SSH-audit
What is SSH-audit?
ssh-audit is a tool for ssh server & client configuration auditing.
To learn more about the ssh-audit scanner itself visit ssh-audit GitHub.
Deployment
The ssh-audit chart can be deployed via helm:
# Install HelmChart (use -n to configure another namespace)
helm upgrade --install ssh-audit oci://ghcr.io/securecodebox/helm/ssh-audit
Scanner Configuration
The following security scan configuration example are based on the ssh-audit Documentation, please take a look at the original documentation for more configuration examples.
usage: ssh-audit.py [options] <host>
-h, --help print this help
-1, --ssh1 force ssh version 1 only
-2, --ssh2 force ssh version 2 only
-4, --ipv4 enable IPv4 (order of precedence)
-6, --ipv6 enable IPv6 (order of precedence)
-b, --batch batch output
-c, --client-audit starts a server on port 2222 to audit client
software config (use -p to change port;
use -t to change timeout)
-d, --debug Enable debug output.
-g, --gex-test=<x[,y,...]> dh gex modulus size test
<min1:pref1:max1[,min2:pref2:max2,...]>
<x-y[:step]>
-j, --json JSON output (use -jj to enable indents)
-l, --level=<level> minimum output level (info|warn|fail)
-L, --list-policies list all the official, built-in policies
--lookup=<alg1,alg2,...> looks up an algorithm(s) without
connecting to a server
-m, --manual print the man page (Windows only)
-M, --make-policy=<policy.txt> creates a policy based on the target server
(i.e.: the target server has the ideal
configuration that other servers should
adhere to)
-n, --no-colors disable colors
-p, --port=<port> port to connect
-P, --policy=<"policy name" | policy.txt> run a policy test using the
specified policy
-t, --timeout=<secs> timeout (in seconds) for connection and reading
(default: 5)
-T, --targets=<hosts.txt> a file containing a list of target hosts (one
per line, format HOST[:PORT])
--threads=<threads> number of threads to use when scanning multiple
targets (-T/--targets) (default: 32)
-v, --verbose verbose output
Requirements
Kubernetes: >=v1.11.0-0
Values
Key | Type | Default | Description |
---|---|---|---|
cascadingRules.enabled | bool | false | Enables or disables the installation of the default cascading rules for this scanner |
parser.affinity | object | {} | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
parser.env | list | [] | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
parser.image.pullPolicy | string | "IfNotPresent" | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
parser.image.repository | string | "docker.io/securecodebox/parser-ssh-audit" | |
parser.image.tag | string | defaults to the charts version | Parser image tag |
parser.nodeSelector | object | {} | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) |
parser.resources | object | { requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } } | Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
parser.scopeLimiterAliases | object | {} | Optional finding aliases to be used in the scopeLimiter. |
parser.tolerations | list | [] | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
parser.ttlSecondsAfterFinished | string | nil | seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
scanner.activeDeadlineSeconds | string | nil | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) |
scanner.affinity | object | {} | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
scanner.env | list | [] | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
scanner.extraContainers | list | [] | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
scanner.extraVolumeMounts | list | [] | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
scanner.extraVolumes | list | [] | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
scanner.image.repository | string | "docker.io/securecodebox/scanner-ssh-audit" | |
scanner.image.tag | string | nil | |
scanner.nameAppend | string | nil | append a string to the default scantype name. |
scanner.nodeSelector | object | {} | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) |
scanner.podSecurityContext | object | {} | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
scanner.resources | object | {} | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
scanner.securityContext | object | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false} | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
scanner.securityContext.allowPrivilegeEscalation | bool | false | Ensure that users privileges cannot be escalated |
scanner.securityContext.capabilities.drop[0] | string | "all" | This drops all linux privileges from the container. |
scanner.securityContext.privileged | bool | false | Ensures that the scanner container is not run in privileged mode |
scanner.securityContext.readOnlyRootFilesystem | bool | false | Prevents write access to the containers file system |
scanner.securityContext.runAsNonRoot | bool | false | Enforces that the scanner image is run as a non root user |
scanner.suspend | bool | false | if set to true the scan job will be suspended after creation. You can then resume the job using kubectl resume <jobname> or using a job scheduler like kueue |
scanner.tolerations | list | [] | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
scanner.ttlSecondsAfterFinished | string | nil | seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
License
Code of secureCodeBox is licensed under the Apache License 2.0.
