diff options
Diffstat (limited to '')
100 files changed, 7260 insertions, 0 deletions
diff --git a/test/docker/.ed25519.sk b/test/docker/.ed25519.sk new file mode 100644 index 0000000..58b097b --- /dev/null +++ b/test/docker/.ed25519.sk @@ -0,0 +1 @@ +iܛV违Z/D<|Sz=:1vu}Jݷ"^Bb&UP
CJ?
\ No newline at end of file diff --git a/test/docker/Dockerfile b/test/docker/Dockerfile new file mode 100644 index 0000000..eef0139 --- /dev/null +++ b/test/docker/Dockerfile @@ -0,0 +1,32 @@ +FROM ubuntu:16.04 + +COPY openssh-4.0p1/sshd /openssh/sshd-4.0p1 +COPY openssh-5.6p1/sshd /openssh/sshd-5.6p1 +COPY openssh-8.0p1/sshd /openssh/sshd-8.0p1 +COPY dropbear-2019.78/dropbear /dropbear/dropbear-2019.78 +COPY tinyssh-20190101/build/bin/tinysshd /tinysshd/tinyssh-20190101 + +# Dropbear host keys. +COPY dropbear_*_host_key* /etc/dropbear/ + +# OpenSSH configs. +COPY sshd_config* /etc/ssh/ + +# OpenSSH host keys & moduli file. +COPY ssh_host_* /etc/ssh/ +COPY ssh1_host_* /etc/ssh/ +COPY moduli_1024 /usr/local/etc/moduli + +# TinySSH host keys. +COPY ed25519.pk /etc/tinyssh/ +COPY .ed25519.sk /etc/tinyssh/ + +COPY debug.sh /debug.sh + +RUN apt update 2> /dev/null +RUN apt install -y libssl-dev strace rsyslog ucspi-tcp 2> /dev/null +RUN apt clean 2> /dev/null +RUN useradd -s /bin/false sshd +RUN mkdir /var/empty + +EXPOSE 22 diff --git a/test/docker/debug.sh b/test/docker/debug.sh new file mode 100755 index 0000000..c4be343 --- /dev/null +++ b/test/docker/debug.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +# This script is run on in docker container. It will enable logging for sshd in +# /var/log/auth.log. + +/etc/init.d/rsyslog start +sleep 1 +/openssh/sshd-5.6p1 -o LogLevel=DEBUG3 -f /etc/ssh/sshd_config-5.6p1_test1 +/bin/bash diff --git a/test/docker/dropbear_dss_host_key b/test/docker/dropbear_dss_host_key Binary files differnew file mode 100644 index 0000000..3388632 --- /dev/null +++ b/test/docker/dropbear_dss_host_key diff --git a/test/docker/dropbear_ecdsa_host_key b/test/docker/dropbear_ecdsa_host_key Binary files differnew file mode 100644 index 0000000..318ebb0 --- /dev/null +++ b/test/docker/dropbear_ecdsa_host_key diff --git a/test/docker/dropbear_rsa_host_key_1024 b/test/docker/dropbear_rsa_host_key_1024 Binary files differnew file mode 100644 index 0000000..d9ce331 --- /dev/null +++ b/test/docker/dropbear_rsa_host_key_1024 diff --git a/test/docker/dropbear_rsa_host_key_3072 b/test/docker/dropbear_rsa_host_key_3072 Binary files differnew file mode 100644 index 0000000..006249a --- /dev/null +++ b/test/docker/dropbear_rsa_host_key_3072 diff --git a/test/docker/ed25519.pk b/test/docker/ed25519.pk new file mode 100644 index 0000000..82cfb47 --- /dev/null +++ b/test/docker/ed25519.pk @@ -0,0 +1 @@ +1vu}Jݷ"^Bb&UP
CJ?
\ No newline at end of file diff --git a/test/docker/expected_results/dropbear_2019.78_test1.json b/test/docker/expected_results/dropbear_2019.78_test1.json new file mode 100644 index 0000000..55dd8b6 --- /dev/null +++ b/test/docker/expected_results/dropbear_2019.78_test1.json @@ -0,0 +1,371 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "2.0", + "raw": "SSH-2.0-dropbear_2019.78", + "software": "dropbear_2019.78" + }, + "compression": [ + "zlib@openssh.com", + "none" + ], + "cves": [], + "enc": [ + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes128-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "aes256-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.47" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "3des-ctr", + "notes": { + "fail": [ + "using broken & deprecated 3DES cipher" + ], + "info": [ + "available since Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "3des-cbc", + "notes": { + "fail": [ + "using broken & deprecated 3DES cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + } + ], + "fingerprints": [ + { + "hash": "CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "63:7f:54:f7:0a:28:7f:75:0b:f4:07:0b:fc:66:51:a2", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "curve25519-sha256", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 7.4, Dropbear SSH 2018.76" + ] + } + }, + { + "algorithm": "curve25519-sha256@libssh.org", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 6.4, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "ecdh-sha2-nistp521", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "ecdh-sha2-nistp384", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "ecdh-sha2-nistp256", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha256", + "notes": { + "info": [ + "available since OpenSSH 7.3, Dropbear SSH 2016.73" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 3.9, Dropbear SSH 0.53" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "kexguess2@matt.ucc.asn.au", + "notes": { + "info": [ + "available since Dropbear SSH 2013.57" + ] + } + } + ], + "key": [ + { + "algorithm": "ecdsa-sha2-nistp256", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ], + "warn": [ + "using weak random number generator could reveal the key" + ] + } + }, + { + "algorithm": "ssh-rsa", + "keysize": 1024, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm", + "using small 1024-bit modulus" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 2.5.0, Dropbear SSH 0.28" + ] + } + }, + { + "algorithm": "ssh-dss", + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0", + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak random number generator could reveal the key" + ] + } + } + ], + "mac": [ + { + "algorithm": "hmac-sha1-96", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0, Dropbear SSH 0.47" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha2-256", + "notes": { + "info": [ + "available since OpenSSH 5.9, Dropbear SSH 2013.56" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": { + "critical": { + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "3des-ctr", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp256", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp384", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp521", + "notes": "" + } + ], + "key": [ + { + "name": "ecdsa-sha2-nistp256", + "notes": "" + }, + { + "name": "ssh-dss", + "notes": "" + }, + { + "name": "ssh-rsa", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + } + ] + } + }, + "informational": { + "add": { + "enc": [ + { + "name": "twofish128-ctr", + "notes": "" + }, + { + "name": "twofish256-ctr", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group16-sha512", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha256", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha2-256", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/dropbear_2019.78_test1.txt b/test/docker/expected_results/dropbear_2019.78_test1.txt new file mode 100644 index 0000000..c0d5dfc --- /dev/null +++ b/test/docker/expected_results/dropbear_2019.78_test1.txt @@ -0,0 +1,87 @@ +[0;36m# general[0m +[0;32m(gen) banner: SSH-2.0-dropbear_2019.78[0m +[0;32m(gen) software: Dropbear SSH 2019.78[0m +[0;32m(gen) compatibility: OpenSSH 7.4+ (some functionality from 6.6), Dropbear SSH 2018.76+[0m +[0;32m(gen) compression: enabled (zlib@openssh.com)[0m + +[0;36m# key exchange algorithms[0m +[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m +[0;32m `- [info] default key exchange since OpenSSH 6.4[0m +[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m +[0;32m `- [info] default key exchange since OpenSSH 6.4[0m +[0;31m(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +[0;31m(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +[0;33m(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m + `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 +[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 +[0;32m(kex) kexguess2@matt.ucc.asn.au -- [info] available since Dropbear SSH 2013.57[0m + +[0;36m# host-key algorithms[0m +[0;31m(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m +[0;33m `- [warn] using weak random number generator could reveal the key[0m + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +[0;31m(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm[0m +[0;31m `- [fail] using small 1024-bit modulus[0m + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 +[0;31m(key) ssh-dss -- [fail] using small 1024-bit modulus[0m +[0;33m `- [warn] using weak random number generator could reveal the key[0m + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 + `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0 + +[0;36m# encryption algorithms (ciphers)[0m +[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m +[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m +[0;33m(enc) aes128-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 +[0;33m(enc) aes256-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47 +[0;31m(enc) 3des-ctr -- [fail] using broken & deprecated 3DES cipher[0m + `- [info] available since Dropbear SSH 0.52 +[0;31m(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 + +[0;36m# message authentication code algorithms[0m +[0;31m(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47 +[0;31m(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +[0;33m(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 + +[0;36m# fingerprints[0m +[0;32m(fin) ssh-rsa: SHA256:CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM[0m + +[0;36m# algorithm recommendations (for Dropbear SSH 2019.78)[0m +[0;31m(rec) -3des-cbc -- enc algorithm to remove [0m +[0;31m(rec) -3des-ctr -- enc algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove [0m +[0;31m(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove [0m +[0;31m(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove [0m +[0;31m(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove [0m +[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-sha1-96 -- mac algorithm to remove [0m +[0;31m(rec) -ssh-dss -- key algorithm to remove [0m +[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m +[0;32m(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append [0m +[0;32m(rec) +twofish128-ctr -- enc algorithm to append [0m +[0;32m(rec) +twofish256-ctr -- enc algorithm to append [0m +[0;33m(rec) -aes128-cbc -- enc algorithm to remove [0m +[0;33m(rec) -aes256-cbc -- enc algorithm to remove [0m +[0;33m(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove [0m +[0;33m(rec) -hmac-sha2-256 -- mac algorithm to remove [0m + +[0;36m# additional info[0m +[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m + diff --git a/test/docker/expected_results/openssh_4.0p1_test1.json b/test/docker/expected_results/openssh_4.0p1_test1.json new file mode 100644 index 0000000..f5735a9 --- /dev/null +++ b/test/docker/expected_results/openssh_4.0p1_test1.json @@ -0,0 +1,525 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "1.99", + "raw": "SSH-1.99-OpenSSH_4.0", + "software": "OpenSSH_4.0" + }, + "compression": [ + "none", + "zlib" + ], + "cves": [ + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames due to timing discrepancies", + "name": "CVE-2018-15473" + }, + { + "cvssv2": 5.3, + "description": "readonly bypass via sftp", + "name": "CVE-2017-15906" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + }, + { + "cvssv2": 5.5, + "description": "bypass command restrictions via crafted X11 forwarding data", + "name": "CVE-2016-3115" + }, + { + "cvssv2": 7.5, + "description": "cause DoS via triggering error condition (memory corruption)", + "name": "CVE-2014-1692" + }, + { + "cvssv2": 3.5, + "description": "leak data via debug messages", + "name": "CVE-2012-0814" + }, + { + "cvssv2": 3.5, + "description": "cause DoS via large value in certain length field (memory consumption)", + "name": "CVE-2011-5000" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via large number of connections (slot exhaustion)", + "name": "CVE-2010-5107" + }, + { + "cvssv2": 4.0, + "description": "cause DoS via crafted glob expression (CPU and memory consumption)", + "name": "CVE-2010-4755" + }, + { + "cvssv2": 7.5, + "description": "bypass authentication check via crafted values", + "name": "CVE-2010-4478" + }, + { + "cvssv2": 2.6, + "description": "recover plaintext data from ciphertext", + "name": "CVE-2008-5161" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via multiple login attempts (slot exhaustion)", + "name": "CVE-2008-4109" + }, + { + "cvssv2": 6.5, + "description": "bypass command restrictions via modifying session file", + "name": "CVE-2008-1657" + }, + { + "cvssv2": 6.9, + "description": "hijack forwarded X11 connections", + "name": "CVE-2008-1483" + }, + { + "cvssv2": 7.5, + "description": "privilege escalation via causing an X client to be trusted", + "name": "CVE-2007-4752" + }, + { + "cvssv2": 5.0, + "description": "discover valid usernames through different responses", + "name": "CVE-2007-2243" + }, + { + "cvssv2": 5.0, + "description": "discover valid usernames through different responses", + "name": "CVE-2006-5052" + }, + { + "cvssv2": 9.3, + "description": "cause DoS or execute arbitrary code (double free)", + "name": "CVE-2006-5051" + }, + { + "cvssv2": 7.8, + "description": "cause DoS via crafted packet (CPU consumption)", + "name": "CVE-2006-4924" + }, + { + "cvssv2": 4.6, + "description": "execute arbitrary code", + "name": "CVE-2006-0225" + }, + { + "cvssv2": 5.0, + "description": "leak data about authentication credentials", + "name": "CVE-2005-2798" + } + ], + "enc": [ + { + "algorithm": "aes128-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "3des-cbc", + "notes": { + "fail": [ + "using broken & deprecated 3DES cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "blowfish-cbc", + "notes": { + "fail": [ + "using weak & deprecated Blowfish cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "cast128-cbc", + "notes": { + "fail": [ + "using weak & deprecated CAST cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "arcfour", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ] + } + }, + { + "algorithm": "aes192-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "aes256-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.47" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "rijndael-cbc@lysator.liu.se", + "notes": { + "fail": [ + "using deprecated & non-standardized Rijndael cipher" + ], + "info": [ + "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0", + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes192-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + } + ], + "fingerprints": [ + { + "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "diffie-hellman-group-exchange-sha1", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 2.3.0" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 3.9, Dropbear SSH 0.53" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "diffie-hellman-group1-sha1", + "notes": { + "fail": [ + "using small 1024-bit modulus", + "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)", + "using broken SHA-1 hash algorithm" + ], + "info": [ + "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ] + } + } + ], + "key": [ + { + "algorithm": "ssh-rsa", + "keysize": 1024, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm", + "using small 1024-bit modulus" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 2.5.0, Dropbear SSH 0.28" + ] + } + }, + { + "algorithm": "ssh-dss", + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0", + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak random number generator could reveal the key" + ] + } + } + ], + "mac": [ + { + "algorithm": "hmac-md5", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-ripemd160", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-ripemd160@openssh.com", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1-96", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0, Dropbear SSH 0.47" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-md5-96", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": { + "critical": { + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "arcfour", + "notes": "" + }, + { + "name": "blowfish-cbc", + "notes": "" + }, + { + "name": "cast128-cbc", + "notes": "" + }, + { + "name": "rijndael-cbc@lysator.liu.se", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group1-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha1", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-dss", + "notes": "" + }, + { + "name": "ssh-rsa", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-md5", + "notes": "" + }, + { + "name": "hmac-md5-96", + "notes": "" + }, + { + "name": "hmac-ripemd160", + "notes": "" + }, + { + "name": "hmac-ripemd160@openssh.com", + "notes": "" + }, + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes192-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_4.0p1_test1.txt b/test/docker/expected_results/openssh_4.0p1_test1.txt new file mode 100644 index 0000000..4810a47 --- /dev/null +++ b/test/docker/expected_results/openssh_4.0p1_test1.txt @@ -0,0 +1,130 @@ +[0;36m# general[0m +[0;31m(gen) banner: SSH-1.99-OpenSSH_4.0[0m +[0;31m(gen) protocol SSH1 enabled[0m +[0;32m(gen) software: OpenSSH 4.0[0m +[0;32m(gen) compatibility: OpenSSH 3.9-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)[0m +[0;32m(gen) compression: enabled (zlib)[0m + +[0;36m# security[0m +[0;33m(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers[0m +[0;33m(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies[0m +[0;33m(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp[0m +[0;33m(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response[0m +[0;33m(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data[0m +[0;33m(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)[0m +[0;33m(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages[0m +[0;33m(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)[0m +[0;33m(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)[0m +[0;33m(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)[0m +[0;33m(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values[0m +[0;33m(cve) CVE-2008-5161 -- (CVSSv2: 2.6) recover plaintext data from ciphertext[0m +[0;33m(cve) CVE-2008-4109 -- (CVSSv2: 5.0) cause DoS via multiple login attempts (slot exhaustion)[0m +[0;33m(cve) CVE-2008-1657 -- (CVSSv2: 6.5) bypass command restrictions via modifying session file[0m +[0;33m(cve) CVE-2008-1483 -- (CVSSv2: 6.9) hijack forwarded X11 connections[0m +[0;33m(cve) CVE-2007-4752 -- (CVSSv2: 7.5) privilege escalation via causing an X client to be trusted[0m +[0;33m(cve) CVE-2007-2243 -- (CVSSv2: 5.0) discover valid usernames through different responses[0m +[0;33m(cve) CVE-2006-5052 -- (CVSSv2: 5.0) discover valid usernames through different responses[0m +[0;31m(cve) CVE-2006-5051 -- (CVSSv2: 9.3) cause DoS or execute arbitrary code (double free)[0m +[0;33m(cve) CVE-2006-4924 -- (CVSSv2: 7.8) cause DoS via crafted packet (CPU consumption)[0m +[0;33m(cve) CVE-2006-0225 -- (CVSSv2: 4.6) execute arbitrary code[0m +[0;33m(cve) CVE-2005-2798 -- (CVSSv2: 5.0) leak data about authentication credentials[0m +[0;31m(sec) SSH v1 enabled -- SSH v1 can be exploited to recover plaintext passwords[0m + +[0;36m# key exchange algorithms[0m +[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m + `- [info] available since OpenSSH 2.3.0 +[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 +[0;31m(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus[0m +[0;31m `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m +[0;31m `- [fail] using broken SHA-1 hash algorithm[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 + `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 + +[0;36m# host-key algorithms[0m +[0;31m(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm[0m +[0;31m `- [fail] using small 1024-bit modulus[0m + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 +[0;31m(key) ssh-dss -- [fail] using small 1024-bit modulus[0m +[0;33m `- [warn] using weak random number generator could reveal the key[0m + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 + `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0 + +[0;36m# encryption algorithms (ciphers)[0m +[0;33m(enc) aes128-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 +[0;31m(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +[0;31m(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +[0;31m(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 2.1.0 +[0;31m(enc) arcfour -- [fail] using broken RC4 cipher[0m + `- [info] available since OpenSSH 2.1.0 +[0;33m(enc) aes192-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0 +[0;33m(enc) aes256-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47 +[0;31m(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher[0m +[0;33m `- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0 + `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0 +[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m +[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m +[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m + +[0;36m# message authentication code algorithms[0m +[0;31m(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +[0;31m(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +[0;31m(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0 +[0;31m(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0 +[0;31m(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47 +[0;31m(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0 + +[0;36m# fingerprints[0m +[0;32m(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4[0m + +[0;36m# algorithm recommendations (for OpenSSH 4.0)[0m +[0;31m(rec) -3des-cbc -- enc algorithm to remove [0m +[0;31m(rec) -arcfour -- enc algorithm to remove [0m +[0;31m(rec) -blowfish-cbc -- enc algorithm to remove [0m +[0;31m(rec) -cast128-cbc -- enc algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -hmac-md5 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-md5-96 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-ripemd160 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove [0m +[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-sha1-96 -- mac algorithm to remove [0m +[0;31m(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove [0m +[0;31m(rec) -ssh-dss -- key algorithm to remove [0m +[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m +[0;33m(rec) -aes128-cbc -- enc algorithm to remove [0m +[0;33m(rec) -aes192-cbc -- enc algorithm to remove [0m +[0;33m(rec) -aes256-cbc -- enc algorithm to remove [0m + +[0;36m# additional info[0m +[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m + diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json new file mode 100644 index 0000000..6480bca --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json @@ -0,0 +1,6 @@ +{ + "errors": [], + "host": "localhost", + "passed": true, + "policy": "Docker policy: test1 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.txt new file mode 100644 index 0000000..01146f8 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.txt @@ -0,0 +1,3 @@ +Host: localhost:2222 +Policy: Docker policy: test1 (version 1) +Result: [0;32m✔ Passed[0m diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json new file mode 100644 index 0000000..0a1e148 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json @@ -0,0 +1,31 @@ +{ + "errors": [ + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Host key (ssh-rsa-cert-v01@openssh.com) sizes" + }, + { + "actual": [ + "1024" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "CA signature size (ssh-rsa)" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker poliicy: test10 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt new file mode 100644 index 0000000..425d463 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt @@ -0,0 +1,28 @@ + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + +Host: localhost:2222 +Policy: Docker poliicy: test10 (version 1) +Result: [0;31m❌ Failed![0m +[0;33m +Errors: + * CA signature size (ssh-rsa) did not match. + - Expected: 4096 + - Actual: 1024 + + * Host key (ssh-rsa-cert-v01@openssh.com) sizes did not match. + - Expected: 4096 + - Actual: 3072 +[0m diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json new file mode 100644 index 0000000..edf4254 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json @@ -0,0 +1,23 @@ +{ + "errors": [ + { + "actual": [ + "diffie-hellman-group-exchange-sha256", + "diffie-hellman-group-exchange-sha1", + "diffie-hellman-group14-sha1", + "diffie-hellman-group1-sha1" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "kex_alg1", + "kex_alg2" + ], + "mismatched_field": "Key exchanges" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker policy: test2 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt new file mode 100644 index 0000000..e88e44b --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt @@ -0,0 +1,9 @@ +Host: localhost:2222 +Policy: Docker policy: test2 (version 1) +Result: [0;31m❌ Failed![0m +[0;33m +Errors: + * Key exchanges did not match. + - Expected: kex_alg1, kex_alg2 + - Actual: diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1 +[0m diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json new file mode 100644 index 0000000..a98fa8d --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json @@ -0,0 +1,22 @@ +{ + "errors": [ + { + "actual": [ + "ssh-rsa", + "ssh-dss" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "ssh-rsa", + "ssh-dss", + "key_alg1" + ], + "mismatched_field": "Host keys" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker policy: test3 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt new file mode 100644 index 0000000..cf7eefc --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt @@ -0,0 +1,9 @@ +Host: localhost:2222 +Policy: Docker policy: test3 (version 1) +Result: [0;31m❌ Failed![0m +[0;33m +Errors: + * Host keys did not match. + - Expected: ssh-rsa, ssh-dss, key_alg1 + - Actual: ssh-rsa, ssh-dss +[0m diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json new file mode 100644 index 0000000..317f7e2 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json @@ -0,0 +1,32 @@ +{ + "errors": [ + { + "actual": [ + "aes128-ctr", + "aes192-ctr", + "aes256-ctr", + "arcfour256", + "arcfour128", + "aes128-cbc", + "3des-cbc", + "blowfish-cbc", + "cast128-cbc", + "aes192-cbc", + "aes256-cbc", + "arcfour", + "rijndael-cbc@lysator.liu.se" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "cipher_alg1", + "cipher_alg2" + ], + "mismatched_field": "Ciphers" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker policy: test4 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt new file mode 100644 index 0000000..514b715 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt @@ -0,0 +1,9 @@ +Host: localhost:2222 +Policy: Docker policy: test4 (version 1) +Result: [0;31m❌ Failed![0m +[0;33m +Errors: + * Ciphers did not match. + - Expected: cipher_alg1, cipher_alg2 + - Actual: aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se +[0m diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json new file mode 100644 index 0000000..50c0b86 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json @@ -0,0 +1,31 @@ +{ + "errors": [ + { + "actual": [ + "hmac-md5", + "hmac-sha1", + "umac-64@openssh.com", + "hmac-ripemd160", + "hmac-ripemd160@openssh.com", + "hmac-sha1-96", + "hmac-md5-96" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "hmac-md5", + "hmac-sha1", + "umac-64@openssh.com", + "hmac-ripemd160", + "hmac-ripemd160@openssh.com", + "hmac_alg1", + "hmac-md5-96" + ], + "mismatched_field": "MACs" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker policy: test5 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt new file mode 100644 index 0000000..746ca8c --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt @@ -0,0 +1,9 @@ +Host: localhost:2222 +Policy: Docker policy: test5 (version 1) +Result: [0;31m❌ Failed![0m +[0;33m +Errors: + * MACs did not match. + - Expected: hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac_alg1, hmac-md5-96 + - Actual: hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96 +[0m diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json new file mode 100644 index 0000000..dcc1d6c --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json @@ -0,0 +1,6 @@ +{ + "errors": [], + "host": "localhost", + "passed": true, + "policy": "Docker poliicy: test7 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.txt new file mode 100644 index 0000000..1d3af14 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.txt @@ -0,0 +1,18 @@ + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + +Host: localhost:2222 +Policy: Docker poliicy: test7 (version 1) +Result: [0;32m✔ Passed[0m diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json new file mode 100644 index 0000000..e7f06a6 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json @@ -0,0 +1,19 @@ +{ + "errors": [ + { + "actual": [ + "1024" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "2048" + ], + "mismatched_field": "CA signature size (ssh-rsa)" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker poliicy: test8 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt new file mode 100644 index 0000000..05ab91d --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt @@ -0,0 +1,24 @@ + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + +Host: localhost:2222 +Policy: Docker poliicy: test8 (version 1) +Result: [0;31m❌ Failed![0m +[0;33m +Errors: + * CA signature size (ssh-rsa) did not match. + - Expected: 2048 + - Actual: 1024 +[0m diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json new file mode 100644 index 0000000..51d1067 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json @@ -0,0 +1,19 @@ +{ + "errors": [ + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Host key (ssh-rsa-cert-v01@openssh.com) sizes" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker poliicy: test9 (version 1)" +} diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt new file mode 100644 index 0000000..94060ab --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt @@ -0,0 +1,24 @@ + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + +Host: localhost:2222 +Policy: Docker poliicy: test9 (version 1) +Result: [0;31m❌ Failed![0m +[0;33m +Errors: + * Host key (ssh-rsa-cert-v01@openssh.com) sizes did not match. + - Expected: 4096 + - Actual: 3072 +[0m diff --git a/test/docker/expected_results/openssh_5.6p1_test1.json b/test/docker/expected_results/openssh_5.6p1_test1.json new file mode 100644 index 0000000..53216e5 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test1.json @@ -0,0 +1,558 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "2.0", + "raw": "SSH-2.0-OpenSSH_5.6", + "software": "OpenSSH_5.6" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames due to timing discrepancies", + "name": "CVE-2018-15473" + }, + { + "cvssv2": 5.3, + "description": "readonly bypass via sftp", + "name": "CVE-2017-15906" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + }, + { + "cvssv2": 5.5, + "description": "bypass command restrictions via crafted X11 forwarding data", + "name": "CVE-2016-3115" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via crafted network traffic (out of bounds read)", + "name": "CVE-2016-1907" + }, + { + "cvssv2": 6.9, + "description": "privilege escalation via leveraging sshd uid", + "name": "CVE-2015-6564" + }, + { + "cvssv2": 1.9, + "description": "conduct impersonation attack", + "name": "CVE-2015-6563" + }, + { + "cvssv2": 5.8, + "description": "bypass environment restrictions via specific string before wildcard", + "name": "CVE-2014-2532" + }, + { + "cvssv2": 7.5, + "description": "cause DoS via triggering error condition (memory corruption)", + "name": "CVE-2014-1692" + }, + { + "cvssv2": 3.5, + "description": "leak data via debug messages", + "name": "CVE-2012-0814" + }, + { + "cvssv2": 3.5, + "description": "cause DoS via large value in certain length field (memory consumption)", + "name": "CVE-2011-5000" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via large number of connections (slot exhaustion)", + "name": "CVE-2010-5107" + }, + { + "cvssv2": 4.0, + "description": "cause DoS via crafted glob expression (CPU and memory consumption)", + "name": "CVE-2010-4755" + }, + { + "cvssv2": 7.5, + "description": "bypass authentication check via crafted values", + "name": "CVE-2010-4478" + } + ], + "enc": [ + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes192-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "arcfour256", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "arcfour128", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "aes128-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "3des-cbc", + "notes": { + "fail": [ + "using broken & deprecated 3DES cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "blowfish-cbc", + "notes": { + "fail": [ + "using weak & deprecated Blowfish cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "cast128-cbc", + "notes": { + "fail": [ + "using weak & deprecated CAST cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "aes192-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "aes256-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.47" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "arcfour", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ] + } + }, + { + "algorithm": "rijndael-cbc@lysator.liu.se", + "notes": { + "fail": [ + "using deprecated & non-standardized Rijndael cipher" + ], + "info": [ + "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0", + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + } + ], + "fingerprints": [ + { + "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 4.4" + ] + } + }, + { + "algorithm": "diffie-hellman-group-exchange-sha1", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 2.3.0" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 3.9, Dropbear SSH 0.53" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "diffie-hellman-group1-sha1", + "notes": { + "fail": [ + "using small 1024-bit modulus", + "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)", + "using broken SHA-1 hash algorithm" + ], + "info": [ + "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ] + } + } + ], + "key": [ + { + "algorithm": "ssh-rsa", + "keysize": 1024, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm", + "using small 1024-bit modulus" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 2.5.0, Dropbear SSH 0.28" + ] + } + }, + { + "algorithm": "ssh-dss", + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0", + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak random number generator could reveal the key" + ] + } + } + ], + "mac": [ + { + "algorithm": "hmac-md5", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "umac-64@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 4.7" + ], + "warn": [ + "using encrypt-and-MAC mode", + "using small 64-bit tag size" + ] + } + }, + { + "algorithm": "hmac-ripemd160", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-ripemd160@openssh.com", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1-96", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0, Dropbear SSH 0.47" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-md5-96", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": { + "critical": { + "chg": { + "kex": [ + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "increase modulus size to 3072 bits or larger" + } + ] + }, + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "arcfour128", + "notes": "" + }, + { + "name": "arcfour", + "notes": "" + }, + { + "name": "arcfour256", + "notes": "" + }, + { + "name": "blowfish-cbc", + "notes": "" + }, + { + "name": "cast128-cbc", + "notes": "" + }, + { + "name": "rijndael-cbc@lysator.liu.se", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group1-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha1", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-dss", + "notes": "" + }, + { + "name": "ssh-rsa", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-md5", + "notes": "" + }, + { + "name": "hmac-md5-96", + "notes": "" + }, + { + "name": "hmac-ripemd160", + "notes": "" + }, + { + "name": "hmac-ripemd160@openssh.com", + "notes": "" + }, + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes192-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ], + "mac": [ + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_5.6p1_test1.txt b/test/docker/expected_results/openssh_5.6p1_test1.txt new file mode 100644 index 0000000..601dc39 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test1.txt @@ -0,0 +1,134 @@ +[0;36m# general[0m +[0;32m(gen) banner: SSH-2.0-OpenSSH_5.6[0m +[0;32m(gen) software: OpenSSH 5.6[0m +[0;32m(gen) compatibility: OpenSSH 4.7-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)[0m +[0;32m(gen) compression: enabled (zlib@openssh.com)[0m + +[0;36m# security[0m +[0;33m(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers[0m +[0;33m(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies[0m +[0;33m(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp[0m +[0;33m(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response[0m +[0;33m(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data[0m +[0;33m(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)[0m +[0;33m(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid[0m +[0;33m(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack[0m +[0;33m(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard[0m +[0;33m(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)[0m +[0;33m(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages[0m +[0;33m(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)[0m +[0;33m(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)[0m +[0;33m(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)[0m +[0;33m(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values[0m + +[0;36m# key exchange algorithms[0m +[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m + `- [info] available since OpenSSH 4.4 +[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m + `- [info] available since OpenSSH 2.3.0 +[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 +[0;31m(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus[0m +[0;31m `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m +[0;31m `- [fail] using broken SHA-1 hash algorithm[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 + `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 + +[0;36m# host-key algorithms[0m +[0;31m(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm[0m +[0;31m `- [fail] using small 1024-bit modulus[0m + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 +[0;31m(key) ssh-dss -- [fail] using small 1024-bit modulus[0m +[0;33m `- [warn] using weak random number generator could reveal the key[0m + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 + `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0 + +[0;36m# encryption algorithms (ciphers)[0m +[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m +[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m +[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m +[0;31m(enc) arcfour256 -- [fail] using broken RC4 cipher[0m + `- [info] available since OpenSSH 4.2 +[0;31m(enc) arcfour128 -- [fail] using broken RC4 cipher[0m + `- [info] available since OpenSSH 4.2 +[0;33m(enc) aes128-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 +[0;31m(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +[0;31m(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +[0;31m(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 2.1.0 +[0;33m(enc) aes192-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0 +[0;33m(enc) aes256-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47 +[0;31m(enc) arcfour -- [fail] using broken RC4 cipher[0m + `- [info] available since OpenSSH 2.1.0 +[0;31m(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher[0m +[0;33m `- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0 + `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0 + +[0;36m# message authentication code algorithms[0m +[0;31m(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +[0;31m(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +[0;33m(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode[0m +[0;33m `- [warn] using small 64-bit tag size[0m + `- [info] available since OpenSSH 4.7 +[0;31m(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0 +[0;31m(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0 +[0;31m(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47 +[0;31m(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0 + +[0;36m# fingerprints[0m +[0;32m(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4[0m + +[0;36m# algorithm recommendations (for OpenSSH 5.6)[0m +[0;31m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) [0m +[0;31m(rec) -3des-cbc -- enc algorithm to remove [0m +[0;31m(rec) -arcfour -- enc algorithm to remove [0m +[0;31m(rec) -arcfour128 -- enc algorithm to remove [0m +[0;31m(rec) -arcfour256 -- enc algorithm to remove [0m +[0;31m(rec) -blowfish-cbc -- enc algorithm to remove [0m +[0;31m(rec) -cast128-cbc -- enc algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -hmac-md5 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-md5-96 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-ripemd160 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove [0m +[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-sha1-96 -- mac algorithm to remove [0m +[0;31m(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove [0m +[0;31m(rec) -ssh-dss -- key algorithm to remove [0m +[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m +[0;33m(rec) -aes128-cbc -- enc algorithm to remove [0m +[0;33m(rec) -aes192-cbc -- enc algorithm to remove [0m +[0;33m(rec) -aes256-cbc -- enc algorithm to remove [0m +[0;33m(rec) -umac-64@openssh.com -- mac algorithm to remove [0m + +[0;36m# additional info[0m +[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m + diff --git a/test/docker/expected_results/openssh_5.6p1_test2.json b/test/docker/expected_results/openssh_5.6p1_test2.json new file mode 100644 index 0000000..a1dd987 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test2.json @@ -0,0 +1,560 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "2.0", + "raw": "SSH-2.0-OpenSSH_5.6", + "software": "OpenSSH_5.6" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames due to timing discrepancies", + "name": "CVE-2018-15473" + }, + { + "cvssv2": 5.3, + "description": "readonly bypass via sftp", + "name": "CVE-2017-15906" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + }, + { + "cvssv2": 5.5, + "description": "bypass command restrictions via crafted X11 forwarding data", + "name": "CVE-2016-3115" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via crafted network traffic (out of bounds read)", + "name": "CVE-2016-1907" + }, + { + "cvssv2": 6.9, + "description": "privilege escalation via leveraging sshd uid", + "name": "CVE-2015-6564" + }, + { + "cvssv2": 1.9, + "description": "conduct impersonation attack", + "name": "CVE-2015-6563" + }, + { + "cvssv2": 5.8, + "description": "bypass environment restrictions via specific string before wildcard", + "name": "CVE-2014-2532" + }, + { + "cvssv2": 7.5, + "description": "cause DoS via triggering error condition (memory corruption)", + "name": "CVE-2014-1692" + }, + { + "cvssv2": 3.5, + "description": "leak data via debug messages", + "name": "CVE-2012-0814" + }, + { + "cvssv2": 3.5, + "description": "cause DoS via large value in certain length field (memory consumption)", + "name": "CVE-2011-5000" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via large number of connections (slot exhaustion)", + "name": "CVE-2010-5107" + }, + { + "cvssv2": 4.0, + "description": "cause DoS via crafted glob expression (CPU and memory consumption)", + "name": "CVE-2010-4755" + }, + { + "cvssv2": 7.5, + "description": "bypass authentication check via crafted values", + "name": "CVE-2010-4478" + } + ], + "enc": [ + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes192-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "arcfour256", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "arcfour128", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "aes128-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "3des-cbc", + "notes": { + "fail": [ + "using broken & deprecated 3DES cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "blowfish-cbc", + "notes": { + "fail": [ + "using weak & deprecated Blowfish cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "cast128-cbc", + "notes": { + "fail": [ + "using weak & deprecated CAST cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "aes192-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "aes256-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.47" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "arcfour", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ] + } + }, + { + "algorithm": "rijndael-cbc@lysator.liu.se", + "notes": { + "fail": [ + "using deprecated & non-standardized Rijndael cipher" + ], + "info": [ + "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0", + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + } + ], + "fingerprints": [ + { + "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 4.4" + ] + } + }, + { + "algorithm": "diffie-hellman-group-exchange-sha1", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 2.3.0" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 3.9, Dropbear SSH 0.53" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "diffie-hellman-group1-sha1", + "notes": { + "fail": [ + "using small 1024-bit modulus", + "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)", + "using broken SHA-1 hash algorithm" + ], + "info": [ + "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ] + } + } + ], + "key": [ + { + "algorithm": "ssh-rsa", + "keysize": 1024, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm", + "using small 1024-bit modulus" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 2.5.0, Dropbear SSH 0.28" + ] + } + }, + { + "algorithm": "ssh-rsa-cert-v01@openssh.com", + "ca_algorithm": "ssh-rsa", + "casize": 1024, + "keysize": 1024, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm", + "using small 1024-bit hostkey modulus", + "using small 1024-bit CA key modulus" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 5.6" + ] + } + } + ], + "mac": [ + { + "algorithm": "hmac-md5", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "umac-64@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 4.7" + ], + "warn": [ + "using encrypt-and-MAC mode", + "using small 64-bit tag size" + ] + } + }, + { + "algorithm": "hmac-ripemd160", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-ripemd160@openssh.com", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1-96", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0, Dropbear SSH 0.47" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-md5-96", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": { + "critical": { + "chg": { + "kex": [ + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "increase modulus size to 3072 bits or larger" + } + ] + }, + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "arcfour128", + "notes": "" + }, + { + "name": "arcfour", + "notes": "" + }, + { + "name": "arcfour256", + "notes": "" + }, + { + "name": "blowfish-cbc", + "notes": "" + }, + { + "name": "cast128-cbc", + "notes": "" + }, + { + "name": "rijndael-cbc@lysator.liu.se", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group1-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha1", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-rsa", + "notes": "" + }, + { + "name": "ssh-rsa-cert-v01@openssh.com", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-md5", + "notes": "" + }, + { + "name": "hmac-md5-96", + "notes": "" + }, + { + "name": "hmac-ripemd160", + "notes": "" + }, + { + "name": "hmac-ripemd160@openssh.com", + "notes": "" + }, + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes192-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ], + "mac": [ + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_5.6p1_test2.txt b/test/docker/expected_results/openssh_5.6p1_test2.txt new file mode 100644 index 0000000..6b3b975 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test2.txt @@ -0,0 +1,135 @@ +[0;36m# general[0m +[0;32m(gen) banner: SSH-2.0-OpenSSH_5.6[0m +[0;32m(gen) software: OpenSSH 5.6[0m +[0;32m(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)[0m +[0;32m(gen) compression: enabled (zlib@openssh.com)[0m + +[0;36m# security[0m +[0;33m(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers[0m +[0;33m(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies[0m +[0;33m(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp[0m +[0;33m(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response[0m +[0;33m(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data[0m +[0;33m(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)[0m +[0;33m(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid[0m +[0;33m(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack[0m +[0;33m(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard[0m +[0;33m(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)[0m +[0;33m(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages[0m +[0;33m(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)[0m +[0;33m(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)[0m +[0;33m(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)[0m +[0;33m(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values[0m + +[0;36m# key exchange algorithms[0m +[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m + `- [info] available since OpenSSH 4.4 +[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m + `- [info] available since OpenSSH 2.3.0 +[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 +[0;31m(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus[0m +[0;31m `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m +[0;31m `- [fail] using broken SHA-1 hash algorithm[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 + `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 + +[0;36m# host-key algorithms[0m +[0;31m(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm[0m +[0;31m `- [fail] using small 1024-bit modulus[0m + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 +[0;31m(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/1024-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm[0m +[0;31m `- [fail] using small 1024-bit hostkey modulus[0m +[0;31m `- [fail] using small 1024-bit CA key modulus[0m + `- [info] available since OpenSSH 5.6 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 + +[0;36m# encryption algorithms (ciphers)[0m +[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m +[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m +[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m +[0;31m(enc) arcfour256 -- [fail] using broken RC4 cipher[0m + `- [info] available since OpenSSH 4.2 +[0;31m(enc) arcfour128 -- [fail] using broken RC4 cipher[0m + `- [info] available since OpenSSH 4.2 +[0;33m(enc) aes128-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 +[0;31m(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +[0;31m(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +[0;31m(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 2.1.0 +[0;33m(enc) aes192-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0 +[0;33m(enc) aes256-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47 +[0;31m(enc) arcfour -- [fail] using broken RC4 cipher[0m + `- [info] available since OpenSSH 2.1.0 +[0;31m(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher[0m +[0;33m `- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0 + `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0 + +[0;36m# message authentication code algorithms[0m +[0;31m(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +[0;31m(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +[0;33m(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode[0m +[0;33m `- [warn] using small 64-bit tag size[0m + `- [info] available since OpenSSH 4.7 +[0;31m(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0 +[0;31m(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0 +[0;31m(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47 +[0;31m(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0 + +[0;36m# fingerprints[0m +[0;32m(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4[0m + +[0;36m# algorithm recommendations (for OpenSSH 5.6)[0m +[0;31m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) [0m +[0;31m(rec) -3des-cbc -- enc algorithm to remove [0m +[0;31m(rec) -arcfour -- enc algorithm to remove [0m +[0;31m(rec) -arcfour128 -- enc algorithm to remove [0m +[0;31m(rec) -arcfour256 -- enc algorithm to remove [0m +[0;31m(rec) -blowfish-cbc -- enc algorithm to remove [0m +[0;31m(rec) -cast128-cbc -- enc algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -hmac-md5 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-md5-96 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-ripemd160 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove [0m +[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-sha1-96 -- mac algorithm to remove [0m +[0;31m(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove [0m +[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m +[0;31m(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove [0m +[0;33m(rec) -aes128-cbc -- enc algorithm to remove [0m +[0;33m(rec) -aes192-cbc -- enc algorithm to remove [0m +[0;33m(rec) -aes256-cbc -- enc algorithm to remove [0m +[0;33m(rec) -umac-64@openssh.com -- mac algorithm to remove [0m + +[0;36m# additional info[0m +[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m + diff --git a/test/docker/expected_results/openssh_5.6p1_test3.json b/test/docker/expected_results/openssh_5.6p1_test3.json new file mode 100644 index 0000000..2cbd316 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test3.json @@ -0,0 +1,559 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "2.0", + "raw": "SSH-2.0-OpenSSH_5.6", + "software": "OpenSSH_5.6" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames due to timing discrepancies", + "name": "CVE-2018-15473" + }, + { + "cvssv2": 5.3, + "description": "readonly bypass via sftp", + "name": "CVE-2017-15906" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + }, + { + "cvssv2": 5.5, + "description": "bypass command restrictions via crafted X11 forwarding data", + "name": "CVE-2016-3115" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via crafted network traffic (out of bounds read)", + "name": "CVE-2016-1907" + }, + { + "cvssv2": 6.9, + "description": "privilege escalation via leveraging sshd uid", + "name": "CVE-2015-6564" + }, + { + "cvssv2": 1.9, + "description": "conduct impersonation attack", + "name": "CVE-2015-6563" + }, + { + "cvssv2": 5.8, + "description": "bypass environment restrictions via specific string before wildcard", + "name": "CVE-2014-2532" + }, + { + "cvssv2": 7.5, + "description": "cause DoS via triggering error condition (memory corruption)", + "name": "CVE-2014-1692" + }, + { + "cvssv2": 3.5, + "description": "leak data via debug messages", + "name": "CVE-2012-0814" + }, + { + "cvssv2": 3.5, + "description": "cause DoS via large value in certain length field (memory consumption)", + "name": "CVE-2011-5000" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via large number of connections (slot exhaustion)", + "name": "CVE-2010-5107" + }, + { + "cvssv2": 4.0, + "description": "cause DoS via crafted glob expression (CPU and memory consumption)", + "name": "CVE-2010-4755" + }, + { + "cvssv2": 7.5, + "description": "bypass authentication check via crafted values", + "name": "CVE-2010-4478" + } + ], + "enc": [ + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes192-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "arcfour256", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "arcfour128", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "aes128-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "3des-cbc", + "notes": { + "fail": [ + "using broken & deprecated 3DES cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "blowfish-cbc", + "notes": { + "fail": [ + "using weak & deprecated Blowfish cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "cast128-cbc", + "notes": { + "fail": [ + "using weak & deprecated CAST cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "aes192-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "aes256-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.47" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "arcfour", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ] + } + }, + { + "algorithm": "rijndael-cbc@lysator.liu.se", + "notes": { + "fail": [ + "using deprecated & non-standardized Rijndael cipher" + ], + "info": [ + "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0", + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + } + ], + "fingerprints": [ + { + "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 4.4" + ] + } + }, + { + "algorithm": "diffie-hellman-group-exchange-sha1", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 2.3.0" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 3.9, Dropbear SSH 0.53" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "diffie-hellman-group1-sha1", + "notes": { + "fail": [ + "using small 1024-bit modulus", + "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)", + "using broken SHA-1 hash algorithm" + ], + "info": [ + "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ] + } + } + ], + "key": [ + { + "algorithm": "ssh-rsa", + "keysize": 1024, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm", + "using small 1024-bit modulus" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 2.5.0, Dropbear SSH 0.28" + ] + } + }, + { + "algorithm": "ssh-rsa-cert-v01@openssh.com", + "ca_algorithm": "ssh-rsa", + "casize": 3072, + "keysize": 1024, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm", + "using small 1024-bit hostkey modulus" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 5.6" + ] + } + } + ], + "mac": [ + { + "algorithm": "hmac-md5", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "umac-64@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 4.7" + ], + "warn": [ + "using encrypt-and-MAC mode", + "using small 64-bit tag size" + ] + } + }, + { + "algorithm": "hmac-ripemd160", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-ripemd160@openssh.com", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1-96", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0, Dropbear SSH 0.47" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-md5-96", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": { + "critical": { + "chg": { + "kex": [ + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "increase modulus size to 3072 bits or larger" + } + ] + }, + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "arcfour128", + "notes": "" + }, + { + "name": "arcfour", + "notes": "" + }, + { + "name": "arcfour256", + "notes": "" + }, + { + "name": "blowfish-cbc", + "notes": "" + }, + { + "name": "cast128-cbc", + "notes": "" + }, + { + "name": "rijndael-cbc@lysator.liu.se", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group1-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha1", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-rsa", + "notes": "" + }, + { + "name": "ssh-rsa-cert-v01@openssh.com", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-md5", + "notes": "" + }, + { + "name": "hmac-md5-96", + "notes": "" + }, + { + "name": "hmac-ripemd160", + "notes": "" + }, + { + "name": "hmac-ripemd160@openssh.com", + "notes": "" + }, + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes192-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ], + "mac": [ + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_5.6p1_test3.txt b/test/docker/expected_results/openssh_5.6p1_test3.txt new file mode 100644 index 0000000..991c502 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test3.txt @@ -0,0 +1,134 @@ +[0;36m# general[0m +[0;32m(gen) banner: SSH-2.0-OpenSSH_5.6[0m +[0;32m(gen) software: OpenSSH 5.6[0m +[0;32m(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)[0m +[0;32m(gen) compression: enabled (zlib@openssh.com)[0m + +[0;36m# security[0m +[0;33m(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers[0m +[0;33m(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies[0m +[0;33m(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp[0m +[0;33m(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response[0m +[0;33m(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data[0m +[0;33m(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)[0m +[0;33m(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid[0m +[0;33m(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack[0m +[0;33m(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard[0m +[0;33m(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)[0m +[0;33m(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages[0m +[0;33m(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)[0m +[0;33m(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)[0m +[0;33m(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)[0m +[0;33m(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values[0m + +[0;36m# key exchange algorithms[0m +[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m + `- [info] available since OpenSSH 4.4 +[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m + `- [info] available since OpenSSH 2.3.0 +[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 +[0;31m(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus[0m +[0;31m `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m +[0;31m `- [fail] using broken SHA-1 hash algorithm[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 + `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 + +[0;36m# host-key algorithms[0m +[0;31m(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm[0m +[0;31m `- [fail] using small 1024-bit modulus[0m + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 +[0;31m(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/3072-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm[0m +[0;31m `- [fail] using small 1024-bit hostkey modulus[0m + `- [info] available since OpenSSH 5.6 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 + +[0;36m# encryption algorithms (ciphers)[0m +[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m +[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m +[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m +[0;31m(enc) arcfour256 -- [fail] using broken RC4 cipher[0m + `- [info] available since OpenSSH 4.2 +[0;31m(enc) arcfour128 -- [fail] using broken RC4 cipher[0m + `- [info] available since OpenSSH 4.2 +[0;33m(enc) aes128-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 +[0;31m(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +[0;31m(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +[0;31m(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 2.1.0 +[0;33m(enc) aes192-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0 +[0;33m(enc) aes256-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47 +[0;31m(enc) arcfour -- [fail] using broken RC4 cipher[0m + `- [info] available since OpenSSH 2.1.0 +[0;31m(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher[0m +[0;33m `- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0 + `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0 + +[0;36m# message authentication code algorithms[0m +[0;31m(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +[0;31m(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +[0;33m(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode[0m +[0;33m `- [warn] using small 64-bit tag size[0m + `- [info] available since OpenSSH 4.7 +[0;31m(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0 +[0;31m(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0 +[0;31m(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47 +[0;31m(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0 + +[0;36m# fingerprints[0m +[0;32m(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4[0m + +[0;36m# algorithm recommendations (for OpenSSH 5.6)[0m +[0;31m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) [0m +[0;31m(rec) -3des-cbc -- enc algorithm to remove [0m +[0;31m(rec) -arcfour -- enc algorithm to remove [0m +[0;31m(rec) -arcfour128 -- enc algorithm to remove [0m +[0;31m(rec) -arcfour256 -- enc algorithm to remove [0m +[0;31m(rec) -blowfish-cbc -- enc algorithm to remove [0m +[0;31m(rec) -cast128-cbc -- enc algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -hmac-md5 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-md5-96 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-ripemd160 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove [0m +[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-sha1-96 -- mac algorithm to remove [0m +[0;31m(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove [0m +[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m +[0;31m(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove [0m +[0;33m(rec) -aes128-cbc -- enc algorithm to remove [0m +[0;33m(rec) -aes192-cbc -- enc algorithm to remove [0m +[0;33m(rec) -aes256-cbc -- enc algorithm to remove [0m +[0;33m(rec) -umac-64@openssh.com -- mac algorithm to remove [0m + +[0;36m# additional info[0m +[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m + diff --git a/test/docker/expected_results/openssh_5.6p1_test4.json b/test/docker/expected_results/openssh_5.6p1_test4.json new file mode 100644 index 0000000..90f5fc6 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test4.json @@ -0,0 +1,558 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "2.0", + "raw": "SSH-2.0-OpenSSH_5.6", + "software": "OpenSSH_5.6" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames due to timing discrepancies", + "name": "CVE-2018-15473" + }, + { + "cvssv2": 5.3, + "description": "readonly bypass via sftp", + "name": "CVE-2017-15906" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + }, + { + "cvssv2": 5.5, + "description": "bypass command restrictions via crafted X11 forwarding data", + "name": "CVE-2016-3115" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via crafted network traffic (out of bounds read)", + "name": "CVE-2016-1907" + }, + { + "cvssv2": 6.9, + "description": "privilege escalation via leveraging sshd uid", + "name": "CVE-2015-6564" + }, + { + "cvssv2": 1.9, + "description": "conduct impersonation attack", + "name": "CVE-2015-6563" + }, + { + "cvssv2": 5.8, + "description": "bypass environment restrictions via specific string before wildcard", + "name": "CVE-2014-2532" + }, + { + "cvssv2": 7.5, + "description": "cause DoS via triggering error condition (memory corruption)", + "name": "CVE-2014-1692" + }, + { + "cvssv2": 3.5, + "description": "leak data via debug messages", + "name": "CVE-2012-0814" + }, + { + "cvssv2": 3.5, + "description": "cause DoS via large value in certain length field (memory consumption)", + "name": "CVE-2011-5000" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via large number of connections (slot exhaustion)", + "name": "CVE-2010-5107" + }, + { + "cvssv2": 4.0, + "description": "cause DoS via crafted glob expression (CPU and memory consumption)", + "name": "CVE-2010-4755" + }, + { + "cvssv2": 7.5, + "description": "bypass authentication check via crafted values", + "name": "CVE-2010-4478" + } + ], + "enc": [ + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes192-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "arcfour256", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "arcfour128", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "aes128-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "3des-cbc", + "notes": { + "fail": [ + "using broken & deprecated 3DES cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "blowfish-cbc", + "notes": { + "fail": [ + "using weak & deprecated Blowfish cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "cast128-cbc", + "notes": { + "fail": [ + "using weak & deprecated CAST cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "aes192-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "aes256-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.47" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "arcfour", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ] + } + }, + { + "algorithm": "rijndael-cbc@lysator.liu.se", + "notes": { + "fail": [ + "using deprecated & non-standardized Rijndael cipher" + ], + "info": [ + "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0", + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + } + ], + "fingerprints": [ + { + "hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 4.4" + ] + } + }, + { + "algorithm": "diffie-hellman-group-exchange-sha1", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 2.3.0" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 3.9, Dropbear SSH 0.53" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "diffie-hellman-group1-sha1", + "notes": { + "fail": [ + "using small 1024-bit modulus", + "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)", + "using broken SHA-1 hash algorithm" + ], + "info": [ + "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ] + } + } + ], + "key": [ + { + "algorithm": "ssh-rsa", + "keysize": 3072, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 2.5.0, Dropbear SSH 0.28" + ] + } + }, + { + "algorithm": "ssh-rsa-cert-v01@openssh.com", + "ca_algorithm": "ssh-rsa", + "casize": 1024, + "keysize": 3072, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm", + "using small 1024-bit CA key modulus" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 5.6" + ] + } + } + ], + "mac": [ + { + "algorithm": "hmac-md5", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "umac-64@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 4.7" + ], + "warn": [ + "using encrypt-and-MAC mode", + "using small 64-bit tag size" + ] + } + }, + { + "algorithm": "hmac-ripemd160", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-ripemd160@openssh.com", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1-96", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0, Dropbear SSH 0.47" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-md5-96", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": { + "critical": { + "chg": { + "kex": [ + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "increase modulus size to 3072 bits or larger" + } + ] + }, + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "arcfour128", + "notes": "" + }, + { + "name": "arcfour", + "notes": "" + }, + { + "name": "arcfour256", + "notes": "" + }, + { + "name": "blowfish-cbc", + "notes": "" + }, + { + "name": "cast128-cbc", + "notes": "" + }, + { + "name": "rijndael-cbc@lysator.liu.se", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group1-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha1", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-rsa", + "notes": "" + }, + { + "name": "ssh-rsa-cert-v01@openssh.com", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-md5", + "notes": "" + }, + { + "name": "hmac-md5-96", + "notes": "" + }, + { + "name": "hmac-ripemd160", + "notes": "" + }, + { + "name": "hmac-ripemd160@openssh.com", + "notes": "" + }, + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes192-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ], + "mac": [ + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_5.6p1_test4.txt b/test/docker/expected_results/openssh_5.6p1_test4.txt new file mode 100644 index 0000000..2fb3e19 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test4.txt @@ -0,0 +1,133 @@ +[0;36m# general[0m +[0;32m(gen) banner: SSH-2.0-OpenSSH_5.6[0m +[0;32m(gen) software: OpenSSH 5.6[0m +[0;32m(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)[0m +[0;32m(gen) compression: enabled (zlib@openssh.com)[0m + +[0;36m# security[0m +[0;33m(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers[0m +[0;33m(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies[0m +[0;33m(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp[0m +[0;33m(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response[0m +[0;33m(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data[0m +[0;33m(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)[0m +[0;33m(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid[0m +[0;33m(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack[0m +[0;33m(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard[0m +[0;33m(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)[0m +[0;33m(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages[0m +[0;33m(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)[0m +[0;33m(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)[0m +[0;33m(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)[0m +[0;33m(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values[0m + +[0;36m# key exchange algorithms[0m +[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m + `- [info] available since OpenSSH 4.4 +[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m + `- [info] available since OpenSSH 2.3.0 +[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 +[0;31m(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus[0m +[0;31m `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m +[0;31m `- [fail] using broken SHA-1 hash algorithm[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 + `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 + +[0;36m# host-key algorithms[0m +[0;31m(key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm[0m + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 +[0;31m(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/1024-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm[0m +[0;31m `- [fail] using small 1024-bit CA key modulus[0m + `- [info] available since OpenSSH 5.6 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 + +[0;36m# encryption algorithms (ciphers)[0m +[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m +[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m +[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m +[0;31m(enc) arcfour256 -- [fail] using broken RC4 cipher[0m + `- [info] available since OpenSSH 4.2 +[0;31m(enc) arcfour128 -- [fail] using broken RC4 cipher[0m + `- [info] available since OpenSSH 4.2 +[0;33m(enc) aes128-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 +[0;31m(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +[0;31m(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +[0;31m(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 2.1.0 +[0;33m(enc) aes192-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0 +[0;33m(enc) aes256-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47 +[0;31m(enc) arcfour -- [fail] using broken RC4 cipher[0m + `- [info] available since OpenSSH 2.1.0 +[0;31m(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher[0m +[0;33m `- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0 + `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0 + +[0;36m# message authentication code algorithms[0m +[0;31m(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +[0;31m(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +[0;33m(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode[0m +[0;33m `- [warn] using small 64-bit tag size[0m + `- [info] available since OpenSSH 4.7 +[0;31m(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0 +[0;31m(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0 +[0;31m(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47 +[0;31m(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0 + +[0;36m# fingerprints[0m +[0;32m(fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244[0m + +[0;36m# algorithm recommendations (for OpenSSH 5.6)[0m +[0;31m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) [0m +[0;31m(rec) -3des-cbc -- enc algorithm to remove [0m +[0;31m(rec) -arcfour -- enc algorithm to remove [0m +[0;31m(rec) -arcfour128 -- enc algorithm to remove [0m +[0;31m(rec) -arcfour256 -- enc algorithm to remove [0m +[0;31m(rec) -blowfish-cbc -- enc algorithm to remove [0m +[0;31m(rec) -cast128-cbc -- enc algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -hmac-md5 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-md5-96 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-ripemd160 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove [0m +[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-sha1-96 -- mac algorithm to remove [0m +[0;31m(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove [0m +[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m +[0;31m(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove [0m +[0;33m(rec) -aes128-cbc -- enc algorithm to remove [0m +[0;33m(rec) -aes192-cbc -- enc algorithm to remove [0m +[0;33m(rec) -aes256-cbc -- enc algorithm to remove [0m +[0;33m(rec) -umac-64@openssh.com -- mac algorithm to remove [0m + +[0;36m# additional info[0m +[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m + diff --git a/test/docker/expected_results/openssh_5.6p1_test5.json b/test/docker/expected_results/openssh_5.6p1_test5.json new file mode 100644 index 0000000..0749cd1 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test5.json @@ -0,0 +1,557 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "2.0", + "raw": "SSH-2.0-OpenSSH_5.6", + "software": "OpenSSH_5.6" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames due to timing discrepancies", + "name": "CVE-2018-15473" + }, + { + "cvssv2": 5.3, + "description": "readonly bypass via sftp", + "name": "CVE-2017-15906" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + }, + { + "cvssv2": 5.5, + "description": "bypass command restrictions via crafted X11 forwarding data", + "name": "CVE-2016-3115" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via crafted network traffic (out of bounds read)", + "name": "CVE-2016-1907" + }, + { + "cvssv2": 6.9, + "description": "privilege escalation via leveraging sshd uid", + "name": "CVE-2015-6564" + }, + { + "cvssv2": 1.9, + "description": "conduct impersonation attack", + "name": "CVE-2015-6563" + }, + { + "cvssv2": 5.8, + "description": "bypass environment restrictions via specific string before wildcard", + "name": "CVE-2014-2532" + }, + { + "cvssv2": 7.5, + "description": "cause DoS via triggering error condition (memory corruption)", + "name": "CVE-2014-1692" + }, + { + "cvssv2": 3.5, + "description": "leak data via debug messages", + "name": "CVE-2012-0814" + }, + { + "cvssv2": 3.5, + "description": "cause DoS via large value in certain length field (memory consumption)", + "name": "CVE-2011-5000" + }, + { + "cvssv2": 5.0, + "description": "cause DoS via large number of connections (slot exhaustion)", + "name": "CVE-2010-5107" + }, + { + "cvssv2": 4.0, + "description": "cause DoS via crafted glob expression (CPU and memory consumption)", + "name": "CVE-2010-4755" + }, + { + "cvssv2": 7.5, + "description": "bypass authentication check via crafted values", + "name": "CVE-2010-4478" + } + ], + "enc": [ + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes192-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "arcfour256", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "arcfour128", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 4.2" + ] + } + }, + { + "algorithm": "aes128-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "3des-cbc", + "notes": { + "fail": [ + "using broken & deprecated 3DES cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "blowfish-cbc", + "notes": { + "fail": [ + "using weak & deprecated Blowfish cipher" + ], + "info": [ + "available since OpenSSH 1.2.2, Dropbear SSH 0.28" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "cast128-cbc", + "notes": { + "fail": [ + "using weak & deprecated CAST cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using weak cipher mode", + "using small 64-bit block size" + ] + } + }, + { + "algorithm": "aes192-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "aes256-cbc", + "notes": { + "info": [ + "available since OpenSSH 2.3.0, Dropbear SSH 0.47" + ], + "warn": [ + "using weak cipher mode" + ] + } + }, + { + "algorithm": "arcfour", + "notes": { + "fail": [ + "using broken RC4 cipher" + ], + "info": [ + "available since OpenSSH 2.1.0" + ] + } + }, + { + "algorithm": "rijndael-cbc@lysator.liu.se", + "notes": { + "fail": [ + "using deprecated & non-standardized Rijndael cipher" + ], + "info": [ + "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0", + "available since OpenSSH 2.3.0" + ], + "warn": [ + "using weak cipher mode" + ] + } + } + ], + "fingerprints": [ + { + "hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 4.4" + ] + } + }, + { + "algorithm": "diffie-hellman-group-exchange-sha1", + "keysize": 1024, + "notes": { + "fail": [ + "using small 1024-bit modulus" + ], + "info": [ + "available since OpenSSH 2.3.0" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 3.9, Dropbear SSH 0.53" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "diffie-hellman-group1-sha1", + "notes": { + "fail": [ + "using small 1024-bit modulus", + "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)", + "using broken SHA-1 hash algorithm" + ], + "info": [ + "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9", + "available since OpenSSH 2.3.0, Dropbear SSH 0.28" + ] + } + } + ], + "key": [ + { + "algorithm": "ssh-rsa", + "keysize": 3072, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 2.5.0, Dropbear SSH 0.28" + ] + } + }, + { + "algorithm": "ssh-rsa-cert-v01@openssh.com", + "ca_algorithm": "ssh-rsa", + "casize": 3072, + "keysize": 3072, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 5.6" + ] + } + } + ], + "mac": [ + { + "algorithm": "hmac-md5", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "umac-64@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 4.7" + ], + "warn": [ + "using encrypt-and-MAC mode", + "using small 64-bit tag size" + ] + } + }, + { + "algorithm": "hmac-ripemd160", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-ripemd160@openssh.com", + "notes": { + "fail": [ + "using deprecated RIPEMD hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1-96", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0, Dropbear SSH 0.47" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-md5-96", + "notes": { + "fail": [ + "using broken MD5 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.5.0" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": { + "critical": { + "chg": { + "kex": [ + { + "name": "diffie-hellman-group-exchange-sha256", + "notes": "increase modulus size to 3072 bits or larger" + } + ] + }, + "del": { + "enc": [ + { + "name": "3des-cbc", + "notes": "" + }, + { + "name": "arcfour128", + "notes": "" + }, + { + "name": "arcfour", + "notes": "" + }, + { + "name": "arcfour256", + "notes": "" + }, + { + "name": "blowfish-cbc", + "notes": "" + }, + { + "name": "cast128-cbc", + "notes": "" + }, + { + "name": "rijndael-cbc@lysator.liu.se", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group1-sha1", + "notes": "" + }, + { + "name": "diffie-hellman-group-exchange-sha1", + "notes": "" + } + ], + "key": [ + { + "name": "ssh-rsa", + "notes": "" + }, + { + "name": "ssh-rsa-cert-v01@openssh.com", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-md5", + "notes": "" + }, + { + "name": "hmac-md5-96", + "notes": "" + }, + { + "name": "hmac-ripemd160", + "notes": "" + }, + { + "name": "hmac-ripemd160@openssh.com", + "notes": "" + }, + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-96", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "aes128-cbc", + "notes": "" + }, + { + "name": "aes192-cbc", + "notes": "" + }, + { + "name": "aes256-cbc", + "notes": "" + } + ], + "mac": [ + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_5.6p1_test5.txt b/test/docker/expected_results/openssh_5.6p1_test5.txt new file mode 100644 index 0000000..b9e7cd7 --- /dev/null +++ b/test/docker/expected_results/openssh_5.6p1_test5.txt @@ -0,0 +1,132 @@ +[0;36m# general[0m +[0;32m(gen) banner: SSH-2.0-OpenSSH_5.6[0m +[0;32m(gen) software: OpenSSH 5.6[0m +[0;32m(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)[0m +[0;32m(gen) compression: enabled (zlib@openssh.com)[0m + +[0;36m# security[0m +[0;33m(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers[0m +[0;33m(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies[0m +[0;33m(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp[0m +[0;33m(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response[0m +[0;33m(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data[0m +[0;33m(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)[0m +[0;33m(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid[0m +[0;33m(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack[0m +[0;33m(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard[0m +[0;33m(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)[0m +[0;33m(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages[0m +[0;33m(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)[0m +[0;33m(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)[0m +[0;33m(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)[0m +[0;33m(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values[0m + +[0;36m# key exchange algorithms[0m +[0;31m(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus[0m + `- [info] available since OpenSSH 4.4 +[0;31m(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus[0m + `- [info] available since OpenSSH 2.3.0 +[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 +[0;31m(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus[0m +[0;31m `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)[0m +[0;31m `- [fail] using broken SHA-1 hash algorithm[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 + `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9 + +[0;36m# host-key algorithms[0m +[0;31m(key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm[0m + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 +[0;31m(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/3072-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm[0m + `- [info] available since OpenSSH 5.6 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 + +[0;36m# encryption algorithms (ciphers)[0m +[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m +[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m +[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m +[0;31m(enc) arcfour256 -- [fail] using broken RC4 cipher[0m + `- [info] available since OpenSSH 4.2 +[0;31m(enc) arcfour128 -- [fail] using broken RC4 cipher[0m + `- [info] available since OpenSSH 4.2 +[0;33m(enc) aes128-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 +[0;31m(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +[0;31m(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28 +[0;31m(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher[0m +[0;33m `- [warn] using weak cipher mode[0m +[0;33m `- [warn] using small 64-bit block size[0m + `- [info] available since OpenSSH 2.1.0 +[0;33m(enc) aes192-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0 +[0;33m(enc) aes256-cbc -- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47 +[0;31m(enc) arcfour -- [fail] using broken RC4 cipher[0m + `- [info] available since OpenSSH 2.1.0 +[0;31m(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher[0m +[0;33m `- [warn] using weak cipher mode[0m + `- [info] available since OpenSSH 2.3.0 + `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0 + +[0;36m# message authentication code algorithms[0m +[0;31m(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +[0;31m(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 +[0;33m(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode[0m +[0;33m `- [warn] using small 64-bit tag size[0m + `- [info] available since OpenSSH 4.7 +[0;31m(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0 +[0;31m(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0 +[0;31m(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47 +[0;31m(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.5.0 + +[0;36m# fingerprints[0m +[0;32m(fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244[0m + +[0;36m# algorithm recommendations (for OpenSSH 5.6)[0m +[0;31m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) [0m +[0;31m(rec) -3des-cbc -- enc algorithm to remove [0m +[0;31m(rec) -arcfour -- enc algorithm to remove [0m +[0;31m(rec) -arcfour128 -- enc algorithm to remove [0m +[0;31m(rec) -arcfour256 -- enc algorithm to remove [0m +[0;31m(rec) -blowfish-cbc -- enc algorithm to remove [0m +[0;31m(rec) -cast128-cbc -- enc algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -hmac-md5 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-md5-96 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-ripemd160 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove [0m +[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-sha1-96 -- mac algorithm to remove [0m +[0;31m(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove [0m +[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m +[0;31m(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove [0m +[0;33m(rec) -aes128-cbc -- enc algorithm to remove [0m +[0;33m(rec) -aes192-cbc -- enc algorithm to remove [0m +[0;33m(rec) -aes256-cbc -- enc algorithm to remove [0m +[0;33m(rec) -umac-64@openssh.com -- mac algorithm to remove [0m + +[0;36m# additional info[0m +[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m + diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json new file mode 100644 index 0000000..3dfe59c --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json @@ -0,0 +1,43 @@ +{ + "errors": [ + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Host key (rsa-sha2-256) sizes" + }, + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Host key (rsa-sha2-512) sizes" + }, + { + "actual": [ + "4096" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "3072" + ], + "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes" + } + ], + "host": "localhost", + "passed": false, + "policy": "Hardened OpenSSH Server v8.0 (version 4)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.txt b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.txt new file mode 100644 index 0000000..f1f617e --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.txt @@ -0,0 +1,17 @@ +Host: localhost:2222 +Policy: Hardened OpenSSH Server v8.0 (version 4) +Result: [0;31m❌ Failed![0m +[0;33m +Errors: + * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match. + - Expected: 3072 + - Actual: 4096 + + * Host key (rsa-sha2-256) sizes did not match. + - Expected: 4096 + - Actual: 3072 + + * Host key (rsa-sha2-512) sizes did not match. + - Expected: 4096 + - Actual: 3072 +[0m diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json new file mode 100644 index 0000000..0c54345 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json @@ -0,0 +1,66 @@ +{ + "errors": [ + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Host key (rsa-sha2-256) sizes" + }, + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Host key (rsa-sha2-512) sizes" + }, + { + "actual": [ + "umac-64-etm@openssh.com", + "umac-128-etm@openssh.com", + "hmac-sha2-256-etm@openssh.com", + "hmac-sha2-512-etm@openssh.com", + "hmac-sha1-etm@openssh.com", + "umac-64@openssh.com", + "umac-128@openssh.com", + "hmac-sha2-256", + "hmac-sha2-512", + "hmac-sha1" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "hmac-sha2-256-etm@openssh.com", + "hmac-sha2-512-etm@openssh.com", + "umac-128-etm@openssh.com" + ], + "mismatched_field": "MACs" + }, + { + "actual": [ + "4096" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "3072" + ], + "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes" + } + ], + "host": "localhost", + "passed": false, + "policy": "Hardened OpenSSH Server v8.0 (version 4)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt new file mode 100644 index 0000000..8f1d9dc --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt @@ -0,0 +1,21 @@ +Host: localhost:2222 +Policy: Hardened OpenSSH Server v8.0 (version 4) +Result: [0;31m❌ Failed![0m +[0;33m +Errors: + * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match. + - Expected: 3072 + - Actual: 4096 + + * Host key (rsa-sha2-256) sizes did not match. + - Expected: 4096 + - Actual: 3072 + + * Host key (rsa-sha2-512) sizes did not match. + - Expected: 4096 + - Actual: 3072 + + * MACs did not match. + - Expected: hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com + - Actual: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1 +[0m diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json new file mode 100644 index 0000000..b6a8308 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json @@ -0,0 +1,6 @@ +{ + "errors": [], + "host": "localhost", + "passed": true, + "policy": "Docker policy: test11 (version 1)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.txt new file mode 100644 index 0000000..0ac0671 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.txt @@ -0,0 +1,12 @@ + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + +Host: localhost:2222 +Policy: Docker policy: test11 (version 1) +Result: [0;32m✔ Passed[0m diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json new file mode 100644 index 0000000..8ddcf39 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json @@ -0,0 +1,43 @@ +{ + "errors": [ + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Host key (rsa-sha2-256) sizes" + }, + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Host key (rsa-sha2-512) sizes" + }, + { + "actual": [ + "3072" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "4096" + ], + "mismatched_field": "Host key (ssh-rsa) sizes" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker policy: test12 (version 1)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt new file mode 100644 index 0000000..de615e0 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt @@ -0,0 +1,26 @@ + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + +Host: localhost:2222 +Policy: Docker policy: test12 (version 1) +Result: [0;31m❌ Failed![0m +[0;33m +Errors: + * Host key (rsa-sha2-256) sizes did not match. + - Expected: 4096 + - Actual: 3072 + + * Host key (rsa-sha2-512) sizes did not match. + - Expected: 4096 + - Actual: 3072 + + * Host key (ssh-rsa) sizes did not match. + - Expected: 4096 + - Actual: 3072 +[0m diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json new file mode 100644 index 0000000..4f942bd --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json @@ -0,0 +1,6 @@ +{ + "errors": [], + "host": "localhost", + "passed": true, + "policy": "Docker policy: test13 (version 1)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.txt new file mode 100644 index 0000000..7734d88 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.txt @@ -0,0 +1,15 @@ + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + +Host: localhost:2222 +Policy: Docker policy: test13 (version 1) +Result: [0;32m✔ Passed[0m diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json new file mode 100644 index 0000000..fc8eb61 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json @@ -0,0 +1,19 @@ +{ + "errors": [ + { + "actual": [ + "4096" + ], + "expected_optional": [ + "" + ], + "expected_required": [ + "8192" + ], + "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes" + } + ], + "host": "localhost", + "passed": false, + "policy": "Docker policy: test14 (version 1)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt new file mode 100644 index 0000000..17987a5 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt @@ -0,0 +1,21 @@ + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + + +WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option. + +Host: localhost:2222 +Policy: Docker policy: test14 (version 1) +Result: [0;31m❌ Failed![0m +[0;33m +Errors: + * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match. + - Expected: 8192 + - Actual: 4096 +[0m diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json new file mode 100644 index 0000000..8804aae --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json @@ -0,0 +1,6 @@ +{ + "errors": [], + "host": "localhost", + "passed": true, + "policy": "Docker policy: test6 (version 1)" +} diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.txt new file mode 100644 index 0000000..b0e9441 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.txt @@ -0,0 +1,3 @@ +Host: localhost:2222 +Policy: Docker policy: test6 (version 1) +Result: [0;32m✔ Passed[0m diff --git a/test/docker/expected_results/openssh_8.0p1_test1.json b/test/docker/expected_results/openssh_8.0p1_test1.json new file mode 100644 index 0000000..350af5e --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_test1.json @@ -0,0 +1,462 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "2.0", + "raw": "SSH-2.0-OpenSSH_8.0", + "software": "OpenSSH_8.0" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.0, + "description": "privilege escalation via supplemental groups", + "name": "CVE-2021-41617" + }, + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 7.8, + "description": "memory corruption and local code execution via pre-authentication integer overflow", + "name": "CVE-2019-16905" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + } + ], + "enc": [ + { + "algorithm": "chacha20-poly1305@openssh.com", + "notes": { + "info": [ + "default cipher since OpenSSH 6.9", + "available since OpenSSH 6.5" + ], + "warn": [ + "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation" + ] + } + }, + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes192-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes128-gcm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "aes256-gcm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + } + ], + "fingerprints": [ + { + "hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", + "hash_alg": "SHA256", + "hostkey": "ssh-ed25519" + }, + { + "hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9", + "hash_alg": "MD5", + "hostkey": "ssh-ed25519" + }, + { + "hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244", + "hash_alg": "SHA256", + "hostkey": "ssh-rsa" + }, + { + "hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1", + "hash_alg": "MD5", + "hostkey": "ssh-rsa" + } + ], + "kex": [ + { + "algorithm": "curve25519-sha256", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 7.4, Dropbear SSH 2018.76" + ] + } + }, + { + "algorithm": "curve25519-sha256@libssh.org", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 6.4, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "ecdh-sha2-nistp256", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "ecdh-sha2-nistp384", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "ecdh-sha2-nistp521", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 4096, + "notes": { + "info": [ + "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).", + "available since OpenSSH 4.4" + ] + } + }, + { + "algorithm": "diffie-hellman-group16-sha512", + "notes": { + "info": [ + "available since OpenSSH 7.3, Dropbear SSH 2016.73" + ] + } + }, + { + "algorithm": "diffie-hellman-group18-sha512", + "notes": { + "info": [ + "available since OpenSSH 7.3" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha256", + "notes": { + "info": [ + "available since OpenSSH 7.3, Dropbear SSH 2016.73" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 3.9, Dropbear SSH 0.53" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + } + ], + "key": [ + { + "algorithm": "rsa-sha2-512", + "keysize": 3072, + "notes": { + "info": [ + "available since OpenSSH 7.2" + ] + } + }, + { + "algorithm": "rsa-sha2-256", + "keysize": 3072, + "notes": { + "info": [ + "available since OpenSSH 7.2" + ] + } + }, + { + "algorithm": "ssh-rsa", + "keysize": 3072, + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8", + "available since OpenSSH 2.5.0, Dropbear SSH 0.28" + ] + } + }, + { + "algorithm": "ecdsa-sha2-nistp256", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ], + "warn": [ + "using weak random number generator could reveal the key" + ] + } + }, + { + "algorithm": "ssh-ed25519", + "notes": { + "info": [ + "available since OpenSSH 6.5" + ] + } + } + ], + "mac": [ + { + "algorithm": "umac-64-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ], + "warn": [ + "using small 64-bit tag size" + ] + } + }, + { + "algorithm": "umac-128-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "hmac-sha2-256-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "hmac-sha2-512-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "hmac-sha1-etm@openssh.com", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "umac-64@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 4.7" + ], + "warn": [ + "using encrypt-and-MAC mode", + "using small 64-bit tag size" + ] + } + }, + { + "algorithm": "umac-128@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha2-256", + "notes": { + "info": [ + "available since OpenSSH 5.9, Dropbear SSH 2013.56" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha2-512", + "notes": { + "info": [ + "available since OpenSSH 5.9, Dropbear SSH 2013.56" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": { + "critical": { + "del": { + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp256", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp384", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp521", + "notes": "" + } + ], + "key": [ + { + "name": "ecdsa-sha2-nistp256", + "notes": "" + }, + { + "name": "ssh-rsa", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-etm@openssh.com", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "chacha20-poly1305@openssh.com", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha256", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha2-256", + "notes": "" + }, + { + "name": "hmac-sha2-512", + "notes": "" + }, + { + "name": "umac-128@openssh.com", + "notes": "" + }, + { + "name": "umac-64-etm@openssh.com", + "notes": "" + }, + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_8.0p1_test1.txt b/test/docker/expected_results/openssh_8.0p1_test1.txt new file mode 100644 index 0000000..cde69a5 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_test1.txt @@ -0,0 +1,99 @@ +[0;36m# general[0m +[0;32m(gen) banner: SSH-2.0-OpenSSH_8.0[0m +[0;32m(gen) software: OpenSSH 8.0[0m +[0;32m(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+[0m +[0;32m(gen) compression: enabled (zlib@openssh.com)[0m + +[0;36m# security[0m +[0;33m(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups[0m +[0;33m(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers[0m +[0;33m(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow[0m +[0;33m(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response[0m + +[0;36m# key exchange algorithms[0m +[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m +[0;32m `- [info] default key exchange since OpenSSH 6.4[0m +[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m +[0;32m `- [info] default key exchange since OpenSSH 6.4[0m +[0;31m(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +[0;31m(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +[0;32m(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4[0m +[0;32m `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).[0m +[0;32m(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73[0m +[0;32m(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3[0m +[0;33m(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m + `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 +[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 + +[0;36m# host-key algorithms[0m +[0;32m(key) rsa-sha2-512 (3072-bit) -- [info] available since OpenSSH 7.2[0m +[0;32m(key) rsa-sha2-256 (3072-bit) -- [info] available since OpenSSH 7.2[0m +[0;31m(key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm[0m + `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 + `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8 +[0;31m(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m +[0;33m `- [warn] using weak random number generator could reveal the key[0m + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +[0;32m(key) ssh-ed25519 -- [info] available since OpenSSH 6.5[0m + +[0;36m# encryption algorithms (ciphers)[0m +[0;33m(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation[0m + `- [info] available since OpenSSH 6.5 + `- [info] default cipher since OpenSSH 6.9 +[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m +[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m +[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m +[0;32m(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2[0m +[0;32m(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2[0m + +[0;36m# message authentication code algorithms[0m +[0;33m(mac) umac-64-etm@openssh.com -- [warn] using small 64-bit tag size[0m + `- [info] available since OpenSSH 6.2 +[0;32m(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2[0m +[0;32m(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2[0m +[0;32m(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2[0m +[0;31m(mac) hmac-sha1-etm@openssh.com -- [fail] using broken SHA-1 hash algorithm[0m + `- [info] available since OpenSSH 6.2 +[0;33m(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode[0m +[0;33m `- [warn] using small 64-bit tag size[0m + `- [info] available since OpenSSH 4.7 +[0;33m(mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 6.2 +[0;33m(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 +[0;33m(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 +[0;31m(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 + +[0;36m# fingerprints[0m +[0;32m(fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU[0m +[0;32m(fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244[0m + +[0;36m# algorithm recommendations (for OpenSSH 8.0)[0m +[0;31m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove [0m +[0;31m(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove [0m +[0;31m(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove [0m +[0;31m(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove [0m +[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove [0m +[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m +[0;33m(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove [0m +[0;33m(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove [0m +[0;33m(rec) -hmac-sha2-256 -- mac algorithm to remove [0m +[0;33m(rec) -hmac-sha2-512 -- mac algorithm to remove [0m +[0;33m(rec) -umac-128@openssh.com -- mac algorithm to remove [0m +[0;33m(rec) -umac-64-etm@openssh.com -- mac algorithm to remove [0m +[0;33m(rec) -umac-64@openssh.com -- mac algorithm to remove [0m + +[0;36m# additional info[0m +[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m + diff --git a/test/docker/expected_results/openssh_8.0p1_test2.json b/test/docker/expected_results/openssh_8.0p1_test2.json new file mode 100644 index 0000000..a05ae96 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_test2.json @@ -0,0 +1,421 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "2.0", + "raw": "SSH-2.0-OpenSSH_8.0", + "software": "OpenSSH_8.0" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.0, + "description": "privilege escalation via supplemental groups", + "name": "CVE-2021-41617" + }, + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 7.8, + "description": "memory corruption and local code execution via pre-authentication integer overflow", + "name": "CVE-2019-16905" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + } + ], + "enc": [ + { + "algorithm": "chacha20-poly1305@openssh.com", + "notes": { + "info": [ + "default cipher since OpenSSH 6.9", + "available since OpenSSH 6.5" + ], + "warn": [ + "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation" + ] + } + }, + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes192-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes128-gcm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "aes256-gcm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + } + ], + "fingerprints": [ + { + "hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", + "hash_alg": "SHA256", + "hostkey": "ssh-ed25519" + }, + { + "hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9", + "hash_alg": "MD5", + "hostkey": "ssh-ed25519" + } + ], + "kex": [ + { + "algorithm": "curve25519-sha256", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 7.4, Dropbear SSH 2018.76" + ] + } + }, + { + "algorithm": "curve25519-sha256@libssh.org", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 6.4, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "ecdh-sha2-nistp256", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "ecdh-sha2-nistp384", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "ecdh-sha2-nistp521", + "notes": { + "fail": [ + "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" + ], + "info": [ + "available since OpenSSH 5.7, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 4096, + "notes": { + "info": [ + "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).", + "available since OpenSSH 4.4" + ] + } + }, + { + "algorithm": "diffie-hellman-group16-sha512", + "notes": { + "info": [ + "available since OpenSSH 7.3, Dropbear SSH 2016.73" + ] + } + }, + { + "algorithm": "diffie-hellman-group18-sha512", + "notes": { + "info": [ + "available since OpenSSH 7.3" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha256", + "notes": { + "info": [ + "available since OpenSSH 7.3, Dropbear SSH 2016.73" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + }, + { + "algorithm": "diffie-hellman-group14-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 3.9, Dropbear SSH 0.53" + ], + "warn": [ + "2048-bit modulus only provides 112-bits of symmetric strength" + ] + } + } + ], + "key": [ + { + "algorithm": "ssh-ed25519", + "notes": { + "info": [ + "available since OpenSSH 6.5" + ] + } + }, + { + "algorithm": "ssh-ed25519-cert-v01@openssh.com", + "ca_algorithm": "ssh-ed25519", + "casize": 256, + "notes": { + "info": [ + "available since OpenSSH 6.5" + ] + } + } + ], + "mac": [ + { + "algorithm": "umac-64-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ], + "warn": [ + "using small 64-bit tag size" + ] + } + }, + { + "algorithm": "umac-128-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "hmac-sha2-256-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "hmac-sha2-512-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "hmac-sha1-etm@openssh.com", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "umac-64@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 4.7" + ], + "warn": [ + "using encrypt-and-MAC mode", + "using small 64-bit tag size" + ] + } + }, + { + "algorithm": "umac-128@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha2-256", + "notes": { + "info": [ + "available since OpenSSH 5.9, Dropbear SSH 2013.56" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha2-512", + "notes": { + "info": [ + "available since OpenSSH 5.9, Dropbear SSH 2013.56" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + }, + { + "algorithm": "hmac-sha1", + "notes": { + "fail": [ + "using broken SHA-1 hash algorithm" + ], + "info": [ + "available since OpenSSH 2.1.0, Dropbear SSH 0.28" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": { + "critical": { + "del": { + "kex": [ + { + "name": "diffie-hellman-group14-sha1", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp256", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp384", + "notes": "" + }, + { + "name": "ecdh-sha2-nistp521", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha1", + "notes": "" + }, + { + "name": "hmac-sha1-etm@openssh.com", + "notes": "" + } + ] + } + }, + "informational": { + "add": { + "key": [ + { + "name": "rsa-sha2-256", + "notes": "" + }, + { + "name": "rsa-sha2-512", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "chacha20-poly1305@openssh.com", + "notes": "" + } + ], + "kex": [ + { + "name": "diffie-hellman-group14-sha256", + "notes": "" + } + ], + "mac": [ + { + "name": "hmac-sha2-256", + "notes": "" + }, + { + "name": "hmac-sha2-512", + "notes": "" + }, + { + "name": "umac-128@openssh.com", + "notes": "" + }, + { + "name": "umac-64-etm@openssh.com", + "notes": "" + }, + { + "name": "umac-64@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_8.0p1_test2.txt b/test/docker/expected_results/openssh_8.0p1_test2.txt new file mode 100644 index 0000000..8cbb69a --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_test2.txt @@ -0,0 +1,91 @@ +[0;36m# general[0m +[0;32m(gen) banner: SSH-2.0-OpenSSH_8.0[0m +[0;32m(gen) software: OpenSSH 8.0[0m +[0;32m(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+[0m +[0;32m(gen) compression: enabled (zlib@openssh.com)[0m + +[0;36m# security[0m +[0;33m(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups[0m +[0;33m(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers[0m +[0;33m(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow[0m +[0;33m(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response[0m + +[0;36m# key exchange algorithms[0m +[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m +[0;32m `- [info] default key exchange since OpenSSH 6.4[0m +[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m +[0;32m `- [info] default key exchange since OpenSSH 6.4[0m +[0;31m(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +[0;31m(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m + `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 +[0;32m(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4[0m +[0;32m `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).[0m +[0;32m(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73[0m +[0;32m(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3[0m +[0;33m(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m + `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 +[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m + `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 + +[0;36m# host-key algorithms[0m +[0;32m(key) ssh-ed25519 -- [info] available since OpenSSH 6.5[0m +[0;32m(key) ssh-ed25519-cert-v01@openssh.com (256-bit cert/256-bit ssh-ed25519 CA) -- [info] available since OpenSSH 6.5[0m + +[0;36m# encryption algorithms (ciphers)[0m +[0;33m(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation[0m + `- [info] available since OpenSSH 6.5 + `- [info] default cipher since OpenSSH 6.9 +[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m +[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m +[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m +[0;32m(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2[0m +[0;32m(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2[0m + +[0;36m# message authentication code algorithms[0m +[0;33m(mac) umac-64-etm@openssh.com -- [warn] using small 64-bit tag size[0m + `- [info] available since OpenSSH 6.2 +[0;32m(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2[0m +[0;32m(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2[0m +[0;32m(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2[0m +[0;31m(mac) hmac-sha1-etm@openssh.com -- [fail] using broken SHA-1 hash algorithm[0m + `- [info] available since OpenSSH 6.2 +[0;33m(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode[0m +[0;33m `- [warn] using small 64-bit tag size[0m + `- [info] available since OpenSSH 4.7 +[0;33m(mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 6.2 +[0;33m(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 +[0;33m(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 +[0;31m(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm[0m +[0;33m `- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 + +[0;36m# fingerprints[0m +[0;32m(fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU[0m + +[0;36m# algorithm recommendations (for OpenSSH 8.0)[0m +[0;31m(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove [0m +[0;31m(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove [0m +[0;31m(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove [0m +[0;31m(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove [0m +[0;31m(rec) -hmac-sha1 -- mac algorithm to remove [0m +[0;31m(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove [0m +[0;32m(rec) +rsa-sha2-256 -- key algorithm to append [0m +[0;32m(rec) +rsa-sha2-512 -- key algorithm to append [0m +[0;33m(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove [0m +[0;33m(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove [0m +[0;33m(rec) -hmac-sha2-256 -- mac algorithm to remove [0m +[0;33m(rec) -hmac-sha2-512 -- mac algorithm to remove [0m +[0;33m(rec) -umac-128@openssh.com -- mac algorithm to remove [0m +[0;33m(rec) -umac-64-etm@openssh.com -- mac algorithm to remove [0m +[0;33m(rec) -umac-64@openssh.com -- mac algorithm to remove [0m + +[0;36m# additional info[0m +[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m + diff --git a/test/docker/expected_results/openssh_8.0p1_test3.json b/test/docker/expected_results/openssh_8.0p1_test3.json new file mode 100644 index 0000000..13a8130 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_test3.json @@ -0,0 +1,206 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": null, + "protocol": "2.0", + "raw": "SSH-2.0-OpenSSH_8.0", + "software": "OpenSSH_8.0" + }, + "compression": [ + "none", + "zlib@openssh.com" + ], + "cves": [ + { + "cvssv2": 7.0, + "description": "privilege escalation via supplemental groups", + "name": "CVE-2021-41617" + }, + { + "cvssv2": 7.8, + "description": "command injection via anomalous argument transfers", + "name": "CVE-2020-15778" + }, + { + "cvssv2": 7.8, + "description": "memory corruption and local code execution via pre-authentication integer overflow", + "name": "CVE-2019-16905" + }, + { + "cvssv2": 5.3, + "description": "enumerate usernames via challenge response", + "name": "CVE-2016-20012" + } + ], + "enc": [ + { + "algorithm": "chacha20-poly1305@openssh.com", + "notes": { + "info": [ + "default cipher since OpenSSH 6.9", + "available since OpenSSH 6.5" + ], + "warn": [ + "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation" + ] + } + }, + { + "algorithm": "aes256-gcm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "aes128-gcm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "aes256-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + }, + { + "algorithm": "aes192-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7" + ] + } + }, + { + "algorithm": "aes128-ctr", + "notes": { + "info": [ + "available since OpenSSH 3.7, Dropbear SSH 0.52" + ] + } + } + ], + "fingerprints": [ + { + "hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", + "hash_alg": "SHA256", + "hostkey": "ssh-ed25519" + }, + { + "hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9", + "hash_alg": "MD5", + "hostkey": "ssh-ed25519" + } + ], + "kex": [ + { + "algorithm": "curve25519-sha256", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 7.4, Dropbear SSH 2018.76" + ] + } + }, + { + "algorithm": "curve25519-sha256@libssh.org", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 6.4, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "diffie-hellman-group-exchange-sha256", + "keysize": 4096, + "notes": { + "info": [ + "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).", + "available since OpenSSH 4.4" + ] + } + } + ], + "key": [ + { + "algorithm": "ssh-ed25519", + "notes": { + "info": [ + "available since OpenSSH 6.5" + ] + } + } + ], + "mac": [ + { + "algorithm": "hmac-sha2-256-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "hmac-sha2-512-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + }, + { + "algorithm": "umac-128-etm@openssh.com", + "notes": { + "info": [ + "available since OpenSSH 6.2" + ] + } + } + ], + "recommendations": { + "informational": { + "add": { + "kex": [ + { + "name": "diffie-hellman-group16-sha512", + "notes": "" + }, + { + "name": "diffie-hellman-group18-sha512", + "notes": "" + } + ], + "key": [ + { + "name": "rsa-sha2-256", + "notes": "" + }, + { + "name": "rsa-sha2-512", + "notes": "" + } + ] + } + }, + "warning": { + "del": { + "enc": [ + { + "name": "chacha20-poly1305@openssh.com", + "notes": "" + } + ] + } + } + }, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/openssh_8.0p1_test3.txt b/test/docker/expected_results/openssh_8.0p1_test3.txt new file mode 100644 index 0000000..27154b8 --- /dev/null +++ b/test/docker/expected_results/openssh_8.0p1_test3.txt @@ -0,0 +1,51 @@ +[0;36m# general[0m +[0;32m(gen) banner: SSH-2.0-OpenSSH_8.0[0m +[0;32m(gen) software: OpenSSH 8.0[0m +[0;32m(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+[0m +[0;32m(gen) compression: enabled (zlib@openssh.com)[0m + +[0;36m# security[0m +[0;33m(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups[0m +[0;33m(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers[0m +[0;33m(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow[0m +[0;33m(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response[0m + +[0;36m# key exchange algorithms[0m +[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m +[0;32m `- [info] default key exchange since OpenSSH 6.4[0m +[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m +[0;32m `- [info] default key exchange since OpenSSH 6.4[0m +[0;32m(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4[0m +[0;32m `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).[0m + +[0;36m# host-key algorithms[0m +[0;32m(key) ssh-ed25519 -- [info] available since OpenSSH 6.5[0m + +[0;36m# encryption algorithms (ciphers)[0m +[0;33m(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation[0m + `- [info] available since OpenSSH 6.5 + `- [info] default cipher since OpenSSH 6.9 +[0;32m(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2[0m +[0;32m(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2[0m +[0;32m(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m +[0;32m(enc) aes192-ctr -- [info] available since OpenSSH 3.7[0m +[0;32m(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52[0m + +[0;36m# message authentication code algorithms[0m +[0;32m(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2[0m +[0;32m(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2[0m +[0;32m(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2[0m + +[0;36m# fingerprints[0m +[0;32m(fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU[0m + +[0;36m# algorithm recommendations (for OpenSSH 8.0)[0m +[0;32m(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append [0m +[0;32m(rec) +diffie-hellman-group18-sha512 -- kex algorithm to append [0m +[0;32m(rec) +rsa-sha2-256 -- key algorithm to append [0m +[0;32m(rec) +rsa-sha2-512 -- key algorithm to append [0m +[0;33m(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove [0m + +[0;36m# additional info[0m +[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m + diff --git a/test/docker/expected_results/tinyssh_20190101_test1.json b/test/docker/expected_results/tinyssh_20190101_test1.json new file mode 100644 index 0000000..7cc7629 --- /dev/null +++ b/test/docker/expected_results/tinyssh_20190101_test1.json @@ -0,0 +1,98 @@ +{ + "additional_notes": [ + "" + ], + "banner": { + "comments": "", + "protocol": "2.0", + "raw": "", + "software": "tinyssh_noversion" + }, + "compression": [ + "none" + ], + "cves": [], + "enc": [ + { + "algorithm": "chacha20-poly1305@openssh.com", + "notes": { + "info": [ + "default cipher since OpenSSH 6.9", + "available since OpenSSH 6.5" + ], + "warn": [ + "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation" + ] + } + } + ], + "fingerprints": [ + { + "hash": "89ocln1x7KNqnMgWffGoYtD70ksJ4FrH7BMJHa7SrwU", + "hash_alg": "SHA256", + "hostkey": "ssh-ed25519" + }, + { + "hash": "dd:9c:6d:f9:b0:8c:af:fa:c2:65:81:5d:5d:56:f8:21", + "hash_alg": "MD5", + "hostkey": "ssh-ed25519" + } + ], + "kex": [ + { + "algorithm": "curve25519-sha256", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 7.4, Dropbear SSH 2018.76" + ] + } + }, + { + "algorithm": "curve25519-sha256@libssh.org", + "notes": { + "info": [ + "default key exchange since OpenSSH 6.4", + "available since OpenSSH 6.4, Dropbear SSH 2013.62" + ] + } + }, + { + "algorithm": "sntrup4591761x25519-sha512@tinyssh.org", + "notes": { + "info": [ + "the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security", + "available since OpenSSH 8.0" + ], + "warn": [ + "using experimental algorithm" + ] + } + } + ], + "key": [ + { + "algorithm": "ssh-ed25519", + "notes": { + "info": [ + "available since OpenSSH 6.5" + ] + } + } + ], + "mac": [ + { + "algorithm": "hmac-sha2-256", + "notes": { + "info": [ + "available since OpenSSH 5.9, Dropbear SSH 2013.56" + ], + "warn": [ + "using encrypt-and-MAC mode" + ] + } + } + ], + "recommendations": {}, + "target": "localhost:2222" +} diff --git a/test/docker/expected_results/tinyssh_20190101_test1.txt b/test/docker/expected_results/tinyssh_20190101_test1.txt new file mode 100644 index 0000000..7307169 --- /dev/null +++ b/test/docker/expected_results/tinyssh_20190101_test1.txt @@ -0,0 +1,29 @@ +[0;36m# general[0m +[0;32m(gen) software: TinySSH noversion[0m +[0;32m(gen) compatibility: OpenSSH 8.0-8.4, Dropbear SSH 2018.76+[0m +[0;32m(gen) compression: disabled[0m + +[0;36m# key exchange algorithms[0m +[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m +[0;32m `- [info] default key exchange since OpenSSH 6.4[0m +[0;32m(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m +[0;32m `- [info] default key exchange since OpenSSH 6.4[0m +[0;33m(kex) sntrup4591761x25519-sha512@tinyssh.org -- [warn] using experimental algorithm[0m + `- [info] available since OpenSSH 8.0 + `- [info] the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security + +[0;36m# host-key algorithms[0m +[0;32m(key) ssh-ed25519 -- [info] available since OpenSSH 6.5[0m + +[0;36m# encryption algorithms (ciphers)[0m +[0;33m(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation[0m + `- [info] available since OpenSSH 6.5 + `- [info] default cipher since OpenSSH 6.9 + +[0;36m# message authentication code algorithms[0m +[0;33m(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode[0m + `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 + +[0;36m# fingerprints[0m +[0;32m(fin) ssh-ed25519: SHA256:89ocln1x7KNqnMgWffGoYtD70ksJ4FrH7BMJHa7SrwU[0m + diff --git a/test/docker/host_ca_ed25519 b/test/docker/host_ca_ed25519 new file mode 100644 index 0000000..7b8c41b --- /dev/null +++ b/test/docker/host_ca_ed25519 @@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACAbM9Wp3ZPcC8Ifhu6GjNDJaoMg7KxO0el2+r9J35TltQAAAKAa0zr8GtM6 +/AAAAAtzc2gtZWQyNTUxOQAAACAbM9Wp3ZPcC8Ifhu6GjNDJaoMg7KxO0el2+r9J35TltQ +AAAEC/j/BpfmgaZqNMTkJXO4cKZBr31N5z33IRFjh5m6IDDhsz1andk9wLwh+G7oaM0Mlq +gyDsrE7R6Xb6v0nflOW1AAAAHWpkb2dAbG9jYWxob3N0LndvbmRlcmxhbmQubG9s +-----END OPENSSH PRIVATE KEY----- diff --git a/test/docker/host_ca_ed25519.pub b/test/docker/host_ca_ed25519.pub new file mode 100644 index 0000000..01e745f --- /dev/null +++ b/test/docker/host_ca_ed25519.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsz1andk9wLwh+G7oaM0MlqgyDsrE7R6Xb6v0nflOW1 jdog@localhost.wonderland.lol diff --git a/test/docker/host_ca_rsa_1024 b/test/docker/host_ca_rsa_1024 new file mode 100644 index 0000000..337b777 --- /dev/null +++ b/test/docker/host_ca_rsa_1024 @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXgIBAAKBgQDnRlN3AFnUe2lFf5XG9UhXLr/9POruNTFbMt0zrjOUSjmAS7hS +6pDv5VEToT6DaR1EQUYaqSMpHYzZhuCK52vrydOm5XFbJ7712r9MyZQUhoVZx8Su +dBHzVDIVO3jcMMWIlrfWBMnUaUHEqpmy88Y7gKDa2TWxJg1+hg51KqHrUQIDAQAB +AoGBANALOUXRcP1tTtOP4+In/709dsONKyDBhPavGMFGsWtyIavBcbxU+bBzrq1j +3WJFCmi99xxAjjqMNInxhMgvSaoJtsiY0/FFxqRy6l/ZnRjI6hrVKR8whrPKVgBF +pvbjeQIn9txeCYA8kwl/Si762u7byq+qvupE53xMP94J02KBAkEA/Q4+Hn1Rjblw +VXynF+oXIq6iZy+8PW+Y/FIL8d31ehzfcssCMdFV6S3/wBoQkWby30oGC/xGmHGR +6ffXGilByQJBAOn3NMrBPXNkaPeQtgV3tk4s1dRDQYhbqGNz6tcgThyyPdhJCmCy +jgUEhLwAetsDI8/+3avWbo6/csOV+BvpYUkCQQDQyEp6L1z0+FV1QqY99dZmt/yn +89t0OLnZG/xc7osU1/OHq3TBE3y1KU2D+j1HKdAiZ9l7VAYOykzf46qmG/n5AkEA +2kWjfcjcIIw7lULvXZh6fuI7NwTr3V/Nb8MUA1EDLqhnJCG4SdAqyKmXf6Fe/HYo +cgKPIaIykIAxfCCsULXg6QJAOxB0CKYJlopVBdjGMlGqOEneWTmb1A2INQDE2Una +LkSd0Rr8OiEzDeemV7j3Ec4BH0HxGMnHDxMybZwoZRnRPw== +-----END RSA PRIVATE KEY----- diff --git a/test/docker/host_ca_rsa_1024.pub b/test/docker/host_ca_rsa_1024.pub new file mode 100644 index 0000000..6d861d6 --- /dev/null +++ b/test/docker/host_ca_rsa_1024.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDnRlN3AFnUe2lFf5XG9UhXLr/9POruNTFbMt0zrjOUSjmAS7hS6pDv5VEToT6DaR1EQUYaqSMpHYzZhuCK52vrydOm5XFbJ7712r9MyZQUhoVZx8SudBHzVDIVO3jcMMWIlrfWBMnUaUHEqpmy88Y7gKDa2TWxJg1+hg51KqHrUQ== jdog@localhost.wonderland.lol diff --git a/test/docker/host_ca_rsa_3072 b/test/docker/host_ca_rsa_3072 new file mode 100644 index 0000000..dd04653 --- /dev/null +++ b/test/docker/host_ca_rsa_3072 @@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG4wIBAAKCAYEAqxQEIbj8w0TrBY1fDO81curijQrdLOUr8Vl8XECWc5QGd1Lk +AG80NgdcCBPvjWxZSmYrKeqA78GUdN+KgycE0ztpxYSXKHZMaIM5Xe94BB+BocH9 +1vd/2iBzGeed1nV/zfAdq2AEHQj1TpII+a+z25yxv2PuwVTTwwo9I/6JgNq3evH4 +Hbwgr3SRfEEYZQ+YL8cOpBuNg1YZOR0k1yk23ZqAd92JybxZ4iCtOt7rcj2sFHzN +u1U544wWBwIL5yZZKTgBhY4dqfT2Ep7IzR5HdsdrvQV9qC92GM1zDE+U3AwrVKjH +s0YZq3jzcq/yvFDCcMMRz4/0pGFFU26oWma+n3vbAxKJoL+rhG8QM9+l2qFlLGsn +M0kUXAJXsPKbygpaP8Z3U4eKgTuJ2GuS9eLIFnB7mrwD75V6GgN9q5mY89DfkVSk +HaoqpY8pPdRkz9QAmMEuLtHmv29CVOpfX5v/rsm7wASAZqtUlmFu4rFGBLwvZbUl +Wu02HmgBT47g6EIfAgMBAAECggGAKVCdKtO03yd+pomcodAHFWiaK7uq7FOwCAo3 +WUQT0Xe3FAwFmgFBF6cxV5YQ7RN0gN4poGbMmpoiUxNFLSU4KhcYFSZPJutiyn6e +VQwm7L/7G2hw+AAvdSsPAPuJh6g6pC5Py/pVI/ns2/uyhTIkem3eEz18BF6LAXgw +icfHx0GKu/tBk1TCg/zfwaUq0gUxGKC27XTl+QjK8JsUMY33fQ755Xiv9PMytcR0 +cVoyfBVewFffi1UqtMQ48ZpR65G743RxrP4/wcwsfD7n5LJLdyxQkh3gIMTJ8dd/ +R5V4FlueorRgjTbLTjGDxNrCAJ+locezhEEPXsPh2q0KiIXGyz2AMxaOqFmhU8oK +aVVt8pWJ+YsrKIgc/A3s18ezO8uO5ZdtjQ+CWguduUGY7YgWezGLO1LPxhJC4d7b +Q/xpeKveTRlcScAqOUzKgSuEhcvPgj8paUcRUoiXm4qiJBY5sXJks+YGp8BGksH0 +O94no+Ns2G58MlL+RyXk3JWrc6zRAoHBANdPplY2sIuIiiEBu95f1Qar1nCBHhB2 +i+HpnsUOdSlbxwMxoF8ffeN9N+DQqaqPu1RhFa5xbB2EUSujvOnL7b/RWqe1X9Po +UIt5UjXctNP/HYcQDyjXY+rV5SZhHDyv6TBYurNZlvlBivliDz82THPRtqVxed3B +w2MeaSkKAQ8rA7PE+0j3TG+YtIij0mHOhNPJgEZ/XZ9MIQOGMycRJhwOlclBI5NP +Ak6p30ArnU2fX4qMkU3i+wqUfXS1hhDihwKBwQDLaHWPIWPVbWdcCbYQTcUmFC3i +xkxd0UuLcfS9csk61nvdFj7m8tMExX+3fIo/fHEtzDd98Alc1i6/f6ePl0CX6NDu +QIWLryI1QQRQidHCdw0wQ3N3VD4ZXJHDeqBxogVAkA7A/1QeXwcXE/Xj2ZgyDwhL +3+myjmvWtw9zJsXL0F3tpPzn+Mrf0KRkWOaluOw7hMMjVjrgu6g24HMWbHHVLRTx +dlAI7tgxCAPe2SEi+1mzaVUZ8cfgqYqC3X66UakCgcEAopxtK7+yJi/A4pzEnnYS +FS/CjMV3R0fA7aXbW0hIBCxkaW0Zib3m/eCcSxZMjZxwBpIsJctTtBcylprbGlgB +/1TF+tNoxEo4Sp4eEL/XciTC0Da4vEewFrPklM/S26KfovvgRYPsGeP+aco9aahA +pVhFcT36pBiq0DkvgucjValO6n5iqgDboYzbDDdttKCcgLc2Qgf/VUfRxy+bgm3Z +MmdxiMXBcIfDXlW9XmGSNAWhyqnPM9uxbZQoC/Tsg+QRAoHANHMcFSsz9f2+8DGk +27FiC76aUmZ1nJ9yTmO1CwDFOMHDsK+iyqSEmy9eDm8zqsko2flVuciicWjdJw4A +o/sJceJbtYO3q9weAwNf3HCdQPq30OEjrfpwBNQk1fYR1xtDJXHADC4Kf8ZbKq0/ +81/Rad8McZwsQ5mL3xLXDgdKa5KwFa48dIhnr6y6JxHxb3wule5W7w62Ierhpjzc +EEUoWSLFyrmKS7Ni1cnOTbFJZR7Q831Or2Dz/E9bYwFAQ0T5AoHAM4/zU+8rsbdD +FvvhWsj7Ivfh6pxx1Tl1Wccaauea9AJayHht0FOzkycpJrH1E+6F5MzhkFFU1SUY +60NZxzSZgbU0HBrJRcRFyo510iMcnctdTdyh8p7nweGoD0oqXzf6cHqrUep8Y8rQ +gkSVhPE31+NGlPbwz+NOflcaaAWYiDC6wjVt1asaZq292SJD4DF1fAUkbQ2hxgyQ ++G/6y5ovrcGnh7q63RLhW1TRf8dD2D2Av9UgXDmWZAZ5n838FS+X +-----END RSA PRIVATE KEY----- diff --git a/test/docker/host_ca_rsa_3072.pub b/test/docker/host_ca_rsa_3072.pub new file mode 100644 index 0000000..b728ed7 --- /dev/null +++ b/test/docker/host_ca_rsa_3072.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCrFAQhuPzDROsFjV8M7zVy6uKNCt0s5SvxWXxcQJZzlAZ3UuQAbzQ2B1wIE++NbFlKZisp6oDvwZR034qDJwTTO2nFhJcodkxogzld73gEH4Ghwf3W93/aIHMZ553WdX/N8B2rYAQdCPVOkgj5r7PbnLG/Y+7BVNPDCj0j/omA2rd68fgdvCCvdJF8QRhlD5gvxw6kG42DVhk5HSTXKTbdmoB33YnJvFniIK063utyPawUfM27VTnjjBYHAgvnJlkpOAGFjh2p9PYSnsjNHkd2x2u9BX2oL3YYzXMMT5TcDCtUqMezRhmrePNyr/K8UMJwwxHPj/SkYUVTbqhaZr6fe9sDEomgv6uEbxAz36XaoWUsayczSRRcAlew8pvKClo/xndTh4qBO4nYa5L14sgWcHuavAPvlXoaA32rmZjz0N+RVKQdqiqljyk91GTP1ACYwS4u0ea/b0JU6l9fm/+uybvABIBmq1SWYW7isUYEvC9ltSVa7TYeaAFPjuDoQh8= jdog@localhost.wonderland.lol diff --git a/test/docker/moduli_1024 b/test/docker/moduli_1024 new file mode 100644 index 0000000..bd81dae --- /dev/null +++ b/test/docker/moduli_1024 @@ -0,0 +1,44 @@ +20190821035337 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC08BE313B +20190821035338 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC08C0B443 +20190821035338 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC08D1AF8B +20190821035338 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC08E76DDB +20190821035338 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC08E8F5D3 +20190821035338 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC08EE3F1B +20190821035338 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC08F28387 +20190821035339 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC08F69A57 +20190821035339 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0903B157 +20190821035339 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0905C973 +20190821035339 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0909BCD3 +20190821035339 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC090F4A2B +20190821035340 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0933BC13 +20190821035340 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC09395757 +20190821035340 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC093F40D7 +20190821035340 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC09478D4F +20190821035340 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0953A4D7 +20190821035340 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC095B5C7B +20190821035341 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC09696573 +20190821035341 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC096BA243 +20190821035341 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC096F3903 +20190821035341 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC09850E4B +20190821035341 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC098A1C23 +20190821035341 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC098E08E7 +20190821035342 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC09A4FF7F +20190821035342 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC09AE4707 +20190821035342 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC09B4CE73 +20190821035342 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC09C60C6F +20190821035342 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC09D2588F +20190821035343 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A025067 +20190821035343 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A0E38EB +20190821035343 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A213923 +20190821035344 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A390CA7 +20190821035344 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A3C7ADB +20190821035344 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A44D497 +20190821035344 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A479B13 +20190821035345 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A5EF01F +20190821035345 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A615D43 +20190821035345 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A6BEADB +20190821035345 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A86309F +20190821035345 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A991E8F +20190821035346 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0AA32C53 +20190821035346 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0AA9FAAB +20190821035346 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0AAC42BB diff --git a/test/docker/policies/policy_test1.txt b/test/docker/policies/policy_test1.txt new file mode 100644 index 0000000..11d8e5c --- /dev/null +++ b/test/docker/policies/policy_test1.txt @@ -0,0 +1,10 @@ +# +# Docker policy: test1 +# + +name = "Docker policy: test1" +version = 1 +host keys = ssh-rsa, ssh-dss +key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1 +ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se +macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96 diff --git a/test/docker/policies/policy_test10.txt b/test/docker/policies/policy_test10.txt new file mode 100644 index 0000000..82c821e --- /dev/null +++ b/test/docker/policies/policy_test10.txt @@ -0,0 +1,39 @@ +# +# Docker policy: test10 +# + +# The name of this policy (displayed in the output during scans). Must be in quotes. +name = "Docker poliicy: test10" + +# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings. +version = 1 + +# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal. +# banner = "SSH-2.0-OpenSSH_5.6" + +# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal. +# header = "[]" + +# The compression options that must match exactly (order matters). Commented out to ignore by default. +# compressions = none, zlib@openssh.com + +# RSA host key sizes. +hostkey_size_rsa-sha2-256 = 3072 +hostkey_size_rsa-sha2-512 = 3072 +hostkey_size_ssh-rsa = 3072 +hostkey_size_ssh-rsa-cert-v01@openssh.com = 4096 + +# RSA CA key sizes. +cakey_size_ssh-rsa-cert-v01@openssh.com = 4096 + +# The host key types that must match exactly (order matters). +host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com + +# The key exchange algorithms that must match exactly (order matters). +key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1 + +# The ciphers that must match exactly (order matters). +ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se + +# The MACs that must match exactly (order matters). +macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96 diff --git a/test/docker/policies/policy_test11.txt b/test/docker/policies/policy_test11.txt new file mode 100644 index 0000000..d0fa4ae --- /dev/null +++ b/test/docker/policies/policy_test11.txt @@ -0,0 +1,35 @@ +# +# Docker policy: test11 +# + +# The name of this policy (displayed in the output during scans). Must be in quotes. +name = "Docker policy: test11" + +# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings. +version = 1 + +# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal. +# banner = "SSH-2.0-OpenSSH_8.0" + +# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal. +# header = "[]" + +# The compression options that must match exactly (order matters). Commented out to ignore by default. +# compressions = none, zlib@openssh.com + +# RSA host key sizes. +hostkey_size_rsa-sha2-256 = 3072 +hostkey_size_rsa-sha2-512 = 3072 +hostkey_size_ssh-rsa = 3072 + +# The host key types that must match exactly (order matters). +host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519 + +# The key exchange algorithms that must match exactly (order matters). +key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1 + +# The ciphers that must match exactly (order matters). +ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com + +# The MACs that must match exactly (order matters). +macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1 diff --git a/test/docker/policies/policy_test12.txt b/test/docker/policies/policy_test12.txt new file mode 100644 index 0000000..0b8a30b --- /dev/null +++ b/test/docker/policies/policy_test12.txt @@ -0,0 +1,35 @@ +# +# Docker policy: test12 +# + +# The name of this policy (displayed in the output during scans). Must be in quotes. +name = "Docker policy: test12" + +# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings. +version = 1 + +# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal. +# banner = "SSH-2.0-OpenSSH_8.0" + +# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal. +# header = "[]" + +# The compression options that must match exactly (order matters). Commented out to ignore by default. +# compressions = none, zlib@openssh.com + +# RSA host key sizes. +hostkey_size_rsa-sha2-256 = 4096 +hostkey_size_rsa-sha2-512 = 4096 +hostkey_size_ssh-rsa = 4096 + +# The host key types that must match exactly (order matters). +host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519 + +# The key exchange algorithms that must match exactly (order matters). +key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1 + +# The ciphers that must match exactly (order matters). +ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com + +# The MACs that must match exactly (order matters). +macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1 diff --git a/test/docker/policies/policy_test13.txt b/test/docker/policies/policy_test13.txt new file mode 100644 index 0000000..0f43e2a --- /dev/null +++ b/test/docker/policies/policy_test13.txt @@ -0,0 +1,38 @@ +# +# Docker policy: test13 +# + +# The name of this policy (displayed in the output during scans). Must be in quotes. +name = "Docker policy: test13" + +# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings. +version = 1 + +# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal. +# banner = "SSH-2.0-OpenSSH_8.0" + +# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal. +# header = "[]" + +# The compression options that must match exactly (order matters). Commented out to ignore by default. +# compressions = none, zlib@openssh.com + +# RSA host key sizes. +hostkey_size_rsa-sha2-256 = 3072 +hostkey_size_rsa-sha2-512 = 3072 +hostkey_size_ssh-rsa = 3072 + +# Group exchange DH modulus sizes. +dh_modulus_size_diffie-hellman-group-exchange-sha256 = 4096 + +# The host key types that must match exactly (order matters). +host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519 + +# The key exchange algorithms that must match exactly (order matters). +key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1 + +# The ciphers that must match exactly (order matters). +ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com + +# The MACs that must match exactly (order matters). +macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1 diff --git a/test/docker/policies/policy_test14.txt b/test/docker/policies/policy_test14.txt new file mode 100644 index 0000000..51b366d --- /dev/null +++ b/test/docker/policies/policy_test14.txt @@ -0,0 +1,38 @@ +# +# Docker policy: test14 +# + +# The name of this policy (displayed in the output during scans). Must be in quotes. +name = "Docker policy: test14" + +# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings. +version = 1 + +# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal. +# banner = "SSH-2.0-OpenSSH_8.0" + +# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal. +# header = "[]" + +# The compression options that must match exactly (order matters). Commented out to ignore by default. +# compressions = none, zlib@openssh.com + +# RSA host key sizes. +hostkey_size_rsa-sha2-256 = 3072 +hostkey_size_rsa-sha2-512 = 3072 +hostkey_size_ssh-rsa = 3072 + +# Group exchange DH modulus sizes. +dh_modulus_size_diffie-hellman-group-exchange-sha256 = 8192 + +# The host key types that must match exactly (order matters). +host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519 + +# The key exchange algorithms that must match exactly (order matters). +key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1 + +# The ciphers that must match exactly (order matters). +ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com + +# The MACs that must match exactly (order matters). +macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1 diff --git a/test/docker/policies/policy_test2.txt b/test/docker/policies/policy_test2.txt new file mode 100644 index 0000000..2b7821c --- /dev/null +++ b/test/docker/policies/policy_test2.txt @@ -0,0 +1,10 @@ +# +# Docker policy: test2 +# + +name = "Docker policy: test2" +version = 1 +host keys = ssh-rsa, ssh-dss +key exchanges = kex_alg1, kex_alg2 +ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se +macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96 diff --git a/test/docker/policies/policy_test3.txt b/test/docker/policies/policy_test3.txt new file mode 100644 index 0000000..f4ff3a0 --- /dev/null +++ b/test/docker/policies/policy_test3.txt @@ -0,0 +1,10 @@ +# +# Docker policy: test3 +# + +name = "Docker policy: test3" +version = 1 +host keys = ssh-rsa, ssh-dss, key_alg1 +key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1 +ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se +macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96 diff --git a/test/docker/policies/policy_test4.txt b/test/docker/policies/policy_test4.txt new file mode 100644 index 0000000..500d96f --- /dev/null +++ b/test/docker/policies/policy_test4.txt @@ -0,0 +1,10 @@ +# +# Docker policy: test4 +# + +name = "Docker policy: test4" +version = 1 +host keys = ssh-rsa, ssh-dss +key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1 +ciphers = cipher_alg1, cipher_alg2 +macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96 diff --git a/test/docker/policies/policy_test5.txt b/test/docker/policies/policy_test5.txt new file mode 100644 index 0000000..6285814 --- /dev/null +++ b/test/docker/policies/policy_test5.txt @@ -0,0 +1,10 @@ +# +# Docker policy: test5 +# + +name = "Docker policy: test5" +version = 1 +host keys = ssh-rsa, ssh-dss +key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1 +ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se +macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac_alg1, hmac-md5-96 diff --git a/test/docker/policies/policy_test6.txt b/test/docker/policies/policy_test6.txt new file mode 100644 index 0000000..0a4aacb --- /dev/null +++ b/test/docker/policies/policy_test6.txt @@ -0,0 +1,12 @@ +# +# Docker policy: test6 +# + +name = "Docker policy: test6" +version = 1 +banner = "SSH-2.0-OpenSSH_8.0" +compressions = none, zlib@openssh.com +host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519 +key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1 +ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com +macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1 diff --git a/test/docker/policies/policy_test7.txt b/test/docker/policies/policy_test7.txt new file mode 100644 index 0000000..05cd27f --- /dev/null +++ b/test/docker/policies/policy_test7.txt @@ -0,0 +1,39 @@ +# +# Docker policy: test7 +# + +# The name of this policy (displayed in the output during scans). Must be in quotes. +name = "Docker poliicy: test7" + +# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings. +version = 1 + +# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal. +# banner = "SSH-2.0-OpenSSH_5.6" + +# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal. +# header = "[]" + +# The compression options that must match exactly (order matters). Commented out to ignore by default. +# compressions = none, zlib@openssh.com + +# RSA host key sizes. +hostkey_size_rsa-sha2-256 = 3072 +hostkey_size_rsa-sha2-512 = 3072 +hostkey_size_ssh-rsa = 3072 +hostkey_size_ssh-rsa-cert-v01@openssh.com = 3072 + +# RSA CA key sizes. +cakey_size_ssh-rsa-cert-v01@openssh.com = 1024 + +# The host key types that must match exactly (order matters). +host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com + +# The key exchange algorithms that must match exactly (order matters). +key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1 + +# The ciphers that must match exactly (order matters). +ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se + +# The MACs that must match exactly (order matters). +macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96 diff --git a/test/docker/policies/policy_test8.txt b/test/docker/policies/policy_test8.txt new file mode 100644 index 0000000..6268585 --- /dev/null +++ b/test/docker/policies/policy_test8.txt @@ -0,0 +1,39 @@ +# +# Docker policy: test8 +# + +# The name of this policy (displayed in the output during scans). Must be in quotes. +name = "Docker poliicy: test8" + +# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings. +version = 1 + +# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal. +# banner = "SSH-2.0-OpenSSH_5.6" + +# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal. +# header = "[]" + +# The compression options that must match exactly (order matters). Commented out to ignore by default. +# compressions = none, zlib@openssh.com + +# RSA host key sizes. +hostkey_size_rsa-sha2-256 = 3072 +hostkey_size_rsa-sha2-512 = 3072 +hostkey_size_ssh-rsa = 3072 +hostkey_size_ssh-rsa-cert-v01@openssh.com = 3072 + +# RSA CA key sizes. +cakey_size_ssh-rsa-cert-v01@openssh.com = 2048 + +# The host key types that must match exactly (order matters). +host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com + +# The key exchange algorithms that must match exactly (order matters). +key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1 + +# The ciphers that must match exactly (order matters). +ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se + +# The MACs that must match exactly (order matters). +macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96 diff --git a/test/docker/policies/policy_test9.txt b/test/docker/policies/policy_test9.txt new file mode 100644 index 0000000..63652ce --- /dev/null +++ b/test/docker/policies/policy_test9.txt @@ -0,0 +1,39 @@ +# +# Docker policy: test9 +# + +# The name of this policy (displayed in the output during scans). Must be in quotes. +name = "Docker poliicy: test9" + +# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings. +version = 1 + +# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal. +# banner = "SSH-2.0-OpenSSH_5.6" + +# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal. +# header = "[]" + +# The compression options that must match exactly (order matters). Commented out to ignore by default. +# compressions = none, zlib@openssh.com + +# RSA host key sizes. +hostkey_size_rsa-sha2-256 = 3072 +hostkey_size_rsa-sha2-512 = 3072 +hostkey_size_ssh-rsa = 3072 +hostkey_size_ssh-rsa-cert-v01@openssh.com = 4096 + +# RSA CA key sizes. +cakey_size_ssh-rsa-cert-v01@openssh.com = 1024 + +# The host key types that must match exactly (order matters). +host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com + +# The key exchange algorithms that must match exactly (order matters). +key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1 + +# The ciphers that must match exactly (order matters). +ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se + +# The MACs that must match exactly (order matters). +macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96 diff --git a/test/docker/ssh1_host_key b/test/docker/ssh1_host_key Binary files differnew file mode 100644 index 0000000..c98971c --- /dev/null +++ b/test/docker/ssh1_host_key diff --git a/test/docker/ssh1_host_key.pub b/test/docker/ssh1_host_key.pub new file mode 100644 index 0000000..b66c66f --- /dev/null +++ b/test/docker/ssh1_host_key.pub @@ -0,0 +1 @@ +1024 35 150823875409720459951648542224727752099073441604930026287525797402159071426070997897033651155038337251362080634963146983947007228274330777134724953282680928153520263171933106732090266742784258910450489054624715996015082463159338507115031336180486071622718809324273851629938883104520608180885444242395900180011 root@ubuntu1604server diff --git a/test/docker/ssh_host_dsa_key b/test/docker/ssh_host_dsa_key new file mode 100644 index 0000000..ecd47f9 --- /dev/null +++ b/test/docker/ssh_host_dsa_key @@ -0,0 +1,12 @@ +-----BEGIN DSA PRIVATE KEY----- +MIIBugIBAAKBgQDth1eV+A8j191R0ey0dVXL2LGNGYM+a+PomSa7suK8xNCeVLKC +YpQ6VSWpAf6FbRWev1UVo8IpbglwFZPcyFPK2G1H7p45ows2SN4CleszDD56e6W0 +3Plc+qMqSJ6LTjr4M5+HqTDOM3CS72d7MXUkfHQiagyrWQhXyc0kFsNJLwIVAKg7 +b5+NiIZzpg5IEH0tlYFQpuhBAoGAGcbq79QqNNZRuPCE/F05sCoTRGCmFnDjCuCg +WN7wNRotjMz/S3pHtCCeuTT1jT6Hy0ZFHftv0t/GF8GBRgeokUbS4ytHpOkFWcTz +8oFguDL44nq8eNfSY6bzEl84qsgEe4HP93mB4FR1ZUUgI4b7gCBOYEFl3yPiH7H1 +p7Z9E1oCgYAl1UPQkeRhElz+AgEbNsnMKu1+6O3/z95D1Wvv4OEwAImbytlBaC7p +kwJElJNsMMfGqCC8OHdJ0e4VQQUwk/GOhD0MFhVQHBtVZYbiWmVkpfHf1ouUQg3f +1IZmz2SSt6cPPEu+BEQ/Sn3mFRJ5XSTHLtnI0HJeDND5u1+6p1nXawIURv3Maige +oxmfqC24VoROJEq+sew= +-----END DSA PRIVATE KEY----- diff --git a/test/docker/ssh_host_dsa_key.pub b/test/docker/ssh_host_dsa_key.pub new file mode 100644 index 0000000..a32a5a0 --- /dev/null +++ b/test/docker/ssh_host_dsa_key.pub @@ -0,0 +1 @@ +ssh-dss AAAAB3NzaC1kc3MAAACBAO2HV5X4DyPX3VHR7LR1VcvYsY0Zgz5r4+iZJruy4rzE0J5UsoJilDpVJakB/oVtFZ6/VRWjwiluCXAVk9zIU8rYbUfunjmjCzZI3gKV6zMMPnp7pbTc+Vz6oypInotOOvgzn4epMM4zcJLvZ3sxdSR8dCJqDKtZCFfJzSQWw0kvAAAAFQCoO2+fjYiGc6YOSBB9LZWBUKboQQAAAIAZxurv1Co01lG48IT8XTmwKhNEYKYWcOMK4KBY3vA1Gi2MzP9Leke0IJ65NPWNPofLRkUd+2/S38YXwYFGB6iRRtLjK0ek6QVZxPPygWC4Mvjierx419JjpvMSXziqyAR7gc/3eYHgVHVlRSAjhvuAIE5gQWXfI+IfsfWntn0TWgAAAIAl1UPQkeRhElz+AgEbNsnMKu1+6O3/z95D1Wvv4OEwAImbytlBaC7pkwJElJNsMMfGqCC8OHdJ0e4VQQUwk/GOhD0MFhVQHBtVZYbiWmVkpfHf1ouUQg3f1IZmz2SSt6cPPEu+BEQ/Sn3mFRJ5XSTHLtnI0HJeDND5u1+6p1nXaw== diff --git a/test/docker/ssh_host_ecdsa_key b/test/docker/ssh_host_ecdsa_key new file mode 100644 index 0000000..69eea7b --- /dev/null +++ b/test/docker/ssh_host_ecdsa_key @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEICq/YV5QenL0uW5g5tCjY3EWs+UBFmskY+Jjt2vd2aEmoAoGCCqGSM49 +AwEHoUQDQgAEdYSxDVUjOpW479L/nRDiAdxRB5Kuy2bgkP/LA2pnWPcGIWmFa4QU +YN2U3JsFKcLIcx5cvTehQfgrHDnaSKVdKA== +-----END EC PRIVATE KEY----- diff --git a/test/docker/ssh_host_ecdsa_key.pub b/test/docker/ssh_host_ecdsa_key.pub new file mode 100644 index 0000000..4e17058 --- /dev/null +++ b/test/docker/ssh_host_ecdsa_key.pub @@ -0,0 +1 @@ +ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHWEsQ1VIzqVuO/S/50Q4gHcUQeSrstm4JD/ywNqZ1j3BiFphWuEFGDdlNybBSnCyHMeXL03oUH4Kxw52kilXSg= diff --git a/test/docker/ssh_host_ed25519_key b/test/docker/ssh_host_ed25519_key new file mode 100644 index 0000000..3388574 --- /dev/null +++ b/test/docker/ssh_host_ed25519_key @@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACC/9RD2Ao95ODDIH8i11ekTALut8AUNqWoQx0jHlP4xygAAAKDiqVOs4qlT +rAAAAAtzc2gtZWQyNTUxOQAAACC/9RD2Ao95ODDIH8i11ekTALut8AUNqWoQx0jHlP4xyg +AAAECTmHGkq0Qea0QqTJYMXL0bpxVU7mhgwYninfVWxrA017/1EPYCj3k4MMgfyLXV6RMA +u63wBQ2pahDHSMeU/jHKAAAAHWpkb2dAbG9jYWxob3N0LndvbmRlcmxhbmQubG9s +-----END OPENSSH PRIVATE KEY----- diff --git a/test/docker/ssh_host_ed25519_key-cert.pub b/test/docker/ssh_host_ed25519_key-cert.pub new file mode 100644 index 0000000..8eef563 --- /dev/null +++ b/test/docker/ssh_host_ed25519_key-cert.pub @@ -0,0 +1 @@ +ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIO1W0I8tD0c4LypvHY1XNch3BQCw9Yy28/4KmAYql80DAAAAIL/1EPYCj3k4MMgfyLXV6RMAu63wBQ2pahDHSMeU/jHKAAAAAAAAAAAAAAACAAAABHRlc3QAAAAIAAAABHRlc3QAAAAAXV7hvAAAAACBa2YhAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAbM9Wp3ZPcC8Ifhu6GjNDJaoMg7KxO0el2+r9J35TltQAAAFMAAAALc3NoLWVkMjU1MTkAAABAW60bCSeIG4Ta+57zgkSbW4LIGCxtOuJJ+pP3i3S0xJJfHGnOtXbg0NQm7pulNl/wd01kgJO9A7RjbhTh7TV1AA== ssh_host_ed25519_key.pub diff --git a/test/docker/ssh_host_ed25519_key.pub b/test/docker/ssh_host_ed25519_key.pub new file mode 100644 index 0000000..e56a56a --- /dev/null +++ b/test/docker/ssh_host_ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL/1EPYCj3k4MMgfyLXV6RMAu63wBQ2pahDHSMeU/jHK diff --git a/test/docker/ssh_host_rsa_key_1024 b/test/docker/ssh_host_rsa_key_1024 new file mode 100644 index 0000000..e9023b6 --- /dev/null +++ b/test/docker/ssh_host_rsa_key_1024 @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXgIBAAKBgQDeCC1U7VqVg9AfrfWrXACiW6pzYOuP8tim68z+YN/dUU7JhFZ4 +0toteQkLcJBAD2miQ6ZJYkjVfhQ4FRFeOW5vcN0UYHn8ttb2mKdGJdt24ZYY5Z6J +WHQhPOpSgtWyUv6RnxU2ligEeaoPaiepUUOhoyLf4WcF7voVCAKZNqeTtQIDAQAB +AoGATGZ16s5NqDsWJ4B9k3xx/2wZZ+BGzl6a7D0habq97XLn8HGoK6UqTBFk6lnO +WSy0hZBPrNq0AzqCDJY7RrfuZqgVAu/+HEFuXencgt8Z//ueYBaGK8yAC+OrMnDG +LbSoIGRq8saaFtCzt47c+uSVsrhJ4TvK5gbceZuD/2uw10ECQQD79T0j+YWsLISK +PKvYHqEXSMPN6b+lK9hRPLoF9NMksNLSjuxxhkYHz+hJPVNT+wPtRMAYmMdPXfKa +FjuErXVFAkEA4ZgJIOeJ7OHfqGEgd29m36yFy0UaUJ+cmYuJzHAYWgW3TOanqpZm +A8EENuXvH0DtYRVytv4m/cIRVVPxWtXzsQJBALXlQUOEc0VuSi1GScVXr3KQ3JL+ +ipWixqM3VRDRw9D8Ouc5uWbnygz/wrGFLXA2ioozlP7s5Q7eQzOMk2FgnIUCQQCz +j5QUgLcjuVWQbF6vMhisCGImPUaIzcKT5KE1/DMl1E7mAuGJwlRIwKVeHP6L3d4T +3EKGrRzT9lhdlocRSiLBAkEAi3xI0MOZp4xGviPc1C1TKuqdJSr8fHwbtLozwNQO +nnF6m5S72JzZEThDBZS9zcdBp9EFpTvUGzx/O0GI454eoA== +-----END RSA PRIVATE KEY----- diff --git a/test/docker/ssh_host_rsa_key_1024-cert_1024.pub b/test/docker/ssh_host_rsa_key_1024-cert_1024.pub new file mode 100644 index 0000000..17c7738 --- /dev/null +++ b/test/docker/ssh_host_rsa_key_1024-cert_1024.pub @@ -0,0 +1 @@ +ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgFqxXSa9HTqCw5YW3DdIwVREPGxI+i56w32RnHWRg0NoAAAADAQABAAAAgQDeCC1U7VqVg9AfrfWrXACiW6pzYOuP8tim68z+YN/dUU7JhFZ40toteQkLcJBAD2miQ6ZJYkjVfhQ4FRFeOW5vcN0UYHn8ttb2mKdGJdt24ZYY5Z6JWHQhPOpSgtWyUv6RnxU2ligEeaoPaiepUUOhoyLf4WcF7voVCAKZNqeTtQAAAAAAAAAAAAAAAgAAAAR0ZXN0AAAACAAAAAR0ZXN0AAAAAF1evHgAAAAAgWtAtQAAAAAAAAAAAAAAAAAAAJcAAAAHc3NoLXJzYQAAAAMBAAEAAACBAOdGU3cAWdR7aUV/lcb1SFcuv/086u41MVsy3TOuM5RKOYBLuFLqkO/lUROhPoNpHURBRhqpIykdjNmG4Irna+vJ06blcVsnvvXav0zJlBSGhVnHxK50EfNUMhU7eNwwxYiWt9YEydRpQcSqmbLzxjuAoNrZNbEmDX6GDnUqoetRAAAAjwAAAAdzc2gtcnNhAAAAgFRc2g0eWXGmqSa6Z8rcMPHf4rNMornEHSnTzZ8Rdh4YBhDa9xMRRy6puaWPDzXxOfZh7eSjCwrzUMEXTgCIO4oX62xm/6kUnAmKhXle0+inR/hdPg03daE0SBJ4spBT49lJ4WIW38RKFNzjmYg70rTPAnP8oM/F3CC1GV117/Vv ssh_host_rsa_key_1024.pub diff --git a/test/docker/ssh_host_rsa_key_1024-cert_3072.pub b/test/docker/ssh_host_rsa_key_1024-cert_3072.pub new file mode 100644 index 0000000..ea0160a --- /dev/null +++ b/test/docker/ssh_host_rsa_key_1024-cert_3072.pub @@ -0,0 +1 @@ +ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgrJGcfyW8V6VWGT7lD1ardj2RtTP8TOjmLRNbuoGkyZQAAAADAQABAAAAgQDeCC1U7VqVg9AfrfWrXACiW6pzYOuP8tim68z+YN/dUU7JhFZ40toteQkLcJBAD2miQ6ZJYkjVfhQ4FRFeOW5vcN0UYHn8ttb2mKdGJdt24ZYY5Z6JWHQhPOpSgtWyUv6RnxU2ligEeaoPaiepUUOhoyLf4WcF7voVCAKZNqeTtQAAAAAAAAAAAAAAAgAAAAR0ZXN0AAAACAAAAAR0ZXN0AAAAAF1evHgAAAAAgWtA7gAAAAAAAAAAAAAAAAAAAZcAAAAHc3NoLXJzYQAAAAMBAAEAAAGBAKsUBCG4/MNE6wWNXwzvNXLq4o0K3SzlK/FZfFxAlnOUBndS5ABvNDYHXAgT741sWUpmKynqgO/BlHTfioMnBNM7acWElyh2TGiDOV3veAQfgaHB/db3f9ogcxnnndZ1f83wHatgBB0I9U6SCPmvs9ucsb9j7sFU08MKPSP+iYDat3rx+B28IK90kXxBGGUPmC/HDqQbjYNWGTkdJNcpNt2agHfdicm8WeIgrTre63I9rBR8zbtVOeOMFgcCC+cmWSk4AYWOHan09hKeyM0eR3bHa70FfagvdhjNcwxPlNwMK1Sox7NGGat483Kv8rxQwnDDEc+P9KRhRVNuqFpmvp972wMSiaC/q4RvEDPfpdqhZSxrJzNJFFwCV7Dym8oKWj/Gd1OHioE7idhrkvXiyBZwe5q8A++VehoDfauZmPPQ35FUpB2qKqWPKT3UZM/UAJjBLi7R5r9vQlTqX1+b/67Ju8AEgGarVJZhbuKxRgS8L2W1JVrtNh5oAU+O4OhCHwAAAY8AAAAHc3NoLXJzYQAAAYCO78ONpHp+EGWDqDLb/GPFDH32o6oaRRrIH/Bhvg1FOi5XngnHTdU7xWdnJqNE2Sl6VOrg0sTCMYcX9fZ8tVREnCo3aF7Iwow5Br67QYKayRzHANQqHaVK46lpI1gz81V00u54tX1F8oEUqm6sRmFKFuklt6CjfbR+tnpj7DrfeOTKEBOGJP2uU0jMsJr2DrBeXrzONjIJtIJ1AxWjXd2LeIWO2C6yTkcN5ggThMMaeu6QuuBPpC2PN2COfu+Mgto9g103+/SS4Wa8CzinZZn2Xe1isUxI8QRNrShy4Hl/bIZQL7mi/0rxkfw+fA7IzMk462V99gPVSp+/jK0sbUJoC3QeeglS5hWodjW+VGZfgweGQ+AE/OxkNSv+kDPMYEkjfOf4qhxS5QFvButLt6zp2UNbE5+OWvYpdjO9/DOa0ro+wCw07+dVKIcDpU2csiCcJvQ/HmKAmhch7jOHa0WaxSX0tt0xTPJWTvr6E4WZOgEnk9AvWmrKjF5tEzGYwTU= ssh_host_rsa_key_1024.pub diff --git a/test/docker/ssh_host_rsa_key_1024.pub b/test/docker/ssh_host_rsa_key_1024.pub new file mode 100644 index 0000000..1da6065 --- /dev/null +++ b/test/docker/ssh_host_rsa_key_1024.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDeCC1U7VqVg9AfrfWrXACiW6pzYOuP8tim68z+YN/dUU7JhFZ40toteQkLcJBAD2miQ6ZJYkjVfhQ4FRFeOW5vcN0UYHn8ttb2mKdGJdt24ZYY5Z6JWHQhPOpSgtWyUv6RnxU2ligEeaoPaiepUUOhoyLf4WcF7voVCAKZNqeTtQ== diff --git a/test/docker/ssh_host_rsa_key_3072 b/test/docker/ssh_host_rsa_key_3072 new file mode 100644 index 0000000..3a2c719 --- /dev/null +++ b/test/docker/ssh_host_rsa_key_3072 @@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAzhHp7eFnrQAJqOd7aihyQyIDKgxCF7H51Q3Ft3+8af+lX3Ol +Ie77Gi5GNNM+eRB4OzG+CBslxN5I3pM//sZ+gyylA1VuWZZkOlgtbOHutIkO2ldk +XtoGidla0VAxLcUcUK6cCmqwBTT31Hp4Qimp2zyeg/l5q0DhWKguY13lrm5b3YZY +rj7CW3Ktzxf8SbYz6du8KF0dHCWilzq+FLeGzXr7Yul5njVF5njkGvZ9duQ0qiVR +zqZkrkLEWgQlCM0T+PyUbvedL1MfDZPHGh7ZhU0snOvJRsxAr31tlknq+WwauZYd +DzJf1g1URcM65UwEsPlfgOW3ZoZogR1v57Im+KdsKhq2B3snEtJgdQh06JyO0ur4 +uUXo1mMtvBFhiptUtwP4g9v/IN4neeK+wBRom46m2Q1bMUBPneBOa8r2SY/3ynrz +XuVIWFOQtF60aJ+BNqvgUVCKOmz1KzoJwTqGm+EFaKM5z+UQWjIbSE3Ge4X5hXtk +Ou52v+tyDUk6boZLAgMBAAECggGAdrhxWmA7N7tG1W2Pd6iXs7+brRTk2vvpYGqP +11kbNsJXBzf8EiG5vuqb/gEaA+uOKSRORCNHzjT2LG0POHwpFO+aneIRMkHnuolk +mk9ME+zGhtpEdDUOAUsc/GxD+QePeZgvQ/0VLdrHUT3BnPSd7DXvaT9IbnZxnX8/ +QnYtRiJEgMrOuoxjswXNxvsdmWYEYJ38uBB1Hes80f3A1vSpECbjP6gdLh2pCM/r +MvGBdQaipMfdar4IUTEcKHQs1fY3mlAxnWRjYCqJPmq10d3NrdUrHb2zBE1HCC4h +aj2ycTxFhDJqGV6Y2AboHqh2c7lPJ+R2UjI9mIpALZSviHB1POcpWCAGA3NKjri9 +8jgxl3bj03ikJNfCuvlqRTa8at63W2zZTMRsxamoiO023uUOEMNBPwWXP/rVhQ8g +ufih0SY44j0EMPIuu2PoQV4ZSOtDw8xdPrchVCa078/pP5cRa4uV0bl2K4as+cYC +BhjEq2Org3ulDW2n6Mz5ZS7NbAkxAoHBAP/bgPGKX7rfrHa5MRHIgbLSmZtUoF51 +YGelc8ytRx6UT6wriJ1jQRXiI5mZlIXyVxMpIz9s4+h59kF+LpZuNLc3vTYpPOQn +RUDBVY6+SPC5MancL7bfBoHahpWEJuJB/WUE7eWvQM03/LsBtU6Nq+R632t5KdqF +A4y86qgD1vIjcBWvySLFJZGOCoNbj7ZinoBUO3ueYK6SUj8xH6TAqOJsTPvquRT3 +AFBpFBmrVc24wW7wTiLkQOhkIQs1J/ZhYwKBwQDOL07qF8wsoQBBTTXkZ59BCauz +R8kfqe5oUBwsmGJdiIHX6gutBA07sSwzVekIvCCkJFXk3TxLoBSMHEZEIdnS+HVt +gMIacYuhbh+XztdY0kadH/SMbVQD/2LZcL99vcZPq1QF3cHb0Buip5+fyAYjoEc7 +oVgvewD/TwdNcMjos/kMNh6l04kLi6vQG3WhoSBPWaoB669ppBNXSrWKe43nXVi6 +EvjGEiL+HCCnmD6LiD6p797Owu9AChP6fXInD/kCgcEAiLP3SRbt3yLzOtvn4+CF +q83qVJv6s31zbO1x2cIbZbNIfm0kKTOG6vJQoxjzyj2ZWJt6QcEkZGoFsSiCK83m +TJ5zciTGbACvd9HUrNfukO/iISeMNuEi0O65Sdm6DNnFUdw4X6grr3pihmh7PuVj +GkisZvft7Nt08hVeKzch+W4FzRCHHxTG5eZGp7icKI64sUhQH9SXQ67aUvkkNxrZ +IWFMIK1hBlqSyGPcYXqx9aDpeSTcGrhqFcCqBxr3pySRAoHAfJNO3delEC3yxoHN +FwSYzyX1rOuplE0K89G7RCKKBDNPKFKL3Wx+Rluk9htpIlLwcdxWXWJiZNsCrykC +N3YwcuyVnqTWIj4KfG3Z/tIFgPADpDnDevkvcv7iDbi2qlV4NXix2p2C3LnfiKY4 +psSnGO1lPJ0eeAmcr6VjJyIG8bqTthIY8F5gBi7Mj3+X0iFVMTxeoKxzHqP435wP +Fe3S7kCTNFH0J1Cb/eamwDwXRhz6p5h7iXd0MMAmFAmpZ/qZAoHBAPDSIvk2ocf1 +FVW8pKtKOJFIs8iQVIaOLKwPJVP8/JsB1+7mQx5KMoROb5pNpX2edN4vvG0CgqpJ +KekleqpH6nQCqYGFZ1BDhORElNILxeJHcNl0eAG++IJ2PfIpTZV30edDqMm0x7EI +8POZWAx809VzcYbE2jsgpN/EuiaG30EAI5yNvyzmZRCyQykH+eltHlCx17MWBxRQ +bb2UUfpdInTMS2vyrvkeUACkC1DGYdBVVBqqPTkHZg+Kcbs8ntQqEQ== +-----END RSA PRIVATE KEY----- diff --git a/test/docker/ssh_host_rsa_key_3072-cert_1024.pub b/test/docker/ssh_host_rsa_key_3072-cert_1024.pub new file mode 100644 index 0000000..da6b9ec --- /dev/null +++ b/test/docker/ssh_host_rsa_key_3072-cert_1024.pub @@ -0,0 +1 @@ +ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgGHz1JwF/1IcxW3pdQtpqbUjIHaFuk0cR/+l50vG+9hIAAAADAQABAAABgQDOEent4WetAAmo53tqKHJDIgMqDEIXsfnVDcW3f7xp/6Vfc6Uh7vsaLkY00z55EHg7Mb4IGyXE3kjekz/+xn6DLKUDVW5ZlmQ6WC1s4e60iQ7aV2Re2gaJ2VrRUDEtxRxQrpwKarAFNPfUenhCKanbPJ6D+XmrQOFYqC5jXeWublvdhliuPsJbcq3PF/xJtjPp27woXR0cJaKXOr4Ut4bNevti6XmeNUXmeOQa9n125DSqJVHOpmSuQsRaBCUIzRP4/JRu950vUx8Nk8caHtmFTSyc68lGzECvfW2WSer5bBq5lh0PMl/WDVRFwzrlTASw+V+A5bdmhmiBHW/nsib4p2wqGrYHeycS0mB1CHTonI7S6vi5RejWYy28EWGKm1S3A/iD2/8g3id54r7AFGibjqbZDVsxQE+d4E5ryvZJj/fKevNe5UhYU5C0XrRon4E2q+BRUIo6bPUrOgnBOoab4QVooznP5RBaMhtITcZ7hfmFe2Q67na/63INSTpuhksAAAAAAAAAAAAAAAIAAAAEdGVzdAAAAAgAAAAEdGVzdAAAAABdXry0AAAAAIFrQR8AAAAAAAAAAAAAAAAAAACXAAAAB3NzaC1yc2EAAAADAQABAAAAgQDnRlN3AFnUe2lFf5XG9UhXLr/9POruNTFbMt0zrjOUSjmAS7hS6pDv5VEToT6DaR1EQUYaqSMpHYzZhuCK52vrydOm5XFbJ7712r9MyZQUhoVZx8SudBHzVDIVO3jcMMWIlrfWBMnUaUHEqpmy88Y7gKDa2TWxJg1+hg51KqHrUQAAAI8AAAAHc3NoLXJzYQAAAIB4HaEexgQ9T6rScEbiHZx+suCaYXI7ywLYyoSEO48K8o+MmO83UTLtpPa3DXlT8hSYL8Aq6Bb5AMkDawsgsC484owPqObT/5ndLG/fctNBFcCTSL0ftte+A8xH0pZaGRoKbdxxgMqX4ubrCXpbMLGF9aAeh7MRa756XzqGlsCiSA== ssh_host_rsa_key_3072.pub diff --git a/test/docker/ssh_host_rsa_key_3072-cert_3072.pub b/test/docker/ssh_host_rsa_key_3072-cert_3072.pub new file mode 100644 index 0000000..78f49ea --- /dev/null +++ b/test/docker/ssh_host_rsa_key_3072-cert_3072.pub @@ -0,0 +1 @@ +ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg9MVX4OlkEy3p9eC+JJp8h7j76EmI46EY/RXxCGSWTC0AAAADAQABAAABgQDOEent4WetAAmo53tqKHJDIgMqDEIXsfnVDcW3f7xp/6Vfc6Uh7vsaLkY00z55EHg7Mb4IGyXE3kjekz/+xn6DLKUDVW5ZlmQ6WC1s4e60iQ7aV2Re2gaJ2VrRUDEtxRxQrpwKarAFNPfUenhCKanbPJ6D+XmrQOFYqC5jXeWublvdhliuPsJbcq3PF/xJtjPp27woXR0cJaKXOr4Ut4bNevti6XmeNUXmeOQa9n125DSqJVHOpmSuQsRaBCUIzRP4/JRu950vUx8Nk8caHtmFTSyc68lGzECvfW2WSer5bBq5lh0PMl/WDVRFwzrlTASw+V+A5bdmhmiBHW/nsib4p2wqGrYHeycS0mB1CHTonI7S6vi5RejWYy28EWGKm1S3A/iD2/8g3id54r7AFGibjqbZDVsxQE+d4E5ryvZJj/fKevNe5UhYU5C0XrRon4E2q+BRUIo6bPUrOgnBOoab4QVooznP5RBaMhtITcZ7hfmFe2Q67na/63INSTpuhksAAAAAAAAAAAAAAAIAAAAEdGVzdAAAAAgAAAAEdGVzdAAAAABdXr0sAAAAAIFrQWwAAAAAAAAAAAAAAAAAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQCrFAQhuPzDROsFjV8M7zVy6uKNCt0s5SvxWXxcQJZzlAZ3UuQAbzQ2B1wIE++NbFlKZisp6oDvwZR034qDJwTTO2nFhJcodkxogzld73gEH4Ghwf3W93/aIHMZ553WdX/N8B2rYAQdCPVOkgj5r7PbnLG/Y+7BVNPDCj0j/omA2rd68fgdvCCvdJF8QRhlD5gvxw6kG42DVhk5HSTXKTbdmoB33YnJvFniIK063utyPawUfM27VTnjjBYHAgvnJlkpOAGFjh2p9PYSnsjNHkd2x2u9BX2oL3YYzXMMT5TcDCtUqMezRhmrePNyr/K8UMJwwxHPj/SkYUVTbqhaZr6fe9sDEomgv6uEbxAz36XaoWUsayczSRRcAlew8pvKClo/xndTh4qBO4nYa5L14sgWcHuavAPvlXoaA32rmZjz0N+RVKQdqiqljyk91GTP1ACYwS4u0ea/b0JU6l9fm/+uybvABIBmq1SWYW7isUYEvC9ltSVa7TYeaAFPjuDoQh8AAAGPAAAAB3NzaC1yc2EAAAGAG8tCiBMSq3Of3Gmcrid2IfPmaaemYivgEEuK8ubq1rznF0vtR07/NUQ7WVzfJhUSeG0gtJ3A1ey60NjcBn0DHao4Q3ATIXnkSOIKjNolZ2urqYv9fT1LAC4I5XWGzK2aKK0NEqAYr06YPtcGOBQk5+3GPAWSJ4eQycKRz5BSuMYbKaVxU0kGSvbavG07ZntMQhia/lILyq84PjXh/JlRVpIqY+LAS0qwqkUR3gWMTmvYvYI7fXU84ReVB1ut75bY7Xx0DXHPl1Zc2MNDLGcKsByZtoO9ueZRyOlZMUJcVP5fK+OUuZKjMbCaaJnV55BQ78/rftIPYsTEEO2Sf9WT86ADa3k4S0pyWqlTxBzZcDWNt+fZFNm9wcqcYS32nDKtfixcDN8E/IJIWY7aoabPqoYnKUVQBOcIEnZf1HqsKUVmF44Dp9mKhefUs3BtcdK63j/lNXzzMrPwZQAreJqH/uV3TgYBLjMPl++ctX6tCe6Hv5zFKNhnOCSBSzcsCgIU ssh_host_rsa_key_3072.pub diff --git a/test/docker/ssh_host_rsa_key_3072.pub b/test/docker/ssh_host_rsa_key_3072.pub new file mode 100644 index 0000000..ad83cd1 --- /dev/null +++ b/test/docker/ssh_host_rsa_key_3072.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDOEent4WetAAmo53tqKHJDIgMqDEIXsfnVDcW3f7xp/6Vfc6Uh7vsaLkY00z55EHg7Mb4IGyXE3kjekz/+xn6DLKUDVW5ZlmQ6WC1s4e60iQ7aV2Re2gaJ2VrRUDEtxRxQrpwKarAFNPfUenhCKanbPJ6D+XmrQOFYqC5jXeWublvdhliuPsJbcq3PF/xJtjPp27woXR0cJaKXOr4Ut4bNevti6XmeNUXmeOQa9n125DSqJVHOpmSuQsRaBCUIzRP4/JRu950vUx8Nk8caHtmFTSyc68lGzECvfW2WSer5bBq5lh0PMl/WDVRFwzrlTASw+V+A5bdmhmiBHW/nsib4p2wqGrYHeycS0mB1CHTonI7S6vi5RejWYy28EWGKm1S3A/iD2/8g3id54r7AFGibjqbZDVsxQE+d4E5ryvZJj/fKevNe5UhYU5C0XrRon4E2q+BRUIo6bPUrOgnBOoab4QVooznP5RBaMhtITcZ7hfmFe2Q67na/63INSTpuhks= |