Added release date for v2.3.0. Added link for policy tutorial.

* Adding ssh-audit.py to algorithm_lookup_branch

* Removed the use of an error handler from algorithm_lookup and implemented suggestions made by jugmac00 and jtesta

.appveyor.yml

@@ -0,0 +1,33 @@
+version: 'v2.2.1-dev.{build}'
+
+build: off
+branches:
+  only:
+    - master
+    - develop
+
+environment:
+  matrix:
+    - PYTHON: "C:\\Python35"
+    - PYTHON: "C:\\Python35-x64"
+    - PYTHON: "C:\\Python36"
+    - PYTHON: "C:\\Python36-x64"
+    - PYTHON: "C:\\Python37"
+    - PYTHON: "C:\\Python37-x64"
+    - PYTHON: "C:\\Python38"
+    - PYTHON: "C:\\Python38-x64"
+matrix:
+  fast_finish: true 
+
+cache:
+  - '%LOCALAPPDATA%\pip\Cache'
+  - .downloads -> .appveyor.yml
+
+install:
+  - "cmd /c .\\test\\tools\\ci-win.cmd install"
+
+test_script:
+  - "cmd /c .\\test\\tools\\ci-win.cmd test"
+
+on_failure:
+  - ps: get-content .tox\*\log\*

.deepsource.toml

@@ -0,0 +1,8 @@
+version = 1
+
+[[analyzers]]
+name = "python"
+enabled = true
+
+  [analyzers.meta]
+  runtime_version = "3.x.x"

.gitignore

@@ -1,5 +1,19 @@
 *~
 *.pyc
-html/
-venv/
-.cache/
+*.exe
+*.asc
+venv*/
+.cache/
+.mypy_cache/
+.tox
+.coverage*
+reports/
+.scannerwork/
+packages/sshaudit/LICENSE
+packages/sshaudit/README.md
+packages/sshaudit/sshaudit.py
+packages/parts/
+packages/prime/
+packages/snap/
+packages/stage/
+packages/ssh-audit_*.snap

.travis.yml

@@ -1,18 +1,19 @@
 language: python
-python:
-  - 2.6
-  - 2.7
-  - 3.3
-  - 3.4
-  - 3.5
-  - pypy
-  - pypy3
-install:
-  - pip install --upgrade pytest
-  - pip install --upgrade pytest-cov
-  - pip install --upgrade coveralls
-script:
-  - py.test --cov-report= --cov=ssh-audit -v test
-after_success:
-  - coveralls
 
+python:
+  - "3.5"
+  - "3.6"
+  - "3.7"
+  - "3.8"
+
+cache:
+  - pip
+
+install:
+  - pip install -U pip tox tox-travis coveralls codecov
+
+script:
+  - tox
+
+after_success:
+  - codecov

CONTRIBUTING.md

@@ -0,0 +1,26 @@
+# Contributing to ssh-audit
+
+We are very much open to receiving patches from the community!  To encourage participation, passing Travis tests, unit tests, etc., *is OPTIONAL*.  As long as the patch works properly, it can be merged (please submit pull requests to the `dev` branch).
+
+However, if you can submit patches that pass all of our automated tests, then you'll lighten the load for the project maintainer (who already has enough to do!).  This document describes what tests are done and what documentation is maintained.
+
+*Anything extra you can do is appreciated!*
+
+
+## Tox Tests
+
+Tox is used to do unit testing, linting with [pylint](http://pylint.pycqa.org/en/latest/) & [flake8](https://flake8.pycqa.org/en/latest/), and static type-checking with [mypy](https://mypy.readthedocs.io/en/stable/).
+
+Install tox with `apt install tox`, then simply run `tox` in the top-level directory.  Look for any error messages in the (verbose) output.
+
+
+## Docker Tests
+
+Docker is used to run ssh-audit against various real SSH servers (OpenSSH, Dropbear, and TinySSH).  The output is then diff'ed against the expected result.  Any differences result in failure.
+
+The docker tests are run with `./docker_test.sh`.  The first time it is run, it will download and compile the SSH servers; this may take awhile.  Subsequent runs, however, will take only a minute to complete, as the docker image will already be up-to-date.
+
+
+## Man Page
+
+The `ssh-audit.1` man page documents the various features of ssh-audit.  If features are added, or significant behavior is modified, the man page needs to be updated.

LICENSE

@@ -0,0 +1,23 @@
+The MIT License (MIT)
+
+Copyright (C) 2017-2020 Joe Testa (jtesta@positronsecurity.com)
+Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
+
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1,10 +1,17 @@
 # ssh-audit
-[![build status](https://api.travis-ci.org/arthepsy/ssh-audit.svg)](https://travis-ci.org/arthepsy/ssh-audit)
-[![coverage status](https://coveralls.io/repos/github/arthepsy/ssh-audit/badge.svg)](https://coveralls.io/github/arthepsy/ssh-audit)  
-**ssh-audit** is a tool for ssh server auditing.  
+<!--
+[![travis build status](https://api.travis-ci.org/arthepsy/ssh-audit.svg?branch=develop)](https://travis-ci.org/arthepsy/ssh-audit)
+[![appveyor build status](https://ci.appveyor.com/api/projects/status/4m5r73m0r023edil/branch/develop?svg=true)](https://ci.appveyor.com/project/arthepsy/ssh-audit)
+[![codecov](https://codecov.io/gh/arthepsy/ssh-audit/branch/develop/graph/badge.svg)](https://codecov.io/gh/arthepsy/ssh-audit)
+[![Quality Gate](https://sonarqube.com/api/badges/gate?key=arthepsy-github%3Assh-audit%3Adevelop&template=ROUNDED)](https://sq.evolutiongaming.com/dashboard?id=arthepsy-github%3Assh-audit%3Adevelop)  
+-->
+**ssh-audit** is a tool for ssh server & client configuration auditing.
+
+[jtesta/ssh-audit](https://github.com/jtesta/ssh-audit/) (v2.0+) is the updated and maintained version of ssh-audit forked from [arthepsy/ssh-audit](https://github.com/arthepsy/ssh-audit) (v1.x) due to inactivity.
 
 ## Features
 - SSH1 and SSH2 protocol server support;
+- analyze SSH client configuration;
 - grab banner, recognize device or software and operating system, detect compression;
 - gather key-exchange, host-key, encryption and message authentication code algorithms;
 - output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
@@ -12,31 +19,185 @@
 - output security information (related issues, assigned CVE list, etc);
 - analyze SSH version compatibility based on algorithm information;
 - historical information from OpenSSH, Dropbear SSH and libssh;
-- no dependencies, compatible with Python 2.6+, Python 3.x and PyPy;
+- policy scans to ensure adherence to a hardened/standard configuration;
+- runs on Linux and Windows;
+- no dependencies
 
 ## Usage
 ```
-usage: ssh-audit.py [-1246pbnvl] <host>
+usage: ssh-audit.py [options] <host>
 
+   -h,  --help             print this help
    -1,  --ssh1             force ssh version 1 only
    -2,  --ssh2             force ssh version 2 only
    -4,  --ipv4             enable IPv4 (order of precedence)
    -6,  --ipv6             enable IPv6 (order of precedence)
-   -p,  --port=<port>      port to connect
    -b,  --batch            batch output
-   -n,  --no-colors        disable colors
-   -v,  --verbose          verbose output
+   -c,  --client-audit     starts a server on port 2222 to audit client
+                               software config (use -p to change port;
+                               use -t to change timeout)
+   -j,  --json             JSON output
    -l,  --level=<level>    minimum output level (info|warn|fail)
-   
+   -L,  --list-policies    list all the official, built-in policies
+        --lookup=<alg1,alg2,...>    looks up an algorithm(s) without
+                                    connecting to a server
+   -M,  --make-policy=<policy.txt>  creates a policy based on the target server
+                                    (i.e.: the target server has the ideal
+                                    configuration that other servers should
+                                    adhere to)
+   -n,  --no-colors        disable colors
+   -p,  --port=<port>      port to connect
+   -P,  --policy=<policy.txt>  run a policy test using the specified policy
+   -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
+                               (default: 5)
+   -T,  --targets=<hosts.txt>  a file containing a list of target hosts (one
+                                   per line, format HOST[:PORT])
+   -v,  --verbose          verbose output
 ```
 * if both IPv4 and IPv6 are used, order of precedence can be set by using either `-46` or `-64`.  
 * batch flag `-b` will output sections without header and without empty lines (implies verbose flag).  
 * verbose flag `-v` will prefix each line with section type and algorithm name.  
+* an exit code of 0 is returned when all algorithms are considered secure (for a standard audit), or when a policy check passes (for a policy audit).
 
-### example
-![screenshot](https://cloud.githubusercontent.com/assets/7356025/19233757/3e09b168-8ef0-11e6-91b4-e880bacd0b8a.png)
+Basic server auditing:
+```
+ssh-audit localhost
+ssh-audit 127.0.0.1
+ssh-audit 127.0.0.1:222
+ssh-audit ::1
+ssh-audit [::1]:222
+```
+
+To run a standard audit against many servers (place targets into servers.txt, one on each line in the format of `HOST[:PORT]`):
+
+```
+ssh-audit -T servers.txt
+```
+
+To audit a client configuration (listens on port 2222 by default; connect using `ssh anything@localhost`):
+
+```
+ssh-audit -c
+```
+
+To audit a client configuration, with a listener on port 4567:
+```
+ssh-audit -c -p 4567
+```
+
+To  list all official built-in policies (hint: use resulting file paths with `-P`/`--policy`):
+```
+ssh-audit -L
+```
+
+To run a policy audit against a server:
+```
+ssh-audit -P path/to/server_policy targetserver
+```
+
+To run a policy audit against a client:
+```
+ssh-audit -c -P path/to/client_policy
+```
+
+To run a policy audit against many servers:
+```
+ssh-audit -T servers.txt -P path/to/server_policy
+```
+
+To create a policy based on a target server (which can be manually edited; see official built-in policies for syntax examples):
+```
+ssh-audit -M new_policy.txt targetserver
+```
+
+### Server Standard Audit Example
+Below is a screen shot of the standard server-auditing output when connecting to an unhardened OpenSSH v5.3 service:
+![screenshot](https://user-images.githubusercontent.com/2982011/64388792-317e6f80-d00e-11e9-826e-a4934769bb07.png)
+
+### Server Policy Audit Example
+Below is a screen shot of the policy auditing output when connecting to an un-hardened Ubuntu Server 20.04 machine:
+![screenshot](https://user-images.githubusercontent.com/2982011/94370881-95178700-00c0-11eb-8705-3157a4669dc0.png)
+
+After applying the steps in the hardening guide (see below), the output changes to the following:
+![screenshot](https://user-images.githubusercontent.com/2982011/94370873-87620180-00c0-11eb-9a59-469f61a56ce1.png)
+
+### Client Standard Audit Example
+Below is a screen shot of the client-auditing output when an unhardened OpenSSH v7.2 client connects:
+![client_screenshot](https://user-images.githubusercontent.com/2982011/68867998-b946c100-06c4-11ea-975f-1f47e4178a74.png)
+
+### Hardening Guides
+Guides to harden server & client configuration can be found here: [https://www.ssh-audit.com/hardening_guides.html](https://www.ssh-audit.com/hardening_guides.html)
+
+### Pre-Built Packages
+Pre-built packages are available for Windows (see the releases page), on PyPI, Snap, and Homebrew.
+
+To install from PyPI:
+```
+$ pip3 install ssh-audit
+```
+
+To install the Snap package:
+```
+$ snap install ssh-audit
+```
+
+To install on Homebrew:
+```
+$ brew install ssh-audit
+```
+
+### Web Front-End
+For convenience, a web front-end on top of the command-line tool is available at [https://www.ssh-audit.com/](https://www.ssh-audit.com/).
 
 ## ChangeLog
+### v2.3.0 (2020-09-27)
+ - Added new policy auditing functionality to test adherence to a hardening guide/standard configuration (see `-L`/`--list-policies`, `-M`/`--make-policy` and `-P`/`--policy`).  For an in-depth tutorial, see <https://www.positronsecurity.com/blog/2020-09-27-ssh-policy-configuration-checks-with-ssh-audit/>.
+ - Created new man page (see `ssh-audit.1` file).
+ - 1024-bit moduli upgraded from warnings to failures.
+ - Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit [Jürgen Gmach](https://github.com/jugmac00).
+ - Added feature to look up algorithms in internal database (see `--lookup`); credit [Adam Russell](https://github.com/thecliguy).
+ - Suppress recommendation of token host key types.
+ - Added check for use-after-free vulnerability in PuTTY v0.73.
+ - Added 11 new host key types: `ssh-rsa1`, `ssh-dss-sha256@ssh.com`, `ssh-gost2001`, `ssh-gost2012-256`, `ssh-gost2012-512`, `spki-sign-rsa`, `ssh-ed448`, `x509v3-ecdsa-sha2-nistp256`, `x509v3-ecdsa-sha2-nistp384`, `x509v3-ecdsa-sha2-nistp521`, `x509v3-rsa2048-sha256`.
+ - Added 8 new key exchanges: `diffie-hellman-group1-sha256`, `kexAlgoCurve25519SHA256`, `Curve25519SHA256`, `gss-group14-sha256-`, `gss-group15-sha512-`, `gss-group16-sha512-`, `gss-nistp256-sha256-`, `gss-curve25519-sha256-`.
+ - Added 5 new ciphers: `blowfish`, `AEAD_AES_128_GCM`, `AEAD_AES_256_GCM`, `crypticore128@ssh.com`, `seed-cbc@ssh.com`.
+ - Added 3 new MACs: `chacha20-poly1305@openssh.com`, `hmac-sha3-224`, `crypticore-mac@ssh.com`.
+
+### v2.2.0 (2020-03-11)
+ - Marked host key type `ssh-rsa` as weak due to [practical SHA-1 collisions](https://eprint.iacr.org/2020/014.pdf).
+ - Added Windows builds.
+ - Added 10 new host key types: `ecdsa-sha2-1.3.132.0.10`, `x509v3-sign-dss`, `x509v3-sign-rsa`, `x509v3-sign-rsa-sha256@ssh.com`, `x509v3-ssh-dss`, `x509v3-ssh-rsa`, `sk-ecdsa-sha2-nistp256-cert-v01@openssh.com`, `sk-ecdsa-sha2-nistp256@openssh.com`, `sk-ssh-ed25519-cert-v01@openssh.com`, and `sk-ssh-ed25519@openssh.com`.
+ - Added 18 new key exchanges: `diffie-hellman-group14-sha256@ssh.com`, `diffie-hellman-group15-sha256@ssh.com`, `diffie-hellman-group15-sha384@ssh.com`, `diffie-hellman-group16-sha384@ssh.com`, `diffie-hellman-group16-sha512@ssh.com`, `diffie-hellman-group18-sha512@ssh.com`, `ecdh-sha2-curve25519`, `ecdh-sha2-nistb233`, `ecdh-sha2-nistb409`, `ecdh-sha2-nistk163`, `ecdh-sha2-nistk233`, `ecdh-sha2-nistk283`, `ecdh-sha2-nistk409`, `ecdh-sha2-nistp192`, `ecdh-sha2-nistp224`, `ecdh-sha2-nistt571`, `gss-gex-sha1-`, and `gss-group1-sha1-`.
+ - Added 9 new ciphers: `camellia128-cbc`, `camellia128-ctr`, `camellia192-cbc`, `camellia192-ctr`, `camellia256-cbc`, `camellia256-ctr`, `aes128-gcm`, `aes256-gcm`, and `chacha20-poly1305`.
+ - Added 2 new MACs: `aes128-gcm` and `aes256-gcm`.
+
+### v2.1.1 (2019-11-26)
+ - Added 2 new host key types: `rsa-sha2-256-cert-v01@openssh.com`, `rsa-sha2-512-cert-v01@openssh.com`.
+ - Added 2 new ciphers: `des`, `3des`.
+ - Added 3 new PuTTY vulnerabilities.
+ - During client testing, client IP address is now listed in output.
+
+### v2.1.0 (2019-11-14)
+ - Added client software auditing functionality (see `-c` / `--client-audit` option).
+ - Added JSON output option (see `-j` / `--json` option; credit [Andreas Jaggi](https://github.com/x-way)).
+ - Fixed crash while scanning Solaris Sun_SSH.
+ - Added 9 new key exchanges: `gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==`, `gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==`, `gss-group14-sha1-`, `gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==`, `gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==`, `gss-group15-sha512-toWM5Slw5Ew8Mqkay+al2g==`, `diffie-hellman-group15-sha256`, `ecdh-sha2-1.3.132.0.10`, `curve448-sha512`.
+ - Added 1 new host key type: `ecdsa-sha2-1.3.132.0.10`.
+ - Added 4 new ciphers: `idea-cbc`, `serpent128-cbc`, `serpent192-cbc`, `serpent256-cbc`.
+ - Added 6 new MACs: `hmac-sha2-256-96-etm@openssh.com`, `hmac-sha2-512-96-etm@openssh.com`, `hmac-ripemd`, `hmac-sha256-96@ssh.com`, `umac-32@openssh.com`, `umac-96@openssh.com`.
+
+### v2.0.0 (2019-08-29)
+ - Forked from https://github.com/arthepsy/ssh-audit (development was stalled, and developer went MIA).
+ - Added RSA host key length test.
+ - Added RSA certificate key length test.
+ - Added Diffie-Hellman modulus size test.
+ - Now outputs host key fingerprints for RSA and ED25519.
+ - Added 5 new key exchanges: `sntrup4591761x25519-sha512@tinyssh.org`, `diffie-hellman-group-exchange-sha256@ssh.com`, `diffie-hellman-group-exchange-sha512@ssh.com`, `diffie-hellman-group16-sha256`, `diffie-hellman-group17-sha512`.
+ - Added 3 new encryption algorithms: `des-cbc-ssh1`, `blowfish-ctr`, `twofish-ctr`.
+ - Added 10 new MACs: `hmac-sha2-56`, `hmac-sha2-224`, `hmac-sha2-384`, `hmac-sha3-256`, `hmac-sha3-384`, `hmac-sha3-512`, `hmac-sha256`, `hmac-sha256@ssh.com`, `hmac-sha512`, `hmac-512@ssh.com`.
+ - Added command line argument (`-t` / `--timeout`) for connection & reading timeouts.
+ - Updated CVEs for libssh & Dropbear.
+
 ### v1.7.0 (2016-10-26)
  - implement options to allow specify IPv4/IPv6 usage and order of precedence
  - implement option to specify remote port (old behavior kept for compatibility)

