Batch mode no longer automatically enables verbose mode.

When running against multiple hosts, now prints each target host regardless of output level. (#309 )
Added warnings to all key exchanges that do not provide protection against quantum attacks.
2025-04-04 08:44:00 +02:00 · 2024-12-05 10:06:58 -05:00 · 2024-12-05 09:41:26 -05:00 · 2024-11-25 15:56:51 -05:00 · 2024-11-22 12:28:02 -05:00 · 2024-11-22 12:26:20 -05:00
187 changed files with 19778 additions and 1616 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,3 @@
+src/ssh_audit/__pycache__/
+src/ssh_audit.egg-info/
+src/ssh_audit/*~
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@ -0,0 +1 @@
+github: jtesta
--- a/.github/workflows/tox.yaml
+++ b/.github/workflows/tox.yaml
@ -0,0 +1,24 @@
+name: ssh-audit
+on: [push, pull_request]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13"]
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: |
+          python3 -m pip install --upgrade pip
+          python3 -m pip install -U codecov coveralls flake8 mypy pylint pytest tox
+      - name: Run Tox
+        run: |
+          python3 -m tox
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,27 @@
 *~
-*.pyc
+*.py[cod]
+*.exe
+*.asc
+venv*/
+.cache/
+.mypy_cache/
+.tox
+.coverage*
+reports/
+.scannerwork/
+
+# PyPI packaging
+/build/
+/dist/
+*.egg-info/
+*.egg
+
+# Snap packaging
+/parts/
+/prime/
+/snap/
+/stage/
+/ssh-audit_*.snap
+
+# Your local server config
+servers.txt
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -0,0 +1,26 @@
+# Contributing to ssh-audit
+
+We are very much open to receiving patches from the community!  To encourage participation, passing CI tests, unit tests, etc., *is OPTIONAL*.  As long as the patch works properly, it can be merged.
+
+However, if you can submit patches that pass all of our automated tests, then you'll lighten the load for the project maintainer (who already has enough to do!).  This document describes what tests are done and what documentation is maintained.
+
+*Anything extra you can do is appreciated!*
+
+
+## Tox Tests
+
+[Tox](https://tox.wiki/) is used to automate testing.  Linting is done with [pylint](http://pylint.pycqa.org/en/latest/) & [flake8](https://flake8.pycqa.org/en/latest/), and static type-checking is done with [mypy](https://mypy.readthedocs.io/en/stable/).
+
+Install the required packages with `python3 -m pip install -U codecov coveralls flake8 mypy pylint pytest tox`, then run the tests with `python3 -m tox`.  Look for any error messages in the (verbose) output.
+
+
+## Docker Tests
+
+Docker is used to run ssh-audit against various real SSH servers (OpenSSH, Dropbear, and TinySSH).  The output is then diff'ed against the expected result.  Any differences result in failure.
+
+The docker tests are run with `./docker_test.sh`.
+
+
+## Man Page
+
+The `ssh-audit.1` man page documents the various features of ssh-audit.  If features are added, or significant behavior is modified, the man page needs to be updated.
--- a/24
+++ b/24
@ -0,0 +1,24 @@
+# syntax=docker/dockerfile:latest
+FROM scratch AS files
+
+# Copy ssh-audit code to temporary container
+COPY ssh-audit.py /
+COPY src/ /
+
+FROM python:3-alpine AS runtime
+
+# Update the image to remediate any vulnerabilities.
+RUN apk upgrade -U --no-cache -a -l && \ 
+    # Remove suid & sgid bits from all files.
+    find / -xdev -perm /6000 -exec chmod ug-s {} \; 2> /dev/null || true
+
+# Copy the ssh-audit code from files container.
+COPY --from=files / /
+
+# Allow listening on 2222/tcp for client auditing.
+EXPOSE 2222
+
+# Drop root privileges.
+USER nobody:nogroup
+
+ENTRYPOINT ["python3", "/ssh-audit.py"]
--- a/23
+++ b/23
@ -0,0 +1,23 @@
+The MIT License (MIT)
+
+Copyright (C) 2017-2024 Joe Testa (jtesta@positronsecurity.com)
+Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/Makefile.docker
+++ b/Makefile.docker
@ -0,0 +1,28 @@
+VERSION = $(shell grep VERSION src/ssh_audit/globals.py | grep -E -o "'(v.*)'" | tr -d "'")
+ifeq ($(VERSION),)
+  $(error "could not determine version!")
+endif
+
+all:
+	./add_builtin_man_page.sh
+	docker buildx create --name multiarch --use || exit 0
+	docker buildx build \
+		--platform linux/amd64,linux/arm64,linux/arm/v7 \
+		--tag positronsecurity/ssh-audit:${VERSION} \
+		--tag positronsecurity/ssh-audit:latest \
+		.
+	docker buildx build \
+		--tag positronsecurity/ssh-audit:${VERSION} \
+		--tag positronsecurity/ssh-audit:latest \
+		--load \
+		--builder=multiarch \
+		.
+
+upload:
+	docker login -u positronsecurity
+	docker buildx build \
+		--platform linux/amd64,linux/arm64,linux/arm/v7 \
+		--tag positronsecurity/ssh-audit:${VERSION} \
+		--tag positronsecurity/ssh-audit:latest \
+		--push \
+		.
--- a/Makefile.pypi
+++ b/Makefile.pypi
@ -0,0 +1,16 @@
+all:
+	./add_builtin_man_page.sh
+	rm -rf /tmp/pypi_upload
+	virtualenv -p /usr/bin/python3 /tmp/pypi_upload/
+	cp -R src /tmp/pypi_upload/
+	cp setup.py setup.cfg README.md LICENSE /tmp/pypi_upload/
+	/bin/bash -c "pushd /tmp/pypi_upload/; source bin/activate; pip3 install -U setuptools twine build; pip3 install -U requests_toolbelt; python3 -m build"
+
+uploadtest:
+	/bin/bash -c "pushd /tmp/pypi_upload; source bin/activate; python3 -m twine upload --repository testpypi /tmp/pypi_upload/dist/*"
+
+uploadprod:
+	/bin/bash -c "pushd /tmp/pypi_upload; source bin/activate; twine upload /tmp/pypi_upload/dist/*"
+
+clean:
+	rm -rf /tmp/pypi_upload/
--- a/PACKAGING.md
+++ b/PACKAGING.md
@ -0,0 +1,83 @@
+# Windows
+
+An executable can only be made on a Windows host because the PyInstaller tool (https://www.pyinstaller.org/) does not support cross-compilation.
+
+1.) Install Python v3.x from https://www.python.org/.  To make life easier, check the option to add Python to the PATH environment variable.
+
+2.) Install Cygwin (https://www.cygwin.com/).
+
+3.) Install/update package dependencies and create the executable with:
+
+```
+    $ ./build_windows_executable.sh
+```
+
+
+# PyPI
+
+To create package and upload to test server (hint: use API token for test.pypi.org):
+
+```
+    $ sudo apt install python3-virtualenv python3.12-venv
+    $ make -f Makefile.pypi
+    $ make -f Makefile.pypi uploadtest
+```
+
+To download from test server and verify:
+
+```
+    $ virtualenv /tmp/pypi_test
+    $ cd /tmp/pypi_test; source bin/activate
+    $ pip3 install --index-url https://test.pypi.org/simple ssh-audit
+```
+
+To upload to production server (hint: use API token for production pypi.org):
+
+```
+    $ make -f Makefile.pypi uploadprod
+```
+
+To download from production server and verify:
+
+```
+    $ virtualenv /tmp/pypi_prod
+    $ cd /tmp/pypi_prod; source bin/activate
+    $ pip3 install ssh-audit
+```
+
+
+# Snap
+
+To create the Snap package, run a fully-updated Ubuntu Server 24.04 VM.
+
+Create the Snap package with:
+```
+    $ ./build_snap.sh
+```
+
+Upload the Snap with:
+
+```
+    $ snapcraft export-login ~/snap_creds.txt
+    $ export SNAPCRAFT_STORE_CREDENTIALS=$(cat ~/snap_creds.txt)
+    $ snapcraft upload --release=beta ssh-audit_*.snap
+    $ snapcraft status ssh-audit  # Note the revision number of the beta channel.
+    $ snapcraft release ssh-audit X stable  # Fill in with the revision number.
+```
+
+
+# Docker
+
+Ensure that the `buildx` plugin is available by following the installation instructions available at: https://docs.docker.com/engine/install/ubuntu/
+
+Build a local image with:
+
+```
+    $ make -f Makefile.docker
+```
+
+Create a multi-architecture build and upload it to Dockerhub with (hint: use the API token as the password):
+
+```
+    $ make -f Makefile.docker upload
+```
--- a/README.md
+++ b/README.md
@ -1,43 +1,418 @@
 # ssh-audit
-**ssh-audit** is a tool for ssh server auditing.  
+[![License](https://img.shields.io/badge/license-MIT-brightgreen.svg)](https://github.com/jtesta/ssh-audit/blob/master/LICENSE)
+[![Build Status](https://github.com/jtesta/ssh-audit/actions/workflows/tox.yaml/badge.svg)](https://github.com/jtesta/ssh-audit/actions)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](https://github.com/jtesta/ssh-audit/blob/master/CONTRIBUTING.md)
+
+[![PyPI Downloads](https://img.shields.io/pypi/dm/ssh-audit?label=pypi%20downloads&color=purple)](https://pypi.org/project/ssh-audit/)
+[![Homebrew Downloads](https://img.shields.io/homebrew/installs/dy/ssh-audit?label=homebrew%20downloads&color=teal)](https://formulae.brew.sh/formula/ssh-audit)
+[![Docker Pulls](https://img.shields.io/docker/pulls/positronsecurity/ssh-audit)](https://hub.docker.com/r/positronsecurity/ssh-audit)
+[![Snap Downloads](https://img.shields.io/badge/snap%20downloads-no%20idea-yellow.svg)](https://snapcraft.io/ssh-audit)
+
+[![Github Sponsors](https://img.shields.io/github/sponsors/jtesta?color=red)](https://github.com/sponsors/jtesta)
+
+**ssh-audit** is a tool for ssh server & client configuration auditing.
+
+[jtesta/ssh-audit](https://github.com/jtesta/ssh-audit/) (v2.0+) is the updated and maintained version of ssh-audit forked from [arthepsy/ssh-audit](https://github.com/arthepsy/ssh-audit) (v1.x) due to inactivity.
+
+- [Features](#features)
+- [Usage](#usage)
+- [Screenshots](#screenshots)
+    - [Server Standard Audit Example](#server-standard-audit-example)
+    - [Server Policy Audit Example](#server-policy-audit-example)
+    - [Client Standard Audit Example](#client-standard-audit-example)
+- [Hardening Guides](#hardening-guides)
+- [Pre-Built Packages](#pre-built-packages)
+- [Web Front-End](#web-front-end)
+- [ChangeLog](#changelog)

 ## Features
 - SSH1 and SSH2 protocol server support;
+- analyze SSH client configuration;
 - grab banner, recognize device or software and operating system, detect compression;
 - gather key-exchange, host-key, encryption and message authentication code algorithms;
- output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
- output security information (related issues, assigned CVE list, etc);
+- output algorithm security information (available since, removed/disabled, unsafe/weak/legacy, etc);
+- output algorithm recommendations (append or remove based on recognized software version);
 - analyze SSH version compatibility based on algorithm information;
- historical information from OpenSSH and Dropbear SSH;
- no dependencies, compatible with Python2 and Python3;
+- historical information from OpenSSH, Dropbear SSH and libssh;
+- policy scans to ensure adherence to a hardened/standard configuration;
+- runs on Linux and Windows;
+- supports Python 3.8 - 3.13;
+- no dependencies

 ## Usage
 ```
-usage: ssh-audit.py [-bnv] [-l <level>] <host[:port]>
+usage: ssh-audit.py [-h] [-1] [-2] [-4] [-6] [-b] [-c] [-d]
+                    [-g <min1:pref1:max1[,min2:pref2:max2,...]> / <x-y[:step]>] [-j] [-l {info,warn,fail}] [-L]
+                    [-M custom_policy.txt] [-m] [-n] [-P "Built-In Policy Name" / custom_policy.txt] [-p N]
+                    [-T targets.txt] [-t N] [-v] [--conn-rate-test N[:max_rate]] [--dheat N[:kex[:e_len]]]
+                    [--lookup alg1[,alg2,...]] [--skip-rate-test] [--threads N]
+                    [host]

-   -1,  --ssh1             force ssh version 1 only
-   -2,  --ssh2             force ssh version 1 only
-   -b,  --batch            batch output
-   -n,  --no-colors        disable colors
-   -v,  --verbose          verbose output
-   -l,  --level=<level>    minimum output level (info|warn|fail)
-   
+positional arguments:
+  host                  target hostname or IPv4/IPv6 address
+
+optional arguments:
+  -h, --help            show this help message and exit
+  -1, --ssh1            force ssh version 1 only
+  -2, --ssh2            force ssh version 2 only
+  -4, --ipv4            enable IPv4 (order of precedence)
+  -6, --ipv6            enable IPv6 (order of precedence)
+  -b, --batch           batch output
+  -c, --client-audit    starts a server on port 2222 to audit client software config (use -p to change port; use -t
+                        to change timeout)
+  -d, --debug           enable debugging output
+  -g <min1:pref1:max1[,min2:pref2:max2,...]> / <x-y[:step]>, --gex-test <min1:pref1:max1[,min2:pref2:max2,...]> / <x-y[:step]>
+                        conducts a very customized Diffie-Hellman GEX modulus size test. Tests an array of minimum,
+                        preferred, and maximum values, or a range of values with an optional incremental step amount
+  -j, --json            enable JSON output (use -jj to enable indentation for better readability)
+  -l {info,warn,fail}, --level {info,warn,fail}
+                        minimum output level (default: info)
+  -L, --list-policies   list all the official, built-in policies. Combine with -v to view policy change logs
+  -M custom_policy.txt, --make-policy custom_policy.txt
+                        creates a policy based on the target server (i.e.: the target server has the ideal
+                        configuration that other servers should adhere to), and stores it in the file path specified
+  -m, --manual          print the man page (Docker, PyPI, Snap, and Windows builds only)
+  -n, --no-colors       disable colors (automatic when the NO_COLOR environment variable is set)
+  -P "Built-In Policy Name" / custom_policy.txt, --policy "Built-In Policy Name" / custom_policy.txt
+                        run a policy test using the specified policy (use -L to see built-in policies, or specify
+                        filesystem path to custom policy created by -M)
+  -p N, --port N        the TCP port to connect to (or to listen on when -c is used)
+  -T targets.txt, --targets targets.txt
+                        a file containing a list of target hosts (one per line, format HOST[:PORT]). Use -p/--port
+                        to set the default port for all hosts. Use --threads to control concurrent scans
+  -t N, --timeout N     timeout (in seconds) for connection and reading (default: 5)
+  -v, --verbose         enable verbose output
+  --conn-rate-test N[:max_rate]
+                        perform a connection rate test (useful for collecting metrics related to susceptibility of
+                        the DHEat vuln). Testing is conducted with N concurrent sockets with an optional maximum
+                        rate of connections per second
+  --dheat N[:kex[:e_len]]
+                        continuously perform the DHEat DoS attack (CVE-2002-20001) against the target using N
+                        concurrent sockets. Optionally, a specific key exchange algorithm can be specified instead
+                        of allowing it to be automatically chosen. Additionally, a small length of the fake e value
+                        sent to the server can be chosen for a more efficient attack (such as 4).
+  --lookup alg1[,alg2,...]
+                        looks up an algorithm(s) without connecting to a server.
+  --skip-rate-test      skip the connection rate test during standard audits (used to safely infer whether the DHEat
+                        attack is viable)
+  --threads N           number of threads to use when scanning multiple targets (-T/--targets) (default: 32)
 ```
-* batch flag `-b` will output sections without header and without empty lines (implies verbose flag).  
-* verbose flag `-v` will prefix each line with section type and algorithm name.  
+* if both IPv4 and IPv6 are used, order of precedence can be set by using either `-46` or `-64`.
+* batch flag `-b` will output sections without header and without empty lines (implies verbose flag).
+* verbose flag `-v` will prefix each line with section type and algorithm name.
+* an exit code of 0 is returned when all algorithms are considered secure (for a standard audit), or when a policy check passes (for a policy audit).

-### example
-![screenshot](https://cloud.githubusercontent.com/assets/7356025/17623665/da5281c8-60a9-11e6-9582-13f9971c22e0.png)  
+Basic server auditing:
+```
+ssh-audit localhost
+ssh-audit 127.0.0.1
+ssh-audit 127.0.0.1:222
+ssh-audit ::1
+ssh-audit [::1]:222
+```
+
+To run a standard audit against many servers (place targets into servers.txt, one on each line in the format of `HOST[:PORT]`):
+
+```
+ssh-audit -T servers.txt
+```
+
+To audit a client configuration (listens on port 2222 by default; connect using `ssh -p 2222 anything@localhost`):
+
+```
+ssh-audit -c
+```
+
+To audit a client configuration, with a listener on port 4567:
+```
+ssh-audit -c -p 4567
+```
+
+To  list all official built-in policies (hint: use resulting policy names with `-P`/`--policy`):
+```
+ssh-audit -L
+```
+
+To run a policy audit against a server:
+```
+ssh-audit -P ["policy name" | path/to/server_policy.txt] targetserver
+```
+
+To run a policy audit against a client:
+```
+ssh-audit -c -P ["policy name" | path/to/client_policy.txt]
+```
+
+To run a policy audit against many servers:
+```
+ssh-audit -T servers.txt -P ["policy name" | path/to/server_policy.txt]
+```
+
+To create a policy based on a target server (which can be manually edited):
+```
+ssh-audit -M new_policy.txt targetserver
+```
+
+To run the DHEat CPU exhaustion DoS attack ([CVE-2002-20001](https://nvd.nist.gov/vuln/detail/CVE-2002-20001)) against a target using 10 concurrent sockets:
+```
+ssh-audit --dheat=10 targetserver
+```
+
+To run the DHEat attack using the `diffie-hellman-group-exchange-sha256` key exchange algorithm:
+```
+ssh-audit --dheat=10:diffie-hellman-group-exchange-sha256 targetserver
+```
+
+To run the DHEat attack using the `diffie-hellman-group-exchange-sha256` key exchange algorithm along with very small but non-standard packet lengths (this may result in the same CPU exhaustion, but with many less bytes per second being sent):
+```
+ssh-audit --dheat=10:diffie-hellman-group-exchange-sha256:4 targetserver
+```
+
+## Screenshots
+
+### Server Standard Audit Example
+Below is a screen shot of the standard server-auditing output when connecting to an unhardened OpenSSH v5.3 service:
+![screenshot](https://user-images.githubusercontent.com/2982011/64388792-317e6f80-d00e-11e9-826e-a4934769bb07.png)
+
+### Server Policy Audit Example
+Below is a screen shot of the policy auditing output when connecting to an un-hardened Ubuntu Server 20.04 machine (hint: use `-L`/`--list-policies` to see names of built-in policies to use with `-P`/`--policy`):
+![screenshot](https://user-images.githubusercontent.com/2982011/94370881-95178700-00c0-11eb-8705-3157a4669dc0.png)
+
+After applying the steps in the hardening guide (see below), the output changes to the following:
+![screenshot](https://user-images.githubusercontent.com/2982011/94370873-87620180-00c0-11eb-9a59-469f61a56ce1.png)
+
+### Client Standard Audit Example
+Below is a screen shot of the client-auditing output when an unhardened OpenSSH v7.2 client connects:
+![client_screenshot](https://user-images.githubusercontent.com/2982011/68867998-b946c100-06c4-11ea-975f-1f47e4178a74.png)
+
+## Hardening Guides
+Guides to harden server & client configuration can be found here: [https://www.ssh-audit.com/hardening_guides.html](https://www.ssh-audit.com/hardening_guides.html)
+
+## Pre-Built Packages
+Pre-built packages are available for Windows (see the [Releases](https://github.com/jtesta/ssh-audit/releases) page), PyPI, Snap, and Docker:
+
+To install from PyPI:
+```
+$ pip3 install ssh-audit
+```
+
+To install the Snap package:
+```
+$ snap install ssh-audit
+```
+
+To install from Dockerhub:
+```
+$ docker pull positronsecurity/ssh-audit
+```
+(Then run with: `docker run -it --rm -p 2222:2222 positronsecurity/ssh-audit 10.1.1.1`)
+
+The status of various other platform packages can be found below (via Repology):
+
+<a href="https://repology.org/project/ssh-audit/versions"><img src="https://repology.org/badge/vertical-allrepos/ssh-audit.svg?columns=4" alt="Packaging status" align="center"></a>
+
+## Web Front-End
+For convenience, a web front-end on top of the command-line tool is available at [https://www.ssh-audit.com/](https://www.ssh-audit.com/).

 ## ChangeLog

+### v3.4.0-dev
+ - Added warning to all key exchanges that do not include protections against quantum attacks due to the Harvest Now, Decrypt Later strategy (see https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later).
+ - Migrated from deprecated `getopt` module to `argparse`; partial credit [oam7575](https://github.com/oam7575).
+ - When running against multiple hosts, now prints each target host regardless of output level.
+ - Batch mode (`-b`) no longer automatically enables verbose mode, due to sometimes confusing results; users can still explicitly enable verbose mode using the `-v` flag.
+
+### v3.3.0 (2024-10-15)
+ - Added Python 3.13 support.
+ - Added built-in policies for Ubuntu 24.04 LTS server & client, OpenSSH 9.8, and OpenSSH 9.9.
+ - Added IPv6 support for DHEat and connection rate tests.
+ - Added TCP port information to JSON policy scan results; credit [Fabian Malte Kopp](https://github.com/dreizehnutters).
+ - Added LANcom LCOS server recognition and Ed448 key extraction; credit [Daniel Lenski](https://github.com/dlenskiSB).
+  - Now reports ECDSA and DSS fingerprints when in verbose mode; partial credit [Daniel Lenski](https://github.com/dlenskiSB).
+ - Removed CVE information based on server/client version numbers, as this was wildly inaccurate (see [this thread](https://github.com/jtesta/ssh-audit/issues/240) for the full discussion, as well as the results of the community vote on this matter).
+ - Fixed crash when running with `-P` and `-T` options simultaneously.
+ - Fixed host key tests from only reporting a key type at most once despite multiple hosts supporting it; credit [Daniel Lenski](https://github.com/dlenskiSB).
+ - Fixed DHEat connection rate testing on MacOS X and BSD platforms; credit [Drew Noel](https://github.com/drewmnoel) and [Michael Osipov](https://github.com/michael-o).
+ - Fixed invalid JSON output when a socket error occurs while performing a client audit.
+ - Fixed `--conn-rate-test` feature on Windows.
+ - When scanning multiple targets (using `-T`/`--targets`), the `-p`/`--port` option will now be used as the default port (set to 22 if `-p`/`--port` is not given).  Hosts specified in the file can override this default with an explicit port number (i.e.: "host1:1234").  For example, when using `-T targets.txt -p 222`, all hosts in `targets.txt` that do not explicitly include a port number will default to 222; when using `-T targets.txt` (without `-p`), all hosts will use a default of 22.
+ - Updated built-in server & client policies for Amazon Linux 2023, Debian 12, Rocky Linux 9, and Ubuntu 22.04 to improve host key efficiency and cipher resistance to quantum attacks.
+ - Added 1 new cipher: `grasshopper-ctr128`.
+ - Added 2 new key exchanges: `mlkem768x25519-sha256`, `sntrup761x25519-sha512`.
+
+### v3.2.0 (2024-04-22)
+ - Added implementation of the DHEat denial-of-service attack (see `--dheat` option; [CVE-2002-20001](https://nvd.nist.gov/vuln/detail/CVE-2002-20001)).
+ - Expanded filter of CBC ciphers to flag for the Terrapin vulnerability.  It now includes more rarely found ciphers.
+ - Fixed parsing of `ecdsa-sha2-nistp*` CA signatures on host keys.  Additionally, they are now flagged as potentially back-doored, just as standard host keys are.
+ - Gracefully handle rare exceptions (i.e.: crashes) while performing GEX tests.
+ - The built-in man page (`-m`, `--manual`) is now available on Docker, PyPI, and Snap builds, in addition to the Windows build.
+ - Snap builds are now architecture-independent.
+ - Changed Docker base image from `python:3-slim` to `python:3-alpine`, resulting in a 59% reduction in image size; credit [Daniel Thamdrup](https://github.com/dallemon).
+ - Added built-in policies for Amazon Linux 2023, Debian 12, OpenSSH 9.7, and Rocky Linux 9.
+ - Built-in policies now include a change log (use `-L -v` to view them).
+ - Custom policies now support the `allow_algorithm_subset_and_reordering` directive to allow targets to pass with a subset and/or re-ordered list of host keys, kex, ciphers, and MACs.  This allows for the creation of a baseline policy where targets can optionally implement stricter controls; partial credit [yannik1015](https://github.com/yannik1015).
+ - Custom policies now support the `allow_larger_keys` directive to allow targets to pass with larger host keys, CA keys, and Diffie-Hellman keys.  This allows for the creation of a baseline policy where targets can optionally implement stricter controls; partial credit [Damian Szuberski](https://github.com/szubersk).
+ - Color output is disabled if the `NO_COLOR` environment variable is set (see https://no-color.org/).
+ - Added 1 new key exchange algorithm: `gss-nistp384-sha384-*`.
+ - Added 1 new cipher: `aes128-ocb@libassh.org`.
+
+### v3.1.0 (2023-12-20)
+ - Added test for the Terrapin message prefix truncation vulnerability ([CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795)).
+ - Dropped support for Python 3.7 (EOL was reached in June 2023).
+ - Added Python 3.12 support.
+ - In server policies, reduced expected DH modulus sizes from 4096 to 3072 to match the [online hardening guides](https://ssh-audit.com/hardening_guides.html) (note that 3072-bit moduli provide the equivalent of 128-bit symmetric security).
+ - In Ubuntu 22.04 client policy, moved host key types `sk-ssh-ed25519@openssh.com` and `ssh-ed25519` to the end of all certificate types.
+ - Updated Ubuntu Server & Client policies for 20.04 and 22.04 to account for key exchange list changes due to Terrapin vulnerability patches.
+ - Re-organized option host key types for OpenSSH 9.2 server policy to correspond with updated Debian 12 hardening guide.
+ - Added built-in policies for OpenSSH 9.5 and 9.6.
+ - Added an `additional_notes` field to the JSON output.
+
+### v3.0.0 (2023-09-07)
+ - Results from concurrent scans against multiple hosts are no longer improperly combined; bug discovered by [Adam Russell](https://github.com/thecliguy).
+ - Hostname resolution failure no longer causes scans against multiple hosts to terminate unexpectedly; credit [Dani Cuesta](https://github.com/daniel-cues).
+ - Algorithm recommendations resulting from warnings are now printed in yellow instead of red; credit [Adam Russell](https://github.com/thecliguy).
+ - Added failure, warning, and info notes to JSON output (note that this results in a breaking change to the banner protocol, "enc", and "mac" fields); credit [Bareq Al-Azzawi](https://github.com/BareqAZ).
+ - Docker Makefile now creates multi-arch builds for amd64, arm64, and armv7; credit [Sebastian Cohnen](https://github.com/tisba).
+ - Fixed crash during GEX tests.
+ - Refined GEX testing against OpenSSH servers: when the fallback mechanism is suspected of being triggered, perform an additional test to obtain more accurate results.
+ - The color of all notes will be printed in green when the related algorithm is rated good.
+ - Prioritized host key certificate algorithms for Ubuntu 22.04 LTS client policy.
+ - Marked all NIST K-, B-, and T-curves as unproven since they are so rarely used.
+ - Added built-in policy for OpenSSH 9.4.
+ - Added 12 new host keys: `ecdsa-sha2-curve25519`, `ecdsa-sha2-nistb233`, `ecdsa-sha2-nistb409`, `ecdsa-sha2-nistk163`, `ecdsa-sha2-nistk233`, `ecdsa-sha2-nistk283`, `ecdsa-sha2-nistk409`, `ecdsa-sha2-nistp224`, `ecdsa-sha2-nistp192`, `ecdsa-sha2-nistt571`, `ssh-dsa`, `x509v3-sign-rsa-sha256`.
+ - Added 15 new key exchanges: `curve448-sha512@libssh.org`, `ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org`, `ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org`, `ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org`, `ecdh-sha2-brainpoolp256r1@genua.de`, `ecdh-sha2-brainpoolp384r1@genua.de`, `ecdh-sha2-brainpoolp521r1@genua.de`, `kexAlgoDH14SHA1`, `kexAlgoDH1SHA1`, `kexAlgoECDH256`, `kexAlgoECDH384`, `kexAlgoECDH521`, `sm2kep-sha2-nistp256`, `x25519-kyber-512r3-sha256-d00@amazon.com`, `x25519-kyber512-sha512@aws.amazon.com`.
+ - Added 8 new ciphers: `aes192-gcm@openssh.com`, `cast128-12-cbc`, `cast128-12-cfb`, `cast128-12-ecb`, `cast128-12-ofb`, `des-cfb`, `des-ecb`, `des-ofb`.
+ - Added 14 new MACs: `cbcmac-3des`, `cbcmac-aes`, `cbcmac-blowfish`, `cbcmac-des`, `cbcmac-rijndael`, `cbcmac-twofish`, `hmac-sha256-96`, `md5`, `md5-8`, `ripemd160`, `ripemd160-8`, `sha1`, `sha1-8`, `umac-128`.
+
+### v2.9.0 (2023-04-29)
+ - Dropped support for Python 3.6, as it reached EOL at the end of 2021.
+ - Added Ubuntu Server & Client 22.04 hardening policies.
+ - Removed experimental warning tag from `sntrup761x25519-sha512@openssh.com`.
+ - Updated CVE database; credit [Alexandre Zanni](https://github.com/noraj).
+ - Added `-g` and `--gex-test` for granular GEX modulus size tests; credit [Adam Russell](https://github.com/thecliguy).
+ - Snap packages now print more user-friendly error messages when permission errors are encountered.
+ - JSON 'target' field now always includes port number; credit [tomatohater1337](https://github.com/tomatohater1337).
+ - JSON output now includes recommendations and CVE data.
+ - Mixed host key/CA key types (i.e.: RSA host keys signed with ED25519 CAs, etc.) are now properly handled.
+ - Warnings are now printed for 2048-bit moduli; partial credit [Adam Russell](https://github.com/thecliguy).
+ - SHA-1 algorithms now cause failures.
+ - CBC mode ciphers are now warnings instead of failures.
+ - Generic failure/warning messages replaced with more specific reasons (i.e.: 'using weak cipher' => 'using broken RC4 cipher').
+ - Updated built-in policies to include missing host key size information.
+ - Added built-in policies for OpenSSH 8.8, 8.9, 9.0, 9.1, 9.2, and 9.3.
+ - Added 33 new host keys: `dsa2048-sha224@libassh.org`, `dsa2048-sha256@libassh.org`, `dsa3072-sha256@libassh.org`, `ecdsa-sha2-1.3.132.0.10-cert-v01@openssh.com`, `eddsa-e382-shake256@libassh.org`, `eddsa-e521-shake256@libassh.org`, `null`, `pgp-sign-dss`, `pgp-sign-rsa`, `spki-sign-dss`, `spki-sign-rsa`, `ssh-dss-sha224@ssh.com`, `ssh-dss-sha384@ssh.com`, `ssh-dss-sha512@ssh.com`, `ssh-ed448-cert-v01@openssh.com`, `ssh-rsa-sha224@ssh.com`, `ssh-rsa-sha2-256`, `ssh-rsa-sha2-512`, `ssh-rsa-sha384@ssh.com`, `ssh-rsa-sha512@ssh.com`, `ssh-xmss-cert-v01@openssh.com`, `ssh-xmss@openssh.com`, `webauthn-sk-ecdsa-sha2-nistp256@openssh.com`, `x509v3-ecdsa-sha2-1.3.132.0.10`, `x509v3-sign-dss-sha1`, `x509v3-sign-dss-sha224@ssh.com`, `x509v3-sign-dss-sha256@ssh.com`, `x509v3-sign-dss-sha384@ssh.com`, `x509v3-sign-dss-sha512@ssh.com`, `x509v3-sign-rsa-sha1`, `x509v3-sign-rsa-sha224@ssh.com`, `x509v3-sign-rsa-sha384@ssh.com`, `x509v3-sign-rsa-sha512@ssh.com`.
+ - Added 46 new key exchanges: `diffie-hellman-group14-sha224@ssh.com`, `diffie-hellman_group17-sha512`, `diffie-hellman-group-exchange-sha224@ssh.com`, `diffie-hellman-group-exchange-sha384@ssh.com`, `ecdh-sha2-1.2.840.10045.3.1.1`, `ecdh-sha2-1.2.840.10045.3.1.7`, `ecdh-sha2-1.3.132.0.1`, `ecdh-sha2-1.3.132.0.16`, `ecdh-sha2-1.3.132.0.26`, `ecdh-sha2-1.3.132.0.27`, `ecdh-sha2-1.3.132.0.33`, `ecdh-sha2-1.3.132.0.34`, `ecdh-sha2-1.3.132.0.35`, `ecdh-sha2-1.3.132.0.36`, `ecdh-sha2-1.3.132.0.37`, `ecdh-sha2-1.3.132.0.38`, `ecdh-sha2-4MHB+NBt3AlaSRQ7MnB4cg==`, `ecdh-sha2-5pPrSUQtIaTjUSt5VZNBjg==`, `ecdh-sha2-9UzNcgwTlEnSCECZa7V1mw==`, `ecdh-sha2-D3FefCjYoJ/kfXgAyLddYA==`, `ecdh-sha2-h/SsxnLCtRBh7I9ATyeB3A==`, `ecdh-sha2-m/FtSAmrV4j/Wy6RVUaK7A==`, `ecdh-sha2-mNVwCXAoS1HGmHpLvBC94w==`, `ecdh-sha2-qCbG5Cn/jjsZ7nBeR7EnOA==`, `ecdh-sha2-qcFQaMAMGhTziMT0z+Tuzw==`, `ecdh-sha2-VqBg4QRPjxx1EXZdV0GdWQ==`, `ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==`, `ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==`, `ecmqv-sha2`, `gss-13.3.132.0.10-sha256-*`, `gss-curve25519-sha256-*`, `gss-curve448-sha512-*`, `gss-gex-sha1-*`, `gss-gex-sha256-*`, `gss-group14-sha1-*`, `gss-group14-sha256-*`, `gss-group15-sha512-*`, `gss-group16-sha512-*`, `gss-group17-sha512-*`, `gss-group18-sha512-*`, `gss-group1-sha1-*`, `gss-nistp256-sha256-*`, `gss-nistp384-sha256-*`, `gss-nistp521-sha512-*`, `m383-sha384@libassh.org`, `m511-sha512@libassh.org`.
+ - Added 28 new ciphers: `3des-cfb`, `3des-ecb`, `3des-ofb`, `blowfish-cfb`, `blowfish-ecb`, `blowfish-ofb`, `camellia128-cbc@openssh.org`, `camellia128-ctr@openssh.org`, `camellia192-cbc@openssh.org`, `camellia192-ctr@openssh.org`, `camellia256-cbc@openssh.org`, `camellia256-ctr@openssh.org`, `cast128-cfb`, `cast128-ecb`, `cast128-ofb`, `cast128-12-cbc@ssh.com`, `idea-cfb`, `idea-ecb`, `idea-ofb`, `rijndael-cbc@ssh.com`, `seed-ctr@ssh.com`, `serpent128-gcm@libassh.org`, `serpent256-gcm@libassh.org`, `twofish128-gcm@libassh.org`, `twofish256-gcm@libassh.org`, `twofish-cfb`, `twofish-ecb`, `twofish-ofb`
+ - Added 5 new MACs: `hmac-sha1-96@openssh.com`, `hmac-sha224@ssh.com`, `hmac-sha256-2@ssh.com`, `hmac-sha384@ssh.com`, `hmac-whirlpool`.
+
+### v2.5.0 (2021-08-26)
+ - Fixed crash when running host key tests.
+ - Handles server connection failures more gracefully.
+ - Now prints JSON with indents when `-jj` is used (useful for debugging).
+ - Added MD5 fingerprints to verbose output.
+ - Added `-d`/`--debug` option for getting debugging output; credit [Adam Russell](https://github.com/thecliguy).
+ - Updated JSON output to include MD5 fingerprints.  Note that this results in a breaking change in the 'fingerprints' dictionary format.
+ - Updated OpenSSH 8.1 (and earlier) policies to include `rsa-sha2-512` and `rsa-sha2-256`.
+ - Added OpenSSH v8.6 & v8.7 policies.
+ - Added 3 new key exchanges: `gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==`, `gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==`, and `gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==`.
+ - Added 3 new MACs: `hmac-ripemd160-96`, `AEAD_AES_128_GCM`, and `AEAD_AES_256_GCM`.
+
+### v2.4.0 (2021-02-23)
+ - Added multi-threaded scanning support.
+ - Added built-in Windows manual page (see `-m`/`--manual`); credit [Adam Russell](https://github.com/thecliguy).
+ - Added version check for OpenSSH user enumeration (CVE-2018-15473).
+ - Added deprecation note to host key types based on SHA-1.
+ - Added extra warnings for SSHv1.
+ - Added built-in hardened OpenSSH v8.5 policy.
+ - Upgraded warnings to failures for host key types based on SHA-1.
+ - Fixed crash when receiving unexpected response during host key test.
+ - Fixed hang against older Cisco devices during host key test & gex test.
+ - Fixed improper termination while scanning multiple targets when one target returns an error.
+ - Dropped support for Python 3.5 (which reached EOL in Sept. 2020).
+ - Added 1 new key exchange: `sntrup761x25519-sha512@openssh.com`.
+
+### v2.3.1 (2020-10-28)
+ - Now parses public key sizes for `rsa-sha2-256-cert-v01@openssh.com` and `rsa-sha2-512-cert-v01@openssh.com` host key types.
+ - Flag `ssh-rsa-cert-v01@openssh.com` as a failure due to SHA-1 hash.
+ - Fixed bug in recommendation output which suppressed some algorithms inappropriately.
+ - Built-in policies now include CA key requirements (if certificates are in use).
+ - Lookup function (`--lookup`) now performs case-insensitive lookups of similar algorithms; credit [Adam Russell](https://github.com/thecliguy).
+ - Migrated pre-made policies from external files to internal database.
+ - Split single 3,500 line script into many files (by class).
+ - Added setup.py support; credit [Ganden Schaffner](https://github.com/gschaffner).
+ - Added 1 new cipher: `des-cbc@ssh.com`.
+
+### v2.3.0 (2020-09-27)
+ - Added new policy auditing functionality to test adherence to a hardening guide/standard configuration (see `-L`/`--list-policies`, `-M`/`--make-policy` and `-P`/`--policy`).  For an in-depth tutorial, see <https://www.positronsecurity.com/blog/2020-09-27-ssh-policy-configuration-checks-with-ssh-audit/>.
+ - Created new man page (see `ssh-audit.1` file).
+ - 1024-bit moduli upgraded from warnings to failures.
+ - Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit [Jürgen Gmach](https://github.com/jugmac00).
+ - Added feature to look up algorithms in internal database (see `--lookup`); credit [Adam Russell](https://github.com/thecliguy).
+ - Suppress recommendation of token host key types.
+ - Added check for use-after-free vulnerability in PuTTY v0.73.
+ - Added 11 new host key types: `ssh-rsa1`, `ssh-dss-sha256@ssh.com`, `ssh-gost2001`, `ssh-gost2012-256`, `ssh-gost2012-512`, `spki-sign-rsa`, `ssh-ed448`, `x509v3-ecdsa-sha2-nistp256`, `x509v3-ecdsa-sha2-nistp384`, `x509v3-ecdsa-sha2-nistp521`, `x509v3-rsa2048-sha256`.
+ - Added 8 new key exchanges: `diffie-hellman-group1-sha256`, `kexAlgoCurve25519SHA256`, `Curve25519SHA256`, `gss-group14-sha256-`, `gss-group15-sha512-`, `gss-group16-sha512-`, `gss-nistp256-sha256-`, `gss-curve25519-sha256-`.
+ - Added 5 new ciphers: `blowfish`, `AEAD_AES_128_GCM`, `AEAD_AES_256_GCM`, `crypticore128@ssh.com`, `seed-cbc@ssh.com`.
+ - Added 3 new MACs: `chacha20-poly1305@openssh.com`, `hmac-sha3-224`, `crypticore-mac@ssh.com`.
+
+### v2.2.0 (2020-03-11)
+ - Marked host key type `ssh-rsa` as weak due to [practical SHA-1 collisions](https://eprint.iacr.org/2020/014.pdf).
+ - Added Windows builds.
+ - Added 10 new host key types: `ecdsa-sha2-1.3.132.0.10`, `x509v3-sign-dss`, `x509v3-sign-rsa`, `x509v3-sign-rsa-sha256@ssh.com`, `x509v3-ssh-dss`, `x509v3-ssh-rsa`, `sk-ecdsa-sha2-nistp256-cert-v01@openssh.com`, `sk-ecdsa-sha2-nistp256@openssh.com`, `sk-ssh-ed25519-cert-v01@openssh.com`, and `sk-ssh-ed25519@openssh.com`.
+ - Added 18 new key exchanges: `diffie-hellman-group14-sha256@ssh.com`, `diffie-hellman-group15-sha256@ssh.com`, `diffie-hellman-group15-sha384@ssh.com`, `diffie-hellman-group16-sha384@ssh.com`, `diffie-hellman-group16-sha512@ssh.com`, `diffie-hellman-group18-sha512@ssh.com`, `ecdh-sha2-curve25519`, `ecdh-sha2-nistb233`, `ecdh-sha2-nistb409`, `ecdh-sha2-nistk163`, `ecdh-sha2-nistk233`, `ecdh-sha2-nistk283`, `ecdh-sha2-nistk409`, `ecdh-sha2-nistp192`, `ecdh-sha2-nistp224`, `ecdh-sha2-nistt571`, `gss-gex-sha1-`, and `gss-group1-sha1-`.
+ - Added 9 new ciphers: `camellia128-cbc`, `camellia128-ctr`, `camellia192-cbc`, `camellia192-ctr`, `camellia256-cbc`, `camellia256-ctr`, `aes128-gcm`, `aes256-gcm`, and `chacha20-poly1305`.
+ - Added 2 new MACs: `aes128-gcm` and `aes256-gcm`.
+
+### v2.1.1 (2019-11-26)
+ - Added 2 new host key types: `rsa-sha2-256-cert-v01@openssh.com`, `rsa-sha2-512-cert-v01@openssh.com`.
+ - Added 2 new ciphers: `des`, `3des`.
+ - Added 3 new PuTTY vulnerabilities.
+ - During client testing, client IP address is now listed in output.
+
+### v2.1.0 (2019-11-14)
+ - Added client software auditing functionality (see `-c` / `--client-audit` option).
+ - Added JSON output option (see `-j` / `--json` option; credit [Andreas Jaggi](https://github.com/x-way)).
+ - Fixed crash while scanning Solaris Sun_SSH.
+ - Added 9 new key exchanges: `gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==`, `gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==`, `gss-group14-sha1-`, `gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==`, `gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==`, `gss-group15-sha512-toWM5Slw5Ew8Mqkay+al2g==`, `diffie-hellman-group15-sha256`, `ecdh-sha2-1.3.132.0.10`, `curve448-sha512`.
+ - Added 1 new host key type: `ecdsa-sha2-1.3.132.0.10`.
+ - Added 4 new ciphers: `idea-cbc`, `serpent128-cbc`, `serpent192-cbc`, `serpent256-cbc`.
+ - Added 6 new MACs: `hmac-sha2-256-96-etm@openssh.com`, `hmac-sha2-512-96-etm@openssh.com`, `hmac-ripemd`, `hmac-sha256-96@ssh.com`, `umac-32@openssh.com`, `umac-96@openssh.com`.
+
+### v2.0.0 (2019-08-29)
+ - Forked from https://github.com/arthepsy/ssh-audit (development was stalled, and developer went MIA).
+ - Added RSA host key length test.
+ - Added RSA certificate key length test.
+ - Added Diffie-Hellman modulus size test.
+ - Now outputs host key fingerprints for RSA and ED25519.
+ - Added 5 new key exchanges: `sntrup4591761x25519-sha512@tinyssh.org`, `diffie-hellman-group-exchange-sha256@ssh.com`, `diffie-hellman-group-exchange-sha512@ssh.com`, `diffie-hellman-group16-sha256`, `diffie-hellman-group17-sha512`.
+ - Added 3 new encryption algorithms: `des-cbc-ssh1`, `blowfish-ctr`, `twofish-ctr`.
+ - Added 10 new MACs: `hmac-sha2-56`, `hmac-sha2-224`, `hmac-sha2-384`, `hmac-sha3-256`, `hmac-sha3-384`, `hmac-sha3-512`, `hmac-sha256`, `hmac-sha256@ssh.com`, `hmac-sha512`, `hmac-512@ssh.com`.
+ - Added command line argument (`-t` / `--timeout`) for connection & reading timeouts.
+ - Updated CVEs for libssh & Dropbear.
+
+### v1.7.0 (2016-10-26)
+ - implement options to allow specify IPv4/IPv6 usage and order of precedence
+ - implement option to specify remote port (old behavior kept for compatibility)
+ - add colors support for Microsoft Windows via optional colorama dependency
+ - fix encoding and decoding issues, add tests, do not crash on encoding errors
+ - use mypy-lang for static type checking and verify all code
+
+### v1.6.0 (2016-10-14)
+ - implement algorithm recommendations section (based on recognized software)
+ - implement full libssh support (version history, algorithms, security, etc)
+ - fix SSH-1.99 banner recognition and version comparison functionality
+ - do not output empty algorithms (happens for misconfigured servers)
+ - make consistent output for Python 3.x versions
+ - add a lot more tests (conf, banner, software, SSH1/SSH2, output, etc)
+ - use Travis CI to test for multiple Python versions (2.6-3.5, pypy, pypy3)
+
 ### v1.5.0 (2016-09-20)
 - create security section for related security information
 - match and output assigned CVE list and security issues for Dropbear SSH
 - implement full SSH1 support with fingerprint information
 - automatically fallback to SSH1 on protocol mismatch
 - add new options to force SSH1 or SSH2 (both allowed by default)
- - parse banner information and convert it to specific sofware and OS version
+ - parse banner information and convert it to specific software and OS version
 - do not use padding in batch mode
 - several fixes (Cisco sshd, rare hangs, error handling, etc)

@ -59,18 +434,18 @@ usage: ssh-audit.py [-bnv] [-l <level>] <host[:port]>

 ### v1.0.20160207
 - use OpenSSH 7.2 banner
- - additional warnings for OpenSSH 7.2 
+ - additional warnings for OpenSSH 7.2
 - fix OpenSSH 7.0 failure messages
 - add rijndael-cbc failure message from OpenSSH 6.7

 ### v1.0.20160105
 - multiple additional warnings
 - support for none algorithm
- - better compression handling  
- - ensure reading enough data (fixes few Linux SSH)  
+ - better compression handling
+ - ensure reading enough data (fixes few Linux SSH)

 ### v1.0.20151230
- - Dropbear SSH support  
+ - Dropbear SSH support

 ### v1.0.20151223
- - initial version  
+ - initial version
--- a/add_builtin_man_page.sh
+++ b/add_builtin_man_page.sh
@ -0,0 +1,120 @@
+#!/usr/bin/env bash
+
+#
+#   The MIT License (MIT)
+#
+#   Copyright (C) 2021-2024 Joe Testa (jtesta@positronsecurity.com)
+#   Copyright (C) 2021 Adam Russell (<adam[at]thecliguy[dot]co[dot]uk>)
+#
+#   Permission is hereby granted, free of charge, to any person obtaining a copy
+#   of this software and associated documentation files (the "Software"), to deal
+#   in the Software without restriction, including without limitation the rights
+#   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+#   copies of the Software, and to permit persons to whom the Software is
+#   furnished to do so, subject to the following conditions:
+#
+#   The above copyright notice and this permission notice shall be included in
+#   all copies or substantial portions of the Software.
+#
+#   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+#   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+#   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+#   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+#   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+#   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+#   THE SOFTWARE.
+#
+
+################################################################################
+# add_builtin_man_page.sh
+#
+# PURPOSE
+#   Since some platforms lack a manual reader it's necessary to provide an
+#   alternative means of reading the man page.
+#
+#   This script should be run as part of the ssh-audit packaging process for
+#   Docker, PyPI, Snap, and Windows. It populates the 'BUILTIN_MAN_PAGE'
+#   variable in 'globals.py' with the contents of the man page. Users can then
+#   see the man page with "ssh-audit [--manual|-m]".
+#
+#   Linux or Cygwin is required to run this script.
+#
+# USAGE
+#   add_builtin_man_page.sh [-m <path-to-man-page>] [-g <path-to-globals.py>]
+#
+################################################################################
+
+usage() {
+    echo >&2 "Usage: $0 [-m <path-to-man-page>] [-g <path-to-globals.py>] [-h]"
+    echo >&2 "  -m    Specify an alternate man page path (default: ./ssh-audit.1)"
+    echo >&2 "  -g    Specify an alternate globals.py path (default: ./src/ssh_audit/globals.py)"
+    echo >&2 "  -h    This help message"
+}
+
+PLATFORM="$(uname -s)"
+
+# This script is intended for use on Linux and Cygwin only.
+case "${PLATFORM}" in
+  Linux | CYGWIN*) ;;
+  *)
+    echo "Platform not supported: ${PLATFORM}"
+    exit 1
+    ;;
+esac
+
+MAN_PAGE=./ssh-audit.1
+GLOBALS_PY=./src/ssh_audit/globals.py
+
+while getopts "m: g: h" OPTION; do
+    case "${OPTION}" in
+        m)
+            MAN_PAGE="${OPTARG}"
+            ;;
+        g)
+            GLOBALS_PY="${OPTARG}"
+            ;;
+        h)
+            usage
+            exit 0
+            ;;
+        *)
+            echo >&2 "Invalid parameter(s) provided"
+            usage
+            exit 1
+            ;;
+    esac
+done
+
+# Check that the specified files exist.
+[[ -f "$MAN_PAGE" ]] || { echo >&2 "man page file not found: $MAN_PAGE"; exit 1; }
+[[ -f "${GLOBALS_PY}" ]] || { echo >&2 "globals.py file not found: ${GLOBALS_PY}"; exit 1; }
+
+# Check that the 'ul' (do underlining) binary exists.
+if [[ "${PLATFORM}" == "Linux" ]]; then
+    command -v ul >/dev/null 2>&1 || { echo >&2 "ul not found."; exit 1; }
+fi
+
+# Check that the 'sed' (stream editor) binary exists.
+command -v sed >/dev/null 2>&1 || { echo >&2 "sed not found."; exit 1; }
+
+# Reset the globals.py file, in case it was modified from a prior run.
+git checkout "${GLOBALS_PY}" > /dev/null 2>&1
+
+# Remove the Windows man page placeholder from 'globals.py'.
+sed -i '/^BUILTIN_MAN_PAGE/d' "${GLOBALS_PY}"
+
+echo "Processing man page at ${MAN_PAGE} and placing output into ${GLOBALS_PY}..."
+
+# Append the man page content to 'globals.py'.
+#   * man outputs a backspace-overwrite sequence rather than an ANSI escape
+#     sequence.
+#   * 'MAN_KEEP_FORMATTING' preserves the backspace-overwrite sequence when
+#     redirected to a file or a pipe.
+#   * sed converts unicode hyphens into an ASCI equivalent.
+
+echo BUILTIN_MAN_PAGE = '"""' >> "${GLOBALS_PY}"
+MANWIDTH=80 MAN_KEEP_FORMATTING=1 man "${MAN_PAGE}" | sed $'s/\u2010/-/g' >> "${GLOBALS_PY}"
+echo '"""' >> "${GLOBALS_PY}"
+
+echo "Done."
