summaryrefslogtreecommitdiffstats
path: root/test/docker
diff options
context:
space:
mode:
Diffstat (limited to 'test/docker')
-rw-r--r--test/docker/.ed25519.sk1
-rw-r--r--test/docker/Dockerfile32
-rwxr-xr-xtest/docker/debug.sh9
-rw-r--r--test/docker/dropbear_dss_host_keybin0 -> 458 bytes
-rw-r--r--test/docker/dropbear_ecdsa_host_keybin0 -> 141 bytes
-rw-r--r--test/docker/dropbear_rsa_host_key_1024bin0 -> 421 bytes
-rw-r--r--test/docker/dropbear_rsa_host_key_3072bin0 -> 1189 bytes
-rw-r--r--test/docker/ed25519.pk1
-rw-r--r--test/docker/expected_results/dropbear_2019.78_test1.json371
-rw-r--r--test/docker/expected_results/dropbear_2019.78_test1.txt87
-rw-r--r--test/docker/expected_results/openssh_4.0p1_test1.json525
-rw-r--r--test/docker/expected_results/openssh_4.0p1_test1.txt130
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json6
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test1.txt3
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json31
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt28
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json23
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt9
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json22
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt9
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json32
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt9
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json31
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt9
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json6
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test7.txt18
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json19
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt24
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json19
-rw-r--r--test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt24
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test1.json558
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test1.txt134
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test2.json560
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test2.txt135
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test3.json559
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test3.txt134
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test4.json558
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test4.txt133
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test5.json557
-rw-r--r--test/docker/expected_results/openssh_5.6p1_test5.txt132
-rw-r--r--test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json43
-rw-r--r--test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.txt17
-rw-r--r--test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json66
-rw-r--r--test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt21
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json6
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test11.txt12
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json43
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt26
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json6
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test13.txt15
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json19
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt21
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json6
-rw-r--r--test/docker/expected_results/openssh_8.0p1_custom_policy_test6.txt3
-rw-r--r--test/docker/expected_results/openssh_8.0p1_test1.json462
-rw-r--r--test/docker/expected_results/openssh_8.0p1_test1.txt99
-rw-r--r--test/docker/expected_results/openssh_8.0p1_test2.json421
-rw-r--r--test/docker/expected_results/openssh_8.0p1_test2.txt91
-rw-r--r--test/docker/expected_results/openssh_8.0p1_test3.json206
-rw-r--r--test/docker/expected_results/openssh_8.0p1_test3.txt51
-rw-r--r--test/docker/expected_results/tinyssh_20190101_test1.json98
-rw-r--r--test/docker/expected_results/tinyssh_20190101_test1.txt29
-rw-r--r--test/docker/host_ca_ed255197
-rw-r--r--test/docker/host_ca_ed25519.pub1
-rw-r--r--test/docker/host_ca_rsa_102415
-rw-r--r--test/docker/host_ca_rsa_1024.pub1
-rw-r--r--test/docker/host_ca_rsa_307239
-rw-r--r--test/docker/host_ca_rsa_3072.pub1
-rw-r--r--test/docker/moduli_102444
-rw-r--r--test/docker/policies/policy_test1.txt10
-rw-r--r--test/docker/policies/policy_test10.txt39
-rw-r--r--test/docker/policies/policy_test11.txt35
-rw-r--r--test/docker/policies/policy_test12.txt35
-rw-r--r--test/docker/policies/policy_test13.txt38
-rw-r--r--test/docker/policies/policy_test14.txt38
-rw-r--r--test/docker/policies/policy_test2.txt10
-rw-r--r--test/docker/policies/policy_test3.txt10
-rw-r--r--test/docker/policies/policy_test4.txt10
-rw-r--r--test/docker/policies/policy_test5.txt10
-rw-r--r--test/docker/policies/policy_test6.txt12
-rw-r--r--test/docker/policies/policy_test7.txt39
-rw-r--r--test/docker/policies/policy_test8.txt39
-rw-r--r--test/docker/policies/policy_test9.txt39
-rw-r--r--test/docker/ssh1_host_keybin0 -> 536 bytes
-rw-r--r--test/docker/ssh1_host_key.pub1
-rw-r--r--test/docker/ssh_host_dsa_key12
-rw-r--r--test/docker/ssh_host_dsa_key.pub1
-rw-r--r--test/docker/ssh_host_ecdsa_key5
-rw-r--r--test/docker/ssh_host_ecdsa_key.pub1
-rw-r--r--test/docker/ssh_host_ed25519_key7
-rw-r--r--test/docker/ssh_host_ed25519_key-cert.pub1
-rw-r--r--test/docker/ssh_host_ed25519_key.pub1
-rw-r--r--test/docker/ssh_host_rsa_key_102415
-rw-r--r--test/docker/ssh_host_rsa_key_1024-cert_1024.pub1
-rw-r--r--test/docker/ssh_host_rsa_key_1024-cert_3072.pub1
-rw-r--r--test/docker/ssh_host_rsa_key_1024.pub1
-rw-r--r--test/docker/ssh_host_rsa_key_307239
-rw-r--r--test/docker/ssh_host_rsa_key_3072-cert_1024.pub1
-rw-r--r--test/docker/ssh_host_rsa_key_3072-cert_3072.pub1
-rw-r--r--test/docker/ssh_host_rsa_key_3072.pub1
100 files changed, 7260 insertions, 0 deletions
diff --git a/test/docker/.ed25519.sk b/test/docker/.ed25519.sk
new file mode 100644
index 0000000..58b097b
--- /dev/null
+++ b/test/docker/.ed25519.sk
@@ -0,0 +1 @@
+iܛV违Z/D<|Sz=:1vu}Jݷ"^Bb&UP CJ? \ No newline at end of file
diff --git a/test/docker/Dockerfile b/test/docker/Dockerfile
new file mode 100644
index 0000000..eef0139
--- /dev/null
+++ b/test/docker/Dockerfile
@@ -0,0 +1,32 @@
+FROM ubuntu:16.04
+
+COPY openssh-4.0p1/sshd /openssh/sshd-4.0p1
+COPY openssh-5.6p1/sshd /openssh/sshd-5.6p1
+COPY openssh-8.0p1/sshd /openssh/sshd-8.0p1
+COPY dropbear-2019.78/dropbear /dropbear/dropbear-2019.78
+COPY tinyssh-20190101/build/bin/tinysshd /tinysshd/tinyssh-20190101
+
+# Dropbear host keys.
+COPY dropbear_*_host_key* /etc/dropbear/
+
+# OpenSSH configs.
+COPY sshd_config* /etc/ssh/
+
+# OpenSSH host keys & moduli file.
+COPY ssh_host_* /etc/ssh/
+COPY ssh1_host_* /etc/ssh/
+COPY moduli_1024 /usr/local/etc/moduli
+
+# TinySSH host keys.
+COPY ed25519.pk /etc/tinyssh/
+COPY .ed25519.sk /etc/tinyssh/
+
+COPY debug.sh /debug.sh
+
+RUN apt update 2> /dev/null
+RUN apt install -y libssl-dev strace rsyslog ucspi-tcp 2> /dev/null
+RUN apt clean 2> /dev/null
+RUN useradd -s /bin/false sshd
+RUN mkdir /var/empty
+
+EXPOSE 22
diff --git a/test/docker/debug.sh b/test/docker/debug.sh
new file mode 100755
index 0000000..c4be343
--- /dev/null
+++ b/test/docker/debug.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# This script is run on in docker container. It will enable logging for sshd in
+# /var/log/auth.log.
+
+/etc/init.d/rsyslog start
+sleep 1
+/openssh/sshd-5.6p1 -o LogLevel=DEBUG3 -f /etc/ssh/sshd_config-5.6p1_test1
+/bin/bash
diff --git a/test/docker/dropbear_dss_host_key b/test/docker/dropbear_dss_host_key
new file mode 100644
index 0000000..3388632
--- /dev/null
+++ b/test/docker/dropbear_dss_host_key
Binary files differ
diff --git a/test/docker/dropbear_ecdsa_host_key b/test/docker/dropbear_ecdsa_host_key
new file mode 100644
index 0000000..318ebb0
--- /dev/null
+++ b/test/docker/dropbear_ecdsa_host_key
Binary files differ
diff --git a/test/docker/dropbear_rsa_host_key_1024 b/test/docker/dropbear_rsa_host_key_1024
new file mode 100644
index 0000000..d9ce331
--- /dev/null
+++ b/test/docker/dropbear_rsa_host_key_1024
Binary files differ
diff --git a/test/docker/dropbear_rsa_host_key_3072 b/test/docker/dropbear_rsa_host_key_3072
new file mode 100644
index 0000000..006249a
--- /dev/null
+++ b/test/docker/dropbear_rsa_host_key_3072
Binary files differ
diff --git a/test/docker/ed25519.pk b/test/docker/ed25519.pk
new file mode 100644
index 0000000..82cfb47
--- /dev/null
+++ b/test/docker/ed25519.pk
@@ -0,0 +1 @@
+1vu}Jݷ"^Bb&UP CJ? \ No newline at end of file
diff --git a/test/docker/expected_results/dropbear_2019.78_test1.json b/test/docker/expected_results/dropbear_2019.78_test1.json
new file mode 100644
index 0000000..55dd8b6
--- /dev/null
+++ b/test/docker/expected_results/dropbear_2019.78_test1.json
@@ -0,0 +1,371 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "2.0",
+ "raw": "SSH-2.0-dropbear_2019.78",
+ "software": "dropbear_2019.78"
+ },
+ "compression": [
+ "zlib@openssh.com",
+ "none"
+ ],
+ "cves": [],
+ "enc": [
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "3des-ctr",
+ "notes": {
+ "fail": [
+ "using broken & deprecated 3DES cipher"
+ ],
+ "info": [
+ "available since Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "3des-cbc",
+ "notes": {
+ "fail": [
+ "using broken & deprecated 3DES cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-rsa"
+ },
+ {
+ "hash": "63:7f:54:f7:0a:28:7f:75:0b:f4:07:0b:fc:66:51:a2",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-rsa"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "curve25519-sha256",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 7.4, Dropbear SSH 2018.76"
+ ]
+ }
+ },
+ {
+ "algorithm": "curve25519-sha256@libssh.org",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 6.4, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdh-sha2-nistp521",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdh-sha2-nistp384",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdh-sha2-nistp256",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha256",
+ "notes": {
+ "info": [
+ "available since OpenSSH 7.3, Dropbear SSH 2016.73"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 3.9, Dropbear SSH 0.53"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "kexguess2@matt.ucc.asn.au",
+ "notes": {
+ "info": [
+ "available since Dropbear SSH 2013.57"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ecdsa-sha2-nistp256",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ],
+ "warn": [
+ "using weak random number generator could reveal the key"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-rsa",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm",
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-dss",
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak random number generator could reveal the key"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "hmac-sha1-96",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-256",
+ "notes": {
+ "info": [
+ "available since OpenSSH 5.9, Dropbear SSH 2013.56"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "critical": {
+ "del": {
+ "enc": [
+ {
+ "name": "3des-cbc",
+ "notes": ""
+ },
+ {
+ "name": "3des-ctr",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha1",
+ "notes": ""
+ },
+ {
+ "name": "ecdh-sha2-nistp256",
+ "notes": ""
+ },
+ {
+ "name": "ecdh-sha2-nistp384",
+ "notes": ""
+ },
+ {
+ "name": "ecdh-sha2-nistp521",
+ "notes": ""
+ }
+ ],
+ "key": [
+ {
+ "name": "ecdsa-sha2-nistp256",
+ "notes": ""
+ },
+ {
+ "name": "ssh-dss",
+ "notes": ""
+ },
+ {
+ "name": "ssh-rsa",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-sha1",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1-96",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "informational": {
+ "add": {
+ "enc": [
+ {
+ "name": "twofish128-ctr",
+ "notes": ""
+ },
+ {
+ "name": "twofish256-ctr",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group16-sha512",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "aes128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes256-cbc",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha256",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-sha2-256",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/dropbear_2019.78_test1.txt b/test/docker/expected_results/dropbear_2019.78_test1.txt
new file mode 100644
index 0000000..c0d5dfc
--- /dev/null
+++ b/test/docker/expected_results/dropbear_2019.78_test1.txt
@@ -0,0 +1,87 @@
+# general
+(gen) banner: SSH-2.0-dropbear_2019.78
+(gen) software: Dropbear SSH 2019.78
+(gen) compatibility: OpenSSH 7.4+ (some functionality from 6.6), Dropbear SSH 2018.76+
+(gen) compression: enabled (zlib@openssh.com)
+
+# key exchange algorithms
+(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) kexguess2@matt.ucc.asn.au -- [info] available since Dropbear SSH 2013.57
+
+# host-key algorithms
+(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [warn] using weak random number generator could reveal the key
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm
+ `- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ssh-dss -- [fail] using small 1024-bit modulus
+ `- [warn] using weak random number generator could reveal the key
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+ `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+# encryption algorithms (ciphers)
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes128-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) aes256-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) 3des-ctr -- [fail] using broken & deprecated 3DES cipher
+ `- [info] available since Dropbear SSH 0.52
+(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+
+# message authentication code algorithms
+(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+
+# fingerprints
+(fin) ssh-rsa: SHA256:CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM
+
+# algorithm recommendations (for Dropbear SSH 2019.78)
+(rec) -3des-cbc -- enc algorithm to remove 
+(rec) -3des-ctr -- enc algorithm to remove 
+(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove 
+(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove 
+(rec) -hmac-sha1 -- mac algorithm to remove 
+(rec) -hmac-sha1-96 -- mac algorithm to remove 
+(rec) -ssh-dss -- key algorithm to remove 
+(rec) -ssh-rsa -- key algorithm to remove 
+(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append 
+(rec) +twofish128-ctr -- enc algorithm to append 
+(rec) +twofish256-ctr -- enc algorithm to append 
+(rec) -aes128-cbc -- enc algorithm to remove 
+(rec) -aes256-cbc -- enc algorithm to remove 
+(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove 
+(rec) -hmac-sha2-256 -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/openssh_4.0p1_test1.json b/test/docker/expected_results/openssh_4.0p1_test1.json
new file mode 100644
index 0000000..f5735a9
--- /dev/null
+++ b/test/docker/expected_results/openssh_4.0p1_test1.json
@@ -0,0 +1,525 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "1.99",
+ "raw": "SSH-1.99-OpenSSH_4.0",
+ "software": "OpenSSH_4.0"
+ },
+ "compression": [
+ "none",
+ "zlib"
+ ],
+ "cves": [
+ {
+ "cvssv2": 7.8,
+ "description": "command injection via anomalous argument transfers",
+ "name": "CVE-2020-15778"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames due to timing discrepancies",
+ "name": "CVE-2018-15473"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "readonly bypass via sftp",
+ "name": "CVE-2017-15906"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames via challenge response",
+ "name": "CVE-2016-20012"
+ },
+ {
+ "cvssv2": 5.5,
+ "description": "bypass command restrictions via crafted X11 forwarding data",
+ "name": "CVE-2016-3115"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "cause DoS via triggering error condition (memory corruption)",
+ "name": "CVE-2014-1692"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "leak data via debug messages",
+ "name": "CVE-2012-0814"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "cause DoS via large value in certain length field (memory consumption)",
+ "name": "CVE-2011-5000"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via large number of connections (slot exhaustion)",
+ "name": "CVE-2010-5107"
+ },
+ {
+ "cvssv2": 4.0,
+ "description": "cause DoS via crafted glob expression (CPU and memory consumption)",
+ "name": "CVE-2010-4755"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "bypass authentication check via crafted values",
+ "name": "CVE-2010-4478"
+ },
+ {
+ "cvssv2": 2.6,
+ "description": "recover plaintext data from ciphertext",
+ "name": "CVE-2008-5161"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via multiple login attempts (slot exhaustion)",
+ "name": "CVE-2008-4109"
+ },
+ {
+ "cvssv2": 6.5,
+ "description": "bypass command restrictions via modifying session file",
+ "name": "CVE-2008-1657"
+ },
+ {
+ "cvssv2": 6.9,
+ "description": "hijack forwarded X11 connections",
+ "name": "CVE-2008-1483"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "privilege escalation via causing an X client to be trusted",
+ "name": "CVE-2007-4752"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "discover valid usernames through different responses",
+ "name": "CVE-2007-2243"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "discover valid usernames through different responses",
+ "name": "CVE-2006-5052"
+ },
+ {
+ "cvssv2": 9.3,
+ "description": "cause DoS or execute arbitrary code (double free)",
+ "name": "CVE-2006-5051"
+ },
+ {
+ "cvssv2": 7.8,
+ "description": "cause DoS via crafted packet (CPU consumption)",
+ "name": "CVE-2006-4924"
+ },
+ {
+ "cvssv2": 4.6,
+ "description": "execute arbitrary code",
+ "name": "CVE-2006-0225"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "leak data about authentication credentials",
+ "name": "CVE-2005-2798"
+ }
+ ],
+ "enc": [
+ {
+ "algorithm": "aes128-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "3des-cbc",
+ "notes": {
+ "fail": [
+ "using broken & deprecated 3DES cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "blowfish-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated Blowfish cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "cast128-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated CAST cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "rijndael-cbc@lysator.liu.se",
+ "notes": {
+ "fail": [
+ "using deprecated & non-standardized Rijndael cipher"
+ ],
+ "info": [
+ "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-rsa"
+ },
+ {
+ "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-rsa"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha1",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 3.9, Dropbear SSH 0.53"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group1-sha1",
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus",
+ "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ssh-rsa",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm",
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-dss",
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak random number generator could reveal the key"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "hmac-md5",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160@openssh.com",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1-96",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-md5-96",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "critical": {
+ "del": {
+ "enc": [
+ {
+ "name": "3des-cbc",
+ "notes": ""
+ },
+ {
+ "name": "arcfour",
+ "notes": ""
+ },
+ {
+ "name": "blowfish-cbc",
+ "notes": ""
+ },
+ {
+ "name": "cast128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "rijndael-cbc@lysator.liu.se",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group1-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group-exchange-sha1",
+ "notes": ""
+ }
+ ],
+ "key": [
+ {
+ "name": "ssh-dss",
+ "notes": ""
+ },
+ {
+ "name": "ssh-rsa",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-md5",
+ "notes": ""
+ },
+ {
+ "name": "hmac-md5-96",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1-96",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "aes128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes192-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes256-cbc",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/openssh_4.0p1_test1.txt b/test/docker/expected_results/openssh_4.0p1_test1.txt
new file mode 100644
index 0000000..4810a47
--- /dev/null
+++ b/test/docker/expected_results/openssh_4.0p1_test1.txt
@@ -0,0 +1,130 @@
+# general
+(gen) banner: SSH-1.99-OpenSSH_4.0
+(gen) protocol SSH1 enabled
+(gen) software: OpenSSH 4.0
+(gen) compatibility: OpenSSH 3.9-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)
+(gen) compression: enabled (zlib)
+
+# security
+(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
+(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies
+(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp
+(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
+(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
+(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
+(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages
+(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
+(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
+(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
+(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values
+(cve) CVE-2008-5161 -- (CVSSv2: 2.6) recover plaintext data from ciphertext
+(cve) CVE-2008-4109 -- (CVSSv2: 5.0) cause DoS via multiple login attempts (slot exhaustion)
+(cve) CVE-2008-1657 -- (CVSSv2: 6.5) bypass command restrictions via modifying session file
+(cve) CVE-2008-1483 -- (CVSSv2: 6.9) hijack forwarded X11 connections
+(cve) CVE-2007-4752 -- (CVSSv2: 7.5) privilege escalation via causing an X client to be trusted
+(cve) CVE-2007-2243 -- (CVSSv2: 5.0) discover valid usernames through different responses
+(cve) CVE-2006-5052 -- (CVSSv2: 5.0) discover valid usernames through different responses
+(cve) CVE-2006-5051 -- (CVSSv2: 9.3) cause DoS or execute arbitrary code (double free)
+(cve) CVE-2006-4924 -- (CVSSv2: 7.8) cause DoS via crafted packet (CPU consumption)
+(cve) CVE-2006-0225 -- (CVSSv2: 4.6) execute arbitrary code
+(cve) CVE-2005-2798 -- (CVSSv2: 5.0) leak data about authentication credentials
+(sec) SSH v1 enabled -- SSH v1 can be exploited to recover plaintext passwords
+
+# key exchange algorithms
+(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.3.0
+(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
+ `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
+ `- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+ `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
+
+# host-key algorithms
+(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm
+ `- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ssh-dss -- [fail] using small 1024-bit modulus
+ `- [warn] using weak random number generator could reveal the key
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+ `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+# encryption algorithms (ciphers)
+(enc) aes128-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 2.1.0
+(enc) arcfour -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 2.1.0
+(enc) aes192-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+(enc) aes256-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher
+ `- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+ `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+
+# message authentication code algorithms
+(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0
+(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+
+# fingerprints
+(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4
+
+# algorithm recommendations (for OpenSSH 4.0)
+(rec) -3des-cbc -- enc algorithm to remove 
+(rec) -arcfour -- enc algorithm to remove 
+(rec) -blowfish-cbc -- enc algorithm to remove 
+(rec) -cast128-cbc -- enc algorithm to remove 
+(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -hmac-md5 -- mac algorithm to remove 
+(rec) -hmac-md5-96 -- mac algorithm to remove 
+(rec) -hmac-ripemd160 -- mac algorithm to remove 
+(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove 
+(rec) -hmac-sha1 -- mac algorithm to remove 
+(rec) -hmac-sha1-96 -- mac algorithm to remove 
+(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove 
+(rec) -ssh-dss -- key algorithm to remove 
+(rec) -ssh-rsa -- key algorithm to remove 
+(rec) -aes128-cbc -- enc algorithm to remove 
+(rec) -aes192-cbc -- enc algorithm to remove 
+(rec) -aes256-cbc -- enc algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json
new file mode 100644
index 0000000..6480bca
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.json
@@ -0,0 +1,6 @@
+{
+ "errors": [],
+ "host": "localhost",
+ "passed": true,
+ "policy": "Docker policy: test1 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.txt
new file mode 100644
index 0000000..01146f8
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test1.txt
@@ -0,0 +1,3 @@
+Host: localhost:2222
+Policy: Docker policy: test1 (version 1)
+Result: ✔ Passed
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json
new file mode 100644
index 0000000..0a1e148
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.json
@@ -0,0 +1,31 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "3072"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "Host key (ssh-rsa-cert-v01@openssh.com) sizes"
+ },
+ {
+ "actual": [
+ "1024"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "CA signature size (ssh-rsa)"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Docker poliicy: test10 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt
new file mode 100644
index 0000000..425d463
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test10.txt
@@ -0,0 +1,28 @@
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host: localhost:2222
+Policy: Docker poliicy: test10 (version 1)
+Result: ❌ Failed!
+
+Errors:
+ * CA signature size (ssh-rsa) did not match.
+ - Expected: 4096
+ - Actual: 1024
+
+ * Host key (ssh-rsa-cert-v01@openssh.com) sizes did not match.
+ - Expected: 4096
+ - Actual: 3072
+
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json
new file mode 100644
index 0000000..edf4254
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.json
@@ -0,0 +1,23 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "diffie-hellman-group-exchange-sha256",
+ "diffie-hellman-group-exchange-sha1",
+ "diffie-hellman-group14-sha1",
+ "diffie-hellman-group1-sha1"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "kex_alg1",
+ "kex_alg2"
+ ],
+ "mismatched_field": "Key exchanges"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Docker policy: test2 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt
new file mode 100644
index 0000000..e88e44b
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test2.txt
@@ -0,0 +1,9 @@
+Host: localhost:2222
+Policy: Docker policy: test2 (version 1)
+Result: ❌ Failed!
+
+Errors:
+ * Key exchanges did not match.
+ - Expected: kex_alg1, kex_alg2
+ - Actual: diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json
new file mode 100644
index 0000000..a98fa8d
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.json
@@ -0,0 +1,22 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "ssh-rsa",
+ "ssh-dss"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "ssh-rsa",
+ "ssh-dss",
+ "key_alg1"
+ ],
+ "mismatched_field": "Host keys"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Docker policy: test3 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt
new file mode 100644
index 0000000..cf7eefc
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test3.txt
@@ -0,0 +1,9 @@
+Host: localhost:2222
+Policy: Docker policy: test3 (version 1)
+Result: ❌ Failed!
+
+Errors:
+ * Host keys did not match.
+ - Expected: ssh-rsa, ssh-dss, key_alg1
+ - Actual: ssh-rsa, ssh-dss
+
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json
new file mode 100644
index 0000000..317f7e2
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.json
@@ -0,0 +1,32 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "aes128-ctr",
+ "aes192-ctr",
+ "aes256-ctr",
+ "arcfour256",
+ "arcfour128",
+ "aes128-cbc",
+ "3des-cbc",
+ "blowfish-cbc",
+ "cast128-cbc",
+ "aes192-cbc",
+ "aes256-cbc",
+ "arcfour",
+ "rijndael-cbc@lysator.liu.se"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "cipher_alg1",
+ "cipher_alg2"
+ ],
+ "mismatched_field": "Ciphers"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Docker policy: test4 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt
new file mode 100644
index 0000000..514b715
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test4.txt
@@ -0,0 +1,9 @@
+Host: localhost:2222
+Policy: Docker policy: test4 (version 1)
+Result: ❌ Failed!
+
+Errors:
+ * Ciphers did not match.
+ - Expected: cipher_alg1, cipher_alg2
+ - Actual: aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json
new file mode 100644
index 0000000..50c0b86
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.json
@@ -0,0 +1,31 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "hmac-md5",
+ "hmac-sha1",
+ "umac-64@openssh.com",
+ "hmac-ripemd160",
+ "hmac-ripemd160@openssh.com",
+ "hmac-sha1-96",
+ "hmac-md5-96"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "hmac-md5",
+ "hmac-sha1",
+ "umac-64@openssh.com",
+ "hmac-ripemd160",
+ "hmac-ripemd160@openssh.com",
+ "hmac_alg1",
+ "hmac-md5-96"
+ ],
+ "mismatched_field": "MACs"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Docker policy: test5 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt
new file mode 100644
index 0000000..746ca8c
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test5.txt
@@ -0,0 +1,9 @@
+Host: localhost:2222
+Policy: Docker policy: test5 (version 1)
+Result: ❌ Failed!
+
+Errors:
+ * MACs did not match.
+ - Expected: hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac_alg1, hmac-md5-96
+ - Actual: hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
+
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json
new file mode 100644
index 0000000..dcc1d6c
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.json
@@ -0,0 +1,6 @@
+{
+ "errors": [],
+ "host": "localhost",
+ "passed": true,
+ "policy": "Docker poliicy: test7 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.txt
new file mode 100644
index 0000000..1d3af14
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test7.txt
@@ -0,0 +1,18 @@
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host: localhost:2222
+Policy: Docker poliicy: test7 (version 1)
+Result: ✔ Passed
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json
new file mode 100644
index 0000000..e7f06a6
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.json
@@ -0,0 +1,19 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "1024"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "2048"
+ ],
+ "mismatched_field": "CA signature size (ssh-rsa)"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Docker poliicy: test8 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt
new file mode 100644
index 0000000..05ab91d
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test8.txt
@@ -0,0 +1,24 @@
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host: localhost:2222
+Policy: Docker poliicy: test8 (version 1)
+Result: ❌ Failed!
+
+Errors:
+ * CA signature size (ssh-rsa) did not match.
+ - Expected: 2048
+ - Actual: 1024
+
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json
new file mode 100644
index 0000000..51d1067
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.json
@@ -0,0 +1,19 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "3072"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "Host key (ssh-rsa-cert-v01@openssh.com) sizes"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Docker poliicy: test9 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt
new file mode 100644
index 0000000..94060ab
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_custom_policy_test9.txt
@@ -0,0 +1,24 @@
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host: localhost:2222
+Policy: Docker poliicy: test9 (version 1)
+Result: ❌ Failed!
+
+Errors:
+ * Host key (ssh-rsa-cert-v01@openssh.com) sizes did not match.
+ - Expected: 4096
+ - Actual: 3072
+
diff --git a/test/docker/expected_results/openssh_5.6p1_test1.json b/test/docker/expected_results/openssh_5.6p1_test1.json
new file mode 100644
index 0000000..53216e5
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test1.json
@@ -0,0 +1,558 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "2.0",
+ "raw": "SSH-2.0-OpenSSH_5.6",
+ "software": "OpenSSH_5.6"
+ },
+ "compression": [
+ "none",
+ "zlib@openssh.com"
+ ],
+ "cves": [
+ {
+ "cvssv2": 7.8,
+ "description": "command injection via anomalous argument transfers",
+ "name": "CVE-2020-15778"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames due to timing discrepancies",
+ "name": "CVE-2018-15473"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "readonly bypass via sftp",
+ "name": "CVE-2017-15906"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames via challenge response",
+ "name": "CVE-2016-20012"
+ },
+ {
+ "cvssv2": 5.5,
+ "description": "bypass command restrictions via crafted X11 forwarding data",
+ "name": "CVE-2016-3115"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via crafted network traffic (out of bounds read)",
+ "name": "CVE-2016-1907"
+ },
+ {
+ "cvssv2": 6.9,
+ "description": "privilege escalation via leveraging sshd uid",
+ "name": "CVE-2015-6564"
+ },
+ {
+ "cvssv2": 1.9,
+ "description": "conduct impersonation attack",
+ "name": "CVE-2015-6563"
+ },
+ {
+ "cvssv2": 5.8,
+ "description": "bypass environment restrictions via specific string before wildcard",
+ "name": "CVE-2014-2532"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "cause DoS via triggering error condition (memory corruption)",
+ "name": "CVE-2014-1692"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "leak data via debug messages",
+ "name": "CVE-2012-0814"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "cause DoS via large value in certain length field (memory consumption)",
+ "name": "CVE-2011-5000"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via large number of connections (slot exhaustion)",
+ "name": "CVE-2010-5107"
+ },
+ {
+ "cvssv2": 4.0,
+ "description": "cause DoS via crafted glob expression (CPU and memory consumption)",
+ "name": "CVE-2010-4755"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "bypass authentication check via crafted values",
+ "name": "CVE-2010-4478"
+ }
+ ],
+ "enc": [
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour256",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour128",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "3des-cbc",
+ "notes": {
+ "fail": [
+ "using broken & deprecated 3DES cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "blowfish-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated Blowfish cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "cast128-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated CAST cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "rijndael-cbc@lysator.liu.se",
+ "notes": {
+ "fail": [
+ "using deprecated & non-standardized Rijndael cipher"
+ ],
+ "info": [
+ "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-rsa"
+ },
+ {
+ "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-rsa"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha256",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 4.4"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha1",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 3.9, Dropbear SSH 0.53"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group1-sha1",
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus",
+ "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ssh-rsa",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm",
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-dss",
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak random number generator could reveal the key"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "hmac-md5",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-64@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 4.7"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode",
+ "using small 64-bit tag size"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160@openssh.com",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1-96",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-md5-96",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "critical": {
+ "chg": {
+ "kex": [
+ {
+ "name": "diffie-hellman-group-exchange-sha256",
+ "notes": "increase modulus size to 3072 bits or larger"
+ }
+ ]
+ },
+ "del": {
+ "enc": [
+ {
+ "name": "3des-cbc",
+ "notes": ""
+ },
+ {
+ "name": "arcfour128",
+ "notes": ""
+ },
+ {
+ "name": "arcfour",
+ "notes": ""
+ },
+ {
+ "name": "arcfour256",
+ "notes": ""
+ },
+ {
+ "name": "blowfish-cbc",
+ "notes": ""
+ },
+ {
+ "name": "cast128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "rijndael-cbc@lysator.liu.se",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group1-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group-exchange-sha1",
+ "notes": ""
+ }
+ ],
+ "key": [
+ {
+ "name": "ssh-dss",
+ "notes": ""
+ },
+ {
+ "name": "ssh-rsa",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-md5",
+ "notes": ""
+ },
+ {
+ "name": "hmac-md5-96",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1-96",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "aes128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes192-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes256-cbc",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "umac-64@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_test1.txt b/test/docker/expected_results/openssh_5.6p1_test1.txt
new file mode 100644
index 0000000..601dc39
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test1.txt
@@ -0,0 +1,134 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_5.6
+(gen) software: OpenSSH 5.6
+(gen) compatibility: OpenSSH 4.7-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
+(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies
+(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp
+(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
+(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
+(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
+(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
+(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack
+(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard
+(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
+(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages
+(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
+(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
+(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
+(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values
+
+# key exchange algorithms
+(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 4.4
+(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.3.0
+(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
+ `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
+ `- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+ `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
+
+# host-key algorithms
+(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm
+ `- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ssh-dss -- [fail] using small 1024-bit modulus
+ `- [warn] using weak random number generator could reveal the key
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+ `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+# encryption algorithms (ciphers)
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) arcfour256 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) arcfour128 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) aes128-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 2.1.0
+(enc) aes192-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+(enc) aes256-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) arcfour -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 2.1.0
+(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher
+ `- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+ `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+# message authentication code algorithms
+(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 4.7
+(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0
+(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+
+# fingerprints
+(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4
+
+# algorithm recommendations (for OpenSSH 5.6)
+(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) 
+(rec) -3des-cbc -- enc algorithm to remove 
+(rec) -arcfour -- enc algorithm to remove 
+(rec) -arcfour128 -- enc algorithm to remove 
+(rec) -arcfour256 -- enc algorithm to remove 
+(rec) -blowfish-cbc -- enc algorithm to remove 
+(rec) -cast128-cbc -- enc algorithm to remove 
+(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -hmac-md5 -- mac algorithm to remove 
+(rec) -hmac-md5-96 -- mac algorithm to remove 
+(rec) -hmac-ripemd160 -- mac algorithm to remove 
+(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove 
+(rec) -hmac-sha1 -- mac algorithm to remove 
+(rec) -hmac-sha1-96 -- mac algorithm to remove 
+(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove 
+(rec) -ssh-dss -- key algorithm to remove 
+(rec) -ssh-rsa -- key algorithm to remove 
+(rec) -aes128-cbc -- enc algorithm to remove 
+(rec) -aes192-cbc -- enc algorithm to remove 
+(rec) -aes256-cbc -- enc algorithm to remove 
+(rec) -umac-64@openssh.com -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/openssh_5.6p1_test2.json b/test/docker/expected_results/openssh_5.6p1_test2.json
new file mode 100644
index 0000000..a1dd987
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test2.json
@@ -0,0 +1,560 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "2.0",
+ "raw": "SSH-2.0-OpenSSH_5.6",
+ "software": "OpenSSH_5.6"
+ },
+ "compression": [
+ "none",
+ "zlib@openssh.com"
+ ],
+ "cves": [
+ {
+ "cvssv2": 7.8,
+ "description": "command injection via anomalous argument transfers",
+ "name": "CVE-2020-15778"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames due to timing discrepancies",
+ "name": "CVE-2018-15473"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "readonly bypass via sftp",
+ "name": "CVE-2017-15906"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames via challenge response",
+ "name": "CVE-2016-20012"
+ },
+ {
+ "cvssv2": 5.5,
+ "description": "bypass command restrictions via crafted X11 forwarding data",
+ "name": "CVE-2016-3115"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via crafted network traffic (out of bounds read)",
+ "name": "CVE-2016-1907"
+ },
+ {
+ "cvssv2": 6.9,
+ "description": "privilege escalation via leveraging sshd uid",
+ "name": "CVE-2015-6564"
+ },
+ {
+ "cvssv2": 1.9,
+ "description": "conduct impersonation attack",
+ "name": "CVE-2015-6563"
+ },
+ {
+ "cvssv2": 5.8,
+ "description": "bypass environment restrictions via specific string before wildcard",
+ "name": "CVE-2014-2532"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "cause DoS via triggering error condition (memory corruption)",
+ "name": "CVE-2014-1692"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "leak data via debug messages",
+ "name": "CVE-2012-0814"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "cause DoS via large value in certain length field (memory consumption)",
+ "name": "CVE-2011-5000"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via large number of connections (slot exhaustion)",
+ "name": "CVE-2010-5107"
+ },
+ {
+ "cvssv2": 4.0,
+ "description": "cause DoS via crafted glob expression (CPU and memory consumption)",
+ "name": "CVE-2010-4755"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "bypass authentication check via crafted values",
+ "name": "CVE-2010-4478"
+ }
+ ],
+ "enc": [
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour256",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour128",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "3des-cbc",
+ "notes": {
+ "fail": [
+ "using broken & deprecated 3DES cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "blowfish-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated Blowfish cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "cast128-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated CAST cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "rijndael-cbc@lysator.liu.se",
+ "notes": {
+ "fail": [
+ "using deprecated & non-standardized Rijndael cipher"
+ ],
+ "info": [
+ "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-rsa"
+ },
+ {
+ "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-rsa"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha256",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 4.4"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha1",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 3.9, Dropbear SSH 0.53"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group1-sha1",
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus",
+ "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ssh-rsa",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm",
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-rsa-cert-v01@openssh.com",
+ "ca_algorithm": "ssh-rsa",
+ "casize": 1024,
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm",
+ "using small 1024-bit hostkey modulus",
+ "using small 1024-bit CA key modulus"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 5.6"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "hmac-md5",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-64@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 4.7"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode",
+ "using small 64-bit tag size"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160@openssh.com",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1-96",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-md5-96",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "critical": {
+ "chg": {
+ "kex": [
+ {
+ "name": "diffie-hellman-group-exchange-sha256",
+ "notes": "increase modulus size to 3072 bits or larger"
+ }
+ ]
+ },
+ "del": {
+ "enc": [
+ {
+ "name": "3des-cbc",
+ "notes": ""
+ },
+ {
+ "name": "arcfour128",
+ "notes": ""
+ },
+ {
+ "name": "arcfour",
+ "notes": ""
+ },
+ {
+ "name": "arcfour256",
+ "notes": ""
+ },
+ {
+ "name": "blowfish-cbc",
+ "notes": ""
+ },
+ {
+ "name": "cast128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "rijndael-cbc@lysator.liu.se",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group1-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group-exchange-sha1",
