Commit Graph

523 Commits

Author SHA1 Message Date
Joe Testa
dc0a959402 Use brighter colors on Windows for better readability. Disable unicode characters on Windows since the default terminal does not display them properly. 2020-09-27 19:29:29 -04:00
Joe Testa
eb1588ddc7 Added release date for v2.3.0. Added link for policy tutorial. 2020-09-27 17:12:10 -04:00
Joe Testa
b7d698d743 Added policy for hardened OpenSSH v8.4. 2020-09-27 17:04:43 -04:00
Joe Testa
b0c00749a6 Improved formatting of usage examples. Added link to web front-end. 2020-09-27 13:24:37 -04:00
Joe Testa
6e3e8bac74 Added policy audit examples and additional usage examples. 2020-09-27 13:13:38 -04:00
Joe Testa
632adc076a Policy check output now prints port number, if applicable. 2020-09-27 11:48:15 -04:00
Joe Testa
13b065b316 Added CONTRIBUTING.md (#54). 2020-09-26 22:06:49 -04:00
Joe Testa
a7581e07dc Added explicit statement regarding fork (#58). 2020-09-26 20:14:29 -04:00
Joe Testa
4cae6aff43 Added 6 new host key types: 'spi-sign-rsa', 'ssh-ed448', 'x509v3-ecdsa-sha2-nistp256', 'x509v3-ecdsa-sha2-nistp384', 'x509v3-ecdsa-sha2-nistp521', 'x509v3-rsa2048-sha256'. Added 5 new key exchanges: 'gss-group14-sha256-', 'gss-group15-sha512-', 'gss-group16-sha512-', 'gss-nistp256-sha256-', 'gss-curve25519-sha256-'. 2020-09-26 19:32:19 -04:00
Joe Testa
3e20f7c622 Fixed optional host key values. 2020-08-12 15:26:18 -04:00
Joe Testa
1123ac718c Send peer a list of supported algorithms after the banner exchange. Fixes not only the weird case of an ssh-audit client hanging against an ssh-audit server, but perhaps some real-world hangs as well. 2020-08-11 20:11:42 -04:00
Joe Testa
6d84cfdc31 Updated program return values for various connection error instances and unknown errors. 2020-08-11 19:45:59 -04:00
Joe Testa
c7ad1828d8 Fixed return value processing and mypy warning in algorithm_lookup(). Updated help listing, man page, and README. 2020-08-11 19:28:53 -04:00
thecliguy
86cb453928
Algorithm lookup (#53)
* Adding ssh-audit.py to algorithm_lookup_branch

* Removed the use of an error handler from algorithm_lookup and implemented suggestions made by jugmac00 and jtesta
2020-08-11 19:02:35 -04:00
Joe Testa
0c00b37328 Added .deepsource.toml for DeepSource integration. 2020-07-30 12:08:18 -04:00
Joe Testa
936acfa37d Added more structure to JSON result when policy errors are found. 2020-07-29 12:36:08 -04:00
Joe Testa
b5d7f73125 When an unexpected exit code is returned, print more debugging info. 2020-07-29 12:31:24 -04:00
Joe Testa
6a7bed06d7 Added two new key exchanges: 'kexAlgoCurve25519SHA256' and 'Curve25519SHA256'. 2020-07-28 21:17:29 -04:00
Joe Testa
41e69dd6f2 Alphabetized options in usage message and README. 2020-07-16 12:07:02 -04:00
Joe Testa
25faeb4c59 Added new man page. 2020-07-16 11:48:35 -04:00
Joe Testa
8051078524 When a list of targets is provided (-T), skip empty lines. 2020-07-16 10:19:36 -04:00
Joe Testa
cf815a6652 Added hardened OpenSSH policies. 2020-07-15 14:35:18 -04:00
Joe Testa
2d4eb7da28 Renamed policies to include 'Hardened' in title. 2020-07-15 14:33:10 -04:00
Joe Testa
68a420ff00 Added policy support for optional host key types, like certificates and smart card-based types. 2020-07-15 14:32:14 -04:00
Joe Testa
17f5eb0b38 Added -L option to list built-in policies. 2020-07-14 19:38:10 -04:00
Joe Testa
b95969bbc0 Policy output now more clearly prints the policy version. 2020-07-14 17:38:15 -04:00
Joe Testa
00ce44e728 Added Ubuntu client policies. 2020-07-14 17:18:35 -04:00
Joe Testa
8fb07edafd Added 'client policy' field in policy files to distinguish server from client policies. 2020-07-14 17:14:47 -04:00
Joe Testa
b27d768c79 Print client IP in output when doing policy audits. 2020-07-14 14:01:08 -04:00
Joe Testa
cb54c2bf33 Moved Windows build instructions to packages directory. 2020-07-14 11:03:35 -04:00
Joe Testa
85f14720cb Added 3 new host keys: ssh-gost2001, ssh-gost2012-256, and ssh-gost2012-512. 2020-07-14 10:43:18 -04:00
Jürgen Gmach
1410894f45
Update description for targets argument (#48)
`targets` takes a file containing a list of target hosts, one on each
line.

Added required format, ie HOST:PORT.

modified:   ssh-audit.py
2020-07-14 10:35:54 -04:00
Joe Testa
381ba1a660 Now supports a list of targets with -T (#11). 2020-07-13 18:39:05 -04:00
Joe Testa
8e3f3c6044 Updated PyPI notes. 2020-07-11 12:42:11 -04:00
Joe Testa
f80e3f22ce Now returns -1 when an uncaught exception is found. 2020-07-07 16:31:44 -04:00
Joe Testa
49bd2c96a8 Added return values for standard scans. 2020-07-07 15:56:37 -04:00
Joe Testa
103b8fb934 Added official policies for hardened Ubuntu 16.04, 18.04, and 20.04. 2020-07-06 16:16:52 -04:00
Joe Testa
1faa24ad86 Do not accidentally overwrite policies when creating new policy with -M. 2020-07-06 16:15:26 -04:00
Joe Testa
adc1007d7d Mark 'gss-group1-sha1-' kex as failure due to 1024-bit modulus. 2020-07-04 09:41:46 -04:00
Jürgen Gmach
8a406dd9d2
Simplify mypy config (#45)
Instead of specifying stricter checks one by one, just run `mypy` in
`strict` mode.

modified:   tox.ini
2020-07-04 09:39:43 -04:00
Joe Testa
d717f86238 Added check for use-after-free vulnerability in PuTTY v0.73. 2020-07-03 15:07:34 -04:00
Jürgen Gmach
bf1fbbfa43
Fix RuntimeError for the JSON export (#44)
* Fix RuntimeError for the JSON export

It is never a good idea to modify an iterable while iterating over it.

Copying the iterable fixes #41

modified:   ssh-audit.py

* Add test case for #41

new file:   test/test_build_struct.py

* Fix linting error

modified:   test/test_build_struct.py
2020-07-03 14:56:46 -04:00
Joe Testa
282770e698 Added 'ssh-dss-sha256@ssh.com' host key type, 'crypticore128@ssh.com' and 'seed-cbc@ssh.com' ciphers, and 'crypticore-mac@ssh.com' MAC. 2020-07-01 14:32:55 -04:00
Joe Testa
01ec6b0b37 Removed header processing from policy checks, as this did not function the way users would expect. 2020-07-01 13:12:49 -04:00
Joe Testa
30f2b7690a Enabled the following mypy options: check_untyped_defs, disallow_untyped_defs, disallow_untyped_calls, disallow_incomplete_defs, disallow_untyped_decorators, disallow_untyped_decorators, strict_equality, and strict. 2020-07-01 13:00:44 -04:00
Joe Testa
cabbe717d3 Added 'diffie-hellman-group1-sha256' kex. 2020-06-30 22:58:28 -04:00
Joe Testa
d5ef967758 Upgraded 1024-bit modulus warning to failure. 2020-06-30 22:51:13 -04:00
Joe Testa
dd44e2f010 Added policy checks (#10). 2020-06-30 15:53:50 -04:00
Joe Testa
8e71c2d66b Handle case of KexDH.recv_reply() returning None. 2020-06-27 23:59:15 -04:00
Jürgen Gmach
da31c19d38
Re-enable mypy options (#43)
* Convert type comments to annotations

Notes:
- variable annotations are only possible for Python 3.6 and upwards

- class names as a result of a function have to be quoted
cf https://www.python.org/dev/peps/pep-0563/#enabling-the-future-behavior-in-python-3-7

This is ongoing work for #32

modified:   ssh-audit.py

* Do not use variable annotation

... as this feature works only for Python 3.6 and above only.

modified:   ssh-audit.py

* Re-enable strict_optional

`None` is a valid return type for mypy, even when you specify a certain
type. `strict_optional` makes sure that only the annotated return type
is actually returned.

modified:   tox.ini

* Re-enable `warn_unused_ignores`

Quote from mypy docs:
This flag will make mypy report an error whenever your code uses a
`# type: ignore` comment on a line that is not actually generating
 an error message.

modified:   tox.ini

* Re-enable `warn_return_any`

Quote from the documenation:
"This flag causes mypy to generate a warning when returning a value with
type Any from a function declared with a non-Any return type."

modified:   tox.ini

* Re-enable `warn_redundant_casts`

Quote from the documentation:
"This flag will make mypy report an error whenever your code uses an
unnecessary cast that can safely be removed."

modified:   tox.ini

* Remove `warn_incomplete_stub`

... as the documentation says
"This flag is mainly intended to be used by people who want contribute
to typeshed and would like a convenient way to find gaps and omissions."

modified:   tox.ini

* Re-enable `disallow_subclassing_any`

Quote from the documentation:
"This flag reports an error whenever a class subclasses a value of type
Any."

modified:   tox.ini

* Re-enable `follow_imports`

... and set it to `normal`.