CPU architectures
The scanner is currently supported for these CPU architectures:
- linux/amd64
Examples
dummy-ssh
- Scan
- Findings
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: "ssh-ssh-demo-cluster-internal"
spec:
scanType: "ssh-audit"
parameters:
- "dummy-ssh.demo-targets.svc"
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
[
{
"name": "SSH Service",
"description": "Information about Used SSH Algorithms",
"category": "SSH Service",
"osi_layer": "APPLICATION",
"severity": "INFORMATIONAL",
"location": "ssh://dummy-ssh.demo-targets.svc",
"port": "22",
"attributes":
{
"hostname": "dummy-ssh.demo-targets.svc",
"ip_address": null,
"server_banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
"ssh_version": "2.0",
"ssh_lib_cpe": "OpenSSH_7.2p2",
"key_algorithms":
[
{
"algorithm": "ssh-rsa",
"keysize": 2048,
"notes":
{
"fail": ["using broken SHA-1 hash algorithm"],
"info":
[
"deprecated in OpenSSH 8.8: https://www.openssh.com/txt/release-8.8",
"available since OpenSSH 2.5.0, Dropbear SSH 0.28",
],
"warn":
[
"2048-bit modulus only provides 112-bits of symmetric strength",
],
},
},
{
"algorithm": "rsa-sha2-512",
"keysize": 2048,
"notes":
{
"info": ["available since OpenSSH 7.2"],
"warn":
[
"2048-bit modulus only provides 112-bits of symmetric strength",
],
},
},
{
"algorithm": "rsa-sha2-256",
"keysize": 2048,
"notes":
{
"info": ["available since OpenSSH 7.2, Dropbear SSH 2020.79"],
"warn":
[
"2048-bit modulus only provides 112-bits of symmetric strength",
],
},
},
{
"algorithm": "ecdsa-sha2-nistp256",
"notes":
{
"fail":
[
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency",
],
"info": ["available since OpenSSH 5.7, Dropbear SSH 2013.62"],
"warn":
["using weak random number generator could reveal the key"],
},
},
{
"algorithm": "ssh-ed25519",
"notes":
{"info": ["available since OpenSSH 6.5, Dropbear SSH 2020.79"]},
},
],
"encryption_algorithms":
[
{
"algorithm": "chacha20-poly1305@openssh.com",
"notes":
{
"info":
[
"default cipher since OpenSSH 6.9",
"available since OpenSSH 6.5, Dropbear SSH 2020.79",
],
"warn":
[
"vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation",
],
},
},
{
"algorithm": "aes128-ctr",
"notes":
{"info": ["available since OpenSSH 3.7, Dropbear SSH 0.52"]},
},
{
"algorithm": "aes192-ctr",
"notes": {"info": ["available since OpenSSH 3.7"]},
},
{
"algorithm": "aes256-ctr",
"notes":
{"info": ["available since OpenSSH 3.7, Dropbear SSH 0.52"]},
},
{
"algorithm": "aes128-gcm@openssh.com",
"notes": {"info": ["available since OpenSSH 6.2"]},
},
{
"algorithm": "aes256-gcm@openssh.com",
"notes": {"info": ["available since OpenSSH 6.2"]},
},
],
"mac_algorithms":
[
{
"algorithm": "umac-64-etm@openssh.com",
"notes":
{
"info": ["available since OpenSSH 6.2"],
"warn": ["using small 64-bit tag size"],
},
},
{
"algorithm": "umac-128-etm@openssh.com",
"notes": {"info": ["available since OpenSSH 6.2"]},
},
{
"algorithm": "hmac-sha2-256-etm@openssh.com",
"notes": {"info": ["available since OpenSSH 6.2"]},
},
{
"algorithm": "hmac-sha2-512-etm@openssh.com",
