Closed antivirtel closed 2 years ago
Hi there. In your first example for CentOS 6, you posted this:
# algorithm recommendations (for OpenSSH 5.3)
(rec) -ssh-rsa -- key algorithm to remove
(rec) +diffie-hellman-group-exchange-sha256-- kex algorithm to append
(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove
Its actually advising you to remove diffie-hellman-group14-sha1
, not include it.
Regarding diffie-hellman-group-exchange-sha256
, that can be good or bad, depending on the moduli the server is configured with. In OpenSSH, that's controlled by the /etc/ssh/moduli file (see the hardening guides here for removing the weak moduli: https://www.sshaudit.com/hardening_guides.html).
OpenVAS is also alerting for that
Seems like OpenVAS isn't using a proper modulus test for diffie-hellman-group-exchange-sha256
. I'd guess it sees that key exchange algorithm and is just assuming the worst. On many default platforms, that conclusion is valid, but its a false positive for properly hardened systems.
Hi,
I've just used the v2.5.0 release of ssh-audit, it is a great tool, but it seems like it's still suggesting vulnerable things like
diffie-hellman-group14-sha1
eg. for EL6(CentOS 6) SSHd versions:However we know that they're vulnerable/weak, OpenVAS is also alerting for that:
From the above, other than not to use EL6 anymore (which we know the reality of, in progress of migration, have to keep them around until they're mirated). I don't think SSH-audit should suggest the below:
I also see the same with other (more recent) OSes: EL7:
Ubuntu 20.04 LTS:
If you agree, can you please remove any suggestions which are about Diffie Hellman algorithms?
Ps. when does a new release is expected with the new changes?
Thank you!