Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
security
ssh-audit
ssh-audit.changes
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ssh-audit.changes of Package ssh-audit
------------------------------------------------------------------- Tue Oct 15 20:29:22 UTC 2024 - Martin Hauke <mardnh@gmx.de> - Update to version 3.3.0 * Added Python 3.13 support. * Added built-in policies for Ubuntu 24.04 LTS server & client, OpenSSH 9.8, and OpenSSH 9.9. * Added IPv6 support for DHEat and connection rate tests. * Added TCP port information to JSON policy scan results. * Added LANcom LCOS server recognition and Ed448 key extraction * Now reports ECDSA and DSS fingerprints when in verbose mode. * Removed CVE information based on server/client version numbers, as this was wildly inaccurate (see this thread for the full discussion, as well as the results of the community vote on this matter). * Fixed crash when running with -P and -T options simultaneously. * Fixed host key tests from only reporting a key type at most once despite multiple hosts supporting it. * Fixed invalid JSON output when a socket error occurs while performing a client audit. * When scanning multiple targets (using -T/--targets), the -p/--port option will now be used as the default port (set to 22 if -p/--port is not given). Hosts specified in the file can override this default with an explicit port number (i.e.: "host1:1234"). For example, when using -T targets.txt -p 222, all hosts in targets.txt that do not explicitly include a port number will default to 222; when using -T targets.txt (without -p), all hosts will use a default of 22. * Updated built-in server & client policies for Amazon Linux 2023, Debian 12, Rocky Linux 9, and Ubuntu 22.04 to improve host key efficiency and cipher resistance to quantum attacks. * Added 1 new cipher: grasshopper-ctr128. * Added 2 new key exchanges: mlkem768x25519-sha256, sntrup761x25519-sha512. ------------------------------------------------------------------- Tue Apr 23 06:57:55 UTC 2024 - Martin Hauke <mardnh@gmx.de> - Update to version 3.2.0 * Added implementation of the DHEat denial-of-service attack (see --dheat option; CVE-2002-20001). * Expanded filter of CBC ciphers to flag for the Terrapin vulnerability. It now includes more rarely found ciphers. * Fixed parsing of ecdsa-sha2-nistp* CA signatures on host keys. Additionally, they are now flagged as potentially back-doored, just as standard host keys are. * Gracefully handle rare exceptions (i.e.: crashes) while performing GEX tests. * Built-in policies now include a change log (use -L -v to view them). * Custom policies now support the allow_algorithm_subset_and_reordering directive to allow targets to pass with a subset and/or re-ordered list of host keys, kex, ciphers, and MACs. This allows for the creation of a baseline policy where targets can optionally implement stricter controls; * Custom policies now support the allow_larger_keys directive to allow targets to pass with larger host keys, CA keys, and Diffie-Hellman keys. This allows for the creation of a baseline policy where targets can optionally implement stricter controls * Color output is disabled if the NO_COLOR environment variable is set (see https://no-color.org/). * Added 1 new key exchange algorithm: gss-nistp384-sha384-*. * Added 1 new cipher: aes128-ocb@libassh.org. ------------------------------------------------------------------- Wed Dec 20 18:41:05 UTC 2023 - Michael Vetter <mvetter@suse.com> - Update to 3.1.0: * Added test for the Terrapin message prefix truncation vulnerability (CVE-2023-48795). * Dropped support for Python 3.7 (EOL was reached in June 2023). * Added Python 3.12 support. * In server policies, reduced expected DH modulus sizes from 4096 to 3072 to match the online hardening guides (note that 3072-bit moduli provide the equivalent of 128-bit symmetric security). * In Ubuntu 22.04 client policy, moved host key types sk-ssh-ed25519@openssh.com and ssh-ed25519 to the end of all certificate types. * Updated Ubuntu Server & Client policies for 20.04 and 22.04 to account for key exchange list changes due to Terrapin vulnerability patches. * Re-organized option host key types for OpenSSH 9.2 server policy to correspond with updated Debian 12 hardening guide. * Added built-in policies for OpenSSH 9.5 and 9.6. * Added an additional_notes field to the JSON output. ------------------------------------------------------------------- Sat Sep 9 16:52:36 UTC 2023 - Martin Hauke <mardnh@gmx.de> - Update to version 3.0.0 * Results from concurrent scans against multiple hosts are no longer improperly combined. * Hostname resolution failure no longer causes scans against multiple hosts to terminate unexpectedly. * Algorithm recommendations resulting from warnings are now printed in yellow instead of red. * Added failure, warning, and info notes to JSON output (note that this results in a breaking change to the banner protocol, "enc", and "mac" fields). * Fixed crash during GEX tests. * Refined GEX testing against OpenSSH servers: when the fallback mechanism is suspected of being triggered, perform an additional test to obtain more accurate results. * The color of all notes will be printed in green when the related algorithm is rated good. * Prioritized host key certificate algorithms for Ubuntu 22.04 LTS client policy. * Marked all NIST K-, B-, and T-curves as unproven since they are so rarely used. * Added built-in policy for OpenSSH 9.4. * Added 12 new host keys * Added 15 new key exchanges. * Added 8 new ciphers. * Added 14 new MACs. ------------------------------------------------------------------- Mon May 1 11:39:44 UTC 2023 - Martin Hauke <mardnh@gmx.de> - Update to version 2.9.0 * Dropped support for Python 3.6 * Updated CVE database. * Added -g and --gex-test for granular GEX modulus size tests. * JSON 'target' field now always includes port number. * JSON output now includes recommendations and CVE data. * Mixed host key/CA key types (i.e.: RSA host keys signed with ED25519 CAs, etc.) are now properly handled. * Warnings are now printed for 2048-bit moduli. * SHA-1 algorithms now cause failures. * CBC mode ciphers are now warnings instead of failures. * Generic failure/warning messages replaced with more specific reasons (i.e.:'using weak cipher' => 'using broken RC4 cipher') * Updated built-in policies to include missing host key size information. * Added built-in policies for OpenSSH 8.8, 8.9, 9.0, 9.1, 9.2, and 9.3. * Added 33 new host keys. * Added 46 new key exchanges. * Added 28 new ciphers. * Added 5 new MACs. ------------------------------------------------------------------- Mon Aug 30 10:11:06 UTC 2021 - Martin Hauke <mardnh@gmx.de> - Require correct python version ------------------------------------------------------------------- Thu Aug 26 20:12:17 UTC 2021 - Martin Hauke <mardnh@gmx.de> - Update to version 2.5.0 * Fixed crash when running host key tests. * Handles server connection failures more gracefully. * Now prints JSON with indents when -jj is used (useful for debugging). * Added MD5 fingerprints to verbose output. * Added -d/--debug option for getting debugging output. * Updated JSON output to include MD5 fingerprints. Note that this results in a breaking change in the 'fingerprints' dictionary format. * Updated OpenSSH 8.1 (and earlier) policies to include rsa-sha2-512 and rsa-sha2-256. * Added OpenSSH v8.6 & v8.7 policies. * Added 3 new key exchanges: + gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q== + gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q== + gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q== * Added 3 new MACs: + hmac-ripemd160-96 + AEAD_AES_128_GCM + AEAD_AES_256_GCM ------------------------------------------------------------------- Mon Mar 1 08:59:13 UTC 2021 - Martin Hauke <mardnh@gmx.de> - Update to version 2.4.0 * Added multi-threaded scanning support. * Added version check for OpenSSH user enumeration (CVE-2018-15473). * Added deprecation note to host key types based on SHA-1. * Added extra warnings for SSHv1. * Added built-in hardened OpenSSH v8.5 policy. * Upgraded warnings to failures for host key types based on SHA-1 * Fixed crash when receiving unexpected response during host key test. * Fixed hang against older Cisco devices during host key test & gex test. * Fixed improper termination while scanning multiple targets when one target returns an error. * Dropped support for Python 3.5 (which reached EOL in Sept.2020) * Added 1 new key exchange: sntrup761x25519-sha512@openssh.com. ------------------------------------------------------------------- Fri Oct 30 19:27:23 UTC 2020 - Martin Hauke <mardnh@gmx.de> - Update to version 2.3.1 * Now parses public key sizes for rsa-sha2-256-cert-v01@openssh.com and rsa-sha2-512-cert-v01@openssh.com host key types. * Flag ssh-rsa-cert-v01@openssh.com as a failure due to SHA-1 hash. * Fixed bug in recommendation output which suppressed some algorithms inappropriately. * Built-in policies now include CA key requirements (if certificates are in use). * Lookup function (--lookup) now performs case-insensitive lookups of similar algorithms. * Migrated pre-made policies from external files