Git/ssh-audit
1
0
Fork 0
mirror of https://github.com/jtesta/ssh-audit.git synced 2025-10-31 05:25:28 +01:00
Code Issues Packages Projects Releases Wiki Activity

RSA key size comments duplicated for all RSA sig algs (#182)

Browse Source 
* RSA key size comments duplicated for all RSA sig algs

* Save results on completion of testing a hostkey

* Revised list names because they operates against all keys now not just rsa.

* ensure all required fields added for non-rsa keys

* Correction to the saving of comments against non-rsa keys
This commit is contained in:
thecliguy
2023-04-29 16:39:29 +01:00
committed by GitHub
parent c33e7d9b72
commit e172932977
1 changed files with 27 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
src/ssh_audit/hostkeytest.py
View File

@@ -102,6 +102,9 @@ class HostKeyTest:
# For each host key type... # For each host key type...
for host_key_type in host_key_types: for host_key_type in host_key_types:
key_fail_comments = []
key_warn_comments = []
# Skip those already handled (i.e.: those in the RSA family, as testing one tests them all). # Skip those already handled (i.e.: those in the RSA family, as testing one tests them all).
if 'parsed' in host_key_types[host_key_type] and host_key_types[host_key_type]['parsed']: if 'parsed' in host_key_types[host_key_type] and host_key_types[host_key_type]['parsed']:
continue continue
@@ -184,42 +187,46 @@ class HostKeyTest:
# Keys smaller than 2048 result in a failure. Keys smaller 3072 result in a warning. Update the database accordingly. # Keys smaller than 2048 result in a failure. Keys smaller 3072 result in a warning. Update the database accordingly.
if (cert is False) and (hostkey_modulus_size < hostkey_min_good): if (cert is False) and (hostkey_modulus_size < hostkey_min_good):
alg_list = SSH2_KexDB.ALGORITHMS['key'][host_key_type]
# Ensure that failure & warning lists exist.
while len(alg_list) < 3:
alg_list.append([])
# If the key is under 2048, add to the failure list. # If the key is under 2048, add to the failure list.
if hostkey_modulus_size < hostkey_min_warn: if hostkey_modulus_size < hostkey_min_warn:
alg_list[1].append('using small %d-bit modulus' % hostkey_modulus_size) key_fail_comments.append('using small %d-bit modulus' % hostkey_modulus_size)
elif hostkey_warn_str not in alg_list[2]: # Issue a warning about 2048-bit moduli. elif hostkey_warn_str not in key_warn_comments: # Issue a warning about 2048-bit moduli.
alg_list[2].append(hostkey_warn_str) key_warn_comments.append(hostkey_warn_str)
elif (cert is True) and ((hostkey_modulus_size < hostkey_min_good) or (0 < ca_modulus_size < cakey_min_good)): elif (cert is True) and ((hostkey_modulus_size < hostkey_min_good) or (0 < ca_modulus_size < cakey_min_good)):
alg_list = SSH2_KexDB.ALGORITHMS['key'][host_key_type]
# Ensure that failure & warning lists exist.
while len(alg_list) < 3:
alg_list.append([])
# If the host key is smaller than 2048-bit/224-bit, flag this as a failure. # If the host key is smaller than 2048-bit/224-bit, flag this as a failure.
if hostkey_modulus_size < hostkey_min_warn: if hostkey_modulus_size < hostkey_min_warn:
alg_list[1].append('using small %d-bit hostkey modulus' % hostkey_modulus_size) key_fail_comments.append('using small %d-bit hostkey modulus' % hostkey_modulus_size)
# Otherwise, this is just a warning. # Otherwise, this is just a warning.
elif (hostkey_modulus_size < hostkey_min_good) and (hostkey_warn_str not in alg_list[2]): elif (hostkey_modulus_size < hostkey_min_good) and (hostkey_warn_str not in key_warn_comments):
alg_list[2].append(hostkey_warn_str) key_warn_comments.append(hostkey_warn_str)
# If the CA key is smaller than 2048-bit/224-bit, flag this as a failure. # If the CA key is smaller than 2048-bit/224-bit, flag this as a failure.
if 0 < ca_modulus_size < cakey_min_warn: if 0 < ca_modulus_size < cakey_min_warn:
alg_list[1].append('using small %d-bit CA key modulus' % ca_modulus_size) key_fail_comments.append('using small %d-bit CA key modulus' % ca_modulus_size)
# Otherwise, this is just a warning. # Otherwise, this is just a warning.
elif (0 < ca_modulus_size < cakey_min_good) and (cakey_warn_str not in alg_list[2]): elif (0 < ca_modulus_size < cakey_min_good) and (cakey_warn_str not in key_warn_comments):
alg_list[2].append(cakey_warn_str) key_warn_comments.append(cakey_warn_str)
# If this host key type is in the RSA family, then mark them all as parsed (since results in one are valid for them all). # If this host key type is in the RSA family, then mark them all as parsed (since results in one are valid for them all).
if host_key_type in HostKeyTest.RSA_FAMILY: if host_key_type in HostKeyTest.RSA_FAMILY:
for rsa_type in HostKeyTest.RSA_FAMILY: for rsa_type in HostKeyTest.RSA_FAMILY:
host_key_types[rsa_type]['parsed'] = True host_key_types[rsa_type]['parsed'] = True
# If the current key is a member of the RSA family, then populate all RSA family members with the same
# failure and/or warning comments.
while len(SSH2_KexDB.ALGORITHMS['key'][rsa_type]) < 3:
SSH2_KexDB.ALGORITHMS['key'][rsa_type].append([])
if key_fail_comments:
SSH2_KexDB.ALGORITHMS['key'][rsa_type][1].extend(key_fail_comments)
if key_warn_comments:
SSH2_KexDB.ALGORITHMS['key'][rsa_type][2].extend(key_warn_comments)
else: else:
host_key_types[host_key_type]['parsed'] = True host_key_types[host_key_type]['parsed'] = True
while len(SSH2_KexDB.ALGORITHMS['key'][host_key_type]) < 3:
SSH2_KexDB.ALGORITHMS['key'][host_key_type].append([])
if key_fail_comments:
SSH2_KexDB.ALGORITHMS['key'][host_key_type][1].extend(key_fail_comments)
if key_warn_comments:
SSH2_KexDB.ALGORITHMS['key'][host_key_type][2].extend(key_warn_comments)