Joe Testa
24d7d46c42
Updated PyPI downloads shield.
2024-09-25 10:05:35 -04:00
Joe Testa
e97bbd9782
Added Python 3.13 support.
2024-09-24 18:20:07 -04:00
Joe Testa
6d57c7c0f7
The -p/--port option will now set the default port for multi-host scans (specified with -T/--targets). ( #294 )
2024-09-24 16:42:53 -04:00
Joe Testa
ea3258151e
Fixed invalid JSON output when a socket error occurs while performing a client audit. ( #295 )
2024-09-24 15:48:14 -04:00
Joe Testa
f9032c8277
Added built-in policy for OpenSSH 9.9.
2024-09-24 15:05:05 -04:00
Joe Testa
d7398baad7
Added two new key exchanges: mlkem768x25519-sha256, sntrup761x25519-sha512.
2024-09-19 17:40:49 -04:00
Joe Testa
4621d52223
Updated unknown algorithm message.
2024-09-19 17:01:37 -04:00
Joe Testa
2a7cb13895
Added grasshopper-ctr128 cipher.
2024-09-18 17:59:45 -04:00
Joe Testa
06ebdbd0fe
Updated README.
2024-08-26 16:46:34 -04:00
Drew Noel
7752023dc2
Switch connect_ex
result checks to use errno
lookups ( #289 )
...
* Switch connect_ex result checks to errno lookups
* Return errno strings, clean up comment
2024-08-26 16:38:44 -04:00
Joe Testa
a6f02ae8e8
Added debugging output for key exchanges.
2024-08-26 16:25:32 -04:00
Joe Testa
9049c8476a
Updated README.
2024-07-06 21:01:19 -04:00
Daniel Lenski
bbbdf71e50
Recognize LANcom LCOS software and support ed448 key extraction ( #277 )
...
* Include raw hostkey bytes in debug output
* Recognize LANcom LCOS software and support extraction of ssh-ed448 key type
LANcom router devices appear to be primarily used in Germany (see [1]
for examples on the public Internet), and they appear to support the
`ssh-ed448` key type which is documented in [2], but which has never
been supported by any as-yet-released version of OpenSSH.
[1] https://www.shodan.io/search?query=ssh+%22ed448%22
[2] https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format
2024-07-06 20:56:24 -04:00
Joe Testa
92db5f0138
Updated docker tests and README due to merge of PR #281 .
2024-07-05 10:53:00 -04:00
dreizehnutters
bc2a89eb11
fix for https://github.com/jtesta/ssh-audit/issues/280 ( #281 )
...
* fix for https://github.com/jtesta/ssh-audit/issues/280
* changed json format to min. the damage for a change
2024-07-05 10:49:16 -04:00
Joe Testa
ea117b203b
Updated README.
2024-07-05 10:16:06 -04:00
Daniel Lenski
d8f8b7c57c
Make HostKeyTest class reusable ( #278 )
...
Because the `HostKeyTest` class was mutating its static/global
`HOST_KEY_TYPES` dict, this class could not actually be used more than once
in a single thread!
Rather than mutate this dict after parsing each key type
(`HOST_KEY_TYPES[host_key_type]['parsed'] = True`), the `perform_test`
method should simple add the parsed key types to a local `set()`.
2024-07-05 10:11:18 -04:00
Joe Testa
e42961fa9a
Added built-in policy for OpenSSH 9.8.
2024-07-02 21:31:36 -04:00
Joe Testa
dcbc43acdf
Fixed crash when running with '-P' and '-T' options simultaneously. ( #273 )
2024-07-02 20:56:11 -04:00
Joe Testa
87e22ae26b
Added IPv6 support for DHEat and connection rate tests. ( #269 )
2024-06-29 19:05:20 -04:00
Joe Testa
46ec4e3edc
Added built-in policies for Ubuntu 24.04 LTS server and client.
2024-04-29 19:11:47 -04:00
Joe Testa
d19b154a46
Bumped version to v3.3.0-dev.
2024-04-22 17:57:26 -04:00
Joe Testa
c5d90106e8
Updated docker run command.
2024-04-22 17:54:37 -04:00
Joe Testa
68cf05d0ff
Set version to 3.2.0 for release.
2024-04-22 16:32:57 -04:00
Joe Testa
2d9ddabcad
Updated DHEat rate connection warning message.
2024-04-22 16:26:03 -04:00
Joe Testa
986f83653d
Added multi-line real-time output for connection rate testing.
2024-04-22 13:56:50 -04:00
Joe Testa
3c459f1428
Revised connection rate warning during standard audits.
2024-04-22 11:58:52 -04:00
Joe Testa
46b89fff2e
Sockets now time out after 30 seconds during connection rate testing.
2024-04-21 17:05:57 -04:00
Joe Testa
81718d1948
Fixed non-interactive connection rate tests. Revised warning for lack of connection throttling.
2024-04-21 15:08:38 -04:00
Joe Testa
8124c8e443
Added aes128-ocb@libassh.org cipher.
2024-04-18 21:09:02 -04:00
Joe Testa
b9f569fdf8
Added warnings for Windows platform.
2024-04-18 20:51:14 -04:00
Joe Testa
9126ae7d9c
Improved DHEat statistics output.
2024-04-18 20:01:28 -04:00
Joe Testa
d2f1a295a1
Removed vulture from Tox (it rarely made any findings, and when it did, pylint reported the same issues).
2024-04-18 19:36:13 -04:00
Joe Testa
8190fe59d0
Added implementation for DHEat denial-of-service attack (CVE-2002-20001). ( #211 , #217 )
2024-04-18 13:58:13 -04:00
Joe Testa
d7f8bf3e6d
Updated notes on OpenSSH default key exchanges. ( #258 )
2024-03-19 18:24:22 -04:00
Joe Testa
3d403b1d70
Updated availability of algorithms in Dropbear. ( #257 )
2024-03-19 15:47:09 -04:00
Joe Testa
9fae870260
Added allow_larger_keys flag to custom policies to control whether targets can have larger keys, and added Docker tests to complete work started in PR #242 .
2024-03-19 14:45:19 -04:00
Damian Szuberski
20873db596
use less-than instead of not-equal when comparing key sizes ( #242 )
...
When evaluating policy compliance, use less-than operator so keys bigger
than expected (and hence very often better) don't fail policy
evaulation. This change reduces the amount of false-positives and allows
for more flexibility when hardening SSH installations.
Signed-off-by: szubersk <szuberskidamian@gmail.com>
2024-03-19 14:38:27 -04:00
Joe Testa
3c31934ac7
Added tests and other cleanups resulting from merging PR #252 .
2024-03-18 17:48:50 -04:00
yannik1015
5bd925ffc6
[WIP] Adding allowed algorithms ( #252 )
...
* Added allowed policy fields
Added allowed fields for host keys kex ciphers and macs
* Adapted policy.py to newest dev version
* Added allow_algorithm_subset_and_reordering flag
* Removed allowed policy entries as they are redundant now
* Fixed call to append_error
2024-03-18 17:41:17 -04:00
Joe Testa
7b3402b207
Added note that sntrup761x25519-sha512@openssh.com is the default OpenSSH kex since version 9.0.
2024-03-15 17:24:21 -04:00
Joe Testa
b2f46eb71a
Added extra GSS wildcard matching test.
2024-03-15 17:05:40 -04:00
Joe Testa
ab41ca1023
Re-organized README.
2024-03-15 16:28:10 -04:00
Joe Testa
b70fb0bc4c
Added built-in policies for Amazon Linux 2023, Debian 12, and Rocky Linux 9.
2024-03-15 16:24:36 -04:00
Joe Testa
db5104ecb8
Built-in policy change logs no longer printed within quotes.
2024-03-14 18:13:53 -04:00
Joe Testa
15078aaea9
Built-in policies now include a change log.
2024-03-14 17:58:16 -04:00
Joe Testa
f0874af4cd
Split built-in policies from policy.py to builtin_policies.py.
2024-03-14 17:24:40 -04:00
Joe Testa
064b55e0c2
Added 1 new key exchange algorithm: gss-nistp384-sha384-*
2024-03-14 16:01:48 -04:00
Joe Testa
a4f508374a
Updated README.
2024-03-12 21:13:10 -04:00
Daniel Thamdrup
6f39407a8c
use alpine, reduce layers ( #249 )
...
Signed-off-by: Daniel Thamdrup <dallemon@protonmail.com>
2024-03-12 21:02:26 -04:00