%global commit d19b154a466ce9ed741387141ec53554017b2546
%global shortcommit %(c=%{commit}; echo ${c:0:7})
%global gitdate 20240423

Name:           ssh-audit
Version:        3.2.0
Release:        1.git%{gitdate}%{?dist}
Summary:        ssh-audit is a tool for ssh server & client configuration auditing

License:        MIT
URL:            https://github.com/jtesta/ssh-audit
Source0:        https://github.com/jtesta/%{name}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
BuildArch:      noarch

BuildRequires:  pyproject-rpm-macros
BuildRequires:  python3-devel
BuildRequires:  python3-setuptools
BuildRequires:  python3-wheel

%description
ssh-audit is a tool for ssh server & client configuration auditing.

%generate_buildrequires
%pyproject_buildrequires -r

%prep
%autosetup -p1 -n %{name}-%{commit}

%build
%pyproject_wheel

%install
%pyproject_install
%pyproject_save_files ssh_audit
install -t %{buildroot}%{_mandir}/man1 -Dpm 0644 ssh-audit.1

%files -n %{name} -f %{pyproject_files}
%{_bindir}/ssh-audit
%doc README.md
%license LICENSE
%{_mandir}/man1/ssh-audit.1*

%changelog
* Tue Apr 23 2024 Paweł Marciniak - 3.2.0-1.git20240423
- Bumped version to v3.3.0-dev.
- Updated docker run command.
- Set version to 3.2.0 for release.
- Updated DHEat rate connection warning message.
- Added multi-line real-time output for connection rate testing.
- Revised connection rate warning during standard audits.
- Sockets now time out after 30 seconds during connection rate testing.
- Fixed non-interactive connection rate tests. Revised warning for lack of connection throttling.
- Added aes128-ocb@libassh.org cipher.
- Added warnings for Windows platform.
- Improved DHEat statistics output.
- Removed vulture from Tox (it rarely made any findings, and when it did, pylint reported the same issues).

* Thu Apr 18 2024 Paweł Marciniak - 3.2.0-1.git20240418
- Added implementation for DHEat denial-of-service attack (CVE-2002-20001). (#211, #217)

* Wed Mar 27 2024 Paweł Marciniak - 3.2.0-1.git20240327
- Updated notes on OpenSSH default key exchanges. (#258)
- Updated availability of algorithms in Dropbear. (#257)
- Added allow_larger_keys flag to custom policies to control whether targets can have larger keys, and added Docker tests to complete work started in PR #242.
- use less-than instead of not-equal when comparing key sizes (#242)

* Tue Mar 19 2024 Paweł Marciniak - 3.2.0-1.git20240319
- Added tests and other cleanups resulting from merging PR #252.
- [WIP] Adding allowed algorithms (#252)
- Added note that sntrup761x25519-sha512@openssh.com is the default OpenSSH kex since version 9.0.
- Added extra GSS wildcard matching test.
- Re-organized README.
- Added built-in policies for Amazon Linux 2023, Debian 12, and Rocky Linux 9.
- Built-in policy change logs no longer printed within quotes.
- Built-in policies now include a change log.
- Split built-in policies from policy.py to builtin_policies.py.
- Added 1 new key exchange algorithm: gss-nistp384-sha384-*
- Updated README.
- use alpine, reduce layers (#249)
- Fixed new pylint warnings.
- Added built-in policy for OpenSSH 9.7.
- Properly upgrade packages and clean up apt cache in Dockerfile (#218)
- Gracefully handle rare exceptions (i.e.: crashes) while performing GEX tests.
- Snap builds are now architecture-independent. (#232)
- Updated '-m', '--manual' description in README.
- Bumped copyright year.
- The built-in man page (, ) is now available on Docker, PyPI, and Snap builds, in addition to the Windows build. (#231)
- Fixed parsing of ecdsa-sha2-nistp* CA signatures on host keys. Additionally, they are now flagged as potentially back-doored, just as standard host keys are. (#239)

* Fri Feb 02 2024 Paweł Marciniak - 3.2.0-1.git20240202
- Disable color when the NO_COLOR environment variable is set. (#234)
- Added note regarding general OpenSSH policies failing against platforms with back-ported features. (#236)

* Fri Dec 22 2023 Paweł Marciniak - 3.1.0-2.git20231222
- Added missing dev tag to Change Log: v3.2.0 -> v3.2.0-dev
- Expanded filter of CBC ciphers to flag for the Terrapin vulnerability.

