Skip to content

v3.0.0
Compare
Choose a tag to compare
@jtesta jtesta released this 07 Sep 12:16
· 63 commits to master since this release
v3.0.0
This tag was signed with the committer’s verified signature.
jtesta Joe Testa
GPG key ID: E44F5FD3B799916A
Learn about vigilant mode.
f517e03

This release includes important fixes for multiple-host scans, improved Diffie-Hellman group exchange auditing, and the inclusion of algorithm notes into the JSON output (note that this changes the schema of the banner protocol, "enc", and "mac" fields). Support for 49 new algorithms were also added!

This version is also available as a PyPI package (pip3 install ssh-audit), Docker image (docker pull positronsecurity/ssh-audit), Snap package (snap install ssh-audit), or as a Windows executable (see below, though be aware that sometimes Windows Defender inappropriately detects it as malware!).

The full change log is:

  • Results from concurrent scans against multiple hosts are no longer improperly combined; bug discovered by Adam Russell.
  • Hostname resolution failure no longer causes scans against multiple hosts to terminate unexpectedly; credit Dani Cuesta.
  • Algorithm recommendations resulting from warnings are now printed in yellow instead of red; credit Adam Russell.
  • Added failure, warning, and info notes to JSON output (note that this results in a breaking change to the banner protocol, "enc", and "mac" fields); credit Bareq Al-Azzawi.
  • Docker Makefile now creates multi-arch builds for amd64, arm64, and armv7; credit Sebastian Cohnen.
  • Fixed crash during GEX tests.
  • Refined GEX testing against OpenSSH servers: when the fallback mechanism is suspected of being triggered, perform an additional test to obtain more accurate results.
  • The color of all notes will be printed in green when the related algorithm is rated good.
  • Prioritized host key certificate algorithms for Ubuntu 22.04 LTS client policy.
  • Marked all NIST K-, B-, and T-curves as unproven since they are so rarely used.
  • Added built-in policy for OpenSSH 9.4.
  • Added 12 new host keys: ecdsa-sha2-curve25519, ecdsa-sha2-nistb233, ecdsa-sha2-nistb409, ecdsa-sha2-nistk163, ecdsa-sha2-nistk233, ecdsa-sha2-nistk283, ecdsa-sha2-nistk409, ecdsa-sha2-nistp224, ecdsa-sha2-nistp192, ecdsa-sha2-nistt571, ssh-dsa, x509v3-sign-rsa-sha256.
  • Added 15 new key exchanges: curve448-sha512@libssh.org, ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org, ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org, ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org, ecdh-sha2-brainpoolp256r1@genua.de, ecdh-sha2-brainpoolp384r1@genua.de, ecdh-sha2-brainpoolp521r1@genua.de, kexAlgoDH14SHA1, kexAlgoDH1SHA1, kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521, sm2kep-sha2-nistp256, x25519-kyber-512r3-sha256-d00@amazon.com, x25519-kyber512-sha512@aws.amazon.com.
  • Added 8 new ciphers: aes192-gcm@openssh.com, cast128-12-cbc, cast128-12-cfb, cast128-12-ecb, cast128-12-ofb, des-cfb, des-ecb, des-ofb.
  • Added 14 new MACs: cbcmac-3des, cbcmac-aes, cbcmac-blowfish, cbcmac-des, cbcmac-rijndael, cbcmac-twofish, hmac-sha256-96, md5, md5-8, ripemd160, ripemd160-8, sha1, sha1-8, umac-128.
Assets 7