An SSH configuration and policy scanner
- Minimal Dependencies - Uses native Ruby and BinData to do its work, no heavy dependencies.
- Not Just a Script - Implementation is portable for use in another project or for automation of tasks.
- Simple - Just point ssh_scan at an SSH service and get a JSON report of what it supports and its policy status.
- Configurable - Make your own custom policies that fit your unique policy requirements.
To install as a gem, type
gem install ssh_scan
ssh_scan
To install from source, type
git clone https://github.com/mozilla/ssh_scan.git
cd ssh_scan
gem install bindata
./bin/ssh_scan
Run ssh_scan -h to get this:
ssh_scan v0.0.8 (https://github.com/mozilla/ssh_scan)
Usage: ssh_scan [options]
-t, --target [IP/Hostname] IP/Hostname (IPv4/IPv6/FQDNs)
-p, --port [PORT] Port (Default: 22)
-P, --policy [FILE] Policy file (Default: Mozilla Modern)
-u, --unit-test [FILE] Throw appropriate exit codes based on compliance status
-v, --version Display just version info
-h, --help Show this message
Examples:
ssh_scan -t 192.168.1.1
ssh_scan -t server.example.com
ssh_scan -t ::1
ssh_scan -t 192.168.1.1 -p 22222
ssh_scan -t 192.168.1.1 -P custom_policy.yml
ssh_scan -t 192.168.1.1 --unit-test -P custom_policy.yml
See here for example video
See here for example output
See here for example policies
This project is integrated with travis-ci and is regularly tested to work with the following rubies:
To check out the current build status for these rubies, click here.
If you are interested in contributing to this project, please see CONTRIBUTING.md
Sources of Inspiration for ssh_scan
- Mozilla OpenSSH Security Guide - For providing a sane baseline policy recommendation for SSH configuration parameters (e.g., Ciphers, MACs, and KexAlgos).
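
How a scanner can learn which Ciphers, MACs and KexAlgos a server offers and check them against a policy, as an added Ruby example that is not ssh_scan's own code: it parses the name-lists of an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) with plain String#unpack1 rather than BinData. The function names, the sample packet and the sample policy are constructed for illustration; the policy is not the Mozilla Modern policy.

```ruby
# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
KEXINIT_FIELDS = %i[kex host_key encryption_c2s encryption_s2c mac_c2s mac_s2c
                    compression_c2s compression_s2c languages_c2s languages_s2c].freeze

# Parse a KEXINIT payload (packet framing already removed) into field => names.
def parse_kexinit(payload)
  payload = payload.b
  raise ArgumentError, "not SSH_MSG_KEXINIT" unless payload.getbyte(0) == 20
  offset = 17 # 1 message-type byte + 16-byte cookie
  KEXINIT_FIELDS.each_with_object({}) do |field, out|
    len = payload.byteslice(offset, 4)&.unpack1("N") # nil when fewer than 4 bytes remain
    body = len && payload.byteslice(offset + 4, len)
    raise ArgumentError, "truncated #{field} name-list" unless body && body.bytesize == len
    out[field] = body.force_encoding("UTF-8").split(",")
    offset += 4 + len
  end
end

# Offered algorithms that the policy does not allow, grouped by category.
def policy_violations(offered, policy)
  {
    kex: offered[:kex] - policy[:kex],
    encryption: (offered[:encryption_c2s] | offered[:encryption_s2c]) - policy[:encryption],
    macs: (offered[:mac_c2s] | offered[:mac_s2c]) - policy[:macs]
  }.reject { |_category, extra| extra.empty? }
end

# Encode one RFC 4253 name-list: uint32 length, then comma-separated names.
def name_list(names)
  joined = names.join(",")
  [joined.bytesize].pack("N") + joined
end

# Constructed server KEXINIT (all-zero cookie) and constructed policy, for illustration only.
enc = %w[chacha20-poly1305@openssh.com aes128-ctr 3des-cbc]
mac = %w[hmac-sha2-256 hmac-md5]
comp = %w[none zlib@openssh.com]
SAMPLE_LISTS = [%w[curve25519-sha256@libssh.org diffie-hellman-group1-sha1],
                %w[ssh-ed25519 ssh-rsa], enc, enc, mac, mac, comp, comp, [], []].freeze
# Trailing 5 bytes: first_kex_packet_follows (boolean) and the reserved uint32.
SAMPLE_KEXINIT = (20.chr + "\x00" * 16 + SAMPLE_LISTS.map { |l| name_list(l) }.join + "\x00" * 5).b
SAMPLE_POLICY = { kex: %w[curve25519-sha256@libssh.org],
                  encryption: %w[chacha20-poly1305@openssh.com aes128-ctr],
                  macs: %w[hmac-sha2-256] }.freeze

puts policy_violations(parse_kexinit(SAMPLE_KEXINIT), SAMPLE_POLICY).inspect
```

The server sends KEXINIT before any authentication, which is why this kind of check needs no credentials on the target.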