Git
/
ssh-audit
mirror of https://github.com/jtesta/ssh-audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
629 Commits 1 Branch 15 Tags 4.4 MiB
Commit Graph

629 Commits

Author SHA1 Message Date
Joe Testa a0f99942a2 Don't recommend enabling the chacha & CBC ciphers, nor ETM MACs in case the user disabled them to address the Terrapin vulnerability. (#229) 2023-12-19 17:16:58 -05:00
Joe Testa c259a83782 Added note that when a target is properly configured against the Terrapin vulnerability that unpatched peers may still create vulnerable connections. Updated Ubuntu Server & Client 20.04 & 22.04 policies to include new key exchange markers related to Terrapin counter-measures. 2023-12-19 14:03:28 -05:00
Joe Testa 8e972c5e94 Added test for the Terrapin vulnerability (CVE-2023-48795) (#227). 2023-12-18 18:24:49 -05:00
Joe Testa 46eb970376 Removed Python 3.7 from Github Actions testing. 2023-11-27 23:39:48 -05:00
Joe Testa 965bcb6b18 Dropped support for Python 3.7. 2023-11-27 23:35:40 -05:00
Joe Testa ba8e8a7e68 Re-organized option host key types for OpenSSH 9.2 to correspond with updated Debian 12 hardening guide. 2023-11-27 21:33:13 -05:00
Joe Testa bad2c9cd8e In Ubuntu 22.04 client policy, moved host key types and to the end of all certificate types. 2023-11-27 20:07:36 -05:00
Joe Testa 69e1e121fd In server policies, reduced expected DH modulus sizes from 4096 to 3072 to match online hardening guides. 2023-11-27 19:15:18 -05:00
Oleksii 848052df68
Add cleanup for apt cache files (#215) 
* Add cleanup for apt cache files

Adding this command decreases the size of the image.

ssh-audit-new                                           latest                 0c391ba567ee   39 minutes ago   157MB
ssh-audit-old                                           latest                 a425e0043125   40 minutes ago   176MB

* Fix Dockerfile

Forgot to add logical "and" (&&)
 2023-10-23 13:51:47 -04:00
Joe Testa d62e4cd80c Added Python 3.12 to Tox tests. 2023-10-22 16:43:04 -04:00
Joe Testa 2809ff464a Added --rm to docker run commands so stopped containers are automatically removed. 2023-09-12 08:38:07 -04:00
Joe Testa 02ab487232 Bumped version to v3.1.0-dev. 2023-09-07 08:57:59 -04:00
Joe Testa d62acd688e Updated Docker Makefile and packaging instructions. 2023-09-07 08:57:39 -04:00
Joe Testa f517e03d9f Bumped version to v3.0.0. 2023-09-07 07:45:07 -04:00
Joe Testa 6c64257d91 Updated README. 2023-09-06 22:37:06 -04:00
Sebastian Cohnen 982c0b4c72
Docker: Build multi-arch container images for amd64, arm64 and arm/v7 (#194) 
* builds multi-arch container images for linux/{amd64,arm64,arm/v7}

