Git
/
ssh-audit
mirror of https://github.com/jtesta/ssh-audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
629 Commits 1 Branch 15 Tags 4.4 MiB
Commit Graph

149 Commits

Author SHA1 Message Date
Joe Testa 46ec4e3edc Added built-in policies for Ubuntu 24.04 LTS server and client. 2024-04-29 19:11:47 -04:00
Joe Testa d19b154a46 Bumped version to v3.3.0-dev. 2024-04-22 17:57:26 -04:00
Joe Testa 68cf05d0ff Set version to 3.2.0 for release. 2024-04-22 16:32:57 -04:00
Joe Testa 2d9ddabcad Updated DHEat rate connection warning message. 2024-04-22 16:26:03 -04:00
Joe Testa 986f83653d Added multi-line real-time output for connection rate testing. 2024-04-22 13:56:50 -04:00
Joe Testa 3c459f1428 Revised connection rate warning during standard audits. 2024-04-22 11:58:52 -04:00
Joe Testa 46b89fff2e Sockets now time out after 30 seconds during connection rate testing. 2024-04-21 17:05:57 -04:00
Joe Testa 81718d1948 Fixed non-interactive connection rate tests. Revised warning for lack of connection throttling. 2024-04-21 15:08:38 -04:00
Joe Testa 8124c8e443 Added aes128-ocb@libassh.org cipher. 2024-04-18 21:09:02 -04:00
Joe Testa b9f569fdf8 Added warnings for Windows platform. 2024-04-18 20:51:14 -04:00
Joe Testa 9126ae7d9c Improved DHEat statistics output. 2024-04-18 20:01:28 -04:00
Joe Testa 8190fe59d0 Added implementation for DHEat denial-of-service attack (CVE-2002-20001). (#211, #217) 2024-04-18 13:58:13 -04:00
Joe Testa d7f8bf3e6d Updated notes on OpenSSH default key exchanges. (#258) 2024-03-19 18:24:22 -04:00
Joe Testa 3d403b1d70 Updated availability of algorithms in Dropbear. (#257) 2024-03-19 15:47:09 -04:00
Joe Testa 9fae870260 Added allow_larger_keys flag to custom policies to control whether targets can have larger keys, and added Docker tests to complete work started in PR #242. 2024-03-19 14:45:19 -04:00
Damian Szuberski 20873db596
use less-than instead of not-equal when comparing key sizes (#242) 
When evaluating policy compliance, use less-than operator so keys bigger
than expected (and hence very often better) don't fail policy
evaulation. This change reduces the amount of false-positives and allows
for more flexibility when hardening SSH installations.

Signed-off-by: szubersk <szuberskidamian@gmail.com>
 2024-03-19 14:38:27 -04:00
Joe Testa 3c31934ac7 Added tests and other cleanups resulting from merging PR #252. 2024-03-18 17:48:50 -04:00
yannik1015 5bd925ffc6
[WIP] Adding allowed algorithms (#252) 
* Added allowed policy fields

