From f0f453c916e279980df981c1e1dee0d167dc124e Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 15 Apr 2024 19:07:52 +0200 Subject: Adding upstream version 3.1.0. Signed-off-by: Daniel Baumann --- src/ssh_audit/__init__.py | 0 src/ssh_audit/__main__.py | 16 + src/ssh_audit/algorithm.py | 61 ++ src/ssh_audit/algorithms.py | 223 +++++ src/ssh_audit/auditconf.py | 99 ++ src/ssh_audit/banner.py | 92 ++ src/ssh_audit/exitcodes.py | 6 + src/ssh_audit/fingerprint.py | 43 + src/ssh_audit/gextest.py | 235 +++++ src/ssh_audit/globals.py | 40 + src/ssh_audit/hostkeytest.py | 233 +++++ src/ssh_audit/kexdh.py | 409 ++++++++ src/ssh_audit/outputbuffer.py | 185 ++++ src/ssh_audit/policy.py | 605 ++++++++++++ src/ssh_audit/product.py | 31 + src/ssh_audit/protocol.py | 36 + src/ssh_audit/readbuf.py | 92 ++ src/ssh_audit/software.py | 227 +++++ src/ssh_audit/ssh1.py | 40 + src/ssh_audit/ssh1_crc32.py | 47 + src/ssh_audit/ssh1_kexdb.py | 84 ++ src/ssh_audit/ssh1_publickeymessage.py | 144 +++ src/ssh_audit/ssh2_kex.py | 134 +++ src/ssh_audit/ssh2_kexdb.py | 468 +++++++++ src/ssh_audit/ssh2_kexparty.py | 50 + src/ssh_audit/ssh_audit.py | 1595 +++++++++++++++++++++++++++++++ src/ssh_audit/ssh_socket.py | 345 +++++++ src/ssh_audit/timeframe.py | 77 ++ src/ssh_audit/utils.py | 165 ++++ src/ssh_audit/versionvulnerabilitydb.py | 170 ++++ src/ssh_audit/writebuf.py | 108 +++ 31 files changed, 6060 insertions(+) create mode 100644 src/ssh_audit/__init__.py create mode 100644 src/ssh_audit/__main__.py create mode 100644 src/ssh_audit/algorithm.py create mode 100644 src/ssh_audit/algorithms.py create mode 100644 src/ssh_audit/auditconf.py create mode 100644 src/ssh_audit/banner.py create mode 100644 src/ssh_audit/exitcodes.py create mode 100644 src/ssh_audit/fingerprint.py create mode 100644 src/ssh_audit/gextest.py create mode 100644 src/ssh_audit/globals.py create mode 100644 src/ssh_audit/hostkeytest.py create mode 100644 src/ssh_audit/kexdh.py create mode 100644 src/ssh_audit/outputbuffer.py create mode 100644 src/ssh_audit/policy.py create mode 100644 src/ssh_audit/product.py create mode 100644 src/ssh_audit/protocol.py create mode 100644 src/ssh_audit/readbuf.py create mode 100644 src/ssh_audit/software.py create mode 100644 src/ssh_audit/ssh1.py create mode 100644 src/ssh_audit/ssh1_crc32.py create mode 100644 src/ssh_audit/ssh1_kexdb.py create mode 100644 src/ssh_audit/ssh1_publickeymessage.py create mode 100644 src/ssh_audit/ssh2_kex.py create mode 100644 src/ssh_audit/ssh2_kexdb.py create mode 100644 src/ssh_audit/ssh2_kexparty.py create mode 100755 src/ssh_audit/ssh_audit.py create mode 100644 src/ssh_audit/ssh_socket.py create mode 100644 src/ssh_audit/timeframe.py create mode 100644 src/ssh_audit/utils.py create mode 100644 src/ssh_audit/versionvulnerabilitydb.py create mode 100644 src/ssh_audit/writebuf.py (limited to 'src/ssh_audit') diff --git a/src/ssh_audit/__init__.py b/src/ssh_audit/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/src/ssh_audit/__main__.py b/src/ssh_audit/__main__.py new file mode 100644 index 0000000..9ae64fa --- /dev/null +++ b/src/ssh_audit/__main__.py @@ -0,0 +1,16 @@ +import sys +import traceback + +from ssh_audit.ssh_audit import main +from ssh_audit import exitcodes + + +exit_code = exitcodes.GOOD + +try: + exit_code = main() +except Exception: + exit_code = exitcodes.UNKNOWN_ERROR + print(traceback.format_exc()) + +sys.exit(exit_code) diff --git a/src/ssh_audit/algorithm.py b/src/ssh_audit/algorithm.py new file mode 100644 index 0000000..e213264 --- /dev/null +++ b/src/ssh_audit/algorithm.py @@ -0,0 +1,61 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + +from ssh_audit.product import Product + + +class Algorithm: + + @staticmethod + def get_ssh_version(version_desc: str) -> Tuple[str, str, bool]: + is_client = version_desc.endswith('C') + if is_client: + version_desc = version_desc[:-1] + if version_desc.startswith('d'): + return Product.DropbearSSH, version_desc[1:], is_client + elif version_desc.startswith('l1'): + return Product.LibSSH, version_desc[2:], is_client + else: + return Product.OpenSSH, version_desc, is_client + + @classmethod + def get_since_text(cls, versions: List[Optional[str]]) -> Optional[str]: + tv = [] + if len(versions) == 0 or versions[0] is None: + return None + for v in versions[0].split(','): + ssh_prod, ssh_ver, is_cli = cls.get_ssh_version(v) + if not ssh_ver: + continue + if ssh_prod in [Product.LibSSH]: + continue + if is_cli: + ssh_ver = '{} (client only)'.format(ssh_ver) + tv.append('{} {}'.format(ssh_prod, ssh_ver)) + if len(tv) == 0: + return None + return 'available since ' + ', '.join(tv).rstrip(', ') diff --git a/src/ssh_audit/algorithms.py b/src/ssh_audit/algorithms.py new file mode 100644 index 0000000..5f75c85 --- /dev/null +++ b/src/ssh_audit/algorithms.py @@ -0,0 +1,223 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017-2021 Joe Testa (jtesta@positronsecurity.com) + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + +from ssh_audit.algorithm import Algorithm +from ssh_audit.product import Product +from ssh_audit.software import Software +from ssh_audit.ssh1_kexdb import SSH1_KexDB +from ssh_audit.ssh1_publickeymessage import SSH1_PublicKeyMessage +from ssh_audit.ssh2_kex import SSH2_Kex +from ssh_audit.ssh2_kexdb import SSH2_KexDB +from ssh_audit.timeframe import Timeframe +from ssh_audit.utils import Utils + + +class Algorithms: + def __init__(self, pkm: Optional[SSH1_PublicKeyMessage], kex: Optional[SSH2_Kex]) -> None: + self.__ssh1kex = pkm + self.__ssh2kex = kex + + @property + def ssh1kex(self) -> Optional[SSH1_PublicKeyMessage]: + return self.__ssh1kex + + @property + def ssh2kex(self) -> Optional[SSH2_Kex]: + return self.__ssh2kex + + @property + def ssh1(self) -> Optional['Algorithms.Item']: + if self.ssh1kex is None: + return None + item = Algorithms.Item(1, SSH1_KexDB.get_db()) + item.add('key', ['ssh-rsa1']) + item.add('enc', self.ssh1kex.supported_ciphers) + item.add('aut', self.ssh1kex.supported_authentications) + return item + + @property + def ssh2(self) -> Optional['Algorithms.Item']: + if self.ssh2kex is None: + return None + item = Algorithms.Item(2, SSH2_KexDB.get_db()) + item.add('kex', self.ssh2kex.kex_algorithms) + item.add('key', self.ssh2kex.key_algorithms) + item.add('enc', self.ssh2kex.server.encryption) + item.add('mac', self.ssh2kex.server.mac) + return item + + @property + def values(self) -> Iterable['Algorithms.Item']: + for item in [self.ssh1, self.ssh2]: + if item is not None: + yield item + + @property + def maxlen(self) -> int: + def _ml(items: Sequence[str]) -> int: + return max(len(i) for i in items) + maxlen = 0 + if self.ssh1kex is not None: + maxlen = max(_ml(self.ssh1kex.supported_ciphers), + _ml(self.ssh1kex.supported_authentications), + maxlen) + if self.ssh2kex is not None: + maxlen = max(_ml(self.ssh2kex.kex_algorithms), + _ml(self.ssh2kex.key_algorithms), + _ml(self.ssh2kex.server.encryption), + _ml(self.ssh2kex.server.mac), + maxlen) + return maxlen + + def get_ssh_timeframe(self, for_server: Optional[bool] = None) -> 'Timeframe': + timeframe = Timeframe() + for alg_pair in self.values: + alg_db = alg_pair.db + for alg_type, alg_list in alg_pair.items(): + for alg_name in alg_list: + alg_name_native = Utils.to_text(alg_name) + alg_desc = alg_db[alg_type].get(alg_name_native) + if alg_desc is None: + continue + versions = alg_desc[0] + timeframe.update(versions, for_server) + return timeframe + + def get_recommendations(self, software: Optional['Software'], for_server: bool = True) -> Tuple[Optional['Software'], Dict[int, Dict[str, Dict[str, Dict[str, int]]]]]: + # pylint: disable=too-many-locals,too-many-statements + vproducts = [Product.OpenSSH, + Product.DropbearSSH, + Product.LibSSH, + Product.TinySSH] + # Set to True if server is not one of vproducts, above. + unknown_software = False + if software is not None: + if software.product not in vproducts: + unknown_software = True + + # The code below is commented out because it would try to guess what the server is, + # usually resulting in wild & incorrect recommendations. + # if software is None: + # ssh_timeframe = self.get_ssh_timeframe(for_server) + # for product in vproducts: + # if product not in ssh_timeframe: + # continue + # version = ssh_timeframe.get_from(product, for_server) + # if version is not None: + # software = SSH.Software(None, product, version, None, None) + # break + rec: Dict[int, Dict[str, Dict[str, Dict[str, int]]]] = {} + if software is None: + unknown_software = True + for alg_pair in self.values: + sshv, alg_db = alg_pair.sshv, alg_pair.db + rec[sshv] = {} + for alg_type, alg_list in alg_pair.items(): + if alg_type == 'aut': + continue + rec[sshv][alg_type] = {'add': {}, 'del': {}, 'chg': {}} + for n, alg_desc in alg_db[alg_type].items(): + versions = alg_desc[0] + empty_version = False + if len(versions) == 0 or versions[0] is None: + empty_version = True + else: + matches = False + if unknown_software: + matches = True + for v in versions[0].split(','): + ssh_prefix, ssh_version, is_cli = Algorithm.get_ssh_version(v) + if not ssh_version: + continue + if (software is not None) and (ssh_prefix != software.product): + continue + if is_cli and for_server: + continue + if (software is not None) and (software.compare_version(ssh_version) < 0): + continue + matches = True + break + if not matches: + continue + adl, faults = len(alg_desc), 0 + for i in range(1, 3): + if not adl > i: + continue + fc = len(alg_desc[i]) + if fc > 0: + faults += pow(10, 2 - i) * fc + if n not in alg_list: + # Don't recommend certificate or token types; these will only appear in the server's list if they are fully configured & functional on the server. + if faults > 0 or (alg_type == 'key' and (('-cert-' in n) or (n.startswith('sk-')))) or empty_version: + continue + rec[sshv][alg_type]['add'][n] = 0 + else: + if faults == 0: + continue + if n in ['diffie-hellman-group-exchange-sha256', 'rsa-sha2-256', 'rsa-sha2-512', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com']: + rec[sshv][alg_type]['chg'][n] = faults + else: + rec[sshv][alg_type]['del'][n] = faults + # If we are working with unknown software, drop all add recommendations, because we don't know if they're valid. + if unknown_software: + rec[sshv][alg_type]['add'] = {} + add_count = len(rec[sshv][alg_type]['add']) + del_count = len(rec[sshv][alg_type]['del']) + chg_count = len(rec[sshv][alg_type]['chg']) + + if add_count == 0: + del rec[sshv][alg_type]['add'] + if del_count == 0: + del rec[sshv][alg_type]['del'] + if chg_count == 0: + del rec[sshv][alg_type]['chg'] + if len(rec[sshv][alg_type]) == 0: + del rec[sshv][alg_type] + if len(rec[sshv]) == 0: + del rec[sshv] + return software, rec + + class Item: + def __init__(self, sshv: int, db: Dict[str, Dict[str, List[List[Optional[str]]]]]) -> None: + self.__sshv = sshv + self.__db = db + self.__storage: Dict[str, List[str]] = {} + + @property + def sshv(self) -> int: + return self.__sshv + + @property + def db(self) -> Dict[str, Dict[str, List[List[Optional[str]]]]]: + return self.__db + + def add(self, key: str, value: List[str]) -> None: + self.__storage[key] = value + + def items(self) -> Iterable[Tuple[str, List[str]]]: + return self.__storage.items() diff --git a/src/ssh_audit/auditconf.py b/src/ssh_audit/auditconf.py new file mode 100644 index 0000000..e2994a6 --- /dev/null +++ b/src/ssh_audit/auditconf.py @@ -0,0 +1,99 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017-2021 Joe Testa (jtesta@positronsecurity.com) + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + +from ssh_audit.policy import Policy +from ssh_audit.utils import Utils + + +class AuditConf: + # pylint: disable=too-many-instance-attributes + def __init__(self, host: str = '', port: int = 22) -> None: + self.host = host + self.port = port + self.ssh1 = True + self.ssh2 = True + self.batch = False + self.client_audit = False + self.colors = True + self.json = False + self.json_print_indent = False + self.verbose = False + self.level = 'info' + self.ip_version_preference: List[int] = [] # Holds only 5 possible values: [] (no preference), [4] (use IPv4 only), [6] (use IPv6 only), [46] (use both IPv4 and IPv6, but prioritize v4), and [64] (use both IPv4 and IPv6, but prioritize v6). + self.ipv4 = False + self.ipv6 = False + self.make_policy = False # When True, creates a policy file from an audit scan. + self.policy_file: Optional[str] = None # File system path to a policy + self.policy: Optional[Policy] = None # Policy object + self.timeout = 5.0 + self.timeout_set = False # Set to True when the user explicitly sets it. + self.target_file: Optional[str] = None + self.target_list: List[str] = [] + self.threads = 32 + self.list_policies = False + self.lookup = '' + self.manual = False + self.debug = False + self.gex_test = '' + + def __setattr__(self, name: str, value: Union[str, int, float, bool, Sequence[int]]) -> None: + valid = False + if name in ['batch', 'client_audit', 'colors', 'json', 'json_print_indent', 'list_policies', 'manual', 'make_policy', 'ssh1', 'ssh2', 'timeout_set', 'verbose', 'debug']: + valid, value = True, bool(value) + elif name in ['ipv4', 'ipv6']: + valid, value = True, bool(value) + if len(self.ip_version_preference) == 2: # Being called more than twice is not valid. + valid = False + elif value: + self.ip_version_preference.append(4 if name == 'ipv4' else 6) + elif name == 'port': + valid, port = True, Utils.parse_int(value) + if port < 1 or port > 65535: + raise ValueError('invalid port: {}'.format(value)) + value = port + elif name in ['level']: + if value not in ('info', 'warn', 'fail'): + raise ValueError('invalid level: {}'.format(value)) + valid = True + elif name == 'host': + valid = True + elif name == 'timeout': + value = Utils.parse_float(value) + if value == -1.0: + raise ValueError('invalid timeout: {}'.format(value)) + valid = True + elif name in ['ip_version_preference', 'lookup', 'policy_file', 'policy', 'target_file', 'target_list', 'gex_test']: + valid = True + elif name == "threads": + valid, num_threads = True, Utils.parse_int(value) + if num_threads < 1: + raise ValueError('invalid number of threads: {}'.format(value)) + value = num_threads + + if valid: + object.__setattr__(self, name, value) diff --git a/src/ssh_audit/banner.py b/src/ssh_audit/banner.py new file mode 100644 index 0000000..da6ee17 --- /dev/null +++ b/src/ssh_audit/banner.py @@ -0,0 +1,92 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +import re + +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + +from ssh_audit.utils import Utils + + +class Banner: + _RXP, _RXR = r'SSH-\d\.\s*?\d+', r'(-\s*([^\s]*)(?:\s+(.*))?)?' + RX_PROTOCOL = re.compile(re.sub(r'\\d(\+?)', r'(\\d\g<1>)', _RXP)) + RX_BANNER = re.compile(r'^({0}(?:(?:-{0})*)){1}$'.format(_RXP, _RXR)) + + def __init__(self, protocol: Tuple[int, int], software: Optional[str], comments: Optional[str], valid_ascii: bool) -> None: + self.__protocol = protocol + self.__software = software + self.__comments = comments + self.__valid_ascii = valid_ascii + + @property + def protocol(self) -> Tuple[int, int]: + return self.__protocol + + @property + def software(self) -> Optional[str]: + return self.__software + + @property + def comments(self) -> Optional[str]: + return self.__comments + + @property + def valid_ascii(self) -> bool: + return self.__valid_ascii + + def __str__(self) -> str: + r = 'SSH-{}.{}'.format(self.protocol[0], self.protocol[1]) + if self.software is not None: + r += '-{}'.format(self.software) + if bool(self.comments): + r += ' {}'.format(self.comments) + return r + + def __repr__(self) -> str: + p = '{}.{}'.format(self.protocol[0], self.protocol[1]) + r = 'protocol={}'.format(p) + if self.software is not None: + r += ', software={}'.format(self.software) + if bool(self.comments): + r += ', comments={}'.format(self.comments) + return '<{}({})>'.format(self.__class__.__name__, r) + + @classmethod + def parse(cls, banner: str) -> Optional['Banner']: + valid_ascii = Utils.is_print_ascii(banner) + ascii_banner = Utils.to_print_ascii(banner) + mx = cls.RX_BANNER.match(ascii_banner) + if mx is None: + return None + protocol = min(re.findall(cls.RX_PROTOCOL, mx.group(1))) + protocol = (int(protocol[0]), int(protocol[1])) + software = (mx.group(3) or '').strip() or None + if software is None and (mx.group(2) or '').startswith('-'): + software = '' + comments = (mx.group(4) or '').strip() or None + if comments is not None: + comments = re.sub(r'\s+', ' ', comments) + return cls(protocol, software, comments, valid_ascii) diff --git a/src/ssh_audit/exitcodes.py b/src/ssh_audit/exitcodes.py new file mode 100644 index 0000000..5392f1d --- /dev/null +++ b/src/ssh_audit/exitcodes.py @@ -0,0 +1,6 @@ +# The program return values corresponding to failure(s) encountered, warning(s) encountered, connection errors, and no problems found, respectively. +FAILURE = 3 +WARNING = 2 +CONNECTION_ERROR = 1 +GOOD = 0 +UNKNOWN_ERROR = -1 diff --git a/src/ssh_audit/fingerprint.py b/src/ssh_audit/fingerprint.py new file mode 100644 index 0000000..a9d2caf --- /dev/null +++ b/src/ssh_audit/fingerprint.py @@ -0,0 +1,43 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017-2021 Joe Testa (jtesta@positronsecurity.com) + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +import base64 +import hashlib + + +class Fingerprint: + def __init__(self, fpd: bytes) -> None: + self.__fpd = fpd + + @property + def md5(self) -> str: + h = hashlib.md5(self.__fpd).hexdigest() + r = ':'.join(h[i:i + 2] for i in range(0, len(h), 2)) + return 'MD5:{}'.format(r) + + @property + def sha256(self) -> str: + h = base64.b64encode(hashlib.sha256(self.__fpd).digest()) + r = h.decode('ascii').rstrip('=') + return 'SHA256:{}'.format(r) diff --git a/src/ssh_audit/gextest.py b/src/ssh_audit/gextest.py new file mode 100644 index 0000000..f482839 --- /dev/null +++ b/src/ssh_audit/gextest.py @@ -0,0 +1,235 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017-2023 Joe Testa (jtesta@positronsecurity.com) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +import traceback + +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + +from ssh_audit.banner import Banner +from ssh_audit.kexdh import KexDHException, KexGroupExchange, KexGroupExchange_SHA1, KexGroupExchange_SHA256 +from ssh_audit.ssh2_kexdb import SSH2_KexDB +from ssh_audit.ssh2_kex import SSH2_Kex +from ssh_audit.ssh_socket import SSH_Socket +from ssh_audit.outputbuffer import OutputBuffer +from ssh_audit import exitcodes + + +# Performs DH group exchanges to find what moduli are supported, and checks +# their size. +class GEXTest: + + # Creates a new connection to the server. Returns True on success, or False. + @staticmethod + def reconnect(out: 'OutputBuffer', s: 'SSH_Socket', kex: 'SSH2_Kex', gex_alg: str) -> bool: + if s.is_connected(): + return True + + err = s.connect() + if err is not None: + out.v(err, write_now=True) + return False + + _, _, err = s.get_banner() + if err is not None: + out.v(err, write_now=True) + s.close() + return False + + # Send our KEX using the specified group-exchange and most of the + # server's own values. + s.send_kexinit(key_exchanges=[gex_alg], hostkeys=kex.key_algorithms, ciphers=kex.server.encryption, macs=kex.server.mac, compressions=kex.server.compression, languages=kex.server.languages) + + try: + # Parse the server's KEX. + _, payload = s.read_packet(2) + SSH2_Kex.parse(out, payload) + except KexDHException: + out.v("Failed to parse server's kex. Stack trace:\n%s" % str(traceback.format_exc()), write_now=True) + return False + + return True + + @staticmethod + def granular_modulus_size_test(out: 'OutputBuffer', s: 'SSH_Socket', kex: 'SSH2_Kex', bits_min: int, bits_pref: int, bits_max: int, modulus_dict: Dict[str, List[int]]) -> int: + ''' + Tests for granular modulus sizes. + Builds a dictionary, where a key represents a DH algorithm name and the + values are the modulus sizes (in bits) that have been returned by the + target server. + Returns an exitcodes.* flag. + ''' + + retval = exitcodes.GOOD + + out.d("Starting modulus_size_test...") + out.d("Bits Min: " + str(bits_min)) + out.d("Bits Pref: " + str(bits_pref)) + out.d("Bits Max: " + str(bits_max)) + + GEX_ALGS = { + 'diffie-hellman-group-exchange-sha1': KexGroupExchange_SHA1, + 'diffie-hellman-group-exchange-sha256': KexGroupExchange_SHA256, + } + + # Check if the server supports any of the group-exchange + # algorithms. If so, test each one. + for gex_alg, kex_group_class in GEX_ALGS.items(): + if gex_alg not in kex.kex_algorithms: + out.d('Server does not support the algorithm "' + gex_alg + '".', write_now=True) + else: + kex_group = kex_group_class(out) + out.d('Preparing to perform DH group exchange using ' + gex_alg + ' with min, pref and max modulus sizes of ' + str(bits_min) + ' bits, ' + str(bits_pref) + ' bits and ' + str(bits_max) + ' bits...', write_now=True) + + # It has been observed that reconnecting to some SSH servers + # multiple times in quick succession can eventually result + # in a "connection reset by peer" error. It may be possible + # to recover from such an error by sleeping for some time + # before continuing to issue reconnects. + modulus_size_returned, reconnect_failed = GEXTest._send_init(out, s, kex_group, kex, gex_alg, bits_min, bits_pref, bits_max) + if reconnect_failed: + out.fail('Reconnect failed.') + return exitcodes.FAILURE + + if modulus_size_returned > 0: + if gex_alg in modulus_dict: + if modulus_size_returned not in modulus_dict[gex_alg]: + modulus_dict[gex_alg].append(modulus_size_returned) + else: + modulus_dict[gex_alg] = [modulus_size_returned] + + return retval + + # Runs the DH moduli test against the specified target. + @staticmethod + def run(out: 'OutputBuffer', s: 'SSH_Socket', banner: Optional['Banner'], kex: 'SSH2_Kex') -> None: + GEX_ALGS = { + 'diffie-hellman-group-exchange-sha1': KexGroupExchange_SHA1, + 'diffie-hellman-group-exchange-sha256': KexGroupExchange_SHA256, + } + + # The previous RSA tests put the server in a state we can't + # test. So we need a new connection to start with a clean + # slate. + if s.is_connected(): + s.close() + + # Check if the server supports any of the group-exchange + # algorithms. If so, test each one. + for gex_alg, kex_group_class in GEX_ALGS.items(): # pylint: disable=too-many-nested-blocks + if gex_alg in kex.kex_algorithms: + out.d('Preparing to perform DH group exchange using ' + gex_alg + ' with min, pref and max modulus sizes of 512 bits, 1024 bits and 1536 bits...', write_now=True) + + kex_group = kex_group_class(out) + smallest_modulus, reconnect_failed = GEXTest._send_init(out, s, kex_group, kex, gex_alg, 512, 1024, 1536) + if reconnect_failed: + break + + # Try an array of specific modulus sizes... one at a time. + reconnect_failed = False + for bits in [512, 768, 1024, 1536, 2048, 3072, 4096]: + + # If we found one modulus size already, but we're about + # to test a larger one, don't bother. + if bits >= smallest_modulus > 0: + break + + smallest_modulus, reconnect_failed = GEXTest._send_init(out, s, kex_group, kex, gex_alg, bits, bits, bits) + + # If the smallest modulus is 2048 and the server is OpenSSH, then we may have triggered the fallback mechanism, which tends to happen in testing scenarios such as this but not in most real-world conditions (see X). To better test this condition, we will do an additional check to see if the server supports sizes between 2048 and 4096, and consider this the definitive result. + openssh_test_updated = False + if (smallest_modulus == 2048) and (banner is not None) and (banner.software is not None) and (banner.software.find('OpenSSH') != -1): + out.d('First pass found a minimum GEX modulus of 2048 against OpenSSH server. Performing a second pass to get a more accurate result...') + smallest_modulus, _ = GEXTest._send_init(out, s, kex_group, kex, gex_alg, 2048, 3072, 4096) + out.d('Modulus size returned by server during second pass: %d bits' % smallest_modulus, write_now=True) + openssh_test_updated = bool((smallest_modulus > 0) and (smallest_modulus != 2048)) + + if smallest_modulus > 0: + kex.set_dh_modulus_size(gex_alg, smallest_modulus) + + lst = SSH2_KexDB.get_db()['kex'][gex_alg] + + # We flag moduli smaller than 2048 as a failure. + if smallest_modulus < 2048: + text = 'using small %d-bit modulus' % smallest_modulus + + # For 'diffie-hellman-group-exchange-sha256', add + # a failure reason. + if len(lst) == 1: + lst.append([text]) + # For 'diffie-hellman-group-exchange-sha1', delete + # the existing failure reason (which is vague), and + # insert our own. + else: + del lst[1] + lst.insert(1, [text]) + + # Moduli smaller than 3072 get flagged as a warning. + elif smallest_modulus < 3072: + + # Ensure that a warning list exists for us to append to, below. + while len(lst) < 3: + lst.append([]) + + # Ensure this is only added once. + text = '2048-bit modulus only provides 112-bits of symmetric strength' + if text not in lst[2]: + lst[2].append(text) + + # If we retested against OpenSSH (because its fallback mechanism was triggered), add a special note for the user. + if openssh_test_updated: + text = "OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use %u. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477)." % smallest_modulus + + # Ensure that an info list exists for us to append to, below. + while len(lst) < 4: + lst.append([]) + + # Ensure this is only added once. + if text not in lst[3]: + lst[3].append(text) + + if reconnect_failed: + break + + @staticmethod + def _send_init(out: 'OutputBuffer', s: 'SSH_Socket', kex_group: 'KexGroupExchange', kex: 'SSH2_Kex', gex_alg: str, min_bits: int, pref_bits: int, max_bits: int) -> Tuple[int, bool]: + '''Internal function for sending the GEX initialization to the server with the minimum, preferred, and maximum modulus bits. Returns a Tuple of the modulus size received from the server (or -1 on error) and boolean signifying that the connection to the server failed.''' + + smallest_modulus = -1 + reconnect_failed = False + try: + if GEXTest.reconnect(out, s, kex, gex_alg) is False: + reconnect_failed = True + out.d('GEXTest._send_init(%s, %u, %u, %u): reconnection failed.' % (gex_alg, min_bits, pref_bits, max_bits), write_now=True) + else: + kex_group.send_init_gex(s, min_bits, pref_bits, max_bits) + kex_group.recv_reply(s, False) + smallest_modulus = kex_group.get_dh_modulus_size() + out.d('GEXTest._send_init(%s, %u, %u, %u): received modulus size: %d' % (gex_alg, min_bits, pref_bits, max_bits, smallest_modulus), write_now=True) + except KexDHException as e: + out.d('GEXTest._send_init(%s, %u, %u, %u): exception when performing DH group exchange init: %s' % (gex_alg, min_bits, pref_bits, max_bits, str(e)), write_now=True) + finally: + s.close() + + return smallest_modulus, reconnect_failed diff --git a/src/ssh_audit/globals.py b/src/ssh_audit/globals.py new file mode 100644 index 0000000..a931fcc --- /dev/null +++ b/src/ssh_audit/globals.py @@ -0,0 +1,40 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017-2023 Joe Testa (jtesta@positronsecurity.com) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +# The version to display. +VERSION = 'v3.1.0' + +# SSH software to impersonate +SSH_HEADER = 'SSH-{0}-OpenSSH_8.2' + +# The URL to the Github issues tracker. +GITHUB_ISSUES_URL = 'https://github.com/jtesta/ssh-audit/issues' + +# The man page. Only filled in on Windows systems. +WINDOWS_MAN_PAGE = '' + +# True when installed from a Snap package, otherwise False. +SNAP_PACKAGE = False + +# Error message when installed as a Snap package and a file access fails. +SNAP_PERMISSIONS_ERROR = 'Error while accessing file. It appears that ssh-audit was installed as a Snap package. In that case, there are two options: 1.) only try to read & write files in the $HOME/snap/ssh-audit/common/ directory, or 2.) grant permissions to read & write files in $HOME using the following command: "sudo snap connect ssh-audit:home :home"' diff --git a/src/ssh_audit/hostkeytest.py b/src/ssh_audit/hostkeytest.py new file mode 100644 index 0000000..3628b7a --- /dev/null +++ b/src/ssh_audit/hostkeytest.py @@ -0,0 +1,233 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017-2023 Joe Testa (jtesta@positronsecurity.com) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" + +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + +import traceback + +from ssh_audit.kexdh import KexDH, KexDHException, KexGroup1, KexGroup14_SHA1, KexGroup14_SHA256, KexCurve25519_SHA256, KexGroup16_SHA512, KexGroup18_SHA512, KexGroupExchange_SHA1, KexGroupExchange_SHA256, KexNISTP256, KexNISTP384, KexNISTP521 +from ssh_audit.ssh2_kex import SSH2_Kex +from ssh_audit.ssh2_kexdb import SSH2_KexDB +from ssh_audit.ssh_socket import SSH_Socket +from ssh_audit.outputbuffer import OutputBuffer + + +# Obtains host keys, checks their size, and derives their fingerprints. +class HostKeyTest: + # Tracks the RSA host key types. As of this writing, testing one in this family yields valid results for the rest. + RSA_FAMILY = ['ssh-rsa', 'rsa-sha2-256', 'rsa-sha2-512'] + + # Dict holding the host key types we should extract & parse. 