ed25519-cert-v01@openssh.com': ['6.5'], 'ssh-rsa': ['2.5.0,d0.28'], @@ -184,8 +186,8 @@ KEX_DB = { 'ecdsa-sha2-nistp256': ['5.7,d2013.62', [TEXT_CURVES_WEAK], [TEXT_RNDSIG_KEY]], 'ecdsa-sha2-nistp384': ['5.7,d2013.62', [TEXT_CURVES_WEAK], [TEXT_RNDSIG_KEY]], 'ecdsa-sha2-nistp521': ['5.7,d2013.62', [TEXT_CURVES_WEAK], [TEXT_RNDSIG_KEY]], - 'ssh-rsa-cert-v00@openssh.com': ['5.4', [], [WARN_OPENSSH70_LEGACY]], - 'ssh-dss-cert-v00@openssh.com': ['5.4', [FAIL_OPENSSH70_WEAK], [WARN_OPENSSH70_LEGACY, TEXT_MODULUS_SIZE, TEXT_RNDSIG_KEY]], + 'ssh-rsa-cert-v00@openssh.com': ['5.4', [FAIL_OPENSSH70_LEGACY], []], + 'ssh-dss-cert-v00@openssh.com': ['5.4', [FAIL_OPENSSH70_LEGACY], [TEXT_MODULUS_SIZE, TEXT_RNDSIG_KEY]], 'ssh-rsa-cert-v01@openssh.com': ['5.6'], 'ssh-dss-cert-v01@openssh.com': ['5.6', [FAIL_OPENSSH70_WEAK], [TEXT_MODULUS_SIZE, TEXT_RNDSIG_KEY]], 'ecdsa-sha2-nistp256-cert-v01@openssh.com': ['5.7', [TEXT_CURVES_WEAK], [TEXT_RNDSIG_KEY]], @@ -212,7 +214,7 @@ KEX_DB = { 'rijndael128-cbc': ['2.3.0', [FAIL_OPENSSH31_REMOVE], [TEXT_CIPHER_MODE]], 'rijndael192-cbc': ['2.3.0', [FAIL_OPENSSH31_REMOVE], [TEXT_CIPHER_MODE]], 'rijndael256-cbc': ['2.3.0', [FAIL_OPENSSH31_REMOVE], [TEXT_CIPHER_MODE]], - 'rijndael-cbc@lysator.liu.se': ['2.3.0', [], [WARN_OPENSSH72_LEGACY, TEXT_CIPHER_MODE]], + 'rijndael-cbc@lysator.liu.se': ['2.3.0', [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, TEXT_CIPHER_MODE]], 'aes128-ctr': ['3.7,d0.52'], 'aes192-ctr': ['3.7'], 'aes256-ctr': ['3.7,d0.52'], @@ -223,24 +225,24 @@ KEX_DB = { 'mac': { 'none': ['d2013.56', [FAIL_PLAINTEXT]], 'hmac-sha1': ['2.1.0,d0.28', [], [TEXT_ENCRYPT_AND_MAC, TEXT_HASH_WEAK]], - 'hmac-sha1-96': ['2.5.0,d0.47', [FAIL_OPENSSH67_UNSAFE], [TEXT_ENCRYPT_AND_MAC, TEXT_HASH_WEAK]], + 'hmac-sha1-96': ['2.5.0,d0.47', [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, TEXT_ENCRYPT_AND_MAC, TEXT_HASH_WEAK]], 'hmac-sha2-256': ['5.9,d2013.56', [], [TEXT_ENCRYPT_AND_MAC]], 'hmac-sha2-256-96': ['5.9', [FAIL_OPENSSH61_REMOVE], [TEXT_ENCRYPT_AND_MAC]], 'hmac-sha2-512': ['5.9,d2013.56', [], [TEXT_ENCRYPT_AND_MAC]], 'hmac-sha2-512-96': ['5.9', [FAIL_OPENSSH61_REMOVE], [TEXT_ENCRYPT_AND_MAC]], 'hmac-md5': ['2.1.0,d0.28', [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, TEXT_ENCRYPT_AND_MAC, TEXT_HASH_WEAK]], 'hmac-md5-96': ['2.5.0', [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, TEXT_ENCRYPT_AND_MAC, TEXT_HASH_WEAK]], - 'hmac-ripemd160': ['2.5.0', [FAIL_OPENSSH67_UNSAFE], [TEXT_ENCRYPT_AND_MAC]], - 'hmac-ripemd160@openssh.com': ['2.1.0', [FAIL_OPENSSH67_UNSAFE], [TEXT_ENCRYPT_AND_MAC]], + 'hmac-ripemd160': ['2.5.0', [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, TEXT_ENCRYPT_AND_MAC]], + 'hmac-ripemd160@openssh.com': ['2.1.0', [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, TEXT_ENCRYPT_AND_MAC]], 'umac-64@openssh.com': ['4.7', [], [TEXT_ENCRYPT_AND_MAC, TEXT_TAG_SIZE]], 'umac-128@openssh.com': ['6.2', [], [TEXT_ENCRYPT_AND_MAC]], - 'hmac-sha1-etm@openssh.com': ['6.2', [], [TEXT_HASH_WEAK]], + 'hmac-sha1-etm@openssh.com': ['6.2', [], [WARN_OPENSSH72_LEGACY, TEXT_HASH_WEAK]], 'hmac-sha1-96-etm@openssh.com': ['6.2', [FAIL_OPENSSH67_UNSAFE], [TEXT_HASH_WEAK]], 'hmac-sha2-256-etm@openssh.com': ['6.2'], 'hmac-sha2-512-etm@openssh.com': ['6.2'], 'hmac-md5-etm@openssh.com': ['6.2', [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, TEXT_HASH_WEAK]], 'hmac-md5-96-etm@openssh.com': ['6.2', [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY, TEXT_HASH_WEAK]], - 'hmac-ripemd160-etm@openssh.com': ['6.2', [FAIL_OPENSSH67_UNSAFE]], + 'hmac-ripemd160-etm@openssh.com': ['6.2', [FAIL_OPENSSH67_UNSAFE], [WARN_OPENSSH72_LEGACY]], 'umac-64-etm@openssh.com': ['6.2', [], [TEXT_TAG_SIZE]], 'umac-128-etm@openssh.com': ['6.2'], }