jtesta / ssh-audit

SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
MIT License
3.44k stars 179 forks source link

mismatch between audit policy and hardening guide config order #248

Closed perkelix closed 8 months ago

perkelix commented 9 months ago

As mentioned in #172, there is a mismatch between the configurations generated by the hardening guide scripts and ssh-audit's server policies. Some algorithms don't appear in the order expected by policies. This has been verified using Debian 12 and Ubuntu policies. Additionally, policies fail if the (kex) kex-strict-s-v00@openssh.com was backported as a Terrapin fix. This backport exists on Debian 12 which ships v9.2p1.

jtesta commented 8 months ago

I added a built-in policy for Debian 12 (in https://github.com/jtesta/ssh-audit/commit/b70fb0bc4c7ae0100c5e2cf4fb605b8af848b74c):

$ ./ssh-audit.py -L

Server policies:
[...]
  * "Hardened Debian 12 (version 1)"
[...]

If you use this more specific policy for scanning Debian 12 after applying the hardening guide at https://ssh-audit.com/hardening_guides.html#debian_12, you should get a passing score.

I'm closing this issue now, since I think I fixed the root cause of your problem, but if you run into any other problems against Debian 12, please re-open this issue. Thanks for reporting!