Added release date for v2.3.0. Added link for policy tutorial.

* Adding ssh-audit.py to algorithm_lookup_branch

* Removed the use of an error handler from algorithm_lookup and implemented suggestions made by jugmac00 and jtesta

.appveyor.yml

@@ -1,4 +1,4 @@
-version: '1.7.1.dev.{build}'
+version: 'v2.2.1-dev.{build}'
 
 build: off
 branches:
@@ -8,18 +8,14 @@ branches:
 
 environment:
   matrix:
-    - PYTHON: "C:\\Python26"
-    - PYTHON: "C:\\Python26-x64"
-    - PYTHON: "C:\\Python27"
-    - PYTHON: "C:\\Python27-x64"
-    - PYTHON: "C:\\Python33"
-    - PYTHON: "C:\\Python33-x64"
-    - PYTHON: "C:\\Python34"
-    - PYTHON: "C:\\Python34-x64"
     - PYTHON: "C:\\Python35"
     - PYTHON: "C:\\Python35-x64"
     - PYTHON: "C:\\Python36"
     - PYTHON: "C:\\Python36-x64"
+    - PYTHON: "C:\\Python37"
+    - PYTHON: "C:\\Python37-x64"
+    - PYTHON: "C:\\Python38"
+    - PYTHON: "C:\\Python38-x64"
 matrix:
   fast_finish: true 
 

.deepsource.toml

@@ -0,0 +1,8 @@
+version = 1
+
+[[analyzers]]
+name = "python"
+enabled = true
+
+  [analyzers.meta]
+  runtime_version = "3.x.x"

.gitignore

@@ -1,8 +1,19 @@
 *~
 *.pyc
+*.exe
+*.asc
 venv*/
 .cache/
+.mypy_cache/
 .tox
 .coverage*
 reports/
 .scannerwork/
+packages/sshaudit/LICENSE
+packages/sshaudit/README.md
+packages/sshaudit/sshaudit.py
+packages/parts/
+packages/prime/
+packages/snap/
+packages/stage/
+packages/ssh-audit_*.snap

.travis.yml

@@ -1,80 +1,19 @@
 language: python
-sudo: false
-matrix:
-  include:
-    # (default)
-    - os: linux
-      python: 2.6
-    - os: linux
-      python: 2.7
-      env: SQ=1
-    - os: linux
-      python: 3.3
-    - os: linux
-      python: 3.4
-    - os: linux
-      python: 3.5
-    - os: linux
-      python: 3.6
-    - os: linux
-      python: pypy
-    - os: linux
-      python: pypy3
-    - os: linux
-      python: 3.7-dev
-    # Ubuntu 12.04
-    - os: linux
-      dist: precise
-      language: generic
-      env: PY_VER=py26,py27,py33,py34,py35,py36,pypy,pypy3 PY_ORIGIN=pyenv
-    # Ubuntu 14.04
-    - os: linux
-      dist: trusty
-      language: generic
-      env: PY_VER=py26,py27,py33,py34,py35,py36,pypy,pypy3 PY_ORIGIN=pyenv
-    # macOS 10.12 Sierra
-    - os: osx
-      osx_image: xcode8.3
-      language: generic
-      env: PY_VER=py26,py27,py33,py34,py35,py36,pypy,pypy3
-    # Mac OS X 10.11 El Capitan
-    - os: osx
-      osx_image: xcode7.3
-      language: generic
-      env: PY_VER=py26,py27,py33,py34,py35,py36,pypy,pypy3
-    # Mac OS X 10.10 Yosemite
-    - os: osx
-      osx_image: xcode6.4
-      language: generic
-      env: PY_VER=py26,py27,py33,py34,py35,py36,pypy,pypy3
-  allow_failures:
-    # PyPy3 on Travis CI is out of date
-    - python: pypy3
-    # Python nightly could fail
-    - python: 3.7-dev
-    - env: PY_VER=py37
-    - env: PY_VER=py37/pyenv
-    - env: PY_VER=py37 PY_ORIGIN=pyenv
-  fast_finish: true
+
+python:
+  - "3.5"
+  - "3.6"
+  - "3.7"
+  - "3.8"
 