For more information, see
https://mypy.readthedocs.io/en/latest/running_mypy.html#follow-imports

modified:   tox.ini

* Re-enable `ignore_missing_imports`

Quote from the documentation:
"This flag makes mypy ignore all missing imports. It is equivalent to
adding # type: ignore comments to all unresolved imports within your
codebase."

modified:   tox.ini

* Fix arguments for Kex initialization

`follows` has to be a boolean, but an int was provided.

This worked, as in Python boolean is a subtype of int.

modified:   ssh-audit.py

* Do not uncomment `check_untyped_defs` yet

modified:   tox.ini

* Change KexDH.__ed25519_pubkey's default type

It was initialized with 0 (int), and later it gets set with bytes.

Now, it gets initialized with None, and thus gets the type
Optional[bytes].

Optional means None or the named type.

modified:   ssh-audit.py

* Fix whitespace

modified:   tox.ini

* Add type annotation for main function

modified:   ssh-audit.py

* Add type annotation for KexDH.set_params

modified:   ssh-audit.py

* Add type annotation for Kex.set_rsa_key_size

modified:   ssh-audit.py

* Add type annotation for Kex.rsa_key_sizes

modified:   ssh-audit.py

* Add type annotation for Kex.set_dh_modulus_size

modified:   ssh-audit.py

* Add type annotation to Kex.dh_modulus_sizes

modified:   ssh-audit.py

* Add type annotation for Kex.set_host_key

modified:   ssh-audit.py

* Add type annotation for Kex.host_keys

modified:   ssh-audit.py

* Add type annotation for HostKeyTest.run

modified:   ssh-audit.py

* Add static typing to HostKeyTest.perform_test

This revealed a small oversight in the guard protecting the call to
perform_test.

modified:   ssh-audit.py

* Add type annotation for GexTest.reconnect

modified:   ssh-audit.py

* Add type annotation for GexTest.run

modified:   ssh-audit.py

* Add type annotation for ReadBuf.reset

modified:   ssh-audit.py

* Add type annoation for WriteBuf.reset

modified:   ssh-audit.py

* Add type annotation to Socket.listen_and_accept

modified:   ssh-audit.py

* Move comment for is_connected into docstring.

modified:   ssh-audit.py

* Add type annotation for Socket.is_connected

modified:   ssh-audit.py

* Add type annotation for Socket.close

modified:   ssh-audit.py

* Do not commit breakpoint

modified:   ssh-audit.py

* Add annotations for KexDH key size handling

modified:   ssh-audit.py

* Add type annotation for KexDH.get_ca_size

modified:   ssh-audit.py

* Add type annotation to output_info

modified:   ssh-audit.py

* Add type annotation for KexDH.__get_bytes

modified:   ssh-audit.py

* Add type annotation to KexGroup14.__init__

modified:   ssh-audit.py

* Add type annotation for KexGroup14_SHA256.__init__

modified:   ssh-audit.py

* Add type annotation for KexGroup16_SHA512.__init__

modified:   ssh-audit.py

* Add type annotation for KexGroup18_SHA512.__init__

modified:   ssh-audit.py

* Add type annotation for KexCurve25519_SHA256.__init__

modified:   ssh-audit.py

* Add type annotation for KexNISTP256.__init__

modified:   ssh-audit.py

* Add type annotations to several init methods

modified:   ssh-audit.py

* Add type annotataion for KexGroupExchange.send_init_gex

modified:   ssh-audit.py

* Add type annotation for KexGroupExchange.__init__

modified:   ssh-audit.py

* Add type annotation to KexCurve25519_SHA256.send_init

modified:   ssh-audit.py

* Add type annotation for KexNISTP256.sent_init

modified:   ssh-audit.py

* Add type annotation for KexNISTP384.send_init

modified:   ssh-audit.py

* Add type annotation for KexNISTP521.send_init

modified:   ssh-audit.py

* Add type annotation for KexGroupExchange.send_init

modified:   ssh-audit.py

* Add type annotation to KexDH.get_dh_modulus_size

modified:   ssh-audit.py

* Delete unused variables KexDH.__f and f_len

__f was initialized as int, then assigned to bytes, but never used.

f_len assigned an int, but not all.

modified:   ssh-audit.py

* Delete unused variables KexDH.__h_sig and h_sig_len

modified:   ssh-audit.py

* Add type annotation for KexDH.__hostkey_type

modified:   ssh-audit.py
2020-06-27 23:54:34 -04:00