docker_test.sh

@@ -0,0 +1,631 @@
+#!/bin/bash
+
+#
+# This script will set up a docker image with multiple versions of OpenSSH, then
+# use it to run tests.
+#
+# For debugging purposes, here is a cheat sheet for manually running the docker image:
+#
+# docker run -p 2222:22 -it ssh-audit-test:X /bin/bash
+# docker run -p 2222:22 --security-opt seccomp:unconfined -it ssh-audit-test /debug.sh
+# docker run -d -p 2222:22 ssh-audit-test:X /openssh/sshd-5.6p1 -D -f /etc/ssh/sshd_config-5.6p1_test1
+# docker run -d -p 2222:22 ssh-audit-test:X /openssh/sshd-8.0p1 -D -f /etc/ssh/sshd_config-8.0p1_test1
+#
+
+
+# This is the docker tag for the image.  If this tag doesn't exist, then we assume the
+# image is out of date, and generate a new one with this tag.
+IMAGE_VERSION=3
+
+# This is the name of our docker image.
+IMAGE_NAME=ssh-audit-test
+
+
+# Terminal colors.
+CLR="\033[0m"
+RED="\033[0;31m"
+GREEN="\033[0;32m"
+REDB="\033[1;31m"   # Red + bold
+GREENB="\033[1;32m" # Green + bold
+
+# Program return values.
+PROGRAM_RETVAL_FAILURE=3
+PROGRAM_RETVAL_WARNING=2
+PROGRAM_RETVAL_CONNECTION_ERROR=1
+PROGRAM_RETVAL_GOOD=0
+
+
+# Returns 0 if current docker image exists.
+function check_if_docker_image_exists {
+    images=`docker image ls | egrep "$IMAGE_NAME[[:space:]]+$IMAGE_VERSION"`
+}
+
+
+# Uncompresses and compiles the specified version of Dropbear.
+function compile_dropbear {
+    version=$1
+    compile 'Dropbear' $version
+}
+
+
+# Uncompresses and compiles the specified version of OpenSSH.
+function compile_openssh {
+    version=$1
+    compile 'OpenSSH' $version
+}
+
+
+# Uncompresses and compiles the specified version of TinySSH.
+function compile_tinyssh {
+    version=$1
+    compile 'TinySSH' $version
+}
+
+
+function compile {
+    project=$1
+    version=$2
+
+    tarball=
+    uncompress_options=
+    source_dir=
+    server_executable=
+    if [[ $project == 'OpenSSH' ]]; then
+	tarball="openssh-${version}.tar.gz"
+	uncompress_options="xzf"
+	source_dir="openssh-${version}"
+	server_executable=sshd
+    elif [[ $project == 'Dropbear' ]]; then
+	tarball="dropbear-${version}.tar.bz2"
+	uncompress_options="xjf"
+	source_dir="dropbear-${version}"
+	server_executable=dropbear
+    elif [[ $project == 'TinySSH' ]]; then
+	tarball="${version}.tar.gz"
+	uncompress_options="xzf"
+	source_dir="tinyssh-${version}"
+	server_executable='build/bin/tinysshd'
+    fi
+
+    echo "Uncompressing ${project} ${version}..."
+    tar $uncompress_options $tarball
+
+    echo "Compiling ${project} ${version}..."
+    pushd $source_dir > /dev/null
+
+    # TinySSH has no configure script... only a Makefile.
+    if [[ $project == 'TinySSH' ]]; then
+	make -j 10
+    else
+	./configure && make -j 10
+    fi
+
+    if [[ ! -f $server_executable ]]; then
+	echo -e "${REDB}Error: ${server_executable} not built!${CLR}"
+	exit 1
+    fi
+
+    echo -e "\n${GREEN}Successfully built ${project} ${version}${CLR}\n"
+    popd > /dev/null
+}
+
+
+# Creates a new docker image.
+function create_docker_image {
+    # Create a new temporary directory.
+    TMP_DIR=`mktemp -d /tmp/sshaudit-docker-XXXXXXXXXX`
+
+    # Copy the Dockerfile and all files in the test/docker/ dir to our new temp directory.
+    find test/docker/ -maxdepth 1 -type f | xargs cp -t $TMP_DIR
+
+    # Make the temp directory our working directory for the duration of the build
+    # process.
+    pushd $TMP_DIR > /dev/null
+
+    # Get the release keys.
+    get_dropbear_release_key
+    get_openssh_release_key
+    get_tinyssh_release_key
+
+    # Aside from checking the GPG signatures, we also compare against this known-good
+    # SHA-256 hash just in case.
+    get_openssh '4.0p1' '5adb9b2c2002650e15216bf94ed9db9541d9a17c96fcd876784861a8890bc92b'
+    get_openssh '5.6p1' '538af53b2b8162c21a293bb004ae2bdb141abd250f61b4cea55244749f3c6c2b'
+    get_openssh '8.0p1' 'bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0b437320c3481fd68'
+    get_dropbear '2019.78' '525965971272270995364a0eb01f35180d793182e63dd0b0c3eb0292291644a4'
+    get_tinyssh '20190101' '554a9a94e53b370f0cd0c5fbbd322c34d1f695cbcea6a6a32dcb8c9f595b3fea'
+
+    # Compile the versions of OpenSSH.
+    compile_openssh '4.0p1'
+    compile_openssh '5.6p1'
+    compile_openssh '8.0p1'
+
+    # Compile the versions of Dropbear.
+    compile_dropbear '2019.78'
+
+    # Compile the versions of TinySSH.
+    compile_tinyssh '20190101'
+
+
+    # Rename the default config files so we know they are our originals.
+    mv openssh-4.0p1/sshd_config sshd_config-4.0p1_orig
+    mv openssh-5.6p1/sshd_config sshd_config-5.6p1_orig
+    mv openssh-8.0p1/sshd_config sshd_config-8.0p1_orig
+
+
+    # Create the configurations for each test.
+
+
+    #
+    # OpenSSH v4.0p1
+    #
+
+    # Test 1: Basic test.
+    create_openssh_config '4.0p1' 'test1' "HostKey /etc/ssh/ssh1_host_key\nHostKey /etc/ssh/ssh_host_rsa_key_1024\nHostKey /etc/ssh/ssh_host_dsa_key"
+
+
+    #
+    # OpenSSH v5.6p1
+    #
+
+    # Test 1: Basic test.
+    create_openssh_config '5.6p1' 'test1' "HostKey /etc/ssh/ssh_host_rsa_key_1024\nHostKey /etc/ssh/ssh_host_dsa_key"
+
+    # Test 2: RSA 1024 host key with RSA 1024 certificate.
+    create_openssh_config '5.6p1' 'test2' "HostKey /etc/ssh/ssh_host_rsa_key_1024\nHostCertificate /etc/ssh/ssh_host_rsa_key_1024-cert_1024.pub"
+    
+    # Test 3: RSA 1024 host key with RSA 3072 certificate.
+    create_openssh_config '5.6p1' 'test3' "HostKey /etc/ssh/ssh_host_rsa_key_1024\nHostCertificate /etc/ssh/ssh_host_rsa_key_1024-cert_3072.pub"
+
+    # Test 4: RSA 3072 host key with RSA 1024 certificate.
+    create_openssh_config '5.6p1' 'test4' "HostKey /etc/ssh/ssh_host_rsa_key_3072\nHostCertificate /etc/ssh/ssh_host_rsa_key_3072-cert_1024.pub"
+
+    # Test 5: RSA 3072 host key with RSA 3072 certificate.
+    create_openssh_config '5.6p1' 'test5' "HostKey /etc/ssh/ssh_host_rsa_key_3072\nHostCertificate /etc/ssh/ssh_host_rsa_key_3072-cert_3072.pub"
+
+
+    #
+    # OpenSSH v8.0p1
+    #
+
+    # Test 1: Basic test.
+    create_openssh_config '8.0p1' 'test1' "HostKey /etc/ssh/ssh_host_rsa_key_3072\nHostKey /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key"
+
+    # Test 2: ED25519 certificate test.
+    create_openssh_config '8.0p1' 'test2' "HostKey /etc/ssh/ssh_host_ed25519_key\nHostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"
+
+    # Test 3: Hardened installation test.
+    create_openssh_config '8.0p1' 'test3' "HostKey /etc/ssh/ssh_host_ed25519_key\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com"
+
+
+    # Now build the docker image!
+    docker build --tag $IMAGE_NAME:$IMAGE_VERSION .
+
+    popd > /dev/null
+    rm -rf $TMP_DIR
+}
+
+
+# Creates an OpenSSH configuration file for a specific test.
+function create_openssh_config {
+    openssh_version=$1
+    test_number=$2
+    config_text=$3
+
+    cp sshd_config-${openssh_version}_orig sshd_config-${openssh_version}_${test_number}
+    echo -e "${config_text}" >> sshd_config-${openssh_version}_${test_number}
+}
+
+
+# Downloads the Dropbear release key and adds it to the local keyring.
+function get_dropbear_release_key {
+    get_release_key 'Dropbear' 'https://matt.ucc.asn.au/dropbear/releases/dropbear-key-2015.asc' 'F29C6773' 'F734 7EF2 EE2E 07A2 6762  8CA9 4493 1494 F29C 6773'
+}
+
+
+# Downloads the OpenSSH release key and adds it to the local keyring.
+function get_openssh_release_key {
+    get_release_key 'OpenSSH' 'https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc' '6D920D30' '59C2 118E D206 D927 E667  EBE3 D3E5 F56B 6D92 0D30'
+}
+
+
+# Downloads the TinySSH release key and adds it to the local keyring.
+function get_tinyssh_release_key {
+    get_release_key 'TinySSH' '' '96939FF9' 'AADF 2EDF 5529 F170 2772  C8A2 DEC4 D246 931E F49B'
+}
+
+
+function get_release_key {
+    project=$1
+    key_url=$2
+    key_id=$3
+    release_key_fingerprint_expected=$4
+
+    # The TinySSH release key isn't on any website, apparently.
+    if [[ $project == 'TinySSH' ]]; then
+	gpg --recv-key $key_id
+    else
+	echo -e "\nGetting ${project} release key...\n"
+	wget -O key.asc $2
+
+	echo -e "\nImporting ${project} release key...\n"
+	gpg --import key.asc
+
+	rm key.asc
+    fi
+
+    local release_key_fingerprint_actual=`gpg --fingerprint ${key_id}`
+    if [[ $release_key_fingerprint_actual != *"$release_key_fingerprint_expected"* ]]; then
+        echo -e "\n${REDB}Error: ${project} release key fingerprint does not match expected value!\n\tExpected: $release_key_fingerprint_expected\n\tActual: $release_key_fingerprint_actual\n\nTerminating.${CLR}"
+        exit -1
+    fi
+    echo -e "\n\n${GREEN}${project} release key matches expected value.${CLR}\n"
+}
+
+
+# Downloads the specified version of Dropbear.
+function get_dropbear {
+    version=$1
+    tarball_checksum_expected=$2
+    get_source 'Dropbear' $version $tarball_checksum_expected
+}
+
+
+# Downloads the specified version of OpenSSH.
+function get_openssh {
+    version=$1
+    tarball_checksum_expected=$2
+    get_source 'OpenSSH' $version $tarball_checksum_expected
+}
+
+
+# Downloads the specified version of TinySSH.
+function get_tinyssh {
+    version=$1
+    tarball_checksum_expected=$2
+    get_source 'TinySSH' $version $tarball_checksum_expected
+}
+
+
+function get_source {
+    project=$1
+    version=$2
+    tarball_checksum_expected=$3
+
+    base_url_source=
+    base_url_sig=
+    tarball=
+    sig=
+    signer=
+    if [[ $project == 'OpenSSH' ]]; then
+	base_url_source='https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/'
+	base_url_sig=$base_url_source
+	tarball="openssh-${version}.tar.gz"
+	sig="${tarball}.asc"
+	signer="Damien Miller "
+    elif [[ $project == 'Dropbear' ]]; then
+	base_url_source='https://matt.ucc.asn.au/dropbear/releases/'
+	base_url_sig=$base_url_source
+	tarball="dropbear-${version}.tar.bz2"
+	sig="${tarball}.asc"
+	signer="Dropbear SSH Release Signing <matt@ucc.asn.au>"
+    elif [[ $project == 'TinySSH' ]]; then
+	base_url_source='https://github.com/janmojzis/tinyssh/archive/'
+	base_url_sig="https://github.com/janmojzis/tinyssh/releases/download/${version}/"
+	tarball="${version}.tar.gz"
+	sig="${tarball}.asc"
+	signer="Jan Mojžíš <jan.mojzis@gmail.com>"
+    fi
+
+    echo -e "\nGetting ${project} ${version} sources...\n"
+    wget "${base_url_source}${tarball}"
+
+    echo -e "\nGetting ${project} ${version} signature...\n"
+    wget "${base_url_sig}${sig}"
+
+
+    # Older OpenSSH releases were .sigs.
+    if [[ ($project == 'OpenSSH') && (! -f $sig) ]]; then
+	wget ${base_url_sig}openssh-${version}.tar.gz.sig
+	sig=openssh-${version}.tar.gz.sig
+    fi
+
+    local gpg_verify=`gpg --verify ${sig} ${tarball} 2>&1`
+    if [[ $gpg_verify != *"Good signature from \"${signer}"* ]]; then
+        echo -e "\n\n${REDB}Error: ${project} signature invalid!\n$gpg_verify\n\nTerminating.${CLR}"
+        exit -1
+    fi
+
+    # Check GPG's return value.  0 denotes a valid signature, and 1 is returned
+    # on invalid signatures.
+    if [[ $? != 0 ]]; then
+        echo -e "\n\n${REDB}Error: ${project} signature invalid!  Verification returned code: $?\n\nTerminating.${CLR}"
+        exit -1
+    fi
+
+    echo -e "${GREEN}Signature on ${project} sources verified.${CLR}\n"
+
+    local checksum_actual=`sha256sum ${tarball} | cut -f1 -d" "`
+    if [[ $checksum_actual != $tarball_checksum_expected ]]; then
+        echo -e "${REDB}Error: ${project} checksum is invalid!\n  Expected: ${tarball_checksum_expected}\n  Actual:   ${checksum_actual}\n\n  Terminating.${CLR}"
+        exit -1
+    fi
+}
+
+
+# Runs a Dropbear test.  Upon failure, a diff between the expected and actual results
+# is shown, then the script immediately terminates.
+function run_dropbear_test {
+    dropbear_version=$1
+    test_number=$2
+    options=$3
+    expected_retval=$4
+
+    run_test 'Dropbear' $dropbear_version $test_number "$options" $expected_retval
+}
+
+
+# Runs an OpenSSH test.  Upon failure, a diff between the expected and actual results
+# is shown, then the script immediately terminates.
+function run_openssh_test {
+    openssh_version=$1
+    test_number=$2
+    expected_retval=$3
+
+    run_test 'OpenSSH' $openssh_version $test_number '' $expected_retval
+}
+
+
+# Runs a TinySSH test.  Upon failure, a diff between the expected and actual results
+# is shown, then the script immediately terminates.
+function run_tinyssh_test {
+    tinyssh_version=$1
+    test_number=$2
+    expected_retval=$3
+
+    run_test 'TinySSH' $tinyssh_version $test_number '' $expected_retval
+}
+
+
+function run_test {
+    server_type=$1
+    version=$2
+    test_number=$3
+    options=$4
+    expected_retval=$5
+
+    server_exec=
+    test_result_stdout=
+    test_result_json=
+    expected_result_stdout=
+    expected_result_json=
+    test_name=
+    if [[ $server_type == 'OpenSSH' ]]; then
+	server_exec="/openssh/sshd-${version} -D -f /etc/ssh/sshd_config-${version}_${test_number}"
+	test_result_stdout="${TEST_RESULT_DIR}/openssh_${version}_${test_number}.txt"
+	test_result_json="${TEST_RESULT_DIR}/openssh_${version}_${test_number}.json"
+	expected_result_stdout="test/docker/expected_results/openssh_${version}_${test_number}.txt"
+	expected_result_json="test/docker/expected_results/openssh_${version}_${test_number}.json"
+	test_name="OpenSSH ${version} ${test_number}"
+	options=
+    elif [[ $server_type == 'Dropbear' ]]; then
+	server_exec="/dropbear/dropbear-${version} -F ${options}"
+	test_result_stdout="${TEST_RESULT_DIR}/dropbear_${version}_${test_number}.txt"
+	test_result_json="${TEST_RESULT_DIR}/dropbear_${version}_${test_number}.json"
+	expected_result_stdout="test/docker/expected_results/dropbear_${version}_${test_number}.txt"
+	expected_result_json="test/docker/expected_results/dropbear_${version}_${test_number}.json"
+	test_name="Dropbear ${version} ${test_number}"
+    elif [[ $server_type == 'TinySSH' ]]; then
+	server_exec="/usr/bin/tcpserver -HRDl0 0.0.0.0 22 /tinysshd/tinyssh-20190101 -v /etc/tinyssh/"
+	test_result_stdout="${TEST_RESULT_DIR}/tinyssh_${version}_${test_number}.txt"
+	test_result_json="${TEST_RESULT_DIR}/tinyssh_${version}_${test_number}.json"
+	expected_result_stdout="test/docker/expected_results/tinyssh_${version}_${test_number}.txt"
+	expected_result_json="test/docker/expected_results/tinyssh_${version}_${test_number}.json"
+	test_name="TinySSH ${version} ${test_number}"
+    fi
+
+    cid=`docker run -d -p 2222:22 ${IMAGE_NAME}:${IMAGE_VERSION} ${server_exec}`
+    if [[ $? != 0 ]]; then
+	echo -e "${REDB}Failed to run docker image! (exit code: $?)${CLR}"
+	exit 1
+    fi
+
+    ./ssh-audit.py localhost:2222 > $test_result_stdout
+    actual_retval=$?
+    if [[ $actual_retval != $expected_retval ]]; then
+	echo -e "${REDB}Unexpected return value.  Expected: ${expected_retval}; Actual: ${actual_retval}${CLR}"
+	docker container stop -t 0 $cid > /dev/null
+	exit 1
+    fi
+
+    ./ssh-audit.py -j localhost:2222 > $test_result_json
+    actual_retval=$?
+    if [[ $actual_retval != $expected_retval ]]; then
+	echo -e "${REDB}Unexpected return value.  Expected: ${expected_retval}; Actual: ${actual_retval}${CLR}"
+	docker container stop -t 0 $cid > /dev/null
+	exit 1
+    fi
+
+    docker container stop -t 0 $cid > /dev/null
+    if [[ $? != 0 ]]; then
+       echo -e "${REDB}Failed to stop docker container ${cid}! (exit code: $?)${CLR}"
+       exit 1
+    fi
+
+    # TinySSH outputs a random string in each banner, which breaks our test.  So
+    # we need to filter out the banner part of the output so we get stable, repeatable
+    # results.
+    if [[ $server_type == 'TinySSH' ]]; then
+	grep -v "(gen) banner: " ${test_result_stdout} > "${test_result_stdout}.tmp"
+	mv "${test_result_stdout}.tmp" ${test_result_stdout}
+	cat "${test_result_json}" | perl -pe 's/"comments": ".*?"/"comments": ""/' | perl -pe 's/"raw": ".+?"/"raw": ""/' > "${test_result_json}.tmp"
+	mv "${test_result_json}.tmp" ${test_result_json}
+    fi
+
+    diff=`diff -u ${expected_result_stdout} ${test_result_stdout}`
+    if [[ $? != 0 ]]; then
+	echo -e "${test_name} ${REDB}FAILED${CLR}.\n\n${diff}\n"
+	exit 1
+    fi
+
+    diff=`diff -u ${expected_result_json} ${test_result_json}`
+    if [[ $? != 0 ]]; then
+	echo -e "${test_name} ${REDB}FAILED${CLR}.\n\n${diff}\n"
+	exit 1
+    fi
+    echo -e "${test_name} ${GREEN}passed${CLR}."
+}
+
+
+function run_policy_test {
+    config_number=$1  # The configuration number to use.
+    test_number=$2    # The policy test number to run.
+    expected_exit_code=$3  # The expected exit code of ssh-audit.py.
+
+    version=
+    config=
+    if [[ ${config_number} == 'config1' ]]; then
+        version='5.6p1'
+        config='sshd_config-5.6p1_test1'
+    elif [[ ${config_number} == 'config2' ]]; then
+        version='8.0p1'
+        config='sshd_config-8.0p1_test1'
+    elif [[ ${config_number} == 'config3' ]]; then
+        version='5.6p1'
+        config='sshd_config-5.6p1_test4'
+    fi
+
+    server_exec="/openssh/sshd-${version} -D -f /etc/ssh/${config}"
+    policy_path="test/docker/policies/policy_${test_number}.txt"
+    test_result_stdout="${TEST_RESULT_DIR}/openssh_${version}_policy_${test_number}.txt"
+    test_result_json="${TEST_RESULT_DIR}/openssh_${version}_policy_${test_number}.json"
+    expected_result_stdout="test/docker/expected_results/openssh_${version}_policy_${test_number}.txt"
+    expected_result_json="test/docker/expected_results/openssh_${version}_policy_${test_number}.json"
+    test_name="OpenSSH ${version} policy ${test_number}"
+
+    #echo "Running: docker run -d -p 2222:22 ${IMAGE_NAME}:${IMAGE_VERSION} ${server_exec}"
+    cid=`docker run -d -p 2222:22 ${IMAGE_NAME}:${IMAGE_VERSION} ${server_exec}`
+    if [[ $? != 0 ]]; then
+	echo -e "${REDB}Failed to run docker image! (exit code: $?)${CLR}"
+	exit 1
+    fi
+
+    #echo "Running: ./ssh-audit.py -P ${policy_path} localhost:2222 > ${test_result_stdout}"
+    ./ssh-audit.py -P ${policy_path} localhost:2222 > ${test_result_stdout}
+    actual_exit_code=$?
+    if [[ ${actual_exit_code} != ${expected_exit_code} ]]; then
+	echo -e "${test_name} ${REDB}FAILED${CLR} (expected exit code: ${expected_exit_code}; actual exit code: ${actual_exit_code}\n"
+        cat ${test_result_stdout}
+	docker container stop -t 0 $cid > /dev/null
+	exit 1
+    fi
+
+    #echo "Running: ./ssh-audit.py -P ${policy_path} -j localhost:2222 > ${test_result_json}"
+    ./ssh-audit.py -P ${policy_path} -j localhost:2222 > ${test_result_json}
+    actual_exit_code=$?
+    if [[ ${actual_exit_code} != ${expected_exit_code} ]]; then
+	echo -e "${test_name} ${REDB}FAILED${CLR} (expected exit code: ${expected_exit_code}; actual exit code: ${actual_exit_code}\n"
+        cat ${test_result_json}
+	docker container stop -t 0 $cid > /dev/null
+	exit 1
+    fi
+
+    docker container stop -t 0 $cid > /dev/null
+    if [[ $? != 0 ]]; then
+       echo -e "${REDB}Failed to stop docker container ${cid}! (exit code: $?)${CLR}"
+       exit 1
+    fi
+
+    diff=`diff -u ${expected_result_stdout} ${test_result_stdout}`
+    if [[ $? != 0 ]]; then
+	echo -e "${test_name} ${REDB}FAILED${CLR}.\n\n${diff}\n"
+	exit 1
+    fi
+
+    diff=`diff -u ${expected_result_json} ${test_result_json}`
+    if [[ $? != 0 ]]; then
+	echo -e "${test_name} ${REDB}FAILED${CLR}.\n\n${diff}\n"
+	exit 1
+    fi
+
+    echo -e "${test_name} ${GREEN}passed${CLR}."
+}
+
+
+# First check if docker is functional.
+docker version > /dev/null
+if [[ $? != 0 ]]; then
+    echo -e "${REDB}Error: 'docker version' command failed (error code: $?).  Is docker installed and functioning?${CLR}"
+    exit 1
+fi
+
+# Check if the docker image is the most up-to-date version.  If not, create it.
+check_if_docker_image_exists
+if [[ $? == 0 ]]; then
+    echo -e "\n${GREEN}Docker image $IMAGE_NAME:$IMAGE_VERSION already exists.${CLR}"
+else
+    echo -e "\nCreating docker image $IMAGE_NAME:$IMAGE_VERSION..."
+    create_docker_image
+    echo -e "\n${GREEN}Done creating docker image!${CLR}"
+fi
+
+# Create a temporary directory to write test results to.
+TEST_RESULT_DIR=`mktemp -d /tmp/ssh-audit_test-results_XXXXXXXXXX`
+
+# Now run all the tests.
+echo -e "\nRunning tests..."
+run_openssh_test '4.0p1' 'test1' $PROGRAM_RETVAL_FAILURE
+echo
+run_openssh_test '5.6p1' 'test1' $PROGRAM_RETVAL_FAILURE
+run_openssh_test '5.6p1' 'test2' $PROGRAM_RETVAL_FAILURE
+run_openssh_test '5.6p1' 'test3' $PROGRAM_RETVAL_FAILURE
+run_openssh_test '5.6p1' 'test4' $PROGRAM_RETVAL_FAILURE
+run_openssh_test '5.6p1' 'test5' $PROGRAM_RETVAL_FAILURE
+echo
+run_openssh_test '8.0p1' 'test1' $PROGRAM_RETVAL_FAILURE
+run_openssh_test '8.0p1' 'test2' $PROGRAM_RETVAL_FAILURE
+run_openssh_test '8.0p1' 'test3' $PROGRAM_RETVAL_GOOD
+echo
+run_dropbear_test '2019.78' 'test1' '-r /etc/dropbear/dropbear_rsa_host_key_1024 -r /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_ecdsa_host_key' 3
+echo
+run_tinyssh_test '20190101' 'test1' $PROGRAM_RETVAL_WARNING
+echo
+echo
+run_policy_test 'config1' 'test1' $PROGRAM_RETVAL_GOOD
+run_policy_test 'config1' 'test2' $PROGRAM_RETVAL_FAILURE
+run_policy_test 'config1' 'test3' $PROGRAM_RETVAL_FAILURE
+run_policy_test 'config1' 'test4' $PROGRAM_RETVAL_FAILURE
+run_policy_test 'config1' 'test5' $PROGRAM_RETVAL_FAILURE
+run_policy_test 'config2' 'test6' $PROGRAM_RETVAL_GOOD
+
+# Passing test with host key certificate and CA key certificates.
+run_policy_test 'config3' 'test7' $PROGRAM_RETVAL_GOOD
+
+# Failing test with host key certificate and non-compliant CA key length.
+run_policy_test 'config3' 'test8' $PROGRAM_RETVAL_FAILURE
+
+# Failing test with non-compliant host key certificate and CA key certificate.
+run_policy_test 'config3' 'test9' $PROGRAM_RETVAL_FAILURE
+
+# Failing test with non-compliant host key certificate and non-compliant CA key certificate.
+run_policy_test 'config3' 'test10' $PROGRAM_RETVAL_FAILURE
+
+# Passing test with host key size check.
+run_policy_test 'config2' 'test11' $PROGRAM_RETVAL_GOOD
+
+# Failing test with non-compliant host key size check.
+run_policy_test 'config2' 'test12' $PROGRAM_RETVAL_FAILURE
+
+# Passing test with DH modulus test.
+run_policy_test 'config2' 'test13' $PROGRAM_RETVAL_GOOD
+
+# Failing test with DH modulus test.
+run_policy_test 'config2' 'test14' $PROGRAM_RETVAL_FAILURE
+
+
+# The test functions above will terminate the script on failure, so if we reached here,
+# all tests are successful.
+echo -e "\n${GREENB}ALL TESTS PASS!${CLR}\n"
+
+rm -rf $TEST_RESULT_DIR
+exit 0

