knweiss
commented
7 years ago Also, checking the bit sizes of the configured SSH user keys (e.g. RSA >= 2048 bit) would be another useful client-side check.
Open knweiss opened 7 years ago
knweiss
commented
7 years ago Also, checking the bit sizes of the configured SSH user keys (e.g. RSA >= 2048 bit) would be another useful client-side check.
knweiss
commented
7 years ago Or checking the (new) storage format of the private key (bcrypt KDF and number of rounds) or the public key (RFC 4716).
Or warning about the key age and hinting about key rotation if the local private key file has an old timestamp.
egberts
commented
6 years ago :thumbup:
jtesta
commented
4 years ago @knweiss @egberts I implemented SSH client testing in v2.1.0 of my fork: https://github.com/jtesta/ssh-audit/releases/tag/v2.1.0
egberts
commented
4 years ago Oh, and please do check for those pesky "ControlMaster" settings. It is getting problematic. A minimum warning message there.
What do you think about the idea of a SSH client audit feature?
Of course, admins can configure a good and up-to-date system-wide client config (
/etc/ssh/ssh_config). However, users also have their own (and often ancient!) settings in~/.ssh/config. AFAIK there is no tool that audits the client settings and gives recommendations.When I discovered the
ssh -G hostoption (available since OpenSSH 6.8) I thought this may be an interesting and easy way to audit the effective client settings for the respective destination.Also, it would be possible to not only check the configured algorithms but also insecure or dangerous features (e.g. X11Forwarding, Agent-Forwarding, etc).
It could look like this: