search

jtesta / ssh-audit

SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
MIT License
3.44k stars 179 forks source link

RFC8308 7.2- Extension Negotiation in the Secure Shell (SSH) Protocol (ext-info-s, ext-info-c) #291

Closed perkelix closed 2 months ago

perkelix commented 3 months ago

According to OpenSSH's feature list, ext-info-s and ext-info-c were implemented starting with version 7.2, but ssh-audit seemingly doesn't report the existence of these features on hosts running something earlier than 9.8. Is this intentional?

jtesta commented 3 months ago

I see ext-info-s properly reported. The master branch of ssh-audit, when run against an Ubuntu 24.04 target, produces the following output:

$ ./ssh-audit.py 10.x.x.x
# general
(gen) banner: SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5
(gen) software: OpenSSH 9.6p1
(gen) compatibility: OpenSSH 8.5+, Dropbear SSH 2020.79+
(gen) compression: enabled (zlib@openssh.com)

# key exchange algorithms
[...]
(kex) ext-info-s                            -- [info] pseudo-algorithm that denotes the peer supports RFC8308 extensions
[...]
perkelix commented 3 months ago

The same branch fails to report ext-info-s or ext-info-c against Debian 12:

# general
(gen) banner: SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3
(gen) software: OpenSSH 9.2p1
(gen) compatibility: OpenSSH 8.5+, Dropbear SSH 2020.79+
(gen) compression: enabled (zlib@openssh.com)

# key exchange algorithms
(kex) sntrup761x25519-sha512@openssh.com    -- [info] available since OpenSSH 8.5
                                            `- [info] default key exchange since OpenSSH 9.0
(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
                                            `- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) curve25519-sha256@libssh.org          -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
                                            `- [info] default key exchange from OpenSSH 6.5 to 7.3
(kex) diffie-hellman-group16-sha512         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512         -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available since OpenSSH 4.4
                                                      `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
(kex) kex-strict-s-v00@openssh.com          -- [info] pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795)
jtesta commented 3 months ago

Against a fully updated Debian 12 target, it appears that the platform does not return ext-info-s:

$ telnet 10.x.x.x 22
Trying 10.x.x.x...
Connected to 10.x.x.x.
Escape character is '^]'.
SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3
SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3
T
gx�ڐ�3�{��Q��k�&sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,kex-strict-s-v00@openssh.com9rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519lchacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.comlchacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com�umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1�umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1none,zlib@openssh.comnone,zlib@openssh.com
perkelix commented 3 months ago

I already confirmed that it does not, yet it should, since the feature was implemented in OpenSSH 7.2.

jtesta commented 3 months ago

Some Linux distros make drastic changes to OpenSSH before shipping on their platforms. I suppose Debian disabled that feature, then.

ssh-audit appears to work correctly, though.

jtesta commented 3 months ago

@perkelix: do you have any other concerns about ssh-audit not functioning properly?

perkelix commented 3 months ago

Other than the fact that it doesn't report something that is allegedly implemented since an earleir version of OpenSSH than what's in Debian 12? No.

jtesta commented 2 months ago

I don't have an explanation as to why Debian removed that feature from OpenSSH before shipping it (it may have happened in https://salsa.debian.org/ssh-team/openssh/-/blob/bookworm/debian/patches/gssapi.patch?ref_type=heads#L3814). But I do know that ssh-audit is properly reporting the state of a fully updated Debian 12 target.

cjwatson commented 1 month ago

Hi, Debian openssh maintainer here. Sorry for the delay in following up here; @perkelix brought this issue to my attention a while ago, but I had an annoyingly-timed Covid infection and am only now catching up.

It is not true that Debian removed the ext-info-s feature from OpenSSH before shipping it, and the GSS-API key exchange patch has nothing to do with this. I'm emphasizing that because mistaken claims have a way of getting copied around the internet and getting me in trouble, so I want to correct the record.

Rather, as far as I can tell, support for having the server advertise RFC8308 ext-info support was only added in OpenSSH 9.6 (as opposed to having the client advertise it, which was added in OpenSSH 7.2 as part of handling server-sig-algs). To prove this, I bisected upstream builds with no Debian patches and default configuration, and reached https://anongit.mindrot.org/openssh.git/commit/?id=a7ed931caeb68947d30af8a795f4108b6efad761 as the first commit for which ssh-audit reports ext-info-s in its list of key exchange algorithms.

I don't think any action is needed on the Debian side here; this upstream change wasn't part of a security fix and isn't one I'd currently be inclined to backport. But perhaps ssh-audit could usefully make it clear that this feature is only available as of OpenSSH 9.6?

cjwatson commented 1 month ago

I've also notified OpenSSH upstream of what seems to be a minor error in their list of which specifications are implemented in which versions: https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-October/041597.html

jtesta commented 1 month ago

@cjwatson: thanks for investigating this! I've updated the output of ssh-audit so that it reports the right version of OpenSSH that supports those algorithms in https://github.com/jtesta/ssh-audit/commit/d0628f6eb430a15413f840ea1a99b1659b00b21f.

Against an OpenSSH 9.9 client, ssh-audit now reports:

# general
(gen) client IP: 10.x.x.x
(gen) banner: SSH-2.0-OpenSSH_9.9
[...]

# key exchange algorithms
[...]
(kex) ext-info-c                                   -- [info] available since OpenSSH 7.2
                                                   `- [info] pseudo-algorithm that denotes the peer supports RFC8308 extensions

Against an OpenSSH 9.9 server:

# general
(gen) banner: SSH-2.0-OpenSSH_9.9
[...]

# key exchange algorithms
[...]
(kex) ext-info-s                            -- [info] available since OpenSSH 9.6
                                            `- [info] pseudo-algorithm that denotes the peer supports RFC8308 extensions
perkelix commented 1 month ago

@cjwatson thanks for looking into this. I see that the info is now fixed upstream on OpenSSH's website.