SSH-Audit Algorithm Look Up24 Nov 2020 · Comments: · Tags: SSH, ssh-audit, python, security
ssh-audit is an open-source command
line tool written in Python for performing SSH client and server auditing. I
recently contributed a new feature that provides a means of looking up an
SSH algorithm name and returning the information that
ssh-audit holds on it.
NB: A self-contained executable version of
ssh-audit is available for
Windows, which negates the need to install Python.
The SSH protocol utilises various algorithm types (host key, key exchange, message authentication code [mac] and encryption cipher) at different stages of a session. There are many algorithms of each type, the number of which continues to grow as what was once considered secure is rendered obsolete.
The look up feature provides a convenient way to determine the current status of an algorithm. I find this particularly useful when working on projects that use an SSH component, as I often need to review product documentation and make notes on the algorithms it claims to support.
The look up feature is invoked as follows:
To return the information that
ssh-audit holds on the encryption cipher
aes256-cbc and the message authentication code (MAC)
thecliguy@SANDBOX:~$ ssh-audit --lookup=aes256-cbc,hmac-sha2-512 # message authentication code algorithms (mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 # encryption algorithms (ciphers) (enc) aes256-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm `- [warn] using weak cipher mode `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
It should be noted that the example above illustrates the information that
ssh-audit returns in version 2.3.1 which is the most recent release at the
time of writing this blog post in November 2020. The information returned is
subject to change as new versions of
ssh-audit are released to reflect
current security standards.
Similar Algorithm Suggestions
SSH algorithm names are case sensitive, see section 4.6.1 of The Secure Shell (SSH) Protocol Assigned Numbers (RFC 4250) and section 6 of the SSH Protocol Architecture (RFC 4251).
The look up feature adheres to case sensitive names but has been designed with a degree of tolerance. If a user supplies a value for which there is no exact match then a case-insensitive search is performed returning any names where the value appears as a substring.
Here’s an example (using
ssh-audit 2.3.1) where a look up is performed against
RSA-sha2-256 for which there is no exact match but there are two similar
thecliguy@SANDBOX:~$ ssh-audit --lookup=RSA-sha2-256 # unknown algorithms RSA-sha2-256 # suggested similar algorithms RSA-sha2-256 --> (key) rsa-sha2-256 RSA-sha2-256 --> (key) email@example.com
The information that
ssh-audit holds on SSH algorithms is contained within the
application itself, it does not fetch it from an external resource. You should
therefore endeavour to use the latest version of
ssh-audit so that the
information returned reflects current security standards.