+ "notes": ""
+ }
+ ],
+ "key": [
+ {
+ "name": "ssh-rsa",
+ "notes": ""
+ },
+ {
+ "name": "ssh-rsa-cert-v01@openssh.com",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-md5",
+ "notes": ""
+ },
+ {
+ "name": "hmac-md5-96",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1-96",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "aes128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes192-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes256-cbc",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "umac-64@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_test2.txt b/test/docker/expected_results/openssh_5.6p1_test2.txt
new file mode 100644
index 0000000..6b3b975
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test2.txt
@@ -0,0 +1,135 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_5.6
+(gen) software: OpenSSH 5.6
+(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
+(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies
+(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp
+(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
+(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
+(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
+(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
+(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack
+(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard
+(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
+(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages
+(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
+(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
+(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
+(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values
+
+# key exchange algorithms
+(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 4.4
+(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.3.0
+(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
+ `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
+ `- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+ `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
+
+# host-key algorithms
+(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm
+ `- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/1024-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm
+ `- [fail] using small 1024-bit hostkey modulus
+ `- [fail] using small 1024-bit CA key modulus
+ `- [info] available since OpenSSH 5.6
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+
+# encryption algorithms (ciphers)
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) arcfour256 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) arcfour128 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) aes128-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 2.1.0
+(enc) aes192-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+(enc) aes256-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) arcfour -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 2.1.0
+(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher
+ `- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+ `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+# message authentication code algorithms
+(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 4.7
+(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0
+(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+
+# fingerprints
+(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4
+
+# algorithm recommendations (for OpenSSH 5.6)
+(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) 
+(rec) -3des-cbc -- enc algorithm to remove 
+(rec) -arcfour -- enc algorithm to remove 
+(rec) -arcfour128 -- enc algorithm to remove 
+(rec) -arcfour256 -- enc algorithm to remove 
+(rec) -blowfish-cbc -- enc algorithm to remove 
+(rec) -cast128-cbc -- enc algorithm to remove 
+(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -hmac-md5 -- mac algorithm to remove 
+(rec) -hmac-md5-96 -- mac algorithm to remove 
+(rec) -hmac-ripemd160 -- mac algorithm to remove 
+(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove 
+(rec) -hmac-sha1 -- mac algorithm to remove 
+(rec) -hmac-sha1-96 -- mac algorithm to remove 
+(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove 
+(rec) -ssh-rsa -- key algorithm to remove 
+(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove 
+(rec) -aes128-cbc -- enc algorithm to remove 
+(rec) -aes192-cbc -- enc algorithm to remove 
+(rec) -aes256-cbc -- enc algorithm to remove 
+(rec) -umac-64@openssh.com -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/openssh_5.6p1_test3.json b/test/docker/expected_results/openssh_5.6p1_test3.json
new file mode 100644
index 0000000..2cbd316
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test3.json
@@ -0,0 +1,559 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "2.0",
+ "raw": "SSH-2.0-OpenSSH_5.6",
+ "software": "OpenSSH_5.6"
+ },
+ "compression": [
+ "none",
+ "zlib@openssh.com"
+ ],
+ "cves": [
+ {
+ "cvssv2": 7.8,
+ "description": "command injection via anomalous argument transfers",
+ "name": "CVE-2020-15778"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames due to timing discrepancies",
+ "name": "CVE-2018-15473"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "readonly bypass via sftp",
+ "name": "CVE-2017-15906"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames via challenge response",
+ "name": "CVE-2016-20012"
+ },
+ {
+ "cvssv2": 5.5,
+ "description": "bypass command restrictions via crafted X11 forwarding data",
+ "name": "CVE-2016-3115"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via crafted network traffic (out of bounds read)",
+ "name": "CVE-2016-1907"
+ },
+ {
+ "cvssv2": 6.9,
+ "description": "privilege escalation via leveraging sshd uid",
+ "name": "CVE-2015-6564"
+ },
+ {
+ "cvssv2": 1.9,
+ "description": "conduct impersonation attack",
+ "name": "CVE-2015-6563"
+ },
+ {
+ "cvssv2": 5.8,
+ "description": "bypass environment restrictions via specific string before wildcard",
+ "name": "CVE-2014-2532"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "cause DoS via triggering error condition (memory corruption)",
+ "name": "CVE-2014-1692"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "leak data via debug messages",
+ "name": "CVE-2012-0814"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "cause DoS via large value in certain length field (memory consumption)",
+ "name": "CVE-2011-5000"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via large number of connections (slot exhaustion)",
+ "name": "CVE-2010-5107"
+ },
+ {
+ "cvssv2": 4.0,
+ "description": "cause DoS via crafted glob expression (CPU and memory consumption)",
+ "name": "CVE-2010-4755"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "bypass authentication check via crafted values",
+ "name": "CVE-2010-4478"
+ }
+ ],
+ "enc": [
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour256",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour128",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "3des-cbc",
+ "notes": {
+ "fail": [
+ "using broken & deprecated 3DES cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "blowfish-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated Blowfish cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "cast128-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated CAST cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "rijndael-cbc@lysator.liu.se",
+ "notes": {
+ "fail": [
+ "using deprecated & non-standardized Rijndael cipher"
+ ],
+ "info": [
+ "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-rsa"
+ },
+ {
+ "hash": "3c:c3:38:f8:55:39:c0:4a:5a:17:89:60:2c:a1:fc:6a",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-rsa"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha256",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 4.4"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha1",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 3.9, Dropbear SSH 0.53"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group1-sha1",
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus",
+ "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ssh-rsa",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm",
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-rsa-cert-v01@openssh.com",
+ "ca_algorithm": "ssh-rsa",
+ "casize": 3072,
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm",
+ "using small 1024-bit hostkey modulus"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 5.6"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "hmac-md5",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-64@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 4.7"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode",
+ "using small 64-bit tag size"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160@openssh.com",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1-96",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-md5-96",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "critical": {
+ "chg": {
+ "kex": [
+ {
+ "name": "diffie-hellman-group-exchange-sha256",
+ "notes": "increase modulus size to 3072 bits or larger"
+ }
+ ]
+ },
+ "del": {
+ "enc": [
+ {
+ "name": "3des-cbc",
+ "notes": ""
+ },
+ {
+ "name": "arcfour128",
+ "notes": ""
+ },
+ {
+ "name": "arcfour",
+ "notes": ""
+ },
+ {
+ "name": "arcfour256",
+ "notes": ""
+ },
+ {
+ "name": "blowfish-cbc",
+ "notes": ""
+ },
+ {
+ "name": "cast128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "rijndael-cbc@lysator.liu.se",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group1-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group-exchange-sha1",
+ "notes": ""
+ }
+ ],
+ "key": [
+ {
+ "name": "ssh-rsa",
+ "notes": ""
+ },
+ {
+ "name": "ssh-rsa-cert-v01@openssh.com",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-md5",
+ "notes": ""
+ },
+ {
+ "name": "hmac-md5-96",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1-96",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "aes128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes192-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes256-cbc",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "umac-64@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_test3.txt b/test/docker/expected_results/openssh_5.6p1_test3.txt
new file mode 100644
index 0000000..991c502
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test3.txt
@@ -0,0 +1,134 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_5.6
+(gen) software: OpenSSH 5.6
+(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
+(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies
+(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp
+(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
+(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
+(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
+(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
+(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack
+(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard
+(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
+(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages
+(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
+(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
+(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
+(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values
+
+# key exchange algorithms
+(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 4.4
+(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.3.0
+(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
+ `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
+ `- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+ `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
+
+# host-key algorithms
+(key) ssh-rsa (1024-bit) -- [fail] using broken SHA-1 hash algorithm
+ `- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/3072-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm
+ `- [fail] using small 1024-bit hostkey modulus
+ `- [info] available since OpenSSH 5.6
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+
+# encryption algorithms (ciphers)
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) arcfour256 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) arcfour128 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) aes128-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 2.1.0
+(enc) aes192-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+(enc) aes256-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) arcfour -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 2.1.0
+(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher
+ `- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+ `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+# message authentication code algorithms
+(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 4.7
+(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0
+(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+
+# fingerprints
+(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4
+
+# algorithm recommendations (for OpenSSH 5.6)
+(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) 
+(rec) -3des-cbc -- enc algorithm to remove 
+(rec) -arcfour -- enc algorithm to remove 
+(rec) -arcfour128 -- enc algorithm to remove 
+(rec) -arcfour256 -- enc algorithm to remove 
+(rec) -blowfish-cbc -- enc algorithm to remove 
+(rec) -cast128-cbc -- enc algorithm to remove 
+(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -hmac-md5 -- mac algorithm to remove 
+(rec) -hmac-md5-96 -- mac algorithm to remove 
+(rec) -hmac-ripemd160 -- mac algorithm to remove 
+(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove 
+(rec) -hmac-sha1 -- mac algorithm to remove 
+(rec) -hmac-sha1-96 -- mac algorithm to remove 
+(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove 
+(rec) -ssh-rsa -- key algorithm to remove 
+(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove 
+(rec) -aes128-cbc -- enc algorithm to remove 
+(rec) -aes192-cbc -- enc algorithm to remove 
+(rec) -aes256-cbc -- enc algorithm to remove 
+(rec) -umac-64@openssh.com -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/openssh_5.6p1_test4.json b/test/docker/expected_results/openssh_5.6p1_test4.json
new file mode 100644
index 0000000..90f5fc6
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test4.json
@@ -0,0 +1,558 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "2.0",
+ "raw": "SSH-2.0-OpenSSH_5.6",
+ "software": "OpenSSH_5.6"
+ },
+ "compression": [
+ "none",
+ "zlib@openssh.com"
+ ],
+ "cves": [
+ {
+ "cvssv2": 7.8,
+ "description": "command injection via anomalous argument transfers",
+ "name": "CVE-2020-15778"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames due to timing discrepancies",
+ "name": "CVE-2018-15473"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "readonly bypass via sftp",
+ "name": "CVE-2017-15906"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames via challenge response",
+ "name": "CVE-2016-20012"
+ },
+ {
+ "cvssv2": 5.5,
+ "description": "bypass command restrictions via crafted X11 forwarding data",
+ "name": "CVE-2016-3115"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via crafted network traffic (out of bounds read)",
+ "name": "CVE-2016-1907"
+ },
+ {
+ "cvssv2": 6.9,
+ "description": "privilege escalation via leveraging sshd uid",
+ "name": "CVE-2015-6564"
+ },
+ {
+ "cvssv2": 1.9,
+ "description": "conduct impersonation attack",
+ "name": "CVE-2015-6563"
+ },
+ {
+ "cvssv2": 5.8,
+ "description": "bypass environment restrictions via specific string before wildcard",
+ "name": "CVE-2014-2532"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "cause DoS via triggering error condition (memory corruption)",
+ "name": "CVE-2014-1692"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "leak data via debug messages",
+ "name": "CVE-2012-0814"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "cause DoS via large value in certain length field (memory consumption)",
+ "name": "CVE-2011-5000"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via large number of connections (slot exhaustion)",
+ "name": "CVE-2010-5107"
+ },
+ {
+ "cvssv2": 4.0,
+ "description": "cause DoS via crafted glob expression (CPU and memory consumption)",
+ "name": "CVE-2010-4755"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "bypass authentication check via crafted values",
+ "name": "CVE-2010-4478"
+ }
+ ],
+ "enc": [
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour256",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour128",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "3des-cbc",
+ "notes": {
+ "fail": [
+ "using broken & deprecated 3DES cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "blowfish-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated Blowfish cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "cast128-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated CAST cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "rijndael-cbc@lysator.liu.se",
+ "notes": {
+ "fail": [
+ "using deprecated & non-standardized Rijndael cipher"
+ ],
+ "info": [
+ "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-rsa"
+ },
+ {
+ "hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-rsa"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha256",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 4.4"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha1",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 3.9, Dropbear SSH 0.53"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group1-sha1",
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus",
+ "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ssh-rsa",
+ "keysize": 3072,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-rsa-cert-v01@openssh.com",
+ "ca_algorithm": "ssh-rsa",
+ "casize": 1024,
+ "keysize": 3072,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm",
+ "using small 1024-bit CA key modulus"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 5.6"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "hmac-md5",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-64@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 4.7"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode",
+ "using small 64-bit tag size"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160@openssh.com",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1-96",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-md5-96",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "critical": {
+ "chg": {
+ "kex": [
+ {
+ "name": "diffie-hellman-group-exchange-sha256",
+ "notes": "increase modulus size to 3072 bits or larger"
+ }
+ ]
+ },
+ "del": {
+ "enc": [
+ {
+ "name": "3des-cbc",
+ "notes": ""
+ },
+ {
+ "name": "arcfour128",
+ "notes": ""
+ },
+ {
+ "name": "arcfour",
+ "notes": ""
+ },
+ {
+ "name": "arcfour256",
+ "notes": ""
+ },
+ {
+ "name": "blowfish-cbc",
+ "notes": ""
+ },
+ {
+ "name": "cast128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "rijndael-cbc@lysator.liu.se",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group1-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group-exchange-sha1",
+ "notes": ""
+ }
+ ],
+ "key": [
+ {
+ "name": "ssh-rsa",
+ "notes": ""
+ },
+ {
+ "name": "ssh-rsa-cert-v01@openssh.com",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-md5",
+ "notes": ""
+ },
+ {
+ "name": "hmac-md5-96",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1-96",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "aes128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes192-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes256-cbc",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "umac-64@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_test4.txt b/test/docker/expected_results/openssh_5.6p1_test4.txt
new file mode 100644
index 0000000..2fb3e19
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test4.txt
@@ -0,0 +1,133 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_5.6
+(gen) software: OpenSSH 5.6
+(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
+(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies
+(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp
+(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
+(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
+(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
+(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
+(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack
+(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard
+(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
