summaryrefslogtreecommitdiffstats
path: root/test/docker/expected_results
diff options
context:
space:
mode:
Diffstat (limited to 'test/docker/expected_results')
-rw-r--r--test/docker/expected_results/dropbear_2019.78_test1.json371
-rw-r--r--test/docker/expected_results/dropbear_2019.78_test1.txt87
-rw-r--r--test/docker/expected_results/openssh_4.0p1_test1.json525
-rw-r--r--test/docker/expected_results/openssh_4.0p1_test1.txt130
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json6
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test1.txt3
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json31
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt28
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json23
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt9
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json22
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt9
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json32
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt9
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json31
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt9
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json6
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test7.txt18
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json19
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt24
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json19
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt24
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test1.json558
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test1.txt134
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test2.json560
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test2.txt135
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test3.json559
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test3.txt134
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test4.json558
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test4.txt133
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test5.json557
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test5.txt132
-rw-r--r--test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json43
-rw-r--r--test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.txt17
-rw-r--r--test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json66
-rw-r--r--test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt21
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json6
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test11.txt12
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json43
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt26
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json6
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test13.txt15
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json19
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt21
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json6
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test6.txt3
-rw-r--r--test/docker/expected_results/openssh_8.0p1_test1.json462
-rw-r--r--test/docker/expected_results/openssh_8.0p1_test1.txt99
-rw-r--r--test/docker/expected_results/openssh_8.0p1_test2.json421
-rw-r--r--test/docker/expected_results/openssh_8.0p1_test2.txt91
-rw-r--r--test/docker/expected_results/openssh_8.0p1_test3.json206
-rw-r--r--test/docker/expected_results/openssh_8.0p1_test3.txt51
-rw-r--r--test/docker/expected_results/tinyssh_20190101_test1.json98
-rw-r--r--test/docker/expected_results/tinyssh_20190101_test1.txt29
54 files changed, 6656 insertions, 0 deletions
diff --git a/test/docker/expected_results/dropbear_2019.78_test1.json b/test/docker/expected_results/dropbear_2019.78_test1.json
new file mode 100644
index 0000000..55dd8b6
--- /dev/null
+++ b/test/docker/expected_results/dropbear_2019.78_test1.json
@@ -0,0 +1,371 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "2.0",
+ "raw": "SSH-2.0-dropbear_2019.78",
+ "software": "dropbear_2019.78"
+ },
+ "compression": [
+ "zlib@openssh.com",
+ "none"
+ ],
+ "cves": [],
+ "enc": [
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "3des-ctr",
+ "notes": {
+ "fail": [
+ "using broken & deprecated 3DES cipher"
+ ],
+ "info": [
+ "available since Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "3des-cbc",
+ "notes": {
+ "fail": [
+ "using broken & deprecated 3DES cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-rsa"
+ },
+ {
+ "hash": "63:7f:54:f7:0a:28:7f:75:0b:f4:07:0b:fc:66:51:a2",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-rsa"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "curve25519-sha256",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 7.4, Dropbear SSH 2018.76"
+ ]
+ }
+ },
+ {
+ "algorithm": "curve25519-sha256@libssh.org",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 6.4, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdh-sha2-nistp521",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdh-sha2-nistp384",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdh-sha2-nistp256",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha256",
+ "notes": {
+ "info": [
+ "available since OpenSSH 7.3, Dropbear SSH 2016.73"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 3.9, Dropbear SSH 0.53"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "kexguess2@matt.ucc.asn.au",
+ "notes": {
+ "info": [
+ "available since Dropbear SSH 2013.57"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ecdsa-sha2-nistp256",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ],
+ "warn": [
+ "using weak random number generator could reveal the key"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-rsa",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm",
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-dss",
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak random number generator could reveal the key"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "hmac-sha1-96",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-256",
+ "notes": {
+ "info": [
+ "available since OpenSSH 5.9, Dropbear SSH 2013.56"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "critical": {
+ "del": {
+ "enc": [
+ {
+ "name": "3des-cbc",
+ "notes": ""
+ },
+ {
+ "name": "3des-ctr",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha1",
+ "notes": ""
+ },
+ {
+ "name": "ecdh-sha2-nistp256",
+ "notes": ""
+ },
+ {
+ "name": "ecdh-sha2-nistp384",
+ "notes": ""
+ },
+ {
+ "name": "ecdh-sha2-nistp521",
+ "notes": ""
+ }
+ ],
+ "key": [
+ {
+ "name": "ecdsa-sha2-nistp256",
+ "notes": ""
+ },
+ {
+ "name": "ssh-dss",
+ "notes": ""
+ },
+ {
+ "name": "ssh-rsa",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-sha1",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1-96",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "informational": {
+ "add": {
+ "enc": [
+ {
+ "name": "twofish128-ctr",
+ "notes": ""
+ },
+ {
+ "name": "twofish256-ctr",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group16-sha512",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "aes128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes256-cbc",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha256",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-sha2-256",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/dropbear_2019.78_test1.txt b/test/docker/expected_results/dropbear_2019.78_test1.txt
new file mode 100644
index 0000000..c0d5dfc
--- /dev/null
+++ b/test/docker/expected_results/dropbear_2019.78_test1.txt
@@ -0,0 +1,87 @@
+# general
+(gen) banner: SSH-2.0-dropbear_2019.78
+(gen) software: Dropbear SSH 2019.78
+(gen) compatibility: OpenSSH 7.4+ (some functionality from 6.6), Dropbear SSH 2018.76+
+(gen) compression: enabled (zlib@openssh.com)
+
+# key exchange algorithms
+(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) kexguess2@matt.ucc.asn.au -- [info] available since Dropbear SSH 2013.57
+
+# host-key algorithms
+(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [warn] using weak random number generator could reveal the key
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm
+ `- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ssh-dss -- [fail] using small 1024-bit modulus
+ `- [warn] using weak random number generator could reveal the key
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+ `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+# encryption algorithms (ciphers)
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes128-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) aes256-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) 3des-ctr -- [fail] using broken & deprecated 3DES cipher
+ `- [info] available since Dropbear SSH 0.52
+(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+
+# message authentication code algorithms
+(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+
+# fingerprints
+(fin) ssh-rsa: SHA256:CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM
+
+# algorithm recommendations (for Dropbear SSH 2019.78)
+(rec) -3des-cbc -- enc algorithm to remove 
+(rec) -3des-ctr -- enc algorithm to remove 
+(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove 
+(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove 
+(rec) -hmac-sha1 -- mac algorithm to remove 
+(rec) -hmac-sha1-96 -- mac algorithm to remove 
+(rec) -ssh-dss -- key algorithm to remove 
+(rec) -ssh-rsa -- key algorithm to remove 
+(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append 
+(rec) +twofish128-ctr -- enc algorithm to append 
+(rec) +twofish256-ctr -- enc algorithm to append 
+(rec) -aes128-cbc -- enc algorithm to remove 
+(rec) -aes256-cbc -- enc algorithm to remove 
+(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove 
+(rec) -hmac-sha2-256 -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/openssh_4.0p1_test1.json b/test/docker/expected_results/openssh_4.0p1_test1.json
new file mode 100644
index 0000000..f5735a9
--- /dev/null
+++ b/test/docker/expected_results/openssh_4.0p1_test1.json
@@ -0,0 +1,525 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "1.99",
+ "raw": "SSH-1.99-OpenSSH_4.0",
+ "software": "OpenSSH_4.0"
+ },
+ "compression": [
+ "none",
+ "zlib"
+ ],
+ "cves": [
+ {
+ "cvssv2": 7.8,
+ "description": "command injection via anomalous argument transfers",
+ "name": "CVE-2020-15778"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames due to timing discrepancies",
+ "name": "CVE-2018-15473"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "readonly bypass via sftp",
+ "name": "CVE-2017-15906"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames via challenge response",
+ "name": "CVE-2016-20012"
+ },
+ {
+ "cvssv2": 5.5,
+ "description": "bypass command restrictions via crafted X11 forwarding data",
+ "name": "CVE-2016-3115"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "cause DoS via triggering error condition (memory corruption)",
+ "name": "CVE-2014-1692"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "leak data via debug messages",
+ "name": "CVE-2012-0814"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "cause DoS via large value in certain length field (memory consumption)",
+ "name": "CVE-2011-5000"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via large number of connections (slot exhaustion)",
+ "name": "CVE-2010-5107"
+ },
+ {
+ "cvssv2": 4.0,
+ "description": "cause DoS via crafted glob expression (CPU and memory consumption)",
+ "name": "CVE-2010-4755"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "bypass authentication check via crafted values",
+ "name": "CVE-2010-4478"
+ },
+ {
+ "cvssv2": 2.6,
+ "description": "recover plaintext data from ciphertext",
+ "name": "CVE-2008-5161"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via multiple login attempts (slot exhaustion)",
+ "name": "CVE-2008-4109"
+ },
+ {
+ "cvssv2": 6.5,
+ "description": "bypass command restrictions via modifying session file",
+ "name": "CVE-2008-1657"
+ },
+ {