* Thu Dec 21 2023 Paweł Marciniak - 3.1.0-2.git20231221
- Spelling fixes (#233)
- Bumped version number to v3.2.0-dev.
- Updated packaging instructions and Docker build steps.
- Bumped version to 3.1.0 in preparation for stable release. Updated Change Log in README.

* Wed Dec 20 2023 Paweł Marciniak - 3.1.0-2.git20231220
- Updated notes on fixing Terrapin vulnerability.

* Wed Dec 20 2023 Paweł Marciniak - 3.1.0-1.git20231220
- Added 'additional_notes' field to JSON output.
- Added built-in policies for OpenSSH 9.5 and 9.6.
- Don't recommend enabling the chacha & CBC ciphers, nor ETM MACs in case the user disabled them to address the Terrapin vulnerability. (#229)
- Added note that when a target is properly configured against the Terrapin vulnerability that unpatched peers may still create vulnerable connections. Updated Ubuntu Server & Client 20.04 & 22.04 policies to include new key exchange markers related to Terrapin counter-measures.

* Tue Dec 19 2023 Paweł Marciniak - 3.1.0-1.git20231219
- Added test for the Terrapin vulnerability (CVE-2023-48795) (#227).

* Tue Nov 28 2023 Paweł Marciniak - 3.1.0-1.git20231128
- Removed Python 3.7 from Github Actions testing.
- Dropped support for Python 3.7.
- Re-organized option host key types for OpenSSH 9.2 to correspond with updated Debian 12 hardening guide.
- In Ubuntu 22.04 client policy, moved host key types and to the end of all certificate types.
- In server policies, reduced expected DH modulus sizes from 4096 to 3072 to match online hardening guides.

* Tue Oct 24 2023 Paweł Marciniak - 3.1.0-1.git20231024
- Add cleanup for apt cache files (#215)
- Added Python 3.12 to Tox tests.
- Added --rm to docker run commands so stopped containers are automatically removed.

* Mon Sep 11 2023 Paweł Marciniak - 3.1.0-1.git20230911
- Bumped version to v3.1.0-dev.
- Updated Docker Makefile and packaging instructions.

* Thu Sep 07 2023 Paweł Marciniak - 3.0.0-1.git20230907
- Bumped version to v3.0.0.
- Updated README.
- Docker: Build multi-arch container images for amd64, arm64 and arm/v7 (#194)

* Wed Sep 06 2023 Paweł Marciniak - 2.9.0-1.git20230906
- Marked all NIST K-, B-, and T-curves as unproven since they are so rarely used. Added 12 new host keys: 'ecdsa-sha2-curve25519', 'ecdsa-sha2-nistb233', 'ecdsa-sha2-nistb409', 'ecdsa-sha2-nistk163', 'ecdsa-sha2-nistk233', 'ecdsa-sha2-nistk283', 'ecdsa-sha2-nistk409', 'ecdsa-sha2-nistp224', 'ecdsa-sha2-nistp192', 'ecdsa-sha2-nistt571', 'ssh-dsa', 'x509v3-sign-rsa-sha256'. Added 15 key exchanges: 'curve448-sha512@libssh.org', 'ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org', 'ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org', 'ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org', 'ecdh-sha2-brainpoolp256r1@genua.de', 'ecdh-sha2-brainpoolp384r1@genua.de', 'ecdh-sha2-brainpoolp521r1@genua.de', 'kexAlgoDH14SHA1', 'kexAlgoDH1SHA1', 'kexAlgoECDH256', 'kexAlgoECDH384', 'kexAlgoECDH521', 'sm2kep-sha2-nistp256', 'x25519-kyber-512r3-sha256-d00@amazon.com', 'x25519-kyber512-sha512@aws.amazon.com'. Added 8 new ciphers: 'aes192-gcm@openssh.com', 'cast128-12-cbc', 'cast128-12-cfb', 'cast128-12-ecb', 'cast128-12-ofb', 'des-cfb', 'des-ecb', 'des-ofb'. Added 14 new MACs: 'cbcmac-3des', 'cbcmac-aes', 'cbcmac-blowfish', 'cbcmac-des', 'cbcmac-rijndael', 'cbcmac-twofish', 'hmac-sha256-96', 'md5', 'md5-8', 'ripemd160', 'ripemd160-8', 'sha1', 'sha1-8', 'umac-128'.
- Refined JSON notes output. Fixed Docker & Tox tests.
- Improved JSON output (#185)
- Updated README.
- Prioritized certificate host key types for Ubuntu 22.04 client policy. (#193)
- Fixed most warnings from Shellcheck scans. (#197)