+(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages
+(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
+(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
+(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
+(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values
+
+# key exchange algorithms
+(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 4.4
+(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.3.0
+(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
+ `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
+ `- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+ `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
+
+# host-key algorithms
+(key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/1024-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm
+ `- [fail] using small 1024-bit CA key modulus
+ `- [info] available since OpenSSH 5.6
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+
+# encryption algorithms (ciphers)
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) arcfour256 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) arcfour128 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) aes128-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 2.1.0
+(enc) aes192-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+(enc) aes256-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) arcfour -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 2.1.0
+(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher
+ `- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+ `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+# message authentication code algorithms
+(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 4.7
+(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0
+(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+
+# fingerprints
+(fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244
+
+# algorithm recommendations (for OpenSSH 5.6)
+(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) 
+(rec) -3des-cbc -- enc algorithm to remove 
+(rec) -arcfour -- enc algorithm to remove 
+(rec) -arcfour128 -- enc algorithm to remove 
+(rec) -arcfour256 -- enc algorithm to remove 
+(rec) -blowfish-cbc -- enc algorithm to remove 
+(rec) -cast128-cbc -- enc algorithm to remove 
+(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -hmac-md5 -- mac algorithm to remove 
+(rec) -hmac-md5-96 -- mac algorithm to remove 
+(rec) -hmac-ripemd160 -- mac algorithm to remove 
+(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove 
+(rec) -hmac-sha1 -- mac algorithm to remove 
+(rec) -hmac-sha1-96 -- mac algorithm to remove 
+(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove 
+(rec) -ssh-rsa -- key algorithm to remove 
+(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove 
+(rec) -aes128-cbc -- enc algorithm to remove 
+(rec) -aes192-cbc -- enc algorithm to remove 
+(rec) -aes256-cbc -- enc algorithm to remove 
+(rec) -umac-64@openssh.com -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/openssh_5.6p1_test5.json b/test/docker/expected_results/openssh_5.6p1_test5.json
new file mode 100644
index 0000000..0749cd1
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test5.json
@@ -0,0 +1,557 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "2.0",
+ "raw": "SSH-2.0-OpenSSH_5.6",
+ "software": "OpenSSH_5.6"
+ },
+ "compression": [
+ "none",
+ "zlib@openssh.com"
+ ],
+ "cves": [
+ {
+ "cvssv2": 7.8,
+ "description": "command injection via anomalous argument transfers",
+ "name": "CVE-2020-15778"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames due to timing discrepancies",
+ "name": "CVE-2018-15473"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "readonly bypass via sftp",
+ "name": "CVE-2017-15906"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames via challenge response",
+ "name": "CVE-2016-20012"
+ },
+ {
+ "cvssv2": 5.5,
+ "description": "bypass command restrictions via crafted X11 forwarding data",
+ "name": "CVE-2016-3115"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via crafted network traffic (out of bounds read)",
+ "name": "CVE-2016-1907"
+ },
+ {
+ "cvssv2": 6.9,
+ "description": "privilege escalation via leveraging sshd uid",
+ "name": "CVE-2015-6564"
+ },
+ {
+ "cvssv2": 1.9,
+ "description": "conduct impersonation attack",
+ "name": "CVE-2015-6563"
+ },
+ {
+ "cvssv2": 5.8,
+ "description": "bypass environment restrictions via specific string before wildcard",
+ "name": "CVE-2014-2532"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "cause DoS via triggering error condition (memory corruption)",
+ "name": "CVE-2014-1692"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "leak data via debug messages",
+ "name": "CVE-2012-0814"
+ },
+ {
+ "cvssv2": 3.5,
+ "description": "cause DoS via large value in certain length field (memory consumption)",
+ "name": "CVE-2011-5000"
+ },
+ {
+ "cvssv2": 5.0,
+ "description": "cause DoS via large number of connections (slot exhaustion)",
+ "name": "CVE-2010-5107"
+ },
+ {
+ "cvssv2": 4.0,
+ "description": "cause DoS via crafted glob expression (CPU and memory consumption)",
+ "name": "CVE-2010-4755"
+ },
+ {
+ "cvssv2": 7.5,
+ "description": "bypass authentication check via crafted values",
+ "name": "CVE-2010-4478"
+ }
+ ],
+ "enc": [
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour256",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour128",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 4.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "3des-cbc",
+ "notes": {
+ "fail": [
+ "using broken & deprecated 3DES cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "blowfish-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated Blowfish cipher"
+ ],
+ "info": [
+ "available since OpenSSH 1.2.2, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "cast128-cbc",
+ "notes": {
+ "fail": [
+ "using weak & deprecated CAST cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using weak cipher mode",
+ "using small 64-bit block size"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-cbc",
+ "notes": {
+ "info": [
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "arcfour",
+ "notes": {
+ "fail": [
+ "using broken RC4 cipher"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "rijndael-cbc@lysator.liu.se",
+ "notes": {
+ "fail": [
+ "using deprecated & non-standardized Rijndael cipher"
+ ],
+ "info": [
+ "disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0",
+ "available since OpenSSH 2.3.0"
+ ],
+ "warn": [
+ "using weak cipher mode"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-rsa"
+ },
+ {
+ "hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-rsa"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha256",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 4.4"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha1",
+ "keysize": 1024,
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus"
+ ],
+ "info": [
+ "available since OpenSSH 2.3.0"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 3.9, Dropbear SSH 0.53"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group1-sha1",
+ "notes": {
+ "fail": [
+ "using small 1024-bit modulus",
+ "vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)",
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
+ "available since OpenSSH 2.3.0, Dropbear SSH 0.28"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ssh-rsa",
+ "keysize": 3072,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-rsa-cert-v01@openssh.com",
+ "ca_algorithm": "ssh-rsa",
+ "casize": 3072,
+ "keysize": 3072,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 5.6"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "hmac-md5",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-64@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 4.7"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode",
+ "using small 64-bit tag size"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-ripemd160@openssh.com",
+ "notes": {
+ "fail": [
+ "using deprecated RIPEMD hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1-96",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.47"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-md5-96",
+ "notes": {
+ "fail": [
+ "using broken MD5 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.5.0"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "critical": {
+ "chg": {
+ "kex": [
+ {
+ "name": "diffie-hellman-group-exchange-sha256",
+ "notes": "increase modulus size to 3072 bits or larger"
+ }
+ ]
+ },
+ "del": {
+ "enc": [
+ {
+ "name": "3des-cbc",
+ "notes": ""
+ },
+ {
+ "name": "arcfour128",
+ "notes": ""
+ },
+ {
+ "name": "arcfour",
+ "notes": ""
+ },
+ {
+ "name": "arcfour256",
+ "notes": ""
+ },
+ {
+ "name": "blowfish-cbc",
+ "notes": ""
+ },
+ {
+ "name": "cast128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "rijndael-cbc@lysator.liu.se",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group1-sha1",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group-exchange-sha1",
+ "notes": ""
+ }
+ ],
+ "key": [
+ {
+ "name": "ssh-rsa",
+ "notes": ""
+ },
+ {
+ "name": "ssh-rsa-cert-v01@openssh.com",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-md5",
+ "notes": ""
+ },
+ {
+ "name": "hmac-md5-96",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160",
+ "notes": ""
+ },
+ {
+ "name": "hmac-ripemd160@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1-96",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "aes128-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes192-cbc",
+ "notes": ""
+ },
+ {
+ "name": "aes256-cbc",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "umac-64@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/openssh_5.6p1_test5.txt b/test/docker/expected_results/openssh_5.6p1_test5.txt
new file mode 100644
index 0000000..b9e7cd7
--- /dev/null
+++ b/test/docker/expected_results/openssh_5.6p1_test5.txt
@@ -0,0 +1,132 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_5.6
+(gen) software: OpenSSH 5.6
+(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
+(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies
+(cve) CVE-2017-15906 -- (CVSSv2: 5.3) readonly bypass via sftp
+(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
+(cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
+(cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
+(cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
+(cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack
+(cve) CVE-2014-2532 -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard
+(cve) CVE-2014-1692 -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
+(cve) CVE-2012-0814 -- (CVSSv2: 3.5) leak data via debug messages
+(cve) CVE-2011-5000 -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
+(cve) CVE-2010-5107 -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
+(cve) CVE-2010-4755 -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
+(cve) CVE-2010-4478 -- (CVSSv2: 7.5) bypass authentication check via crafted values
+
+# key exchange algorithms
+(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 4.4
+(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
+ `- [info] available since OpenSSH 2.3.0
+(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
+ `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
+ `- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+ `- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9
+
+# host-key algorithms
+(key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/3072-bit RSA CA) -- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 5.6
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+
+# encryption algorithms (ciphers)
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) arcfour256 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) arcfour128 -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 4.2
+(enc) aes128-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) 3des-cbc -- [fail] using broken & deprecated 3DES cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) blowfish-cbc -- [fail] using weak & deprecated Blowfish cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) cast128-cbc -- [fail] using weak & deprecated CAST cipher
+ `- [warn] using weak cipher mode
+ `- [warn] using small 64-bit block size
+ `- [info] available since OpenSSH 2.1.0
+(enc) aes192-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+(enc) aes256-cbc -- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) arcfour -- [fail] using broken RC4 cipher
+ `- [info] available since OpenSSH 2.1.0
+(enc) rijndael-cbc@lysator.liu.se -- [fail] using deprecated & non-standardized Rijndael cipher
+ `- [warn] using weak cipher mode
+ `- [info] available since OpenSSH 2.3.0
+ `- [info] disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0
+
+# message authentication code algorithms
+(mac) hmac-md5 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 4.7
+(mac) hmac-ripemd160 -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+(mac) hmac-ripemd160@openssh.com -- [fail] using deprecated RIPEMD hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0
+(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-md5-96 -- [fail] using broken MD5 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.5.0
+
+# fingerprints
+(fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244
+
+# algorithm recommendations (for OpenSSH 5.6)
+(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) 
+(rec) -3des-cbc -- enc algorithm to remove 
+(rec) -arcfour -- enc algorithm to remove 
+(rec) -arcfour128 -- enc algorithm to remove 
+(rec) -arcfour256 -- enc algorithm to remove 
+(rec) -blowfish-cbc -- enc algorithm to remove 
+(rec) -cast128-cbc -- enc algorithm to remove 
+(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -hmac-md5 -- mac algorithm to remove 
+(rec) -hmac-md5-96 -- mac algorithm to remove 
+(rec) -hmac-ripemd160 -- mac algorithm to remove 
+(rec) -hmac-ripemd160@openssh.com -- mac algorithm to remove 
+(rec) -hmac-sha1 -- mac algorithm to remove 
+(rec) -hmac-sha1-96 -- mac algorithm to remove 
+(rec) -rijndael-cbc@lysator.liu.se -- enc algorithm to remove 
+(rec) -ssh-rsa -- key algorithm to remove 
+(rec) -ssh-rsa-cert-v01@openssh.com -- key algorithm to remove 
+(rec) -aes128-cbc -- enc algorithm to remove 
+(rec) -aes192-cbc -- enc algorithm to remove 
+(rec) -aes256-cbc -- enc algorithm to remove 
+(rec) -umac-64@openssh.com -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json
new file mode 100644
index 0000000..3dfe59c
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.json
@@ -0,0 +1,43 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "3072"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "Host key (rsa-sha2-256) sizes"
+ },
+ {
+ "actual": [
+ "3072"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "Host key (rsa-sha2-512) sizes"
+ },
+ {
+ "actual": [
+ "4096"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "3072"
+ ],
+ "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Hardened OpenSSH Server v8.0 (version 4)"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.txt b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.txt
new file mode 100644
index 0000000..f1f617e
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test1.txt
@@ -0,0 +1,17 @@
+Host: localhost:2222
+Policy: Hardened OpenSSH Server v8.0 (version 4)
+Result: ❌ Failed!
+
+Errors:
+ * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match.
+ - Expected: 3072
+ - Actual: 4096
+
+ * Host key (rsa-sha2-256) sizes did not match.
+ - Expected: 4096
+ - Actual: 3072
+
+ * Host key (rsa-sha2-512) sizes did not match.
+ - Expected: 4096
+ - Actual: 3072
+
diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json
new file mode 100644
index 0000000..0c54345
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.json
@@ -0,0 +1,66 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "3072"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "Host key (rsa-sha2-256) sizes"
+ },
+ {
+ "actual": [
+ "3072"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "Host key (rsa-sha2-512) sizes"
+ },
+ {
+ "actual": [
+ "umac-64-etm@openssh.com",
+ "umac-128-etm@openssh.com",
+ "hmac-sha2-256-etm@openssh.com",
+ "hmac-sha2-512-etm@openssh.com",
+ "hmac-sha1-etm@openssh.com",
+ "umac-64@openssh.com",
+ "umac-128@openssh.com",
+ "hmac-sha2-256",
+ "hmac-sha2-512",
+ "hmac-sha1"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "hmac-sha2-256-etm@openssh.com",
+ "hmac-sha2-512-etm@openssh.com",
+ "umac-128-etm@openssh.com"
+ ],
+ "mismatched_field": "MACs"
+ },
+ {
+ "actual": [
+ "4096"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "3072"
+ ],
+ "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Hardened OpenSSH Server v8.0 (version 4)"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt
new file mode 100644
index 0000000..8f1d9dc
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_builtin_policy_test2.txt
@@ -0,0 +1,21 @@
+Host: localhost:2222
+Policy: Hardened OpenSSH Server v8.0 (version 4)
+Result: ❌ Failed!
+
+Errors:
+ * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match.
+ - Expected: 3072
+ - Actual: 4096
+
+ * Host key (rsa-sha2-256) sizes did not match.
+ - Expected: 4096
+ - Actual: 3072
+
+ * Host key (rsa-sha2-512) sizes did not match.
+ - Expected: 4096
+ - Actual: 3072
+
+ * MACs did not match.
+ - Expected: hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
+ - Actual: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
+
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json
new file mode 100644
index 0000000..b6a8308
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.json
@@ -0,0 +1,6 @@
+{
+ "errors": [],
+ "host": "localhost",
+ "passed": true,
+ "policy": "Docker policy: test11 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.txt
new file mode 100644
index 0000000..0ac0671
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test11.txt
@@ -0,0 +1,12 @@
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host: localhost:2222
+Policy: Docker policy: test11 (version 1)
+Result: ✔ Passed
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json
new file mode 100644
index 0000000..8ddcf39
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.json
@@ -0,0 +1,43 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "3072"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "Host key (rsa-sha2-256) sizes"
+ },
+ {
+ "actual": [
+ "3072"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "Host key (rsa-sha2-512) sizes"
+ },
+ {
+ "actual": [
+ "3072"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "4096"
+ ],
+ "mismatched_field": "Host key (ssh-rsa) sizes"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Docker policy: test12 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt
new file mode 100644
index 0000000..de615e0
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test12.txt
@@ -0,0 +1,26 @@
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host: localhost:2222
+Policy: Docker policy: test12 (version 1)
+Result: ❌ Failed!
+
+Errors:
+ * Host key (rsa-sha2-256) sizes did not match.
+ - Expected: 4096
+ - Actual: 3072
+
+ * Host key (rsa-sha2-512) sizes did not match.
+ - Expected: 4096
+ - Actual: 3072
+
+ * Host key (ssh-rsa) sizes did not match.
+ - Expected: 4096
+ - Actual: 3072
+
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json
new file mode 100644
index 0000000..4f942bd
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.json
@@ -0,0 +1,6 @@
+{
+ "errors": [],
+ "host": "localhost",
+ "passed": true,
+ "policy": "Docker policy: test13 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.txt
new file mode 100644
index 0000000..7734d88
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test13.txt
@@ -0,0 +1,15 @@
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host: localhost:2222
+Policy: Docker policy: test13 (version 1)
+Result: ✔ Passed
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json
new file mode 100644
index 0000000..fc8eb61
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.json
@@ -0,0 +1,19 @@
+{
+ "errors": [
+ {
+ "actual": [
+ "4096"
+ ],
+ "expected_optional": [
+ ""
+ ],
+ "expected_required": [
+ "8192"
+ ],
+ "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes"
+ }
+ ],
+ "host": "localhost",
+ "passed": false,
+ "policy": "Docker policy: test14 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt
new file mode 100644
index 0000000..17987a5
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test14.txt
@@ -0,0 +1,21 @@
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+
+WARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.
+
+Host: localhost:2222
+Policy: Docker policy: test14 (version 1)
+Result: ❌ Failed!
+
+Errors:
+ * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match.
+ - Expected: 8192
+ - Actual: 4096
+
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json b/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json
new file mode 100644
index 0000000..8804aae
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.json
@@ -0,0 +1,6 @@
+{
+ "errors": [],
+ "host": "localhost",
+ "passed": true,
+ "policy": "Docker policy: test6 (version 1)"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.txt b/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.txt
new file mode 100644
index 0000000..b0e9441
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_custom_policy_test6.txt
@@ -0,0 +1,3 @@
+Host: localhost:2222
+Policy: Docker policy: test6 (version 1)
+Result: ✔ Passed
diff --git a/test/docker/expected_results/openssh_8.0p1_test1.json b/test/docker/expected_results/openssh_8.0p1_test1.json
new file mode 100644
index 0000000..350af5e
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_test1.json
@@ -0,0 +1,462 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "2.0",
+ "raw": "SSH-2.0-OpenSSH_8.0",
+ "software": "OpenSSH_8.0"
+ },
+ "compression": [
+ "none",
+ "zlib@openssh.com"
+ ],
+ "cves": [
+ {
+ "cvssv2": 7.0,
+ "description": "privilege escalation via supplemental groups",
+ "name": "CVE-2021-41617"
+ },
+ {
+ "cvssv2": 7.8,
+ "description": "command injection via anomalous argument transfers",
+ "name": "CVE-2020-15778"
+ },
+ {
+ "cvssv2": 7.8,
+ "description": "memory corruption and local code execution via pre-authentication integer overflow",
+ "name": "CVE-2019-16905"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames via challenge response",
+ "name": "CVE-2016-20012"
+ }
+ ],
+ "enc": [
+ {
+ "algorithm": "chacha20-poly1305@openssh.com",
+ "notes": {
+ "info": [
+ "default cipher since OpenSSH 6.9",
+ "available since OpenSSH 6.5"
+ ],
+ "warn": [
+ "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-gcm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-gcm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-ed25519"
+ },
+ {
+ "hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-ed25519"
+ },
+ {
+ "hash": "nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-rsa"
+ },
+ {
+ "hash": "18:e2:51:fe:21:6c:78:d0:b8:cf:32:d4:bd:56:42:e1",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-rsa"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "curve25519-sha256",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 7.4, Dropbear SSH 2018.76"
+ ]
+ }
+ },
+ {
+ "algorithm": "curve25519-sha256@libssh.org",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 6.4, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdh-sha2-nistp256",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdh-sha2-nistp384",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdh-sha2-nistp521",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha256",
+ "keysize": 4096,
+ "notes": {
+ "info": [
+ "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
+ "available since OpenSSH 4.4"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group16-sha512",
+ "notes": {
+ "info": [
+ "available since OpenSSH 7.3, Dropbear SSH 2016.73"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group18-sha512",
+ "notes": {
+ "info": [
+ "available since OpenSSH 7.3"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha256",
+ "notes": {
+ "info": [
+ "available since OpenSSH 7.3, Dropbear SSH 2016.73"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 3.9, Dropbear SSH 0.53"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "rsa-sha2-512",
+ "keysize": 3072,
+ "notes": {
+ "info": [
+ "available since OpenSSH 7.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "rsa-sha2-256",
+ "keysize": 3072,
+ "notes": {
+ "info": [
+ "available since OpenSSH 7.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-rsa",
+ "keysize": 3072,
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
+ "available since OpenSSH 2.5.0, Dropbear SSH 0.28"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdsa-sha2-nistp256",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ],
+ "warn": [
+ "using weak random number generator could reveal the key"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-ed25519",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.5"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "umac-64-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ],
+ "warn": [
+ "using small 64-bit tag size"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-128-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-256-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-512-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1-etm@openssh.com",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-64@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 4.7"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode",
+ "using small 64-bit tag size"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-128@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-256",
+ "notes": {
+ "info": [
+ "available since OpenSSH 5.9, Dropbear SSH 2013.56"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-512",
+ "notes": {
+ "info": [
+ "available since OpenSSH 5.9, Dropbear SSH 2013.56"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "critical": {
+ "del": {
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha1",
+ "notes": ""
+ },
+ {
+ "name": "ecdh-sha2-nistp256",
+ "notes": ""
+ },
+ {
+ "name": "ecdh-sha2-nistp384",
+ "notes": ""
+ },
+ {
+ "name": "ecdh-sha2-nistp521",
+ "notes": ""
+ }
+ ],
+ "key": [
+ {
+ "name": "ecdsa-sha2-nistp256",
+ "notes": ""
+ },
+ {
+ "name": "ssh-rsa",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-sha1",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1-etm@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "chacha20-poly1305@openssh.com",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha256",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-sha2-256",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha2-512",
+ "notes": ""
+ },
+ {
+ "name": "umac-128@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "umac-64-etm@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "umac-64@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_test1.txt b/test/docker/expected_results/openssh_8.0p1_test1.txt
new file mode 100644
index 0000000..cde69a5
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_test1.txt
@@ -0,0 +1,99 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_8.0
+(gen) software: OpenSSH 8.0
+(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups
+(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
+(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow
+(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
+
+# key exchange algorithms
+(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4
+ `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
+(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
+(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+
+# host-key algorithms
+(key) rsa-sha2-512 (3072-bit) -- [info] available since OpenSSH 7.2
+(key) rsa-sha2-256 (3072-bit) -- [info] available since OpenSSH 7.2
+(key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+ `- [info] deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8
+(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [warn] using weak random number generator could reveal the key
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
+
+# encryption algorithms (ciphers)
+(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
+ `- [info] available since OpenSSH 6.5
+ `- [info] default cipher since OpenSSH 6.9
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
+(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
+
+# message authentication code algorithms
+(mac) umac-64-etm@openssh.com -- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 6.2
+(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha1-etm@openssh.com -- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 6.2
+(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 4.7
+(mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+
+# fingerprints
+(fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU
+(fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244
+
+# algorithm recommendations (for OpenSSH 8.0)
+(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove 
+(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove 
+(rec) -hmac-sha1 -- mac algorithm to remove 
+(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove 
+(rec) -ssh-rsa -- key algorithm to remove 
+(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove 
+(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove 
+(rec) -hmac-sha2-256 -- mac algorithm to remove 
+(rec) -hmac-sha2-512 -- mac algorithm to remove 
+(rec) -umac-128@openssh.com -- mac algorithm to remove 
+(rec) -umac-64-etm@openssh.com -- mac algorithm to remove 
+(rec) -umac-64@openssh.com -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/openssh_8.0p1_test2.json b/test/docker/expected_results/openssh_8.0p1_test2.json
new file mode 100644
index 0000000..a05ae96
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_test2.json
@@ -0,0 +1,421 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "2.0",
+ "raw": "SSH-2.0-OpenSSH_8.0",
+ "software": "OpenSSH_8.0"
+ },
+ "compression": [
+ "none",
+ "zlib@openssh.com"
+ ],
+ "cves": [
+ {
+ "cvssv2": 7.0,
+ "description": "privilege escalation via supplemental groups",
+ "name": "CVE-2021-41617"
+ },
+ {
+ "cvssv2": 7.8,
+ "description": "command injection via anomalous argument transfers",
+ "name": "CVE-2020-15778"
+ },
+ {
+ "cvssv2": 7.8,
+ "description": "memory corruption and local code execution via pre-authentication integer overflow",
+ "name": "CVE-2019-16905"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames via challenge response",
+ "name": "CVE-2016-20012"
+ }
+ ],
+ "enc": [
+ {
+ "algorithm": "chacha20-poly1305@openssh.com",
+ "notes": {
+ "info": [
+ "default cipher since OpenSSH 6.9",
+ "available since OpenSSH 6.5"
+ ],
+ "warn": [
+ "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-gcm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-gcm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-ed25519"
+ },
+ {
+ "hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-ed25519"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "curve25519-sha256",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 7.4, Dropbear SSH 2018.76"
+ ]
+ }
+ },
+ {
+ "algorithm": "curve25519-sha256@libssh.org",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 6.4, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdh-sha2-nistp256",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdh-sha2-nistp384",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "ecdh-sha2-nistp521",
+ "notes": {
+ "fail": [
+ "using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency"
+ ],
+ "info": [
+ "available since OpenSSH 5.7, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha256",
+ "keysize": 4096,
+ "notes": {
+ "info": [
+ "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
+ "available since OpenSSH 4.4"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group16-sha512",
+ "notes": {
+ "info": [
+ "available since OpenSSH 7.3, Dropbear SSH 2016.73"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group18-sha512",
+ "notes": {
+ "info": [
+ "available since OpenSSH 7.3"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha256",
+ "notes": {
+ "info": [
+ "available since OpenSSH 7.3, Dropbear SSH 2016.73"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group14-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 3.9, Dropbear SSH 0.53"
+ ],
+ "warn": [
+ "2048-bit modulus only provides 112-bits of symmetric strength"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ssh-ed25519",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.5"
+ ]
+ }
+ },
+ {
+ "algorithm": "ssh-ed25519-cert-v01@openssh.com",
+ "ca_algorithm": "ssh-ed25519",
+ "casize": 256,
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.5"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "umac-64-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ],
+ "warn": [
+ "using small 64-bit tag size"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-128-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-256-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-512-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1-etm@openssh.com",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-64@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 4.7"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode",
+ "using small 64-bit tag size"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-128@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-256",
+ "notes": {
+ "info": [
+ "available since OpenSSH 5.9, Dropbear SSH 2013.56"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-512",
+ "notes": {
+ "info": [
+ "available since OpenSSH 5.9, Dropbear SSH 2013.56"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha1",
+ "notes": {
+ "fail": [
+ "using broken SHA-1 hash algorithm"
+ ],
+ "info": [
+ "available since OpenSSH 2.1.0, Dropbear SSH 0.28"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "critical": {
+ "del": {
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha1",
+ "notes": ""
+ },
+ {
+ "name": "ecdh-sha2-nistp256",
+ "notes": ""
+ },
+ {
+ "name": "ecdh-sha2-nistp384",
+ "notes": ""
+ },
+ {
+ "name": "ecdh-sha2-nistp521",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-sha1",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha1-etm@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "informational": {
+ "add": {
+ "key": [
+ {
+ "name": "rsa-sha2-256",
+ "notes": ""
+ },
+ {
+ "name": "rsa-sha2-512",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "chacha20-poly1305@openssh.com",
+ "notes": ""
+ }
+ ],
+ "kex": [
+ {
+ "name": "diffie-hellman-group14-sha256",
+ "notes": ""
+ }
+ ],
+ "mac": [
+ {
+ "name": "hmac-sha2-256",
+ "notes": ""
+ },
+ {
+ "name": "hmac-sha2-512",
+ "notes": ""
+ },
+ {
+ "name": "umac-128@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "umac-64-etm@openssh.com",
+ "notes": ""
+ },
+ {
+ "name": "umac-64@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_test2.txt b/test/docker/expected_results/openssh_8.0p1_test2.txt
new file mode 100644
index 0000000..8cbb69a
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_test2.txt
@@ -0,0 +1,91 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_8.0
+(gen) software: OpenSSH 8.0
+(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups
+(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
+(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow
+(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
+
+# key exchange algorithms
+(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
+ `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4
+ `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
+(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
+(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
+ `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+
+# host-key algorithms
+(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
+(key) ssh-ed25519-cert-v01@openssh.com (256-bit cert/256-bit ssh-ed25519 CA) -- [info] available since OpenSSH 6.5
+
+# encryption algorithms (ciphers)
+(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
+ `- [info] available since OpenSSH 6.5
+ `- [info] default cipher since OpenSSH 6.9
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
+(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
+
+# message authentication code algorithms
+(mac) umac-64-etm@openssh.com -- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 6.2
+(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha1-etm@openssh.com -- [fail] using broken SHA-1 hash algorithm
+ `- [info] available since OpenSSH 6.2
+(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [warn] using small 64-bit tag size
+ `- [info] available since OpenSSH 4.7
+(mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
+ `- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+
+# fingerprints
+(fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU
+
+# algorithm recommendations (for OpenSSH 8.0)
+(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove 
+(rec) -hmac-sha1 -- mac algorithm to remove 
+(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove 
+(rec) +rsa-sha2-256 -- key algorithm to append 
+(rec) +rsa-sha2-512 -- key algorithm to append 
+(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove 
+(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove 
+(rec) -hmac-sha2-256 -- mac algorithm to remove 
+(rec) -hmac-sha2-512 -- mac algorithm to remove 
+(rec) -umac-128@openssh.com -- mac algorithm to remove 
+(rec) -umac-64-etm@openssh.com -- mac algorithm to remove 
+(rec) -umac-64@openssh.com -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/openssh_8.0p1_test3.json b/test/docker/expected_results/openssh_8.0p1_test3.json
new file mode 100644
index 0000000..13a8130
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_test3.json
@@ -0,0 +1,206 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": null,
+ "protocol": "2.0",
+ "raw": "SSH-2.0-OpenSSH_8.0",
+ "software": "OpenSSH_8.0"
+ },
+ "compression": [
+ "none",
+ "zlib@openssh.com"
+ ],
+ "cves": [
+ {
+ "cvssv2": 7.0,
+ "description": "privilege escalation via supplemental groups",
+ "name": "CVE-2021-41617"
+ },
+ {
+ "cvssv2": 7.8,
+ "description": "command injection via anomalous argument transfers",
+ "name": "CVE-2020-15778"
+ },
+ {
+ "cvssv2": 7.8,
+ "description": "memory corruption and local code execution via pre-authentication integer overflow",
+ "name": "CVE-2019-16905"
+ },
+ {
+ "cvssv2": 5.3,
+ "description": "enumerate usernames via challenge response",
+ "name": "CVE-2016-20012"
+ }
+ ],
+ "enc": [
+ {
+ "algorithm": "chacha20-poly1305@openssh.com",
+ "notes": {
+ "info": [
+ "default cipher since OpenSSH 6.9",
+ "available since OpenSSH 6.5"
+ ],
+ "warn": [
+ "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-gcm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-gcm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes256-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes192-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7"
+ ]
+ }
+ },
+ {
+ "algorithm": "aes128-ctr",
+ "notes": {
+ "info": [
+ "available since OpenSSH 3.7, Dropbear SSH 0.52"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-ed25519"
+ },
+ {
+ "hash": "1e:0c:7b:34:73:bf:52:41:b0:f9:d1:a9:ab:98:c7:c9",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-ed25519"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "curve25519-sha256",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 7.4, Dropbear SSH 2018.76"
+ ]
+ }
+ },
+ {
+ "algorithm": "curve25519-sha256@libssh.org",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 6.4, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "diffie-hellman-group-exchange-sha256",
+ "keysize": 4096,
+ "notes": {
+ "info": [
+ "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
+ "available since OpenSSH 4.4"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ssh-ed25519",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.5"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "hmac-sha2-256-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "hmac-sha2-512-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ },
+ {
+ "algorithm": "umac-128-etm@openssh.com",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.2"
+ ]
+ }
+ }
+ ],
+ "recommendations": {
+ "informational": {
+ "add": {
+ "kex": [
+ {
+ "name": "diffie-hellman-group16-sha512",
+ "notes": ""
+ },
+ {
+ "name": "diffie-hellman-group18-sha512",
+ "notes": ""
+ }
+ ],
+ "key": [
+ {
+ "name": "rsa-sha2-256",
+ "notes": ""
+ },
+ {
+ "name": "rsa-sha2-512",
+ "notes": ""
+ }
+ ]
+ }
+ },
+ "warning": {
+ "del": {
+ "enc": [
+ {
+ "name": "chacha20-poly1305@openssh.com",
+ "notes": ""
+ }
+ ]
+ }
+ }
+ },
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/openssh_8.0p1_test3.txt b/test/docker/expected_results/openssh_8.0p1_test3.txt
new file mode 100644
index 0000000..27154b8
--- /dev/null
+++ b/test/docker/expected_results/openssh_8.0p1_test3.txt
@@ -0,0 +1,51 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_8.0
+(gen) software: OpenSSH 8.0
+(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups
+(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
+(cve) CVE-2019-16905 -- (CVSSv2: 7.8) memory corruption and local code execution via pre-authentication integer overflow
+(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
+
+# key exchange algorithms
+(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) diffie-hellman-group-exchange-sha256 (4096-bit) -- [info] available since OpenSSH 4.4
+ `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 4096. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
+
+# host-key algorithms
+(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
+
+# encryption algorithms (ciphers)
+(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
+ `- [info] available since OpenSSH 6.5
+ `- [info] default cipher since OpenSSH 6.9
+(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
+(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr -- [info] available since OpenSSH 3.7
+(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+
+# message authentication code algorithms
+(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2
+
+# fingerprints
+(fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU
+
+# algorithm recommendations (for OpenSSH 8.0)
+(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append 
+(rec) +diffie-hellman-group18-sha512 -- kex algorithm to append 
+(rec) +rsa-sha2-256 -- key algorithm to append 
+(rec) +rsa-sha2-512 -- key algorithm to append 
+(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+
diff --git a/test/docker/expected_results/tinyssh_20190101_test1.json b/test/docker/expected_results/tinyssh_20190101_test1.json
new file mode 100644
index 0000000..7cc7629
--- /dev/null
+++ b/test/docker/expected_results/tinyssh_20190101_test1.json
@@ -0,0 +1,98 @@
+{
+ "additional_notes": [
+ ""
+ ],
+ "banner": {
+ "comments": "",
+ "protocol": "2.0",
+ "raw": "",
+ "software": "tinyssh_noversion"
+ },
+ "compression": [
+ "none"
+ ],
+ "cves": [],
+ "enc": [
+ {
+ "algorithm": "chacha20-poly1305@openssh.com",
+ "notes": {
+ "info": [
+ "default cipher since OpenSSH 6.9",
+ "available since OpenSSH 6.5"
+ ],
+ "warn": [
+ "vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation"
+ ]
+ }
+ }
+ ],
+ "fingerprints": [
+ {
+ "hash": "89ocln1x7KNqnMgWffGoYtD70ksJ4FrH7BMJHa7SrwU",
+ "hash_alg": "SHA256",
+ "hostkey": "ssh-ed25519"
+ },
+ {
+ "hash": "dd:9c:6d:f9:b0:8c:af:fa:c2:65:81:5d:5d:56:f8:21",
+ "hash_alg": "MD5",
+ "hostkey": "ssh-ed25519"
+ }
+ ],
+ "kex": [
+ {
+ "algorithm": "curve25519-sha256",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 7.4, Dropbear SSH 2018.76"
+ ]
+ }
+ },
+ {
+ "algorithm": "curve25519-sha256@libssh.org",
+ "notes": {
+ "info": [
+ "default key exchange since OpenSSH 6.4",
+ "available since OpenSSH 6.4, Dropbear SSH 2013.62"
+ ]
+ }
+ },
+ {
+ "algorithm": "sntrup4591761x25519-sha512@tinyssh.org",
+ "notes": {
+ "info": [
+ "the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security",
+ "available since OpenSSH 8.0"
+ ],
+ "warn": [
+ "using experimental algorithm"
+ ]
+ }
+ }
+ ],
+ "key": [
+ {
+ "algorithm": "ssh-ed25519",
+ "notes": {
+ "info": [
+ "available since OpenSSH 6.5"
+ ]
+ }
+ }
+ ],
+ "mac": [
+ {
+ "algorithm": "hmac-sha2-256",
+ "notes": {
+ "info": [
+ "available since OpenSSH 5.9, Dropbear SSH 2013.56"
+ ],
+ "warn": [
+ "using encrypt-and-MAC mode"
+ ]
+ }
+ }
+ ],
+ "recommendations": {},
+ "target": "localhost:2222"
+}
diff --git a/test/docker/expected_results/tinyssh_20190101_test1.txt b/test/docker/expected_results/tinyssh_20190101_test1.txt
new file mode 100644
index 0000000..7307169
--- /dev/null
+++ b/test/docker/expected_results/tinyssh_20190101_test1.txt
@@ -0,0 +1,29 @@
+# general
+(gen) software: TinySSH noversion
+(gen) compatibility: OpenSSH 8.0-8.4, Dropbear SSH 2018.76+
+(gen) compression: disabled
+
+# key exchange algorithms
+(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
+ `- [info] default key exchange since OpenSSH 6.4
+(kex) sntrup4591761x25519-sha512@tinyssh.org -- [warn] using experimental algorithm
+ `- [info] available since OpenSSH 8.0
+ `- [info] the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security
+
+# host-key algorithms
+(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
+
+# encryption algorithms (ciphers)
+(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
+ `- [info] available since OpenSSH 6.5
+ `- [info] default cipher since OpenSSH 6.9
+
+# message authentication code algorithms
+(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
+ `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+
+# fingerprints
+(fin) ssh-ed25519: SHA256:89ocln1x7KNqnMgWffGoYtD70ksJ4FrH7BMJHa7SrwU
+
diff --git a/test/docker/host_ca_ed25519 b/test/docker/host_ca_ed25519
new file mode 100644
index 0000000..7b8c41b
--- /dev/null
+++ b/test/docker/host_ca_ed25519
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAbM9Wp3ZPcC8Ifhu6GjNDJaoMg7KxO0el2+r9J35TltQAAAKAa0zr8GtM6
+/AAAAAtzc2gtZWQyNTUxOQAAACAbM9Wp3ZPcC8Ifhu6GjNDJaoMg7KxO0el2+r9J35TltQ
+AAAEC/j/BpfmgaZqNMTkJXO4cKZBr31N5z33IRFjh5m6IDDhsz1andk9wLwh+G7oaM0Mlq
+gyDsrE7R6Xb6v0nflOW1AAAAHWpkb2dAbG9jYWxob3N0LndvbmRlcmxhbmQubG9s
+-----END OPENSSH PRIVATE KEY-----
diff --git a/test/docker/host_ca_ed25519.pub b/test/docker/host_ca_ed25519.pub
new file mode 100644
index 0000000..01e745f
--- /dev/null
+++ b/test/docker/host_ca_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsz1andk9wLwh+G7oaM0MlqgyDsrE7R6Xb6v0nflOW1 jdog@localhost.wonderland.lol
diff --git a/test/docker/host_ca_rsa_1024 b/test/docker/host_ca_rsa_1024
new file mode 100644
index 0000000..337b777
--- /dev/null
+++ b/test/docker/host_ca_rsa_1024
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDnRlN3AFnUe2lFf5XG9UhXLr/9POruNTFbMt0zrjOUSjmAS7hS
+6pDv5VEToT6DaR1EQUYaqSMpHYzZhuCK52vrydOm5XFbJ7712r9MyZQUhoVZx8Su
+dBHzVDIVO3jcMMWIlrfWBMnUaUHEqpmy88Y7gKDa2TWxJg1+hg51KqHrUQIDAQAB
+AoGBANALOUXRcP1tTtOP4+In/709dsONKyDBhPavGMFGsWtyIavBcbxU+bBzrq1j
+3WJFCmi99xxAjjqMNInxhMgvSaoJtsiY0/FFxqRy6l/ZnRjI6hrVKR8whrPKVgBF
+pvbjeQIn9txeCYA8kwl/Si762u7byq+qvupE53xMP94J02KBAkEA/Q4+Hn1Rjblw
+VXynF+oXIq6iZy+8PW+Y/FIL8d31ehzfcssCMdFV6S3/wBoQkWby30oGC/xGmHGR
+6ffXGilByQJBAOn3NMrBPXNkaPeQtgV3tk4s1dRDQYhbqGNz6tcgThyyPdhJCmCy
+jgUEhLwAetsDI8/+3avWbo6/csOV+BvpYUkCQQDQyEp6L1z0+FV1QqY99dZmt/yn
+89t0OLnZG/xc7osU1/OHq3TBE3y1KU2D+j1HKdAiZ9l7VAYOykzf46qmG/n5AkEA
+2kWjfcjcIIw7lULvXZh6fuI7NwTr3V/Nb8MUA1EDLqhnJCG4SdAqyKmXf6Fe/HYo
+cgKPIaIykIAxfCCsULXg6QJAOxB0CKYJlopVBdjGMlGqOEneWTmb1A2INQDE2Una
+LkSd0Rr8OiEzDeemV7j3Ec4BH0HxGMnHDxMybZwoZRnRPw==
+-----END RSA PRIVATE KEY-----
diff --git a/test/docker/host_ca_rsa_1024.pub b/test/docker/host_ca_rsa_1024.pub
new file mode 100644
index 0000000..6d861d6
--- /dev/null
+++ b/test/docker/host_ca_rsa_1024.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDnRlN3AFnUe2lFf5XG9UhXLr/9POruNTFbMt0zrjOUSjmAS7hS6pDv5VEToT6DaR1EQUYaqSMpHYzZhuCK52vrydOm5XFbJ7712r9MyZQUhoVZx8SudBHzVDIVO3jcMMWIlrfWBMnUaUHEqpmy88Y7gKDa2TWxJg1+hg51KqHrUQ== jdog@localhost.wonderland.lol
diff --git a/test/docker/host_ca_rsa_3072 b/test/docker/host_ca_rsa_3072
new file mode 100644
index 0000000..dd04653
--- /dev/null
+++ b/test/docker/host_ca_rsa_3072
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEAqxQEIbj8w0TrBY1fDO81curijQrdLOUr8Vl8XECWc5QGd1Lk
+AG80NgdcCBPvjWxZSmYrKeqA78GUdN+KgycE0ztpxYSXKHZMaIM5Xe94BB+BocH9
+1vd/2iBzGeed1nV/zfAdq2AEHQj1TpII+a+z25yxv2PuwVTTwwo9I/6JgNq3evH4
+Hbwgr3SRfEEYZQ+YL8cOpBuNg1YZOR0k1yk23ZqAd92JybxZ4iCtOt7rcj2sFHzN
+u1U544wWBwIL5yZZKTgBhY4dqfT2Ep7IzR5HdsdrvQV9qC92GM1zDE+U3AwrVKjH
+s0YZq3jzcq/yvFDCcMMRz4/0pGFFU26oWma+n3vbAxKJoL+rhG8QM9+l2qFlLGsn
+M0kUXAJXsPKbygpaP8Z3U4eKgTuJ2GuS9eLIFnB7mrwD75V6GgN9q5mY89DfkVSk
+HaoqpY8pPdRkz9QAmMEuLtHmv29CVOpfX5v/rsm7wASAZqtUlmFu4rFGBLwvZbUl
+Wu02HmgBT47g6EIfAgMBAAECggGAKVCdKtO03yd+pomcodAHFWiaK7uq7FOwCAo3
+WUQT0Xe3FAwFmgFBF6cxV5YQ7RN0gN4poGbMmpoiUxNFLSU4KhcYFSZPJutiyn6e
+VQwm7L/7G2hw+AAvdSsPAPuJh6g6pC5Py/pVI/ns2/uyhTIkem3eEz18BF6LAXgw
+icfHx0GKu/tBk1TCg/zfwaUq0gUxGKC27XTl+QjK8JsUMY33fQ755Xiv9PMytcR0
+cVoyfBVewFffi1UqtMQ48ZpR65G743RxrP4/wcwsfD7n5LJLdyxQkh3gIMTJ8dd/
+R5V4FlueorRgjTbLTjGDxNrCAJ+locezhEEPXsPh2q0KiIXGyz2AMxaOqFmhU8oK
+aVVt8pWJ+YsrKIgc/A3s18ezO8uO5ZdtjQ+CWguduUGY7YgWezGLO1LPxhJC4d7b
+Q/xpeKveTRlcScAqOUzKgSuEhcvPgj8paUcRUoiXm4qiJBY5sXJks+YGp8BGksH0
+O94no+Ns2G58MlL+RyXk3JWrc6zRAoHBANdPplY2sIuIiiEBu95f1Qar1nCBHhB2
+i+HpnsUOdSlbxwMxoF8ffeN9N+DQqaqPu1RhFa5xbB2EUSujvOnL7b/RWqe1X9Po
+UIt5UjXctNP/HYcQDyjXY+rV5SZhHDyv6TBYurNZlvlBivliDz82THPRtqVxed3B
+w2MeaSkKAQ8rA7PE+0j3TG+YtIij0mHOhNPJgEZ/XZ9MIQOGMycRJhwOlclBI5NP
+Ak6p30ArnU2fX4qMkU3i+wqUfXS1hhDihwKBwQDLaHWPIWPVbWdcCbYQTcUmFC3i
+xkxd0UuLcfS9csk61nvdFj7m8tMExX+3fIo/fHEtzDd98Alc1i6/f6ePl0CX6NDu
+QIWLryI1QQRQidHCdw0wQ3N3VD4ZXJHDeqBxogVAkA7A/1QeXwcXE/Xj2ZgyDwhL
+3+myjmvWtw9zJsXL0F3tpPzn+Mrf0KRkWOaluOw7hMMjVjrgu6g24HMWbHHVLRTx
+dlAI7tgxCAPe2SEi+1mzaVUZ8cfgqYqC3X66UakCgcEAopxtK7+yJi/A4pzEnnYS
+FS/CjMV3R0fA7aXbW0hIBCxkaW0Zib3m/eCcSxZMjZxwBpIsJctTtBcylprbGlgB
+/1TF+tNoxEo4Sp4eEL/XciTC0Da4vEewFrPklM/S26KfovvgRYPsGeP+aco9aahA
+pVhFcT36pBiq0DkvgucjValO6n5iqgDboYzbDDdttKCcgLc2Qgf/VUfRxy+bgm3Z
+MmdxiMXBcIfDXlW9XmGSNAWhyqnPM9uxbZQoC/Tsg+QRAoHANHMcFSsz9f2+8DGk
+27FiC76aUmZ1nJ9yTmO1CwDFOMHDsK+iyqSEmy9eDm8zqsko2flVuciicWjdJw4A
+o/sJceJbtYO3q9weAwNf3HCdQPq30OEjrfpwBNQk1fYR1xtDJXHADC4Kf8ZbKq0/
+81/Rad8McZwsQ5mL3xLXDgdKa5KwFa48dIhnr6y6JxHxb3wule5W7w62Ierhpjzc
+EEUoWSLFyrmKS7Ni1cnOTbFJZR7Q831Or2Dz/E9bYwFAQ0T5AoHAM4/zU+8rsbdD
+FvvhWsj7Ivfh6pxx1Tl1Wccaauea9AJayHht0FOzkycpJrH1E+6F5MzhkFFU1SUY
+60NZxzSZgbU0HBrJRcRFyo510iMcnctdTdyh8p7nweGoD0oqXzf6cHqrUep8Y8rQ
+gkSVhPE31+NGlPbwz+NOflcaaAWYiDC6wjVt1asaZq292SJD4DF1fAUkbQ2hxgyQ
++G/6y5ovrcGnh7q63RLhW1TRf8dD2D2Av9UgXDmWZAZ5n838FS+X
+-----END RSA PRIVATE KEY-----
diff --git a/test/docker/host_ca_rsa_3072.pub b/test/docker/host_ca_rsa_3072.pub
new file mode 100644
index 0000000..b728ed7
--- /dev/null
+++ b/test/docker/host_ca_rsa_3072.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCrFAQhuPzDROsFjV8M7zVy6uKNCt0s5SvxWXxcQJZzlAZ3UuQAbzQ2B1wIE++NbFlKZisp6oDvwZR034qDJwTTO2nFhJcodkxogzld73gEH4Ghwf3W93/aIHMZ553WdX/N8B2rYAQdCPVOkgj5r7PbnLG/Y+7BVNPDCj0j/omA2rd68fgdvCCvdJF8QRhlD5gvxw6kG42DVhk5HSTXKTbdmoB33YnJvFniIK063utyPawUfM27VTnjjBYHAgvnJlkpOAGFjh2p9PYSnsjNHkd2x2u9BX2oL3YYzXMMT5TcDCtUqMezRhmrePNyr/K8UMJwwxHPj/SkYUVTbqhaZr6fe9sDEomgv6uEbxAz36XaoWUsayczSRRcAlew8pvKClo/xndTh4qBO4nYa5L14sgWcHuavAPvlXoaA32rmZjz0N+RVKQdqiqljyk91GTP1ACYwS4u0ea/b0JU6l9fm/+uybvABIBmq1SWYW7isUYEvC9ltSVa7TYeaAFPjuDoQh8= jdog@localhost.wonderland.lol
diff --git a/test/docker/moduli_1024 b/test/docker/moduli_1024
new file mode 100644
index 0000000..bd81dae
--- /dev/null
+++ b/test/docker/moduli_1024
@@ -0,0 +1,44 @@
+20190821035337 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC08BE313B
+20190821035338 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC08C0B443
+20190821035338 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC08D1AF8B
+20190821035338 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC08E76DDB
+20190821035338 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC08E8F5D3
+20190821035338 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC08EE3F1B
+20190821035338 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC08F28387
+20190821035339 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC08F69A57
+20190821035339 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0903B157
+20190821035339 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0905C973
+20190821035339 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0909BCD3
+20190821035339 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC090F4A2B
+20190821035340 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0933BC13
+20190821035340 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC09395757
+20190821035340 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC093F40D7
+20190821035340 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC09478D4F
+20190821035340 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0953A4D7
+20190821035340 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC095B5C7B
+20190821035341 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC09696573
+20190821035341 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC096BA243
+20190821035341 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC096F3903
+20190821035341 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC09850E4B
+20190821035341 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC098A1C23
+20190821035341 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC098E08E7
+20190821035342 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC09A4FF7F
+20190821035342 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC09AE4707
+20190821035342 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC09B4CE73
+20190821035342 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC09C60C6F
+20190821035342 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC09D2588F
+20190821035343 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A025067
+20190821035343 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A0E38EB
+20190821035343 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A213923
+20190821035344 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A390CA7
+20190821035344 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A3C7ADB
+20190821035344 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A44D497
+20190821035344 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A479B13
+20190821035345 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A5EF01F
+20190821035345 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A615D43
+20190821035345 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A6BEADB
+20190821035345 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A86309F
+20190821035345 2 6 100 1023 5 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0A991E8F
+20190821035346 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0AA32C53
+20190821035346 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0AA9FAAB
+20190821035346 2 6 100 1023 2 F0B5E9E385A451D4F46BD2E354B5FCAAC21CA960E5D3D11F877DD50541ED125161E4A5055D528D67E525115BBFAB0B2A4AB8CF5BA98A8BBA41803ED5D4CF766E9ECD39A8D8D914B6F346E0EB2BA6936082751676DCE5C4817EFC7A8105C2A094B22C25245BE13CA4085F2985D3B7A2636FF4018A7E4EA9840BF5FFBC0AAC42BB
diff --git a/test/docker/policies/policy_test1.txt b/test/docker/policies/policy_test1.txt
new file mode 100644
index 0000000..11d8e5c
--- /dev/null
+++ b/test/docker/policies/policy_test1.txt
@@ -0,0 +1,10 @@
+#
+# Docker policy: test1
+#
+
+name = "Docker policy: test1"
+version = 1
+host keys = ssh-rsa, ssh-dss
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
diff --git a/test/docker/policies/policy_test10.txt b/test/docker/policies/policy_test10.txt
new file mode 100644
index 0000000..82c821e
--- /dev/null
+++ b/test/docker/policies/policy_test10.txt
@@ -0,0 +1,39 @@
+#
+# Docker policy: test10
+#
+
+# The name of this policy (displayed in the output during scans). Must be in quotes.
+name = "Docker poliicy: test10"
+
+# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_5.6"
+
+# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters). Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+hostkey_size_ssh-rsa-cert-v01@openssh.com = 4096
+
+# RSA CA key sizes.
+cakey_size_ssh-rsa-cert-v01@openssh.com = 4096
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+
+# The MACs that must match exactly (order matters).
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
diff --git a/test/docker/policies/policy_test11.txt b/test/docker/policies/policy_test11.txt
new file mode 100644
index 0000000..d0fa4ae
--- /dev/null
+++ b/test/docker/policies/policy_test11.txt
@@ -0,0 +1,35 @@
+#
+# Docker policy: test11
+#
+
+# The name of this policy (displayed in the output during scans). Must be in quotes.
+name = "Docker policy: test11"
+
+# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_8.0"
+
+# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters). Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
+
+# The MACs that must match exactly (order matters).
+macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
diff --git a/test/docker/policies/policy_test12.txt b/test/docker/policies/policy_test12.txt
new file mode 100644
index 0000000..0b8a30b
--- /dev/null
+++ b/test/docker/policies/policy_test12.txt
@@ -0,0 +1,35 @@
+#
+# Docker policy: test12
+#
+
+# The name of this policy (displayed in the output during scans). Must be in quotes.
+name = "Docker policy: test12"
+
+# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_8.0"
+
+# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters). Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 4096
+hostkey_size_rsa-sha2-512 = 4096
+hostkey_size_ssh-rsa = 4096
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
+
+# The MACs that must match exactly (order matters).
+macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
diff --git a/test/docker/policies/policy_test13.txt b/test/docker/policies/policy_test13.txt
new file mode 100644
index 0000000..0f43e2a
--- /dev/null
+++ b/test/docker/policies/policy_test13.txt
@@ -0,0 +1,38 @@
+#
+# Docker policy: test13
+#
+
+# The name of this policy (displayed in the output during scans). Must be in quotes.
+name = "Docker policy: test13"
+
+# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_8.0"
+
+# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters). Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 4096
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
+
+# The MACs that must match exactly (order matters).
+macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
diff --git a/test/docker/policies/policy_test14.txt b/test/docker/policies/policy_test14.txt
new file mode 100644
index 0000000..51b366d
--- /dev/null
+++ b/test/docker/policies/policy_test14.txt
@@ -0,0 +1,38 @@
+#
+# Docker policy: test14
+#
+
+# The name of this policy (displayed in the output during scans). Must be in quotes.
