Updated Ubuntu 22.04 built-in policy.

jtesta · Oct 1, 2024 · 1f1a51d · 1f1a51d
1 parent 77a63de
commit 1f1a51d
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -225,15 +225,15 @@ For convenience, a web front-end on top of the command-line tool is available at
  - Added IPv6 support for DHEat and connection rate tests.
  - Added TCP port information to JSON policy scan results; credit [Fabian Malte Kopp](https://github.com/dreizehnutters).
  - Added LANcom LCOS server recognition and Ed448 key extraction; credit [Daniel Lenski](https://github.com/dlenskiSB).
+  - Now reports ECDSA and DSS fingerprints when in verbose mode; partial credit [Daniel Lenski](https://github.com/dlenskiSB).
  - Removed CVE information based on server/client version numbers, as this was wildly inaccurate (see [this thread](https://github.com/jtesta/ssh-audit/issues/240) for the full discussion, as well as the results of the community vote on this matter).
  - Fixed crash when running with `-P` and `-T` options simultaneously.
  - Fixed host key tests from only reporting a key type at most once despite multiple hosts supporting it; credit [Daniel Lenski](https://github.com/dlenskiSB).
  - Fixed DHEat connection rate testing on MacOS X and BSD platforms; credit [Drew Noel](https://github.com/drewmnoel) and [Michael Osipov](https://github.com/michael-o).
  - Fixed invalid JSON output when a socket error occurs while performing a client audit.
  - Fixed `--conn-rate-test` feature on Windows.
  - When scanning multiple targets (using `-T`/`--targets`), the `-p`/`--port` option will now be used as the default port (set to 22 if `-p`/`--port` is not given).  Hosts specified in the file can override this default with an explicit port number (i.e.: "host1:1234").  For example, when using `-T targets.txt -p 222`, all hosts in `targets.txt` that do not explicitly include a port number will default to 222; when using `-T targets.txt` (without `-p`), all hosts will use a default of 22.
- - Now reports ECDSA and DSS fingerprints when in verbose mode; partial credit [Daniel Lenski](https://github.com/dlenskiSB).
- - Updated built-in policies for Debian 12 and Rocky Linux 9 to improve host key efficiency and cipher resistance to quantum attacks.
+ - Updated built-in server policies for Debian 12, Rocky Linux 9, and Ubuntu 22.04 to improve host key efficiency and cipher resistance to quantum attacks.
  - Added 1 new cipher: `grasshopper-ctr128`.
  - Added 2 new key exchanges: `mlkem768x25519-sha256`, `sntrup761x25519-sha512`.
 

diff --git a/src/ssh_audit/builtin_policies.py b/src/ssh_audit/builtin_policies.py
@@ -54,6 +54,8 @@
 
     'Hardened Ubuntu Server 22.04 LTS (version 5)': {'version': '5', 'changelog': 'Added [email protected] to kex list.', 'banner': None, 'compressions': None, 'host_keys': ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-ed25519'], 'optional_host_keys': ['[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]'], 'kex': ['[email protected]', 'curve25519-sha256', '[email protected]', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', '[email protected]'], 'ciphers': ['[email protected]', '[email protected]', '[email protected]', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['[email protected]', '[email protected]', '[email protected]'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "[email protected]": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "[email protected]": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "[email protected]": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "[email protected]": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "[email protected]": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
 
+    'Hardened Ubuntu Server 22.04 LTS (version 6)': {'version': '6', 'changelog': 'Re-ordered host keys to prioritize ED25519 due to efficiency. Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', 'banner': None, 'compressions': None, 'host_keys': ['ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': ['[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]'], 'kex': ['[email protected]', 'curve25519-sha256', '[email protected]', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', '[email protected]'], 'ciphers': ['[email protected]', '[email protected]', 'aes256-ctr', 'aes192-ctr', '[email protected]', 'aes128-ctr'], 'macs': ['[email protected]', '[email protected]', '[email protected]'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "[email protected]": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "[email protected]": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "[email protected]": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "[email protected]": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "[email protected]": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
+
     'Hardened Ubuntu Server 24.04 LTS (version 1)': {'version': '1', 'changelog': 'Initial version.', 'banner': None, 'compressions': None, 'host_keys': ['ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': ['[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]'], 'kex': ['[email protected]', 'curve25519-sha256', '[email protected]', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group16-sha512', 'ext-info-s', '[email protected]'], 'ciphers': ['[email protected]', '[email protected]', 'aes256-ctr', 'aes192-ctr', '[email protected]', 'aes128-ctr'], 'macs': ['[email protected]', '[email protected]', '[email protected]'], 'hostkey_sizes': {"rsa-sha2-256": {"hostkey_size": 4096}, "[email protected]": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "rsa-sha2-512": {"hostkey_size": 4096}, "[email protected]": {"ca_key_size": 4096, "ca_key_type": "ssh-rsa", "hostkey_size": 4096}, "[email protected]": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}, "[email protected]": {"hostkey_size": 256}, "ssh-ed25519": {"hostkey_size": 256}, "[email protected]": {"ca_key_size": 256, "ca_key_type": "ssh-ed25519", "hostkey_size": 256}}, 'dh_modulus_sizes': {'diffie-hellman-group-exchange-sha256': 3072}, 'server_policy': True},
 
     # Generic OpenSSH Server policies