
v2.3.0 Milestones #59

Closed
thecliguy opened this issue Sep 2, 2020 · 9 comments

Comments

@thecliguy
Contributor

@jtesta Hi Joe,

At the end of July you mentioned that you were hoping to release v2.3.0.

Are there some specific issues that you want to close before releasing v2.3.0? If so, perhaps they could be tagged as milestones.

@jugmac00
Contributor

jugmac00 commented Sep 3, 2020

@jtesta If you ever need a helping hand with making a new release, please reach out to me.

@jtesta
Owner

jtesta commented Sep 26, 2020

@cliguy @jugmac00 Sorry for the very late response. Work and personal things got in the way of my ability to finish the v2.3.0 release. Things are still busy, but I'm able to resume on it now.

On my to-do list is:

  1. More testing of the new policy checking code (in the dev branch).
  2. More testing of the policy checking integration for the web application at https://www.ssh-audit.com/
  3. Write a blog entry showing how to use the new policy checks.

The only thing other people can help with is the first one. If you have some free time, please give it a whirl! The new man page describes the basics of policy scanning (run man ./ssh-audit.1 and see the new -L, -M and -P options).

@mpolanski

It might be easier for you to use scdoc for writing man pages. It's a little POSIX-compatible tool with a nice syntax. This way ssh-audit.1 will be readable also in source form.

@jtesta
Owner

jtesta commented Sep 27, 2020

@mpolanski Thanks for the suggestion! I didn't know about scdoc until now. Perhaps after the stable release, I'll look into switching over.

@thecliguy
Contributor Author

@jtesta Hi, I've done some testing of the -L, -M and -P options today.

Everything worked well for me and I really like this new functionality.

My only suggestions are:

  • The output produced by -P could be prettier.
  • It would be nice if -P could be used in conjunction with -v/--verbose to show successes.

Here's an example of how I imagine this:

thecliguy@SANDBOX:~$ ./ssh-audit.py 10.0.0.2 -P /policies/ubuntu_server_16_04.txt --verbose 
Host:   10.0.0.2
Policy: Hardened Ubuntu Server 16.04 LTS (version 1)
Result: ❌ Failed!

Errors:
  * Ciphers did not match. 
    Expected:            'chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr' 
    Actual:              'chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'aes128-gcm@openssh.com', 'aes256-gcm@openssh.com'

  * Key exchanges did not match. 
    Expected:            'curve25519-sha256@libssh.org', 'diffie-hellman-group-exchange-sha256'
    Actual:              'curve25519-sha256@libssh.org', 'ecdh-sha2-nistp256', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group14-sha1'

  * MACs did not match. 
    Expected:            'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'
    Actual:              'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'hmac-sha1-etm@openssh.com', 'hmac-sha2-512', 'hmac-sha1'

Success:
  * Host keys matched. 
    Expected (required): 'ssh-ed25519'
    Expected (optional): 'ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'
    Actual:              'ssh-ed25519', 'rsa-sha2-256-cert-v01@openssh.com'

  * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes matched. 
    Expected:             2048
    Actual:               2048
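A small policy evaluator that reproduces the check semantics visible in the imagined output above (exact algorithm-list match, required plus optional host keys, a minimum group-exchange modulus) and the suggested verbose mode that also lists successes. This is an added example, not ssh-audit's own code; the matching rules and the dict layout of the policy and server profile are assumptions, and the sample data is constructed (abridged from the output above).

```python
def check_policy(policy, server):
    """Compare a server profile (dict with ciphers/kex/macs/hostkeys lists and a
    gex_modulus int) against a policy dict; return (passed, errors, successes)."""
    errors, successes = [], []
    # Assumed rule: algorithm lists must match the policy exactly, order included.
    for label, key in (("Ciphers", "ciphers"), ("Key exchanges", "kex"), ("MACs", "macs")):
        if policy[key] == server[key]:
            successes.append(f"{label} matched.")
        else:
            errors.append(f"{label} did not match.\n    Expected: {policy[key]}\n    Actual:   {server[key]}")
    # Assumed rule: every required host key must be offered; any extra must be an optional one.
    allowed = policy["hostkeys_required"] + policy["hostkeys_optional"]
    missing = [k for k in policy["hostkeys_required"] if k not in server["hostkeys"]]
    extra = [k for k in server["hostkeys"] if k not in allowed]
    if missing or extra:
        errors.append(f"Host keys did not match (missing {missing}, unexpected {extra}).")
    else:
        successes.append("Host keys matched.")
    # Assumed rule: the group-exchange modulus must be at least the policy's size.
    if server["gex_modulus"] >= policy["min_gex_modulus"]:
        successes.append("Group exchange modulus sizes matched.")
    else:
        errors.append(f"Group exchange modulus too small: {server['gex_modulus']}.")
    return not errors, errors, successes

def report(policy, server, verbose=False):
    """Render the result; successes are listed only with verbose, as suggested above."""
    passed, errors, successes = check_policy(policy, server)
    lines = [f"Policy: {policy['name']}", f"Result: {'Passed' if passed else 'Failed!'}"]
    lines += ["Errors:"] + [f"  * {e}" for e in errors] if errors else []
    lines += ["Success:"] + [f"  * {s}" for s in successes] if verbose and successes else []
    return "\n".join(lines)

# Constructed sample data, abridged from the imagined output in the comment above.
UBUNTU_16_04 = {
    "name": "Hardened Ubuntu Server 16.04 LTS (version 1)",
    "ciphers": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"],
    "kex": ["curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256"],
    "macs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"],
    "hostkeys_required": ["ssh-ed25519"],
    "hostkeys_optional": ["rsa-sha2-256-cert-v01@openssh.com", "rsa-sha2-512-cert-v01@openssh.com"],
    "min_gex_modulus": 2048}
SAMPLE_SERVER = {  # offers the policy's cipher set, but in a different order
    "ciphers": ["chacha20-poly1305@openssh.com", "aes256-ctr", "aes256-gcm@openssh.com"],
    "kex": ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    "macs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1"],
    "hostkeys": ["ssh-ed25519", "rsa-sha2-256-cert-v01@openssh.com"],
    "gex_modulus": 2048}
```

Calling report(UBUNTU_16_04, SAMPLE_SERVER, verbose=True) yields three errors (ciphers, key exchanges, MACs) and two successes (host keys, modulus size), mirroring the sample run above.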

@jtesta
Owner

jtesta commented Sep 27, 2020

@thecliguy Thanks for testing! And I like your suggestions too.

Right now I'm aiming to package the v2.3.0 release in the next few hours since this is the only window of time I have for the next two weeks. This release is way overdue. I'd much rather get this out the door, then update the output in a quick v2.3.1 revision release.

I don't think updating the output later will break anything for users, since any parsing should be done on the JSON output (-j), which won't change.

And I'd happily accept a PR for this if you happened to have some spare cycles to put it together!

@thecliguy
Contributor Author

@jtesta I completely agree with you, that makes sense to me.

Looking forward to version 2.3.0 👍

@jtesta
Owner

jtesta commented Sep 28, 2020

@mpolanski If you have free cycles to migrate the man page to scdoc, that would be very much appreciated! Otherwise, I'm not sure I'll be able to get to it any time soon...

@jtesta
Owner

jtesta commented Sep 28, 2020

@jugmac00 @thecliguy v2.3.0 has been released at last!

I look forward to moving on to re-organizing the project to a more standard layout. Specifically, including a setup.py script (#46) and splitting the 3,900-line ssh-audit.py into separate files (#47).

I'll also check stable changes into the master branch, instead of keeping a long-lived dev branch going.

@jtesta jtesta closed this as completed Sep 28, 2020