+ "cvssv2": 6.9,
+ "description": "hijack forwarded X11 connections",
+ "name": "CVE-2008-1483"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "privilege escalation via causing an X client to be trusted",
+ "name": "CVE-2007-4752"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "discover valid usernames through different responses",
+ "name": "CVE-2007-2243"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "discover valid usernames through different responses",
+ "name": "CVE-2006-5052"
+ },
+ {
+ "cvssv2": 9.3,
+ "description": "cause DoS or execute arbitrary code (double free)",
+ "name": "CVE-2006-5051"
+ },
+ {
+ "cvssv2": 7.8,
+ "description": "cause DoS via crafted packet (CPU consumption)",
+ "name": "CVE-2006-4924"
+ },
+ {
+ "cvssv2": 4.6,
+ "description": "execute arbitrary code",
+ "name": "CVE-2006-0225"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "leak data about authentication credentials",
+ "name": "CVE-2005-2798"
+ }
+ ],
+ "enc": [
+ {
+ "algorithm": "aes128-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "3des-cbc",
+ "notes": {
+ "fail": [
+ "using broken & deprecated 3DES cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "blowfish-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated Blowfish cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "cast128-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated CAST cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "rijndael-cbc@lysator.liu.se",
+ "notes": {
+ "fail": [
+ "using deprecated & non-standardized Rijndael cipher"
+ ],
+ "info": [
+ "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-rsa"
+ },
+ {
+ "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-rsa"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha1",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 3.9, Dropbear SSH 0.53"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group1-sha1",
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus",
+ "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ssh-rsa",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm",
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-dss",
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak random number generator could reveal the key"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "hmac-md5",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160@openssh.com",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1-96",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-md5-96",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "critical": {
+ "del": {
+ "enc": [
+ {
+ "name": "3des-cbc",
+ "notes": ""
+ },
+ {
+ "name": "arcfour",
+ "notes": ""
+ },
+ {
+ "name": "blowfish-cbc",
+ "notes": ""
+ },
+ {
+ "name": "cast128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "rijndael-cbc@lysator.liu.se",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group1-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group-exchange-sha1",
+ "notes": ""
+ }
+ ],
+ "key": [
+ {
+ "name": "ssh-dss",
+ "notes": ""
+ },
+ {
+ "name": "ssh-rsa",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-md5",
+ "notes": ""
+ },
+ {
+ "name": "hmac-md5-96",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1-96",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "aes128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes192-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes256-cbc",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/openssh_4.0p1_test1.txt b/test/docker/expected_results/openssh_4.0p1_test1.txt
new file mode 100644
index 0000000..4810a47
--- /dev/null
+++ b/test/docker/expected_results/openssh_4.0p1_test1.txt
@@ -0,0 +1,130 @@
+# general
+(gen) banner: SSH-1.99-OpenSSH_4.0
+(gen) protocol SSH1 enabled
+(gen) software: OpenSSH 4.0
+(gen) compatibility: OpenSSH 3.9-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)
+(gen) compression: enabled (zlib)
+
+# security
+(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
+(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies
+(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp
+(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
+(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
+(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
+(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages
+(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
+(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
+(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
+(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values
+(cve) CVE-2008-5161 -- (CVSSv2: 2.6) recover plaintext data from ciphertext
+(cve) CVE-2008-4109 -- (CVSSv2: 5.0) cause DoS via multiple login attempts (slot exhaustion)
+(cve) CVE-2008-1657 -- (CVSSv2: 6.5) bypass command restrictions via modifying session file
+(cve) CVE-2008-1483 -- (CVSSv2: 6.9) hijack forwarded X11 connections
+(cve) CVE-2007-4752 -- (CVSSv2: 7.5) privilege escalation via causing an X client to be trusted
+(cve) CVE-2007-2243 -- (CVSSv2: 5.0) discover valid usernames through different responses
+(cve) CVE-2006-5052 -- (CVSSv2: 5.0) discover valid usernames through different responses
+(cve) CVE-2006-5051 -- (CVSSv2: 9.3) cause DoS or execute arbitrary code (double free)
+(cve) CVE-2006-4924 -- (CVSSv2: 7.8) cause DoS via crafted packet (CPU consumption)
+(cve) CVE-2006-0225 -- (CVSSv2: 4.6) execute arbitrary code
+(cve) CVE-2005-2798 -- (CVSSv2: 5.0) leak data about authentication credentials
+(sec) SSH v1 enabled -- SSH v1 can be exploited to recover plaintext passwords
+
+# key exchange algorithms
+(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.3.0
+(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
+ `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
+ `- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+ `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
+
+# host-key algorithms
+(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm
+ `- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ssh-dss -- [fail] using small 1024-bit modulus
+ `- [warn] using weak random number generator could reveal the key
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+ `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+# encryption algorithms (ciphers)
+(enc) aes128-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 2.1.0
+(enc) arcfour -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 2.1.0
+(enc) aes192-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+(enc) aes256-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher
+ `- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+ `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+
+# message authentication code algorithms
+(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0
+(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+
+# fingerprints
+(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4
+
+# algorithm recommendations (for OpenSSH 4.0)
+(rec) -3des-cbc -- enc algorithm to remove 
+(rec) -arcfour -- enc algorithm to remove 
+(rec) -blowfish-cbc -- enc algorithm to remove 
+(rec) -cast128-cbc -- enc algorithm to remove 
+(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -hmac-md5 -- mac algorithm to remove 
+(rec) -hmac-md5-96 -- mac algorithm to remove 
+(rec) -hmac-ripemd160 -- mac algorithm to remove 
+(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove 
+(rec) -hmac-sha1 -- mac algorithm to remove 
+(rec) -hmac-sha1-96 -- mac algorithm to remove 
+(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove 
+(rec) -ssh-dss -- key algorithm to remove 
+(rec) -ssh-rsa -- key algorithm to remove 
+(rec) -aes128-cbc -- enc algorithm to remove 
+(rec) -aes192-cbc -- enc algorithm to remove 
+(rec) -aes256-cbc -- enc algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json
new file mode 100644
index 0000000..6480bca
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json
@@ -0,0 +1,6 @@
+{
+ "errors": [],
+ "host": "localhost",
+ "passed": true,
+ "policy": "Docker policy: test1 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.txt
new file mode 100644
index 0000000..01146f8
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.txt
@@ -0,0 +1,3 @@
+Host: localhost:2222
+Policy: Docker policy: test1 (version 1)
+Result: ✔ Passed
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json
new file mode 100644
index 0000000..0a1e148
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json
@@ -0,0 +1,31 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "3072"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "Host key (ssh-rsa-cert-v01@openssh.com) sizes"
+ },
+ {
+ "actual": [
+ "1024"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "CA signature size (ssh-rsa)"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Docker poliicy: test10 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt
new file mode 100644
index 0000000..425d463
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt
@@ -0,0 +1,28 @@
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host: localhost:2222
+Policy: Docker poliicy: test10 (version 1)
+Result: ❌ Failed!
+
+Errors:
+ * CA signature size (ssh-rsa) did not match.
+ - Expected: 4096
+ - Actual: 1024
+
+ * Host key (ssh-rsa-cert-v01@openssh.com) sizes did not match.
+ - Expected: 4096
+ - Actual: 3072
+
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json
new file mode 100644
index 0000000..edf4254
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json
@@ -0,0 +1,23 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "diffie-hellman-group-exchange-sha256",
+ "diffie-hellman-group-exchange-sha1",
+ "diffie-hellman-group14-sha1",
+ "diffie-hellman-group1-sha1"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "kex_alg1",
+ "kex_alg2"
+ ],
+ "mismatched_field": "Key exchanges"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Docker policy: test2 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt
new file mode 100644
index 0000000..e88e44b
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt
@@ -0,0 +1,9 @@
+Host: localhost:2222
+Policy: Docker policy: test2 (version 1)
+Result: ❌ Failed!
+
+Errors:
+ * Key exchanges did not match.
+ - Expected: kex_alg1, kex_alg2
+ - Actual: diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json
new file mode 100644
index 0000000..a98fa8d
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json
@@ -0,0 +1,22 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "ssh-rsa",
+ "ssh-dss"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "ssh-rsa",
+ "ssh-dss",
+ "key_alg1"
+ ],
+ "mismatched_field": "Host keys"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Docker policy: test3 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt
new file mode 100644
index 0000000..cf7eefc
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt
@@ -0,0 +1,9 @@
+Host: localhost:2222
+Policy: Docker policy: test3 (version 1)
+Result: ❌ Failed!
+
+Errors:
+ * Host keys did not match.
+ - Expected: ssh-rsa, ssh-dss, key_alg1
+ - Actual: ssh-rsa, ssh-dss
+
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json
new file mode 100644
index 0000000..317f7e2
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json
@@ -0,0 +1,32 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "aes128-ctr",
+ "aes192-ctr",
+ "aes256-ctr",
+ "arcfour256",
+ "arcfour128",
+ "aes128-cbc",
+ "3des-cbc",
+ "blowfish-cbc",
+ "cast128-cbc",
+ "aes192-cbc",
+ "aes256-cbc",
+ "arcfour",
+ "rijndael-cbc@lysator.liu.se"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "cipher_alg1",
+ "cipher_alg2"
+ ],
+ "mismatched_field": "Ciphers"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Docker policy: test4 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt
new file mode 100644
index 0000000..514b715
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt
@@ -0,0 +1,9 @@
+Host: localhost:2222
+Policy: Docker policy: test4 (version 1)
+Result: ❌ Failed!
+
+Errors:
+ * Ciphers did not match.
