mozilla / ssh_scan

DEPRECATED - A prototype SSH configuration and policy scanner (Blog: https://mozilla.github.io/ssh_scan/)
Mozilla Public License 2.0

Add Insecure Host Key Algorithms #517

Closed bka-dev closed 2 years ago

bka-dev commented 4 years ago

Scenario

Currently other tools report weak host key algorithms like ssh-dss and ecdsa-sha2-nistp256 and recommend using ssh-rsa and ssh-ed25519 instead.

ssh-dss has been discontinued since OpenSSH 7.0, whereas for ecdsa-sha2-nistp256 it's not quite clear whether this algorithm is really weak or not.

I noticed that ssh-scan is reporting none of the algorithms above, because host key algorithms are not checked in general. It seems like the data is present in the scan output already, it's just not highlighted at the moment.

Versions

0.0.42

Expected Output

ssh-scan should audit the host key algorithms as well and give recommendations to use strong algorithms.

References

https://www.openssh.com/legacy.html

claudijd commented 4 years ago

@bka-dev I'm not working on ssh_scan as much these days, if you would like to send a PR for the changes, I would totally welcome that. If it's already in the scan result, adding some rules to the policy shouldn't be too challenging.
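As an added illustration of the policy rule the issue requests and the reply says should be easy to add (example code, not ssh_scan's own), here is a Ruby audit over one scan result. It assumes the scan output exposes the offered host key algorithms under a `key_algorithms` key, and it puts the NIST-curve ECDSA names in a separate "discouraged" tier because the post leaves their strength open.

```ruby
require 'json'
require 'set'

# Host key algorithm policy. The insecure tier follows the issue (ssh-dss is
# disabled by default since OpenSSH 7.0) and the recommended tier follows its
# suggestion of ssh-rsa and ssh-ed25519. The discouraged tier is an assumption:
# it flags NIST-curve ECDSA for review without declaring it broken.
HOST_KEY_POLICY = {
  insecure:    Set['ssh-dss'],
  discouraged: Set['ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521'],
  recommended: Set['ssh-ed25519', 'ssh-rsa'],
}.freeze

# Evaluate the host key algorithms in one scan result (a Hash parsed from JSON).
# The 'key_algorithms' key name is an assumption about the scan output format.
def audit_host_key_algorithms(result, policy = HOST_KEY_POLICY)
  offered     = Set.new(result.fetch('key_algorithms', []))
  insecure    = (offered & policy[:insecure]).to_a.sort
  discouraged = (offered & policy[:discouraged]).to_a.sort
  strong      = (offered & policy[:recommended]).to_a.sort

  recommendations = []
  insecure.each    { |a| recommendations << "Remove insecure host key algorithm #{a}" }
  discouraged.each { |a| recommendations << "Review host key algorithm #{a}; prefer ssh-ed25519" }
  if strong.empty?
    recommendations << "Offer a strong host key algorithm: #{policy[:recommended].to_a.sort.join(', ')}"
  end

  {
    'compliant'       => insecure.empty? && !strong.empty?,
    'insecure'        => insecure,
    'discouraged'     => discouraged,
    'strong'          => strong,
    'recommendations' => recommendations,
  }
end

# Constructed sample resembling a scan result; not output from any real host.
SAMPLE_SCAN_JSON = <<~JSON
  {"ip": "192.0.2.10", "port": 22,
   "key_algorithms": ["ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", "ssh-ed25519"]}
JSON

if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(audit_host_key_algorithms(JSON.parse(SAMPLE_SCAN_JSON)))
end
```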