* Mon Sep 04 2023 Paweł Marciniak - 2.9.0-1.git20230904
- The color of all notes will be printed in green when the related algorithm is rated good.
- Added built-in policy for OpenSSH 9.4.
- Perform full Docker image update when building.
- Fixed flake8 tests.
- Refined GEX testing against OpenSSH servers: when the fallback mechanism is suspected of being triggered, perform an additional test to obtain more accurate results.
- Fixed crash during GEX tests.

* Wed Jun 21 2023 Paweł Marciniak - 2.9.0-1.git20230621
- Updated README.
- Recommendation output now respects level (#196)
- Updated README and test for resolve function.
- Removed sys.exit from _resolve in ssh_socket.py (#187)
- Now prints the reason why socket listening operations fail.
- Results from concurrent scans against multiple hosts are no longer improperly combined (#190).

* Mon Jun 19 2023 Paweł Marciniak - 2.9.0-1.git20230619
- Added 'curve448-sha512@libssh.org' kex. (#195)

* Tue Jun 06 2023 Paweł Marciniak - 2.9.0-1.git20230606
- Bumped version to 3.0.0-dev.
- Updated PyPI and Snap build processes.

* Sat Apr 29 2023 Paweł Marciniak - 2.9.0-1.git20230429
- Added release date of v2.9.0.
- Bumped version to v2.9.0.
- Simplified host key test logic.
- RSA key size comments duplicated for all RSA sig algs (#182)
- Added built-in policies for OpenSSH 8.8, 8.9, 9.0, 9.1, 9.2, and 9.3.

* Thu Apr 27 2023 Paweł Marciniak - 2.5.0-2.git20230427
- Rolled back Windows multithreading crash fix, as upgrading from Python v3.9 to v3.11 may have fixed the root cause. (#152)
- Updated README.
- Fixed built-in policy formatting and filled in missing host key size information.

* Wed Apr 26 2023 Paweł Marciniak - 2.5.0-2.git20230426
- Windows build script now automatically installs/updates package dependencies.
- Updated snap base image. Now installing snapcraft tool from snap instead of apt.
- Updated changelog.
- Fixed Windows-specific crash when multiple threads are used (#152).
- Added support for mixed host key/CA key types (i.e.: RSA host keys signed by ED25519 CAs) (#120).

* Tue Apr 25 2023 Paweł Marciniak - 2.5.0-2.git20230425
- Alphabetized algorithm database.
- Updated README.

* Sat Mar 25 2023 Paweł Marciniak - 2.5.0-2.git20230325
- Added Repology table.
- Added recommendations and CVE information to JSON output (#122).
- Updated colorama initialization.
- Updated testing descriptions.
- Updated base image. Removed all suid & sgid bits from image. Drop root privileges by default.
- Generic failure/warning messages replaced with more specific reasons. SHA-1 algorithms now cause failures. CBC mode ciphers are now warnings instead of failures.

* Wed Mar 22 2023 Paweł Marciniak - 2.5.0-2.git20230322
- Added support for kex GSS wildcards (#143).
- Fixed docker tests affected by previous commit.
- Deprecation of ssh-rsa signature algorithm in OpenSSH 8.8 (#171)

* Tue Mar 21 2023 Paweł Marciniak - 2.5.0-2.git20230321
- Add note regarding OpenSSH's 2048-bit GEX fallback, and suppress the related recommendation since the user cannot control it (partly related to #168).
- Added --accept option to automatically update failed tests.
- Improved debugging output.

* Tue Feb 07 2023 Paweł Marciniak - 2.5.0-2.git20230207
- Fix tox tests.
- usage now respects no color (#162)
- Fixed setuptools config file.
- Bumped copyright year.
- Updated supported Python versions.
- Now issues a warning when 2048-bit moduli are encountered.
- Renamed WARN_CURVES_WEAK to FAIL_CURVES_WEAK.

