Add warnings for Kex and Ciphers.
This commit is contained in:
parent
3b4d96e885
commit
e8fd13e2d8
38
ssh-audit.py
38
ssh-audit.py
@ -152,15 +152,21 @@ FAIL_OPENSSH31_REMOVE = 'removed since OpenSSH 3.1'
|
|||||||
FAIL_DBEAR67_DISABLED = 'disabled since Dropbear SSH 2015.67'
|
FAIL_DBEAR67_DISABLED = 'disabled since Dropbear SSH 2015.67'
|
||||||
FAIL_DBEAR53_DISABLED = 'disabled since Dropbear SSH 0.53'
|
FAIL_DBEAR53_DISABLED = 'disabled since Dropbear SSH 0.53'
|
||||||
|
|
||||||
|
TEXT_CURVES_WEAK = 'using weak elliptic curves'
|
||||||
|
TEXT_RNDSIG_KEY = 'using weak random number generator could reveal the key'
|
||||||
|
TEXT_MODULUS_SIZE = 'using modulus with small (1024) bit size'
|
||||||
|
TEXT_MODULUS_CUSTOM = 'using modulus with custom (possibly weak) bit sizes'
|
||||||
|
TEXT_HASH_WEAK = 'using weak hashing algorithm'
|
||||||
|
|
||||||
KEX_DB = {
|
KEX_DB = {
|
||||||
'kex': {
|
'kex': {
|
||||||
'diffie-hellman-group1-sha1': ['2.3.0,d0.28', [FAIL_OPENSSH67_UNSAFE, FAIL_OPENSSH70_LOGJAM]],
|
'diffie-hellman-group1-sha1': ['2.3.0,d0.28', [FAIL_OPENSSH67_UNSAFE, FAIL_OPENSSH70_LOGJAM], [TEXT_MODULUS_SIZE, TEXT_HASH_WEAK]],
|
||||||
'diffie-hellman-group14-sha1': ['3.9,d0.53'],
|
'diffie-hellman-group14-sha1': ['3.9,d0.53', [], [TEXT_HASH_WEAK]],
|
||||||
'diffie-hellman-group-exchange-sha1': ['2.3.0', [FAIL_OPENSSH67_UNSAFE]],
|
'diffie-hellman-group-exchange-sha1': ['2.3.0', [FAIL_OPENSSH67_UNSAFE], [TEXT_HASH_WEAK]],
|
||||||
'diffie-hellman-group-exchange-sha256': ['4.4'],
|
'diffie-hellman-group-exchange-sha256': ['4.4', [], [TEXT_MODULUS_CUSTOM]],
|
||||||
'ecdh-sha2-nistp256': ['5.7,d2013.62'],
|
'ecdh-sha2-nistp256': ['5.7,d2013.62', [], [TEXT_CURVES_WEAK]],
|
||||||
'ecdh-sha2-nistp384': ['5.7,d2013.62'],
|
'ecdh-sha2-nistp384': ['5.7,d2013.62', [], [TEXT_CURVES_WEAK]],
|
||||||
'ecdh-sha2-nistp521': ['5.7,d2013.62'],
|
'ecdh-sha2-nistp521': ['5.7,d2013.62', [], [TEXT_CURVES_WEAK]],
|
||||||
'curve25519-sha256@libssh.org': ['6.5,d2013.62'],
|
'curve25519-sha256@libssh.org': ['6.5,d2013.62'],
|
||||||
'kexguess2@matt.ucc.asn.au': ['d2013.57'],
|
'kexguess2@matt.ucc.asn.au': ['d2013.57'],
|
||||||
},
|
},
|
||||||
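Review bot: The third element the commit adds to each KEX_DB entry is positional and optional — entries in this hunk now have one, two or three elements (`'curve25519-sha256@libssh.org': ['6.5,d2013.62']`, `'diffie-hellman-group14-sha1': ['3.9,d0.53', [], [TEXT_HASH_WEAK]]`) — yet nothing next to `KEX_DB = {` says what each slot holds, so any consumer has to infer the layout and guard on length. I would put a comment directly above the dict: `# entry layout: [versions, fail_reasons, warn_reasons]; trailing lists may be omitted, so readers must length-check before indexing`. The same slot mixes the existing WARN_* constants with the new TEXT_* ones (see `ssh-dss-cert-v00@openssh.com` in the following hunk, which lists both), and the prefixes alone do not tell a maintainer whether they differ in severity, so the comment should also state what distinguishes a TEXT_* reason from a WARN_* one. The `KEX_DB` definition continues past this hunk into the next one and, given the commit title, presumably into the 'enc' section outside what is shown here.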
@ -168,17 +174,17 @@ KEX_DB = {
|
|||||||
'ssh-ed25519': ['6.5'],
|
'ssh-ed25519': ['6.5'],
|
||||||
'ssh-ed25519-cert-v01@openssh.com': ['6.5'],
|
'ssh-ed25519-cert-v01@openssh.com': ['6.5'],
|
||||||
'ssh-rsa': ['2.5.0,d0.28'],
|
'ssh-rsa': ['2.5.0,d0.28'],
|
||||||
'ssh-dss': ['2.1.0,d0.28', [FAIL_OPENSSH70_WEAK]],
|
'ssh-dss': ['2.1.0,d0.28', [FAIL_OPENSSH70_WEAK], [TEXT_MODULUS_SIZE, TEXT_RNDSIG_KEY]],
|
||||||
'ecdsa-sha2-nistp256': ['5.7,d2013.62'],
|
'ecdsa-sha2-nistp256': ['5.7,d2013.62', [], [TEXT_CURVES_WEAK, TEXT_RNDSIG_KEY]],
|
||||||
'ecdsa-sha2-nistp384': ['5.7,d2013.62'],
|
'ecdsa-sha2-nistp384': ['5.7,d2013.62', [], [TEXT_CURVES_WEAK, TEXT_RNDSIG_KEY]],
|
||||||
'ecdsa-sha2-nistp521': ['5.7,d2013.62'],
|
'ecdsa-sha2-nistp521': ['5.7,d2013.62', [], [TEXT_CURVES_WEAK, TEXT_RNDSIG_KEY]],
|
||||||
'ssh-rsa-cert-v00@openssh.com': ['5.4', [], [WARN_OPENSSH70_LEGACY]],
|
'ssh-rsa-cert-v00@openssh.com': ['5.4', [], [WARN_OPENSSH70_LEGACY]],
|
||||||
'ssh-dss-cert-v00@openssh.com': ['5.4', [FAIL_OPENSSH70_WEAK], [WARN_OPENSSH70_LEGACY]],
|
'ssh-dss-cert-v00@openssh.com': ['5.4', [FAIL_OPENSSH70_WEAK], [WARN_OPENSSH70_LEGACY, TEXT_MODULUS_SIZE, TEXT_RNDSIG_KEY]],
|
||||||
'ssh-rsa-cert-v01@openssh.com': ['5.6'],
|
'ssh-rsa-cert-v01@openssh.com': ['5.6'],
|
||||||
'ssh-dss-cert-v01@openssh.com': ['5.6', [FAIL_OPENSSH70_WEAK]],
|
'ssh-dss-cert-v01@openssh.com': ['5.6', [FAIL_OPENSSH70_WEAK], [TEXT_MODULUS_SIZE, TEXT_RNDSIG_KEY]],
|
||||||
'ecdsa-sha2-nistp256-cert-v01@openssh.com': ['5.7'],
|
'ecdsa-sha2-nistp256-cert-v01@openssh.com': ['5.7', [], [TEXT_CURVES_WEAK, TEXT_RNDSIG_KEY]],
|
||||||
'ecdsa-sha2-nistp384-cert-v01@openssh.com': ['5.7'],
|
'ecdsa-sha2-nistp384-cert-v01@openssh.com': ['5.7', [], [TEXT_CURVES_WEAK, TEXT_RNDSIG_KEY]],
|
||||||
'ecdsa-sha2-nistp521-cert-v01@openssh.com': ['5.7'],
|
'ecdsa-sha2-nistp521-cert-v01@openssh.com': ['5.7', [], [TEXT_CURVES_WEAK, TEXT_RNDSIG_KEY]],
|
||||||
},
|
},
|
||||||
'enc': {
|
'enc': {
|
||||||
'3des-cbc': ['1.2.2,d0.28', [FAIL_OPENSSH67_UNSAFE]],
|
'3des-cbc': ['1.2.2,d0.28', [FAIL_OPENSSH67_UNSAFE]],
|
||||||
|