Merged arthepsy/ssh-audit#47

Author: jtesta

.appveyor.yml

@@ -0,0 +1,37 @@
+version: '1.7.1.dev.{build}'
+
+build: off
+branches:
+  only:
+    - master
+    - develop
+
+environment:
+  matrix:
+    - PYTHON: "C:\\Python26"
+    - PYTHON: "C:\\Python26-x64"
+    - PYTHON: "C:\\Python27"
+    - PYTHON: "C:\\Python27-x64"
+    - PYTHON: "C:\\Python33"
+    - PYTHON: "C:\\Python33-x64"
+    - PYTHON: "C:\\Python34"
+    - PYTHON: "C:\\Python34-x64"
+    - PYTHON: "C:\\Python35"
+    - PYTHON: "C:\\Python35-x64"
+    - PYTHON: "C:\\Python36"
+    - PYTHON: "C:\\Python36-x64"
+matrix:
+  fast_finish: true 
+
+cache:
+  - '%LOCALAPPDATA%\pip\Cache'
+  - .downloads -> .appveyor.yml
+
+install:
+  - "cmd /c .\\test\\tools\\ci-win.cmd install"
+
+test_script:
+  - "cmd /c .\\test\\tools\\ci-win.cmd test"
+
+on_failure:
+  - ps: get-content .tox\*\log\*

.gitignore

@@ -1,5 +1,11 @@
 *~
 *.pyc
-html/
-venv/
-.cache/
+venv*/
+.cache/
+.tox
+.coverage*
+reports/
+.scannerwork/
+pypi/sshaudit/LICENSE
+pypi/sshaudit/README.md
+pypi/sshaudit/sshaudit.py

.travis.yml

@@ -1,18 +1,80 @@
 language: python
-python:
-  - 2.6
-  - 2.7
-  - 3.3
-  - 3.4
-  - 3.5
-  - pypy
-  - pypy3
+sudo: false
+matrix:
+  include:
+    # (default)
+    - os: linux
+      python: 2.6
+    - os: linux
+      python: 2.7
+      env: SQ=1
+    - os: linux
+      python: 3.3
+    - os: linux
+      python: 3.4
+    - os: linux
+      python: 3.5
+    - os: linux
+      python: 3.6
+    - os: linux
+      python: pypy
+    - os: linux
+      python: pypy3
+    - os: linux
+      python: 3.7-dev
+    # Ubuntu 12.04
+    - os: linux
+      dist: precise
+      language: generic
+      env: PY_VER=py26,py27,py33,py34,py35,py36,pypy,pypy3 PY_ORIGIN=pyenv
+    # Ubuntu 14.04
+    - os: linux
+      dist: trusty
+      language: generic
+      env: PY_VER=py26,py27,py33,py34,py35,py36,pypy,pypy3 PY_ORIGIN=pyenv
+    # macOS 10.12 Sierra
+    - os: osx
+      osx_image: xcode8.3
+      language: generic
+      env: PY_VER=py26,py27,py33,py34,py35,py36,pypy,pypy3
+    # Mac OS X 10.11 El Capitan
+    - os: osx
+      osx_image: xcode7.3
+      language: generic
+      env: PY_VER=py26,py27,py33,py34,py35,py36,pypy,pypy3
+    # Mac OS X 10.10 Yosemite
+    - os: osx
+      osx_image: xcode6.4
+      language: generic
+      env: PY_VER=py26,py27,py33,py34,py35,py36,pypy,pypy3
+  allow_failures:
+    # PyPy3 on Travis CI is out of date
+    - python: pypy3
+    # Python nightly could fail
+    - python: 3.7-dev
+    - env: PY_VER=py37
+    - env: PY_VER=py37/pyenv
+    - env: PY_VER=py37 PY_ORIGIN=pyenv
+  fast_finish: true
+
+cache:
+  - pip
+  - directories:
+    - $HOME/.pyenv.cache
+    - $HOME/.bin
+
+before_install:
+  - source test/tools/ci-linux.sh
+  - ci_step_before_install
+
 install:
-  - pip install --upgrade pytest
-  - pip install --upgrade pytest-cov
-  - pip install --upgrade coveralls
+  - ci_step_install
+
 script:
-  - py.test --cov-report= --cov=ssh-audit -v test
+  - ci_step_script
+
 after_success:
-  - coveralls
+  - ci_step_success
 
+after_failure:
+  - ci_step_failure

LICENSE

@@ -1,6 +1,8 @@
 The MIT License (MIT)
 
-Copyright (C) 2016 Andris Raugulis ([email protected])
+Copyright (C) 2017 Andris Raugulis ([email protected])
+Copyright (C) 2017-2019 Joe Testa ([email protected])
+
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,42 +1,73 @@
 # ssh-audit
-[![build status](https://api.travis-ci.org/arthepsy/ssh-audit.svg)](https://travis-ci.org/arthepsy/ssh-audit)
-[![coverage status](https://coveralls.io/repos/github/arthepsy/ssh-audit/badge.svg)](https://coveralls.io/github/arthepsy/ssh-audit)  
-**ssh-audit** is a tool for ssh server auditing.  
+<!--
+[![travis build status](https://api.travis-ci.org/arthepsy/ssh-audit.svg?branch=develop)](https://travis-ci.org/arthepsy/ssh-audit)
+[![appveyor build status](https://ci.appveyor.com/api/projects/status/4m5r73m0r023edil/branch/develop?svg=true)](https://ci.appveyor.com/project/arthepsy/ssh-audit)
+[![codecov](https://codecov.io/gh/arthepsy/ssh-audit/branch/develop/graph/badge.svg)](https://codecov.io/gh/arthepsy/ssh-audit)
+[![Quality Gate](https://sonarqube.com/api/badges/gate?key=arthepsy-github%3Assh-audit%3Adevelop&template=ROUNDED)](https://sq.evolutiongaming.com/dashboard?id=arthepsy-github%3Assh-audit%3Adevelop)  
+-->
+**ssh-audit** is a tool for ssh server & client configuration auditing.
 
 ## Features
 - SSH1 and SSH2 protocol server support;
+- analyze SSH client configuration;
 - grab banner, recognize device or software and operating system, detect compression;
 - gather key-exchange, host-key, encryption and message authentication code algorithms;
 - output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
 - output algorithm recommendations (append or remove based on recognized software version);
 - output security information (related issues, assigned CVE list, etc);
 - analyze SSH version compatibility based on algorithm information;
 - historical information from OpenSSH, Dropbear SSH and libssh;
-- no dependencies, compatible with Python 2.6+, Python 3.x and PyPy;
+- no dependencies
 
 ## Usage
 ```
-usage: ssh-audit.py [-1246pbnvl] <host>
+usage: ssh-audit.py [-1246pbcnvlt] <host>
 
    -1,  --ssh1             force ssh version 1 only
    -2,  --ssh2             force ssh version 2 only
    -4,  --ipv4             enable IPv4 (order of precedence)
    -6,  --ipv6             enable IPv6 (order of precedence)
    -p,  --port=<port>      port to connect
    -b,  --batch            batch output
+   -c,  --client-audit     starts a server on port 2222 to audit client
+                               software config (use -p to change port)
    -n,  --no-colors        disable colors
    -v,  --verbose          verbose output
    -l,  --level=<level>    minimum output level (info|warn|fail)
-   
+   -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
+                               (default: 5)
 ```
 * if both IPv4 and IPv6 are used, order of precedence can be set by using either `-46` or `-64`.  
 * batch flag `-b` will output sections without header and without empty lines (implies verbose flag).  
 * verbose flag `-v` will prefix each line with section type and algorithm name.  
 
-### example
-![screenshot](https://cloud.githubusercontent.com/assets/7356025/19233757/3e09b168-8ef0-11e6-91b4-e880bacd0b8a.png)
+### Server Audit Example
+![screenshot](https://user-images.githubusercontent.com/2982011/64388792-317e6f80-d00e-11e9-826e-a4934769bb07.png)
+
+### Client Audit Example
+TODO
 
 ## ChangeLog
+### v2.1.0 (???)
+ - Added client software auditing functionality (see `-c` / `--client-audit` option).
+ - Fixed crash while scanning Solaris Sun_SSH.
+ - Added 9 new key exchanges: `gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==`, `gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==`, `gss-group14-sha1-`, `gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==`, `gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==`, `gss-group15-sha512-toWM5Slw5Ew8Mqkay+al2g==`, `diffie-hellman-group15-sha256`, `ecdh-sha2-1.3.132.0.10`, `curve448-sha512`.
+ - Added 1 new host key type: `ecdsa-sha2-1.3.132.0.10`.
+ - Added 4 new ciphers: `idea-cbc`, `serpent128-cbc`, `serpent192-cbc`, `serpent256-cbc`.
+ - Added 6 new MACs: `[email protected]`, `[email protected]`, `hmac-ripemd`, `[email protected]`, `[email protected]`, `[email protected]`.
+
+### v2.0.0 (2019-08-29)
+ - Forked from https://github.com/arthepsy/ssh-audit (development was stalled, and developer went MIA).
+ - Added RSA host key length test.
+ - Added RSA certificate key length test.
+ - Added Diffie-Hellman modulus size test.
+ - Now outputs host key fingerprints for RSA and ED25519.
+ - Added 5 new key exchanges: `[email protected]`, `[email protected]`, `[email protected]`, `diffie-hellman-group16-sha256`, `diffie-hellman-group17-sha512`.
+ - Added 3 new encryption algorithms: `des-cbc-ssh1`, `blowfish-ctr`, `twofish-ctr`.
+ - Added 10 new MACs: `hmac-sha2-56`, `hmac-sha2-224`, `hmac-sha2-384`, `hmac-sha3-256`, `hmac-sha3-384`, `hmac-sha3-512`, `hmac-sha256`, `[email protected]`, `hmac-sha512`, `[email protected]`.
+ - Added command line argument (-t / --timeout) for connection & reading timeouts.
+ - Updated CVEs for libssh & Dropbear.
+
 ### v1.7.0 (2016-10-26)
  - implement options to allow specify IPv4/IPv6 usage and order of precedence
  - implement option to specify remote port (old behavior kept for compatibility)