'cert' is True to denote that a host key type handles certificates (thus requires additional parsing). 'variable_key_len' is True for host key types that can have variable sizes (True only for RSA types, as the rest are of fixed-size). After the host key type is fully parsed, the key 'parsed' is added with a value of True. + HOST_KEY_TYPES = { + 'ssh-rsa': {'cert': False, 'variable_key_len': True}, + 'rsa-sha2-256': {'cert': False, 'variable_key_len': True}, + 'rsa-sha2-512': {'cert': False, 'variable_key_len': True}, + + 'ssh-rsa-cert-v01@openssh.com': {'cert': True, 'variable_key_len': True}, + 'rsa-sha2-256-cert-v01@openssh.com': {'cert': True, 'variable_key_len': True}, + 'rsa-sha2-512-cert-v01@openssh.com': {'cert': True, 'variable_key_len': True}, + + 'ssh-ed25519': {'cert': False, 'variable_key_len': False}, + 'ssh-ed25519-cert-v01@openssh.com': {'cert': True, 'variable_key_len': False}, + } + + TWO2K_MODULUS_WARNING = '2048-bit modulus only provides 112-bits of symmetric strength' + SMALL_ECC_MODULUS_WARNING = '224-bit ECC modulus only provides 112-bits of symmetric strength' + + + @staticmethod + def run(out: 'OutputBuffer', s: 'SSH_Socket', server_kex: 'SSH2_Kex') -> None: + KEX_TO_DHGROUP = { + 'diffie-hellman-group1-sha1': KexGroup1, + 'diffie-hellman-group14-sha1': KexGroup14_SHA1, + 'diffie-hellman-group14-sha256': KexGroup14_SHA256, + 'curve25519-sha256': KexCurve25519_SHA256, + 'curve25519-sha256@libssh.org': KexCurve25519_SHA256, + 'diffie-hellman-group16-sha512': KexGroup16_SHA512, + 'diffie-hellman-group18-sha512': KexGroup18_SHA512, + 'diffie-hellman-group-exchange-sha1': KexGroupExchange_SHA1, + 'diffie-hellman-group-exchange-sha256': KexGroupExchange_SHA256, + 'ecdh-sha2-nistp256': KexNISTP256, + 'ecdh-sha2-nistp384': KexNISTP384, + 'ecdh-sha2-nistp521': KexNISTP521, + # 'kexguess2@matt.ucc.asn.au': ??? + } + + # Pick the first kex algorithm that the server supports, which we + # happen to support as well. + kex_str = None + kex_group = None + for server_kex_alg in server_kex.kex_algorithms: + if server_kex_alg in KEX_TO_DHGROUP: + kex_str = server_kex_alg + kex_group = KEX_TO_DHGROUP[kex_str](out) + break + + if kex_str is not None and kex_group is not None: + HostKeyTest.perform_test(out, s, server_kex, kex_str, kex_group, HostKeyTest.HOST_KEY_TYPES) + + @staticmethod + def perform_test(out: 'OutputBuffer', s: 'SSH_Socket', server_kex: 'SSH2_Kex', kex_str: str, kex_group: 'KexDH', host_key_types: Dict[str, Dict[str, bool]]) -> None: + hostkey_modulus_size = 0 + ca_modulus_size = 0 + + # If the connection still exists, close it so we can test + # using a clean slate (otherwise it may exist in a non-testable + # state). + if s.is_connected(): + s.close() + + # For each host key type... + for host_key_type in host_key_types: + key_fail_comments = [] + key_warn_comments = [] + + # Skip those already handled (i.e.: those in the RSA family, as testing one tests them all). + if 'parsed' in host_key_types[host_key_type] and host_key_types[host_key_type]['parsed']: + continue + + # If this host key type is supported by the server, we test it. + if host_key_type in server_kex.key_algorithms: + out.d('Preparing to obtain ' + host_key_type + ' host key...', write_now=True) + + cert = host_key_types[host_key_type]['cert'] + + # If the connection is closed, re-open it and get the kex again. + if not s.is_connected(): + err = s.connect() + if err is not None: + out.v(err, write_now=True) + return + + _, _, err = s.get_banner() + if err is not None: + out.v(err, write_now=True) + s.close() + return + + # Send our KEX using the specified group-exchange and most of the server's own values. + s.send_kexinit(key_exchanges=[kex_str], hostkeys=[host_key_type], ciphers=server_kex.server.encryption, macs=server_kex.server.mac, compressions=server_kex.server.compression, languages=server_kex.server.languages) + + try: + # Parse the server's KEX. + _, payload = s.read_packet() + SSH2_Kex.parse(out, payload) + except Exception: + out.v("Failed to parse server's kex. Stack trace:\n%s" % str(traceback.format_exc()), write_now=True) + return + + # Do the initial DH exchange. The server responds back + # with the host key and its length. Bingo. We also get back the host key fingerprint. + kex_group.send_init(s) + raw_hostkey_bytes = b'' + try: + kex_reply = kex_group.recv_reply(s) + raw_hostkey_bytes = kex_reply if kex_reply is not None else b'' + except KexDHException: + out.v("Failed to parse server's host key. Stack trace:\n%s" % str(traceback.format_exc()), write_now=True) + + # Since parsing this host key failed, there's nothing more to do but close the socket and move on to the next host key type. + s.close() + continue + + hostkey_modulus_size = kex_group.get_hostkey_size() + ca_key_type = kex_group.get_ca_type() + ca_modulus_size = kex_group.get_ca_size() + out.d("Hostkey type: [%s]; hostkey size: %u; CA type: [%s]; CA modulus size: %u" % (host_key_type, hostkey_modulus_size, ca_key_type, ca_modulus_size), write_now=True) + + # Record all the host key info. + server_kex.set_host_key(host_key_type, raw_hostkey_bytes, hostkey_modulus_size, ca_key_type, ca_modulus_size) + + # Set the hostkey size for all RSA key types since 'ssh-rsa', 'rsa-sha2-256', etc. are all using the same host key. Note, however, that this may change in the future. + if cert is False and host_key_type in HostKeyTest.RSA_FAMILY: + for rsa_type in HostKeyTest.RSA_FAMILY: + server_kex.set_host_key(rsa_type, raw_hostkey_bytes, hostkey_modulus_size, ca_key_type, ca_modulus_size) + + # Close the socket, as the connection has + # been put in a state that later tests can't use. + s.close() + + # If the host key modulus or CA modulus was successfully parsed, check to see that its a safe size. + if hostkey_modulus_size > 0 or ca_modulus_size > 0: + # The minimum good modulus size for RSA host keys is 3072. However, since ECC cryptosystems are fundamentally different, the minimum good is 256. + hostkey_min_good = cakey_min_good = 3072 + hostkey_min_warn = cakey_min_warn = 2048 + hostkey_warn_str = cakey_warn_str = HostKeyTest.TWO2K_MODULUS_WARNING + if host_key_type.startswith('ssh-ed25519') or host_key_type.startswith('ecdsa-sha2-nistp'): + hostkey_min_good = 256 + hostkey_min_warn = 224 + hostkey_warn_str = HostKeyTest.SMALL_ECC_MODULUS_WARNING + if ca_key_type.startswith('ssh-ed25519') or host_key_type.startswith('ecdsa-sha2-nistp'): + cakey_min_good = 256 + cakey_min_warn = 224 + cakey_warn_str = HostKeyTest.SMALL_ECC_MODULUS_WARNING + + # Keys smaller than 2048 result in a failure. Keys smaller 3072 result in a warning. Update the database accordingly. + if (cert is False) and (hostkey_modulus_size < hostkey_min_good): + + # If the key is under 2048, add to the failure list. + if hostkey_modulus_size < hostkey_min_warn: + key_fail_comments.append('using small %d-bit modulus' % hostkey_modulus_size) + elif hostkey_warn_str not in key_warn_comments: # Issue a warning about 2048-bit moduli. + key_warn_comments.append(hostkey_warn_str) + + elif (cert is True) and ((hostkey_modulus_size < hostkey_min_good) or (0 < ca_modulus_size < cakey_min_good)): + # If the host key is smaller than 2048-bit/224-bit, flag this as a failure. + if hostkey_modulus_size < hostkey_min_warn: + key_fail_comments.append('using small %d-bit hostkey modulus' % hostkey_modulus_size) + # Otherwise, this is just a warning. + elif (hostkey_modulus_size < hostkey_min_good) and (hostkey_warn_str not in key_warn_comments): + key_warn_comments.append(hostkey_warn_str) + + # If the CA key is smaller than 2048-bit/224-bit, flag this as a failure. + if 0 < ca_modulus_size < cakey_min_warn: + key_fail_comments.append('using small %d-bit CA key modulus' % ca_modulus_size) + # Otherwise, this is just a warning. + elif (0 < ca_modulus_size < cakey_min_good) and (cakey_warn_str not in key_warn_comments): + key_warn_comments.append(cakey_warn_str) + + # If this host key type is in the RSA family, then mark them all as parsed (since results in one are valid for them all). + if host_key_type in HostKeyTest.RSA_FAMILY: + for rsa_type in HostKeyTest.RSA_FAMILY: + host_key_types[rsa_type]['parsed'] = True + + # If the current key is a member of the RSA family, then populate all RSA family members with the same + # failure and/or warning comments. + db = SSH2_KexDB.get_db() + while len(db['key'][rsa_type]) < 3: + db['key'][rsa_type].append([]) + + db['key'][rsa_type][1].extend(key_fail_comments) + db['key'][rsa_type][2].extend(key_warn_comments) + + else: + host_key_types[host_key_type]['parsed'] = True + db = SSH2_KexDB.get_db() + while len(db['key'][host_key_type]) < 3: + db['key'][host_key_type].append([]) + + db['key'][host_key_type][1].extend(key_fail_comments) + db['key'][host_key_type][2].extend(key_warn_comments) diff --git a/src/ssh_audit/kexdh.py b/src/ssh_audit/kexdh.py new file mode 100644 index 0000000..cdefd4e --- /dev/null +++ b/src/ssh_audit/kexdh.py @@ -0,0 +1,409 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017-2023 Joe Testa (jtesta@positronsecurity.com) + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +import binascii +import os +import random +import struct +import traceback + +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + +from ssh_audit.outputbuffer import OutputBuffer +from ssh_audit.protocol import Protocol +from ssh_audit.ssh_socket import SSH_Socket + + +class KexDHException(Exception): + pass + + +class KexDH: # pragma: nocover + def __init__(self, out: 'OutputBuffer', kex_name: str, hash_alg: str, g: int, p: int) -> None: + self.out = out + self.__kex_name = kex_name # pylint: disable=unused-private-member + self.__hash_alg = hash_alg # pylint: disable=unused-private-member + self.__g = 0 + self.__p = 0 + self.__q = 0 + self.__x = 0 + self.__e = 0 + self.set_params(g, p) + + self.__ed25519_pubkey: Optional[bytes] = None # pylint: disable=unused-private-member + self.__hostkey_type = '' + self.__hostkey_e = 0 # pylint: disable=unused-private-member + self.__hostkey_n = 0 # pylint: disable=unused-private-member + self.__hostkey_n_len = 0 # Length of the host key modulus. + self.__ca_key_type = '' # Type of CA key ('ssh-rsa', etc). + self.__ca_n_len = 0 # Length of the CA key modulus (if hostkey is a cert). + + def set_params(self, g: int, p: int) -> None: + self.__g = g + self.__p = p + self.__q = (self.__p - 1) // 2 + self.__x = 0 + self.__e = 0 + + def send_init(self, s: SSH_Socket, init_msg: int = Protocol.MSG_KEXDH_INIT) -> None: + r = random.SystemRandom() + self.__x = r.randrange(2, self.__q) + self.__e = pow(self.__g, self.__x, self.__p) + s.write_byte(init_msg) + s.write_mpint2(self.__e) + s.send_packet() + + # Parse a KEXDH_REPLY or KEXDH_GEX_REPLY message from the server. This + # contains the host key, among other things. Function returns the host + # key blob (from which the fingerprint can be calculated). + def recv_reply(self, s: 'SSH_Socket', parse_host_key_size: bool = True) -> Optional[bytes]: + # Reset the CA info, in case it was set from a prior invokation. + self.__hostkey_type = '' + self.__hostkey_e = 0 # pylint: disable=unused-private-member + self.__hostkey_n = 0 # pylint: disable=unused-private-member + self.__hostkey_n_len = 0 + self.__ca_key_type = '' + self.__ca_n_len = 0 + + packet_type, payload = s.read_packet(2) + + # Skip any & all MSG_DEBUG messages. + while packet_type == Protocol.MSG_DEBUG: + packet_type, payload = s.read_packet(2) + + if packet_type != -1 and packet_type not in [Protocol.MSG_KEXDH_REPLY, Protocol.MSG_KEXDH_GEX_REPLY]: # pylint: disable=no-else-raise + raise KexDHException('Expected MSG_KEXDH_REPLY (%d) or MSG_KEXDH_GEX_REPLY (%d), but got %d instead.' % (Protocol.MSG_KEXDH_REPLY, Protocol.MSG_KEXDH_GEX_REPLY, packet_type)) + elif packet_type == -1: + # A connection error occurred. We can't parse anything, so just + # return. The host key modulus (and perhaps certificate modulus) + # will remain at length 0. + self.out.d("KexDH.recv_reply(): received packge_type == -1.") + return None + + # Get the host key blob, F, and signature. + ptr = 0 + hostkey, _, ptr = KexDH.__get_bytes(payload, ptr) + + # If we are not supposed to parse the host key size (i.e.: it is a type that is of fixed size such as ed25519), then stop here. + if not parse_host_key_size: + return hostkey + + _, _, ptr = KexDH.__get_bytes(payload, ptr) + _, _, ptr = KexDH.__get_bytes(payload, ptr) + + # Now pick apart the host key blob. + # Get the host key type (i.e.: 'ssh-rsa', 'ssh-ed25519', etc). + ptr = 0 + hostkey_type, _, ptr = KexDH.__get_bytes(hostkey, ptr) + self.__hostkey_type = hostkey_type.decode('ascii') + self.out.d("Parsing host key type: %s" % self.__hostkey_type) + + # If this is an RSA certificate, skip over the nonce. + if self.__hostkey_type.startswith('ssh-rsa-cert-v0'): + self.out.d("RSA certificate found, so skipping nonce.") + _, _, ptr = KexDH.__get_bytes(hostkey, ptr) # Read & skip over the nonce. + + # The public key exponent. + hostkey_e, _, ptr = KexDH.__get_bytes(hostkey, ptr) + self.__hostkey_e = int(binascii.hexlify(hostkey_e), 16) # pylint: disable=unused-private-member + + # ED25519 moduli are fixed at 32 bytes. + if self.__hostkey_type == 'ssh-ed25519': + self.out.d("%s has a fixed host key modulus of 32." % self.__hostkey_type) + self.__hostkey_n_len = 32 + else: + # Here is the modulus size & actual modulus of the host key public key. + hostkey_n, self.__hostkey_n_len, ptr = KexDH.__get_bytes(hostkey, ptr) + self.__hostkey_n = int(binascii.hexlify(hostkey_n), 16) # pylint: disable=unused-private-member + + # If this is a certificate, continue parsing to extract the CA type and key length. Even though a hostkey type might be 'ssh-ed25519-cert-v01@openssh.com', its CA may still be RSA. + if self.__hostkey_type.startswith('ssh-rsa-cert-v0') or self.__hostkey_type.startswith('ssh-ed25519-cert-v0'): + # Get the CA key type and key length. + self.__ca_key_type, self.__ca_n_len = self.__parse_ca_key(hostkey, self.__hostkey_type, ptr) + self.out.d("KexDH.__parse_ca_key(): CA key type: [%s]; CA key length: %u" % (self.__ca_key_type, self.__ca_n_len)) + + return hostkey + + def __parse_ca_key(self, hostkey: bytes, hostkey_type: str, ptr: int) -> Tuple[str, int]: + ca_key_type = '' + ca_key_n_len = 0 + + # If this is a certificate, continue parsing to extract the CA type and key length. Even though a hostkey type might be 'ssh-ed25519-cert-v01@openssh.com', its CA may still be RSA. + # if hostkey_type.startswith('ssh-rsa-cert-v0') or hostkey_type.startswith('ssh-ed25519-cert-v0'): + self.out.d("Parsing CA for hostkey type [%s]..." % hostkey_type) + + # Skip over the serial number. + ptr += 8 + + # Get the certificate type. + cert_type = int(binascii.hexlify(hostkey[ptr:ptr + 4]), 16) + ptr += 4 + + # Only SSH2_CERT_TYPE_HOST (2) makes sense in this context. + if cert_type == 2: + + # Skip the key ID (this is the serial number of the + # certificate). + key_id, key_id_len, ptr = KexDH.__get_bytes(hostkey, ptr) # pylint: disable=unused-variable + + # The principles, which are... I don't know what. + principles, principles_len, ptr = KexDH.__get_bytes(hostkey, ptr) # pylint: disable=unused-variable + + # Skip over the timestamp that this certificate is valid after. + ptr += 8 + + # Skip over the timestamp that this certificate is valid before. + ptr += 8 + + # TODO: validate the principles, and time range. + + # The critical options. + critical_options, critical_options_len, ptr = KexDH.__get_bytes(hostkey, ptr) # pylint: disable=unused-variable + + # Certificate extensions. + extensions, extensions_len, ptr = KexDH.__get_bytes(hostkey, ptr) # pylint: disable=unused-variable + + # Another nonce. + nonce, nonce_len, ptr = KexDH.__get_bytes(hostkey, ptr) # pylint: disable=unused-variable + + # Finally, we get to the CA key. + ca_key, ca_key_len, ptr = KexDH.__get_bytes(hostkey, ptr) # pylint: disable=unused-variable + + # Last in the host key blob is the CA signature. It isn't + # interesting to us, so we won't bother parsing any further. + # The CA key has the modulus, however... + ptr = 0 + + # 'ssh-rsa', 'rsa-sha2-256', etc. + ca_key_type_bytes, ca_key_type_len, ptr = KexDH.__get_bytes(ca_key, ptr) # pylint: disable=unused-variable + ca_key_type = ca_key_type_bytes.decode('ascii') + self.out.d("Found CA type: [%s]" % ca_key_type) + + # ED25519 CA's don't explicitly include the modulus size in the public key, since its fixed at 32 in all cases. + if ca_key_type == 'ssh-ed25519': + ca_key_n_len = 32 + else: + # CA's public key exponent. + ca_key_e, ca_key_e_len, ptr = KexDH.__get_bytes(ca_key, ptr) # pylint: disable=unused-variable + + # CA's modulus. Bingo. + ca_key_n, ca_key_n_len, ptr = KexDH.__get_bytes(ca_key, ptr) # pylint: disable=unused-variable + + else: + self.out.d("Certificate type %u found; this is not usually valid in the context of a host key! Skipping it..." % cert_type) + + return ca_key_type, ca_key_n_len + + @staticmethod + def __get_bytes(buf: bytes, ptr: int) -> Tuple[bytes, int, int]: + num_bytes = struct.unpack('>I', buf[ptr:ptr + 4])[0] + ptr += 4 + return buf[ptr:ptr + num_bytes], num_bytes, ptr + num_bytes + + # Converts a modulus length in bytes to its size in bits, after some + # possible adjustments. + @staticmethod + def __adjust_key_size(size: int) -> int: + size = size * 8 + # Actual keys are observed to be about 8 bits bigger than expected + # (i.e.: 1024-bit keys have a 1032-bit modulus). Check if this is + # the case, and subtract 8 if so. This simply improves readability + # in the UI. + if (size >> 3) % 2 != 0: + size = size - 8 + return size + + # Returns the hostkey type. + def get_hostkey_type(self) -> str: + return self.__hostkey_type + + # Returns the size of the hostkey, in bits. + def get_hostkey_size(self) -> int: + return KexDH.__adjust_key_size(self.__hostkey_n_len) + + # Returns the CA type ('ssh-rsa', 'ssh-ed25519', etc). + def get_ca_type(self) -> str: + return self.__ca_key_type + + # Returns the size of the CA key, in bits. + def get_ca_size(self) -> int: + return KexDH.__adjust_key_size(self.__ca_n_len) + + # Returns the size of the DH modulus, in bits. + def get_dh_modulus_size(self) -> int: + # -2 to account for the '0b' prefix in the string. + return len(bin(self.__p)) - 2 + + +class KexGroup1(KexDH): # pragma: nocover + def __init__(self, out: 'OutputBuffer') -> None: + # rfc2409: second oakley group + p = int('ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece65381ffffffffffffffff', 16) + super(KexGroup1, self).__init__(out, 'KexGroup1', 'sha1', 2, p) + + +class KexGroup14(KexDH): # pragma: nocover + def __init__(self, out: 'OutputBuffer', hash_alg: str) -> None: + # rfc3526: 2048-bit modp group + p = int('ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca18217c32905e462e36ce3be39e772c180e86039b2783a2ec07a28fb5c55df06f4c52c9de2bcbf6955817183995497cea956ae515d2261898fa051015728e5a8aacaa68ffffffffffffffff', 16) + super(KexGroup14, self).__init__(out, 'KexGroup14', hash_alg, 2, p) + + +class KexGroup14_SHA1(KexGroup14): + def __init__(self, out: 'OutputBuffer') -> None: + super(KexGroup14_SHA1, self).__init__(out, 'sha1') + + +class KexGroup14_SHA256(KexGroup14): + def __init__(self, out: 'OutputBuffer') -> None: + super(KexGroup14_SHA256, self).__init__(out, 'sha256') + + +class KexGroup16_SHA512(KexDH): + def __init__(self, out: 'OutputBuffer') -> None: + # rfc3526: 4096-bit modp group + p = int('ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca18217c32905e462e36ce3be39e772c180e86039b2783a2ec07a28fb5c55df06f4c52c9de2bcbf6955817183995497cea956ae515d2261898fa051015728e5a8aaac42dad33170d04507a33a85521abdf1cba64ecfb850458dbef0a8aea71575d060c7db3970f85a6e1e4c7abf5ae8cdb0933d71e8c94e04a25619dcee3d2261ad2ee6bf12ffa06d98a0864d87602733ec86a64521f2b18177b200cbbe117577a615d6c770988c0bad946e208e24fa074e5ab3143db5bfce0fd108e4b82d120a92108011a723c12a787e6d788719a10bdba5b2699c327186af4e23c1a946834b6150bda2583e9ca2ad44ce8dbbbc2db04de8ef92e8efc141fbecaa6287c59474e6bc05d99b2964fa090c3a2233ba186515be7ed1f612970cee2d7afb81bdd762170481cd0069127d5b05aa993b4ea988d8fddc186ffb7dc90a6c08f4df435c934063199ffffffffffffffff', 16) + super(KexGroup16_SHA512, self).__init__(out, 'KexGroup16_SHA512', 'sha512', 2, p) + + +class KexGroup18_SHA512(KexDH): + def __init__(self, out: 'OutputBuffer') -> None: + # rfc3526: 8192-bit modp group + p = int('ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca18217c32905e462e36ce3be39e772c180e86039b2783a2ec07a28fb5c55df06f4c52c9de2bcbf6955817183995497cea956ae515d2261898fa051015728e5a8aaac42dad33170d04507a33a85521abdf1cba64ecfb850458dbef0a8aea71575d060c7db3970f85a6e1e4c7abf5ae8cdb0933d71e8c94e04a25619dcee3d2261ad2ee6bf12ffa06d98a0864d87602733ec86a64521f2b18177b200cbbe117577a615d6c770988c0bad946e208e24fa074e5ab3143db5bfce0fd108e4b82d120a92108011a723c12a787e6d788719a10bdba5b2699c327186af4e23c1a946834b6150bda2583e9ca2ad44ce8dbbbc2db04de8ef92e8efc141fbecaa6287c59474e6bc05d99b2964fa090c3a2233ba186515be7ed1f612970cee2d7afb81bdd762170481cd0069127d5b05aa993b4ea988d8fddc186ffb7dc90a6c08f4df435c93402849236c3fab4d27c7026c1d4dcb2602646dec9751e763dba37bdf8ff9406ad9e530ee5db382f413001aeb06a53ed9027d831179727b0865a8918da3edbebcf9b14ed44ce6cbaced4bb1bdb7f1447e6cc254b332051512bd7af426fb8f401378cd2bf5983ca01c64b92ecf032ea15d1721d03f482d7ce6e74fef6d55e702f46980c82b5a84031900b1c9e59e7c97fbec7e8f323a97a7e36cc88be0f1d45b7ff585ac54bd407b22b4154aacc8f6d7ebf48e1d814cc5ed20f8037e0a79715eef29be32806a1d58bb7c5da76f550aa3d8a1fbff0eb19ccb1a313d55cda56c9ec2ef29632387fe8d76e3c0468043e8f663f4860ee12bf2d5b0b7474d6e694f91e6dbe115974a3926f12fee5e438777cb6a932df8cd8bec4d073b931ba3bc832b68d9dd300741fa7bf8afc47ed2576f6936ba424663aab639c5ae4f5683423b4742bf1c978238f16cbe39d652de3fdb8befc848ad922222e04a4037c0713eb57a81a23f0c73473fc646cea306b4bcbc8862f8385ddfa9d4b7fa2c087e879683303ed5bdd3a062b3cf5b3a278a66d2a13f83f44f82ddf310ee074ab6a364597e899a0255dc164f31cc50846851df9ab48195ded7ea1b1d510bd7ee74d73faf36bc31ecfa268359046f4eb879f924009438b481c6cd7889a002ed5ee382bc9190da6fc026e479558e4475677e9aa9e3050e2765694dfc81f56e880b96e7160c980dd98edd3dfffffffffffffffff', 16) + super(KexGroup18_SHA512, self).__init__(out, 'KexGroup18_SHA512', 'sha512', 2, p) + + +class KexCurve25519_SHA256(KexDH): + def __init__(self, out: 'OutputBuffer') -> None: + super(KexCurve25519_SHA256, self).__init__(out, 'KexCurve25519_SHA256', 'sha256', 0, 0) + + # To start an ED25519 kex, we simply send a random 256-bit number as the + # public key. + def send_init(self, s: 'SSH_Socket', init_msg: int = Protocol.MSG_KEXDH_INIT) -> None: + self.__ed25519_pubkey = os.urandom(32) + s.write_byte(init_msg) + s.write_string(self.__ed25519_pubkey) + s.send_packet() + + +class KexNISTP256(KexDH): + def __init__(self, out: 'OutputBuffer') -> None: + super(KexNISTP256, self).__init__(out, 'KexNISTP256', 'sha256', 0, 0) + + # Because the server checks that the value sent here is valid (i.e.: it lies + # on the curve, among other things), we would have to write a lot of code + # or import an elliptic curve library in order to randomly generate a + # valid elliptic point each time. Hence, we will simply send a static + # value, which is enough for us to extract the server's host key. + def send_init(self, s: 'SSH_Socket', init_msg: int = Protocol.MSG_KEXDH_INIT) -> None: + s.write_byte(init_msg) + s.write_string(b'\x04\x0b\x60\x44\x9f\x8a\x11\x9e\xc7\x81\x0c\xa9\x98\xfc\xb7\x90\xaa\x6b\x26\x8c\x12\x4a\xc0\x09\xbb\xdf\xc4\x2c\x4c\x2c\x99\xb6\xe1\x71\xa0\xd4\xb3\x62\x47\x74\xb3\x39\x0c\xf2\x88\x4a\x84\x6b\x3b\x15\x77\xa5\x77\xd2\xa9\xc9\x94\xf9\xd5\x66\x19\xcd\x02\x34\xd1') + s.send_packet() + + +class KexNISTP384(KexDH): + def __init__(self, out: 'OutputBuffer') -> None: + super(KexNISTP384, self).__init__(out, 'KexNISTP384', 'sha256', 0, 0) + + # See comment for KexNISTP256.send_init(). + def send_init(self, s: 'SSH_Socket', init_msg: int = Protocol.MSG_KEXDH_INIT) -> None: + s.write_byte(init_msg) + s.write_string(b'\x04\xe2\x9b\x84\xce\xa1\x39\x50\xfe\x1e\xa3\x18\x70\x1c\xe2\x7a\xe4\xb5\x6f\xdf\x93\x9f\xd4\xf4\x08\xcc\x9b\x02\x10\xa4\xca\x77\x9c\x2e\x51\x44\x1d\x50\x7a\x65\x4e\x7e\x2f\x10\x2d\x2d\x4a\x32\xc9\x8e\x18\x75\x90\x6c\x19\x10\xda\xcc\xa8\xe9\xf4\xc4\x3a\x53\x80\x35\xf4\x97\x9c\x04\x16\xf9\x5a\xdc\xcc\x05\x94\x29\xfa\xc4\xd6\x87\x4e\x13\x21\xdb\x3d\x12\xac\xbd\x20\x3b\x60\xff\xe6\x58\x42') + s.send_packet() + + +class KexNISTP521(KexDH): + def __init__(self, out: 'OutputBuffer') -> None: + super(KexNISTP521, self).__init__(out, 'KexNISTP521', 'sha256', 0, 0) + + # See comment for KexNISTP256.send_init(). + def send_init(self, s: 'SSH_Socket', init_msg: int = Protocol.MSG_KEXDH_INIT) -> None: + s.write_byte(init_msg) + s.write_string(b'\x04\x01\x02\x90\x29\xe9\x8f\xa8\x04\xaf\x1c\x00\xf9\xc6\x29\xc0\x39\x74\x8e\xea\x47\x7e\x7c\xf7\x15\x6e\x43\x3b\x59\x13\x53\x43\xb0\xae\x0b\xe7\xe6\x7c\x55\x73\x52\xa5\x2a\xc1\x42\xde\xfc\xf4\x1f\x8b\x5a\x8d\xfa\xcd\x0a\x65\x77\xa8\xce\x68\xd2\xc6\x26\xb5\x3f\xee\x4b\x01\x7b\xd2\x96\x23\x69\x53\xc7\x01\xe1\x0d\x39\xe9\x87\x49\x3b\xc8\xec\xda\x0c\xf9\xca\xad\x89\x42\x36\x6f\x93\x78\x78\x31\x55\x51\x09\x51\xc0\x96\xd7\xea\x61\xbf\xc2\x44\x08\x80\x43\xed\xc6\xbb\xfb\x94\xbd\xf8\xdf\x2b\xd8\x0b\x2e\x29\x1b\x8c\xc4\x8a\x04\x2d\x3a') + s.send_packet() + + +class KexGroupExchange(KexDH): + def __init__(self, out: 'OutputBuffer', classname: str, hash_alg: str) -> None: + super(KexGroupExchange, self).__init__(out, classname, hash_alg, 0, 0) + + def send_init(self, s: 'SSH_Socket', init_msg: int = Protocol.MSG_KEXDH_GEX_REQUEST) -> None: + self.send_init_gex(s) + + # The group exchange starts with sending a message to the server with + # the minimum, maximum, and preferred number of bits are for the DH group. + # The server responds with a generator and prime modulus that matches that, + # then the handshake continues on like a normal DH handshake (except the + # SSH message types differ). + def send_init_gex(self, s: 'SSH_Socket', minbits: int = 1024, prefbits: int = 2048, maxbits: int = 8192) -> None: + + # Send the initial group exchange request. Tell the server what range + # of modulus sizes we will accept, along with our preference. + s.write_byte(Protocol.MSG_KEXDH_GEX_REQUEST) + s.write_int(minbits) + s.write_int(prefbits) + s.write_int(maxbits) + s.send_packet() + + packet_type, payload = s.read_packet(2) + if packet_type not in [Protocol.MSG_KEXDH_GEX_GROUP, Protocol.MSG_DEBUG]: + raise KexDHException('Expected MSG_KEXDH_GEX_REPLY (%d), but got %d instead.' % (Protocol.MSG_KEXDH_GEX_REPLY, packet_type)) + + # Skip any & all MSG_DEBUG messages. + while packet_type == Protocol.MSG_DEBUG: + packet_type, payload = s.read_packet(2) + + try: + # Parse the modulus (p) and generator (g) values from the server. + ptr = 0 + p_len = struct.unpack('>I', payload[ptr:ptr + 4])[0] + ptr += 4 + + p = int(binascii.hexlify(payload[ptr:ptr + p_len]), 16) + ptr += p_len + + g_len = struct.unpack('>I', payload[ptr:ptr + 4])[0] + ptr += 4 + + g = int(binascii.hexlify(payload[ptr:ptr + g_len]), 16) + ptr += g_len + except struct.error: + raise KexDHException("Error while parsing modulus and generator during GEX init: %s" % str(traceback.format_exc())) from None + + # Now that we got the generator and modulus, perform the DH exchange + # like usual. + super(KexGroupExchange, self).set_params(g, p) + super(KexGroupExchange, self).send_init(s, Protocol.MSG_KEXDH_GEX_INIT) + + +class KexGroupExchange_SHA1(KexGroupExchange): + def __init__(self, out: 'OutputBuffer') -> None: + super(KexGroupExchange_SHA1, self).__init__(out, 'KexGroupExchange_SHA1', 'sha1') + + +class KexGroupExchange_SHA256(KexGroupExchange): + def __init__(self, out: 'OutputBuffer') -> None: + super(KexGroupExchange_SHA256, self).__init__(out, 'KexGroupExchange_SHA256', 'sha256') diff --git a/src/ssh_audit/outputbuffer.py b/src/ssh_audit/outputbuffer.py new file mode 100644 index 0000000..38723e3 --- /dev/null +++ b/src/ssh_audit/outputbuffer.py @@ -0,0 +1,185 @@ +""" + The MIT License (MIT) + + Copyright (C) 2021 Joe Testa (jtesta@positronsecurity.com) + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +import os +import sys + +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + +from ssh_audit.utils import Utils + + +class OutputBuffer: + LEVELS: Sequence[str] = ('info', 'warn', 'fail') + COLORS = {'head': 36, 'good': 32, 'warn': 33, 'fail': 31} + + # Use brighter colors on Windows for better readability. + if Utils.is_windows(): + COLORS = {'head': 96, 'good': 92, 'warn': 93, 'fail': 91} + + def __init__(self, buffer_output: bool = True) -> None: + self.buffer_output = buffer_output + self.buffer: List[str] = [] + self.in_section = False + self.section: List[str] = [] + self.batch = False + self.verbose = False + self.debug = False + self.use_colors = True + self.json = False + self.__level = 0 + self.__is_color_supported = ('colorama' in sys.modules) or (os.name == 'posix') + self.line_ended = True + + def _print(self, level: str, s: str = '', line_ended: bool = True) -> None: + '''Saves output to buffer (if in buffered mode), or immediately prints to stdout otherwise.''' + + # If we're logging only 'warn' or above, and this is an 'info', ignore message. + if self.get_level(level) < self.