Releases: jtesta/ssh-audit

v3.2.0

22 Apr 21:08

This release features a new --dheat option to test targets for the DHEat denial-of-service attack (see CVE-2002-20001). Also included are changes to custom policies that allow targets to surpass the specified security level; this allows for the creation of baseline policies (partial credit yannik1015 and Damian Szuberski).

This version is also available as a PyPI package (pip3 install ssh-audit), Docker image (docker pull positronsecurity/ssh-audit), Snap package (snap install ssh-audit), or as a Windows executable (see below, though be aware that sometimes Windows Defender inappropriately detects it as malware!).

  • Added implementation of the DHEat denial-of-service attack (see --dheat option; CVE-2002-20001).
  • Expanded filter of CBC ciphers to flag for the Terrapin vulnerability. It now includes more rarely found ciphers.
  • Fixed parsing of ecdsa-sha2-nistp* CA signatures on host keys. Additionally, they are now flagged as potentially back-doored, just as standard host keys are.
  • Gracefully handle rare exceptions (i.e.: crashes) while performing GEX tests.
  • The built-in man page (-m, --manual) is now available on Docker, PyPI, and Snap builds, in addition to the Windows build.
  • Snap builds are now architecture-independent.
  • Changed Docker base image from python:3-slim to python:3-alpine, resulting in a 59% reduction in image size; credit Daniel Thamdrup.
  • Added built-in policies for Amazon Linux 2023, Debian 12, OpenSSH 9.7, and Rocky Linux 9.
  • Built-in policies now include a change log (use -L -v to view them).
  • Custom policies now support the allow_algorithm_subset_and_reordering directive to allow targets to pass with a subset and/or re-ordered list of host keys, kex, ciphers, and MACs. This allows for the creation of a baseline policy where targets can optionally implement stricter controls; partial credit yannik1015.
  • Custom policies now support the allow_larger_keys directive to allow targets to pass with larger host keys, CA keys, and Diffie-Hellman keys. This allows for the creation of a baseline policy where targets can optionally implement stricter controls; partial credit Damian Szuberski.
  • Color output is disabled if the NO_COLOR environment variable is set (see https://no-color.org/).
  • Added 1 new key exchange algorithm: gss-nistp384-sha384-*.
  • Added 1 new cipher: aes128-ocb@libassh.org.
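
The two custom-policy directives in the list above turn a policy from an exact-match check into a baseline that targets may exceed. The sketch below is an added illustration of that difference, not ssh-audit's own code: the `Policy` class, the `evaluate` function and the sample data are hypothetical, and only the two directive names come from the release notes.

```python
from dataclasses import dataclass, replace


@dataclass
class Policy:
    """Hypothetical in-memory policy; only the two flag names come from the release notes."""
    algorithms: dict  # category -> ordered list of approved algorithms
    key_bits: dict    # host key type -> expected key size in bits
    allow_algorithm_subset_and_reordering: bool = False
    allow_larger_keys: bool = False


def evaluate(policy, offered, offered_bits):
    """Return a list of failure strings; an empty list means the target passes."""
    failures = []
    for category, expected in policy.algorithms.items():
        actual = offered.get(category, [])
        if policy.allow_algorithm_subset_and_reordering:
            # Baseline mode: order and omissions are tolerated, but anything
            # outside the approved list still fails.
            extra = [a for a in actual if a not in expected]
            if extra:
                failures.append(f"{category}: not in policy: {', '.join(extra)}")
        elif actual != expected:
            failures.append(f"{category}: list differs from policy")
    for key_type, want in policy.key_bits.items():
        have = offered_bits.get(key_type)
        if have is None:
            continue  # key type not offered; the algorithm check covers that
        ok = have >= want if policy.allow_larger_keys else have == want
        if not ok:
            failures.append(f"{key_type}: {have}-bit key, policy expects {want}")
    return failures


# Constructed sample data, not taken from any built-in ssh-audit policy.
STRICT = Policy(
    algorithms={
        "host keys": ["rsa-sha2-512", "ssh-ed25519"],
        "ciphers": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"],
    },
    key_bits={"rsa-sha2-512": 3072},
)
BASELINE = replace(STRICT, allow_algorithm_subset_and_reordering=True, allow_larger_keys=True)

# A target hardened beyond the policy: fewer ciphers, re-ordered host keys, larger RSA key.
HARDENED = ({"host keys": ["ssh-ed25519", "rsa-sha2-512"],
             "ciphers": ["aes256-gcm@openssh.com", "aes256-ctr"]}, {"rsa-sha2-512": 4096})
# A target weaker than the policy: extra CBC cipher, smaller RSA key.
WEAK = ({"host keys": ["rsa-sha2-512", "ssh-ed25519"],
         "ciphers": ["aes256-ctr", "aes128-cbc"]}, {"rsa-sha2-512": 2048})

if __name__ == "__main__":
    for name, target in (("hardened", HARDENED), ("weak", WEAK)):
        for label, policy in (("strict", STRICT), ("baseline", BASELINE)):
            print(name, label, evaluate(policy, *target) or "PASS")
```

With both flags off, the hardened target fails on every point where it differs from the policy; with both on, it passes while the weaker target still fails.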

v3.1.0

20 Dec 18:37

This release features tests for the Terrapin message prefix truncation vulnerability in the SSH protocol (CVE-2023-48795), along with other minor enhancements and fixes.

This version is also available as a PyPI package (pip3 install ssh-audit), Docker image (docker pull positronsecurity/ssh-audit), Snap package (snap install ssh-audit), or as a Windows executable (see below, though be aware that sometimes Windows Defender inappropriately detects it as malware!).

The full change log is:

  • Added test for the Terrapin message prefix truncation vulnerability (CVE-2023-48795).
  • Dropped support for Python 3.7 (EOL was reached in June 2023).
  • Added Python 3.12 support.
  • In server policies, reduced expected DH modulus sizes from 4096 to 3072 to match the online hardening guides (note that 3072-bit moduli provide the equivalent of 128-bit symmetric security).
  • In Ubuntu 22.04 client policy, moved host key types sk-ssh-ed25519@openssh.com and ssh-ed25519 to the end of all certificate types.
  • Updated Ubuntu Server & Client policies for 20.04 and 22.04 to account for key exchange list changes due to Terrapin vulnerability patches.
  • Re-organized option host key types for OpenSSH 9.2 server policy to correspond with updated Debian 12 hardening guide.
  • Added built-in policies for OpenSSH 9.5 and 9.6.
  • Added an additional_notes field to the JSON output.

v3.0.0

07 Sep 12:16

This release includes important fixes for multiple-host scans, improved Diffie-Hellman group exchange auditing, and the inclusion of algorithm notes into the JSON output (note that this changes the schema of the banner protocol, "enc", and "mac" fields). Support for 49 new algorithms was also added!

This version is also available as a PyPI package (pip3 install ssh-audit), Docker image (docker pull positronsecurity/ssh-audit), Snap package (snap install ssh-audit), or as a Windows executable (see below, though be aware that sometimes Windows Defender inappropriately detects it as malware!).

The full change log is:

  • Results from concurrent scans against multiple hosts are no longer improperly combined; bug discovered by Adam Russell.
  • Hostname resolution failure no longer causes scans against multiple hosts to terminate unexpectedly; credit Dani Cuesta.
  • Algorithm recommendations resulting from warnings are now printed in yellow instead of red; credit Adam Russell.
  • Added failure, warning, and info notes to JSON output (note that this results in a breaking change to the banner protocol, "enc", and "mac" fields); credit Bareq Al-Azzawi.
  • Docker Makefile now creates multi-arch builds for amd64, arm64, and armv7; credit Sebastian Cohnen.
  • Fixed crash during GEX tests.
  • Refined GEX testing against OpenSSH servers: when the fallback mechanism is suspected of being triggered, perform an additional test to obtain more accurate results.
  • The color of all notes will be printed in green when the related algorithm is rated good.
  • Prioritized host key certificate algorithms for Ubuntu 22.04 LTS client policy.
  • Marked all NIST K-, B-, and T-curves as unproven since they are so rarely used.
  • Added built-in policy for OpenSSH 9.4.
  • Added 12 new host keys: ecdsa-sha2-curve25519, ecdsa-sha2-nistb233, ecdsa-sha2-nistb409, ecdsa-sha2-nistk163, ecdsa-sha2-nistk233, ecdsa-sha2-nistk283, ecdsa-sha2-nistk409, ecdsa-sha2-nistp224, ecdsa-sha2-nistp192, ecdsa-sha2-nistt571, ssh-dsa, x509v3-sign-rsa-sha256.
  • Added 15 new key exchanges: curve448-sha512@libssh.org, ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org, ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org, ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org, ecdh-sha2-brainpoolp256r1@genua.de, ecdh-sha2-brainpoolp384r1@genua.de, ecdh-sha2-brainpoolp521r1@genua.de, kexAlgoDH14SHA1, kexAlgoDH1SHA1, kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521, sm2kep-sha2-nistp256, x25519-kyber-512r3-sha256-d00@amazon.com, x25519-kyber512-sha512@aws.amazon.com.
  • Added 8 new ciphers: aes192-gcm@openssh.com, cast128-12-cbc, cast128-12-cfb, cast128-12-ecb, cast128-12-ofb, des-cfb, des-ecb, des-ofb.
  • Added 14 new MACs: cbcmac-3des, cbcmac-aes, cbcmac-blowfish, cbcmac-des, cbcmac-rijndael, cbcmac-twofish, hmac-sha256-96, md5, md5-8, ripemd160, ripemd160-8, sha1, sha1-8, umac-128.

v2.9.0

29 Apr 17:32

This release includes many new features, including granular GEX modulus tests (credit Adam Russell), support for mixed host key/CA key certificates (i.e.: RSA host keys signed by ED25519 CAs), warnings for 2048-bit moduli, and more descriptive algorithm notes. Support for 112 new algorithms was also added!

Note that this version is also available as a PyPI package (pip3 install ssh-audit), Snap package (snap install ssh-audit), or as a Windows executable (see below, though be aware that sometimes Windows Defender inappropriately detects it as malware!).

The full change log is:

  • Dropped support for Python 3.6, as it reached EOL at the end of 2021.
  • Added Ubuntu Server & Client 22.04 hardening policies.
  • Removed experimental warning tag from sntrup761x25519-sha512@openssh.com.
  • Updated CVE database; credit Alexandre Zanni.
  • Added -g and --gex-test for granular GEX modulus size tests; credit Adam Russell.
  • Snap packages now print more user-friendly error messages when permission errors are encountered.
  • JSON 'target' field now always includes port number; credit tomatohater1337.
  • JSON output now includes recommendations and CVE data.
  • Mixed host key/CA key types (i.e.: RSA host keys signed with ED25519 CAs, etc.) are now properly handled.
  • Warnings are now printed for 2048-bit moduli; partial credit Adam Russell.
  • SHA-1 algorithms now cause failures.
  • CBC mode ciphers are now warnings instead of failures.
  • Generic failure/warning messages replaced with more specific reasons (i.e.: 'using weak cipher' => 'using broken RC4 cipher').
  • Updated built-in policies to include missing host key size information.
  • Added built-in policies for OpenSSH 8.8, 8.9, 9.0, 9.1, 9.2, and 9.3.
  • Added 33 new host keys: dsa2048-sha224@libassh.org, dsa2048-sha256@libassh.org, dsa3072-sha256@libassh.org, ecdsa-sha2-1.3.132.0.10-cert-v01@openssh.com, eddsa-e382-shake256@libassh.org, eddsa-e521-shake256@libassh.org, null, pgp-sign-dss, pgp-sign-rsa, spki-sign-dss, spki-sign-rsa, ssh-dss-sha224@ssh.com, ssh-dss-sha384@ssh.com, ssh-dss-sha512@ssh.com, ssh-ed448-cert-v01@openssh.com, ssh-rsa-sha224@ssh.com, ssh-rsa-sha2-256, ssh-rsa-sha2-512, ssh-rsa-sha384@ssh.com, ssh-rsa-sha512@ssh.com, ssh-xmss-cert-v01@openssh.com, ssh-xmss@openssh.com, webauthn-sk-ecdsa-sha2-nistp256@openssh.com, x509v3-ecdsa-sha2-1.3.132.0.10, x509v3-sign-dss-sha1, x509v3-sign-dss-sha224@ssh.com, x509v3-sign-dss-sha256@ssh.com, x509v3-sign-dss-sha384@ssh.com, x509v3-sign-dss-sha512@ssh.com, x509v3-sign-rsa-sha1, x509v3-sign-rsa-sha224@ssh.com, x509v3-sign-rsa-sha384@ssh.com, x509v3-sign-rsa-sha512@ssh.com.
  • Added 46 new key exchanges: diffie-hellman-group14-sha224@ssh.com, diffie-hellman_group17-sha512, diffie-hellman-group-exchange-sha224@ssh.com, diffie-hellman-group-exchange-sha384@ssh.com, ecdh-sha2-1.2.840.10045.3.1.1, ecdh-sha2-1.2.840.10045.3.1.7, ecdh-sha2-1.3.132.0.1, ecdh-sha2-1.3.132.0.16, ecdh-sha2-1.3.132.0.26, ecdh-sha2-1.3.132.0.27, ecdh-sha2-1.3.132.0.33, ecdh-sha2-1.3.132.0.34, ecdh-sha2-1.3.132.0.35, ecdh-sha2-1.3.132.0.36, ecdh-sha2-1.3.132.0.37, ecdh-sha2-1.3.132.0.38, ecdh-sha2-4MHB+NBt3AlaSRQ7MnB4cg==, ecdh-sha2-5pPrSUQtIaTjUSt5VZNBjg==, ecdh-sha2-9UzNcgwTlEnSCECZa7V1mw==, ecdh-sha2-D3FefCjYoJ/kfXgAyLddYA==, ecdh-sha2-h/SsxnLCtRBh7I9ATyeB3A==, ecdh-sha2-m/FtSAmrV4j/Wy6RVUaK7A==, ecdh-sha2-mNVwCXAoS1HGmHpLvBC94w==, ecdh-sha2-qCbG5Cn/jjsZ7nBeR7EnOA==, ecdh-sha2-qcFQaMAMGhTziMT0z+Tuzw==, ecdh-sha2-VqBg4QRPjxx1EXZdV0GdWQ==, ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==, ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==, ecmqv-sha2, gss-13.3.132.0.10-sha256-*, gss-curve25519-sha256-*, gss-curve448-sha512-*, gss-gex-sha1-*, gss-gex-sha256-*, gss-group14-sha1-*, gss-group14-sha256-*, gss-group15-sha512-*, gss-group16-sha512-*, gss-group17-sha512-*, gss-group18-sha512-*, gss-group1-sha1-*, gss-nistp256-sha256-*, gss-nistp384-sha256-*, gss-nistp521-sha512-*, m383-sha384@libassh.org, m511-sha512@libassh.org.
  • Added 28 new ciphers: 3des-cfb, 3des-ecb, 3des-ofb, blowfish-cfb, blowfish-ecb, blowfish-ofb, camellia128-cbc@openssh.org, camellia128-ctr@openssh.org, camellia192-cbc@openssh.org, camellia192-ctr@openssh.org, camellia256-cbc@openssh.org, camellia256-ctr@openssh.org, cast128-cfb, cast128-ecb, cast128-ofb, cast128-12-cbc@ssh.com, idea-cfb, idea-ecb, idea-ofb, rijndael-cbc@ssh.com, seed-ctr@ssh.com, serpent128-gcm@libassh.org, serpent256-gcm@libassh.org, twofish128-gcm@libassh.org, twofish256-gcm@libassh.org, twofish-cfb, twofish-ecb, twofish-ofb
  • Added 5 new MACs: hmac-sha1-96@openssh.com, hmac-sha224@ssh.com, hmac-sha256-2@ssh.com, hmac-sha384@ssh.com, hmac-whirlpool.

v2.5.0

26 Aug 19:46

This release fixes some minor bugs, and adds some minor features.

Please note that this version is also available as a PyPI package (pip3 install ssh-audit), Snap package (snap install ssh-audit), or as a Windows executable (below, though be aware that Windows Defender inappropriately detects it as malware!).

The full change log is:

  • Fixed crash when running host key tests.
  • Handles server connection failures more gracefully.
  • Now prints JSON with indents when -jj is used (useful for debugging).
  • Added MD5 fingerprints to verbose output.
  • Added -d/--debug option for getting debugging output; credit Adam Russell.
  • Updated JSON output to include MD5 fingerprints. Note that this results in a breaking change in the 'fingerprints' dictionary format.
  • Updated OpenSSH 8.1 (and earlier) policies to include rsa-sha2-512 and rsa-sha2-256.
  • Added OpenSSH v8.6 & v8.7 policies.
  • Added 3 new key exchanges: gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==, gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==, and gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==.
  • Added 3 new MACs: hmac-ripemd160-96, AEAD_AES_128_GCM, and AEAD_AES_256_GCM.

v2.4.0

24 Feb 01:50

This is primarily a bug-fix release.

Please note that this version is also available as a PyPI package (pip3 install ssh-audit), Snap package (snap install ssh-audit), or as a Windows executable (below).

The full change log is:

  • Added multi-threaded scanning support.
  • Added built-in Windows manual page (see -m/--manual); credit Adam Russell.
  • Added version check for OpenSSH user enumeration (CVE-2018-15473).
  • Added deprecation note to host key types based on SHA-1.
  • Added extra warnings for SSHv1.
  • Added built-in hardened OpenSSH v8.5 policy.
  • Upgraded warnings to failures for host key types based on SHA-1.
  • Fixed crash when receiving unexpected response during host key test.
  • Fixed hang against older Cisco devices during host key test & gex test.
  • Fixed improper termination while scanning multiple targets when one target returns an error.
  • Dropped support for Python 3.5 (which reached EOL in Sept. 2020).
  • Added 1 new key exchange: sntrup761x25519-sha512@openssh.com.

v2.3.1

29 Oct 00:49

This release features better public key size parsing, as well as a major code re-organization (see #46 and #47), and other improvements.

Please note that this version is also available as a PyPI package (pip3 install ssh-audit), Snap package (snap install ssh-audit), or as a Windows executable (below).

The full change log is:

  • Now parses public key sizes for rsa-sha2-256-cert-v01@openssh.com and rsa-sha2-512-cert-v01@openssh.com host key types.
  • Flag ssh-rsa-cert-v01@openssh.com as a failure due to SHA-1 hash.
  • Fixed bug in recommendation output which suppressed some algorithms inappropriately.
  • Built-in policies now include CA key requirements (if certificates are in use).
  • Lookup function (--lookup) now performs case-insensitive lookups of similar algorithms; credit Adam Russell.
  • Migrated pre-made policies from external files to internal database.
  • Split single 3,500 line script into many files (by class).
  • Added setup.py support; credit Ganden Schaffner.
  • Added 1 new cipher: des-cbc@ssh.com.

v2.3.0

28 Sep 00:02

The highlight of this release is support for policy scanning (this allows an admin to test a server against a hardened/standard configuration). See the tutorial link below for a more detailed description.

The full change log is:

  • Added new policy auditing functionality to test adherence to a hardening guide/standard configuration (see -L/--list-policies, -M/--make-policy and -P/--policy). For an in-depth tutorial, see https://www.positronsecurity.com/blog/2020-09-27-ssh-policy-configuration-checks-with-ssh-audit/.
  • Created new man page (see ssh-audit.1 file).
  • 1024-bit moduli upgraded from warnings to failures.
  • Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit Jürgen Gmach.
  • Added feature to look up algorithms in internal database (see --lookup); credit Adam Russell.
  • Suppress recommendation of token host key types.
  • Added check for use-after-free vulnerability in PuTTY v0.73.
  • Added 11 new host key types: ssh-rsa1, ssh-dss-sha256@ssh.com, ssh-gost2001, ssh-gost2012-256, ssh-gost2012-512, spki-sign-rsa, ssh-ed448, x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp521, x509v3-rsa2048-sha256.
  • Added 8 new key exchanges: diffie-hellman-group1-sha256, kexAlgoCurve25519SHA256, Curve25519SHA256, gss-group14-sha256-, gss-group15-sha512-, gss-group16-sha512-, gss-nistp256-sha256-, gss-curve25519-sha256-.
  • Added 5 new ciphers: blowfish, AEAD_AES_128_GCM, AEAD_AES_256_GCM, crypticore128@ssh.com, seed-cbc@ssh.com.
  • Added 3 new MACs: chacha20-poly1305@openssh.com, hmac-sha3-224, crypticore-mac@ssh.com.

v2.2.0

11 Mar 16:12

This release re-classifies the very common ssh-rsa host key type as weak, due to practical SHA-1 attacks (see link below). Many new algorithms are also implemented.

  • Marked host key type ssh-rsa as weak due to practical SHA-1 collisions.
  • Added Windows builds.
  • Added 10 new host key types: ecdsa-sha2-1.3.132.0.10, x509v3-sign-dss, x509v3-sign-rsa, x509v3-sign-rsa-sha256@ssh.com, x509v3-ssh-dss, x509v3-ssh-rsa, sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, and sk-ssh-ed25519@openssh.com.
  • Added 18 new key exchanges: diffie-hellman-group14-sha256@ssh.com, diffie-hellman-group15-sha256@ssh.com, diffie-hellman-group15-sha384@ssh.com, diffie-hellman-group16-sha384@ssh.com, diffie-hellman-group16-sha512@ssh.com, diffie-hellman-group18-sha512@ssh.com, ecdh-sha2-curve25519, ecdh-sha2-nistb233, ecdh-sha2-nistb409, ecdh-sha2-nistk163, ecdh-sha2-nistk233, ecdh-sha2-nistk283, ecdh-sha2-nistk409, ecdh-sha2-nistp192, ecdh-sha2-nistp224, ecdh-sha2-nistt571, gss-gex-sha1-, and gss-group1-sha1-.
  • Added 9 new ciphers: camellia128-cbc, camellia128-ctr, camellia192-cbc, camellia192-ctr, camellia256-cbc, camellia256-ctr, aes128-gcm, aes256-gcm, and chacha20-poly1305.
  • Added 2 new MACs: aes128-gcm and aes256-gcm.

Note that pre-built packages are available for Windows (below), via PyPI (pip3 install ssh-audit), and via the snap repository (snap install ssh-audit).

v2.1.1

26 Nov 17:03

This maintenance release focuses on improving support for client testing. The full changelog is:

  • Added 2 new host key types: rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com.
  • Added 2 new ciphers: des, 3des.
  • Added 3 new PuTTY vulnerabilities.
  • During client testing, client IP address is now listed in output.

Also included is the first Windows release!