Closed perkelix closed 8 months ago
I added a built-in policy for Debian 12 (in https://github.com/jtesta/ssh-audit/commit/b70fb0bc4c7ae0100c5e2cf4fb605b8af848b74c):
```
$ ./ssh-audit.py -L
Server policies:
[...]
* "Hardened Debian 12 (version 1)"
[...]
```
If you use this more specific policy for scanning Debian 12 after applying the hardening guide at https://ssh-audit.com/hardening_guides.html#debian_12, you should get a passing score.
I'm closing this issue now, since I think I fixed the root cause of your problem, but if you run into any other problems against Debian 12, please re-open this issue. Thanks for reporting!
As mentioned in #172, there is a mismatch between the configurations generated by the hardening guide scripts and ssh-audit's server policies. Some algorithms don't appear in the order expected by policies. This has been verified using Debian 12 and Ubuntu policies. Additionally, policies fail if the (kex) kex-strict-s-v00@openssh.com was backported as a Terrapin fix. This backport exists on Debian 12, which ships v9.2p1.
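The two failure modes in the report above (the same algorithms in a different order, and an extra `kex-strict-s-v00@openssh.com` entry from the Terrapin backport) can be told apart with a small comparison helper when triaging a failed policy scan. This is an added example, not ssh-audit's own code and not part of the original thread; the function names and the sample key exchange list are constructed for illustration.

```python
# Added illustration; this is not ssh-audit's own policy comparison code.
KEX_STRICT_MARKER = "kex-strict-s-v00@openssh.com"  # entry named in the report

# Constructed sample list, not copied from any built-in policy.
POLICY_KEX = [
    "sntrup761x25519-sha512@openssh.com",
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "diffie-hellman-group16-sha512",
]


def describe(expected, actual):
    """Split a list mismatch into missing, unexpected and reordered parts."""
    common_expected = [a for a in expected if a in actual]
    common_actual = [a for a in actual if a in expected]
    return {
        "missing": [a for a in expected if a not in actual],
        "unexpected": [a for a in actual if a not in expected],
        # True when the shared algorithms appear in a different preference order.
        "reordered": common_expected != common_actual,
    }


def classify(expected, actual, markers=(KEX_STRICT_MARKER,)):
    """Return 'match', 'marker-only', 'order-only' or 'content'."""
    if list(expected) == list(actual):
        return "match"
    d = describe(expected, actual)
    only_markers = all(a in markers for a in d["unexpected"])
    if d["missing"] or not only_markers:
        return "content"      # an algorithm was really added or removed
    if d["reordered"]:
        return "order-only"   # same set, different preference order
    return "marker-only"      # only the strict-KEX marker was appended


if __name__ == "__main__":
    backported = POLICY_KEX + [KEX_STRICT_MARKER]
    reordered = [POLICY_KEX[1], POLICY_KEX[0]] + POLICY_KEX[2:]
    for name, observed in (("backport", backported), ("reordered", reordered)):
        print(name, classify(POLICY_KEX, observed), describe(POLICY_KEX, observed))
```

A `content` result is the one that needs attention, since it means the server offers or lacks an actual algorithm relative to the expected list.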