Skip to content

v3.3.0

Latest
Latest
Compare
Choose a tag to compare
@jtesta jtesta released this 15 Oct 20:08
· 4 commits to master since this release
v3.3.0
This tag was signed with the committer’s verified signature.
jtesta Joe Testa
GPG key ID: E44F5FD3B799916A
Learn about vigilant mode.
772204c

This release features many general bugfixes & improvements, as well as support for new standardized post-quantum algorithms.

This version is also available as a PyPI package (pip3 install ssh-audit), Docker image (docker pull positronsecurity/ssh-audit), Snap package (snap install ssh-audit), or as a Windows executable (see below, though be aware that sometimes Windows Defender inappropriately detects it as malware!).

  • Added Python 3.13 support.
  • Added built-in policies for Ubuntu 24.04 LTS server & client, OpenSSH 9.8, and OpenSSH 9.9.
  • Added IPv6 support for DHEat and connection rate tests.
  • Added TCP port information to JSON policy scan results; credit Fabian Malte Kopp.
  • Added LANcom LCOS server recognition and Ed448 key extraction; credit Daniel Lenski.
  • Now reports ECDSA and DSS fingerprints when in verbose mode; partial credit Daniel Lenski.
  • Removed CVE information based on server/client version numbers, as this was wildly inaccurate (see this thread for the full discussion, as well as the results of the community vote on this matter).
  • Fixed crash when running with -P and -T options simultaneously.
  • Fixed host key tests from only reporting a key type at most once despite multiple hosts supporting it; credit Daniel Lenski.
  • Fixed DHEat connection rate testing on MacOS X and BSD platforms; credit Drew Noel and Michael Osipov.
  • Fixed invalid JSON output when a socket error occurs while performing a client audit.
  • Fixed --conn-rate-test feature on Windows.
  • When scanning multiple targets (using -T/--targets), the -p/--port option will now be used as the default port (set to 22 if -p/--port is not given). Hosts specified in the file can override this default with an explicit port number (i.e.: "host1:1234"). For example, when using -T targets.txt -p 222, all hosts in targets.txt that do not explicitly include a port number will default to 222; when using -T targets.txt (without -p), all hosts will use a default of 22.
  • Updated built-in server & client policies for Amazon Linux 2023, Debian 12, Rocky Linux 9, and Ubuntu 22.04 to improve host key efficiency and cipher resistance to quantum attacks.
  • Added 1 new cipher: grasshopper-ctr128.
  • Added 2 new key exchanges: mlkem768x25519-sha256, sntrup761x25519-sha512.
Assets 7
Loading