"notes": {"info": ["available since OpenSSH 6.2"]},
},
{
"algorithm": "hmac-sha1-etm@openssh.com",
"notes":
{
"fail": ["using broken SHA-1 hash algorithm"],
"info": ["available since OpenSSH 6.2"],
},
},
{
"algorithm": "umac-64@openssh.com",
"notes":
{
"info": ["available since OpenSSH 4.7"],
"warn":
[
"using encrypt-and-MAC mode",
"using small 64-bit tag size",
],
},
},
{
"algorithm": "umac-128@openssh.com",
"notes":
{
"info": ["available since OpenSSH 6.2"],
"warn": ["using encrypt-and-MAC mode"],
},
},
{
"algorithm": "hmac-sha2-256",
"notes":
{
"info": ["available since OpenSSH 5.9, Dropbear SSH 2013.56"],
"warn": ["using encrypt-and-MAC mode"],
},
},
{
"algorithm": "hmac-sha2-512",
"notes":
{
"info": ["available since OpenSSH 5.9, Dropbear SSH 2013.56"],
"warn": ["using encrypt-and-MAC mode"],
},
},
{
"algorithm": "hmac-sha1",
"notes":
{
"fail": ["using broken SHA-1 hash algorithm"],
"info": ["available since OpenSSH 2.1.0, Dropbear SSH 0.28"],
"warn": ["using encrypt-and-MAC mode"],
},
},
],
"compression_algorithms": ["none", "zlib@openssh.com"],
"key_exchange_algorithms":
[
{
"algorithm": "curve25519-sha256@libssh.org",
"notes":
{
"info":
[
"default key exchange from OpenSSH 6.5 to 7.3",
"available since OpenSSH 6.4, Dropbear SSH 2013.62",
],
},
},
{
"algorithm": "ecdh-sha2-nistp256",
"notes":
{
"fail":
[
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency",
],
"info": ["available since OpenSSH 5.7, Dropbear SSH 2013.62"],
},
},
{
"algorithm": "ecdh-sha2-nistp384",
"notes":
{
"fail":
[
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency",
],
"info": ["available since OpenSSH 5.7, Dropbear SSH 2013.62"],
},
},
{
"algorithm": "ecdh-sha2-nistp521",
"notes":
{
"fail":
[
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency",
],
"info": ["available since OpenSSH 5.7, Dropbear SSH 2013.62"],
},
},
{
"algorithm": "diffie-hellman-group-exchange-sha256",
"keysize": 3072,
"notes":
{
"info":
[
"OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
"available since OpenSSH 4.4",
],
},
},
{
"algorithm": "diffie-hellman-group14-sha1",
"notes":
{
"fail": ["using broken SHA-1 hash algorithm"],
"info": ["available since OpenSSH 3.9, Dropbear SSH 0.53"],
"warn":
[
"2048-bit modulus only provides 112-bits of symmetric strength",
],
},
},
],
"fingerprints":
[
{
"hash": "pa+Jwax5syiezfL29o6j6uaWBoJeK/LZJ8OXUwPrE5A",
"hash_alg": "SHA256",
"hostkey": "ecdsa-sha2-nistp256",
},
{
"hash": "f5:fb:82:83:cd:0e:1f:af:2a:45:17:0b:b7:3c:9f:ee",
"hash_alg": "MD5",
"hostkey": "ecdsa-sha2-nistp256",
},
{
"hash": "eLwgzyjvrpwDbDr+pDbIfUhlNANB4DPH9/0w1vGa87E",
"hash_alg": "SHA256",
"hostkey": "ssh-ed25519",
},
{
"hash": "c8:65:6b:d1:59:03:56:21:d9:0f:84:83:ce:ac:40:86",
"hash_alg": "MD5",
"hostkey": "ssh-ed25519",
},
{
"hash": "MbRX/CgQyN6/p8/ZjORurfaJqDhu4VEIWfXo0BnxaCE",
"hash_alg": "SHA256",
"hostkey": "ssh-rsa",
},
{
"hash": "a5:6f:62:26:81:03:b7:5e:06:48:10:04:79:4b:ac:32",
"hash_alg": "MD5",
"hostkey": "ssh-rsa",
},
],
},
"id": "d0005b42-7481-4dae-91b2-5d3293d78b3f",
