mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-12-23 01:21:07 +01:00
500 lines
15 KiB
JSON
500 lines
15 KiB
JSON
{
|
|
"additional_notes": [],
|
|
"banner": {
|
|
"comments": null,
|
|
"protocol": "2.0",
|
|
"raw": "SSH-2.0-OpenSSH_8.0",
|
|
"software": "OpenSSH_8.0"
|
|
},
|
|
"compression": [
|
|
"none",
|
|
"zlib@openssh.com"
|
|
],
|
|
"cves": [],
|
|
"enc": [
|
|
{
|
|
"algorithm": "chacha20-poly1305@openssh.com",
|
|
"notes": {
|
|
"info": [
|
|
"default cipher since OpenSSH 6.9",
|
|
"available since OpenSSH 6.5, Dropbear SSH 2020.79"
|
|
],
|
|
"warn": [
|
|
"vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "aes128-ctr",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 3.7, Dropbear SSH 0.52"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "aes192-ctr",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 3.7"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "aes256-ctr",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 3.7, Dropbear SSH 0.52"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "aes128-gcm@openssh.com",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 6.2"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "aes256-gcm@openssh.com",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 6.2"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"fingerprints": [
|
|
{
|
|
"hash": "Q6Llm0o4TrcUen4tnT2h4BDf2f+ina6dIJmVH8c40bg",
|
|
"hash_alg": "SHA256",
|
|
"hostkey": "ecdsa-sha2-nistp256"
|
|
},
|
|
{
|
|
"hash": "cc:e0:80:84:5b:05:98:64:24:43:52:3b:17:c8:94:89",
|
|
"hash_alg": "MD5",
|
|
"hostkey": "ecdsa-sha2-nistp256"
|
|
},
|
|
{
|
|
"hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU",
|
|
"hash_alg": "SHA256",
|
|
"hostkey": "ssh-ed25519"
|
|
},
|
|
{
|
|
"hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9",
|
|
"hash_alg": "MD5",
|
|
"hostkey": "ssh-ed25519"
|
|
},
|
|
{
|
|
"hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244",
|
|
"hash_alg": "SHA256",
|
|
"hostkey": "ssh-rsa"
|
|
},
|
|
{
|
|
"hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1",
|
|
"hash_alg": "MD5",
|
|
"hostkey": "ssh-rsa"
|
|
}
|
|
],
|
|
"kex": [
|
|
{
|
|
"algorithm": "curve25519-sha256",
|
|
"notes": {
|
|
"info": [
|
|
"default key exchange from OpenSSH 7.4 to 8.9",
|
|
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
|
|
],
|
|
"warn": [
|
|
"does not provide protection against post-quantum attacks"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "curve25519-sha256@libssh.org",
|
|
"notes": {
|
|
"info": [
|
|
"default key exchange from OpenSSH 6.5 to 7.3",
|
|
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
|
|
],
|
|
"warn": [
|
|
"does not provide protection against post-quantum attacks"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "ecdh-sha2-nistp256",
|
|
"notes": {
|
|
"fail": [
|
|
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
|
|
],
|
|
"warn": [
|
|
"does not provide protection against post-quantum attacks"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "ecdh-sha2-nistp384",
|
|
"notes": {
|
|
"fail": [
|
|
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
|
|
],
|
|
"warn": [
|
|
"does not provide protection against post-quantum attacks"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "ecdh-sha2-nistp521",
|
|
"notes": {
|
|
"fail": [
|
|
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
|
|
],
|
|
"warn": [
|
|
"does not provide protection against post-quantum attacks"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "diffie-hellman-group-exchange-sha256",
|
|
"keysize": 4096,
|
|
"notes": {
|
|
"info": [
|
|
"OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
|
|
"available since OpenSSH 4.4"
|
|
],
|
|
"warn": [
|
|
"does not provide protection against post-quantum attacks"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "diffie-hellman-group16-sha512",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
|
|
],
|
|
"warn": [
|
|
"does not provide protection against post-quantum attacks"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "diffie-hellman-group18-sha512",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 7.3"
|
|
],
|
|
"warn": [
|
|
"does not provide protection against post-quantum attacks"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "diffie-hellman-group14-sha256",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
|
|
],
|
|
"warn": [
|
|
"2048-bit modulus only provides 112-bits of symmetric strength",
|
|
"does not provide protection against post-quantum attacks"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "diffie-hellman-group14-sha1",
|
|
"notes": {
|
|
"fail": [
|
|
"using broken SHA-1 hash algorithm"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 3.9, Dropbear SSH 0.53"
|
|
],
|
|
"warn": [
|
|
"2048-bit modulus only provides 112-bits of symmetric strength",
|
|