+exit 0
--- a/build_snap.sh
+++ b/build_snap.sh
@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+
+#
+#   The MIT License (MIT)
+#
+#   Copyright (C) 2021-2024 Joe Testa (jtesta@positronsecurity.com)
+#
+#   Permission is hereby granted, free of charge, to any person obtaining a copy
+#   of this software and associated documentation files (the "Software"), to deal
+#   in the Software without restriction, including without limitation the rights
+#   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+#   copies of the Software, and to permit persons to whom the Software is
+#   furnished to do so, subject to the following conditions:
+#
+#   The above copyright notice and this permission notice shall be included in
+#   all copies or substantial portions of the Software.
+#
+#   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+#   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+#   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+#   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+#   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+#   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+#   THE SOFTWARE.
+#
+
+################################################################################
+# build_snap.sh
+#
+# Builds a Snap package.
+################################################################################
+
+
+# Pre-requisites
+sudo apt install -y make
+sudo snap install snapcraft --classic
+sudo snap install review-tools lxd
+
+# Initialize LXD.
+sudo lxd init --auto
+
+# Reset the filesystem from any previous runs.
+rm -rf parts/ prime/ snap/ stage/ build/ dist/ src/*.egg-info/ ssh-audit*.snap
+git checkout snapcraft.yaml 2> /dev/null
+git checkout src/ssh_audit/globals.py 2> /dev/null
+
+# Add the built-in manual page.
+./add_builtin_man_page.sh
+
+# Get the version from the globals.py file.
+version=$(grep VERSION src/ssh_audit/globals.py | awk 'BEGIN {FS="="} ; {print $2}' | tr -d '[:space:]')
+
+# Strip the quotes around the version (along with the initial 'v' character) and append "-1" to make the default Snap version (i.e.: 'v2.5.0' => '2.5.0-1')
+default_snap_version="${version:2:-1}-1"
+echo -e -n "\nEnter Snap package version [default: ${default_snap_version}]: "
+read -r snap_version
+
+# If no version was specified, use the default version.
+if [[ $snap_version == '' ]]; then
+    snap_version=$default_snap_version
+    echo -e "Using default snap version: ${snap_version}\n"
+fi
+
+# Ensure that the snap version fits the format of X.X.X-X.
+if [[ ! $snap_version =~ ^[0-9]\.[0-9]\.[0-9]\-[0-9]$ ]]; then
+   echo "Error: version string does not match format X.X.X-X!"
+   exit 1
+fi
+
+# Append the version field to the end of the file.  Not pretty, but it works.
+echo -e "\nversion: '${snap_version}'" >> snapcraft.yaml
+
+# Set the SNAP_PACKAGE variable to True so that file permission errors give more user-friendly 
+sed -i 's/SNAP_PACKAGE = False/SNAP_PACKAGE = True/' src/ssh_audit/globals.py
+
+snapcraft --use-lxd && echo -e "\nDone.\n"
--- a/build_windows_executable.sh
+++ b/build_windows_executable.sh
@ -0,0 +1,127 @@
+#!/usr/bin/env bash
+
+#
+#   The MIT License (MIT)
+#
+#   Copyright (C) 2021-2024 Joe Testa (jtesta@positronsecurity.com)
+#
+#   Permission is hereby granted, free of charge, to any person obtaining a copy
+#   of this software and associated documentation files (the "Software"), to deal
+#   in the Software without restriction, including without limitation the rights
+#   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+#   copies of the Software, and to permit persons to whom the Software is
+#   furnished to do so, subject to the following conditions:
+#
+#   The above copyright notice and this permission notice shall be included in
+#   all copies or substantial portions of the Software.
+#
+#   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+#   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+#   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+#   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+#   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+#   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+#   THE SOFTWARE.
+#
+
+################################################################################
+# build_windows_executable.sh
+#
+# Builds a Windows executable using PyInstaller.
+################################################################################
+
+
+PLATFORM="$(uname -s)"
+
+# This script is intended for use on Cygwin only.
+case "${PLATFORM}" in
+    CYGWIN*) ;;
+    *)
+    echo "Platform not supported (${PLATFORM}).  This must be run in Cygwin only."
+    exit 1
+    ;;
+esac
+
+# Ensure that Python 3.x is installed.
+if [[ "$(python -V)" != "Python 3."* ]]; then
+    echo "Python v3.x not found.  Install the latest stable version from: https://www.python.org/"
+    exit 1
+fi
+
+# Install/update package dependencies.
+echo "Installing/updating pyinstaller and colorama packages..."
+pip install -U pyinstaller colorama
+echo
+
+# Prompt for the version to release.
+echo -n "Enter the version to release, using format 'vX.X.X': "
+read -r version
+
+# Ensure that entered version fits required format.
+if [[ ! $version =~ ^v[0-9]\.[0-9]\.[0-9]$ ]]; then
+   echo "Error: version string does not match format vX.X.X!"
+   exit 1
+fi
+
+# Verify that version is correct.
+echo -n "Version will be set to '${version}'.  Is this correct? (y/n): "
+read -r yn
+echo
+
+if [[ $yn != "y" ]]; then
+   echo "Build cancelled."
+   exit 1
+fi
+
+# Reset any local changes made to globals.py from a previous run.
+git checkout src/ssh_audit/globals.py 2> /dev/null
+
+# Update the man page.
+./add_builtin_man_page.sh
+retval=$?
+if [[ ${retval} != 0 ]]; then
+    echo "Failed to run ./update_windows_man_page.sh"
+    exit 1
+fi
+
+# Do all operations from this point from the main source directory.
+pushd src/ssh_audit || exit > /dev/null
+
+# Delete the existing VERSION variable and add the value that the user entered, above.
+sed -i '/^VERSION/d' globals.py
+echo "VERSION = '$version'" >> globals.py
+
+# Delete cached files if they exist from a prior run.
+rm -rf dist/ build/ ssh-audit.spec
+
+# Create a hard link from ssh_audit.py to ssh-audit.py.
+if [[ ! -f ssh-audit.py ]]; then
+    ln ssh_audit.py ssh-audit.py
+fi
+
+echo -e "\nRunning pyinstaller...\n"
+pyinstaller -F --icon ../../windows_icon.ico ssh-audit.py
+
+if [[ -f dist/ssh-audit.exe ]]; then
+    echo -e "\nExecutable created in $(pwd)/dist/ssh-audit.exe\n"
+else
+    echo -e "\nFAILED to create $(pwd)/dist/ssh-audit.exe!\n"
+    exit 1
+fi
+
+# Ensure that the version string doesn't have '-dev' in it.
+dist/ssh-audit.exe | grep -E 'ssh-audit.exe v.+\-dev' > /dev/null
+retval=$?
+if [[ ${retval} == 0 ]]; then
+    echo -e "\nError: executable's version number includes '-dev'."
+    exit 1
+fi
+
+# Remove the cache files created during the build process, along with the link we created, above.
+rm -rf build/ ssh-audit.spec ssh-audit.py
+
+# Reset the changes we made to globals.py.
+git checkout globals.py 2> /dev/null
+
+popd || exit > /dev/null
+exit 0
--- a/docker_test.sh
+++ b/docker_test.sh
@ -0,0 +1,810 @@
+#!/bin/bash
+
+#
+# This script will set up a docker image with multiple versions of OpenSSH, then
+# use it to run tests.
+#
+# Optional arguments:
+#   --accept: accepts test failures and overwrites expected results with actual results (useful for updating the tests themselves).
+#   --create: attempts to create a new docker image.
+#
+#
+# For debugging purposes, here is a cheat sheet for manually running the docker image:
+#
+# docker run -p 2222:22 -it ssh-audit-test:X /bin/bash
+# docker run -p 2222:22 --security-opt seccomp:unconfined -it ssh-audit-test /debug.sh
+# docker run -d -p 2222:22 ssh-audit-test:X /openssh/sshd-5.6p1 -D -f /etc/ssh/sshd_config-5.6p1_test1
+# docker run -d -p 2222:22 ssh-audit-test:X /openssh/sshd-8.0p1 -D -f /etc/ssh/sshd_config-8.0p1_test1
+#
+
+
+# This is the docker tag for the image.  If this tag doesn't exist, then we assume the
+# image is out of date, and generate a new one with this tag.
+IMAGE_VERSION=3
+
+# This is the name of our docker image.
+IMAGE_NAME=positronsecurity/ssh-audit-test-framework
+
+
+# Terminal colors.
+CLR="\033[0m"
+#RED="\033[0;31m"
+#YELLOW="\033[0;33m"
+GREEN="\033[0;32m"
+REDB="\033[1;31m"    # Red + bold
+YELLOWB="\033[1;33m" # Yellow + bold
+GREENB="\033[1;32m"  # Green + bold
+
+# Program return values.
+PROGRAM_RETVAL_FAILURE=3
+PROGRAM_RETVAL_WARNING=2
+#PROGRAM_RETVAL_CONNECTION_ERROR=1
+PROGRAM_RETVAL_GOOD=0
+
+
+# Counts the number of test failures.
+num_failures=0
+
+# When set, if a failure is encountered, overwrite the expected output with the actual value (i.e.: the user validated the failures already and wants to update the tests themselves).
+accept=0
+
+
+# Returns 0 if current docker image exists.
+check_if_docker_image_exists() {
+    images=$(docker image ls | grep -E "$IMAGE_NAME[[:space:]]+$IMAGE_VERSION")
+}
+
+
+# Uncompresses and compiles the specified version of Dropbear.
+compile_dropbear() {
+    version=$1
+    compile "Dropbear" "$version"
+}
+
+
+# Uncompresses and compiles the specified version of OpenSSH.
+compile_openssh() {
+    version=$1
+    compile "OpenSSH" "$version"
+}
+
+
+# Uncompresses and compiles the specified version of TinySSH.
+compile_tinyssh() {
+    version=$1
+    compile "TinySSH" "$version"
+}
+
+
+compile() {
+    project=$1
+    version=$2
+
+    tarball=
+    uncompress_options=
+    source_dir=
+    server_executable=
+    if [[ $project == "OpenSSH" ]]; then
+        tarball="openssh-${version}.tar.gz"
+        uncompress_options="xzf"
+        source_dir="openssh-${version}"
+        server_executable=sshd
+    elif [[ $project == "Dropbear" ]]; then
+        tarball="dropbear-${version}.tar.bz2"
+        uncompress_options="xjf"
+        source_dir="dropbear-${version}"
+        server_executable=dropbear
+    elif [[ $project == "TinySSH" ]]; then
+        tarball="${version}.tar.gz"
+        uncompress_options="xzf"
+        source_dir="tinyssh-${version}"
+        server_executable="build/bin/tinysshd"
+    fi
+
+    echo "Uncompressing ${project} ${version}..."
+    tar $uncompress_options "$tarball"
+
+    echo "Compiling ${project} ${version}..."
+    pushd "$source_dir" || exit > /dev/null
+
+    # TinySSH has no configure script... only a Makefile.
+    if [[ $project == "TinySSH" ]]; then
+        make -j 10
+    else
+        ./configure && make -j 10
+    fi
+
+    if [[ ! -f $server_executable ]]; then
+        echo -e "${REDB}Error: ${server_executable} not built!${CLR}"
+        exit 1
+    fi
+
+    echo -e "\n${GREEN}Successfully built ${project} ${version}${CLR}\n"
+    popd || exit > /dev/null
+}
+
+
+# Creates a new docker image.
+create_docker_image() {
+    # Create a new temporary directory.
+    TMP_DIR=$(mktemp -d /tmp/sshaudit-docker-XXXXXXXXXX)
+
+    # Copy the Dockerfile and all files in the test/docker/ dir to our new temp directory.
+    find test/docker/ -maxdepth 1 -type f -exec cp -t "$TMP_DIR" "{}" +
+
+    # Make the temp directory our working directory for the duration of the build
+    # process.
+    pushd "$TMP_DIR" || exit > /dev/null
+
+    # Get the release keys.
+    get_dropbear_release_key
+    get_openssh_release_key
+    get_tinyssh_release_key
+
+    # Aside from checking the GPG signatures, we also compare against this known-good
+    # SHA-256 hash just in case.
+    get_openssh "4.0p1" "5adb9b2c2002650e15216bf94ed9db9541d9a17c96fcd876784861a8890bc92b"
+    get_openssh "5.6p1" "538af53b2b8162c21a293bb004ae2bdb141abd250f61b4cea55244749f3c6c2b"
+    get_openssh "8.0p1" "bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0b437320c3481fd68"
+    get_dropbear "2019.78" "525965971272270995364a0eb01f35180d793182e63dd0b0c3eb0292291644a4"
+    get_tinyssh "20190101" "554a9a94e53b370f0cd0c5fbbd322c34d1f695cbcea6a6a32dcb8c9f595b3fea"
+
+    # Compile the versions of OpenSSH.
+    compile_openssh "4.0p1"
+    compile_openssh "5.6p1"
+    compile_openssh "8.0p1"
+
+    # Compile the versions of Dropbear.
+    compile_dropbear "2019.78"
+
+    # Compile the versions of TinySSH.
+    compile_tinyssh "20190101"
+
+
+    # Rename the default config files so we know they are our originals.
+    mv openssh-4.0p1/sshd_config sshd_config-4.0p1_orig
+    mv openssh-5.6p1/sshd_config sshd_config-5.6p1_orig
+    mv openssh-8.0p1/sshd_config sshd_config-8.0p1_orig
+
+
+    # Create the configurations for each test.
+
+
+    #
+    # OpenSSH v4.0p1
+    #
+
+    # Test 1: Basic test.
+    create_openssh_config "4.0p1" "test1" "HostKey /etc/ssh/ssh1_host_key\nHostKey /etc/ssh/ssh_host_rsa_key_1024\nHostKey /etc/ssh/ssh_host_dsa_key"
+
+
+    #
+    # OpenSSH v5.6p1
+    #
+
+    # Test 1: Basic test.
+    create_openssh_config "5.6p1" "test1" "HostKey /etc/ssh/ssh_host_rsa_key_1024\nHostKey /etc/ssh/ssh_host_dsa_key"
+
+    # Test 2: RSA 1024 host key with RSA 1024 certificate.
+    create_openssh_config "5.6p1" "test2" "HostKey /etc/ssh/ssh_host_rsa_key_1024\nHostCertificate /etc/ssh/ssh_host_rsa_key_1024-cert_1024.pub"
+
+    # Test 3: RSA 1024 host key with RSA 3072 certificate.
+    create_openssh_config "5.6p1" "test3" "HostKey /etc/ssh/ssh_host_rsa_key_1024\nHostCertificate /etc/ssh/ssh_host_rsa_key_1024-cert_3072.pub"
+
+    # Test 4: RSA 3072 host key with RSA 1024 certificate.
+    create_openssh_config "5.6p1" "test4" "HostKey /etc/ssh/ssh_host_rsa_key_3072\nHostCertificate /etc/ssh/ssh_host_rsa_key_3072-cert_1024.pub"
+
+    # Test 5: RSA 3072 host key with RSA 3072 certificate.
+    create_openssh_config "5.6p1" "test5" "HostKey /etc/ssh/ssh_host_rsa_key_3072\nHostCertificate /etc/ssh/ssh_host_rsa_key_3072-cert_3072.pub"
+
+
+    #
+    # OpenSSH v8.0p1
+    #
+
+    # Test 1: Basic test.
+    create_openssh_config "8.0p" "test1" "HostKey /etc/ssh/ssh_host_rsa_key_3072\nHostKey /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key"
+
+    # Test 2: ED25519 certificate test.
+    create_openssh_config "8.0p1" "test2" "HostKey /etc/ssh/ssh_host_ed25519_key\nHostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"
+
+    # Test 3: Hardened installation test.
+    create_openssh_config "8.0p1" "test3" "HostKey /etc/ssh/ssh_host_ed25519_key\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com"
+
+
+    # Now build the docker image!
+    docker build --tag "$IMAGE_NAME:$IMAGE_VERSION" .
+
+    popd || exit > /dev/null
+    rm -rf -- "$TMP_DIR"
+}
+
+
+# Creates an OpenSSH configuration file for a specific test.
+create_openssh_config() {
+    openssh_version=$1
+    test_number=$2
+    config_text=$3
+
+    cp "sshd_config-${openssh_version}_orig" "sshd_config-${openssh_version}_${test_number}"
+    echo -e "${config_text}" >> "sshd_config-${openssh_version}_${test_number}"
+}
+
+
+# Downloads the Dropbear release key and adds it to the local keyring.
+get_dropbear_release_key() {
+    get_release_key "Dropbear" "https://matt.ucc.asn.au/dropbear/releases/dropbear-key-2015.asc" "F29C6773" "F734 7EF2 EE2E 07A2 6762  8CA9 4493 1494 F29C 6773"
+}
+
+
+# Downloads the OpenSSH release key and adds it to the local keyring.
+get_openssh_release_key() {
+    get_release_key "OpenSSH" "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc" "6D920D30" "59C2 118E D206 D927 E667  EBE3 D3E5 F56B 6D92 0D30"
+}
+
+
+# Downloads the TinySSH release key and adds it to the local keyring.
+get_tinyssh_release_key() {
+    get_release_key "TinySSH" "" "96939FF9" "AADF 2EDF 5529 F170 2772  C8A2 DEC4 D246 931E F49B"
+}
+
+
+get_release_key() {
+    project=$1
+    key_url=$2
+    key_id=$3
+    release_key_fingerprint_expected=$4
+
+    # The TinySSH release key isn't on any website, apparently.
+    if [[ $project == "TinySSH" ]]; then
+        gpg --keyserver keys.gnupg.net --recv-key "$key_id"
+    else
+        echo -e "\nGetting ${project} release key...\n"
+        wget -O key.asc "$2"
+
+        echo -e "\nImporting ${project} release key...\n"
+        gpg --import key.asc
+
+        rm key.asc
+    fi
+
+    local release_key_fingerprint_actual
+    release_key_fingerprint_actual=$(gpg --fingerprint "$key_id")
+    if [[ $release_key_fingerprint_actual != *"$release_key_fingerprint_expected"* ]]; then
+        echo -e "\n${REDB}Error: ${project} release key fingerprint does not match expected value!\n\tExpected: $release_key_fingerprint_expected\n\tActual: $release_key_fingerprint_actual\n\nTerminating.${CLR}"
+        exit 1
+    fi
+    echo -e "\n\n${GREEN}${project} release key matches expected value.${CLR}\n"
+}
+
+
+# Downloads the specified version of Dropbear.
+get_dropbear() {
+    version=$1
+    tarball_checksum_expected=$2
+    get_source "Dropbear" "$version" "$tarball_checksum_expected"
+}
+
+
+# Downloads the specified version of OpenSSH.
+get_openssh() {
+    version=$1
+    tarball_checksum_expected=$2
+    get_source "OpenSSH" "$version" "$tarball_checksum_expected"
+}
+
+
+# Downloads the specified version of TinySSH.
+get_tinyssh() {
+    version=$1
+    tarball_checksum_expected=$2
+    get_source "TinySSH" "$version" "$tarball_checksum_expected"
+}
+
+
+get_source() {
+    project=$1
+    version=$2
+    tarball_checksum_expected=$3
+
+    base_url_source=
+    base_url_sig=
+    tarball=
+    sig=
+    signer=
+    if [[ $project == "OpenSSH" ]]; then
+        base_url_source="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/"
+        base_url_sig=$base_url_source
+        tarball="openssh-${version}.tar.gz"
+        sig="${tarball}.asc"
+        signer="Damien Miller "
+    elif [[ $project == "Dropbear" ]]; then
+        base_url_source="https://matt.ucc.asn.au/dropbear/releases/"
+        base_url_sig=$base_url_source
+        tarball="dropbear-${version}.tar.bz2"
+        sig="${tarball}.asc"
+        signer="Dropbear SSH Release Signing <matt@ucc.asn.au>"
+    elif [[ $project == "TinySSH" ]]; then
+        base_url_source="https://github.com/janmojzis/tinyssh/archive/"
+        base_url_sig="https://github.com/janmojzis/tinyssh/releases/download/${version}/"
+        tarball="${version}.tar.gz"
+        sig="${tarball}.asc"
+        signer="Jan Mojžíš <jan.mojzis@gmail.com>"
+    fi
+
+    echo -e "\nGetting ${project} ${version} sources...\n"
+    wget "${base_url_source}${tarball}"
+
+    echo -e "\nGetting ${project} ${version} signature...\n"
+    wget "${base_url_sig}${sig}"
+
+
+    # Older OpenSSH releases were .sigs.
+    if [[ ($project == "OpenSSH") && (! -f $sig) ]]; then
+        wget "${base_url_sig}openssh-${version}.tar.gz.sig"
+        sig=openssh-${version}.tar.gz.sig
+    fi
+
+    local gpg_verify
+    gpg_verify=$(gpg --verify "${sig}" "${tarball}" 2>&1)
+    retval=$?
+    if [[ $gpg_verify != *"Good signature from \"${signer}"* ]]; then
+        echo -e "\n\n${REDB}Error: ${project} signature invalid!\n$gpg_verify\n\nTerminating.${CLR}"
+        exit 1
+    fi
+
+    # Check GPG's return value.  0 denotes a valid signature, and 1 is returned
+    # on invalid signatures.
+    if [[ ${retval} != 0 ]]; then
+        echo -e "\n\n${REDB}Error: ${project} signature invalid!  Verification returned code: $?\n\nTerminating.${CLR}"
+        exit 1
+    fi
+
+    echo -e "${GREEN}Signature on ${project} sources verified.${CLR}\n"
+
+    local checksum_actual
+    checksum_actual=$(sha256sum "${tarball}" | cut -f1 -d" ")
+    if [[ $checksum_actual != "$tarball_checksum_expected" ]]; then
+        echo -e "${REDB}Error: ${project} checksum is invalid!\n  Expected: ${tarball_checksum_expected}\n  Actual:   ${checksum_actual}\n\n  Terminating.${CLR}"
+        exit 1
+    fi
+}
+
+
+# Pulls the defined image from Dockerhub.
+pull_docker_image() {
+    docker pull "${IMAGE_NAME}:${IMAGE_VERSION}"
+    retval=$?
+    if [[ ${retval} == 0 ]]; then
+        echo -e "${GREEN}Successfully downloaded image ${IMAGE_NAME}:${IMAGE_VERSION} from Dockerhub.${CLR}\n"
+    else
+        echo -e "${REDB}Failed to pull image ${IMAGE_NAME}:${IMAGE_VERSION} from Dockerhub!  Error code: ${retval}${CLR}\n"
+        exit 1
+    fi
+}
+
+
+# Runs a Dropbear test.  Upon failure, a diff between the expected and actual results
+# is shown, then the script immediately terminates.
+run_dropbear_test() {
+    dropbear_version=$1
+    test_number=$2
+    options=$3
+    expected_retval=$4
+
+    run_test "Dropbear" "${dropbear_version}" "${test_number}" "${options}" "${expected_retval}"
+}
+
+
+# Runs an OpenSSH test.  Upon failure, a diff between the expected and actual results
+# is shown, then the script immediately terminates.
+run_openssh_test() {
+    openssh_version=$1
+    test_number=$2
+    expected_retval=$3
+
+    run_test "OpenSSH" "${openssh_version}" "${test_number}" "" "${expected_retval}"
+}
+
+
+# Runs a TinySSH test.  Upon failure, a diff between the expected and actual results
+# is shown, then the script immediately terminates.
+run_tinyssh_test() {
+    tinyssh_version=$1
+    test_number=$2
+    expected_retval=$3
+
+    run_test "TinySSH" "${tinyssh_version}" "${test_number}" "" "${expected_retval}"
+}
+
+
+run_test() {
+    server_type=$1
+    version=$2
+    test_number=$3
+    options=$4
+    expected_retval=$5
+
+    failed=0  # Set to 1 if this test fails.
+    server_exec=
+    test_result_stdout=
+    test_result_json=
+    expected_result_stdout=
+    expected_result_json=
+    test_name=
+    if [[ $server_type == "OpenSSH" ]]; then
+        server_exec="/openssh/sshd-${version} -D -f /etc/ssh/sshd_config-${version}_${test_number}"
+        test_result_stdout="${TEST_RESULT_DIR}/openssh_${version}_${test_number}.txt"
+        test_result_json="${TEST_RESULT_DIR}/openssh_${version}_${test_number}.json"
+        expected_result_stdout="test/docker/expected_results/openssh_${version}_${test_number}.txt"
+        expected_result_json="test/docker/expected_results/openssh_${version}_${test_number}.json"
+        test_name="OpenSSH ${version} ${test_number}"
+        options=
+    elif [[ $server_type == "Dropbear" ]]; then
+        server_exec="/dropbear/dropbear-${version} -F ${options}"
+        test_result_stdout="${TEST_RESULT_DIR}/dropbear_${version}_${test_number}.txt"
+        test_result_json="${TEST_RESULT_DIR}/dropbear_${version}_${test_number}.json"
+        expected_result_stdout="test/docker/expected_results/dropbear_${version}_${test_number}.txt"
+        expected_result_json="test/docker/expected_results/dropbear_${version}_${test_number}.json"
+        test_name="Dropbear ${version} ${test_number}"
+    elif [[ $server_type == "TinySSH" ]]; then
+        server_exec="/usr/bin/tcpserver -HRDl0 0.0.0.0 22 /tinysshd/tinyssh-20190101 -v /etc/tinyssh/"
+        test_result_stdout="${TEST_RESULT_DIR}/tinyssh_${version}_${test_number}.txt"
+        test_result_json="${TEST_RESULT_DIR}/tinyssh_${version}_${test_number}.json"
+        expected_result_stdout="test/docker/expected_results/tinyssh_${version}_${test_number}.txt"
+        expected_result_json="test/docker/expected_results/tinyssh_${version}_${test_number}.json"
+        test_name="TinySSH ${version} ${test_number}"
+    fi
+
+    #echo "Running: docker run --rm -d -p 2222:22 $IMAGE_NAME:$IMAGE_VERSION ${server_exec}"
+    cid=$(docker run --rm -d -p 2222:22 "${IMAGE_NAME}:${IMAGE_VERSION}" ${server_exec})
+    retval=$?
+    if [[ ${retval} != 0 ]]; then
+        echo -e "${REDB}Failed to run docker image! (exit code: ${retval})${CLR}"
+        exit 1
+    fi
+
+    ./ssh-audit.py --skip-rate-test localhost:2222 > "$test_result_stdout"
+    actual_retval=$?
+    if [[ $actual_retval != "$expected_retval" ]]; then
+        echo -e "${REDB}Unexpected return value.  Expected: ${expected_retval}; Actual: ${actual_retval}${CLR}"
+
+        if [[ $accept == 1 ]]; then
+            echo -e "\n${REDB}This failure cannot be automatically fixed; this script must be manually updated with the new expected return value.${CLR}"
+        fi
+
+        cat "${test_result_stdout}"
+        docker container stop -t 0 "${cid}" > /dev/null
+        exit 1
+    fi
+
+    ./ssh-audit.py --skip-rate-test -jj localhost:2222 > "$test_result_json"
+    actual_retval=$?
+    if [[ $actual_retval != "$expected_retval" ]]; then
+        echo -e "${REDB}Unexpected return value.  Expected: ${expected_retval}; Actual: ${actual_retval}${CLR}"
+
+        if [[ $accept == 1 ]]; then
+            echo -e "\n${REDB}This failure cannot be automatically fixed; this script must be manually updated with the new expected return value.${CLR}"
+	fi
+
+        cat "${test_result_json}"
+        docker container stop -t 0 "${cid}" > /dev/null
+        exit 1
+    fi
+
+    docker container stop -t 0 "${cid}" > /dev/null
+    retval=$?
+    if [[ ${retval} != 0 ]]; then
+       echo -e "${REDB}Failed to stop docker container ${cid}! (exit code: ${retval})${CLR}"
+       exit 1
+    fi
+
+    # TinySSH outputs a random string in each banner, which breaks our test.  So
+    # we need to filter out the banner part of the output so we get stable, repeatable
+    # results.
+    if [[ $server_type == "TinySSH" ]]; then
+        grep -v "(gen) banner: " "${test_result_stdout}" > "${test_result_stdout}.tmp"
+        mv "${test_result_stdout}.tmp" "${test_result_stdout}"
+        cat "${test_result_json}" | perl -pe 's/"comments": ".*?"/"comments": ""/' | perl -pe 's/"raw": ".+?"/"raw": ""/' > "${test_result_json}.tmp"
+        mv "${test_result_json}.tmp" "${test_result_json}"
+    fi
+
+    diff=$(diff -u "${expected_result_stdout}" "${test_result_stdout}")
+    retval=$?
+    if [[ ${retval} != 0 ]]; then
+
+        # If the user wants to update the tests, then overwrite the expected results with the actual results.
+        if [[ $accept == 1 ]]; then
+            cp "${test_result_stdout}" "${expected_result_stdout}"
+            echo -e "${test_name} ${YELLOWB}UPDATED${CLR}\n"
+        else
+            echo -e "${test_name} ${REDB}FAILED${CLR}.\n\n${diff}\n"
+            failed=1
+            num_failures=$((num_failures+1))
+        fi
+
+    fi
+
+    diff=$(diff -u "${expected_result_json}" "${test_result_json}")
+    retval=$?
+    if [[ ${retval} != 0 ]]; then
+
+        # If the user wants to update the tests, then overwrite the expected results with the actual results.
+        if [[ $accept == 1 ]]; then
+            cp "${test_result_json}" "${expected_result_json}"
+            echo -e "${test_name} ${YELLOWB}UPDATED${CLR}\n"
+        else
+            echo -e "${test_name} ${REDB}FAILED${CLR}.\n\n${diff}\n"
+            failed=1
+            num_failures=$((num_failures+1))
+        fi
+
+    fi
+
+    if [[ $failed == 0 ]]; then
+        echo -e "${test_name} ${GREEN}passed${CLR}."
+    fi
+}
+
+run_builtin_policy_test() {
+    policy_name=$1         # The built-in policy name to use.
+    version=$2             # Version of OpenSSH to test with.
+    test_number=$3         # The test number to run.
+    server_options=$4      # The options to start the server with (i.e.: "-o option1,options2,...")
+    expected_exit_code=$5  # The expected exit code of ssh-audit.py.
+
+    server_exec="/openssh/sshd-${version} -D -f /etc/ssh/sshd_config-8.0p1_test1 ${server_options}"
+    test_result_stdout="${TEST_RESULT_DIR}/openssh_${version}_builtin_policy_${test_number}.txt"
+    test_result_json="${TEST_RESULT_DIR}/openssh_${version}_builtin_policy_${test_number}.json"
+    expected_result_stdout="test/docker/expected_results/openssh_${version}_builtin_policy_${test_number}.txt"
+    expected_result_json="test/docker/expected_results/openssh_${version}_builtin_policy_${test_number}.json"
+    test_name="OpenSSH ${version} built-in policy ${test_number}"
+
+    run_policy_test "${test_name}" "${server_exec}" "${policy_name}" "${test_result_stdout}" "${test_result_json}" "${expected_exit_code}"
+}
+
+
+run_custom_policy_test() {
+    config_number=$1  # The configuration number to use.
+    test_number=$2    # The policy test number to run.
+    expected_exit_code=$3  # The expected exit code of ssh-audit.py.
+
+    version=
+    config=
+    if [[ ${config_number} == "config1" ]]; then
+        version="5.6p1"
+        config="sshd_config-5.6p1_test1"
+    elif [[ ${config_number} == "config2" ]]; then
+        version="8.0p1"
+        config="sshd_config-8.0p1_test1"
+    elif [[ ${config_number} == "config3" ]]; then
+        version="5.6p1"
+        config="sshd_config-5.6p1_test4"
+    fi
+
+    server_exec="/openssh/sshd-${version} -D -f /etc/ssh/${config}"
+    policy_path="test/docker/policies/policy_${test_number}.txt"
+    test_result_stdout="${TEST_RESULT_DIR}/openssh_${version}_custom_policy_${test_number}.txt"
+    test_result_json="${TEST_RESULT_DIR}/openssh_${version}_custom_policy_${test_number}.json"
+    expected_result_stdout="test/docker/expected_results/openssh_${version}_custom_policy_${test_number}.txt"
+    expected_result_json="test/docker/expected_results/openssh_${version}_custom_policy_${test_number}.json"
+    test_name="OpenSSH ${version} custom policy ${test_number}"
+
+    run_policy_test "${test_name}" "${server_exec}" "${policy_path}" "${test_result_stdout}" "${test_result_json}" "${expected_exit_code}"
+}
+
+
+run_policy_test() {
+    test_name=$1
+    server_exec=$2
+    policy_path=$3
+    test_result_stdout=$4
+    test_result_json=$5
+    expected_exit_code=$6
+
+
+    #echo "Running: docker run --rm -d -p 2222:22 $IMAGE_NAME:$IMAGE_VERSION ${server_exec}"
+    cid=$(docker run --rm -d -p 2222:22 "${IMAGE_NAME}:${IMAGE_VERSION}" ${server_exec})
+    retval=$?
+    if [[ ${retval} != 0 ]]; then
+        echo -e "${REDB}Failed to run docker image! (exit code: ${retval})${CLR}"
+        exit 1
+    fi
+
+    #echo "Running: ./ssh-audit.py -P \"${policy_path}\" localhost:2222 > ${test_result_stdout}"
+    ./ssh-audit.py -P "${policy_path}" localhost:2222 > "${test_result_stdout}"
+    actual_exit_code=$?
+    if [[ ${actual_exit_code} != "${expected_exit_code}" ]]; then
+        echo -e "${test_name} ${REDB}FAILED${CLR} (expected exit code: ${expected_exit_code}; actual exit code: ${actual_exit_code}\n"
+
+        if [[ $accept == 1 ]]; then
+            echo -e "\n${REDB}This failure cannot be automatically fixed; this script must be manually updated with the new expected return value.${CLR}"
+        fi
+
+        cat "${test_result_stdout}"
+        docker container stop -t 0 "${cid}" > /dev/null
+        exit 1
+    fi
+
+    #echo "Running: ./ssh-audit.py -P \"${policy_path}\" -jj localhost:2222 > ${test_result_json} 2> /dev/null"
+    ./ssh-audit.py -P "${policy_path}" -jj localhost:2222 > "${test_result_json}" 2> /dev/null
+    actual_exit_code=$?
+    if [[ ${actual_exit_code} != "${expected_exit_code}" ]]; then
+        echo -e "${test_name} ${REDB}FAILED${CLR} (expected exit code: ${expected_exit_code}; actual exit code: ${actual_exit_code}\n"
+
+        if [[ $accept == 1 ]]; then
+            echo -e "\n${REDB}This failure cannot be automatically fixed; this script must be manually updated with the new expected return value.${CLR}"
+        fi
+
+        cat "${test_result_json}"
+        docker container stop -t 0 "${cid}" > /dev/null
+        exit 1
+    fi
+
+    docker container stop -t 0 "${cid}" > /dev/null
+    retval=$?
+    if [[ ${retval} != 0 ]]; then
+       echo -e "${REDB}Failed to stop docker container ${cid}! (exit code: ${retval})${CLR}"
+       exit 1
+    fi
+
+    diff=$(diff -u "${expected_result_stdout}" "${test_result_stdout}")
+    retval=$?
+    if [[ ${retval} != 0 ]]; then
+
+	# If the user wants to update the tests, then overwrite the expected results with the actual results.
+        if [[ $accept == 1 ]]; then
+            cp "${test_result_stdout}" "${expected_result_stdout}"
+            echo -e "${test_name} ${YELLOWB}UPDATED${CLR}\n"
+        else
+            echo -e "${test_name} ${REDB}FAILED${CLR}.\n\n${diff}\n"
+            exit 1
+        fi
+
+    fi
+
+    diff=$(diff -u "${expected_result_json}" "${test_result_json}")
+    retval=$?
+    if [[ ${retval} != 0 ]]; then
+
+	# If the user wants to update the tests, then overwrite the expected results with the actual results.
+        if [[ $accept == 1 ]]; then
+            cp "${test_result_json}" "${expected_result_json}"
+            echo -e "${test_name} ${YELLOWB}UPDATED${CLR}\n"
+        else
+            echo -e "${test_name} ${REDB}FAILED${CLR}.\n\n${diff}\n"
+            exit 1
+        fi
+
+    fi
+
+    echo -e "${test_name} ${GREEN}passed${CLR}."
+}
+
+
+# First check if docker is functional.
+docker version > /dev/null
+retval=$?
+if [[ ${retval} != 0 ]]; then
+    echo -e "${REDB}Error: 'docker version' command failed (error code: ${retval}).  Is docker installed and functioning?${CLR}"
+    exit 1
+fi
+
+
+# Check if the docker image is the most up-to-date version.
+docker_image_exists=0
+check_if_docker_image_exists
+retval=$?
+if [[ ${retval} == 0 ]]; then
+    docker_image_exists=1
+fi
+
+
+# Check if the user specified --create to build a new image.
+if [[ ($# == 1) && ($1 == "--create") ]]; then
+    # Ensure that the image name doesn't already exist before building.
+    if [[ ${docker_image_exists} == 1 ]]; then
+        echo -e "${REDB}Error: --create specified, but ${IMAGE_NAME}:${IMAGE_VERSION} already exists!${CLR}"
+        exit 1
+    else
+        echo -e "\nCreating docker image ${IMAGE_NAME}:${IMAGE_VERSION}..."
+        create_docker_image
+        echo -e "\n${GREEN}Done creating docker image!${CLR}"
+        exit 0
+    fi
+fi
+
+
+# If the user passes --accept, then the actual results will replace the expected results (meaning the user wants to update the tests themselves due to new functionality).
+if [[ ($# == 1) && ($1 == "--accept") ]]; then
+    accept=1
+    echo -e "\n${YELLOWB}Expected test results will be replaced with actual results.${CLR}"
+fi
+
+
+# If we weren't explicitly told to create a new image, and it doesn't exist, then pull it from Dockerhub.
+if [[ ${docker_image_exists} == 0 ]]; then
+    echo -e "\nPulling docker image ${IMAGE_NAME}:${IMAGE_VERSION}..."
+    pull_docker_image
+fi
+
+
+echo -e "\n${GREEN}Starting tests...${CLR}"
+
+# Create a temporary directory to write test results to.
+TEST_RESULT_DIR=$(mktemp -d /tmp/ssh-audit_test-results_XXXXXXXXXX)
+
+# Now run all the tests.
+echo -e "\nRunning tests..."
+run_openssh_test "4.0p1" "test1" "${PROGRAM_RETVAL_FAILURE}"
+echo
+run_openssh_test "5.6p1" "test1" "${PROGRAM_RETVAL_FAILURE}"
+run_openssh_test "5.6p1" "test2" "${PROGRAM_RETVAL_FAILURE}"
+run_openssh_test "5.6p1" "test3" "${PROGRAM_RETVAL_FAILURE}"
+run_openssh_test "5.6p1" "test4" "${PROGRAM_RETVAL_FAILURE}"
+run_openssh_test "5.6p1" "test5" "${PROGRAM_RETVAL_FAILURE}"
+echo
+run_openssh_test "8.0p1" "test1" "${PROGRAM_RETVAL_FAILURE}"
+run_openssh_test "8.0p1" "test2" "${PROGRAM_RETVAL_FAILURE}"
+run_openssh_test "8.0p1" "test3" "${PROGRAM_RETVAL_WARNING}"
+echo
+run_dropbear_test "2019.78" "test1" "-r /etc/dropbear/dropbear_rsa_host_key_1024 -r /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_ecdsa_host_key" 3
+echo
+run_tinyssh_test "20190101" "test1" "${PROGRAM_RETVAL_WARNING}"
+echo
+echo
+run_custom_policy_test "config1" "test1" "${PROGRAM_RETVAL_GOOD}"
+run_custom_policy_test "config1" "test2" "${PROGRAM_RETVAL_FAILURE}"
+run_custom_policy_test "config1" "test3" "${PROGRAM_RETVAL_FAILURE}"
+run_custom_policy_test "config1" "test4" "${PROGRAM_RETVAL_FAILURE}"
+run_custom_policy_test "config1" "test5" "${PROGRAM_RETVAL_FAILURE}"
+run_custom_policy_test "config2" "test6" "${PROGRAM_RETVAL_GOOD}"
+
+# Passing test with host key certificate and CA key certificates.
+run_custom_policy_test "config3" "test7" "${PROGRAM_RETVAL_GOOD}"
+
+# Failing test with host key certificate and non-compliant CA key length.
+run_custom_policy_test "config3" "test8" "${PROGRAM_RETVAL_FAILURE}"
+
+# Failing test with non-compliant host key certificate and CA key certificate.
+run_custom_policy_test "config3" "test9" "${PROGRAM_RETVAL_FAILURE}"
+
+# Failing test with non-compliant host key certificate and non-compliant CA key certificate.
+run_custom_policy_test "config3" "test10" "${PROGRAM_RETVAL_FAILURE}"
+
+# Passing test with host key size check.
+run_custom_policy_test "config2" "test11" "${PROGRAM_RETVAL_GOOD}"
+
+# Failing test with non-compliant host key size check.
+run_custom_policy_test "config2" "test12" "${PROGRAM_RETVAL_FAILURE}"
+
+# Passing test with DH modulus test.
+run_custom_policy_test "config2" "test13" "${PROGRAM_RETVAL_GOOD}"
+
+# Failing test with DH modulus test.
+run_custom_policy_test "config2" "test14" "${PROGRAM_RETVAL_FAILURE}"
+
+# Passing test with algorithm subset matching.
+run_custom_policy_test "config2" "test15" "${PROGRAM_RETVAL_GOOD}"
+
+# Failing test with algorithm subset matching.
+run_custom_policy_test "config2" "test16" "${PROGRAM_RETVAL_FAILURE}"
+
+# Passing test with larger key matching.
+run_custom_policy_test "config2" "test17" "${PROGRAM_RETVAL_GOOD}"
+
+# Failing test for built-in OpenSSH 8.0p1 server policy (RSA host key size is 3072 instead of 4096).
+run_builtin_policy_test "Hardened OpenSSH Server v8.0 (version 4)" "8.0p1" "test1" "-o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256,ssh-ed25519 -o KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 -o Ciphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -o MACs=hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com" "${PROGRAM_RETVAL_FAILURE}"
+
+# Failing test for built-in OpenSSH 8.0p1 server policy (MACs not hardened).
+run_builtin_policy_test "Hardened OpenSSH Server v8.0 (version 4)" "8.0p1" "test2" "-o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256,ssh-ed25519 -o KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 -o Ciphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" "${PROGRAM_RETVAL_FAILURE}"
+
+
+if [[ $num_failures == 0 ]]; then
+    echo -e "\n${GREENB}ALL TESTS PASS!${CLR}\n"
+    rm -rf -- "${TEST_RESULT_DIR}"
+else
+    echo -e "\n${REDB}${num_failures} TESTS FAILED!${CLR}\n"
+fi
+
+exit 0
--- a/pyproject.toml
+++ b/pyproject.toml
@ -0,0 +1,7 @@
+[build-system]
+# https://pip.pypa.io/en/stable/reference/pip/#pep-517-and-518-support
+requires = [
+    "setuptools>=40.8.0",
+    "wheel"
+]
+build-backend = "setuptools.build_meta"
--- a/setup.cfg
+++ b/setup.cfg
@ -0,0 +1,44 @@
+[metadata]
+name = ssh-audit
+version = attr: ssh_audit.globals.VERSION
+author = Joe Testa
+author_email = jtesta@positronsecurity.com
+description = An SSH server & client configuration security auditing tool
+long_description = file: README.md
+long_description_content_type = text/markdown
+license = MIT
+license_files = LICENSE
+url = https://github.com/jtesta/ssh-audit
+project_urls =
+    Source Code = https://github.com/jtesta/ssh-audit
+    Bug Tracker = https://github.com/jtesta/ssh-audit/issues
+classifiers =
+    Development Status :: 5 - Production/Stable
+    Intended Audience :: Information Technology
+    Intended Audience :: System Administrators
+    License :: OSI Approved :: MIT License
+    Operating System :: OS Independent
+    Programming Language :: Python :: 3
+    Programming Language :: Python :: 3.8
+    Programming Language :: Python :: 3.9
+    Programming Language :: Python :: 3.10
+    Programming Language :: Python :: 3.11
+    Programming Language :: Python :: 3.12
+    Programming Language :: Python :: 3.13
+    Programming Language :: Python :: Implementation :: CPython
+    Programming Language :: Python :: Implementation :: PyPy
+    Topic :: Security
+    Topic :: Security :: Cryptography
+
+[options]
+packages = find:
+package_dir =
+     = src
+python_requires = >=3.8,<4
+
+[options.packages.find]
+where = src
+
+[options.entry_points]
+console_scripts =
+    ssh-audit = ssh_audit.ssh_audit:main
--- a/setup.py
+++ b/setup.py
@ -0,0 +1,23 @@
+import re
+import sys
+from setuptools import setup
+
+print_warning = False
+m = re.search(r'^VERSION\s*=\s*\'v(\d\.\d\.\d)\'', open('src/ssh_audit/globals.py').read(), re.M)
+if m is None:
+    # If we failed to parse the stable version, see if this is the development version.
+    m = re.search(r'^VERSION\s*=\s*\'v(\d\.\d\.\d-dev)\'', open('src/ssh_audit/globals.py').read(), re.M)
+    if m is None:
+        print("Error: could not parse VERSION variable from ssh_audit.py.")
+        sys.exit(1)
+    else:  # Continue with the development version, but print a warning later.
+        print_warning = True
+
+version = m.group(1)
+print("\n\nPackaging ssh-audit v%s...\n\n" % version)
+
+# see setup.cfg
+setup()
+
+if print_warning:
+    print("\n\n    !!! WARNING: development version detected (%s).  Are you sure you want to package this version?  Probably not...\n" % version)
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@ -0,0 +1,23 @@
+name: ssh-audit
+# 'version' field will be automatically added by build_snap.sh.
+license: 'MIT'
+summary: ssh-audit
+description: |
+  SSH server and client security configuration auditor.  Official repository: <https://github.com/jtesta/ssh-audit>
+
+base: core22
+grade: stable
+confinement: strict
+architectures:
+  - build-on: [amd64]
+    build-for: [all]
+
+apps:
+  ssh-audit:
+    command: bin/ssh-audit
+    plugs: [network,network-bind,home]
+
+parts:
+  ssh-audit:
+    plugin: python
+    source: .
--- a/src/ssh_audit/init.py
+++ b/src/ssh_audit/init.py
--- a/src/ssh_audit/main.py
+++ b/src/ssh_audit/main.py
@ -0,0 +1,16 @@
+import sys
+import traceback
+
+from ssh_audit.ssh_audit import main
+from ssh_audit import exitcodes
+
+
+exit_code = exitcodes.GOOD
+
+try:
+    exit_code = main()
+except Exception:
+    exit_code = exitcodes.UNKNOWN_ERROR
+    print(traceback.format_exc())
+
+sys.exit(exit_code)
--- a/src/ssh_audit/algorithm.py
+++ b/src/ssh_audit/algorithm.py
@ -0,0 +1,61 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+# pylint: disable=unused-import
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+from ssh_audit.product import Product
+
+
+class Algorithm:
+
+    @staticmethod
+    def get_ssh_version(version_desc: str) -> Tuple[str, str, bool]:
+        is_client = version_desc.endswith('C')
+        if is_client:
+            version_desc = version_desc[:-1]
+        if version_desc.startswith('d'):
+            return Product.DropbearSSH, version_desc[1:], is_client
+        elif version_desc.startswith('l1'):
+            return Product.LibSSH, version_desc[2:], is_client
+        else:
+            return Product.OpenSSH, version_desc, is_client
+
+    @classmethod
+    def get_since_text(cls, versions: List[Optional[str]]) -> Optional[str]:
+        tv = []
+        if len(versions) == 0 or versions[0] is None:
+            return None
+        for v in versions[0].split(','):
+            ssh_prod, ssh_ver, is_cli = cls.get_ssh_version(v)
+            if not ssh_ver:
+                continue
+            if ssh_prod in [Product.LibSSH]:
+                continue
+            if is_cli:
+                ssh_ver = '{} (client only)'.format(ssh_ver)
+            tv.append('{} {}'.format(ssh_prod, ssh_ver))
+        if len(tv) == 0:
+            return None
+        return 'available since ' + ', '.join(tv).rstrip(', ')
--- a/src/ssh_audit/algorithms.py
+++ b/src/ssh_audit/algorithms.py
@ -0,0 +1,226 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017-2021 Joe Testa (jtesta@positronsecurity.com)
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+# pylint: disable=unused-import
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+from ssh_audit.algorithm import Algorithm
+from ssh_audit.product import Product
+from ssh_audit.software import Software
+from ssh_audit.ssh1_kexdb import SSH1_KexDB
+from ssh_audit.ssh1_publickeymessage import SSH1_PublicKeyMessage
+from ssh_audit.ssh2_kex import SSH2_Kex
+from ssh_audit.ssh2_kexdb import SSH2_KexDB
+from ssh_audit.timeframe import Timeframe
+from ssh_audit.utils import Utils
+
+
+class Algorithms:
+    def __init__(self, pkm: Optional[SSH1_PublicKeyMessage], kex: Optional[SSH2_Kex]) -> None:
+        self.__ssh1kex = pkm
+        self.__ssh2kex = kex
+
+    @property
+    def ssh1kex(self) -> Optional[SSH1_PublicKeyMessage]:
+        return self.__ssh1kex
+
+    @property
+    def ssh2kex(self) -> Optional[SSH2_Kex]:
+        return self.__ssh2kex
+
+    @property
+    def ssh1(self) -> Optional['Algorithms.Item']:
+        if self.ssh1kex is None:
+            return None
+        item = Algorithms.Item(1, SSH1_KexDB.get_db())
+        item.add('key', ['ssh-rsa1'])
+        item.add('enc', self.ssh1kex.supported_ciphers)
+        item.add('aut', self.ssh1kex.supported_authentications)
+        return item
+
+    @property
+    def ssh2(self) -> Optional['Algorithms.Item']:
+        if self.ssh2kex is None:
+            return None
+        item = Algorithms.Item(2, SSH2_KexDB.get_db())
+        item.add('kex', self.ssh2kex.kex_algorithms)
+        item.add('key', self.ssh2kex.key_algorithms)
+        item.add('enc', self.ssh2kex.server.encryption)
+        item.add('mac', self.ssh2kex.server.mac)
+        return item
+
+    @property
+    def values(self) -> Iterable['Algorithms.Item']:
+        for item in [self.ssh1, self.ssh2]:
+            if item is not None:
+                yield item
+
+    @property
+    def maxlen(self) -> int:
+        def _ml(items: Sequence[str]) -> int:
+            return max(len(i) for i in items)
+        maxlen = 0
+        if self.ssh1kex is not None:
+            maxlen = max(_ml(self.ssh1kex.supported_ciphers),
+                         _ml(self.ssh1kex.supported_authentications),
+                         maxlen)
+        if self.ssh2kex is not None:
+            maxlen = max(_ml(self.ssh2kex.kex_algorithms),
+                         _ml(self.ssh2kex.key_algorithms),
+                         _ml(self.ssh2kex.server.encryption),
+                         _ml(self.ssh2kex.server.mac),
+                         maxlen)
+        return maxlen
+
+    def get_ssh_timeframe(self, for_server: Optional[bool] = None) -> 'Timeframe':
+        timeframe = Timeframe()
+        for alg_pair in self.values:
+            alg_db = alg_pair.db
+            for alg_type, alg_list in alg_pair.items():
+                for alg_name in alg_list:
+                    alg_name_native = Utils.to_text(alg_name)
+                    alg_desc = alg_db[alg_type].get(alg_name_native)
+                    if alg_desc is None:
+                        continue
+                    versions = alg_desc[0]
+                    timeframe.update(versions, for_server)
+        return timeframe
+
+    def get_recommendations(self, software: Optional['Software'], for_server: bool = True) -> Tuple[Optional['Software'], Dict[int, Dict[str, Dict[str, Dict[str, int]]]]]:
+        # pylint: disable=too-many-locals,too-many-statements
+        vproducts = [Product.OpenSSH,
+                     Product.DropbearSSH,
+                     Product.LibSSH,
+                     Product.TinySSH]
+        # Set to True if server is not one of vproducts, above.
+        unknown_software = False
+        if software is not None:
+            if software.product not in vproducts:
+                unknown_software = True
+
+        # The code below is commented out because it would try to guess what the server is,
+        # usually resulting in wild & incorrect recommendations.