 cache:
   - pip
-  - directories:
-    - $HOME/.pyenv.cache
-    - $HOME/.bin
-
-before_install:
-  - source test/tools/ci-linux.sh
-  - ci_step_before_install
 
 install:
-  - ci_step_install
+  - pip install -U pip tox tox-travis coveralls codecov
 
 script:
-  - ci_step_script
+  - tox
 
 after_success:
-  - ci_step_success
-
-after_failure:
-  - ci_step_failure
+  - codecov

CONTRIBUTING.md

@@ -0,0 +1,26 @@
+# Contributing to ssh-audit
+
+We are very much open to receiving patches from the community!  To encourage participation, passing Travis tests, unit tests, etc., *is OPTIONAL*.  As long as the patch works properly, it can be merged (please submit pull requests to the `dev` branch).
+
+However, if you can submit patches that pass all of our automated tests, then you'll lighten the load for the project maintainer (who already has enough to do!).  This document describes what tests are done and what documentation is maintained.
+
+*Anything extra you can do is appreciated!*
+
+
+## Tox Tests
+
+Tox is used to do unit testing, linting with [pylint](http://pylint.pycqa.org/en/latest/) & [flake8](https://flake8.pycqa.org/en/latest/), and static type-checking with [mypy](https://mypy.readthedocs.io/en/stable/).
+
+Install tox with `apt install tox`, then simply run `tox` in the top-level directory.  Look for any error messages in the (verbose) output.
+
+
+## Docker Tests
+
+Docker is used to run ssh-audit against various real SSH servers (OpenSSH, Dropbear, and TinySSH).  The output is then diff'ed against the expected result.  Any differences result in failure.
+
+The docker tests are run with `./docker_test.sh`.  The first time it is run, it will download and compile the SSH servers; this may take awhile.  Subsequent runs, however, will take only a minute to complete, as the docker image will already be up-to-date.
+
+
+## Man Page
+
+The `ssh-audit.1` man page documents the various features of ssh-audit.  If features are added, or significant behavior is modified, the man page needs to be updated.

LICENSE

@@ -1,7 +1,7 @@
 The MIT License (MIT)
 
+Copyright (C) 2017-2020 Joe Testa (jtesta@positronsecurity.com)
 Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
-Copyright (C) 2017-2019 Joe Testa (jtesta@positronsecurity.com)
 
 
 Permission is hereby granted, free of charge, to any person obtaining a copy

README.md

@@ -5,10 +5,13 @@
 [![codecov](https://codecov.io/gh/arthepsy/ssh-audit/branch/develop/graph/badge.svg)](https://codecov.io/gh/arthepsy/ssh-audit)
 [![Quality Gate](https://sonarqube.com/api/badges/gate?key=arthepsy-github%3Assh-audit%3Adevelop&template=ROUNDED)](https://sq.evolutiongaming.com/dashboard?id=arthepsy-github%3Assh-audit%3Adevelop)  
 -->
-**ssh-audit** is a tool for ssh server auditing.  
+**ssh-audit** is a tool for ssh server & client configuration auditing.
+
+[jtesta/ssh-audit](https://github.com/jtesta/ssh-audit/) (v2.0+) is the updated and maintained version of ssh-audit forked from [arthepsy/ssh-audit](https://github.com/arthepsy/ssh-audit) (v1.x) due to inactivity.
 
