github.com/jtesta/ssh-audit (release v3.3.0)
README

ssh-audit

ssh-audit is a tool for ssh server & client configuration auditing.

jtesta/ssh-audit (v2.0+) is the updated and maintained version of ssh-audit forked from arthepsy/ssh-audit (v1.x) due to inactivity.

Features

  • SSH1 and SSH2 protocol server support;
  • analyze SSH client configuration;
  • grab banner, recognize device or software and operating system, detect compression;
  • gather key-exchange, host-key, encryption and message authentication code algorithms;
  • output algorithm security information (available since, removed/disabled, unsafe/weak/legacy, etc);
  • output algorithm recommendations (append or remove based on recognized software version);
  • analyze SSH version compatibility based on algorithm information;
  • historical information from OpenSSH, Dropbear SSH and libssh;
  • policy scans to ensure adherence to a hardened/standard configuration;
  • runs on Linux and Windows;
  • supports Python 3.8 - 3.13;
  • no dependencies

Usage

usage: ssh-audit.py [options] <host>

   -h,  --help             print this help
   -1,  --ssh1             force ssh version 1 only
   -2,  --ssh2             force ssh version 2 only
   -4,  --ipv4             enable IPv4 (order of precedence)
   -6,  --ipv6             enable IPv6 (order of precedence)
   -b,  --batch            batch output
   -c,  --client-audit     starts a server on port 2222 to audit client
                               software config (use -p to change port;
                               use -t to change timeout)
        --conn-rate-test=N[:max_rate]  perform a connection rate test (useful
                                       for collecting metrics related to
                                       susceptibility of the DHEat vuln).
                                       Testing is conducted with N concurrent
                                       sockets with an optional maximum rate
                                       of connections per second.
   -d,  --debug            Enable debug output.
        --dheat=N[:kex[:e_len]]    continuously perform the DHEat DoS attack
                                   (CVE-2002-20001) against the target using N
                                   concurrent sockets.  Optionally, a specific
                                   key exchange algorithm can be specified
                                   instead of allowing it to be automatically
                                   chosen.  Additionally, a small length of
                                   the fake e value sent to the server can
                                   be chosen for a more efficient attack (such
                                   as 4).
   -g,  --gex-test=<x[,y,...]>  dh gex modulus size test
                   <min1:pref1:max1[,min2:pref2:max2,...]>
                   <x-y[:step]>
   -j,  --json             JSON output (use -jj to enable indents)
   -l,  --level=<level>    minimum output level (info|warn|fail)
   -L,  --list-policies    list all the official, built-in policies. Use with -v
                               to view policy change logs.
        --lookup=<alg1,alg2,...>    looks up an algorithm(s) without
                                    connecting to a server
   -m,  --manual           print the man page (Docker, PyPI, Snap, and Windows
                                    builds only)
   -M,  --make-policy=<policy.txt>  creates a policy based on the target server
                                    (i.e.: the target server has the ideal
                                    configuration that other servers should
                                    adhere to)
   -n,  --no-colors        disable colors
   -p,  --port=<port>      port to connect
   -P,  --policy=<"policy name" | policy.txt>  run a policy test using the
                                                   specified policy
        --skip-rate-test   skip the connection rate test during standard audits
                               (used to safely infer whether the DHEat attack
                               is viable)
   -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
                               (default: 5)
   -T,  --targets=<hosts.txt>  a file containing a list of target hosts (one
                                   per line, format HOST[:PORT]).  Use -p/--port
                                   to set the default port for all hosts.  Use
                                   --threads to control concurrent scans.
        --threads=<threads>    number of threads to use when scanning multiple
                                   targets (-T/--targets) (default: 32)
   -v,  --verbose          verbose output
  • if both IPv4 and IPv6 are used, order of precedence can be set by using either -46 or -64.
  • batch flag -b will output sections without header and without empty lines (implies verbose flag).
  • verbose flag -v will prefix each line with section type and algorithm name.
  • an exit code of 0 is returned when all algorithms are considered secure (for a standard audit), or when a policy check passes (for a policy audit).

Basic server auditing:

ssh-audit localhost
ssh-audit 127.0.0.1
ssh-audit 127.0.0.1:222
ssh-audit ::1
ssh-audit [::1]:222

To run a standard audit against many servers (place targets into servers.txt, one on each line in the format of HOST[:PORT]):

ssh-audit -T servers.txt

To audit a client configuration (listens on port 2222 by default; connect using ssh -p 2222 anything@localhost):

ssh-audit -c

To audit a client configuration, with a listener on port 4567:

ssh-audit -c -p 4567

To list all official built-in policies (hint: use resulting policy names with -P/--policy):

ssh-audit -L

To run a policy audit against a server:

ssh-audit -P ["policy name" | path/to/server_policy.txt] targetserver

To run a policy audit against a client:

ssh-audit -c -P ["policy name" | path/to/client_policy.txt]

To run a policy audit against many servers:

ssh-audit -T servers.txt -P ["policy name" | path/to/server_policy.txt]

To create a policy based on a target server (which can be manually edited):

ssh-audit -M new_policy.txt targetserver
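The policy audits above compare a target's advertised algorithm lists against a policy file, either one of the built-in policies or one written by -M/--make-policy and edited by hand. The following is an added illustration of that comparison, not ssh-audit's own code. The policy text imitates the "key = value" lines of a generated policy (name, version, host keys, key exchanges, ciphers, macs, compressions) together with the allow_algorithm_subset_and_reordering switch mentioned in the v3.2.0 change log; the exact key names, comment syntax and matching rules used here are assumptions of this example, and the sample policy and server observation are constructed.

```python
"""Toy policy comparison in the spirit of ssh-audit's -P/--policy scans.

Added illustration, not ssh-audit's own code. The policy text imitates the
"key = value" lines that -M/--make-policy writes (name, version, host keys,
key exchanges, ciphers, macs, compressions) plus the
allow_algorithm_subset_and_reordering switch named in the change log; the
exact keys, comment syntax and matching rules are assumptions of this example.
"""

LIST_KEYS = ("host keys", "key exchanges", "ciphers", "macs", "compressions")

# Constructed sample policy (not one of the built-in policies).
SAMPLE_POLICY = """\
name = "Example hardened server"
version = 1
host keys = ssh-ed25519, rsa-sha2-512, rsa-sha2-256
key exchanges = sntrup761x25519-sha512, curve25519-sha256, curve25519-sha256@libssh.org
ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com
macs = hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com
compressions = none, zlib@openssh.com
allow_algorithm_subset_and_reordering = false
"""

# Constructed observation of a target: the algorithm lists a server
# advertises, in the order it advertises them.
SAMPLE_SERVER = {
    "host keys": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"],
    "key exchanges": ["curve25519-sha256", "sntrup761x25519-sha512",
                      "curve25519-sha256@libssh.org"],
    "ciphers": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes128-gcm@openssh.com", "aes256-cbc"],
    "macs": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"],
    "compressions": ["none", "zlib@openssh.com"],
}


def parse_policy(text):
    """Parse policy text into {'name', 'version', 'subset_ok', 'lists'}."""
    policy = {"name": None, "version": None, "subset_ok": False, "lists": {}}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' comments are an assumption
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key == "name":
            policy["name"] = value.strip('"')
        elif key == "version":
            policy["version"] = int(value)
        elif key == "allow_algorithm_subset_and_reordering":
            policy["subset_ok"] = value.lower() == "true"
        elif key in LIST_KEYS:
            policy["lists"][key] = [a.strip() for a in value.split(",") if a.strip()]
        else:
            raise ValueError(f"line {lineno}: unknown key {key!r}")
    if not policy["lists"]:
        raise ValueError("policy defines no algorithm lists")
    return policy


def evaluate_policy(policy, observed):
    """Return (passed, failures).

    Exact mode: each observed list must equal the policy list, order included.
    Subset mode: the observed list may be any subset in any order, but must
    not contain an algorithm the policy does not allow.
    """
    failures = []
    for key, allowed in policy["lists"].items():
        actual = observed.get(key, [])
        extra = [a for a in actual if a not in allowed]
        missing = [a for a in allowed if a not in actual]
        if policy["subset_ok"]:
            if extra:
                failures.append(f"{key}: unexpected {extra}")
        elif actual != allowed:
            problems = []
            if missing:
                problems.append(f"missing {missing}")
            if extra:
                problems.append(f"unexpected {extra}")
            if not problems:
                problems.append("order differs")
            failures.append(f"{key}: " + ", ".join(problems))
    return not failures, failures


def policy_exit_code(passed):
    """Mirror the README's convention: 0 when the policy check passes."""
    return 0 if passed else 1


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    ok, why = evaluate_policy(pol, SAMPLE_SERVER)
    print(f"policy {pol['name']!r} v{pol['version']}: {'PASS' if ok else 'FAIL'}")
    for line in why:
        print("  -", line)
    raise SystemExit(policy_exit_code(ok))
```

Run against the constructed server, the exact-match policy fails twice: the key exchanges are the right set in the wrong order, and aes256-cbc is offered although the policy does not list it. Flipping allow_algorithm_subset_and_reordering to true clears the ordering complaint but still flags the extra cipher, which is the property a policy scan is meant to enforce: a server may drop or reorder approved algorithms, but may never add one the policy author did not approve.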

To run the DHEat CPU exhaustion DoS attack (CVE-2002-20001) against a target using 10 concurrent sockets:

ssh-audit --dheat=10 targetserver

To run the DHEat attack using the diffie-hellman-group-exchange-sha256 key exchange algorithm:

ssh-audit --dheat=10:diffie-hellman-group-exchange-sha256 targetserver

To run the DHEat attack using the diffie-hellman-group-exchange-sha256 key exchange algorithm along with very small but non-standard packet lengths (this may result in the same CPU exhaustion, but with far fewer bytes per second being sent):

ssh-audit --dheat=10:diffie-hellman-group-exchange-sha256:4 targetserver

Screenshots

Server Standard Audit Example

Below is a screenshot of the standard server-auditing output when connecting to an unhardened OpenSSH v5.3 service.

Server Policy Audit Example

Below is a screenshot of the policy auditing output when connecting to an un-hardened Ubuntu Server 20.04 machine (hint: use -L/--list-policies to see names of built-in policies to use with -P/--policy).

After applying the steps in the hardening guide (see below), the output changes to the following.

Client Standard Audit Example

Below is a screenshot of the client-auditing output when an unhardened OpenSSH v7.2 client connects.

Hardening Guides

Guides to harden server & client configuration can be found here: https://www.ssh-audit.com/hardening_guides.html

Pre-Built Packages

Pre-built packages are available for Windows (see the Releases page), PyPI, Snap, and Docker:

To install from PyPI:

$ pip3 install ssh-audit

To install the Snap package:

$ snap install ssh-audit

To install from Dockerhub:

$ docker pull positronsecurity/ssh-audit

(Then run with: docker run -it --rm -p 2222:2222 positronsecurity/ssh-audit 10.1.1.1)

The status of various other platform packages can be found below (via Repology):

Web Front-End

For convenience, a web front-end on top of the command-line tool is available at https://www.ssh-audit.com/.

ChangeLog

v3.3.0 (2024-10-15)

  • Added Python 3.13 support.
  • Added built-in policies for Ubuntu 24.04 LTS server & client, OpenSSH 9.8, and OpenSSH 9.9.
  • Added IPv6 support for DHEat and connection rate tests.
  • Added TCP port information to JSON policy scan results; credit Fabian Malte Kopp.
  • Added LANcom LCOS server recognition and Ed448 key extraction; credit Daniel Lenski.
  • Now reports ECDSA and DSS fingerprints when in verbose mode; partial credit Daniel Lenski.
  • Removed CVE information based on server/client version numbers, as this was wildly inaccurate (see this thread for the full discussion, as well as the results of the community vote on this matter).
  • Fixed crash when running with -P and -T options simultaneously.
  • Fixed host key tests from only reporting a key type at most once despite multiple hosts supporting it; credit Daniel Lenski.
  • Fixed DHEat connection rate testing on MacOS X and BSD platforms; credit Drew Noel and Michael Osipov.
  • Fixed invalid JSON output when a socket error occurs while performing a client audit.
  • Fixed --conn-rate-test feature on Windows.
  • When scanning multiple targets (using -T/--targets), the -p/--port option will now be used as the default port (set to 22 if -p/--port is not given). Hosts specified in the file can override this default with an explicit port number (i.e.: "host1:1234"). For example, when using -T targets.txt -p 222, all hosts in targets.txt that do not explicitly include a port number will default to 222; when using -T targets.txt (without -p), all hosts will use a default of 22.
  • Updated built-in server & client policies for Amazon Linux 2023, Debian 12, Rocky Linux 9, and Ubuntu 22.04 to improve host key efficiency and cipher resistance to quantum attacks.
  • Added 1 new cipher: grasshopper-ctr128.
  • Added 2 new key exchanges: mlkem768x25519-sha256, sntrup761x25519-sha512.
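The default-port rule for -T/--targets described in the change log above (an explicit port in the file wins, otherwise the -p/--port value, otherwise 22) is easy to get wrong for IPv6 literals, whose colons must not be mistaken for a port separator. The following parser is an added example, not ssh-audit's own code: it implements that rule and accepts the IPv6 spellings shown under "Basic server auditing" (::1 and [::1]:222). The sample targets file is constructed, and skipping blank lines and '#' comments is an assumption of this example rather than documented ssh-audit behaviour.

```python
"""Target-list parsing with the -T/--targets default-port rule.

Added example, not ssh-audit's own parser. It implements the rule stated in
the v3.3.0 change log (an explicit port in the file wins, otherwise the
-p/--port value, otherwise 22) and accepts the IPv6 spellings shown under
"Basic server auditing" (::1 and [::1]:222). Skipping blank lines and
'#' comments is an assumption of this example.
"""
import ipaddress

DEFAULT_SSH_PORT = 22

# Constructed sample targets file.
SAMPLE_TARGETS = """\
# hosts to audit (constructed sample)
localhost
127.0.0.1:222
[::1]:2222
::1
bastion.example.internal:2200

gw.example.internal
"""


def _parse_port(text):
    """Validate a decimal TCP port string."""
    if not text.isdigit():
        raise ValueError(f"port is not a number: {text!r}")
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_target(entry, default_port=DEFAULT_SSH_PORT):
    """Return (host, port) for one HOST[:PORT] entry."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty target")
    if entry.startswith("["):
        # Bracketed IPv6 literal, optionally followed by :PORT
        close = entry.find("]")
        if close == -1:
            raise ValueError(f"unterminated IPv6 literal: {entry!r}")
        host, rest = entry[1:close], entry[close + 1:]
        ipaddress.IPv6Address(host)  # raises ValueError on a malformed address
        if rest == "":
            return host, default_port
        if not rest.startswith(":"):
            raise ValueError(f"junk after IPv6 literal: {entry!r}")
        return host, _parse_port(rest[1:])
    if entry.count(":") >= 2:
        # Bare IPv6 literal: every colon belongs to the address, so no port
        ipaddress.IPv6Address(entry)
        return entry, default_port
    # Hostname or IPv4 address with an optional single :PORT suffix
    host, sep, port = entry.partition(":")
    if not host:
        raise ValueError(f"missing host: {entry!r}")
    return host, (_parse_port(port) if sep else default_port)


def load_targets(text, cli_port=None):
    """Parse a whole targets file; cli_port plays the role of -p/--port."""
    default = DEFAULT_SSH_PORT if cli_port is None else cli_port
    targets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            targets.append(parse_target(line, default))
        except ValueError as exc:
            raise ValueError(f"targets line {lineno}: {exc}") from exc
    return targets


if __name__ == "__main__":
    # Equivalent of: ssh-audit -T targets.txt -p 222
    for host, port in load_targets(SAMPLE_TARGETS, cli_port=222):
        print(f"{host} -> port {port}")
```

With cli_port=222 the entries without an explicit port (localhost, the bare ::1, gw.example.internal) resolve to 222 while 127.0.0.1:222, [::1]:2222 and bastion.example.internal:2200 keep their own ports; without cli_port the same entries fall back to 22. Rejecting ports outside 1-65535 and unterminated brackets up front keeps a typo in a large target list from silently scanning the wrong service.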

v3.2.0 (2024-04-22)

  • Added implementation of the DHEat denial-of-service attack (see --dheat option; CVE-2002-20001).
  • Expanded filter of CBC ciphers to flag for the Terrapin vulnerability. It now includes more rarely found ciphers.
  • Fixed parsing of ecdsa-sha2-nistp* CA signatures on host keys. Additionally, they are now flagged as potentially back-doored, just as standard host keys are.
  • Gracefully handle rare exceptions (i.e.: crashes) while performing GEX tests.
  • The built-in man page (-m, --manual) is now available on Docker, PyPI, and Snap builds, in addition to the Windows build.
  • Snap builds are now architecture-independent.
  • Changed Docker base image from python:3-slim to python:3-alpine, resulting in a 59% reduction in image size; credit Daniel Thamdrup.
  • Added built-in policies for Amazon Linux 2023, Debian 12, OpenSSH 9.7, and Rocky Linux 9.
  • Built-in policies now include a change log (use -L -v to view them).
  • Custom policies now support the `allow_algorithm_subset_and_reorderin

Core symbols most depended-on inside this repo

  • info (src/ssh_audit/outputbuffer.py): called by 70
  • compare_version (src/ssh_audit/software.py): called by 68
  • write_list (src/ssh_audit/writebuf.py): called by 51
  • display (src/ssh_audit/software.py): called by 50
  • d (src/ssh_audit/outputbuffer.py): called by 43
  • parse (src/ssh_audit/banner.py): called by 39
  • write (src/ssh_audit/outputbuffer.py): called by 30
  • fail (src/ssh_audit/outputbuffer.py): called by 28

Shape

  • Method: 448
  • Class: 62
  • Function: 36

Languages

  • Python: 100%

Modules by API surface

  • src/ssh_audit/kexdh.py: 46 symbols
  • src/ssh_audit/ssh_audit.py: 31 symbols
  • test/conftest.py: 27 symbols
  • test/test_policy.py: 25 symbols
  • src/ssh_audit/dheat.py: 22 symbols
  • src/ssh_audit/outputbuffer.py: 21 symbols
  • test/test_errors.py: 19 symbols
  • src/ssh_audit/ssh_socket.py: 19 symbols
  • test/test_buffer.py: 18 symbols
  • src/ssh_audit/utils.py: 18 symbols
  • src/ssh_audit/ssh1_publickeymessage.py: 18 symbols
  • test/test_ssh1.py: 17 symbols