+        # if software is None:
+        #     ssh_timeframe = self.get_ssh_timeframe(for_server)
+        #     for product in vproducts:
+        #         if product not in ssh_timeframe:
+        #             continue
+        #         version = ssh_timeframe.get_from(product, for_server)
+        #         if version is not None:
+        #             software = SSH.Software(None, product, version, None, None)
+        #             break
+        rec: Dict[int, Dict[str, Dict[str, Dict[str, int]]]] = {}
+        if software is None:
+            unknown_software = True
+        for alg_pair in self.values:
+            sshv, alg_db = alg_pair.sshv, alg_pair.db
+            rec[sshv] = {}
+            for alg_type, alg_list in alg_pair.items():
+                if alg_type == 'aut':
+                    continue
+                rec[sshv][alg_type] = {'add': {}, 'del': {}, 'chg': {}}
+                for n, alg_desc in alg_db[alg_type].items():
+                    versions = alg_desc[0]
+                    empty_version = False
+                    if len(versions) == 0 or versions[0] is None:
+                        empty_version = True
+                    else:
+                        matches = False
+                        if unknown_software:
+                            matches = True
+                        for v in versions[0].split(','):
+                            ssh_prefix, ssh_version, is_cli = Algorithm.get_ssh_version(v)
+                            if not ssh_version:
+                                continue
+                            if (software is not None) and (ssh_prefix != software.product):
+                                continue
+                            if is_cli and for_server:
+                                continue
+                            if (software is not None) and (software.compare_version(ssh_version) < 0):
+                                continue
+                            matches = True
+                            break
+                        if not matches:
+                            continue
+                    adl, faults = len(alg_desc), 0
+                    for i in range(1, 3):
+                        if not adl > i:
+                            continue
+                        fc = len(alg_desc[i])
+                        if fc > 0:
+                            faults += pow(10, 2 - i) * fc
+                    if n not in alg_list:
+                        # Don't recommend certificate or token types; these will only appear in the server's list if they are fully configured & functional on the server.  Also don't recommend 'ext-info-[cs]' nor 'kex-strict-[cs]-v00@openssh.com' key exchanges.
+                        if faults > 0 or \
+                           (alg_type == 'key' and (('-cert-' in n) or (n.startswith('sk-')))) or \
+                           (alg_type == 'kex' and (n.startswith('ext-info-') or n.startswith('kex-strict-'))) or \
+                           empty_version:
+                            continue
+                        rec[sshv][alg_type]['add'][n] = 0
+                    else:
+                        if faults == 0:
+                            continue
+                        if n in ['diffie-hellman-group-exchange-sha256', 'rsa-sha2-256', 'rsa-sha2-512', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com']:
+                            rec[sshv][alg_type]['chg'][n] = faults
+                        else:
+                            rec[sshv][alg_type]['del'][n] = faults
+                # If we are working with unknown software, drop all add recommendations, because we don't know if they're valid.
+                if unknown_software:
+                    rec[sshv][alg_type]['add'] = {}
+                add_count = len(rec[sshv][alg_type]['add'])
+                del_count = len(rec[sshv][alg_type]['del'])
+                chg_count = len(rec[sshv][alg_type]['chg'])
+
+                if add_count == 0:
+                    del rec[sshv][alg_type]['add']
+                if del_count == 0:
+                    del rec[sshv][alg_type]['del']
+                if chg_count == 0:
+                    del rec[sshv][alg_type]['chg']
+                if len(rec[sshv][alg_type]) == 0:
+                    del rec[sshv][alg_type]
+            if len(rec[sshv]) == 0:
+                del rec[sshv]
+        return software, rec
+
+    class Item:
+        def __init__(self, sshv: int, db: Dict[str, Dict[str, List[List[Optional[str]]]]]) -> None:
+            self.__sshv = sshv
+            self.__db = db
+            self.__storage: Dict[str, List[str]] = {}
+
+        @property
+        def sshv(self) -> int:
+            return self.__sshv
+
+        @property
+        def db(self) -> Dict[str, Dict[str, List[List[Optional[str]]]]]:
+            return self.__db
+
+        def add(self, key: str, value: List[str]) -> None:
+            self.__storage[key] = value
+
+        def items(self) -> Iterable[Tuple[str, List[str]]]:
+            return self.__storage.items()
--- a/src/ssh_audit/auditconf.py
+++ b/src/ssh_audit/auditconf.py
@ -0,0 +1,192 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017-2024 Joe Testa (jtesta@positronsecurity.com)
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+# pylint: disable=unused-import
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+from ssh_audit.policy import Policy
+from ssh_audit.utils import Utils
+
+
+class AuditConf:
+    # pylint: disable=too-many-instance-attributes
+    def __init__(self, host: str = '', port: int = 22) -> None:
+        self.host = host
+        self.port = port
+        self.ssh1 = True
+        self.ssh2 = True
+        self.batch = False
+        self.client_audit = False
+        self.colors = True
+        self.json = False
+        self.json_print_indent = False
+        self.verbose = False
+        self.level = 'info'
+        self.ip_version_preference: List[int] = []  # Holds only 5 possible values: [] (no preference), [4] (use IPv4 only), [6] (use IPv6 only), [46] (use both IPv4 and IPv6, but prioritize v4), and [64] (use both IPv4 and IPv6, but prioritize v6).
+        self.ipv4 = False
+        self.ipv6 = False
+        self.make_policy = False  # When True, creates a policy file from an audit scan.
+        self.policy_file: Optional[str] = None   # File system path to a policy
+        self.policy: Optional[Policy] = None  # Policy object
+        self.timeout = 5.0
+        self.timeout_set = False  # Set to True when the user explicitly sets it.
+        self.target_file: Optional[str] = None
+        self.target_list: List[str] = []
+        self.threads = 32
+        self.list_policies = False
+        self.lookup = ''
+        self.manual = False
+        self.debug = False
+        self.gex_test = ''
+        self.dheat: Optional[str] = None
+        self.dheat_concurrent_connections: int = 0
+        self.dheat_e_length: int = 0
+        self.dheat_target_alg: str = ""
+        self.skip_rate_test = False
+        self.conn_rate_test: str = "1:1"
+        self.conn_rate_test_enabled = False
+        self.conn_rate_test_threads = 0
+        self.conn_rate_test_target_rate = 0
+
+
+    def __setattr__(self, name: str, value: Union[str, int, float, bool, Sequence[int]]) -> None:
+        valid = False
+        if name in ['batch', 'client_audit', 'colors', 'json', 'json_print_indent', 'list_policies', 'manual', 'make_policy', 'ssh1', 'ssh2', 'timeout_set', 'verbose', 'debug', 'skip_rate_test']:
+            valid, value = True, bool(value)
+        elif name in ['ipv4', 'ipv6']:
+            valid, value = True, bool(value)
+            if len(self.ip_version_preference) == 2:  # Being called more than twice is not valid.
+                valid = False
+            elif value:
+                self.ip_version_preference.append(4 if name == 'ipv4' else 6)
+        elif name == 'port':
+            valid, port = True, Utils.parse_int(value)
+            if port < 1 or port > 65535:
+                raise ValueError('invalid port: {}'.format(value))
+            value = port
+        elif name in ['level']:
+            if value not in ('info', 'warn', 'fail'):
+                raise ValueError('invalid level: {}'.format(value))
+            valid = True
+        elif name == 'host':
+            valid = True
+        elif name == 'timeout':
+            value = Utils.parse_float(value)
+            if value == -1.0:
+                raise ValueError('invalid timeout: {}'.format(value))
+            valid = True
+        elif name in ['ip_version_preference', 'lookup', 'policy_file', 'policy', 'target_file', 'target_list', 'gex_test']:
+            valid = True
+        elif name == "threads":
+            valid, num_threads = True, Utils.parse_int(value)
+            if num_threads < 1:
+                raise ValueError('invalid number of threads: {}'.format(value))
+            value = num_threads
+        elif name == "dheat":
+            # Valid values:
+            #   * None
+            #   * "10" (concurrent-connections)
+            #   * "10:diffie-hellman-group18-sha512" (concurrent-connections:target-alg)
+            #   * "10:diffie-hellman-group18-sha512:100" (concurrent-connections:target-alg:e-length)
+            valid = True
+            if value is not None:
+
+                def _parse_concurrent_connections(s: str) -> int:
+                    if Utils.parse_int(s) < 1:
+                        raise ValueError("number of concurrent connections must be 1 or greater: {}".format(s))
+                    return int(s)
+
+                def _parse_e_length(s: str) -> int:
+                    s_int = Utils.parse_int(s)
+                    if s_int < 2:
+                        raise ValueError("length of e must not be less than 2: {}".format(s))
+                    return s_int
+
+                def _parse_target_alg(s: str) -> str:
+                    if len(s) == 0:
+                        raise ValueError("target algorithm must not be the empty string.")
+                    return s
+
+                value = str(value)
+                fields = value.split(':')
+
+                self.dheat_concurrent_connections = _parse_concurrent_connections(fields[0])
+
+                # Parse the target algorithm if present.
+                if len(fields) >= 2:
+                    self.dheat_target_alg = _parse_target_alg(fields[1])
+
+                # Parse the length of e, if present.
+                if len(fields) == 3:
+                    self.dheat_e_length = _parse_e_length(fields[2])
+
+                if len(fields) > 3:
+                    raise ValueError("only three fields are expected instead of {}: {}".format(len(fields), value))
+
+        elif name in ["dheat_concurrent_connections", "dheat_e_length"]:
+            valid = True
+            if not isinstance(value, int):
+                valid = False
+
+        elif name == "dheat_target_alg":
+            valid = True
+            if not isinstance(value, str):
+                valid = False
+
+        elif name == "conn_rate_test":
+            # Valid values:
+            #   * "4" (run rate test with 4 threads)
+            #   * "4:100" (run rate test with 4 threads, targeting 100 connections/second)
+
+            error_msg = "valid format for {:s} is \"N\" or \"N:N\", where N is an integer.".format(name)
+            self.conn_rate_test_enabled = True
+            fields = str(value).split(":")
+
+            if len(fields) > 2 or len(fields) == 0:
+                raise ValueError(error_msg)
+            else:
+                self.conn_rate_test_threads = int(fields[0])
+                if self.conn_rate_test_threads < 1:
+                    raise ValueError("number of threads must be 1 or greater.")
+
+                self.conn_rate_test_target_rate = 0
+                if len(fields) == 2:
+                    self.conn_rate_test_target_rate = int(fields[1])
+                    if self.conn_rate_test_target_rate < 1:
+                        raise ValueError("rate target must be 1 or greater.")
+
+        elif name == "conn_rate_test_enabled":
+            valid = True
+            if not isinstance(value, bool):
+                valid = False
+
+        elif name in ["conn_rate_test_threads", "conn_rate_test_target_rate"]:
+            valid = True
+            if not isinstance(value, int):
+                valid = False
+
+
+        if valid:
+            object.__setattr__(self, name, value)
--- a/src/ssh_audit/banner.py
+++ b/src/ssh_audit/banner.py
@ -0,0 +1,92 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+import re
+
+# pylint: disable=unused-import
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+from ssh_audit.utils import Utils
+
+
+class Banner:
+    _RXP, _RXR = r'SSH-\d\.\s*?\d+', r'(-\s*([^\s]*)(?:\s+(.*))?)?'
+    RX_PROTOCOL = re.compile(re.sub(r'\\d(\+?)', r'(\\d\g<1>)', _RXP))
+    RX_BANNER = re.compile(r'^({0}(?:(?:-{0})*)){1}$'.format(_RXP, _RXR))
+
+    def __init__(self, protocol: Tuple[int, int], software: Optional[str], comments: Optional[str], valid_ascii: bool) -> None:
+        self.__protocol = protocol
+        self.__software = software
+        self.__comments = comments
+        self.__valid_ascii = valid_ascii
+
+    @property
+    def protocol(self) -> Tuple[int, int]:
+        return self.__protocol
+
+    @property
+    def software(self) -> Optional[str]:
+        return self.__software
+
+    @property
+    def comments(self) -> Optional[str]:
+        return self.__comments
+
+    @property
+    def valid_ascii(self) -> bool:
+        return self.__valid_ascii
+
+    def __str__(self) -> str:
+        r = 'SSH-{}.{}'.format(self.protocol[0], self.protocol[1])
+        if self.software is not None:
+            r += '-{}'.format(self.software)
+        if bool(self.comments):
+            r += ' {}'.format(self.comments)
+        return r
+
+    def __repr__(self) -> str:
+        p = '{}.{}'.format(self.protocol[0], self.protocol[1])
+        r = 'protocol={}'.format(p)
+        if self.software is not None:
+            r += ', software={}'.format(self.software)
+        if bool(self.comments):
+            r += ', comments={}'.format(self.comments)
+        return '<{}({})>'.format(self.__class__.__name__, r)
+
+    @classmethod
+    def parse(cls, banner: str) -> Optional['Banner']:
+        valid_ascii = Utils.is_print_ascii(banner)
+        ascii_banner = Utils.to_print_ascii(banner)
+        mx = cls.RX_BANNER.match(ascii_banner)
+        if mx is None:
+            return None
+        protocol = min(re.findall(cls.RX_PROTOCOL, mx.group(1)))
+        protocol = (int(protocol[0]), int(protocol[1]))
+        software = (mx.group(3) or '').strip() or None
+        if software is None and (mx.group(2) or '').startswith('-'):
+            software = ''
+        comments = (mx.group(4) or '').strip() or None
+        if comments is not None:
+            comments = re.sub(r'\s+', ' ', comments)
+        return cls(protocol, software, comments, valid_ascii)
--- a/src/ssh_audit/builtin_policies.py
+++ b/src/ssh_audit/builtin_policies.py
@ -0,0 +1,144 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2020-2024 Joe Testa (jtesta@positronsecurity.com)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+from typing import Any, Dict, List, Optional, Union
+
+# Each field maps directly to a private member variable of the Policy class.
+BUILTIN_POLICIES: Dict[str, Dict[str, Union[Optional[str], Optional[List[str]], bool, Dict[str, Any]]]] = {
+
+
+    # Amazon Linux 2023
+    'Hardened Amazon Linux 2023 (version 1)': {'version': '1', 'changelog': 'Initial version', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened Amazon Linux 2023 (version 2)': {'version': '2', 'changelog': 'Re-ordered host keys to prioritize ED25519 due to efficiency.  Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', 'banner': None, 'compressions': None, 'host_keys': ['ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-gcm@openssh.com', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+
+    # Debian Server 12
+    'Hardened Debian 12 (version 1)': {'version': '1', 'changelog': 'Initial version', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened Debian 12 (version 2)': {'version': '2', 'changelog': 'Re-ordered host keys to prioritize ED25519 due to efficiency.  Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', 'banner': None, 'compressions': None, 'host_keys': ['ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-gcm@openssh.com', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+
+    # Rocky Linux 9
+    'Hardened Rocky Linux 9 (version 1)': {'version': '1', 'changelog': 'Initial version', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened Rocky Linux 9 (version 2)': {'version': '2', 'changelog': 'Re-ordered host keys to prioritize ED25519 due to efficiency.  Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', 'banner': None, 'compressions': None, 'host_keys': ['ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-gcm@openssh.com', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+
+    # Ubuntu Server policies
+
+    'Hardened Ubuntu Server 16.04 LTS (version 4)': {'version': '4', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['ssh-ed25519'], 'optional_host_keys': ['ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256@libssh.org', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened Ubuntu Server 18.04 LTS (version 4)': {'version': '4', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['ssh-ed25519'], 'optional_host_keys': ['ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened Ubuntu Server 20.04 LTS (version 5)': {'version': '5', 'changelog': 'Added kex-strict-s-v00@openssh.com to kex list.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened Ubuntu Server 22.04 LTS (version 5)': {'version': '5', 'changelog': 'Added kex-strict-s-v00@openssh.com to kex list.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened Ubuntu Server 22.04 LTS (version 6)': {'version': '6', 'changelog': 'Re-ordered host keys to prioritize ED25519 due to efficiency. Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', 'banner': None, 'compressions': None, 'host_keys': ['ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-gcm@openssh.com', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened Ubuntu Server 24.04 LTS (version 1)': {'version': '1', 'changelog': 'Initial version.', 'banner': None, 'compressions': None, 'host_keys': ['ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group16-sha512', 'ext-info-s', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-gcm@openssh.com', 'aes128-ctr'], 'macs': ['hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    # Generic OpenSSH Server policies
+
+    'Hardened OpenSSH Server v7.7 (version 4)': {'version': '4', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v7.8 (version 4)': {'version': '4', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v7.9 (version 4)': {'version': '4', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v8.0 (version 4)': {'version': '4', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v8.1 (version 4)': {'version': '4', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v8.2 (version 4)': {'version': '4', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v8.3 (version 4)': {'version': '4', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v8.4 (version 4)': {'version': '4', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v8.5 (version 4)': {'version': '4', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v8.6 (version 4)': {'version': '4', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v8.7 (version 4)': {'version': '4', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v8.8 (version 3)': {'version': '3', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v8.9 (version 3)': {'version': '3', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v9.0 (version 3)': {'version': '3', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v9.1 (version 3)': {'version': '3', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v9.2 (version 3)': {'version': '3', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519-cert-v01@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'sk-ssh-ed25519@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v9.3 (version 3)': {'version': '3', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v9.4 (version 2)': {'version': '2', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v9.5 (version 1)': {'version': '1', 'changelog': 'Initial version.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v9.6 (version 1)': {'version': '1', 'changelog': 'Initial version.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-s', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v9.7 (version 1)': {'version': '1', 'changelog': 'Initial version.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-s', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v9.8 (version 1)': {'version': '1', 'changelog': 'Initial version.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-s', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    'Hardened OpenSSH Server v9.9 (version 1)': {'version': '1', 'changelog': 'Initial version.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512', 'sntrup761x25519-sha512@openssh.com', 'mlkem768x25519-sha256', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-s', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
+    # Amazon Linux Policies
+
+    'Hardened Amazon Linux Client 2023 (version 1)': {'version': '1', 'changelog': 'Initial version.', 'banner': None, 'compressions': None, 'host_keys': ['sk-ssh-ed25519-cert-v01@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'sk-ssh-ed25519@openssh.com', 'ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': None, 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-c', 'kex-strict-c-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False},
+
+    'Hardened Amazon Linux Client 2023 (version 2)': {'version': '2', 'changelog': 'Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', 'banner': None, 'compressions': None, 'host_keys': ['sk-ssh-ed25519-cert-v01@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'sk-ssh-ed25519@openssh.com', 'ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': None, 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-c', 'kex-strict-c-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-gcm@openssh.com', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False},
+
+
+    # Debian Client Policies
+
+    'Hardened Debian Client 12 (version 1)': {'version': '1', 'changelog': 'Initial version.', 'banner': None, 'compressions': None, 'host_keys': ['sk-ssh-ed25519-cert-v01@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'sk-ssh-ed25519@openssh.com', 'ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': None, 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-c', 'kex-strict-c-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False},
+
+    'Hardened Debian Client 12 (version 2)': {'version': '2', 'changelog': 'Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', 'banner': None, 'compressions': None, 'host_keys': ['sk-ssh-ed25519-cert-v01@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'sk-ssh-ed25519@openssh.com', 'ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': None, 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-c', 'kex-strict-c-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-gcm@openssh.com', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False},
+
+
+    # Rocky Linux Policies
+
+    'Hardened Rocky Linux Client 9 (version 1)': {'version': '1', 'changelog': 'Initial version.', 'banner': None, 'compressions': None, 'host_keys': ['sk-ssh-ed25519-cert-v01@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'sk-ssh-ed25519@openssh.com', 'ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': None, 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-c', 'kex-strict-c-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False},
+
+    'Hardened Rocky Linux Client 9 (version 2)': {'version': '2', 'changelog': 'Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', 'banner': None, 'compressions': None, 'host_keys': ['sk-ssh-ed25519-cert-v01@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'sk-ssh-ed25519@openssh.com', 'ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': None, 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-c', 'kex-strict-c-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-gcm@openssh.com', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False},
+
+    # Ubuntu Client policies
+
+    'Hardened Ubuntu Client 16.04 LTS (version 2)': {'version': '2', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['ssh-ed25519', 'ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256', 'rsa-sha2-512'], 'optional_host_keys': None, 'kex': ['curve25519-sha256@libssh.org', 'diffie-hellman-group-exchange-sha256', 'ext-info-c'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False},
+
+    'Hardened Ubuntu Client 18.04 LTS (version 2)': {'version': '2', 'changelog': 'No change log available.', 'banner': None, 'compressions': None, 'host_keys': ['ssh-ed25519', 'ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256', 'rsa-sha2-512'], 'optional_host_keys': None, 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-c'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False},
+
+    'Hardened Ubuntu Client 20.04 LTS (version 3)': {'version': '3', 'changelog': 'Added kex-strict-c-v00@openssh.com to kex list.', 'banner': None, 'compressions': None, 'host_keys': ['ssh-ed25519', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512', 'rsa-sha2-512-cert-v01@openssh.com'], 'optional_host_keys': None, 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-c', 'kex-strict-c-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False},
+
+    'Hardened Ubuntu Client 22.04 LTS (version 4)': {'version': '4', 'changelog': 'Added kex-strict-c-v00@openssh.com to kex list.', 'banner': None, 'compressions': None, 'host_keys': ['sk-ssh-ed25519-cert-v01@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'sk-ssh-ed25519@openssh.com', 'ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': None, 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-c', 'kex-strict-c-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False},
+
+    'Hardened Ubuntu Client 22.04 LTS (version 5)': {'version': '5', 'changelog': 'Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', 'banner': None, 'compressions': None, 'host_keys': ['sk-ssh-ed25519-cert-v01@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'sk-ssh-ed25519@openssh.com', 'ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': None, 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-c', 'kex-strict-c-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-gcm@openssh.com', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False},
+
+    'Hardened Ubuntu Client 24.04 LTS (version 1)': {'version': '1', 'changelog': 'Initial version.', 'banner': None, 'compressions': None, 'host_keys': ['sk-ssh-ed25519-cert-v01@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'sk-ssh-ed25519@openssh.com', 'ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': None, 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group16-sha512', 'ext-info-c', 'kex-strict-c-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-gcm@openssh.com', 'aes128-ctr'], 'macs': ['hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False},
+
+}
--- a/src/ssh_audit/dheat.py
+++ b/src/ssh_audit/dheat.py
--- a/src/ssh_audit/exitcodes.py
+++ b/src/ssh_audit/exitcodes.py
@ -0,0 +1,6 @@
+# The program return values corresponding to failure(s) encountered, warning(s) encountered, connection errors, and no problems found, respectively.
+FAILURE = 3
+WARNING = 2
+CONNECTION_ERROR = 1
+GOOD = 0
+UNKNOWN_ERROR = -1
--- a/src/ssh_audit/fingerprint.py
+++ b/src/ssh_audit/fingerprint.py
@ -0,0 +1,43 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017-2021 Joe Testa (jtesta@positronsecurity.com)
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+import base64
+import hashlib
+
+
+class Fingerprint:
+    def __init__(self, fpd: bytes) -> None:
+        self.__fpd = fpd
+
+    @property
+    def md5(self) -> str:
+        h = hashlib.md5(self.__fpd).hexdigest()
+        r = ':'.join(h[i:i + 2] for i in range(0, len(h), 2))
+        return 'MD5:{}'.format(r)
+
+    @property
+    def sha256(self) -> str:
+        h = base64.b64encode(hashlib.sha256(self.__fpd).digest())
+        r = h.decode('ascii').rstrip('=')
+        return 'SHA256:{}'.format(r)
--- a/src/ssh_audit/gextest.py
+++ b/src/ssh_audit/gextest.py
@ -0,0 +1,236 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017-2023 Joe Testa (jtesta@positronsecurity.com)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+import struct
+import traceback
+
+# pylint: disable=unused-import
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+from ssh_audit.banner import Banner
+from ssh_audit.kexdh import KexDHException, KexGroupExchange, KexGroupExchange_SHA1, KexGroupExchange_SHA256
+from ssh_audit.ssh2_kexdb import SSH2_KexDB
+from ssh_audit.ssh2_kex import SSH2_Kex
+from ssh_audit.ssh_socket import SSH_Socket
+from ssh_audit.outputbuffer import OutputBuffer
+from ssh_audit import exitcodes
+
+
+# Performs DH group exchanges to find what moduli are supported, and checks
+# their size.
+class GEXTest:
+
+    # Creates a new connection to the server.  Returns True on success, or False.
+    @staticmethod
+    def reconnect(out: 'OutputBuffer', s: 'SSH_Socket', kex: 'SSH2_Kex', gex_alg: str) -> bool:
+        if s.is_connected():
+            return True
+
+        err = s.connect()
+        if err is not None:
+            out.v(err, write_now=True)
+            return False
+
+        _, _, err = s.get_banner()
+        if err is not None:
+            out.v(err, write_now=True)
+            s.close()
+            return False
+
+        # Send our KEX using the specified group-exchange and most of the
+        # server's own values.
+        s.send_kexinit(key_exchanges=[gex_alg], hostkeys=kex.key_algorithms, ciphers=kex.server.encryption, macs=kex.server.mac, compressions=kex.server.compression, languages=kex.server.languages)
+
+        try:
+            # Parse the server's KEX.
+            _, payload = s.read_packet(2)
+            SSH2_Kex.parse(out, payload)
+        except (KexDHException, struct.error):
+            out.v("Failed to parse server's kex.  Stack trace:\n%s" % str(traceback.format_exc()), write_now=True)
+            return False
+
+        return True
+
+    @staticmethod
+    def granular_modulus_size_test(out: 'OutputBuffer', s: 'SSH_Socket', kex: 'SSH2_Kex', bits_min: int, bits_pref: int, bits_max: int, modulus_dict: Dict[str, List[int]]) -> int:
+        '''
+        Tests for granular modulus sizes.
+        Builds a dictionary, where a key represents a DH algorithm name and the
+        values are the modulus sizes (in bits) that have been returned by the
+        target server.
+        Returns an exitcodes.* flag.
+        '''
+
+        retval = exitcodes.GOOD
+
+        out.d("Starting modulus_size_test...")
+        out.d("Bits Min:  " + str(bits_min))
+        out.d("Bits Pref: " + str(bits_pref))
+        out.d("Bits Max:  " + str(bits_max))
+
+        GEX_ALGS = {
+            'diffie-hellman-group-exchange-sha1': KexGroupExchange_SHA1,
+            'diffie-hellman-group-exchange-sha256': KexGroupExchange_SHA256,
+        }
+
+        # Check if the server supports any of the group-exchange
+        # algorithms.  If so, test each one.
+        for gex_alg, kex_group_class in GEX_ALGS.items():
+            if gex_alg not in kex.kex_algorithms:
+                out.d('Server does not support the algorithm "' + gex_alg + '".', write_now=True)
+            else:
+                kex_group = kex_group_class(out)
+                out.d('Preparing to perform DH group exchange using ' + gex_alg + ' with min, pref and max modulus sizes of ' + str(bits_min) + ' bits, ' + str(bits_pref) + ' bits and ' + str(bits_max) + ' bits...', write_now=True)
+
+                # It has been observed that reconnecting to some SSH servers
+                # multiple times in quick succession can eventually result
+                # in a "connection reset by peer" error. It may be possible
+                # to recover from such an error by sleeping for some time
+                # before continuing to issue reconnects.
+                modulus_size_returned, reconnect_failed = GEXTest._send_init(out, s, kex_group, kex, gex_alg, bits_min, bits_pref, bits_max)
+                if reconnect_failed:
+                    out.fail('Reconnect failed.')
+                    return exitcodes.FAILURE
+
+                if modulus_size_returned > 0:
+                    if gex_alg in modulus_dict:
+                        if modulus_size_returned not in modulus_dict[gex_alg]:
+                            modulus_dict[gex_alg].append(modulus_size_returned)
+                    else:
+                        modulus_dict[gex_alg] = [modulus_size_returned]
+
+        return retval
+
+    # Runs the DH moduli test against the specified target.
+    @staticmethod
+    def run(out: 'OutputBuffer', s: 'SSH_Socket', banner: Optional['Banner'], kex: 'SSH2_Kex') -> None:
+        GEX_ALGS = {
+            'diffie-hellman-group-exchange-sha1': KexGroupExchange_SHA1,
+            'diffie-hellman-group-exchange-sha256': KexGroupExchange_SHA256,
+        }
+
+        # The previous RSA tests put the server in a state we can't
+        # test.  So we need a new connection to start with a clean
+        # slate.
+        if s.is_connected():
+            s.close()
+
+        # Check if the server supports any of the group-exchange
+        # algorithms.  If so, test each one.
+        for gex_alg, kex_group_class in GEX_ALGS.items():  # pylint: disable=too-many-nested-blocks
+            if gex_alg in kex.kex_algorithms:
+                out.d('Preparing to perform DH group exchange using ' + gex_alg + ' with min, pref and max modulus sizes of 512 bits, 1024 bits and 1536 bits...', write_now=True)
+
+                kex_group = kex_group_class(out)
+                smallest_modulus, reconnect_failed = GEXTest._send_init(out, s, kex_group, kex, gex_alg, 512, 1024, 1536)
+                if reconnect_failed:
+                    break
+
+                # Try an array of specific modulus sizes... one at a time.
+                reconnect_failed = False
+                for bits in [512, 768, 1024, 1536, 2048, 3072, 4096]:
+
+                    # If we found one modulus size already, but we're about
+                    # to test a larger one, don't bother.
+                    if bits >= smallest_modulus > 0:
+                        break
+
+                    smallest_modulus, reconnect_failed = GEXTest._send_init(out, s, kex_group, kex, gex_alg, bits, bits, bits)
+
+                # If the smallest modulus is 2048 and the server is OpenSSH, then we may have triggered the fallback mechanism, which tends to happen in testing scenarios such as this but not in most real-world conditions (see X).  To better test this condition, we will do an additional check to see if the server supports sizes between 2048 and 4096, and consider this the definitive result.
+                openssh_test_updated = False
+                if (smallest_modulus == 2048) and (banner is not None) and (banner.software is not None) and (banner.software.find('OpenSSH') != -1):
+                    out.d('First pass found a minimum GEX modulus of 2048 against OpenSSH server.  Performing a second pass to get a more accurate result...')
+                    smallest_modulus, _ = GEXTest._send_init(out, s, kex_group, kex, gex_alg, 2048, 3072, 4096)
+                    out.d('Modulus size returned by server during second pass: %d bits' % smallest_modulus, write_now=True)
+                    openssh_test_updated = bool((smallest_modulus > 0) and (smallest_modulus != 2048))
+
+                if smallest_modulus > 0:
+                    kex.set_dh_modulus_size(gex_alg, smallest_modulus)
+
+                    lst = SSH2_KexDB.get_db()['kex'][gex_alg]
+
+                    # We flag moduli smaller than 2048 as a failure.
+                    if smallest_modulus < 2048:
+                        text = 'using small %d-bit modulus' % smallest_modulus
+
+                        # For 'diffie-hellman-group-exchange-sha256', add
+                        # a failure reason.
+                        if len(lst) == 1:
+                            lst.append([text])
+                        # For 'diffie-hellman-group-exchange-sha1', delete
+                        # the existing failure reason (which is vague), and
+                        # insert our own.
+                        else:
+                            del lst[1]
+                            lst.insert(1, [text])
+
+                    # Moduli smaller than 3072 get flagged as a warning.
+                    elif smallest_modulus < 3072:
+
+                        # Ensure that a warning list exists for us to append to, below.
+                        while len(lst) < 3:
+                            lst.append([])
+
+                        # Ensure this is only added once.
+                        text = '2048-bit modulus only provides 112-bits of symmetric strength'
+                        if text not in lst[2]:
+                            lst[2].append(text)
+
+                    # If we retested against OpenSSH (because its fallback mechanism was triggered), add a special note for the user.
+                    if openssh_test_updated:
+                        text = "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use %u. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477)." % smallest_modulus
+
+                        # Ensure that an info list exists for us to append to, below.
+                        while len(lst) < 4:
+                            lst.append([])
+
+                        # Ensure this is only added once.
+                        if text not in lst[3]:
+                            lst[3].append(text)
+
+                if reconnect_failed:
+                    break
+
+    @staticmethod
+    def _send_init(out: 'OutputBuffer', s: 'SSH_Socket', kex_group: 'KexGroupExchange', kex: 'SSH2_Kex', gex_alg: str, min_bits: int, pref_bits: int, max_bits: int) -> Tuple[int, bool]:
+        '''Internal function for sending the GEX initialization to the server with the minimum, preferred, and maximum modulus bits.  Returns a Tuple of the modulus size received from the server (or -1 on error) and boolean signifying that the connection to the server failed.'''
+
+        smallest_modulus = -1
+        reconnect_failed = False
+        try:
+            if GEXTest.reconnect(out, s, kex, gex_alg) is False:
+                reconnect_failed = True
+                out.d('GEXTest._send_init(%s, %u, %u, %u): reconnection failed.' % (gex_alg, min_bits, pref_bits, max_bits), write_now=True)
+            else:
+                kex_group.send_init_gex(s, min_bits, pref_bits, max_bits)
+                kex_group.recv_reply(s, False)
+                smallest_modulus = kex_group.get_dh_modulus_size()
+                out.d('GEXTest._send_init(%s, %u, %u, %u): received modulus size: %d' % (gex_alg, min_bits, pref_bits, max_bits, smallest_modulus), write_now=True)
+        except KexDHException as e:
+            out.d('GEXTest._send_init(%s, %u, %u, %u): exception when performing DH group exchange init: %s' % (gex_alg, min_bits, pref_bits, max_bits, str(e)), write_now=True)
+        finally:
+            s.close()
+
+        return smallest_modulus, reconnect_failed
--- a/src/ssh_audit/globals.py
+++ b/src/ssh_audit/globals.py
@ -0,0 +1,40 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017-2024 Joe Testa (jtesta@positronsecurity.com)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+# The version to display.
+VERSION = 'v3.4.0-dev'
+
+# SSH software to impersonate
+SSH_HEADER = 'SSH-{0}-OpenSSH_8.2'
+
+# The URL to the Github issues tracker.
+GITHUB_ISSUES_URL = 'https://github.com/jtesta/ssh-audit/issues'
+
+# The man page.  Only filled in on Docker, PyPI, Snap, and Windows builds.
+BUILTIN_MAN_PAGE = ''
+
+# True when installed from a Snap package, otherwise False.
+SNAP_PACKAGE = False
+
+# Error message when installed as a Snap package and a file access fails.
+SNAP_PERMISSIONS_ERROR = 'Error while accessing file.  It appears that ssh-audit was installed as a Snap package.  In that case, there are two options:  1.) only try to read & write files in the $HOME/snap/ssh-audit/common/ directory, or 2.) grant permissions to read & write files in $HOME using the following command: "sudo snap connect ssh-audit:home :home"'
--- a/src/ssh_audit/hostkeytest.py
+++ b/src/ssh_audit/hostkeytest.py
@ -0,0 +1,263 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017-2024 Joe Testa (jtesta@positronsecurity.com)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+
+# pylint: disable=unused-import
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+import traceback
+
+from ssh_audit.kexdh import KexDH, KexDHException, KexGroup1, KexGroup14_SHA1, KexGroup14_SHA256, KexCurve25519_SHA256, KexGroup16_SHA512, KexGroup18_SHA512, KexGroupExchange_SHA1, KexGroupExchange_SHA256, KexNISTP256, KexNISTP384, KexNISTP521
+from ssh_audit.ssh2_kex import SSH2_Kex
+from ssh_audit.ssh2_kexdb import SSH2_KexDB
+from ssh_audit.ssh_socket import SSH_Socket
+from ssh_audit.outputbuffer import OutputBuffer
+
+
+# Obtains host keys, checks their size, and derives their fingerprints.
+class HostKeyTest:
+    # Tracks the RSA host key types.  As of this writing, testing one in this family yields valid results for the rest.
+    RSA_FAMILY = ['ssh-rsa', 'rsa-sha2-256', 'rsa-sha2-512']
+
+    # Dict holding the host key types we should extract & parse.  'cert' is True to denote that a host key type handles certificates (thus requires additional parsing).  'variable_key_len' is True for host key types that can have variable sizes (True only for RSA types, as the rest are of fixed-size).
+    HOST_KEY_TYPES = {
+        'ssh-rsa':      {'cert': False, 'variable_key_len': True},
+        'rsa-sha2-256': {'cert': False, 'variable_key_len': True},
+        'rsa-sha2-512': {'cert': False, 'variable_key_len': True},
+
+        'ssh-rsa-cert-v01@openssh.com':      {'cert': True, 'variable_key_len': True},
+        'rsa-sha2-256-cert-v01@openssh.com': {'cert': True, 'variable_key_len': True},
+        'rsa-sha2-512-cert-v01@openssh.com': {'cert': True, 'variable_key_len': True},
+
+        'ssh-ed25519':                      {'cert': False, 'variable_key_len': False},
+        'ssh-ed25519-cert-v01@openssh.com': {'cert': True, 'variable_key_len': False},
+
+        'ssh-ed448':                      {'cert': False, 'variable_key_len': False},
+        # 'ssh-ed448-cert-v01@openssh.com': {'cert': True,  'variable_key_len': False},
+
+        'ecdsa-sha2-nistp256': {'cert': False, 'variable_key_len': False},
+        'ecdsa-sha2-nistp384': {'cert': False, 'variable_key_len': False},
+        'ecdsa-sha2-nistp521': {'cert': False, 'variable_key_len': False},
+
+        'ecdsa-sha2-nistp256-cert-v01@openssh.com': {'cert': True, 'variable_key_len': False},
+        'ecdsa-sha2-nistp384-cert-v01@openssh.com': {'cert': True, 'variable_key_len': False},
+        'ecdsa-sha2-nistp521-cert-v01@openssh.com': {'cert': True, 'variable_key_len': False},
+
+        'ssh-dss':                      {'cert': False, 'variable_key_len': True},
+        'ssh-dss-cert-v01@openssh.com': {'cert': True,  'variable_key_len': True},
+    }
+
+    TWO2K_MODULUS_WARNING = '2048-bit modulus only provides 112-bits of symmetric strength'
+    SMALL_ECC_MODULUS_WARNING = '224-bit ECC modulus only provides 112-bits of symmetric strength'
+
+
+    @staticmethod
+    def run(out: 'OutputBuffer', s: 'SSH_Socket', server_kex: 'SSH2_Kex') -> None:
+        KEX_TO_DHGROUP = {
+            'diffie-hellman-group1-sha1': KexGroup1,
+            'diffie-hellman-group14-sha1': KexGroup14_SHA1,
+            'diffie-hellman-group14-sha256': KexGroup14_SHA256,
+            'curve25519-sha256': KexCurve25519_SHA256,
+            'curve25519-sha256@libssh.org': KexCurve25519_SHA256,
+            'diffie-hellman-group16-sha512': KexGroup16_SHA512,
+            'diffie-hellman-group18-sha512': KexGroup18_SHA512,
+            'diffie-hellman-group-exchange-sha1': KexGroupExchange_SHA1,
+            'diffie-hellman-group-exchange-sha256': KexGroupExchange_SHA256,
+            'ecdh-sha2-nistp256': KexNISTP256,
+            'ecdh-sha2-nistp384': KexNISTP384,
+            'ecdh-sha2-nistp521': KexNISTP521,
+            # 'kexguess2@matt.ucc.asn.au': ???
+        }
+
+        # Pick the first kex algorithm that the server supports, which we
+        # happen to support as well.
+        kex_str = None
+        kex_group = None
+        for server_kex_alg in server_kex.kex_algorithms:
+            if server_kex_alg in KEX_TO_DHGROUP:
+                kex_str = server_kex_alg
+                kex_group = KEX_TO_DHGROUP[kex_str](out)
+                break
+
+        if kex_str is not None and kex_group is not None:
+            HostKeyTest.perform_test(out, s, server_kex, kex_str, kex_group, HostKeyTest.HOST_KEY_TYPES)
+
+    @staticmethod
+    def perform_test(out: 'OutputBuffer', s: 'SSH_Socket', server_kex: 'SSH2_Kex', kex_str: str, kex_group: 'KexDH', host_key_types: Dict[str, Dict[str, bool]]) -> None:
+        hostkey_modulus_size = 0
+        ca_modulus_size = 0
+        parsed_host_key_types = set()
+
+        # If the connection still exists, close it so we can test
+        # using a clean slate (otherwise it may exist in a non-testable
+        # state).
+        if s.is_connected():
+            s.close()
+
+        # For each host key type...
+        for host_key_type in host_key_types:
+            key_fail_comments = []
+            key_warn_comments = []
+
+            # Skip those already handled (i.e.: those in the RSA family, as testing one tests them all).
+            if host_key_type in parsed_host_key_types:
+                continue
+
+            # If this host key type is supported by the server, we test it.
+            if host_key_type in server_kex.key_algorithms:
+                out.d('Preparing to obtain ' + host_key_type + ' host key...', write_now=True)
+
+                cert = host_key_types[host_key_type]['cert']
+
+                # If the connection is closed, re-open it and get the kex again.
+                if not s.is_connected():
+                    err = s.connect()
+                    if err is not None:
+                        out.v(err, write_now=True)
+                        return
+
+                    _, _, err = s.get_banner()
+                    if err is not None:
+                        out.v(err, write_now=True)
+                        s.close()
+                        return
+
+                    # Send our KEX using the specified group-exchange and most of the server's own values.
+                    s.send_kexinit(key_exchanges=[kex_str], hostkeys=[host_key_type], ciphers=server_kex.server.encryption, macs=server_kex.server.mac, compressions=server_kex.server.compression, languages=server_kex.server.languages)
+
+                    try:
+                        # Parse the server's KEX.
+                        _, payload = s.read_packet()
+                        SSH2_Kex.parse(out, payload)
+                    except Exception:
+                        msg = "Failed to parse server's kex."
+                        if not out.debug:
+                            msg += "  Re-run in debug mode to see stack trace."
+
+                        out.v(msg, write_now=True)
+                        out.d("Stack trace:\n%s" % str(traceback.format_exc()), write_now=True)
+                        return
+
+                # Do the initial DH exchange.  The server responds back
+                # with the host key and its length.  Bingo.  We also get back the host key fingerprint.
+                kex_group.send_init(s)
+                raw_hostkey_bytes = b''
+                try:
+                    kex_reply = kex_group.recv_reply(s)
+                    raw_hostkey_bytes = kex_reply if kex_reply is not None else b''
+                except KexDHException:
+                    msg = "Failed to parse server's host key."
+                    if not out.debug:
+                        msg += "  Re-run in debug mode to see stack trace."
+
+                    out.v(msg, write_now=True)
+                    out.d("Stack trace:\n%s" % str(traceback.format_exc()), write_now=True)
+
+                    # Since parsing this host key failed, there's nothing more to do but close the socket and move on to the next host key type.
+                    s.close()
+                    continue
+
+                hostkey_modulus_size = kex_group.get_hostkey_size()
+                ca_key_type = kex_group.get_ca_type()
+                ca_modulus_size = kex_group.get_ca_size()
+                out.d("Hostkey type: [%s]; hostkey size: %u; CA type: [%s]; CA modulus size: %u" % (host_key_type, hostkey_modulus_size, ca_key_type, ca_modulus_size), write_now=True)
+                out.d("Raw hostkey bytes (%d): [%s]" % (len(raw_hostkey_bytes), raw_hostkey_bytes.hex()), write_now=True)
+
+                # Record all the host key info.
+                server_kex.set_host_key(host_key_type, raw_hostkey_bytes, hostkey_modulus_size, ca_key_type, ca_modulus_size)
+
+                # Set the hostkey size for all RSA key types since 'ssh-rsa', 'rsa-sha2-256', etc. are all using the same host key.  Note, however, that this may change in the future.
+                if cert is False and host_key_type in HostKeyTest.RSA_FAMILY:
+                    for rsa_type in HostKeyTest.RSA_FAMILY:
+                        server_kex.set_host_key(rsa_type, raw_hostkey_bytes, hostkey_modulus_size, ca_key_type, ca_modulus_size)
+
+                # Close the socket, as the connection has
+                # been put in a state that later tests can't use.
+                s.close()
+
+                # If the host key modulus or CA modulus was successfully parsed, check to see that its a safe size.
+                if hostkey_modulus_size > 0 or ca_modulus_size > 0:
+                    # The minimum good modulus size for RSA host keys is 3072.  However, since ECC cryptosystems are fundamentally different, the minimum good is 256.
+                    hostkey_min_good = cakey_min_good = 3072
+                    hostkey_min_warn = cakey_min_warn = 2048
+                    hostkey_warn_str = cakey_warn_str = HostKeyTest.TWO2K_MODULUS_WARNING
+                    if host_key_type.startswith('ssh-ed25519') or host_key_type.startswith('ecdsa-sha2-nistp'):
+                        hostkey_min_good = 256
+                        hostkey_min_warn = 224
+                        hostkey_warn_str = HostKeyTest.SMALL_ECC_MODULUS_WARNING
+                    if ca_key_type.startswith('ssh-ed25519') or ca_key_type.startswith('ecdsa-sha2-nistp'):
+                        cakey_min_good = 256
+                        cakey_min_warn = 224
+                        cakey_warn_str = HostKeyTest.SMALL_ECC_MODULUS_WARNING
+
+                    # Keys smaller than 2048 result in a failure.  Keys smaller 3072 result in a warning.  Update the database accordingly.
+                    if (cert is False) and (hostkey_modulus_size < hostkey_min_good) and (host_key_type != 'ssh-dss'):  # Skip ssh-dss, otherwise we get duplicate failure messages (SSH2_KexDB will always flag it).
+
+                        # If the key is under 2048, add to the failure list.
+                        if hostkey_modulus_size < hostkey_min_warn:
+                            key_fail_comments.append('using small %d-bit modulus' % hostkey_modulus_size)
+                        elif hostkey_warn_str not in key_warn_comments:  # Issue a warning about 2048-bit moduli.
+                            key_warn_comments.append(hostkey_warn_str)
+
+                    elif (cert is True) and ((hostkey_modulus_size < hostkey_min_good) or (0 < ca_modulus_size < cakey_min_good)):
+                        # If the host key is smaller than 2048-bit/224-bit, flag this as a failure.
+                        if hostkey_modulus_size < hostkey_min_warn:
+                            key_fail_comments.append('using small %d-bit hostkey modulus' % hostkey_modulus_size)
+                        # Otherwise, this is just a warning.
+                        elif (hostkey_modulus_size < hostkey_min_good) and (hostkey_warn_str not in key_warn_comments):
+                            key_warn_comments.append(hostkey_warn_str)
+
+                        # If the CA key is smaller than 2048-bit/224-bit, flag this as a failure.
+                        if 0 < ca_modulus_size < cakey_min_warn:
+                            key_fail_comments.append('using small %d-bit CA key modulus' % ca_modulus_size)
+                        # Otherwise, this is just a warning.
+                        elif (0 < ca_modulus_size < cakey_min_good) and (cakey_warn_str not in key_warn_comments):
+                            key_warn_comments.append(cakey_warn_str)
+
+                    # If the CA key type uses ECDSA with a NIST P-curve, fail it for possibly being back-doored.
+                    if ca_key_type.startswith('ecdsa-sha2-nistp'):
+                        key_fail_comments.append('CA key uses elliptic curves that are suspected as being backdoored by the U.S. National Security Agency')
+
+                # If this host key type is in the RSA family, then mark them all as parsed (since results in one are valid for them all).
+                if host_key_type in HostKeyTest.RSA_FAMILY:
+                    for rsa_type in HostKeyTest.RSA_FAMILY:
+                        parsed_host_key_types.add(rsa_type)
+
+                        # If the current key is a member of the RSA family, then populate all RSA family members with the same
+                        # failure and/or warning comments.
+                        db = SSH2_KexDB.get_db()
+                        while len(db['key'][rsa_type]) < 3:
+                            db['key'][rsa_type].append([])
+
+                        db['key'][rsa_type][1].extend(key_fail_comments)
+                        db['key'][rsa_type][2].extend(key_warn_comments)
+
+                else:
+                    parsed_host_key_types.add(host_key_type)
+                    db = SSH2_KexDB.get_db()
+                    while len(db['key'][host_key_type]) < 3:
+                        db['key'][host_key_type].append([])
+
+                    db['key'][host_key_type][1].extend(key_fail_comments)
+                    db['key'][host_key_type][2].extend(key_warn_comments)
--- a/src/ssh_audit/kexdh.py
+++ b/src/ssh_audit/kexdh.py
@ -0,0 +1,421 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017-2023 Joe Testa (jtesta@positronsecurity.com)
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+import binascii
+import os
+import random
+import struct
+import traceback
+
+# pylint: disable=unused-import
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+from ssh_audit.outputbuffer import OutputBuffer
+from ssh_audit.protocol import Protocol
+from ssh_audit.ssh_socket import SSH_Socket
+
+
+class KexDHException(Exception):
+    pass
+
+
+class KexDH:  # pragma: nocover
+    def __init__(self, out: 'OutputBuffer', kex_name: str, hash_alg: str, g: int, p: int) -> None:
+        self.out = out
+        self.__kex_name = kex_name  # pylint: disable=unused-private-member
+        self.__hash_alg = hash_alg  # pylint: disable=unused-private-member
+        self.__g = 0
+        self.__p = 0
+        self.__q = 0
+        self.__x = 0
+        self.__e = 0
+        self.set_params(g, p)
+
+        self.__ed25519_pubkey: Optional[bytes] = None  # pylint: disable=unused-private-member
+        self.__hostkey_type = ''
+        self.__hostkey_e = 0  # pylint: disable=unused-private-member
+        self.__hostkey_n = 0  # pylint: disable=unused-private-member
+        self.__hostkey_n_len = 0  # Length of the host key modulus.
+        self.__ca_key_type = ''  # Type of CA key ('ssh-rsa', etc).
+        self.__ca_n_len = 0  # Length of the CA key modulus (if hostkey is a cert).
+
+    def set_params(self, g: int, p: int) -> None:
+        self.__g = g
+        self.__p = p
+        self.__q = (self.__p - 1) // 2
+        self.__x = 0
+        self.__e = 0
+
+    def send_init(self, s: SSH_Socket, init_msg: int = Protocol.MSG_KEXDH_INIT) -> None:
+        r = random.SystemRandom()
+        self.__x = r.randrange(2, self.__q)
+        self.__e = pow(self.__g, self.__x, self.__p)
+        s.write_byte(init_msg)
+        s.write_mpint2(self.__e)
+        s.send_packet()
+
+    # Parse a KEXDH_REPLY or KEXDH_GEX_REPLY message from the server.  This
+    # contains the host key, among other things.  Function returns the host
+    # key blob (from which the fingerprint can be calculated).
+    def recv_reply(self, s: 'SSH_Socket', parse_host_key_size: bool = True) -> Optional[bytes]:
+        # Reset the CA info, in case it was set from a prior invocation.
+        self.__hostkey_type = ''
+        self.__hostkey_e = 0  # pylint: disable=unused-private-member
+        self.__hostkey_n = 0  # pylint: disable=unused-private-member
+        self.__hostkey_n_len = 0
+        self.__ca_key_type = ''
+        self.__ca_n_len = 0
+
+        packet_type, payload = s.read_packet(2)
+
+        # Skip any & all MSG_DEBUG messages.
+        while packet_type == Protocol.MSG_DEBUG:
+            packet_type, payload = s.read_packet(2)
+
+        if packet_type != -1 and packet_type not in [Protocol.MSG_KEXDH_REPLY, Protocol.MSG_KEXDH_GEX_REPLY]:  # pylint: disable=no-else-raise
+            raise KexDHException('Expected MSG_KEXDH_REPLY (%d) or MSG_KEXDH_GEX_REPLY (%d), but got %d instead.' % (Protocol.MSG_KEXDH_REPLY, Protocol.MSG_KEXDH_GEX_REPLY, packet_type))
+        elif packet_type == -1:
+            # A connection error occurred.  We can't parse anything, so just
+            # return.  The host key modulus (and perhaps certificate modulus)
+            # will remain at length 0.
+            self.out.d("KexDH.recv_reply(): received package_type == -1.")
+            return None
+
+        # Get the host key blob, F, and signature.
+        ptr = 0
+        hostkey, _, ptr = KexDH.__get_bytes(payload, ptr)
+
+        # If we are not supposed to parse the host key size (i.e.: it is a type that is of fixed size such as ed25519), then stop here.
+        if not parse_host_key_size:
+            return hostkey
+
+        _, _, ptr = KexDH.__get_bytes(payload, ptr)
+        _, _, ptr = KexDH.__get_bytes(payload, ptr)
+
+        # Now pick apart the host key blob.
+        # Get the host key type (i.e.: 'ssh-rsa', 'ssh-ed25519', etc).
+        ptr = 0
+        hostkey_type, _, ptr = KexDH.__get_bytes(hostkey, ptr)
+        self.__hostkey_type = hostkey_type.decode('ascii')
+        self.out.d("Parsing host key type: %s" % self.__hostkey_type)
+
+        # If this is an RSA certificate, skip over the nonce.
+        if self.__hostkey_type.startswith('ssh-rsa-cert-v0'):
+            self.out.d("RSA certificate found, so skipping nonce.")
+            _, _, ptr = KexDH.__get_bytes(hostkey, ptr)  # Read & skip over the nonce.
+
+        # The public key exponent.
+        hostkey_e, _, ptr = KexDH.__get_bytes(hostkey, ptr)
+        self.__hostkey_e = int(binascii.hexlify(hostkey_e), 16)  # pylint: disable=unused-private-member
+
+        # ED25519 moduli are fixed at 32 bytes.
+        if self.__hostkey_type == 'ssh-ed25519':
+            self.out.d("%s has a fixed host key modulus of 32." % self.__hostkey_type)
+            self.__hostkey_n_len = 32
+        elif self.__hostkey_type == 'ssh-ed448':
+            self.out.d("%s has a fixed host key modulus of 57." % self.__hostkey_type)
+            self.__hostkey_n_len = 57
+        else:
+            # Here is the modulus size & actual modulus of the host key public key.
+            hostkey_n, self.__hostkey_n_len, ptr = KexDH.__get_bytes(hostkey, ptr)
+            self.__hostkey_n = int(binascii.hexlify(hostkey_n), 16)  # pylint: disable=unused-private-member
+
+        # If this is a certificate, continue parsing to extract the CA type and key length.  Even though a hostkey type might be 'ssh-ed25519-cert-v01@openssh.com', its CA may still be RSA.
+        if self.__hostkey_type.startswith('ssh-rsa-cert-v0') or self.__hostkey_type.startswith('ssh-ed25519-cert-v0'):
+            # Get the CA key type and key length.
+            self.__ca_key_type, self.__ca_n_len = self.__parse_ca_key(hostkey, self.__hostkey_type, ptr)
+            self.out.d("KexDH.__parse_ca_key(): CA key type: [%s]; CA key length: %u" % (self.__ca_key_type, self.__ca_n_len))
+
+        return hostkey
+
+    def __parse_ca_key(self, hostkey: bytes, hostkey_type: str, ptr: int) -> Tuple[str, int]:
+        ca_key_type = ''
+        ca_key_n_len = 0
+
+        # If this is a certificate, continue parsing to extract the CA type and key length.  Even though a hostkey type might be 'ssh-ed25519-cert-v01@openssh.com', its CA may still be RSA.
+        # if hostkey_type.startswith('ssh-rsa-cert-v0') or hostkey_type.startswith('ssh-ed25519-cert-v0'):
+        self.out.d("Parsing CA for hostkey type [%s]..." % hostkey_type)
+
+        # Skip over the serial number.
+        ptr += 8
+
+        # Get the certificate type.
+        cert_type = int(binascii.hexlify(hostkey[ptr:ptr + 4]), 16)
+        ptr += 4
+
+        # Only SSH2_CERT_TYPE_HOST (2) makes sense in this context.
+        if cert_type == 2:
+
+            # Skip the key ID (this is the serial number of the
+            # certificate).
+            key_id, key_id_len, ptr = KexDH.__get_bytes(hostkey, ptr)  # pylint: disable=unused-variable
+
+            # The principles, which are... I don't know what.
+            principles, principles_len, ptr = KexDH.__get_bytes(hostkey, ptr)  # pylint: disable=unused-variable
+
+            # Skip over the timestamp that this certificate is valid after.
+            ptr += 8
+
+            # Skip over the timestamp that this certificate is valid before.
+            ptr += 8
+
+            # TODO: validate the principles, and time range.
+
+            # The critical options.
+            critical_options, critical_options_len, ptr = KexDH.__get_bytes(hostkey, ptr)  # pylint: disable=unused-variable
+
+            # Certificate extensions.
+            extensions, extensions_len, ptr = KexDH.__get_bytes(hostkey, ptr)  # pylint: disable=unused-variable
+
+            # Another nonce.
+            nonce, nonce_len, ptr = KexDH.__get_bytes(hostkey, ptr)  # pylint: disable=unused-variable
+
+            # Finally, we get to the CA key.
+            ca_key, ca_key_len, ptr = KexDH.__get_bytes(hostkey, ptr)  # pylint: disable=unused-variable
+
+            # Last in the host key blob is the CA signature.  It isn't
+            # interesting to us, so we won't bother parsing any further.
+            # The CA key has the modulus, however...
+            ptr = 0
+
+            # 'ssh-rsa', 'rsa-sha2-256', etc.
+            ca_key_type_bytes, ca_key_type_len, ptr = KexDH.__get_bytes(ca_key, ptr)  # pylint: disable=unused-variable
+            ca_key_type = ca_key_type_bytes.decode('ascii')
+            self.out.d("Found CA type: [%s]" % ca_key_type)
+
+            # ED25519 CA's don't explicitly include the modulus size in the public key, since its fixed at 32 in all cases.
+            if ca_key_type == 'ssh-ed25519':
+                ca_key_n_len = 32
+            else:
+                # CA's public key exponent.
+                ca_key_e, ca_key_e_len, ptr = KexDH.__get_bytes(ca_key, ptr)  # pylint: disable=unused-variable
+
+                # CA's modulus.  Bingo.
+                ca_key_n, ca_key_n_len, ptr = KexDH.__get_bytes(ca_key, ptr)  # pylint: disable=unused-variable
+
+                if ca_key_type.startswith("ecdsa-sha2-nistp") and ca_key_n_len > 0:
+                    self.out.d("Found ecdsa-sha2-nistp* CA key type.")
+
+                    # 0x04 signifies that this is an uncompressed public key (meaning that full X and Y values are provided in ca_key_n.
+                    if ca_key_n[0] == 4:
+                        ca_key_n_len = ca_key_n_len - 1  # Subtract the 0x04 byte.
+                        ca_key_n_len = int(ca_key_n_len / 2)  # Divide by 2 since the modulus is the size of either the X or Y value.
+
+
+        else:
+            self.out.d("Certificate type %u found; this is not usually valid in the context of a host key!  Skipping it..." % cert_type)
+
+        return ca_key_type, ca_key_n_len
+
+    @staticmethod
+    def __get_bytes(buf: bytes, ptr: int) -> Tuple[bytes, int, int]:
+        num_bytes = struct.unpack('>I', buf[ptr:ptr + 4])[0]
+        ptr += 4
+        return buf[ptr:ptr + num_bytes], num_bytes, ptr + num_bytes
+
+    # Converts a modulus length in bytes to its size in bits, after some
+    # possible adjustments.
+    @staticmethod
+    def __adjust_key_size(size: int) -> int:
+        size = size * 8
+        # Actual keys are observed to be about 8 bits bigger than expected
+        # (i.e.: 1024-bit keys have a 1032-bit modulus).  Check if this is
+        # the case, and subtract 8 if so.  This simply improves readability
+        # in the UI.
+        if (size >> 3) % 2 != 0:
+            size = size - 8
+        return size
+
+    # Returns the hostkey type.
+    def get_hostkey_type(self) -> str:
+        return self.__hostkey_type
+
+    # Returns the size of the hostkey, in bits.
+    def get_hostkey_size(self) -> int:
+        return KexDH.__adjust_key_size(self.__hostkey_n_len)
+
+    # Returns the CA type ('ssh-rsa', 'ssh-ed25519', etc).
+    def get_ca_type(self) -> str:
+        return self.__ca_key_type
+
+    # Returns the size of the CA key, in bits.
+    def get_ca_size(self) -> int:
+        return KexDH.__adjust_key_size(self.__ca_n_len)
+
+    # Returns the size of the DH modulus, in bits.
+    def get_dh_modulus_size(self) -> int:
+        # -2 to account for the '0b' prefix in the string.
+        return len(bin(self.__p)) - 2
+
+
+class KexGroup1(KexDH):  # pragma: nocover
+    def __init__(self, out: 'OutputBuffer') -> None:
+        # rfc2409: second oakley group
+        p = int('ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece65381ffffffffffffffff', 16)
+        super(KexGroup1, self).__init__(out, 'KexGroup1', 'sha1', 2, p)
+
+
+class KexGroup14(KexDH):  # pragma: nocover
+    def __init__(self, out: 'OutputBuffer', hash_alg: str) -> None:
+        # rfc3526: 2048-bit modp group
+        p = int('ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca18217c32905e462e36ce3be39e772c180e86039b2783a2ec07a28fb5c55df06f4c52c9de2bcbf6955817183995497cea956ae515d2261898fa051015728e5a8aacaa68ffffffffffffffff', 16)
+        super(KexGroup14, self).__init__(out, 'KexGroup14', hash_alg, 2, p)
+
+
+class KexGroup14_SHA1(KexGroup14):
+    def __init__(self, out: 'OutputBuffer') -> None:
+        super(KexGroup14_SHA1, self).__init__(out, 'sha1')
+
+
+class KexGroup14_SHA256(KexGroup14):
+    def __init__(self, out: 'OutputBuffer') -> None:
+        super(KexGroup14_SHA256, self).__init__(out, 'sha256')
+
+
+class KexGroup16_SHA512(KexDH):
+    def __init__(self, out: 'OutputBuffer') -> None:
+        # rfc3526: 4096-bit modp group
+        p = int('ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca18217c32905e462e36ce3be39e772c180e86039b2783a2ec07a28fb5c55df06f4c52c9de2bcbf6955817183995497cea956ae515d2261898fa051015728e5a8aaac42dad33170d04507a33a85521abdf1cba64ecfb850458dbef0a8aea71575d060c7db3970f85a6e1e4c7abf5ae8cdb0933d71e8c94e04a25619dcee3d2261ad2ee6bf12ffa06d98a0864d87602733ec86a64521f2b18177b200cbbe117577a615d6c770988c0bad946e208e24fa074e5ab3143db5bfce0fd108e4b82d120a92108011a723c12a787e6d788719a10bdba5b2699c327186af4e23c1a946834b6150bda2583e9ca2ad44ce8dbbbc2db04de8ef92e8efc141fbecaa6287c59474e6bc05d99b2964fa090c3a2233ba186515be7ed1f612970cee2d7afb81bdd762170481cd0069127d5b05aa993b4ea988d8fddc186ffb7dc90a6c08f4df435c934063199ffffffffffffffff', 16)
+        super(KexGroup16_SHA512, self).__init__(out, 'KexGroup16_SHA512', 'sha512', 2, p)
+
+
+class KexGroup18_SHA512(KexDH):
+    def __init__(self, out: 'OutputBuffer') -> None:
+        # rfc3526: 8192-bit modp group
+        p = int('ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca18217c32905e462e36ce3be39e772c180e86039b2783a2ec07a28fb5c55df06f4c52c9de2bcbf6955817183995497cea956ae515d2261898fa051015728e5a8aaac42dad33170d04507a33a85521abdf1cba64ecfb850458dbef0a8aea71575d060c7db3970f85a6e1e4c7abf5ae8cdb0933d71e8c94e04a25619dcee3d2261ad2ee6bf12ffa06d98a0864d87602733ec86a64521f2b18177b200cbbe117577a615d6c770988c0bad946e208e24fa074e5ab3143db5bfce0fd108e4b82d120a92108011a723c12a787e6d788719a10bdba5b2699c327186af4e23c1a946834b6150bda2583e9ca2ad44ce8dbbbc2db04de8ef92e8efc141fbecaa6287c59474e6bc05d99b2964fa090c3a2233ba186515be7ed1f612970cee2d7afb81bdd762170481cd0069127d5b05aa993b4ea988d8fddc186ffb7dc90a6c08f4df435c93402849236c3fab4d27c7026c1d4dcb2602646dec9751e763dba37bdf8ff9406ad9e530ee5db382f413001aeb06a53ed9027d831179727b0865a8918da3edbebcf9b14ed44ce6cbaced4bb1bdb7f1447e6cc254b332051512bd7af426fb8f401378cd2bf5983ca01c64b92ecf032ea15d1721d03f482d7ce6e74fef6d55e702f46980c82b5a84031900b1c9e59e7c97fbec7e8f323a97a7e36cc88be0f1d45b7ff585ac54bd407b22b4154aacc8f6d7ebf48e1d814cc5ed20f8037e0a79715eef29be32806a1d58bb7c5da76f550aa3d8a1fbff0eb19ccb1a313d55cda56c9ec2ef29632387fe8d76e3c0468043e8f663f4860ee12bf2d5b0b7474d6e694f91e6dbe115974a3926f12fee5e438777cb6a932df8cd8bec4d073b931ba3bc832b68d9dd300741fa7bf8afc47ed2576f6936ba424663aab639c5ae4f5683423b4742bf1c978238f16cbe39d652de3fdb8befc848ad922222e04a4037c0713eb57a81a23f0c73473fc646cea306b4bcbc8862f8385ddfa9d4b7fa2c087e879683303ed5bdd3a062b3cf5b3a278a66d2a13f83f44f82ddf310ee074ab6a364597e899a0255dc164f31cc50846851df9ab48195ded7ea1b1d510bd7ee74d73faf36bc31ecfa268359046f4eb879f924009438b481c6cd7889a002ed5ee382bc9190da6fc026e479558e4475677e9aa9e3050e2765694dfc81f56e880b96e7160c980dd98edd3dfffffffffffffffff', 16)
+        super(KexGroup18_SHA512, self).__init__(out, 'KexGroup18_SHA512', 'sha512', 2, p)
+
+
+class KexCurve25519_SHA256(KexDH):
+    def __init__(self, out: 'OutputBuffer') -> None:
+        super(KexCurve25519_SHA256, self).__init__(out, 'KexCurve25519_SHA256', 'sha256', 0, 0)
+
+    # To start an ED25519 kex, we simply send a random 256-bit number as the
+    # public key.
+    def send_init(self, s: 'SSH_Socket', init_msg: int = Protocol.MSG_KEXDH_INIT) -> None:
+        self.__ed25519_pubkey = os.urandom(32)
+        s.write_byte(init_msg)
+        s.write_string(self.__ed25519_pubkey)
+        s.send_packet()
+
+
+class KexNISTP256(KexDH):
+    def __init__(self, out: 'OutputBuffer') -> None:
+        super(KexNISTP256, self).__init__(out, 'KexNISTP256', 'sha256', 0, 0)
+
+    # Because the server checks that the value sent here is valid (i.e.: it lies
+    # on the curve, among other things), we would have to write a lot of code
+    # or import an elliptic curve library in order to randomly generate a
+    # valid elliptic point each time.  Hence, we will simply send a static
+    # value, which is enough for us to extract the server's host key.
+    def send_init(self, s: 'SSH_Socket', init_msg: int = Protocol.MSG_KEXDH_INIT) -> None:
+        s.write_byte(init_msg)
+        s.write_string(b'\x04\x0b\x60\x44\x9f\x8a\x11\x9e\xc7\x81\x0c\xa9\x98\xfc\xb7\x90\xaa\x6b\x26\x8c\x12\x4a\xc0\x09\xbb\xdf\xc4\x2c\x4c\x2c\x99\xb6\xe1\x71\xa0\xd4\xb3\x62\x47\x74\xb3\x39\x0c\xf2\x88\x4a\x84\x6b\x3b\x15\x77\xa5\x77\xd2\xa9\xc9\x94\xf9\xd5\x66\x19\xcd\x02\x34\xd1')
+        s.send_packet()
+
+
+class KexNISTP384(KexDH):
+    def __init__(self, out: 'OutputBuffer') -> None:
+        super(KexNISTP384, self).__init__(out, 'KexNISTP384', 'sha256', 0, 0)
+
+    # See comment for KexNISTP256.send_init().
+    def send_init(self, s: 'SSH_Socket', init_msg: int = Protocol.MSG_KEXDH_INIT) -> None:
+        s.write_byte(init_msg)
+        s.write_string(b'\x04\xe2\x9b\x84\xce\xa1\x39\x50\xfe\x1e\xa3\x18\x70\x1c\xe2\x7a\xe4\xb5\x6f\xdf\x93\x9f\xd4\xf4\x08\xcc\x9b\x02\x10\xa4\xca\x77\x9c\x2e\x51\x44\x1d\x50\x7a\x65\x4e\x7e\x2f\x10\x2d\x2d\x4a\x32\xc9\x8e\x18\x75\x90\x6c\x19\x10\xda\xcc\xa8\xe9\xf4\xc4\x3a\x53\x80\x35\xf4\x97\x9c\x04\x16\xf9\x5a\xdc\xcc\x05\x94\x29\xfa\xc4\xd6\x87\x4e\x13\x21\xdb\x3d\x12\xac\xbd\x20\x3b\x60\xff\xe6\x58\x42')
+        s.send_packet()
+
+
+class KexNISTP521(KexDH):
+    def __init__(self, out: 'OutputBuffer') -> None:
+        super(KexNISTP521, self).__init__(out, 'KexNISTP521', 'sha256', 0, 0)
+
+    # See comment for KexNISTP256.send_init().
+    def send_init(self, s: 'SSH_Socket', init_msg: int = Protocol.MSG_KEXDH_INIT) -> None:
+        s.write_byte(init_msg)
+        s.write_string(b'\x04\x01\x02\x90\x29\xe9\x8f\xa8\x04\xaf\x1c\x00\xf9\xc6\x29\xc0\x39\x74\x8e\xea\x47\x7e\x7c\xf7\x15\x6e\x43\x3b\x59\x13\x53\x43\xb0\xae\x0b\xe7\xe6\x7c\x55\x73\x52\xa5\x2a\xc1\x42\xde\xfc\xf4\x1f\x8b\x5a\x8d\xfa\xcd\x0a\x65\x77\xa8\xce\x68\xd2\xc6\x26\xb5\x3f\xee\x4b\x01\x7b\xd2\x96\x23\x69\x53\xc7\x01\xe1\x0d\x39\xe9\x87\x49\x3b\xc8\xec\xda\x0c\xf9\xca\xad\x89\x42\x36\x6f\x93\x78\x78\x31\x55\x51\x09\x51\xc0\x96\xd7\xea\x61\xbf\xc2\x44\x08\x80\x43\xed\xc6\xbb\xfb\x94\xbd\xf8\xdf\x2b\xd8\x0b\x2e\x29\x1b\x8c\xc4\x8a\x04\x2d\x3a')
+        s.send_packet()
+
+
+class KexGroupExchange(KexDH):
+    def __init__(self, out: 'OutputBuffer', classname: str, hash_alg: str) -> None:
+        super(KexGroupExchange, self).__init__(out, classname, hash_alg, 0, 0)
+
+    def send_init(self, s: 'SSH_Socket', init_msg: int = Protocol.MSG_KEXDH_GEX_REQUEST) -> None:
+        self.send_init_gex(s)
+
+    # The group exchange starts with sending a message to the server with
+    # the minimum, maximum, and preferred number of bits are for the DH group.
+    # The server responds with a generator and prime modulus that matches that,
+    # then the handshake continues on like a normal DH handshake (except the
+    # SSH message types differ).
+    def send_init_gex(self, s: 'SSH_Socket', minbits: int = 1024, prefbits: int = 2048, maxbits: int = 8192) -> None:
+
+        # Send the initial group exchange request.  Tell the server what range
+        # of modulus sizes we will accept, along with our preference.
+        s.write_byte(Protocol.MSG_KEXDH_GEX_REQUEST)
+        s.write_int(minbits)
+        s.write_int(prefbits)
+        s.write_int(maxbits)
+        s.send_packet()
+
+        packet_type, payload = s.read_packet(2)
+        if packet_type not in [Protocol.MSG_KEXDH_GEX_GROUP, Protocol.MSG_DEBUG]:
+            raise KexDHException('Expected MSG_KEXDH_GEX_REPLY (%d), but got %d instead.' % (Protocol.MSG_KEXDH_GEX_REPLY, packet_type))
+
+        # Skip any & all MSG_DEBUG messages.
+        while packet_type == Protocol.MSG_DEBUG:
+            packet_type, payload = s.read_packet(2)
+
+        try:
+            # Parse the modulus (p) and generator (g) values from the server.
+            ptr = 0
+            p_len = struct.unpack('>I', payload[ptr:ptr + 4])[0]
+            ptr += 4
+
+            p = int(binascii.hexlify(payload[ptr:ptr + p_len]), 16)
+            ptr += p_len
+
+            g_len = struct.unpack('>I', payload[ptr:ptr + 4])[0]
+            ptr += 4
+
+            g = int(binascii.hexlify(payload[ptr:ptr + g_len]), 16)
+            ptr += g_len
+        except struct.error:
+            raise KexDHException("Error while parsing modulus and generator during GEX init: %s" % str(traceback.format_exc())) from None
+
+        # Now that we got the generator and modulus, perform the DH exchange
+        # like usual.
+        super(KexGroupExchange, self).set_params(g, p)
+        super(KexGroupExchange, self).send_init(s, Protocol.MSG_KEXDH_GEX_INIT)
+
+
+class KexGroupExchange_SHA1(KexGroupExchange):
+    def __init__(self, out: 'OutputBuffer') -> None:
+        super(KexGroupExchange_SHA1, self).__init__(out, 'KexGroupExchange_SHA1', 'sha1')
+
+
+class KexGroupExchange_SHA256(KexGroupExchange):
+    def __init__(self, out: 'OutputBuffer') -> None:
+        super(KexGroupExchange_SHA256, self).__init__(out, 'KexGroupExchange_SHA256', 'sha256')
--- a/src/ssh_audit/outputbuffer.py
+++ b/src/ssh_audit/outputbuffer.py
@ -0,0 +1,187 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2021 Joe Testa (jtesta@positronsecurity.com)
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+import os
+import sys
+
+# pylint: disable=unused-import
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+from ssh_audit.utils import Utils
+
+
+class OutputBuffer:
+    LEVELS: Sequence[str] = ('info', 'warn', 'fail')
+    COLORS = {'head': 36, 'good': 32, 'warn': 33, 'fail': 31}
+
+    # Use brighter colors on Windows for better readability.
+    if Utils.is_windows():
+        COLORS = {'head': 96, 'good': 92, 'warn': 93, 'fail': 91}
+
+    def __init__(self, buffer_output: bool = True) -> None:
+        self.buffer_output = buffer_output
+        self.buffer: List[str] = []
+        self.in_section = False
+        self.section: List[str] = []
+        self.batch = False
+        self.verbose = False
+        self.debug = False
+        self.use_colors = True
+        self.json = False
+        self.__level = 0
+        self.__is_color_supported = ('colorama' in sys.modules) or (os.name == 'posix')
+        self.line_ended = True
+
+    def _print(self, level: str, s: str = '', line_ended: bool = True, always_print: bool = False) -> None:
+        '''Saves output to buffer (if in buffered mode), or immediately prints to stdout otherwise.'''
+
+        # If we're logging only 'warn' or above, and this is an 'info', ignore message, unless always_print is True (useful for printing informational lines regardless of the level setting).
+        if (always_print is False) and (self.get_level(level) < self.__level):
+            return
+
+        if self.use_colors and self.colors_supported and len(s) > 0 and level != 'info':
+            s = "\033[0;%dm%s\033[0m" % (self.COLORS[level], s)
+
+        if self.buffer_output:
+            # Select which list to add to.  If we are in a 'with' statement, then this goes in the section buffer, otherwise the general buffer.
+            buf = self.section if self.in_section else self.buffer
+
+            # Determine if a new line should be added, or if the last line should be appended.
+            if not self.line_ended:
+                last_entry = -1 if len(buf) > 0 else 0
+                buf[last_entry] = buf[last_entry] + s
+            else:
+                buf.append(s)
+
+            # When False, this tells the next call to append to the last line we just added.
+            self.line_ended = line_ended
+        else:
+            print(s)
+
+    def get_buffer(self) -> str:
+        '''Returns all buffered output, then clears the buffer.'''
+        self.flush_section()
+
+        buffer_str = "\n".join(self.buffer)
+        self.buffer = []
+        return buffer_str
+
+    def write(self) -> None:
+        '''Writes the output to stdout.'''
+        self.flush_section()
+        print(self.get_buffer(), flush=True)
+
+    def reset(self) -> None:
+        self.flush_section()
+        self.get_buffer()
+
+    @property
+    def level(self) -> str:
+        '''Returns the minimum level for output.'''
+        if self.__level < len(self.LEVELS):
+            return self.LEVELS[self.__level]
+        return 'unknown'
+
+    @level.setter
+    def level(self, name: str) -> None:
+        '''Sets the minimum level for output (one of: 'info', 'warn', 'fail').'''
+        self.__level = self.get_level(name)
+
+    def get_level(self, name: str) -> int:
+        cname = 'info' if name == 'good' else name
+        if cname not in self.LEVELS:
+            return sys.maxsize
+        return self.LEVELS.index(cname)
+
+    @property
+    def colors_supported(self) -> bool:
+        '''Returns True if the system supports color output.'''
+        return self.__is_color_supported
+
+    # When used in a 'with' block, the output to goes into a section; this can be sorted separately when add_section_to_buffer() is later called.
+    def __enter__(self) -> 'OutputBuffer':
+        self.in_section = True
+        return self
+
+    def __exit__(self, *args: Any) -> None:
+        self.in_section = False
+
+    def flush_section(self, sort_section: bool = False) -> None:
+        '''Appends section output (optionally sorting it first) to the end of the buffer, then clears the section output.'''
+        if sort_section:
+            self.section.sort()
+
+        self.buffer.extend(self.section)
+        self.section = []
+
+    def is_section_empty(self) -> bool:
+        '''Returns True if the section buffer is empty, otherwise False.'''
+        return len(self.section) == 0
+
+    def head(self, s: str, line_ended: bool = True) -> 'OutputBuffer':
+        if not self.batch:
+            self._print('head', s, line_ended)
+        return self
+
+    def fail(self, s: str, line_ended: bool = True, write_now: bool = False, always_print: bool = False) -> 'OutputBuffer':
+        self._print('fail', s, line_ended, always_print=always_print)
+        if write_now:
+            self.write()
+        return self
+
+    def warn(self, s: str, line_ended: bool = True, always_print: bool = False) -> 'OutputBuffer':
+        self._print('warn', s, line_ended, always_print=always_print)
+        return self
+
+    def info(self, s: str, line_ended: bool = True, always_print: bool = False) -> 'OutputBuffer':
+        self._print('info', s, line_ended, always_print=always_print)
+        return self
+
+    def good(self, s: str, line_ended: bool = True, always_print: bool = False) -> 'OutputBuffer':
+        self._print('good', s, line_ended, always_print=always_print)
+        return self
+
+    def sep(self) -> 'OutputBuffer':
+        if not self.batch:
+            self._print('info')
+        return self
+
+    def v(self, s: str, write_now: bool = False) -> 'OutputBuffer':
+        '''Prints a message if verbose output is enabled.'''
+        if self.verbose or self.debug:
+            self.info(s)
+            if write_now:
+                self.write()
+
+        return self
+
+    def d(self, s: str, write_now: bool = False) -> 'OutputBuffer':
+        '''Prints a message if verbose output is enabled.'''
+        if self.debug:
+            self.info(s)
+            if write_now:
+                self.write()
+
+        return self
--- a/src/ssh_audit/policy.py
+++ b/src/ssh_audit/policy.py
@ -0,0 +1,675 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2020-2024 Joe Testa (jtesta@positronsecurity.com)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+import copy
+import json
+import sys
+
+from typing import Dict, List, Tuple
+from typing import Optional, Any, Union, cast
+from datetime import date
+
+from ssh_audit import exitcodes
+from ssh_audit.banner import Banner
+from ssh_audit.builtin_policies import BUILTIN_POLICIES
+from ssh_audit.globals import SNAP_PACKAGE, SNAP_PERMISSIONS_ERROR
+from ssh_audit.ssh2_kex import SSH2_Kex
+
+
+# Validates policy files and performs policy testing
+class Policy:
+
+    WARNING_DEPRECATED_DIRECTIVES = "\nWARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.\n"
+
+    def __init__(self, policy_file: Optional[str] = None, policy_data: Optional[str] = None, manual_load: bool = False, json_output: bool = False) -> None:
+        self._name: Optional[str] = None
+        self._version: Optional[str] = None
+        self._banner: Optional[str] = None
+        self._compressions: Optional[List[str]] = None
+        self._host_keys: Optional[List[str]] = None
+        self._optional_host_keys: Optional[List[str]] = None
+        self._kex: Optional[List[str]] = None
+        self._ciphers: Optional[List[str]] = None
+        self._macs: Optional[List[str]] = None
+        self._hostkey_sizes: Optional[Dict[str, Dict[str, Union[int, str, bytes]]]] = None
+        self._dh_modulus_sizes: Optional[Dict[str, int]] = None
+        self._server_policy = True
+        self._allow_algorithm_subset_and_reordering = False
+        self._allow_larger_keys = False
+        self._errors: List[Any] = []
+        self._updated_builtin_policy_available = False  # If True, an outdated built-in policy was loaded.
+
+        self._name_and_version: str = ''
+
+        # If invoked while JSON output is expected, send warnings to stderr instead of stdout (which would corrupt the JSON output).
+        if json_output:
+            self._warning_target = sys.stderr
+        else:
+            self._warning_target = sys.stdout
+
+        # Ensure that only one mode was specified.
+        num_modes = 0
+        if policy_file is not None:
+            num_modes += 1
+        if policy_data is not None:
+            num_modes += 1
+        if manual_load is True:
+            num_modes += 1
+
+        if num_modes != 1:
+            raise RuntimeError('Exactly one of the following can be specified only: policy_file, policy_data, or manual_load')
+
+        if manual_load:
+            return
+
+        if policy_file is not None:
+            try:
+                with open(policy_file, "r", encoding='utf-8') as f:
+                    policy_data = f.read()
+            except FileNotFoundError:
+                print("Error: policy file not found: %s" % policy_file)
+                sys.exit(exitcodes.UNKNOWN_ERROR)
+            except PermissionError as e:
+                # If installed as a Snap package, print a more useful message with potential work-arounds.
+                if SNAP_PACKAGE:
+                    print(SNAP_PERMISSIONS_ERROR)
+                else:
+                    print("Error: insufficient permissions: %s" % str(e))
+                sys.exit(exitcodes.UNKNOWN_ERROR)
+
+        lines = []
+        if policy_data is not None:
+            lines = policy_data.split("\n")
+
+        for line in lines:
+            line = line.strip()
+            if (len(line) == 0) or line.startswith('#'):
+                continue
+
+            key = None
+            val = None
+            try:
+                key, val = line.split('=')
+            except ValueError as ve:
+                raise ValueError("could not parse line: %s" % line) from ve
+
+            key = key.strip()
+            val = val.strip()
+
+            if key not in ['name', 'version', 'banner', 'compressions', 'host keys', 'optional host keys', 'key exchanges', 'ciphers', 'macs', 'client policy', 'host_key_sizes', 'dh_modulus_sizes', 'allow_algorithm_subset_and_reordering', 'allow_larger_keys'] and not key.startswith('hostkey_size_') and not key.startswith('cakey_size_') and not key.startswith('dh_modulus_size_'):
+                raise ValueError("invalid field found in policy: %s" % line)
+
+            if key in ['name', 'banner']:
+
+                # If the banner value is blank, set it to "" so that the code below handles it.
+                if len(val) < 2:
+                    val = "\"\""
+
+                if (val[0] != '"') or (val[-1] != '"'):
+                    raise ValueError('the value for the %s field must be enclosed in quotes: %s' % (key, val))
+
+                # Remove the surrounding quotes, and unescape quotes & newlines.
+                val = val[1:-1]. replace("\\\"", "\"").replace("\\n", "\n")
+
+                if key == 'name':
+                    self._name = val
+                elif key == 'banner':
+                    self._banner = val
+
+            elif key == 'version':
+                self._version = val
+
+            elif key in ['compressions', 'host keys', 'optional host keys', 'key exchanges', 'ciphers', 'macs']:
+                try:
+                    algs = val.split(',')
+                except ValueError:
+                    # If the value has no commas, then set the algorithm list to just the value.
+                    algs = [val]
+
+                # Strip whitespace in each algorithm name.
+                algs = [alg.strip() for alg in algs]
+
+                if key == 'compressions':
+                    self._compressions = algs
+                elif key == 'host keys':
+                    self._host_keys = algs
+                elif key == 'optional host keys':
+                    self._optional_host_keys = algs
+                elif key == 'key exchanges':
+                    self._kex = algs
+                elif key == 'ciphers':
+                    self._ciphers = algs
+                elif key == 'macs':
+                    self._macs = algs
+
+            elif key.startswith('hostkey_size_'):  # Old host key size format.
+                print(Policy.WARNING_DEPRECATED_DIRECTIVES, file=self._warning_target)  # Warn the user that the policy file is using deprecated directives.
+
+                hostkey_type = key[13:]
+                hostkey_size = int(val)
+
+                if self._hostkey_sizes is None:
+                    self._hostkey_sizes = {}
+
+                self._hostkey_sizes[hostkey_type] = {'hostkey_size': hostkey_size, 'ca_key_type': '', 'ca_key_size': 0}
+
+            elif key.startswith('cakey_size_'):  # Old host key size format.
+                print(Policy.WARNING_DEPRECATED_DIRECTIVES, file=self._warning_target)  # Warn the user that the policy file is using deprecated directives.
+
+                hostkey_type = key[11:]
+                ca_key_size = int(val)
+
+                ca_key_type = 'ssh-ed25519'
+                if hostkey_type in ['ssh-rsa-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com']:
+                    ca_key_type = 'ssh-rsa'
+
+                if self._hostkey_sizes is None:
+                    self._hostkey_sizes = {}
+                self._hostkey_sizes[hostkey_type] = {'hostkey_size': hostkey_size, 'ca_key_type': ca_key_type, 'ca_key_size': ca_key_size}
+
+            elif key == 'host_key_sizes':  # New host key size format.
+                self._hostkey_sizes = json.loads(val)
+
+                # Fill in the trimmed fields that were omitted from the policy.
+                self._normalize_hostkey_sizes()
+
+            elif key.startswith('dh_modulus_size_'):  # Old DH modulus format.
+                print(Policy.WARNING_DEPRECATED_DIRECTIVES, file=self._warning_target)  # Warn the user that the policy file is using deprecated directives.
+
+                dh_type = key[16:]
+                dh_size = int(val)
+
+                if self._dh_modulus_sizes is None:
+                    self._dh_modulus_sizes = {}
+
+                self._dh_modulus_sizes[dh_type] = dh_size
+
+            elif key == 'dh_modulus_sizes':  # New DH modulus format.
+                self._dh_modulus_sizes = json.loads(val)
+
+            elif key.startswith('client policy') and val.lower() == 'true':
+                self._server_policy = False
+            elif key == 'allow_algorithm_subset_and_reordering' and val.lower() == 'true':
+                self._allow_algorithm_subset_and_reordering = True
+            elif key == 'allow_larger_keys' and val.lower() == 'true':
+                self._allow_larger_keys = True
+
+        if self._name is None:
+            raise ValueError('The policy does not have a name field.')
+        if self._version is None:
+            raise ValueError('The policy does not have a version field.')
+
+        self._name_and_version = "%s (version %s)" % (self._name, self._version)
+
+
+    def _append_error(self, mismatched_field: str, expected_required: Optional[List[str]], expected_optional: Optional[List[str]], actual: List[str]) -> None:
+        if expected_required is None:
+            expected_required = ['']
+        if expected_optional is None:
+            expected_optional = ['']
+        self._errors.append({'mismatched_field': mismatched_field, 'expected_required': expected_required, 'expected_optional': expected_optional, 'actual': actual})
+
+
+    def _normalize_hostkey_sizes(self) -> None:
+        '''Normalizes the self._hostkey_sizes structure to ensure all required fields are present.'''
+
+        if self._hostkey_sizes is not None:
+            for host_key_type in self._hostkey_sizes:
+                if 'ca_key_type' not in self._hostkey_sizes[host_key_type]:
+                    self._hostkey_sizes[host_key_type]['ca_key_type'] = ''
+                if 'ca_key_size' not in self._hostkey_sizes[host_key_type]:
+                    self._hostkey_sizes[host_key_type]['ca_key_size'] = 0
+                if 'raw_hostkey_bytes' not in self._hostkey_sizes[host_key_type]:
+                    self._hostkey_sizes[host_key_type]['raw_hostkey_bytes'] = b''
+
+
+    @staticmethod
+    def create(source: Optional[str], banner: Optional['Banner'], kex: Optional['SSH2_Kex'], client_audit: bool) -> str:
+        '''Creates a policy based on a server configuration.  Returns a string.'''
+
+        today = date.today().strftime('%Y/%m/%d')
+        compressions = None
+        host_keys = None
+        kex_algs = None
+        ciphers = None
+        macs = None
+        dh_modulus_sizes_str = ''
+        client_policy_str = ''
+        host_keys_json = ''
+
+        if client_audit:
+            client_policy_str = "\n# Set to true to signify this is a policy for clients, not servers.\nclient policy = true\n"
+
+        if kex is not None:
+            if kex.server.compression is not None:
+                compressions = ', '.join(kex.server.compression)
+            if kex.key_algorithms is not None:
+                host_keys = ', '.join(kex.key_algorithms)
+            if kex.kex_algorithms is not None:
+                kex_algs = ', '.join(kex.kex_algorithms)
+            if kex.server.encryption is not None:
+                ciphers = ', '.join(kex.server.encryption)
+            if kex.server.mac is not None:
+                macs = ', '.join(kex.server.mac)
+
+            if kex.host_keys():
+
+                # Make a deep copy of the host keys dict, then delete all the raw hostkey bytes from the copy.
+                host_keys_trimmed = copy.deepcopy(kex.host_keys())
+                for hostkey_alg in host_keys_trimmed:
+                    del host_keys_trimmed[hostkey_alg]['raw_hostkey_bytes']
+
+                    # Delete the CA signature if any of its fields are empty.
+                    if host_keys_trimmed[hostkey_alg]['ca_key_type'] == '' or host_keys_trimmed[hostkey_alg]['ca_key_size'] == 0:
+                        del host_keys_trimmed[hostkey_alg]['ca_key_type']
+                        del host_keys_trimmed[hostkey_alg]['ca_key_size']
+
+                host_keys_json = "\n# Dictionary containing all host key and size information.  Optionally contains the certificate authority's signature algorithm ('ca_key_type') and signature length ('ca_key_size'), if any.\nhost_key_sizes = %s\n" % json.dumps(host_keys_trimmed)
+
+            if kex.dh_modulus_sizes():
+                dh_modulus_sizes_str = "\n# Group exchange DH modulus sizes.\ndh_modulus_sizes = %s\n" % json.dumps(kex.dh_modulus_sizes())
+
+
+        policy_data = '''#
+# Custom policy based on %s (created on %s)
+#
+%s
+# The name of this policy (displayed in the output during scans).  Must be in quotes.
+name = "Custom Policy (based on %s on %s)"
+
+# The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
+version = 1
+
+# When false, host keys, kex, ciphers, and MAC lists must match exactly.  When true, the target host may support a subset of the specified algorithms and/or algorithms may appear in a different order; this feature is useful for specifying a baseline and allowing some hosts the option to implement stricter controls.
+allow_algorithm_subset_and_reordering = false
+
+# When false, host keys, CA keys, and Diffie-Hellman key sizes must exactly match what's specified in this policy.  When true, target systems are allowed to have larger keys; this feature is useful for specifying a baseline and allowing some hosts the option to implement stricter controls.
+allow_larger_keys = false
+
+# The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "%s"
+
+# The compression options that must match exactly (order matters).  Commented out to ignore by default.
+# compressions = %s
+%s%s
+# The host key types that must match exactly (order matters).
+host keys = %s
+
+# Host key types that may optionally appear.
+#optional host keys = ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = %s
+
+# The ciphers that must match exactly (order matters).
+ciphers = %s
+
+# The MACs that must match exactly (order matters).
+macs = %s
+''' % (source, today, client_policy_str, source, today, banner, compressions, host_keys_json, dh_modulus_sizes_str, host_keys, kex_algs, ciphers, macs)
+
+        return policy_data
+
+
+    def evaluate(self, banner: Optional['Banner'], kex: Optional['SSH2_Kex']) -> Tuple[bool, List[Dict[str, str]], str]:
+        '''Evaluates a server configuration against this policy.  Returns a tuple of a boolean (True if server adheres to policy) and an array of strings that holds error messages.'''
+
+        ret = True
+
+        banner_str = str(banner)
+        if (self._banner is not None) and (banner_str != self._banner):
+            ret = False
+            self._append_error('Banner', [self._banner], None, [banner_str])
+
+        # All subsequent tests require a valid kex, so end here if we don't have one.
+        if kex is None:
+            error_list, error_str = self._get_errors()
+            return ret, error_list, error_str
+
+        if (self._compressions is not None) and (kex.server.compression != self._compressions):
+            ret = False
+            self._append_error('Compression', self._compressions, None, kex.server.compression)
+
+        # If a list of optional host keys was given in the policy, remove any of its entries from the list retrieved from the server.  This allows us to do an exact comparison with the expected list below.
+        pruned_host_keys = kex.key_algorithms
+        if self._optional_host_keys is not None:
+            pruned_host_keys = [x for x in kex.key_algorithms if x not in self._optional_host_keys]
+
+        # Check host keys.
+        if self._host_keys is not None:
+            # If the policy allows subsets and re-ordered algorithms...
+            if self._allow_algorithm_subset_and_reordering:
+                for hostkey_t in kex.key_algorithms:
+                    if hostkey_t not in self._host_keys:
+                        ret = False
+                        self._append_error('Host keys', self._host_keys, self._optional_host_keys, kex.key_algorithms)
+                        break
+            # The policy requires exact matching of algorithms.
+            elif pruned_host_keys != self._host_keys:
+                ret = False
+                self._append_error('Host keys', self._host_keys, self._optional_host_keys, kex.key_algorithms)
+
+        # Check host key sizes.
+        if self._hostkey_sizes is not None:
+            hostkey_types = list(self._hostkey_sizes.keys())
+            hostkey_types.sort()  # Sorted to make testing output repeatable.
+            for hostkey_type in hostkey_types:
+                expected_hostkey_size = cast(int, self._hostkey_sizes[hostkey_type]['hostkey_size'])
+                server_host_keys = kex.host_keys()
+                if hostkey_type in server_host_keys:
+                    actual_hostkey_size = cast(int, server_host_keys[hostkey_type]['hostkey_size'])
+                    if (self._allow_larger_keys and actual_hostkey_size < expected_hostkey_size) or \
+                       (not self._allow_larger_keys and actual_hostkey_size != expected_hostkey_size):
+                        ret = False
+                        self._append_error('Host key (%s) sizes' % hostkey_type, [str(expected_hostkey_size)], None, [str(actual_hostkey_size)])
+
+                    # If we have expected CA signatures set, check them against what the server returned.
+                    if self._hostkey_sizes is not None and len(cast(str, self._hostkey_sizes[hostkey_type]['ca_key_type'])) > 0 and cast(int, self._hostkey_sizes[hostkey_type]['ca_key_size']) > 0:
+                        expected_ca_key_type = cast(str, self._hostkey_sizes[hostkey_type]['ca_key_type'])
+                        expected_ca_key_size = cast(int, self._hostkey_sizes[hostkey_type]['ca_key_size'])
+                        actual_ca_key_type = cast(str, server_host_keys[hostkey_type]['ca_key_type'])
+                        actual_ca_key_size = cast(int, server_host_keys[hostkey_type]['ca_key_size'])
+
+                        # Ensure that the CA signature type is what's expected (i.e.: the server doesn't have an RSA sig when we're expecting an ED25519 sig).
+                        if actual_ca_key_type != expected_ca_key_type:
+                            ret = False
+                            self._append_error('CA signature type', [expected_ca_key_type], None, [actual_ca_key_type])
+                        # Ensure that the actual and expected signature sizes match.
+                        elif (self._allow_larger_keys and actual_ca_key_size < expected_ca_key_size) or \
+                             (not self._allow_larger_keys and actual_ca_key_size != expected_ca_key_size):
+                            ret = False
+                            self._append_error('CA signature size (%s)' % actual_ca_key_type, [str(expected_ca_key_size)], None, [str(actual_ca_key_size)])
+
+        # Check key exchanges.
+        if self._kex is not None:
+            # If the policy allows subsets and re-ordered algorithms...
+            if self._allow_algorithm_subset_and_reordering:
+                for kex_t in kex.kex_algorithms:
+                    if kex_t not in self._kex:
+                        ret = False
+                        self._append_error('Key exchanges', self._kex, None, kex.kex_algorithms)
+                        break
+                # If kex-strict-?-v00@openssh.com is in the policy (i.e. the Terrapin vulnerability countermeasure), then it must appear in the server's list, regardless of the "allow_algorithm_subset_and_reordering" flag.
+                if ('kex-strict-s-v00@openssh.com' in self._kex and 'kex-strict-s-v00@openssh.com' not in kex.kex_algorithms) or \
+                   ('kex-strict-c-v00@openssh.com' in self._kex and 'kex-strict-c-v00@openssh.com' not in kex.kex_algorithms):
+                    ret = False
+                    self._append_error('Key exchanges', self._kex, None, kex.kex_algorithms)
+
+            # The policy requires exact matching of algorithms.
+            elif kex.kex_algorithms != self._kex:
+                ret = False
+                self._append_error('Key exchanges', self._kex, None, kex.kex_algorithms)
+
+        # Checking Ciphers
+        if self._ciphers is not None:
+            # If the policy allows subsets and re-ordered algorithms...
+            if self._allow_algorithm_subset_and_reordering:
+                for cipher_t in kex.server.encryption:
+                    if cipher_t not in self._ciphers:
+                        ret = False
+                        self._append_error('Ciphers', self._ciphers, None, kex.server.encryption)
+                        break
+            # The policy requires exact matching of algorithms.
+            elif kex.server.encryption != self._ciphers:
+                ret = False
+                self._append_error('Ciphers', self._ciphers, None, kex.server.encryption)
+
+        # Checking MACs
+        if self._macs is not None:
+            # If the policy allows subsets and re-ordered algorithms...
+            if self._allow_algorithm_subset_and_reordering:
+                for mac_t in kex.server.mac:
+                    if mac_t not in self._macs:
+                        ret = False
+                        self._append_error('MACs', self._macs, None, kex.server.mac)
+                        break
+            # The policy requires exact matching of algorithms.
+            elif kex.server.mac != self._macs:
+                ret = False
+                self._append_error('MACs', self._macs, None, kex.server.mac)
+
+        if self._dh_modulus_sizes is not None:
+            dh_modulus_types = list(self._dh_modulus_sizes.keys())
+            dh_modulus_types.sort()  # Sorted to make testing output repeatable.
+            for dh_modulus_type in dh_modulus_types:
+                expected_dh_modulus_size = self._dh_modulus_sizes[dh_modulus_type]
+                if dh_modulus_type in kex.dh_modulus_sizes():
+                    actual_dh_modulus_size = kex.dh_modulus_sizes()[dh_modulus_type]
+                    if (self._allow_larger_keys and actual_dh_modulus_size < expected_dh_modulus_size) or \
+                       (not self._allow_larger_keys and actual_dh_modulus_size != expected_dh_modulus_size):
+                        ret = False
+                        self._append_error('Group exchange (%s) modulus sizes' % dh_modulus_type, [str(expected_dh_modulus_size)], None, [str(actual_dh_modulus_size)])
+
+        error_list, error_str = self._get_errors()
+        return ret, error_list, error_str
+
+
+    def _get_errors(self) -> Tuple[List[Any], str]:
+        '''Returns the list of errors, along with the string representation of those errors.'''
+
+        subset_and_reordering_semicolon = "; subset and/or reordering allowed" if self._allow_algorithm_subset_and_reordering else "; exact match"
+        subset_and_reordering_parens = " (subset and/or reordering allowed)" if self._allow_algorithm_subset_and_reordering else ""
+        error_list = []
+        spacer = ''
+        for e in self._errors:
+            e_str = "  * %s did not match.\n" % e['mismatched_field']
+
+            if ('expected_optional' in e) and (e['expected_optional'] != ['']):
+                e_str += "    - Expected (required%s): %s\n    - Expected (optional): %s\n" % (subset_and_reordering_semicolon, Policy._normalize_error_field(e['expected_required']), Policy._normalize_error_field(e['expected_optional']))
+                spacer = '              '
+            else:
+                e_str += "    - Expected%s: %s\n" % (subset_and_reordering_parens, Policy._normalize_error_field(e['expected_required']))
+                spacer = '   '
+            e_str += "    - Actual:%s%s\n" % (spacer, Policy._normalize_error_field(e['actual']))
+            error_list.append(e_str)
+
+        error_list.sort()  # To ensure repeatable results for testing.
+
+        error_str = ''
+        if len(error_list) > 0:
+            error_str = "\n".join(error_list)
+
+        return self._errors, error_str
+
+
+    def get_name_and_version(self) -> str:
+        '''Returns a string of this Policy's name and version.'''
+        return self._name_and_version
+
+
+    def is_outdated_builtin_policy(self) -> bool:
+        '''Returns True if this is a built-in policy that has a more recent version available than currently selected.'''
+        return self._updated_builtin_policy_available
+
+
+    def is_server_policy(self) -> bool:
+        '''Returns True if this is a server policy, or False if this is a client policy.'''
+        return self._server_policy
+
+
+    @staticmethod
+    def list_builtin_policies(verbose: bool) -> Tuple[List[str], List[str]]:
+        '''Returns two lists: a list of names of built-in server policies, and a list of names of built-in client policies, respectively.'''
+        server_policy_descriptions = []
+        client_policy_descriptions = []
+
+        latest_server_policies: Dict[str, Dict[str, Union[int, str]]] = {}
+        latest_client_policies: Dict[str, Dict[str, Union[int, str]]] = {}
+        for policy_name, policy in BUILTIN_POLICIES.items():
+
+            # If not in verbose mode, only store the latest version of each policy.
+            if not verbose:
+                policy_description = "\"{:s}\"".format(policy_name)
+
+                # Truncate the version off the policy name and obtain the version as an integer. (i.e.: "Platform X (version 3)" -> "Platform X", 3
+                policy_name_no_version = ""
+                version = 0
+                version_pos = policy_name.find(" (version ")
+                if version_pos != -1:
+                    policy_name_no_version = policy_name[0:version_pos]
+                    version = int(cast(str, policy['version']))  # Unit tests guarantee this to be parseable as an int.
+
+                d = latest_server_policies if policy['server_policy'] else latest_client_policies
+                if policy_name_no_version not in d:
+                    d[policy_name_no_version] = {}
+                    d[policy_name_no_version]['latest_version'] = version
+                    d[policy_name_no_version]['description'] = policy_description
+                elif version > cast(int, d[policy_name_no_version]['latest_version']):  # If an updated version of the policy was found, replace the old one.
+                    d[policy_name_no_version]['latest_version'] = version
+                    d[policy_name_no_version]['description'] = policy_description
+            else:  # In verbose mode, return all policy versions.
+                policy_description = "\"{:s}\": {:s}".format(policy_name, policy['changelog'])
+                if policy['server_policy']:
+                    server_policy_descriptions.append(policy_description)
+                else:
+                    client_policy_descriptions.append(policy_description)
+
+        # Now that we have references to the latest policies only, add their full descriptions to the lists for returning.
+        if not verbose:
+            for _, dd in latest_server_policies.items():
+                server_policy_descriptions.append(cast(str, dd['description']))
+
+            for _, dd in latest_client_policies.items():
+                client_policy_descriptions.append(cast(str, dd['description']))
+
+        # Sort the lists for better readability.
+        server_policy_descriptions.sort()
+        client_policy_descriptions.sort()
+        return server_policy_descriptions, client_policy_descriptions
+
+
+    @staticmethod
+    def load_builtin_policy(policy_name: str, json_output: bool = False) -> Optional['Policy']:
+        '''Returns a Policy with the specified built-in policy name loaded, or None if no policy of that name exists.'''
+        p = None
+        if policy_name in BUILTIN_POLICIES:
+            policy_struct = BUILTIN_POLICIES[policy_name]
+            p = Policy(manual_load=True, json_output=json_output)
+            policy_name_without_version = policy_name[0:policy_name.rfind(' (')]
+            p._name = policy_name_without_version  # pylint: disable=protected-access
+            p._version = cast(str, policy_struct['version'])  # pylint: disable=protected-access
+            p._banner = cast(Optional[str], policy_struct['banner'])  # pylint: disable=protected-access
+            p._compressions = cast(Optional[List[str]], policy_struct['compressions'])  # pylint: disable=protected-access
+            p._host_keys = cast(Optional[List[str]], policy_struct['host_keys'])  # pylint: disable=protected-access
+            p._optional_host_keys = cast(Optional[List[str]], policy_struct['optional_host_keys'])  # pylint: disable=protected-access
+            p._kex = cast(Optional[List[str]], policy_struct['kex'])  # pylint: disable=protected-access
+            p._ciphers = cast(Optional[List[str]], policy_struct['ciphers'])  # pylint: disable=protected-access
+            p._macs = cast(Optional[List[str]], policy_struct['macs'])  # pylint: disable=protected-access
+            p._hostkey_sizes = cast(Optional[Dict[str, Dict[str, Union[int, str, bytes]]]], policy_struct['hostkey_sizes'])  # pylint: disable=protected-access
+            p._dh_modulus_sizes = cast(Optional[Dict[str, int]], policy_struct['dh_modulus_sizes'])  # pylint: disable=protected-access
+            p._server_policy = cast(bool, policy_struct['server_policy'])  # pylint: disable=protected-access
+            p._name_and_version = "%s (version %s)" % (p._name, p._version)  # pylint: disable=protected-access
+
+            # Ensure this struct has all the necessary fields.
+            p._normalize_hostkey_sizes()  # pylint: disable=protected-access
+
+        # Now check if an updated version of the requested policy exists.  If so, set a warning for the user.
+        if p is not None and p._version is not None:  # pylint: disable=protected-access
+            next_version = str(int(p._version) + 1)  # pylint: disable=protected-access
+            name_version_pos = policy_name.find("(version ")
+            next_version_name = policy_name[0:name_version_pos] + "(version %s)" % next_version
+            if next_version_name in BUILTIN_POLICIES:
+                p._updated_builtin_policy_available = True  # pylint: disable=protected-access
+
+        return p
+
+
+    @staticmethod
+    def _normalize_error_field(field: List[str]) -> Any:
+        '''If field is an array with a string parsable as an integer, return that integer.  Otherwise, return the field joined with commas.'''
+        if len(field) == 1:
+            try:
+                return int(field[0])
+            except ValueError:
+                return field[0]
+        else:
+            return ', '.join(field)
+
+
+    def __str__(self) -> str:
+        undefined = '{undefined}'
+
+        name = undefined
+        version = undefined
+        banner = undefined
+        compressions_str = undefined
+        host_keys_str = undefined
+        optional_host_keys_str = undefined
+        kex_str = undefined
+        ciphers_str = undefined
+        macs_str = undefined
+        hostkey_sizes_str = undefined
+        dh_modulus_sizes_str = undefined
+
+
+        if self._name is not None:
+            name = '[%s]' % self._name
+        if self._version is not None:
+            version = '[%s]' % self._version
+        if self._banner is not None:
+            banner = '[%s]' % self._banner
+
+        if self._compressions is not None:
+            compressions_str = ', '.join(self._compressions)
+        if self._host_keys is not None:
+            host_keys_str = ', '.join(self._host_keys)
+        if self._optional_host_keys is not None:
+            optional_host_keys_str = ', '.join(self._optional_host_keys)
+        if self._kex is not None:
+            kex_str = ', '.join(self._kex)
+        if self._ciphers is not None:
+            ciphers_str = ', '.join(self._ciphers)
+        if self._macs is not None:
+            macs_str = ', '.join(self._macs)
+        if self._hostkey_sizes is not None:
+            hostkey_sizes_str = str(self._hostkey_sizes)
+        if self._dh_modulus_sizes is not None:
+            dh_modulus_sizes_str = str(self._dh_modulus_sizes)
+
+        return "Name: %s\nVersion: %s\nAllow Algorithm Subset and/or Reordering: %r\nBanner: %s\nCompressions: %s\nHost Keys: %s\nOptional Host Keys: %s\nKey Exchanges: %s\nCiphers: %s\nMACs: %s\nHost Key Sizes: %s\nDH Modulus Sizes: %s\nServer Policy: %r" % (name, version, self._allow_algorithm_subset_and_reordering, banner, compressions_str, host_keys_str, optional_host_keys_str, kex_str, ciphers_str, macs_str, hostkey_sizes_str, dh_modulus_sizes_str, self._server_policy)
+
+
+    def __getstate__(self) -> Dict[str, Any]:
+        '''Called when pickling this object.  The file descriptor isn't serializable, so we'll remove it from the state and include a string representation.'''
+
+        state = self.__dict__.copy()
+
+        if state['_warning_target'] == sys.stdout:
+            state['_warning_target_type'] = 'stdout'
+        else:
+            state['_warning_target_type'] = 'stderr'
+
+        del state['_warning_target']
+        return state
+
+
+    def __setstate__(self, state: Dict[str, Any]) -> None:
+        '''Called when unpickling this object.  Based on the string representation of the file descriptor, we'll restore the right handle.'''
+
+        if state['_warning_target_type'] == 'stdout':
+            state['_warning_target'] = sys.stdout
+        else:
+            state['_warning_target'] = sys.stderr
+
+        del state['_warning_target_type']
+        self.__dict__.update(state)
--- a/src/ssh_audit/product.py
+++ b/src/ssh_audit/product.py
@ -0,0 +1,31 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+
+
+class Product:  # pylint: disable=too-few-public-methods
+    OpenSSH = 'OpenSSH'
+    DropbearSSH = 'Dropbear SSH'
+    LibSSH = 'libssh'
+    TinySSH = 'TinySSH'
+    PuTTY = 'PuTTY'
--- a/src/ssh_audit/protocol.py
+++ b/src/ssh_audit/protocol.py
@ -0,0 +1,36 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+
+
+class Protocol:  # pylint: disable=too-few-public-methods
+    SMSG_PUBLIC_KEY = 2
+    MSG_DEBUG = 4
+    MSG_KEXINIT = 20
+    MSG_NEWKEYS = 21
+    MSG_KEXDH_INIT = 30
+    MSG_KEXDH_REPLY = 31
+    MSG_KEXDH_GEX_REQUEST = 34
+    MSG_KEXDH_GEX_GROUP = 31
+    MSG_KEXDH_GEX_INIT = 32
+    MSG_KEXDH_GEX_REPLY = 33
--- a/src/ssh_audit/readbuf.py
+++ b/src/ssh_audit/readbuf.py
@ -0,0 +1,92 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+import io
+import struct
+
+# pylint: disable=unused-import
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+
+class ReadBuf:
+    def __init__(self, data: Optional[bytes] = None) -> None:
+        super(ReadBuf, self).__init__()
+        self._buf = io.BytesIO(data) if data is not None else io.BytesIO()
+        self._len = len(data) if data is not None else 0
+
+    @property
+    def unread_len(self) -> int:
+        return self._len - self._buf.tell()
+
+    def read(self, size: int) -> bytes:
+        return self._buf.read(size)
+
+    def read_byte(self) -> int:
+        v: int = struct.unpack('B', self.read(1))[0]
+        return v
+
+    def read_bool(self) -> bool:
+        return self.read_byte() != 0
+
+    def read_int(self) -> int:
+        v: int = struct.unpack('>I', self.read(4))[0]
+        return v
+
+    def read_list(self) -> List[str]:
+        list_size = self.read_int()
+        return self.read(list_size).decode('utf-8', 'replace').split(',')
+
+    def read_string(self) -> bytes:
+        n = self.read_int()
+        return self.read(n)
+
+    @classmethod
+    def _parse_mpint(cls, v: bytes, pad: bytes, f: str) -> int:
+        r = 0
+        if len(v) % 4 != 0:
+            v = pad * (4 - (len(v) % 4)) + v
+        for i in range(0, len(v), 4):
+            r = (r << 32) | struct.unpack(f, v[i:i + 4])[0]
+        return r
+
+    def read_mpint1(self) -> int:
+        # NOTE: Data Type Enc @ http://www.snailbook.com/docs/protocol-1.5.txt
+        bits = struct.unpack('>H', self.read(2))[0]
+        n = (bits + 7) // 8
+        return self._parse_mpint(self.read(n), b'\x00', '>I')
+
+    def read_mpint2(self) -> int:
+        # NOTE: Section 5 @ https://www.ietf.org/rfc/rfc4251.txt
+        v = self.read_string()
+        if len(v) == 0:
+            return 0
+        pad, f = (b'\xff', '>i') if ord(v[0:1]) & 0x80 != 0 else (b'\x00', '>I')
+        return self._parse_mpint(v, pad, f)
+
+    def read_line(self) -> str:
+        return self._buf.readline().rstrip().decode('utf-8', 'replace')
+
+    def reset(self) -> None:
+        self._buf = io.BytesIO()
+        self._len = 0
--- a/src/ssh_audit/software.py
+++ b/src/ssh_audit/software.py
@ -0,0 +1,231 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+import re
+
+# pylint: disable=unused-import
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+from ssh_audit.banner import Banner
+from ssh_audit.product import Product
+
+
+class Software:
+    def __init__(self, vendor: Optional[str], product: str, version: str, patch: Optional[str], os_version: Optional[str]) -> None:
+        self.__vendor = vendor
+        self.__product = product
+        self.__version = version
+        self.__patch = patch
+        self.__os = os_version
+
+    @property
+    def vendor(self) -> Optional[str]:
+        return self.__vendor
+
+    @property
+    def product(self) -> str:
+        return self.__product
+
+    @property
+    def version(self) -> str:
+        return self.__version
+
+    @property
+    def patch(self) -> Optional[str]:
+        return self.__patch
+
+    @property
+    def os(self) -> Optional[str]:
+        return self.__os
+
+    def compare_version(self, other: Union[None, 'Software', str]) -> int:
+        # pylint: disable=too-many-branches,too-many-return-statements
+        if other is None:
+            return 1
+        if isinstance(other, Software):
+            other = '{}{}'.format(other.version, other.patch or '')
+        else:
+            other = str(other)
+        mx = re.match(r'^([\d\.]+\d+)(.*)$', other)
+        if mx is not None:
+            oversion, opatch = mx.group(1), mx.group(2).strip()
+        else:
+            oversion, opatch = other, ''
+        if self.version < oversion:
+            return -1
+        elif self.version > oversion:
+            return 1
+        spatch = self.patch or ''
+        if self.product == Product.DropbearSSH:
+            if not re.match(r'^test\d.*$', opatch):
+                opatch = 'z{}'.format(opatch)
+            if not re.match(r'^test\d.*$', spatch):
+                spatch = 'z{}'.format(spatch)
+        elif self.product == Product.OpenSSH:
+            mx1 = re.match(r'^p(\d).*', opatch)
+            mx2 = re.match(r'^p(\d).*', spatch)
+            if not (bool(mx1) and bool(mx2)):
+                if mx1 is not None:
+                    opatch = mx1.group(1)
+                if mx2 is not None:
+                    spatch = mx2.group(1)
+            # OpenBSD version and p1 versions are considered the same.
+            if ((spatch == '') and (opatch == '1')) or ((spatch == '1') and (opatch == '')):
+                return 0
+        if spatch < opatch:
+            return -1
+        elif spatch > opatch:
+            return 1
+        return 0
+
+    def between_versions(self, vfrom: str, vtill: str) -> bool:
+        if bool(vfrom) and self.compare_version(vfrom) < 0:
+            return False
+        if bool(vtill) and self.compare_version(vtill) > 0:
+            return False
+        return True
+
+    def display(self, full: bool = True) -> str:
+        r = '{} '.format(self.vendor) if bool(self.vendor) else ''
+        r += self.product
+        if bool(self.version):
+            r += ' {}'.format(self.version)
+        if full:
+            patch = self.patch or ''
+            if self.product == Product.OpenSSH:
+                mx = re.match(r'^(p\d)(.*)$', patch)
+                if mx is not None:
+                    r += mx.group(1)
+                    patch = mx.group(2).strip()
+            if bool(patch):
+                r += ' ({})'.format(patch)
+            if bool(self.os):
+                r += ' running on {}'.format(self.os)
+        return r
+
+    def __str__(self) -> str:
+        return self.display()
+
+    def __repr__(self) -> str:
+        r = 'vendor={}, '.format(self.vendor) if bool(self.vendor) else ''
+        r += 'product={}'.format(self.product)
+        if bool(self.version):
+            r += ', version={}'.format(self.version)
+        if bool(self.patch):
+            r += ', patch={}'.format(self.patch)
+        if bool(self.os):
+            r += ', os={}'.format(self.os)
+        return '<{}({})>'.format(self.__class__.__name__, r)
+
+    @staticmethod
+    def _fix_patch(patch: str) -> Optional[str]:
+        return re.sub(r'^[-_\.]+', '', patch) or None
+
+    @staticmethod
+    def _fix_date(d: Optional[str]) -> Optional[str]:
+        if d is not None and len(d) == 8:
+            return '{}-{}-{}'.format(d[:4], d[4:6], d[6:8])
+        else:
+            return None
+
+    @classmethod
+    def _extract_os_version(cls, c: Optional[str]) -> Optional[str]:
+        if c is None:
+            return None
+        mx = re.match(r'^NetBSD(?:_Secure_Shell)?(?:[\s-]+(\d{8})(.*))?$', c)
+        if mx is not None:
+            d = cls._fix_date(mx.group(1))
+            return 'NetBSD' if d is None else 'NetBSD ({})'.format(d)
+        mx = re.match(r'^FreeBSD(?:\slocalisations)?[\s-]+(\d{8})(.*)$', c)
+        if not bool(mx):
+            mx = re.match(r'^[^@]+@FreeBSD\.org[\s-]+(\d{8})(.*)$', c)
+        if mx is not None:
+            d = cls._fix_date(mx.group(1))
+            return 'FreeBSD' if d is None else 'FreeBSD ({})'.format(d)
+        w = ['RemotelyAnywhere', 'DesktopAuthority', 'RemoteSupportManager']
+        for win_soft in w:
+            mx = re.match(r'^in ' + win_soft + r' ([\d\.]+\d)$', c)
+            if mx is not None:
+                ver = mx.group(1)
+                return 'Microsoft Windows ({} {})'.format(win_soft, ver)
+        generic = ['NetBSD', 'FreeBSD']
+        for g in generic:
+            if c.startswith(g) or c.endswith(g):
+                return g
+        return None
+
+    @classmethod
+    def parse(cls, banner: 'Banner') -> Optional['Software']:
+        # pylint: disable=too-many-return-statements
+        software = str(banner.software)
+        mx = re.match(r'^dropbear_([\d\.]+\d+)(.*)', software)
+        v: Optional[str] = None
+        if mx is not None:
+            patch = cls._fix_patch(mx.group(2))
+            v, p = 'Matt Johnston', Product.DropbearSSH
+            v = None
+            return cls(v, p, mx.group(1), patch, None)
+        mx = re.match(r'^OpenSSH[_\.-]+([\d\.]+\d+)(.*)', software)
+        if mx is not None:
+            patch = cls._fix_patch(mx.group(2))
+            v, p = 'OpenBSD', Product.OpenSSH
+            v = None
+            os_version = cls._extract_os_version(banner.comments)
+            return cls(v, p, mx.group(1), patch, os_version)
+        mx = re.match(r'^libssh-([\d\.]+\d+)(.*)', software)
+        if mx is not None:
+            patch = cls._fix_patch(mx.group(2))
+            v, p = None, Product.LibSSH
+            os_version = cls._extract_os_version(banner.comments)
+            return cls(v, p, mx.group(1), patch, os_version)
+        mx = re.match(r'^libssh_([\d\.]+\d+)(.*)', software)
+        if mx is not None:
+            patch = cls._fix_patch(mx.group(2))
+            v, p = None, Product.LibSSH
+            os_version = cls._extract_os_version(banner.comments)
+            return cls(v, p, mx.group(1), patch, os_version)
+        mx = re.match(r'^RomSShell_([\d\.]+\d+)(.*)', software)
+        if mx is not None:
+            patch = cls._fix_patch(mx.group(2))
+            v, p = 'Allegro Software', 'RomSShell'
+            return cls(v, p, mx.group(1), patch, None)
+        mx = re.match(r'^mpSSH_([\d\.]+\d+)', software)
+        if mx is not None:
+            v, p = 'HP', 'iLO (Integrated Lights-Out) sshd'
+            return cls(v, p, mx.group(1), None, None)
+        mx = re.match(r'^Cisco-([\d\.]+\d+)', software)
+        if mx is not None:
+            v, p = 'Cisco', 'IOS/PIX sshd'
+            return cls(v, p, mx.group(1), None, None)
+        mx = re.match(r'^tinyssh_(.*)', software)
+        if mx is not None:
+            return cls(None, Product.TinySSH, mx.group(1), None, None)
+        mx = re.match(r'^PuTTY_Release_(.*)', software)
+        if mx:
+            return cls(None, Product.PuTTY, mx.group(1), None, None)
+        mx = re.match(r'^lancom(.*)', software)
+        if mx:
+            v, p = 'LANcom', 'LCOS sshd'
+            return cls(v, p, mx.group(1), None, None)
+        return None
--- a/src/ssh_audit/ssh1.py
+++ b/src/ssh_audit/ssh1.py
@ -0,0 +1,40 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+# pylint: disable=unused-import
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+from ssh_audit.ssh1_crc32 import SSH1_CRC32
+
+
+class SSH1:
+    _crc32: Optional[SSH1_CRC32] = None
+    CIPHERS = ['none', 'idea', 'des', '3des', 'tss', 'rc4', 'blowfish']
+    AUTHS = ['none', 'rhosts', 'rsa', 'password', 'rhosts_rsa', 'tis', 'kerberos']
+
+    @classmethod
+    def crc32(cls, v: bytes) -> int:
+        if cls._crc32 is None:
+            cls._crc32 = SSH1_CRC32()
+        return cls._crc32.calc(v)
--- a/src/ssh_audit/ssh1_crc32.py
+++ b/src/ssh_audit/ssh1_crc32.py
@ -0,0 +1,47 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+# pylint: disable=unused-import
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+
+class SSH1_CRC32:
+    def __init__(self) -> None:
+        self._table = [0] * 256
+        for i in range(256):
+            crc = 0
+            n = i
+            for _ in range(8):
+                x = (crc ^ n) & 1
+                crc = (crc >> 1) ^ (x * 0xedb88320)
+                n = n >> 1
+                self._table[i] = crc
+
+    def calc(self, v: bytes) -> int:
+        crc, length = 0, len(v)
+        for i in range(length):
+            n = ord(v[i:i + 1])
+            n = n ^ (crc & 0xff)
+            crc = (crc >> 8) ^ self._table[n]
+        return crc
--- a/src/ssh_audit/ssh1_kexdb.py
+++ b/src/ssh_audit/ssh1_kexdb.py
@ -0,0 +1,84 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+# pylint: disable=unused-import
+import copy
+import threading
+
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+
+class SSH1_KexDB:  # pylint: disable=too-few-public-methods
+
+    FAIL_PLAINTEXT = 'no encryption/integrity'
+    FAIL_OPENSSH37_REMOVE = 'removed since OpenSSH 3.7'
+    FAIL_NA_BROKEN = 'not implemented in OpenSSH, broken algorithm'
+    FAIL_NA_UNSAFE = 'not implemented in OpenSSH (server), unsafe algorithm'
+    TEXT_CIPHER_IDEA = 'cipher used by commercial SSH'
+
+    DB_PER_THREAD: Dict[int, Dict[str, Dict[str, List[List[Optional[str]]]]]] = {}
+
+    MASTER_DB: Dict[str, Dict[str, List[List[Optional[str]]]]] = {
+        'key': {
+            'ssh-rsa1': [['1.2.2']],
+        },
+        'enc': {
+            'none': [['1.2.2'], [FAIL_PLAINTEXT]],
+            'idea': [[None], [], [], [TEXT_CIPHER_IDEA]],
+            'des': [['2.3.0C'], [FAIL_NA_UNSAFE]],
+            '3des': [['1.2.2']],
+            'tss': [[''], [FAIL_NA_BROKEN]],
+            'rc4': [[], [FAIL_NA_BROKEN]],
+            'blowfish': [['1.2.2']],
+        },
+        'aut': {
+            'rhosts': [['1.2.2', '3.6'], [FAIL_OPENSSH37_REMOVE]],
+            'rsa': [['1.2.2']],
+            'password': [['1.2.2']],
+            'rhosts_rsa': [['1.2.2']],
+            'tis': [['1.2.2']],
+            'kerberos': [['1.2.2', '3.6'], [FAIL_OPENSSH37_REMOVE]],
+        }
+    }
+
+
+    @staticmethod
+    def get_db() -> Dict[str, Dict[str, List[List[Optional[str]]]]]:
+        '''Returns a copy of the MASTER_DB that is private to the calling thread.  This prevents multiple threads from polluting the results of other threads.'''
+        calling_thread_id = threading.get_ident()
+
+        if calling_thread_id not in SSH1_KexDB.DB_PER_THREAD:
+            SSH1_KexDB.DB_PER_THREAD[calling_thread_id] = copy.deepcopy(SSH1_KexDB.MASTER_DB)
+
+        return SSH1_KexDB.DB_PER_THREAD[calling_thread_id]
+
+
+    @staticmethod
+    def thread_exit() -> None:
+        '''Deletes the calling thread's copy of the MASTER_DB.  This is needed because, in rare circumstances, a terminated thread's ID can be re-used by new threads.'''
+
+        calling_thread_id = threading.get_ident()
+
+        if calling_thread_id in SSH1_KexDB.DB_PER_THREAD:
+            del SSH1_KexDB.DB_PER_THREAD[calling_thread_id]
--- a/src/ssh_audit/ssh1_publickeymessage.py
+++ b/src/ssh_audit/ssh1_publickeymessage.py
@ -0,0 +1,144 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+# pylint: disable=unused-import
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+from ssh_audit.ssh1 import SSH1
+from ssh_audit.readbuf import ReadBuf
+from ssh_audit.utils import Utils
+from ssh_audit.writebuf import WriteBuf
+
+
+class SSH1_PublicKeyMessage:
+    def __init__(self, cookie: bytes, skey: Tuple[int, int, int], hkey: Tuple[int, int, int], pflags: int, cmask: int, amask: int) -> None:
+        if len(skey) != 3:
+            raise ValueError('invalid server key pair: {}'.format(skey))
+        if len(hkey) != 3:
+            raise ValueError('invalid host key pair: {}'.format(hkey))
+        self.__cookie = cookie
+        self.__server_key = skey
+        self.__host_key = hkey
+        self.__protocol_flags = pflags
+        self.__supported_ciphers_mask = cmask
+        self.__supported_authentications_mask = amask
+
+    @property
+    def cookie(self) -> bytes:
+        return self.__cookie
+
+    @property
+    def server_key_bits(self) -> int:
+        return self.__server_key[0]
+
+    @property
+    def server_key_public_exponent(self) -> int:
+        return self.__server_key[1]
+
+    @property
+    def server_key_public_modulus(self) -> int:
+        return self.__server_key[2]
+
+    @property
+    def host_key_bits(self) -> int:
+        return self.__host_key[0]
+
+    @property
+    def host_key_public_exponent(self) -> int:
+        return self.__host_key[1]
+
+    @property
+    def host_key_public_modulus(self) -> int:
+        return self.__host_key[2]
+
+    @property
+    def host_key_fingerprint_data(self) -> bytes:
+        # pylint: disable=protected-access
+        mod = WriteBuf._create_mpint(self.host_key_public_modulus, False)
+        e = WriteBuf._create_mpint(self.host_key_public_exponent, False)
+        return mod + e
+
+    @property
+    def protocol_flags(self) -> int:
+        return self.__protocol_flags
+
+    @property
+    def supported_ciphers_mask(self) -> int:
+        return self.__supported_ciphers_mask
+
+    @property
+    def supported_ciphers(self) -> List[str]:
+        ciphers = []
+        for i in range(len(SSH1.CIPHERS)):  # pylint: disable=consider-using-enumerate
+            if self.__supported_ciphers_mask & (1 << i) != 0:
+                ciphers.append(Utils.to_text(SSH1.CIPHERS[i]))
+        return ciphers
+
+    @property
+    def supported_authentications_mask(self) -> int:
+        return self.__supported_authentications_mask
+
+    @property
+    def supported_authentications(self) -> List[str]:
+        auths = []
+        for i in range(1, len(SSH1.AUTHS)):
+            if self.__supported_authentications_mask & (1 << i) != 0:
+                auths.append(Utils.to_text(SSH1.AUTHS[i]))
+        return auths
+
+    def write(self, wbuf: 'WriteBuf') -> None:
+        wbuf.write(self.cookie)
+        wbuf.write_int(self.server_key_bits)
+        wbuf.write_mpint1(self.server_key_public_exponent)
+        wbuf.write_mpint1(self.server_key_public_modulus)
+        wbuf.write_int(self.host_key_bits)
+        wbuf.write_mpint1(self.host_key_public_exponent)
+        wbuf.write_mpint1(self.host_key_public_modulus)
+        wbuf.write_int(self.protocol_flags)
+        wbuf.write_int(self.supported_ciphers_mask)
+        wbuf.write_int(self.supported_authentications_mask)
+
+    @property
+    def payload(self) -> bytes:
+        wbuf = WriteBuf()
+        self.write(wbuf)
+        return wbuf.write_flush()
+
+    @classmethod
+    def parse(cls, payload: bytes) -> 'SSH1_PublicKeyMessage':
+        buf = ReadBuf(payload)
+        cookie = buf.read(8)
+        server_key_bits = buf.read_int()
+        server_key_exponent = buf.read_mpint1()
+        server_key_modulus = buf.read_mpint1()
+        skey = (server_key_bits, server_key_exponent, server_key_modulus)
+        host_key_bits = buf.read_int()
+        host_key_exponent = buf.read_mpint1()
+        host_key_modulus = buf.read_mpint1()
+        hkey = (host_key_bits, host_key_exponent, host_key_modulus)
+        pflags = buf.read_int()
+        cmask = buf.read_int()
+        amask = buf.read_int()
+        pkm = cls(cookie, skey, hkey, pflags, cmask, amask)
+        return pkm
--- a/src/ssh_audit/ssh2_kex.py
+++ b/src/ssh_audit/ssh2_kex.py
@ -0,0 +1,147 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017-2024 Joe Testa (jtesta@positronsecurity.com)
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+from typing import Dict, List
+from typing import Union
+
+from ssh_audit.outputbuffer import OutputBuffer
+from ssh_audit.readbuf import ReadBuf
+from ssh_audit.ssh2_kexparty import SSH2_KexParty
+from ssh_audit.writebuf import WriteBuf
+
+
+class SSH2_Kex:
+    def __init__(self, outputbuffer: 'OutputBuffer', cookie: bytes, kex_algs: List[str], key_algs: List[str], cli: 'SSH2_KexParty', srv: 'SSH2_KexParty', follows: bool, unused: int = 0) -> None:  # pylint: disable=too-many-arguments
+        self.__outputbuffer = outputbuffer
+        self.__cookie = cookie
+        self.__kex_algs = kex_algs
+        self.__key_algs = key_algs
+        self.__client = cli
+        self.__server = srv
+        self.__follows = follows
+        self.__unused = unused
+
+        self.__dh_modulus_sizes: Dict[str, int] = {}
+        self.__host_keys: Dict[str, Dict[str, Union[bytes, str, int]]] = {}
+
+    @property
+    def cookie(self) -> bytes:
+        return self.__cookie
+
+    @property
+    def kex_algorithms(self) -> List[str]:
+        return self.__kex_algs
+
+    @property
+    def key_algorithms(self) -> List[str]:
+        return self.__key_algs
+
+    # client_to_server
+    @property
+    def client(self) -> 'SSH2_KexParty':
+        return self.__client
+
+    # server_to_client
+    @property
+    def server(self) -> 'SSH2_KexParty':
+        return self.__server
+
+    @property
+    def follows(self) -> bool:
+        return self.__follows
+
+    @property
+    def unused(self) -> int:
+        return self.__unused
+
+    def set_dh_modulus_size(self, gex_alg: str, modulus_size: int) -> None:
+        self.__dh_modulus_sizes[gex_alg] = modulus_size
+
+    def dh_modulus_sizes(self) -> Dict[str, int]:
+        return self.__dh_modulus_sizes
+
+    def set_host_key(self, key_type: str, raw_hostkey_bytes: bytes, hostkey_size: int, ca_key_type: str, ca_key_size: int) -> None:
+
+        if key_type not in self.__host_keys:
+            self.__host_keys[key_type] = {'raw_hostkey_bytes': raw_hostkey_bytes, 'hostkey_size': hostkey_size, 'ca_key_type': ca_key_type, 'ca_key_size': ca_key_size}
+        else:  # A host key may only have one CA signature...
+            self.__outputbuffer.d("WARNING: called SSH2_Kex.set_host_key() multiple times with the same host key type (%s)!  Existing info: %r, %r, %r; Duplicate (ignored) info: %r, %r, %r" % (key_type, self.__host_keys[key_type]['hostkey_size'], self.__host_keys[key_type]['ca_key_type'], self.__host_keys[key_type]['ca_key_size'], hostkey_size, ca_key_type, ca_key_size))
+
+    def host_keys(self) -> Dict[str, Dict[str, Union[bytes, str, int]]]:
+        return self.__host_keys
+
+    def write(self, wbuf: 'WriteBuf') -> None:
+        wbuf.write(self.cookie)
+        wbuf.write_list(self.kex_algorithms)
+        wbuf.write_list(self.key_algorithms)
+        wbuf.write_list(self.client.encryption)
+        wbuf.write_list(self.server.encryption)
+        wbuf.write_list(self.client.mac)
+        wbuf.write_list(self.server.mac)
+        wbuf.write_list(self.client.compression)
+        wbuf.write_list(self.server.compression)
+        wbuf.write_list(self.client.languages)
+        wbuf.write_list(self.server.languages)
+        wbuf.write_bool(self.follows)
+        wbuf.write_int(self.__unused)
+
+    @property
+    def payload(self) -> bytes:
+        wbuf = WriteBuf()
+        self.write(wbuf)
+        return wbuf.write_flush()
+
+    @classmethod
+    def parse(cls, outputbuffer: 'OutputBuffer', payload: bytes) -> 'SSH2_Kex':
+        buf = ReadBuf(payload)
+        cookie = buf.read(16)
+        kex_algs = buf.read_list()
+        key_algs = buf.read_list()
+        cli_enc = buf.read_list()
+        srv_enc = buf.read_list()
+        cli_mac = buf.read_list()
+        srv_mac = buf.read_list()
+        cli_compression = buf.read_list()
+        srv_compression = buf.read_list()
+        cli_languages = buf.read_list()
+        srv_languages = buf.read_list()
+        follows = buf.read_bool()
+        unused = buf.read_int()
+        cli = SSH2_KexParty(cli_enc, cli_mac, cli_compression, cli_languages)
+        srv = SSH2_KexParty(srv_enc, srv_mac, srv_compression, srv_languages)
+        kex = cls(outputbuffer, cookie, kex_algs, key_algs, cli, srv, follows, unused)
+        return kex
+
+    def __str__(self) -> str:
+        ret = "----\nSSH2_Kex object:"
+        ret += "\nHost keys: "
+        ret += ", ".join(self.__key_algs)
+        ret += "\nKey exchanges: "
+        ret += ", ".join(self.__kex_algs)
+        ret += "\nClient SSH2_KexParty:"
+        ret += "\n" + str(self.__client)
+        ret += "\nServer SSH2_KexParty:"
+        ret += "\n" + str(self.__server)
+        ret += "\n----"
+        return ret
--- a/src/ssh_audit/ssh2_kexdb.py
+++ b/src/ssh_audit/ssh2_kexdb.py
@ -0,0 +1,478 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017-2024 Joe Testa (jtesta@positronsecurity.com)
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+# pylint: disable=unused-import
+import copy
+import threading
+
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+
+class SSH2_KexDB:  # pylint: disable=too-few-public-methods
+    FAIL_1024BIT_MODULUS = 'using small 1024-bit modulus'
+    FAIL_3DES = 'using broken & deprecated 3DES cipher'
+    FAIL_BLOWFISH = 'using weak & deprecated Blowfish cipher'
+    FAIL_CAST = 'using weak & deprecated CAST cipher'
+    FAIL_DES = 'using broken DES cipher'
+    FAIL_IDEA = 'using deprecated IDEA cipher'
+    FAIL_LOGJAM_ATTACK = 'vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)'
+    FAIL_MD5 = 'using broken MD5 hash algorithm'
+    FAIL_NSA_BACKDOORED_CURVE = 'using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency'
+    FAIL_PLAINTEXT = 'no encryption/integrity'
+    FAIL_RC4 = 'using broken RC4 cipher'
+    FAIL_RIJNDAEL = 'using deprecated & non-standardized Rijndael cipher'
+    FAIL_RIPEMD = 'using deprecated RIPEMD hash algorithm'
+    FAIL_SEED = 'using deprecated SEED cipher'
+    FAIL_SERPENT = 'using deprecated Serpent cipher'
+    FAIL_SHA1 = 'using broken SHA-1 hash algorithm'
+    FAIL_SMALL_ECC_MODULUS = 'using small ECC modulus'
+    FAIL_UNKNOWN = 'using unknown algorithm'
+    FAIL_UNPROVEN = 'using unproven algorithm'
+    FAIL_UNTRUSTED = 'using untrusted algorithm developed in secret by a government entity'
+
+    WARN_2048BIT_MODULUS = '2048-bit modulus only provides 112-bits of symmetric strength'
+    WARN_BLOCK_SIZE = 'using small 64-bit block size'
+    WARN_CIPHER_MODE = 'using weak cipher mode'
+    WARN_ENCRYPT_AND_MAC = 'using encrypt-and-MAC mode'
+    WARN_EXPERIMENTAL = 'using experimental algorithm'
+    WARN_NOT_PQ_SAFE = 'does not provide protection against post-quantum attacks'
+    WARN_RNDSIG_KEY = 'using weak random number generator could reveal the key'
+    WARN_TAG_SIZE = 'using small 64-bit tag size'
+    WARN_TAG_SIZE_96 = 'using small 96-bit tag size'
+
+    INFO_DEFAULT_OPENSSH_CIPHER = 'default cipher since OpenSSH 6.9'
+    INFO_DEFAULT_OPENSSH_KEX_65_TO_73 = 'default key exchange from OpenSSH 6.5 to 7.3'
+    INFO_DEFAULT_OPENSSH_KEX_74_TO_89 = 'default key exchange from OpenSSH 7.4 to 8.9'
+    INFO_DEFAULT_OPENSSH_KEX_90_TO_98 = 'default key exchange from OpenSSH 9.0 to 9.8'
+    INFO_DEFAULT_OPENSSH_KEX_99 = 'default key exchange since OpenSSH 9.9'
+    INFO_DEPRECATED_IN_OPENSSH88 = 'deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8'
+    INFO_DISABLED_IN_DBEAR67 = 'disabled in Dropbear SSH 2015.67'
+    INFO_DISABLED_IN_OPENSSH70 = 'disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0'
+    INFO_NEVER_IMPLEMENTED_IN_OPENSSH = 'despite the @openssh.com tag, this was never implemented in OpenSSH'
+    INFO_HYBRID_PQ_X25519_KEX = 'hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm'
+    INFO_REMOVED_IN_OPENSSH61 = 'removed since OpenSSH 6.1, removed from specification'
+    INFO_REMOVED_IN_OPENSSH69 = 'removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9'
+    INFO_REMOVED_IN_OPENSSH70 = 'removed in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0'
+    INFO_WITHDRAWN_PQ_ALG = 'the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security'
+    INFO_EXTENSION_NEGOTIATION = 'pseudo-algorithm that denotes the peer supports RFC8308 extensions'
+    INFO_STRICT_KEX = 'pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795)'
+
+    # Maintains a dictionary per calling thread that yields its own copy of MASTER_DB.  This prevents results from one thread polluting the results of another thread.
+    DB_PER_THREAD: Dict[int, Dict[str, Dict[str, List[List[Optional[str]]]]]] = {}
+
+    MASTER_DB: Dict[str, Dict[str, List[List[Optional[str]]]]] = {
+        # Format: 'algorithm_name': [['version_first_appeared_in'], [reason_for_failure1, reason_for_failure2, ...], [warning1, warning2, ...], [info1, info2, ...]]
+        'kex': {
+            'Curve25519SHA256': [[], [], [WARN_NOT_PQ_SAFE]],
+            'curve25519-sha256': [['7.4,d2018.76'], [], [WARN_NOT_PQ_SAFE], [INFO_DEFAULT_OPENSSH_KEX_74_TO_89]],
+            'curve25519-sha256@libssh.org': [['6.4,d2013.62,l10.6.0'], [], [WARN_NOT_PQ_SAFE], [INFO_DEFAULT_OPENSSH_KEX_65_TO_73]],
+            'curve448-sha512': [[], [], [WARN_NOT_PQ_SAFE]],
+            'curve448-sha512@libssh.org': [[], [], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group14-sha1': [['3.9,d0.53,l10.6.0'], [FAIL_SHA1], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group14-sha224@ssh.com': [[], [], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group14-sha256': [['7.3,d2016.73'], [], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group14-sha256@ssh.com': [[], [], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group15-sha256': [[], [], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group15-sha256@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group15-sha384@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group15-sha512': [[], [], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group16-sha256': [[], [], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group16-sha384@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group16-sha512': [['7.3,d2016.73'], [], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group16-sha512@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group17-sha512': [[], [], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman_group17-sha512': [[], [], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group18-sha512': [['7.3'], [], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group18-sha512@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group1-sha1': [['2.3.0,d0.28,l10.2', '6.6', '6.9'], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1], [WARN_NOT_PQ_SAFE], [INFO_REMOVED_IN_OPENSSH69]],
+            'diffie-hellman-group1-sha256': [[], [FAIL_1024BIT_MODULUS], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group-exchange-sha1': [['2.3.0', '6.6', None], [FAIL_SHA1], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group-exchange-sha224@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group-exchange-sha256': [['4.4'], [], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group-exchange-sha256@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group-exchange-sha384@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]],
+            'diffie-hellman-group-exchange-sha512@ssh.com': [[], [], [WARN_NOT_PQ_SAFE]],
+            'ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org': [[], [FAIL_NSA_BACKDOORED_CURVE]],
+            'ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org': [[], [FAIL_NSA_BACKDOORED_CURVE]],
+            'ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org': [[], [FAIL_NSA_BACKDOORED_CURVE]],
+            'ecdh-sha2-1.2.840.10045.3.1.1': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],  # NIST P-192 / secp192r1
+            'ecdh-sha2-1.2.840.10045.3.1.7': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],  # NIST P-256 / secp256r1
+            'ecdh-sha2-1.3.132.0.10': [[], [], [WARN_NOT_PQ_SAFE]],  # ECDH over secp256k1 (i.e.: the Bitcoin curve)
+            'ecdh-sha2-1.3.132.0.16': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],  # sect283k1
+            'ecdh-sha2-1.3.132.0.1': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]],  # sect163k1
+            'ecdh-sha2-1.3.132.0.26': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]],  # sect233k1
+            'ecdh-sha2-1.3.132.0.27': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],  # sect233r1
+            'ecdh-sha2-1.3.132.0.33': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],  # NIST P-224 / secp224r1
+            'ecdh-sha2-1.3.132.0.34': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],  # NIST P-384 / secp384r1
+            'ecdh-sha2-1.3.132.0.35': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],  # NIST P-521 / secp521r1
+            'ecdh-sha2-1.3.132.0.36': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],  # sect409k1
+            'ecdh-sha2-1.3.132.0.37': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],  # sect409r1
+            'ecdh-sha2-1.3.132.0.38': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],  # sect571k1
+
+            # Note: the base64 strings, according to draft 6 of RFC5656, is Base64(MD5(DER(OID))).  The final RFC5656 dropped the base64 strings in favor of plain OID concatenation, but apparently some SSH servers implement them anyway.  See: https://datatracker.ietf.org/doc/html/draft-green-secsh-ecc-06#section-9.2
+            'ecdh-sha2-4MHB+NBt3AlaSRQ7MnB4cg==': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]],  # sect163k1
+            'ecdh-sha2-5pPrSUQtIaTjUSt5VZNBjg==': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],  # NIST P-192 / secp192r1
+            'ecdh-sha2-9UzNcgwTlEnSCECZa7V1mw==': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],  # NIST P-256 / secp256r1
+            'ecdh-sha2-brainpoolp256r1@genua.de': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
+            'ecdh-sha2-brainpoolp384r1@genua.de': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
+            'ecdh-sha2-brainpoolp521r1@genua.de': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
+            'ecdh-sha2-curve25519': [[], [], [WARN_NOT_PQ_SAFE]],
+            'ecdh-sha2-D3FefCjYoJ/kfXgAyLddYA==': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],  # sect409r1
+            'ecdh-sha2-h/SsxnLCtRBh7I9ATyeB3A==': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],  # NIST P-521 / secp521r1
+            'ecdh-sha2-m/FtSAmrV4j/Wy6RVUaK7A==': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],  # sect409k1
+            'ecdh-sha2-mNVwCXAoS1HGmHpLvBC94w==': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],  # sect571k1
+            'ecdh-sha2-nistb233': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]],
+            'ecdh-sha2-nistb409': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
+            'ecdh-sha2-nistk163': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]],
+            'ecdh-sha2-nistk233': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]],
+            'ecdh-sha2-nistk283': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
+            'ecdh-sha2-nistk409': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
+            'ecdh-sha2-nistp192': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
+            'ecdh-sha2-nistp224': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
+            'ecdh-sha2-nistp256': [['5.7,d2013.62,l10.6.0'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
+            'ecdh-sha2-nistp384': [['5.7,d2013.62'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
+            'ecdh-sha2-nistp521': [['5.7,d2013.62'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
+            'ecdh-sha2-nistt571': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
+            'ecdh-sha2-qCbG5Cn/jjsZ7nBeR7EnOA==': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],  # sect233r1
+            'ecdh-sha2-qcFQaMAMGhTziMT0z+Tuzw==': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],  # NIST P-384 / secp384r1
+            'ecdh-sha2-VqBg4QRPjxx1EXZdV0GdWQ==': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]],  # NIST P-224 / secp224r1
+            'ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],  # sect283k1
+            'ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_NOT_PQ_SAFE]],  # sect233k1
+            'ecmqv-sha2': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
+            'ext-info-c': [['7.2'], [], [], [INFO_EXTENSION_NEGOTIATION]],  # Extension negotiation (RFC 8308)
+            'ext-info-s': [['9.6'], [], [], [INFO_EXTENSION_NEGOTIATION]],  # Extension negotiation (RFC 8308)
+            'kex-strict-c-v00@openssh.com': [[], [], [], [INFO_STRICT_KEX]],  # Strict KEX marker (countermeasure for CVE-2023-48795).
+            'kex-strict-s-v00@openssh.com': [[], [], [], [INFO_STRICT_KEX]],  # Strict KEX marker (countermeasure for CVE-2023-48795).
+
+            # The GSS kex algorithms get special wildcard handling, since they include variable base64 data after their standard prefixes.
+            'gss-13.3.132.0.10-sha256-*': [[], [FAIL_UNKNOWN], [WARN_NOT_PQ_SAFE]],
+            'gss-curve25519-sha256-*': [[], [], [WARN_NOT_PQ_SAFE]],
+            'gss-curve448-sha512-*': [[], [], [WARN_NOT_PQ_SAFE]],
+            'gss-gex-sha1-*': [[], [FAIL_SHA1], [WARN_NOT_PQ_SAFE]],
+            'gss-gex-sha256-*': [[], [], [WARN_NOT_PQ_SAFE]],
+            'gss-group14-sha1-*': [[], [FAIL_SHA1], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]],
+            'gss-group14-sha256-*': [[], [], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]],
+            'gss-group15-sha512-*': [[], [], [WARN_NOT_PQ_SAFE]],
+            'gss-group16-sha512-*': [[], [], [WARN_NOT_PQ_SAFE]],
+            'gss-group17-sha512-*': [[], [], [WARN_NOT_PQ_SAFE]],
+            'gss-group18-sha512-*': [[], [], [WARN_NOT_PQ_SAFE]],
+            'gss-group1-sha1-*': [[], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1], [WARN_NOT_PQ_SAFE]],
+            'gss-nistp256-sha256-*': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
+            'gss-nistp384-sha256-*': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
+            'gss-nistp384-sha384-*': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
+            'gss-nistp521-sha512-*': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
+            'kexAlgoCurve25519SHA256': [[], [], [WARN_NOT_PQ_SAFE]],
+            'kexAlgoDH14SHA1': [[], [FAIL_SHA1], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]],
+            'kexAlgoDH1SHA1': [[], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1], [WARN_NOT_PQ_SAFE]],
+            'kexAlgoECDH256': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
+            'kexAlgoECDH384': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
+            'kexAlgoECDH521': [[], [FAIL_NSA_BACKDOORED_CURVE], [WARN_NOT_PQ_SAFE]],
+            'kexguess2@matt.ucc.asn.au': [['d2013.57'], [], [WARN_NOT_PQ_SAFE]],
+            'm383-sha384@libassh.org': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
+            'm511-sha512@libassh.org': [[], [FAIL_UNPROVEN], [WARN_NOT_PQ_SAFE]],
+            'mlkem768x25519-sha256': [['9.9'], [], [], [INFO_HYBRID_PQ_X25519_KEX]],
+            'rsa1024-sha1': [[], [FAIL_1024BIT_MODULUS, FAIL_SHA1], [WARN_NOT_PQ_SAFE]],
+            'rsa2048-sha256': [[], [], [WARN_2048BIT_MODULUS, WARN_NOT_PQ_SAFE]],
+            'sm2kep-sha2-nistp256': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_UNTRUSTED], [WARN_NOT_PQ_SAFE]],
+            'sntrup4591761x25519-sha512@tinyssh.org': [['8.0', '8.4'], [], [WARN_EXPERIMENTAL], [INFO_WITHDRAWN_PQ_ALG]],
+            'sntrup761x25519-sha512': [['9.9'], [], [], [INFO_DEFAULT_OPENSSH_KEX_99, INFO_HYBRID_PQ_X25519_KEX]],
+            'sntrup761x25519-sha512@openssh.com': [['8.5'], [], [], [INFO_DEFAULT_OPENSSH_KEX_90_TO_98, INFO_HYBRID_PQ_X25519_KEX]],
+            'x25519-kyber-512r3-sha256-d00@amazon.com': [[]],
+            'x25519-kyber512-sha512@aws.amazon.com': [[]],
+        },
+        'key': {
+            'dsa2048-sha224@libassh.org': [[], [FAIL_UNPROVEN], [WARN_2048BIT_MODULUS]],
+            'dsa2048-sha256@libassh.org': [[], [FAIL_UNPROVEN], [WARN_2048BIT_MODULUS]],
+            'dsa3072-sha256@libassh.org': [[], [FAIL_UNPROVEN]],
+            'ecdsa-sha2-1.3.132.0.10-cert-v01@openssh.com': [[], [FAIL_UNKNOWN]],
+            'ecdsa-sha2-1.3.132.0.10': [[], [], [WARN_RNDSIG_KEY]],  # ECDSA over secp256k1 (i.e.: the Bitcoin curve)
+            'ecdsa-sha2-curve25519': [[], [], [WARN_RNDSIG_KEY]],  # ECDSA with Curve25519?  Bizarre...