* adds local-build build target for easier local testing
 2023-09-06 22:32:18 -04:00
Joe Testa e26597a7aa Marked all NIST K-, B-, and T-curves as unproven since they are so rarely used. Added 12 new host keys: 'ecdsa-sha2-curve25519', 'ecdsa-sha2-nistb233', 'ecdsa-sha2-nistb409', 'ecdsa-sha2-nistk163', 'ecdsa-sha2-nistk233', 'ecdsa-sha2-nistk283', 'ecdsa-sha2-nistk409', 'ecdsa-sha2-nistp224', 'ecdsa-sha2-nistp192', 'ecdsa-sha2-nistt571', 'ssh-dsa', 'x509v3-sign-rsa-sha256'. Added 15 key exchanges: 'curve448-sha512@libssh.org', 'ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org', 'ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org', 'ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org', 'ecdh-sha2-brainpoolp256r1@genua.de', 'ecdh-sha2-brainpoolp384r1@genua.de', 'ecdh-sha2-brainpoolp521r1@genua.de', 'kexAlgoDH14SHA1', 'kexAlgoDH1SHA1', 'kexAlgoECDH256', 'kexAlgoECDH384', 'kexAlgoECDH521', 'sm2kep-sha2-nistp256', 'x25519-kyber-512r3-sha256-d00@amazon.com', 'x25519-kyber512-sha512@aws.amazon.com'. Added 8 new ciphers: 'aes192-gcm@openssh.com', 'cast128-12-cbc', 'cast128-12-cfb', 'cast128-12-ecb', 'cast128-12-ofb', 'des-cfb', 'des-ecb', 'des-ofb'. Added 14 new MACs: 'cbcmac-3des', 'cbcmac-aes', 'cbcmac-blowfish', 'cbcmac-des', 'cbcmac-rijndael', 'cbcmac-twofish', 'hmac-sha256-96', 'md5', 'md5-8', 'ripemd160', 'ripemd160-8', 'sha1', 'sha1-8', 'umac-128'. 2023-09-05 20:10:37 -04:00
Joe Testa f8e29674a3 Refined JSON notes output. Fixed Docker & Tox tests. 2023-09-05 16:36:54 -04:00
Bareq d3dd5a9cac
Improved JSON output (#185) 2023-09-05 16:16:23 -04:00
Joe Testa 79ca4b2d8b Updated README. 2023-09-05 14:22:35 -04:00
Joe Testa 884ef645f8 Prioritized certificate host key types for Ubuntu 22.04 client policy. (#193) 2023-09-05 14:01:51 -04:00
Joe Testa 953683a762 Fixed most warnings from Shellcheck scans. (#197) 2023-09-05 13:14:21 -04:00
Joe Testa 38f9c21760 The color of all notes will be printed in green when the related algorithm is rated good. 2023-09-03 19:14:25 -04:00
Joe Testa 4e6169d0cb Added built-in policy for OpenSSH 9.4. 2023-09-03 18:12:16 -04:00
Joe Testa 2867c65819 Perform full Docker image update when building. 2023-09-03 18:07:30 -04:00
Joe Testa 77cdb969b9 Fixed flake8 tests. 2023-09-03 16:25:26 -04:00
Joe Testa 199e75f6cd Refined GEX testing against OpenSSH servers: when the fallback mechanism is suspected of being triggered, perform an additional test to obtain more accurate results. 2023-09-03 16:13:00 -04:00
Joe Testa 3f2fdbaa3d Fixed crash during GEX tests. 2023-07-11 11:08:42 -04:00
Joe Testa 83e90729e2 Updated README. 2023-06-20 16:12:30 -04:00
thecliguy 83f9e48271
Recommendation output now respects level (#196) 2023-06-20 16:09:37 -04:00
Joe Testa e2fc60cbb4 Updated README and test for resolve function. 2023-06-20 09:26:43 -04:00
Dani Cuesta a74c3abdde
Removed sys.exit from _resolve in ssh_socket.py (#187) 
Changed (and documented) _resolve so the application does not quit when a hostname cannot be resolved.

Adapted connect function to expect incoming exceptions from _resolve

This fixes issue #186
 2023-06-20 09:21:06 -04:00
Joe Testa e99cb0b579 Now prints the reason why socket listening operations fail. 2023-06-20 08:43:11 -04:00
Joe Testa 639f11a5e5 Results from concurrent scans against multiple hosts are no longer improperly combined (#190). 2023-06-19 14:13:32 -04:00
Joe Testa 521a50a796 Added 'curve448-sha512@libssh.org' kex. (#195) 2023-06-19 10:35:13 -04:00
Joe Testa 2d5a97841f Bumped version to 3.0.0-dev. 2023-04-29 14:46:07 -04:00
Joe Testa 54b8c7da02 Updated PyPI and Snap build processes. 2023-04-29 14:42:54 -04:00
Joe Testa 3ba28b01e9 Added release date of v2.9.0. 2023-04-29 12:39:04 -04:00
Joe Testa 3c1451cfdc Bumped version to v2.9.0. 2023-04-29 12:33:26 -04:00
Joe Testa 929652c9b7 Simplified host key test logic. 2023-04-29 11:59:50 -04:00
thecliguy e172932977
RSA key size comments duplicated for all RSA sig algs (#182) 
* RSA key size comments duplicated for all RSA sig algs

* Save results on completion of testing a hostkey

* Revised list names because they operates against all keys now not just rsa.

* ensure all required fields added for non-rsa keys

* Correction to the saving of comments against non-rsa keys
 2023-04-29 11:39:29 -04:00
Joe Testa c33e7d9b72 Added built-in policies for OpenSSH 8.8, 8.9, 9.0, 9.1, 9.2, and 9.3. 2023-04-27 21:40:47 -04:00
Joe Testa 0074fcc1af Rolled back Windows multithreading crash fix, as upgrading from Python v3.9 to v3.11 may have fixed the root cause. (#152) 2023-04-26 21:55:40 -04:00
Joe Testa 1eab4ab0e6 Updated README. 2023-04-26 15:49:45 -04:00
Joe Testa 7f8d6b4d5b Fixed built-in policy formatting and filled in missing host key size information. 2023-04-26 15:47:58 -04:00
Joe Testa 4c098b7d12 Windows build script now automatically installs/updates package dependencies. 2023-04-25 20:14:49 -04:00
Joe Testa 0bfb5d6979 Updated snap base image. Now installing snapcraft tool from snap instead of apt. 2023-04-25 11:54:12 -04:00
Joe Testa a5f5e0dab2 Updated changelog. 2023-04-25 10:25:06 -04:00
Joe Testa 05f159a152 Fixed Windows-specific crash when multiple threads are used (#152). 2023-04-25 10:18:45 -04:00
Joe Testa 263267c5ad Added support for mixed host key/CA key types (i.e.: RSA host keys signed by ED25519 CAs) (#120). 2023-04-25 09:17:32 -04:00