Commit Graph

  • d7f8bf3e6d Updated notes on OpenSSH default key exchanges. (#258) Joe Testa 2024-03-19 18:24:22 -0400
  • 3d403b1d70 Updated availability of algorithms in Dropbear. (#257) Joe Testa 2024-03-19 15:47:09 -0400
  • 9fae870260 Added allow_larger_keys flag to custom policies to control whether targets can have larger keys, and added Docker tests to complete work started in PR #242. Joe Testa 2024-03-19 14:45:19 -0400
  • 20873db596
    use less-than instead of not-equal when comparing key sizes (#242) Damian Szuberski 2024-03-20 04:38:27 +1000
  • 3c31934ac7 Added tests and other cleanups resulting from merging PR #252. Joe Testa 2024-03-18 17:48:50 -0400
  • 5bd925ffc6
    [WIP] Adding allowed algorithms (#252) yannik1015 2024-03-18 22:41:17 +0100
  • 5fbe94c4dd DRAFT 1 - Attempt to implement never suggest weaker ciphers, with the exception of always suggesting a _second_ option. OAM7575 2024-03-18 22:27:38 +1100
  • cbc3754990
    Fixed call to append_error #252 yannik1015 2024-03-18 10:22:26 +0100
  • 2d32ccdfad
    Removed allowed policy entries as they are redundant now yannik1015 2024-03-18 08:53:57 +0100
  • 366769eac1
    Added allow_algorithm_subset_and_reordering flag yannik1015 2024-03-18 08:36:15 +0100
  • 7b3402b207 Added note that sntrup761x25519-sha512@openssh.com is the default OpenSSH kex since version 9.0. Joe Testa 2024-03-15 17:24:21 -0400
  • b2f46eb71a Added extra GSS wildcard matching test. Joe Testa 2024-03-15 17:05:40 -0400
  • ab41ca1023 Re-organized README. Joe Testa 2024-03-15 16:28:10 -0400
  • b70fb0bc4c Added built-in policies for Amazon Linux 2023, Debian 12, and Rocky Linux 9. Joe Testa 2024-03-15 16:24:36 -0400
  • 31df27ec3e
    Adapted policy.py to newest dev version yannik1015 2024-03-15 15:57:05 +0100
  • 332a1a9c1d
    Added allowed policy fields yannik1015 2024-03-15 15:41:56 +0100
  • db5104ecb8 Built-in policy change logs no longer printed within quotes. Joe Testa 2024-03-14 18:13:53 -0400
  • 15078aaea9 Built-in policies now include a change log. Joe Testa 2024-03-14 17:58:16 -0400
  • f0874af4cd Split built-in policies from policy.py to builtin_policies.py. Joe Testa 2024-03-14 17:24:40 -0400
  • 064b55e0c2 Added 1 new key exchange algorithm: gss-nistp384-sha384-* Joe Testa 2024-03-14 16:01:48 -0400
  • a4f508374a Updated README. Joe Testa 2024-03-12 21:13:10 -0400
  • 6f39407a8c
    use alpine, reduce layers (#249) Daniel Thamdrup 2024-03-13 02:02:26 +0100
  • cb0f6b63d7 Fixed new pylint warnings. Joe Testa 2024-03-12 20:46:39 -0400
  • 3313046714 Added built-in policy for OpenSSH 9.7. Joe Testa 2024-03-12 20:23:55 -0400
  • 50c456aea6
    use alpine, reduce layers #249 Daniel Thamdrup 2024-03-06 17:15:40 +0100
  • 8ee0deade1
    Properly upgrade packages and clean up apt cache in Dockerfile (#218) Peter Dave Hello 2024-02-18 23:25:14 +0800
  • eff2949947 Properly upgrade packages and clean up apt cache in Dockerfile #218 Peter Dave Hello 2023-10-24 00:38:39 +0800
  • 699739d42a Gracefully handle rare exceptions (i.e.: crashes) while performing GEX tests. Joe Testa 2024-02-17 13:44:06 -0500
  • a958fd1fec Snap builds are now architecture-independent. (#232) Joe Testa 2024-02-17 12:54:28 -0500
  • c33f419224 Updated '-m', '--manual' description in README. Joe Testa 2024-02-16 23:16:07 -0500
  • 6ee4899b4f Bumped copyright year. Joe Testa 2024-02-16 23:13:55 -0500
  • 20fbb706b0 The built-in man page (, ) is now available on Docker, PyPI, and Snap builds, in addition to the Windows build. (#231) Joe Testa 2024-02-16 22:40:53 -0500
  • 73b669b49d Fixed parsing of ecdsa-sha2-nistp* CA signatures on host keys. Additionally, they are now flagged as potentially back-doored, just as standard host keys are. (#239) Joe Testa 2024-02-16 21:58:51 -0500
  • f326d58068 Disable color when the NO_COLOR environment variable is set. (#234) Joe Testa 2024-01-28 18:17:49 -0500
  • b72f6a420f Added note regarding general OpenSSH policies failing against platforms with back-ported features. (#236) Joe Testa 2024-01-28 17:37:21 -0500
  • 31fa0577bd
    use chainguard image as base #244 Daniel Thamdrup 2024-01-25 00:04:53 +0100
  • aab105c398 use less-than instead of not-equal when comparing key sizes #242 szubersk 2024-01-16 00:48:32 +1000
  • fe65b5df8a Added missing dev tag to Change Log: v3.2.0 -> v3.2.0-dev Joe Testa 2023-12-21 15:34:38 -0500
  • 44393c56b3 Expanded filter of CBC ciphers to flag for the Terrapin vulnerability. Joe Testa 2023-12-21 15:30:43 -0500
  • 164356e776
    Spelling fixes (#233) Ville Skyttä 2023-12-21 15:58:12 +0200
  • 22059c54e1 Spelling fixes #233 Ville Skyttä 2023-12-21 09:33:55 +0200
  • c8e075ad13 Bumped version number to v3.2.0-dev. Joe Testa 2023-12-20 15:41:03 -0500
  • eebeac99a0 Updated packaging instructions and Docker build steps. Joe Testa 2023-12-20 15:40:01 -0500
  • dd91c2a41a Bumped version to 3.1.0 in preparation for stable release. Updated Change Log in README. v3.1.0 Joe Testa 2023-12-20 13:12:13 -0500
  • bef8c6c0f7 Updated notes on fixing Terrapin vulnerability. Joe Testa 2023-12-20 12:11:55 -0500
  • 75dbc03a77 Added 'additional_notes' field to JSON output. Joe Testa 2023-12-19 18:03:07 -0500
  • c9412cbb88 Added built-in policies for OpenSSH 9.5 and 9.6. Joe Testa 2023-12-19 17:42:43 -0500
  • a0f99942a2 Don't recommend enabling the chacha & CBC ciphers, nor ETM MACs in case the user disabled them to address the Terrapin vulnerability. (#229) Joe Testa 2023-12-19 17:16:58 -0500
  • c259a83782 Added note that when a target is properly configured against the Terrapin vulnerability that unpatched peers may still create vulnerable connections. Updated Ubuntu Server & Client 20.04 & 22.04 policies to include new key exchange markers related to Terrapin counter-measures. Joe Testa 2023-12-19 14:03:28 -0500
  • 8e972c5e94 Added test for the Terrapin vulnerability (CVE-2023-48795) (#227). Joe Testa 2023-12-18 18:24:49 -0500
  • 46eb970376 Removed Python 3.7 from Github Actions testing. Joe Testa 2023-11-27 23:39:48 -0500
  • 965bcb6b18 Dropped support for Python 3.7. Joe Testa 2023-11-27 23:35:40 -0500
  • ba8e8a7e68 Re-organized option host key types for OpenSSH 9.2 to correspond with updated Debian 12 hardening guide. Joe Testa 2023-11-27 21:33:13 -0500
  • bad2c9cd8e In Ubuntu 22.04 client policy, moved host key types and to the end of all certificate types. Joe Testa 2023-11-27 20:07:36 -0500
  • 69e1e121fd In server policies, reduced expected DH modulus sizes from 4096 to 3072 to match online hardening guides. Joe Testa 2023-11-27 19:15:18 -0500
  • 848052df68
    Add cleanup for apt cache files (#215) Oleksii 2023-10-23 10:51:47 -0700
  • 8570aae468
    Fix Dockerfile #215 Oleksii 2023-10-22 19:40:49 -0700
  • d62e4cd80c Added Python 3.12 to Tox tests. Joe Testa 2023-10-22 16:43:04 -0400
  • 603819e2da
    Add cleanup for apt cache files Oleksii 2023-10-20 09:20:01 -0700
  • ffc1a0f867 Added check for DHEater vulnerability and updated relevant tests (#211) #212 Bareq 2023-10-18 21:55:38 +0300
  • b81d0f519f
    Merge branch 'jtesta:master' into master Manfred Kaiser 2023-10-13 18:50:19 +0200
  • 2809ff464a Added --rm to docker run commands so stopped containers are automatically removed. Joe Testa 2023-09-12 08:38:07 -0400
  • 02ab487232 Bumped version to v3.1.0-dev. Joe Testa 2023-09-07 08:57:59 -0400
  • d62acd688e Updated Docker Makefile and packaging instructions. Joe Testa 2023-09-07 08:57:39 -0400
  • f517e03d9f Bumped version to v3.0.0. v3.0.0 Joe Testa 2023-09-07 07:45:07 -0400
  • 6c64257d91 Updated README. Joe Testa 2023-09-06 22:37:06 -0400
  • 982c0b4c72
    Docker: Build multi-arch container images for amd64, arm64 and arm/v7 (#194) Sebastian Cohnen 2023-09-07 04:32:18 +0200
  • e26597a7aa Marked all NIST K-, B-, and T-curves as unproven since they are so rarely used. Added 12 new host keys: 'ecdsa-sha2-curve25519', 'ecdsa-sha2-nistb233', 'ecdsa-sha2-nistb409', 'ecdsa-sha2-nistk163', 'ecdsa-sha2-nistk233', 'ecdsa-sha2-nistk283', 'ecdsa-sha2-nistk409', 'ecdsa-sha2-nistp224', 'ecdsa-sha2-nistp192', 'ecdsa-sha2-nistt571', 'ssh-dsa', 'x509v3-sign-rsa-sha256'. Added 15 key exchanges: 'curve448-sha512@libssh.org', 'ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org', 'ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org', 'ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org', 'ecdh-sha2-brainpoolp256r1@genua.de', 'ecdh-sha2-brainpoolp384r1@genua.de', 'ecdh-sha2-brainpoolp521r1@genua.de', 'kexAlgoDH14SHA1', 'kexAlgoDH1SHA1', 'kexAlgoECDH256', 'kexAlgoECDH384', 'kexAlgoECDH521', 'sm2kep-sha2-nistp256', 'x25519-kyber-512r3-sha256-d00@amazon.com', 'x25519-kyber512-sha512@aws.amazon.com'. Added 8 new ciphers: 'aes192-gcm@openssh.com', 'cast128-12-cbc', 'cast128-12-cfb', 'cast128-12-ecb', 'cast128-12-ofb', 'des-cfb', 'des-ecb', 'des-ofb'. Added 14 new MACs: 'cbcmac-3des', 'cbcmac-aes', 'cbcmac-blowfish', 'cbcmac-des', 'cbcmac-rijndael', 'cbcmac-twofish', 'hmac-sha256-96', 'md5', 'md5-8', 'ripemd160', 'ripemd160-8', 'sha1', 'sha1-8', 'umac-128'. Joe Testa 2023-09-05 20:10:37 -0400
  • f8e29674a3 Refined JSON notes output. Fixed Docker & Tox tests. Joe Testa 2023-09-05 16:36:54 -0400
  • d3dd5a9cac
    Improved JSON output (#185) Bareq 2023-09-05 23:16:23 +0300
  • 79ca4b2d8b Updated README. Joe Testa 2023-09-05 14:22:35 -0400
