Updated built-in client policy for Ubuntu 22.04.
jtesta committed Oct 1, 2024
1 parent 1f1a51d commit 7ab6d20
Showing 2 changed files with 3 additions and 1 deletion.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -233,7 +233,7 @@ For convenience, a web front-end on top of the command-line tool is available at
- Fixed invalid JSON output when a socket error occurs while performing a client audit.
- Fixed `--conn-rate-test` feature on Windows.
- When scanning multiple targets (using `-T`/`--targets`), the `-p`/`--port` option will now be used as the default port (set to 22 if `-p`/`--port` is not given). Hosts specified in the file can override this default with an explicit port number (i.e.: "host1:1234"). For example, when using `-T targets.txt -p 222`, all hosts in `targets.txt` that do not explicitly include a port number will default to 222; when using `-T targets.txt` (without `-p`), all hosts will use a default of 22.
- Updated built-in server policies for Debian 12, Rocky Linux 9, and Ubuntu 22.04 to improve host key efficiency and cipher resistance to quantum attacks.
- Updated built-in server & client policies for Debian 12, Rocky Linux 9, and Ubuntu 22.04 to improve host key efficiency and cipher resistance to quantum attacks.
- Added 1 new cipher: `grasshopper-ctr128`.
- Added 2 new key exchanges: `mlkem768x25519-sha256`, `sntrup761x25519-sha512`.
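Review bot: the reworded bullet now claims updated client policies for Debian 12 and Rocky Linux 9 as well as Ubuntu 22.04, but the only policy change visible in this commit is the new 'Hardened Ubuntu Client 22.04 LTS (version 5)' entry. If the Debian 12 and Rocky Linux 9 client policies were updated in earlier commits, this is fine; otherwise narrow the wording so the changelog does not overstate what changed. The new policy's own changelog string also mentions only the cipher re-ordering, so it is worth checking that "host key efficiency" is meant to cover the client policies too, or splitting the bullet into a server line and a client line.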

2 changes: 2 additions & 0 deletions src/ssh_audit/builtin_policies.py
Expand Up @@ -130,6 +130,8 @@

'Hardened Ubuntu Client 22.04 LTS (version 4)': {'version': '4', 'changelog': 'Added [email protected] to kex list.', 'banner': None, 'compressions': None, 'host_keys': ['[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', 'ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': None, 'kex': ['[email protected]', 'curve25519-sha256', '[email protected]', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-c', '[email protected]'], 'ciphers': ['[email protected]', '[email protected]', '[email protected]', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'], 'macs': ['[email protected]', '[email protected]', '[email protected]'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False},

'Hardened Ubuntu Client 22.04 LTS (version 5)': {'version': '5', 'changelog': 'Re-ordered cipher list to prioritize larger key sizes as a countermeasure to quantum attacks.', 'banner': None, 'compressions': None, 'host_keys': ['[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', 'ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': None, 'kex': ['[email protected]', 'curve25519-sha256', '[email protected]', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'ext-info-c', '[email protected]'], 'ciphers': ['[email protected]', '[email protected]', 'aes256-ctr', 'aes192-ctr', '[email protected]', 'aes128-ctr'], 'macs': ['[email protected]', '[email protected]', '[email protected]'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False},

'Hardened Ubuntu Client 24.04 LTS (version 1)': {'version': '1', 'changelog': 'Initial version.', 'banner': None, 'compressions': None, 'host_keys': ['[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', 'ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'], 'optional_host_keys': None, 'kex': ['[email protected]', 'curve25519-sha256', '[email protected]', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group16-sha512', 'ext-info-c', '[email protected]'], 'ciphers': ['[email protected]', '[email protected]', 'aes256-ctr', 'aes192-ctr', '[email protected]', 'aes128-ctr'], 'macs': ['[email protected]', '[email protected]', '[email protected]'], 'hostkey_sizes': None, 'dh_modulus_sizes': None, 'server_policy': False},

}
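Review bot: in the new version 5 entry the 'kex' list still places 'diffie-hellman-group16-sha512' ahead of 'diffie-hellman-group18-sha512', while the adjacent 'Hardened Ubuntu Client 24.04 LTS (version 1)' policy orders group18 first, then group-exchange-sha256, then group16. The 'ciphers' list in version 5 now matches the 24.04 ordering, so please confirm that leaving 'kex' unchanged from version 4 is intentional; if it is, the changelog string is accurate as written, and if not, the kex order should be updated in this same version rather than in a follow-up bump. Because a policy audit compares the ordered lists, a short note in the commit message on whether version 4 is kept deliberately for users pinned to it would also help.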
