SSH-Audit Algorithm Look Up

Summary

ssh-audit is an open-source command line tool written in Python for performing SSH client and server auditing. I recently contributed a new feature that provides a means of looking up an SSH algorithm name and returning the information that ssh-audit holds on it.

NB: A self-contained executable version of ssh-audit is available for Windows that omits the need for Python to be installed.

Purpose

The SSH protocol utilises various algorithm types (host key, key exchange, message authentication code [mac] and encryption cipher) at different stages of a session. There are many algorithms of each type, the number of which continues to grow as what was once considered secure is rendered obsolete.

The look up feature provides a convenient way to determine the current status of an algorithm. I find this particularly useful when working on projects that use an SSH component, as I often need to review product documentation and make notes on the algorithms it claims to support.

Usage

The look up feature is invoked as follows:

ssh-audit --lookup=<alg1,alg2,...>

Example

To return the information that ssh-audit holds on the encryption cipher aes256-cbc and the message authentication code (MAC) hmac-sha2-512:

thecliguy@SANDBOX:~$ ssh-audit --lookup=aes256-cbc,hmac-sha2-512
# message authentication code algorithms
(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
                    `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56

# encryption algorithms (ciphers)
(enc) aes256-cbc    -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
                    `- [warn] using weak cipher mode
                    `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47

It should be noted that the example above illustrates the information that ssh-audit returns in version 2.3.1 which is the most recent release at the time of writing this blog post in November 2020. The information returned is subject to change as new versions of ssh-audit are released to reflect current security standards.

Similar Algorithm Suggestions

SSH algorithm names are case sensitive, see section 4.6.1 of The Secure Shell (SSH) Protocol Assigned Numbers (RFC 4250) and section 6 of the SSH Protocol Architecture (RFC 4251).

The look up feature adheres to case sensitive names but has been designed with a degree of tolerance. If a user supplies a value for which there is no exact match then a case-insensitive search is performed returning any names where the value appears as a substring.

Here’s an example (using ssh-audit 2.3.1) where a look up is performed against RSA-sha2-256 for which there is no exact match but there are two similar matches, rsa-sha2-256 and rsa-sha2-256-cert-v01@openssh.com:

thecliguy@SANDBOX:~$ ssh-audit --lookup=RSA-sha2-256
# unknown algorithms
RSA-sha2-256

# suggested similar algorithms
RSA-sha2-256 --> (key) rsa-sha2-256
RSA-sha2-256 --> (key) rsa-sha2-256-cert-v01@openssh.com

Caveats

The information that ssh-audit holds on SSH algorithms is contained within the application itself, it does not fetch it from an external resource. You should therefore endeavour to use the latest version of ssh-audit so that the information returned reflects current security standards.

Comments

Leaving comments has been disabled for this post.

Copyright © 2018 - 2021 thecliguy.co.uk
For details, see Licences and Copyright