+ - Expected: cipher_alg1, cipher_alg2
+ - Actual: aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json
new file mode 100644
index 0000000..50c0b86
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json
@@ -0,0 +1,31 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "hmac-md5",
+ "hmac-sha1",
+ "umac-64@openssh.com",
+ "hmac-ripemd160",
+ "hmac-ripemd160@openssh.com",
+ "hmac-sha1-96",
+ "hmac-md5-96"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "hmac-md5",
+ "hmac-sha1",
+ "umac-64@openssh.com",
+ "hmac-ripemd160",
+ "hmac-ripemd160@openssh.com",
+ "hmac_alg1",
+ "hmac-md5-96"
+ ],
+ "mismatched_field": "MACs"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Docker policy: test5 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt
new file mode 100644
index 0000000..746ca8c
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt
@@ -0,0 +1,9 @@
+Host: localhost:2222
+Policy: Docker policy: test5 (version 1)
+Result: ❌ Failed!
+
+Errors:
+ * MACs did not match.
+ - Expected: hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac_alg1, hmac-md5-96
+ - Actual: hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
+
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json
new file mode 100644
index 0000000..dcc1d6c
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json
@@ -0,0 +1,6 @@
+{
+ "errors": [],
+ "host": "localhost",
+ "passed": true,
+ "policy": "Docker poliicy: test7 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.txt
new file mode 100644
index 0000000..1d3af14
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.txt
@@ -0,0 +1,18 @@
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host: localhost:2222
+Policy: Docker poliicy: test7 (version 1)
+Result: ✔ Passed
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json
new file mode 100644
index 0000000..e7f06a6
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json
@@ -0,0 +1,19 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "1024"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "2048"
+ ],
+ "mismatched_field": "CA signature size (ssh-rsa)"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Docker poliicy: test8 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt
new file mode 100644
index 0000000..05ab91d
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt
@@ -0,0 +1,24 @@
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host: localhost:2222
+Policy: Docker poliicy: test8 (version 1)
+Result: ❌ Failed!
+
+Errors:
+ * CA signature size (ssh-rsa) did not match.
+ - Expected: 2048
+ - Actual: 1024
+
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json
new file mode 100644
index 0000000..51d1067
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json
@@ -0,0 +1,19 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "3072"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "Host key (ssh-rsa-cert-v01@openssh.com) sizes"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Docker poliicy: test9 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt
new file mode 100644
index 0000000..94060ab
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt
@@ -0,0 +1,24 @@
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host: localhost:2222
+Policy: Docker poliicy: test9 (version 1)
+Result: ❌ Failed!
+
+Errors:
+ * Host key (ssh-rsa-cert-v01@openssh.com) sizes did not match.
+ - Expected: 4096
+ - Actual: 3072
+
diff --git a/test/docker/expected_results/openssh_5.6p1_test1.json b/test/docker/expected_results/openssh_5.6p1_test1.json
new file mode 100644
index 0000000..53216e5
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test1.json
@@ -0,0 +1,558 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "2.0",
+ "raw": "SSH-2.0-OpenSSH_5.6",
+ "software": "OpenSSH_5.6"
+ },
+ "compression": [
+ "none",
+ "zlib@openssh.com"
+ ],
+ "cves": [
+ {
+ "cvssv2": 7.8,
+ "description": "command injection via anomalous argument transfers",
+ "name": "CVE-2020-15778"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames due to timing discrepancies",
+ "name": "CVE-2018-15473"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "readonly bypass via sftp",
+ "name": "CVE-2017-15906"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames via challenge response",
+ "name": "CVE-2016-20012"
+ },
+ {
+ "cvssv2": 5.5,
+ "description": "bypass command restrictions via crafted X11 forwarding data",
+ "name": "CVE-2016-3115"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via crafted network traffic (out of bounds read)",
+ "name": "CVE-2016-1907"
+ },
+ {
+ "cvssv2": 6.9,
+ "description": "privilege escalation via leveraging sshd uid",
+ "name": "CVE-2015-6564"
+ },
+ {
+ "cvssv2": 1.9,
+ "description": "conduct impersonation attack",
+ "name": "CVE-2015-6563"
+ },
+ {
+ "cvssv2": 5.8,
+ "description": "bypass environment restrictions via specific string before wildcard",
+ "name": "CVE-2014-2532"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "cause DoS via triggering error condition (memory corruption)",
+ "name": "CVE-2014-1692"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "leak data via debug messages",
+ "name": "CVE-2012-0814"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "cause DoS via large value in certain length field (memory consumption)",
+ "name": "CVE-2011-5000"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via large number of connections (slot exhaustion)",
+ "name": "CVE-2010-5107"
+ },
+ {
+ "cvssv2": 4.0,
+ "description": "cause DoS via crafted glob expression (CPU and memory consumption)",
+ "name": "CVE-2010-4755"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "bypass authentication check via crafted values",
+ "name": "CVE-2010-4478"
+ }
+ ],
+ "enc": [
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour256",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour128",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "3des-cbc",
+ "notes": {
+ "fail": [
+ "using broken & deprecated 3DES cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "blowfish-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated Blowfish cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "cast128-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated CAST cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "rijndael-cbc@lysator.liu.se",
+ "notes": {
+ "fail": [
+ "using deprecated & non-standardized Rijndael cipher"
+ ],
+ "info": [
+ "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-rsa"
+ },
+ {
+ "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-rsa"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha256",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 4.4"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha1",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 3.9, Dropbear SSH 0.53"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group1-sha1",
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus",
+ "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ssh-rsa",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm",
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-dss",
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak random number generator could reveal the key"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "hmac-md5",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-64@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 4.7"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode",
+ "using small 64-bit tag size"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160@openssh.com",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1-96",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-md5-96",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "critical": {
+ "chg": {
+ "kex": [
+ {
+ "name": "diffie-hellman-group-exchange-sha256",
+ "notes": "increase modulus size to 3072 bits or larger"
+ }
+ ]
+ },
+ "del": {
+ "enc": [
+ {
+ "name": "3des-cbc",
+ "notes": ""
+ },
+ {
+ "name": "arcfour128",
+ "notes": ""
+ },
+ {
+ "name": "arcfour",
+ "notes": ""
+ },
+ {
+ "name": "arcfour256",
+ "notes": ""
+ },
+ {
+ "name": "blowfish-cbc",
+ "notes": ""
+ },
+ {
+ "name": "cast128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "rijndael-cbc@lysator.liu.se",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group1-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group-exchange-sha1",
+ "notes": ""
+ }
+ ],
+ "key": [
+ {
+ "name": "ssh-dss",
+ "notes": ""
+ },
+ {
+ "name": "ssh-rsa",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-md5",
+ "notes": ""
+ },
+ {
+ "name": "hmac-md5-96",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1-96",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "aes128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes192-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes256-cbc",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "umac-64@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_test1.txt b/test/docker/expected_results/openssh_5.6p1_test1.txt
new file mode 100644
index 0000000..601dc39
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test1.txt
@@ -0,0 +1,134 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_5.6
+(gen) software: OpenSSH 5.6
+(gen) compatibility: OpenSSH 4.7-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
+(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies
+(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp
+(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
+(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
+(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
+(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
+(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack
+(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard
+(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
+(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages
+(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
+(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
+(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
+(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values
+
+# key exchange algorithms
+(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 4.4
+(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.3.0
+(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
+ `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
+ `- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+ `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
+
+# host-key algorithms
+(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm
+ `- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ssh-dss -- [fail] using small 1024-bit modulus
+ `- [warn] using weak random number generator could reveal the key
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+ `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+# encryption algorithms (ciphers)
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) arcfour256 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) arcfour128 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) aes128-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 2.1.0
+(enc) aes192-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+(enc) aes256-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) arcfour -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 2.1.0
+(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher
+ `- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+ `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+# message authentication code algorithms
+(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 4.7
+(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0
+(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+
+# fingerprints
+(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4
+
+# algorithm recommendations (for OpenSSH 5.6)
+(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) 
+(rec) -3des-cbc -- enc algorithm to remove 
+(rec) -arcfour -- enc algorithm to remove 
+(rec) -arcfour128 -- enc algorithm to remove 
+(rec) -arcfour256 -- enc algorithm to remove 
+(rec) -blowfish-cbc -- enc algorithm to remove 
+(rec) -cast128-cbc -- enc algorithm to remove 
+(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -hmac-md5 -- mac algorithm to remove 
+(rec) -hmac-md5-96 -- mac algorithm to remove 
+(rec) -hmac-ripemd160 -- mac algorithm to remove 
+(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove 
+(rec) -hmac-sha1 -- mac algorithm to remove 
+(rec) -hmac-sha1-96 -- mac algorithm to remove 
+(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove 
+(rec) -ssh-dss -- key algorithm to remove 
+(rec) -ssh-rsa -- key algorithm to remove 
+(rec) -aes128-cbc -- enc algorithm to remove 
+(rec) -aes192-cbc -- enc algorithm to remove 
+(rec) -aes256-cbc -- enc algorithm to remove 
+(rec) -umac-64@openssh.com -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/openssh_5.6p1_test2.json b/test/docker/expected_results/openssh_5.6p1_test2.json
new file mode 100644
index 0000000..a1dd987
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test2.json
@@ -0,0 +1,560 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "2.0",
+ "raw": "SSH-2.0-OpenSSH_5.6",
+ "software": "OpenSSH_5.6"
+ },
+ "compression": [
+ "none",
+ "zlib@openssh.com"
+ ],
+ "cves": [
+ {
+ "cvssv2": 7.8,
+ "description": "command injection via anomalous argument transfers",
+ "name": "CVE-2020-15778"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames due to timing discrepancies",
+ "name": "CVE-2018-15473"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "readonly bypass via sftp",
+ "name": "CVE-2017-15906"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames via challenge response",
+ "name": "CVE-2016-20012"
+ },
+ {
+ "cvssv2": 5.5,
+ "description": "bypass command restrictions via crafted X11 forwarding data",
