* Added Python 3.13 support.
* Added built-in policies for Ubuntu 24.04 LTS server & client,
OpenSSH 9.8, and OpenSSH 9.9.
* Added IPv6 support for DHEat and connection rate tests.
* Added TCP port information to JSON policy scan results.
* Added LANcom LCOS server recognition and Ed448 key extraction
* Now reports ECDSA and DSS fingerprints when in verbose mode.
* Removed CVE information based on server/client version numbers,
as this was wildly inaccurate (see this thread for the full
discussion, as well as the results of the community vote on
this matter).
* Fixed crash when running with -P and -T options simultaneously.
* Fixed host key tests from only reporting a key type at most
once despite multiple hosts supporting it.
* Fixed invalid JSON output when a socket error occurs while
performing a client audit.
* When scanning multiple targets (using -T/--targets),
the -p/--port option will now be used as the default port
(set to 22 if -p/--port is not given). Hosts specified in the
file can override this default with an explicit port number
(i.e.: "host1:1234"). For example, when using -T targets.txt
-p 222, all hosts in targets.txt that do not explicitly include
a port number will default to 222; when using -T targets.txt
(without -p), all hosts will use a default of 22.
* Updated built-in server & client policies for
Amazon Linux 2023, Debian 12, Rocky Linux 9, and Ubuntu 22.04
to improve host key efficiency and cipher resistance to quantum
attacks.
* Added 1 new cipher: grasshopper-ctr128.
OBS-URL: https://build.opensuse.org/package/show/security/ssh-audit?expand=0&rev=19
- Update to version 3.2.0
* Added implementation of the DHEat denial-of-service attack
(see --dheat option; CVE-2002-20001).
* Expanded filter of CBC ciphers to flag for the Terrapin
vulnerability. It now includes more rarely found ciphers.
* Fixed parsing of ecdsa-sha2-nistp* CA signatures on host keys.
Additionally, they are now flagged as potentially
back-doored, just as standard host keys are.
* Gracefully handle rare exceptions (i.e.: crashes) while
performing GEX tests.
* Built-in policies now include a change log (use -L -v to view
them).
* Custom policies now support the
allow_algorithm_subset_and_reordering directive to allow
targets to pass with a subset and/or re-ordered list of host
keys, kex, ciphers, and MACs. This allows for the creation of
a baseline policy where targets can optionally implement
stricter controls;
* Custom policies now support the allow_larger_keys directive to
allow targets to pass with larger host keys, CA keys, and
Diffie-Hellman keys. This allows for the creation of a baseline
policy where targets can optionally implement stricter controls
* Color output is disabled if the NO_COLOR environment variable
is set (see https://no-color.org/).
* Added 1 new key exchange algorithm: gss-nistp384-sha384-*.
* Added 1 new cipher: aes128-ocb@libassh.org.
OBS-URL: https://build.opensuse.org/request/show/1169816
OBS-URL: https://build.opensuse.org/package/show/security/ssh-audit?expand=0&rev=17
- Update to 3.1.0:
* Added test for the Terrapin message prefix truncation
vulnerability (CVE-2023-48795).
* Dropped support for Python 3.7 (EOL was reached in June 2023).
* Added Python 3.12 support.
* In server policies, reduced expected DH modulus sizes from
4096 to 3072 to match the online hardening guides (note that
3072-bit moduli provide the equivalent of 128-bit symmetric
security).
* In Ubuntu 22.04 client policy, moved host key types
sk-ssh-ed25519@openssh.com and ssh-ed25519 to the end of all
certificate types.
* Updated Ubuntu Server & Client policies for 20.04 and 22.04
to account for key exchange list changes due to Terrapin
vulnerability patches.
* Re-organized option host key types for OpenSSH 9.2 server
policy to correspond with updated Debian 12 hardening guide.
* Added built-in policies for OpenSSH 9.5 and 9.6.
* Added an additional_notes field to the JSON output.
OBS-URL: https://build.opensuse.org/request/show/1134312
OBS-URL: https://build.opensuse.org/package/show/security/ssh-audit?expand=0&rev=15
- Update to version 3.0.0
* Results from concurrent scans against multiple hosts are no
longer improperly combined.
* Hostname resolution failure no longer causes scans against
multiple hosts to terminate unexpectedly.
* Algorithm recommendations resulting from warnings are now
printed in yellow instead of red.
* Added failure, warning, and info notes to JSON output (note
that this results in a breaking change to the banner protocol,
"enc", and "mac" fields).
* Fixed crash during GEX tests.
* Refined GEX testing against OpenSSH servers: when the fallback
mechanism is suspected of being triggered, perform an
additional test to obtain more accurate results.
* The color of all notes will be printed in green when the
related algorithm is rated good.
* Prioritized host key certificate algorithms for Ubuntu
22.04 LTS client policy.
* Marked all NIST K-, B-, and T-curves as unproven since they
are so rarely used.
* Added built-in policy for OpenSSH 9.4.
* Added 12 new host keys
* Added 15 new key exchanges.
* Added 8 new ciphers.
* Added 14 new MACs.
OBS-URL: https://build.opensuse.org/request/show/1110355
OBS-URL: https://build.opensuse.org/package/show/security/ssh-audit?expand=0&rev=13
- Update to version 2.9.0
* Dropped support for Python 3.6
* Updated CVE database.
* Added -g and --gex-test for granular GEX modulus size tests.
* JSON 'target' field now always includes port number.
* JSON output now includes recommendations and CVE data.
* Mixed host key/CA key types (i.e.: RSA host keys signed with
ED25519 CAs, etc.) are now properly handled.
* Warnings are now printed for 2048-bit moduli.
* SHA-1 algorithms now cause failures.
* CBC mode ciphers are now warnings instead of failures.
* Generic failure/warning messages replaced with more specific
reasons (i.e.:'using weak cipher' => 'using broken RC4 cipher')
* Updated built-in policies to include missing host key size
information.
* Added built-in policies for OpenSSH 8.8, 8.9, 9.0, 9.1, 9.2,
and 9.3.
* Added 33 new host keys.
* Added 46 new key exchanges.
* Added 28 new ciphers.
* Added 5 new MACs.
OBS-URL: https://build.opensuse.org/request/show/1083858
OBS-URL: https://build.opensuse.org/package/show/security/ssh-audit?expand=0&rev=11
- Update to version 2.5.0
* Fixed crash when running host key tests.
* Handles server connection failures more gracefully.
* Now prints JSON with indents when -jj is used (useful for
debugging).
* Added MD5 fingerprints to verbose output.
* Added -d/--debug option for getting debugging output.
* Updated JSON output to include MD5 fingerprints. Note that
this results in a breaking change in the 'fingerprints'
dictionary format.
* Updated OpenSSH 8.1 (and earlier) policies to include
rsa-sha2-512 and rsa-sha2-256.
* Added OpenSSH v8.6 & v8.7 policies.
* Added 3 new key exchanges:
+ gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==
+ gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==
+ gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==
* Added 3 new MACs:
+ hmac-ripemd160-96
+ AEAD_AES_128_GCM
+ AEAD_AES_256_GCM
OBS-URL: https://build.opensuse.org/request/show/914447
OBS-URL: https://build.opensuse.org/package/show/security/ssh-audit?expand=0&rev=9
- Update to version 2.4.0
* Added multi-threaded scanning support.
* Added version check for OpenSSH user enumeration
(CVE-2018-15473).
* Added deprecation note to host key types based on SHA-1.
* Added extra warnings for SSHv1.
* Added built-in hardened OpenSSH v8.5 policy.
* Upgraded warnings to failures for host key types based on SHA-1
* Fixed crash when receiving unexpected response during host key
test.
* Fixed hang against older Cisco devices during host key test &
gex test.
* Fixed improper termination while scanning multiple targets when
one target returns an error.
* Dropped support for Python 3.5 (which reached EOL in Sept.2020)
* Added 1 new key exchange: sntrup761x25519-sha512@openssh.com.
OBS-URL: https://build.opensuse.org/request/show/875917
OBS-URL: https://build.opensuse.org/package/show/security/ssh-audit?expand=0&rev=7
- Update to version 2.3.1
* Now parses public key sizes for
rsa-sha2-256-cert-v01@openssh.com and
rsa-sha2-512-cert-v01@openssh.com host key types.
* Flag ssh-rsa-cert-v01@openssh.com as a failure due to SHA-1
hash.
* Fixed bug in recommendation output which suppressed some
algorithms inappropriately.
* Built-in policies now include CA key requirements (if
certificates are in use).
* Lookup function (--lookup) now performs case-insensitive
lookups of similar algorithms.
* Migrated pre-made policies from external files to internal
database.
* Split single 3,500 line script into many files (by class).
* Added setup.py support
* Added 1 new cipher: des-cbc@ssh.com.
- Install manpage
- Use py-* rpm macros
- Update to version 2.3.0
The highlight of this release is support for policy scanning
(this allows an admin to test a server against a
hardened/standard configuration).
* Added new policy auditing functionality to test adherence to
a hardening guide/standard configuration
(see -L/--list-policies, -M/--make-policy and -P/--policy).
* Created new man page (see ssh-audit.1 file).
* 1024-bit moduli upgraded from warnings to failures.
* Many Python 2 code clean-ups, testing framework improvements,
OBS-URL: https://build.opensuse.org/request/show/845092
OBS-URL: https://build.opensuse.org/package/show/security/ssh-audit?expand=0&rev=5
