jtesta / ssh-audit

SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
MIT License

use less-than instead of not-equal when comparing key sizes #242

Closed szubersk closed 8 months ago

szubersk commented 10 months ago

When evaluating policy compliance, use the less-than operator so keys bigger than expected (and hence very often better) don't fail policy evaluation. This change reduces the amount of false positives and allows for more flexibility when hardening SSH installations.

pepoluan commented 9 months ago

Can we merge this? Please?

pepoluan commented 9 months ago

Alternatively ...

Make the comparison a function that looks kinda like this:

global_flag_keysize_must_match = False  # e.g. set to True by a --keysize-exact option

def key_size_complies(expected: int, actual: int) -> bool:
    if global_flag_keysize_must_match:
        return expected == actual
    return expected <= actual

So just in case there are companies that require an exact key size (rather than a minimum key size), we can set global_flag_keysize_must_match to True (perhaps via an option like --keysize-exact)

Or alternatively, turn the logic around so people relying on prior behavior don't get an unexpected surprise, so make the option --keysize-as-minimum.
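The two comparison modes discussed in this thread (exact match, which is what a `!=` check enforces, versus a minimum size, which is what the PR's `<` check enforces), written out as an added example. This is not ssh-audit's own code; `KeySizePolicy`, `check_key_sizes` and the `exact` flag are illustrative names, and the policy and observed key sizes are constructed sample data.

```python
"""Added example (not ssh-audit's own code): policy key-size comparison in
'exact' vs 'minimum' mode, as discussed in this PR.

Names such as KeySizePolicy, check_key_sizes and `exact` are assumptions
for illustration, not ssh-audit identifiers."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class KeySizePolicy:
    # Expected size (in bits) per host-key algorithm; constructed sample policy.
    expected: Dict[str, int]
    # When True, a key must be exactly the policy size (the old '!=' behaviour);
    # when False, larger keys also comply (the PR's '<' behaviour).
    exact: bool = False

    def complies(self, name: str, actual: int) -> bool:
        expected = self.expected[name]
        if self.exact:
            return actual == expected
        return actual >= expected


def check_key_sizes(policy: KeySizePolicy, observed: Dict[str, int]) -> List[str]:
    """Return one failure line per non-compliant key; an empty list means the policy passes."""
    failures = []
    for name, actual in observed.items():
        if name not in policy.expected:
            continue  # algorithm not covered by the policy, so nothing to compare
        if not policy.complies(name, actual):
            relation = "must be exactly" if policy.exact else "must be at least"
            failures.append(f"{name}: {actual} bits, {relation} {policy.expected[name]}")
    return failures


# Constructed sample: a server whose RSA host key is larger than the policy asks for.
SAMPLE_POLICY = {"ssh-rsa": 3072, "rsa-sha2-512": 3072}
SAMPLE_OBSERVED = {"ssh-rsa": 4096, "rsa-sha2-512": 4096, "ssh-ed25519": 256}

if __name__ == "__main__":
    for exact in (True, False):
        result = check_key_sizes(KeySizePolicy(SAMPLE_POLICY, exact=exact), SAMPLE_OBSERVED)
        print("exact" if exact else "minimum", "->", result or "policy passes")
```

Run stand-alone, the 4096-bit keys fail in exact mode and pass in minimum mode, which is the false positive the PR removes; a 2048-bit key still fails in both modes, so the minimum mode loses none of the protection against undersized keys.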

szubersk commented 8 months ago

@jtesta what do you think about this PR?

jtesta commented 8 months ago

@pepoluan , @szubersk : I'll be reviewing this PR soon. I'm planning for a release by the end of this month, and either this PR or something similar will likely be included.

jtesta commented 8 months ago

@szubersk : thanks for submitting this PR!