 ## Features
 - SSH1 and SSH2 protocol server support;
+- analyze SSH client configuration;
 - grab banner, recognize device or software and operating system, detect compression;
 - gather key-exchange, host-key, encryption and message authentication code algorithms;
 - output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
@@ -16,32 +19,173 @@
 - output security information (related issues, assigned CVE list, etc);
 - analyze SSH version compatibility based on algorithm information;
 - historical information from OpenSSH, Dropbear SSH and libssh;
-- no dependencies, compatible with Python 2.6+, Python 3.x and PyPy;
+- policy scans to ensure adherence to a hardened/standard configuration;
+- runs on Linux and Windows;
+- no dependencies
 
 ## Usage
 ```
-usage: ssh-audit.py [-1246pbnvlt] <host>
+usage: ssh-audit.py [options] <host>
 
+   -h,  --help             print this help
    -1,  --ssh1             force ssh version 1 only
    -2,  --ssh2             force ssh version 2 only
    -4,  --ipv4             enable IPv4 (order of precedence)
    -6,  --ipv6             enable IPv6 (order of precedence)
-   -p,  --port=<port>      port to connect
    -b,  --batch            batch output
-   -n,  --no-colors        disable colors
-   -v,  --verbose          verbose output
+   -c,  --client-audit     starts a server on port 2222 to audit client
+                               software config (use -p to change port;
+                               use -t to change timeout)
+   -j,  --json             JSON output
    -l,  --level=<level>    minimum output level (info|warn|fail)
+   -L,  --list-policies    list all the official, built-in policies
+        --lookup=<alg1,alg2,...>    looks up an algorithm(s) without
+                                    connecting to a server
+   -M,  --make-policy=<policy.txt>  creates a policy based on the target server
+                                    (i.e.: the target server has the ideal
+                                    configuration that other servers should
+                                    adhere to)
+   -n,  --no-colors        disable colors
+   -p,  --port=<port>      port to connect
+   -P,  --policy=<policy.txt>  run a policy test using the specified policy
    -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
                                (default: 5)
+   -T,  --targets=<hosts.txt>  a file containing a list of target hosts (one
+                                   per line, format HOST[:PORT])
+   -v,  --verbose          verbose output
 ```
 * if both IPv4 and IPv6 are used, order of precedence can be set by using either `-46` or `-64`.  
 * batch flag `-b` will output sections without header and without empty lines (implies verbose flag).  
 * verbose flag `-v` will prefix each line with section type and algorithm name.  
+* an exit code of 0 is returned when all algorithms are considered secure (for a standard audit), or when a policy check passes (for a policy audit).
 
-### Example
-![screenshot](https://user-images.githubusercontent.com/2982011/63970414-104bdb00-ca72-11e9-832f-3e535be32811.png)
+Basic server auditing:
+```
+ssh-audit localhost
+ssh-audit 127.0.0.1
+ssh-audit 127.0.0.1:222
+ssh-audit ::1
+ssh-audit [::1]:222
+```
+
+To run a standard audit against many servers (place targets into servers.txt, one on each line in the format of `HOST[:PORT]`):
+
+```
+ssh-audit -T servers.txt
+```
+
+To audit a client configuration (listens on port 2222 by default; connect using `ssh anything@localhost`):
+
+```
+ssh-audit -c
+```
+
+To audit a client configuration, with a listener on port 4567:
+```
+ssh-audit -c -p 4567
+```
+
+To  list all official built-in policies (hint: use resulting file paths with `-P`/`--policy`):
+```
+ssh-audit -L
+```
+
+To run a policy audit against a server:
+```
+ssh-audit -P path/to/server_policy targetserver
+```
+
+To run a policy audit against a client:
+```
+ssh-audit -c -P path/to/client_policy
+```
+
+To run a policy audit against many servers:
+```
+ssh-audit -T servers.txt -P path/to/server_policy
+```
+
+To create a policy based on a target server (which can be manually edited; see official built-in policies for syntax examples):
+```
+ssh-audit -M new_policy.txt targetserver
+```
+
+### Server Standard Audit Example
+Below is a screen shot of the standard server-auditing output when connecting to an unhardened OpenSSH v5.3 service:
+![screenshot](https://user-images.githubusercontent.com/2982011/64388792-317e6f80-d00e-11e9-826e-a4934769bb07.png)
+
+### Server Policy Audit Example
+Below is a screen shot of the policy auditing output when connecting to an un-hardened Ubuntu Server 20.04 machine:
+![screenshot](https://user-images.githubusercontent.com/2982011/94370881-95178700-00c0-11eb-8705-3157a4669dc0.png)
+
+After applying the steps in the hardening guide (see below), the output changes to the following:
+![screenshot](https://user-images.githubusercontent.com/2982011/94370873-87620180-00c0-11eb-9a59-469f61a56ce1.png)
+
+### Client Standard Audit Example
+Below is a screen shot of the client-auditing output when an unhardened OpenSSH v7.2 client connects:
+![client_screenshot](https://user-images.githubusercontent.com/2982011/68867998-b946c100-06c4-11ea-975f-1f47e4178a74.png)
+
+### Hardening Guides
+Guides to harden server & client configuration can be found here: [https://www.ssh-audit.com/hardening_guides.html](https://www.ssh-audit.com/hardening_guides.html)
+
+### Pre-Built Packages
+Pre-built packages are available for Windows (see the releases page), on PyPI, Snap, and Homebrew.
+
+To install from PyPI:
+```
+$ pip3 install ssh-audit
+```
+
+To install the Snap package:
+```
+$ snap install ssh-audit
+```
+
+To install on Homebrew:
+```
+$ brew install ssh-audit
+```
+
+### Web Front-End
+For convenience, a web front-end on top of the command-line tool is available at [https://www.ssh-audit.com/](https://www.ssh-audit.com/).
 