to internal database. * Split single 3,500 line script into many files (by class). * Added setup.py support * Added 1 new cipher: des-cbc@ssh.com. - Install manpage - Use py-* rpm macros ------------------------------------------------------------------- Mon Sep 28 08:44:00 UTC 2020 - Martin Hauke <mardnh@gmx.de> - Update to version 2.3.0 The highlight of this release is support for policy scanning (this allows an admin to test a server against a hardened/standard configuration). * Added new policy auditing functionality to test adherence to a hardening guide/standard configuration (see -L/--list-policies, -M/--make-policy and -P/--policy). * Created new man page (see ssh-audit.1 file). * 1024-bit moduli upgraded from warnings to failures. * Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments. * Added feature to look up algorithms in internal database (see --lookup) * Suppress recommendation of token host key types. * Added check for use-after-free vulnerability in PuTTY v0.73. * Added 11 new host key types: ssh-rsa1, ssh-dss-sha256@ssh.com, ssh-gost2001, ssh-gost2012-256, ssh-gost2012-512, spki-sign-rsa, ssh-ed448, x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp521, x509v3-rsa2048-sha256. * Added 8 new key exchanges: diffie-hellman-group1-sha256, kexAlgoCurve25519SHA256, Curve25519SHA256, gss-group14-sha256-, gss-group15-sha512-, gss-group16-sha512-, gss-nistp256-sha256-, gss-curve25519-sha256-. * Added 5 new ciphers: blowfish, AEAD_AES_128_GCM, AEAD_AES_256_GCM, crypticore128@ssh.com, seed-cbc@ssh.com. * Added 3 new MACs: chacha20-poly1305@openssh.com, hmac-sha3-224, crypticore-mac@ssh.com. - Update ssh-audit.keyring ------------------------------------------------------------------- Wed Mar 11 18:35:53 UTC 2020 - Martin Hauke <mardnh@gmx.de> - Update to version 2.2.0 * Marked host key type ssh-rsa as weak due to practical SHA-1 collisions. * Added 10 new host key types: ecdsa-sha2-1.3.132.0.10, x509v3-sign-dss, x509v3-sign-rsa, x509v3-sign-rsa-sha256@ssh.com, x509v3-ssh-dss, x509v3-ssh-rsa, sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, and sk-ssh-ed25519@openssh.com. * Added 18 new key exchanges: diffie-hellman-group14-sha256@ssh.com, diffie-hellman-group15-sha256@ssh.com, diffie-hellman-group15-sha384@ssh.com, diffie-hellman-group16-sha384@ssh.com, diffie-hellman-group16-sha512@ssh.com, diffie-hellman-group18-sha512@ssh.com, ecdh-sha2-curve25519, ecdh-sha2-nistb233, ecdh-sha2-nistb409, ecdh-sha2-nistk163, ecdh-sha2-nistk233, ecdh-sha2-nistk283, ecdh-sha2-nistk409, ecdh-sha2-nistp192, ecdh-sha2-nistp224, ecdh-sha2-nistt571, gss-gex-sha1-, and gss-group1-sha1-. * Added 9 new ciphers: camellia128-cbc, camellia128-ctr, camellia192-cbc, camellia192-ctr, camellia256-cbc, camellia256-ctr, aes128-gcm, aes256-gcm, and chacha20-poly1305. * Added 2 new MACs: aes128-gcm and aes256-gcm. ------------------------------------------------------------------- Tue Feb 4 12:35:48 UTC 2020 - Martin Hauke <mardnh@gmx.de> - Rename keyring to %name.keyring ------------------------------------------------------------------- Mon Feb 3 19:49:46 UTC 2020 - Martin Hauke <mardnh@gmx.de> * Remove _service file; use download URL for all files * Run spec-cleaner * Don't package ssh-audit with the .py extension * Run testsuite ------------------------------------------------------------------- Sun Dec 29 21:24:33 UTC 2019 - Lars Vogdt <lars@linux-schulserver.de> - update to 2.1.1: This maintenance release focuses on improving support for client testing. The full changelog is: + Added 2 new host key types: rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com. + Added 2 new ciphers: des, 3des. + Added 3 new PuTTY vulnerabilities. + During client testing, client IP address is now listed in output. - added _service file - add signatures for source verification ------------------------------------------------------------------- Fri Nov 15 13:41:10 UTC 2019 - Lars Vogdt <lars@linux-schulserver.de> - update to 2.1.0: The highlights of this release include client-testing functionality to audit the protocols accepted by client software, a JSON output format, support for new algorithms, and bugfixes. Below is the full changelog: + Added client software auditing functionality (see -c / --client-audit option). + Added JSON output option (see -j / --json option; credit Andreas Jaggi). + Fixed crash while scanning Solaris Sun_SSH. ------------------------------------------------------------------- Wed Sep 25 07:49:28 UTC 2019 - lars@linux-schulserver.de - 2.0.0 - initial version 2.0.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor