Closed mamoona-aslam closed 9 months ago
I suppose I'm having trouble understanding the issue you've run into.
Could you please copy/paste the output of ssh-audit v3.1.0 (or the master branch) against a target? Then I could understand what the problem might be.
the strict-kex is not related to the kex curve25519-sha256
it is related to the vulnerable cipher Chacha20-poly1503
or cbc
, this is also what the messages in my scan say. Maybe the list of KEX sorted curve25519 right above the signalling algorithm? in that case the report just need to be read more carefully @mamoona-aslam
The problem is resolved. you were right @ecki , the `chacha20-poly15031 cipher was highlighted as being vulnerbale. as the target which i checked against was a debian machine, with the security patch the terrapin vulnerability issue is fixed
i ran Terrapin-scanner and came across issue regarding Strick key exchange.
I raised a ticket and got the response
No, kex-strict-s-v00@openssh.com is the indicator used to signal the support for the strict key exchange countermeasure and is unrelated to curve25519-sha256. The ssh-audit issue that you linked also got that wrong. The quote there confuses the last sentence of section 1.8 of the OpenSSH PROTOCOL file (describing curve25519-sha256@openssh.com) with the beginning of section 1.9 (released as 1.10; describing strict key exchange). Those are not related.
Kindly please look into it?