  • 884ef645f8 Prioritized certificate host key types for Ubuntu 22.04 client policy. (#193) Joe Testa 2023-09-05 14:01:51 -0400
  • 953683a762 Fixed most warnings from Shellcheck scans. (#197) Joe Testa 2023-09-05 13:14:21 -0400
  • 04351e8076
    Merge branch 'jtesta:master' into master Manfred Kaiser 2023-09-04 21:45:12 +0200
  • 38f9c21760 The color of all notes will be printed in green when the related algorithm is rated good. Joe Testa 2023-09-03 19:14:25 -0400
  • 4e6169d0cb Added built-in policy for OpenSSH 9.4. Joe Testa 2023-09-03 18:12:16 -0400
  • 2867c65819 Perform full Docker image update when building. Joe Testa 2023-09-03 18:07:30 -0400
  • 77cdb969b9 Fixed flake8 tests. Joe Testa 2023-09-03 16:25:26 -0400
  • 199e75f6cd Refined GEX testing against OpenSSH servers: when the fallback mechanism is suspected of being triggered, perform an additional test to obtain more accurate results. Joe Testa 2023-09-03 16:13:00 -0400
  • 3f2fdbaa3d Fixed crash during GEX tests. Joe Testa 2023-07-11 11:08:42 -0400
  • 83e90729e2 Updated README. Joe Testa 2023-06-20 16:12:30 -0400
  • 83f9e48271
    Recommendation output now respects level (#196) thecliguy 2023-06-20 21:09:37 +0100
  • e1291cd39f Recommendation output now respects level #196 Adam Russell 2023-06-20 20:22:28 +0100
  • e2fc60cbb4 Updated README and test for resolve function. Joe Testa 2023-06-20 09:26:43 -0400
  • a74c3abdde
    Removed sys.exit from _resolve in ssh_socket.py (#187) Dani Cuesta 2023-06-20 15:21:06 +0200
  • e99cb0b579 Now prints the reason why socket listening operations fail. Joe Testa 2023-06-20 08:43:11 -0400
  • 639f11a5e5 Results from concurrent scans against multiple hosts are no longer improperly combined (#190). Joe Testa 2023-06-19 14:13:32 -0400
  • 521a50a796 Added 'curve448-sha512@libssh.org' kex. (#195) Joe Testa 2023-06-19 10:35:13 -0400
  • 8c712caf58 adds local-build build target for easier local testing #194 Sebastian Cohnen 2023-05-24 19:54:39 +0200
  • a05ab8ca06 builds multi-arch container images for linux/{amd64,arm64,arm/v7} Sebastian Cohnen 2023-05-24 19:44:51 +0200
  • 1a69aa8460
    Removed sys.exit from _resolve in ssh_socket.py #187 Dani Cuesta 2023-05-09 18:28:30 +0200
  • f92bf148af Improved JSON output #185 Bareq 2023-05-02 21:42:45 +0300
  • 2d5a97841f Bumped version to 3.0.0-dev. Joe Testa 2023-04-29 14:46:07 -0400
  • 54b8c7da02 Updated PyPI and Snap build processes. Joe Testa 2023-04-29 14:42:54 -0400
  • 3ba28b01e9 Added release date of v2.9.0. v2.9.0 Joe Testa 2023-04-29 12:39:04 -0400
  • 3c1451cfdc Bumped version to v2.9.0. Joe Testa 2023-04-29 12:33:26 -0400
  • 929652c9b7 Simplified host key test logic. Joe Testa 2023-04-29 11:59:50 -0400
  • e172932977
    RSA key size comments duplicated for all RSA sig algs (#182) thecliguy 2023-04-29 16:39:29 +0100
  • c33e7d9b72 Added built-in policies for OpenSSH 8.8, 8.9, 9.0, 9.1, 9.2, and 9.3. Joe Testa 2023-04-27 21:40:47 -0400
  • 0074fcc1af Rolled back Windows multithreading crash fix, as upgrading from Python v3.9 to v3.11 may have fixed the root cause. (#152) Joe Testa 2023-04-26 21:55:40 -0400