v3.2.0
This release features a new `--dheat` option to test targets for the DHEat denial-of-service attack (see CVE-2002-20001). Also included are changes to custom policies that allow targets to surpass the specified security level; this allows for the creation of baseline policies (partial credit yannik1015 and Damian Szuberski).
This version is also available as a PyPI package (`pip3 install ssh-audit`), Docker image (`docker pull positronsecurity/ssh-audit`), Snap package (`snap install ssh-audit`), or as a Windows executable (see below, though be aware that sometimes Windows Defender inappropriately detects it as malware!).
- Added implementation of the DHEat denial-of-service attack (see `--dheat` option; CVE-2002-20001).
- Expanded filter of CBC ciphers to flag for the Terrapin vulnerability. It now includes more rarely found ciphers.
- Fixed parsing of `ecdsa-sha2-nistp*` CA signatures on host keys. Additionally, they are now flagged as potentially back-doored, just as standard host keys are.
- Gracefully handle rare exceptions (i.e.: crashes) while performing GEX tests.
- The built-in man page (`-m`, `--manual`) is now available on Docker, PyPI, and Snap builds, in addition to the Windows build.
- Snap builds are now architecture-independent.
- Changed Docker base image from `python:3-slim` to `python:3-alpine`, resulting in a 59% reduction in image size; credit Daniel Thamdrup.
- Added built-in policies for Amazon Linux 2023, Debian 12, OpenSSH 9.7, and Rocky Linux 9.
- Built-in policies now include a change log (use `-L -v` to view them).
- Custom policies now support the `allow_algorithm_subset_and_reordering` directive to allow targets to pass with a subset and/or re-ordered list of host keys, kex, ciphers, and MACs. This allows for the creation of a baseline policy where targets can optionally implement stricter controls; partial credit yannik1015.
- Custom policies now support the `allow_larger_keys` directive to allow targets to pass with larger host keys, CA keys, and Diffie-Hellman keys. This allows for the creation of a baseline policy where targets can optionally implement stricter controls; partial credit Damian Szuberski.
- Color output is disabled if the `NO_COLOR` environment variable is set (see https://no-color.org/).
- Added 1 new key exchange algorithm: `gss-nistp384-sha384-*`.
- Added 1 new cipher: [email protected].
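
The baseline behaviour of the two custom policy directives above (`allow_algorithm_subset_and_reordering` and `allow_larger_keys`) can be modelled as follows. This is an added example, not ssh-audit's own code: the `evaluate` function, the dictionary layout, and the sample servers are constructed for illustration, and it assumes that without the directives a target must match the policy exactly.

```python
# Added illustration: simplified model of the two baseline directives.
# Not ssh-audit code; evaluate() and the dict layout are hypothetical.

def evaluate(baseline, target, allow_algorithm_subset_and_reordering=False,
             allow_larger_keys=False):
    """Return a list of policy failures; an empty list means the target passes."""
    failures = []
    for field in ("host_keys", "kex", "ciphers", "macs"):
        expected, actual = baseline[field], target[field]
        if allow_algorithm_subset_and_reordering:
            # Any order, fewer algorithms allowed, but nothing outside the baseline.
            extra = [a for a in actual if a not in expected]
            if extra:
                failures.append(f"{field}: not in baseline: {extra}")
        elif actual != expected:
            # Assumed strict mode: same algorithms in the same order.
            failures.append(f"{field}: expected {expected}, got {actual}")
    for alg, required in baseline["key_sizes"].items():
        size = target["key_sizes"].get(alg)
        if size is None:
            continue  # algorithm not offered; covered by the list checks
        if size == required or (allow_larger_keys and size > required):
            continue
        failures.append(f"{alg}: {size} bits, baseline is {required}")
    return failures

# Constructed sample data (not output from a real scan).
BASELINE = {
    "host_keys": ["rsa-sha2-512", "ssh-ed25519"],
    "kex": ["curve25519-sha256", "diffie-hellman-group-exchange-sha256"],
    "ciphers": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "macs": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"],
    "key_sizes": {"rsa-sha2-512": 3072,
                  "diffie-hellman-group-exchange-sha256": 3072},
}
# Stricter than the baseline: re-ordered, fewer algorithms, larger keys.
HARDENED = {
    "host_keys": ["ssh-ed25519", "rsa-sha2-512"],
    "kex": ["diffie-hellman-group-exchange-sha256", "curve25519-sha256"],
    "ciphers": ["aes256-gcm@openssh.com"],
    "macs": ["hmac-sha2-512-etm@openssh.com"],
    "key_sizes": {"rsa-sha2-512": 4096,
                  "diffie-hellman-group-exchange-sha256": 4096},
}
# Weaker than the baseline: one extra CBC cipher and a smaller RSA host key.
WEAK = dict(HARDENED, ciphers=HARDENED["ciphers"] + ["aes128-cbc"],
            key_sizes=dict(HARDENED["key_sizes"], **{"rsa-sha2-512": 2048}))

if __name__ == "__main__":
    for name, srv in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, evaluate(BASELINE, srv, True, True) or "PASS")
```

With both directives enabled the hardened server passes while the weak one still fails on the extra cipher and the undersized key, which is the property a baseline policy needs.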