+name = "Docker policy: test14"
+
+# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_8.0"
+
+# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters). Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 8192
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
+
+# The MACs that must match exactly (order matters).
+macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
diff --git a/test/docker/policies/policy_test2.txt b/test/docker/policies/policy_test2.txt
new file mode 100644
index 0000000..2b7821c
--- /dev/null
+++ b/test/docker/policies/policy_test2.txt
@@ -0,0 +1,10 @@
+#
+# Docker policy: test2
+#
+
+name = "Docker policy: test2"
+version = 1
+host keys = ssh-rsa, ssh-dss
+key exchanges = kex_alg1, kex_alg2
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
diff --git a/test/docker/policies/policy_test3.txt b/test/docker/policies/policy_test3.txt
new file mode 100644
index 0000000..f4ff3a0
--- /dev/null
+++ b/test/docker/policies/policy_test3.txt
@@ -0,0 +1,10 @@
+#
+# Docker policy: test3
+#
+
+name = "Docker policy: test3"
+version = 1
+host keys = ssh-rsa, ssh-dss, key_alg1
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
diff --git a/test/docker/policies/policy_test4.txt b/test/docker/policies/policy_test4.txt
new file mode 100644
index 0000000..500d96f
--- /dev/null
+++ b/test/docker/policies/policy_test4.txt
@@ -0,0 +1,10 @@
+#
+# Docker policy: test4
+#
+
+name = "Docker policy: test4"
+version = 1
+host keys = ssh-rsa, ssh-dss
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+ciphers = cipher_alg1, cipher_alg2
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
diff --git a/test/docker/policies/policy_test5.txt b/test/docker/policies/policy_test5.txt
new file mode 100644
index 0000000..6285814
--- /dev/null
+++ b/test/docker/policies/policy_test5.txt
@@ -0,0 +1,10 @@
+#
+# Docker policy: test5
+#
+
+name = "Docker policy: test5"
+version = 1
+host keys = ssh-rsa, ssh-dss
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac_alg1, hmac-md5-96
diff --git a/test/docker/policies/policy_test6.txt b/test/docker/policies/policy_test6.txt
new file mode 100644
index 0000000..0a4aacb
--- /dev/null
+++ b/test/docker/policies/policy_test6.txt
@@ -0,0 +1,12 @@
+#
+# Docker policy: test6
+#
+
+name = "Docker policy: test6"
+version = 1
+banner = "SSH-2.0-OpenSSH_8.0"
+compressions = none, zlib@openssh.com
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
+ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
+macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
diff --git a/test/docker/policies/policy_test7.txt b/test/docker/policies/policy_test7.txt
new file mode 100644
index 0000000..05cd27f
--- /dev/null
+++ b/test/docker/policies/policy_test7.txt
@@ -0,0 +1,39 @@
+#
+# Docker policy: test7
+#
+
+# The name of this policy (displayed in the output during scans). Must be in quotes.
+name = "Docker poliicy: test7"
+
+# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_5.6"
+
+# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters). Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+hostkey_size_ssh-rsa-cert-v01@openssh.com = 3072
+
+# RSA CA key sizes.
+cakey_size_ssh-rsa-cert-v01@openssh.com = 1024
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+
+# The MACs that must match exactly (order matters).
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
diff --git a/test/docker/policies/policy_test8.txt b/test/docker/policies/policy_test8.txt
new file mode 100644
index 0000000..6268585
--- /dev/null
+++ b/test/docker/policies/policy_test8.txt
@@ -0,0 +1,39 @@
+#
+# Docker policy: test8
+#
+
+# The name of this policy (displayed in the output during scans). Must be in quotes.
+name = "Docker poliicy: test8"
+
+# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_5.6"
+
+# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters). Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+hostkey_size_ssh-rsa-cert-v01@openssh.com = 3072
+
+# RSA CA key sizes.
+cakey_size_ssh-rsa-cert-v01@openssh.com = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+
+# The MACs that must match exactly (order matters).
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
diff --git a/test/docker/policies/policy_test9.txt b/test/docker/policies/policy_test9.txt
new file mode 100644
index 0000000..63652ce
--- /dev/null
+++ b/test/docker/policies/policy_test9.txt
@@ -0,0 +1,39 @@
+#
+# Docker policy: test9
+#
+
+# The name of this policy (displayed in the output during scans). Must be in quotes.
+name = "Docker poliicy: test9"
+
+# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_5.6"
+
+# The header that must match exactly. Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters). Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+hostkey_size_ssh-rsa-cert-v01@openssh.com = 4096
+
+# RSA CA key sizes.
+cakey_size_ssh-rsa-cert-v01@openssh.com = 1024
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+
+# The MACs that must match exactly (order matters).
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
diff --git a/test/docker/ssh1_host_key b/test/docker/ssh1_host_key
new file mode 100644
index 0000000..c98971c
--- /dev/null
+++ b/test/docker/ssh1_host_key
Binary files differ
diff --git a/test/docker/ssh1_host_key.pub b/test/docker/ssh1_host_key.pub
new file mode 100644
index 0000000..b66c66f
--- /dev/null
+++ b/test/docker/ssh1_host_key.pub
@@ -0,0 +1 @@
+1024 35 150823875409720459951648542224727752099073441604930026287525797402159071426070997897033651155038337251362080634963146983947007228274330777134724953282680928153520263171933106732090266742784258910450489054624715996015082463159338507115031336180486071622718809324273851629938883104520608180885444242395900180011 root@ubuntu1604server
diff --git a/test/docker/ssh_host_dsa_key b/test/docker/ssh_host_dsa_key
new file mode 100644
index 0000000..ecd47f9
--- /dev/null
+++ b/test/docker/ssh_host_dsa_key
@@ -0,0 +1,12 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIIBugIBAAKBgQDth1eV+A8j191R0ey0dVXL2LGNGYM+a+PomSa7suK8xNCeVLKC
+YpQ6VSWpAf6FbRWev1UVo8IpbglwFZPcyFPK2G1H7p45ows2SN4CleszDD56e6W0
+3Plc+qMqSJ6LTjr4M5+HqTDOM3CS72d7MXUkfHQiagyrWQhXyc0kFsNJLwIVAKg7
+b5+NiIZzpg5IEH0tlYFQpuhBAoGAGcbq79QqNNZRuPCE/F05sCoTRGCmFnDjCuCg
+WN7wNRotjMz/S3pHtCCeuTT1jT6Hy0ZFHftv0t/GF8GBRgeokUbS4ytHpOkFWcTz
+8oFguDL44nq8eNfSY6bzEl84qsgEe4HP93mB4FR1ZUUgI4b7gCBOYEFl3yPiH7H1
+p7Z9E1oCgYAl1UPQkeRhElz+AgEbNsnMKu1+6O3/z95D1Wvv4OEwAImbytlBaC7p
+kwJElJNsMMfGqCC8OHdJ0e4VQQUwk/GOhD0MFhVQHBtVZYbiWmVkpfHf1ouUQg3f
+1IZmz2SSt6cPPEu+BEQ/Sn3mFRJ5XSTHLtnI0HJeDND5u1+6p1nXawIURv3Maige
+oxmfqC24VoROJEq+sew=
+-----END DSA PRIVATE KEY-----
diff --git a/test/docker/ssh_host_dsa_key.pub b/test/docker/ssh_host_dsa_key.pub
new file mode 100644
index 0000000..a32a5a0
--- /dev/null
+++ b/test/docker/ssh_host_dsa_key.pub
@@ -0,0 +1 @@
+ssh-dss AAAAB3NzaC1kc3MAAACBAO2HV5X4DyPX3VHR7LR1VcvYsY0Zgz5r4+iZJruy4rzE0J5UsoJilDpVJakB/oVtFZ6/VRWjwiluCXAVk9zIU8rYbUfunjmjCzZI3gKV6zMMPnp7pbTc+Vz6oypInotOOvgzn4epMM4zcJLvZ3sxdSR8dCJqDKtZCFfJzSQWw0kvAAAAFQCoO2+fjYiGc6YOSBB9LZWBUKboQQAAAIAZxurv1Co01lG48IT8XTmwKhNEYKYWcOMK4KBY3vA1Gi2MzP9Leke0IJ65NPWNPofLRkUd+2/S38YXwYFGB6iRRtLjK0ek6QVZxPPygWC4Mvjierx419JjpvMSXziqyAR7gc/3eYHgVHVlRSAjhvuAIE5gQWXfI+IfsfWntn0TWgAAAIAl1UPQkeRhElz+AgEbNsnMKu1+6O3/z95D1Wvv4OEwAImbytlBaC7pkwJElJNsMMfGqCC8OHdJ0e4VQQUwk/GOhD0MFhVQHBtVZYbiWmVkpfHf1ouUQg3f1IZmz2SSt6cPPEu+BEQ/Sn3mFRJ5XSTHLtnI0HJeDND5u1+6p1nXaw==
diff --git a/test/docker/ssh_host_ecdsa_key b/test/docker/ssh_host_ecdsa_key
new file mode 100644
index 0000000..69eea7b
--- /dev/null
+++ b/test/docker/ssh_host_ecdsa_key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICq/YV5QenL0uW5g5tCjY3EWs+UBFmskY+Jjt2vd2aEmoAoGCCqGSM49
+AwEHoUQDQgAEdYSxDVUjOpW479L/nRDiAdxRB5Kuy2bgkP/LA2pnWPcGIWmFa4QU
+YN2U3JsFKcLIcx5cvTehQfgrHDnaSKVdKA==
+-----END EC PRIVATE KEY-----
diff --git a/test/docker/ssh_host_ecdsa_key.pub b/test/docker/ssh_host_ecdsa_key.pub
new file mode 100644
index 0000000..4e17058
--- /dev/null
+++ b/test/docker/ssh_host_ecdsa_key.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHWEsQ1VIzqVuO/S/50Q4gHcUQeSrstm4JD/ywNqZ1j3BiFphWuEFGDdlNybBSnCyHMeXL03oUH4Kxw52kilXSg=
diff --git a/test/docker/ssh_host_ed25519_key b/test/docker/ssh_host_ed25519_key
new file mode 100644
index 0000000..3388574
--- /dev/null
+++ b/test/docker/ssh_host_ed25519_key
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACC/9RD2Ao95ODDIH8i11ekTALut8AUNqWoQx0jHlP4xygAAAKDiqVOs4qlT
+rAAAAAtzc2gtZWQyNTUxOQAAACC/9RD2Ao95ODDIH8i11ekTALut8AUNqWoQx0jHlP4xyg
+AAAECTmHGkq0Qea0QqTJYMXL0bpxVU7mhgwYninfVWxrA017/1EPYCj3k4MMgfyLXV6RMA
+u63wBQ2pahDHSMeU/jHKAAAAHWpkb2dAbG9jYWxob3N0LndvbmRlcmxhbmQubG9s
+-----END OPENSSH PRIVATE KEY-----
diff --git a/test/docker/ssh_host_ed25519_key-cert.pub b/test/docker/ssh_host_ed25519_key-cert.pub
new file mode 100644
index 0000000..8eef563
--- /dev/null
+++ b/test/docker/ssh_host_ed25519_key-cert.pub
@@ -0,0 +1 @@
+ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIO1W0I8tD0c4LypvHY1XNch3BQCw9Yy28/4KmAYql80DAAAAIL/1EPYCj3k4MMgfyLXV6RMAu63wBQ2pahDHSMeU/jHKAAAAAAAAAAAAAAACAAAABHRlc3QAAAAIAAAABHRlc3QAAAAAXV7hvAAAAACBa2YhAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAbM9Wp3ZPcC8Ifhu6GjNDJaoMg7KxO0el2+r9J35TltQAAAFMAAAALc3NoLWVkMjU1MTkAAABAW60bCSeIG4Ta+57zgkSbW4LIGCxtOuJJ+pP3i3S0xJJfHGnOtXbg0NQm7pulNl/wd01kgJO9A7RjbhTh7TV1AA== ssh_host_ed25519_key.pub
diff --git a/test/docker/ssh_host_ed25519_key.pub b/test/docker/ssh_host_ed25519_key.pub
new file mode 100644
index 0000000..e56a56a
--- /dev/null
+++ b/test/docker/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL/1EPYCj3k4MMgfyLXV6RMAu63wBQ2pahDHSMeU/jHK
diff --git a/test/docker/ssh_host_rsa_key_1024 b/test/docker/ssh_host_rsa_key_1024
new file mode 100644
index 0000000..e9023b6
--- /dev/null
+++ b/test/docker/ssh_host_rsa_key_1024
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDeCC1U7VqVg9AfrfWrXACiW6pzYOuP8tim68z+YN/dUU7JhFZ4
+0toteQkLcJBAD2miQ6ZJYkjVfhQ4FRFeOW5vcN0UYHn8ttb2mKdGJdt24ZYY5Z6J
+WHQhPOpSgtWyUv6RnxU2ligEeaoPaiepUUOhoyLf4WcF7voVCAKZNqeTtQIDAQAB
+AoGATGZ16s5NqDsWJ4B9k3xx/2wZZ+BGzl6a7D0habq97XLn8HGoK6UqTBFk6lnO
+WSy0hZBPrNq0AzqCDJY7RrfuZqgVAu/+HEFuXencgt8Z//ueYBaGK8yAC+OrMnDG
+LbSoIGRq8saaFtCzt47c+uSVsrhJ4TvK5gbceZuD/2uw10ECQQD79T0j+YWsLISK
+PKvYHqEXSMPN6b+lK9hRPLoF9NMksNLSjuxxhkYHz+hJPVNT+wPtRMAYmMdPXfKa
+FjuErXVFAkEA4ZgJIOeJ7OHfqGEgd29m36yFy0UaUJ+cmYuJzHAYWgW3TOanqpZm