__level: + return + + if self.use_colors and self.colors_supported and len(s) > 0 and level != 'info': + s = "\033[0;%dm%s\033[0m" % (self.COLORS[level], s) + + if self.buffer_output: + # Select which list to add to. If we are in a 'with' statement, then this goes in the section buffer, otherwise the general buffer. + buf = self.section if self.in_section else self.buffer + + # Determine if a new line should be added, or if the last line should be appended. + if not self.line_ended: + last_entry = -1 if len(buf) > 0 else 0 + buf[last_entry] = buf[last_entry] + s + else: + buf.append(s) + + # When False, this tells the next call to append to the last line we just added. + self.line_ended = line_ended + else: + print(s) + + def get_buffer(self) -> str: + '''Returns all buffered output, then clears the buffer.''' + self.flush_section() + + buffer_str = "\n".join(self.buffer) + self.buffer = [] + return buffer_str + + def write(self) -> None: + '''Writes the output to stdout.''' + self.flush_section() + print(self.get_buffer(), flush=True) + + def reset(self) -> None: + self.flush_section() + self.get_buffer() + + @property + def level(self) -> str: + '''Returns the minimum level for output.''' + if self.__level < len(self.LEVELS): + return self.LEVELS[self.__level] + return 'unknown' + + @level.setter + def level(self, name: str) -> None: + '''Sets the minimum level for output (one of: 'info', 'warn', 'fail').''' + self.__level = self.get_level(name) + + def get_level(self, name: str) -> int: + cname = 'info' if name == 'good' else name + if cname not in self.LEVELS: + return sys.maxsize + return self.LEVELS.index(cname) + + @property + def colors_supported(self) -> bool: + '''Returns True if the system supports color output.''' + return self.__is_color_supported + + # When used in a 'with' block, the output to goes into a section; this can be sorted separately when add_section_to_buffer() is later called. + def __enter__(self) -> 'OutputBuffer': + self.in_section = True + return self + + def __exit__(self, *args: Any) -> None: + self.in_section = False + + def flush_section(self, sort_section: bool = False) -> None: + '''Appends section output (optionally sorting it first) to the end of the buffer, then clears the section output.''' + if sort_section: + self.section.sort() + + self.buffer.extend(self.section) + self.section = [] + + def is_section_empty(self) -> bool: + '''Returns True if the section buffer is empty, otherwise False.''' + return len(self.section) == 0 + + def head(self, s: str, line_ended: bool = True) -> 'OutputBuffer': + if not self.batch: + self._print('head', s, line_ended) + return self + + def fail(self, s: str, line_ended: bool = True) -> 'OutputBuffer': + self._print('fail', s, line_ended) + return self + + def warn(self, s: str, line_ended: bool = True) -> 'OutputBuffer': + self._print('warn', s, line_ended) + return self + + def info(self, s: str, line_ended: bool = True) -> 'OutputBuffer': + self._print('info', s, line_ended) + return self + + def good(self, s: str, line_ended: bool = True) -> 'OutputBuffer': + self._print('good', s, line_ended) + return self + + def sep(self) -> 'OutputBuffer': + if not self.batch: + self._print('info') + return self + + def v(self, s: str, write_now: bool = False) -> 'OutputBuffer': + '''Prints a message if verbose output is enabled.''' + if self.verbose or self.debug: + self.info(s) + if write_now: + self.write() + + return self + + def d(self, s: str, write_now: bool = False) -> 'OutputBuffer': + '''Prints a message if verbose output is enabled.''' + if self.debug: + self.info(s) + if write_now: + self.write() + + return self diff --git a/src/ssh_audit/policy.py b/src/ssh_audit/policy.py new file mode 100644 index 0000000..56bda07 --- /dev/null +++ b/src/ssh_audit/policy.py @@ -0,0 +1,605 @@ +""" + The MIT License (MIT) + + Copyright (C) 2020-2023 Joe Testa (jtesta@positronsecurity.com) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +import copy +import json +import sys + +from typing import Dict, List, Tuple +from typing import Optional, Any, Union, cast +from datetime import date + +from ssh_audit import exitcodes +from ssh_audit.banner import Banner +from ssh_audit.globals import SNAP_PACKAGE, SNAP_PERMISSIONS_ERROR +from ssh_audit.ssh2_kex import SSH2_Kex + + +# Validates policy files and performs policy testing +class Policy: + + # Each field maps directly to a private member variable of the Policy class. + BUILTIN_POLICIES: Dict[str, Dict[str, Union[Optional[str], Optional[List[str]], bool, Dict[str, Any]]]] = { + + # Ubuntu Server policies + + 'Hardened Ubuntu Server 16.04 LTS (version 4)': {'version': '4', 'banner': None, 'compressions': None, 'host_keys': ['ssh-ed25519'], 'optional_host_keys': ['ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256@libssh.org', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened Ubuntu Server 18.04 LTS (version 4)': {'version': '4', 'banner': None, 'compressions': None, 'host_keys': ['ssh-ed25519'], 'optional_host_keys': ['ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened Ubuntu Server 20.04 LTS (version 5)': {'version': '5', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened Ubuntu Server 22.04 LTS (version 5)': {'version': '5', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + + # Generic OpenSSH Server policies + + 'Hardened OpenSSH Server v7.7 (version 4)': {'version': '4', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v7.8 (version 4)': {'version': '4', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v7.9 (version 4)': {'version': '4', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v8.0 (version 4)': {'version': '4', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v8.1 (version 4)': {'version': '4', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v8.2 (version 4)': {'version': '4', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v8.3 (version 4)': {'version': '4', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v8.4 (version 4)': {'version': '4', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v8.5 (version 4)': {'version': '4', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v8.6 (version 4)': {'version': '4', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v8.7 (version 4)': {'version': '4', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v8.8 (version 3)': {'version': '3', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v8.9 (version 3)': {'version': '3', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v9.0 (version 3)': {'version': '3', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v9.1 (version 3)': {'version': '3', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v9.2 (version 3)': {'version': '3', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519-cert-v01@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'sk-ssh-ed25519@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v9.3 (version 3)': {'version': '3', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v9.4 (version 2)': {'version': '2', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v9.5 (version 1)': {'version': '1', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + 'Hardened OpenSSH Server v9.6 (version 1)': {'version': '1', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['sk-ssh-ed25519@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com'], 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-s', 'kex-strict-s-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "rsa-sha2-256-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "rsa-sha2-512-cert-v01@openssh.com": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "sk-ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "sk-ssh-ed25519@openssh.com": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "ssh-ed25519-cert-v01@openssh.com": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True}, + + + # Ubuntu Client policies + + 'Hardened Ubuntu Client 16.04 LTS (version 2)': {'version': '2', 'banner': None, 'compressions': None, 'host_keys': ['ssh-ed25519', 'ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256', 'rsa-sha2-512'], 'optional_host_keys': None, 'kex': ['curve25519-sha256@libssh.org', 'diffie-hellman-group-exchange-sha256', 'ext-info-c'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False}, + + 'Hardened Ubuntu Client 18.04 LTS (version 2)': {'version': '2', 'banner': None, 'compressions': None, 'host_keys': ['ssh-ed25519', 'ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256', 'rsa-sha2-512'], 'optional_host_keys': None, 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-c'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False}, + + 'Hardened Ubuntu Client 20.04 LTS (version 3)': {'version': '3', 'banner': None, 'compressions': None, 'host_keys': ['ssh-ed25519', 'ssh-ed25519-cert-v01@openssh.com', 'sk-ssh-ed25519@openssh.com', 'sk-ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-256', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512', 'rsa-sha2-512-cert-v01@openssh.com'], 'optional_host_keys': None, 'kex': ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-c', 'kex-strict-c-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False}, + + 'Hardened Ubuntu Client 22.04 LTS (version 4)': {'version': '4', 'banner': None, 'compressions': None, 'host_keys': ['sk-ssh-ed25519-cert-v01@openssh.com', 'ssh-ed25519-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'sk-ssh-ed25519@openssh.com', 'ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': None, 'kex': ['sntrup761x25519-sha512@openssh.com', 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-c', 'kex-strict-c-v00@openssh.com'], 'ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'umac-128-etm@openssh.com'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False}, + + } + + WARNING_DEPRECATED_DIRECTIVES = "\nWARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.\n" + + def __init__(self, policy_file: Optional[str] = None, policy_data: Optional[str] = None, manual_load: bool = False, json_output: bool = False) -> None: + self._name: Optional[str] = None + self._version: Optional[str] = None + self._banner: Optional[str] = None + self._compressions: Optional[List[str]] = None + self._host_keys: Optional[List[str]] = None + self._optional_host_keys: Optional[List[str]] = None + self._kex: Optional[List[str]] = None + self._ciphers: Optional[List[str]] = None + self._macs: Optional[List[str]] = None + self._hostkey_sizes: Optional[Dict[str, Dict[str, Union[int, str, bytes]]]] = None + self._dh_modulus_sizes: Optional[Dict[str, int]] = None + self._server_policy = True + + self._name_and_version: str = '' + + # If invoked while JSON output is expected, send warnings to stderr instead of stdout (which would corrupt the JSON output). + if json_output: + self._warning_target = sys.stderr + else: + self._warning_target = sys.stdout + + # Ensure that only one mode was specified. + num_modes = 0 + if policy_file is not None: + num_modes += 1 + if policy_data is not None: + num_modes += 1 + if manual_load is True: + num_modes += 1 + + if num_modes != 1: + raise RuntimeError('Exactly one of the following can be specified only: policy_file, policy_data, or manual_load') + + if manual_load: + return + + if policy_file is not None: + try: + with open(policy_file, "r", encoding='utf-8') as f: + policy_data = f.read() + except FileNotFoundError: + print("Error: policy file not found: %s" % policy_file) + sys.exit(exitcodes.UNKNOWN_ERROR) + except PermissionError as e: + # If installed as a Snap package, print a more useful message with potential work-arounds. + if SNAP_PACKAGE: + print(SNAP_PERMISSIONS_ERROR) + else: + print("Error: insufficient permissions: %s" % str(e)) + sys.exit(exitcodes.UNKNOWN_ERROR) + + lines = [] + if policy_data is not None: + lines = policy_data.split("\n") + + for line in lines: + line = line.strip() + if (len(line) == 0) or line.startswith('#'): + continue + + key = None + val = None + try: + key, val = line.split('=') + except ValueError as ve: + raise ValueError("could not parse line: %s" % line) from ve + + key = key.strip() + val = val.strip() + + if key not in ['name', 'version', 'banner', 'compressions', 'host keys', 'optional host keys', 'key exchanges', 'ciphers', 'macs', 'client policy', 'host_key_sizes', 'dh_modulus_sizes'] and not key.startswith('hostkey_size_') and not key.startswith('cakey_size_') and not key.startswith('dh_modulus_size_'): + raise ValueError("invalid field found in policy: %s" % line) + + if key in ['name', 'banner']: + + # If the banner value is blank, set it to "" so that the code below handles it. + if len(val) < 2: + val = "\"\"" + + if (val[0] != '"') or (val[-1] != '"'): + raise ValueError('the value for the %s field must be enclosed in quotes: %s' % (key, val)) + + # Remove the surrounding quotes, and unescape quotes & newlines. + val = val[1:-1]. replace("\\\"", "\"").replace("\\n", "\n") + + if key == 'name': + self._name = val + elif key == 'banner': + self._banner = val + + elif key == 'version': + self._version = val + + elif key in ['compressions', 'host keys', 'optional host keys', 'key exchanges', 'ciphers', 'macs']: + try: + algs = val.split(',') + except ValueError: + # If the value has no commas, then set the algorithm list to just the value. + algs = [val] + + # Strip whitespace in each algorithm name. + algs = [alg.strip() for alg in algs] + + if key == 'compressions': + self._compressions = algs + elif key == 'host keys': + self._host_keys = algs + elif key == 'optional host keys': + self._optional_host_keys = algs + elif key == 'key exchanges': + self._kex = algs + elif key == 'ciphers': + self._ciphers = algs + elif key == 'macs': + self._macs = algs + + elif key.startswith('hostkey_size_'): # Old host key size format. + print(Policy.WARNING_DEPRECATED_DIRECTIVES, file=self._warning_target) # Warn the user that the policy file is using deprecated directives. + + hostkey_type = key[13:] + hostkey_size = int(val) + + if self._hostkey_sizes is None: + self._hostkey_sizes = {} + + self._hostkey_sizes[hostkey_type] = {'hostkey_size': hostkey_size, 'ca_key_type': '', 'ca_key_size': 0} + + elif key.startswith('cakey_size_'): # Old host key size format. + print(Policy.WARNING_DEPRECATED_DIRECTIVES, file=self._warning_target) # Warn the user that the policy file is using deprecated directives. + + hostkey_type = key[11:] + ca_key_size = int(val) + + ca_key_type = 'ssh-ed25519' + if hostkey_type in ['ssh-rsa-cert-v01@openssh.com', 'rsa-sha2-256-cert-v01@openssh.com', 'rsa-sha2-512-cert-v01@openssh.com']: + ca_key_type = 'ssh-rsa' + + if self._hostkey_sizes is None: + self._hostkey_sizes = {} + self._hostkey_sizes[hostkey_type] = {'hostkey_size': hostkey_size, 'ca_key_type': ca_key_type, 'ca_key_size': ca_key_size} + + elif key == 'host_key_sizes': # New host key size format. + self._hostkey_sizes = json.loads(val) + + # Fill in the trimmed fields that were omitted from the policy. + self._normalize_hostkey_sizes() + + elif key.startswith('dh_modulus_size_'): # Old DH modulus format. + print(Policy.WARNING_DEPRECATED_DIRECTIVES, file=self._warning_target) # Warn the user that the policy file is using deprecated directives. + + dh_type = key[16:] + dh_size = int(val) + + if self._dh_modulus_sizes is None: + self._dh_modulus_sizes = {} + + self._dh_modulus_sizes[dh_type] = dh_size + + elif key == 'dh_modulus_sizes': # New DH modulus format. + self._dh_modulus_sizes = json.loads(val) + + elif key.startswith('client policy') and val.lower() == 'true': + self._server_policy = False + + + if self._name is None: + raise ValueError('The policy does not have a name field.') + if self._version is None: + raise ValueError('The policy does not have a version field.') + + self._name_and_version = "%s (version %s)" % (self._name, self._version) + + + @staticmethod + def _append_error(errors: List[Any], mismatched_field: str, expected_required: Optional[List[str]], expected_optional: Optional[List[str]], actual: List[str]) -> None: + if expected_required is None: + expected_required = [''] + if expected_optional is None: + expected_optional = [''] + errors.append({'mismatched_field': mismatched_field, 'expected_required': expected_required, 'expected_optional': expected_optional, 'actual': actual}) + + + def _normalize_hostkey_sizes(self) -> None: + '''Normalizes the self._hostkey_sizes structure to ensure all required fields are present.''' + + if self._hostkey_sizes is not None: + for host_key_type in self._hostkey_sizes: + if 'ca_key_type' not in self._hostkey_sizes[host_key_type]: + self._hostkey_sizes[host_key_type]['ca_key_type'] = '' + if 'ca_key_size' not in self._hostkey_sizes[host_key_type]: + self._hostkey_sizes[host_key_type]['ca_key_size'] = 0 + if 'raw_hostkey_bytes' not in self._hostkey_sizes[host_key_type]: + self._hostkey_sizes[host_key_type]['raw_hostkey_bytes'] = b'' + + + @staticmethod + def create(source: Optional[str], banner: Optional['Banner'], kex: Optional['SSH2_Kex'], client_audit: bool) -> str: + '''Creates a policy based on a server configuration. Returns a string.''' + + today = date.today().strftime('%Y/%m/%d') + compressions = None + host_keys = None + kex_algs = None + ciphers = None + macs = None + dh_modulus_sizes_str = '' + client_policy_str = '' + host_keys_json = '' + + if client_audit: + client_policy_str = "\n# Set to true to signify this is a policy for clients, not servers.\nclient policy = true\n" + + if kex is not None: + if kex.server.compression is not None: + compressions = ', '.join(kex.server.compression) + if kex.key_algorithms is not None: + host_keys = ', '.join(kex.key_algorithms) + if kex.kex_algorithms is not None: + kex_algs = ', '.join(kex.kex_algorithms) + if kex.server.encryption is not None: + ciphers = ', '.join(kex.server.encryption) + if kex.server.mac is not None: + macs = ', '.join(kex.server.mac) + + if kex.host_keys(): + + # Make a deep copy of the host keys dict, then delete all the raw hostkey bytes from the copy. + host_keys_trimmed = copy.deepcopy(kex.host_keys()) + for hostkey_alg in host_keys_trimmed: + del host_keys_trimmed[hostkey_alg]['raw_hostkey_bytes'] + + # Delete the CA signature if any of its fields are empty. + if host_keys_trimmed[hostkey_alg]['ca_key_type'] == '' or host_keys_trimmed[hostkey_alg]['ca_key_size'] == 0: + del host_keys_trimmed[hostkey_alg]['ca_key_type'] + del host_keys_trimmed[hostkey_alg]['ca_key_size'] + + host_keys_json = "\n# Dictionary containing all host key and size information. Optionally contains the certificate authority's signature algorithm ('ca_key_type') and signature length ('ca_key_size'), if any.\nhost_key_sizes = %s\n" % json.dumps(host_keys_trimmed) + + if kex.dh_modulus_sizes(): + dh_modulus_sizes_str = "\n# Group exchange DH modulus sizes.\ndh_modulus_sizes = %s\n" % json.dumps(kex.dh_modulus_sizes()) + + + policy_data = '''# +# Custom policy based on %s (created on %s) +# +%s +# The name of this policy (displayed in the output during scans). Must be in quotes. +name = "Custom Policy (based on %s on %s)" + +# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings. +version = 1 + +# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal. +# banner = "%s" + +# The compression options that must match exactly (order matters). Commented out to ignore by default. +# compressions = %s +%s%s +# The host key types that must match exactly (order matters). +host keys = %s + +# Host key types that may optionally appear. +#optional host keys = ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com + +# The key exchange algorithms that must match exactly (order matters). +key exchanges = %s + +# The ciphers that must match exactly (order matters). +ciphers = %s + +# The MACs that must match exactly (order matters). +macs = %s +''' % (source, today, client_policy_str, source, today, banner, compressions, host_keys_json, dh_modulus_sizes_str, host_keys, kex_algs, ciphers, macs) + + return policy_data + + + def evaluate(self, banner: Optional['Banner'], kex: Optional['SSH2_Kex']) -> Tuple[bool, List[Dict[str, str]], str]: + '''Evaluates a server configuration against this policy. Returns a tuple of a boolean (True if server adheres to policy) and an array of strings that holds error messages.''' + + ret = True + errors: List[Any] = [] + + banner_str = str(banner) + if (self._banner is not None) and (banner_str != self._banner): + ret = False + self._append_error(errors, 'Banner', [self._banner], None, [banner_str]) + + # All subsequent tests require a valid kex, so end here if we don't have one. + if kex is None: + return ret, errors, self._get_error_str(errors) + + if (self._compressions is not None) and (kex.server.compression != self._compressions): + ret = False + self._append_error(errors, 'Compression', self._compressions, None, kex.server.compression) + + # If a list of optional host keys was given in the policy, remove any of its entries from the list retrieved from the server. This allows us to do an exact comparison with the expected list below. + pruned_host_keys = kex.key_algorithms + if self._optional_host_keys is not None: + pruned_host_keys = [x for x in kex.key_algorithms if x not in self._optional_host_keys] + + if (self._host_keys is not None) and (pruned_host_keys != self._host_keys): + ret = False + self._append_error(errors, 'Host keys', self._host_keys, self._optional_host_keys, kex.key_algorithms) + + if self._hostkey_sizes is not None: + hostkey_types = list(self._hostkey_sizes.keys()) + hostkey_types.sort() # Sorted to make testing output repeatable. + for hostkey_type in hostkey_types: + expected_hostkey_size = self._hostkey_sizes[hostkey_type]['hostkey_size'] + server_host_keys = kex.host_keys() + if hostkey_type in server_host_keys: + actual_hostkey_size = server_host_keys[hostkey_type]['hostkey_size'] + if actual_hostkey_size != expected_hostkey_size: + ret = False + self._append_error(errors, 'Host key (%s) sizes' % hostkey_type, [str(expected_hostkey_size)], None, [str(actual_hostkey_size)]) + + # If we have expected CA signatures set, check them against what the server returned. + if self._hostkey_sizes is not None and len(cast(str, self._hostkey_sizes[hostkey_type]['ca_key_type'])) > 0 and cast(int, self._hostkey_sizes[hostkey_type]['ca_key_size']) > 0: + expected_ca_key_type = cast(str, self._hostkey_sizes[hostkey_type]['ca_key_type']) + expected_ca_key_size = cast(int, self._hostkey_sizes[hostkey_type]['ca_key_size']) + actual_ca_key_type = cast(str, server_host_keys[hostkey_type]['ca_key_type']) + actual_ca_key_size = cast(int, server_host_keys[hostkey_type]['ca_key_size']) + + # Ensure that the CA signature type is what's expected (i.e.: the server doesn't have an RSA sig when we're expecting an ED25519 sig). + if actual_ca_key_type != expected_ca_key_type: + ret = False + self._append_error(errors, 'CA signature type', [expected_ca_key_type], None, [actual_ca_key_type]) + # Ensure that the actual and expected signature sizes match. + elif actual_ca_key_size != expected_ca_key_size: + ret = False + self._append_error(errors, 'CA signature size (%s)' % actual_ca_key_type, [str(expected_ca_key_size)], None, [str(actual_ca_key_size)]) + + if kex.kex_algorithms != self._kex: + ret = False + self._append_error(errors, 'Key exchanges', self._kex, None, kex.kex_algorithms) + + if (self._ciphers is not None) and (kex.server.encryption != self._ciphers): + ret = False + self._append_error(errors, 'Ciphers', self._ciphers, None, kex.server.encryption) + + if (self._macs is not None) and (kex.server.mac != self._macs): + ret = False + self._append_error(errors, 'MACs', self._macs, None, kex.server.mac) + + if self._dh_modulus_sizes is not None: + dh_modulus_types = list(self._dh_modulus_sizes.keys()) + dh_modulus_types.sort() # Sorted to make testing output repeatable. + for dh_modulus_type in dh_modulus_types: + expected_dh_modulus_size = self._dh_modulus_sizes[dh_modulus_type] + if dh_modulus_type in kex.dh_modulus_sizes(): + actual_dh_modulus_size = kex.dh_modulus_sizes()[dh_modulus_type] + if expected_dh_modulus_size != actual_dh_modulus_size: + ret = False + self._append_error(errors, 'Group exchange (%s) modulus sizes' % dh_modulus_type, [str(expected_dh_modulus_size)], None, [str(actual_dh_modulus_size)]) + + return ret, errors, self._get_error_str(errors) + + + @staticmethod + def _get_error_str(errors: List[Any]) -> str: + '''Transforms an error struct to a flat string of error messages.''' + + error_list = [] + spacer = '' + for e in errors: + e_str = " * %s did not match.\n" % e['mismatched_field'] + if ('expected_optional' in e) and (e['expected_optional'] != ['']): + e_str += " - Expected (required): %s\n - Expected (optional): %s\n" % (Policy._normalize_error_field(e['expected_required']), Policy._normalize_error_field(e['expected_optional'])) + spacer = ' ' + else: + e_str += " - Expected: %s\n" % Policy._normalize_error_field(e['expected_required']) + spacer = ' ' + e_str += " - Actual:%s%s\n" % (spacer, Policy._normalize_error_field(e['actual'])) + error_list.append(e_str) + + error_list.sort() # To ensure repeatable results for testing. + + error_str = '' + if len(error_list) > 0: + error_str = "\n".join(error_list) + + return error_str + + + def get_name_and_version(self) -> str: + '''Returns a string of this Policy's name and version.''' + return self._name_and_version + + + def is_server_policy(self) -> bool: + '''Returns True if this is a server policy, or False if this is a client policy.''' + return self._server_policy + + + @staticmethod + def list_builtin_policies() -> Tuple[List[str], List[str]]: + '''Returns two lists: a list of names of built-in server policies, and a list of names of built-in client policies, respectively.''' + server_policy_names = [] + client_policy_names = [] + + for policy_name, policy in Policy.BUILTIN_POLICIES.items(): + if policy['server_policy']: + server_policy_names.append(policy_name) + else: + client_policy_names.append(policy_name) + + server_policy_names.sort() + client_policy_names.sort() + return server_policy_names, client_policy_names + + + @staticmethod + def load_builtin_policy(policy_name: str, json_output: bool = False) -> Optional['Policy']: + '''Returns a Policy with the specified built-in policy name loaded, or None if no policy of that name exists.''' + p = None + if policy_name in Policy.BUILTIN_POLICIES: + policy_struct = Policy.BUILTIN_POLICIES[policy_name] + p = Policy(manual_load=True, json_output=json_output) + policy_name_without_version = policy_name[0:policy_name.rfind(' (')] + p._name = policy_name_without_version # pylint: disable=protected-access + p._version = cast(str, policy_struct['version']) # pylint: disable=protected-access + p._banner = cast(Optional[str], policy_struct['banner']) # pylint: disable=protected-access + p._compressions = cast(Optional[List[str]], policy_struct['compressions']) # pylint: disable=protected-access + p._host_keys = cast(Optional[List[str]], policy_struct['host_keys']) # pylint: disable=protected-access + p._optional_host_keys = cast(Optional[List[str]], policy_struct['optional_host_keys']) # pylint: disable=protected-access + p._kex = cast(Optional[List[str]], policy_struct['kex']) # pylint: disable=protected-access + p._ciphers = cast(Optional[List[str]], policy_struct['ciphers']) # pylint: disable=protected-access + p._macs = cast(Optional[List[str]], policy_struct['macs']) # pylint: disable=protected-access + p._hostkey_sizes = cast(Optional[Dict[str, Dict[str, Union[int, str, bytes]]]], policy_struct['hostkey_sizes']) # pylint: disable=protected-access + p._dh_modulus_sizes = cast(Optional[Dict[str, int]], policy_struct['dh_modulus_sizes']) # pylint: disable=protected-access + p._server_policy = cast(bool, policy_struct['server_policy']) # pylint: disable=protected-access + p._name_and_version = "%s (version %s)" % (p._name, p._version) # pylint: disable=protected-access + + # Ensure this struct has all the necessary fields. + p._normalize_hostkey_sizes() # pylint: disable=protected-access + + return p + + + @staticmethod + def _normalize_error_field(field: List[str]) -> Any: + '''If field is an array with a string parsable as an integer, return that integer. Otherwise, return the field joined with commas.''' + if len(field) == 1: + try: + return int(field[0]) + except ValueError: + return field[0] + else: + return ', '.join(field) + + + def __str__(self) -> str: + undefined = '{undefined}' + + name = undefined + version = undefined + banner = undefined + compressions_str = undefined + host_keys_str = undefined + optional_host_keys_str = undefined + kex_str = undefined + ciphers_str = undefined + macs_str = undefined + hostkey_sizes_str = undefined + dh_modulus_sizes_str = undefined + + + if self._name is not None: + name = '[%s]' % self._name + if self._version is not None: + version = '[%s]' % self._version + if self._banner is not None: + banner = '[%s]' % self._banner + + if self._compressions is not None: + compressions_str = ', '.join(self._compressions) + if self._host_keys is not None: + host_keys_str = ', '.join(self._host_keys) + if self._optional_host_keys is not None: + optional_host_keys_str = ', '.join(self._optional_host_keys) + if self._kex is not None: + kex_str = ', '.join(self._kex) + if self._ciphers is not None: + ciphers_str = ', '.join(self._ciphers) + if self._macs is not None: + macs_str = ', '.join(self._macs) + if self._hostkey_sizes is not None: + hostkey_sizes_str = str(self._hostkey_sizes) + if self._dh_modulus_sizes is not None: + dh_modulus_sizes_str = str(self._dh_modulus_sizes) + + return "Name: %s\nVersion: %s\nBanner: %s\nCompressions: %s\nHost Keys: %s\nOptional Host Keys: %s\nKey Exchanges: %s\nCiphers: %s\nMACs: %s\nHost Key Sizes: %s\nDH Modulus Sizes: %s\nServer Policy: %r" % (name, version, banner, compressions_str, host_keys_str, optional_host_keys_str, kex_str, ciphers_str, macs_str, hostkey_sizes_str, dh_modulus_sizes_str, self._server_policy) diff --git a/src/ssh_audit/product.py b/src/ssh_audit/product.py new file mode 100644 index 0000000..2d8ae06 --- /dev/null +++ b/src/ssh_audit/product.py @@ -0,0 +1,31 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" + + +class Product: # pylint: disable=too-few-public-methods + OpenSSH = 'OpenSSH' + DropbearSSH = 'Dropbear SSH' + LibSSH = 'libssh' + TinySSH = 'TinySSH' + PuTTY = 'PuTTY' diff --git a/src/ssh_audit/protocol.py b/src/ssh_audit/protocol.py new file mode 100644 index 0000000..1b1b216 --- /dev/null +++ b/src/ssh_audit/protocol.py @@ -0,0 +1,36 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" + + +class Protocol: # pylint: disable=too-few-public-methods + SMSG_PUBLIC_KEY = 2 + MSG_DEBUG = 4 + MSG_KEXINIT = 20 + MSG_NEWKEYS = 21 + MSG_KEXDH_INIT = 30 + MSG_KEXDH_REPLY = 31 + MSG_KEXDH_GEX_REQUEST = 34 + MSG_KEXDH_GEX_GROUP = 31 + MSG_KEXDH_GEX_INIT = 32 + MSG_KEXDH_GEX_REPLY = 33 diff --git a/src/ssh_audit/readbuf.py b/src/ssh_audit/readbuf.py new file mode 100644 index 0000000..c9405c4 --- /dev/null +++ b/src/ssh_audit/readbuf.py @@ -0,0 +1,92 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +import io +import struct + +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + + +class ReadBuf: + def __init__(self, data: Optional[bytes] = None) -> None: + super(ReadBuf, self).