packages/MANIFEST.in

@@ -0,0 +1 @@
+include sshaudit/LICENSE

packages/Makefile.pypi

@@ -0,0 +1,14 @@
+all:
+	cp ../ssh-audit.py sshaudit/sshaudit.py
+	cp ../LICENSE sshaudit/LICENSE
+	cp ../README.md sshaudit/README.md
+	python3 setup.py sdist bdist_wheel
+
+uploadtest:
+	twine upload --repository-url https://test.pypi.org/legacy/ dist/*
+
+uploadprod:
+	twine upload dist/*
+
+clean:
+	rm -rf parts/ prime/ snap/ stage/ build/ dist/ *.egg-info/ sshaudit/sshaudit.py sshaudit/LICENSE sshaudit/README.md ssh-audit*.snap

packages/Makefile.snap

@@ -0,0 +1,8 @@
+all:
+	cp ../ssh-audit.py sshaudit/sshaudit.py
+	cp ../README.md sshaudit/README.md
+	echo -e "\n\nDid you remember to bump the version number in snapcraft.yaml?\n\n"
+	snapcraft
+
+clean:
+	rm -rf parts/ prime/ snap/ stage/ build/ dist/ *.egg-info/ sshaudit/sshaudit.py sshaudit/LICENSE sshaudit/README.md ssh-audit*.snap

packages/notes.txt

@@ -0,0 +1,41 @@
+= PyPI =
+
+To create package and upload to test server:
+
+# apt install virtualenv
+$ virtualenv -p /usr/bin/python3 /tmp/pypi_upload
+$ cd /tmp/pypi_upload; source bin/activate
+$ pip3 install twine
+$ cp -R path/to/ssh-audit .
+$ cd ssh-audit/packages
+$ make -f Makefile.pypi
+$ make -f Makefile.pypi uploadtest
+
+
+To download from test server and verify:
+
+$ virtualenv -p /usr/bin/python3 /tmp/pypi_test
+$ cd /tmp/pypi_test; source bin/activate
+$ pip3 install --index-url https://test.pypi.org/simple ssh-audit
+
+
+To upload to production server:
+
+$ cd /tmp/pypi_upload; source bin/activate
+$ cd ssh-audit/pypi
+$ make -f Makefile.pypi uploadprod
+
+
+To download from production server and verify:
+
+$ virtualenv -p /usr/bin/python3 /tmp/pypi_prod
+$ cd /tmp/pypi_prod; source bin/activate
+$ pip3 install ssh-audit
+
+----
+
+= Snap =
+
+To create the snap package, simply run:
+
+$ make -f Makefile.snap

packages/setup.py

@@ -0,0 +1,58 @@
+# -*- coding: utf-8 -*-
+
+
+import re
+import sys
+from setuptools import setup
+
+print_warning = False
+m = re.search(r'^VERSION\s*=\s*\'v(\d\.\d\.\d)\'', open('sshaudit/sshaudit.py').read(), re.M)
+if m is None:
+    # If we failed to parse the stable version, see if this is the development version.
+    m = re.search(r'^VERSION\s*=\s*\'v(\d\.\d\.\d-dev)\'', open('sshaudit/sshaudit.py').read(), re.M)
+    if m is None:
+        print("Error: could not parse VERSION variable from ssh-audit.py.")
+        sys.exit(1)
+    else:  # Continue with the development version, but print a warning later.
+        print_warning = True
+
+version = m.group(1)
+print("\n\nPackaging ssh-audit v%s...\n\n" % version)
+
+with open("sshaudit/README.md", "rb") as f:
+    long_descr = f.read().decode("utf-8")
+
+
+setup(
+    name="ssh-audit",
+    packages=["sshaudit"],
+    license='MIT',
+    entry_points={
+        "console_scripts": ['ssh-audit = sshaudit.sshaudit:main']
+    },
+    version=version,
+    description="An SSH server & client configuration security auditing tool",
+    long_description=long_descr,
+    long_description_content_type="text/markdown",
+    author="Joe Testa",
+    author_email="jtesta@positronsecurity.com",
+    url="https://github.com/jtesta/ssh-audit",
+    classifiers=[
+        "Development Status :: 5 - Production/Stable",
+        "Intended Audience :: Information Technology",
+        "Intended Audience :: System Administrators",
+        "License :: OSI Approved :: MIT License",
+        "Operating System :: OS Independent",
+        "Programming Language :: Python :: 3",
+        "Programming Language :: Python :: 3.5",
+        "Programming Language :: Python :: 3.6",
+        "Programming Language :: Python :: 3.7",
+        "Programming Language :: Python :: 3.8",
+        "Programming Language :: Python :: Implementation :: CPython",
+        "Programming Language :: Python :: Implementation :: PyPy",
+        "Topic :: Security",
+        "Topic :: Security :: Cryptography"
+    ])
+
+if print_warning:
+    print("\n\n    !!! WARNING: development version detected (%s).  Are you sure you want to package this version?  Probably not...\n" % version)

packages/snapcraft.yaml

@@ -0,0 +1,21 @@
+name: ssh-audit
+version: '2.2.0-1'
+license: 'MIT'
+summary: ssh-audit
+description: |
+  SSH server and client security configuration auditor.  Official repository: <https://github.com/jtesta/ssh-audit>
+
+base: core18
+grade: stable
+confinement: strict
+
+apps:
+  ssh-audit:
+    command: bin/ssh-audit
+    plugs: [network,network-bind]
+
+parts:
+  ssh-audit:
+    plugin: python
+    python-version: python3
+    source: .

packages/sshaudit/__main__.py

@@ -0,0 +1,4 @@
+# -*- coding: utf-8 -*-
+
+from .sshaudit import main
+main()

packages/windows_build.txt

@@ -0,0 +1,17 @@
+Below are notes for creating a Windows executable.
+
+An executable can only be made on a Windows host because the PyInstaller tool (https://www.pyinstaller.org/) does not support cross-compilation.
+
+On a Windows machine, do the following:
+
+1.) Install Python v3.7.x from https://www.python.org/.  (As of this writing v3.8.0 isn't supported.)  To make life easier, check the option to add Python to the PATH environment variable.
+
+2.) Using pip, install pyinstaller and colorama:
+
+    pip install pyinstaller colorama
+
+3.) Create the executable with:
+
+    pyinstaller -F --icon packages\windows_icon.ico ssh-audit.py
+
+4.) The 'dist' folder will have the resulting ssh-audit.exe.

policies/openssh_7_7.txt

@@ -0,0 +1,24 @@
+#
+# Official policy for hardened OpenSSH v7.7.
+#
+
+name = "Hardened OpenSSH v7.7"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/openssh_7_8.txt

@@ -0,0 +1,24 @@
+#
+# Official policy for hardened OpenSSH v7.8.
+#
+
+name = "Hardened OpenSSH v7.8"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/openssh_7_9.txt

@@ -0,0 +1,24 @@
+#
+# Official policy for hardened OpenSSH v7.9.
+#
+
+name = "Hardened OpenSSH v7.9"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/openssh_8_0.txt

@@ -0,0 +1,24 @@
+#
+# Official policy for hardened OpenSSH v8.0.
+#
+
+name = "Hardened OpenSSH v8.0"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/openssh_8_1.txt

@@ -0,0 +1,24 @@
+#
+# Official policy for hardened OpenSSH v8.1.
+#
+
+name = "Hardened OpenSSH v8.1"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = sk-ssh-ed25519@openssh.com, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/openssh_8_2.txt

@@ -0,0 +1,28 @@
+#
+# Official policy for hardened OpenSSH v8.2.
+#
+
+name = "Hardened OpenSSH v8.2"
+version = 1
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 4096
+hostkey_size_rsa-sha2-512 = 4096
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = sk-ssh-ed25519@openssh.com, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/openssh_8_3.txt

@@ -0,0 +1,28 @@
+#
+# Official policy for hardened OpenSSH v8.3.
+#
+
+name = "Hardened OpenSSH v8.3"
+version = 1
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 4096
+hostkey_size_rsa-sha2-512 = 4096
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = sk-ssh-ed25519@openssh.com, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/openssh_8_4.txt

@@ -0,0 +1,28 @@
+#
+# Official policy for hardened OpenSSH v8.4.
+#
+
+name = "Hardened OpenSSH v8.4"
+version = 1
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 4096
+hostkey_size_rsa-sha2-512 = 4096
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = sk-ssh-ed25519@openssh.com, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/ubuntu_client_16_04.txt

@@ -0,0 +1,19 @@
+#
+# Official policy for hardened OpenSSH on Ubuntu 16.04 LTS.
+#
+
+client policy = true
+name = "Hardened Ubuntu Client 16.04 LTS"
+version = 1
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256, rsa-sha2-512, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256, ext-info-c
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/ubuntu_client_18_04.txt

@@ -0,0 +1,19 @@
+#
+# Official policy for hardened OpenSSH on Ubuntu 18.04 LTS.
+#
+
+client policy = true
+name = "Hardened Ubuntu Client 18.04 LTS"
+version = 1
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256, rsa-sha2-512, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256, ext-info-c
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/ubuntu_client_20_04.txt

@@ -0,0 +1,19 @@
+#
+# Official policy for hardened OpenSSH on Ubuntu 20.04 LTS.
+#
+
+client policy = true
+name = "Hardened Ubuntu Client 20.04 LTS"
+version = 1
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512, rsa-sha2-512-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256, ext-info-c
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/ubuntu_server_16_04.txt

@@ -0,0 +1,24 @@
+#
+# Official policy for hardened OpenSSH on Ubuntu Server 16.04 LTS.
+#
+
+name = "Hardened Ubuntu Server 16.04 LTS"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/ubuntu_server_18_04.txt

@@ -0,0 +1,24 @@
+#
+# Official policy for hardened OpenSSH on Ubuntu Server 18.04 LTS.
+#
+
+name = "Hardened Ubuntu Server 18.04 LTS"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/ubuntu_server_20_04.txt

@@ -0,0 +1,28 @@
+#
+# Official policy for hardened OpenSSH on Ubuntu Server 20.04 LTS.
+#
+
+name = "Hardened Ubuntu Server 20.04 LTS"
+version = 1
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 4096
+hostkey_size_rsa-sha2-512 = 4096
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = sk-ssh-ed25519@openssh.com, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

ssh-audit.1

@@ -0,0 +1,221 @@
+.TH SSH-AUDIT 1 "July 16, 2020"
+.SH NAME
+\fBssh-audit\fP \- SSH server & client configuration auditor
+.SH SYNOPSIS
+.B ssh-audit
+.RI [ options ] " <target_host>"
+.SH DESCRIPTION
+.PP
+\fBssh-audit\fP analyzes the configuration of SSH servers & clients, then warns the user of weak, obsolete, and/or un-tested cryptographic primitives.  It is very useful for hardening SSH tunnels, which by default tend to be optimized for compatibility, not security.
+.PP
+See <https://www.ssh\-audit.com/> for official hardening guides for common platforms.
+
+.SH OPTIONS
+.TP
+.B -h, \-\-help
+.br
+Print short summary of options.
+
+.TP
+.B -1, \-\-ssh1
+.br
+Only perform an audit using SSH protocol version 1.
+
+.TP
+.B -2, \-\-ssh2
+.br
+Only perform an audit using SSH protocol version 2.
+
+.TP
+.B -4, \-\-ipv4
+.br
+Prioritize the usage of IPv4.
+
+.TP
+.B -6, \-\-ipv6
+.br
+Prioritize the usage of IPv6.
+
+.TP
+.B -b, \-\-batch
+.br
+Enables grepable output.
+
+.TP
+.B -c, \-\-client\-audit
+.br
+Starts a server on port 2222 to audit client software configuration.  Use -p/--port=<port> to change port and -t/--timeout=<secs> to change listen timeout.
+
+.TP
+.B -j, \-\-json
+.br
+Output results in JSON format.
+
+.TP
+.B -l, \-\-level=<info|warn|fail>
+.br
+Specify the minimum output level.  Default is info.
+
+.TP
+.B -L, \-\-list-policies
+.br
+List all official, built-in policies for common systems.  Their file paths can then be provided using -P/--policy=<path/to/policy.txt>.
+
+.TP
+.B \-\-lookup=<alg1,alg2,...>
+.br
+Look up the security information of an algorithm(s) in the internal database.  Does not connect to a server.
+
+.TP
+.B -M, \-\-make-policy=<policy.txt>
+.br
+Creates a policy based on the target server.  Useful when other servers should be compared to the target server's custom configuration (i.e.: a cluster environment).  Note that the resulting policy can be edited manually.
+
+.TP
+.B -n, \-\-no-colors
+.br
+Disable color output.
+
+.TP
+.B -p, \-\-port=<port>
+.br
+The TCP port to connect to when auditing a server, or the port to listen on when auditing a client.
+
+.TP
+.B -P, \-\-policy=<policy.txt>
+.br
+Runs a policy audit against a target using the specified policy (see \fBPOLICY AUDIT\fP section for detailed description of this mode of operation).  Combine with -c/--client-audit to audit a client configuration instead of a server.  Use -L/--list-policies to list all official, built-in policies for common systems.
+
+.TP
+.B -t, \-\-timeout=<secs>
+.br
+The timeout, in seconds, for creating connections and reading data from the socket.  Default is 5.
+
+.TP
+.B -T, \-\-targets=<hosts.txt>
+.br
+A file containing a list of target hosts.  Each line must have one host, in the format of HOST[:PORT].
+
+.TP
+.B -v, \-\-verbose
+.br
+Enable verbose output.
+
+
+.SH STANDARD AUDIT
+.PP
+By default, \fBssh-audit\fP performs a standard audit.  That is, it enumerates all host key types, key exchanges, ciphers, MACs, and other information, then color-codes them in output to the user.  Cryptographic primitives with potential issues are displayed in yellow; primitives with serious flaws are displayed in red.
+
+
+.SH POLICY AUDIT
+.PP
+When the -P/--policy=<policy.txt> option is used, \fBssh-audit\fP performs a policy audit.  The target's host key types, key exchanges, ciphers, MACs, and other information is compared to a set of expected values defined in the specified policy file.  If everything matches, only a short message stating a passing result is reported.  Otherwise, the field(s) that did not match are reported.
+
+.PP
+Policy auditing is helpful for ensuring a group of related servers are properly hardened to an exact specification.
+
+.PP
+The set of official built-in policies can be viewed with -L/--list-policies.  Multiple servers can be audited with -T/--targets=<servers.txt>.  Custom policies can be made from an ideal target server with -M/--make-policy=<custom_policy.txt>.
+
+
+.SH EXAMPLES
+.LP
+Basic server auditing:
+.RS
+.nf
+ssh-audit localhost
+ssh-audit 127.0.0.1
+ssh-audit 127.0.0.1:222
+ssh-audit ::1
+ssh-audit [::1]:222
+.fi
+.RE
+
+.LP
+To run a standard audit against many servers (place targets into servers.txt, one on each line in the format of HOST[:PORT]):
+.RS
+.nf
+ssh-audit -T servers.txt
+.fi
+.RE
+
+.LP
+To audit a client configuration (listens on port 2222 by default; connect using "ssh anything@localhost"):
+.RS
+.nf
+ssh-audit -c
+.fi
+.RE
+
+.LP
+To audit a client configuration, with a listener on port 4567:
+.RS
+.nf
+ssh-audit -c -p 4567
+.fi
+.RE
+
+.LP
+To list all official built-in policies (hint: use resulting file paths with -P/--policy):
+.RS
+.nf
+ssh-audit -L
+.fi
+.RE
+
+.LP
+To run a policy audit against a server:
+.RS
+.nf
+ssh-audit -P path/to/server_policy targetserver
+.fi
+.RE
+
+.LP
+To run a policy audit against a client:
+.RS
+.nf
+ssh-audit -c -P path/to/client_policy
+.fi
+.RE
+
+.LP
+To run a policy audit against many servers:
+.RS
+.nf
+ssh-audit -T servers.txt -P path/to/server_policy
+.fi
+.RE
+
+.LP
+To create a policy based on a target server (which can be manually edited; see official built-in policies for syntax examples):
+.RS
+.nf
+ssh-audit -M new_policy.txt targetserver
+.fi
+.RE
+
+.SH RETURN VALUES
+When a successful connection is made and all algorithms are rated as "good", \fBssh-audit\fP returns 0.  Other possible return values are:
+
+.RS
+.nf
+1 = connection error
+2 = at least one algorithm warning was found
+3 = at least one algorithm failure was found
+<any other non-zero value> = unknown error
+.fi
+.RE
+
+.SH SSH HARDENING GUIDES
+Hardening guides for common platforms can be found at: <https://www.ssh\-audit.com/>
+
+.SH BUG REPORTS
+Please file bug reports as a Github Issue at: <https://github.com/jtesta/ssh\-audit/issues>
+
+.SH AUTHOR
+.LP
+\fBssh-audit\fP was originally written by Andris Raugulis <moo@arthepsy.eu>, and maintained from 2015 to 2017.
+.br
+.LP
+Maintainership was assumed and development was resumed in 2017 by Joe Testa <jtesta@positronsecurity.com>.

test/conftest.py

@@ -1,5 +1,3 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
 import os
 import io
 import sys
@@ -7,124 +5,143 @@ import socket
 import pytest
 
 
-if sys.version_info[0] == 2:
-	import StringIO  # pylint: disable=import-error
-	StringIO = StringIO.StringIO
-else:
-	StringIO = io.StringIO
-
-
 @pytest.fixture(scope='module')
 def ssh_audit():
-	__rdir = os.path.join(os.path.dirname(os.path.abspath(__file__)), '..')
-	sys.path.append(os.path.abspath(__rdir))
-	return __import__('ssh-audit')
+    __rdir = os.path.join(os.path.dirname(os.path.abspath(__file__)), '..')
+    sys.path.append(os.path.abspath(__rdir))
+    return __import__('ssh-audit')
 
 
 # pylint: disable=attribute-defined-outside-init
 class _OutputSpy(list):
-	def begin(self):
-		self.__out = StringIO()
-		self.__old_stdout = sys.stdout
-		sys.stdout = self.__out
-		
-	def flush(self):
-		lines = self.__out.getvalue().splitlines()
-		sys.stdout = self.__old_stdout
-		self.__out = None
-		return lines
+    def begin(self):
+        self.__out = io.StringIO()
+        self.__old_stdout = sys.stdout
+        sys.stdout = self.__out
+
+    def flush(self):
+        lines = self.__out.getvalue().splitlines()
+        sys.stdout = self.__old_stdout
+        self.__out = None
+        return lines
 
 
 @pytest.fixture(scope='module')
 def output_spy():
-	return _OutputSpy()
+    return _OutputSpy()
 
 
-class _VirtualSocket(object):
-	def __init__(self):
-		self.sock_address = ('127.0.0.1', 0)
-		self.peer_address = None
-		self._connected = False
-		self.timeout = -1.0
-		self.rdata = []
-		self.sdata = []
-		self.errors = {}
-	
-	def _check_err(self, method):
-		method_error = self.errors.get(method)
-		if method_error:
-			raise method_error
-	
-	def connect(self, address):
-		return self._connect(address, False)
-	
-	def _connect(self, address, ret=True):
-		self.peer_address = address
-		self._connected = True
-		self._check_err('connect')
-		return self if ret else None
-	
-	def settimeout(self, timeout):
-		self.timeout = timeout
-	
-	def gettimeout(self):
-		return self.timeout
-	
-	def getpeername(self):
-		if self.peer_address is None or not self._connected:
-			raise socket.error(57, 'Socket is not connected')
-		return self.peer_address
-	
-	def getsockname(self):
-		return self.sock_address
-	
-	def bind(self, address):
-		self.sock_address = address
-	
-	def listen(self, backlog):
-		pass
-	
-	def accept(self):
-		# pylint: disable=protected-access
-		conn = _VirtualSocket()
-		conn.sock_address = self.sock_address
-		conn.peer_address = ('127.0.0.1', 0)
-		conn._connected = True
-		return conn, conn.peer_address
-	
-	def recv(self, bufsize, flags=0):
-		# pylint: disable=unused-argument
-		if not self._connected:
-			raise socket.error(54, 'Connection reset by peer')
-		if not len(self.rdata) > 0:
-			return b''
-		data = self.rdata.pop(0)
-		if isinstance(data, Exception):
-			raise data
-		return data
-	
-	def send(self, data):
-		if self.peer_address is None or not self._connected:
-			raise socket.error(32, 'Broken pipe')
-		self._check_err('send')
-		self.sdata.append(data)
+class _VirtualGlobalSocket:
+    def __init__(self, vsocket):
+        self.vsocket = vsocket
+        self.addrinfodata = {}
+
+    # pylint: disable=unused-argument
+    def create_connection(self, address, timeout=0, source_address=None):
+        # pylint: disable=protected-access
+        return self.vsocket._connect(address, True)
+
+    # pylint: disable=unused-argument
+    def socket(self,
+               family=socket.AF_INET,
+               socktype=socket.SOCK_STREAM,
+               proto=0,
+               fileno=None):
+        return self.vsocket
+
+    def getaddrinfo(self, host, port, family=0, socktype=0, proto=0, flags=0):
+        key = '{}#{}'.format(host, port)
+        if key in self.addrinfodata:
+            data = self.addrinfodata[key]
+            if isinstance(data, Exception):
+                raise data
+            return data
+        if host == 'localhost':
+            r = []
+            if family in (0, socket.AF_INET):
+                r.append((socket.AF_INET, 1, 6, '', ('127.0.0.1', port)))
+            if family in (0, socket.AF_INET6):
+                r.append((socket.AF_INET6, 1, 6, '', ('::1', port)))
+            return r
+        return []
+
+
+class _VirtualSocket:
+    def __init__(self):
+        self.sock_address = ('127.0.0.1', 0)
+        self.peer_address = None
+        self._connected = False
+        self.timeout = -1.0
+        self.rdata = []
+        self.sdata = []
+        self.errors = {}
+        self.gsock = _VirtualGlobalSocket(self)
+
+    def _check_err(self, method):
+        method_error = self.errors.get(method)
+        if method_error:
+            raise method_error
+
+    def connect(self, address):
+        return self._connect(address, False)
+
+    def _connect(self, address, ret=True):
+        self.peer_address = address
+        self._connected = True
+        self._check_err('connect')
+        return self if ret else None
+
+    def settimeout(self, timeout):
+        self.timeout = timeout
+
+    def gettimeout(self):
+        return self.timeout
+
+    def getpeername(self):
+        if self.peer_address is None or not self._connected:
+            raise OSError(57, 'Socket is not connected')
+        return self.peer_address
+
+    def getsockname(self):
+        return self.sock_address
+
+    def bind(self, address):
+        self.sock_address = address
+
+    def listen(self, backlog):
+        pass
+
+    def accept(self):
+        # pylint: disable=protected-access
+        conn = _VirtualSocket()
+        conn.sock_address = self.sock_address
+        conn.peer_address = ('127.0.0.1', 0)
+        conn._connected = True
+        return conn, conn.peer_address
+
+    def recv(self, bufsize, flags=0):
+        # pylint: disable=unused-argument
+        if not self._connected:
+            raise OSError(54, 'Connection reset by peer')
+        if not len(self.rdata) > 0:
+            return b''
+        data = self.rdata.pop(0)
+        if isinstance(data, Exception):
+            raise data
+        return data
+
+    def send(self, data):
+        if self.peer_address is None or not self._connected:
+            raise OSError(32, 'Broken pipe')
+        self._check_err('send')
+        self.sdata.append(data)
 
 
 @pytest.fixture()
 def virtual_socket(monkeypatch):
-	vsocket = _VirtualSocket()
-	
-	# pylint: disable=unused-argument
-	def _socket(family=socket.AF_INET,
-	            socktype=socket.SOCK_STREAM,
-	            proto=0,
-	            fileno=None):
-		return vsocket
-	
-	def _cc(address, timeout=0, source_address=None):
-		# pylint: disable=protected-access
-		return vsocket._connect(address, True)
-	
-	monkeypatch.setattr(socket, 'create_connection', _cc)
-	monkeypatch.setattr(socket, 'socket', _socket)
-	return vsocket
+    vsocket = _VirtualSocket()
+    gsock = vsocket.gsock
+    monkeypatch.setattr(socket, 'create_connection', gsock.create_connection)
+    monkeypatch.setattr(socket, 'socket', gsock.socket)
+    monkeypatch.setattr(socket, 'getaddrinfo', gsock.getaddrinfo)
+    return vsocket

test/coverage.sh

@@ -1,10 +0,0 @@
-#!/bin/sh
-_cdir=$(cd -- "$(dirname "$0")" && pwd)
-type py.test > /dev/null 2>&1
-if [ $? -ne 0 ]; then
-	echo "err: py.test (Python testing framework) not found."
-	exit 1
-fi
-cd -- "${_cdir}/.."
-mkdir -p html
-py.test -v --cov-report=html:html/coverage --cov=ssh-audit test

test/docker/.ed25519.sk

@@ -0,0 +1 @@
+iܛ<EFBFBD><EFBFBD><EFBFBD><1C><><EFBFBD>V<EFBFBD>违<EFBFBD>Z/D<><<3C><>|S<>z<EFBFBD>=<3D>:<3A>1vu}<7D><><11>J<EFBFBD>ݷ<EFBFBD><DDB7>"<22>^Bb&U<><03>P<EFBFBD><50>

test/docker/Dockerfile

@@ -0,0 +1,32 @@
+FROM ubuntu:16.04
+
+COPY openssh-4.0p1/sshd /openssh/sshd-4.0p1
+COPY openssh-5.6p1/sshd /openssh/sshd-5.6p1
+COPY openssh-8.0p1/sshd /openssh/sshd-8.0p1
+COPY dropbear-2019.78/dropbear /dropbear/dropbear-2019.78
+COPY tinyssh-20190101/build/bin/tinysshd /tinysshd/tinyssh-20190101
+
+# Dropbear host keys.
+COPY dropbear_*_host_key* /etc/dropbear/
+
+# OpenSSH configs.
+COPY sshd_config* /etc/ssh/
+
+# OpenSSH host keys & moduli file.
+COPY ssh_host_* /etc/ssh/
+COPY ssh1_host_* /etc/ssh/
+COPY moduli_1024 /usr/local/etc/moduli
+
+# TinySSH host keys.
+COPY ed25519.pk /etc/tinyssh/
+COPY .ed25519.sk /etc/tinyssh/
+
+COPY debug.sh /debug.sh
+
+RUN apt update 2> /dev/null
+RUN apt install -y libssl-dev strace rsyslog ucspi-tcp 2> /dev/null
+RUN apt clean 2> /dev/null
+RUN useradd -s /bin/false sshd
+RUN mkdir /var/empty
+
+EXPOSE 22

test/docker/debug.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# This script is run on in docker container.  It will enable logging for sshd in
+# /var/log/auth.log.
+
+/etc/init.d/rsyslog start
+sleep 1
+/openssh/sshd-5.6p1 -o LogLevel=DEBUG3 -f /etc/ssh/sshd_config-5.6p1_test1
+/bin/bash

test/docker/ed25519.pk

@@ -0,0 +1 @@
+1vu}<7D><><11>J<EFBFBD>ݷ<EFBFBD><DDB7>"<22>^Bb&U<><03>P<EFBFBD><50>

test/docker/expected_results/dropbear_2019.78_test1.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-dropbear_2019.78", "software": "dropbear_2019.78"}, "compression": ["zlib@openssh.com", "none"], "enc": ["aes128-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc", "3des-ctr", "3des-cbc"], "fingerprints": [{"fp": "SHA256:CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM", "type": "ssh-rsa"}], "kex": [{"algorithm": "curve25519-sha256"}, {"algorithm": "curve25519-sha256@libssh.org"}, {"algorithm": "ecdh-sha2-nistp521"}, {"algorithm": "ecdh-sha2-nistp384"}, {"algorithm": "ecdh-sha2-nistp256"}, {"algorithm": "diffie-hellman-group14-sha256"}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "kexguess2@matt.ucc.asn.au"}], "key": [{"algorithm": "ecdsa-sha2-nistp256"}, {"algorithm": "ssh-rsa", "keysize": 1024}, {"algorithm": "ssh-dss"}], "mac": ["hmac-sha1-96", "hmac-sha1", "hmac-sha2-256"]}

test/docker/expected_results/dropbear_2019.78_test1.txt

@@ -0,0 +1,84 @@
+# general
+(gen) banner: SSH-2.0-dropbear_2019.78
+(gen) software: Dropbear SSH 2019.78
+(gen) compatibility: OpenSSH 7.4+ (some functionality from 6.6), Dropbear SSH 2018.76+
+(gen) compression: enabled (zlib@openssh.com)
+
+# key exchange algorithms
+(kex) curve25519-sha256              -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+(kex) curve25519-sha256@libssh.org   -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp521             -- [fail] using weak elliptic curves
+                                     `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp384             -- [fail] using weak elliptic curves
+                                     `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp256             -- [fail] using weak elliptic curves
+                                     `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) diffie-hellman-group14-sha256  -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group14-sha1    -- [warn] using weak hashing algorithm
+                                     `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) kexguess2@matt.ucc.asn.au      -- [info] available since Dropbear SSH 2013.57
+
+# host-key algorithms
+(key) ecdsa-sha2-nistp256            -- [fail] using weak elliptic curves
+                                     `- [warn] using weak random number generator could reveal the key
+                                     `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(key) ssh-rsa (1024-bit)             -- [fail] using weak hashing algorithm
+                                     `- [warn] using small 1024-bit modulus
+                                     `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+(key) ssh-dss                        -- [fail] using small 1024-bit modulus
+                                     `- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm
+                                     `- [warn] using weak random number generator could reveal the key
+                                     `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+
+# encryption algorithms (ciphers)
+(enc) aes128-ctr                     -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes256-ctr                     -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes128-cbc                     -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                     `- [warn] using weak cipher mode
+                                     `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) aes256-cbc                     -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                     `- [warn] using weak cipher mode
+                                     `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) 3des-ctr                       -- [fail] using weak cipher
+                                     `- [info] available since Dropbear SSH 0.52
+(enc) 3des-cbc                       -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                     `- [warn] disabled (in client) since OpenSSH 7.4, unsafe algorithm
+                                     `- [warn] using weak cipher
+                                     `- [warn] using weak cipher mode
+                                     `- [warn] using small 64-bit block size
+                                     `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+
+# message authentication code algorithms
+(mac) hmac-sha1-96                   -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                     `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                     `- [warn] using encrypt-and-MAC mode
+                                     `- [warn] using weak hashing algorithm
+                                     `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-sha1                      -- [warn] using encrypt-and-MAC mode
+                                     `- [warn] using weak hashing algorithm
+                                     `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha2-256                  -- [warn] using encrypt-and-MAC mode
+                                     `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+
+# fingerprints
+(fin) ssh-rsa: SHA256:CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM
+
+# algorithm recommendations (for Dropbear SSH 2019.78)
+(rec) -3des-cbc                      -- enc algorithm to remove 
+(rec) -3des-ctr                      -- enc algorithm to remove 
+(rec) -aes128-cbc                    -- enc algorithm to remove 
+(rec) -aes256-cbc                    -- enc algorithm to remove 
+(rec) -ecdh-sha2-nistp256            -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp384            -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp521            -- kex algorithm to remove 
+(rec) -hmac-sha1-96                  -- mac algorithm to remove 
+(rec) -ssh-dss                       -- key algorithm to remove 
+(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append 
+(rec) +twofish128-ctr                -- enc algorithm to append 
+(rec) +twofish256-ctr                -- enc algorithm to append 
+(rec) -diffie-hellman-group14-sha1   -- kex algorithm to remove 
+(rec) -hmac-sha1                     -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+

test/docker/expected_results/openssh_4.0p1_test1.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [1, 99], "raw": "SSH-1.99-OpenSSH_4.0", "software": "OpenSSH_4.0"}, "compression": ["none", "zlib"], "enc": ["aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour", "aes192-cbc", "aes256-cbc", "rijndael-cbc@lysator.liu.se", "aes128-ctr", "aes192-ctr", "aes256-ctr"], "fingerprints": [{"fp": "SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", "type": "ssh-rsa"}], "kex": [{"algorithm": "diffie-hellman-group-exchange-sha1", "keysize": 1024}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "diffie-hellman-group1-sha1"}], "key": [{"algorithm": "ssh-rsa", "keysize": 1024}, {"algorithm": "ssh-dss"}], "mac": ["hmac-md5", "hmac-sha1", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"]}

test/docker/expected_results/openssh_4.0p1_test1.txt

@@ -0,0 +1,139 @@
+# general
+(gen) banner: SSH-1.99-OpenSSH_4.0
+(gen) protocol SSH1 enabled
+(gen) software: OpenSSH 4.0
+(gen) compatibility: OpenSSH 3.9-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)
+(gen) compression: enabled (zlib)
+
+# security
+(cve) CVE-2016-3115                       -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
+(cve) CVE-2014-1692                       -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
+(cve) CVE-2012-0814                       -- (CVSSv2: 3.5) leak data via debug messages
+(cve) CVE-2011-5000                       -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
+(cve) CVE-2010-5107                       -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
+(cve) CVE-2010-4755                       -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
+(cve) CVE-2010-4478                       -- (CVSSv2: 7.5) bypass authentication check via crafted values
+(cve) CVE-2008-5161                       -- (CVSSv2: 2.6) recover plaintext data from ciphertext
+(cve) CVE-2008-4109                       -- (CVSSv2: 5.0) cause DoS via multiple login attempts (slot exhaustion)
+(cve) CVE-2008-1657                       -- (CVSSv2: 6.5) bypass command restrictions via modifying session file
+(cve) CVE-2008-1483                       -- (CVSSv2: 6.9) hijack forwarded X11 connections
+(cve) CVE-2007-4752                       -- (CVSSv2: 7.5) privilege escalation via causing an X client to be trusted
+(cve) CVE-2007-2243                       -- (CVSSv2: 5.0) discover valid usernames through different responses
+(cve) CVE-2006-5052                       -- (CVSSv2: 5.0) discover valid usernames through different responses
+(cve) CVE-2006-5051                       -- (CVSSv2: 9.3) cause DoS or execute arbitrary code (double free)
+(cve) CVE-2006-4924                       -- (CVSSv2: 7.8) cause DoS via crafted packet (CPU consumption)
+(cve) CVE-2006-0225                       -- (CVSSv2: 4.6) execute arbitrary code
+(cve) CVE-2005-2798                       -- (CVSSv2: 5.0) leak data about authentication credentials
+
+# key exchange algorithms
+(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
+                                                    `- [warn] using weak hashing algorithm
+                                                    `- [info] available since OpenSSH 2.3.0
+(kex) diffie-hellman-group14-sha1         -- [warn] using weak hashing algorithm
+                                          `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) diffie-hellman-group1-sha1          -- [fail] using small 1024-bit modulus
+                                          `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                          `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack
+                                          `- [warn] using weak hashing algorithm
+                                          `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+
+# host-key algorithms
+(key) ssh-rsa (1024-bit)                  -- [fail] using weak hashing algorithm
+                                          `- [warn] using small 1024-bit modulus
+                                          `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+(key) ssh-dss                             -- [fail] using small 1024-bit modulus
+                                          `- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm
+                                          `- [warn] using weak random number generator could reveal the key
+                                          `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+
+# encryption algorithms (ciphers)
+(enc) aes128-cbc                          -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                          `- [warn] using weak cipher mode
+                                          `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) 3des-cbc                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                          `- [warn] disabled (in client) since OpenSSH 7.4, unsafe algorithm
+                                          `- [warn] using weak cipher
+                                          `- [warn] using weak cipher mode
+                                          `- [warn] using small 64-bit block size
+                                          `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) blowfish-cbc                        -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                          `- [fail] disabled since Dropbear SSH 0.53
+                                          `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                          `- [warn] using weak cipher mode
+                                          `- [warn] using small 64-bit block size
+                                          `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) cast128-cbc                         -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                          `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                          `- [warn] using weak cipher mode
+                                          `- [warn] using small 64-bit block size
+                                          `- [info] available since OpenSSH 2.1.0
+(enc) arcfour                             -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                          `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                          `- [warn] using weak cipher
+                                          `- [info] available since OpenSSH 2.1.0
+(enc) aes192-cbc                          -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                          `- [warn] using weak cipher mode
+                                          `- [info] available since OpenSSH 2.3.0
+(enc) aes256-cbc                          -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                          `- [warn] using weak cipher mode
+                                          `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) rijndael-cbc@lysator.liu.se         -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                          `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                          `- [warn] using weak cipher mode
+                                          `- [info] available since OpenSSH 2.3.0
+(enc) aes128-ctr                          -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr                          -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr                          -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+
+# message authentication code algorithms
+(mac) hmac-md5                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                          `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                          `- [warn] using encrypt-and-MAC mode
+                                          `- [warn] using weak hashing algorithm
+                                          `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha1                           -- [warn] using encrypt-and-MAC mode
+                                          `- [warn] using weak hashing algorithm
+                                          `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-ripemd160                      -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                          `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                          `- [warn] using encrypt-and-MAC mode
+                                          `- [info] available since OpenSSH 2.5.0
+(mac) hmac-ripemd160@openssh.com          -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                          `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                          `- [warn] using encrypt-and-MAC mode
+                                          `- [info] available since OpenSSH 2.1.0
+(mac) hmac-sha1-96                        -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                          `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                          `- [warn] using encrypt-and-MAC mode
+                                          `- [warn] using weak hashing algorithm
+                                          `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-md5-96                         -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                          `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                          `- [warn] using encrypt-and-MAC mode
+                                          `- [warn] using weak hashing algorithm
+                                          `- [info] available since OpenSSH 2.5.0
+
+# fingerprints
+(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4
+
+# algorithm recommendations (for OpenSSH 4.0)
+(rec) -3des-cbc                           -- enc algorithm to remove 
+(rec) -aes128-cbc                         -- enc algorithm to remove 
+(rec) -aes192-cbc                         -- enc algorithm to remove 
+(rec) -aes256-cbc                         -- enc algorithm to remove 
+(rec) -arcfour                            -- enc algorithm to remove 
+(rec) -blowfish-cbc                       -- enc algorithm to remove 
+(rec) -cast128-cbc                        -- enc algorithm to remove 
+(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove 
+(rec) -diffie-hellman-group1-sha1         -- kex algorithm to remove 
+(rec) -hmac-md5                           -- mac algorithm to remove 
+(rec) -hmac-md5-96                        -- mac algorithm to remove 
+(rec) -hmac-ripemd160                     -- mac algorithm to remove 
+(rec) -hmac-ripemd160@openssh.com         -- mac algorithm to remove 
+(rec) -hmac-sha1-96                       -- mac algorithm to remove 
+(rec) -rijndael-cbc@lysator.liu.se        -- enc algorithm to remove 
+(rec) -ssh-dss                            -- key algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+

test/docker/expected_results/openssh_5.6p1_policy_test1.json

@@ -0,0 +1 @@
+{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test1 (version 1)"}

test/docker/expected_results/openssh_5.6p1_policy_test1.txt

@@ -0,0 +1,3 @@
+Host:   localhost:2222
+Policy: Docker policy: test1 (version 1)
+Result: ✔ Passed

test/docker/expected_results/openssh_5.6p1_policy_test10.json

@@ -0,0 +1 @@
+{"errors": [{"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (ssh-rsa-cert-v01@openssh.com) sizes"}, {"actual": ["1024"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes"}], "host": "localhost", "passed": false, "policy": "Docker poliicy: test10 (version 1)"}

test/docker/expected_results/openssh_5.6p1_policy_test10.txt

@@ -0,0 +1,7 @@
+Host:   localhost:2222
+Policy: Docker poliicy: test10 (version 1)
+Result: ❌ Failed!
+
+Errors:
+  * RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 1024
+  * RSA host key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 3072

test/docker/expected_results/openssh_5.6p1_policy_test2.json

@@ -0,0 +1 @@
+{"errors": [{"actual": ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"], "expected_optional": [""], "expected_required": ["kex_alg1", "kex_alg2"], "mismatched_field": "Key exchanges"}], "host": "localhost", "passed": false, "policy": "Docker policy: test2 (version 1)"}

test/docker/expected_results/openssh_5.6p1_policy_test2.txt

@@ -0,0 +1,6 @@
+Host:   localhost:2222
+Policy: Docker policy: test2 (version 1)
+Result: ❌ Failed!
+
+Errors:
+  * Key exchanges did not match. Expected: ['kex_alg1', 'kex_alg2']; Actual: ['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1']

test/docker/expected_results/openssh_5.6p1_policy_test3.json

@@ -0,0 +1 @@
+{"errors": [{"actual": ["ssh-rsa", "ssh-dss"], "expected_optional": [""], "expected_required": ["ssh-rsa", "ssh-dss", "key_alg1"], "mismatched_field": "Host keys"}], "host": "localhost", "passed": false, "policy": "Docker policy: test3 (version 1)"}

test/docker/expected_results/openssh_5.6p1_policy_test3.txt

@@ -0,0 +1,6 @@
+Host:   localhost:2222
+Policy: Docker policy: test3 (version 1)
+Result: ❌ Failed!
+
+Errors:
+  * Host keys did not match. Expected: ['ssh-rsa', 'ssh-dss', 'key_alg1']; Actual: ['ssh-rsa', 'ssh-dss']

test/docker/expected_results/openssh_5.6p1_policy_test4.json

@@ -0,0 +1 @@
+{"errors": [{"actual": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "expected_optional": [""], "expected_required": ["cipher_alg1", "cipher_alg2"], "mismatched_field": "Ciphers"}], "host": "localhost", "passed": false, "policy": "Docker policy: test4 (version 1)"}

test/docker/expected_results/openssh_5.6p1_policy_test4.txt

@@ -0,0 +1,6 @@
+Host:   localhost:2222
+Policy: Docker policy: test4 (version 1)
+Result: ❌ Failed!
+
+Errors:
+  * Ciphers did not match. Expected: ['cipher_alg1', 'cipher_alg2']; Actual: ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se']

test/docker/expected_results/openssh_5.6p1_policy_test5.json

@@ -0,0 +1 @@
+{"errors": [{"actual": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"], "expected_optional": [""], "expected_required": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac_alg1", "hmac-md5-96"], "mismatched_field": "MACs"}], "host": "localhost", "passed": false, "policy": "Docker policy: test5 (version 1)"}

test/docker/expected_results/openssh_5.6p1_policy_test5.txt

@@ -0,0 +1,6 @@
+Host:   localhost:2222
+Policy: Docker policy: test5 (version 1)
+Result: ❌ Failed!
+
+Errors:
+  * MACs did not match. Expected: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac_alg1', 'hmac-md5-96']; Actual: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96']

test/docker/expected_results/openssh_5.6p1_policy_test7.json

@@ -0,0 +1 @@
+{"errors": [], "host": "localhost", "passed": true, "policy": "Docker poliicy: test7 (version 1)"}

test/docker/expected_results/openssh_5.6p1_policy_test7.txt

@@ -0,0 +1,3 @@
+Host:   localhost:2222
+Policy: Docker poliicy: test7 (version 1)
+Result: ✔ Passed

test/docker/expected_results/openssh_5.6p1_policy_test8.json

@@ -0,0 +1 @@
+{"errors": [{"actual": ["1024"], "expected_optional": [""], "expected_required": ["2048"], "mismatched_field": "RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes"}], "host": "localhost", "passed": false, "policy": "Docker poliicy: test8 (version 1)"}

test/docker/expected_results/openssh_5.6p1_policy_test8.txt

@@ -0,0 +1,6 @@
+Host:   localhost:2222
+Policy: Docker poliicy: test8 (version 1)
+Result: ❌ Failed!
+
+Errors:
+  * RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 2048; Actual: 1024

test/docker/expected_results/openssh_5.6p1_policy_test9.json

@@ -0,0 +1 @@
+{"errors": [{"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (ssh-rsa-cert-v01@openssh.com) sizes"}], "host": "localhost", "passed": false, "policy": "Docker poliicy: test9 (version 1)"}

test/docker/expected_results/openssh_5.6p1_policy_test9.txt

@@ -0,0 +1,6 @@
+Host:   localhost:2222
+Policy: Docker poliicy: test9 (version 1)
+Result: ❌ Failed!
+
+Errors:
+  * RSA host key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 3072

test/docker/expected_results/openssh_5.6p1_test1.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_5.6", "software": "OpenSSH_5.6"}, "compression": ["none", "zlib@openssh.com"], "enc": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "fingerprints": [{"fp": "SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", "type": "ssh-rsa"}], "kex": [{"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 1024}, {"algorithm": "diffie-hellman-group-exchange-sha1", "keysize": 1024}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "diffie-hellman-group1-sha1"}], "key": [{"algorithm": "ssh-rsa", "keysize": 1024}, {"algorithm": "ssh-dss"}], "mac": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"]}

test/docker/expected_results/openssh_5.6p1_test1.txt

@@ -0,0 +1,148 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_5.6
+(gen) software: OpenSSH 5.6
+(gen) compatibility: OpenSSH 4.7-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2016-3115                         -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
+(cve) CVE-2016-1907                         -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
+(cve) CVE-2015-6564                         -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
+(cve) CVE-2015-6563                         -- (CVSSv2: 1.9) conduct impersonation attack
+(cve) CVE-2014-2532                         -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard
+(cve) CVE-2014-1692                         -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
+(cve) CVE-2012-0814                         -- (CVSSv2: 3.5) leak data via debug messages
+(cve) CVE-2011-5000                         -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
+(cve) CVE-2010-5107                         -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
+(cve) CVE-2010-4755                         -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
+(cve) CVE-2010-4478                         -- (CVSSv2: 7.5) bypass authentication check via crafted values
+
+# key exchange algorithms
+(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
+                                                      `- [info] available since OpenSSH 4.4
+(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
+                                                    `- [warn] using weak hashing algorithm
+                                                    `- [info] available since OpenSSH 2.3.0
+(kex) diffie-hellman-group14-sha1           -- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus
+                                            `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+
+# host-key algorithms
+(key) ssh-rsa (1024-bit)                    -- [fail] using weak hashing algorithm
+                                            `- [warn] using small 1024-bit modulus
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+(key) ssh-dss                               -- [fail] using small 1024-bit modulus
+                                            `- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm
+                                            `- [warn] using weak random number generator could reveal the key
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+
+# encryption algorithms (ciphers)
+(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) arcfour256                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher
+                                            `- [info] available since OpenSSH 4.2
+(enc) arcfour128                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher
+                                            `- [info] available since OpenSSH 4.2
+(enc) aes128-cbc                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) 3des-cbc                              -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.4, unsafe algorithm
+                                            `- [warn] using weak cipher
+                                            `- [warn] using weak cipher mode
+                                            `- [warn] using small 64-bit block size
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) blowfish-cbc                          -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [fail] disabled since Dropbear SSH 0.53
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [warn] using small 64-bit block size
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) cast128-cbc                           -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [warn] using small 64-bit block size
+                                            `- [info] available since OpenSSH 2.1.0
+(enc) aes192-cbc                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0
+(enc) aes256-cbc                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) arcfour                               -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher
+                                            `- [info] available since OpenSSH 2.1.0
+(enc) rijndael-cbc@lysator.liu.se           -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0
+
+# message authentication code algorithms
+(mac) hmac-md5                              -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha1                             -- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) umac-64@openssh.com                   -- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using small 64-bit tag size
+                                            `- [info] available since OpenSSH 4.7
+(mac) hmac-ripemd160                        -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [info] available since OpenSSH 2.5.0
+(mac) hmac-ripemd160@openssh.com            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [info] available since OpenSSH 2.1.0
+(mac) hmac-sha1-96                          -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-md5-96                           -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.5.0
+
+# fingerprints
+(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4
+
+# algorithm recommendations (for OpenSSH 5.6)
+(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 2048 bits or larger) 
+(rec) -3des-cbc                             -- enc algorithm to remove 
+(rec) -aes128-cbc                           -- enc algorithm to remove 
+(rec) -aes192-cbc                           -- enc algorithm to remove 
+(rec) -aes256-cbc                           -- enc algorithm to remove 
+(rec) -arcfour                              -- enc algorithm to remove 
+(rec) -arcfour128                           -- enc algorithm to remove 
+(rec) -arcfour256                           -- enc algorithm to remove 
+(rec) -blowfish-cbc                         -- enc algorithm to remove 
+(rec) -cast128-cbc                          -- enc algorithm to remove 
+(rec) -diffie-hellman-group-exchange-sha1   -- kex algorithm to remove 
+(rec) -diffie-hellman-group1-sha1           -- kex algorithm to remove 
+(rec) -hmac-md5                             -- mac algorithm to remove 
+(rec) -hmac-md5-96                          -- mac algorithm to remove 
+(rec) -hmac-ripemd160                       -- mac algorithm to remove 
+(rec) -hmac-ripemd160@openssh.com           -- mac algorithm to remove 
+(rec) -hmac-sha1-96                         -- mac algorithm to remove 
+(rec) -rijndael-cbc@lysator.liu.se          -- enc algorithm to remove 
+(rec) -ssh-dss                              -- key algorithm to remove 
+(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+

test/docker/expected_results/openssh_5.6p1_test2.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_5.6", "software": "OpenSSH_5.6"}, "compression": ["none", "zlib@openssh.com"], "enc": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "fingerprints": [{"fp": "SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", "type": "ssh-rsa"}], "kex": [{"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 1024}, {"algorithm": "diffie-hellman-group-exchange-sha1", "keysize": 1024}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "diffie-hellman-group1-sha1"}], "key": [{"algorithm": "ssh-rsa", "keysize": 1024}, {"algorithm": "ssh-rsa-cert-v01@openssh.com", "casize": 1024, "keysize": 1024}], "mac": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"]}

test/docker/expected_results/openssh_5.6p1_test2.txt

@@ -0,0 +1,147 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_5.6
+(gen) software: OpenSSH 5.6
+(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2016-3115                         -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
+(cve) CVE-2016-1907                         -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
+(cve) CVE-2015-6564                         -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
+(cve) CVE-2015-6563                         -- (CVSSv2: 1.9) conduct impersonation attack
+(cve) CVE-2014-2532                         -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard
+(cve) CVE-2014-1692                         -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
+(cve) CVE-2012-0814                         -- (CVSSv2: 3.5) leak data via debug messages
+(cve) CVE-2011-5000                         -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
+(cve) CVE-2010-5107                         -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
+(cve) CVE-2010-4755                         -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
+(cve) CVE-2010-4478                         -- (CVSSv2: 7.5) bypass authentication check via crafted values
+
+# key exchange algorithms
+(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
+                                                      `- [info] available since OpenSSH 4.4
+(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
+                                                    `- [warn] using weak hashing algorithm
+                                                    `- [info] available since OpenSSH 2.3.0
+(kex) diffie-hellman-group14-sha1           -- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus
+                                            `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+
+# host-key algorithms
+(key) ssh-rsa (1024-bit)                    -- [fail] using weak hashing algorithm
+                                            `- [warn] using small 1024-bit modulus
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/1024-bit CA) -- [fail] using small 1024-bit modulus
+                                                               `- [info] available since OpenSSH 5.6
+
+# encryption algorithms (ciphers)
+(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) arcfour256                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher
+                                            `- [info] available since OpenSSH 4.2
+(enc) arcfour128                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher
+                                            `- [info] available since OpenSSH 4.2
+(enc) aes128-cbc                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) 3des-cbc                              -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.4, unsafe algorithm
+                                            `- [warn] using weak cipher
+                                            `- [warn] using weak cipher mode
+                                            `- [warn] using small 64-bit block size
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) blowfish-cbc                          -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [fail] disabled since Dropbear SSH 0.53
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [warn] using small 64-bit block size
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) cast128-cbc                           -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [warn] using small 64-bit block size
+                                            `- [info] available since OpenSSH 2.1.0
+(enc) aes192-cbc                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0
+(enc) aes256-cbc                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) arcfour                               -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher
+                                            `- [info] available since OpenSSH 2.1.0
+(enc) rijndael-cbc@lysator.liu.se           -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0
+
+# message authentication code algorithms
+(mac) hmac-md5                              -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha1                             -- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) umac-64@openssh.com                   -- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using small 64-bit tag size
+                                            `- [info] available since OpenSSH 4.7
+(mac) hmac-ripemd160                        -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [info] available since OpenSSH 2.5.0
+(mac) hmac-ripemd160@openssh.com            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [info] available since OpenSSH 2.1.0
+(mac) hmac-sha1-96                          -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-md5-96                           -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.5.0
+
+# fingerprints
+(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4
+
+# algorithm recommendations (for OpenSSH 5.6)
+(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 2048 bits or larger) 
+(rec) !ssh-rsa-cert-v01@openssh.com         -- key algorithm to change (increase modulus size to 2048 bits or larger) 
+(rec) -3des-cbc                             -- enc algorithm to remove 
+(rec) -aes128-cbc                           -- enc algorithm to remove 
+(rec) -aes192-cbc                           -- enc algorithm to remove 
+(rec) -aes256-cbc                           -- enc algorithm to remove 
+(rec) -arcfour                              -- enc algorithm to remove 
+(rec) -arcfour128                           -- enc algorithm to remove 
+(rec) -arcfour256                           -- enc algorithm to remove 
+(rec) -blowfish-cbc                         -- enc algorithm to remove 
+(rec) -cast128-cbc                          -- enc algorithm to remove 
+(rec) -diffie-hellman-group-exchange-sha1   -- kex algorithm to remove 
+(rec) -diffie-hellman-group1-sha1           -- kex algorithm to remove 
+(rec) -hmac-md5                             -- mac algorithm to remove 
+(rec) -hmac-md5-96                          -- mac algorithm to remove 
+(rec) -hmac-ripemd160                       -- mac algorithm to remove 
+(rec) -hmac-ripemd160@openssh.com           -- mac algorithm to remove 
+(rec) -hmac-sha1-96                         -- mac algorithm to remove 
+(rec) -rijndael-cbc@lysator.liu.se          -- enc algorithm to remove 
+(rec) -ssh-rsa                              -- key algorithm to remove 
+(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+

test/docker/expected_results/openssh_5.6p1_test3.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_5.6", "software": "OpenSSH_5.6"}, "compression": ["none", "zlib@openssh.com"], "enc": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "fingerprints": [{"fp": "SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", "type": "ssh-rsa"}], "kex": [{"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 1024}, {"algorithm": "diffie-hellman-group-exchange-sha1", "keysize": 1024}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "diffie-hellman-group1-sha1"}], "key": [{"algorithm": "ssh-rsa", "keysize": 1024}, {"algorithm": "ssh-rsa-cert-v01@openssh.com", "casize": 3072, "keysize": 1024}], "mac": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"]}

test/docker/expected_results/openssh_5.6p1_test3.txt

@@ -0,0 +1,147 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_5.6
+(gen) software: OpenSSH 5.6
+(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2016-3115                         -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
+(cve) CVE-2016-1907                         -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
+(cve) CVE-2015-6564                         -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
+(cve) CVE-2015-6563                         -- (CVSSv2: 1.9) conduct impersonation attack
+(cve) CVE-2014-2532                         -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard
+(cve) CVE-2014-1692                         -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
+(cve) CVE-2012-0814                         -- (CVSSv2: 3.5) leak data via debug messages
+(cve) CVE-2011-5000                         -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
+(cve) CVE-2010-5107                         -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
+(cve) CVE-2010-4755                         -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
+(cve) CVE-2010-4478                         -- (CVSSv2: 7.5) bypass authentication check via crafted values
+
+# key exchange algorithms
+(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
+                                                      `- [info] available since OpenSSH 4.4
+(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
+                                                    `- [warn] using weak hashing algorithm
+                                                    `- [info] available since OpenSSH 2.3.0
+(kex) diffie-hellman-group14-sha1           -- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus
+                                            `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+
+# host-key algorithms
+(key) ssh-rsa (1024-bit)                    -- [fail] using weak hashing algorithm
+                                            `- [warn] using small 1024-bit modulus
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/3072-bit CA) -- [fail] using small 1024-bit modulus
+                                                               `- [info] available since OpenSSH 5.6
+
+# encryption algorithms (ciphers)
+(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) arcfour256                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher
+                                            `- [info] available since OpenSSH 4.2
+(enc) arcfour128                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher
+                                            `- [info] available since OpenSSH 4.2
+(enc) aes128-cbc                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) 3des-cbc                              -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.4, unsafe algorithm
+                                            `- [warn] using weak cipher
+                                            `- [warn] using weak cipher mode
+                                            `- [warn] using small 64-bit block size
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) blowfish-cbc                          -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [fail] disabled since Dropbear SSH 0.53
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [warn] using small 64-bit block size
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) cast128-cbc                           -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [warn] using small 64-bit block size
+                                            `- [info] available since OpenSSH 2.1.0
+(enc) aes192-cbc                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0
+(enc) aes256-cbc                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) arcfour                               -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher
+                                            `- [info] available since OpenSSH 2.1.0
+(enc) rijndael-cbc@lysator.liu.se           -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0
+
+# message authentication code algorithms
+(mac) hmac-md5                              -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha1                             -- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) umac-64@openssh.com                   -- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using small 64-bit tag size
+                                            `- [info] available since OpenSSH 4.7
+(mac) hmac-ripemd160                        -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [info] available since OpenSSH 2.5.0
+(mac) hmac-ripemd160@openssh.com            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [info] available since OpenSSH 2.1.0
+(mac) hmac-sha1-96                          -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-md5-96                           -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.5.0
+
+# fingerprints
+(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4
+
+# algorithm recommendations (for OpenSSH 5.6)
+(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 2048 bits or larger) 
+(rec) !ssh-rsa-cert-v01@openssh.com         -- key algorithm to change (increase modulus size to 2048 bits or larger) 
+(rec) -3des-cbc                             -- enc algorithm to remove 
+(rec) -aes128-cbc                           -- enc algorithm to remove 
+(rec) -aes192-cbc                           -- enc algorithm to remove 
+(rec) -aes256-cbc                           -- enc algorithm to remove 
+(rec) -arcfour                              -- enc algorithm to remove 
+(rec) -arcfour128                           -- enc algorithm to remove 
+(rec) -arcfour256                           -- enc algorithm to remove 
+(rec) -blowfish-cbc                         -- enc algorithm to remove 
+(rec) -cast128-cbc                          -- enc algorithm to remove 
+(rec) -diffie-hellman-group-exchange-sha1   -- kex algorithm to remove 
+(rec) -diffie-hellman-group1-sha1           -- kex algorithm to remove 
+(rec) -hmac-md5                             -- mac algorithm to remove 
+(rec) -hmac-md5-96                          -- mac algorithm to remove 
+(rec) -hmac-ripemd160                       -- mac algorithm to remove 
+(rec) -hmac-ripemd160@openssh.com           -- mac algorithm to remove 
+(rec) -hmac-sha1-96                         -- mac algorithm to remove 
+(rec) -rijndael-cbc@lysator.liu.se          -- enc algorithm to remove 
+(rec) -ssh-rsa                              -- key algorithm to remove 
+(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+

test/docker/expected_results/openssh_5.6p1_test4.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_5.6", "software": "OpenSSH_5.6"}, "compression": ["none", "zlib@openssh.com"], "enc": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "fingerprints": [{"fp": "SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244", "type": "ssh-rsa"}], "kex": [{"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 1024}, {"algorithm": "diffie-hellman-group-exchange-sha1", "keysize": 1024}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "diffie-hellman-group1-sha1"}], "key": [{"algorithm": "ssh-rsa", "keysize": 3072}, {"algorithm": "ssh-rsa-cert-v01@openssh.com", "casize": 1024, "keysize": 3072}], "mac": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"]}

test/docker/expected_results/openssh_5.6p1_test4.txt

@@ -0,0 +1,146 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_5.6
+(gen) software: OpenSSH 5.6
+(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2016-3115                         -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
+(cve) CVE-2016-1907                         -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
+(cve) CVE-2015-6564                         -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
+(cve) CVE-2015-6563                         -- (CVSSv2: 1.9) conduct impersonation attack
+(cve) CVE-2014-2532                         -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard
+(cve) CVE-2014-1692                         -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
+(cve) CVE-2012-0814                         -- (CVSSv2: 3.5) leak data via debug messages
+(cve) CVE-2011-5000                         -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
+(cve) CVE-2010-5107                         -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
+(cve) CVE-2010-4755                         -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
+(cve) CVE-2010-4478                         -- (CVSSv2: 7.5) bypass authentication check via crafted values
+
+# key exchange algorithms
+(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
+                                                      `- [info] available since OpenSSH 4.4
+(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
+                                                    `- [warn] using weak hashing algorithm
+                                                    `- [info] available since OpenSSH 2.3.0
+(kex) diffie-hellman-group14-sha1           -- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus
+                                            `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+
+# host-key algorithms
+(key) ssh-rsa (3072-bit)                    -- [fail] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/1024-bit CA) -- [fail] using small 1024-bit modulus
+                                                               `- [info] available since OpenSSH 5.6
+
+# encryption algorithms (ciphers)
+(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) arcfour256                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher
+                                            `- [info] available since OpenSSH 4.2
+(enc) arcfour128                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher
+                                            `- [info] available since OpenSSH 4.2
+(enc) aes128-cbc                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) 3des-cbc                              -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.4, unsafe algorithm
+                                            `- [warn] using weak cipher
+                                            `- [warn] using weak cipher mode
+                                            `- [warn] using small 64-bit block size
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) blowfish-cbc                          -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [fail] disabled since Dropbear SSH 0.53
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [warn] using small 64-bit block size
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) cast128-cbc                           -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [warn] using small 64-bit block size
+                                            `- [info] available since OpenSSH 2.1.0
+(enc) aes192-cbc                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0
+(enc) aes256-cbc                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) arcfour                               -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher
+                                            `- [info] available since OpenSSH 2.1.0
+(enc) rijndael-cbc@lysator.liu.se           -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0
+
+# message authentication code algorithms
+(mac) hmac-md5                              -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha1                             -- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) umac-64@openssh.com                   -- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using small 64-bit tag size
+                                            `- [info] available since OpenSSH 4.7
+(mac) hmac-ripemd160                        -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [info] available since OpenSSH 2.5.0
+(mac) hmac-ripemd160@openssh.com            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [info] available since OpenSSH 2.1.0
+(mac) hmac-sha1-96                          -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-md5-96                           -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.5.0
+
+# fingerprints
+(fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244
+
+# algorithm recommendations (for OpenSSH 5.6)
+(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 2048 bits or larger) 
+(rec) !ssh-rsa-cert-v01@openssh.com         -- key algorithm to change (increase modulus size to 2048 bits or larger) 
+(rec) -3des-cbc                             -- enc algorithm to remove 
+(rec) -aes128-cbc                           -- enc algorithm to remove 
+(rec) -aes192-cbc                           -- enc algorithm to remove 
+(rec) -aes256-cbc                           -- enc algorithm to remove 
+(rec) -arcfour                              -- enc algorithm to remove 
+(rec) -arcfour128                           -- enc algorithm to remove 
+(rec) -arcfour256                           -- enc algorithm to remove 
+(rec) -blowfish-cbc                         -- enc algorithm to remove 
+(rec) -cast128-cbc                          -- enc algorithm to remove 
+(rec) -diffie-hellman-group-exchange-sha1   -- kex algorithm to remove 
+(rec) -diffie-hellman-group1-sha1           -- kex algorithm to remove 
+(rec) -hmac-md5                             -- mac algorithm to remove 
+(rec) -hmac-md5-96                          -- mac algorithm to remove 
+(rec) -hmac-ripemd160                       -- mac algorithm to remove 
+(rec) -hmac-ripemd160@openssh.com           -- mac algorithm to remove 
+(rec) -hmac-sha1-96                         -- mac algorithm to remove 
+(rec) -rijndael-cbc@lysator.liu.se          -- enc algorithm to remove 
+(rec) -ssh-rsa                              -- key algorithm to remove 
+(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+

test/docker/expected_results/openssh_5.6p1_test5.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_5.6", "software": "OpenSSH_5.6"}, "compression": ["none", "zlib@openssh.com"], "enc": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "fingerprints": [{"fp": "SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244", "type": "ssh-rsa"}], "kex": [{"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 1024}, {"algorithm": "diffie-hellman-group-exchange-sha1", "keysize": 1024}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "diffie-hellman-group1-sha1"}], "key": [{"algorithm": "ssh-rsa", "keysize": 3072}, {"algorithm": "ssh-rsa-cert-v01@openssh.com", "casize": 3072, "keysize": 3072}], "mac": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"]}

test/docker/expected_results/openssh_5.6p1_test5.txt

@@ -0,0 +1,144 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_5.6
+(gen) software: OpenSSH 5.6
+(gen) compatibility: OpenSSH 5.6-6.6, Dropbear SSH 0.53+ (some functionality from 0.52)
+(gen) compression: enabled (zlib@openssh.com)
+
+# security
+(cve) CVE-2016-3115                         -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data
+(cve) CVE-2016-1907                         -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read)
+(cve) CVE-2015-6564                         -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid
+(cve) CVE-2015-6563                         -- (CVSSv2: 1.9) conduct impersonation attack
+(cve) CVE-2014-2532                         -- (CVSSv2: 5.8) bypass environment restrictions via specific string before wildcard
+(cve) CVE-2014-1692                         -- (CVSSv2: 7.5) cause DoS via triggering error condition (memory corruption)
+(cve) CVE-2012-0814                         -- (CVSSv2: 3.5) leak data via debug messages
+(cve) CVE-2011-5000                         -- (CVSSv2: 3.5) cause DoS via large value in certain length field (memory consumption)
+(cve) CVE-2010-5107                         -- (CVSSv2: 5.0) cause DoS via large number of connections (slot exhaustion)
+(cve) CVE-2010-4755                         -- (CVSSv2: 4.0) cause DoS via crafted glob expression (CPU and memory consumption)
+(cve) CVE-2010-4478                         -- (CVSSv2: 7.5) bypass authentication check via crafted values
+
+# key exchange algorithms
+(kex) diffie-hellman-group-exchange-sha256 (1024-bit) -- [fail] using small 1024-bit modulus
+                                                      `- [info] available since OpenSSH 4.4
+(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] using small 1024-bit modulus
+                                                    `- [warn] using weak hashing algorithm
+                                                    `- [info] available since OpenSSH 2.3.0
+(kex) diffie-hellman-group14-sha1           -- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus
+                                            `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+
+# host-key algorithms
+(key) ssh-rsa (3072-bit)                    -- [fail] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/3072-bit CA) -- [info] available since OpenSSH 5.6
+
+# encryption algorithms (ciphers)
+(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) arcfour256                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher
+                                            `- [info] available since OpenSSH 4.2
+(enc) arcfour128                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher
+                                            `- [info] available since OpenSSH 4.2
+(enc) aes128-cbc                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
+(enc) 3des-cbc                              -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.4, unsafe algorithm
+                                            `- [warn] using weak cipher
+                                            `- [warn] using weak cipher mode
+                                            `- [warn] using small 64-bit block size
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) blowfish-cbc                          -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [fail] disabled since Dropbear SSH 0.53
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [warn] using small 64-bit block size
+                                            `- [info] available since OpenSSH 1.2.2, Dropbear SSH 0.28
+(enc) cast128-cbc                           -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [warn] using small 64-bit block size
+                                            `- [info] available since OpenSSH 2.1.0
+(enc) aes192-cbc                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0
+(enc) aes256-cbc                            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.47
+(enc) arcfour                               -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher
+                                            `- [info] available since OpenSSH 2.1.0
+(enc) rijndael-cbc@lysator.liu.se           -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using weak cipher mode
+                                            `- [info] available since OpenSSH 2.3.0
+
+# message authentication code algorithms
+(mac) hmac-md5                              -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) hmac-sha1                             -- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+(mac) umac-64@openssh.com                   -- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using small 64-bit tag size
+                                            `- [info] available since OpenSSH 4.7
+(mac) hmac-ripemd160                        -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [info] available since OpenSSH 2.5.0
+(mac) hmac-ripemd160@openssh.com            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [info] available since OpenSSH 2.1.0
+(mac) hmac-sha1-96                          -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
+(mac) hmac-md5-96                           -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+                                            `- [warn] disabled (in client) since OpenSSH 7.2, legacy algorithm
+                                            `- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.5.0
+
+# fingerprints
+(fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244
+
+# algorithm recommendations (for OpenSSH 5.6)
+(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 2048 bits or larger) 
+(rec) -3des-cbc                             -- enc algorithm to remove 
+(rec) -aes128-cbc                           -- enc algorithm to remove 
+(rec) -aes192-cbc                           -- enc algorithm to remove 
+(rec) -aes256-cbc                           -- enc algorithm to remove 
+(rec) -arcfour                              -- enc algorithm to remove 
+(rec) -arcfour128                           -- enc algorithm to remove 
+(rec) -arcfour256                           -- enc algorithm to remove 
+(rec) -blowfish-cbc                         -- enc algorithm to remove 
+(rec) -cast128-cbc                          -- enc algorithm to remove 
+(rec) -diffie-hellman-group-exchange-sha1   -- kex algorithm to remove 
+(rec) -diffie-hellman-group1-sha1           -- kex algorithm to remove 
+(rec) -hmac-md5                             -- mac algorithm to remove 
+(rec) -hmac-md5-96                          -- mac algorithm to remove 
+(rec) -hmac-ripemd160                       -- mac algorithm to remove 
+(rec) -hmac-ripemd160@openssh.com           -- mac algorithm to remove 
+(rec) -hmac-sha1-96                         -- mac algorithm to remove 
+(rec) -rijndael-cbc@lysator.liu.se          -- enc algorithm to remove 
+(rec) -ssh-rsa                              -- key algorithm to remove 
+(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+

test/docker/expected_results/openssh_8.0p1_policy_test11.json

@@ -0,0 +1 @@
+{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test11 (version 1)"}

test/docker/expected_results/openssh_8.0p1_policy_test11.txt

@@ -0,0 +1,3 @@
+Host:   localhost:2222
+Policy: Docker policy: test11 (version 1)
+Result: ✔ Passed

test/docker/expected_results/openssh_8.0p1_policy_test12.json

@@ -0,0 +1 @@
+{"errors": [{"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (rsa-sha2-256) sizes"}, {"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (rsa-sha2-512) sizes"}, {"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (ssh-rsa) sizes"}], "host": "localhost", "passed": false, "policy": "Docker policy: test12 (version 1)"}

test/docker/expected_results/openssh_8.0p1_policy_test12.txt

@@ -0,0 +1,8 @@
+Host:   localhost:2222
+Policy: Docker policy: test12 (version 1)
+Result: ❌ Failed!
+
+Errors:
+  * RSA host key (rsa-sha2-256) sizes did not match. Expected: 4096; Actual: 3072
+  * RSA host key (rsa-sha2-512) sizes did not match. Expected: 4096; Actual: 3072
+  * RSA host key (ssh-rsa) sizes did not match. Expected: 4096; Actual: 3072

test/docker/expected_results/openssh_8.0p1_policy_test13.json

@@ -0,0 +1 @@
+{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test13 (version 1)"}

test/docker/expected_results/openssh_8.0p1_policy_test13.txt

@@ -0,0 +1,3 @@
+Host:   localhost:2222
+Policy: Docker policy: test13 (version 1)
+Result: ✔ Passed

test/docker/expected_results/openssh_8.0p1_policy_test14.json

@@ -0,0 +1 @@
+{"errors": [{"actual": ["2048"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes"}], "host": "localhost", "passed": false, "policy": "Docker policy: test14 (version 1)"}

test/docker/expected_results/openssh_8.0p1_policy_test14.txt

@@ -0,0 +1,6 @@
+Host:   localhost:2222
+Policy: Docker policy: test14 (version 1)
+Result: ❌ Failed!
+
+Errors:
+  * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match. Expected: 4096; Actual: 2048

test/docker/expected_results/openssh_8.0p1_policy_test6.json

@@ -0,0 +1 @@
+{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test6 (version 1)"}

test/docker/expected_results/openssh_8.0p1_policy_test6.txt

@@ -0,0 +1,3 @@
+Host:   localhost:2222
+Policy: Docker policy: test6 (version 1)
+Result: ✔ Passed

test/docker/expected_results/openssh_8.0p1_test1.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_8.0", "software": "OpenSSH_8.0"}, "compression": ["none", "zlib@openssh.com"], "enc": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"], "fingerprints": [{"fp": "SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", "type": "ssh-ed25519"}, {"fp": "SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244", "type": "ssh-rsa"}], "kex": [{"algorithm": "curve25519-sha256"}, {"algorithm": "curve25519-sha256@libssh.org"}, {"algorithm": "ecdh-sha2-nistp256"}, {"algorithm": "ecdh-sha2-nistp384"}, {"algorithm": "ecdh-sha2-nistp521"}, {"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 2048}, {"algorithm": "diffie-hellman-group16-sha512"}, {"algorithm": "diffie-hellman-group18-sha512"}, {"algorithm": "diffie-hellman-group14-sha256"}, {"algorithm": "diffie-hellman-group14-sha1"}], "key": [{"algorithm": "rsa-sha2-512", "keysize": 3072}, {"algorithm": "rsa-sha2-256", "keysize": 3072}, {"algorithm": "ssh-rsa", "keysize": 3072}, {"algorithm": "ecdsa-sha2-nistp256"}, {"algorithm": "ssh-ed25519"}], "mac": ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]}

test/docker/expected_results/openssh_8.0p1_test1.txt

@@ -0,0 +1,84 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_8.0
+(gen) software: OpenSSH 8.0
+(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
+(gen) compression: enabled (zlib@openssh.com)
+
+# key exchange algorithms
+(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+(kex) curve25519-sha256@libssh.org          -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp256                    -- [fail] using weak elliptic curves
+                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp384                    -- [fail] using weak elliptic curves
+                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp521                    -- [fail] using weak elliptic curves
+                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [info] available since OpenSSH 4.4
+(kex) diffie-hellman-group16-sha512         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group18-sha512         -- [info] available since OpenSSH 7.3
+(kex) diffie-hellman-group14-sha256         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group14-sha1           -- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+
+# host-key algorithms
+(key) rsa-sha2-512 (3072-bit)               -- [info] available since OpenSSH 7.2
+(key) rsa-sha2-256 (3072-bit)               -- [info] available since OpenSSH 7.2
+(key) ssh-rsa (3072-bit)                    -- [fail] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+(key) ecdsa-sha2-nistp256                   -- [fail] using weak elliptic curves
+                                            `- [warn] using weak random number generator could reveal the key
+                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(key) ssh-ed25519                           -- [info] available since OpenSSH 6.5
+
+# encryption algorithms (ciphers)
+(enc) chacha20-poly1305@openssh.com         -- [info] available since OpenSSH 6.5
+                                            `- [info] default cipher since OpenSSH 6.9.
+(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes128-gcm@openssh.com                -- [info] available since OpenSSH 6.2
+(enc) aes256-gcm@openssh.com                -- [info] available since OpenSSH 6.2
+
+# message authentication code algorithms
+(mac) umac-64-etm@openssh.com               -- [warn] using small 64-bit tag size
+                                            `- [info] available since OpenSSH 6.2
+(mac) umac-128-etm@openssh.com              -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-256-etm@openssh.com         -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-512-etm@openssh.com         -- [info] available since OpenSSH 6.2
+(mac) hmac-sha1-etm@openssh.com             -- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 6.2
+(mac) umac-64@openssh.com                   -- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using small 64-bit tag size
+                                            `- [info] available since OpenSSH 4.7
+(mac) umac-128@openssh.com                  -- [warn] using encrypt-and-MAC mode
+                                            `- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-256                         -- [warn] using encrypt-and-MAC mode
+                                            `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+(mac) hmac-sha2-512                         -- [warn] using encrypt-and-MAC mode
+                                            `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+(mac) hmac-sha1                             -- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+
+# fingerprints
+(fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU
+(fin) ssh-rsa: SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244
+
+# algorithm recommendations (for OpenSSH 8.0)
+(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove 
+(rec) -ecdsa-sha2-nistp256                  -- key algorithm to remove 
+(rec) -ssh-rsa                              -- key algorithm to remove 
+(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 
+(rec) -hmac-sha1                            -- mac algorithm to remove 
+(rec) -hmac-sha1-etm@openssh.com            -- mac algorithm to remove 
+(rec) -hmac-sha2-256                        -- mac algorithm to remove 
+(rec) -hmac-sha2-512                        -- mac algorithm to remove 
+(rec) -umac-128@openssh.com                 -- mac algorithm to remove 
+(rec) -umac-64-etm@openssh.com              -- mac algorithm to remove 
+(rec) -umac-64@openssh.com                  -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+

test/docker/expected_results/openssh_8.0p1_test2.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_8.0", "software": "OpenSSH_8.0"}, "compression": ["none", "zlib@openssh.com"], "enc": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"], "fingerprints": [{"fp": "SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", "type": "ssh-ed25519"}], "kex": [{"algorithm": "curve25519-sha256"}, {"algorithm": "curve25519-sha256@libssh.org"}, {"algorithm": "ecdh-sha2-nistp256"}, {"algorithm": "ecdh-sha2-nistp384"}, {"algorithm": "ecdh-sha2-nistp521"}, {"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 2048}, {"algorithm": "diffie-hellman-group16-sha512"}, {"algorithm": "diffie-hellman-group18-sha512"}, {"algorithm": "diffie-hellman-group14-sha256"}, {"algorithm": "diffie-hellman-group14-sha1"}], "key": [{"algorithm": "ssh-ed25519"}, {"algorithm": "ssh-ed25519-cert-v01@openssh.com"}], "mac": ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]}

test/docker/expected_results/openssh_8.0p1_test2.txt

@@ -0,0 +1,77 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_8.0
+(gen) software: OpenSSH 8.0
+(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
+(gen) compression: enabled (zlib@openssh.com)
+
+# key exchange algorithms
+(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+(kex) curve25519-sha256@libssh.org          -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp256                    -- [fail] using weak elliptic curves
+                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp384                    -- [fail] using weak elliptic curves
+                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) ecdh-sha2-nistp521                    -- [fail] using weak elliptic curves
+                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
+(kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [info] available since OpenSSH 4.4
+(kex) diffie-hellman-group16-sha512         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group18-sha512         -- [info] available since OpenSSH 7.3
+(kex) diffie-hellman-group14-sha256         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
+(kex) diffie-hellman-group14-sha1           -- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
+
+# host-key algorithms
+(key) ssh-ed25519                           -- [info] available since OpenSSH 6.5
+(key) ssh-ed25519-cert-v01@openssh.com      -- [info] available since OpenSSH 6.5
+
+# encryption algorithms (ciphers)
+(enc) chacha20-poly1305@openssh.com         -- [info] available since OpenSSH 6.5
+                                            `- [info] default cipher since OpenSSH 6.9.
+(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7
+(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes128-gcm@openssh.com                -- [info] available since OpenSSH 6.2
+(enc) aes256-gcm@openssh.com                -- [info] available since OpenSSH 6.2
+
+# message authentication code algorithms
+(mac) umac-64-etm@openssh.com               -- [warn] using small 64-bit tag size
+                                            `- [info] available since OpenSSH 6.2
+(mac) umac-128-etm@openssh.com              -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-256-etm@openssh.com         -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-512-etm@openssh.com         -- [info] available since OpenSSH 6.2
+(mac) hmac-sha1-etm@openssh.com             -- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 6.2
+(mac) umac-64@openssh.com                   -- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using small 64-bit tag size
+                                            `- [info] available since OpenSSH 4.7
+(mac) umac-128@openssh.com                  -- [warn] using encrypt-and-MAC mode
+                                            `- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-256                         -- [warn] using encrypt-and-MAC mode
+                                            `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+(mac) hmac-sha2-512                         -- [warn] using encrypt-and-MAC mode
+                                            `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+(mac) hmac-sha1                             -- [warn] using encrypt-and-MAC mode
+                                            `- [warn] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
+
+# fingerprints
+(fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU
+
+# algorithm recommendations (for OpenSSH 8.0)
+(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove 
+(rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove 
+(rec) +rsa-sha2-256                         -- key algorithm to append 
+(rec) +rsa-sha2-512                         -- key algorithm to append 
+(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 
+(rec) -hmac-sha1                            -- mac algorithm to remove 
+(rec) -hmac-sha1-etm@openssh.com            -- mac algorithm to remove 
+(rec) -hmac-sha2-256                        -- mac algorithm to remove 
+(rec) -hmac-sha2-512                        -- mac algorithm to remove 
+(rec) -umac-128@openssh.com                 -- mac algorithm to remove 
+(rec) -umac-64-etm@openssh.com              -- mac algorithm to remove 
+(rec) -umac-64@openssh.com                  -- mac algorithm to remove 
+
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+

test/docker/expected_results/openssh_8.0p1_test3.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_8.0", "software": "OpenSSH_8.0"}, "compression": ["none", "zlib@openssh.com"], "enc": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"], "fingerprints": [{"fp": "SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", "type": "ssh-ed25519"}], "kex": [{"algorithm": "curve25519-sha256"}, {"algorithm": "curve25519-sha256@libssh.org"}, {"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 2048}], "key": [{"algorithm": "ssh-ed25519"}], "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "umac-128-etm@openssh.com"]}

test/docker/expected_results/openssh_8.0p1_test3.txt

@@ -0,0 +1,38 @@
+# general
+(gen) banner: SSH-2.0-OpenSSH_8.0
+(gen) software: OpenSSH 8.0
+(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
+(gen) compression: enabled (zlib@openssh.com)
+
+# key exchange algorithms
+(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+(kex) curve25519-sha256@libssh.org          -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
+(kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [info] available since OpenSSH 4.4
+
+# host-key algorithms
+(key) ssh-ed25519                           -- [info] available since OpenSSH 6.5
+
+# encryption algorithms (ciphers)
+(enc) chacha20-poly1305@openssh.com         -- [info] available since OpenSSH 6.5
+                                            `- [info] default cipher since OpenSSH 6.9.
+(enc) aes256-gcm@openssh.com                -- [info] available since OpenSSH 6.2
+(enc) aes128-gcm@openssh.com                -- [info] available since OpenSSH 6.2
+(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7
+(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+
+# message authentication code algorithms
+(mac) hmac-sha2-256-etm@openssh.com         -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-512-etm@openssh.com         -- [info] available since OpenSSH 6.2
+(mac) umac-128-etm@openssh.com              -- [info] available since OpenSSH 6.2
+
+# fingerprints
+(fin) ssh-ed25519: SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU
+
+# algorithm recommendations (for OpenSSH 8.0)
+(rec) +diffie-hellman-group14-sha256        -- kex algorithm to append 
+(rec) +diffie-hellman-group16-sha512        -- kex algorithm to append 
+(rec) +diffie-hellman-group18-sha512        -- kex algorithm to append 
+(rec) +rsa-sha2-256                         -- key algorithm to append 
+(rec) +rsa-sha2-512                         -- key algorithm to append 
+

test/docker/expected_results/tinyssh_20190101_test1.json

@@ -0,0 +1 @@
+{"banner": {"comments": "", "protocol": [2, 0], "raw": "", "software": "tinyssh_noversion"}, "compression": ["none"], "enc": ["chacha20-poly1305@openssh.com"], "fingerprints": [{"fp": "SHA256:89ocln1x7KNqnMgWffGoYtD70ksJ4FrH7BMJHa7SrwU", "type": "ssh-ed25519"}], "kex": [{"algorithm": "curve25519-sha256"}, {"algorithm": "curve25519-sha256@libssh.org"}, {"algorithm": "sntrup4591761x25519-sha512@tinyssh.org"}], "key": [{"algorithm": "ssh-ed25519"}], "mac": ["hmac-sha2-256"]}

test/docker/expected_results/tinyssh_20190101_test1.txt

@@ -0,0 +1,25 @@
+# general
+(gen) software: TinySSH noversion
+(gen) compatibility: OpenSSH 8.0+, Dropbear SSH 2018.76+
+(gen) compression: disabled
+
+# key exchange algorithms
+(kex) curve25519-sha256                       -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
+(kex) curve25519-sha256@libssh.org            -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
+(kex) sntrup4591761x25519-sha512@tinyssh.org  -- [warn] using experimental algorithm
+                                              `- [info] available since OpenSSH 8.0
+
+# host-key algorithms
+(key) ssh-ed25519                             -- [info] available since OpenSSH 6.5
+
+# encryption algorithms (ciphers)
+(enc) chacha20-poly1305@openssh.com           -- [info] available since OpenSSH 6.5
+                                              `- [info] default cipher since OpenSSH 6.9.
+
+# message authentication code algorithms
+(mac) hmac-sha2-256                           -- [warn] using encrypt-and-MAC mode
+                                              `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
+
+# fingerprints
+(fin) ssh-ed25519: SHA256:89ocln1x7KNqnMgWffGoYtD70ksJ4FrH7BMJHa7SrwU
+

test/docker/host_ca_ed25519

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAbM9Wp3ZPcC8Ifhu6GjNDJaoMg7KxO0el2+r9J35TltQAAAKAa0zr8GtM6
+/AAAAAtzc2gtZWQyNTUxOQAAACAbM9Wp3ZPcC8Ifhu6GjNDJaoMg7KxO0el2+r9J35TltQ
+AAAEC/j/BpfmgaZqNMTkJXO4cKZBr31N5z33IRFjh5m6IDDhsz1andk9wLwh+G7oaM0Mlq
+gyDsrE7R6Xb6v0nflOW1AAAAHWpkb2dAbG9jYWxob3N0LndvbmRlcmxhbmQubG9s
+-----END OPENSSH PRIVATE KEY-----

test/docker/host_ca_ed25519.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsz1andk9wLwh+G7oaM0MlqgyDsrE7R6Xb6v0nflOW1 jdog@localhost.wonderland.lol

test/docker/host_ca_rsa_1024

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDnRlN3AFnUe2lFf5XG9UhXLr/9POruNTFbMt0zrjOUSjmAS7hS
+6pDv5VEToT6DaR1EQUYaqSMpHYzZhuCK52vrydOm5XFbJ7712r9MyZQUhoVZx8Su
+dBHzVDIVO3jcMMWIlrfWBMnUaUHEqpmy88Y7gKDa2TWxJg1+hg51KqHrUQIDAQAB
+AoGBANALOUXRcP1tTtOP4+In/709dsONKyDBhPavGMFGsWtyIavBcbxU+bBzrq1j
+3WJFCmi99xxAjjqMNInxhMgvSaoJtsiY0/FFxqRy6l/ZnRjI6hrVKR8whrPKVgBF
+pvbjeQIn9txeCYA8kwl/Si762u7byq+qvupE53xMP94J02KBAkEA/Q4+Hn1Rjblw
+VXynF+oXIq6iZy+8PW+Y/FIL8d31ehzfcssCMdFV6S3/wBoQkWby30oGC/xGmHGR
+6ffXGilByQJBAOn3NMrBPXNkaPeQtgV3tk4s1dRDQYhbqGNz6tcgThyyPdhJCmCy
+jgUEhLwAetsDI8/+3avWbo6/csOV+BvpYUkCQQDQyEp6L1z0+FV1QqY99dZmt/yn
+89t0OLnZG/xc7osU1/OHq3TBE3y1KU2D+j1HKdAiZ9l7VAYOykzf46qmG/n5AkEA
+2kWjfcjcIIw7lULvXZh6fuI7NwTr3V/Nb8MUA1EDLqhnJCG4SdAqyKmXf6Fe/HYo
+cgKPIaIykIAxfCCsULXg6QJAOxB0CKYJlopVBdjGMlGqOEneWTmb1A2INQDE2Una
+LkSd0Rr8OiEzDeemV7j3Ec4BH0HxGMnHDxMybZwoZRnRPw==
+-----END RSA PRIVATE KEY-----

test/docker/host_ca_rsa_1024.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDnRlN3AFnUe2lFf5XG9UhXLr/9POruNTFbMt0zrjOUSjmAS7hS6pDv5VEToT6DaR1EQUYaqSMpHYzZhuCK52vrydOm5XFbJ7712r9MyZQUhoVZx8SudBHzVDIVO3jcMMWIlrfWBMnUaUHEqpmy88Y7gKDa2TWxJg1+hg51KqHrUQ== jdog@localhost.wonderland.lol

test/docker/host_ca_rsa_3072

@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4wIBAAKCAYEAqxQEIbj8w0TrBY1fDO81curijQrdLOUr8Vl8XECWc5QGd1Lk
+AG80NgdcCBPvjWxZSmYrKeqA78GUdN+KgycE0ztpxYSXKHZMaIM5Xe94BB+BocH9
+1vd/2iBzGeed1nV/zfAdq2AEHQj1TpII+a+z25yxv2PuwVTTwwo9I/6JgNq3evH4
+Hbwgr3SRfEEYZQ+YL8cOpBuNg1YZOR0k1yk23ZqAd92JybxZ4iCtOt7rcj2sFHzN
+u1U544wWBwIL5yZZKTgBhY4dqfT2Ep7IzR5HdsdrvQV9qC92GM1zDE+U3AwrVKjH
+s0YZq3jzcq/yvFDCcMMRz4/0pGFFU26oWma+n3vbAxKJoL+rhG8QM9+l2qFlLGsn
+M0kUXAJXsPKbygpaP8Z3U4eKgTuJ2GuS9eLIFnB7mrwD75V6GgN9q5mY89DfkVSk
+HaoqpY8pPdRkz9QAmMEuLtHmv29CVOpfX5v/rsm7wASAZqtUlmFu4rFGBLwvZbUl
+Wu02HmgBT47g6EIfAgMBAAECggGAKVCdKtO03yd+pomcodAHFWiaK7uq7FOwCAo3
+WUQT0Xe3FAwFmgFBF6cxV5YQ7RN0gN4poGbMmpoiUxNFLSU4KhcYFSZPJutiyn6e
+VQwm7L/7G2hw+AAvdSsPAPuJh6g6pC5Py/pVI/ns2/uyhTIkem3eEz18BF6LAXgw
+icfHx0GKu/tBk1TCg/zfwaUq0gUxGKC27XTl+QjK8JsUMY33fQ755Xiv9PMytcR0
+cVoyfBVewFffi1UqtMQ48ZpR65G743RxrP4/wcwsfD7n5LJLdyxQkh3gIMTJ8dd/
+R5V4FlueorRgjTbLTjGDxNrCAJ+locezhEEPXsPh2q0KiIXGyz2AMxaOqFmhU8oK
+aVVt8pWJ+YsrKIgc/A3s18ezO8uO5ZdtjQ+CWguduUGY7YgWezGLO1LPxhJC4d7b
+Q/xpeKveTRlcScAqOUzKgSuEhcvPgj8paUcRUoiXm4qiJBY5sXJks+YGp8BGksH0
+O94no+Ns2G58MlL+RyXk3JWrc6zRAoHBANdPplY2sIuIiiEBu95f1Qar1nCBHhB2
+i+HpnsUOdSlbxwMxoF8ffeN9N+DQqaqPu1RhFa5xbB2EUSujvOnL7b/RWqe1X9Po
+UIt5UjXctNP/HYcQDyjXY+rV5SZhHDyv6TBYurNZlvlBivliDz82THPRtqVxed3B
+w2MeaSkKAQ8rA7PE+0j3TG+YtIij0mHOhNPJgEZ/XZ9MIQOGMycRJhwOlclBI5NP
+Ak6p30ArnU2fX4qMkU3i+wqUfXS1hhDihwKBwQDLaHWPIWPVbWdcCbYQTcUmFC3i
+xkxd0UuLcfS9csk61nvdFj7m8tMExX+3fIo/fHEtzDd98Alc1i6/f6ePl0CX6NDu
+QIWLryI1QQRQidHCdw0wQ3N3VD4ZXJHDeqBxogVAkA7A/1QeXwcXE/Xj2ZgyDwhL
+3+myjmvWtw9zJsXL0F3tpPzn+Mrf0KRkWOaluOw7hMMjVjrgu6g24HMWbHHVLRTx
+dlAI7tgxCAPe2SEi+1mzaVUZ8cfgqYqC3X66UakCgcEAopxtK7+yJi/A4pzEnnYS
+FS/CjMV3R0fA7aXbW0hIBCxkaW0Zib3m/eCcSxZMjZxwBpIsJctTtBcylprbGlgB
+/1TF+tNoxEo4Sp4eEL/XciTC0Da4vEewFrPklM/S26KfovvgRYPsGeP+aco9aahA
+pVhFcT36pBiq0DkvgucjValO6n5iqgDboYzbDDdttKCcgLc2Qgf/VUfRxy+bgm3Z
+MmdxiMXBcIfDXlW9XmGSNAWhyqnPM9uxbZQoC/Tsg+QRAoHANHMcFSsz9f2+8DGk
+27FiC76aUmZ1nJ9yTmO1CwDFOMHDsK+iyqSEmy9eDm8zqsko2flVuciicWjdJw4A
+o/sJceJbtYO3q9weAwNf3HCdQPq30OEjrfpwBNQk1fYR1xtDJXHADC4Kf8ZbKq0/
+81/Rad8McZwsQ5mL3xLXDgdKa5KwFa48dIhnr6y6JxHxb3wule5W7w62Ierhpjzc
+EEUoWSLFyrmKS7Ni1cnOTbFJZR7Q831Or2Dz/E9bYwFAQ0T5AoHAM4/zU+8rsbdD
+FvvhWsj7Ivfh6pxx1Tl1Wccaauea9AJayHht0FOzkycpJrH1E+6F5MzhkFFU1SUY
+60NZxzSZgbU0HBrJRcRFyo510iMcnctdTdyh8p7nweGoD0oqXzf6cHqrUep8Y8rQ
+gkSVhPE31+NGlPbwz+NOflcaaAWYiDC6wjVt1asaZq292SJD4DF1fAUkbQ2hxgyQ
++G/6y5ovrcGnh7q63RLhW1TRf8dD2D2Av9UgXDmWZAZ5n838FS+X
+-----END RSA PRIVATE KEY-----

test/docker/host_ca_rsa_3072.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCrFAQhuPzDROsFjV8M7zVy6uKNCt0s5SvxWXxcQJZzlAZ3UuQAbzQ2B1wIE++NbFlKZisp6oDvwZR034qDJwTTO2nFhJcodkxogzld73gEH4Ghwf3W93/aIHMZ553WdX/N8B2rYAQdCPVOkgj5r7PbnLG/Y+7BVNPDCj0j/omA2rd68fgdvCCvdJF8QRhlD5gvxw6kG42DVhk5HSTXKTbdmoB33YnJvFniIK063utyPawUfM27VTnjjBYHAgvnJlkpOAGFjh2p9PYSnsjNHkd2x2u9BX2oL3YYzXMMT5TcDCtUqMezRhmrePNyr/K8UMJwwxHPj/SkYUVTbqhaZr6fe9sDEomgv6uEbxAz36XaoWUsayczSRRcAlew8pvKClo/xndTh4qBO4nYa5L14sgWcHuavAPvlXoaA32rmZjz0N+RVKQdqiqljyk91GTP1ACYwS4u0ea/b0JU6l9fm/+uybvABIBmq1SWYW7isUYEvC9ltSVa7TYeaAFPjuDoQh8= jdog@localhost.wonderland.lol