+A8EENuXvH0DtYRVytv4m/cIRVVPxWtXzsQJBALXlQUOEc0VuSi1GScVXr3KQ3JL+
+ipWixqM3VRDRw9D8Ouc5uWbnygz/wrGFLXA2ioozlP7s5Q7eQzOMk2FgnIUCQQCz
+j5QUgLcjuVWQbF6vMhisCGImPUaIzcKT5KE1/DMl1E7mAuGJwlRIwKVeHP6L3d4T
+3EKGrRzT9lhdlocRSiLBAkEAi3xI0MOZp4xGviPc1C1TKuqdJSr8fHwbtLozwNQO
+nnF6m5S72JzZEThDBZS9zcdBp9EFpTvUGzx/O0GI454eoA==
+-----END RSA PRIVATE KEY-----
diff --git a/test/docker/ssh_host_rsa_key_1024-cert_1024.pub b/test/docker/ssh_host_rsa_key_1024-cert_1024.pub
new file mode 100644
index 0000000..17c7738
--- /dev/null
+++ b/test/docker/ssh_host_rsa_key_1024-cert_1024.pub
@@ -0,0 +1 @@
+ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgFqxXSa9HTqCw5YW3DdIwVREPGxI+i56w32RnHWRg0NoAAAADAQABAAAAgQDeCC1U7VqVg9AfrfWrXACiW6pzYOuP8tim68z+YN/dUU7JhFZ40toteQkLcJBAD2miQ6ZJYkjVfhQ4FRFeOW5vcN0UYHn8ttb2mKdGJdt24ZYY5Z6JWHQhPOpSgtWyUv6RnxU2ligEeaoPaiepUUOhoyLf4WcF7voVCAKZNqeTtQAAAAAAAAAAAAAAAgAAAAR0ZXN0AAAACAAAAAR0ZXN0AAAAAF1evHgAAAAAgWtAtQAAAAAAAAAAAAAAAAAAAJcAAAAHc3NoLXJzYQAAAAMBAAEAAACBAOdGU3cAWdR7aUV/lcb1SFcuv/086u41MVsy3TOuM5RKOYBLuFLqkO/lUROhPoNpHURBRhqpIykdjNmG4Irna+vJ06blcVsnvvXav0zJlBSGhVnHxK50EfNUMhU7eNwwxYiWt9YEydRpQcSqmbLzxjuAoNrZNbEmDX6GDnUqoetRAAAAjwAAAAdzc2gtcnNhAAAAgFRc2g0eWXGmqSa6Z8rcMPHf4rNMornEHSnTzZ8Rdh4YBhDa9xMRRy6puaWPDzXxOfZh7eSjCwrzUMEXTgCIO4oX62xm/6kUnAmKhXle0+inR/hdPg03daE0SBJ4spBT49lJ4WIW38RKFNzjmYg70rTPAnP8oM/F3CC1GV117/Vv ssh_host_rsa_key_1024.pub
diff --git a/test/docker/ssh_host_rsa_key_1024-cert_3072.pub b/test/docker/ssh_host_rsa_key_1024-cert_3072.pub
new file mode 100644
index 0000000..ea0160a
--- /dev/null
+++ b/test/docker/ssh_host_rsa_key_1024-cert_3072.pub
@@ -0,0 +1 @@
+ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgrJGcfyW8V6VWGT7lD1ardj2RtTP8TOjmLRNbuoGkyZQAAAADAQABAAAAgQDeCC1U7VqVg9AfrfWrXACiW6pzYOuP8tim68z+YN/dUU7JhFZ40toteQkLcJBAD2miQ6ZJYkjVfhQ4FRFeOW5vcN0UYHn8ttb2mKdGJdt24ZYY5Z6JWHQhPOpSgtWyUv6RnxU2ligEeaoPaiepUUOhoyLf4WcF7voVCAKZNqeTtQAAAAAAAAAAAAAAAgAAAAR0ZXN0AAAACAAAAAR0ZXN0AAAAAF1evHgAAAAAgWtA7gAAAAAAAAAAAAAAAAAAAZcAAAAHc3NoLXJzYQAAAAMBAAEAAAGBAKsUBCG4/MNE6wWNXwzvNXLq4o0K3SzlK/FZfFxAlnOUBndS5ABvNDYHXAgT741sWUpmKynqgO/BlHTfioMnBNM7acWElyh2TGiDOV3veAQfgaHB/db3f9ogcxnnndZ1f83wHatgBB0I9U6SCPmvs9ucsb9j7sFU08MKPSP+iYDat3rx+B28IK90kXxBGGUPmC/HDqQbjYNWGTkdJNcpNt2agHfdicm8WeIgrTre63I9rBR8zbtVOeOMFgcCC+cmWSk4AYWOHan09hKeyM0eR3bHa70FfagvdhjNcwxPlNwMK1Sox7NGGat483Kv8rxQwnDDEc+P9KRhRVNuqFpmvp972wMSiaC/q4RvEDPfpdqhZSxrJzNJFFwCV7Dym8oKWj/Gd1OHioE7idhrkvXiyBZwe5q8A++VehoDfauZmPPQ35FUpB2qKqWPKT3UZM/UAJjBLi7R5r9vQlTqX1+b/67Ju8AEgGarVJZhbuKxRgS8L2W1JVrtNh5oAU+O4OhCHwAAAY8AAAAHc3NoLXJzYQAAAYCO78ONpHp+EGWDqDLb/GPFDH32o6oaRRrIH/Bhvg1FOi5XngnHTdU7xWdnJqNE2Sl6VOrg0sTCMYcX9fZ8tVREnCo3aF7Iwow5Br67QYKayRzHANQqHaVK46lpI1gz81V00u54tX1F8oEUqm6sRmFKFuklt6CjfbR+tnpj7DrfeOTKEBOGJP2uU0jMsJr2DrBeXrzONjIJtIJ1AxWjXd2LeIWO2C6yTkcN5ggThMMaeu6QuuBPpC2PN2COfu+Mgto9g103+/SS4Wa8CzinZZn2Xe1isUxI8QRNrShy4Hl/bIZQL7mi/0rxkfw+fA7IzMk462V99gPVSp+/jK0sbUJoC3QeeglS5hWodjW+VGZfgweGQ+AE/OxkNSv+kDPMYEkjfOf4qhxS5QFvButLt6zp2UNbE5+OWvYpdjO9/DOa0ro+wCw07+dVKIcDpU2csiCcJvQ/HmKAmhch7jOHa0WaxSX0tt0xTPJWTvr6E4WZOgEnk9AvWmrKjF5tEzGYwTU= ssh_host_rsa_key_1024.pub
diff --git a/test/docker/ssh_host_rsa_key_1024.pub b/test/docker/ssh_host_rsa_key_1024.pub
new file mode 100644
index 0000000..1da6065
--- /dev/null
+++ b/test/docker/ssh_host_rsa_key_1024.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDeCC1U7VqVg9AfrfWrXACiW6pzYOuP8tim68z+YN/dUU7JhFZ40toteQkLcJBAD2miQ6ZJYkjVfhQ4FRFeOW5vcN0UYHn8ttb2mKdGJdt24ZYY5Z6JWHQhPOpSgtWyUv6RnxU2ligEeaoPaiepUUOhoyLf4WcF7voVCAKZNqeTtQ==
diff --git a/test/docker/ssh_host_rsa_key_3072 b/test/docker/ssh_host_rsa_key_3072
new file mode 100644
index 0000000..3a2c719
--- /dev/null
+++ b/test/docker/ssh_host_rsa_key_3072
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG5AIBAAKCAYEAzhHp7eFnrQAJqOd7aihyQyIDKgxCF7H51Q3Ft3+8af+lX3Ol
+Ie77Gi5GNNM+eRB4OzG+CBslxN5I3pM//sZ+gyylA1VuWZZkOlgtbOHutIkO2ldk
+XtoGidla0VAxLcUcUK6cCmqwBTT31Hp4Qimp2zyeg/l5q0DhWKguY13lrm5b3YZY
+rj7CW3Ktzxf8SbYz6du8KF0dHCWilzq+FLeGzXr7Yul5njVF5njkGvZ9duQ0qiVR
+zqZkrkLEWgQlCM0T+PyUbvedL1MfDZPHGh7ZhU0snOvJRsxAr31tlknq+WwauZYd
+DzJf1g1URcM65UwEsPlfgOW3ZoZogR1v57Im+KdsKhq2B3snEtJgdQh06JyO0ur4
+uUXo1mMtvBFhiptUtwP4g9v/IN4neeK+wBRom46m2Q1bMUBPneBOa8r2SY/3ynrz
+XuVIWFOQtF60aJ+BNqvgUVCKOmz1KzoJwTqGm+EFaKM5z+UQWjIbSE3Ge4X5hXtk
+Ou52v+tyDUk6boZLAgMBAAECggGAdrhxWmA7N7tG1W2Pd6iXs7+brRTk2vvpYGqP
+11kbNsJXBzf8EiG5vuqb/gEaA+uOKSRORCNHzjT2LG0POHwpFO+aneIRMkHnuolk
+mk9ME+zGhtpEdDUOAUsc/GxD+QePeZgvQ/0VLdrHUT3BnPSd7DXvaT9IbnZxnX8/
+QnYtRiJEgMrOuoxjswXNxvsdmWYEYJ38uBB1Hes80f3A1vSpECbjP6gdLh2pCM/r
+MvGBdQaipMfdar4IUTEcKHQs1fY3mlAxnWRjYCqJPmq10d3NrdUrHb2zBE1HCC4h
+aj2ycTxFhDJqGV6Y2AboHqh2c7lPJ+R2UjI9mIpALZSviHB1POcpWCAGA3NKjri9
+8jgxl3bj03ikJNfCuvlqRTa8at63W2zZTMRsxamoiO023uUOEMNBPwWXP/rVhQ8g
+ufih0SY44j0EMPIuu2PoQV4ZSOtDw8xdPrchVCa078/pP5cRa4uV0bl2K4as+cYC
+BhjEq2Org3ulDW2n6Mz5ZS7NbAkxAoHBAP/bgPGKX7rfrHa5MRHIgbLSmZtUoF51
+YGelc8ytRx6UT6wriJ1jQRXiI5mZlIXyVxMpIz9s4+h59kF+LpZuNLc3vTYpPOQn
+RUDBVY6+SPC5MancL7bfBoHahpWEJuJB/WUE7eWvQM03/LsBtU6Nq+R632t5KdqF
+A4y86qgD1vIjcBWvySLFJZGOCoNbj7ZinoBUO3ueYK6SUj8xH6TAqOJsTPvquRT3
+AFBpFBmrVc24wW7wTiLkQOhkIQs1J/ZhYwKBwQDOL07qF8wsoQBBTTXkZ59BCauz
+R8kfqe5oUBwsmGJdiIHX6gutBA07sSwzVekIvCCkJFXk3TxLoBSMHEZEIdnS+HVt
+gMIacYuhbh+XztdY0kadH/SMbVQD/2LZcL99vcZPq1QF3cHb0Buip5+fyAYjoEc7
+oVgvewD/TwdNcMjos/kMNh6l04kLi6vQG3WhoSBPWaoB669ppBNXSrWKe43nXVi6
+EvjGEiL+HCCnmD6LiD6p797Owu9AChP6fXInD/kCgcEAiLP3SRbt3yLzOtvn4+CF
+q83qVJv6s31zbO1x2cIbZbNIfm0kKTOG6vJQoxjzyj2ZWJt6QcEkZGoFsSiCK83m
+TJ5zciTGbACvd9HUrNfukO/iISeMNuEi0O65Sdm6DNnFUdw4X6grr3pihmh7PuVj
+GkisZvft7Nt08hVeKzch+W4FzRCHHxTG5eZGp7icKI64sUhQH9SXQ67aUvkkNxrZ
+IWFMIK1hBlqSyGPcYXqx9aDpeSTcGrhqFcCqBxr3pySRAoHAfJNO3delEC3yxoHN
+FwSYzyX1rOuplE0K89G7RCKKBDNPKFKL3Wx+Rluk9htpIlLwcdxWXWJiZNsCrykC
+N3YwcuyVnqTWIj4KfG3Z/tIFgPADpDnDevkvcv7iDbi2qlV4NXix2p2C3LnfiKY4
+psSnGO1lPJ0eeAmcr6VjJyIG8bqTthIY8F5gBi7Mj3+X0iFVMTxeoKxzHqP435wP
+Fe3S7kCTNFH0J1Cb/eamwDwXRhz6p5h7iXd0MMAmFAmpZ/qZAoHBAPDSIvk2ocf1
+FVW8pKtKOJFIs8iQVIaOLKwPJVP8/JsB1+7mQx5KMoROb5pNpX2edN4vvG0CgqpJ
+KekleqpH6nQCqYGFZ1BDhORElNILxeJHcNl0eAG++IJ2PfIpTZV30edDqMm0x7EI
+8POZWAx809VzcYbE2jsgpN/EuiaG30EAI5yNvyzmZRCyQykH+eltHlCx17MWBxRQ
+bb2UUfpdInTMS2vyrvkeUACkC1DGYdBVVBqqPTkHZg+Kcbs8ntQqEQ==
+-----END RSA PRIVATE KEY-----
diff --git a/test/docker/ssh_host_rsa_key_3072-cert_1024.pub b/test/docker/ssh_host_rsa_key_3072-cert_1024.pub
new file mode 100644
index 0000000..da6b9ec
--- /dev/null
+++ b/test/docker/ssh_host_rsa_key_3072-cert_1024.pub
@@ -0,0 +1 @@
+ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgGHz1JwF/1IcxW3pdQtpqbUjIHaFuk0cR/+l50vG+9hIAAAADAQABAAABgQDOEent4WetAAmo53tqKHJDIgMqDEIXsfnVDcW3f7xp/6Vfc6Uh7vsaLkY00z55EHg7Mb4IGyXE3kjekz/+xn6DLKUDVW5ZlmQ6WC1s4e60iQ7aV2Re2gaJ2VrRUDEtxRxQrpwKarAFNPfUenhCKanbPJ6D+XmrQOFYqC5jXeWublvdhliuPsJbcq3PF/xJtjPp27woXR0cJaKXOr4Ut4bNevti6XmeNUXmeOQa9n125DSqJVHOpmSuQsRaBCUIzRP4/JRu950vUx8Nk8caHtmFTSyc68lGzECvfW2WSer5bBq5lh0PMl/WDVRFwzrlTASw+V+A5bdmhmiBHW/nsib4p2wqGrYHeycS0mB1CHTonI7S6vi5RejWYy28EWGKm1S3A/iD2/8g3id54r7AFGibjqbZDVsxQE+d4E5ryvZJj/fKevNe5UhYU5C0XrRon4E2q+BRUIo6bPUrOgnBOoab4QVooznP5RBaMhtITcZ7hfmFe2Q67na/63INSTpuhksAAAAAAAAAAAAAAAIAAAAEdGVzdAAAAAgAAAAEdGVzdAAAAABdXry0AAAAAIFrQR8AAAAAAAAAAAAAAAAAAACXAAAAB3NzaC1yc2EAAAADAQABAAAAgQDnRlN3AFnUe2lFf5XG9UhXLr/9POruNTFbMt0zrjOUSjmAS7hS6pDv5VEToT6DaR1EQUYaqSMpHYzZhuCK52vrydOm5XFbJ7712r9MyZQUhoVZx8SudBHzVDIVO3jcMMWIlrfWBMnUaUHEqpmy88Y7gKDa2TWxJg1+hg51KqHrUQAAAI8AAAAHc3NoLXJzYQAAAIB4HaEexgQ9T6rScEbiHZx+suCaYXI7ywLYyoSEO48K8o+MmO83UTLtpPa3DXlT8hSYL8Aq6Bb5AMkDawsgsC484owPqObT/5ndLG/fctNBFcCTSL0ftte+A8xH0pZaGRoKbdxxgMqX4ubrCXpbMLGF9aAeh7MRa756XzqGlsCiSA== ssh_host_rsa_key_3072.pub
diff --git a/test/docker/ssh_host_rsa_key_3072-cert_3072.pub b/test/docker/ssh_host_rsa_key_3072-cert_3072.pub
new file mode 100644
index 0000000..78f49ea
--- /dev/null
+++ b/test/docker/ssh_host_rsa_key_3072-cert_3072.pub
@@ -0,0 +1 @@
+ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg9MVX4OlkEy3p9eC+JJp8h7j76EmI46EY/RXxCGSWTC0AAAADAQABAAABgQDOEent4WetAAmo53tqKHJDIgMqDEIXsfnVDcW3f7xp/6Vfc6Uh7vsaLkY00z55EHg7Mb4IGyXE3kjekz/+xn6DLKUDVW5ZlmQ6WC1s4e60iQ7aV2Re2gaJ2VrRUDEtxRxQrpwKarAFNPfUenhCKanbPJ6D+XmrQOFYqC5jXeWublvdhliuPsJbcq3PF/xJtjPp27woXR0cJaKXOr4Ut4bNevti6XmeNUXmeOQa9n125DSqJVHOpmSuQsRaBCUIzRP4/JRu950vUx8Nk8caHtmFTSyc68lGzECvfW2WSer5bBq5lh0PMl/WDVRFwzrlTASw+V+A5bdmhmiBHW/nsib4p2wqGrYHeycS0mB1CHTonI7S6vi5RejWYy28EWGKm1S3A/iD2/8g3id54r7AFGibjqbZDVsxQE+d4E5ryvZJj/fKevNe5UhYU5C0XrRon4E2q+BRUIo6bPUrOgnBOoab4QVooznP5RBaMhtITcZ7hfmFe2Q67na/63INSTpuhksAAAAAAAAAAAAAAAIAAAAEdGVzdAAAAAgAAAAEdGVzdAAAAABdXr0sAAAAAIFrQWwAAAAAAAAAAAAAAAAAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQCrFAQhuPzDROsFjV8M7zVy6uKNCt0s5SvxWXxcQJZzlAZ3UuQAbzQ2B1wIE++NbFlKZisp6oDvwZR034qDJwTTO2nFhJcodkxogzld73gEH4Ghwf3W93/aIHMZ553WdX/N8B2rYAQdCPVOkgj5r7PbnLG/Y+7BVNPDCj0j/omA2rd68fgdvCCvdJF8QRhlD5gvxw6kG42DVhk5HSTXKTbdmoB33YnJvFniIK063utyPawUfM27VTnjjBYHAgvnJlkpOAGFjh2p9PYSnsjNHkd2x2u9BX2oL3YYzXMMT5TcDCtUqMezRhmrePNyr/K8UMJwwxHPj/SkYUVTbqhaZr6fe9sDEomgv6uEbxAz36XaoWUsayczSRRcAlew8pvKClo/xndTh4qBO4nYa5L14sgWcHuavAPvlXoaA32rmZjz0N+RVKQdqiqljyk91GTP1ACYwS4u0ea/b0JU6l9fm/+uybvABIBmq1SWYW7isUYEvC9ltSVa7TYeaAFPjuDoQh8AAAGPAAAAB3NzaC1yc2EAAAGAG8tCiBMSq3Of3Gmcrid2IfPmaaemYivgEEuK8ubq1rznF0vtR07/NUQ7WVzfJhUSeG0gtJ3A1ey60NjcBn0DHao4Q3ATIXnkSOIKjNolZ2urqYv9fT1LAC4I5XWGzK2aKK0NEqAYr06YPtcGOBQk5+3GPAWSJ4eQycKRz5BSuMYbKaVxU0kGSvbavG07ZntMQhia/lILyq84PjXh/JlRVpIqY+LAS0qwqkUR3gWMTmvYvYI7fXU84ReVB1ut75bY7Xx0DXHPl1Zc2MNDLGcKsByZtoO9ueZRyOlZMUJcVP5fK+OUuZKjMbCaaJnV55BQ78/rftIPYsTEEO2Sf9WT86ADa3k4S0pyWqlTxBzZcDWNt+fZFNm9wcqcYS32nDKtfixcDN8E/IJIWY7aoabPqoYnKUVQBOcIEnZf1HqsKUVmF44Dp9mKhefUs3BtcdK63j/lNXzzMrPwZQAreJqH/uV3TgYBLjMPl++ctX6tCe6Hv5zFKNhnOCSBSzcsCgIU ssh_host_rsa_key_3072.pub
diff --git a/test/docker/ssh_host_rsa_key_3072.pub b/test/docker/ssh_host_rsa_key_3072.pub
new file mode 100644
index 0000000..ad83cd1
--- /dev/null
+++ b/test/docker/ssh_host_rsa_key_3072.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDOEent4WetAAmo53tqKHJDIgMqDEIXsfnVDcW3f7xp/6Vfc6Uh7vsaLkY00z55EHg7Mb4IGyXE3kjekz/+xn6DLKUDVW5ZlmQ6WC1s4e60iQ7aV2Re2gaJ2VrRUDEtxRxQrpwKarAFNPfUenhCKanbPJ6D+XmrQOFYqC5jXeWublvdhliuPsJbcq3PF/xJtjPp27woXR0cJaKXOr4Ut4bNevti6XmeNUXmeOQa9n125DSqJVHOpmSuQsRaBCUIzRP4/JRu950vUx8Nk8caHtmFTSyc68lGzECvfW2WSer5bBq5lh0PMl/WDVRFwzrlTASw+V+A5bdmhmiBHW/nsib4p2wqGrYHeycS0mB1CHTonI7S6vi5RejWYy28EWGKm1S3A/iD2/8g3id54r7AFGibjqbZDVsxQE+d4E5ryvZJj/fKevNe5UhYU5C0XrRon4E2q+BRUIo6bPUrOgnBOoab4QVooznP5RBaMhtITcZ7hfmFe2Q67na/63INSTpuhks=