Git/ssh-audit
1
0
Fork 0
mirror of https://github.com/jtesta/ssh-audit.git synced 2025-03-31 06:53:37 +02:00
Code Issues Packages Projects Releases Wiki Activity

Commit Graph

  • dd91c2a41a Bumped version to 3.1.0 in preparation for stable release. Updated Change Log in README. v3.1.0 Joe Testa 2023-12-20 13:12:13 -05:00
  • bef8c6c0f7 Updated notes on fixing Terrapin vulnerability. Joe Testa 2023-12-20 12:11:55 -05:00
  • 75dbc03a77 Added 'additional_notes' field to JSON output. Joe Testa 2023-12-19 18:03:07 -05:00
  • c9412cbb88 Added built-in policies for OpenSSH 9.5 and 9.6. Joe Testa 2023-12-19 17:42:43 -05:00
  • a0f99942a2 Don't recommend enabling the chacha & CBC ciphers, nor ETM MACs in case the user disabled them to address the Terrapin vulnerability. (#229) Joe Testa 2023-12-19 17:16:58 -05:00
  • c259a83782 Added note that when a target is properly configured against the Terrapin vulnerability that unpatched peers may still create vulnerable connections. Updated Ubuntu Server & Client 20.04 & 22.04 policies to include new key exchange markers related to Terrapin counter-measures. Joe Testa 2023-12-19 14:03:28 -05:00
  • 8e972c5e94 Added test for the Terrapin vulnerability (CVE-2023-48795) (#227). Joe Testa 2023-12-18 18:24:49 -05:00
  • 46eb970376 Removed Python 3.7 from Github Actions testing. Joe Testa 2023-11-27 23:39:48 -05:00
  • 965bcb6b18 Dropped support for Python 3.7. Joe Testa 2023-11-27 23:35:40 -05:00
  • ba8e8a7e68 Re-organized option host key types for OpenSSH 9.2 to correspond with updated Debian 12 hardening guide. Joe Testa 2023-11-27 21:33:13 -05:00
  • bad2c9cd8e In Ubuntu 22.04 client policy, moved host key types and to the end of all certificate types. Joe Testa 2023-11-27 20:07:36 -05:00
  • 69e1e121fd In server policies, reduced expected DH modulus sizes from 4096 to 3072 to match online hardening guides. Joe Testa 2023-11-27 19:15:18 -05:00
  • 848052df68
         Add cleanup for apt cache files (#215) Oleksii 2023-10-23 10:51:47 -07:00
  • d62e4cd80c Added Python 3.12 to Tox tests. Joe Testa 2023-10-22 16:43:04 -04:00
  • 2809ff464a Added --rm to docker run commands so stopped containers are automatically removed. Joe Testa 2023-09-12 08:38:07 -04:00
  • 02ab487232 Bumped version to v3.1.0-dev. Joe Testa 2023-09-07 08:57:59 -04:00
  • d62acd688e Updated Docker Makefile and packaging instructions. Joe Testa 2023-09-07 08:57:39 -04:00
  • f517e03d9f Bumped version to v3.0.0. v3.0.0 Joe Testa 2023-09-07 07:45:07 -04:00
  • 6c64257d91 Updated README. Joe Testa 2023-09-06 22:37:06 -04:00
  • 982c0b4c72
         Docker: Build multi-arch container images for amd64, arm64 and arm/v7 (#194) Sebastian Cohnen 2023-09-07 04:32:18 +02:00
  • e26597a7aa Marked all NIST K-, B-, and T-curves as unproven since they are so rarely used. Added 12 new host keys: 'ecdsa-sha2-curve25519', 'ecdsa-sha2-nistb233', 'ecdsa-sha2-nistb409', 'ecdsa-sha2-nistk163', 'ecdsa-sha2-nistk233', 'ecdsa-sha2-nistk283', 'ecdsa-sha2-nistk409', 'ecdsa-sha2-nistp224', 'ecdsa-sha2-nistp192', 'ecdsa-sha2-nistt571', 'ssh-dsa', 'x509v3-sign-rsa-sha256'. Added 15 key exchanges: 'curve448-sha512@libssh.org', 'ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org', 'ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org', 'ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org', 'ecdh-sha2-brainpoolp256r1@genua.de', 'ecdh-sha2-brainpoolp384r1@genua.de', 'ecdh-sha2-brainpoolp521r1@genua.de', 'kexAlgoDH14SHA1', 'kexAlgoDH1SHA1', 'kexAlgoECDH256', 'kexAlgoECDH384', 'kexAlgoECDH521', 'sm2kep-sha2-nistp256', 'x25519-kyber-512r3-sha256-d00@amazon.com', 'x25519-kyber512-sha512@aws.amazon.com'. Added 8 new ciphers: 'aes192-gcm@openssh.com', 'cast128-12-cbc', 'cast128-12-cfb', 'cast128-12-ecb', 'cast128-12-ofb', 'des-cfb', 'des-ecb', 'des-ofb'. Added 14 new MACs: 'cbcmac-3des', 'cbcmac-aes', 'cbcmac-blowfish', 'cbcmac-des', 'cbcmac-rijndael', 'cbcmac-twofish', 'hmac-sha256-96', 'md5', 'md5-8', 'ripemd160', 'ripemd160-8', 'sha1', 'sha1-8', 'umac-128'. Joe Testa 2023-09-05 20:10:37 -04:00
  • f8e29674a3 Refined JSON notes output. Fixed Docker & Tox tests. Joe Testa 2023-09-05 16:36:54 -04:00
  • d3dd5a9cac
         Improved JSON output (#185) Bareq 2023-09-05 23:16:23 +03:00
  • 79ca4b2d8b Updated README. Joe Testa 2023-09-05 14:22:35 -04:00
  • 884ef645f8 Prioritized certificate host key types for Ubuntu 22.04 client policy. (#193) Joe Testa 2023-09-05 14:01:51 -04:00
  • 953683a762 Fixed most warnings from Shellcheck scans. (#197) Joe Testa 2023-09-05 13:14:21 -04:00
  • 38f9c21760 The color of all notes will be printed in green when the related algorithm is rated good. Joe Testa 2023-09-03 19:14:25 -04:00
  • 4e6169d0cb Added built-in policy for OpenSSH 9.4. Joe Testa 2023-09-03 18:12:16 -04:00
  • 2867c65819 Perform full Docker image update when building. Joe Testa 2023-09-03 18:07:30 -04:00
  • 77cdb969b9 Fixed flake8 tests. Joe Testa 2023-09-03 16:25:26 -04:00
  • 199e75f6cd Refined GEX testing against OpenSSH servers: when the fallback mechanism is suspected of being triggered, perform an additional test to obtain more accurate results. Joe Testa 2023-09-03 16:13:00 -04:00
  • 3f2fdbaa3d Fixed crash during GEX tests. Joe Testa 2023-07-11 11:08:42 -04:00
  • 83e90729e2 Updated README. Joe Testa 2023-06-20 16:12:30 -04:00
  • 83f9e48271
         Recommendation output now respects level (#196) thecliguy 2023-06-20 21:09:37 +01:00
  • e2fc60cbb4 Updated README and test for resolve function. Joe Testa 2023-06-20 09:26:43 -04:00
  • a74c3abdde
         Removed sys.exit from _resolve in ssh_socket.py (#187) Dani Cuesta 2023-06-20 15:21:06 +02:00
  • e99cb0b579 Now prints the reason why socket listening operations fail. Joe Testa 2023-06-20 08:43:11 -04:00
  • 639f11a5e5 Results from concurrent scans against multiple hosts are no longer improperly combined (#190). Joe Testa 2023-06-19 14:13:32 -04:00
  • 521a50a796 Added 'curve448-sha512@libssh.org' kex. (#195) Joe Testa 2023-06-19 10:35:13 -04:00
  • 2d5a97841f Bumped version to 3.0.0-dev. Joe Testa 2023-04-29 14:46:07 -04:00
  • 54b8c7da02 Updated PyPI and Snap build processes. Joe Testa 2023-04-29 14:42:54 -04:00
  • 3ba28b01e9 Added release date of v2.9.0. v2.9.0 Joe Testa 2023-04-29 12:39:04 -04:00
  • 3c1451cfdc Bumped version to v2.9.0. Joe Testa 2023-04-29 12:33:26 -04:00
  • 929652c9b7 Simplified host key test logic. Joe Testa 2023-04-29 11:59:50 -04:00
  • e172932977
         RSA key size comments duplicated for all RSA sig algs (#182) thecliguy 2023-04-29 16:39:29 +01:00
  • c33e7d9b72 Added built-in policies for OpenSSH 8.8, 8.9, 9.0, 9.1, 9.2, and 9.3. Joe Testa 2023-04-27 21:40:47 -04:00
  • 0074fcc1af Rolled back Windows multithreading crash fix, as upgrading from Python v3.9 to v3.11 may have fixed the root cause. (#152) Joe Testa 2023-04-26 21:55:40 -04:00
  • 1eab4ab0e6 Updated README. Joe Testa 2023-04-26 15:49:45 -04:00
  • 7f8d6b4d5b Fixed built-in policy formatting and filled in missing host key size information. Joe Testa 2023-04-26 15:47:58 -04:00
