v2.9.0
This release includes many new features, including granular GEX modulus tests (credit Adam Russell), support for mixed host key/CA key certificates (i.e.: RSA host keys signed by ED25519 CAs), warnings for 2048-bit moduli, and more descriptive algorithm notes. Support for 112 new algorithms were also added!
Note that this version is also available as a PyPI package (pip3 install ssh-audit
), Snap package (snap install ssh-audit
), or as a Windows executable (see below, though be aware that sometimes Windows Defender inappropriately detects it as malware!).
The full change log is:
- Dropped support for Python 3.6, as it reached EOL at the end of 2021.
- Added Ubuntu Server & Client 22.04 hardening policies.
- Removed experimental warning tag from
sntrup761x25519-sha512@openssh.com
. - Updated CVE database; credit Alexandre Zanni.
- Added
-g
and--gex-test
for granular GEX modulus size tests; credit Adam Russell. - Snap packages now print more user-friendly error messages when permission errors are encountered.
- JSON 'target' field now always includes port number; credit tomatohater1337.
- JSON output now includes recommendations and CVE data.
- Mixed host key/CA key types (i.e.: RSA host keys signed with ED25519 CAs, etc.) are now properly handled.
- Warnings are now printed for 2048-bit moduli; partial credit Adam Russell.
- SHA-1 algorithms now cause failures.
- CBC mode ciphers are now warnings instead of failures.
- Generic failure/warning messages replaced with more specific reasons (i.e.: 'using weak cipher' => 'using broken RC4 cipher').
- Updated built-in policies to include missing host key size information.
- Added built-in policies for OpenSSH 8.8, 8.9, 9.0, 9.1, 9.2, and 9.3.
- Added 33 new host keys:
dsa2048-sha224@libassh.org
,dsa2048-sha256@libassh.org
,dsa3072-sha256@libassh.org
,ecdsa-sha2-1.3.132.0.10-cert-v01@openssh.com
,eddsa-e382-shake256@libassh.org
,eddsa-e521-shake256@libassh.org
,null
,pgp-sign-dss
,pgp-sign-rsa
,spki-sign-dss
,spki-sign-rsa
,ssh-dss-sha224@ssh.com
,ssh-dss-sha384@ssh.com
,ssh-dss-sha512@ssh.com
,ssh-ed448-cert-v01@openssh.com
,ssh-rsa-sha224@ssh.com
,ssh-rsa-sha2-256
,ssh-rsa-sha2-512
,ssh-rsa-sha384@ssh.com
,ssh-rsa-sha512@ssh.com
,ssh-xmss-cert-v01@openssh.com
,ssh-xmss@openssh.com
,webauthn-sk-ecdsa-sha2-nistp256@openssh.com
,x509v3-ecdsa-sha2-1.3.132.0.10
,x509v3-sign-dss-sha1
,x509v3-sign-dss-sha224@ssh.com
,x509v3-sign-dss-sha256@ssh.com
,x509v3-sign-dss-sha384@ssh.com
,x509v3-sign-dss-sha512@ssh.com
,x509v3-sign-rsa-sha1
,x509v3-sign-rsa-sha224@ssh.com
,x509v3-sign-rsa-sha384@ssh.com
,x509v3-sign-rsa-sha512@ssh.com
. - Added 46 new key exchanges:
diffie-hellman-group14-sha224@ssh.com
,diffie-hellman_group17-sha512
,diffie-hellman-group-exchange-sha224@ssh.com
,diffie-hellman-group-exchange-sha384@ssh.com
,ecdh-sha2-1.2.840.10045.3.1.1
,ecdh-sha2-1.2.840.10045.3.1.7
,ecdh-sha2-1.3.132.0.1
,ecdh-sha2-1.3.132.0.16
,ecdh-sha2-1.3.132.0.26
,ecdh-sha2-1.3.132.0.27
,ecdh-sha2-1.3.132.0.33
,ecdh-sha2-1.3.132.0.34
,ecdh-sha2-1.3.132.0.35
,ecdh-sha2-1.3.132.0.36
,ecdh-sha2-1.3.132.0.37
,ecdh-sha2-1.3.132.0.38
,ecdh-sha2-4MHB+NBt3AlaSRQ7MnB4cg==
,ecdh-sha2-5pPrSUQtIaTjUSt5VZNBjg==
,ecdh-sha2-9UzNcgwTlEnSCECZa7V1mw==
,ecdh-sha2-D3FefCjYoJ/kfXgAyLddYA==
,ecdh-sha2-h/SsxnLCtRBh7I9ATyeB3A==
,ecdh-sha2-m/FtSAmrV4j/Wy6RVUaK7A==
,ecdh-sha2-mNVwCXAoS1HGmHpLvBC94w==
,ecdh-sha2-qCbG5Cn/jjsZ7nBeR7EnOA==
,ecdh-sha2-qcFQaMAMGhTziMT0z+Tuzw==
,ecdh-sha2-VqBg4QRPjxx1EXZdV0GdWQ==
,ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==
,ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==
,ecmqv-sha2
,gss-13.3.132.0.10-sha256-*
,gss-curve25519-sha256-*
,gss-curve448-sha512-*
,gss-gex-sha1-*
,gss-gex-sha256-*
,gss-group14-sha1-*
,gss-group14-sha256-*
,gss-group15-sha512-*
,gss-group16-sha512-*
,gss-group17-sha512-*
,gss-group18-sha512-*
,gss-group1-sha1-*
,gss-nistp256-sha256-*
,gss-nistp384-sha256-*
,gss-nistp521-sha512-*
,m383-sha384@libassh.org
,m511-sha512@libassh.org
. - Added 28 new ciphers:
3des-cfb
,3des-ecb
,3des-ofb
,blowfish-cfb
,blowfish-ecb
,blowfish-ofb
,camellia128-cbc@openssh.org
,camellia128-ctr@openssh.org
,camellia192-cbc@openssh.org
,camellia192-ctr@openssh.org
,camellia256-cbc@openssh.org
,camellia256-ctr@openssh.org
,cast128-cfb
,cast128-ecb
,cast128-ofb
,cast128-12-cbc@ssh.com
,idea-cfb
,idea-ecb
,idea-ofb
,rijndael-cbc@ssh.com
,seed-ctr@ssh.com
,serpent128-gcm@libassh.org
,serpent256-gcm@libassh.org
,twofish128-gcm@libassh.org
,twofish256-gcm@libassh.org
,twofish-cfb
,twofish-ecb
,twofish-ofb
- Added 5 new MACs:
hmac-sha1-96@openssh.com
,hmac-sha224@ssh.com
,hmac-sha256-2@ssh.com
,hmac-sha384@ssh.com
,hmac-whirlpool
.