"parsed_at": "2024-12-06T08:42:46.521Z",
},
{
"name": "Insecure SSH KEX Algorithms",
"description": "Discouraged SSH key exchange algorithms in use",
"mitigation": "Remove these KEX algorithms",
"severity": "HIGH",
"category": "SSH Policy Violation",
"location": "ssh://dummy-ssh.demo-targets.svc",
"attributes":
{
"algorithms":
[
"diffie-hellman-group14-sha1",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
],
},
"id": "1d136f73-222a-49a5-9d24-73eff949e7fc",
"parsed_at": "2024-12-06T08:42:46.522Z",
},
{
"name": "Insecure SSH Key Algorithms",
"description": "Discouraged SSH key algorithms in use",
"mitigation": "Remove these key algorithms",
"severity": "HIGH",
"category": "SSH Policy Violation",
"location": "ssh://dummy-ssh.demo-targets.svc",
"attributes": {"algorithms": ["ecdsa-sha2-nistp256", "ssh-rsa"]},
"id": "20b8e8c7-01f5-46ac-ae78-ca7b04d61100",
"parsed_at": "2024-12-06T08:42:46.522Z",
},
{
"name": "Insecure SSH MAC Algorithms",
"description": "Discouraged SSH message authentication code algorithms in use",
"mitigation": "Remove these MAC algorithms",
"severity": "HIGH",
"category": "SSH Policy Violation",
"location": "ssh://dummy-ssh.demo-targets.svc",
"attributes": {"algorithms": ["hmac-sha1", "hmac-sha1-etm@openssh.com"]},
"id": "1af1e73f-6244-4192-9c9b-8fe62796306e",
"parsed_at": "2024-12-06T08:42:46.522Z",
},
{
"name": "SSH Key Algorithms must be changed",
"description": "Weak SSH key algorithms in use",
"mitigation": "Change these key algorithms",
"severity": "MEDIUM",
"category": "SSH Policy Violation",
"location": "ssh://dummy-ssh.demo-targets.svc",
"attributes":
{
"algorithms":
[
"rsa-sha2-256 (Note: increase modulus size to 3072 bits or larger)",
"rsa-sha2-512 (Note: increase modulus size to 3072 bits or larger)",
],
},
"id": "87516897-4ac4-4e9e-b74b-58835faf47c2",
"parsed_at": "2024-12-06T08:42:46.522Z",
},
{
"name": "Insecure SSH Encryption Algorithms",
"description": "Discouraged SSH Encryption algorithms are in use",
"mitigation": "Remove these encryption algorithms",
"severity": "MEDIUM",
"category": "SSH Policy Violation",
"location": "ssh://dummy-ssh.demo-targets.svc",
"attributes": {"algorithms": ["chacha20-poly1305@openssh.com"]},
"id": "74b1328b-6e8d-49ad-a1ea-40319890ed13",
"parsed_at": "2024-12-06T08:42:46.522Z",
},
{
"name": "Insecure SSH MAC Algorithms",
"description": "Discouraged SSH message authentication code algorithms in use",
"mitigation": "Remove these MAC algorithms",
"severity": "MEDIUM",
"category": "SSH Policy Violation",
"location": "ssh://dummy-ssh.demo-targets.svc",
"attributes":
{
"algorithms":
[
"hmac-sha2-256",
"hmac-sha2-512",
"umac-128@openssh.com",
"umac-64-etm@openssh.com",
"umac-64@openssh.com",
],
},
"id": "965e1a1f-9bf5-4066-9774-fbb4bde786c7",
"parsed_at": "2024-12-06T08:42:46.522Z",
},
]
port-example
- Scan
- Findings
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: "ssh-audit-port-example"
spec:
scanType: "ssh-audit"
parameters:
- "127.0.0.1"
- "-p"
- "29683"
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
[
{