* Sat Feb 04 2023 Paweł Marciniak - 2.5.0-2.git20230204
- Added 2 new ciphers: 'rijndael-cbc@ssh.com', 'cast128-12-cbc@ssh.com'. Added 21 new host key types: .
- Added the following 9 new host key types: 'dsa2048-sha224@libassh.org', 'dsa2048-sha256@libassh.org', 'dsa3072-sha256@libassh.org', 'ecdsa-sha2-1.3.132.0.10-cert-v01@openssh.com', 'eddsa-e382-shake256@libassh.org', 'eddsa-e521-shake256@libassh.org', 'null', 'pgp-sign-dss', 'pgp-sign-rsa'. Added the following 22 new key exchange algorithms: 'diffie-hellman-group-exchange-sha224@ssh.com', 'diffie-hellman-group-exchange-sha384@ssh.com', 'diffie-hellman-group14-sha224@ssh.com', 'diffie-hellman_group17-sha512', 'ecmqv-sha2', 'gss-13.3.132.0.10-sha256-*', 'gss-curve25519-sha256-*', 'gss-curve448-sha512-*', 'gss-gex-sha1-*', 'gss-gex-sha256-*', 'gss-group1-sha1-*', 'gss-group14-sha1-*', 'gss-group14-sha256-*', 'gss-group15-sha512-*', 'gss-group16-sha512-*', 'gss-group17-sha512-*', 'gss-group18-sha512-*', 'gss-nistp256-sha256-*', 'gss-nistp384-sha256-*', 'gss-nistp521-sha512-*', 'm383-sha384@libassh.org', 'm511-sha512@libassh.org'. Added the following 26 new ciphers: '3des-cfb', '3des-ecb', '3des-ofb', 'blowfish-cfb', 'blowfish-ecb', 'blowfish-ofb', 'camellia128-cbc@openssh.org', 'camellia128-ctr@openssh.org', 'camellia192-cbc@openssh.org', 'camellia192-ctr@openssh.org', 'camellia256-cbc@openssh.org', 'camellia256-ctr@openssh.org', 'cast128-cfb', 'cast128-ecb', 'cast128-ofb', 'idea-cfb', 'idea-ecb', 'idea-ofb', 'seed-ctr@ssh.com', 'serpent128-gcm@libassh.org', 'serpent256-gcm@libassh.org', 'twofish-cfb', 'twofish-ecb', 'twofish-ofb', 'twofish128-gcm@libassh.org', 'twofish256-gcm@libassh.org'. Added the following 4 new HMAC algorithms: 'hmac-sha224@ssh.com', 'hmac-sha256-2@ssh.com', 'hmac-sha384@ssh.com', 'hmac-whirlpool'.

* Thu Feb 02 2023 Paweł Marciniak - 2.5.0-2.git20230202
- Added Ubuntu Client 22.04 hardening policy.
- Removed unused CI configs.
- Added Tox testing for Python 3.11. Fixed flake8 & pylint errors.

* Sat Dec 10 2022 Paweł Marciniak - 2.5.0-2.git20221210
- Gex test usage text (#158)
- updated vulnerability database (#157)
- Added 'ssh-xmss@openssh.com' and 'ssh-xmss-cert-v01@openssh.com' experimental host keys (#146).
- Added hmac-sha1-96@openssh.com MAC. (#148)
- Removed pytest version pin from Tox.
- Upgrade all Tox dependencies before running Tox.
- Enabled Python 3.10 tests in Tox.
- Removed CI tests for Python 3.6.
- Added support for host key 'webauthn-sk-ecdsa-sha2-nistp256@openssh.com' (#149).
- Fixed pylint & flake8 warnings and errors.
- Added Ubuntu Server 22.04 LTS hardening policy.

* Sun Apr 10 2022 Paweł Marciniak - 2.5.0-2.git20220410
- Usage now includes '-g' and '--gex-test' parameters
- Removed experimental warning tag from sntrup761x25519-sha512@openssh.com.

* Fri Mar 25 2022 Paweł Marciniak - 2.5.0-2.git20220325
- Updated example.
- Fixed pylint errors, consolidated error checking for granular GEX tests, renamed functions for better readability.
- Corrected accidental text update and a minor typo.
- DH GEX Modulus Size Testing

* Tue Feb 22 2022 Paweł Marciniak - 2.5.0-2.git20220222
- Updated CVE vulnerability flag.
- Fixed tests.
- add a bunch of openssh CVEs (#126)

* Sat Feb 12 2022 Paweł Marciniak - 2.5.0-2.git20211021
- Switching to the "commit" release

* Sun Sep 5 2021 Paweł Marciniak - 2.5.0-1
- Release 2.5.0