+            'ecdsa-sha2-nistb233': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_RNDSIG_KEY]],
+            'ecdsa-sha2-nistb409': [[], [FAIL_UNPROVEN], [WARN_RNDSIG_KEY]],
+            'ecdsa-sha2-nistk163': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_RNDSIG_KEY]],
+            'ecdsa-sha2-nistk233': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_RNDSIG_KEY]],
+            'ecdsa-sha2-nistk283': [[], [FAIL_UNPROVEN], [WARN_RNDSIG_KEY]],
+            'ecdsa-sha2-nistk409': [[], [FAIL_UNPROVEN], [WARN_RNDSIG_KEY]],
+            'ecdsa-sha2-nistp224': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_SMALL_ECC_MODULUS], [WARN_RNDSIG_KEY]],
+            'ecdsa-sha2-nistp192': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_SMALL_ECC_MODULUS], [WARN_RNDSIG_KEY]],
+            'ecdsa-sha2-nistp256': [['5.7,d2013.62,l10.6.4'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_RNDSIG_KEY]],
+            'ecdsa-sha2-nistp256-cert-v01@openssh.com': [['5.7'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_RNDSIG_KEY]],
+            'ecdsa-sha2-nistp384': [['5.7,d2013.62,l10.6.4'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_RNDSIG_KEY]],
+            'ecdsa-sha2-nistp384-cert-v01@openssh.com': [['5.7'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_RNDSIG_KEY]],
+            'ecdsa-sha2-nistp521': [['5.7,d2013.62,l10.6.4'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_RNDSIG_KEY]],
+            'ecdsa-sha2-nistp521-cert-v01@openssh.com': [['5.7'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_RNDSIG_KEY]],
+            'ecdsa-sha2-nistt571': [[], [FAIL_UNPROVEN], [WARN_RNDSIG_KEY]],
+            'eddsa-e382-shake256@libassh.org': [[], [FAIL_UNPROVEN]],
+            'eddsa-e521-shake256@libassh.org': [[], [FAIL_UNPROVEN]],
+            'null': [[], [FAIL_PLAINTEXT]],
+            'pgp-sign-dss': [[], [FAIL_1024BIT_MODULUS]],
+            'pgp-sign-rsa': [[], [FAIL_1024BIT_MODULUS]],
+            'rsa-sha2-256': [['7.2,d2020.79']],
+            'rsa-sha2-256-cert-v01@openssh.com': [['7.8']],
+            'rsa-sha2-512': [['7.2']],
+            'rsa-sha2-512-cert-v01@openssh.com': [['7.8']],
+            'sk-ecdsa-sha2-nistp256-cert-v01@openssh.com': [['8.2'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_RNDSIG_KEY]],
+            'sk-ecdsa-sha2-nistp256@openssh.com': [['8.2'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_RNDSIG_KEY]],
+            'sk-ssh-ed25519-cert-v01@openssh.com': [['8.2']],
+            'sk-ssh-ed25519@openssh.com': [['8.2']],
+            'spi-sign-rsa': [[]],
+            'spki-sign-dss': [[], [FAIL_1024BIT_MODULUS]],
+            'spki-sign-rsa': [[], [FAIL_1024BIT_MODULUS]],
+            'ssh-dsa': [[], [FAIL_1024BIT_MODULUS], [WARN_RNDSIG_KEY]],
+            'ssh-dss': [['2.1.0,d0.28,l10.2', '6.9'], [FAIL_1024BIT_MODULUS], [WARN_RNDSIG_KEY], [INFO_DISABLED_IN_OPENSSH70]],
+            'ssh-dss-cert-v00@openssh.com': [['5.4', '6.9'], [FAIL_1024BIT_MODULUS], [WARN_RNDSIG_KEY], [INFO_DISABLED_IN_OPENSSH70]],
+            'ssh-dss-cert-v01@openssh.com': [['5.6', '6.9'], [FAIL_1024BIT_MODULUS], [WARN_RNDSIG_KEY]],
+            'ssh-dss-sha224@ssh.com': [[], [FAIL_1024BIT_MODULUS]],
+            'ssh-dss-sha256@ssh.com': [[], [FAIL_1024BIT_MODULUS]],
+            'ssh-dss-sha384@ssh.com': [[], [FAIL_1024BIT_MODULUS]],
+            'ssh-dss-sha512@ssh.com': [[], [FAIL_1024BIT_MODULUS]],
+            'ssh-ed25519': [['6.5,d2020.79,l10.7.0']],
+            'ssh-ed25519-cert-v01@openssh.com': [['6.5']],
+            'ssh-ed448': [[]],
+            'ssh-ed448-cert-v01@openssh.com': [[], [], [], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH]],
+            'ssh-gost2001': [[], [FAIL_UNTRUSTED]],
+            'ssh-gost2012-256': [[], [FAIL_UNTRUSTED]],
+            'ssh-gost2012-512': [[], [FAIL_UNTRUSTED]],
+            'ssh-rsa1': [[], [FAIL_SHA1]],
+            'ssh-rsa': [['2.5.0,d0.28,l10.2'], [FAIL_SHA1], [], [INFO_DEPRECATED_IN_OPENSSH88]],
+            'ssh-rsa-cert-v00@openssh.com': [['5.4', '6.9'], [FAIL_SHA1], [], [INFO_REMOVED_IN_OPENSSH70]],
+            'ssh-rsa-cert-v01@openssh.com': [['5.6'], [FAIL_SHA1], [], [INFO_DEPRECATED_IN_OPENSSH88]],
+            'ssh-rsa-sha224@ssh.com': [[]],
+            'ssh-rsa-sha2-256': [[]],
+            'ssh-rsa-sha2-512': [[]],
+            'ssh-rsa-sha256@ssh.com': [[]],
+            'ssh-rsa-sha384@ssh.com': [[]],
+            'ssh-rsa-sha512@ssh.com': [[]],
+            'ssh-xmss-cert-v01@openssh.com': [['7.7'], [WARN_EXPERIMENTAL]],
+            'ssh-xmss@openssh.com': [['7.7'], [WARN_EXPERIMENTAL]],
+            'webauthn-sk-ecdsa-sha2-nistp256@openssh.com': [['8.3'], [FAIL_NSA_BACKDOORED_CURVE]],
+            'x509v3-ecdsa-sha2-1.3.132.0.10': [[], [FAIL_UNKNOWN]],
+            'x509v3-ecdsa-sha2-nistp256': [[], [FAIL_NSA_BACKDOORED_CURVE]],
+            'x509v3-ecdsa-sha2-nistp384': [[], [FAIL_NSA_BACKDOORED_CURVE]],
+            'x509v3-ecdsa-sha2-nistp521': [[], [FAIL_NSA_BACKDOORED_CURVE]],
+            'x509v3-rsa2048-sha256': [[]],
+            'x509v3-sign-dss': [[], [FAIL_1024BIT_MODULUS], [WARN_RNDSIG_KEY]],
+            'x509v3-sign-dss-sha1': [[], [FAIL_1024BIT_MODULUS, FAIL_SHA1]],
+            'x509v3-sign-dss-sha224@ssh.com': [[], [FAIL_1024BIT_MODULUS]],
+            'x509v3-sign-dss-sha256@ssh.com': [[], [FAIL_1024BIT_MODULUS]],
+            'x509v3-sign-dss-sha384@ssh.com': [[], [FAIL_1024BIT_MODULUS]],
+            'x509v3-sign-dss-sha512@ssh.com': [[], [FAIL_1024BIT_MODULUS]],
+            'x509v3-sign-rsa': [[], [FAIL_SHA1]],
+            'x509v3-sign-rsa-sha1': [[], [FAIL_SHA1]],
+            'x509v3-sign-rsa-sha224@ssh.com': [[]],
+            'x509v3-sign-rsa-sha256': [[]],
+            'x509v3-sign-rsa-sha256@ssh.com': [[]],
+            'x509v3-sign-rsa-sha384@ssh.com': [[]],
+            'x509v3-sign-rsa-sha512@ssh.com': [[]],
+            'x509v3-ssh-dss': [[], [FAIL_1024BIT_MODULUS], [WARN_RNDSIG_KEY]],
+            'x509v3-ssh-rsa': [[], [FAIL_SHA1], [], [INFO_DEPRECATED_IN_OPENSSH88]],
+        },
+        'enc': {
+            '3des-cbc': [['1.2.2,d0.28,l10.2', '6.6', None], [FAIL_3DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
+            '3des-cfb': [[], [FAIL_3DES], [WARN_CIPHER_MODE]],
+            '3des-ctr': [['d0.52'], [FAIL_3DES]],
+            '3des-ecb': [[], [FAIL_3DES], [WARN_CIPHER_MODE]],
+            '3des': [[], [FAIL_3DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
+            '3des-ofb': [[], [FAIL_3DES], [WARN_CIPHER_MODE]],
+            'AEAD_AES_128_GCM': [[]],
+            'AEAD_AES_256_GCM': [[]],
+            'aes128-cbc': [['2.3.0,d0.28,l10.2', '6.6', None], [], [WARN_CIPHER_MODE]],
+            'aes128-ctr': [['3.7,d0.52,l10.4.1']],
+            'aes128-gcm': [[]],
+            'aes128-gcm@openssh.com': [['6.2']],
+            'aes128-ocb@libassh.org': [[], [], [WARN_CIPHER_MODE]],
+            'aes192-cbc': [['2.3.0,l10.2', '6.6', None], [], [WARN_CIPHER_MODE]],
+            'aes192-ctr': [['3.7,l10.4.1']],
+            'aes192-gcm@openssh.com': [[], [], [], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH]],
+            'aes256-cbc': [['2.3.0,d0.47,l10.2', '6.6', None], [], [WARN_CIPHER_MODE]],
+            'aes256-ctr': [['3.7,d0.52,l10.4.1']],
+            'aes256-gcm': [[]],
+            'aes256-gcm@openssh.com': [['6.2']],
+            'arcfour128': [['4.2', '6.6', '7.1'], [FAIL_RC4]],
+            'arcfour': [['2.1.0', '6.6', '7.1'], [FAIL_RC4]],
+            'arcfour256': [['4.2', '6.6', '7.1'], [FAIL_RC4]],
+            'blowfish-cbc': [['1.2.2,d0.28,l10.2', '6.6,d0.52', '7.1,d0.52'], [FAIL_BLOWFISH], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
+            'blowfish-cfb': [[], [FAIL_BLOWFISH], [WARN_CIPHER_MODE]],
+            'blowfish-ctr': [[], [FAIL_BLOWFISH], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
+            'blowfish-ecb': [[], [FAIL_BLOWFISH], [WARN_CIPHER_MODE]],
+            'blowfish': [[], [FAIL_BLOWFISH], [WARN_BLOCK_SIZE]],
+            'blowfish-ofb': [[], [FAIL_BLOWFISH], [WARN_CIPHER_MODE]],
+            'camellia128-cbc@openssh.org': [[], [], [WARN_CIPHER_MODE]],
+            'camellia128-cbc': [[], [], [WARN_CIPHER_MODE]],
+            'camellia128-ctr': [[]],
+            'camellia128-ctr@openssh.org': [[]],
+            'camellia192-cbc@openssh.org': [[], [], [WARN_CIPHER_MODE]],
+            'camellia192-cbc': [[], [], [WARN_CIPHER_MODE]],
+            'camellia192-ctr': [[]],
+            'camellia192-ctr@openssh.org': [[]],
+            'camellia256-cbc@openssh.org': [[], [], [WARN_CIPHER_MODE]],
+            'camellia256-cbc': [[], [], [WARN_CIPHER_MODE]],
+            'camellia256-ctr': [[]],
+            'camellia256-ctr@openssh.org': [[]],
+            'cast128-12-cbc@ssh.com': [[], [FAIL_CAST], [WARN_CIPHER_MODE]],
+            'cast128-cbc': [['2.1.0', '6.6', '7.1'], [FAIL_CAST], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
+            'cast128-12-cbc': [[], [FAIL_CAST], [WARN_CIPHER_MODE]],
+            'cast128-12-cfb': [[], [FAIL_CAST], [WARN_CIPHER_MODE]],
+            'cast128-12-ecb': [[], [FAIL_CAST], [WARN_CIPHER_MODE]],
+            'cast128-12-ofb': [[], [FAIL_CAST], [WARN_CIPHER_MODE]],
+            'cast128-cfb': [[], [FAIL_CAST], [WARN_CIPHER_MODE]],
+            'cast128-ctr': [[], [FAIL_CAST]],
+            'cast128-ecb': [[], [FAIL_CAST], [WARN_CIPHER_MODE]],
+            'cast128-ofb': [[], [FAIL_CAST], [WARN_CIPHER_MODE]],
+            'chacha20-poly1305': [[], [], [], [INFO_DEFAULT_OPENSSH_CIPHER]],
+            'chacha20-poly1305@openssh.com': [['6.5,d2020.79'], [], [], [INFO_DEFAULT_OPENSSH_CIPHER]],
+            'crypticore128@ssh.com': [[], [FAIL_UNPROVEN]],
+            'des-cbc': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
+            'des-cfb': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
+            'des-ecb': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
+            'des-ofb': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
+            'des-cbc-ssh1': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
+            'des-cbc@ssh.com': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
+            'des': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]],
+            'grasshopper-ctr128': [[], [FAIL_UNTRUSTED]],
+            'idea-cbc': [[], [FAIL_IDEA], [WARN_CIPHER_MODE]],
+            'idea-cfb': [[], [FAIL_IDEA], [WARN_CIPHER_MODE]],
+            'idea-ctr': [[], [FAIL_IDEA]],
+            'idea-ecb': [[], [FAIL_IDEA], [WARN_CIPHER_MODE]],
+            'idea-ofb': [[], [FAIL_IDEA], [WARN_CIPHER_MODE]],
+            'none': [['1.2.2,d2013.56,l10.2'], [FAIL_PLAINTEXT]],
+            'rijndael128-cbc': [['2.3.0', '7.0'], [FAIL_RIJNDAEL], [WARN_CIPHER_MODE], [INFO_DISABLED_IN_OPENSSH70]],
+            'rijndael192-cbc': [['2.3.0', '7.0'], [FAIL_RIJNDAEL], [WARN_CIPHER_MODE], [INFO_DISABLED_IN_OPENSSH70]],
+            'rijndael256-cbc': [['2.3.0', '7.0'], [FAIL_RIJNDAEL], [WARN_CIPHER_MODE], [INFO_DISABLED_IN_OPENSSH70]],
+            'rijndael-cbc@lysator.liu.se': [['2.3.0', '6.6', '7.0'], [FAIL_RIJNDAEL], [WARN_CIPHER_MODE], [INFO_DISABLED_IN_OPENSSH70]],
+            'rijndael-cbc@ssh.com': [[], [FAIL_RIJNDAEL], [WARN_CIPHER_MODE]],
+            'seed-cbc@ssh.com': [[], [FAIL_SEED], [WARN_CIPHER_MODE]],
+            'seed-ctr@ssh.com': [[], [FAIL_SEED]],
+            'serpent128-cbc': [[], [FAIL_SERPENT], [WARN_CIPHER_MODE]],
+            'serpent128-ctr': [[], [FAIL_SERPENT]],
+            'serpent128-gcm@libassh.org': [[], [FAIL_SERPENT]],
+            'serpent192-cbc': [[], [FAIL_SERPENT], [WARN_CIPHER_MODE]],
+            'serpent192-ctr': [[], [FAIL_SERPENT]],
+            'serpent256-cbc': [[], [FAIL_SERPENT], [WARN_CIPHER_MODE]],
+            'serpent256-ctr': [[], [FAIL_SERPENT]],
+            'serpent256-gcm@libassh.org': [[], [FAIL_SERPENT]],
+            'twofish128-cbc': [['d0.47', 'd2014.66'], [], [WARN_CIPHER_MODE], [INFO_DISABLED_IN_DBEAR67]],
+            'twofish128-ctr': [['d2015.68']],
+            'twofish128-gcm@libassh.org': [[]],
+            'twofish192-cbc': [[], [], [WARN_CIPHER_MODE]],
+            'twofish192-ctr': [[]],
+            'twofish256-cbc': [['d0.47', 'd2014.66'], [], [WARN_CIPHER_MODE], [INFO_DISABLED_IN_DBEAR67]],
+            'twofish256-ctr': [['d2015.68']],
+            'twofish256-gcm@libassh.org': [[]],
+            'twofish-cbc': [['d0.28', 'd2014.66'], [], [WARN_CIPHER_MODE], [INFO_DISABLED_IN_DBEAR67]],
+            'twofish-cfb': [[], [], [WARN_CIPHER_MODE]],
+            'twofish-ctr': [[]],
+            'twofish-ecb': [[], [], [WARN_CIPHER_MODE]],
+            'twofish-ofb': [[], [], [WARN_CIPHER_MODE]],
+        },
+        'mac': {
+            'AEAD_AES_128_GCM': [[]],
+            'AEAD_AES_256_GCM': [[]],
+            'aes128-gcm': [[]],
+            'aes256-gcm': [[]],
+            'cbcmac-3des': [[], [FAIL_UNPROVEN, FAIL_3DES]],
+            'cbcmac-aes': [[], [FAIL_UNPROVEN]],
+            'cbcmac-blowfish': [[], [FAIL_UNPROVEN, FAIL_BLOWFISH]],
+            'cbcmac-des': [[], [FAIL_UNPROVEN, FAIL_DES]],
+            'cbcmac-rijndael': [[], [FAIL_UNPROVEN, FAIL_RIJNDAEL]],
+            'cbcmac-twofish': [[], [FAIL_UNPROVEN]],
+            'chacha20-poly1305@openssh.com': [[], [], [], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH]],  # Despite the @openssh.com tag, this was never shipped as a MAC in OpenSSH (only as a cipher); it is only implemented as a MAC in Syncplify.
+            'crypticore-mac@ssh.com': [[], [FAIL_UNPROVEN]],
+            'hmac-md5': [['2.1.0,d0.28', '6.6', '7.1'], [FAIL_MD5], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-md5-96': [['2.5.0', '6.6', '7.1'], [FAIL_MD5], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-md5-96-etm@openssh.com': [['6.2', '6.6', '7.1'], [FAIL_MD5]],
+            'hmac-md5-etm@openssh.com': [['6.2', '6.6', '7.1'], [FAIL_MD5]],
+            'hmac-ripemd160': [['2.5.0', '6.6', '7.1'], [FAIL_RIPEMD], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-ripemd160-96': [[], [FAIL_RIPEMD], [WARN_ENCRYPT_AND_MAC, WARN_TAG_SIZE]],
+            'hmac-ripemd160-etm@openssh.com': [['6.2', '6.6', '7.1'], [FAIL_RIPEMD]],
+            'hmac-ripemd160@openssh.com': [['2.1.0', '6.6', '7.1'], [FAIL_RIPEMD], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-ripemd': [[], [FAIL_RIPEMD], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-sha1': [['2.1.0,d0.28,l10.2'], [FAIL_SHA1], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-sha1-96': [['2.5.0,d0.47', '6.6', '7.1'], [FAIL_SHA1], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-sha1-96-etm@openssh.com': [['6.2', '6.6', None], [FAIL_SHA1]],
+            'hmac-sha1-96@openssh.com': [[], [FAIL_SHA1], [WARN_TAG_SIZE, WARN_ENCRYPT_AND_MAC], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH]],
+            'hmac-sha1-etm@openssh.com': [['6.2'], [FAIL_SHA1]],
+            'hmac-sha2-224': [[], [], [WARN_TAG_SIZE, WARN_ENCRYPT_AND_MAC]],
+            'hmac-sha224@ssh.com': [[], [], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-sha2-256': [['5.9,d2013.56,l10.7.0'], [], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-sha2-256-96': [['5.9', '6.0'], [], [WARN_ENCRYPT_AND_MAC], [INFO_REMOVED_IN_OPENSSH61]],
+            'hmac-sha2-256-96-etm@openssh.com': [[], [], [WARN_TAG_SIZE_96], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH]],  # Only ever implemented in AsyncSSH (?).
+            'hmac-sha2-256-etm@openssh.com': [['6.2']],
+            'hmac-sha2-384': [[], [], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-sha2-512': [['5.9,d2013.56,l10.7.0'], [], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-sha2-512-96': [['5.9', '6.0'], [], [WARN_ENCRYPT_AND_MAC], [INFO_REMOVED_IN_OPENSSH61]],
+            'hmac-sha2-512-96-etm@openssh.com': [[], [], [WARN_TAG_SIZE_96], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH]],  # Only ever implemented in AsyncSSH (?).
+            'hmac-sha2-512-etm@openssh.com': [['6.2']],
+            'hmac-sha256-2@ssh.com': [[], [], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-sha256-96@ssh.com': [[], [], [WARN_ENCRYPT_AND_MAC, WARN_TAG_SIZE]],
+            'hmac-sha256-96': [[], [], [WARN_ENCRYPT_AND_MAC, WARN_TAG_SIZE]],
+            'hmac-sha256@ssh.com': [[], [], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-sha256': [[], [], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-sha2-56': [[], [], [WARN_TAG_SIZE, WARN_ENCRYPT_AND_MAC]],
+            'hmac-sha3-224': [[], [], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-sha3-256': [[], [], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-sha3-384': [[], [], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-sha3-512': [[], [], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-sha384@ssh.com': [[], [], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-sha512@ssh.com': [[], [], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-sha512': [[], [], [WARN_ENCRYPT_AND_MAC]],
+            'hmac-whirlpool': [[], [], [WARN_ENCRYPT_AND_MAC]],
+            'md5':  [[], [FAIL_PLAINTEXT]],
+            'md5-8':  [[], [FAIL_PLAINTEXT]],
+            'none': [['d2013.56'], [FAIL_PLAINTEXT]],
+            'ripemd160':  [[], [FAIL_PLAINTEXT]],
+            'ripemd160-8':  [[], [FAIL_PLAINTEXT]],
+            'sha1':  [[], [FAIL_PLAINTEXT]],
+            'sha1-8':  [[], [FAIL_PLAINTEXT]],
+            'umac-128': [[], [], [WARN_ENCRYPT_AND_MAC]],
+            'umac-128-etm@openssh.com': [['6.2']],
+            'umac-128@openssh.com': [['6.2'], [], [WARN_ENCRYPT_AND_MAC]],
+            'umac-32@openssh.com': [[], [], [WARN_ENCRYPT_AND_MAC, WARN_TAG_SIZE], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH]],
+            'umac-64-etm@openssh.com': [['6.2'], [], [WARN_TAG_SIZE]],
+            'umac-64@openssh.com': [['4.7'], [], [WARN_ENCRYPT_AND_MAC, WARN_TAG_SIZE]],
+            'umac-96@openssh.com': [[], [], [WARN_ENCRYPT_AND_MAC], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH]],
+        }
+    }
+
+
+    @staticmethod
+    def get_db() -> Dict[str, Dict[str, List[List[Optional[str]]]]]:
+        '''Returns a copy of the MASTER_DB that is private to the calling thread.  This prevents multiple threads from polluting the results of other threads.'''
+        calling_thread_id = threading.get_ident()
+
+        if calling_thread_id not in SSH2_KexDB.DB_PER_THREAD:
+            SSH2_KexDB.DB_PER_THREAD[calling_thread_id] = copy.deepcopy(SSH2_KexDB.MASTER_DB)
+
+        return SSH2_KexDB.DB_PER_THREAD[calling_thread_id]
+
+
+    @staticmethod
+    def thread_exit() -> None:
+        '''Deletes the calling thread's copy of the MASTER_DB.  This is needed because, in rare circumstances, a terminated thread's ID can be re-used by new threads.'''
+
+        calling_thread_id = threading.get_ident()
+
+        if calling_thread_id in SSH2_KexDB.DB_PER_THREAD:
+            del SSH2_KexDB.DB_PER_THREAD[calling_thread_id]
--- a/src/ssh_audit/ssh2_kexparty.py
+++ b/src/ssh_audit/ssh2_kexparty.py
@ -0,0 +1,58 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2024 Joe Testa (jtesta@positronsecurity.com)
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+# pylint: disable=unused-import
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+
+class SSH2_KexParty:
+    def __init__(self, enc: List[str], mac: List[str], compression: List[str], languages: List[str]) -> None:
+        self.__enc = enc
+        self.__mac = mac
+        self.__compression = compression
+        self.__languages = languages
+
+    @property
+    def encryption(self) -> List[str]:
+        return self.__enc
+
+    @property
+    def mac(self) -> List[str]:
+        return self.__mac
+
+    @property
+    def compression(self) -> List[str]:
+        return self.__compression
+
+    @property
+    def languages(self) -> List[str]:
+        return self.__languages
+
+    def __str__(self) -> str:
+        ret = "Ciphers: " + ", ".join(self.__enc)
+        ret += "\nMACs: " + ", ".join(self.__mac)
+        ret += "\nCompressions: " + ", ".join(self.__compression)
+        ret += "\nLanguages: " + ", ".join(self.__languages)
+        return ret
--- a/src/ssh_audit/ssh_audit.py
+++ b/src/ssh_audit/ssh_audit.py
--- a/src/ssh_audit/ssh_socket.py
+++ b/src/ssh_audit/ssh_socket.py
@ -0,0 +1,344 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017-2021 Joe Testa (jtesta@positronsecurity.com)
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+import errno
+import os
+import select
+import socket
+import struct
+import sys
+
+# pylint: disable=unused-import
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+from ssh_audit import exitcodes
+from ssh_audit.banner import Banner
+from ssh_audit.globals import SSH_HEADER
+from ssh_audit.outputbuffer import OutputBuffer
+from ssh_audit.protocol import Protocol
+from ssh_audit.readbuf import ReadBuf
+from ssh_audit.ssh1 import SSH1
+from ssh_audit.ssh2_kex import SSH2_Kex
+from ssh_audit.ssh2_kexparty import SSH2_KexParty
+from ssh_audit.utils import Utils
+from ssh_audit.writebuf import WriteBuf
+
+
+class SSH_Socket(ReadBuf, WriteBuf):
+    class InsufficientReadException(Exception):
+        pass
+
+    SM_BANNER_SENT = 1
+
+    def __init__(self, outputbuffer: 'OutputBuffer', host: Optional[str], port: int, ip_version_preference: List[int] = [], timeout: Union[int, float] = 5, timeout_set: bool = False) -> None:  # pylint: disable=dangerous-default-value
+        super(SSH_Socket, self).__init__()
+        self.__outputbuffer = outputbuffer
+        self.__sock: Optional[socket.socket] = None
+        self.__sock_map: Dict[int, socket.socket] = {}
+        self.__block_size = 8
+        self.__state = 0
+        self.__header: List[str] = []
+        self.__banner: Optional[Banner] = None
+        if host is None:
+            raise ValueError('undefined host')
+        nport = Utils.parse_int(port)
+        if nport < 1 or nport > 65535:
+            raise ValueError('invalid port: {}'.format(port))
+        self.__host = host
+        self.__port = nport
+        self.__ip_version_preference = ip_version_preference  # Holds only 5 possible values: [] (no preference), [4] (use IPv4 only), [6] (use IPv6 only), [46] (use both IPv4 and IPv6, but prioritize v4), and [64] (use both IPv4 and IPv6, but prioritize v6).
+        self.__timeout = timeout
+        self.__timeout_set = timeout_set
+        self.client_host: Optional[str] = None
+        self.client_port = None
+
+    def _resolve(self) -> Iterable[Tuple[int, Tuple[Any, ...]]]:
+        """Resolves a hostname into a list of IPs
+        Raises
+        ------
+        socket.gaierror [Errno -2]
+            If the hostname cannot be resolved.
+        """
+        # If __ip_version_preference has only one entry, then it means that ONLY that IP version should be used.
+        if len(self.__ip_version_preference) == 1:
+            family = socket.AF_INET if self.__ip_version_preference[0] == 4 else socket.AF_INET6
+        else:
+            family = socket.AF_UNSPEC
+        stype = socket.SOCK_STREAM
+        r = socket.getaddrinfo(self.__host, self.__port, family, stype)
+
+        # If the user has a preference for using IPv4 over IPv6 (or vice-versa), then sort the list returned by getaddrinfo() so that the preferred address type comes first.
+        if len(self.__ip_version_preference) == 2:
+            r = sorted(r, key=lambda x: x[0], reverse=(self.__ip_version_preference[0] == 6))  # pylint: disable=superfluous-parens
+        for af, socktype, _proto, _canonname, addr in r:
+            if socktype == socket.SOCK_STREAM:
+                yield af, addr
+
+    # Listens on a server socket and accepts one connection (used for
+    # auditing client connections).
+    def listen_and_accept(self) -> None:
+
+        try:
+            # Socket to listen on all IPv4 addresses.
+            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+            s.bind(('0.0.0.0', self.__port))
+            s.listen()
+            self.__sock_map[s.fileno()] = s
+        except Exception as e:
+            print("Warning: failed to listen on any IPv4 interfaces: %s" % str(e), file=sys.stderr)
+
+        try:
+            # Socket to listen on all IPv6 addresses.
+            s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
+            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+            s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
+            s.bind(('::', self.__port))
+            s.listen()
+            self.__sock_map[s.fileno()] = s
+        except Exception as e:
+            print("Warning: failed to listen on any IPv6 interfaces: %s" % str(e), file=sys.stderr)
+
+        # If we failed to listen on any interfaces, terminate.
+        if len(self.__sock_map.keys()) == 0:
+            print("Error: failed to listen on any IPv4 and IPv6 interfaces!", file=sys.stderr)
+            sys.exit(exitcodes.CONNECTION_ERROR)
+
+        # Wait for an incoming connection.  If a timeout was explicitly
+        # set by the user, terminate when it elapses.
+        fds = None
+        time_elapsed = 0.0
+        interval = 1.0
+        while True:
+            # Wait for a connection on either socket.
+            fds = select.select(self.__sock_map.keys(), [], [], interval)
+            time_elapsed += interval
+
+            # We have incoming data on at least one of the sockets.
+            if len(fds[0]) > 0:
+                break
+
+            if self.__timeout_set and time_elapsed >= self.__timeout:
+                print("Timeout elapsed.  Terminating...")
+                sys.exit(exitcodes.CONNECTION_ERROR)
+
+        # Accept the connection.
+        c, addr = self.__sock_map[fds[0][0]].accept()
+        self.client_host = addr[0]
+        self.client_port = addr[1]
+        c.settimeout(self.__timeout)
+        self.__sock = c
+
+    def connect(self) -> Optional[str]:
+        '''Returns None on success, or an error string.'''
+        err = None
+        s = None
+        try:
+            for af, addr in self._resolve():
+                s = socket.socket(af, socket.SOCK_STREAM)
+                s.settimeout(self.__timeout)
+                self.__outputbuffer.d(("Connecting to %s:%d..." % ('[%s]' % addr[0] if Utils.is_ipv6_address(addr[0]) else addr[0], addr[1])), write_now=True)
+                s.connect(addr)
+                self.__sock = s
+                return None
+        except socket.error as e:
+            err = e
+            self._close_socket(s)
+        if err is None:
+            errm = 'host {} has no DNS records'.format(self.__host)
+        else:
+            errt = (self.__host, self.__port, err)
+            errm = 'cannot connect to {} port {}: {}'.format(*errt)
+        return '[exception] {}'.format(errm)
+
+    def get_banner(self, sshv: int = 2) -> Tuple[Optional['Banner'], List[str], Optional[str]]:
+        self.__outputbuffer.d('Getting banner...', write_now=True)
+
+        if self.__sock is None:
+            return self.__banner, self.__header, 'not connected'
+        if self.__banner is not None:
+            return self.__banner, self.__header, None
+
+        banner = SSH_HEADER.format('1.5' if sshv == 1 else '2.0')
+        if self.__state < self.SM_BANNER_SENT:
+            self.send_banner(banner)
+
+        s = 0
+        e = None
+        while s >= 0:
+            s, e = self.recv()
+            if s < 0:
+                continue
+            while self.unread_len > 0:
+                line = self.read_line()
+                if len(line.strip()) == 0:
+                    continue
+                self.__banner = Banner.parse(line)
+                if self.__banner is not None:
+                    return self.__banner, self.__header, None
+                self.__header.append(line)
+
+        return self.__banner, self.__header, e
+
+    def recv(self, size: int = 2048) -> Tuple[int, Optional[str]]:
+        if self.__sock is None:
+            return -1, 'not connected'
+        try:
+            data = self.__sock.recv(size)
+        except socket.timeout:
+            return -1, 'timed out'
+        except socket.error as e:
+            if e.args[0] in (errno.EAGAIN, errno.EWOULDBLOCK):
+                return 0, 'retry'
+            return -1, str(e.args[-1])
+        if len(data) == 0:
+            return -1, None
+        pos = self._buf.tell()
+        self._buf.seek(0, 2)
+        self._buf.write(data)
+        self._len += len(data)
+        self._buf.seek(pos, 0)
+        return len(data), None
+
+    def send(self, data: bytes) -> Tuple[int, Optional[str]]:
+        if self.__sock is None:
+            return -1, 'not connected'
+        try:
+            self.__sock.send(data)
+            return 0, None
+        except socket.error as e:
+            return -1, str(e.args[-1])
+
+    # Send a KEXINIT with the lists of key exchanges, hostkeys, ciphers, MACs, compressions, and languages that we "support".
+    def send_kexinit(self, key_exchanges: List[str] = ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group14-sha256'], hostkeys: List[str] = ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa', 'ecdsa-sha2-nistp256', 'ssh-ed25519'], ciphers: List[str] = ['chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'aes128-gcm@openssh.com', 'aes256-gcm@openssh.com'], macs: List[str] = ['umac-64-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'hmac-sha1-etm@openssh.com', 'umac-64@openssh.com', 'umac-128@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'], compressions: List[str] = ['none', 'zlib@openssh.com'], languages: List[str] = ['']) -> None:  # pylint: disable=dangerous-default-value
+        '''Sends the list of supported host keys, key exchanges, ciphers, and MACs.  Emulates OpenSSH v8.2.'''
+
+        self.__outputbuffer.d('KEX initialisation...', write_now=True)
+
+        kexparty = SSH2_KexParty(ciphers, macs, compressions, languages)
+        kex = SSH2_Kex(self.__outputbuffer, os.urandom(16), key_exchanges, hostkeys, kexparty, kexparty, False, 0)
+
+        self.write_byte(Protocol.MSG_KEXINIT)
+        kex.write(self)
+        self.send_packet()
+
+    def send_banner(self, banner: str) -> None:
+        self.send(banner.encode() + b'\r\n')
+        self.__state = max(self.__state, self.SM_BANNER_SENT)
+
+    def ensure_read(self, size: int) -> None:
+        while self.unread_len < size:
+            s, e = self.recv()
+            if s < 0:
+                raise SSH_Socket.InsufficientReadException(e)
+
+    def read_packet(self, sshv: int = 2) -> Tuple[int, bytes]:
+        try:
+            header = WriteBuf()
+            self.ensure_read(4)
+            packet_length = self.read_int()
+            header.write_int(packet_length)
+            # XXX: validate length
+            if sshv == 1:
+                padding_length = 8 - packet_length % 8
+                self.ensure_read(padding_length)
+                padding = self.read(padding_length)
+                header.write(padding)
+                payload_length = packet_length
+                check_size = padding_length + payload_length
+            else:
+                self.ensure_read(1)
+                padding_length = self.read_byte()
+                header.write_byte(padding_length)
+                payload_length = packet_length - padding_length - 1
+                check_size = 4 + 1 + payload_length + padding_length
+            if check_size % self.__block_size != 0:
+                self.__outputbuffer.fail('[exception] invalid ssh packet (block size)').write()
+                sys.exit(exitcodes.CONNECTION_ERROR)
+            self.ensure_read(payload_length)
+            if sshv == 1:
+                payload = self.read(payload_length - 4)
+                header.write(payload)
+                crc = self.read_int()
+                header.write_int(crc)
+            else:
+                payload = self.read(payload_length)
+                header.write(payload)
+            packet_type = ord(payload[0:1])
+            if sshv == 1:
+                rcrc = SSH1.crc32(padding + payload)
+                if crc != rcrc:
+                    self.__outputbuffer.fail('[exception] packet checksum CRC32 mismatch.').write()
+                    sys.exit(exitcodes.CONNECTION_ERROR)
+            else:
+                self.ensure_read(padding_length)
+                padding = self.read(padding_length)
+            payload = payload[1:]
+            return packet_type, payload
+        except SSH_Socket.InsufficientReadException as ex:
+            if ex.args[0] is None:
+                header.write(self.read(self.unread_len))
+                e = header.write_flush().strip()
+            else:
+                e = ex.args[0].encode('utf-8')
+            return -1, e
+
+    def send_packet(self) -> Tuple[int, Optional[str]]:
+        payload = self.write_flush()
+        padding = -(len(payload) + 5) % 8
+        if padding < 4:
+            padding += 8
+        plen = len(payload) + padding + 1
+        pad_bytes = b'\x00' * padding
+        data = struct.pack('>Ib', plen, padding) + payload + pad_bytes
+        return self.send(data)
+
+    def is_connected(self) -> bool:
+        """Returns true if this Socket is connected, False otherwise."""
+        return self.__sock is not None
+
+    def close(self) -> None:
+        self.__cleanup()
+        self.reset()
+        self.__state = 0
+        self.__header = []
+        self.__banner = None
+
+    def _close_socket(self, s: Optional[socket.socket]) -> None:
+        try:
+            if s is not None:
+                s.shutdown(socket.SHUT_RDWR)
+                s.close()  # pragma: nocover
+        except Exception:
+            pass
+
+    def __del__(self) -> None:
+        self.__cleanup()
+
+    def __cleanup(self) -> None:
+        self._close_socket(self.__sock)
+        for sock in self.__sock_map.values():
+            self._close_socket(sock)
+        self.__sock = None
--- a/src/ssh_audit/timeframe.py
+++ b/src/ssh_audit/timeframe.py
@ -0,0 +1,77 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+# pylint: disable=unused-import
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+from ssh_audit.algorithm import Algorithm
+
+
+class Timeframe:
+    def __init__(self) -> None:
+        self.__storage: Dict[str, List[Optional[str]]] = {}
+
+    def __contains__(self, product: str) -> bool:
+        return product in self.__storage
+
+    def __getitem__(self, product: str) -> Sequence[Optional[str]]:
+        return tuple(self.__storage.get(product, [None] * 4))
+
+    def __str__(self) -> str:
+        return self.__storage.__str__()
+
+    def __repr__(self) -> str:
+        return self.__str__()
+
+    def get_from(self, product: str, for_server: bool = True) -> Optional[str]:
+        return self[product][0 if bool(for_server) else 2]
+
+    def get_till(self, product: str, for_server: bool = True) -> Optional[str]:
+        return self[product][1 if bool(for_server) else 3]
+
+    def _update(self, versions: Optional[str], pos: int) -> None:
+        ssh_versions: Dict[str, str] = {}
+        for_srv, for_cli = pos < 2, pos > 1
+        for v in (versions or '').split(','):
+            ssh_prod, ssh_ver, is_cli = Algorithm.get_ssh_version(v)
+            if not ssh_ver or (is_cli and for_srv) or (not is_cli and for_cli and ssh_prod in ssh_versions):
+                continue
+            ssh_versions[ssh_prod] = ssh_ver
+        for ssh_product, ssh_version in ssh_versions.items():
+            if ssh_product not in self.__storage:
+                self.__storage[ssh_product] = [None] * 4
+            prev = self[ssh_product][pos]
+            if (prev is None or (prev < ssh_version and pos % 2 == 0) or (prev > ssh_version and pos % 2 == 1)):
+                self.__storage[ssh_product][pos] = ssh_version
+
+    def update(self, versions: List[Optional[str]], for_server: Optional[bool] = None) -> 'Timeframe':
+        for_cli = for_server is None or for_server is False
+        for_srv = for_server is None or for_server is True
+        vlen = len(versions)
+        for i in range(min(3, vlen)):
+            if for_srv and i < 2:
+                self._update(versions[i], i)
+            if for_cli and (i % 2 == 0 or vlen == 2):
+                self._update(versions[i], 3 - 0**i)
+        return self
--- a/src/ssh_audit/utils.py
+++ b/src/ssh_audit/utils.py
@ -0,0 +1,165 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017-2020 Joe Testa (jtesta@positronsecurity.com)
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+import ipaddress
+import re
+import sys
+
+# pylint: disable=unused-import
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+
+class Utils:
+    @classmethod
+    def _type_err(cls, v: Any, target: str) -> TypeError:
+        return TypeError('cannot convert {} to {}'.format(type(v), target))
+
+    @classmethod
+    def to_bytes(cls, v: Union[bytes, str], enc: str = 'utf-8') -> bytes:
+        if isinstance(v, bytes):
+            return v
+        elif isinstance(v, str):
+            return v.encode(enc)
+        raise cls._type_err(v, 'bytes')
+
+    @classmethod
+    def to_text(cls, v: Union[str, bytes], enc: str = 'utf-8') -> str:
+        if isinstance(v, str):
+            return v
+        elif isinstance(v, bytes):
+            return v.decode(enc)
+        raise cls._type_err(v, 'unicode text')
+
+    @classmethod
+    def _is_ascii(cls, v: str, char_filter: Callable[[int], bool] = lambda x: x <= 127) -> bool:
+        r = False
+        if isinstance(v, str):
+            for c in v:
+                i = cls.ctoi(c)
+                if not char_filter(i):
+                    return r
+            r = True
+        return r
+
+    @classmethod
+    def _to_ascii(cls, v: str, char_filter: Callable[[int], bool] = lambda x: x <= 127, errors: str = 'replace') -> str:
+        if isinstance(v, str):
+            r = bytearray()
+            for c in v:
+                i = cls.ctoi(c)
+                if char_filter(i):
+                    r.append(i)
+                else:
+                    if errors == 'ignore':
+                        continue
+                    r.append(63)
+            return cls.to_text(r.decode('ascii'))
+        raise cls._type_err(v, 'ascii')
+
+    @classmethod
+    def is_ascii(cls, v: str) -> bool:
+        return cls._is_ascii(v)
+
+    @classmethod
+    def to_ascii(cls, v: str, errors: str = 'replace') -> str:
+        return cls._to_ascii(v, errors=errors)
+
+    @classmethod
+    def is_print_ascii(cls, v: str) -> bool:
+        return cls._is_ascii(v, lambda x: 126 >= x >= 32)
+
+    @classmethod
+    def to_print_ascii(cls, v: str, errors: str = 'replace') -> str:
+        return cls._to_ascii(v, lambda x: 126 >= x >= 32, errors)
+
+    @classmethod
+    def unique_seq(cls, seq: Sequence[Any]) -> Sequence[Any]:
+        seen: Set[Any] = set()
+
+        def _seen_add(x: Any) -> bool:
+            seen.add(x)
+            return False
+
+        if isinstance(seq, tuple):
+            return tuple(x for x in seq if x not in seen and not _seen_add(x))
+        else:
+            return [x for x in seq if x not in seen and not _seen_add(x)]
+
+    @classmethod
+    def ctoi(cls, c: Union[str, int]) -> int:
+        if isinstance(c, str):
+            return ord(c[0])
+        else:
+            return c
+
+    @staticmethod
+    def parse_int(v: Any) -> int:
+        try:
+            return int(v)
+        except ValueError:
+            return 0
+
+    @staticmethod
+    def parse_float(v: Any) -> float:
+        try:
+            return float(v)
+        except ValueError:
+            return -1.0
+
+    @staticmethod
+    def parse_host_and_port(host_and_port: str, default_port: int = 22) -> Tuple[str, int]:
+        '''Parses a string into a tuple of its host and port.  The port is 0 if not specified.'''
+        host = host_and_port
+        port = default_port
+
+        mx = re.match(r'^\[([^\]]+)\](?::(\d+))?$', host_and_port)
+        if mx is not None:
+            host = mx.group(1)
+            port_str = mx.group(2)
+            if port_str is not None:
+                port = int(port_str)
+        else:
+            s = host_and_port.split(':')
+            if len(s) == 2:
+                host = s[0]
+                if len(s[1]) > 0:
+                    port = int(s[1])
+
+        return host, port
+
+    @staticmethod
+    def is_ipv6_address(address: str) -> bool:
+        '''Returns True if address is an IPv6 address, otherwise False.'''
+        is_ipv6 = True
+        try:
+            ipaddress.IPv6Address(address)
+        except ipaddress.AddressValueError:
+            is_ipv6 = False
+
+        return is_ipv6
+
+    @staticmethod
+    def is_windows() -> bool:
+        return sys.platform in ['win32', 'cygwin']
--- a/src/ssh_audit/writebuf.py
+++ b/src/ssh_audit/writebuf.py
@ -0,0 +1,108 @@
+"""
+   The MIT License (MIT)
+
+   Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+"""
+import io
+import struct
+
+# pylint: disable=unused-import
+from typing import Dict, List, Set, Sequence, Tuple, Iterable  # noqa: F401
+from typing import Callable, Optional, Union, Any  # noqa: F401
+
+
+class WriteBuf:
+    def __init__(self, data: Optional[bytes] = None) -> None:
+        super(WriteBuf, self).__init__()
+        self._wbuf = io.BytesIO(data) if data is not None else io.BytesIO()
+
+    def write(self, data: bytes) -> 'WriteBuf':
+        self._wbuf.write(data)
+        return self
+
+    def write_byte(self, v: int) -> 'WriteBuf':
+        return self.write(struct.pack('B', v))
+
+    def write_bool(self, v: bool) -> 'WriteBuf':
+        return self.write_byte(1 if v else 0)
+
+    def write_int(self, v: int) -> 'WriteBuf':
+        return self.write(struct.pack('>I', v))
+
+    def write_string(self, v: Union[bytes, str]) -> 'WriteBuf':
+        if not isinstance(v, bytes):
+            v = bytes(bytearray(v, 'utf-8'))
+        self.write_int(len(v))
+        return self.write(v)
+
+    def write_list(self, v: List[str]) -> 'WriteBuf':
+        return self.write_string(','.join(v))
+
+    @classmethod
+    def _bitlength(cls, n: int) -> int:
+        try:
+            return n.bit_length()
+        except AttributeError:
+            return len(bin(n)) - (2 if n > 0 else 3)
+
+    @classmethod
+    def _create_mpint(cls, n: int, signed: bool = True, bits: Optional[int] = None) -> bytes:
+        if bits is None:
+            bits = cls._bitlength(n)
+        length = bits // 8 + (1 if n != 0 else 0)
+        ql = (length + 7) // 8
+        fmt, v2 = '>{}Q'.format(ql), [0] * ql
+        for i in range(ql):
+            v2[ql - i - 1] = n & 0xffffffffffffffff
+            n >>= 64
+        data = bytes(struct.pack(fmt, *v2)[-length:])
+        if not signed:
+            data = data.lstrip(b'\x00')
+        elif data.startswith(b'\xff\x80'):
+            data = data[1:]
+        return data
+
+    def write_mpint1(self, n: int) -> 'WriteBuf':
+        # NOTE: Data Type Enc @ http://www.snailbook.com/docs/protocol-1.5.txt
+        bits = self._bitlength(n)
+        data = self._create_mpint(n, False, bits)
+        self.write(struct.pack('>H', bits))
+        return self.write(data)
+
+    def write_mpint2(self, n: int) -> 'WriteBuf':
+        # NOTE: Section 5 @ https://www.ietf.org/rfc/rfc4251.txt
+        data = self._create_mpint(n)
+        return self.write_string(data)
+
+    def write_line(self, v: Union[bytes, str]) -> 'WriteBuf':
+        if not isinstance(v, bytes):
+            v = bytes(bytearray(v, 'utf-8'))
+        v += b'\r\n'
+        return self.write(v)
+
+    def write_flush(self) -> bytes:
+        payload = self._wbuf.getvalue()
+        self._wbuf.truncate(0)
+        self._wbuf.seek(0)
+        return payload
+
+    def reset(self) -> None:
+        self._wbuf = io.BytesIO()
--- a/ssh-audit.1
+++ b/ssh-audit.1
@ -0,0 +1,354 @@
+.TH SSH-AUDIT 1 "September 24, 2024"
+.SH NAME
+\fBssh-audit\fP \- SSH server & client configuration auditor
+.SH SYNOPSIS
+.B ssh-audit
+.RI [ options ] " <target_host>"
+.SH DESCRIPTION
+.PP
+\fBssh-audit\fP analyzes the configuration of SSH servers & clients, then warns the user of weak, obsolete, and/or untested cryptographic primitives.  It is very useful for hardening SSH tunnels, which by default tend to be optimized for compatibility, not security.
+.PP
+See <https://www.ssh\-audit.com/> for official hardening guides for common platforms.
+
+.SH OPTIONS
+.TP
+.B -h, \-\-help
+.br
+Print short summary of options.
+
+.TP
+.B -1, \-\-ssh1
+.br
+Only perform an audit using SSH protocol version 1.
+
+.TP
+.B -2, \-\-ssh2
+.br
+Only perform an audit using SSH protocol version 2.
+
+.TP
+.B -4, \-\-ipv4
+.br
+Prioritize the usage of IPv4.
+
+.TP
+.B -6, \-\-ipv6
+.br
+Prioritize the usage of IPv6.
+
+.TP
+.B -b, \-\-batch
+.br
+Enables grepable output.
+
+.TP
+.B -c, \-\-client\-audit
+.br
+Starts a server on port 2222 to audit client software configuration.  Use -p/--port=<port> to change port and -t/--timeout=<secs> to change listen timeout.
+
+.TP
+.B     \-\-conn\-rate\-test=N[:max_rate]
+.br
+Performs a connection rate test (useful for collecting metrics related to susceptibility of the DHEat vulnerability [CVE-2002-20001]).  A successful connection is counted when the server returns a valid SSH banner.  Testing is conducted with N concurrent sockets with an optional maximum rate of connections per second.
+
+.TP
+.B -d, \-\-debug
+.br
+Enable debug output.
+
+.TP
+.B     \-\-dheat=N[:kex[:e_len]]
+.br
+Run the DHEat DoS attack (CVE-2002-20001) against the target server (which will consume all available CPU resources).  The number of concurrent sockets, N, needed to achieve this effect will be highly dependent on the CPU resources available on the target, as well as the latency between the source and target machines.  The key exchange is automatically chosen based on which would cause maximum effect, unless explicitly chosen in the second field.  Lastly, an (experimental) option allows the length in bytes of the fake e value sent to the server to be specified in the third field.  Normally, the length of e is roughly the length of the modulus of the Diffie-Hellman exchange (hence, an 8192-bit / 1024-byte value of e is sent in each connection when targeting the diffie-hellman-group18-sha512 algorithm).  Instead, it was observed that many SSH implementations accept small values, such as 4 bytes; this results in a much more network-efficient attack.
+
+.TP
+.B -g, \-\-gex-test=<x[,y,...] | min1:pref1:max1[,min2:pref2:max2,...] | x-y[:step]>
+.br
+Runs a Diffie-Hellman Group Exchange modulus size test against a server.
+
+Diffie-Hellman requires the client and server to agree on a generator value and a modulus value.  In the "Group Exchange" implementation of Diffie-Hellman, the client specifies the size of the modulus in bits by providing the server with minimum, preferred and maximum values. The server then finds a group that best matches the client's request, returning the corresponding generator and modulus.  For a full explanation of this process see RFC 4419 and its successors.
+
+This test acts as a client by providing an SSH server with the size of a modulus and then obtains the size of the modulus returned by the server.
+
+Three types of syntax are supported:
+
+  1. <x[,y,...]>
+
+     A comma delimited list of modulus sizes.
+     A test is performed against each value in the list where it acts as the minimum, preferred and maximum modulus size.
+
+  2. <min:pref:max[,min:pref:max,...]>
+
+     A set of three colon delimited values denoting minimum, preferred and maximum modulus size.
+     A test is performed against each set.
+     Multiple sets can specified as a comma separated list.
+
+  3. <x-y[:step]>
+
+     A range of modulus sizes with an optional step value. Step defaults to 1 if omitted.
+     If the left value is greater than the right value, then the sequence operates from right to left.
+     A test is performed against each value in the range where it acts as the minimum, preferred and maximum modulus size.
+
+Duplicates are excluded from the return value.
+
+.TP
+.B -j, \-\-json
+.br
+Output results in JSON format.  Specify twice (-jj) to enable indent printing (useful for debugging).
+
+.TP
+.B -l, \-\-level=<info|warn|fail>
+.br
+Specify the minimum output level.  Default is info.
+
+.TP
+.B -L, \-\-list-policies
+.br
+List all official, built-in policies for common systems.  Their full names can then be passed to -P/--policy.  Add \-v to \-L to view policy change logs.
+
+.TP
+.B \-\-lookup=<alg1,alg2,...>
+.br
+Look up the security information of an algorithm(s) in the internal database.  Does not connect to a server.
+
+.TP
+.B -m, \-\-manual
+.br
+Print the man page (Docker, PyPI, Snap, and Windows builds only).
+
+.TP
+.B -M, \-\-make-policy=<custom_policy.txt>
+.br
+Creates a policy based on the target server.  Useful when other servers should be compared to the target server's custom configuration (i.e.: a cluster environment).  Note that the resulting policy can be edited manually.
+
+.TP
+.B -n, \-\-no-colors
+.br
+Disable color output.  Automatically set when the NO_COLOR environment variable is set.
+
+.TP
+.B -p, \-\-port=<port>
+.br
+The TCP port to connect to when auditing a server, or the port to listen on when auditing a client.
+
+.TP
+.B -P, \-\-policy=<"built-in policy name" | path/to/custom_policy.txt>
+.br
+Runs a policy audit against a target using the specified policy (see \fBPOLICY AUDIT\fP section for detailed description of this mode of operation).  Combine with -c/--client-audit to audit a client configuration instead of a server.  Use -L/--list-policies to list all official, built-in policies for common systems.
+
+.TP
+.B     \-\-skip\-rate\-test
+.br
+Skips the connection rate test during standard audits.  By default, a few dozen TCP connections are created with the target host to see if connection throttling is implemented (this can safely infer whether the target is vulnerable to the DHEat attack; see CVE-2002-20001).
+
+.TP
+.B -t, \-\-timeout=<secs>
+.br
+The timeout, in seconds, for creating connections and reading data from the socket.  Default is 5.
+
+.TP
+.B -T, \-\-targets=<hosts.txt>
+.br
+A file containing a list of target hosts.  Each line must have one host, in the format of HOST[:PORT].  Use -p/--port to set the default port for all hosts.  Use --threads to control concurrent scans.
+
+.TP
+.B     \-\-threads=<threads>
+.br
+The number of threads to use when scanning multiple targets (with -T/--targets).  Default is 32.
+
+.TP
+.B -v, \-\-verbose
+.br
+Enable verbose output.
+
+
+.SH STANDARD AUDIT
+.PP
+By default, \fBssh-audit\fP performs a standard audit.  That is, it enumerates all host key types, key exchanges, ciphers, MACs, and other information, then color-codes them in output to the user.  Cryptographic primitives with potential issues are displayed in yellow; primitives with serious flaws are displayed in red.
+
+
+.SH POLICY AUDIT
+.PP
+When the -P/--policy option is used, \fBssh-audit\fP performs a policy audit.  The target's host key types, key exchanges, ciphers, MACs, and other information is compared to a set of expected values defined in the specified policy file.  If everything matches, only a short message stating a passing result is reported.  Otherwise, the field(s) that did not match are reported.
+
+.PP
+Policy auditing is helpful for ensuring a group of related servers are properly hardened to an exact specification.
+
+.PP
+The set of official built-in policies can be viewed with -L/--list-policies.  Multiple servers can be audited with -T/--targets=<servers.txt>.  Custom policies can be made from an ideal target server with -M/--make-policy=<custom_policy.txt>.