"name": "SSH Service",
"description": "Information about Used SSH Algorithms",
"category": "SSH Service",
"osi_layer": "APPLICATION",
"severity": "INFORMATIONAL",
"location": "ssh://127.0.0.1",
"port": "29683",
"attributes":
{
"hostname": "127.0.0.1",
"ip_address": null,
"server_banner": "SSH-2.0-OpenSSH_8.9p1",
"ssh_version": "2.0",
"ssh_lib_cpe": "OpenSSH_8.9p1",
"key_algorithms":
[
{
"algorithm": "rsa-sha2-512",
"keysize": 3072,
"notes": {"info": ["available since OpenSSH 7.2"]},
},
{
"algorithm": "rsa-sha2-256",
"keysize": 3072,
"notes":
{"info": ["available since OpenSSH 7.2, Dropbear SSH 2020.79"]},
},
{
"algorithm": "ecdsa-sha2-nistp256",
"notes":
{
"fail":
[
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency",
],
"info": ["available since OpenSSH 5.7, Dropbear SSH 2013.62"],
"warn":
["using weak random number generator could reveal the key"],
},
},
{
"algorithm": "ssh-ed25519",
"notes":
{"info": ["available since OpenSSH 6.5, Dropbear SSH 2020.79"]},
},
],
"encryption_algorithms":
[
{
"algorithm": "chacha20-poly1305@openssh.com",
"notes":
{
"info":
[
"default cipher since OpenSSH 6.9",
"available since OpenSSH 6.5, Dropbear SSH 2020.79",
],
},
},
{
"algorithm": "aes256-gcm@openssh.com",
"notes": {"info": ["available since OpenSSH 6.2"]},
},
{
"algorithm": "aes128-gcm@openssh.com",
"notes": {"info": ["available since OpenSSH 6.2"]},
},
{
"algorithm": "aes256-ctr",
"notes":
{"info": ["available since OpenSSH 3.7, Dropbear SSH 0.52"]},
},
{
"algorithm": "aes192-ctr",
"notes": {"info": ["available since OpenSSH 3.7"]},
},
{
"algorithm": "aes128-ctr",
"notes":
{"info": ["available since OpenSSH 3.7, Dropbear SSH 0.52"]},
},
],
"mac_algorithms":
[
{
"algorithm": "hmac-sha2-512-etm@openssh.com",
"notes": {"info": ["available since OpenSSH 6.2"]},
},
{
"algorithm": "hmac-sha2-256-etm@openssh.com",
"notes": {"info": ["available since OpenSSH 6.2"]},
},
{
"algorithm": "umac-128-etm@openssh.com",
"notes": {"info": ["available since OpenSSH 6.2"]},
},
{
"algorithm": "umac-128@openssh.com",
"notes":
{
"info": ["available since OpenSSH 6.2"],
"warn": ["using encrypt-and-MAC mode"],
},
},
{
"algorithm": "hmac-sha2-512",
"notes":
{
"info": ["available since OpenSSH 5.9, Dropbear SSH 2013.56"],
"warn": ["using encrypt-and-MAC mode"],
},
},
{
"algorithm": "hmac-sha2-256",
"notes":
{
"info": ["available since OpenSSH 5.9, Dropbear SSH 2013.56"],
"warn": ["using encrypt-and-MAC mode"],
},
},
],
"compression_algorithms": ["none"],
"key_exchange_algorithms":
[
{
"algorithm": "curve25519-sha256@libssh.org",
"notes":
{
"info":
[
"default key exchange from OpenSSH 6.5 to 7.3",
"available since OpenSSH 6.4, Dropbear SSH 2013.62",
],
},
},
{
"algorithm": "diffie-hellman-group-exchange-sha256",
"keysize": 3072,
"notes":
{
"info":
[
"OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).",
"available since OpenSSH 4.4",
],
},
},
{
"algorithm": "ecdh-sha2-nistp521",
"notes":
{
"fail":
[
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency",
],
"info": ["available since OpenSSH 5.7, Dropbear SSH 2013.62"],