 ## ChangeLog
+### v2.3.0 (2020-09-27)
+ - Added new policy auditing functionality to test adherence to a hardening guide/standard configuration (see `-L`/`--list-policies`, `-M`/`--make-policy` and `-P`/`--policy`).  For an in-depth tutorial, see <https://www.positronsecurity.com/blog/2020-09-27-ssh-policy-configuration-checks-with-ssh-audit/>.
+ - Created new man page (see `ssh-audit.1` file).
+ - 1024-bit moduli upgraded from warnings to failures.
+ - Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit [Jürgen Gmach](https://github.com/jugmac00).
+ - Added feature to look up algorithms in internal database (see `--lookup`); credit [Adam Russell](https://github.com/thecliguy).
+ - Suppress recommendation of token host key types.
+ - Added check for use-after-free vulnerability in PuTTY v0.73.
+ - Added 11 new host key types: `ssh-rsa1`, `ssh-dss-sha256@ssh.com`, `ssh-gost2001`, `ssh-gost2012-256`, `ssh-gost2012-512`, `spki-sign-rsa`, `ssh-ed448`, `x509v3-ecdsa-sha2-nistp256`, `x509v3-ecdsa-sha2-nistp384`, `x509v3-ecdsa-sha2-nistp521`, `x509v3-rsa2048-sha256`.
+ - Added 8 new key exchanges: `diffie-hellman-group1-sha256`, `kexAlgoCurve25519SHA256`, `Curve25519SHA256`, `gss-group14-sha256-`, `gss-group15-sha512-`, `gss-group16-sha512-`, `gss-nistp256-sha256-`, `gss-curve25519-sha256-`.
+ - Added 5 new ciphers: `blowfish`, `AEAD_AES_128_GCM`, `AEAD_AES_256_GCM`, `crypticore128@ssh.com`, `seed-cbc@ssh.com`.
+ - Added 3 new MACs: `chacha20-poly1305@openssh.com`, `hmac-sha3-224`, `crypticore-mac@ssh.com`.
+
+### v2.2.0 (2020-03-11)
+ - Marked host key type `ssh-rsa` as weak due to [practical SHA-1 collisions](https://eprint.iacr.org/2020/014.pdf).
+ - Added Windows builds.
+ - Added 10 new host key types: `ecdsa-sha2-1.3.132.0.10`, `x509v3-sign-dss`, `x509v3-sign-rsa`, `x509v3-sign-rsa-sha256@ssh.com`, `x509v3-ssh-dss`, `x509v3-ssh-rsa`, `sk-ecdsa-sha2-nistp256-cert-v01@openssh.com`, `sk-ecdsa-sha2-nistp256@openssh.com`, `sk-ssh-ed25519-cert-v01@openssh.com`, and `sk-ssh-ed25519@openssh.com`.
+ - Added 18 new key exchanges: `diffie-hellman-group14-sha256@ssh.com`, `diffie-hellman-group15-sha256@ssh.com`, `diffie-hellman-group15-sha384@ssh.com`, `diffie-hellman-group16-sha384@ssh.com`, `diffie-hellman-group16-sha512@ssh.com`, `diffie-hellman-group18-sha512@ssh.com`, `ecdh-sha2-curve25519`, `ecdh-sha2-nistb233`, `ecdh-sha2-nistb409`, `ecdh-sha2-nistk163`, `ecdh-sha2-nistk233`, `ecdh-sha2-nistk283`, `ecdh-sha2-nistk409`, `ecdh-sha2-nistp192`, `ecdh-sha2-nistp224`, `ecdh-sha2-nistt571`, `gss-gex-sha1-`, and `gss-group1-sha1-`.
+ - Added 9 new ciphers: `camellia128-cbc`, `camellia128-ctr`, `camellia192-cbc`, `camellia192-ctr`, `camellia256-cbc`, `camellia256-ctr`, `aes128-gcm`, `aes256-gcm`, and `chacha20-poly1305`.
+ - Added 2 new MACs: `aes128-gcm` and `aes256-gcm`.
+
+### v2.1.1 (2019-11-26)
+ - Added 2 new host key types: `rsa-sha2-256-cert-v01@openssh.com`, `rsa-sha2-512-cert-v01@openssh.com`.
+ - Added 2 new ciphers: `des`, `3des`.
+ - Added 3 new PuTTY vulnerabilities.
+ - During client testing, client IP address is now listed in output.
+
+### v2.1.0 (2019-11-14)
+ - Added client software auditing functionality (see `-c` / `--client-audit` option).
+ - Added JSON output option (see `-j` / `--json` option; credit [Andreas Jaggi](https://github.com/x-way)).
+ - Fixed crash while scanning Solaris Sun_SSH.
+ - Added 9 new key exchanges: `gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==`, `gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==`, `gss-group14-sha1-`, `gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==`, `gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==`, `gss-group15-sha512-toWM5Slw5Ew8Mqkay+al2g==`, `diffie-hellman-group15-sha256`, `ecdh-sha2-1.3.132.0.10`, `curve448-sha512`.
+ - Added 1 new host key type: `ecdsa-sha2-1.3.132.0.10`.
+ - Added 4 new ciphers: `idea-cbc`, `serpent128-cbc`, `serpent192-cbc`, `serpent256-cbc`.
+ - Added 6 new MACs: `hmac-sha2-256-96-etm@openssh.com`, `hmac-sha2-512-96-etm@openssh.com`, `hmac-ripemd`, `hmac-sha256-96@ssh.com`, `umac-32@openssh.com`, `umac-96@openssh.com`.
+
 ### v2.0.0 (2019-08-29)
  - Forked from https://github.com/arthepsy/ssh-audit (development was stalled, and developer went MIA).
  - Added RSA host key length test.
@@ -51,7 +195,7 @@ usage: ssh-audit.py [-1246pbnvlt] <host>
  - Added 5 new key exchanges: `sntrup4591761x25519-sha512@tinyssh.org`, `diffie-hellman-group-exchange-sha256@ssh.com`, `diffie-hellman-group-exchange-sha512@ssh.com`, `diffie-hellman-group16-sha256`, `diffie-hellman-group17-sha512`.
  - Added 3 new encryption algorithms: `des-cbc-ssh1`, `blowfish-ctr`, `twofish-ctr`.
  - Added 10 new MACs: `hmac-sha2-56`, `hmac-sha2-224`, `hmac-sha2-384`, `hmac-sha3-256`, `hmac-sha3-384`, `hmac-sha3-512`, `hmac-sha256`, `hmac-sha256@ssh.com`, `hmac-sha512`, `hmac-512@ssh.com`.
- - Added command line argument (-t / --timeout) for connection & reading timeouts.
+ - Added command line argument (`-t` / `--timeout`) for connection & reading timeouts.
  - Updated CVEs for libssh & Dropbear.
 