"does not provide protection against post-quantum attacks"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"key": [
|
|
{
|
|
"algorithm": "rsa-sha2-512",
|
|
"keysize": 3072,
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 7.2"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "rsa-sha2-256",
|
|
"keysize": 3072,
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 7.2, Dropbear SSH 2020.79"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "ssh-rsa",
|
|
"keysize": 3072,
|
|
"notes": {
|
|
"fail": [
|
|
"using broken SHA-1 hash algorithm"
|
|
],
|
|
"info": [
|
|
"deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
|
|
"available since OpenSSH 2.5.0, Dropbear SSH 0.28"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "ecdsa-sha2-nistp256",
|
|
"notes": {
|
|
"fail": [
|
|
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
|
|
],
|
|
"warn": [
|
|
"using weak random number generator could reveal the key"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "ssh-ed25519",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 6.5, Dropbear SSH 2020.79"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"mac": [
|
|
{
|
|
"algorithm": "umac-64-etm@openssh.com",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 6.2"
|
|
],
|
|
"warn": [
|
|
"using small 64-bit tag size"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "umac-128-etm@openssh.com",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 6.2"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "hmac-sha2-256-etm@openssh.com",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 6.2"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "hmac-sha2-512-etm@openssh.com",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 6.2"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "hmac-sha1-etm@openssh.com",
|
|
"notes": {
|
|
"fail": [
|
|
"using broken SHA-1 hash algorithm"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 6.2"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "umac-64@openssh.com",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 4.7"
|
|
],
|
|
"warn": [
|
|
"using encrypt-and-MAC mode",
|
|
"using small 64-bit tag size"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "umac-128@openssh.com",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 6.2"
|
|
],
|
|
"warn": [
|
|
"using encrypt-and-MAC mode"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "hmac-sha2-256",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 5.9, Dropbear SSH 2013.56"
|
|
],
|
|
"warn": [
|
|
"using encrypt-and-MAC mode"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "hmac-sha2-512",
|
|
"notes": {
|
|
"info": [
|
|
"available since OpenSSH 5.9, Dropbear SSH 2013.56"
|
|
],
|
|
"warn": [
|
|
"using encrypt-and-MAC mode"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"algorithm": "hmac-sha1",
|
|
"notes": {
|
|
"fail": [
|
|
"using broken SHA-1 hash algorithm"
|
|
],
|
|
"info": [
|
|
"available since OpenSSH 2.1.0, Dropbear SSH 0.28"
|
|
],
|
|
"warn": [
|
|
"using encrypt-and-MAC mode"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"recommendations": {
|
|
"critical": {
|
|
"del": {
|
|
"kex": [
|
|
{
|
|
"name": "diffie-hellman-group14-sha1",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "ecdh-sha2-nistp256",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "ecdh-sha2-nistp384",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "ecdh-sha2-nistp521",
|
|
"notes": ""
|
|
}
|
|
],
|
|
"key": [
|
|
{
|
|
"name": "ecdsa-sha2-nistp256",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "ssh-rsa",
|
|
"notes": ""
|
|
}
|
|
],
|
|
"mac": [
|
|
{
|
|
"name": "hmac-sha1",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "hmac-sha1-etm@openssh.com",
|
|
"notes": ""
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"warning": {
|
|
"chg": {
|
|
"kex": [
|
|
{
|
|
"name": "diffie-hellman-group-exchange-sha256",
|
|
"notes": "increase modulus size to 3072 bits or larger"
|
|
}
|
|
]
|
|
},
|
|
"del": {
|
|
"enc": [
|
|
{
|
|
"name": "chacha20-poly1305@openssh.com",
|
|
"notes": ""
|
|
}
|
|
],
|
|
"kex": [
|
|
{
|
|
"name": "curve25519-sha256",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "curve25519-sha256@libssh.org",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "diffie-hellman-group14-sha256",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "diffie-hellman-group16-sha512",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "diffie-hellman-group18-sha512",
|
|
"notes": ""
|
|
}
|
|
],
|
|
"mac": [
|
|
{
|
|
"name": "hmac-sha2-256",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "hmac-sha2-512",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "umac-128@openssh.com",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "umac-64-etm@openssh.com",
|
|
"notes": ""
|
|
},
|
|
{
|
|
"name": "umac-64@openssh.com",
|
|
"notes": ""
|
|
}
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"target": "localhost:2222"
|
|
}
|