__init__() + self._buf = io.BytesIO(data) if data is not None else io.BytesIO() + self._len = len(data) if data is not None else 0 + + @property + def unread_len(self) -> int: + return self._len - self._buf.tell() + + def read(self, size: int) -> bytes: + return self._buf.read(size) + + def read_byte(self) -> int: + v: int = struct.unpack('B', self.read(1))[0] + return v + + def read_bool(self) -> bool: + return self.read_byte() != 0 + + def read_int(self) -> int: + v: int = struct.unpack('>I', self.read(4))[0] + return v + + def read_list(self) -> List[str]: + list_size = self.read_int() + return self.read(list_size).decode('utf-8', 'replace').split(',') + + def read_string(self) -> bytes: + n = self.read_int() + return self.read(n) + + @classmethod + def _parse_mpint(cls, v: bytes, pad: bytes, f: str) -> int: + r = 0 + if len(v) % 4 != 0: + v = pad * (4 - (len(v) % 4)) + v + for i in range(0, len(v), 4): + r = (r << 32) | struct.unpack(f, v[i:i + 4])[0] + return r + + def read_mpint1(self) -> int: + # NOTE: Data Type Enc @ http://www.snailbook.com/docs/protocol-1.5.txt + bits = struct.unpack('>H', self.read(2))[0] + n = (bits + 7) // 8 + return self._parse_mpint(self.read(n), b'\x00', '>I') + + def read_mpint2(self) -> int: + # NOTE: Section 5 @ https://www.ietf.org/rfc/rfc4251.txt + v = self.read_string() + if len(v) == 0: + return 0 + pad, f = (b'\xff', '>i') if ord(v[0:1]) & 0x80 != 0 else (b'\x00', '>I') + return self._parse_mpint(v, pad, f) + + def read_line(self) -> str: + return self._buf.readline().rstrip().decode('utf-8', 'replace') + + def reset(self) -> None: + self._buf = io.BytesIO() + self._len = 0 diff --git a/src/ssh_audit/software.py b/src/ssh_audit/software.py new file mode 100644 index 0000000..f13ebeb --- /dev/null +++ b/src/ssh_audit/software.py @@ -0,0 +1,227 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +import re + +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + +from ssh_audit.banner import Banner +from ssh_audit.product import Product + + +class Software: + def __init__(self, vendor: Optional[str], product: str, version: str, patch: Optional[str], os_version: Optional[str]) -> None: + self.__vendor = vendor + self.__product = product + self.__version = version + self.__patch = patch + self.__os = os_version + + @property + def vendor(self) -> Optional[str]: + return self.__vendor + + @property + def product(self) -> str: + return self.__product + + @property + def version(self) -> str: + return self.__version + + @property + def patch(self) -> Optional[str]: + return self.__patch + + @property + def os(self) -> Optional[str]: + return self.__os + + def compare_version(self, other: Union[None, 'Software', str]) -> int: + # pylint: disable=too-many-branches,too-many-return-statements + if other is None: + return 1 + if isinstance(other, Software): + other = '{}{}'.format(other.version, other.patch or '') + else: + other = str(other) + mx = re.match(r'^([\d\.]+\d+)(.*)$', other) + if mx is not None: + oversion, opatch = mx.group(1), mx.group(2).strip() + else: + oversion, opatch = other, '' + if self.version < oversion: + return -1 + elif self.version > oversion: + return 1 + spatch = self.patch or '' + if self.product == Product.DropbearSSH: + if not re.match(r'^test\d.*$', opatch): + opatch = 'z{}'.format(opatch) + if not re.match(r'^test\d.*$', spatch): + spatch = 'z{}'.format(spatch) + elif self.product == Product.OpenSSH: + mx1 = re.match(r'^p(\d).*', opatch) + mx2 = re.match(r'^p(\d).*', spatch) + if not (bool(mx1) and bool(mx2)): + if mx1 is not None: + opatch = mx1.group(1) + if mx2 is not None: + spatch = mx2.group(1) + # OpenBSD version and p1 versions are considered the same. + if ((spatch == '') and (opatch == '1')) or ((spatch == '1') and (opatch == '')): + return 0 + if spatch < opatch: + return -1 + elif spatch > opatch: + return 1 + return 0 + + def between_versions(self, vfrom: str, vtill: str) -> bool: + if bool(vfrom) and self.compare_version(vfrom) < 0: + return False + if bool(vtill) and self.compare_version(vtill) > 0: + return False + return True + + def display(self, full: bool = True) -> str: + r = '{} '.format(self.vendor) if bool(self.vendor) else '' + r += self.product + if bool(self.version): + r += ' {}'.format(self.version) + if full: + patch = self.patch or '' + if self.product == Product.OpenSSH: + mx = re.match(r'^(p\d)(.*)$', patch) + if mx is not None: + r += mx.group(1) + patch = mx.group(2).strip() + if bool(patch): + r += ' ({})'.format(patch) + if bool(self.os): + r += ' running on {}'.format(self.os) + return r + + def __str__(self) -> str: + return self.display() + + def __repr__(self) -> str: + r = 'vendor={}, '.format(self.vendor) if bool(self.vendor) else '' + r += 'product={}'.format(self.product) + if bool(self.version): + r += ', version={}'.format(self.version) + if bool(self.patch): + r += ', patch={}'.format(self.patch) + if bool(self.os): + r += ', os={}'.format(self.os) + return '<{}({})>'.format(self.__class__.__name__, r) + + @staticmethod + def _fix_patch(patch: str) -> Optional[str]: + return re.sub(r'^[-_\.]+', '', patch) or None + + @staticmethod + def _fix_date(d: Optional[str]) -> Optional[str]: + if d is not None and len(d) == 8: + return '{}-{}-{}'.format(d[:4], d[4:6], d[6:8]) + else: + return None + + @classmethod + def _extract_os_version(cls, c: Optional[str]) -> Optional[str]: + if c is None: + return None + mx = re.match(r'^NetBSD(?:_Secure_Shell)?(?:[\s-]+(\d{8})(.*))?$', c) + if mx is not None: + d = cls._fix_date(mx.group(1)) + return 'NetBSD' if d is None else 'NetBSD ({})'.format(d) + mx = re.match(r'^FreeBSD(?:\slocalisations)?[\s-]+(\d{8})(.*)$', c) + if not bool(mx): + mx = re.match(r'^[^@]+@FreeBSD\.org[\s-]+(\d{8})(.*)$', c) + if mx is not None: + d = cls._fix_date(mx.group(1)) + return 'FreeBSD' if d is None else 'FreeBSD ({})'.format(d) + w = ['RemotelyAnywhere', 'DesktopAuthority', 'RemoteSupportManager'] + for win_soft in w: + mx = re.match(r'^in ' + win_soft + r' ([\d\.]+\d)$', c) + if mx is not None: + ver = mx.group(1) + return 'Microsoft Windows ({} {})'.format(win_soft, ver) + generic = ['NetBSD', 'FreeBSD'] + for g in generic: + if c.startswith(g) or c.endswith(g): + return g + return None + + @classmethod + def parse(cls, banner: 'Banner') -> Optional['Software']: + # pylint: disable=too-many-return-statements + software = str(banner.software) + mx = re.match(r'^dropbear_([\d\.]+\d+)(.*)', software) + v: Optional[str] = None + if mx is not None: + patch = cls._fix_patch(mx.group(2)) + v, p = 'Matt Johnston', Product.DropbearSSH + v = None + return cls(v, p, mx.group(1), patch, None) + mx = re.match(r'^OpenSSH[_\.-]+([\d\.]+\d+)(.*)', software) + if mx is not None: + patch = cls._fix_patch(mx.group(2)) + v, p = 'OpenBSD', Product.OpenSSH + v = None + os_version = cls._extract_os_version(banner.comments) + return cls(v, p, mx.group(1), patch, os_version) + mx = re.match(r'^libssh-([\d\.]+\d+)(.*)', software) + if mx is not None: + patch = cls._fix_patch(mx.group(2)) + v, p = None, Product.LibSSH + os_version = cls._extract_os_version(banner.comments) + return cls(v, p, mx.group(1), patch, os_version) + mx = re.match(r'^libssh_([\d\.]+\d+)(.*)', software) + if mx is not None: + patch = cls._fix_patch(mx.group(2)) + v, p = None, Product.LibSSH + os_version = cls._extract_os_version(banner.comments) + return cls(v, p, mx.group(1), patch, os_version) + mx = re.match(r'^RomSShell_([\d\.]+\d+)(.*)', software) + if mx is not None: + patch = cls._fix_patch(mx.group(2)) + v, p = 'Allegro Software', 'RomSShell' + return cls(v, p, mx.group(1), patch, None) + mx = re.match(r'^mpSSH_([\d\.]+\d+)', software) + if mx is not None: + v, p = 'HP', 'iLO (Integrated Lights-Out) sshd' + return cls(v, p, mx.group(1), None, None) + mx = re.match(r'^Cisco-([\d\.]+\d+)', software) + if mx is not None: + v, p = 'Cisco', 'IOS/PIX sshd' + return cls(v, p, mx.group(1), None, None) + mx = re.match(r'^tinyssh_(.*)', software) + if mx is not None: + return cls(None, Product.TinySSH, mx.group(1), None, None) + mx = re.match(r'^PuTTY_Release_(.*)', software) + if mx: + return cls(None, Product.PuTTY, mx.group(1), None, None) + return None diff --git a/src/ssh_audit/ssh1.py b/src/ssh_audit/ssh1.py new file mode 100644 index 0000000..f966b74 --- /dev/null +++ b/src/ssh_audit/ssh1.py @@ -0,0 +1,40 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + +from ssh_audit.ssh1_crc32 import SSH1_CRC32 + + +class SSH1: + _crc32: Optional[SSH1_CRC32] = None + CIPHERS = ['none', 'idea', 'des', '3des', 'tss', 'rc4', 'blowfish'] + AUTHS = ['none', 'rhosts', 'rsa', 'password', 'rhosts_rsa', 'tis', 'kerberos'] + + @classmethod + def crc32(cls, v: bytes) -> int: + if cls._crc32 is None: + cls._crc32 = SSH1_CRC32() + return cls._crc32.calc(v) diff --git a/src/ssh_audit/ssh1_crc32.py b/src/ssh_audit/ssh1_crc32.py new file mode 100644 index 0000000..55089ed --- /dev/null +++ b/src/ssh_audit/ssh1_crc32.py @@ -0,0 +1,47 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + + +class SSH1_CRC32: + def __init__(self) -> None: + self._table = [0] * 256 + for i in range(256): + crc = 0 + n = i + for _ in range(8): + x = (crc ^ n) & 1 + crc = (crc >> 1) ^ (x * 0xedb88320) + n = n >> 1 + self._table[i] = crc + + def calc(self, v: bytes) -> int: + crc, length = 0, len(v) + for i in range(length): + n = ord(v[i:i + 1]) + n = n ^ (crc & 0xff) + crc = (crc >> 8) ^ self._table[n] + return crc diff --git a/src/ssh_audit/ssh1_kexdb.py b/src/ssh_audit/ssh1_kexdb.py new file mode 100644 index 0000000..3a7de1b --- /dev/null +++ b/src/ssh_audit/ssh1_kexdb.py @@ -0,0 +1,84 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +# pylint: disable=unused-import +import copy +import threading + +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + + +class SSH1_KexDB: # pylint: disable=too-few-public-methods + + FAIL_PLAINTEXT = 'no encryption/integrity' + FAIL_OPENSSH37_REMOVE = 'removed since OpenSSH 3.7' + FAIL_NA_BROKEN = 'not implemented in OpenSSH, broken algorithm' + FAIL_NA_UNSAFE = 'not implemented in OpenSSH (server), unsafe algorithm' + TEXT_CIPHER_IDEA = 'cipher used by commercial SSH' + + DB_PER_THREAD: Dict[int, Dict[str, Dict[str, List[List[Optional[str]]]]]] = {} + + MASTER_DB: Dict[str, Dict[str, List[List[Optional[str]]]]] = { + 'key': { + 'ssh-rsa1': [['1.2.2']], + }, + 'enc': { + 'none': [['1.2.2'], [FAIL_PLAINTEXT]], + 'idea': [[None], [], [], [TEXT_CIPHER_IDEA]], + 'des': [['2.3.0C'], [FAIL_NA_UNSAFE]], + '3des': [['1.2.2']], + 'tss': [[''], [FAIL_NA_BROKEN]], + 'rc4': [[], [FAIL_NA_BROKEN]], + 'blowfish': [['1.2.2']], + }, + 'aut': { + 'rhosts': [['1.2.2', '3.6'], [FAIL_OPENSSH37_REMOVE]], + 'rsa': [['1.2.2']], + 'password': [['1.2.2']], + 'rhosts_rsa': [['1.2.2']], + 'tis': [['1.2.2']], + 'kerberos': [['1.2.2', '3.6'], [FAIL_OPENSSH37_REMOVE]], + } + } + + + @staticmethod + def get_db() -> Dict[str, Dict[str, List[List[Optional[str]]]]]: + '''Returns a copy of the MASTER_DB that is private to the calling thread. This prevents multiple threads from polluting the results of other threads.''' + calling_thread_id = threading.get_ident() + + if calling_thread_id not in SSH1_KexDB.DB_PER_THREAD: + SSH1_KexDB.DB_PER_THREAD[calling_thread_id] = copy.deepcopy(SSH1_KexDB.MASTER_DB) + + return SSH1_KexDB.DB_PER_THREAD[calling_thread_id] + + + @staticmethod + def thread_exit() -> None: + '''Deletes the calling thread's copy of the MASTER_DB. This is needed because, in rare circumstances, a terminated thread's ID can be re-used by new threads.''' + + calling_thread_id = threading.get_ident() + + if calling_thread_id in SSH1_KexDB.DB_PER_THREAD: + del SSH1_KexDB.DB_PER_THREAD[calling_thread_id] diff --git a/src/ssh_audit/ssh1_publickeymessage.py b/src/ssh_audit/ssh1_publickeymessage.py new file mode 100644 index 0000000..67c4dec --- /dev/null +++ b/src/ssh_audit/ssh1_publickeymessage.py @@ -0,0 +1,144 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + +from ssh_audit.ssh1 import SSH1 +from ssh_audit.readbuf import ReadBuf +from ssh_audit.utils import Utils +from ssh_audit.writebuf import WriteBuf + + +class SSH1_PublicKeyMessage: + def __init__(self, cookie: bytes, skey: Tuple[int, int, int], hkey: Tuple[int, int, int], pflags: int, cmask: int, amask: int) -> None: + if len(skey) != 3: + raise ValueError('invalid server key pair: {}'.format(skey)) + if len(hkey) != 3: + raise ValueError('invalid host key pair: {}'.format(hkey)) + self.__cookie = cookie + self.__server_key = skey + self.__host_key = hkey + self.__protocol_flags = pflags + self.__supported_ciphers_mask = cmask + self.__supported_authentications_mask = amask + + @property + def cookie(self) -> bytes: + return self.__cookie + + @property + def server_key_bits(self) -> int: + return self.__server_key[0] + + @property + def server_key_public_exponent(self) -> int: + return self.__server_key[1] + + @property + def server_key_public_modulus(self) -> int: + return self.__server_key[2] + + @property + def host_key_bits(self) -> int: + return self.__host_key[0] + + @property + def host_key_public_exponent(self) -> int: + return self.__host_key[1] + + @property + def host_key_public_modulus(self) -> int: + return self.__host_key[2] + + @property + def host_key_fingerprint_data(self) -> bytes: + # pylint: disable=protected-access + mod = WriteBuf._create_mpint(self.host_key_public_modulus, False) + e = WriteBuf._create_mpint(self.host_key_public_exponent, False) + return mod + e + + @property + def protocol_flags(self) -> int: + return self.__protocol_flags + + @property + def supported_ciphers_mask(self) -> int: + return self.__supported_ciphers_mask + + @property + def supported_ciphers(self) -> List[str]: + ciphers = [] + for i in range(len(SSH1.CIPHERS)): # pylint: disable=consider-using-enumerate + if self.__supported_ciphers_mask & (1 << i) != 0: + ciphers.append(Utils.to_text(SSH1.CIPHERS[i])) + return ciphers + + @property + def supported_authentications_mask(self) -> int: + return self.__supported_authentications_mask + + @property + def supported_authentications(self) -> List[str]: + auths = [] + for i in range(1, len(SSH1.AUTHS)): + if self.__supported_authentications_mask & (1 << i) != 0: + auths.append(Utils.to_text(SSH1.AUTHS[i])) + return auths + + def write(self, wbuf: 'WriteBuf') -> None: + wbuf.write(self.cookie) + wbuf.write_int(self.server_key_bits) + wbuf.write_mpint1(self.server_key_public_exponent) + wbuf.write_mpint1(self.server_key_public_modulus) + wbuf.write_int(self.host_key_bits) + wbuf.write_mpint1(self.host_key_public_exponent) + wbuf.write_mpint1(self.host_key_public_modulus) + wbuf.write_int(self.protocol_flags) + wbuf.write_int(self.supported_ciphers_mask) + wbuf.write_int(self.supported_authentications_mask) + + @property + def payload(self) -> bytes: + wbuf = WriteBuf() + self.write(wbuf) + return wbuf.write_flush() + + @classmethod + def parse(cls, payload: bytes) -> 'SSH1_PublicKeyMessage': + buf = ReadBuf(payload) + cookie = buf.read(8) + server_key_bits = buf.read_int() + server_key_exponent = buf.read_mpint1() + server_key_modulus = buf.read_mpint1() + skey = (server_key_bits, server_key_exponent, server_key_modulus) + host_key_bits = buf.read_int() + host_key_exponent = buf.read_mpint1() + host_key_modulus = buf.read_mpint1() + hkey = (host_key_bits, host_key_exponent, host_key_modulus) + pflags = buf.read_int() + cmask = buf.read_int() + amask = buf.read_int() + pkm = cls(cookie, skey, hkey, pflags, cmask, amask) + return pkm diff --git a/src/ssh_audit/ssh2_kex.py b/src/ssh_audit/ssh2_kex.py new file mode 100644 index 0000000..d71724f --- /dev/null +++ b/src/ssh_audit/ssh2_kex.py @@ -0,0 +1,134 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017-2020 Joe Testa (jtesta@positronsecurity.com) + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +from typing import Dict, List +from typing import Union + +from ssh_audit.outputbuffer import OutputBuffer +from ssh_audit.readbuf import ReadBuf +from ssh_audit.ssh2_kexparty import SSH2_KexParty +from ssh_audit.writebuf import WriteBuf + + +class SSH2_Kex: + def __init__(self, outputbuffer: 'OutputBuffer', cookie: bytes, kex_algs: List[str], key_algs: List[str], cli: 'SSH2_KexParty', srv: 'SSH2_KexParty', follows: bool, unused: int = 0) -> None: # pylint: disable=too-many-arguments + self.__outputbuffer = outputbuffer + self.__cookie = cookie + self.__kex_algs = kex_algs + self.__key_algs = key_algs + self.__client = cli + self.__server = srv + self.__follows = follows + self.__unused = unused + + self.__dh_modulus_sizes: Dict[str, int] = {} + self.__host_keys: Dict[str, Dict[str, Union[bytes, str, int]]] = {} + + @property + def cookie(self) -> bytes: + return self.__cookie + + @property + def kex_algorithms(self) -> List[str]: + return self.__kex_algs + + @property + def key_algorithms(self) -> List[str]: + return self.__key_algs + + # client_to_server + @property + def client(self) -> 'SSH2_KexParty': + return self.__client + + # server_to_client + @property + def server(self) -> 'SSH2_KexParty': + return self.__server + + @property + def follows(self) -> bool: + return self.__follows + + @property + def unused(self) -> int: + return self.__unused + + def set_dh_modulus_size(self, gex_alg: str, modulus_size: int) -> None: + self.__dh_modulus_sizes[gex_alg] = modulus_size + + def dh_modulus_sizes(self) -> Dict[str, int]: + return self.__dh_modulus_sizes + + def set_host_key(self, key_type: str, raw_hostkey_bytes: bytes, hostkey_size: int, ca_key_type: str, ca_key_size: int) -> None: + + if key_type not in self.__host_keys: + self.__host_keys[key_type] = {'raw_hostkey_bytes': raw_hostkey_bytes, 'hostkey_size': hostkey_size, 'ca_key_type': ca_key_type, 'ca_key_size': ca_key_size} + else: # A host key may only have one CA signature... + self.__outputbuffer.d("WARNING: called SSH2_Kex.set_host_key() multiple times with the same host key type (%s)! Existing info: %r, %r, %r; Duplicate (ignored) info: %r, %r, %r" % (key_type, self.__host_keys[key_type]['hostkey_size'], self.__host_keys[key_type]['ca_key_type'], self.__host_keys[key_type]['ca_key_size'], hostkey_size, ca_key_type, ca_key_size)) + + def host_keys(self) -> Dict[str, Dict[str, Union[bytes, str, int]]]: + return self.__host_keys + + def write(self, wbuf: 'WriteBuf') -> None: + wbuf.write(self.cookie) + wbuf.write_list(self.kex_algorithms) + wbuf.write_list(self.key_algorithms) + wbuf.write_list(self.client.encryption) + wbuf.write_list(self.server.encryption) + wbuf.write_list(self.client.mac) + wbuf.write_list(self.server.mac) + wbuf.write_list(self.client.compression) + wbuf.write_list(self.server.compression) + wbuf.write_list(self.client.languages) + wbuf.write_list(self.server.languages) + wbuf.write_bool(self.follows) + wbuf.write_int(self.__unused) + + @property + def payload(self) -> bytes: + wbuf = WriteBuf() + self.write(wbuf) + return wbuf.write_flush() + + @classmethod + def parse(cls, outputbuffer: 'OutputBuffer', payload: bytes) -> 'SSH2_Kex': + buf = ReadBuf(payload) + cookie = buf.read(16) + kex_algs = buf.read_list() + key_algs = buf.read_list() + cli_enc = buf.read_list() + srv_enc = buf.read_list() + cli_mac = buf.read_list() + srv_mac = buf.read_list() + cli_compression = buf.read_list() + srv_compression = buf.read_list() + cli_languages = buf.read_list() + srv_languages = buf.read_list() + follows = buf.read_bool() + unused = buf.read_int() + cli = SSH2_KexParty(cli_enc, cli_mac, cli_compression, cli_languages) + srv = SSH2_KexParty(srv_enc, srv_mac, srv_compression, srv_languages) + kex = cls(outputbuffer, cookie, kex_algs, key_algs, cli, srv, follows, unused) + return kex diff --git a/src/ssh_audit/ssh2_kexdb.py b/src/ssh_audit/ssh2_kexdb.py new file mode 100644 index 0000000..36130da --- /dev/null +++ b/src/ssh_audit/ssh2_kexdb.py @@ -0,0 +1,468 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017-2023 Joe Testa (jtesta@positronsecurity.com) + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +# pylint: disable=unused-import +import copy +import threading + +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + + +class SSH2_KexDB: # pylint: disable=too-few-public-methods + FAIL_1024BIT_MODULUS = 'using small 1024-bit modulus' + FAIL_3DES = 'using broken & deprecated 3DES cipher' + FAIL_BLOWFISH = 'using weak & deprecated Blowfish cipher' + FAIL_CAST = 'using weak & deprecated CAST cipher' + FAIL_DES = 'using broken DES cipher' + FAIL_IDEA = 'using deprecated IDEA cipher' + FAIL_LOGJAM_ATTACK = 'vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)' + FAIL_MD5 = 'using broken MD5 hash algorithm' + FAIL_NSA_BACKDOORED_CURVE = 'using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency' + FAIL_PLAINTEXT = 'no encryption/integrity' + FAIL_RC4 = 'using broken RC4 cipher' + FAIL_RIJNDAEL = 'using deprecated & non-standardized Rijndael cipher' + FAIL_RIPEMD = 'using deprecated RIPEMD hash algorithm' + FAIL_SEED = 'using deprecated SEED cipher' + FAIL_SERPENT = 'using deprecated Serpent cipher' + FAIL_SHA1 = 'using broken SHA-1 hash algorithm' + FAIL_SMALL_ECC_MODULUS = 'using small ECC modulus' + FAIL_UNKNOWN = 'using unknown algorithm' + FAIL_UNPROVEN = 'using unproven algorithm' + FAIL_UNTRUSTED = 'using untrusted algorithm developed in secret by a government entity' + + WARN_2048BIT_MODULUS = '2048-bit modulus only provides 112-bits of symmetric strength' + WARN_BLOCK_SIZE = 'using small 64-bit block size' + WARN_CIPHER_MODE = 'using weak cipher mode' + WARN_ENCRYPT_AND_MAC = 'using encrypt-and-MAC mode' + WARN_EXPERIMENTAL = 'using experimental algorithm' + WARN_RNDSIG_KEY = 'using weak random number generator could reveal the key' + WARN_TAG_SIZE = 'using small 64-bit tag size' + WARN_TAG_SIZE_96 = 'using small 96-bit tag size' + + INFO_DEFAULT_OPENSSH_CIPHER = 'default cipher since OpenSSH 6.9' + INFO_DEFAULT_OPENSSH_KEX = 'default key exchange since OpenSSH 6.4' + INFO_DEPRECATED_IN_OPENSSH88 = 'deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8' + INFO_DISABLED_IN_DBEAR67 = 'disabled in Dropbear SSH 2015.67' + INFO_DISABLED_IN_OPENSSH70 = 'disabled in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0' + INFO_NEVER_IMPLEMENTED_IN_OPENSSH = 'despite the @openssh.com tag, this was never implemented in OpenSSH' + INFO_REMOVED_IN_OPENSSH61 = 'removed since OpenSSH 6.1, removed from specification' + INFO_REMOVED_IN_OPENSSH69 = 'removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9' + INFO_REMOVED_IN_OPENSSH70 = 'removed in OpenSSH 7.0: https://www.openssh.com/txt/release-7.0' + INFO_WITHDRAWN_PQ_ALG = 'the sntrup4591761 algorithm was withdrawn, as it may not provide strong post-quantum security' + INFO_EXTENSION_NEGOTIATION = 'pseudo-algorithm that denotes the peer supports RFC8308 extensions' + INFO_STRICT_KEX = 'pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795)' + + # Maintains a dictionary per calling thread that yields its own copy of MASTER_DB. This prevents results from one thread polluting the results of another thread. + DB_PER_THREAD: Dict[int, Dict[str, Dict[str, List[List[Optional[str]]]]]] = {} + + MASTER_DB: Dict[str, Dict[str, List[List[Optional[str]]]]] = { + # Format: 'algorithm_name': [['version_first_appeared_in'], [reason_for_failure1, reason_for_failure2, ...], [warning1, warning2, ...], [info1, info2, ...]] + 'kex': { + 'Curve25519SHA256': [[]], + 'curve25519-sha256': [['7.4,d2018.76'], [], [], [INFO_DEFAULT_OPENSSH_KEX]], + 'curve25519-sha256@libssh.org': [['6.4,d2013.62,l10.6.0'], [], [], [INFO_DEFAULT_OPENSSH_KEX]], + 'curve448-sha512': [[]], + 'curve448-sha512@libssh.org': [[]], + 'diffie-hellman-group14-sha1': [['3.9,d0.53,l10.6.0'], [FAIL_SHA1], [WARN_2048BIT_MODULUS]], + 'diffie-hellman-group14-sha224@ssh.com': [[]], + 'diffie-hellman-group14-sha256': [['7.3,d2016.73'], [], [WARN_2048BIT_MODULUS]], + 'diffie-hellman-group14-sha256@ssh.com': [[], [], [WARN_2048BIT_MODULUS]], + 'diffie-hellman-group15-sha256': [[]], + 'diffie-hellman-group15-sha256@ssh.com': [[]], + 'diffie-hellman-group15-sha384@ssh.com': [[]], + 'diffie-hellman-group15-sha512': [[]], + 'diffie-hellman-group16-sha256': [[]], + 'diffie-hellman-group16-sha384@ssh.com': [[]], + 'diffie-hellman-group16-sha512': [['7.3,d2016.73']], + 'diffie-hellman-group16-sha512@ssh.com': [[]], + 'diffie-hellman-group17-sha512': [[]], + 'diffie-hellman_group17-sha512': [[]], + 'diffie-hellman-group18-sha512': [['7.3']], + 'diffie-hellman-group18-sha512@ssh.com': [[]], + 'diffie-hellman-group1-sha1': [['2.3.0,d0.28,l10.2', '6.6', '6.9'], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1], [], [INFO_REMOVED_IN_OPENSSH69]], + 'diffie-hellman-group1-sha256': [[], [FAIL_1024BIT_MODULUS]], + 'diffie-hellman-group-exchange-sha1': [['2.3.0', '6.6', None], [FAIL_SHA1]], + 'diffie-hellman-group-exchange-sha224@ssh.com': [[]], + 'diffie-hellman-group-exchange-sha256': [['4.4']], + 'diffie-hellman-group-exchange-sha256@ssh.com': [[]], + 'diffie-hellman-group-exchange-sha384@ssh.com': [[]], + 'diffie-hellman-group-exchange-sha512@ssh.com': [[]], + 'ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org': [[], [FAIL_NSA_BACKDOORED_CURVE]], + 'ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org': [[], [FAIL_NSA_BACKDOORED_CURVE]], + 'ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org': [[], [FAIL_NSA_BACKDOORED_CURVE]], + 'ecdh-sha2-1.2.840.10045.3.1.1': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE]], # NIST P-192 / secp192r1 + 'ecdh-sha2-1.2.840.10045.3.1.7': [[], [FAIL_NSA_BACKDOORED_CURVE]], # NIST P-256 / secp256r1 + 'ecdh-sha2-1.3.132.0.10': [[]], # ECDH over secp256k1 (i.e.: the Bitcoin curve) + 'ecdh-sha2-1.3.132.0.16': [[], [FAIL_UNPROVEN]], # sect283k1 + 'ecdh-sha2-1.3.132.0.1': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], # sect163k1 + 'ecdh-sha2-1.3.132.0.26': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], # sect233k1 + 'ecdh-sha2-1.3.132.0.27': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE]], # sect233r1 + 'ecdh-sha2-1.3.132.0.33': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE]], # NIST P-224 / secp224r1 + 'ecdh-sha2-1.3.132.0.34': [[], [FAIL_NSA_BACKDOORED_CURVE]], # NIST P-384 / secp384r1 + 'ecdh-sha2-1.3.132.0.35': [[], [FAIL_NSA_BACKDOORED_CURVE]], # NIST P-521 / secp521r1 + 'ecdh-sha2-1.3.132.0.36': [[], [FAIL_UNPROVEN]], # sect409k1 + 'ecdh-sha2-1.3.132.0.37': [[], [FAIL_NSA_BACKDOORED_CURVE]], # sect409r1 + 'ecdh-sha2-1.3.132.0.38': [[], [FAIL_UNPROVEN]], # sect571k1 + + # Note: the base64 strings, according to draft 6 of RFC5656, is Base64(MD5(DER(OID))). The final RFC5656 dropped the base64 strings in favor of plain OID concatenation, but apparently some SSH servers implement them anyway. See: https://datatracker.ietf.org/doc/html/draft-green-secsh-ecc-06#section-9.2 + 