+
+
+.SH EXAMPLES
+.LP
+Basic server auditing:
+.RS
+.nf
+ssh-audit localhost
+ssh-audit 127.0.0.1
+ssh-audit 127.0.0.1:222
+ssh-audit ::1
+ssh-audit [::1]:222
+.fi
+.RE
+
+.LP
+To run a standard audit against many servers (place targets into servers.txt, one on each line in the format of HOST[:PORT]):
+.RS
+.nf
+ssh-audit -T servers.txt
+.fi
+.RE
+
+.LP
+To audit a client configuration (listens on port 2222 by default; connect using "ssh -p 2222 anything@localhost"):
+.RS
+.nf
+ssh-audit -c
+.fi
+.RE
+
+.LP
+To audit a client configuration, with a listener on port 4567:
+.RS
+.nf
+ssh-audit -c -p 4567
+.fi
+.RE
+
+.LP
+To list all official built-in policies (hint: use their full names with -P/--policy):
+.RS
+.nf
+ssh-audit -L
+.fi
+.RE
+
+.LP
+To run a built-in policy audit against a server (hint: use -L to see list of built-in policies):
+.RS
+.nf
+ssh-audit -P "Hardened Ubuntu Server 20.04 LTS (version 1)" targetserver
+.fi
+.RE
+
+
+.LP
+To run a custom policy audit against a server (hint: use -M/--make-policy to create a custom policy file):
+.RS
+.nf
+ssh-audit -P path/to/server_policy.txt targetserver
+.fi
+.RE
+
+.LP
+To run a policy audit against a client:
+.RS
+.nf
+ssh-audit -c -P ["policy name" | path/to/client_policy.txt]
+.fi
+.RE
+
+.LP
+To run a policy audit against many servers:
+.RS
+.nf
+ssh-audit -T servers.txt -P ["policy name" | path/to/server_policy.txt]
+.fi
+.RE
+
+.LP
+To create a policy based on a target server (which can be manually edited; see official built-in policies for syntax examples):
+.RS
+.nf
+ssh-audit -M new_policy.txt targetserver
+.fi
+.RE
+
+.LP
+To run a Diffie-Hellman Group Exchange modulus size test using the values 2000 bits, 3000 bits, 4000 bits and 5000 bits:
+.RS
+.nf
+ssh-audit targetserver --gex-test=2000,3000,4000,5000
+.fi
+.RE
+
+.LP
+To run a Diffie-Hellman Group Exchange modulus size test where 2048 bits is the minimum, 3072 bits is the preferred and 5000 bits is the maximum:
+.RS
+.nf
+ssh-audit targetserver --gex-test=2048:3072:5000
+.fi
+.RE
+
+.LP
+To run a Diffie-Hellman Group Exchange modulus size test from 0 bits to 5120 bits in increments of 1024 bits:
+.RS
+.nf
+ssh-audit targetserver --gex-test=0-5120:1024
+.fi
+.RE
+
+.LP
+To run the DHEat DoS attack (monitor the target server's CPU usage to determine the optimal number of concurrent sockets):
+.RS
+.nf
+ssh-audit targetserver --dheat=10
+.fi
+.RE
+
+.LP
+To run the DHEat attack and manually target the diffie-hellman-group-exchange-sha256 algorithm:
+.RS
+.nf
+ssh-audit targetserver --dheat=10:diffie-hellman-group-exchange-sha256
+.fi
+.RE
+
+.LP
+To run the DHEat attack and manually target the diffie-hellman-group-exchange-sha256 algorithm with a very small length of e (resulting in the same effect but without having to send large packets):
+.RS
+.nf
+ssh-audit targetserver --dheat=10:diffie-hellman-group-exchange-sha256:4
+.fi
+.RE
+
+.LP
+To test the number of successful connections per second that can be created with the target using 8 parallel threads (useful for detecting whether connection throttling is implemented by the target):
+.RS
+.nf
+ssh-audit targetserver --conn-rate-test=8
+.fi
+.RE
+
+.LP
+To use 8 parallel threads to create up to 100 connections per second with the target (useful for understanding how much CPU load is caused on the target simply from handling new connections vs excess modular exponentiation when performing the DHEat attack):
+.RS
+.nf
+ssh-audit targetserver --conn-rate-test=8:100
+.fi
+.RE
+
+.SH RETURN VALUES
+When a successful connection is made and all algorithms are rated as "good", \fBssh-audit\fP returns 0.  Other possible return values are:
+
+.RS
+.nf
+1 = connection error
+2 = at least one algorithm warning was found
+3 = at least one algorithm failure was found
+<any other non-zero value> = unknown error
+.fi
+.RE
+
+.SH SSH HARDENING GUIDES
+Hardening guides for common platforms can be found at: <https://www.ssh\-audit.com/>
+
+.SH BUG REPORTS
+Please file bug reports as a Github Issue at: <https://github.com/jtesta/ssh\-audit/issues>
+
+.SH AUTHOR
+.LP
+\fBssh-audit\fP was originally written by Andris Raugulis <moo@arthepsy.eu>, and maintained from 2015 to 2017.
+.br
+.LP
+Maintainership was assumed and development was resumed in 2017 by Joe Testa <jtesta@positronsecurity.com>.
--- a/ssh-audit.py
+++ b/ssh-audit.py
--- a/test/conftest.py
+++ b/test/conftest.py
@ -1,10 +1,152 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-import os, sys
+import io
+import sys
+import socket
 import pytest

+
@pytest.fixture(scope='module')
 def ssh_audit():
-	__rdir = os.path.join(os.path.dirname(os.path.abspath(__file__)), '..')
-	sys.path.append(os.path.abspath(__rdir))
-	return __import__('ssh-audit')
+    import ssh_audit.ssh_audit
+    return ssh_audit.ssh_audit
+
+
+# pylint: disable=attribute-defined-outside-init
+class _OutputSpy(list):
+    def begin(self):
+        self.__out = io.StringIO()
+        self.__old_stdout = sys.stdout
+        sys.stdout = self.__out
+
+    def flush(self):
+        lines = self.__out.getvalue().splitlines()
+        sys.stdout = self.__old_stdout
+        self.__out = None
+        return lines
+
+
+@pytest.fixture(scope='module')
+def output_spy():
+    return _OutputSpy()
+
+
+class _VirtualGlobalSocket:
+    def __init__(self, vsocket):
+        self.vsocket = vsocket
+        self.addrinfodata = {}
+
+    # pylint: disable=unused-argument
+    def create_connection(self, address, timeout=0, source_address=None):
+        # pylint: disable=protected-access
+        return self.vsocket._connect(address, True)
+
+    # pylint: disable=unused-argument
+    def socket(self,
+               family=socket.AF_INET,
+               socktype=socket.SOCK_STREAM,
+               proto=0,
+               fileno=None):
+        return self.vsocket
+
+    def getaddrinfo(self, host, port, family=0, socktype=0, proto=0, flags=0):
+        key = '{}#{}'.format(host, port)
+        if key in self.addrinfodata:
+            data = self.addrinfodata[key]
+            if isinstance(data, Exception):
+                raise data
+            return data
+        if host == 'localhost':
+            r = []
+            if family in (0, socket.AF_INET):
+                r.append((socket.AF_INET, 1, 6, '', ('127.0.0.1', port)))
+            if family in (0, socket.AF_INET6):
+                r.append((socket.AF_INET6, 1, 6, '', ('::1', port)))
+            return r
+        return []
+
+
+class _VirtualSocket:
+    def __init__(self):
+        self.sock_address = ('127.0.0.1', 0)
+        self.peer_address = None
+        self._connected = False
+        self.timeout = -1.0
+        self.rdata = []
+        self.sdata = []
+        self.errors = {}
+        self.blocking = False
+        self.gsock = _VirtualGlobalSocket(self)
+
+    def _check_err(self, method):
+        method_error = self.errors.get(method)
+        if method_error:
+            raise method_error
+
+    def connect(self, address):
+        return self._connect(address, False)
+
+    def connect_ex(self, address):
+        return self.connect(address)
+
+    def _connect(self, address, ret=True):
+        self.peer_address = address
+        self._connected = True
+        self._check_err('connect')
+        return self if ret else None
+
+    def setblocking(self, r: bool):
+        self.blocking = r
+
+    def settimeout(self, timeout):
+        self.timeout = timeout
+
+    def gettimeout(self):
+        return self.timeout
+
+    def getpeername(self):
+        if self.peer_address is None or not self._connected:
+            raise OSError(57, 'Socket is not connected')
+        return self.peer_address
+
+    def getsockname(self):
+        return self.sock_address
+
+    def bind(self, address):
+        self.sock_address = address
+
+    def listen(self, backlog):
+        pass
+
+    def accept(self):
+        # pylint: disable=protected-access
+        conn = _VirtualSocket()
+        conn.sock_address = self.sock_address
+        conn.peer_address = ('127.0.0.1', 0)
+        conn._connected = True
+        return conn, conn.peer_address
+
+    def recv(self, bufsize, flags=0):
+        # pylint: disable=unused-argument
+        if not self._connected:
+            raise OSError(54, 'Connection reset by peer')
+        if not len(self.rdata) > 0:
+            return b''
+        data = self.rdata.pop(0)
+        if isinstance(data, Exception):
+            raise data
+        return data
+
+    def send(self, data):
+        if self.peer_address is None or not self._connected:
+            raise OSError(32, 'Broken pipe')
+        self._check_err('send')
+        self.sdata.append(data)
+
+
+@pytest.fixture()
+def virtual_socket(monkeypatch):
+    vsocket = _VirtualSocket()
+    gsock = vsocket.gsock
+    monkeypatch.setattr(socket, 'create_connection', gsock.create_connection)
+    monkeypatch.setattr(socket, 'socket', gsock.socket)
+    monkeypatch.setattr(socket, 'getaddrinfo', gsock.getaddrinfo)
+    return vsocket
--- a/test/docker/.ed25519.sk
+++ b/test/docker/.ed25519.sk
@ -0,0 +1 @@
+iÜ›<EFBFBD><EFBFBD>ãÈÍíVÌè¿<C3A8>ÓZ/Dì<†î|S“zË=°:×1vu}¢ï„JòÝ·ŸŠ"à^Bb&U‰ìP«<50>
’CJ?
--- a/test/docker/Dockerfile
+++ b/test/docker/Dockerfile
@ -0,0 +1,32 @@
+FROM ubuntu:16.04
+
+COPY openssh-4.0p1/sshd /openssh/sshd-4.0p1
+COPY openssh-5.6p1/sshd /openssh/sshd-5.6p1
+COPY openssh-8.0p1/sshd /openssh/sshd-8.0p1
+COPY dropbear-2019.78/dropbear /dropbear/dropbear-2019.78
+COPY tinyssh-20190101/build/bin/tinysshd /tinysshd/tinyssh-20190101
+
+# Dropbear host keys.
+COPY dropbear_*_host_key* /etc/dropbear/
+
+# OpenSSH configs.
+COPY sshd_config* /etc/ssh/
+
+# OpenSSH host keys & moduli file.
+COPY ssh_host_* /etc/ssh/
+COPY ssh1_host_* /etc/ssh/
+COPY moduli_1024 /usr/local/etc/moduli
+
+# TinySSH host keys.
+COPY ed25519.pk /etc/tinyssh/
+COPY .ed25519.sk /etc/tinyssh/
+
+COPY debug.sh /debug.sh
+
+RUN apt update 2> /dev/null
+RUN apt install -y libssl-dev strace rsyslog ucspi-tcp 2> /dev/null
+RUN apt clean 2> /dev/null
+RUN useradd -s /bin/false sshd
+RUN mkdir /var/empty
+
+EXPOSE 22
--- a/test/docker/debug.sh
+++ b/test/docker/debug.sh
@ -0,0 +1,9 @@
+#!/bin/bash
+
+# This script is run on in docker container.  It will enable logging for sshd in
+# /var/log/auth.log.
+
+/etc/init.d/rsyslog start
+sleep 1
+/openssh/sshd-5.6p1 -o LogLevel=DEBUG3 -f /etc/ssh/sshd_config-5.6p1_test1
+/bin/bash
--- a/test/docker/dropbear_dss_host_key
+++ b/test/docker/dropbear_dss_host_key
--- a/test/docker/dropbear_ecdsa_host_key
+++ b/test/docker/dropbear_ecdsa_host_key
--- a/test/docker/dropbear_rsa_host_key_1024
+++ b/test/docker/dropbear_rsa_host_key_1024
--- a/test/docker/dropbear_rsa_host_key_3072
+++ b/test/docker/dropbear_rsa_host_key_3072
--- a/test/docker/ed25519.pk
+++ b/test/docker/ed25519.pk
@ -0,0 +1 @@
+1vu}¢ï„JòÝ·ŸŠ"à^Bb&U‰ìP«<50>
’CJ?
--- a/test/docker/expected_results/dropbear_2019.78_test1.json
+++ b/test/docker/expected_results/dropbear_2019.78_test1.json
@ -0,0 +1,415 @@
+{
+    "additional_notes": [],
+    "banner": {
+        "comments": null,
+        "protocol": "2.0",
+        "raw": "SSH-2.0-dropbear_2019.78",
+        "software": "dropbear_2019.78"
+    },
+    "compression": [
+        "zlib@openssh.com",
+        "none"
+    ],
+    "cves": [],
+    "enc": [
+        {
+            "algorithm": "aes128-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7, Dropbear SSH 0.52"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes256-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7, Dropbear SSH 0.52"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes128-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes256-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "3des-ctr",
+            "notes": {
+                "fail": [
+                    "using broken & deprecated 3DES cipher"
+                ],
+                "info": [
+                    "available since Dropbear SSH 0.52"
+                ]
+            }
+        },
+        {
+            "algorithm": "3des-cbc",
+            "notes": {
+                "fail": [
+                    "using broken & deprecated 3DES cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        }
+    ],
+    "fingerprints": [
+        {
+            "hash": "jdUfqoGCDOY1drQcoqIJm/pEix2r09hqwOs9E9GimZQ",
+            "hash_alg": "SHA256",
+            "hostkey": "ecdsa-sha2-nistp256"
+        },
+        {
+            "hash": "98:27:f3:12:20:f6:23:6d:1a:00:2a:6c:71:7c:1e:6b",
+            "hash_alg": "MD5",
+            "hostkey": "ecdsa-sha2-nistp256"
+        },
+        {
+            "hash": "NBzry0uMAX8BRsn4mv9CHpeivMOdwzGFEKrf6Hg7tIQ",
+            "hash_alg": "SHA256",
+            "hostkey": "ssh-dss"
+        },
+        {
+            "hash": "16:60:9e:54:d7:1e:b3:0d:97:60:12:ad:fe:83:a2:40",
+            "hash_alg": "MD5",
+            "hostkey": "ssh-dss"
+        },
+        {
+            "hash": "CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM",
+            "hash_alg": "SHA256",
+            "hostkey": "ssh-rsa"
+        },
+        {
+            "hash": "63:7f:54:f7:0a:28:7f:75:0b:f4:07:0b:fc:66:51:a2",
+            "hash_alg": "MD5",
+            "hostkey": "ssh-rsa"
+        }
+    ],
+    "kex": [
+        {
+            "algorithm": "curve25519-sha256",
+            "notes": {
+                "info": [
+                    "default key exchange from OpenSSH 7.4 to 8.9",
+                    "available since OpenSSH 7.4, Dropbear SSH 2018.76"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "curve25519-sha256@libssh.org",
+            "notes": {
+                "info": [
+                    "default key exchange from OpenSSH 6.5 to 7.3",
+                    "available since OpenSSH 6.4, Dropbear SSH 2013.62"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "ecdh-sha2-nistp521",
+            "notes": {
+                "fail": [
+                    "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+                ],
+                "info": [
+                    "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "ecdh-sha2-nistp384",
+            "notes": {
+                "fail": [
+                    "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+                ],
+                "info": [
+                    "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "ecdh-sha2-nistp256",
+            "notes": {
+                "fail": [
+                    "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+                ],
+                "info": [
+                    "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group14-sha256",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 7.3, Dropbear SSH 2016.73"
+                ],
+                "warn": [
+                    "2048-bit modulus only provides 112-bits of symmetric strength",
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group14-sha1",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 3.9, Dropbear SSH 0.53"
+                ],
+                "warn": [
+                    "2048-bit modulus only provides 112-bits of symmetric strength",
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "kexguess2@matt.ucc.asn.au",
+            "notes": {
+                "info": [
+                    "available since Dropbear SSH 2013.57"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        }
+    ],
+    "key": [
+        {
+            "algorithm": "ecdsa-sha2-nistp256",
+            "notes": {
+                "fail": [
+                    "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+                ],
+                "info": [
+                    "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+                ],
+                "warn": [
+                    "using weak random number generator could reveal the key"
+                ]
+            }
+        },
+        {
+            "algorithm": "ssh-rsa",
+            "keysize": 1024,
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm",
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+                    "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+                ]
+            }
+        },
+        {
+            "algorithm": "ssh-dss",
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+                    "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak random number generator could reveal the key"
+                ]
+            }
+        }
+    ],
+    "mac": [
+        {
+            "algorithm": "hmac-sha1-96",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-sha1",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-sha2-256",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 5.9, Dropbear SSH 2013.56"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        }
+    ],
+    "recommendations": {
+        "critical": {
+            "del": {
+                "enc": [
+                    {
+                        "name": "3des-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "3des-ctr",
+                        "notes": ""
+                    }
+                ],
+                "kex": [
+                    {
+                        "name": "diffie-hellman-group14-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "ecdh-sha2-nistp256",
+                        "notes": ""
+                    },
+                    {
+                        "name": "ecdh-sha2-nistp384",
+                        "notes": ""
+                    },
+                    {
+                        "name": "ecdh-sha2-nistp521",
+                        "notes": ""
+                    }
+                ],
+                "key": [
+                    {
+                        "name": "ecdsa-sha2-nistp256",
+                        "notes": ""
+                    },
+                    {
+                        "name": "ssh-dss",
+                        "notes": ""
+                    },
+                    {
+                        "name": "ssh-rsa",
+                        "notes": ""
+                    }
+                ],
+                "mac": [
+                    {
+                        "name": "hmac-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-sha1-96",
+                        "notes": ""
+                    }
+                ]
+            }
+        },
+        "informational": {
+            "add": {
+                "enc": [
+                    {
+                        "name": "twofish128-ctr",
+                        "notes": ""
+                    },
+                    {
+                        "name": "twofish256-ctr",
+                        "notes": ""
+                    }
+                ]
+            }
+        },
+        "warning": {
+            "del": {
+                "enc": [
+                    {
+                        "name": "aes128-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "aes256-cbc",
+                        "notes": ""
+                    }
+                ],
+                "kex": [
+                    {
+                        "name": "curve25519-sha256",
+                        "notes": ""
+                    },
+                    {
+                        "name": "curve25519-sha256@libssh.org",
+                        "notes": ""
+                    },
+                    {
+                        "name": "diffie-hellman-group14-sha256",
+                        "notes": ""
+                    },
+                    {
+                        "name": "kexguess2@matt.ucc.asn.au",
+                        "notes": ""
+                    }
+                ],
+                "mac": [
+                    {
+                        "name": "hmac-sha2-256",
+                        "notes": ""
+                    }
+                ]
+            }
+        }
+    },
+    "target": "localhost:2222"
+}
--- a/test/docker/expected_results/dropbear_2019.78_test1.txt
+++ b/test/docker/expected_results/dropbear_2019.78_test1.txt
@ -0,0 +1,97 @@
+[0;36m# general[0m
+[0;32m(gen) banner: SSH-2.0-dropbear_2019.78[0m
+[0;32m(gen) software: Dropbear SSH 2019.78[0m
+[0;32m(gen) compatibility: OpenSSH 7.4+ (some functionality from 6.6), Dropbear SSH 2018.76+[0m
+[0;32m(gen) compression: enabled (zlib@openssh.com)[0m
+
+[0;36m# key exchange algorithms[0m
+[0;33m(kex) curve25519-sha256              -- [warn] does not provide protection against post-quantum attacks[0m
+                                     `- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+                                     `- [info] default key exchange from OpenSSH 7.4 to 8.9
+[0;33m(kex) curve25519-sha256@libssh.org   -- [warn] does not provide protection against post-quantum attacks[0m
+                                     `- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
+                                     `- [info] default key exchange from OpenSSH 6.5 to 7.3
+[0;31m(kex) ecdh-sha2-nistp521             -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
+[0;33m                                     `- [warn] does not provide protection against post-quantum attacks[0m
+                                     `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+[0;31m(kex) ecdh-sha2-nistp384             -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
+[0;33m                                     `- [warn] does not provide protection against post-quantum attacks[0m
+                                     `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+[0;31m(kex) ecdh-sha2-nistp256             -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
+[0;33m                                     `- [warn] does not provide protection against post-quantum attacks[0m
+                                     `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+[0;33m(kex) diffie-hellman-group14-sha256  -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
+[0;33m                                     `- [warn] does not provide protection against post-quantum attacks[0m
+                                     `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+[0;31m(kex) diffie-hellman-group14-sha1    -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                     `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
+[0;33m                                     `- [warn] does not provide protection against post-quantum attacks[0m
+                                     `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+[0;33m(kex) kexguess2@matt.ucc.asn.au      -- [warn] does not provide protection against post-quantum attacks[0m
+                                     `- [info] available since Dropbear SSH 2013.57
+
+[0;36m# host-key algorithms[0m
+[0;31m(key) ecdsa-sha2-nistp256            -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m
+[0;33m                                     `- [warn] using weak random number generator could reveal the key[0m
+                                     `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+[0;31m(key) ssh-rsa (1024-bit)             -- [fail] using broken SHA-1 hash algorithm[0m
+[0;31m                                     `- [fail] using small 1024-bit modulus[0m
+                                     `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+                                     `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+[0;31m(key) ssh-dss                        -- [fail] using small 1024-bit modulus[0m
+[0;33m                                     `- [warn] using weak random number generator could reveal the key[0m
+                                     `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+                                     `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+[0;36m# encryption algorithms (ciphers)[0m
+[0;32m(enc) aes128-ctr                     -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
+[0;32m(enc) aes256-ctr                     -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
+[0;33m(enc) aes128-cbc                     -- [warn] using weak cipher mode[0m
+                                     `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+[0;33m(enc) aes256-cbc                     -- [warn] using weak cipher mode[0m
+                                     `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+[0;31m(enc) 3des-ctr                       -- [fail] using broken & deprecated 3DES cipher[0m
+                                     `- [info] available since Dropbear SSH 0.52
+[0;31m(enc) 3des-cbc                       -- [fail] using broken & deprecated 3DES cipher[0m
+[0;33m                                     `- [warn] using weak cipher mode[0m
+[0;33m                                     `- [warn] using small 64-bit block size[0m
+                                     `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+
+[0;36m# message authentication code algorithms[0m
+[0;31m(mac) hmac-sha1-96                   -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                     `- [warn] using encrypt-and-MAC mode[0m
+                                     `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+[0;31m(mac) hmac-sha1                      -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                     `- [warn] using encrypt-and-MAC mode[0m
+                                     `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+[0;33m(mac) hmac-sha2-256                  -- [warn] using encrypt-and-MAC mode[0m
+                                     `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+
+[0;36m# fingerprints[0m
+[0;32m(fin) ssh-rsa: SHA256:CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM[0m
+
+[0;36m# algorithm recommendations (for Dropbear SSH 2019.78)[0m
+[0;31m(rec) -3des-cbc                      -- enc algorithm to remove [0m
+[0;31m(rec) -3des-ctr                      -- enc algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group14-sha1   -- kex algorithm to remove [0m
+[0;31m(rec) -ecdh-sha2-nistp256            -- kex algorithm to remove [0m
+[0;31m(rec) -ecdh-sha2-nistp384            -- kex algorithm to remove [0m
+[0;31m(rec) -ecdh-sha2-nistp521            -- kex algorithm to remove [0m
+[0;31m(rec) -ecdsa-sha2-nistp256           -- key algorithm to remove [0m
+[0;31m(rec) -hmac-sha1                     -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-sha1-96                  -- mac algorithm to remove [0m
+[0;31m(rec) -ssh-dss                       -- key algorithm to remove [0m
+[0;31m(rec) -ssh-rsa                       -- key algorithm to remove [0m
+[0;32m(rec) +twofish128-ctr                -- enc algorithm to append [0m
+[0;32m(rec) +twofish256-ctr                -- enc algorithm to append [0m
+[0;33m(rec) -aes128-cbc                    -- enc algorithm to remove [0m
+[0;33m(rec) -aes256-cbc                    -- enc algorithm to remove [0m
+[0;33m(rec) -curve25519-sha256             -- kex algorithm to remove [0m
+[0;33m(rec) -curve25519-sha256@libssh.org  -- kex algorithm to remove [0m
+[0;33m(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove [0m
+[0;33m(rec) -hmac-sha2-256                 -- mac algorithm to remove [0m
+[0;33m(rec) -kexguess2@matt.ucc.asn.au     -- kex algorithm to remove [0m
+
+[0;36m# additional info[0m
+[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m
+
--- a/test/docker/expected_results/openssh_4.0p1_test1.json
+++ b/test/docker/expected_results/openssh_4.0p1_test1.json
@ -0,0 +1,429 @@
+{
+    "additional_notes": [],
+    "banner": {
+        "comments": null,
+        "protocol": "1.99",
+        "raw": "SSH-1.99-OpenSSH_4.0",
+        "software": "OpenSSH_4.0"
+    },
+    "compression": [
+        "none",
+        "zlib"
+    ],
+    "cves": [],
+    "enc": [
+        {
+            "algorithm": "aes128-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "3des-cbc",
+            "notes": {
+                "fail": [
+                    "using broken & deprecated 3DES cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        },
+        {
+            "algorithm": "blowfish-cbc",
+            "notes": {
+                "fail": [
+                    "using weak & deprecated Blowfish cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        },
+        {
+            "algorithm": "cast128-cbc",
+            "notes": {
+                "fail": [
+                    "using weak & deprecated CAST cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        },
+        {
+            "algorithm": "arcfour",
+            "notes": {
+                "fail": [
+                    "using broken RC4 cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes192-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes256-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "rijndael-cbc@lysator.liu.se",
+            "notes": {
+                "fail": [
+                    "using deprecated & non-standardized Rijndael cipher"
+                ],
+                "info": [
+                    "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+                    "available since OpenSSH 2.3.0"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes128-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7, Dropbear SSH 0.52"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes192-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes256-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7, Dropbear SSH 0.52"
+                ]
+            }
+        }
+    ],
+    "fingerprints": [
+        {
+            "hash": "sqDDYhzYz7YIQeFDc0WF8SeXtrEz+iwsV7d/FdIgztM",
+            "hash_alg": "SHA256",
+            "hostkey": "ssh-dss"
+        },
+        {
+            "hash": "5c:de:62:f0:60:c8:93:13:87:71:78:95:56:3f:61:51",
+            "hash_alg": "MD5",
+            "hostkey": "ssh-dss"
+        },
+        {
+            "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4",
+            "hash_alg": "SHA256",
+            "hostkey": "ssh-rsa"
+        },
+        {
+            "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a",
+            "hash_alg": "MD5",
+            "hostkey": "ssh-rsa"
+        }
+    ],
+    "kex": [
+        {
+            "algorithm": "diffie-hellman-group-exchange-sha1",
+            "keysize": 1024,
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "available since OpenSSH 2.3.0"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group14-sha1",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 3.9, Dropbear SSH 0.53"
+                ],
+                "warn": [
+                    "2048-bit modulus only provides 112-bits of symmetric strength",
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group1-sha1",
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus",
+                    "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        }
+    ],
+    "key": [
+        {
+            "algorithm": "ssh-rsa",
+            "keysize": 1024,
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm",
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+                    "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+                ]
+            }
+        },
+        {
+            "algorithm": "ssh-dss",
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+                    "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak random number generator could reveal the key"
+                ]
+            }
+        }
+    ],
+    "mac": [
+        {
+            "algorithm": "hmac-md5",
+            "notes": {
+                "fail": [
+                    "using broken MD5 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-sha1",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-ripemd160",
+            "notes": {
+                "fail": [
+                    "using deprecated RIPEMD hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-ripemd160@openssh.com",
+            "notes": {
+                "fail": [
+                    "using deprecated RIPEMD hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-sha1-96",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-md5-96",
+            "notes": {
+                "fail": [
+                    "using broken MD5 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        }
+    ],
+    "recommendations": {
+        "critical": {
+            "del": {
+                "enc": [
+                    {
+                        "name": "3des-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "arcfour",
+                        "notes": ""
+                    },
+                    {
+                        "name": "blowfish-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "cast128-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "rijndael-cbc@lysator.liu.se",
+                        "notes": ""
+                    }
+                ],
+                "kex": [
+                    {
+                        "name": "diffie-hellman-group14-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "diffie-hellman-group1-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "diffie-hellman-group-exchange-sha1",
+                        "notes": ""
+                    }
+                ],
+                "key": [
+                    {
+                        "name": "ssh-dss",
+                        "notes": ""
+                    },
+                    {
+                        "name": "ssh-rsa",
+                        "notes": ""
+                    }
+                ],
+                "mac": [
+                    {
+                        "name": "hmac-md5",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-md5-96",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-ripemd160",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-ripemd160@openssh.com",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-sha1-96",
+                        "notes": ""
+                    }
+                ]
+            }
+        },
+        "warning": {
+            "del": {
+                "enc": [
+                    {
+                        "name": "aes128-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "aes192-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "aes256-cbc",
+                        "notes": ""
+                    }
+                ]
+            }
+        }
+    },
+    "target": "localhost:2222"
+}
--- a/test/docker/expected_results/openssh_4.0p1_test1.txt
+++ b/test/docker/expected_results/openssh_4.0p1_test1.txt
@ -0,0 +1,111 @@
+[0;36m# general[0m
+[0;31m(gen) banner: SSH-1.99-OpenSSH_4.0[0m
+[0;31m(gen) protocol SSH1 enabled[0m
+[0;32m(gen) software: OpenSSH 4.0[0m
+[0;32m(gen) compatibility: OpenSSH 3.9-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)[0m
+[0;32m(gen) compression: enabled (zlib)[0m
+
+[0;36m# security[0m
+[0;31m(sec) SSH v1 enabled                      -- SSH v1 can be exploited to recover plaintext passwords[0m
+
+[0;36m# key exchange algorithms[0m
+[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m
+[0;33m                                                    `- [warn] does not provide protection against post-quantum attacks[0m
+                                                    `- [info] available since OpenSSH 2.3.0
+[0;31m(kex) diffie-hellman-group14-sha1         -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                          `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
+[0;33m                                          `- [warn] does not provide protection against post-quantum attacks[0m
+                                          `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+[0;31m(kex) diffie-hellman-group1-sha1          -- [fail] using small 1024-bit modulus[0m
+[0;31m                                          `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m
+[0;31m                                          `- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                          `- [warn] does not provide protection against post-quantum attacks[0m
+                                          `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+                                          `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
+
+[0;36m# host-key algorithms[0m
+[0;31m(key) ssh-rsa (1024-bit)                  -- [fail] using broken SHA-1 hash algorithm[0m
+[0;31m                                          `- [fail] using small 1024-bit modulus[0m
+                                          `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+                                          `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+[0;31m(key) ssh-dss                             -- [fail] using small 1024-bit modulus[0m
+[0;33m                                          `- [warn] using weak random number generator could reveal the key[0m
+                                          `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+                                          `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+[0;36m# encryption algorithms (ciphers)[0m
+[0;33m(enc) aes128-cbc                          -- [warn] using weak cipher mode[0m
+                                          `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+[0;31m(enc) 3des-cbc                            -- [fail] using broken & deprecated 3DES cipher[0m
+[0;33m                                          `- [warn] using weak cipher mode[0m
+[0;33m                                          `- [warn] using small 64-bit block size[0m
+                                          `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+[0;31m(enc) blowfish-cbc                        -- [fail] using weak & deprecated Blowfish cipher[0m
+[0;33m                                          `- [warn] using weak cipher mode[0m
+[0;33m                                          `- [warn] using small 64-bit block size[0m
+                                          `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+[0;31m(enc) cast128-cbc                         -- [fail] using weak & deprecated CAST cipher[0m
+[0;33m                                          `- [warn] using weak cipher mode[0m
+[0;33m                                          `- [warn] using small 64-bit block size[0m
+                                          `- [info] available since OpenSSH 2.1.0
+[0;31m(enc) arcfour                             -- [fail] using broken RC4 cipher[0m
+                                          `- [info] available since OpenSSH 2.1.0
+[0;33m(enc) aes192-cbc                          -- [warn] using weak cipher mode[0m
+                                          `- [info] available since OpenSSH 2.3.0
+[0;33m(enc) aes256-cbc                          -- [warn] using weak cipher mode[0m
+                                          `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+[0;31m(enc) rijndael-cbc@lysator.liu.se         -- [fail] using deprecated & non-standardized Rijndael cipher[0m
+[0;33m                                          `- [warn] using weak cipher mode[0m
+                                          `- [info] available since OpenSSH 2.3.0
+                                          `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+[0;32m(enc) aes128-ctr                          -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
+[0;32m(enc) aes192-ctr                          -- [info] available since OpenSSH 3.7[0m
+[0;32m(enc) aes256-ctr                          -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
+
+[0;36m# message authentication code algorithms[0m
+[0;31m(mac) hmac-md5                            -- [fail] using broken MD5 hash algorithm[0m
+[0;33m                                          `- [warn] using encrypt-and-MAC mode[0m
+                                          `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+[0;31m(mac) hmac-sha1                           -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                          `- [warn] using encrypt-and-MAC mode[0m
+                                          `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+[0;31m(mac) hmac-ripemd160                      -- [fail] using deprecated RIPEMD hash algorithm[0m
+[0;33m                                          `- [warn] using encrypt-and-MAC mode[0m
+                                          `- [info] available since OpenSSH 2.5.0
+[0;31m(mac) hmac-ripemd160@openssh.com          -- [fail] using deprecated RIPEMD hash algorithm[0m
+[0;33m                                          `- [warn] using encrypt-and-MAC mode[0m
+                                          `- [info] available since OpenSSH 2.1.0
+[0;31m(mac) hmac-sha1-96                        -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                          `- [warn] using encrypt-and-MAC mode[0m
+                                          `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+[0;31m(mac) hmac-md5-96                         -- [fail] using broken MD5 hash algorithm[0m
+[0;33m                                          `- [warn] using encrypt-and-MAC mode[0m
+                                          `- [info] available since OpenSSH 2.5.0
+
+[0;36m# fingerprints[0m
+[0;32m(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4[0m
+
+[0;36m# algorithm recommendations (for OpenSSH 4.0)[0m
+[0;31m(rec) -3des-cbc                           -- enc algorithm to remove [0m
+[0;31m(rec) -arcfour                            -- enc algorithm to remove [0m
+[0;31m(rec) -blowfish-cbc                       -- enc algorithm to remove [0m
+[0;31m(rec) -cast128-cbc                        -- enc algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group1-sha1         -- kex algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group14-sha1        -- kex algorithm to remove [0m
+[0;31m(rec) -hmac-md5                           -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-md5-96                        -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-ripemd160                     -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-ripemd160@openssh.com         -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-sha1                          -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-sha1-96                       -- mac algorithm to remove [0m
+[0;31m(rec) -rijndael-cbc@lysator.liu.se        -- enc algorithm to remove [0m
+[0;31m(rec) -ssh-dss                            -- key algorithm to remove [0m
+[0;31m(rec) -ssh-rsa                            -- key algorithm to remove [0m
+[0;33m(rec) -aes128-cbc                         -- enc algorithm to remove [0m
+[0;33m(rec) -aes192-cbc                         -- enc algorithm to remove [0m
+[0;33m(rec) -aes256-cbc                         -- enc algorithm to remove [0m
+
+[0;36m# additional info[0m
+[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m
+
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json
@ -0,0 +1,8 @@
+{
+    "errors": [],
+    "host": "localhost",
+    "passed": true,
+    "policy": "Docker policy: test1 (version 1)",
+    "port": 2222,
+    "warnings": []
+}
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.txt
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.txt
@ -0,0 +1,3 @@
+Host:   localhost:2222
+Policy: Docker policy: test1 (version 1)
+Result: [0;32m✔ Passed[0m
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json
@ -0,0 +1,33 @@
+{
+    "errors": [
+        {
+            "actual": [
+                "3072"
+            ],
+            "expected_optional": [
+                ""
+            ],
+            "expected_required": [
+                "4096"
+            ],
+            "mismatched_field": "Host key (ssh-rsa-cert-v01@openssh.com) sizes"
+        },
+        {
+            "actual": [
+                "1024"
+            ],
+            "expected_optional": [
+                ""
+            ],
+            "expected_required": [
+                "4096"
+            ],
+            "mismatched_field": "CA signature size (ssh-rsa)"
+        }
+    ],
+    "host": "localhost",
+    "passed": false,
+    "policy": "Docker poliicy: test10 (version 1)",
+    "port": 2222,
+    "warnings": []
+}
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt
@ -0,0 +1,28 @@
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host:   localhost:2222
+Policy: Docker poliicy: test10 (version 1)
+Result: [0;31m❌ Failed![0m
+[0;33m
+Errors:
+  * CA signature size (ssh-rsa) did not match.
+    - Expected: 4096
+    - Actual:   1024
+
+  * Host key (ssh-rsa-cert-v01@openssh.com) sizes did not match.
+    - Expected: 4096
+    - Actual:   3072
+[0m
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json
@ -0,0 +1,25 @@
+{
+    "errors": [
+        {
+            "actual": [
+                "diffie-hellman-group-exchange-sha256",
+                "diffie-hellman-group-exchange-sha1",
+                "diffie-hellman-group14-sha1",
+                "diffie-hellman-group1-sha1"
+            ],
+            "expected_optional": [
+                ""
+            ],
+            "expected_required": [
+                "kex_alg1",
+                "kex_alg2"
+            ],
+            "mismatched_field": "Key exchanges"
+        }
+    ],
+    "host": "localhost",
+    "passed": false,
+    "policy": "Docker policy: test2 (version 1)",
+    "port": 2222,
+    "warnings": []
+}
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt
@ -0,0 +1,9 @@
+Host:   localhost:2222
+Policy: Docker policy: test2 (version 1)
+Result: [0;31m❌ Failed![0m
+[0;33m
+Errors:
+  * Key exchanges did not match.
+    - Expected: kex_alg1, kex_alg2
+    - Actual:   diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+[0m
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json
@ -0,0 +1,24 @@
+{
+    "errors": [
+        {
+            "actual": [
+                "ssh-rsa",
+                "ssh-dss"
+            ],
+            "expected_optional": [
+                ""
+            ],
+            "expected_required": [
+                "ssh-rsa",
+                "ssh-dss",
+                "key_alg1"
+            ],
+            "mismatched_field": "Host keys"
+        }
+    ],
+    "host": "localhost",
+    "passed": false,
+    "policy": "Docker policy: test3 (version 1)",
+    "port": 2222,
+    "warnings": []
+}
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt
@ -0,0 +1,9 @@
+Host:   localhost:2222
+Policy: Docker policy: test3 (version 1)
+Result: [0;31m❌ Failed![0m
+[0;33m
+Errors:
+  * Host keys did not match.
+    - Expected: ssh-rsa, ssh-dss, key_alg1
+    - Actual:   ssh-rsa, ssh-dss
+[0m
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json
@ -0,0 +1,34 @@
+{
+    "errors": [
+        {
+            "actual": [
+                "aes128-ctr",
+                "aes192-ctr",
+                "aes256-ctr",
+                "arcfour256",
+                "arcfour128",
+                "aes128-cbc",
+                "3des-cbc",
+                "blowfish-cbc",
+                "cast128-cbc",
+                "aes192-cbc",
+                "aes256-cbc",
+                "arcfour",
+                "rijndael-cbc@lysator.liu.se"
+            ],
+            "expected_optional": [
+                ""
+            ],
+            "expected_required": [
+                "cipher_alg1",
+                "cipher_alg2"
+            ],
+            "mismatched_field": "Ciphers"
+        }
+    ],
+    "host": "localhost",
+    "passed": false,
+    "policy": "Docker policy: test4 (version 1)",
+    "port": 2222,
+    "warnings": []
+}
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt
@ -0,0 +1,9 @@
+Host:   localhost:2222
+Policy: Docker policy: test4 (version 1)
+Result: [0;31m❌ Failed![0m
+[0;33m
+Errors:
+  * Ciphers did not match.
+    - Expected: cipher_alg1, cipher_alg2
+    - Actual:   aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+[0m
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json
@ -0,0 +1,33 @@
+{
+    "errors": [
+        {
+            "actual": [
+                "hmac-md5",
+                "hmac-sha1",
+                "umac-64@openssh.com",
+                "hmac-ripemd160",
+                "hmac-ripemd160@openssh.com",
+                "hmac-sha1-96",
+                "hmac-md5-96"
+            ],
+            "expected_optional": [
+                ""
+            ],
+            "expected_required": [
+                "hmac-md5",
+                "hmac-sha1",
+                "umac-64@openssh.com",
+                "hmac-ripemd160",
+                "hmac-ripemd160@openssh.com",
+                "hmac_alg1",
+                "hmac-md5-96"
+            ],
+            "mismatched_field": "MACs"
+        }
+    ],
+    "host": "localhost",
+    "passed": false,
+    "policy": "Docker policy: test5 (version 1)",
+    "port": 2222,
+    "warnings": []
+}
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt
@ -0,0 +1,9 @@
+Host:   localhost:2222
+Policy: Docker policy: test5 (version 1)
+Result: [0;31m❌ Failed![0m
+[0;33m
+Errors:
+  * MACs did not match.
+    - Expected: hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac_alg1, hmac-md5-96
+    - Actual:   hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
+[0m
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json
@ -0,0 +1,8 @@
+{
+    "errors": [],
+    "host": "localhost",
+    "passed": true,
+    "policy": "Docker poliicy: test7 (version 1)",
+    "port": 2222,
+    "warnings": []
+}
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.txt
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.txt
@ -0,0 +1,18 @@
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host:   localhost:2222
+Policy: Docker poliicy: test7 (version 1)
+Result: [0;32m✔ Passed[0m
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json
@ -0,0 +1,21 @@
+{
+    "errors": [
+        {
+            "actual": [
+                "1024"
+            ],
+            "expected_optional": [
+                ""
+            ],
+            "expected_required": [
+                "2048"
+            ],
+            "mismatched_field": "CA signature size (ssh-rsa)"
+        }
+    ],
+    "host": "localhost",
+    "passed": false,
+    "policy": "Docker poliicy: test8 (version 1)",
+    "port": 2222,
+    "warnings": []
+}
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt
@ -0,0 +1,24 @@
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host:   localhost:2222
+Policy: Docker poliicy: test8 (version 1)
+Result: [0;31m❌ Failed![0m
+[0;33m
+Errors:
+  * CA signature size (ssh-rsa) did not match.
+    - Expected: 2048
+    - Actual:   1024
+[0m
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json
@ -0,0 +1,21 @@
+{
+    "errors": [
+        {
+            "actual": [
+                "3072"
+            ],
+            "expected_optional": [
+                ""
+            ],
+            "expected_required": [
+                "4096"
+            ],
+            "mismatched_field": "Host key (ssh-rsa-cert-v01@openssh.com) sizes"
+        }
+    ],
+    "host": "localhost",
+    "passed": false,
+    "policy": "Docker poliicy: test9 (version 1)",
+    "port": 2222,
+    "warnings": []
+}
--- a/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt
@ -0,0 +1,24 @@
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host:   localhost:2222
+Policy: Docker poliicy: test9 (version 1)
+Result: [0;31m❌ Failed![0m
+[0;33m
+Errors:
+  * Host key (ssh-rsa-cert-v01@openssh.com) sizes did not match.