Added allowed fields for host keys kex ciphers and macs

* Adapted policy.py to newest dev version

* Added allow_algorithm_subset_and_reordering flag

* Removed allowed policy entries as they are redundant now

* Fixed call to append_error
 2024-03-18 17:41:17 -04:00
Joe Testa 7b3402b207 Added note that sntrup761x25519-sha512@openssh.com is the default OpenSSH kex since version 9.0. 2024-03-15 17:24:21 -04:00
Joe Testa b70fb0bc4c Added built-in policies for Amazon Linux 2023, Debian 12, and Rocky Linux 9. 2024-03-15 16:24:36 -04:00
Joe Testa db5104ecb8 Built-in policy change logs no longer printed within quotes. 2024-03-14 18:13:53 -04:00
Joe Testa 15078aaea9 Built-in policies now include a change log. 2024-03-14 17:58:16 -04:00
Joe Testa f0874af4cd Split built-in policies from policy.py to builtin_policies.py. 2024-03-14 17:24:40 -04:00
Joe Testa 064b55e0c2 Added 1 new key exchange algorithm: gss-nistp384-sha384-* 2024-03-14 16:01:48 -04:00
Joe Testa cb0f6b63d7 Fixed new pylint warnings. 2024-03-12 20:46:39 -04:00
Joe Testa 3313046714 Added built-in policy for OpenSSH 9.7. 2024-03-12 20:23:55 -04:00
Joe Testa 699739d42a Gracefully handle rare exceptions (i.e.: crashes) while performing GEX tests. 2024-02-17 13:44:06 -05:00
Joe Testa 20fbb706b0 The built-in man page (, ) is now available on Docker, PyPI, and Snap builds, in addition to the Windows build. (#231) 2024-02-16 22:40:53 -05:00
Joe Testa 73b669b49d Fixed parsing of ecdsa-sha2-nistp* CA signatures on host keys. Additionally, they are now flagged as potentially back-doored, just as standard host keys are. (#239) 2024-02-16 21:58:51 -05:00
Joe Testa f326d58068 Disable color when the NO_COLOR environment variable is set. (#234) 2024-01-28 18:17:49 -05:00
Joe Testa b72f6a420f Added note regarding general OpenSSH policies failing against platforms with back-ported features. (#236) 2024-01-28 17:37:21 -05:00
Joe Testa 44393c56b3 Expanded filter of CBC ciphers to flag for the Terrapin vulnerability. 2023-12-21 15:30:43 -05:00
Ville Skyttä 164356e776
Spelling fixes (#233) 2023-12-21 08:58:12 -05:00
Joe Testa c8e075ad13 Bumped version number to v3.2.0-dev. 2023-12-20 15:41:03 -05:00
Joe Testa dd91c2a41a Bumped version to 3.1.0 in preparation for stable release. Updated Change Log in README. 2023-12-20 13:12:13 -05:00
Joe Testa bef8c6c0f7 Updated notes on fixing Terrapin vulnerability. 2023-12-20 12:11:55 -05:00
Joe Testa 75dbc03a77 Added 'additional_notes' field to JSON output. 2023-12-19 18:03:07 -05:00
Joe Testa c9412cbb88 Added built-in policies for OpenSSH 9.5 and 9.6. 2023-12-19 17:42:43 -05:00
Joe Testa a0f99942a2 Don't recommend enabling the chacha & CBC ciphers, nor ETM MACs in case the user disabled them to address the Terrapin vulnerability. (#229) 2023-12-19 17:16:58 -05:00
Joe Testa c259a83782 Added note that when a target is properly configured against the Terrapin vulnerability that unpatched peers may still create vulnerable connections. Updated Ubuntu Server & Client 20.04 & 22.04 policies to include new key exchange markers related to Terrapin counter-measures. 2023-12-19 14:03:28 -05:00
Joe Testa 8e972c5e94 Added test for the Terrapin vulnerability (CVE-2023-48795) (#227). 2023-12-18 18:24:49 -05:00
Joe Testa ba8e8a7e68 Re-organized option host key types for OpenSSH 9.2 to correspond with updated Debian 12 hardening guide. 2023-11-27 21:33:13 -05:00
Joe Testa bad2c9cd8e In Ubuntu 22.04 client policy, moved host key types and to the end of all certificate types. 2023-11-27 20:07:36 -05:00
Joe Testa 69e1e121fd In server policies, reduced expected DH modulus sizes from 4096 to 3072 to match online hardening guides. 2023-11-27 19:15:18 -05:00
Joe Testa 02ab487232 Bumped version to v3.1.0-dev. 2023-09-07 08:57:59 -04:00
Joe Testa f517e03d9f Bumped version to v3.0.0. 2023-09-07 07:45:07 -04:00
Joe Testa e26597a7aa Marked all NIST K-, B-, and T-curves as unproven since they are so rarely used. Added 12 new host keys: 'ecdsa-sha2-curve25519', 'ecdsa-sha2-nistb233', 'ecdsa-sha2-nistb409', 'ecdsa-sha2-nistk163', 'ecdsa-sha2-nistk233', 'ecdsa-sha2-nistk283', 'ecdsa-sha2-nistk409', 'ecdsa-sha2-nistp224', 'ecdsa-sha2-nistp192', 'ecdsa-sha2-nistt571', 'ssh-dsa', 'x509v3-sign-rsa-sha256'. Added 15 key exchanges: 'curve448-sha512@libssh.org', 'ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org', 'ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org', 'ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org', 'ecdh-sha2-brainpoolp256r1@genua.de', 'ecdh-sha2-brainpoolp384r1@genua.de', 'ecdh-sha2-brainpoolp521r1@genua.de', 'kexAlgoDH14SHA1', 'kexAlgoDH1SHA1', 'kexAlgoECDH256', 'kexAlgoECDH384', 'kexAlgoECDH521', 'sm2kep-sha2-nistp256', 'x25519-kyber-512r3-sha256-d00@amazon.com', 'x25519-kyber512-sha512@aws.amazon.com'. Added 8 new ciphers: 'aes192-gcm@openssh.com', 'cast128-12-cbc', 'cast128-12-cfb', 'cast128-12-ecb', 'cast128-12-ofb', 'des-cfb', 'des-ecb', 'des-ofb'. Added 14 new MACs: 'cbcmac-3des', 'cbcmac-aes', 'cbcmac-blowfish', 'cbcmac-des', 'cbcmac-rijndael', 'cbcmac-twofish', 'hmac-sha256-96', 'md5', 'md5-8', 'ripemd160', 'ripemd160-8', 'sha1', 'sha1-8', 'umac-128'. 2023-09-05 20:10:37 -04:00
Joe Testa f8e29674a3 Refined JSON notes output. Fixed Docker & Tox tests. 2023-09-05 16:36:54 -04:00
Bareq d3dd5a9cac
Improved JSON output (#185) 2023-09-05 16:16:23 -04:00
Joe Testa 884ef645f8 Prioritized certificate host key types for Ubuntu 22.04 client policy. (#193) 2023-09-05 14:01:51 -04:00