'ecdh-sha2-4MHB+NBt3AlaSRQ7MnB4cg==': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], # sect163k1 + 'ecdh-sha2-5pPrSUQtIaTjUSt5VZNBjg==': [[], [FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE]], # NIST P-192 / secp192r1 + 'ecdh-sha2-9UzNcgwTlEnSCECZa7V1mw==': [[], [FAIL_NSA_BACKDOORED_CURVE]], # NIST P-256 / secp256r1 + 'ecdh-sha2-brainpoolp256r1@genua.de': [[], [FAIL_UNPROVEN]], + 'ecdh-sha2-brainpoolp384r1@genua.de': [[], [FAIL_UNPROVEN]], + 'ecdh-sha2-brainpoolp521r1@genua.de': [[], [FAIL_UNPROVEN]], + 'ecdh-sha2-curve25519': [[], []], + 'ecdh-sha2-D3FefCjYoJ/kfXgAyLddYA==': [[], [FAIL_NSA_BACKDOORED_CURVE]], # sect409r1 + 'ecdh-sha2-h/SsxnLCtRBh7I9ATyeB3A==': [[], [FAIL_NSA_BACKDOORED_CURVE]], # NIST P-521 / secp521r1 + 'ecdh-sha2-m/FtSAmrV4j/Wy6RVUaK7A==': [[], [FAIL_UNPROVEN]], # sect409k1 + 'ecdh-sha2-mNVwCXAoS1HGmHpLvBC94w==': [[], [FAIL_UNPROVEN]], # sect571k1 + 'ecdh-sha2-nistb233': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], + 'ecdh-sha2-nistb409': [[], [FAIL_UNPROVEN]], + 'ecdh-sha2-nistk163': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], + 'ecdh-sha2-nistk233': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], + 'ecdh-sha2-nistk283': [[], [FAIL_UNPROVEN]], + 'ecdh-sha2-nistk409': [[], [FAIL_UNPROVEN]], + 'ecdh-sha2-nistp192': [[], [FAIL_NSA_BACKDOORED_CURVE]], + 'ecdh-sha2-nistp224': [[], [FAIL_NSA_BACKDOORED_CURVE]], + 'ecdh-sha2-nistp256': [['5.7,d2013.62,l10.6.0'], [FAIL_NSA_BACKDOORED_CURVE]], + 'ecdh-sha2-nistp384': [['5.7,d2013.62'], [FAIL_NSA_BACKDOORED_CURVE]], + 'ecdh-sha2-nistp521': [['5.7,d2013.62'], [FAIL_NSA_BACKDOORED_CURVE]], + 'ecdh-sha2-nistt571': [[], [FAIL_UNPROVEN]], + 'ecdh-sha2-qCbG5Cn/jjsZ7nBeR7EnOA==': [[FAIL_SMALL_ECC_MODULUS, FAIL_NSA_BACKDOORED_CURVE]], # sect233r1 + 'ecdh-sha2-qcFQaMAMGhTziMT0z+Tuzw==': [[], [FAIL_NSA_BACKDOORED_CURVE]], # NIST P-384 / secp384r1 + 'ecdh-sha2-VqBg4QRPjxx1EXZdV0GdWQ==': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_SMALL_ECC_MODULUS]], # NIST P-224 / secp224r1 + 'ecdh-sha2-wiRIU8TKjMZ418sMqlqtvQ==': [[], [FAIL_UNPROVEN]], # sect283k1 + 'ecdh-sha2-zD/b3hu/71952ArpUG4OjQ==': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS]], # sect233k1 + 'ecmqv-sha2': [[], [FAIL_UNPROVEN]], + 'ext-info-c': [[], [], [], [INFO_EXTENSION_NEGOTIATION]], # Extension negotiation (RFC 8308) + 'ext-info-s': [[], [], [], [INFO_EXTENSION_NEGOTIATION]], # Extension negotiation (RFC 8308) + 'kex-strict-c-v00@openssh.com': [[], [], [], [INFO_STRICT_KEX]], # Strict KEX marker (countermeasure for CVE-2023-48795). + 'kex-strict-s-v00@openssh.com': [[], [], [], [INFO_STRICT_KEX]], # Strict KEX marker (countermeasure for CVE-2023-48795). + + # The GSS kex algorithms get special wildcard handling, since they include variable base64 data after their standard prefixes. + 'gss-13.3.132.0.10-sha256-*': [[], [FAIL_UNKNOWN]], + 'gss-curve25519-sha256-*': [[]], + 'gss-curve448-sha512-*': [[]], + 'gss-gex-sha1-*': [[], [FAIL_SHA1]], + 'gss-gex-sha256-*': [[]], + 'gss-group14-sha1-*': [[], [FAIL_SHA1], [WARN_2048BIT_MODULUS]], + 'gss-group14-sha256-*': [[], [], [WARN_2048BIT_MODULUS]], + 'gss-group15-sha512-*': [[]], + 'gss-group16-sha512-*': [[]], + 'gss-group17-sha512-*': [[]], + 'gss-group18-sha512-*': [[]], + 'gss-group1-sha1-*': [[], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1]], + 'gss-nistp256-sha256-*': [[], [FAIL_NSA_BACKDOORED_CURVE]], + 'gss-nistp384-sha256-*': [[], [FAIL_NSA_BACKDOORED_CURVE]], + 'gss-nistp521-sha512-*': [[], [FAIL_NSA_BACKDOORED_CURVE]], + 'kexAlgoCurve25519SHA256': [[]], + 'kexAlgoDH14SHA1': [[], [FAIL_SHA1], [WARN_2048BIT_MODULUS]], + 'kexAlgoDH1SHA1': [[], [FAIL_1024BIT_MODULUS, FAIL_LOGJAM_ATTACK, FAIL_SHA1]], + 'kexAlgoECDH256': [[], [FAIL_NSA_BACKDOORED_CURVE]], + 'kexAlgoECDH384': [[], [FAIL_NSA_BACKDOORED_CURVE]], + 'kexAlgoECDH521': [[], [FAIL_NSA_BACKDOORED_CURVE]], + 'kexguess2@matt.ucc.asn.au': [['d2013.57']], + 'm383-sha384@libassh.org': [[], [FAIL_UNPROVEN]], + 'm511-sha512@libassh.org': [[], [FAIL_UNPROVEN]], + 'rsa1024-sha1': [[], [FAIL_1024BIT_MODULUS, FAIL_SHA1]], + 'rsa2048-sha256': [[], [], [WARN_2048BIT_MODULUS]], + 'sm2kep-sha2-nistp256': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_UNTRUSTED]], + 'sntrup4591761x25519-sha512@tinyssh.org': [['8.0', '8.4'], [], [WARN_EXPERIMENTAL], [INFO_WITHDRAWN_PQ_ALG]], + 'sntrup761x25519-sha512@openssh.com': [['8.5'], [], []], + 'x25519-kyber-512r3-sha256-d00@amazon.com': [[]], + 'x25519-kyber512-sha512@aws.amazon.com': [[]], + }, + 'key': { + 'dsa2048-sha224@libassh.org': [[], [FAIL_UNPROVEN], [WARN_2048BIT_MODULUS]], + 'dsa2048-sha256@libassh.org': [[], [FAIL_UNPROVEN], [WARN_2048BIT_MODULUS]], + 'dsa3072-sha256@libassh.org': [[], [FAIL_UNPROVEN]], + 'ecdsa-sha2-1.3.132.0.10-cert-v01@openssh.com': [[], [FAIL_UNKNOWN]], + 'ecdsa-sha2-1.3.132.0.10': [[], [], [WARN_RNDSIG_KEY]], # ECDSA over secp256k1 (i.e.: the Bitcoin curve) + 'ecdsa-sha2-curve25519': [[], [], [WARN_RNDSIG_KEY]], # ECDSA with Curve25519? Bizarre... + 'ecdsa-sha2-nistb233': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_RNDSIG_KEY]], + 'ecdsa-sha2-nistb409': [[], [FAIL_UNPROVEN], [WARN_RNDSIG_KEY]], + 'ecdsa-sha2-nistk163': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_RNDSIG_KEY]], + 'ecdsa-sha2-nistk233': [[], [FAIL_UNPROVEN, FAIL_SMALL_ECC_MODULUS], [WARN_RNDSIG_KEY]], + 'ecdsa-sha2-nistk283': [[], [FAIL_UNPROVEN], [WARN_RNDSIG_KEY]], + 'ecdsa-sha2-nistk409': [[], [FAIL_UNPROVEN], [WARN_RNDSIG_KEY]], + 'ecdsa-sha2-nistp224': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_SMALL_ECC_MODULUS], [WARN_RNDSIG_KEY]], + 'ecdsa-sha2-nistp192': [[], [FAIL_NSA_BACKDOORED_CURVE, FAIL_SMALL_ECC_MODULUS], [WARN_RNDSIG_KEY]], + 'ecdsa-sha2-nistp256': [['5.7,d2013.62,l10.6.4'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_RNDSIG_KEY]], + 'ecdsa-sha2-nistp256-cert-v01@openssh.com': [['5.7'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_RNDSIG_KEY]], + 'ecdsa-sha2-nistp384': [['5.7,d2013.62,l10.6.4'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_RNDSIG_KEY]], + 'ecdsa-sha2-nistp384-cert-v01@openssh.com': [['5.7'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_RNDSIG_KEY]], + 'ecdsa-sha2-nistp521': [['5.7,d2013.62,l10.6.4'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_RNDSIG_KEY]], + 'ecdsa-sha2-nistp521-cert-v01@openssh.com': [['5.7'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_RNDSIG_KEY]], + 'ecdsa-sha2-nistt571': [[], [FAIL_UNPROVEN], [WARN_RNDSIG_KEY]], + 'eddsa-e382-shake256@libassh.org': [[], [FAIL_UNPROVEN]], + 'eddsa-e521-shake256@libassh.org': [[], [FAIL_UNPROVEN]], + 'null': [[], [FAIL_PLAINTEXT]], + 'pgp-sign-dss': [[], [FAIL_1024BIT_MODULUS]], + 'pgp-sign-rsa': [[], [FAIL_1024BIT_MODULUS]], + 'rsa-sha2-256': [['7.2']], + 'rsa-sha2-256-cert-v01@openssh.com': [['7.8']], + 'rsa-sha2-512': [['7.2']], + 'rsa-sha2-512-cert-v01@openssh.com': [['7.8']], + 'sk-ecdsa-sha2-nistp256-cert-v01@openssh.com': [['8.2'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_RNDSIG_KEY]], + 'sk-ecdsa-sha2-nistp256@openssh.com': [['8.2'], [FAIL_NSA_BACKDOORED_CURVE], [WARN_RNDSIG_KEY]], + 'sk-ssh-ed25519-cert-v01@openssh.com': [['8.2']], + 'sk-ssh-ed25519@openssh.com': [['8.2']], + 'spi-sign-rsa': [[]], + 'spki-sign-dss': [[], [FAIL_1024BIT_MODULUS]], + 'spki-sign-rsa': [[], [FAIL_1024BIT_MODULUS]], + 'ssh-dsa': [[], [FAIL_1024BIT_MODULUS], [WARN_RNDSIG_KEY]], + 'ssh-dss': [['2.1.0,d0.28,l10.2', '6.9'], [FAIL_1024BIT_MODULUS], [WARN_RNDSIG_KEY], [INFO_DISABLED_IN_OPENSSH70]], + 'ssh-dss-cert-v00@openssh.com': [['5.4', '6.9'], [FAIL_1024BIT_MODULUS], [WARN_RNDSIG_KEY], [INFO_DISABLED_IN_OPENSSH70]], + 'ssh-dss-cert-v01@openssh.com': [['5.6', '6.9'], [FAIL_1024BIT_MODULUS], [WARN_RNDSIG_KEY]], + 'ssh-dss-sha224@ssh.com': [[], [FAIL_1024BIT_MODULUS]], + 'ssh-dss-sha256@ssh.com': [[], [FAIL_1024BIT_MODULUS]], + 'ssh-dss-sha384@ssh.com': [[], [FAIL_1024BIT_MODULUS]], + 'ssh-dss-sha512@ssh.com': [[], [FAIL_1024BIT_MODULUS]], + 'ssh-ed25519': [['6.5,l10.7.0']], + 'ssh-ed25519-cert-v01@openssh.com': [['6.5']], + 'ssh-ed448': [[]], + 'ssh-ed448-cert-v01@openssh.com': [[], [], [], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH]], + 'ssh-gost2001': [[], [FAIL_UNTRUSTED]], + 'ssh-gost2012-256': [[], [FAIL_UNTRUSTED]], + 'ssh-gost2012-512': [[], [FAIL_UNTRUSTED]], + 'ssh-rsa1': [[], [FAIL_SHA1]], + 'ssh-rsa': [['2.5.0,d0.28,l10.2'], [FAIL_SHA1], [], [INFO_DEPRECATED_IN_OPENSSH88]], + 'ssh-rsa-cert-v00@openssh.com': [['5.4', '6.9'], [FAIL_SHA1], [], [INFO_REMOVED_IN_OPENSSH70]], + 'ssh-rsa-cert-v01@openssh.com': [['5.6'], [FAIL_SHA1], [], [INFO_DEPRECATED_IN_OPENSSH88]], + 'ssh-rsa-sha224@ssh.com': [[]], + 'ssh-rsa-sha2-256': [[]], + 'ssh-rsa-sha2-512': [[]], + 'ssh-rsa-sha256@ssh.com': [[]], + 'ssh-rsa-sha384@ssh.com': [[]], + 'ssh-rsa-sha512@ssh.com': [[]], + 'ssh-xmss-cert-v01@openssh.com': [['7.7'], [WARN_EXPERIMENTAL]], + 'ssh-xmss@openssh.com': [['7.7'], [WARN_EXPERIMENTAL]], + 'webauthn-sk-ecdsa-sha2-nistp256@openssh.com': [['8.3'], [FAIL_NSA_BACKDOORED_CURVE]], + 'x509v3-ecdsa-sha2-1.3.132.0.10': [[], [FAIL_UNKNOWN]], + 'x509v3-ecdsa-sha2-nistp256': [[], [FAIL_NSA_BACKDOORED_CURVE]], + 'x509v3-ecdsa-sha2-nistp384': [[], [FAIL_NSA_BACKDOORED_CURVE]], + 'x509v3-ecdsa-sha2-nistp521': [[], [FAIL_NSA_BACKDOORED_CURVE]], + 'x509v3-rsa2048-sha256': [[]], + 'x509v3-sign-dss': [[], [FAIL_1024BIT_MODULUS], [WARN_RNDSIG_KEY]], + 'x509v3-sign-dss-sha1': [[], [FAIL_1024BIT_MODULUS, FAIL_SHA1]], + 'x509v3-sign-dss-sha224@ssh.com': [[], [FAIL_1024BIT_MODULUS]], + 'x509v3-sign-dss-sha256@ssh.com': [[], [FAIL_1024BIT_MODULUS]], + 'x509v3-sign-dss-sha384@ssh.com': [[], [FAIL_1024BIT_MODULUS]], + 'x509v3-sign-dss-sha512@ssh.com': [[], [FAIL_1024BIT_MODULUS]], + 'x509v3-sign-rsa': [[], [FAIL_SHA1]], + 'x509v3-sign-rsa-sha1': [[], [FAIL_SHA1]], + 'x509v3-sign-rsa-sha224@ssh.com': [[]], + 'x509v3-sign-rsa-sha256': [[]], + 'x509v3-sign-rsa-sha256@ssh.com': [[]], + 'x509v3-sign-rsa-sha384@ssh.com': [[]], + 'x509v3-sign-rsa-sha512@ssh.com': [[]], + 'x509v3-ssh-dss': [[], [FAIL_1024BIT_MODULUS], [WARN_RNDSIG_KEY]], + 'x509v3-ssh-rsa': [[], [FAIL_SHA1], [], [INFO_DEPRECATED_IN_OPENSSH88]], + }, + 'enc': { + '3des-cbc': [['1.2.2,d0.28,l10.2', '6.6', None], [FAIL_3DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], + '3des-cfb': [[], [FAIL_3DES], [WARN_CIPHER_MODE]], + '3des-ctr': [['d0.52'], [FAIL_3DES]], + '3des-ecb': [[], [FAIL_3DES], [WARN_CIPHER_MODE]], + '3des': [[], [FAIL_3DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], + '3des-ofb': [[], [FAIL_3DES], [WARN_CIPHER_MODE]], + 'AEAD_AES_128_GCM': [[]], + 'AEAD_AES_256_GCM': [[]], + 'aes128-cbc': [['2.3.0,d0.28,l10.2', '6.6', None], [], [WARN_CIPHER_MODE]], + 'aes128-ctr': [['3.7,d0.52,l10.4.1']], + 'aes128-gcm': [[]], + 'aes128-gcm@openssh.com': [['6.2']], + 'aes192-cbc': [['2.3.0,l10.2', '6.6', None], [], [WARN_CIPHER_MODE]], + 'aes192-ctr': [['3.7,l10.4.1']], + 'aes192-gcm@openssh.com': [[], [], [], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH]], + 'aes256-cbc': [['2.3.0,d0.47,l10.2', '6.6', None], [], [WARN_CIPHER_MODE]], + 'aes256-ctr': [['3.7,d0.52,l10.4.1']], + 'aes256-gcm': [[]], + 'aes256-gcm@openssh.com': [['6.2']], + 'arcfour128': [['4.2', '6.6', '7.1'], [FAIL_RC4]], + 'arcfour': [['2.1.0', '6.6', '7.1'], [FAIL_RC4]], + 'arcfour256': [['4.2', '6.6', '7.1'], [FAIL_RC4]], + 'blowfish-cbc': [['1.2.2,d0.28,l10.2', '6.6,d0.52', '7.1,d0.52'], [FAIL_BLOWFISH], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], + 'blowfish-cfb': [[], [FAIL_BLOWFISH], [WARN_CIPHER_MODE]], + 'blowfish-ctr': [[], [FAIL_BLOWFISH], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], + 'blowfish-ecb': [[], [FAIL_BLOWFISH], [WARN_CIPHER_MODE]], + 'blowfish': [[], [FAIL_BLOWFISH], [WARN_BLOCK_SIZE]], + 'blowfish-ofb': [[], [FAIL_BLOWFISH], [WARN_CIPHER_MODE]], + 'camellia128-cbc@openssh.org': [[], [], [WARN_CIPHER_MODE]], + 'camellia128-cbc': [[], [], [WARN_CIPHER_MODE]], + 'camellia128-ctr': [[]], + 'camellia128-ctr@openssh.org': [[]], + 'camellia192-cbc@openssh.org': [[], [], [WARN_CIPHER_MODE]], + 'camellia192-cbc': [[], [], [WARN_CIPHER_MODE]], + 'camellia192-ctr': [[]], + 'camellia192-ctr@openssh.org': [[]], + 'camellia256-cbc@openssh.org': [[], [], [WARN_CIPHER_MODE]], + 'camellia256-cbc': [[], [], [WARN_CIPHER_MODE]], + 'camellia256-ctr': [[]], + 'camellia256-ctr@openssh.org': [[]], + 'cast128-12-cbc@ssh.com': [[], [FAIL_CAST], [WARN_CIPHER_MODE]], + 'cast128-cbc': [['2.1.0', '6.6', '7.1'], [FAIL_CAST], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], + 'cast128-12-cbc': [[], [FAIL_CAST], [WARN_CIPHER_MODE]], + 'cast128-12-cfb': [[], [FAIL_CAST], [WARN_CIPHER_MODE]], + 'cast128-12-ecb': [[], [FAIL_CAST], [WARN_CIPHER_MODE]], + 'cast128-12-ofb': [[], [FAIL_CAST], [WARN_CIPHER_MODE]], + 'cast128-cfb': [[], [FAIL_CAST], [WARN_CIPHER_MODE]], + 'cast128-ctr': [[], [FAIL_CAST]], + 'cast128-ecb': [[], [FAIL_CAST], [WARN_CIPHER_MODE]], + 'cast128-ofb': [[], [FAIL_CAST], [WARN_CIPHER_MODE]], + 'chacha20-poly1305': [[], [], [], [INFO_DEFAULT_OPENSSH_CIPHER]], + 'chacha20-poly1305@openssh.com': [['6.5'], [], [], [INFO_DEFAULT_OPENSSH_CIPHER]], + 'crypticore128@ssh.com': [[], [FAIL_UNPROVEN]], + 'des-cbc': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], + 'des-cfb': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], + 'des-ecb': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], + 'des-ofb': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], + 'des-cbc-ssh1': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], + 'des-cbc@ssh.com': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], + 'des': [[], [FAIL_DES], [WARN_CIPHER_MODE, WARN_BLOCK_SIZE]], + 'idea-cbc': [[], [FAIL_IDEA], [WARN_CIPHER_MODE]], + 'idea-cfb': [[], [FAIL_IDEA], [WARN_CIPHER_MODE]], + 'idea-ctr': [[], [FAIL_IDEA]], + 'idea-ecb': [[], [FAIL_IDEA], [WARN_CIPHER_MODE]], + 'idea-ofb': [[], [FAIL_IDEA], [WARN_CIPHER_MODE]], + 'none': [['1.2.2,d2013.56,l10.2'], [FAIL_PLAINTEXT]], + 'rijndael128-cbc': [['2.3.0', '7.0'], [FAIL_RIJNDAEL], [WARN_CIPHER_MODE], [INFO_DISABLED_IN_OPENSSH70]], + 'rijndael192-cbc': [['2.3.0', '7.0'], [FAIL_RIJNDAEL], [WARN_CIPHER_MODE], [INFO_DISABLED_IN_OPENSSH70]], + 'rijndael256-cbc': [['2.3.0', '7.0'], [FAIL_RIJNDAEL], [WARN_CIPHER_MODE], [INFO_DISABLED_IN_OPENSSH70]], + 'rijndael-cbc@lysator.liu.se': [['2.3.0', '6.6', '7.0'], [FAIL_RIJNDAEL], [WARN_CIPHER_MODE], [INFO_DISABLED_IN_OPENSSH70]], + 'rijndael-cbc@ssh.com': [[], [FAIL_RIJNDAEL], [WARN_CIPHER_MODE]], + 'seed-cbc@ssh.com': [[], [FAIL_SEED], [WARN_CIPHER_MODE]], + 'seed-ctr@ssh.com': [[], [FAIL_SEED]], + 'serpent128-cbc': [[], [FAIL_SERPENT], [WARN_CIPHER_MODE]], + 'serpent128-ctr': [[], [FAIL_SERPENT]], + 'serpent128-gcm@libassh.org': [[], [FAIL_SERPENT]], + 'serpent192-cbc': [[], [FAIL_SERPENT], [WARN_CIPHER_MODE]], + 'serpent192-ctr': [[], [FAIL_SERPENT]], + 'serpent256-cbc': [[], [FAIL_SERPENT], [WARN_CIPHER_MODE]], + 'serpent256-ctr': [[], [FAIL_SERPENT]], + 'serpent256-gcm@libassh.org': [[], [FAIL_SERPENT]], + 'twofish128-cbc': [['d0.47', 'd2014.66'], [], [WARN_CIPHER_MODE], [INFO_DISABLED_IN_DBEAR67]], + 'twofish128-ctr': [['d2015.68']], + 'twofish128-gcm@libassh.org': [[]], + 'twofish192-cbc': [[], [], [WARN_CIPHER_MODE]], + 'twofish192-ctr': [[]], + 'twofish256-cbc': [['d0.47', 'd2014.66'], [], [WARN_CIPHER_MODE], [INFO_DISABLED_IN_DBEAR67]], + 'twofish256-ctr': [['d2015.68']], + 'twofish256-gcm@libassh.org': [[]], + 'twofish-cbc': [['d0.28', 'd2014.66'], [], [WARN_CIPHER_MODE], [INFO_DISABLED_IN_DBEAR67]], + 'twofish-cfb': [[], [], [WARN_CIPHER_MODE]], + 'twofish-ctr': [[]], + 'twofish-ecb': [[], [], [WARN_CIPHER_MODE]], + 'twofish-ofb': [[], [], [WARN_CIPHER_MODE]], + }, + 'mac': { + 'AEAD_AES_128_GCM': [[]], + 'AEAD_AES_256_GCM': [[]], + 'aes128-gcm': [[]], + 'aes256-gcm': [[]], + 'cbcmac-3des': [[], [FAIL_UNPROVEN, FAIL_3DES]], + 'cbcmac-aes': [[], [FAIL_UNPROVEN]], + 'cbcmac-blowfish': [[], [FAIL_UNPROVEN, FAIL_BLOWFISH]], + 'cbcmac-des': [[], [FAIL_UNPROVEN, FAIL_DES]], + 'cbcmac-rijndael': [[], [FAIL_UNPROVEN, FAIL_RIJNDAEL]], + 'cbcmac-twofish': [[], [FAIL_UNPROVEN]], + 'chacha20-poly1305@openssh.com': [[], [], [], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH]], # Despite the @openssh.com tag, this was never shipped as a MAC in OpenSSH (only as a cipher); it is only implemented as a MAC in Syncplify. + 'crypticore-mac@ssh.com': [[], [FAIL_UNPROVEN]], + 'hmac-md5': [['2.1.0,d0.28', '6.6', '7.1'], [FAIL_MD5], [WARN_ENCRYPT_AND_MAC]], + 'hmac-md5-96': [['2.5.0', '6.6', '7.1'], [FAIL_MD5], [WARN_ENCRYPT_AND_MAC]], + 'hmac-md5-96-etm@openssh.com': [['6.2', '6.6', '7.1'], [FAIL_MD5]], + 'hmac-md5-etm@openssh.com': [['6.2', '6.6', '7.1'], [FAIL_MD5]], + 'hmac-ripemd160': [['2.5.0', '6.6', '7.1'], [FAIL_RIPEMD], [WARN_ENCRYPT_AND_MAC]], + 'hmac-ripemd160-96': [[], [FAIL_RIPEMD], [WARN_ENCRYPT_AND_MAC, WARN_TAG_SIZE]], + 'hmac-ripemd160-etm@openssh.com': [['6.2', '6.6', '7.1'], [FAIL_RIPEMD]], + 'hmac-ripemd160@openssh.com': [['2.1.0', '6.6', '7.1'], [FAIL_RIPEMD], [WARN_ENCRYPT_AND_MAC]], + 'hmac-ripemd': [[], [FAIL_RIPEMD], [WARN_ENCRYPT_AND_MAC]], + 'hmac-sha1': [['2.1.0,d0.28,l10.2'], [FAIL_SHA1], [WARN_ENCRYPT_AND_MAC]], + 'hmac-sha1-96': [['2.5.0,d0.47', '6.6', '7.1'], [FAIL_SHA1], [WARN_ENCRYPT_AND_MAC]], + 'hmac-sha1-96-etm@openssh.com': [['6.2', '6.6', None], [FAIL_SHA1]], + 'hmac-sha1-96@openssh.com': [[], [FAIL_SHA1], [WARN_TAG_SIZE, WARN_ENCRYPT_AND_MAC], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH]], + 'hmac-sha1-etm@openssh.com': [['6.2'], [FAIL_SHA1]], + 'hmac-sha2-224': [[], [], [WARN_TAG_SIZE, WARN_ENCRYPT_AND_MAC]], + 'hmac-sha224@ssh.com': [[], [], [WARN_ENCRYPT_AND_MAC]], + 'hmac-sha2-256': [['5.9,d2013.56,l10.7.0'], [], [WARN_ENCRYPT_AND_MAC]], + 'hmac-sha2-256-96': [['5.9', '6.0'], [], [WARN_ENCRYPT_AND_MAC], [INFO_REMOVED_IN_OPENSSH61]], + 'hmac-sha2-256-96-etm@openssh.com': [[], [], [WARN_TAG_SIZE_96], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH]], # Only ever implemented in AsyncSSH (?). + 'hmac-sha2-256-etm@openssh.com': [['6.2']], + 'hmac-sha2-384': [[], [], [WARN_ENCRYPT_AND_MAC]], + 'hmac-sha2-512': [['5.9,d2013.56,l10.7.0'], [], [WARN_ENCRYPT_AND_MAC]], + 'hmac-sha2-512-96': [['5.9', '6.0'], [], [WARN_ENCRYPT_AND_MAC], [INFO_REMOVED_IN_OPENSSH61]], + 'hmac-sha2-512-96-etm@openssh.com': [[], [], [WARN_TAG_SIZE_96], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH]], # Only ever implemented in AsyncSSH (?). + 'hmac-sha2-512-etm@openssh.com': [['6.2']], + 'hmac-sha256-2@ssh.com': [[], [], [WARN_ENCRYPT_AND_MAC]], + 'hmac-sha256-96@ssh.com': [[], [], [WARN_ENCRYPT_AND_MAC, WARN_TAG_SIZE]], + 'hmac-sha256-96': [[], [], [WARN_ENCRYPT_AND_MAC, WARN_TAG_SIZE]], + 'hmac-sha256@ssh.com': [[], [], [WARN_ENCRYPT_AND_MAC]], + 'hmac-sha256': [[], [], [WARN_ENCRYPT_AND_MAC]], + 'hmac-sha2-56': [[], [], [WARN_TAG_SIZE, WARN_ENCRYPT_AND_MAC]], + 'hmac-sha3-224': [[], [], [WARN_ENCRYPT_AND_MAC]], + 'hmac-sha3-256': [[], [], [WARN_ENCRYPT_AND_MAC]], + 'hmac-sha3-384': [[], [], [WARN_ENCRYPT_AND_MAC]], + 'hmac-sha3-512': [[], [], [WARN_ENCRYPT_AND_MAC]], + 'hmac-sha384@ssh.com': [[], [], [WARN_ENCRYPT_AND_MAC]], + 'hmac-sha512@ssh.com': [[], [], [WARN_ENCRYPT_AND_MAC]], + 'hmac-sha512': [[], [], [WARN_ENCRYPT_AND_MAC]], + 'hmac-whirlpool': [[], [], [WARN_ENCRYPT_AND_MAC]], + 'md5': [[], [FAIL_PLAINTEXT]], + 'md5-8': [[], [FAIL_PLAINTEXT]], + 'none': [['d2013.56'], [FAIL_PLAINTEXT]], + 'ripemd160': [[], [FAIL_PLAINTEXT]], + 'ripemd160-8': [[], [FAIL_PLAINTEXT]], + 'sha1': [[], [FAIL_PLAINTEXT]], + 'sha1-8': [[], [FAIL_PLAINTEXT]], + 'umac-128': [[], [], [WARN_ENCRYPT_AND_MAC]], + 'umac-128-etm@openssh.com': [['6.2']], + 'umac-128@openssh.com': [['6.2'], [], [WARN_ENCRYPT_AND_MAC]], + 'umac-32@openssh.com': [[], [], [WARN_ENCRYPT_AND_MAC, WARN_TAG_SIZE], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH]], + 'umac-64-etm@openssh.com': [['6.2'], [], [WARN_TAG_SIZE]], + 'umac-64@openssh.com': [['4.7'], [], [WARN_ENCRYPT_AND_MAC, WARN_TAG_SIZE]], + 'umac-96@openssh.com': [[], [], [WARN_ENCRYPT_AND_MAC], [INFO_NEVER_IMPLEMENTED_IN_OPENSSH]], + } + } + + + @staticmethod + def get_db() -> Dict[str, Dict[str, List[List[Optional[str]]]]]: + '''Returns a copy of the MASTER_DB that is private to the calling thread. This prevents multiple threads from polluting the results of other threads.''' + calling_thread_id = threading.get_ident() + + if calling_thread_id not in SSH2_KexDB.DB_PER_THREAD: + SSH2_KexDB.DB_PER_THREAD[calling_thread_id] = copy.deepcopy(SSH2_KexDB.MASTER_DB) + + return SSH2_KexDB.DB_PER_THREAD[calling_thread_id] + + + @staticmethod + def thread_exit() -> None: + '''Deletes the calling thread's copy of the MASTER_DB. This is needed because, in rare circumstances, a terminated thread's ID can be re-used by new threads.''' + + calling_thread_id = threading.get_ident() + + if calling_thread_id in SSH2_KexDB.DB_PER_THREAD: + del SSH2_KexDB.DB_PER_THREAD[calling_thread_id] diff --git a/src/ssh_audit/ssh2_kexparty.py b/src/ssh_audit/ssh2_kexparty.py new file mode 100644 index 0000000..52b5ac5 --- /dev/null +++ b/src/ssh_audit/ssh2_kexparty.py @@ -0,0 +1,50 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + + +class SSH2_KexParty: + def __init__(self, enc: List[str], mac: List[str], compression: List[str], languages: List[str]) -> None: + self.__enc = enc + self.__mac = mac + self.__compression = compression + self.__languages = languages + + @property + def encryption(self) -> List[str]: + return self.__enc + + @property + def mac(self) -> List[str]: + return self.__mac + + @property + def compression(self) -> List[str]: + return self.__compression + + @property + def languages(self) -> List[str]: + return self.__languages diff --git a/src/ssh_audit/ssh_audit.py b/src/ssh_audit/ssh_audit.py new file mode 100755 index 0000000..481fc8e --- /dev/null +++ b/src/ssh_audit/ssh_audit.py @@ -0,0 +1,1595 @@ +#!/usr/bin/env python3 +""" + The MIT License (MIT) + + Copyright (C) 2017-2023 Joe Testa (jtesta@positronsecurity.com) + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +import concurrent.futures +import copy +import getopt +import json +import os +import re +import sys +import traceback + +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import cast, Callable, Optional, Union, Any # noqa: F401 + +from ssh_audit.globals import SNAP_PACKAGE +from ssh_audit.globals import SNAP_PERMISSIONS_ERROR +from ssh_audit.globals import VERSION +from ssh_audit.globals import WINDOWS_MAN_PAGE +from ssh_audit.algorithm import Algorithm +from ssh_audit.algorithms import Algorithms +from ssh_audit.auditconf import AuditConf +from ssh_audit.banner import Banner +from ssh_audit import exitcodes +from ssh_audit.fingerprint import Fingerprint +from ssh_audit.gextest import GEXTest +from ssh_audit.hostkeytest import HostKeyTest +from ssh_audit.outputbuffer import OutputBuffer +from ssh_audit.policy import Policy +from ssh_audit.product import Product +from ssh_audit.protocol import Protocol +from ssh_audit.software import Software +from ssh_audit.ssh1_kexdb import SSH1_KexDB +from ssh_audit.ssh1_publickeymessage import SSH1_PublicKeyMessage +from ssh_audit.ssh2_kex import SSH2_Kex +from ssh_audit.ssh2_kexdb import SSH2_KexDB +from ssh_audit.ssh_socket import SSH_Socket +from ssh_audit.utils import Utils +from ssh_audit.versionvulnerabilitydb import VersionVulnerabilityDB + + +# no_idna_workaround = False + +# Only import colorama under Windows. Other OSes can natively handle terminal colors. +if sys.platform == 'win32': + try: + from colorama import just_fix_windows_console + just_fix_windows_console() + except ImportError: + pass + + # This is a workaround for a Python bug that causes a crash on Windows when multiple threads are used (see https://github.com/python/cpython/issues/73474). Importing the idna module and using it in a no-op seems to fix the issue. Otherwise, if idna isn't available at run-time, force single threaded scans. + # try: + # import idna # noqa: F401 + # + # ''.encode('idna') + # except ImportError: + # no_idna_workaround = True + + +def usage(uout: OutputBuffer, err: Optional[str] = None) -> None: + retval = exitcodes.GOOD + p = os.path.basename(sys.argv[0]) + uout.head('# {} {}, https://github.com/jtesta/ssh-audit\n'.format(p, VERSION)) + if err is not None and len(err) > 0: + uout.fail(err + '\n') + retval = exitcodes.UNKNOWN_ERROR + uout.info('usage: {0} [options] \n'.format(p)) + uout.info(' -h, --help print this help') + uout.info(' -1, --ssh1 force ssh version 1 only') + uout.info(' -2, --ssh2 force ssh version 2 only') + uout.info(' -4, --ipv4 enable IPv4 (order of precedence)') + uout.info(' -6, --ipv6 enable IPv6 (order of precedence)') + uout.info(' -b, --batch batch output') + uout.info(' -c, --client-audit starts a server on port 2222 to audit client\n software config (use -p to change port;\n use -t to change timeout)') + uout.info(' -d, --debug debug output') + uout.info(' -g, --gex-test= dh gex modulus size test') + uout.info(' ') + uout.info(' ') + uout.info(' -j, --json JSON output (use -jj to enable indents)') + uout.info(' -l, --level= minimum output level (info|warn|fail)') + uout.info(' -L, --list-policies list all the official, built-in policies') + uout.info(' --lookup= looks up an algorithm(s) without\n connecting to a server') + uout.info(' -M, --make-policy= creates a policy based on the target server\n (i.e.: the target server has the ideal\n configuration that other servers should\n adhere to)') + uout.info(' -m, --manual print the man page (Windows only)') + uout.info(' -n, --no-colors disable colors') + uout.info(' -p, --port= port to connect') + uout.info(' -P, --policy= run a policy test using the specified policy') + uout.info(' -t, --timeout= timeout (in seconds) for connection and reading\n (default: 5)') + uout.info(' -T, --targets= a file containing a list of target hosts (one\n per line, format HOST[:PORT]). Use --threads\n to control concurrent scans.') + uout.info(' --threads= number of threads to use when scanning multiple\n targets (-T/--targets) (default: 32)') + uout.info(' -v, --verbose verbose output') + uout.sep() + uout.write() + sys.exit(retval) + + +def output_algorithms(out: OutputBuffer, title: str, alg_db: Dict[str, Dict[str, List[List[Optional[str]]]]], alg_type: str, algorithms: List[str], unknown_algs: List[str], is_json_output: bool, program_retval: int, maxlen: int = 0, host_keys: Optional[Dict[str, Dict[str, Union[bytes, str, int]]]] = None, dh_modulus_sizes: Optional[Dict[str, int]] = None) -> int: # pylint: disable=too-many-arguments + with out: + for algorithm in algorithms: + program_retval = output_algorithm(out, alg_db, alg_type, algorithm, unknown_algs, program_retval, maxlen, host_keys=host_keys, dh_modulus_sizes=dh_modulus_sizes) + if not out.is_section_empty() and not is_json_output: + out.head('# ' + title) + out.flush_section() + out.sep() + + return program_retval + + +def output_algorithm(out: OutputBuffer, alg_db: Dict[str, Dict[str, List[List[Optional[str]]]]], alg_type: str, alg_name: str, unknown_algs: List[str], program_retval: int, alg_max_len: int = 0, host_keys: Optional[Dict[str, Dict[str, Union[bytes, str, int]]]] = None, dh_modulus_sizes: Optional[Dict[str, int]] = None) -> int: # pylint: disable=too-many-arguments + prefix = '(' + alg_type + ') ' + if alg_max_len == 0: + alg_max_len = len(alg_name) + padding = '' if out.batch else ' ' * (alg_max_len - len(alg_name)) + + # If this is an RSA host key or DH GEX, append the size to its name and fix + # the padding. + alg_name_with_size = None + if (dh_modulus_sizes is not None) and (alg_name in dh_modulus_sizes): + alg_name_with_size = '%s (%u-bit)' % (alg_name, dh_modulus_sizes[alg_name]) + padding = padding[0:-11] + elif (host_keys is not None) and (alg_name in host_keys): + hostkey_size = cast(int, host_keys[alg_name]['hostkey_size']) + ca_key_type = cast(str, host_keys[alg_name]['ca_key_type']) + ca_key_size = cast(int, host_keys[alg_name]['ca_key_size']) + + # If this is an RSA variant, just print "RSA". + if ca_key_type in HostKeyTest.RSA_FAMILY: + ca_key_type = "RSA" + + if len(ca_key_type) > 0 and ca_key_size > 0: + alg_name_with_size = '%s (%u-bit cert/%u-bit %s CA)' % (alg_name, hostkey_size, ca_key_size, ca_key_type) + padding = padding[0:-15] + elif alg_name in HostKeyTest.RSA_FAMILY: + alg_name_with_size = '%s (%u-bit)' % (alg_name, hostkey_size) + padding = padding[0:-11] + + # If this is a kex algorithm and starts with 'gss-', then normalize its name (i.e.: 'gss-gex-sha1-vz8J1E9PzLr8b1K+0remTg==' => 'gss-gex-sha1-*'). The base64 field can vary, so we'll convert it to the wildcard that our database uses and we'll just resume doing a straight match like all other algorithm names. + alg_name_original = alg_name + if alg_type == 'kex' and alg_name.startswith('gss-'): + last_dash = alg_name.rindex('-') + alg_name = "%s-*" % alg_name[0:last_dash] + + texts = [] + if len(alg_name.strip()) == 0: + return program_retval + alg_name_native = Utils.to_text(alg_name) + if alg_name_native in alg_db[alg_type]: + alg_desc = alg_db[alg_type][alg_name_native] + ldesc = len(alg_desc) + for idx, level in enumerate(['fail', 'warn', 'info']): + if level == 'info': + versions = alg_desc[0] + since_text = Algorithm.get_since_text(versions) + if since_text is not None and len(since_text) > 0: + texts.append((level, since_text)) + idx = idx + 1 + if ldesc > idx: + for t in alg_desc[idx]: + if t is None: + continue + texts.append((level, t)) + if len(texts) == 0: + texts.append(('info', '')) + else: + texts.append(('warn', 'unknown algorithm')) + unknown_algs.append(alg_name) + + # For kex GSS algorithms, now that we already did the database lookup (above), restore the original algorithm name so its reported properly in the output. + if alg_name != alg_name_original: + alg_name = alg_name_original + + alg_name = alg_name_with_size if alg_name_with_size is not None else alg_name + first = True + use_good_for_all = False + for level, text in texts: + if level == 'fail': + program_retval = exitcodes.FAILURE + elif level == 'warn' and program_retval != exitcodes.FAILURE: # If a failure was found previously, don't downgrade to warning. + program_retval = exitcodes.WARNING + + f = getattr(out, level) + comment = (padding + ' -- [' + level + '] ' + text) if text != '' else '' + + # If the first algorithm's comment is an 'info', this implies that it is rated good. Hence, the out.good() function should be used to write all subsequent notes for this algorithm as well. + if (first and level == 'info') or use_good_for_all: + f = out.good + use_good_for_all = True + + if first: + f(prefix + alg_name + comment) + first = False + else: # pylint: disable=else-if-used + if out.verbose: + f(prefix + alg_name + comment) + elif text != '': + comment = padding + ' `- [' + level + '] ' + text + f(' ' * len(prefix + alg_name) + comment) + + return program_retval + + +def output_compatibility(out: OutputBuffer, algs: Algorithms, client_audit: bool, for_server: bool = True) -> None: + + # Don't output any compatibility info if we're doing a client audit. + if client_audit: + return + + ssh_timeframe = algs.get_ssh_timeframe(for_server) + comp_text = [] + for ssh_prod in [Product.OpenSSH, Product.DropbearSSH]: + if ssh_prod not in ssh_timeframe: + continue + v_from = ssh_timeframe.get_from(ssh_prod, for_server) + v_till = ssh_timeframe.get_till(ssh_prod, for_server) + if v_from is None: + continue + if v_till is None: + comp_text.append('{} {}+'.format(ssh_prod, v_from)) + elif v_from == v_till: + comp_text.append('{} {}'.format(ssh_prod, v_from)) + else: + software = Software(None, ssh_prod, v_from, None, None) + if software.compare_version(v_till) > 0: + tfmt = '{0} {1}+ (some functionality from {2})' + else: + tfmt = '{0} {1}-{2}' + comp_text.append(tfmt.format(ssh_prod, v_from, v_till)) + if len(comp_text) > 0: + out.good('(gen) compatibility: ' + ', '.join(comp_text)) + + +def output_security_sub(out: OutputBuffer, sub: str, software: Optional[Software], client_audit: bool, padlen: int) -> List[Dict[str, Union[str, float]]]: + ret: List[Dict[str, Union[str, float]]] = [] + + secdb = VersionVulnerabilityDB.CVE if sub == 'cve' else VersionVulnerabilityDB.TXT + if software is None or software.product not in secdb: + return ret + for line in secdb[software.product]: + vfrom: str = '' + vtill: str = '' + vfrom, vtill = line[0:2] + if not software.between_versions(vfrom, vtill): + continue + target: int = 0 + name: str = '' + target, name = line[2:4] + is_server = target & 1 == 1 + is_client = target & 2 == 2 + # is_local = target & 4 == 4 + + # If this security entry applies only to servers, but we're testing a client, then skip it. Similarly, skip entries that apply only to clients, but we're testing a server. + if (is_server and not is_client and client_audit) or (is_client and not is_server and not client_audit): + continue + p = '' if out.batch else ' ' * (padlen - len(name)) + if sub == 'cve': + cvss: float = 0.0 + descr: str = '' + cvss, descr = line[4:6] + + # Critical CVSS scores (>= 8.0) are printed as a fail, otherwise they are printed as a warning. + out_func = out.warn + if cvss >= 8.0: + out_func = out.fail + out_func('(cve) {}{} -- (CVSSv2: {}) {}'.format(name, p, cvss, descr)) + ret.append({'name': name, 'cvssv2': cvss, 'description': descr}) + else: + descr = line[4] + out.fail('(sec) {}{} -- {}'.format(name, p, descr)) + + return ret + + +def output_security(out: OutputBuffer, banner: Optional[Banner], client_audit: bool, padlen: int, is_json_output: bool) -> List[Dict[str, Union[str, float]]]: + cves = [] + + with out: + if banner is not None: + software = Software.parse(banner) + cves = output_security_sub(out, 'cve', software, client_audit, padlen) + _ = output_security_sub(out, 'txt', software, client_audit, padlen) + if banner.protocol[0] == 1: + p = '' if out.batch else ' ' * (padlen - 14) + out.fail('(sec) SSH v1 enabled{} -- SSH v1 can be exploited to recover plaintext passwords'.format(p)) + if not out.is_section_empty() and not is_json_output: + out.head('# security') + out.flush_section() + out.sep() + + return cves + + +def output_fingerprints(out: OutputBuffer, algs: Algorithms, is_json_output: bool) -> None: + with out: + fps = {} + if algs.ssh1kex is not None: + name = 'ssh-rsa1' + fp = Fingerprint(algs.ssh1kex.host_key_fingerprint_data) + # bits = algs.ssh1kex.host_key_bits + fps[name] = fp + if algs.ssh2kex is not None: + host_keys = algs.ssh2kex.host_keys() + for host_key_type in algs.ssh2kex.host_keys(): + if host_keys[host_key_type] is None: + continue + + fp = Fingerprint(cast(bytes, host_keys[host_key_type]['raw_hostkey_bytes'])) + + # Workaround for Python's order-indifference in dicts. We might get a random RSA type (ssh-rsa, rsa-sha2-256, or rsa-sha2-512), so running the tool against the same server three times may give three different host key types here. So if we have any RSA type, we will simply hard-code it to 'ssh-rsa'. + if host_key_type in HostKeyTest.RSA_FAMILY: + host_key_type = 'ssh-rsa' + + # Skip over certificate host types (or we would return invalid fingerprints), and only add one fingerprint in the RSA family. + if '-cert-' not in host_key_type: + fps[host_key_type] = fp + # Similarly, the host keys can be processed in random order due to Python's order-indifference in dicts. So we sort this list before printing; this makes automated testing possible. + fp_types = sorted(fps.keys()) + for fp_type in fp_types: + fp = fps[fp_type] + out.good('(fin) {}: {}'.format(fp_type, fp.sha256)) + + # Output the MD5 hash too if verbose mode is enabled. + if out.verbose: + out.info('(fin) {}: {} -- [info] do not rely on MD5 fingerprints for server identification; it is insecure for this use case'.format(fp_type, fp.md5)) + + if not out.is_section_empty() and not is_json_output: + out.head('# fingerprints') + out.flush_section() + out.sep() + + +# Returns True if no warnings or failures encountered in configuration. +def output_recommendations(out: OutputBuffer, algs: Algorithms, algorithm_recommendation_suppress_list: List[str], software: Optional[Software], is_json_output: bool, padlen: int = 0) -> bool: + + ret = True + # PuTTY's algorithms cannot be modified, so there's no point in issuing recommendations. + if (software is not None) and (software.product == Product.PuTTY): + max_vuln_version = 0.0 + max_cvssv2_severity = 0.0 + # Search the CVE database for the most recent vulnerable version and the max CVSSv2 score. + for cve_list in VersionVulnerabilityDB.CVE['PuTTY']: + vuln_version = float(cve_list[1]) + cvssv2_severity = cve_list[4] + + if vuln_version > max_vuln_version: + max_vuln_version = vuln_version + if cvssv2_severity > max_cvssv2_severity: + max_cvssv2_severity = cvssv2_severity + + fn = out.warn + if max_cvssv2_severity > 8.0: + fn = out.fail + + # Assuming that PuTTY versions will always increment by 0.01, we can calculate the first safe version by adding 0.01 to the latest vulnerable version. + current_version = float(software.version) + upgrade_to_version = max_vuln_version + 0.01 + if current_version < upgrade_to_version: + out.head('# recommendations') + fn('(rec) Upgrade to PuTTY v%.2f' % upgrade_to_version) + out.sep() + ret = False + return ret + + level_to_output = { + "informational": out.good, + "warning": out.warn, + "critical": out.fail + } + + with out: + recommendations = get_algorithm_recommendations(algs, algorithm_recommendation_suppress_list, software, for_server=True) + + for level in recommendations: # pylint: disable=consider-using-dict-items + for action in recommendations[level]: + for alg_type in recommendations[level][action]: + for alg_name_and_notes in recommendations[level][action][alg_type]: + name = alg_name_and_notes['name'] + notes = alg_name_and_notes['notes'] + + p = '' if out.batch else ' ' * (padlen - len(name)) + + fn = level_to_output[level] + + if action == 'del': + an, sg = 'remove', '-' + ret = False + elif action == 'add': + an, sg = 'append', '+' + elif action == 'chg': + an, sg = 'change', '!' + ret = False + + if notes != '': + notes = " (%s)" % notes + + fm = '(rec) {0}{1}{2}-- {3} algorithm to {4}{5} ' + fn(fm.format(sg, name, p, alg_type, an, notes)) + + if not out.is_section_empty() and not is_json_output: + if software is not None: + title = '(for {})'.format(software.display(False)) + else: + title = '' + out.head('# algorithm recommendations {}'.format(title)) + out.flush_section(sort_section=True) # Sort the output so that it is always stable (needed for repeatable testing). + out.sep() + return ret + + +# Output additional information & notes. +def output_info(out: OutputBuffer, software: Optional['Software'], client_audit: bool, any_problems: bool, is_json_output: bool, additional_notes: str) -> None: + with out: + # Tell user that PuTTY cannot be hardened at the protocol-level. + if client_audit and (software is not None) and (software.product == Product.PuTTY): + out.warn('(nfo) PuTTY does not have the option of restricting any algorithms during the SSH handshake.') + + # If any warnings or failures were given, print a link to the hardening guides. + if any_problems: + out.warn('(nfo) For hardening guides on common OSes, please see: ') + + # Add any additional notes. + if len(additional_notes) > 0: + out.warn("(nfo) %s" % additional_notes) + + if not out.is_section_empty() and not is_json_output: + out.head('# additional info') + out.flush_section() + out.sep() + + +def post_process_findings(banner: Optional[Banner], algs: Algorithms, client_audit: bool) -> Tuple[List[str], str]: + '''Perform post-processing on scan results before reporting them to the user. Returns a list of algorithms that should not be recommended''' + + def _add_terrapin_warning(db: Dict[str, Dict[str, List[List[Optional[str]]]]], category: str, algorithm_name: str) -> None: + '''Adds a warning regarding the Terrapin vulnerability for the specified algorithm.''' + # Ensure that a slot for warnings exists for this algorithm. + while len(db[category][algorithm_name]) < 3: + db[category][algorithm_name].append([]) + + db[category][algorithm_name][2].append("vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation") + + def _get_chacha_ciphers_enabled(algs: Algorithms) -> List[str]: + '''Returns a list of chacha20-poly1305 ciphers that the peer supports.''' + ret = [] + + if algs.ssh2kex is not None: + ciphers_supported = algs.ssh2kex.client.encryption if client_audit else algs.ssh2kex.server.encryption + for cipher in ciphers_supported: + if cipher.startswith("chacha20-poly1305"): + ret.append(cipher) + + return ret + + def _get_chacha_ciphers_not_enabled(db: Dict[str, Dict[str, List[List[Optional[str]]]]], algs: Algorithms) -> List[str]: + '''Returns a list of all chacha20-poly1305 in our algorithm database.''' + ret = [] + + for cipher in db["enc"]: + if cipher.startswith("chacha20-poly1305") and cipher not in _get_chacha_ciphers_enabled(algs): + ret.append(cipher) + + return ret + + def _get_cbc_ciphers_enabled(algs: Algorithms) -> List[str]: + '''Returns a list of CBC ciphers that the peer supports.''' + ret = [] + + if algs.ssh2kex is not None: + ciphers_supported = algs.ssh2kex.client.encryption if client_audit else algs.ssh2kex.server.encryption + for cipher in ciphers_supported: + if cipher.endswith("-cbc"): + ret.append(cipher) + + return ret + + def _get_cbc_ciphers_not_enabled(db: Dict[str, Dict[str, List[List[Optional[str]]]]], algs: Algorithms) -> List[str]: + '''Returns a list of all CBC ciphers in our algorithm database.''' + ret = [] + + for cipher in db["enc"]: + if cipher.endswith("-cbc") and cipher not in _get_cbc_ciphers_enabled(algs): + ret.append(cipher) + + return ret + + def _get_etm_macs_enabled(algs: Algorithms) -> List[str]: + '''Returns a list of ETM MACs that the peer supports.''' + ret = [] + + if algs.ssh2kex is not None: + macs_supported = algs.ssh2kex.client.mac if client_audit else algs.ssh2kex.server.mac + for mac in macs_supported: + if mac.endswith("-etm@openssh.com"): + ret.append(mac) + + return ret + + def _get_etm_macs_not_enabled(db: Dict[str, Dict[str, List[List[Optional[str]]]]], algs: Algorithms) -> List[str]: + '''Returns a list of ETM MACs in our algorithm database.''' + ret = [] + + for mac in db["mac"]: + if mac.endswith("-etm@openssh.com") and mac not in _get_etm_macs_enabled(algs): + ret.append(mac) + + return ret + + + algorithm_recommendation_suppress_list = [] + algs_to_note = [] + + + # + # Post-processing of the OpenSSH diffie-hellman-group-exchange-sha256 fallback mechanism bug/feature. + # + + # If the server is OpenSSH, and the diffie-hellman-group-exchange-sha256 key exchange was found with modulus size 2048, add a note regarding the bug that causes the server to support 2048-bit moduli no matter the configuration. + if (algs.ssh2kex is not None and 'diffie-hellman-group-exchange-sha256' in algs.ssh2kex.kex_algorithms and 'diffie-hellman-group-exchange-sha256' in algs.ssh2kex.dh_modulus_sizes() and algs.ssh2kex.dh_modulus_sizes()['diffie-hellman-group-exchange-sha256'] == 2048) and (banner is not None and banner.software is not None and banner.software.find('OpenSSH') != -1): + + # Ensure a list for notes exists. + db = SSH2_KexDB.get_db() + while len(db['kex']['diffie-hellman-group-exchange-sha256']) < 4: + db['kex']['diffie-hellman-group-exchange-sha256'].append([]) + + db['kex']['diffie-hellman-group-exchange-sha256'][3].append("A bug in OpenSSH causes it to fall back to a 2048-bit modulus regardless of server configuration (https://bugzilla.mindrot.org/show_bug.cgi?id=2793)") + + # Ensure that this algorithm doesn't appear in the recommendations section since the user cannot control this OpenSSH bug. + algorithm_recommendation_suppress_list.append('diffie-hellman-group-exchange-sha256') + + # Check for the Terrapin vulnerability (CVE-2023-48795), and mark the vulnerable algorithms. + kex_strict_marker = False + if algs.ssh2kex is not None and \ + ((client_audit and 'kex-strict-c-v00@openssh.com' in algs.ssh2kex.kex_algorithms) or (not client_audit and 'kex-strict-s-v00@openssh.com' in algs.ssh2kex.kex_algorithms)): # Strict KEX marker is present. + kex_strict_marker = True + + db = SSH2_KexDB.get_db() + + + # + # Post-processing of algorithms related to the Terrapin vulnerability (CVE-2023-48795). + # + + # Without the strict KEX marker, the chacha20-poly1305 ciphers are always vulnerable. + for chacha_cipher in _get_chacha_ciphers_enabled(algs): + if kex_strict_marker: + # Inform the user that the target is correctly configured, but another peer may still choose this algorithm without using strict KEX negotiation, which would still result in vulnerability. + algs_to_note.append(chacha_cipher) + else: + _add_terrapin_warning(db, "enc", chacha_cipher) + + cbc_ciphers_enabled = _get_cbc_ciphers_enabled(algs) + etm_macs_enabled = _get_etm_macs_enabled(algs) + + # Without the strict KEX marker, if at least one CBC cipher and at least one ETM MAC is supported, mark them all as vulnerable. + if len(cbc_ciphers_enabled) > 0 and len(etm_macs_enabled) > 0: + for cipher in cbc_ciphers_enabled: + if kex_strict_marker: + # Inform the user that the target is correctly configured, but another peer may still choose this algorithm without using strict KEX negotiation, which would still result in vulnerability. + algs_to_note.append(cipher) + else: + _add_terrapin_warning(db, "enc", cipher) + + for mac in etm_macs_enabled: + if kex_strict_marker: + # Inform the user that the target is correctly configured, but another peer may still choose this algorithm without using strict KEX negotiation, which would still result in vulnerability. + algs_to_note.append(mac) + else: + _add_terrapin_warning(db, "mac", mac) + + # Return a note telling the user that, while this target is properly configured, if connected to a vulnerable peer, then a vulnerable connection is still possible. + notes = "" + if len(algs_to_note) > 0: + notes = "Be aware that, while this target properly supports the strict key exchange method (via the kex-strict-?-v00@openssh.com marker) needed to protect against the Terrapin vulnerability (CVE-2023-48795), all peers must also support this feature as well, otherwise the vulnerability will still be present. The following algorithms would allow an unpatched peer to create vulnerable SSH channels with this target: %s. If any CBC ciphers are in this list, you may remove them while leaving the *-etm@openssh.com MACs in place; these MACs are fine while paired with non-CBC cipher types." % ", ".join(algs_to_note) + + # Add the chacha ciphers, CBC ciphers, and ETM MACs to the recommendation suppression list if they are not enabled on the server. That way they are not recommended to the user to enable if they were explicitly disabled to handle the Terrapin vulnerability. However, they can still be recommended for disabling. + algorithm_recommendation_suppress_list += _get_chacha_ciphers_not_enabled(db, algs) + algorithm_recommendation_suppress_list += _get_cbc_ciphers_not_enabled(db, algs) + algorithm_recommendation_suppress_list += _get_etm_macs_not_enabled(db, algs) + + return algorithm_recommendation_suppress_list, notes + + +# Returns a exitcodes.* flag to denote if any failures or warnings were encountered. +def output(out: OutputBuffer, aconf: AuditConf, banner: Optional[Banner], header: List[str], client_host: Optional[str] = None, kex: Optional[SSH2_Kex] = None, pkm: Optional[SSH1_PublicKeyMessage] = None, print_target: bool = False) -> int: + + program_retval = exitcodes.GOOD + client_audit = client_host is not None # If set, this is a client audit. + sshv = 1 if pkm is not None else 2 + algs = Algorithms(pkm, kex) + + # Perform post-processing on the findings to make final adjustments before outputting the results. + algorithm_recommendation_suppress_list, additional_notes = post_process_findings(banner, algs, client_audit) + + with out: + if print_target: + host = aconf.host + + # Print the port if it's not the default of 22. + if aconf.port != 22: + + # Check if this is an IPv6 address, as that is printed in a different format. + if Utils.is_ipv6_address(aconf.host): + host = '[%s]:%d' % (aconf.host, aconf.port) + else: + host = '%s:%d' % (aconf.host, aconf.port) + + out.good('(gen) target: {}'. format(host)) + if client_audit: + out.good('(gen) client IP: {}'.format(client_host)) + if len(header) > 0: + out.info('(gen) header: ' + '\n'.join(header)) + if banner is not None: + banner_line = '(gen) banner: {}'.format(banner) + if sshv == 1 or banner.protocol[0] == 1: + out.fail(banner_line) + out.fail('(gen) protocol SSH1 enabled') + else: + out.good(banner_line) + + if not banner.valid_ascii: + # NOTE: RFC 4253, Section 4.2 + out.warn('(gen) banner contains non-printable ASCII') + + software = Software.parse(banner) + if software is not None: + out.good('(gen) software: {}'.format(software)) + else: + software = None + output_compatibility(out, algs, client_audit) + if kex is not None: + compressions = [x for x in kex.server.compression if x != 'none'] + if len(compressions) > 0: + cmptxt = 'enabled ({})'.format(', '.join(compressions)) + else: + cmptxt = 'disabled' + out.good('(gen) compression: {}'.format(cmptxt)) + if not out.is_section_empty() and not aconf.json: # Print output when it exists and JSON output isn't requested. + out.head('# general') + out.flush_section() + out.sep() + maxlen = algs.maxlen + 1 + cves = output_security(out, banner, client_audit, maxlen, aconf.json) + # Filled in by output_algorithms() with unidentified algs. + unknown_algorithms: List[str] = [] + + # SSHv1 + if pkm is not None: + adb = SSH1_KexDB.get_db() + ciphers = pkm.supported_ciphers + auths = pkm.supported_authentications + title, atype = 'SSH1 host-key algorithms', 'key' + program_retval = output_algorithms(out, title, adb, atype, ['ssh-rsa1'], unknown_algorithms, aconf.json, program_retval, maxlen) + title, atype = 'SSH1 encryption algorithms (ciphers)', 'enc' + program_retval = output_algorithms(out, title, adb, atype, ciphers, unknown_algorithms, aconf.json, program_retval, maxlen) + title, atype = 'SSH1 authentication types', 'aut' + program_retval = output_algorithms(out, title, adb, atype, auths, unknown_algorithms, aconf.json, program_retval, maxlen) + + # SSHv2 + if kex is not None: + adb = SSH2_KexDB.get_db() + title, atype = 'key exchange algorithms', 'kex' + program_retval = output_algorithms(out, title, adb, atype, kex.kex_algorithms, unknown_algorithms, aconf.json, program_retval, maxlen, dh_modulus_sizes=kex.dh_modulus_sizes()) + title, atype = 'host-key algorithms', 'key' + program_retval = output_algorithms(out, title, adb, atype, kex.key_algorithms, unknown_algorithms, aconf.json, program_retval, maxlen, host_keys=kex.host_keys()) + title, atype = 'encryption algorithms (ciphers)', 'enc' + program_retval = output_algorithms(out, title, adb, atype, kex.server.encryption, unknown_algorithms, aconf.json, program_retval, maxlen) + title, atype = 'message authentication code algorithms', 'mac' + program_retval = output_algorithms(out, title, adb, atype, kex.server.mac, unknown_algorithms, aconf.json, program_retval, maxlen) + + output_fingerprints(out, algs, aconf.json) + perfect_config = output_recommendations(out, algs, algorithm_recommendation_suppress_list, software, aconf.json, maxlen) + output_info(out, software, client_audit, not perfect_config, aconf.json, additional_notes) + + if aconf.json: + out.reset() + # Build & write the JSON struct. + out.info(json.dumps(build_struct(aconf.host + ":" + str(aconf.port), banner, cves, kex=kex, client_host=client_host, software=software, algorithms=algs, algorithm_recommendation_suppress_list=algorithm_recommendation_suppress_list, additional_notes=additional_notes), indent=4 if aconf.json_print_indent else None, sort_keys=True)) + elif len(unknown_algorithms) > 0: # If we encountered any unknown algorithms, ask the user to report them. + out.warn("\n\n!!! WARNING: unknown algorithm(s) found!: %s. Please email the full output above to the maintainer (jtesta@positronsecurity.com), or create a Github issue at .\n" % ','.join(unknown_algorithms)) + + return program_retval + + +def evaluate_policy(out: OutputBuffer, aconf: AuditConf, banner: Optional['Banner'], client_host: Optional[str], kex: Optional['SSH2_Kex'] = None) -> bool: + + if aconf.policy is None: + raise RuntimeError('Internal error: cannot evaluate against null Policy!') + + passed, error_struct, error_str = aconf.policy.evaluate(banner, kex) + if aconf.json: + json_struct = {'host': aconf.host, 'policy': aconf.policy.get_name_and_version(), 'passed': passed, 'errors': error_struct} + out.info(json.dumps(json_struct, indent=4 if aconf.json_print_indent else None, sort_keys=True)) + else: + spacing = '' + if aconf.client_audit: + out.info("Client IP: %s" % client_host) + spacing = " " # So the fields below line up with 'Client IP: '. + else: + host = aconf.host + if aconf.port != 22: + # Check if this is an IPv6 address, as that is printed in a different format. + if Utils.is_ipv6_address(aconf.host): + host = '[%s]:%d' % (aconf.host, aconf.port) + else: + host = '%s:%d' % (aconf.host, aconf.port) + + out.info("Host: %s" % host) + out.info("Policy: %s%s" % (spacing, aconf.policy.get_name_and_version())) + out.info("Result: %s" % spacing, line_ended=False) + + # Use these nice unicode characters in the result message, unless we're on Windows (the cmd.exe terminal doesn't display them properly). + icon_good = "✔ " + icon_fail = "❌ " + if Utils.is_windows(): + icon_good = "" + icon_fail = "" + + if passed: + out.good("%sPassed" % icon_good) + else: + out.fail("%sFailed!" % icon_fail) + out.warn("\nErrors:\n%s" % error_str) + + return passed + + +def get_algorithm_recommendations(algs: Optional[Algorithms], algorithm_recommendation_suppress_list: Optional[List[str]], software: Optional[Software], for_server: bool = True) -> Dict[str, Any]: + '''Returns the algorithm recommendations.''' + ret: Dict[str, Any] = {} + + if algs is None or software is None: + return ret + + software, alg_rec = algs.get_recommendations(software, for_server) + for sshv in range(2, 0, -1): + if sshv not in alg_rec: + continue + for alg_type in ['kex', 'key', 'enc', 'mac']: + if alg_type not in alg_rec[sshv]: + continue + for action in ['del', 'add', 'chg']: + if action not in alg_rec[sshv][alg_type]: + continue + + for name in alg_rec[sshv][alg_type][action]: + + # If this algorithm should be suppressed, skip it. + if algorithm_recommendation_suppress_list is not None and name in algorithm_recommendation_suppress_list: + continue + + level = 'informational' + points = alg_rec[sshv][alg_type][action][name] + if points >= 10: + level = 'critical' + elif points >= 1: + level = 'warning' + + if level not in ret: + ret[level] = {} + + if action not in ret[level]: + ret[level][action] = {} + + if alg_type not in ret[level][action]: + ret[level][action][alg_type] = [] + + notes = '' + if action == 'chg': + notes = 'increase modulus size to 3072 bits or larger' + + ret[level][action][alg_type].append({'name': name, 'notes': notes}) + + return ret + + +def list_policies(out: OutputBuffer) -> None: + '''Prints a list of server & client policies.''' + + server_policy_names, client_policy_names = Policy.list_builtin_policies() + + if len(server_policy_names) > 0: + out.head('\nServer policies:\n') + out.info(" * \"%s\"" % "\"\n * \"".join(server_policy_names)) + + if len(client_policy_names) > 0: + out.head('\nClient policies:\n') + out.info(" * \"%s\"" % "\"\n * \"".join(client_policy_names)) + + out.sep() + if len(server_policy_names) == 0 and len(client_policy_names) == 0: + out.fail("Error: no built-in policies found!") + else: + out.info("\nHint: Use -P and provide the full name of a policy to run a policy scan with.\n") + out.write() + + +def make_policy(aconf: AuditConf, banner: Optional['Banner'], kex: Optional['SSH2_Kex'], client_host: Optional[str]) -> None: + + # Set the source of this policy to the server host if this is a server audit, otherwise set it to the client address. + source: Optional[str] = aconf.host + if aconf.client_audit: + source = client_host + + policy_data = Policy.create(source, banner, kex, aconf.client_audit) + + if aconf.policy_file is None: + raise RuntimeError('Internal error: cannot write policy file since filename is None!') + + succeeded = False + err = '' + try: + # Open with mode 'x' (creates the file, or fails if it already exist). + with open(aconf.policy_file, 'x', encoding='utf-8') as f: + f.write(policy_data) + succeeded = True + except FileExistsError: + err = "Error: file already exists: %s" % aconf.policy_file + except PermissionError as e: + # If installed as a Snap package, print a more useful message with potential work-arounds. + if SNAP_PACKAGE: + print(SNAP_PERMISSIONS_ERROR) + sys.exit(exitcodes.UNKNOWN_ERROR) + else: + err = "Error: insufficient permissions: %s" % str(e) + + if succeeded: + print("Wrote policy to %s. Customize as necessary, then run a policy scan with -P option." % aconf.policy_file) + else: + print(err) + + +def process_commandline(out: OutputBuffer, args: List[str], usage_cb: Callable[..., None]) -> 'AuditConf': # pylint: disable=too-many-statements + # pylint: disable=too-many-branches + aconf = AuditConf() + + enable_colors = not any(i in args for i in ['--no-colors', '-n']) + aconf.colors = enable_colors + out.use_colors = enable_colors + + try: + sopts = 'h1246M:p:P:jbcnvl:t:T:Lmdg:' + lopts = ['help', 'ssh1', 'ssh2', 'ipv4', 'ipv6', 'make-policy=', 'port=', 'policy=', 'json', 'batch', 'client-audit', 'no-colors', 'verbose', 'level=', 'timeout=', 'targets=', 'list-policies', 'lookup=', 'threads=', 'manual', 'debug', 'gex-test='] + opts, args = getopt.gnu_getopt(args, sopts, lopts) + except getopt.GetoptError as err: + usage_cb(out, str(err)) + aconf.ssh1, aconf.ssh2 = False, False + host: str = '' + oport: Optional[str] = None + port: int = 0 + for o, a in opts: + if o in ('-h', '--help'): + usage_cb(out) + elif o in ('-1', '--ssh1'): + aconf.ssh1 = True + elif o in ('-2', '--ssh2'): + aconf.ssh2 = True + elif o in ('-4', '--ipv4'): + aconf.ipv4 = True + elif o in ('-6', '--ipv6'): + aconf.ipv6 = True + elif o in ('-p', '--port'): + oport = a + elif o in ('-b', '--batch'): + aconf.batch = True + aconf.verbose = True + elif o in ('-c', '--client-audit'): + aconf.client_audit = True + elif o in ('-j', '--json'): + if aconf.json: # If specified twice, enable indent printing. + aconf.json_print_indent = True + else: + aconf.json = True + elif o in ('-v', '--verbose'): + aconf.verbose = True + out.verbose = True + elif o in ('-l', '--level'): + if a not in ('info', 'warn', 'fail'): + usage_cb(out, 'level {} is not valid'.format(a)) + aconf.level = a + elif o in ('-t', '--timeout'): + aconf.timeout = float(a) + aconf.timeout_set = True + elif o in ('-M', '--make-policy'): + aconf.make_policy = True + aconf.policy_file = a + elif o in ('-P', '--policy'): + aconf.policy_file = a + elif o in ('-T', '--targets'): + aconf.target_file = a + + # If we're on Windows, and we can't use the idna workaround, force only one thread to be used (otherwise a crash would occur). + # if no_idna_workaround: + # print("\nWARNING: the idna module was not found on this system, thus only single-threaded scanning will be done (this is a workaround for this Windows-specific crash: https://github.com/python/cpython/issues/73474). Multi-threaded scanning can be enabled by installing the idna module (pip install idna).