+ "name": "CVE-2016-3115"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via crafted network traffic (out of bounds read)",
+ "name": "CVE-2016-1907"
+ },
+ {
+ "cvssv2": 6.9,
+ "description": "privilege escalation via leveraging sshd uid",
+ "name": "CVE-2015-6564"
+ },
+ {
+ "cvssv2": 1.9,
+ "description": "conduct impersonation attack",
+ "name": "CVE-2015-6563"
+ },
+ {
+ "cvssv2": 5.8,
+ "description": "bypass environment restrictions via specific string before wildcard",
+ "name": "CVE-2014-2532"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "cause DoS via triggering error condition (memory corruption)",
+ "name": "CVE-2014-1692"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "leak data via debug messages",
+ "name": "CVE-2012-0814"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "cause DoS via large value in certain length field (memory consumption)",
+ "name": "CVE-2011-5000"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via large number of connections (slot exhaustion)",
+ "name": "CVE-2010-5107"
+ },
+ {
+ "cvssv2": 4.0,
+ "description": "cause DoS via crafted glob expression (CPU and memory consumption)",
+ "name": "CVE-2010-4755"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "bypass authentication check via crafted values",
+ "name": "CVE-2010-4478"
+ }
+ ],
+ "enc": [
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour256",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour128",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "3des-cbc",
+ "notes": {
+ "fail": [
+ "using broken & deprecated 3DES cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "blowfish-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated Blowfish cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "cast128-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated CAST cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "rijndael-cbc@lysator.liu.se",
+ "notes": {
+ "fail": [
+ "using deprecated & non-standardized Rijndael cipher"
+ ],
+ "info": [
+ "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-rsa"
+ },
+ {
+ "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-rsa"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha256",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 4.4"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha1",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 3.9, Dropbear SSH 0.53"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group1-sha1",
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus",
+ "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ssh-rsa",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm",
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-rsa-cert-v01@openssh.com",
+ "ca_algorithm": "ssh-rsa",
+ "casize": 1024,
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm",
+ "using small 1024-bit hostkey modulus",
+ "using small 1024-bit CA key modulus"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 5.6"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "hmac-md5",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-64@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 4.7"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode",
+ "using small 64-bit tag size"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160@openssh.com",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1-96",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-md5-96",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "critical": {
+ "chg": {
+ "kex": [
+ {
+ "name": "diffie-hellman-group-exchange-sha256",
+ "notes": "increase modulus size to 3072 bits or larger"
+ }
+ ]
+ },
+ "del": {
+ "enc": [
+ {
+ "name": "3des-cbc",
+ "notes": ""
+ },
+ {
+ "name": "arcfour128",
+ "notes": ""
+ },
+ {
+ "name": "arcfour",
+ "notes": ""
+ },
+ {
+ "name": "arcfour256",
+ "notes": ""
+ },
+ {
+ "name": "blowfish-cbc",
+ "notes": ""
+ },
+ {
+ "name": "cast128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "rijndael-cbc@lysator.liu.se",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group1-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group-exchange-sha1",
+ "notes": ""
+ }
+ ],
+ "key": [
+ {
+ "name": "ssh-rsa",
+ "notes": ""
+ },
+ {
+ "name": "ssh-rsa-cert-v01@openssh.com",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-md5",
+ "notes": ""
+ },
+ {
+ "name": "hmac-md5-96",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1-96",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "aes128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes192-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes256-cbc",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "umac-64@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_test2.txt b/test/docker/expected_results/openssh_5.6p1_test2.txt
new file mode 100644
index 0000000..6b3b975
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test2.txt
@@ -0,0 +1,135 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_5.6
+(gen) software: OpenSSH 5.6
+(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
+(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies
+(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp
+(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
+(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
+(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
+(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
+(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack
+(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard
+(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
+(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages
+(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
+(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
+(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
+(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values
+
+# key exchange algorithms
+(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 4.4
+(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.3.0
+(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
+ `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
+ `- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+ `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
+
+# host-key algorithms
+(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm
+ `- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/1024-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm
+ `- [fail] using small 1024-bit hostkey modulus
+ `- [fail] using small 1024-bit CA key modulus
+ `- [info] available since OpenSSH 5.6
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+
+# encryption algorithms (ciphers)
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) arcfour256 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) arcfour128 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) aes128-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 2.1.0
+(enc) aes192-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+(enc) aes256-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) arcfour -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 2.1.0
+(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher
+ `- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+ `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+# message authentication code algorithms
+(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 4.7
+(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0
+(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+
+# fingerprints
+(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4
+
+# algorithm recommendations (for OpenSSH 5.6)
+(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) 
+(rec) -3des-cbc -- enc algorithm to remove 
+(rec) -arcfour -- enc algorithm to remove 
+(rec) -arcfour128 -- enc algorithm to remove 
+(rec) -arcfour256 -- enc algorithm to remove 
+(rec) -blowfish-cbc -- enc algorithm to remove 
+(rec) -cast128-cbc -- enc algorithm to remove 
+(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -hmac-md5 -- mac algorithm to remove 
+(rec) -hmac-md5-96 -- mac algorithm to remove 
+(rec) -hmac-ripemd160 -- mac algorithm to remove 
+(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove 
+(rec) -hmac-sha1 -- mac algorithm to remove 
+(rec) -hmac-sha1-96 -- mac algorithm to remove 
+(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove 
+(rec) -ssh-rsa -- key algorithm to remove 
+(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove 
+(rec) -aes128-cbc -- enc algorithm to remove 
+(rec) -aes192-cbc -- enc algorithm to remove 
+(rec) -aes256-cbc -- enc algorithm to remove 
+(rec) -umac-64@openssh.com -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/openssh_5.6p1_test3.json b/test/docker/expected_results/openssh_5.6p1_test3.json
new file mode 100644
index 0000000..2cbd316
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test3.json
@@ -0,0 +1,559 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "2.0",
+ "raw": "SSH-2.0-OpenSSH_5.6",
+ "software": "OpenSSH_5.6"
+ },
+ "compression": [
+ "none",
+ "zlib@openssh.com"
+ ],
+ "cves": [
+ {
+ "cvssv2": 7.8,
+ "description": "command injection via anomalous argument transfers",
+ "name": "CVE-2020-15778"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames due to timing discrepancies",
+ "name": "CVE-2018-15473"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "readonly bypass via sftp",
+ "name": "CVE-2017-15906"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames via challenge response",
+ "name": "CVE-2016-20012"
+ },
+ {
+ "cvssv2": 5.5,
+ "description": "bypass command restrictions via crafted X11 forwarding data",
+ "name": "CVE-2016-3115"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via crafted network traffic (out of bounds read)",
+ "name": "CVE-2016-1907"
+ },
+ {
+ "cvssv2": 6.9,
+ "description": "privilege escalation via leveraging sshd uid",
+ "name": "CVE-2015-6564"
+ },
+ {
+ "cvssv2": 1.9,
+ "description": "conduct impersonation attack",
+ "name": "CVE-2015-6563"
+ },
+ {
+ "cvssv2": 5.8,
+ "description": "bypass environment restrictions via specific string before wildcard",
+ "name": "CVE-2014-2532"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "cause DoS via triggering error condition (memory corruption)",
+ "name": "CVE-2014-1692"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "leak data via debug messages",
+ "name": "CVE-2012-0814"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "cause DoS via large value in certain length field (memory consumption)",
+ "name": "CVE-2011-5000"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via large number of connections (slot exhaustion)",
+ "name": "CVE-2010-5107"
+ },
+ {
+ "cvssv2": 4.0,
+ "description": "cause DoS via crafted glob expression (CPU and memory consumption)",
+ "name": "CVE-2010-4755"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "bypass authentication check via crafted values",
+ "name": "CVE-2010-4478"
+ }
+ ],
+ "enc": [
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour256",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour128",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "3des-cbc",
+ "notes": {
+ "fail": [
+ "using broken & deprecated 3DES cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "blowfish-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated Blowfish cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "cast128-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated CAST cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "rijndael-cbc@lysator.liu.se",
+ "notes": {
+ "fail": [
+ "using deprecated & non-standardized Rijndael cipher"
+ ],
+ "info": [
+ "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-rsa"
+ },
+ {
+ "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-rsa"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha256",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 4.4"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha1",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 3.9, Dropbear SSH 0.53"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group1-sha1",
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus",
+ "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ssh-rsa",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm",
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-rsa-cert-v01@openssh.com",
+ "ca_algorithm": "ssh-rsa",
+ "casize": 3072,
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm",
+ "using small 1024-bit hostkey modulus"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 5.6"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "hmac-md5",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-64@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 4.7"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode",
+ "using small 64-bit tag size"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160@openssh.com",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1-96",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-md5-96",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "critical": {
+ "chg": {
+ "kex": [
+ {
+ "name": "diffie-hellman-group-exchange-sha256",
+ "notes": "increase modulus size to 3072 bits or larger"
+ }
+ ]
+ },
+ "del": {
+ "enc": [
+ {
+ "name": "3des-cbc",
+ "notes": ""
+ },
+ {
+ "name": "arcfour128",
+ "notes": ""
+ },
+ {
+ "name": "arcfour",
+ "notes": ""
+ },
+ {
+ "name": "arcfour256",
+ "notes": ""
+ },
+ {
+ "name": "blowfish-cbc",
+ "notes": ""
+ },
+ {
+ "name": "cast128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "rijndael-cbc@lysator.liu.se",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group1-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group-exchange-sha1",
+ "notes": ""
+ }
+ ],
+ "key": [
+ {
+ "name": "ssh-rsa",
+ "notes": ""
+ },
+ {
+ "name": "ssh-rsa-cert-v01@openssh.com",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-md5",
+ "notes": ""
+ },
+ {
+ "name": "hmac-md5-96",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1-96",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "aes128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes192-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes256-cbc",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "umac-64@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_test3.txt b/test/docker/expected_results/openssh_5.6p1_test3.txt
new file mode 100644
index 0000000..991c502
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test3.txt
@@ -0,0 +1,134 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_5.6
+(gen) software: OpenSSH 5.6
+(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
+(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies
+(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp
+(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
+(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
+(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
+(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
+(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack
+(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard
+(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
+(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages
+(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
+(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
+(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
+(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values
+
+# key exchange algorithms
+(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 4.4
+(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.3.0
+(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
+ `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
+ `- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+ `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
+
+# host-key algorithms
+(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm
+ `- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/3072-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm
+ `- [fail] using small 1024-bit hostkey modulus
+ `- [info] available since OpenSSH 5.6
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+
+# encryption algorithms (ciphers)
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) arcfour256 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) arcfour128 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) aes128-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 2.1.0
+(enc) aes192-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+(enc) aes256-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) arcfour -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 2.1.0
+(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher
+ `- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+ `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+# message authentication code algorithms
+(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 4.7
+(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0
+(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+
+# fingerprints
+(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4
+
+# algorithm recommendations (for OpenSSH 5.6)
+(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) 
+(rec) -3des-cbc -- enc algorithm to remove 
+(rec) -arcfour -- enc algorithm to remove 
+(rec) -arcfour128 -- enc algorithm to remove 
+(rec) -arcfour256 -- enc algorithm to remove 
+(rec) -blowfish-cbc -- enc algorithm to remove 
+(rec) -cast128-cbc -- enc algorithm to remove 
+(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -hmac-md5 -- mac algorithm to remove 
+(rec) -hmac-md5-96 -- mac algorithm to remove 
+(rec) -hmac-ripemd160 -- mac algorithm to remove 
+(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove 
+(rec) -hmac-sha1 -- mac algorithm to remove 
+(rec) -hmac-sha1-96 -- mac algorithm to remove 
+(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove 
+(rec) -ssh-rsa -- key algorithm to remove 
+(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove 
+(rec) -aes128-cbc -- enc algorithm to remove 
+(rec) -aes192-cbc -- enc algorithm to remove 
+(rec) -aes256-cbc -- enc algorithm to remove 
+(rec) -umac-64@openssh.com -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/openssh_5.6p1_test4.json b/test/docker/expected_results/openssh_5.6p1_test4.json
new file mode 100644
index 0000000..90f5fc6
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test4.json
@@ -0,0 +1,558 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "2.0",
+ "raw": "SSH-2.0-OpenSSH_5.6",
+ "software": "OpenSSH_5.6"
+ },
+ "compression": [
+ "none",
+ "zlib@openssh.com"
+ ],
+ "cves": [
+ {
+ "cvssv2": 7.8,
+ "description": "command injection via anomalous argument transfers",
+ "name": "CVE-2020-15778"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames due to timing discrepancies",
+ "name": "CVE-2018-15473"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "readonly bypass via sftp",
+ "name": "CVE-2017-15906"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames via challenge response",
+ "name": "CVE-2016-20012"
+ },
+ {
+ "cvssv2": 5.5,
+ "description": "bypass command restrictions via crafted X11 forwarding data",
+ "name": "CVE-2016-3115"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via crafted network traffic (out of bounds read)",
+ "name": "CVE-2016-1907"
+ },
+ {
+ "cvssv2": 6.9,
+ "description": "privilege escalation via leveraging sshd uid",
+ "name": "CVE-2015-6564"
+ },
+ {
+ "cvssv2": 1.9,
+ "description": "conduct impersonation attack",
+ "name": "CVE-2015-6563"
+ },
+ {
+ "cvssv2": 5.8,
+ "description": "bypass environment restrictions via specific string before wildcard",
+ "name": "CVE-2014-2532"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "cause DoS via triggering error condition (memory corruption)",
+ "name": "CVE-2014-1692"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "leak data via debug messages",
+ "name": "CVE-2012-0814"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "cause DoS via large value in certain length field (memory consumption)",
+ "name": "CVE-2011-5000"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via large number of connections (slot exhaustion)",
+ "name": "CVE-2010-5107"
+ },
+ {
+ "cvssv2": 4.0,
+ "description": "cause DoS via crafted glob expression (CPU and memory consumption)",
+ "name": "CVE-2010-4755"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "bypass authentication check via crafted values",
+ "name": "CVE-2010-4478"
+ }
+ ],
+ "enc": [
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour256",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour128",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "3des-cbc",
+ "notes": {
+ "fail": [
+ "using broken & deprecated 3DES cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "blowfish-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated Blowfish cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "cast128-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated CAST cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "rijndael-cbc@lysator.liu.se",
+ "notes": {
+ "fail": [
+ "using deprecated & non-standardized Rijndael cipher"
+ ],
+ "info": [
+ "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-rsa"
+ },
+ {
+ "hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-rsa"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha256",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 4.4"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha1",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 3.9, Dropbear SSH 0.53"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group1-sha1",
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus",
+ "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ssh-rsa",
+ "keysize": 3072,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-rsa-cert-v01@openssh.com",
+ "ca_algorithm": "ssh-rsa",
+ "casize": 1024,
+ "keysize": 3072,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm",
+ "using small 1024-bit CA key modulus"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 5.6"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "hmac-md5",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-64@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 4.7"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode",
+ "using small 64-bit tag size"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160@openssh.com",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1-96",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-md5-96",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "critical": {
+ "chg": {
+ "kex": [
+ {
+ "name": "diffie-hellman-group-exchange-sha256",
+ "notes": "increase modulus size to 3072 bits or larger"
+ }
+ ]
+ },
+ "del": {
+ "enc": [
+ {
+ "name": "3des-cbc",
+ "notes": ""
+ },
+ {
+ "name": "arcfour128",
+ "notes": ""
+ },
+ {
+ "name": "arcfour",
+ "notes": ""
+ },
+ {
+ "name": "arcfour256",
+ "notes": ""
+ },
+ {
+ "name": "blowfish-cbc",
+ "notes": ""
+ },
+ {
+ "name": "cast128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "rijndael-cbc@lysator.liu.se",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group1-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group-exchange-sha1",
+ "notes": ""
+ }
+ ],
+ "key": [
+ {
+ "name": "ssh-rsa",
+ "notes": ""
+ },
+ {
+ "name": "ssh-rsa-cert-v01@openssh.com",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-md5",
+ "notes": ""
+ },
+ {
+ "name": "hmac-md5-96",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1-96",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "aes128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes192-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes256-cbc",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "umac-64@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_test4.txt b/test/docker/expected_results/openssh_5.6p1_test4.txt
new file mode 100644
index 0000000..2fb3e19
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test4.txt
@@ -0,0 +1,133 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_5.6
+(gen) software: OpenSSH 5.6
+(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
+(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies
+(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp
+(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
+(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
+(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
+(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
+(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack
+(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard
+(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
+(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages
+(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
+(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
+(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
+(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values
+
+# key exchange algorithms
+(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 4.4
+(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.3.0
+(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
+ `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
+ `- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+ `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
+
+# host-key algorithms
+(key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/1024-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm
+ `- [fail] using small 1024-bit CA key modulus
+ `- [info] available since OpenSSH 5.6
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+
+# encryption algorithms (ciphers)
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) arcfour256 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) arcfour128 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) aes128-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 2.1.0
+(enc) aes192-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+(enc) aes256-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) arcfour -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 2.1.0
+(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher
+ `- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+ `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+# message authentication code algorithms
+(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 4.7
+(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0
+(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+
+# fingerprints
+(fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244
+
+# algorithm recommendations (for OpenSSH 5.6)
+(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) 
+(rec) -3des-cbc -- enc algorithm to remove 
+(rec) -arcfour -- enc algorithm to remove 
+(rec) -arcfour128 -- enc algorithm to remove 
+(rec) -arcfour256 -- enc algorithm to remove 
+(rec) -blowfish-cbc -- enc algorithm to remove 
+(rec) -cast128-cbc -- enc algorithm to remove 
+(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -hmac-md5 -- mac algorithm to remove 
+(rec) -hmac-md5-96 -- mac algorithm to remove 
+(rec) -hmac-ripemd160 -- mac algorithm to remove 
+(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove 
+(rec) -hmac-sha1 -- mac algorithm to remove 
+(rec) -hmac-sha1-96 -- mac algorithm to remove 
+(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove 
+(rec) -ssh-rsa -- key algorithm to remove 
+(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove 
+(rec) -aes128-cbc -- enc algorithm to remove 
+(rec) -aes192-cbc -- enc algorithm to remove 
+(rec) -aes256-cbc -- enc algorithm to remove 
+(rec) -umac-64@openssh.com -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/openssh_5.6p1_test5.json b/test/docker/expected_results/openssh_5.6p1_test5.json
new file mode 100644
index 0000000..0749cd1
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test5.json
@@ -0,0 +1,557 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "2.0",
+ "raw": "SSH-2.0-OpenSSH_5.6",
+ "software": "OpenSSH_5.6"
+ },
+ "compression": [
+ "none",
+ "zlib@openssh.com"
+ ],
+ "cves": [
+ {
+ "cvssv2": 7.8,
+ "description": "command injection via anomalous argument transfers",
+ "name": "CVE-2020-15778"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames due to timing discrepancies",
+ "name": "CVE-2018-15473"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "readonly bypass via sftp",
+ "name": "CVE-2017-15906"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames via challenge response",
+ "name": "CVE-2016-20012"
+ },
+ {
+ "cvssv2": 5.5,
+ "description": "bypass command restrictions via crafted X11 forwarding data",
+ "name": "CVE-2016-3115"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via crafted network traffic (out of bounds read)",
+ "name": "CVE-2016-1907"
+ },
+ {
+ "cvssv2": 6.9,
+ "description": "privilege escalation via leveraging sshd uid",
+ "name": "CVE-2015-6564"
+ },
+ {
+ "cvssv2": 1.9,
+ "description": "conduct impersonation attack",
+ "name": "CVE-2015-6563"
+ },
+ {
+ "cvssv2": 5.8,
+ "description": "bypass environment restrictions via specific string before wildcard",
+ "name": "CVE-2014-2532"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "cause DoS via triggering error condition (memory corruption)",
+ "name": "CVE-2014-1692"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "leak data via debug messages",
+ "name": "CVE-2012-0814"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "cause DoS via large value in certain length field (memory consumption)",
+ "name": "CVE-2011-5000"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via large number of connections (slot exhaustion)",
+ "name": "CVE-2010-5107"
+ },
+ {
+ "cvssv2": 4.0,
+ "description": "cause DoS via crafted glob expression (CPU and memory consumption)",
+ "name": "CVE-2010-4755"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "bypass authentication check via crafted values",
+ "name": "CVE-2010-4478"
+ }
+ ],
+ "enc": [
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour256",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour128",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "3des-cbc",
+ "notes": {
+ "fail": [
+ "using broken & deprecated 3DES cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "blowfish-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated Blowfish cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "cast128-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated CAST cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "rijndael-cbc@lysator.liu.se",
+ "notes": {
+ "fail": [
+ "using deprecated & non-standardized Rijndael cipher"
+ ],
+ "info": [
+ "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-rsa"
+ },
+ {
+ "hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-rsa"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha256",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 4.4"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha1",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 3.9, Dropbear SSH 0.53"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group1-sha1",
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus",
+ "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ssh-rsa",
+ "keysize": 3072,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-rsa-cert-v01@openssh.com",
+ "ca_algorithm": "ssh-rsa",
+ "casize": 3072,
+ "keysize": 3072,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 5.6"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "hmac-md5",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-64@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 4.7"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode",
+ "using small 64-bit tag size"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160@openssh.com",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1-96",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-md5-96",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "critical": {
+ "chg": {
+ "kex": [
+ {
+ "name": "diffie-hellman-group-exchange-sha256",
+ "notes": "increase modulus size to 3072 bits or larger"
+ }
+ ]
+ },
+ "del": {
+ "enc": [
+ {
+ "name": "3des-cbc",
+ "notes": ""
+ },
+ {
+ "name": "arcfour128",
+ "notes": ""
+ },
+ {
+ "name": "arcfour",
+ "notes": ""
+ },
+ {
+ "name": "arcfour256",
+ "notes": ""
+ },
+ {
+ "name": "blowfish-cbc",
+ "notes": ""
+ },
+ {
+ "name": "cast128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "rijndael-cbc@lysator.liu.se",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group1-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group-exchange-sha1",
+ "notes": ""
+ }
+ ],
+ "key": [
+ {
+ "name": "ssh-rsa",
+ "notes": ""
+ },
+ {
+ "name": "ssh-rsa-cert-v01@openssh.com",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-md5",
+ "notes": ""
+ },
+ {
+ "name": "hmac-md5-96",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1-96",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "aes128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes192-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes256-cbc",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "umac-64@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_test5.txt b/test/docker/expected_results/openssh_5.6p1_test5.txt
new file mode 100644
index 0000000..b9e7cd7
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test5.txt
@@ -0,0 +1,132 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_5.6
+(gen) software: OpenSSH 5.6
+(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
+(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies
+(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp
+(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
+(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
+(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
+(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
+(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack
+(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard
+(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
+(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages
+(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
+(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
+(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
+(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values
+
+# key exchange algorithms
+(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 4.4
+(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.3.0
+(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
+ `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
+ `- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+ `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
+
+# host-key algorithms
+(key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/3072-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 5.6
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+
+# encryption algorithms (ciphers)
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) arcfour256 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) arcfour128 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) aes128-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 2.1.0
+(enc) aes192-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+(enc) aes256-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) arcfour -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 2.1.0
+(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher
+ `- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+ `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+# message authentication code algorithms
+(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 4.7
+(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0
+(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+
+# fingerprints
+(fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244
+
+# algorithm recommendations (for OpenSSH 5.6)
+(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) 
+(rec) -3des-cbc -- enc algorithm to remove 
+(rec) -arcfour -- enc algorithm to remove 
+(rec) -arcfour128 -- enc algorithm to remove 
+(rec) -arcfour256 -- enc algorithm to remove 
+(rec) -blowfish-cbc -- enc algorithm to remove 
+(rec) -cast128-cbc -- enc algorithm to remove 
+(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -hmac-md5 -- mac algorithm to remove 
+(rec) -hmac-md5-96 -- mac algorithm to remove 
+(rec) -hmac-ripemd160 -- mac algorithm to remove 
+(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove 
+(rec) -hmac-sha1 -- mac algorithm to remove 
+(rec) -hmac-sha1-96 -- mac algorithm to remove 
+(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove 
+(rec) -ssh-rsa -- key algorithm to remove 
+(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove 
+(rec) -aes128-cbc -- enc algorithm to remove 
+(rec) -aes192-cbc -- enc algorithm to remove 
+(rec) -aes256-cbc -- enc algorithm to remove 
+(rec) -umac-64@openssh.com -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json
new file mode 100644
index 0000000..3dfe59c
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json
@@ -0,0 +1,43 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "3072"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "Host key (rsa-sha2-256) sizes"
+ },
+ {
+ "actual": [
+ "3072"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "Host key (rsa-sha2-512) sizes"
+ },
+ {
+ "actual": [
+ "4096"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "3072"
+ ],
+ "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Hardened OpenSSH Server v8.0 (version 4)"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.txt b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.txt
new file mode 100644
index 0000000..f1f617e
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.txt
@@ -0,0 +1,17 @@
+Host: localhost:2222
+Policy: Hardened OpenSSH Server v8.0 (version 4)
+Result: ❌ Failed!
+
+Errors:
+ * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match.
+ - Expected: 3072
+ - Actual: 4096
+
+ * Host key (rsa-sha2-256) sizes did not match.
+ - Expected: 4096
+ - Actual: 3072
+
+ * Host key (rsa-sha2-512) sizes did not match.
+ - Expected: 4096
+ - Actual: 3072
+
diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json
new file mode 100644
index 0000000..0c54345
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json
@@ -0,0 +1,66 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "3072"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "Host key (rsa-sha2-256) sizes"
+ },
+ {
+ "actual": [
+ "3072"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "Host key (rsa-sha2-512) sizes"
+ },
+ {
+ "actual": [
+ "umac-64-etm@openssh.com",
+ "umac-128-etm@openssh.com",
+ "hmac-sha2-256-etm@openssh.com",
+ "hmac-sha2-512-etm@openssh.com",
+ "hmac-sha1-etm@openssh.com",
+ "umac-64@openssh.com",
+ "umac-128@openssh.com",
+ "hmac-sha2-256",
+ "hmac-sha2-512",
+ "hmac-sha1"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "hmac-sha2-256-etm@openssh.com",
+ "hmac-sha2-512-etm@openssh.com",
+ "umac-128-etm@openssh.com"
+ ],
+ "mismatched_field": "MACs"
+ },
+ {
+ "actual": [
+ "4096"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "3072"
+ ],
+ "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Hardened OpenSSH Server v8.0 (version 4)"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt
new file mode 100644
index 0000000..8f1d9dc
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt
@@ -0,0 +1,21 @@
+Host: localhost:2222
+Policy: Hardened OpenSSH Server v8.0 (version 4)
+Result: ❌ Failed!
+
+Errors:
+ * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match.
+ - Expected: 3072
+ - Actual: 4096
+
+ * Host key (rsa-sha2-256) sizes did not match.
+ - Expected: 4096
+ - Actual: 3072
+
+ * Host key (rsa-sha2-512) sizes did not match.
+ - Expected: 4096
+ - Actual: 3072
+
+ * MACs did not match.
+ - Expected: hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
+ - Actual: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
+
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json
new file mode 100644
index 0000000..b6a8308
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json
@@ -0,0 +1,6 @@
+{
+ "errors": [],
+ "host": "localhost",
+ "passed": true,
+ "policy": "Docker policy: test11 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.txt
new file mode 100644
index 0000000..0ac0671
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.txt
@@ -0,0 +1,12 @@
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host: localhost:2222
+Policy: Docker policy: test11 (version 1)
+Result: ✔ Passed
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json
new file mode 100644
index 0000000..8ddcf39
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json
@@ -0,0 +1,43 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "3072"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "Host key (rsa-sha2-256) sizes"
+ },
+ {
+ "actual": [
+ "3072"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "Host key (rsa-sha2-512) sizes"
+ },
+ {
+ "actual": [
+ "3072"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "Host key (ssh-rsa) sizes"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Docker policy: test12 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt
new file mode 100644
index 0000000..de615e0
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt
@@ -0,0 +1,26 @@
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host: localhost:2222
+Policy: Docker policy: test12 (version 1)
+Result: ❌ Failed!
+
+Errors:
+ * Host key (rsa-sha2-256) sizes did not match.
+ - Expected: 4096
+ - Actual: 3072
+
+ * Host key (rsa-sha2-512) sizes did not match.
+ - Expected: 4096
+ - Actual: 3072
+
+ * Host key (ssh-rsa) sizes did not match.
+ - Expected: 4096
+ - Actual: 3072
+
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json
new file mode 100644
index 0000000..4f942bd
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json
@@ -0,0 +1,6 @@
+{
+ "errors": [],
+ "host": "localhost",
+ "passed": true,
+ "policy": "Docker policy: test13 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.txt
new file mode 100644
index 0000000..7734d88
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.txt
@@ -0,0 +1,15 @@
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host: localhost:2222
+Policy: Docker policy: test13 (version 1)
+Result: ✔ Passed
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json
new file mode 100644
index 0000000..fc8eb61
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json
@@ -0,0 +1,19 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "4096"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "8192"
+ ],
+ "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Docker policy: test14 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt
new file mode 100644
index 0000000..17987a5
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt
@@ -0,0 +1,21 @@
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host: localhost:2222
+Policy: Docker policy: test14 (version 1)
+Result: ❌ Failed!
+
+Errors:
+ * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match.
+ - Expected: 8192
+ - Actual: 4096
+
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json
new file mode 100644
index 0000000..8804aae
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json
@@ -0,0 +1,6 @@
+{
+ "errors": [],
+ "host": "localhost",
+ "passed": true,
+ "policy": "Docker policy: test6 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.txt
new file mode 100644
index 0000000..b0e9441
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.txt
@@ -0,0 +1,3 @@
+Host: localhost:2222
+Policy: Docker policy: test6 (version 1)
+Result: ✔ Passed
diff --git a/test/docker/expected_results/openssh_8.0p1_test1.json b/test/docker/expected_results/openssh_8.0p1_test1.json
new file mode 100644
index 0000000..350af5e
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_test1.json
@@ -0,0 +1,462 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "2.0",
+ "raw": "SSH-2.0-OpenSSH_8.0",
+ "software": "OpenSSH_8.0"
+ },
+ "compression": [
+ "none",
+ "zlib@openssh.com"
+ ],
+ "cves": [
+ {
+ "cvssv2": 7.0,
+ "description": "privilege escalation via supplemental groups",
+ "name": "CVE-2021-41617"
+ },
+ {
+ "cvssv2": 7.8,
+ "description": "command injection via anomalous argument transfers",
+ "name": "CVE-2020-15778"
+ },
+ {
+ "cvssv2": 7.8,
+ "description": "memory corruption and local code execution via pre-authentication integer overflow",
+ "name": "CVE-2019-16905"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames via challenge response",
+ "name": "CVE-2016-20012"
+ }
+ ],
+ "enc": [
+ {
+ "algorithm": "chacha20-poly1305@openssh.com",
+ "notes": {
+ "info": [
+ "default cipher since OpenSSH 6.9",
+ "available since OpenSSH 6.5"
+ ],
+ "warn": [
+ "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-gcm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-gcm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-ed25519"
+ },
+ {
+ "hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-ed25519"
+ },
+ {
+ "hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-rsa"
+ },
+ {
+ "hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-rsa"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "curve25519-sha256",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 7.4, Dropbear SSH 2018.76"
+ ]
+ }
+ },
+ {
+ "algorithm": "curve25519-sha256@libssh.org",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 6.4, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdh-sha2-nistp256",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdh-sha2-nistp384",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdh-sha2-nistp521",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha256",
+ "keysize": 4096,
+ "notes": {
+ "info": [
+ "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
+ "available since OpenSSH 4.4"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group16-sha512",
+ "notes": {
+ "info": [
+ "available since OpenSSH 7.3, Dropbear SSH 2016.73"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group18-sha512",
+ "notes": {
+ "info": [
+ "available since OpenSSH 7.3"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha256",
+ "notes": {
+ "info": [
+ "available since OpenSSH 7.3, Dropbear SSH 2016.73"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 3.9, Dropbear SSH 0.53"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "rsa-sha2-512",
+ "keysize": 3072,
+ "notes": {
+ "info": [
+ "available since OpenSSH 7.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "rsa-sha2-256",
+ "keysize": 3072,
+ "notes": {
+ "info": [
+ "available since OpenSSH 7.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-rsa",
+ "keysize": 3072,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdsa-sha2-nistp256",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ],
+ "warn": [
+ "using weak random number generator could reveal the key"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-ed25519",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.5"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "umac-64-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ],
+ "warn": [
+ "using small 64-bit tag size"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-128-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-256-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-512-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1-etm@openssh.com",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-64@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 4.7"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode",
+ "using small 64-bit tag size"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-128@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-256",
+ "notes": {
+ "info": [
+ "available since OpenSSH 5.9, Dropbear SSH 2013.56"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-512",
+ "notes": {
+ "info": [
+ "available since OpenSSH 5.9, Dropbear SSH 2013.56"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "critical": {
+ "del": {
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha1",
+ "notes": ""
+ },
+ {
+ "name": "ecdh-sha2-nistp256",
+ "notes": ""
+ },
+ {
+ "name": "ecdh-sha2-nistp384",
+ "notes": ""
+ },
+ {
+ "name": "ecdh-sha2-nistp521",
+ "notes": ""
+ }
+ ],
+ "key": [
+ {
+ "name": "ecdsa-sha2-nistp256",
+ "notes": ""
+ },
+ {
+ "name": "ssh-rsa",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-sha1",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1-etm@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "chacha20-poly1305@openssh.com",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha256",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-sha2-256",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha2-512",
+ "notes": ""
+ },
+ {
+ "name": "umac-128@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "umac-64-etm@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "umac-64@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_test1.txt b/test/docker/expected_results/openssh_8.0p1_test1.txt
new file mode 100644
index 0000000..cde69a5
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_test1.txt
@@ -0,0 +1,99 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_8.0
+(gen) software: OpenSSH 8.0
+(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups
+(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
+(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow
+(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
+
+# key exchange algorithms
+(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4
+ `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
+(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
+(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+
+# host-key algorithms
+(key) rsa-sha2-512 (3072-bit) -- [info] available since OpenSSH 7.2
+(key) rsa-sha2-256 (3072-bit) -- [info] available since OpenSSH 7.2
+(key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [warn] using weak random number generator could reveal the key
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
+
+# encryption algorithms (ciphers)
+(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
+ `- [info] available since OpenSSH 6.5
+ `- [info] default cipher since OpenSSH 6.9
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
+(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
+
+# message authentication code algorithms
+(mac) umac-64-etm@openssh.com -- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 6.2
+(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha1-etm@openssh.com -- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 6.2
+(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 4.7
+(mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+
+# fingerprints
+(fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU
+(fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244
+
+# algorithm recommendations (for OpenSSH 8.0)
+(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove 
+(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove 
+(rec) -hmac-sha1 -- mac algorithm to remove 
+(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove 
+(rec) -ssh-rsa -- key algorithm to remove 
+(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove 
+(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove 
+(rec) -hmac-sha2-256 -- mac algorithm to remove 
+(rec) -hmac-sha2-512 -- mac algorithm to remove 
+(rec) -umac-128@openssh.com -- mac algorithm to remove 
+(rec) -umac-64-etm@openssh.com -- mac algorithm to remove 
+(rec) -umac-64@openssh.com -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/openssh_8.0p1_test2.json b/test/docker/expected_results/openssh_8.0p1_test2.json
new file mode 100644
index 0000000..a05ae96
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_test2.json
@@ -0,0 +1,421 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "2.0",
+ "raw": "SSH-2.0-OpenSSH_8.0",
+ "software": "OpenSSH_8.0"
+ },
+ "compression": [
+ "none",
+ "zlib@openssh.com"
+ ],
+ "cves": [
+ {
+ "cvssv2": 7.0,
+ "description": "privilege escalation via supplemental groups",
+ "name": "CVE-2021-41617"
+ },
+ {
+ "cvssv2": 7.8,
+ "description": "command injection via anomalous argument transfers",
+ "name": "CVE-2020-15778"
+ },
+ {
+ "cvssv2": 7.8,
+ "description": "memory corruption and local code execution via pre-authentication integer overflow",
+ "name": "CVE-2019-16905"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames via challenge response",
+ "name": "CVE-2016-20012"
+ }
+ ],
+ "enc": [
+ {
+ "algorithm": "chacha20-poly1305@openssh.com",
+ "notes": {
+ "info": [
+ "default cipher since OpenSSH 6.9",
+ "available since OpenSSH 6.5"
+ ],
+ "warn": [
+ "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-gcm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-gcm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-ed25519"
+ },
+ {
+ "hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-ed25519"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "curve25519-sha256",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 7.4, Dropbear SSH 2018.76"
+ ]
+ }
+ },
+ {
+ "algorithm": "curve25519-sha256@libssh.org",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 6.4, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdh-sha2-nistp256",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdh-sha2-nistp384",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdh-sha2-nistp521",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha256",
+ "keysize": 4096,
+ "notes": {
+ "info": [
+ "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
+ "available since OpenSSH 4.4"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group16-sha512",