  • 4c098b7d12 Windows build script now automatically installs/updates package dependencies. Joe Testa 2023-04-25 20:14:49 -04:00
  • 0bfb5d6979 Updated snap base image. Now installing snapcraft tool from snap instead of apt. Joe Testa 2023-04-25 11:54:12 -04:00
  • a5f5e0dab2 Updated changelog. Joe Testa 2023-04-25 10:25:06 -04:00
  • 05f159a152 Fixed Windows-specific crash when multiple threads are used (#152). Joe Testa 2023-04-25 10:18:45 -04:00
  • 263267c5ad Added support for mixed host key/CA key types (i.e.: RSA host keys signed by ED25519 CAs) (#120). Joe Testa 2023-04-25 09:17:32 -04:00
  • 4f31304b66 Alphabetized algorithm database. Joe Testa 2023-03-28 12:09:25 -04:00
  • 6f05a2c6b5 Updated README. Joe Testa 2023-03-25 14:15:53 -04:00
  • 784d412148 Added Repology table. Joe Testa 2023-03-24 19:22:45 -04:00
  • dc083de87e Added recommendations and CVE information to JSON output (#122). Joe Testa 2023-03-24 18:48:36 -04:00
  • 7d5eb37a0f Updated colorama initialization. Joe Testa 2023-03-24 16:43:38 -04:00
  • 5c1c447755 Updated testing descriptions. Joe Testa 2023-03-24 14:12:03 -04:00
  • cbb7d43006 Updated base image. Removed all suid & sgid bits from image. Drop root privileges by default. Joe Testa 2023-03-23 23:43:52 -04:00
  • cc9e4fbc4a Generic failure/warning messages replaced with more specific reasons. SHA-1 algorithms now cause failures. CBC mode ciphers are now warnings instead of failures. Joe Testa 2023-03-23 21:36:02 -04:00
  • 992aa1b961 Added support for kex GSS wildcards (#143). Joe Testa 2023-03-21 22:17:23 -04:00
  • 413dea60ae Fixed docker tests affected by previous commit. Joe Testa 2023-03-21 14:58:00 -04:00
  • e2a9896397
         Deprecation of ssh-rsa signature algorithm in OpenSSH 8.8 (#171) thecliguy 2023-03-21 18:52:23 +00:00
  • 71feaa191e Add note regarding OpenSSH's 2048-bit GEX fallback, and suppress the related recommendation since the user cannot control it (partly related to #168). Joe Testa 2023-03-21 11:44:45 -04:00
  • c02ab8f170 Added --accept option to automatically update failed tests. Joe Testa 2023-03-21 11:28:52 -04:00
  • cdaee69642 Improved debugging output. Joe Testa 2023-03-21 10:48:58 -04:00
  • 7bbf4cdff0 Fix tox tests. Joe Testa 2023-02-06 18:24:03 -05:00
  • e4d864c6c1
         usage now respects no color (#162) thecliguy 2023-02-06 23:20:34 +00:00
  • 1663e5bdcf Fixed setuptools config file. Joe Testa 2023-02-06 16:57:24 -05:00
  • 5ecad8fac9 Bumped copyright year. Joe Testa 2023-02-06 16:49:25 -05:00
  • 38ff225ed8 Updated supported Python versions. Joe Testa 2023-02-06 16:48:53 -05:00
  • c9dc9a9c10 Now issues a warning when 2048-bit moduli are encountered. Joe Testa 2023-02-06 16:27:30 -05:00
  • f9e00b6f2d Renamed WARN_CURVES_WEAK to FAIL_CURVES_WEAK. Joe Testa 2023-02-03 17:22:10 -05:00
  • 433c7e779d Added 2 new ciphers: 'rijndael-cbc@ssh.com', 'cast128-12-cbc@ssh.com'. Added 21 new host key types: . Joe Testa 2023-02-02 18:57:53 -05:00