+    - Expected: 4096
+    - Actual:   3072
+[0m
--- a/test/docker/expected_results/openssh_5.6p1_test1.json
+++ b/test/docker/expected_results/openssh_5.6p1_test1.json
@ -0,0 +1,500 @@
+{
+    "additional_notes": [],
+    "banner": {
+        "comments": null,
+        "protocol": "2.0",
+        "raw": "SSH-2.0-OpenSSH_5.6",
+        "software": "OpenSSH_5.6"
+    },
+    "compression": [
+        "none",
+        "zlib@openssh.com"
+    ],
+    "cves": [],
+    "enc": [
+        {
+            "algorithm": "aes128-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7, Dropbear SSH 0.52"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes192-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes256-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7, Dropbear SSH 0.52"
+                ]
+            }
+        },
+        {
+            "algorithm": "arcfour256",
+            "notes": {
+                "fail": [
+                    "using broken RC4 cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 4.2"
+                ]
+            }
+        },
+        {
+            "algorithm": "arcfour128",
+            "notes": {
+                "fail": [
+                    "using broken RC4 cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 4.2"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes128-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "3des-cbc",
+            "notes": {
+                "fail": [
+                    "using broken & deprecated 3DES cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        },
+        {
+            "algorithm": "blowfish-cbc",
+            "notes": {
+                "fail": [
+                    "using weak & deprecated Blowfish cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        },
+        {
+            "algorithm": "cast128-cbc",
+            "notes": {
+                "fail": [
+                    "using weak & deprecated CAST cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes192-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes256-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "arcfour",
+            "notes": {
+                "fail": [
+                    "using broken RC4 cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0"
+                ]
+            }
+        },
+        {
+            "algorithm": "rijndael-cbc@lysator.liu.se",
+            "notes": {
+                "fail": [
+                    "using deprecated & non-standardized Rijndael cipher"
+                ],
+                "info": [
+                    "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+                    "available since OpenSSH 2.3.0"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        }
+    ],
+    "fingerprints": [
+        {
+            "hash": "sqDDYhzYz7YIQeFDc0WF8SeXtrEz+iwsV7d/FdIgztM",
+            "hash_alg": "SHA256",
+            "hostkey": "ssh-dss"
+        },
+        {
+            "hash": "5c:de:62:f0:60:c8:93:13:87:71:78:95:56:3f:61:51",
+            "hash_alg": "MD5",
+            "hostkey": "ssh-dss"
+        },
+        {
+            "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4",
+            "hash_alg": "SHA256",
+            "hostkey": "ssh-rsa"
+        },
+        {
+            "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a",
+            "hash_alg": "MD5",
+            "hostkey": "ssh-rsa"
+        }
+    ],
+    "kex": [
+        {
+            "algorithm": "diffie-hellman-group-exchange-sha256",
+            "keysize": 1024,
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "available since OpenSSH 4.4"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group-exchange-sha1",
+            "keysize": 1024,
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "available since OpenSSH 2.3.0"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group14-sha1",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 3.9, Dropbear SSH 0.53"
+                ],
+                "warn": [
+                    "2048-bit modulus only provides 112-bits of symmetric strength",
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group1-sha1",
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus",
+                    "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        }
+    ],
+    "key": [
+        {
+            "algorithm": "ssh-rsa",
+            "keysize": 1024,
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm",
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+                    "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+                ]
+            }
+        },
+        {
+            "algorithm": "ssh-dss",
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+                    "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak random number generator could reveal the key"
+                ]
+            }
+        }
+    ],
+    "mac": [
+        {
+            "algorithm": "hmac-md5",
+            "notes": {
+                "fail": [
+                    "using broken MD5 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-sha1",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "umac-64@openssh.com",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 4.7"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode",
+                    "using small 64-bit tag size"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-ripemd160",
+            "notes": {
+                "fail": [
+                    "using deprecated RIPEMD hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-ripemd160@openssh.com",
+            "notes": {
+                "fail": [
+                    "using deprecated RIPEMD hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-sha1-96",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-md5-96",
+            "notes": {
+                "fail": [
+                    "using broken MD5 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        }
+    ],
+    "recommendations": {
+        "critical": {
+            "chg": {
+                "kex": [
+                    {
+                        "name": "diffie-hellman-group-exchange-sha256",
+                        "notes": "increase modulus size to 3072 bits or larger"
+                    }
+                ]
+            },
+            "del": {
+                "enc": [
+                    {
+                        "name": "3des-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "arcfour128",
+                        "notes": ""
+                    },
+                    {
+                        "name": "arcfour",
+                        "notes": ""
+                    },
+                    {
+                        "name": "arcfour256",
+                        "notes": ""
+                    },
+                    {
+                        "name": "blowfish-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "cast128-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "rijndael-cbc@lysator.liu.se",
+                        "notes": ""
+                    }
+                ],
+                "kex": [
+                    {
+                        "name": "diffie-hellman-group14-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "diffie-hellman-group1-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "diffie-hellman-group-exchange-sha1",
+                        "notes": ""
+                    }
+                ],
+                "key": [
+                    {
+                        "name": "ssh-dss",
+                        "notes": ""
+                    },
+                    {
+                        "name": "ssh-rsa",
+                        "notes": ""
+                    }
+                ],
+                "mac": [
+                    {
+                        "name": "hmac-md5",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-md5-96",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-ripemd160",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-ripemd160@openssh.com",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-sha1-96",
+                        "notes": ""
+                    }
+                ]
+            }
+        },
+        "warning": {
+            "del": {
+                "enc": [
+                    {
+                        "name": "aes128-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "aes192-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "aes256-cbc",
+                        "notes": ""
+                    }
+                ],
+                "mac": [
+                    {
+                        "name": "umac-64@openssh.com",
+                        "notes": ""
+                    }
+                ]
+            }
+        }
+    },
+    "target": "localhost:2222"
+}
--- a/test/docker/expected_results/openssh_5.6p1_test1.txt
+++ b/test/docker/expected_results/openssh_5.6p1_test1.txt
@ -0,0 +1,121 @@
+[0;36m# general[0m
+[0;32m(gen) banner: SSH-2.0-OpenSSH_5.6[0m
+[0;32m(gen) software: OpenSSH 5.6[0m
+[0;32m(gen) compatibility: OpenSSH 4.7-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)[0m
+[0;32m(gen) compression: enabled (zlib@openssh.com)[0m
+
+[0;36m# key exchange algorithms[0m
+[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m
+[0;33m                                                      `- [warn] does not provide protection against post-quantum attacks[0m
+                                                      `- [info] available since OpenSSH 4.4
+[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m
+[0;33m                                                    `- [warn] does not provide protection against post-quantum attacks[0m
+                                                    `- [info] available since OpenSSH 2.3.0
+[0;31m(kex) diffie-hellman-group14-sha1           -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
+[0;33m                                            `- [warn] does not provide protection against post-quantum attacks[0m
+                                            `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+[0;31m(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus[0m
+[0;31m                                            `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m
+[0;31m                                            `- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] does not provide protection against post-quantum attacks[0m
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+                                            `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
+
+[0;36m# host-key algorithms[0m
+[0;31m(key) ssh-rsa (1024-bit)                    -- [fail] using broken SHA-1 hash algorithm[0m
+[0;31m                                            `- [fail] using small 1024-bit modulus[0m
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+                                            `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+[0;31m(key) ssh-dss                               -- [fail] using small 1024-bit modulus[0m
+[0;33m                                            `- [warn] using weak random number generator could reveal the key[0m
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+                                            `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+[0;36m# encryption algorithms (ciphers)[0m
+[0;32m(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
+[0;32m(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7[0m
+[0;32m(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
+[0;31m(enc) arcfour256                            -- [fail] using broken RC4 cipher[0m
+                                            `- [info] available since OpenSSH 4.2
+[0;31m(enc) arcfour128                            -- [fail] using broken RC4 cipher[0m
+                                            `- [info] available since OpenSSH 4.2
+[0;33m(enc) aes128-cbc                            -- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+[0;31m(enc) 3des-cbc                              -- [fail] using broken & deprecated 3DES cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+[0;33m                                            `- [warn] using small 64-bit block size[0m
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+[0;31m(enc) blowfish-cbc                          -- [fail] using weak & deprecated Blowfish cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+[0;33m                                            `- [warn] using small 64-bit block size[0m
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+[0;31m(enc) cast128-cbc                           -- [fail] using weak & deprecated CAST cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+[0;33m                                            `- [warn] using small 64-bit block size[0m
+                                            `- [info] available since OpenSSH 2.1.0
+[0;33m(enc) aes192-cbc                            -- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0
+[0;33m(enc) aes256-cbc                            -- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+[0;31m(enc) arcfour                               -- [fail] using broken RC4 cipher[0m
+                                            `- [info] available since OpenSSH 2.1.0
+[0;31m(enc) rijndael-cbc@lysator.liu.se           -- [fail] using deprecated & non-standardized Rijndael cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0
+                                            `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+[0;36m# message authentication code algorithms[0m
+[0;31m(mac) hmac-md5                              -- [fail] using broken MD5 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+[0;31m(mac) hmac-sha1                             -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+[0;33m(mac) umac-64@openssh.com                   -- [warn] using encrypt-and-MAC mode[0m
+[0;33m                                            `- [warn] using small 64-bit tag size[0m
+                                            `- [info] available since OpenSSH 4.7
+[0;31m(mac) hmac-ripemd160                        -- [fail] using deprecated RIPEMD hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.5.0
+[0;31m(mac) hmac-ripemd160@openssh.com            -- [fail] using deprecated RIPEMD hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.1.0
+[0;31m(mac) hmac-sha1-96                          -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+[0;31m(mac) hmac-md5-96                           -- [fail] using broken MD5 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.5.0
+
+[0;36m# fingerprints[0m
+[0;32m(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4[0m
+
+[0;36m# algorithm recommendations (for OpenSSH 5.6)[0m
+[0;31m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) [0m
+[0;31m(rec) -3des-cbc                             -- enc algorithm to remove [0m
+[0;31m(rec) -arcfour                              -- enc algorithm to remove [0m
+[0;31m(rec) -arcfour128                           -- enc algorithm to remove [0m
+[0;31m(rec) -arcfour256                           -- enc algorithm to remove [0m
+[0;31m(rec) -blowfish-cbc                         -- enc algorithm to remove [0m
+[0;31m(rec) -cast128-cbc                          -- enc algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group-exchange-sha1   -- kex algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group1-sha1           -- kex algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove [0m
+[0;31m(rec) -hmac-md5                             -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-md5-96                          -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-ripemd160                       -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-ripemd160@openssh.com           -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-sha1                            -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-sha1-96                         -- mac algorithm to remove [0m
+[0;31m(rec) -rijndael-cbc@lysator.liu.se          -- enc algorithm to remove [0m
+[0;31m(rec) -ssh-dss                              -- key algorithm to remove [0m
+[0;31m(rec) -ssh-rsa                              -- key algorithm to remove [0m
+[0;33m(rec) -aes128-cbc                           -- enc algorithm to remove [0m
+[0;33m(rec) -aes192-cbc                           -- enc algorithm to remove [0m
+[0;33m(rec) -aes256-cbc                           -- enc algorithm to remove [0m
+[0;33m(rec) -umac-64@openssh.com                  -- mac algorithm to remove [0m
+
+[0;36m# additional info[0m
+[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m
+
--- a/test/docker/expected_results/openssh_5.6p1_test2.json
+++ b/test/docker/expected_results/openssh_5.6p1_test2.json
@ -0,0 +1,492 @@
+{
+    "additional_notes": [],
+    "banner": {
+        "comments": null,
+        "protocol": "2.0",
+        "raw": "SSH-2.0-OpenSSH_5.6",
+        "software": "OpenSSH_5.6"
+    },
+    "compression": [
+        "none",
+        "zlib@openssh.com"
+    ],
+    "cves": [],
+    "enc": [
+        {
+            "algorithm": "aes128-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7, Dropbear SSH 0.52"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes192-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes256-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7, Dropbear SSH 0.52"
+                ]
+            }
+        },
+        {
+            "algorithm": "arcfour256",
+            "notes": {
+                "fail": [
+                    "using broken RC4 cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 4.2"
+                ]
+            }
+        },
+        {
+            "algorithm": "arcfour128",
+            "notes": {
+                "fail": [
+                    "using broken RC4 cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 4.2"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes128-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "3des-cbc",
+            "notes": {
+                "fail": [
+                    "using broken & deprecated 3DES cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        },
+        {
+            "algorithm": "blowfish-cbc",
+            "notes": {
+                "fail": [
+                    "using weak & deprecated Blowfish cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        },
+        {
+            "algorithm": "cast128-cbc",
+            "notes": {
+                "fail": [
+                    "using weak & deprecated CAST cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes192-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes256-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "arcfour",
+            "notes": {
+                "fail": [
+                    "using broken RC4 cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0"
+                ]
+            }
+        },
+        {
+            "algorithm": "rijndael-cbc@lysator.liu.se",
+            "notes": {
+                "fail": [
+                    "using deprecated & non-standardized Rijndael cipher"
+                ],
+                "info": [
+                    "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+                    "available since OpenSSH 2.3.0"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        }
+    ],
+    "fingerprints": [
+        {
+            "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4",
+            "hash_alg": "SHA256",
+            "hostkey": "ssh-rsa"
+        },
+        {
+            "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a",
+            "hash_alg": "MD5",
+            "hostkey": "ssh-rsa"
+        }
+    ],
+    "kex": [
+        {
+            "algorithm": "diffie-hellman-group-exchange-sha256",
+            "keysize": 1024,
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "available since OpenSSH 4.4"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group-exchange-sha1",
+            "keysize": 1024,
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "available since OpenSSH 2.3.0"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group14-sha1",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 3.9, Dropbear SSH 0.53"
+                ],
+                "warn": [
+                    "2048-bit modulus only provides 112-bits of symmetric strength",
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group1-sha1",
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus",
+                    "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        }
+    ],
+    "key": [
+        {
+            "algorithm": "ssh-rsa",
+            "keysize": 1024,
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm",
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+                    "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+                ]
+            }
+        },
+        {
+            "algorithm": "ssh-rsa-cert-v01@openssh.com",
+            "ca_algorithm": "ssh-rsa",
+            "casize": 1024,
+            "keysize": 1024,
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm",
+                    "using small 1024-bit hostkey modulus",
+                    "using small 1024-bit CA key modulus"
+                ],
+                "info": [
+                    "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+                    "available since OpenSSH 5.6"
+                ]
+            }
+        }
+    ],
+    "mac": [
+        {
+            "algorithm": "hmac-md5",
+            "notes": {
+                "fail": [
+                    "using broken MD5 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-sha1",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "umac-64@openssh.com",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 4.7"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode",
+                    "using small 64-bit tag size"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-ripemd160",
+            "notes": {
+                "fail": [
+                    "using deprecated RIPEMD hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-ripemd160@openssh.com",
+            "notes": {
+                "fail": [
+                    "using deprecated RIPEMD hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-sha1-96",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-md5-96",
+            "notes": {
+                "fail": [
+                    "using broken MD5 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        }
+    ],
+    "recommendations": {
+        "critical": {
+            "chg": {
+                "kex": [
+                    {
+                        "name": "diffie-hellman-group-exchange-sha256",
+                        "notes": "increase modulus size to 3072 bits or larger"
+                    }
+                ]
+            },
+            "del": {
+                "enc": [
+                    {
+                        "name": "3des-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "arcfour128",
+                        "notes": ""
+                    },
+                    {
+                        "name": "arcfour",
+                        "notes": ""
+                    },
+                    {
+                        "name": "arcfour256",
+                        "notes": ""
+                    },
+                    {
+                        "name": "blowfish-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "cast128-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "rijndael-cbc@lysator.liu.se",
+                        "notes": ""
+                    }
+                ],
+                "kex": [
+                    {
+                        "name": "diffie-hellman-group14-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "diffie-hellman-group1-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "diffie-hellman-group-exchange-sha1",
+                        "notes": ""
+                    }
+                ],
+                "key": [
+                    {
+                        "name": "ssh-rsa",
+                        "notes": ""
+                    },
+                    {
+                        "name": "ssh-rsa-cert-v01@openssh.com",
+                        "notes": ""
+                    }
+                ],
+                "mac": [
+                    {
+                        "name": "hmac-md5",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-md5-96",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-ripemd160",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-ripemd160@openssh.com",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-sha1-96",
+                        "notes": ""
+                    }
+                ]
+            }
+        },
+        "warning": {
+            "del": {
+                "enc": [
+                    {
+                        "name": "aes128-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "aes192-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "aes256-cbc",
+                        "notes": ""
+                    }
+                ],
+                "mac": [
+                    {
+                        "name": "umac-64@openssh.com",
+                        "notes": ""
+                    }
+                ]
+            }
+        }
+    },
+    "target": "localhost:2222"
+}
--- a/test/docker/expected_results/openssh_5.6p1_test2.txt
+++ b/test/docker/expected_results/openssh_5.6p1_test2.txt
@ -0,0 +1,122 @@
+[0;36m# general[0m
+[0;32m(gen) banner: SSH-2.0-OpenSSH_5.6[0m
+[0;32m(gen) software: OpenSSH 5.6[0m
+[0;32m(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)[0m
+[0;32m(gen) compression: enabled (zlib@openssh.com)[0m
+
+[0;36m# key exchange algorithms[0m
+[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m
+[0;33m                                                      `- [warn] does not provide protection against post-quantum attacks[0m
+                                                      `- [info] available since OpenSSH 4.4
+[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m
+[0;33m                                                    `- [warn] does not provide protection against post-quantum attacks[0m
+                                                    `- [info] available since OpenSSH 2.3.0
+[0;31m(kex) diffie-hellman-group14-sha1           -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
+[0;33m                                            `- [warn] does not provide protection against post-quantum attacks[0m
+                                            `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+[0;31m(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus[0m
+[0;31m                                            `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m
+[0;31m                                            `- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] does not provide protection against post-quantum attacks[0m
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+                                            `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
+
+[0;36m# host-key algorithms[0m
+[0;31m(key) ssh-rsa (1024-bit)                    -- [fail] using broken SHA-1 hash algorithm[0m
+[0;31m                                            `- [fail] using small 1024-bit modulus[0m
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+                                            `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+[0;31m(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/1024-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm[0m
+[0;31m                                                                   `- [fail] using small 1024-bit hostkey modulus[0m
+[0;31m                                                                   `- [fail] using small 1024-bit CA key modulus[0m
+                                                                   `- [info] available since OpenSSH 5.6
+                                                                   `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+
+[0;36m# encryption algorithms (ciphers)[0m
+[0;32m(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
+[0;32m(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7[0m
+[0;32m(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
+[0;31m(enc) arcfour256                            -- [fail] using broken RC4 cipher[0m
+                                            `- [info] available since OpenSSH 4.2
+[0;31m(enc) arcfour128                            -- [fail] using broken RC4 cipher[0m
+                                            `- [info] available since OpenSSH 4.2
+[0;33m(enc) aes128-cbc                            -- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+[0;31m(enc) 3des-cbc                              -- [fail] using broken & deprecated 3DES cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+[0;33m                                            `- [warn] using small 64-bit block size[0m
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+[0;31m(enc) blowfish-cbc                          -- [fail] using weak & deprecated Blowfish cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+[0;33m                                            `- [warn] using small 64-bit block size[0m
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+[0;31m(enc) cast128-cbc                           -- [fail] using weak & deprecated CAST cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+[0;33m                                            `- [warn] using small 64-bit block size[0m
+                                            `- [info] available since OpenSSH 2.1.0
+[0;33m(enc) aes192-cbc                            -- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0
+[0;33m(enc) aes256-cbc                            -- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+[0;31m(enc) arcfour                               -- [fail] using broken RC4 cipher[0m
+                                            `- [info] available since OpenSSH 2.1.0
+[0;31m(enc) rijndael-cbc@lysator.liu.se           -- [fail] using deprecated & non-standardized Rijndael cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0
+                                            `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+[0;36m# message authentication code algorithms[0m
+[0;31m(mac) hmac-md5                              -- [fail] using broken MD5 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+[0;31m(mac) hmac-sha1                             -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+[0;33m(mac) umac-64@openssh.com                   -- [warn] using encrypt-and-MAC mode[0m
+[0;33m                                            `- [warn] using small 64-bit tag size[0m
+                                            `- [info] available since OpenSSH 4.7
+[0;31m(mac) hmac-ripemd160                        -- [fail] using deprecated RIPEMD hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.5.0
+[0;31m(mac) hmac-ripemd160@openssh.com            -- [fail] using deprecated RIPEMD hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.1.0
+[0;31m(mac) hmac-sha1-96                          -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+[0;31m(mac) hmac-md5-96                           -- [fail] using broken MD5 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.5.0
+
+[0;36m# fingerprints[0m
+[0;32m(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4[0m
+
+[0;36m# algorithm recommendations (for OpenSSH 5.6)[0m
+[0;31m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) [0m
+[0;31m(rec) -3des-cbc                             -- enc algorithm to remove [0m
+[0;31m(rec) -arcfour                              -- enc algorithm to remove [0m
+[0;31m(rec) -arcfour128                           -- enc algorithm to remove [0m
+[0;31m(rec) -arcfour256                           -- enc algorithm to remove [0m
+[0;31m(rec) -blowfish-cbc                         -- enc algorithm to remove [0m
+[0;31m(rec) -cast128-cbc                          -- enc algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group-exchange-sha1   -- kex algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group1-sha1           -- kex algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove [0m
+[0;31m(rec) -hmac-md5                             -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-md5-96                          -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-ripemd160                       -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-ripemd160@openssh.com           -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-sha1                            -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-sha1-96                         -- mac algorithm to remove [0m
+[0;31m(rec) -rijndael-cbc@lysator.liu.se          -- enc algorithm to remove [0m
+[0;31m(rec) -ssh-rsa                              -- key algorithm to remove [0m
+[0;31m(rec) -ssh-rsa-cert-v01@openssh.com         -- key algorithm to remove [0m
+[0;33m(rec) -aes128-cbc                           -- enc algorithm to remove [0m
+[0;33m(rec) -aes192-cbc                           -- enc algorithm to remove [0m
+[0;33m(rec) -aes256-cbc                           -- enc algorithm to remove [0m
+[0;33m(rec) -umac-64@openssh.com                  -- mac algorithm to remove [0m
+
+[0;36m# additional info[0m
+[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m
+
--- a/test/docker/expected_results/openssh_5.6p1_test3.json
+++ b/test/docker/expected_results/openssh_5.6p1_test3.json
@ -0,0 +1,491 @@
+{
+    "additional_notes": [],
+    "banner": {
+        "comments": null,
+        "protocol": "2.0",
+        "raw": "SSH-2.0-OpenSSH_5.6",
+        "software": "OpenSSH_5.6"
+    },
+    "compression": [
+        "none",
+        "zlib@openssh.com"
+    ],
+    "cves": [],
+    "enc": [
+        {
+            "algorithm": "aes128-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7, Dropbear SSH 0.52"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes192-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes256-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7, Dropbear SSH 0.52"
+                ]
+            }
+        },
+        {
+            "algorithm": "arcfour256",
+            "notes": {
+                "fail": [
+                    "using broken RC4 cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 4.2"
+                ]
+            }
+        },
+        {
+            "algorithm": "arcfour128",
+            "notes": {
+                "fail": [
+                    "using broken RC4 cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 4.2"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes128-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "3des-cbc",
+            "notes": {
+                "fail": [
+                    "using broken & deprecated 3DES cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        },
+        {
+            "algorithm": "blowfish-cbc",
+            "notes": {
+                "fail": [
+                    "using weak & deprecated Blowfish cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        },
+        {
+            "algorithm": "cast128-cbc",
+            "notes": {
+                "fail": [
+                    "using weak & deprecated CAST cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes192-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes256-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "arcfour",
+            "notes": {
+                "fail": [
+                    "using broken RC4 cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0"
+                ]
+            }
+        },
+        {
+            "algorithm": "rijndael-cbc@lysator.liu.se",
+            "notes": {
+                "fail": [
+                    "using deprecated & non-standardized Rijndael cipher"
+                ],
+                "info": [
+                    "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+                    "available since OpenSSH 2.3.0"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        }
+    ],
+    "fingerprints": [
+        {
+            "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4",
+            "hash_alg": "SHA256",
+            "hostkey": "ssh-rsa"
+        },
+        {
+            "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a",
+            "hash_alg": "MD5",
+            "hostkey": "ssh-rsa"
+        }
+    ],
+    "kex": [
+        {
+            "algorithm": "diffie-hellman-group-exchange-sha256",
+            "keysize": 1024,
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "available since OpenSSH 4.4"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group-exchange-sha1",
+            "keysize": 1024,
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "available since OpenSSH 2.3.0"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group14-sha1",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 3.9, Dropbear SSH 0.53"
+                ],
+                "warn": [
+                    "2048-bit modulus only provides 112-bits of symmetric strength",
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group1-sha1",
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus",
+                    "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        }
+    ],
+    "key": [
+        {
+            "algorithm": "ssh-rsa",
+            "keysize": 1024,
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm",
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+                    "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+                ]
+            }
+        },
+        {
+            "algorithm": "ssh-rsa-cert-v01@openssh.com",
+            "ca_algorithm": "ssh-rsa",
+            "casize": 3072,
+            "keysize": 1024,
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm",
+                    "using small 1024-bit hostkey modulus"
+                ],
+                "info": [
+                    "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+                    "available since OpenSSH 5.6"
+                ]
+            }
+        }
+    ],
+    "mac": [
+        {
+            "algorithm": "hmac-md5",
+            "notes": {
+                "fail": [
+                    "using broken MD5 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-sha1",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "umac-64@openssh.com",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 4.7"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode",
+                    "using small 64-bit tag size"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-ripemd160",
+            "notes": {
+                "fail": [
+                    "using deprecated RIPEMD hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-ripemd160@openssh.com",
+            "notes": {
+                "fail": [
+                    "using deprecated RIPEMD hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-sha1-96",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-md5-96",
+            "notes": {
+                "fail": [
+                    "using broken MD5 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        }
+    ],
+    "recommendations": {
+        "critical": {
+            "chg": {
+                "kex": [
+                    {
+                        "name": "diffie-hellman-group-exchange-sha256",
+                        "notes": "increase modulus size to 3072 bits or larger"
+                    }
+                ]
+            },
+            "del": {
+                "enc": [
+                    {
+                        "name": "3des-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "arcfour128",
+                        "notes": ""
+                    },
+                    {
+                        "name": "arcfour",
+                        "notes": ""
+                    },
+                    {
+                        "name": "arcfour256",
+                        "notes": ""
+                    },
+                    {
+                        "name": "blowfish-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "cast128-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "rijndael-cbc@lysator.liu.se",
+                        "notes": ""
+                    }
+                ],
+                "kex": [
+                    {
+                        "name": "diffie-hellman-group14-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "diffie-hellman-group1-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "diffie-hellman-group-exchange-sha1",
+                        "notes": ""
+                    }
+                ],
+                "key": [
+                    {
+                        "name": "ssh-rsa",
+                        "notes": ""
+                    },
+                    {
+                        "name": "ssh-rsa-cert-v01@openssh.com",
+                        "notes": ""
+                    }
+                ],
+                "mac": [
+                    {
+                        "name": "hmac-md5",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-md5-96",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-ripemd160",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-ripemd160@openssh.com",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-sha1-96",
+                        "notes": ""
+                    }
+                ]
+            }
+        },
+        "warning": {
+            "del": {
+                "enc": [
+                    {
+                        "name": "aes128-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "aes192-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "aes256-cbc",
+                        "notes": ""
+                    }
+                ],
+                "mac": [
+                    {
+                        "name": "umac-64@openssh.com",
+                        "notes": ""
+                    }
+                ]
+            }
+        }
+    },
+    "target": "localhost:2222"
+}
--- a/test/docker/expected_results/openssh_5.6p1_test3.txt
+++ b/test/docker/expected_results/openssh_5.6p1_test3.txt
@ -0,0 +1,121 @@
+[0;36m# general[0m
+[0;32m(gen) banner: SSH-2.0-OpenSSH_5.6[0m
+[0;32m(gen) software: OpenSSH 5.6[0m
+[0;32m(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)[0m
+[0;32m(gen) compression: enabled (zlib@openssh.com)[0m
+
+[0;36m# key exchange algorithms[0m
+[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m
+[0;33m                                                      `- [warn] does not provide protection against post-quantum attacks[0m
+                                                      `- [info] available since OpenSSH 4.4
+[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m
+[0;33m                                                    `- [warn] does not provide protection against post-quantum attacks[0m
+                                                    `- [info] available since OpenSSH 2.3.0
+[0;31m(kex) diffie-hellman-group14-sha1           -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
+[0;33m                                            `- [warn] does not provide protection against post-quantum attacks[0m
+                                            `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+[0;31m(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus[0m
+[0;31m                                            `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m
+[0;31m                                            `- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] does not provide protection against post-quantum attacks[0m
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+                                            `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
+
+[0;36m# host-key algorithms[0m
+[0;31m(key) ssh-rsa (1024-bit)                    -- [fail] using broken SHA-1 hash algorithm[0m
+[0;31m                                            `- [fail] using small 1024-bit modulus[0m
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+                                            `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+[0;31m(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/3072-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm[0m
+[0;31m                                                                   `- [fail] using small 1024-bit hostkey modulus[0m
+                                                                   `- [info] available since OpenSSH 5.6
+                                                                   `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+
+[0;36m# encryption algorithms (ciphers)[0m
+[0;32m(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
+[0;32m(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7[0m
+[0;32m(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
+[0;31m(enc) arcfour256                            -- [fail] using broken RC4 cipher[0m
+                                            `- [info] available since OpenSSH 4.2
+[0;31m(enc) arcfour128                            -- [fail] using broken RC4 cipher[0m
+                                            `- [info] available since OpenSSH 4.2
+[0;33m(enc) aes128-cbc                            -- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+[0;31m(enc) 3des-cbc                              -- [fail] using broken & deprecated 3DES cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+[0;33m                                            `- [warn] using small 64-bit block size[0m
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+[0;31m(enc) blowfish-cbc                          -- [fail] using weak & deprecated Blowfish cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+[0;33m                                            `- [warn] using small 64-bit block size[0m
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+[0;31m(enc) cast128-cbc                           -- [fail] using weak & deprecated CAST cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+[0;33m                                            `- [warn] using small 64-bit block size[0m
+                                            `- [info] available since OpenSSH 2.1.0
+[0;33m(enc) aes192-cbc                            -- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0
+[0;33m(enc) aes256-cbc                            -- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+[0;31m(enc) arcfour                               -- [fail] using broken RC4 cipher[0m
+                                            `- [info] available since OpenSSH 2.1.0
+[0;31m(enc) rijndael-cbc@lysator.liu.se           -- [fail] using deprecated & non-standardized Rijndael cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0
+                                            `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+[0;36m# message authentication code algorithms[0m
+[0;31m(mac) hmac-md5                              -- [fail] using broken MD5 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+[0;31m(mac) hmac-sha1                             -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+[0;33m(mac) umac-64@openssh.com                   -- [warn] using encrypt-and-MAC mode[0m
+[0;33m                                            `- [warn] using small 64-bit tag size[0m
+                                            `- [info] available since OpenSSH 4.7
+[0;31m(mac) hmac-ripemd160                        -- [fail] using deprecated RIPEMD hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.5.0
+[0;31m(mac) hmac-ripemd160@openssh.com            -- [fail] using deprecated RIPEMD hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.1.0
+[0;31m(mac) hmac-sha1-96                          -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+[0;31m(mac) hmac-md5-96                           -- [fail] using broken MD5 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.5.0
+
+[0;36m# fingerprints[0m
+[0;32m(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4[0m
+
+[0;36m# algorithm recommendations (for OpenSSH 5.6)[0m
+[0;31m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) [0m
+[0;31m(rec) -3des-cbc                             -- enc algorithm to remove [0m
+[0;31m(rec) -arcfour                              -- enc algorithm to remove [0m
+[0;31m(rec) -arcfour128                           -- enc algorithm to remove [0m
+[0;31m(rec) -arcfour256                           -- enc algorithm to remove [0m
+[0;31m(rec) -blowfish-cbc                         -- enc algorithm to remove [0m
+[0;31m(rec) -cast128-cbc                          -- enc algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group-exchange-sha1   -- kex algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group1-sha1           -- kex algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove [0m
+[0;31m(rec) -hmac-md5                             -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-md5-96                          -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-ripemd160                       -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-ripemd160@openssh.com           -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-sha1                            -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-sha1-96                         -- mac algorithm to remove [0m
+[0;31m(rec) -rijndael-cbc@lysator.liu.se          -- enc algorithm to remove [0m
+[0;31m(rec) -ssh-rsa                              -- key algorithm to remove [0m
+[0;31m(rec) -ssh-rsa-cert-v01@openssh.com         -- key algorithm to remove [0m
+[0;33m(rec) -aes128-cbc                           -- enc algorithm to remove [0m
+[0;33m(rec) -aes192-cbc                           -- enc algorithm to remove [0m
+[0;33m(rec) -aes256-cbc                           -- enc algorithm to remove [0m
+[0;33m(rec) -umac-64@openssh.com                  -- mac algorithm to remove [0m
+
+[0;36m# additional info[0m
+[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m
+
--- a/test/docker/expected_results/openssh_5.6p1_test4.json
+++ b/test/docker/expected_results/openssh_5.6p1_test4.json
@ -0,0 +1,490 @@
+{
+    "additional_notes": [],
+    "banner": {
+        "comments": null,
+        "protocol": "2.0",
+        "raw": "SSH-2.0-OpenSSH_5.6",
+        "software": "OpenSSH_5.6"
+    },
+    "compression": [
+        "none",
+        "zlib@openssh.com"
+    ],
+    "cves": [],
+    "enc": [
+        {
+            "algorithm": "aes128-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7, Dropbear SSH 0.52"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes192-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes256-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7, Dropbear SSH 0.52"
+                ]
+            }
+        },
+        {
+            "algorithm": "arcfour256",
+            "notes": {
+                "fail": [
+                    "using broken RC4 cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 4.2"
+                ]
+            }
+        },
+        {
+            "algorithm": "arcfour128",
+            "notes": {
+                "fail": [
+                    "using broken RC4 cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 4.2"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes128-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "3des-cbc",
+            "notes": {
+                "fail": [
+                    "using broken & deprecated 3DES cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        },
+        {
+            "algorithm": "blowfish-cbc",
+            "notes": {
+                "fail": [
+                    "using weak & deprecated Blowfish cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        },
+        {
+            "algorithm": "cast128-cbc",
+            "notes": {
+                "fail": [
+                    "using weak & deprecated CAST cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes192-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes256-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "arcfour",
+            "notes": {
+                "fail": [
+                    "using broken RC4 cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0"
+                ]
+            }
+        },
+        {
+            "algorithm": "rijndael-cbc@lysator.liu.se",
+            "notes": {
+                "fail": [
+                    "using deprecated & non-standardized Rijndael cipher"
+                ],
+                "info": [
+                    "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+                    "available since OpenSSH 2.3.0"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        }
+    ],
+    "fingerprints": [
+        {
+            "hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244",
+            "hash_alg": "SHA256",
+            "hostkey": "ssh-rsa"
+        },
+        {
+            "hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1",
+            "hash_alg": "MD5",
+            "hostkey": "ssh-rsa"
+        }
+    ],
+    "kex": [
+        {
+            "algorithm": "diffie-hellman-group-exchange-sha256",
+            "keysize": 1024,
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "available since OpenSSH 4.4"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group-exchange-sha1",
+            "keysize": 1024,
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "available since OpenSSH 2.3.0"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group14-sha1",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 3.9, Dropbear SSH 0.53"
+                ],
+                "warn": [
+                    "2048-bit modulus only provides 112-bits of symmetric strength",
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group1-sha1",
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus",
+                    "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        }
+    ],
+    "key": [
+        {
+            "algorithm": "ssh-rsa",
+            "keysize": 3072,
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+                    "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+                ]
+            }
+        },
+        {
+            "algorithm": "ssh-rsa-cert-v01@openssh.com",
+            "ca_algorithm": "ssh-rsa",
+            "casize": 1024,
+            "keysize": 3072,
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm",
+                    "using small 1024-bit CA key modulus"
+                ],
+                "info": [
+                    "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+                    "available since OpenSSH 5.6"
+                ]
+            }
+        }
+    ],
+    "mac": [
+        {
+            "algorithm": "hmac-md5",
+            "notes": {
+                "fail": [
+                    "using broken MD5 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-sha1",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "umac-64@openssh.com",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 4.7"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode",
+                    "using small 64-bit tag size"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-ripemd160",
+            "notes": {
+                "fail": [
+                    "using deprecated RIPEMD hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-ripemd160@openssh.com",
+            "notes": {
+                "fail": [
+                    "using deprecated RIPEMD hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-sha1-96",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-md5-96",
+            "notes": {
+                "fail": [
+                    "using broken MD5 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        }
+    ],
+    "recommendations": {
+        "critical": {
+            "chg": {
+                "kex": [
+                    {
+                        "name": "diffie-hellman-group-exchange-sha256",
+                        "notes": "increase modulus size to 3072 bits or larger"
+                    }
+                ]
+            },
+            "del": {
+                "enc": [
+                    {
+                        "name": "3des-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "arcfour128",
+                        "notes": ""
+                    },
+                    {
+                        "name": "arcfour",
+                        "notes": ""
+                    },
+                    {
+                        "name": "arcfour256",
+                        "notes": ""
+                    },
+                    {
+                        "name": "blowfish-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "cast128-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "rijndael-cbc@lysator.liu.se",
+                        "notes": ""
+                    }
+                ],
+                "kex": [
+                    {
+                        "name": "diffie-hellman-group14-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "diffie-hellman-group1-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "diffie-hellman-group-exchange-sha1",
+                        "notes": ""
+                    }
+                ],
+                "key": [
+                    {
+                        "name": "ssh-rsa",
+                        "notes": ""
+                    },
+                    {
+                        "name": "ssh-rsa-cert-v01@openssh.com",
+                        "notes": ""
+                    }
+                ],
+                "mac": [
+                    {
+                        "name": "hmac-md5",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-md5-96",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-ripemd160",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-ripemd160@openssh.com",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-sha1-96",
+                        "notes": ""
+                    }
+                ]
+            }
+        },
+        "warning": {
+            "del": {
+                "enc": [
+                    {
+                        "name": "aes128-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "aes192-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "aes256-cbc",
+                        "notes": ""
+                    }
+                ],
+                "mac": [
+                    {
+                        "name": "umac-64@openssh.com",
+                        "notes": ""
+                    }
+                ]
+            }
+        }
+    },
+    "target": "localhost:2222"
+}
--- a/test/docker/expected_results/openssh_5.6p1_test4.txt
+++ b/test/docker/expected_results/openssh_5.6p1_test4.txt
@ -0,0 +1,120 @@
+[0;36m# general[0m
+[0;32m(gen) banner: SSH-2.0-OpenSSH_5.6[0m
+[0;32m(gen) software: OpenSSH 5.6[0m
+[0;32m(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)[0m
+[0;32m(gen) compression: enabled (zlib@openssh.com)[0m
+
+[0;36m# key exchange algorithms[0m
+[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m
+[0;33m                                                      `- [warn] does not provide protection against post-quantum attacks[0m
+                                                      `- [info] available since OpenSSH 4.4
+[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m
+[0;33m                                                    `- [warn] does not provide protection against post-quantum attacks[0m
+                                                    `- [info] available since OpenSSH 2.3.0
+[0;31m(kex) diffie-hellman-group14-sha1           -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
+[0;33m                                            `- [warn] does not provide protection against post-quantum attacks[0m
+                                            `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+[0;31m(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus[0m
+[0;31m                                            `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m
+[0;31m                                            `- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] does not provide protection against post-quantum attacks[0m
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+                                            `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
+
+[0;36m# host-key algorithms[0m
+[0;31m(key) ssh-rsa (3072-bit)                    -- [fail] using broken SHA-1 hash algorithm[0m
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+                                            `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+[0;31m(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/1024-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm[0m
+[0;31m                                                                   `- [fail] using small 1024-bit CA key modulus[0m
+                                                                   `- [info] available since OpenSSH 5.6
+                                                                   `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+
+[0;36m# encryption algorithms (ciphers)[0m
+[0;32m(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
+[0;32m(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7[0m
+[0;32m(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
+[0;31m(enc) arcfour256                            -- [fail] using broken RC4 cipher[0m
+                                            `- [info] available since OpenSSH 4.2
+[0;31m(enc) arcfour128                            -- [fail] using broken RC4 cipher[0m
+                                            `- [info] available since OpenSSH 4.2
+[0;33m(enc) aes128-cbc                            -- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+[0;31m(enc) 3des-cbc                              -- [fail] using broken & deprecated 3DES cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+[0;33m                                            `- [warn] using small 64-bit block size[0m
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+[0;31m(enc) blowfish-cbc                          -- [fail] using weak & deprecated Blowfish cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+[0;33m                                            `- [warn] using small 64-bit block size[0m
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+[0;31m(enc) cast128-cbc                           -- [fail] using weak & deprecated CAST cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+[0;33m                                            `- [warn] using small 64-bit block size[0m
+                                            `- [info] available since OpenSSH 2.1.0
+[0;33m(enc) aes192-cbc                            -- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0
+[0;33m(enc) aes256-cbc                            -- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+[0;31m(enc) arcfour                               -- [fail] using broken RC4 cipher[0m
+                                            `- [info] available since OpenSSH 2.1.0
+[0;31m(enc) rijndael-cbc@lysator.liu.se           -- [fail] using deprecated & non-standardized Rijndael cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0
+                                            `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+[0;36m# message authentication code algorithms[0m
+[0;31m(mac) hmac-md5                              -- [fail] using broken MD5 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+[0;31m(mac) hmac-sha1                             -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+[0;33m(mac) umac-64@openssh.com                   -- [warn] using encrypt-and-MAC mode[0m
+[0;33m                                            `- [warn] using small 64-bit tag size[0m
+                                            `- [info] available since OpenSSH 4.7
+[0;31m(mac) hmac-ripemd160                        -- [fail] using deprecated RIPEMD hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.5.0
+[0;31m(mac) hmac-ripemd160@openssh.com            -- [fail] using deprecated RIPEMD hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.1.0
+[0;31m(mac) hmac-sha1-96                          -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+[0;31m(mac) hmac-md5-96                           -- [fail] using broken MD5 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.5.0
+
+[0;36m# fingerprints[0m
+[0;32m(fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244[0m
+
+[0;36m# algorithm recommendations (for OpenSSH 5.6)[0m
+[0;31m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) [0m
+[0;31m(rec) -3des-cbc                             -- enc algorithm to remove [0m
+[0;31m(rec) -arcfour                              -- enc algorithm to remove [0m
+[0;31m(rec) -arcfour128                           -- enc algorithm to remove [0m
+[0;31m(rec) -arcfour256                           -- enc algorithm to remove [0m
+[0;31m(rec) -blowfish-cbc                         -- enc algorithm to remove [0m
+[0;31m(rec) -cast128-cbc                          -- enc algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group-exchange-sha1   -- kex algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group1-sha1           -- kex algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove [0m
+[0;31m(rec) -hmac-md5                             -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-md5-96                          -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-ripemd160                       -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-ripemd160@openssh.com           -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-sha1                            -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-sha1-96                         -- mac algorithm to remove [0m
+[0;31m(rec) -rijndael-cbc@lysator.liu.se          -- enc algorithm to remove [0m
+[0;31m(rec) -ssh-rsa                              -- key algorithm to remove [0m
+[0;31m(rec) -ssh-rsa-cert-v01@openssh.com         -- key algorithm to remove [0m
+[0;33m(rec) -aes128-cbc                           -- enc algorithm to remove [0m
+[0;33m(rec) -aes192-cbc                           -- enc algorithm to remove [0m
+[0;33m(rec) -aes256-cbc                           -- enc algorithm to remove [0m
+[0;33m(rec) -umac-64@openssh.com                  -- mac algorithm to remove [0m
+
+[0;36m# additional info[0m
+[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m
+
--- a/test/docker/expected_results/openssh_5.6p1_test5.json
+++ b/test/docker/expected_results/openssh_5.6p1_test5.json
@ -0,0 +1,489 @@
+{
+    "additional_notes": [],
+    "banner": {
+        "comments": null,
+        "protocol": "2.0",
+        "raw": "SSH-2.0-OpenSSH_5.6",
+        "software": "OpenSSH_5.6"
+    },
+    "compression": [
+        "none",
+        "zlib@openssh.com"
+    ],
+    "cves": [],
+    "enc": [
+        {
+            "algorithm": "aes128-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7, Dropbear SSH 0.52"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes192-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes256-ctr",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 3.7, Dropbear SSH 0.52"
+                ]
+            }
+        },
+        {
+            "algorithm": "arcfour256",
+            "notes": {
+                "fail": [
+                    "using broken RC4 cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 4.2"
+                ]
+            }
+        },
+        {
+            "algorithm": "arcfour128",
+            "notes": {
+                "fail": [
+                    "using broken RC4 cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 4.2"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes128-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "3des-cbc",
+            "notes": {
+                "fail": [
+                    "using broken & deprecated 3DES cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        },
+        {
+            "algorithm": "blowfish-cbc",
+            "notes": {
+                "fail": [
+                    "using weak & deprecated Blowfish cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        },
+        {
+            "algorithm": "cast128-cbc",
+            "notes": {
+                "fail": [
+                    "using weak & deprecated CAST cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0"
+                ],
+                "warn": [
+                    "using weak cipher mode",
+                    "using small 64-bit block size"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes192-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "aes256-cbc",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "arcfour",
+            "notes": {
+                "fail": [
+                    "using broken RC4 cipher"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0"
+                ]
+            }
+        },
+        {
+            "algorithm": "rijndael-cbc@lysator.liu.se",
+            "notes": {
+                "fail": [
+                    "using deprecated & non-standardized Rijndael cipher"
+                ],
+                "info": [
+                    "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+                    "available since OpenSSH 2.3.0"
+                ],
+                "warn": [
+                    "using weak cipher mode"
+                ]
+            }
+        }
+    ],
+    "fingerprints": [
+        {
+            "hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244",
+            "hash_alg": "SHA256",
+            "hostkey": "ssh-rsa"
+        },
+        {
+            "hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1",
+            "hash_alg": "MD5",
+            "hostkey": "ssh-rsa"
+        }
+    ],
+    "kex": [
+        {
+            "algorithm": "diffie-hellman-group-exchange-sha256",
+            "keysize": 1024,
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "available since OpenSSH 4.4"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group-exchange-sha1",
+            "keysize": 1024,
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus"
+                ],
+                "info": [
+                    "available since OpenSSH 2.3.0"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group14-sha1",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 3.9, Dropbear SSH 0.53"
+                ],
+                "warn": [
+                    "2048-bit modulus only provides 112-bits of symmetric strength",
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        },
+        {
+            "algorithm": "diffie-hellman-group1-sha1",
+            "notes": {
+                "fail": [
+                    "using small 1024-bit modulus",
+                    "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
+                    "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "does not provide protection against post-quantum attacks"
+                ]
+            }
+        }
+    ],
+    "key": [
+        {
+            "algorithm": "ssh-rsa",
+            "keysize": 3072,
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+                    "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+                ]
+            }
+        },
+        {
+            "algorithm": "ssh-rsa-cert-v01@openssh.com",
+            "ca_algorithm": "ssh-rsa",
+            "casize": 3072,
+            "keysize": 3072,
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+                    "available since OpenSSH 5.6"
+                ]
+            }
+        }
+    ],
+    "mac": [
+        {
+            "algorithm": "hmac-md5",
+            "notes": {
+                "fail": [
+                    "using broken MD5 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-sha1",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "umac-64@openssh.com",
+            "notes": {
+                "info": [
+                    "available since OpenSSH 4.7"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode",
+                    "using small 64-bit tag size"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-ripemd160",
+            "notes": {
+                "fail": [
+                    "using deprecated RIPEMD hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-ripemd160@openssh.com",
+            "notes": {
+                "fail": [
+                    "using deprecated RIPEMD hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.1.0"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-sha1-96",
+            "notes": {
+                "fail": [
+                    "using broken SHA-1 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        },
+        {
+            "algorithm": "hmac-md5-96",
+            "notes": {
+                "fail": [
+                    "using broken MD5 hash algorithm"
+                ],
+                "info": [
+                    "available since OpenSSH 2.5.0"
+                ],
+                "warn": [
+                    "using encrypt-and-MAC mode"
+                ]
+            }
+        }
+    ],
+    "recommendations": {
+        "critical": {
+            "chg": {
+                "kex": [
+                    {
+                        "name": "diffie-hellman-group-exchange-sha256",
+                        "notes": "increase modulus size to 3072 bits or larger"
+                    }
+                ]
+            },
+            "del": {
+                "enc": [
+                    {
+                        "name": "3des-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "arcfour128",
+                        "notes": ""
+                    },
+                    {
+                        "name": "arcfour",
+                        "notes": ""
+                    },
+                    {
+                        "name": "arcfour256",
+                        "notes": ""
+                    },
+                    {
+                        "name": "blowfish-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "cast128-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "rijndael-cbc@lysator.liu.se",
+                        "notes": ""
+                    }
+                ],
+                "kex": [
+                    {
+                        "name": "diffie-hellman-group14-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "diffie-hellman-group1-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "diffie-hellman-group-exchange-sha1",
+                        "notes": ""
+                    }
+                ],
+                "key": [
+                    {
+                        "name": "ssh-rsa",
+                        "notes": ""
+                    },
+                    {
+                        "name": "ssh-rsa-cert-v01@openssh.com",
+                        "notes": ""
+                    }
+                ],
+                "mac": [
+                    {
+                        "name": "hmac-md5",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-md5-96",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-ripemd160",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-ripemd160@openssh.com",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-sha1",
+                        "notes": ""
+                    },
+                    {
+                        "name": "hmac-sha1-96",
+                        "notes": ""
+                    }
+                ]
+            }
+        },
+        "warning": {
+            "del": {
+                "enc": [
+                    {
+                        "name": "aes128-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "aes192-cbc",
+                        "notes": ""
+                    },
+                    {
+                        "name": "aes256-cbc",
+                        "notes": ""
+                    }
+                ],
+                "mac": [
+                    {
+                        "name": "umac-64@openssh.com",
+                        "notes": ""
+                    }
+                ]
+            }
+        }
+    },
+    "target": "localhost:2222"
+}
--- a/test/docker/expected_results/openssh_5.6p1_test5.txt
+++ b/test/docker/expected_results/openssh_5.6p1_test5.txt
@ -0,0 +1,119 @@
+[0;36m# general[0m
+[0;32m(gen) banner: SSH-2.0-OpenSSH_5.6[0m
+[0;32m(gen) software: OpenSSH 5.6[0m
+[0;32m(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)[0m
+[0;32m(gen) compression: enabled (zlib@openssh.com)[0m
+
+[0;36m# key exchange algorithms[0m
+[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m
+[0;33m                                                      `- [warn] does not provide protection against post-quantum attacks[0m
+                                                      `- [info] available since OpenSSH 4.4
+[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m
+[0;33m                                                    `- [warn] does not provide protection against post-quantum attacks[0m
+                                                    `- [info] available since OpenSSH 2.3.0
+[0;31m(kex) diffie-hellman-group14-sha1           -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m
+[0;33m                                            `- [warn] does not provide protection against post-quantum attacks[0m
+                                            `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+[0;31m(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus[0m
+[0;31m                                            `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m
+[0;31m                                            `- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] does not provide protection against post-quantum attacks[0m
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+                                            `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
+
+[0;36m# host-key algorithms[0m
+[0;31m(key) ssh-rsa (3072-bit)                    -- [fail] using broken SHA-1 hash algorithm[0m
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+                                            `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+[0;31m(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/3072-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm[0m
+                                                                   `- [info] available since OpenSSH 5.6
+                                                                   `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+
+[0;36m# encryption algorithms (ciphers)[0m
+[0;32m(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
+[0;32m(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7[0m
+[0;32m(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m
+[0;31m(enc) arcfour256                            -- [fail] using broken RC4 cipher[0m
+                                            `- [info] available since OpenSSH 4.2
+[0;31m(enc) arcfour128                            -- [fail] using broken RC4 cipher[0m
+                                            `- [info] available since OpenSSH 4.2
+[0;33m(enc) aes128-cbc                            -- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+[0;31m(enc) 3des-cbc                              -- [fail] using broken & deprecated 3DES cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+[0;33m                                            `- [warn] using small 64-bit block size[0m
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+[0;31m(enc) blowfish-cbc                          -- [fail] using weak & deprecated Blowfish cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+[0;33m                                            `- [warn] using small 64-bit block size[0m
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+[0;31m(enc) cast128-cbc                           -- [fail] using weak & deprecated CAST cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+[0;33m                                            `- [warn] using small 64-bit block size[0m
+                                            `- [info] available since OpenSSH 2.1.0
+[0;33m(enc) aes192-cbc                            -- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0
+[0;33m(enc) aes256-cbc                            -- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+[0;31m(enc) arcfour                               -- [fail] using broken RC4 cipher[0m
+                                            `- [info] available since OpenSSH 2.1.0
+[0;31m(enc) rijndael-cbc@lysator.liu.se           -- [fail] using deprecated & non-standardized Rijndael cipher[0m
+[0;33m                                            `- [warn] using weak cipher mode[0m
+                                            `- [info] available since OpenSSH 2.3.0
+                                            `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+[0;36m# message authentication code algorithms[0m
+[0;31m(mac) hmac-md5                              -- [fail] using broken MD5 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+[0;31m(mac) hmac-sha1                             -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+[0;33m(mac) umac-64@openssh.com                   -- [warn] using encrypt-and-MAC mode[0m
+[0;33m                                            `- [warn] using small 64-bit tag size[0m
+                                            `- [info] available since OpenSSH 4.7
+[0;31m(mac) hmac-ripemd160                        -- [fail] using deprecated RIPEMD hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.5.0
+[0;31m(mac) hmac-ripemd160@openssh.com            -- [fail] using deprecated RIPEMD hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.1.0
+[0;31m(mac) hmac-sha1-96                          -- [fail] using broken SHA-1 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+[0;31m(mac) hmac-md5-96                           -- [fail] using broken MD5 hash algorithm[0m
+[0;33m                                            `- [warn] using encrypt-and-MAC mode[0m
+                                            `- [info] available since OpenSSH 2.5.0
+
+[0;36m# fingerprints[0m
+[0;32m(fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244[0m
+
+[0;36m# algorithm recommendations (for OpenSSH 5.6)[0m
+[0;31m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) [0m
+[0;31m(rec) -3des-cbc                             -- enc algorithm to remove [0m
+[0;31m(rec) -arcfour                              -- enc algorithm to remove [0m
+[0;31m(rec) -arcfour128                           -- enc algorithm to remove [0m
+[0;31m(rec) -arcfour256                           -- enc algorithm to remove [0m
+[0;31m(rec) -blowfish-cbc                         -- enc algorithm to remove [0m
+[0;31m(rec) -cast128-cbc                          -- enc algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group-exchange-sha1   -- kex algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group1-sha1           -- kex algorithm to remove [0m
+[0;31m(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove [0m
+[0;31m(rec) -hmac-md5                             -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-md5-96                          -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-ripemd160                       -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-ripemd160@openssh.com           -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-sha1                            -- mac algorithm to remove [0m
+[0;31m(rec) -hmac-sha1-96                         -- mac algorithm to remove [0m
+[0;31m(rec) -rijndael-cbc@lysator.liu.se          -- enc algorithm to remove [0m
+[0;31m(rec) -ssh-rsa                              -- key algorithm to remove [0m
+[0;31m(rec) -ssh-rsa-cert-v01@openssh.com         -- key algorithm to remove [0m
+[0;33m(rec) -aes128-cbc                           -- enc algorithm to remove [0m
+[0;33m(rec) -aes192-cbc                           -- enc algorithm to remove [0m
+[0;33m(rec) -aes256-cbc                           -- enc algorithm to remove [0m
+[0;33m(rec) -umac-64@openssh.com                  -- mac algorithm to remove [0m
+
+[0;36m# additional info[0m
+[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m
+
--- a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json
+++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json
@ -0,0 +1,45 @@
+{
+    "errors": [
+        {
+            "actual": [
+                "3072"
+            ],
+            "expected_optional": [
+                ""
+            ],
+            "expected_required": [
+                "4096"
+            ],
+            "mismatched_field": "Host key (rsa-sha2-256) sizes"
+        },
+        {
+            "actual": [
+                "3072"
+            ],
+            "expected_optional": [
+                ""
+            ],
+            "expected_required": [
+                "4096"
+            ],
+            "mismatched_field": "Host key (rsa-sha2-512) sizes"
+        },
+        {
+            "actual": [
+                "4096"
+            ],
+            "expected_optional": [
+                ""
+            ],
+            "expected_required": [
+                "3072"
+            ],
+            "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes"
+        }
+    ],
+    "host": "localhost",
+    "passed": false,
+    "policy": "Hardened OpenSSH Server v8.0 (version 4)",
+    "port": 2222,
+    "warnings": []
+}
--- a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.txt
+++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.txt
@ -0,0 +1,17 @@
+Host:   localhost:2222
+Policy: Hardened OpenSSH Server v8.0 (version 4)
+Result: [0;31m❌ Failed![0m
+[0;33m
+Errors:
+  * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match.
+    - Expected: 3072
+    - Actual:   4096
+
+  * Host key (rsa-sha2-256) sizes did not match.
+    - Expected: 4096
+    - Actual:   3072
+
+  * Host key (rsa-sha2-512) sizes did not match.
+    - Expected: 4096
+    - Actual:   3072
+[0m
--- a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json
+++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json
@ -0,0 +1,68 @@
+{
+    "errors": [
+        {
+            "actual": [
+                "3072"
+            ],
+            "expected_optional": [
+                ""
+            ],
+            "expected_required": [
+                "4096"
+            ],
+            "mismatched_field": "Host key (rsa-sha2-256) sizes"
+        },
+        {
+            "actual": [
+                "3072"
+            ],
+            "expected_optional": [
+                ""
+            ],
+            "expected_required": [
+                "4096"
+            ],
+            "mismatched_field": "Host key (rsa-sha2-512) sizes"
+        },
+        {
+            "actual": [
+                "umac-64-etm@openssh.com",
+                "umac-128-etm@openssh.com",
+                "hmac-sha2-256-etm@openssh.com",
+                "hmac-sha2-512-etm@openssh.com",
+                "hmac-sha1-etm@openssh.com",
+                "umac-64@openssh.com",
+                "umac-128@openssh.com",
+                "hmac-sha2-256",
+                "hmac-sha2-512",
+                "hmac-sha1"
+            ],
+            "expected_optional": [
+                ""
+            ],
+            "expected_required": [
+                "hmac-sha2-256-etm@openssh.com",
+                "hmac-sha2-512-etm@openssh.com",
+                "umac-128-etm@openssh.com"
+            ],
+            "mismatched_field": "MACs"
+        },
+        {
+            "actual": [
+                "4096"
+            ],
+            "expected_optional": [
+                ""
+            ],
+            "expected_required": [
+                "3072"
+            ],
+            "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes"
+        }
+    ],
+    "host": "localhost",
+    "passed": false,
+    "policy": "Hardened OpenSSH Server v8.0 (version 4)",
+    "port": 2222,
+    "warnings": []
+}
--- a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt
+++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt
@ -0,0 +1,21 @@
+Host:   localhost:2222
+Policy: Hardened OpenSSH Server v8.0 (version 4)
+Result: [0;31m❌ Failed![0m
+[0;33m
+Errors:
+  * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match.
+    - Expected: 3072
+    - Actual:   4096
+
+  * Host key (rsa-sha2-256) sizes did not match.
+    - Expected: 4096
+    - Actual:   3072
+
+  * Host key (rsa-sha2-512) sizes did not match.
+    - Expected: 4096
+    - Actual:   3072
+
+  * MACs did not match.
+    - Expected: hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
+    - Actual:   umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
+[0m
--- a/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json
@ -0,0 +1,8 @@
+{
+    "errors": [],
+    "host": "localhost",
+    "passed": true,
+    "policy": "Docker policy: test11 (version 1)",
+    "port": 2222,
+    "warnings": []
+}
--- a/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.txt
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.txt
@ -0,0 +1,12 @@
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features.  Future versions of ssh-audit may remove support for them.  Re-generating the policy file is perhaps the most straight-forward way of resolving this issue.  Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host:   localhost:2222
+Policy: Docker policy: test11 (version 1)
+Result: [0;32m✔ Passed[0m
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`iÜ›<EFBFBD><EFBFBD>ãÈÍíVÌè¿<C3A8>ÓZ/Dì<†î\|S“zË=°:×1vu}¢ï„JòÝ·ŸŠ"à^Bb&U‰ìP«<50> ’CJ?`
				`@ -0,0 +1 @@`
				`1vu}¢ï„JòÝ·ŸŠ"à^Bb&U‰ìP«<50> ’CJ?`