v3.9.0

@jtesta jtesta released this 04 Jul 21:32

The highlights of this release are:

  • Warnings will be issued on key exchanges that are not post-quantum safe.
  • Hardening guides are now included for all supported platforms (see --list-hardening-guides).
  • UNIX sockets can be used as scan targets (specified with unix:///path/to/socket); useful in containerized environments such as CI/CD pipelines.
  • Scanning through SOCKS5 proxies can now be done (with --socks5).
  • A variety of new post-quantum algorithms can now be identified.

BIG THANKS to realmiwi for being the project's very first sponsor!!

The full release notes are:

  • Added support for Python 3.14.
  • Dropped support for Python 3.8, as it reached end-of-life in October 2024.
  • Dropped support for Python 3.9, as it reached end-of-life in October 2025.
  • Added warning to all key exchanges that do not include protections against quantum attacks due to the Harvest Now, Decrypt Later strategy (see https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later).
  • Removed SSHv1 support (rationale is documented in: #298).
  • Added hardening guides (see --list-hardening-guides and --get-hardening-guide). Previously, they were only available at https://ssh-audit.com/hardening_guides.html, but now they are built-in for convenience; partial credit oam7575.
  • Added allow_hostkey_subset_and_reordering policy option to allow targets to have a more stringent list of host keys and/or a different ordering of them.
  • Migrated from deprecated getopt module to argparse; partial credit oam7575.
  • When running against multiple hosts, now prints each target host regardless of output level.
  • Batch mode (-b) no longer automatically enables verbose mode, due to sometimes confusing results; users can still explicitly enable verbose mode using the -v flag.
  • Added UNIX server socket scanning (specify the target with unix:///path/to/socket).
  • Added SOCKS5 proxy support (specify the proxy with --socks5 host:port); partial credit Michał Majchrowicz.
  • Updated built-in policy for Debian 12.
  • Added built-in policies for OpenSSH 10.0, 10.1, 10.2, 10.3, and 10.4.
  • Added hardening guides and policies for Debian 13.
  • Added hardening guides and policies for Rocky Linux 10.
  • Added hardening guides and policies for Ubuntu 26.04.
  • Added 2 new key exchanges: mlkem768nistp256-sha256, mlkem1024nistp384-sha384.
  • Added 11 new host keys: webauthn-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, mldsa-44, ssh-mldsa44-ed25519@openssh.com, mldsa-65, mldsa-87, ssh-mldsa-44, ssh-mldsa-65, ssh-mldsa-87, ssh-mldsa44, ssh-mldsa65, ssh-mldsa87.
  • Added 2 new ciphers: AEAD_CAMELLIA_128_GCM, AEAD_CAMELLIA_256_GCM.