  • 984ea1eee3 Added the following 9 new host key types: 'dsa2048-sha224@libassh.org', 'dsa2048-sha256@libassh.org', 'dsa3072-sha256@libassh.org', 'ecdsa-sha2-1.3.132.0.10-cert-v01@openssh.com', 'eddsa-e382-shake256@libassh.org', 'eddsa-e521-shake256@libassh.org', 'null', 'pgp-sign-dss', 'pgp-sign-rsa'. Added the following 22 new key exchange algorithms: 'diffie-hellman-group-exchange-sha224@ssh.com', 'diffie-hellman-group-exchange-sha384@ssh.com', 'diffie-hellman-group14-sha224@ssh.com', 'diffie-hellman_group17-sha512', 'ecmqv-sha2', 'gss-13.3.132.0.10-sha256-*', 'gss-curve25519-sha256-*', 'gss-curve448-sha512-*', 'gss-gex-sha1-*', 'gss-gex-sha256-*', 'gss-group1-sha1-*', 'gss-group14-sha1-*', 'gss-group14-sha256-*', 'gss-group15-sha512-*', 'gss-group16-sha512-*', 'gss-group17-sha512-*', 'gss-group18-sha512-*', 'gss-nistp256-sha256-*', 'gss-nistp384-sha256-*', 'gss-nistp521-sha512-*', 'm383-sha384@libassh.org', 'm511-sha512@libassh.org'. Added the following 26 new ciphers: '3des-cfb', '3des-ecb', '3des-ofb', 'blowfish-cfb', 'blowfish-ecb', 'blowfish-ofb', 'camellia128-cbc@openssh.org', 'camellia128-ctr@openssh.org', 'camellia192-cbc@openssh.org', 'camellia192-ctr@openssh.org', 'camellia256-cbc@openssh.org', 'camellia256-ctr@openssh.org', 'cast128-cfb', 'cast128-ecb', 'cast128-ofb', 'idea-cfb', 'idea-ecb', 'idea-ofb', 'seed-ctr@ssh.com', 'serpent128-gcm@libassh.org', 'serpent256-gcm@libassh.org', 'twofish-cfb', 'twofish-ecb', 'twofish-ofb', 'twofish128-gcm@libassh.org', 'twofish256-gcm@libassh.org'. Added the following 4 new HMAC algorithms: 'hmac-sha224@ssh.com', 'hmac-sha256-2@ssh.com', 'hmac-sha384@ssh.com', 'hmac-whirlpool'. Joe Testa 2023-02-02 18:30:40 -05:00
  • 0b905a7fdd Added Ubuntu Client 22.04 hardening policy. Joe Testa 2023-02-01 19:29:54 -05:00
  • 6e9283e643 Removed unused CI configs. Joe Testa 2023-02-01 18:00:41 -05:00
  • 32ff04c2cc Added Tox testing for Python 3.11. Fixed flake8 & pylint errors. Joe Testa 2023-02-01 17:56:54 -05:00
  • e50ac5c84d
         Gex test usage text (#158) thecliguy 2022-10-27 15:11:05 +01:00
  • 29496b43d5
         updated vulnerability database (#157) Manfred Kaiser 2022-10-27 16:10:17 +02:00
  • 3300c60aaa Added 'ssh-xmss@openssh.com' and 'ssh-xmss-cert-v01@openssh.com' experimental host keys (#146). Joe Testa 2022-10-14 23:21:09 -04:00
  • 78a9475a32 Added hmac-sha1-96@openssh.com MAC. (#148) Joe Testa 2022-10-14 22:56:02 -04:00
  • 8d861dcdc6 Removed pytest version pin from Tox. Joe Testa 2022-10-10 21:28:51 -04:00
  • c50cc040c2 Upgrade all Tox dependencies before running Tox. Joe Testa 2022-10-10 21:06:03 -04:00
  • 93f0692444 Enabled Python 3.10 tests in Tox. Joe Testa 2022-10-10 21:00:05 -04:00
  • 6e9945337e Removed CI tests for Python 3.6. Joe Testa 2022-10-10 20:52:46 -04:00
  • d429b543d0 Added support for host key 'webauthn-sk-ecdsa-sha2-nistp256@openssh.com' (#149). Joe Testa 2022-10-10 20:51:37 -04:00
  • b9520cbc25 Fixed pylint & flake8 warnings and errors. Joe Testa 2022-10-10 20:40:29 -04:00
  • 0b8ecf2fb5 Added Ubuntu Server 22.04 LTS hardening policy. Joe Testa 2022-10-10 20:34:28 -04:00
  • eb4ae65b0a Usage now includes '-g' and '--gex-test' parameters thecliguy 2022-03-27 16:17:27 +01:00
  • 113d1de443 Removed experimental warning tag from sntrup761x25519-sha512@openssh.com. Joe Testa 2022-04-10 12:16:25 -04:00
  • 4d89f9b30b Updated example. Joe Testa 2022-03-24 10:29:04 -04:00
  • 11905ed44a Fixed pylint errors, consolidated error checking for granular GEX tests, renamed functions for better readability. Joe Testa 2022-03-13 20:58:22 -04:00
  • 19f192d21f Corrected accidental text update and a minor typo. Adam Russell 2022-02-16 21:13:40 +00:00
  • 5ac0ffa8f1 DH GEX Modulus Size Testing Adam Russell 2022-02-16 21:01:22 +00:00
  • 0a6ac5de54 Updated CVE vulnerability flag. Joe Testa 2022-02-21 21:51:35 -05:00
  • c6b8dc97e1 Fixed tests. Joe Testa 2022-02-21 21:48:10 -05:00
  • 1bdf7029b4
         add a bunch of openssh CVEs (#126) Alexandre ZANNI 2022-02-22 03:41:44 +01:00