{ "additional_notes": [], "banner": { "comments": null, "protocol": "2.0", "raw": "SSH-2.0-OpenSSH_8.0", "software": "OpenSSH_8.0" }, "compression": [ "none", "zlib@openssh.com" ], "cves": [], "enc": [ { "algorithm": "chacha20-poly1305@openssh.com", "notes": { "info": [ "default cipher since OpenSSH 6.9", "available since OpenSSH 6.5, Dropbear SSH 2020.79" ], "warn": [ "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation" ] } }, { "algorithm": "aes128-ctr", "notes": { "info": [ "available since OpenSSH 3.7, Dropbear SSH 0.52" ] } }, { "algorithm": "aes192-ctr", "notes": { "info": [ "available since OpenSSH 3.7" ] } }, { "algorithm": "aes256-ctr", "notes": { "info": [ "available since OpenSSH 3.7, Dropbear SSH 0.52" ] } }, { "algorithm": "aes128-gcm@openssh.com", "notes": { "info": [ "available since OpenSSH 6.2" ] } }, { "algorithm": "aes256-gcm@openssh.com", "notes": { "info": [ "available since OpenSSH 6.2" ] } } ], "fingerprints": [ { "hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", "hash_alg": "SHA256", "hostkey": "ssh-ed25519" }, { "hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9", "hash_alg": "MD5", "hostkey": "ssh-ed25519" } ], "kex": [ { "algorithm": "curve25519-sha256", "notes": { "info": [ "default key exchange from OpenSSH 7.4 to 8.9", "available since OpenSSH 7.4, Dropbear SSH 2018.76" ] } }, { "algorithm": "curve25519-sha256@libssh.org", "notes": { "info": [ "default key exchange from OpenSSH 6.5 to 7.3", "available since OpenSSH 6.4, Dropbear SSH 2013.62" ] } }, { "algorithm": "ecdh-sha2-nistp256", "notes": { "fail": [ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" ], "info": [ "available since OpenSSH 5.7, Dropbear SSH 2013.62" ] } }, { "algorithm": "ecdh-sha2-nistp384", "notes": { "fail": [ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" ], "info": [ "available since OpenSSH 5.7, Dropbear SSH 2013.62" ] } }, { "algorithm": "ecdh-sha2-nistp521", "notes": { "fail": [ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" ], "info": [ "available since OpenSSH 5.7, Dropbear SSH 2013.62" ] } }, { "algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 4096, "notes": { "info": [ "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).", "available since OpenSSH 4.4" ] } }, { "algorithm": "diffie-hellman-group16-sha512", "notes": { "info": [ "available since OpenSSH 7.3, Dropbear SSH 2016.73" ] } }, { "algorithm": "diffie-hellman-group18-sha512", "notes": { "info": [ "available since OpenSSH 7.3" ] } }, { "algorithm": "diffie-hellman-group14-sha256", "notes": { "info": [ "available since OpenSSH 7.3, Dropbear SSH 2016.73" ], "warn": [ "2048-bit modulus only provides 112-bits of symmetric strength" ] } }, { "algorithm": "diffie-hellman-group14-sha1", "notes": { "fail": [ "using broken SHA-1 hash algorithm" ], "info": [ "available since OpenSSH 3.9, Dropbear SSH 0.53" ], "warn": [ "2048-bit modulus only provides 112-bits of symmetric strength" ] } } ], "key": [ { "algorithm": "ssh-ed25519", "notes": { "info": [ "available since OpenSSH 6.5, Dropbear SSH 2020.79" ] } }, { "algorithm": "ssh-ed25519-cert-v01@openssh.com", "ca_algorithm": "ssh-ed25519", "casize": 256, "notes": { "info": [ "available since OpenSSH 6.5" ] } } ], "mac": [ { "algorithm": "umac-64-etm@openssh.com", "notes": { "info": [ "available since OpenSSH 6.2" ], "warn": [ "using small 64-bit tag size" ] } }, { "algorithm": "umac-128-etm@openssh.com", "notes": { "info": [ "available since OpenSSH 6.2" ] } }, { "algorithm": "hmac-sha2-256-etm@openssh.com", "notes": { "info": [ "available since OpenSSH 6.2" ] } }, { "algorithm": "hmac-sha2-512-etm@openssh.com", "notes": { "info": [ "available since OpenSSH 6.2" ] } }, { "algorithm": "hmac-sha1-etm@openssh.com", "notes": { "fail": [ "using broken SHA-1 hash algorithm" ], "info": [ "available since OpenSSH 6.2" ] } }, { "algorithm": "umac-64@openssh.com", "notes": { "info": [ "available since OpenSSH 4.7" ], "warn": [ "using encrypt-and-MAC mode", "using small 64-bit tag size" ] } }, { "algorithm": "umac-128@openssh.com", "notes": { "info": [ "available since OpenSSH 6.2" ], "warn": [ "using encrypt-and-MAC mode" ] } }, { "algorithm": "hmac-sha2-256", "notes": { "info": [ "available since OpenSSH 5.9, Dropbear SSH 2013.56" ], "warn": [ "using encrypt-and-MAC mode" ] } }, { "algorithm": "hmac-sha2-512", "notes": { "info": [ "available since OpenSSH 5.9, Dropbear SSH 2013.56" ], "warn": [ "using encrypt-and-MAC mode" ] } }, { "algorithm": "hmac-sha1", "notes": { "fail": [ "using broken SHA-1 hash algorithm" ], "info": [ "available since OpenSSH 2.1.0, Dropbear SSH 0.28" ], "warn": [ "using encrypt-and-MAC mode" ] } } ], "recommendations": { "critical": { "del": { "kex": [ { "name": "diffie-hellman-group14-sha1", "notes": "" }, { "name": "ecdh-sha2-nistp256", "notes": "" }, { "name": "ecdh-sha2-nistp384", "notes": "" }, { "name": "ecdh-sha2-nistp521", "notes": "" } ], "mac": [ { "name": "hmac-sha1", "notes": "" }, { "name": "hmac-sha1-etm@openssh.com", "notes": "" } ] } }, "informational": { "add": { "key": [ { "name": "rsa-sha2-256", "notes": "" }, { "name": "rsa-sha2-512", "notes": "" } ] } }, "warning": { "del": { "enc": [ { "name": "chacha20-poly1305@openssh.com", "notes": "" } ], "kex": [ { "name": "diffie-hellman-group14-sha256", "notes": "" } ], "mac": [ { "name": "hmac-sha2-256", "notes": "" }, { "name": "hmac-sha2-512", "notes": "" }, { "name": "umac-128@openssh.com", "notes": "" }, { "name": "umac-64-etm@openssh.com", "notes": "" }, { "name": "umac-64@openssh.com", "notes": "" } ] } } }, "target": "localhost:2222" }