+ "notes": {
+ "info": [
+ "available since OpenSSH 7.3, Dropbear SSH 2016.73"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group18-sha512",
+ "notes": {
+ "info": [
+ "available since OpenSSH 7.3"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha256",
+ "notes": {
+ "info": [
+ "available since OpenSSH 7.3, Dropbear SSH 2016.73"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 3.9, Dropbear SSH 0.53"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ssh-ed25519",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.5"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-ed25519-cert-v01@openssh.com",
+ "ca_algorithm": "ssh-ed25519",
+ "casize": 256,
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.5"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "umac-64-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ],
+ "warn": [
+ "using small 64-bit tag size"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-128-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-256-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-512-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1-etm@openssh.com",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-64@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 4.7"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode",
+ "using small 64-bit tag size"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-128@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-256",
+ "notes": {
+ "info": [
+ "available since OpenSSH 5.9, Dropbear SSH 2013.56"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-512",
+ "notes": {
+ "info": [
+ "available since OpenSSH 5.9, Dropbear SSH 2013.56"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "critical": {
+ "del": {
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha1",
+ "notes": ""
+ },
+ {
+ "name": "ecdh-sha2-nistp256",
+ "notes": ""
+ },
+ {
+ "name": "ecdh-sha2-nistp384",
+ "notes": ""
+ },
+ {
+ "name": "ecdh-sha2-nistp521",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-sha1",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1-etm@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "informational": {
+ "add": {
+ "key": [
+ {
+ "name": "rsa-sha2-256",
+ "notes": ""
+ },
+ {
+ "name": "rsa-sha2-512",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "chacha20-poly1305@openssh.com",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha256",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-sha2-256",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha2-512",
+ "notes": ""
+ },
+ {
+ "name": "umac-128@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "umac-64-etm@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "umac-64@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_test2.txt b/test/docker/expected_results/openssh_8.0p1_test2.txt
new file mode 100644
index 0000000..8cbb69a
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_test2.txt
@@ -0,0 +1,91 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_8.0
+(gen) software: OpenSSH 8.0
+(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups
+(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
+(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow
+(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
+
+# key exchange algorithms
+(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4
+ `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
+(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
+(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+
+# host-key algorithms
+(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
+(key) ssh-ed25519-cert-v01@openssh.com (256-bit cert/256-bit ssh-ed25519 CA) -- [info] available since OpenSSH 6.5
+
+# encryption algorithms (ciphers)
+(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
+ `- [info] available since OpenSSH 6.5
+ `- [info] default cipher since OpenSSH 6.9
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
+(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
+
+# message authentication code algorithms
+(mac) umac-64-etm@openssh.com -- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 6.2
+(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha1-etm@openssh.com -- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 6.2
+(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 4.7
+(mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+
+# fingerprints
+(fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU
+
+# algorithm recommendations (for OpenSSH 8.0)
+(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove 
+(rec) -hmac-sha1 -- mac algorithm to remove 
+(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove 
+(rec) +rsa-sha2-256 -- key algorithm to append 
+(rec) +rsa-sha2-512 -- key algorithm to append 
+(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove 
+(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove 
+(rec) -hmac-sha2-256 -- mac algorithm to remove 
+(rec) -hmac-sha2-512 -- mac algorithm to remove 
+(rec) -umac-128@openssh.com -- mac algorithm to remove 
+(rec) -umac-64-etm@openssh.com -- mac algorithm to remove 
+(rec) -umac-64@openssh.com -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/openssh_8.0p1_test3.json b/test/docker/expected_results/openssh_8.0p1_test3.json
new file mode 100644
index 0000000..13a8130
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_test3.json
@@ -0,0 +1,206 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "2.0",
+ "raw": "SSH-2.0-OpenSSH_8.0",
+ "software": "OpenSSH_8.0"
+ },
+ "compression": [
+ "none",
+ "zlib@openssh.com"
+ ],
+ "cves": [
+ {
+ "cvssv2": 7.0,
+ "description": "privilege escalation via supplemental groups",
+ "name": "CVE-2021-41617"
+ },
+ {
+ "cvssv2": 7.8,
+ "description": "command injection via anomalous argument transfers",
+ "name": "CVE-2020-15778"
+ },
+ {
+ "cvssv2": 7.8,
+ "description": "memory corruption and local code execution via pre-authentication integer overflow",
+ "name": "CVE-2019-16905"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames via challenge response",
+ "name": "CVE-2016-20012"
+ }
+ ],
+ "enc": [
+ {
+ "algorithm": "chacha20-poly1305@openssh.com",
+ "notes": {
+ "info": [
+ "default cipher since OpenSSH 6.9",
+ "available since OpenSSH 6.5"
+ ],
+ "warn": [
+ "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-gcm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-gcm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-ed25519"
+ },
+ {
+ "hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-ed25519"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "curve25519-sha256",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 7.4, Dropbear SSH 2018.76"
+ ]
+ }
+ },
+ {
+ "algorithm": "curve25519-sha256@libssh.org",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 6.4, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha256",
+ "keysize": 4096,
+ "notes": {
+ "info": [
+ "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
+ "available since OpenSSH 4.4"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ssh-ed25519",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.5"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "hmac-sha2-256-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-512-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-128-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "informational": {
+ "add": {
+ "kex": [
+ {
+ "name": "diffie-hellman-group16-sha512",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group18-sha512",
+ "notes": ""
+ }
+ ],
+ "key": [
+ {
+ "name": "rsa-sha2-256",
+ "notes": ""
+ },
+ {
+ "name": "rsa-sha2-512",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "chacha20-poly1305@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_test3.txt b/test/docker/expected_results/openssh_8.0p1_test3.txt
new file mode 100644
index 0000000..27154b8
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_test3.txt
@@ -0,0 +1,51 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_8.0
+(gen) software: OpenSSH 8.0
+(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups
+(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
+(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow
+(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
+
+# key exchange algorithms
+(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4
+ `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
+
+# host-key algorithms
+(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
+
+# encryption algorithms (ciphers)
+(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
+ `- [info] available since OpenSSH 6.5
+ `- [info] default cipher since OpenSSH 6.9
+(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
+(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+
+# message authentication code algorithms
+(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2
+
+# fingerprints
+(fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU
+
+# algorithm recommendations (for OpenSSH 8.0)
+(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append 
+(rec) +diffie-hellman-group18-sha512 -- kex algorithm to append 
+(rec) +rsa-sha2-256 -- key algorithm to append 
+(rec) +rsa-sha2-512 -- key algorithm to append 
+(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/tinyssh_20190101_test1.json b/test/docker/expected_results/tinyssh_20190101_test1.json
new file mode 100644
index 0000000..7cc7629
--- /dev/null
+++ b/test/docker/expected_results/tinyssh_20190101_test1.json
@@ -0,0 +1,98 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": "",
+ "protocol": "2.0",
+ "raw": "",
+ "software": "tinyssh_noversion"
+ },
+ "compression": [
+ "none"
+ ],
+ "cves": [],
+ "enc": [
+ {
+ "algorithm": "chacha20-poly1305@openssh.com",
+ "notes": {
+ "info": [
+ "default cipher since OpenSSH 6.9",
+ "available since OpenSSH 6.5"
+ ],
+ "warn": [
+ "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "89ocln1x7KNqnMgWffGoYtD70ksJ4FrH7BMJHa7SrwU",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-ed25519"
+ },
+ {
+ "hash": "dd:9c:6d:f9:b0:8c:af:fa:c2:65:81:5d:5d:56:f8:21",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-ed25519"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "curve25519-sha256",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 7.4, Dropbear SSH 2018.76"
+ ]
+ }
+ },
+ {
+ "algorithm": "curve25519-sha256@libssh.org",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 6.4, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "sntrup4591761x25519-sha512@tinyssh.org",
+ "notes": {
+ "info": [
+ "the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security",
+ "available since OpenSSH 8.0"
+ ],
+ "warn": [
+ "using experimental algorithm"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ssh-ed25519",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.5"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "hmac-sha2-256",
+ "notes": {
+ "info": [
+ "available since OpenSSH 5.9, Dropbear SSH 2013.56"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {},
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/tinyssh_20190101_test1.txt b/test/docker/expected_results/tinyssh_20190101_test1.txt
new file mode 100644
index 0000000..7307169
--- /dev/null
+++ b/test/docker/expected_results/tinyssh_20190101_test1.txt
@@ -0,0 +1,29 @@
+# general
+(gen) software: TinySSH noversion
+(gen) compatibility: OpenSSH 8.0-8.4, Dropbear SSH 2018.76+
+(gen) compression: disabled
+
+# key exchange algorithms
+(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) sntrup4591761x25519-sha512@tinyssh.org -- [warn] using experimental algorithm
+ `- [info] available since OpenSSH 8.0
+ `- [info] the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security
+
+# host-key algorithms
+(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
+
+# encryption algorithms (ciphers)
+(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
+ `- [info] available since OpenSSH 6.5
+ `- [info] default cipher since OpenSSH 6.9
+
+# message authentication code algorithms
+(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+
+# fingerprints
+(fin) ssh-ed25519: SHA256:89ocln1x7KNqnMgWffGoYtD70ksJ4FrH7BMJHa7SrwU
+
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-18 14:15:01 +0000