ssh-audit's Introduction

ssh-audit

ssh-audit is a tool for SSH server auditing.

Features

  • SSH1 and SSH2 protocol server support;
  • grab banner, recognize device or software and operating system, detect compression;
  • gather key-exchange, host-key, encryption and message authentication code algorithms;
  • output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
  • output algorithm recommendations (append or remove based on recognized software version);
  • output security information (related issues, assigned CVE list, etc);
  • analyze SSH version compatibility based on algorithm information;
  • historical information from OpenSSH, Dropbear SSH and libssh;
  • no dependencies, compatible with Python 2.6+, Python 3.x and PyPy;

Usage

usage: ssh-audit.py [-1246pbnvl] <host>

   -1,  --ssh1             force ssh version 1 only
   -2,  --ssh2             force ssh version 2 only
   -4,  --ipv4             enable IPv4 (order of precedence)
   -6,  --ipv6             enable IPv6 (order of precedence)
   -p,  --port=<port>      port to connect
   -b,  --batch            batch output
   -n,  --no-colors        disable colors
   -v,  --verbose          verbose output
   -l,  --level=<level>    minimum output level (info|warn|fail)
   
  • if both IPv4 and IPv6 are used, order of precedence can be set by using either -46 or -64.
  • batch flag -b will output sections without header and without empty lines (implies verbose flag).
  • verbose flag -v will prefix each line with section type and algorithm name.
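What the feature list above calls "grab banner" and "gather key-exchange, host-key, encryption and message authentication code algorithms" is, on the wire, the server identification string followed by the server's unencrypted SSH_MSG_KEXINIT. The following is an added example, not code from the ssh-audit project: it parses both, grades the offered algorithms with a small hand-picked verdict table (an assumption of this example, not ssh-audit's database), and returns a count of failures usable as an exit status. The sample banner and KEXINIT are constructed inline so it runs offline; fetch() is the online half and resolves names and bare IPv4/IPv6 literals alike through socket.create_connection(). Python 3 only.

```python
"""Grab an SSH server's banner and SSH_MSG_KEXINIT and grade the algorithms it offers.

Added example for this page, not code from the ssh-audit project. Python 3 only.
The verdict table in classify() is a small hand-picked subset and an assumption of
this example, not ssh-audit's algorithm database. SAMPLE_* below are constructed.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_banner(line: bytes) -> dict:
    """Split 'SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3' into protocol, software, comment."""
    text = line.rstrip(b"\r\n").decode("utf-8", errors="replace")
    if not text.startswith("SSH-"):
        raise ValueError("not an SSH identification string: %r" % text)
    head, _, comment = text.partition(" ")
    _, proto, software = head.split("-", 2)
    return {"protocol": proto, "software": software, "comment": comment}

def build_kexinit(lists: dict, cookie: bytes = b"\x00" * 16) -> bytes:
    """Encode name-lists as a KEXINIT payload (here: to build the constructed sample)."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved

def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload into {field: [algorithm, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off, out = 1 + 16, {}  # skip message id and the 16-byte cookie
    for name in KEXINIT_FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n]
        out[name] = [a for a in raw.decode("ascii").split(",") if a]
        off += 4 + n
    return out

def classify(name: str) -> tuple:
    """('fail'|'warn'|'info', reason) for one algorithm; subset, see module docstring."""
    if name.startswith("ssh-dss"):
        return ("fail", "1024-bit DSA")
    if name.startswith("diffie-hellman-group1-"):
        return ("fail", "1024-bit modulus")
    if name.endswith("-cbc") or name.startswith("arcfour"):
        return ("fail", "CBC mode or RC4")
    if "md5" in name or name.endswith("-96"):
        return ("fail", "MD5 or truncated MAC")
    if name.startswith("diffie-hellman") and name.endswith("-sha1"):
        return ("warn", "SHA-1 key exchange")
    if name.startswith(("ecdh-sha2-nistp", "ecdsa-sha2-nistp")):
        return ("warn", "NIST P-curve")
    if name.startswith("hmac-") and "-etm@" not in name:
        return ("warn", "encrypt-and-MAC mode")
    return ("info", "")

def audit(banner_line: bytes, kexinit_payload: bytes) -> dict:
    """Grade the server-to-client offer; 'fails' doubles as a non-zero exit status."""
    kex, findings = parse_kexinit(kexinit_payload), []
    for section in ("kex", "hostkey", "enc_s2c", "mac_s2c"):
        for alg in kex[section]:
            level, why = classify(alg)
            if level != "info":
                findings.append((level, section, alg, why))
    return {"banner": parse_banner(banner_line), "kexinit": kex, "findings": findings,
            "fails": sum(1 for f in findings if f[0] == "fail")}

def fetch(host: str, port: int = 22, timeout: float = 5.0) -> tuple:
    """Online half: skip pre-banner lines, send our banner, read the first (still
    unencrypted) binary packet and strip its padding to get the KEXINIT payload."""
    with socket.create_connection((host, port), timeout) as sock:
        rd = sock.makefile("rb")
        banner = rd.readline()
        while banner and not banner.startswith(b"SSH-"):
            banner = rd.readline()
        if not banner:
            raise ValueError("did not receive banner")
        sock.sendall(b"SSH-2.0-audit_example\r\n")
        packet_length, padding_length = struct.unpack(">IB", rd.read(5))
        body = rd.read(packet_length - 1)  # payload || padding; no MAC before kex
        return banner, body[:len(body) - padding_length]

# Constructed sample offer, chosen to trip each verdict rule at least once.
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3\r\n"
_ENC = ["aes128-ctr", "aes256-gcm@openssh.com", "aes128-cbc", "3des-cbc"]
_MAC = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1", "hmac-md5"]
SAMPLE_KEXINIT = build_kexinit({
    "kex": ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
            "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-rsa", "ecdsa-sha2-nistp256", "ssh-ed25519", "ssh-dss"],
    "enc_c2s": _ENC, "enc_s2c": _ENC, "mac_c2s": _MAC, "mac_s2c": _MAC,
    "comp_c2s": ["none", "zlib@openssh.com"], "comp_s2c": ["none", "zlib@openssh.com"]})
```

Offline, `audit(SAMPLE_BANNER, SAMPLE_KEXINIT)` yields ten findings, five of them at the fail level (ssh-dss, group1, the two CBC ciphers, hmac-md5). Against a reachable host (assumed; not part of the page), `audit(*fetch("203.0.113.10", 2222))` or `audit(*fetch("2001:db8::1"))` does the same over the network. Only the server-to-client lists are graded because, as in ssh-audit's output, the server's offer is what the audit is about; the client-to-server lists are parsed but left to the caller.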

example

(screenshot of ssh-audit output; image not reproduced here)

ChangeLog

v1.7.0 (2016-10-26)

  • implement options to allow specify IPv4/IPv6 usage and order of precedence
  • implement option to specify remote port (old behavior kept for compatibility)
  • add colors support for Microsoft Windows via optional colorama dependency
  • fix encoding and decoding issues, add tests, do not crash on encoding errors
  • use mypy-lang for static type checking and verify all code

v1.6.0 (2016-10-14)

  • implement algorithm recommendations section (based on recognized software)
  • implement full libssh support (version history, algorithms, security, etc)
  • fix SSH-1.99 banner recognition and version comparison functionality
  • do not output empty algorithms (happens for misconfigured servers)
  • make consistent output for Python 3.x versions
  • add a lot more tests (conf, banner, software, SSH1/SSH2, output, etc)
  • use Travis CI to test for multiple Python versions (2.6-3.5, pypy, pypy3)

v1.5.0 (2016-09-20)

  • create security section for related security information
  • match and output assigned CVE list and security issues for Dropbear SSH
  • implement full SSH1 support with fingerprint information
  • automatically fallback to SSH1 on protocol mismatch
  • add new options to force SSH1 or SSH2 (both allowed by default)
  • parse banner information and convert it to specific software and OS version
  • do not use padding in batch mode
  • several fixes (Cisco sshd, rare hangs, error handling, etc)

v1.0.20160902

  • implement batch output option
  • implement minimum output level option
  • fix compatibility with Python 2.6

v1.0.20160812

  • implement SSH version compatibility feature
  • fix wrong mac algorithm warning
  • fix Dropbear SSH version typo
  • parse pre-banner header
  • better errors handling

v1.0.20160803

  • use OpenSSH 7.3 banner
  • add new key-exchange algorithms

v1.0.20160207

  • use OpenSSH 7.2 banner
  • additional warnings for OpenSSH 7.2
  • fix OpenSSH 7.0 failure messages
  • add rijndael-cbc failure message from OpenSSH 6.7

v1.0.20160105

  • multiple additional warnings
  • support for none algorithm
  • better compression handling
  • ensure reading enough data (fixes few Linux SSH)

v1.0.20151230

  • Dropbear SSH support

v1.0.20151223

  • initial version

ssh-audit's People

Contributors

arthepsy, fale, prozsolt, radarhere

ssh-audit's Issues

algorithm recommendations for OpenSSH 6.7

Hello
I scanned my Debian 8 server, which runs OpenSSH version SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3,
and got this recommendation:

algorithm recommendations (for OpenSSH 6.7)

(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove
(rec) -ssh-dss -- key algorithm to remove

But how do I remove these algorithms?
I can't use:
HostKeyAlgorithms ssh-rsa,rsa-sha2-512,rsa-sha2-256
because HostKeyAlgorithms is only supported from OpenSSH 7.0 on.

Best Regards
TaKeN

SSH version 1 should be removed

You could simplify the code by simply removing almost all version 1 code from the script. Just tell the user that version 1 is insecure and unsupported. OpenSSH has removed all SSH version 1 code from its implementation since 7.6.

feature: exit with non-zero exit code

Since ssh-audit can be used in a script, it would be nice if ssh-audit exited with exit code 2 if there are one or more recommendations. I'd be fine with this requiring an optional command-line argument.

Feature Request: Parseable Output

Would be great to have the output in some format that is easy to parse. I am thinking of something like the 'greppable' output of nmap (-oG).

Add install / run instructions to README

Okay, I see from "example" that it's just ./ssh-audit.py, but some sort of "clone repo, run ./ssh-audit.py" would make it more explicitly clear how to get to that point.

New algorithms

I found some non-standard SSH algorithms in use out in the wild that are not currently supported:

des-cbc-ssh1
blowfish-ctr
hmac-sha256
[email protected]
hmac-sha2-384

SSH client audit

What do you think about the idea of a SSH client audit feature?

Of course, admins can configure a good and up-to-date system-wide client config (/etc/ssh/ssh_config). However, users also have their own (and often ancient!) settings in ~/.ssh/config. AFAIK there is no tool that audits the client settings and gives recommendations.

When I discovered the ssh -G host option (available since OpenSSH 6.8) I thought this may be an interesting and easy way to audit the effective client settings for the respective destination.

Also, it would be possible to not only check the configured algorithms but also insecure or dangerous features (e.g. X11Forwarding, Agent-Forwarding, etc).

It could look like this:

$ ssh-audit -c host

`[exception] did not receive banner.` exception

For an sshd configuration, it is valid to have the Banner option in /etc/ssh/sshd_config set to none.

However, ssh-audit then always throws a [exception] did not receive banner..

It would be nice if ssh-audit could optionally skip checking for a banner.

Bare ipv6 addresses don't work

(address changed to protect the innocent)

./ssh-audit.py -6 2000:100:100:1::3
[exception] [Errno -9] Address family for hostname not supported

./ssh-audit.py -6 [2000:100:100:1::3]
[exception] [Errno -2] Name or service not known

./ssh-audit.py -6 "[2000:100:100:1::3]"
[exception] [Errno -2] Name or service not known

However, using a name (whether dns or /etc/hosts) works correctly.

Feature: Minimum output level

Feature request: Add an option to configure the minimum output level.

Then it would be possible to report e.g. only fails (--level=fail) or fails and warnings (--level=warn).

publish to pypi?

What about publishing to pypi to make it installable via pip?

feature-request : support options in any order

warning : read the update section

related to #37

ssh-audit displays the wrong banner instead of displaying the real one or saying it does not know this one:

ssh-audit x.x.x.x -p 2222
# general
(gen) banner: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.6
(gen) software: OpenSSH 7.2p2
(gen) compatibility: OpenSSH 7.2+, Dropbear SSH 2013.62+
(gen) compression: enabled (zlib@openssh.com)

But when doing ssh -v or sftp -v (because it is a sftp server) I can see: debug1: Remote protocol version 2.0, remote software version mod_sftp/0.9.9.

To be sure I used nmap:

nmap -Pn -p 2222 x.x.x.x -sVC
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-28 11:06 CET
Nmap scan report for x.com (x.x.x.x)
Host is up (0.023s latency).

PORT     STATE SERVICE VERSION
2222/tcp open  ssh     ProFTPD mod_sftp 0.9.9 (protocol 2.0)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.67 seconds

So:

  1. You need to display the real banner, the one actually grabbed, rather than doing an internal match or something and displaying a wrong banner when the SSH provider is not known to ssh-audit, because it can lead to severe mistakes.
  2. As #37 said, add mod_sftp support (the SFTP module of ProFTPD).

Update: a real SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.6 is also running on port 22, so I suspect that ssh-audit is ignoring the option for port 2222.

ssh-audit/ssh-audit.py, lines 155 to 185 at 22b671e:

        elif o in ('-p', '--port'):
            oport = a
        elif o in ('-b', '--batch'):
            aconf.batch = True
            aconf.verbose = True
        elif o in ('-n', '--no-colors'):
            aconf.colors = False
        elif o in ('-v', '--verbose'):
            aconf.verbose = True
        elif o in ('-l', '--level'):
            if a not in ('info', 'warn', 'fail'):
                usage_cb('level {0} is not valid'.format(a))
            aconf.minlevel = a
    if len(args) == 0:
        usage_cb()
    if oport is not None:
        host = args[0]
        port = utils.parse_int(oport)
    else:
        s = args[0].split(':')
        host = s[0].strip()
        if len(s) == 2:
            oport, port = s[1], utils.parse_int(s[1])
        else:
            oport, port = '22', 22
    if not host:
        usage_cb('host is empty')
    if port <= 0 or port > 65535:
        usage_cb('port {0} is not valid'.format(oport))
    aconf.host = host
    aconf.port = port

==> this is it: if I run ssh-audit -p 2222 x.x.x.x instead of ssh-audit x.x.x.x -p 2222, I get the right banner:

(gen) banner: SSH-2.0-mod_sftp/0.9.9
(gen) compatibility: OpenSSH 5.9-6.6, Dropbear SSH 2013.62+ (some functionality from 0.52)
(gen) compression: enabled (zlib@openssh.com, zlib)

So I suggest supporting options in any order, even after the host, like nmap and many other tools do.

AttributeError: 'str' object has no attribute 'decode'

When using Python3, the following line raises an AttributeError:

payload = str(payload).decode('utf-8')

For example:

$ ./ssh-audit.py -1 github.com
Traceback (most recent call last):
  File "./ssh-audit.py", line 1685, in <module>
    audit(conf)
  File "./ssh-audit.py", line 1654, in audit
    payload = str(payload).decode('utf-8')
AttributeError: 'str' object has no attribute 'decode'

I am using release 1.6.0 (76509a1).

I am not sure if it is the only place where there is a problem with Python3 compatibility, might be worth a full check.

feature: recognize libssh

  • implement version comparison
  • gather supported algorithms by versions
  • gather security notes (CVEs, other)
  • integrate for software recognition
  • integrate for algorithm recommendations

Audit sshd features

There's the sshd -T feature. It checks the validity of the /etc/ssh/sshd_config configuration file and outputs the effective configuration to stdout and then exits.

I thought this may be an interesting and easy way to audit the effective server settings.

I.e. it would be possible to not only check the configured algorithms but also insecure or dangerous features (e.g. X11Forwarding, Agent-Forwarding, etc).

Obviously, this check would only run locally (i.e. not remote) but it would make sshd hardening easier.
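Two of the issues above meet in one local check: the OpenSSH 6.7 report whose author cannot use HostKeyAlgorithms (a server option that only appeared in 7.0), and the request to audit the effective configuration that sshd -T prints. The following is an added example, not ssh-audit's code and not anything either issue author wrote. It parses sshd -T output (a constructed sample is embedded; real input comes from `sudo sshd -T`), flags a hand-picked set of risky settings (the RISKY table is this example's assumption), and, for the host-key problem, uses the fact that sshd offers exactly the keys named by its HostKey lines: listing only the RSA and Ed25519 key files is what removes ssh-dss and ecdsa-sha2-* from the offer on releases without HostKeyAlgorithms. Algorithm name-lists (kexalgorithms, ciphers, macs) are outside this example.

```python
"""Audit an 'sshd -T' dump (effective server configuration) for risky settings and
for DSA/ECDSA host keys, and emit the HostKey lines that drop them.

Added example for this page, not ssh-audit code. RISKY is a hand-picked subset (an
assumption of this example). SAMPLE_SSHD_T is constructed in sshd -T format:
one lowercase keyword, a space and its value per line. Real input: sudo sshd -T
"""

SAMPLE_SSHD_T = """\
port 22
protocol 2
x11forwarding yes
allowagentforwarding yes
permitrootlogin yes
passwordauthentication yes
permitemptypasswords no
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_dsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
ciphers aes128-ctr,aes256-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256
"""

# keyword -> (value that triggers a finding, why it matters); insertion order is report order
RISKY = {
    "protocol": ("1", "SSH protocol 1 is enabled"),
    "x11forwarding": ("yes", "clients' X11 displays are forwarded to the server"),
    "allowagentforwarding": ("yes", "a compromised server can use clients' agent keys"),
    "permitrootlogin": ("yes", "root can log in directly, including with a password"),
    "passwordauthentication": ("yes", "password logins are accepted"),
    "permitemptypasswords": ("yes", "empty passwords are accepted"),
}
WEAK_HOSTKEY_TYPES = ("dsa", "ecdsa")  # key types whose HostKey lines we recommend dropping

def parse_sshd_t(text: str) -> dict:
    """Parse sshd -T output; repeated keywords (hostkey, listenaddress) accumulate."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def find_risky_settings(conf: dict) -> list:
    """'keyword value: why' for every RISKY match; comma-separated values are checked element-wise."""
    findings = []
    for key, (bad, why) in RISKY.items():
        for value in conf.get(key, []):
            if bad in value.lower().split(","):
                findings.append("%s %s: %s" % (key, value, why))
    return findings

def hostkey_type(path: str) -> str:
    """'/etc/ssh/ssh_host_ecdsa_key' -> 'ecdsa', following OpenSSH's file naming."""
    name = path.rsplit("/", 1)[-1]
    if name.startswith("ssh_host_") and name.endswith("_key"):
        return name[len("ssh_host_"):-len("_key")]
    return "unknown"

def split_hostkeys(conf: dict) -> dict:
    """Partition the loaded host keys into the ones to keep and the ones to remove."""
    keep, remove = [], []
    for path in conf.get("hostkey", []):
        (remove if hostkey_type(path) in WEAK_HOSTKEY_TYPES else keep).append(path)
    return {"keep": keep, "remove": remove}

def recommended_hostkey_block(conf: dict) -> str:
    """sshd_config fragment with explicit HostKey lines for the kept keys only."""
    return "\n".join("HostKey %s" % p for p in split_hostkeys(conf)["keep"])

if __name__ == "__main__":
    import sys
    # sudo sshd -T | python3 this.py   (falls back to the constructed sample on a terminal)
    text = SAMPLE_SSHD_T if sys.stdin.isatty() else sys.stdin.read()
    conf = parse_sshd_t(text)
    for finding in find_risky_settings(conf):
        print("[warn]", finding)
    for path in split_hostkeys(conf)["remove"]:
        print("[fail] hostkey %s: %s key, remove its HostKey line" % (path, hostkey_type(path)))
    print("# recommended sshd_config host keys:\n" + recommended_hostkey_block(conf))
```

After replacing the HostKey lines in /etc/ssh/sshd_config with the emitted block, `sshd -t` validates the file and a second `sshd -T` run through the same script should report nothing to remove; the ssh-dss and ecdsa-sha2-nistp256 entries then disappear from the server's KEXINIT without any HostKeyAlgorithms directive.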

Add support for OpenSSH user configuration files

In my case I can only reach my servers through a ProxyJump in my SSH configuration. It seems there currently isn't a way to run ssh-audit against those servers behind a jump host.
I would like to request a feature to support this scenario.

Feature request: detect SSHFP DNS records and compare with server fingerprint

SSHFP DNS records are a useful feature that lets one store SSH fingerprints in DNS, so that you don't have to check them manually. It would be useful if ssh-audit could check for the existence of such records, compare them with the actual fingerprints to see whether they match, and recommend disabling DSA and ECDSA records (if they exist) and enabling RSA and ED25519 records (if they don't exist).

It should also recommend to disable SHA1 type records, if enabled and enable SHA256, if disabled.

Recognize curve25519-sha256 in addition to curve25519-sha256@libssh.org

Using the git version of ssh-audit, curve25519-sha256 is currently flagged as an unknown algorithm, whereas curve25519-sha256@libssh.org is correctly identified.

Looking at the sshd_config man page for OpenSSH 7.6p1, both are valid for KexAlgorithms. The default sequence is listed as

curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group14-sha1

Some software, such as SecureCRT 8.5.2, requires the use of curve25519-sha256 instead of curve25519-sha256@libssh.org.

Question about nistp256 etc

Hey,

I cannot figure out why you are marking 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521' as weak. I checked some distros, and even OpenBSD has them enabled by default. Care to explain your reasoning behind it?

Thanks.

Why is there a warning about encrypt-and-mac?

We tested some of our OpenSSH servers with ssh-audit and noticed a couple of "using encrypt-and-MAC mode" warnings. I am a cryptography expert and I do not understand why there is a warning. I do not know of any security weaknesses in encrypt-and-MAC. E.g. "hmac-sha2-256" is a perfectly safe algorithm. Why is there a warning? One should never use MAC-then-encrypt, but this is not the case here. Can you explain that?
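The two packet constructions behind that warning, as an added example (not ssh-audit's code and not the questioner's): RFC 4253 encrypt-and-MAC, where the MAC covers the plaintext and the whole packet including its length field is encrypted, next to the encrypt-then-MAC layout OpenSSH negotiates under the "-etm@openssh.com" suffix, where the length travels in the clear and the MAC covers length and ciphertext. The cipher here is a toy SHA-256 keystream (an assumption of this example, for illustration only); the MAC is real HMAC-SHA-256. Each receiver records the order of its steps, which is the point being made: an E&M receiver has to decrypt the length and the body from bytes it has not yet authenticated before it can check the tag, while an EtM receiver decrypts nothing unless the tag verifies.

```python
"""SSH binary-packet integrity two ways: encrypt-and-MAC (RFC 4253 section 6) and
the encrypt-then-MAC variant OpenSSH negotiates as '*-etm@openssh.com'.

Added example for this page, not ssh-audit code. The stream cipher is a toy SHA-256
keystream (an assumption of this example, illustration only; real SSH uses AES-CTR/GCM
or ChaCha20). The MAC is real HMAC-SHA-256. Padding is zeroed for determinism.
"""
import hashlib
import hmac
import struct

MAC_LEN = 32  # HMAC-SHA-256 tag

def _keystream(key, seqno, n):
    """Toy keystream: SHA-256(key || seqno || counter) blocks. NOT a real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">II", seqno, ctr)).digest()
        ctr += 1
    return out[:n]

def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def _frame(payload, block=8):
    """padding_length || payload || padding; with the 4-byte length the total is a block multiple, padding >= 4."""
    pad = block - ((5 + len(payload)) % block)
    if pad < 4:
        pad += block
    return bytes([pad]) + payload + b"\x00" * pad

def _unframe(packet):
    return packet[1:len(packet) - packet[0]]

def _mac(mac_key, seqno, data):
    return hmac.new(mac_key, struct.pack(">I", seqno) + data, hashlib.sha256).digest()

def seal_eam(enc_key, mac_key, seqno, payload):
    """Encrypt-and-MAC: MAC over the plaintext packet; length and body both encrypted."""
    packet = _frame(payload)
    plain = struct.pack(">I", len(packet)) + packet
    return _xor(plain, _keystream(enc_key, seqno, len(plain))) + _mac(mac_key, seqno, plain)

def open_eam(enc_key, mac_key, seqno, wire, trace=None):
    """E&M receiver: decrypts the length, then the body, and only then can check the MAC."""
    trace = trace if trace is not None else []
    ks = _keystream(enc_key, seqno, len(wire) - MAC_LEN)
    trace.append("decrypt_length")
    (packet_length,) = struct.unpack(">I", _xor(wire[:4], ks[:4]))
    if packet_length < 5 or 4 + packet_length + MAC_LEN != len(wire):
        raise ValueError("implausible length %d from unauthenticated bytes" % packet_length)
    trace.append("decrypt_body")
    plain = _xor(wire[:4 + packet_length], ks)
    trace.append("verify_mac")
    if not hmac.compare_digest(_mac(mac_key, seqno, plain), wire[4 + packet_length:]):
        raise ValueError("MAC mismatch, but the body was already decrypted")
    return _unframe(plain[4:])

def seal_etm(enc_key, mac_key, seqno, payload):
    """Encrypt-then-MAC: length in the clear, body encrypted, MAC over length || ciphertext."""
    packet = _frame(payload)
    head_ct = struct.pack(">I", len(packet)) + _xor(packet, _keystream(enc_key, seqno, len(packet)))
    return head_ct + _mac(mac_key, seqno, head_ct)

def open_etm(enc_key, mac_key, seqno, wire, trace=None):
    """EtM receiver: verifies the MAC first; nothing is decrypted unless it passes."""
    trace = trace if trace is not None else []
    trace.append("read_length")
    (packet_length,) = struct.unpack(">I", wire[:4])
    head_ct, tag = wire[:4 + packet_length], wire[4 + packet_length:]
    trace.append("verify_mac")
    if not hmac.compare_digest(_mac(mac_key, seqno, head_ct), tag):
        raise ValueError("MAC mismatch; nothing was decrypted")
    trace.append("decrypt_body")
    return _unframe(_xor(head_ct[4:], _keystream(enc_key, seqno, packet_length)))

def receive_trace(opener, enc_key, mac_key, seqno, wire):
    """Feed (possibly tampered) bytes to a receiver; return (accepted, steps taken in order)."""
    trace = []
    try:
        opener(enc_key, mac_key, seqno, wire, trace)
    except ValueError:
        return False, trace
    return True, trace

def flip_bit(wire, index):
    return wire[:index] + bytes([wire[index] ^ 0x01]) + wire[index + 1:]

if __name__ == "__main__":
    ek, mk, seq = b"E" * 32, b"M" * 32, 7  # constructed keys and sequence number
    for name, seal, opener in (("E&M", seal_eam, open_eam), ("EtM", seal_etm, open_etm)):
        wire = seal(ek, mk, seq, b"hello")
        print(name, "intact:  ", receive_trace(opener, ek, mk, seq, wire))
        print(name, "tampered:", receive_trace(opener, ek, mk, seq, flip_bit(wire, 6)))
```

With a bit flipped in the body, the E&M receiver runs all three steps and rejects only at the end, after decrypting attacker-modified bytes; with a bit flipped in the encrypted length it rejects on an implausible length it obtained from unauthenticated data. The EtM receiver rejects at verify_mac and never decrypts. That ordering, not the strength of HMAC-SHA-256 itself, is the property the warning points at.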

[Feature] Output sshd_config parameters

Very neat tool, thanks for making it!

I think it would be neat to have a flag which would output 'good' sshd_config config line. Something that crossed my mind while I was testing my ssh servers.

Thanks,
G

ValueError: zero length field name in format

You are using "{}".format(), which is not compatible with my Python 2.6.9:

~ # ./ssh-audit.py -v ts01lin
# general
[info] banner: SSH-2.0-OpenSSH_6.6.1
Traceback (most recent call last):
  File "./ssh-audit.py", line 619, in <module>
    main()
  File "./ssh-audit.py", line 615, in main
    output(banner, header, kex)
  File "./ssh-audit.py", line 551, in output
    output_compatibility(kex)
  File "./ssh-audit.py", line 536, in output_compatibility
    comp_text.append('{} {}-{}'.format(sshd_name, v[0], v[1]))
ValueError: zero length field name in format

Add support for RFC 8308

RFC 8308 adds support for extension negotiation. Of the four extensions defined, it seems like one, server-sig-algs (in section 3.1) might be interesting to analyze from a security standpoint.