},
},
{
"algorithm": "ecdh-sha2-nistp384",
"notes":
{
"fail":
[
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency",
],
"info": ["available since OpenSSH 5.7, Dropbear SSH 2013.62"],
},
},
{
"algorithm": "ecdh-sha2-nistp256",
"notes":
{
"fail":
[
"using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency",
],
"info": ["available since OpenSSH 5.7, Dropbear SSH 2013.62"],
},
},
{
"algorithm": "kex-strict-s-v00@openssh.com",
"notes":
{
"info":
[
"pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795)",
],
},
},
],
"fingerprints":
[
{
"hash": "WrPtjtUCUKDiCnCXydph/tHIISUeJiLMLwdBLpfI2KU",
"hash_alg": "SHA256",
"hostkey": "ecdsa-sha2-nistp256",
},
{
"hash": "ed:ea:4c:10:1a:37:41:5f:dd:84:29:4b:ba:ab:8a:27",
"hash_alg": "MD5",
"hostkey": "ecdsa-sha2-nistp256",
},
{
"hash": "zDyiQDFSdBbKGL0vFgMWa0cdEI1R4QGtkEMHY/BlqT0",
"hash_alg": "SHA256",
"hostkey": "ssh-ed25519",
},
{
"hash": "c8:2c:ee:3b:bc:ae:0e:8b:0d:6f:f2:b6:77:25:69:aa",
"hash_alg": "MD5",
"hostkey": "ssh-ed25519",
},
{
"hash": "khLYpAPy+wFXAh+p6PBgNrmO4Qjs0KIDBuyb83m/1j4",
"hash_alg": "SHA256",
"hostkey": "ssh-rsa",
},
{
"hash": "62:b4:fe:be:11:54:61:6b:c3:b8:e4:98:f3:41:84:73",
"hash_alg": "MD5",
"hostkey": "ssh-rsa",
},
],
},
"id": "b67fbf0f-a155-4a61-8d93-07dec82791cb",
"parsed_at": "2024-12-06T13:40:41.412Z",
},
{
"name": "Insecure SSH KEX Algorithms",
"description": "Discouraged SSH key exchange algorithms in use",
"mitigation": "Remove these KEX algorithms",
"severity": "HIGH",
"category": "SSH Policy Violation",
"location": "ssh://127.0.0.1",
"attributes":
{
"algorithms":
["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"],
},
"id": "13a450b2-7f35-46d6-a5ec-d5783d7127b8",
"parsed_at": "2024-12-06T13:40:41.428Z",
},
{
"name": "Insecure SSH Key Algorithms",
"description": "Discouraged SSH key algorithms in use",
"mitigation": "Remove these key algorithms",
"severity": "HIGH",
"category": "SSH Policy Violation",
"location": "ssh://127.0.0.1",
"attributes": {"algorithms": ["ecdsa-sha2-nistp256"]},
"id": "7b956353-6d69-4480-bde1-41c237e2e88a",
"parsed_at": "2024-12-06T13:40:41.428Z",
},
{
"name": "SSH KEX Algorithms must be added",
"description": "SSH key exchange algorithms missing",
"mitigation": "Add these KEX algorithms",
"severity": "LOW",
"category": "SSH Policy Violation",
"location": "ssh://127.0.0.1",
"attributes":
{
"algorithms":
[
"curve25519-sha256",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"sntrup761x25519-sha512@openssh.com",
],
},
"id": "ace0c10c-19bd-4956-a01a-91bc4a81c36c",
"parsed_at": "2024-12-06T13:40:41.428Z",
},
{
"name": "Insecure SSH MAC Algorithms",
"description": "Discouraged SSH message authentication code algorithms in use",
"mitigation": "Remove these MAC algorithms",
"severity": "MEDIUM",
"category": "SSH Policy Violation",
"location": "ssh://127.0.0.1",
"attributes":
{
"algorithms":
["hmac-sha2-256", "hmac-sha2-512", "umac-128@openssh.com"],
},
"id": "13c38794-58d3-4de6-b823-82407e21aa87",
"parsed_at": "2024-12-06T13:40:41.428Z",
},
]