-
-
Notifications
You must be signed in to change notification settings - Fork 181
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ecdsa-sha2-nistp<256/384/521> #107
Comments
I'd like to do that, but that opens an entire project around putting in references to everything else as well... which I'm also open to doing. I suppose we'd have to come up with a strategy for this. Perhaps references can be put in as "info" notes for each algorithm? Hmm... |
Can we not keep it simple and just add a reference directly against the note that it relates to? So in the case of
If you add references as independent note values then you have to invent a way of associating them with the relevant note. That could get very complicated to maintain. |
EDIT Not enough sleep and I am a goose. |
however ssh-audit 2.4.0 still gives warnings for these KEX
algorithm's ( and a few other things ) .
I have restarted / rebooted and rebuilt configuration files to try
and ensure that I haven't missed anything
In a new issue, can you post the exact output of ssh-audit, as well as
the sshd configuration changes you made? That would be very helpful
for debugging.
|
@jtesta oam7575 has now retracted the question, I guess the problem was down to user error? Getting back on topic, do you have any thoughts about how to progress this? Do you still want to go as far as building a mechanism to handle references, or can we keep it simple and simply add a reference directly against the note it relates to? |
On Sat, 2021-05-29 at 06:36 -0700, thecliguy wrote:
Getting back on topic, do you have any thoughts about how to progress
this? Do you still want to go as far as building a mechanism to
handle references, or can we keep it simple and simply add a
reference directly against the note it relates to?
I suppose we could put the references into comments. After all, that's
the entire purpose of the comments anyway!
I'll import the references from ssh-audit.com, since I already have a
database in the web app.
|
Just as an example, if you were to add a reference to |
<---- PEBKAC |
How about this:
|
I think it would make more sense to include it along the error:
As you could have multiple references:
Although I guess you could use the same format for adding references in a new sublevel:
|
@Keisial Thank you. 👍 You've illustrated the point that I have been trying to make very well. We must devise a way to clearly indicate to the user which comment a reference relates to. I think we need to build a relationship between comments and references. So perhaps we need to turn comments into some sort of data structure, EG:
|
@jtesta - Hello Joe, any ideas how to progress this...? Keisial and I appear to be of the same opinion which is that we need to make it clear to the user which comment a reference relates to, EG:
In order to achieve this I think we need to form a relationship between comments and references, EG:
If ssh-audit were to store references in What do you think about this? |
What do you think about this?
Yep, that looks good.
When verbose mode is enabled, the JSON output should include the
references as well.
|
Sorry for reviving this old issue, but can you please shed a light on which portion of the code marks these ecdsa-sha2-nistp as a FAIL? As in the code I can only find references to WARN:
Although I can also see: Thank you |
It appears you're looking at old source code. In the current master
branch, the WARN_CURVES_WEAK tag was renamed to
FAIL_NSA_BACKDOORED_CURVE at some point in the past (see
https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/ssh2_kexdb.py#L153
).
To answer your question about the database format, the second list of
strings for an algorithm denotes the failures. (The first list
describes when the algorithm was implemented. The third list holds
warnings. The fourth list holds notes.) A summary is found in
https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/ssh2_kexdb.py#L83
.
The test/ directory holds unit tests run by pytest (via Tox; at the top
level of the source code, run: pip3 install -U tox; python3 -m tox).
It also holds the configuration for the Docker tests (run with:
./docker_test.sh).
|
thank you... yes I was checking an old vesion on my machine, from 2022. The mystery is getting worse though. I checked the 2022 version after using the python2 version of ssh-audit, the one from 8 years ago, on a machine that only had python2 installed (and no chance to update, not even connection to the internet). The result from the old ssh-audit is exactly |
If I had read more carefully your replied I would have spared myself from several hours of NOOB (like I am) troubleshooting.
That's why WARN_CURVES_WEAK was reported as a 'fail'. |
@jtesta , ssh-audit 2.4.0 returns the following for host key algorithms
ecdsa-sha2-nistp256
,ecdsa-sha2-nistp384
andecdsa-sha2-nistp521
:Would it be possible to update the
[fail]
message to include a citation to a credible source that backs up the claim ofusing weak elliptic curves
?I've seen that you presented on the topic of Problems With Elliptic Curves In TLS and SSH at Rochester Security Summit (RSS) 2017.
Perhaps ssh-audit could cite your presentation?
The text was updated successfully, but these errors were encountered: