This PR updates the lib/ssh package to be on par with x/crypto/ssh v0.7.0. I chose not to update to v0.14.0 to avoid possible incompatibilities with the x/crypto dependency of the project. Updating lib/ssh is necessary for zgrab2 to stay relevant in the future and retain its ability to scan a large variety of different SSH servers.
The following key changes ported from x/crypto are relevant for zgrab2:
Support for AEAD algorithms (AES-GCM and ChaCha20-Poly1305)
Support for RFC-compliant Curve25519 key exchange (currently, only the deprecated libssh-variant is supported)
Support for Encrypt-then-MAC (-etm@openssh.com) MAC algorithms
Support for SSH extension negotiation (RFC8308)
In addition, I integrated some minor improvements myself:
Captured SSH extensions sent by the server after SSH_MSG_NEWKEYS. This requires either --userauth or the new --extensions flag to be present.
Removed unused lib/ssh/terminal and lib/ssh/agent packages
Fixed tests to be compatible with the changes from zgrab2 (see also #391)
Redesigned the DontAuthenticate config flag by splitting it into two separate flags (DontAuthenticate and CollectUserAuth) for better readability
How to Test
Simply scan a few SSH servers and observe the results. I was able to perform an entire IPv4 address range scan without issues.
Notes & Caveats
Without this PR (or a similar one), the SSH scanning capabilities of zgrab2 will slowly decline due to its lack of recent key exchange and cipher algorithms. In the future, it may be beneficial to implement additional algorithms to increase the overall coverage of zgrab2. However, since supported algorithms can be captured without supporting the actual algorithms, a sufficient amount of data is already available to the user.
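The last point above, that a scanner can record which algorithms a server offers without implementing them, as an added example that is not part of the PR or of zgrab2's or x/crypto's code: the server's SSH_MSG_KEXINIT carries the algorithm names as plain name-lists. The function names and the sample payload are this example's own and are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// ParseKexInit decodes the ten name-lists of an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1).
func ParseKexInit(p []byte) (lists [10][]string, err error) {
	if len(p) < 17 || p[0] != 20 { // message type 20, then a 16-byte cookie
		return lists, fmt.Errorf("not an SSH_MSG_KEXINIT payload")
	}
	p = p[17:]
	for i := range lists {
		if len(p) < 4 || uint64(binary.BigEndian.Uint32(p)) > uint64(len(p)-4) {
			return lists, fmt.Errorf("name-list %d is truncated", i)
		}
		n := binary.BigEndian.Uint32(p)
		lists[i] = strings.FieldsFunc(string(p[4:4+n]), func(r rune) bool { return r == ',' })
		p = p[4+n:]
	}
	return lists, nil
}

// Features inspects list 0 (kex) and lists 3 and 5 (server-to-client ciphers and MACs).
func Features(l [10][]string) (aead, etm, rfcCurve bool) {
	for _, c := range l[3] {
		aead = aead || strings.HasSuffix(c, "-gcm@openssh.com") || c == "chacha20-poly1305@openssh.com"
	}
	for _, m := range l[5] {
		etm = etm || strings.HasSuffix(m, "-etm@openssh.com")
	}
	for _, k := range l[0] {
		rfcCurve = rfcCurve || k == "curve25519-sha256" // not the @libssh.org variant
	}
	return aead, etm, rfcCurve
}

// sampleKexInit builds a constructed payload (not captured from a real server).
func sampleKexInit() []byte {
	p := append([]byte{20}, make([]byte, 16)...)
	for _, s := range []string{"curve25519-sha256,curve25519-sha256@libssh.org", "ssh-ed25519", "aes128-ctr",
		"chacha20-poly1305@openssh.com,aes128-ctr", "hmac-sha2-256", "hmac-sha2-256-etm@openssh.com", "none", "none", "", ""} {
		p = append(append(p, 0, 0, 0, byte(len(s))), s...)
	}
	return append(p, 0, 0, 0, 0, 0) // first_kex_packet_follows + reserved
}

func main() { fmt.Println(ParseKexInit(sampleKexInit())) }
```

A length field that points past the end of the payload is rejected rather than sliced, which matters when the input comes from arbitrary hosts on the Internet.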