Skip to content

v2.9.0

Compare
Choose a tag to compare
@jtesta jtesta released this 29 Apr 17:32
· 141 commits to master since this release
v2.9.0

This release includes many new features, including granular GEX modulus tests (credit Adam Russell), support for mixed host key/CA key certificates (i.e.: RSA host keys signed by ED25519 CAs), warnings for 2048-bit moduli, and more descriptive algorithm notes. Support for 112 new algorithms were also added!

Note that this version is also available as a PyPI package (pip3 install ssh-audit), Snap package (snap install ssh-audit), or as a Windows executable (see below, though be aware that sometimes Windows Defender inappropriately detects it as malware!).

The full change log is:

  • Dropped support for Python 3.6, as it reached EOL at the end of 2021.
  • Added Ubuntu Server & Client 22.04 hardening policies.
  • Removed experimental warning tag from sntrup761x25519-sha512@openssh.com.
  • Updated CVE database; credit Alexandre Zanni.
  • Added -g and --gex-test for granular GEX modulus size tests; credit Adam Russell.
  • Snap packages now print more user-friendly error messages when permission errors are encountered.
  • JSON 'target' field now always includes port number; credit tomatohater1337.
  • JSON output now includes recommendations and CVE data.
  • Mixed host key/CA key types (i.e.: RSA host keys signed with ED25519 CAs, etc.) are now properly handled.
  • Warnings are now printed for 2048-bit moduli; partial credit Adam Russell.
  • SHA-1 algorithms now cause failures.
  • CBC mode ciphers are now warnings instead of failures.
  • Generic failure/warning messages replaced with more specific reasons (i.e.: 'using weak cipher' => 'using broken RC4 cipher').
  • Updated built-in policies to include missing host key size information.
  • Added built-in policies for OpenSSH 8.8, 8.9, 9.0, 9.1, 9.2, and 9.3.
  • Added 33 new host keys: dsa2048-sha224@libassh.org, dsa2048-sha256@libassh.org, dsa3072-sha256@libassh.org, ecdsa-sha2-1.3.132.0.10-cert-v01@openssh.com, eddsa-e382-shake256@libassh.org, eddsa-e521-shake256@libassh.org, null, pgp-sign-dss, pgp-sign-rsa, spki-sign-dss, spki-sign-rsa, ssh-dss-sha224@ssh.com, ssh-dss-sha384@ssh.com, ssh-dss-sha512@ssh.com, ssh-ed448-cert-v01@openssh.com, ssh-rsa-sha224@ssh.com, ssh-rsa-sha2-256, ssh-rsa-sha2-512, ssh-rsa-sha384@ssh.com, ssh-rsa-sha512@ssh.com, ssh-xmss-cert-v01@openssh.com, ssh-xmss@openssh.com, webauthn-sk-ecdsa-sha2-nistp256@openssh.com, x509v3-ecdsa-sha2-1.3.132.0.10, x509v3-sign-dss-sha1, x509v3-sign-dss-sha224@ssh.com, x509v3-sign-dss-sha256@ssh.com, x509v3-sign-dss-sha384@ssh.com, x509v3-sign-dss-sha512@ssh.com, x509v3-sign-rsa-sha1, x509v3-sign-rsa-sha224@ssh.com, x509v3-sign-rsa-sha384@ssh.com, x509v3-sign-rsa-sha512@ssh.com.
  • Added 46 new key exchanges: diffie-hellman-group14-sha224@ssh.com, diffie-hellman_group17-sha512, diffie-hellman-group-exchange-sha224@ssh.com, diffie-hellman-group-exchange-sha384@ssh.com, ecdh-sha2-1.2.840.10045.3.1.1, ecdh-sha2-1.2.840.10045.3.1.7, ecdh-sha2-1.3.132.0.1, ecdh-sha2-1.3.132.0.16, ecdh-sha2-1.3.132.0.26, ecdh-sha2-1.3.132.0.27, ecdh-sha2-1.3.132.0.33, ecdh-sha2-1.3.132.0.34, ecdh-sha2-1.3.132.0.35, ecdh-sha2-1.3.132.0.36, ecdh-sha2-1.3.132.0.37, ecdh-sha2-1.3.132.0.38, ecdh-sha2-4MHB+NBt3AlaSRQ7MnB4cg==, ecdh-sha2-5pPrSUQtIaTjUSt5VZNBjg==, ecdh-sha2-9UzNcgwTlEnSCECZa7V1mw==, ecdh-sha2-D3FefCjYoJ/kfXgAyLddYA==, ecdh-sha2-h/SsxnLCtRBh7I9ATyeB3A==, ecdh-sha2-m/FtSAmrV4j/Wy6RVUaK7A==, ecdh-sha2-mNVwCXAoS1HGmHpLvBC94w==, ecdh-sha2-qCbG5Cn/jjsZ7nBeR7EnOA==, ecdh-sha2-qcFQaMAMGhTziMT0z+Tuzw==, ecdh-sha2-VqBg4QRPjxx1EXZdV0GdWQ==, ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==, ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==, ecmqv-sha2, gss-13.3.132.0.10-sha256-*, gss-curve25519-sha256-*, gss-curve448-sha512-*, gss-gex-sha1-*, gss-gex-sha256-*, gss-group14-sha1-*, gss-group14-sha256-*, gss-group15-sha512-*, gss-group16-sha512-*, gss-group17-sha512-*, gss-group18-sha512-*, gss-group1-sha1-*, gss-nistp256-sha256-*, gss-nistp384-sha256-*, gss-nistp521-sha512-*, m383-sha384@libassh.org, m511-sha512@libassh.org.
  • Added 28 new ciphers: 3des-cfb, 3des-ecb, 3des-ofb, blowfish-cfb, blowfish-ecb, blowfish-ofb, camellia128-cbc@openssh.org, camellia128-ctr@openssh.org, camellia192-cbc@openssh.org, camellia192-ctr@openssh.org, camellia256-cbc@openssh.org, camellia256-ctr@openssh.org, cast128-cfb, cast128-ecb, cast128-ofb, cast128-12-cbc@ssh.com, idea-cfb, idea-ecb, idea-ofb, rijndael-cbc@ssh.com, seed-ctr@ssh.com, serpent128-gcm@libassh.org, serpent256-gcm@libassh.org, twofish128-gcm@libassh.org, twofish256-gcm@libassh.org, twofish-cfb, twofish-ecb, twofish-ofb
  • Added 5 new MACs: hmac-sha1-96@openssh.com, hmac-sha224@ssh.com, hmac-sha256-2@ssh.com, hmac-sha384@ssh.com, hmac-whirlpool.