Added warnings to all key exchanges that do not provide protection against quantum attacks.
jtesta committed Nov 25, 2024
1 parent a01baad commit 28a1e23
Showing 26 changed files with 475 additions and 162 deletions.
1 change: 1 addition & 0 deletions README.md
@@ -217,6 +217,7 @@ For convenience, a web front-end on top of the command-line tool is available at
## ChangeLog

### v3.4.0-dev
- Added warning to all key exchanges that do not include protections against quantum attacks due to the Harvest Now, Decrypt Later strategy (see https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later).
- Migrated from deprecated `getopt` module to `argparse`; partial credit [oam7575](https://github.com/oam7575).

### v3.3.0 (2024-10-15)
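Review bot: The changelog entry gives the scope ("all key exchanges that do not include protections against quantum attacks") but neither the severity nor which exchanges are exempt, so a reader of the ChangeLog cannot tell what the new finding asks them to migrate to; the expected results in this commit show it as a [warn] that lands on every kex a Dropbear 2019.78 or OpenSSH 5.6 server offers. Suggest stating both in the entry, e.g. "Added a [warn] to every key exchange that is not a post-quantum hybrid", and naming the hybrid family that is exempt.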
199 changes: 100 additions & 99 deletions src/ssh_audit/ssh2_kexdb.py

Large diffs are not rendered by default.
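Review bot: The substantive change lives in this file and is not rendered, so which entries gained the note and which were exempted cannot be reviewed from this page; the README line and the fixtures only show that the note was added per entry to essentially every existing kex. One wording point applies to the string itself as it appears in the expected results, "does not provide protection against post-quantum attacks": the threat is a quantum attack on the key exchange (a harvest-now-decrypt-later attacker, per the changelog), while "post-quantum" describes the cryptography that resists it. Suggest "does not provide protection against quantum attacks (Harvest Now, Decrypt Later)" or "is not post-quantum secure", which also matches the commit title.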

42 changes: 34 additions & 8 deletions test/docker/expected_results/dropbear_2019.78_test1.json
@@ -116,6 +116,9 @@
"info": [
"default key exchange from OpenSSH 7.4 to 8.9",
"available since OpenSSH 7.4, Dropbear SSH 2018.76"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@@ -125,6 +128,9 @@
"info": [
"default key exchange from OpenSSH 6.5 to 7.3",
"available since OpenSSH 6.4, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@@ -136,6 +142,9 @@
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@@ -147,6 +156,9 @@
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@@ -158,6 +170,9 @@
],
"info": [
"available since OpenSSH 5.7, Dropbear SSH 2013.62"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@@ -168,7 +183,8 @@
"available since OpenSSH 7.3, Dropbear SSH 2016.73"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
},
@@ -182,7 +198,8 @@
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
},
@@ -191,6 +208,9 @@
"notes": {
"info": [
"available since Dropbear SSH 2013.57"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
}
@@ -349,12 +369,6 @@
"name": "twofish256-ctr",
"notes": ""
}
],
"kex": [
{
"name": "diffie-hellman-group16-sha512",
"notes": ""
}
]
}
},
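Review bot: Dropping the "+diffie-hellman-group16-sha512" append here, combined with the kex removals the next hunk adds for every remaining key exchange the Dropbear 2019.78 target offers, leaves the recommendations advising an empty KexAlgorithms list for a server that has no post-quantum hybrid to fall back on; a server configured exactly as recommended would fail every connection. Suggest the recommendation generator not emit "-X" for a kex whose only findings are [warn] unless the target supports at least one kex with no findings, or keep the group16 append as the least-bad option with its warning attached.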
@@ -371,9 +385,21 @@
}
],
"kex": [
{
"name": "curve25519-sha256",
"notes": ""
},
{
"name": "[email protected]",
"notes": ""
},
{
"name": "diffie-hellman-group14-sha256",
"notes": ""
},
{
"name": "[email protected]",
"notes": ""
}
],
"mac": [
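Review bot: "diffie-hellman-group14-sha256" appears as a new removal in this hunk, yet before this commit it already carried the [warn] "2048-bit modulus only provides 112-bits of symmetric strength" (see the expected results above) and was not recommended for removal. Either the removal rule keys on this specific warning rather than on the [warn] level, or the rule itself changed in the unrendered code; the commit message does not say which. Please document the rule in the changelog, since users diffing old and new reports will see an algorithm flip to "remove" with no new finding beyond the one now shared by every kex.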
22 changes: 16 additions & 6 deletions test/docker/expected_results/dropbear_2019.78_test1.txt
@@ -5,22 +5,30 @@
(gen) compression: enabled ([email protected])

# key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 `- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) [email protected] -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
 `- [info] default key exchange from OpenSSH 6.5 to 7.3
(kex) curve25519-sha256 -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
`- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) [email protected] -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
`- [info] default key exchange from OpenSSH 6.5 to 7.3
(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
 `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
(kex) [email protected] -- [info] available since Dropbear SSH 2013.57
(kex) [email protected] -- [warn] does not provide protection against post-quantum attacks
`- [info] available since Dropbear SSH 2013.57

# host-key algorithms
(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
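Review bot: Nine identical "[warn] does not provide protection against post-quantum attacks" lines now appear in this section, one per kex, and for a target such as Dropbear 2019.78 that has no hybrid to switch to, none of them is individually actionable. Suggest emitting the finding once in the "# additional info" section (for example "none of the key exchanges offered by this server is post-quantum safe") and keeping the per-algorithm line only where it changes a decision; that would also keep the headline of entries like curve25519-sha256 on their [info] lines, as it was before this hunk.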
@@ -74,13 +82,15 @@
(rec) -hmac-sha1-96 -- mac algorithm to remove 
(rec) -ssh-dss -- key algorithm to remove 
(rec) -ssh-rsa -- key algorithm to remove 
(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append 
(rec) +twofish128-ctr -- enc algorithm to append 
(rec) +twofish256-ctr -- enc algorithm to append 
(rec) -aes128-cbc -- enc algorithm to remove 
(rec) -aes256-cbc -- enc algorithm to remove 
(rec) -curve25519-sha256 -- kex algorithm to remove 
(rec) [email protected] -- kex algorithm to remove 
(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove 
(rec) -hmac-sha2-256 -- mac algorithm to remove 
(rec) [email protected] -- kex algorithm to remove 

# additional info
(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
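Review bot: "-hmac-sha2-256 -- mac algorithm to remove" now sits between two kex removals because the list is sorted by algorithm name across types ("-curve25519...", "-diffie-hellman...", "-hmac-sha2-256", "[email protected]"). Suggest sorting by type (kex, key, enc, mac) and then by name, which matches how the per-algorithm sections above are organised and makes the four new kex removals read as one group.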
9 changes: 8 additions & 1 deletion test/docker/expected_results/openssh_4.0p1_test1.json
@@ -173,6 +173,9 @@
],
"info": [
"available since OpenSSH 2.3.0"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@@ -186,7 +189,8 @@
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
},
@@ -201,6 +205,9 @@
"info": [
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
}
3 changes: 3 additions & 0 deletions test/docker/expected_results/openssh_4.0p1_test1.txt
@@ -10,13 +10,16 @@

# key exchange algorithms
(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 2.3.0
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
 `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
 `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
 `- [fail] using broken SHA-1 hash algorithm
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9

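Review bot: diffie-hellman-group1-sha1 now carries three [fail] findings plus the new [warn]; for an algorithm already failed three times over and removed in OpenSSH 6.9, the extra line adds nothing an operator can act on, and the same applies to the 1024-bit group-exchange entries in the OpenSSH 5.6 fixtures. Suggest suppressing the post-quantum [warn] on entries that already carry a [fail], since the [fail] alone already forces removal.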
12 changes: 11 additions & 1 deletion test/docker/expected_results/openssh_5.6p1_test1.json
@@ -195,6 +195,9 @@
],
"info": [
"available since OpenSSH 4.4"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@@ -207,6 +210,9 @@
],
"info": [
"available since OpenSSH 2.3.0"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@@ -220,7 +226,8 @@
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
},
@@ -235,6 +242,9 @@
"info": [
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
}
4 changes: 4 additions & 0 deletions test/docker/expected_results/openssh_5.6p1_test1.txt
@@ -6,15 +6,19 @@

# key exchange algorithms
(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 2.3.0
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
 `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
 `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
 `- [fail] using broken SHA-1 hash algorithm
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9

12 changes: 11 additions & 1 deletion test/docker/expected_results/openssh_5.6p1_test2.json
@@ -185,6 +185,9 @@
],
"info": [
"available since OpenSSH 4.4"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@@ -197,6 +200,9 @@
],
"info": [
"available since OpenSSH 2.3.0"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@@ -210,7 +216,8 @@
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
},
@@ -225,6 +232,9 @@
"info": [
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
}
4 changes: 4 additions & 0 deletions test/docker/expected_results/openssh_5.6p1_test2.txt
@@ -6,15 +6,19 @@

# key exchange algorithms
(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 2.3.0
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
 `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
(kex) diffie-hellman-group1-sha1 -- [fail] using small 1024-bit modulus
 `- [fail] vulnerable to the Logjam attack: https://en.wikipedia.org/wiki/Logjam_(computer_security)
 `- [fail] using broken SHA-1 hash algorithm
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
`- [info] removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9

12 changes: 11 additions & 1 deletion test/docker/expected_results/openssh_5.6p1_test3.json
@@ -185,6 +185,9 @@
],
"info": [
"available since OpenSSH 4.4"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@@ -197,6 +200,9 @@
],
"info": [
"available since OpenSSH 2.3.0"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
},
@@ -210,7 +216,8 @@
"available since OpenSSH 3.9, Dropbear SSH 0.53"
],
"warn": [
"2048-bit modulus only provides 112-bits of symmetric strength"
"2048-bit modulus only provides 112-bits of symmetric strength",
"does not provide protection against post-quantum attacks"
]
}
},
@@ -225,6 +232,9 @@
"info": [
"removed in OpenSSH 6.9: https://www.openssh.com/txt/release-6.9",
"available since OpenSSH 2.3.0, Dropbear SSH 0.28"
],
"warn": [
"does not provide protection against post-quantum attacks"
]
}
}

3 comments on commit 28a1e23

@perkelix

While I sympathize with the intent of this change, the resulting recommendations pretty much leave only one valid key exchange algorithm for OpenSSH 9.2p1. What happens once that one is also found to be unreliable?

A minor point: this change also results in the output turning into an illogical color coding between info lines (see screenshot).

@jtesta (Owner, Author) commented on 28a1e23 Nov 26, 2024


> What happens once that one is also found to be unreliable?

Then it, too, will be marked accordingly. The purpose of ssh-audit is to present the facts to the user. If 100% of all SSH key exchange algorithms had problems, then that's exactly what it should report.

The threat of the Harvest Now, Decrypt Later strategy is being taken very seriously by the cryptographic community. And so system admins should be made aware so they can make migration plans. Unfortunately, this does mean that most modern platforms have only one safe key exchange at this time. It won't be until platforms ship OpenSSH 9.9 or later that a second good option becomes available (with mlkem768x25519-sha256).
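The migration question raised in this thread, as an added example that is not ssh-audit's own code: a small parser for the `# key exchange algorithms` section of ssh-audit's text output as it looks after this commit, which reports whether any offered kex is a post-quantum hybrid (the Harvest Now, Decrypt Later exposure) and which algorithms an operator can keep when none is, instead of removing every kex a literal reading of the recommendations would imply. The sample input is constructed from the Dropbear 2019.78 expected results on this page. The `mlkem768x25519-sha256` line, the `sntrup` name marker and the fallback ranking (no `[fail]`, fewest `[warn]` first) are assumptions of the example, not ssh-audit's behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Headline line: "(kex) NAME [(N-bit)] -- [LEVEL] message"
HEAD = re.compile(r"^\(kex\) (\S+)(?: \((\d+)-bit\))? -- \[(fail|warn|info)\] (.*)$")
# Continuation line: "`- [LEVEL] message" (the rendered diff shows an optional leading space)
CONT = re.compile(r"^\s*`- \[(fail|warn|info)\] (.*)$")

# Assumption of this example: a kex counts as a post-quantum hybrid when its name
# contains one of these markers. The commit thread only names mlkem768x25519-sha256
# (OpenSSH 9.9); "sntrup" is OpenSSH's earlier hybrid family.
PQ_MARKERS = ("mlkem", "sntrup")


@dataclass
class KexFinding:
    name: str
    bits: Optional[int] = None  # modulus size shown for group-exchange entries
    fail: List[str] = field(default_factory=list)
    warn: List[str] = field(default_factory=list)
    info: List[str] = field(default_factory=list)


def parse_kex_section(text: str) -> Dict[str, KexFinding]:
    """Parse the '# key exchange algorithms' block of ssh-audit's text output."""
    findings: Dict[str, KexFinding] = {}
    current: Optional[KexFinding] = None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            name, bits, level, msg = m.groups()
            current = findings.setdefault(name, KexFinding(name, int(bits) if bits else None))
            getattr(current, level).append(msg)
            continue
        m = CONT.match(line)
        if m and current is not None:
            level, msg = m.groups()
            getattr(current, level).append(msg)
    return findings


def is_pq_hybrid(name: str) -> bool:
    return any(marker in name for marker in PQ_MARKERS)


def clean_kex(findings: Dict[str, KexFinding]) -> List[str]:
    """Algorithms with neither [fail] nor [warn]: the only ones left unmarked after this commit."""
    return [n for n, f in findings.items() if not f.fail and not f.warn]


def hndl_exposed(findings: Dict[str, KexFinding]) -> bool:
    """True when no offered kex is a PQ hybrid, so every session key the server
    negotiates could be recovered from recorded traffic by a future quantum computer."""
    return not any(is_pq_hybrid(n) for n in findings)


def fallback_kex(findings: Dict[str, KexFinding]) -> List[str]:
    """Least-bad choices when nothing is clean: no [fail], fewest [warn] first.
    This ranking is the example's own policy, not ssh-audit's recommendation logic."""
    candidates = [f for f in findings.values() if not f.fail]
    candidates.sort(key=lambda f: (len(f.warn), f.name))
    return [f.name for f in candidates]


def kex_directive(findings: Dict[str, KexFinding]) -> str:
    """sshd_config KexAlgorithms line: clean algorithms if any exist, otherwise the
    fallbacks, never an empty list (an empty list breaks every connection)."""
    keep = clean_kex(findings) or fallback_kex(findings)
    if not keep:
        raise ValueError("no usable key exchange: every offered kex carries a [fail]")
    return "KexAlgorithms " + ",".join(keep)


# Constructed sample: three of the Dropbear 2019.78 kex entries from this commit's fixtures.
DROPBEAR_2019_78 = """\
(kex) curve25519-sha256 -- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
`- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
 `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
 `- [warn] does not provide protection against post-quantum attacks
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
"""

# Constructed: the same host if it also offered the hybrid the thread names.
# The [info] text is assumed; it is not ssh-audit's actual note for that entry.
WITH_HYBRID = "(kex) mlkem768x25519-sha256 -- [info] available since OpenSSH 9.9\n" + DROPBEAR_2019_78

if __name__ == "__main__":
    for label, sample in (("Dropbear 2019.78", DROPBEAR_2019_78), ("with ML-KEM hybrid", WITH_HYBRID)):
        f = parse_kex_section(sample)
        print(f"{label}: HNDL-exposed={hndl_exposed(f)} clean={clean_kex(f)} -> {kex_directive(f)}")
```

On the Dropbear sample nothing is clean, so the directive keeps `curve25519-sha256` and `diffie-hellman-group14-sha256` (warn-only) and drops the SHA-1 group; once the hybrid is present it is the only algorithm kept. The `ValueError` path covers a host whose every kex is at `[fail]`, where no config line should be generated at all.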

@perkelix

Fair enough.

Just as long as it's clearly marked as a suggested migration strategy, rather than as yet another vague statement that there's something shady about NIST curves so please disable them now.

Right now, a lot of ssh-audit's recommended removals contradict OpenSSH developers' own views over what must or should be deprecated. In many cases, ssh-audit's recommendations and the accompanying hardening guide are considered overzealous. This results in the above case where ssh-audit only considers one of the pre-9.9 algorithms to be safe, again just as for the NIST case, without specifying why, leaving people on very thin ice. This is not a desirable outcome.