\n") + # aconf.threads = 1 + elif o == '--threads': + aconf.threads = int(a) + # if no_idna_workaround: + # aconf.threads = 1 + elif o in ('-L', '--list-policies'): + aconf.list_policies = True + elif o == '--lookup': + aconf.lookup = a + elif o in ('-m', '--manual'): + aconf.manual = True + elif o in ('-d', '--debug'): + aconf.debug = True + out.debug = True + elif o in ('-g', '--gex-test'): + permitted_syntax = get_permitted_syntax_for_gex_test() + + if not any(re.search(regex_str, a) for regex_str in permitted_syntax.values()): + usage_cb(out, '{} {} is not valid'.format(o, a)) + + if re.search(permitted_syntax['RANGE'], a): + extracted_digits = re.findall(r'\d+', a) + bits_left_bound = int(extracted_digits[0]) + bits_right_bound = int(extracted_digits[1]) + + bits_step = 1 + if (len(extracted_digits)) == 3: + bits_step = int(extracted_digits[2]) + + if bits_step <= 0: + usage_cb(out, '{} {} is not valid'.format(o, bits_step)) + + if all(x < 0 for x in (bits_left_bound, bits_right_bound)): + usage_cb(out, '{} {} {} is not valid'.format(o, bits_left_bound, bits_right_bound)) + + aconf.gex_test = a + + + if len(args) == 0 and aconf.client_audit is False and aconf.target_file is None and aconf.list_policies is False and aconf.lookup == '' and aconf.manual is False: + usage_cb(out) + + if aconf.manual: + return aconf + + if aconf.lookup != '': + return aconf + + if aconf.list_policies: + list_policies(out) + sys.exit(exitcodes.GOOD) + + if aconf.client_audit is False and aconf.target_file is None: + if oport is not None: + host = args[0] + else: + host, port = Utils.parse_host_and_port(args[0]) + if not host and aconf.target_file is None: + usage_cb(out, 'host is empty') + + if port == 0 and oport is None: + if aconf.client_audit: # The default port to listen on during a client audit is 2222. + port = 2222 + else: + port = 22 + + if oport is not None: + port = Utils.parse_int(oport) + if port <= 0 or port > 65535: + usage_cb(out, 'port {} is not valid'.format(oport)) + + aconf.host = host + aconf.port = port + if not (aconf.ssh1 or aconf.ssh2): + aconf.ssh1, aconf.ssh2 = True, True + + # If a file containing a list of targets was given, read it. + if aconf.target_file is not None: + try: + with open(aconf.target_file, 'r', encoding='utf-8') as f: + aconf.target_list = f.readlines() + except PermissionError as e: + # If installed as a Snap package, print a more useful message with potential work-arounds. + if SNAP_PACKAGE: + print(SNAP_PERMISSIONS_ERROR) + else: + print("Error: insufficient permissions: %s" % str(e)) + sys.exit(exitcodes.UNKNOWN_ERROR) + + # Strip out whitespace from each line in target file, and skip empty lines. + aconf.target_list = [target.strip() for target in aconf.target_list if target not in ("", "\n")] + + # If a policy file was provided, validate it. + if (aconf.policy_file is not None) and (aconf.make_policy is False): + + # First, see if this is a built-in policy name. If not, assume a file path was provided, and try to load it from disk. + aconf.policy = Policy.load_builtin_policy(aconf.policy_file, json_output=aconf.json) + if aconf.policy is None: + try: + aconf.policy = Policy(policy_file=aconf.policy_file, json_output=aconf.json) + except Exception as e: + out.fail("Error while loading policy file: %s: %s" % (str(e), traceback.format_exc())) + out.write() + sys.exit(exitcodes.UNKNOWN_ERROR) + + # If the user wants to do a client audit, but provided a server policy, terminate. + if aconf.client_audit and aconf.policy.is_server_policy(): + out.fail("Error: client audit selected, but server policy provided.") + out.write() + sys.exit(exitcodes.UNKNOWN_ERROR) + + # If the user wants to do a server audit, but provided a client policy, terminate. + if aconf.client_audit is False and aconf.policy.is_server_policy() is False: + out.fail("Error: server audit selected, but client policy provided.") + out.write() + sys.exit(exitcodes.UNKNOWN_ERROR) + + return aconf + + +def build_struct(target_host: str, banner: Optional['Banner'], cves: List[Dict[str, Union[str, float]]], kex: Optional['SSH2_Kex'] = None, pkm: Optional['SSH1_PublicKeyMessage'] = None, client_host: Optional[str] = None, software: Optional[Software] = None, algorithms: Optional[Algorithms] = None, algorithm_recommendation_suppress_list: Optional[List[str]] = None, additional_notes: str = "") -> Any: # pylint: disable=too-many-arguments + + def fetch_notes(algorithm: str, alg_type: str) -> Dict[str, List[Optional[str]]]: + '''Returns a dictionary containing the messages in the "fail", "warn", and "info" levels for this algorithm.''' + alg_db = SSH2_KexDB.get_db() + alg_info = {} + if algorithm in alg_db[alg_type]: + alg_desc = alg_db[alg_type][algorithm] + alg_desc_len = len(alg_desc) + + # If a list for the failure notes exists, add it to the return value. Similarly, add the related lists for the warnings and informational notes. + if (alg_desc_len >= 2) and (len(alg_desc[1]) > 0): + alg_info["fail"] = alg_desc[1] + if (alg_desc_len >= 3) and (len(alg_desc[2]) > 0): + alg_info["warn"] = alg_desc[2] + if (alg_desc_len >= 4) and (len(alg_desc[3]) > 0): + alg_info["info"] = alg_desc[3] + + # Add information about when this algorithm was implemented in OpenSSH/Dropbear. + since_text = Algorithm.get_since_text(alg_desc[0]) + if (since_text is not None) and (len(since_text) > 0): + # Add the "info" key with an empty list if the if-block above didn't create it already. + if "info" not in alg_info: + alg_info["info"] = [] + alg_info["info"].append(since_text) + else: + alg_info["fail"] = [SSH2_KexDB.FAIL_UNKNOWN] + + return alg_info + + banner_str = '' + banner_protocol = None + banner_software = None + banner_comments = None + if banner is not None: + banner_str = str(banner) + banner_protocol = '.'.join(str(x) for x in banner.protocol) + banner_software = banner.software + banner_comments = banner.comments + + res: Any = { + "banner": { + "raw": banner_str, + "protocol": banner_protocol, + "software": banner_software, + "comments": banner_comments, + }, + } + + # If we're scanning a client host, put the client's IP into the results. Otherwise, include the target host. + if client_host is not None: + res['client_ip'] = client_host + else: + res['target'] = target_host + + if kex is not None: + res['compression'] = kex.server.compression + + res['kex'] = [] + dh_alg_sizes = kex.dh_modulus_sizes() + for algorithm in kex.kex_algorithms: + alg_notes = fetch_notes(algorithm, 'kex') + entry: Any = { + 'algorithm': algorithm, + 'notes': alg_notes, + } + if algorithm in dh_alg_sizes: + hostkey_size = dh_alg_sizes[algorithm] + entry['keysize'] = hostkey_size + res['kex'].append(entry) + res['key'] = [] + host_keys = kex.host_keys() + for algorithm in kex.key_algorithms: + alg_notes = fetch_notes(algorithm, 'key') + entry = { + 'algorithm': algorithm, + 'notes': alg_notes, + } + if algorithm in host_keys: + hostkey_info = host_keys[algorithm] + hostkey_size = cast(int, hostkey_info['hostkey_size']) + + ca_type = '' + ca_size = 0 + if 'ca_key_type' in hostkey_info: + ca_type = cast(str, hostkey_info['ca_key_type']) + if 'ca_key_size' in hostkey_info: + ca_size = cast(int, hostkey_info['ca_key_size']) + + if algorithm in HostKeyTest.RSA_FAMILY or algorithm.startswith('ssh-rsa-cert-v0'): + entry['keysize'] = hostkey_size + if ca_size > 0: + entry['ca_algorithm'] = ca_type + entry['casize'] = ca_size + res['key'].append(entry) + + res['enc'] = [] + for algorithm in kex.server.encryption: + alg_notes = fetch_notes(algorithm, 'enc') + entry = { + 'algorithm': algorithm, + 'notes': alg_notes, + } + res['enc'].append(entry) + + res['mac'] = [] + for algorithm in kex.server.mac: + alg_notes = fetch_notes(algorithm, 'mac') + entry = { + 'algorithm': algorithm, + 'notes': alg_notes, + } + res['mac'].append(entry) + + res['fingerprints'] = [] + host_keys = kex.host_keys() + + # Normalize all RSA key types to 'ssh-rsa'. Otherwise, due to Python's order-indifference dictionary types, we would iterate key types in unpredictable orders, which interferes with the docker testing framework (i.e.: tests would fail because elements are reported out of order, even though the output is semantically the same). + for host_key_type in list(host_keys.keys())[:]: + if host_key_type in HostKeyTest.RSA_FAMILY: + val = host_keys[host_key_type] + del host_keys[host_key_type] + host_keys['ssh-rsa'] = val + + for host_key_type in sorted(host_keys): + if host_keys[host_key_type] is None: + continue + + fp = Fingerprint(cast(bytes, host_keys[host_key_type]['raw_hostkey_bytes'])) + + # Skip over certificate host types (or we would return invalid fingerprints). + if '-cert-' in host_key_type: + continue + + # Add the SHA256 and MD5 fingerprints. + res['fingerprints'].append({ + 'hostkey': host_key_type, + 'hash_alg': 'SHA256', + 'hash': fp.sha256[7:] + }) + res['fingerprints'].append({ + 'hostkey': host_key_type, + 'hash_alg': 'MD5', + 'hash': fp.md5[4:] + }) + else: + pkm_supported_ciphers = None + pkm_supported_authentications = None + pkm_fp = None + if pkm is not None: + pkm_supported_ciphers = pkm.supported_ciphers + pkm_supported_authentications = pkm.supported_authentications + pkm_fp = Fingerprint(pkm.host_key_fingerprint_data).sha256 + + res['key'] = ['ssh-rsa1'] + res['enc'] = pkm_supported_ciphers + res['aut'] = pkm_supported_authentications + res['fingerprints'] = [{ + 'type': 'ssh-rsa1', + 'fp': pkm_fp, + }] + + # Add in the CVE information. + res['cves'] = cves + + # Add in the recommendations. + res['recommendations'] = get_algorithm_recommendations(algorithms, algorithm_recommendation_suppress_list, software, for_server=True) + + # Add in the additional notes. Currently just one string, but in the future this may grow to multiple strings. Hence, an array is needed to prevent future schema breakage. + res['additional_notes'] = [additional_notes] + + return res + + +# Returns one of the exitcodes.* flags. +def audit(out: OutputBuffer, aconf: AuditConf, sshv: Optional[int] = None, print_target: bool = False) -> int: + program_retval = exitcodes.GOOD + out.batch = aconf.batch + out.verbose = aconf.verbose + out.debug = aconf.debug + out.level = aconf.level + out.use_colors = aconf.colors + s = SSH_Socket(out, aconf.host, aconf.port, aconf.ip_version_preference, aconf.timeout, aconf.timeout_set) + + if aconf.client_audit: + out.v("Listening for client connection on port %d..." % aconf.port, write_now=True) + s.listen_and_accept() + else: + out.v("Starting audit of %s:%d..." % ('[%s]' % aconf.host if Utils.is_ipv6_address(aconf.host) else aconf.host, aconf.port), write_now=True) + err = s.connect() + + if err is not None: + out.fail(err) + + # If we're running against multiple targets, return a connection error to the calling worker thread. Otherwise, write the error message to the console and exit. + if len(aconf.target_list) > 0: + return exitcodes.CONNECTION_ERROR + else: + out.write() + sys.exit(exitcodes.CONNECTION_ERROR) + + if sshv is None: + sshv = 2 if aconf.ssh2 else 1 + err = None + banner, header, err = s.get_banner(sshv) + if banner is None: + if err is None: + err = '[exception] did not receive banner.' + else: + err = '[exception] did not receive banner: {}'.format(err) + if err is None: + s.send_kexinit() # Send the algorithms we support (except we don't since this isn't a real SSH connection). + + packet_type, payload = s.read_packet(sshv) + if packet_type < 0: + try: + if len(payload) > 0: + payload_txt = payload.decode('utf-8') + else: + payload_txt = 'empty' + except UnicodeDecodeError: + payload_txt = '"{}"'.format(repr(payload).lstrip('b')[1:-1]) + if payload_txt == 'Protocol major versions differ.': + if sshv == 2 and aconf.ssh1: + ret = audit(out, aconf, 1) + out.write() + return ret + err = '[exception] error reading packet ({})'.format(payload_txt) + else: + err_pair = None + if sshv == 1 and packet_type != Protocol.SMSG_PUBLIC_KEY: + err_pair = ('SMSG_PUBLIC_KEY', Protocol.SMSG_PUBLIC_KEY) + elif sshv == 2 and packet_type != Protocol.MSG_KEXINIT: + err_pair = ('MSG_KEXINIT', Protocol.MSG_KEXINIT) + if err_pair is not None: + fmt = '[exception] did not receive {0} ({1}), ' + \ + 'instead received unknown message ({2})' + err = fmt.format(err_pair[0], err_pair[1], packet_type) + if err is not None: + output(out, aconf, banner, header) + out.fail(err) + return exitcodes.CONNECTION_ERROR + if sshv == 1: + program_retval = output(out, aconf, banner, header, pkm=SSH1_PublicKeyMessage.parse(payload)) + elif sshv == 2: + try: + kex = SSH2_Kex.parse(out, payload) + except Exception: + out.fail("Failed to parse server's kex. Stack trace:\n%s" % str(traceback.format_exc())) + return exitcodes.CONNECTION_ERROR + + if aconf.client_audit is False: + HostKeyTest.run(out, s, kex) + if aconf.gex_test != '': + return run_gex_granular_modulus_size_test(out, s, kex, aconf) + else: + GEXTest.run(out, s, banner, kex) + + # This is a standard audit scan. + if (aconf.policy is None) and (aconf.make_policy is False): + program_retval = output(out, aconf, banner, header, client_host=s.client_host, kex=kex, print_target=print_target) + + # This is a policy test. + elif (aconf.policy is not None) and (aconf.make_policy is False): + program_retval = exitcodes.GOOD if evaluate_policy(out, aconf, banner, s.client_host, kex=kex) else exitcodes.FAILURE + + # A new policy should be made from this scan. + elif (aconf.policy is None) and (aconf.make_policy is True): + make_policy(aconf, banner, kex, s.client_host) + + else: + raise RuntimeError('Internal error while handling output: %r %r' % (aconf.policy is None, aconf.make_policy)) + + return program_retval + + +def algorithm_lookup(out: OutputBuffer, alg_names: str) -> int: + '''Looks up a comma-separated list of algorithms and outputs their security properties. Returns an exitcodes.* flag.''' + retval = exitcodes.GOOD + alg_types = { + 'kex': 'key exchange algorithms', + 'key': 'host-key algorithms', + 'mac': 'message authentication code algorithms', + 'enc': 'encryption algorithms (ciphers)' + } + + algorithm_names = alg_names.split(",") + adb = SSH2_KexDB.get_db() + + # Use nested dictionary comprehension to iterate an outer dictionary where + # each key is an alg type that consists of a value (which is itself a + # dictionary) of alg names. Filter the alg names against the user supplied + # list of names. + algorithms_dict = { + outer_k: { + inner_k + for (inner_k, inner_v) in outer_v.items() + if inner_k in algorithm_names + } + for (outer_k, outer_v) in adb.items() + } + + unknown_algorithms: List[str] = [] + padding = len(max(algorithm_names, key=len)) + + for alg_type in alg_types: + if len(algorithms_dict[alg_type]) > 0: + title = str(alg_types.get(alg_type)) + retval = output_algorithms(out, title, adb, alg_type, list(algorithms_dict[alg_type]), unknown_algorithms, False, retval, padding) + + algorithms_dict_flattened = [ + alg_name + for val in algorithms_dict.values() + for alg_name in val + ] + + algorithms_not_found = [ + alg_name + for alg_name in algorithm_names + if alg_name not in algorithms_dict_flattened + ] + + similar_algorithms = [ + alg_unknown + " --> (" + alg_type + ") " + alg_name + for alg_unknown in algorithms_not_found + for alg_type, alg_names in adb.items() + for alg_name in alg_names + # Perform a case-insensitive comparison using 'casefold' + # and match substrings using the 'in' operator. + if alg_unknown.casefold() in alg_name.casefold() + ] + + if len(algorithms_not_found) > 0: + retval = exitcodes.FAILURE + out.head('# unknown algorithms') + for algorithm_not_found in algorithms_not_found: + out.fail(algorithm_not_found) + + out.sep() + + if len(similar_algorithms) > 0: + retval = exitcodes.FAILURE + out.head('# suggested similar algorithms') + for similar_algorithm in similar_algorithms: + out.warn(similar_algorithm) + + return retval + + +# Worker thread for scanning multiple targets concurrently. +def target_worker_thread(host: str, port: int, shared_aconf: AuditConf) -> Tuple[int, str]: + ret = -1 + string_output = '' + + out = OutputBuffer() + out.verbose = shared_aconf.verbose + my_aconf = copy.deepcopy(shared_aconf) + my_aconf.host = host + my_aconf.port = port + + # If we're outputting JSON, turn off colors and ensure 'info' level messages go through. + if my_aconf.json: + out.json = True + out.use_colors = False + + out.v("Running against: %s:%d..." % (my_aconf.host, my_aconf.port), write_now=True) + try: + ret = audit(out, my_aconf, print_target=True) + string_output = out.get_buffer() + except Exception: + ret = -1 + string_output = "An exception occurred while scanning %s:%d:\n%s" % (host, port, str(traceback.format_exc())) + + return ret, string_output + + +def windows_manual(out: OutputBuffer) -> int: + '''Prints the man page on Windows. Returns an exitcodes.* flag.''' + + retval = exitcodes.GOOD + + if sys.platform != 'win32': + out.fail("The '-m' and '--manual' parameters are reserved for use on Windows only.\nUsers of other operating systems should read the man page.") + retval = exitcodes.FAILURE + return retval + + # If colors are disabled, strip the ANSI color codes from the man page. + windows_man_page = WINDOWS_MAN_PAGE + if not out.use_colors: + windows_man_page = re.sub(r'\x1b\[\d+?m', '', windows_man_page) + + out.info(windows_man_page) + return retval + + +def get_permitted_syntax_for_gex_test() -> Dict[str, str]: + syntax = { + 'RANGE': r'^\d+-\d+(:\d+)?$', + 'LIST_WITHOUT_MIN_PREF_MAX': r'^\d+(,\d+)*$', + 'LIST_WITH_MIN_PREF_MAX': r'^\d+:\d+:\d+(,\d+:\d+:\d+)*$' + } + return syntax + + +def run_gex_granular_modulus_size_test(out: OutputBuffer, s: 'SSH_Socket', kex: 'SSH2_Kex', aconf: AuditConf) -> int: + '''Extracts the user specified modulus sizes and submits them for testing against the target server. Returns an exitcodes.* flag.''' + + permitted_syntax = get_permitted_syntax_for_gex_test() + + mod_dict: Dict[str, List[int]] = {} + + # Range syntax. + if re.search(permitted_syntax['RANGE'], aconf.gex_test): + extracted_digits = re.findall(r'\d+', aconf.gex_test) + bits_left_bound = int(extracted_digits[0]) + bits_right_bound = int(extracted_digits[1]) + + bits_step = 1 + if (len(extracted_digits)) == 3: + bits_step = int(extracted_digits[2]) + + # If the left value is greater than the right value, then the sequence + # operates from right to left. + if bits_left_bound <= bits_right_bound: + bits_in_range_to_test = range(bits_left_bound, bits_right_bound + 1, bits_step) + else: + bits_in_range_to_test = range(bits_left_bound, bits_right_bound - 1, -abs(bits_step)) + + out.v("A separate test will be performed against each of the following modulus sizes: " + ", ".join([str(x) for x in bits_in_range_to_test]) + ".", write_now=True) + + for i_bits in bits_in_range_to_test: + program_retval = GEXTest.granular_modulus_size_test(out, s, kex, i_bits, i_bits, i_bits, mod_dict) + if program_retval != exitcodes.GOOD: + return program_retval + + # Two variations of list syntax. + if re.search(permitted_syntax['LIST_WITHOUT_MIN_PREF_MAX'], aconf.gex_test): + bits_in_list_to_test = aconf.gex_test.split(',') + out.v("A separate test will be performed against each of the following modulus sizes: " + ", ".join([str(x) for x in bits_in_list_to_test]) + ".", write_now=True) + for s_bits in bits_in_list_to_test: + program_retval = GEXTest.granular_modulus_size_test(out, s, kex, int(s_bits), int(s_bits), int(s_bits), mod_dict) + if program_retval != exitcodes.GOOD: + return program_retval + + if re.search(permitted_syntax['LIST_WITH_MIN_PREF_MAX'], aconf.gex_test): + sets_of_min_pref_max = aconf.gex_test.split(',') + out.v("A separate test will be performed against each of the following sets of 'min:pref:max' modulus sizes: " + ', '.join(sets_of_min_pref_max), write_now=True) + for set_of_min_pref_max in sets_of_min_pref_max: + bits_in_list_to_test = set_of_min_pref_max.split(':') + program_retval = GEXTest.granular_modulus_size_test(out, s, kex, int(bits_in_list_to_test[0]), int(bits_in_list_to_test[1]), int(bits_in_list_to_test[2]), mod_dict) + if program_retval != exitcodes.GOOD: + return program_retval + + if mod_dict: + if aconf.json: + json_struct = {'dh-gex-modulus-size': mod_dict} + out.info(json.dumps(json_struct, indent=4 if aconf.json_print_indent else None, sort_keys=True)) + else: + out.head('# diffie-hellman group exchange modulus size') + max_key_len = len(max(mod_dict, key=len)) + + for key, value in mod_dict.items(): + padding = (max_key_len - len(key)) + 1 + out.info(key + " " * padding + '--> ' + ', '.join([str(i) for i in value])) + + return program_retval + + +def main() -> int: + out = OutputBuffer() + aconf = process_commandline(out, sys.argv[1:], usage) + + # If we're on Windows, but the colorama module could not be imported, print a warning if we're in verbose mode. + if (sys.platform == 'win32') and ('colorama' not in sys.modules): + out.v("WARNING: colorama module not found. Colorized output will be disabled.", write_now=True) + + # If we're outputting JSON, turn off colors and ensure 'info' level messages go through. + if aconf.json: + out.json = True + out.use_colors = False + + if aconf.manual: + # If the colorama module was not be imported, turn off colors in order + # to output a plain text version of the man page. + if (sys.platform == 'win32') and ('colorama' not in sys.modules): + out.use_colors = False + retval = windows_manual(out) + out.write() + sys.exit(retval) + + if aconf.lookup != '': + retval = algorithm_lookup(out, aconf.lookup) + out.write() + sys.exit(retval) + + # If multiple targets were specified... + if len(aconf.target_list) > 0: + ret = exitcodes.GOOD + + # If JSON output is desired, each target's results will be reported in its own list entry. + if aconf.json: + print('[', end='') + + # Loop through each target in the list. + target_servers = [] + for _, target in enumerate(aconf.target_list): + host, port = Utils.parse_host_and_port(target, default_port=22) + target_servers.append((host, port)) + + # A ranked list of return codes. Those with higher indices will take precedence over lower ones. For example, if three servers are scanned, yielding WARNING, GOOD, and UNKNOWN_ERROR, the overall result will be UNKNOWN_ERROR, since its index is the highest. Errors have highest priority, followed by failures, then warnings. + ranked_return_codes = [exitcodes.GOOD, exitcodes.WARNING, exitcodes.FAILURE, exitcodes.CONNECTION_ERROR, exitcodes.UNKNOWN_ERROR] + + # Queue all worker threads. + num_target_servers = len(target_servers) + num_processed = 0 + out.v("Scanning %u targets with %s%u threads..." % (num_target_servers, '(at most) ' if aconf.threads > num_target_servers else '', aconf.threads), write_now=True) + with concurrent.futures.ThreadPoolExecutor(max_workers=aconf.threads) as executor: + future_to_server = {executor.submit(target_worker_thread, target_server[0], target_server[1], aconf): target_server for target_server in target_servers} + for future in concurrent.futures.as_completed(future_to_server): + worker_ret, worker_output = future.result() + + # If this worker's return code is ranked higher that what we've cached so far, update our cache. + if ranked_return_codes.index(worker_ret) > ranked_return_codes.index(ret): + ret = worker_ret + + # print("Worker for %s:%d returned %d: [%s]" % (target_server[0], target_server[1], worker_ret, worker_output)) + print(worker_output, end='' if aconf.json else "\n") + + # Don't print a delimiter after the last target was handled. + num_processed += 1 + if num_processed < num_target_servers: + if aconf.json: + print(", ", end='') + else: + print(("-" * 80) + "\n") + + if aconf.json: + print(']') + + # Send notification that this thread is exiting. This deletes the thread's local copy of the algorithm databases. + SSH1_KexDB.thread_exit() + SSH2_KexDB.thread_exit() + + else: # Just a scan against a single target. + ret = audit(out, aconf) + out.write() + + return ret + + +if __name__ == '__main__': # pragma: nocover + exit_code = exitcodes.GOOD + + try: + exit_code = main() + except Exception: + exit_code = exitcodes.UNKNOWN_ERROR + print(traceback.format_exc()) + + sys.exit(exit_code) diff --git a/src/ssh_audit/ssh_socket.py b/src/ssh_audit/ssh_socket.py new file mode 100644 index 0000000..5b8169c --- /dev/null +++ b/src/ssh_audit/ssh_socket.py @@ -0,0 +1,345 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017-2021 Joe Testa (jtesta@positronsecurity.com) + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +import errno +import os +import select +import socket +import struct +import sys + +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + +from ssh_audit import exitcodes +from ssh_audit.banner import Banner +from ssh_audit.globals import SSH_HEADER +from ssh_audit.outputbuffer import OutputBuffer +from ssh_audit.protocol import Protocol +from ssh_audit.readbuf import ReadBuf +from ssh_audit.ssh1 import SSH1 +from ssh_audit.ssh2_kex import SSH2_Kex +from ssh_audit.ssh2_kexparty import SSH2_KexParty +from ssh_audit.utils import Utils +from ssh_audit.writebuf import WriteBuf + + +class SSH_Socket(ReadBuf, WriteBuf): + class InsufficientReadException(Exception): + pass + + SM_BANNER_SENT = 1 + + def __init__(self, outputbuffer: 'OutputBuffer', host: Optional[str], port: int, ip_version_preference: List[int] = [], timeout: Union[int, float] = 5, timeout_set: bool = False) -> None: # pylint: disable=dangerous-default-value + super(SSH_Socket, self).__init__() + self.__outputbuffer = outputbuffer + self.__sock: Optional[socket.socket] = None + self.__sock_map: Dict[int, socket.socket] = {} + self.__block_size = 8 + self.__state = 0 + self.__header: List[str] = [] + self.__banner: Optional[Banner] = None + if host is None: + raise ValueError('undefined host') + nport = Utils.parse_int(port) + if nport < 1 or nport > 65535: + raise ValueError('invalid port: {}'.format(port)) + self.__host = host + self.__port = nport + self.__ip_version_preference = ip_version_preference # Holds only 5 possible values: [] (no preference), [4] (use IPv4 only), [6] (use IPv6 only), [46] (use both IPv4 and IPv6, but prioritize v4), and [64] (use both IPv4 and IPv6, but prioritize v6). + self.__timeout = timeout + self.__timeout_set = timeout_set + self.client_host: Optional[str] = None + self.client_port = None + + def _resolve(self) -> Iterable[Tuple[int, Tuple[Any, ...]]]: + """Resolves a hostname into a list of IPs + Raises + ------ + socket.gaierror [Errno -2] + If the hostname cannot be resolved. + """ + # If __ip_version_preference has only one entry, then it means that ONLY that IP version should be used. + if len(self.__ip_version_preference) == 1: + family = socket.AF_INET if self.__ip_version_preference[0] == 4 else socket.AF_INET6 + else: + family = socket.AF_UNSPEC + stype = socket.SOCK_STREAM + r = socket.getaddrinfo(self.__host, self.__port, family, stype) + + # If the user has a preference for using IPv4 over IPv6 (or vice-versa), then sort the list returned by getaddrinfo() so that the preferred address type comes first. + if len(self.__ip_version_preference) == 2: + r = sorted(r, key=lambda x: x[0], reverse=(self.__ip_version_preference[0] == 6)) # pylint: disable=superfluous-parens + for af, socktype, _proto, _canonname, addr in r: + if socktype == socket.SOCK_STREAM: + yield af, addr + + # Listens on a server socket and accepts one connection (used for + # auditing client connections). + def listen_and_accept(self) -> None: + + try: + # Socket to listen on all IPv4 addresses. + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + s.bind(('0.0.0.0', self.__port)) + s.listen() + self.__sock_map[s.fileno()] = s + except Exception as e: + print("Warning: failed to listen on any IPv4 interfaces: %s" % str(e)) + + try: + # Socket to listen on all IPv6 addresses. + s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) + s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1) + s.bind(('::', self.__port)) + s.listen() + self.__sock_map[s.fileno()] = s + except Exception as e: + print("Warning: failed to listen on any IPv6 interfaces: %s" % str(e)) + + # If we failed to listen on any interfaces, terminate. + if len(self.__sock_map.keys()) == 0: + print("Error: failed to listen on any IPv4 and IPv6 interfaces!") + sys.exit(exitcodes.CONNECTION_ERROR) + + # Wait for an incoming connection. If a timeout was explicitly + # set by the user, terminate when it elapses. + fds = None + time_elapsed = 0.0 + interval = 1.0 + while True: + # Wait for a connection on either socket. + fds = select.select(self.__sock_map.keys(), [], [], interval) + time_elapsed += interval + + # We have incoming data on at least one of the sockets. + if len(fds[0]) > 0: + break + + if self.__timeout_set and time_elapsed >= self.__timeout: + print("Timeout elapsed. Terminating...") + sys.exit(exitcodes.CONNECTION_ERROR) + + # Accept the connection. + c, addr = self.__sock_map[fds[0][0]].accept() + self.client_host = addr[0] + self.client_port = addr[1] + c.settimeout(self.__timeout) + self.__sock = c + + def connect(self) -> Optional[str]: + '''Returns None on success, or an error string.''' + err = None + s = None + try: + for af, addr in self._resolve(): + s = socket.socket(af, socket.SOCK_STREAM) + s.settimeout(self.__timeout) + self.__outputbuffer.d(("Connecting to %s:%d..." % ('[%s]' % addr[0] if Utils.is_ipv6_address(addr[0]) else addr[0], addr[1])), write_now=True) + s.connect(addr) + self.__sock = s + return None + except socket.error as e: + err = e + self._close_socket(s) + if err is None: + errm = 'host {} has no DNS records'.format(self.__host) + else: + errt = (self.__host, self.__port, err) + errm = 'cannot connect to {} port {}: {}'.format(*errt) + return '[exception] {}'.format(errm) + + def get_banner(self, sshv: int = 2) -> Tuple[Optional['Banner'], List[str], Optional[str]]: + self.__outputbuffer.d('Getting banner...', write_now=True) + + if self.__sock is None: + return self.__banner, self.__header, 'not connected' + if self.__banner is not None: + return self.__banner, self.__header, None + + banner = SSH_HEADER.format('1.5' if sshv == 1 else '2.0') + if self.__state < self.SM_BANNER_SENT: + self.send_banner(banner) + + s = 0 + e = None + while s >= 0: + s, e = self.recv() + if s < 0: + continue + while self.unread_len > 0: + line = self.read_line() + if len(line.strip()) == 0: + continue + self.__banner = Banner.parse(line) + if self.__banner is not None: + return self.__banner, self.__header, None + self.__header.append(line) + + return self.__banner, self.__header, e + + def recv(self, size: int = 2048) -> Tuple[int, Optional[str]]: + if self.__sock is None: + return -1, 'not connected' + try: + data = self.__sock.recv(size) + except socket.timeout: + return -1, 'timed out' + except socket.error as e: + if e.args[0] in (errno.EAGAIN, errno.EWOULDBLOCK): + return 0, 'retry' + return -1, str(e.args[-1]) + if len(data) == 0: + return -1, None + pos = self._buf.tell() + self._buf.seek(0, 2) + self._buf.write(data) + self._len += len(data) + self._buf.seek(pos, 0) + return len(data), None + + def send(self, data: bytes) -> Tuple[int, Optional[str]]: + if self.__sock is None: + return -1, 'not connected' + try: + self.__sock.send(data) + return 0, None + except socket.error as e: + return -1, str(e.args[-1]) + + # Send a KEXINIT with the lists of key exchanges, hostkeys, ciphers, MACs, compressions, and languages that we "support". + def send_kexinit(self, key_exchanges: List[str] = ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group14-sha256'], hostkeys: List[str] = ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa', 'ecdsa-sha2-nistp256', 'ssh-ed25519'], ciphers: List[str] = ['chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'aes128-gcm@openssh.com', 'aes256-gcm@openssh.com'], macs: List[str] = ['umac-64-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'hmac-sha1-etm@openssh.com', 'umac-64@openssh.com', 'umac-128@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'], compressions: List[str] = ['none', 'zlib@openssh.com'], languages: List[str] = ['']) -> None: # pylint: disable=dangerous-default-value + '''Sends the list of supported host keys, key exchanges, ciphers, and MACs. Emulates OpenSSH v8.2.''' + + self.__outputbuffer.d('KEX initialisation...', write_now=True) + + kexparty = SSH2_KexParty(ciphers, macs, compressions, languages) + kex = SSH2_Kex(self.__outputbuffer, os.urandom(16), key_exchanges, hostkeys, kexparty, kexparty, False, 0) + + self.write_byte(Protocol.MSG_KEXINIT) + kex.write(self) + self.send_packet() + + def send_banner(self, banner: str) -> None: + self.send(banner.encode() + b'\r\n') + if self.__state < self.SM_BANNER_SENT: + self.__state = self.SM_BANNER_SENT + + def ensure_read(self, size: int) -> None: + while self.unread_len < size: + s, e = self.recv() + if s < 0: + raise SSH_Socket.InsufficientReadException(e) + + def read_packet(self, sshv: int = 2) -> Tuple[int, bytes]: + try: + header = WriteBuf() + self.ensure_read(4) + packet_length = self.read_int() + header.write_int(packet_length) + # XXX: validate length + if sshv == 1: + padding_length = 8 - packet_length % 8 + self.ensure_read(padding_length) + padding = self.read(padding_length) + header.write(padding) + payload_length = packet_length + check_size = padding_length + payload_length + else: + self.ensure_read(1) + padding_length = self.read_byte() + header.write_byte(padding_length) + payload_length = packet_length - padding_length - 1 + check_size = 4 + 1 + payload_length + padding_length + if check_size % self.__block_size != 0: + self.__outputbuffer.fail('[exception] invalid ssh packet (block size)').write() + sys.exit(exitcodes.CONNECTION_ERROR) + self.ensure_read(payload_length) + if sshv == 1: + payload = self.read(payload_length - 4) + header.write(payload) + crc = self.read_int() + header.write_int(crc) + else: + payload = self.read(payload_length) + header.write(payload) + packet_type = ord(payload[0:1]) + if sshv == 1: + rcrc = SSH1.crc32(padding + payload) + if crc != rcrc: + self.__outputbuffer.fail('[exception] packet checksum CRC32 mismatch.').write() + sys.exit(exitcodes.CONNECTION_ERROR) + else: + self.ensure_read(padding_length) + padding = self.read(padding_length) + payload = payload[1:] + return packet_type, payload + except SSH_Socket.InsufficientReadException as ex: + if ex.args[0] is None: + header.write(self.read(self.unread_len)) + e = header.write_flush().strip() + else: + e = ex.args[0].encode('utf-8') + return -1, e + + def send_packet(self) -> Tuple[int, Optional[str]]: + payload = self.write_flush() + padding = -(len(payload) + 5) % 8 + if padding < 4: + padding += 8 + plen = len(payload) + padding + 1 + pad_bytes = b'\x00' * padding + data = struct.pack('>Ib', plen, padding) + payload + pad_bytes + return self.send(data) + + def is_connected(self) -> bool: + """Returns true if this Socket is connected, False otherwise.""" + return self.__sock is not None + + def close(self) -> None: + self.__cleanup() + self.reset() + self.__state = 0 + self.__header = [] + self.__banner = None + + def _close_socket(self, s: Optional[socket.socket]) -> None: + try: + if s is not None: + s.shutdown(socket.SHUT_RDWR) + s.close() # pragma: nocover + except Exception: + pass + + def __del__(self) -> None: + self.__cleanup() + + def __cleanup(self) -> None: + self._close_socket(self.__sock) + for sock in self.__sock_map.values(): + self._close_socket(sock) + self.__sock = None diff --git a/src/ssh_audit/timeframe.py b/src/ssh_audit/timeframe.py new file mode 100644 index 0000000..cb98d9b --- /dev/null +++ b/src/ssh_audit/timeframe.py @@ -0,0 +1,77 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + +from ssh_audit.algorithm import Algorithm + + +class Timeframe: + def __init__(self) -> None: + self.__storage: Dict[str, List[Optional[str]]] = {} + + def __contains__(self, product: str) -> bool: + return product in self.__storage + + def __getitem__(self, product: str) -> Sequence[Optional[str]]: + return tuple(self.__storage.get(product, [None] * 4)) + + def __str__(self) -> str: + return self.__storage.__str__() + + def __repr__(self) -> str: + return self.__str__() + + def get_from(self, product: str, for_server: bool = True) -> Optional[str]: + return self[product][0 if bool(for_server) else 2] + + def get_till(self, product: str, for_server: bool = True) -> Optional[str]: + return self[product][1 if bool(for_server) else 3] + + def _update(self, versions: Optional[str], pos: int) -> None: + ssh_versions: Dict[str, str] = {} + for_srv, for_cli = pos < 2, pos > 1 + for v in (versions or '').split(','): + ssh_prod, ssh_ver, is_cli = Algorithm.get_ssh_version(v) + if not ssh_ver or (is_cli and for_srv) or (not is_cli and for_cli and ssh_prod in ssh_versions): + continue + ssh_versions[ssh_prod] = ssh_ver + for ssh_product, ssh_version in ssh_versions.items(): + if ssh_product not in self.__storage: + self.__storage[ssh_product] = [None] * 4 + prev = self[ssh_product][pos] + if (prev is None or (prev < ssh_version and pos % 2 == 0) or (prev > ssh_version and pos % 2 == 1)): + self.__storage[ssh_product][pos] = ssh_version + + def update(self, versions: List[Optional[str]], for_server: Optional[bool] = None) -> 'Timeframe': + for_cli = for_server is None or for_server is False + for_srv = for_server is None or for_server is True + vlen = len(versions) + for i in range(min(3, vlen)): + if for_srv and i < 2: + self._update(versions[i], i) + if for_cli and (i % 2 == 0 or vlen == 2): + self._update(versions[i], 3 - 0**i) + return self diff --git a/src/ssh_audit/utils.py b/src/ssh_audit/utils.py new file mode 100644 index 0000000..a17ecb6 --- /dev/null +++ b/src/ssh_audit/utils.py @@ -0,0 +1,165 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017-2020 Joe Testa (jtesta@positronsecurity.com) + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +import ipaddress +import re +import sys + +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + + +class Utils: + @classmethod + def _type_err(cls, v: Any, target: str) -> TypeError: + return TypeError('cannot convert {} to {}'.format(type(v), target)) + + @classmethod + def to_bytes(cls, v: Union[bytes, str], enc: str = 'utf-8') -> bytes: + if isinstance(v, bytes): + return v + elif isinstance(v, str): + return v.encode(enc) + raise cls._type_err(v, 'bytes') + + @classmethod + def to_text(cls, v: Union[str, bytes], enc: str = 'utf-8') -> str: + if isinstance(v, str): + return v + elif isinstance(v, bytes): + return v.decode(enc) + raise cls._type_err(v, 'unicode text') + + @classmethod + def _is_ascii(cls, v: str, char_filter: Callable[[int], bool] = lambda x: x <= 127) -> bool: + r = False + if isinstance(v, str): + for c in v: + i = cls.ctoi(c) + if not char_filter(i): + return r + r = True + return r + + @classmethod + def _to_ascii(cls, v: str, char_filter: Callable[[int], bool] = lambda x: x <= 127, errors: str = 'replace') -> str: + if isinstance(v, str): + r = bytearray() + for c in v: + i = cls.ctoi(c) + if char_filter(i): + r.append(i) + else: + if errors == 'ignore': + continue + r.append(63) + return cls.to_text(r.decode('ascii')) + raise cls._type_err(v, 'ascii') + + @classmethod + def is_ascii(cls, v: str) -> bool: + return cls._is_ascii(v) + + @classmethod + def to_ascii(cls, v: str, errors: str = 'replace') -> str: + return cls._to_ascii(v, errors=errors) + + @classmethod + def is_print_ascii(cls, v: str) -> bool: + return cls._is_ascii(v, lambda x: 126 >= x >= 32) + + @classmethod + def to_print_ascii(cls, v: str, errors: str = 'replace') -> str: + return cls._to_ascii(v, lambda x: 126 >= x >= 32, errors) + + @classmethod + def unique_seq(cls, seq: Sequence[Any]) -> Sequence[Any]: + seen: Set[Any] = set() + + def _seen_add(x: Any) -> bool: + seen.add(x) + return False + + if isinstance(seq, tuple): + return tuple(x for x in seq if x not in seen and not _seen_add(x)) + else: + return [x for x in seq if x not in seen and not _seen_add(x)] + + @classmethod + def ctoi(cls, c: Union[str, int]) -> int: + if isinstance(c, str): + return ord(c[0]) + else: + return c + + @staticmethod + def parse_int(v: Any) -> int: + try: + return int(v) + except ValueError: + return 0 + + @staticmethod + def parse_float(v: Any) -> float: + try: + return float(v) + except ValueError: + return -1.0 + + @staticmethod + def parse_host_and_port(host_and_port: str, default_port: int = 0) -> Tuple[str, int]: + '''Parses a string into a tuple of its host and port. The port is 0 if not specified.''' + host = host_and_port + port = default_port + + mx = re.match(r'^\[([^\]]+)\](?::(\d+))?$', host_and_port) + if mx is not None: + host = mx.group(1) + port_str = mx.group(2) + if port_str is not None: + port = int(port_str) + else: + s = host_and_port.split(':') + if len(s) == 2: + host = s[0] + if len(s[1]) > 0: + port = int(s[1]) + + return host, port + + @staticmethod + def is_ipv6_address(address: str) -> bool: + '''Returns True if address is an IPv6 address, otherwise False.''' + is_ipv6 = True + try: + ipaddress.IPv6Address(address) + except ipaddress.AddressValueError: + is_ipv6 = False + + return is_ipv6 + + @staticmethod + def is_windows() -> bool: + return sys.platform in ['win32', 'cygwin'] diff --git a/src/ssh_audit/versionvulnerabilitydb.py b/src/ssh_audit/versionvulnerabilitydb.py new file mode 100644 index 0000000..82ed51d --- /dev/null +++ b/src/ssh_audit/versionvulnerabilitydb.py @@ -0,0 +1,170 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017-2020 Joe Testa (jtesta@positronsecurity.com) + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + + +class VersionVulnerabilityDB: # pylint: disable=too-few-public-methods + # Format: [starting_vuln_version, last_vuln_version, affected, CVE_ID, CVSSv2, description] + # affected: 1 = server, 2 = client, 4 = local + # Example: if it affects servers, both remote & local, then affected + # = 1. If it affects servers, but is a local issue only, + # then affected = 1 + 4 = 5. + CVE: Dict[str, List[List[Any]]] = { + 'Dropbear SSH': [ + ['0.0', '2020.81', 2, 'CVE-2021-36369', 7.5, 'trivial authentication attack to bypass FIDO tokens and SSH-ASKPASS'], + ['0.0', '2018.76', 1, 'CVE-2018-15599', 5.0, 'remote users may enumerate users on the system'], + ['0.0', '2017.74', 5, 'CVE-2017-9079', 4.7, 'local users can read certain files as root'], + ['0.0', '2017.74', 5, 'CVE-2017-9078', 9.3, 'local users may elevate privileges to root under certain conditions'], + ['0.0', '2016.73', 5, 'CVE-2016-7409', 2.1, 'local users can read process memory under limited conditions'], + ['0.0', '2016.73', 1, 'CVE-2016-7408', 6.5, 'remote users can execute arbitrary code'], + ['0.0', '2016.73', 5, 'CVE-2016-7407', 10.0, 'local users can execute arbitrary code'], + ['0.0', '2016.73', 1, 'CVE-2016-7406', 10.0, 'remote users can execute arbitrary code'], + ['0.44', '2015.71', 1, 'CVE-2016-3116', 5.5, 'bypass command restrictions via xauth command injection'], + ['0.28', '2013.58', 1, 'CVE-2013-4434', 5.0, 'discover valid usernames through different time delays'], + ['0.28', '2013.58', 1, 'CVE-2013-4421', 5.0, 'cause DoS via a compressed packet (memory consumption)'], + ['0.52', '2011.54', 1, 'CVE-2012-0920', 7.1, 'execute arbitrary code or bypass command restrictions'], + ['0.40', '0.48.1', 1, 'CVE-2007-1099', 7.5, 'conduct a MitM attack (no warning for hostkey mismatch)'], + ['0.28', '0.47', 1, 'CVE-2006-1206', 7.5, 'cause DoS via large number of connections (slot exhaustion)'], + ['0.39', '0.47', 1, 'CVE-2006-0225', 4.6, 'execute arbitrary commands via scp with crafted filenames'], + ['0.28', '0.46', 1, 'CVE-2005-4178', 6.5, 'execute arbitrary code via buffer overflow vulnerability'], + ['0.28', '0.42', 1, 'CVE-2004-2486', 7.5, 'execute arbitrary code via DSS verification code']], + 'libssh': [ + ['0.6.4', '0.6.4', 1, 'CVE-2018-10933', 6.4, 'authentication bypass'], + ['0.7.0', '0.7.5', 1, 'CVE-2018-10933', 6.4, 'authentication bypass'], + ['0.8.0', '0.8.3', 1, 'CVE-2018-10933', 6.4, 'authentication bypass'], + ['0.1', '0.7.2', 1, 'CVE-2016-0739', 4.3, 'conduct a MitM attack (weakness in DH key generation)'], + ['0.5.1', '0.6.4', 1, 'CVE-2015-3146', 5.0, 'cause DoS via kex packets (null pointer dereference)'], + ['0.5.1', '0.6.3', 1, 'CVE-2014-8132', 5.0, 'cause DoS via kex init packet (dangling pointer)'], + ['0.4.7', '0.6.2', 1, 'CVE-2014-0017', 1.9, 'leak data via PRNG state reuse on forking servers'], + ['0.4.7', '0.5.3', 1, 'CVE-2013-0176', 4.3, 'cause DoS via kex packet (null pointer dereference)'], + ['0.4.7', '0.5.2', 1, 'CVE-2012-6063', 7.5, 'cause DoS or execute arbitrary code via sftp (double free)'], + ['0.4.7', '0.5.2', 1, 'CVE-2012-4562', 7.5, 'cause DoS or execute arbitrary code (overflow check)'], + ['0.4.7', '0.5.2', 1, 'CVE-2012-4561', 5.0, 'cause DoS via unspecified vectors (invalid pointer)'], + ['0.4.7', '0.5.2', 1, 'CVE-2012-4560', 7.5, 'cause DoS or execute arbitrary code (buffer overflow)'], + ['0.4.7', '0.5.2', 1, 'CVE-2012-4559', 6.8, 'cause DoS or execute arbitrary code (double free)']], + 'OpenSSH': [ + ['6.2', '8.7', 5, 'CVE-2021-41617', 7.0, 'privilege escalation via supplemental groups'], + ['1.0', '8.8', 2, 'CVE-2021-36368', 3.7, 'trivial authentication attack to bypass FIDO tokens and SSH-ASKPASS'], + ['8.2', '8.4', 2, 'CVE-2021-28041', 7.1, 'double free via ssh-agent'], + ['1.0', '8.3', 5, 'CVE-2020-15778', 7.8, 'command injection via anomalous argument transfers'], + ['5.7', '8.3', 2, 'CVE-2020-14145', 5.9, 'information leak via algorithm negotiation'], + ['8.2', '8.2', 2, 'CVE-2020-12062', 7.5, 'arbitrary files overwrite via scp'], + ['7.7', '8.0', 7, 'CVE-2019-16905', 7.8, 'memory corruption and local code execution via pre-authentication integer overflow'], + ['1.0', '7.9', 2, 'CVE-2019-6111', 5.9, 'arbitrary files overwrite via scp'], + ['1.0', '7.9', 2, 'CVE-2019-6110', 6.8, 'output manipulation'], + ['1.0', '7.9', 2, 'CVE-2019-6109', 6.8, 'output manipulation'], + ['1.0', '7.9', 2, 'CVE-2018-20685', 5.3, 'directory permissions modification via scp'], + ['5.9', '7.8', 1, 'CVE-2018-15919', 5.3, 'username enumeration via GS2'], + ['1.0', '7.7', 1, 'CVE-2018-15473', 5.3, 'enumerate usernames due to timing discrepancies'], + ['1.2', '6.292', 1, 'CVE-2017-15906', 5.3, 'readonly bypass via sftp'], + ['1.0', '8.7', 1, 'CVE-2016-20012', 5.3, 'enumerate usernames via challenge response'], + ['7.2', '7.2p2', 1, 'CVE-2016-6515', 7.8, 'cause DoS via long password string (crypt CPU consumption)'], + ['1.2.2', '7.2', 1, 'CVE-2016-3115', 5.5, 'bypass command restrictions via crafted X11 forwarding data'], + ['5.4', '7.1', 1, 'CVE-2016-1907', 5.0, 'cause DoS via crafted network traffic (out of bounds read)'], + ['5.4', '7.1p1', 2, 'CVE-2016-0778', 4.6, 'cause DoS via requesting many forwardings (heap based buffer overflow)'], + ['5.0', '7.1p1', 2, 'CVE-2016-0777', 4.0, 'leak data via allowing transfer of entire buffer'], + ['6.0', '7.2p2', 5, 'CVE-2015-8325', 7.2, 'privilege escalation via triggering crafted environment'], + ['6.8', '6.9', 5, 'CVE-2015-6565', 7.2, 'cause DoS via writing to a device (terminal disruption)'], + ['5.0', '6.9', 5, 'CVE-2015-6564', 6.9, 'privilege escalation via leveraging sshd uid'], + ['5.0', '6.9', 5, 'CVE-2015-6563', 1.9, 'conduct impersonation attack'], + ['6.9p1', '6.9p1', 1, 'CVE-2015-5600', 8.5, 'cause Dos or aid in conduct brute force attack (CPU consumption)'], + ['6.0', '6.6', 1, 'CVE-2015-5352', 4.3, 'bypass access restrictions via a specific connection'], + ['6.0', '6.6', 2, 'CVE-2014-2653', 5.8, 'bypass SSHFP DNS RR check via unacceptable host certificate'], + ['5.0', '6.5', 1, 'CVE-2014-2532', 5.8, 'bypass environment restrictions via specific string before wildcard'], + ['1.2', '6.4', 1, 'CVE-2014-1692', 7.5, 'cause DoS via triggering error condition (memory corruption)'], + ['6.2', '6.3', 1, 'CVE-2013-4548', 6.0, 'bypass command restrictions via crafted packet data'], + ['1.2', '5.6', 1, 'CVE-2012-0814', 3.5, 'leak data via debug messages'], + ['1.2', '5.8', 1, 'CVE-2011-5000', 3.5, 'cause DoS via large value in certain length field (memory consumption)'], + ['5.6', '5.7', 2, 'CVE-2011-0539', 5.0, 'leak data or conduct hash collision attack'], + ['1.2', '6.1', 1, 'CVE-2010-5107', 5.0, 'cause DoS via large number of connections (slot exhaustion)'], + ['1.2', '5.8', 1, 'CVE-2010-4755', 4.0, 'cause DoS via crafted glob expression (CPU and memory consumption)'], + ['1.2', '5.6', 1, 'CVE-2010-4478', 7.5, 'bypass authentication check via crafted values'], + ['4.3', '4.8', 1, 'CVE-2009-2904', 6.9, 'privilege escalation via hard links to setuid programs'], + ['4.0', '5.1', 1, 'CVE-2008-5161', 2.6, 'recover plaintext data from ciphertext'], + ['1.2', '4.6', 1, 'CVE-2008-4109', 5.0, 'cause DoS via multiple login attempts (slot exhaustion)'], + ['1.2', '4.8', 1, 'CVE-2008-1657', 6.5, 'bypass command restrictions via modifying session file'], + ['1.2.2', '4.9', 1, 'CVE-2008-1483', 6.9, 'hijack forwarded X11 connections'], + ['4.0', '4.6', 1, 'CVE-2007-4752', 7.5, 'privilege escalation via causing an X client to be trusted'], + ['4.3p2', '4.3p2', 1, 'CVE-2007-3102', 4.3, 'allow attacker to write random data to audit log'], + ['1.2', '4.6', 1, 'CVE-2007-2243', 5.0, 'discover valid usernames through different responses'], + ['4.4', '4.4', 1, 'CVE-2006-5794', 7.5, 'bypass authentication'], + ['4.1', '4.1p1', 1, 'CVE-2006-5229', 2.6, 'discover valid usernames through different time delays'], + ['1.2', '4.3p2', 1, 'CVE-2006-5052', 5.0, 'discover valid usernames through different responses'], + ['1.2', '4.3p2', 1, 'CVE-2006-5051', 9.3, 'cause DoS or execute arbitrary code (double free)'], + ['4.5', '4.5', 1, 'CVE-2006-4925', 5.0, 'cause DoS via invalid protocol sequence (crash)'], + ['1.2', '4.3p2', 1, 'CVE-2006-4924', 7.8, 'cause DoS via crafted packet (CPU consumption)'], + ['3.8.1p1', '3.8.1p1', 1, 'CVE-2006-0883', 5.0, 'cause DoS via connecting multiple times (client connection refusal)'], + ['3.0', '4.2p1', 1, 'CVE-2006-0225', 4.6, 'execute arbitrary code'], + ['2.1', '4.1p1', 1, 'CVE-2005-2798', 5.0, 'leak data about authentication credentials'], + ['3.5', '3.5p1', 1, 'CVE-2004-2760', 6.8, 'leak data through different connection states'], + ['2.3', '3.7.1p2', 1, 'CVE-2004-2069', 5.0, 'cause DoS via large number of connections (slot exhaustion)'], + ['3.0', '3.4p1', 1, 'CVE-2004-0175', 4.3, 'leak data through directoy traversal'], + ['1.2', '3.9p1', 1, 'CVE-2003-1562', 7.6, 'leak data about authentication credentials'], + ['3.1p1', '3.7.1p1', 1, 'CVE-2003-0787', 7.5, 'privilege escalation via modifying stack'], + ['3.1p1', '3.7.1p1', 1, 'CVE-2003-0786', 10.0, 'privilege escalation via bypassing authentication'], + ['1.0', '3.7.1', 1, 'CVE-2003-0695', 7.5, 'cause DoS or execute arbitrary code'], + ['1.0', '3.7', 1, 'CVE-2003-0693', 10.0, 'execute arbitrary code'], + ['3.0', '3.6.1p2', 1, 'CVE-2003-0386', 7.5, 'bypass address restrictions for connection'], + ['3.1p1', '3.6.1p1', 1, 'CVE-2003-0190', 5.0, 'discover valid usernames through different time delays'], + ['3.2.2', '3.2.2', 1, 'CVE-2002-0765', 7.5, 'bypass authentication'], + ['1.2.2', '3.3p1', 1, 'CVE-2002-0640', 10.0, 'execute arbitrary code'], + ['1.2.2', '3.3p1', 1, 'CVE-2002-0639', 10.0, 'execute arbitrary code'], + ['2.1', '3.2', 1, 'CVE-2002-0575', 7.5, 'privilege escalation'], + ['2.1', '3.0.2p1', 2, 'CVE-2002-0083', 10.0, 'privilege escalation'], + ['3.0', '3.0p1', 1, 'CVE-2001-1507', 7.5, 'bypass authentication'], + ['1.2.3', '3.0.1p1', 5, 'CVE-2001-0872', 7.2, 'privilege escalation via crafted environment variables'], + ['1.2.3', '2.1.1', 1, 'CVE-2001-0361', 4.0, 'recover plaintext from ciphertext'], + ['1.2', '2.1', 1, 'CVE-2000-0525', 10.0, 'execute arbitrary code (improper privileges)']], + 'PuTTY': [ + # info for CVE-2021-36367 - only PuTTY up to 0.71 is affected - see https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/reject-trivial-auth.html + ['0.0', '0.71', 2, 'CVE-2021-36367', 8.1, 'trivial authentication attack to bypass FIDO tokens and SSH-ASKPASS'], + ['0.0', '0.74', 2, 'CVE-2021-33500', 5.0, 'denial of service of the complete windows desktop'], + ['0.68', '0.73', 2, 'CVE-2020-14002', 4.3, 'Observable Discrepancy which allows man-in-the-middle attackers to target initial connection attempts'], + ['0.54', '0.73', 2, 'CVE-2020-XXXX', 5.0, 'out of bounds memory read'], + ['0.0', '0.72', 2, 'CVE-2019-17069', 5.0, 'potential DOS by remote SSHv1 server'], + ['0.71', '0.72', 2, 'CVE-2019-17068', 5.0, 'xterm bracketed paste mode command injection'], + ['0.52', '0.72', 2, 'CVE-2019-17067', 7.5, 'port rebinding weakness in port forward tunnel handling'], + ['0.0', '0.71', 2, 'CVE-2019-XXXX', 5.0, 'undefined vulnerability in obsolete SSHv1 protocol handling'], + ['0.0', '0.71', 6, 'CVE-2019-XXXX', 5.0, 'local privilege escalation in Pageant'], + ['0.0', '0.70', 2, 'CVE-2019-9898', 7.5, 'potential recycling of random numbers'], + ['0.0', '0.70', 2, 'CVE-2019-9897', 5.0, 'multiple denial-of-service issues from writing to the terminal'], + ['0.0', '0.70', 6, 'CVE-2019-9896', 4.6, 'local application hijacking through malicious Windows help file'], + ['0.0', '0.70', 2, 'CVE-2019-9894', 6.4, 'buffer overflow in RSA key exchange'], + ['0.0', '0.69', 6, 'CVE-2016-6167', 4.4, 'local application hijacking through untrusted DLL loading'], + ['0.0', '0.67', 2, 'CVE-2017-6542', 7.5, 'buffer overflow in UNIX client that can result in privilege escalation or denial-of-service'], + ['0.0', '0.66', 2, 'CVE-2016-2563', 7.5, 'buffer overflow in SCP command-line utility'], + ['0.0', '0.65', 2, 'CVE-2015-5309', 4.3, 'integer overflow in terminal-handling code'], + ] + } + TXT: Dict[str, List[List[Any]]] = { + 'Dropbear SSH': [ + ['0.28', '0.34', 1, 'remote root exploit', 'remote format string buffer overflow exploit (exploit-db#387)']], + 'libssh': [ + ['0.3.3', '0.3.3', 1, 'null pointer check', 'missing null pointer check in "crypt_set_algorithms_server"'], + ['0.3.3', '0.3.3', 1, 'integer overflow', 'integer overflow in "buffer_get_data"'], + ['0.3.3', '0.3.3', 3, 'heap overflow', 'heap overflow in "packet_decrypt"']] + } diff --git a/src/ssh_audit/writebuf.py b/src/ssh_audit/writebuf.py new file mode 100644 index 0000000..5f25d8c --- /dev/null +++ b/src/ssh_audit/writebuf.py @@ -0,0 +1,108 @@ +""" + The MIT License (MIT) + + Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu) + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +""" +import io +import struct + +# pylint: disable=unused-import +from typing import Dict, List, Set, Sequence, Tuple, Iterable # noqa: F401 +from typing import Callable, Optional, Union, Any # noqa: F401 + + +class WriteBuf: + def __init__(self, data: Optional[bytes] = None) -> None: + super(WriteBuf, self).__init__() + self._wbuf = io.BytesIO(data) if data is not None else io.BytesIO() + + def write(self, data: bytes) -> 'WriteBuf': + self._wbuf.write(data) + return self + + def write_byte(self, v: int) -> 'WriteBuf': + return self.write(struct.pack('B', v)) + + def write_bool(self, v: bool) -> 'WriteBuf': + return self.write_byte(1 if v else 0) + + def write_int(self, v: int) -> 'WriteBuf': + return self.write(struct.pack('>I', v)) + + def write_string(self, v: Union[bytes, str]) -> 'WriteBuf': + if not isinstance(v, bytes): + v = bytes(bytearray(v, 'utf-8')) + self.write_int(len(v)) + return self.write(v) + + def write_list(self, v: List[str]) -> 'WriteBuf': + return self.write_string(','.join(v)) + + @classmethod + def _bitlength(cls, n: int) -> int: + try: + return n.bit_length() + except AttributeError: + return len(bin(n)) - (2 if n > 0 else 3) + + @classmethod + def _create_mpint(cls, n: int, signed: bool = True, bits: Optional[int] = None) -> bytes: + if bits is None: + bits = cls._bitlength(n) + length = bits // 8 + (1 if n != 0 else 0) + ql = (length + 7) // 8 + fmt, v2 = '>{}Q'.format(ql), [0] * ql + for i in range(ql): + v2[ql - i - 1] = n & 0xffffffffffffffff + n >>= 64 + data = bytes(struct.pack(fmt, *v2)[-length:]) + if not signed: + data = data.lstrip(b'\x00') + elif data.startswith(b'\xff\x80'): + data = data[1:] + return data + + def write_mpint1(self, n: int) -> 'WriteBuf': + # NOTE: Data Type Enc @ http://www.snailbook.com/docs/protocol-1.5.txt + bits = self._bitlength(n) + data = self._create_mpint(n, False, bits) + self.write(struct.pack('>H', bits)) + return self.write(data) + + def write_mpint2(self, n: int) -> 'WriteBuf': + # NOTE: Section 5 @ https://www.ietf.org/rfc/rfc4251.txt + data = self._create_mpint(n) + return self.write_string(data) + + def write_line(self, v: Union[bytes, str]) -> 'WriteBuf': + if not isinstance(v, bytes): + v = bytes(bytearray(v, 'utf-8')) + v += b'\r\n' + return self.write(v) + + def write_flush(self) -> bytes: + payload = self._wbuf.getvalue() + self._wbuf.truncate(0) + self._wbuf.seek(0) + return payload + + def reset(self) -> None: + self._wbuf = io.BytesIO() -- cgit v1.2.3