 ### v1.7.0 (2016-10-26)

docker_test.sh

@@ -28,6 +28,12 @@ GREEN="\033[0;32m"
 REDB="\033[1;31m"   # Red + bold
 GREENB="\033[1;32m" # Green + bold
 
+# Program return values.
+PROGRAM_RETVAL_FAILURE=3
+PROGRAM_RETVAL_WARNING=2
+PROGRAM_RETVAL_CONNECTION_ERROR=1
+PROGRAM_RETVAL_GOOD=0
+
 
 # Returns 0 if current docker image exists.
 function check_if_docker_image_exists {
@@ -353,8 +359,9 @@ function run_dropbear_test {
     dropbear_version=$1
     test_number=$2
     options=$3
+    expected_retval=$4
 
-    run_test 'Dropbear' $dropbear_version $test_number "$options"
+    run_test 'Dropbear' $dropbear_version $test_number "$options" $expected_retval
 }
 
 
@@ -363,8 +370,9 @@ function run_dropbear_test {
 function run_openssh_test {
     openssh_version=$1
     test_number=$2
+    expected_retval=$3
 
-    run_test 'OpenSSH' $openssh_version $test_number ''
+    run_test 'OpenSSH' $openssh_version $test_number '' $expected_retval
 }
 
 
@@ -373,8 +381,9 @@ function run_openssh_test {
 function run_tinyssh_test {
     tinyssh_version=$1
     test_number=$2
+    expected_retval=$3
 
-    run_test 'TinySSH' $tinyssh_version $test_number ''
+    run_test 'TinySSH' $tinyssh_version $test_number '' $expected_retval
 }
 
 
@@ -383,26 +392,35 @@ function run_test {
     version=$2
     test_number=$3
     options=$4
+    expected_retval=$5
 
     server_exec=
-    test_result=
-    expected_result=
+    test_result_stdout=
+    test_result_json=
+    expected_result_stdout=
+    expected_result_json=
     test_name=
     if [[ $server_type == 'OpenSSH' ]]; then
 	server_exec="/openssh/sshd-${version} -D -f /etc/ssh/sshd_config-${version}_${test_number}"
-	test_result="${TEST_RESULT_DIR}/openssh_${version}_${test_number}.txt"
-	expected_result="test/docker/expected_results/openssh_${version}_${test_number}.txt"
+	test_result_stdout="${TEST_RESULT_DIR}/openssh_${version}_${test_number}.txt"
+	test_result_json="${TEST_RESULT_DIR}/openssh_${version}_${test_number}.json"
+	expected_result_stdout="test/docker/expected_results/openssh_${version}_${test_number}.txt"
+	expected_result_json="test/docker/expected_results/openssh_${version}_${test_number}.json"
 	test_name="OpenSSH ${version} ${test_number}"
 	options=
     elif [[ $server_type == 'Dropbear' ]]; then
 	server_exec="/dropbear/dropbear-${version} -F ${options}"
-	test_result="${TEST_RESULT_DIR}/dropbear_${version}_${test_number}.txt"
-	expected_result="test/docker/expected_results/dropbear_${version}_${test_number}.txt"
+	test_result_stdout="${TEST_RESULT_DIR}/dropbear_${version}_${test_number}.txt"
+	test_result_json="${TEST_RESULT_DIR}/dropbear_${version}_${test_number}.json"
+	expected_result_stdout="test/docker/expected_results/dropbear_${version}_${test_number}.txt"
+	expected_result_json="test/docker/expected_results/dropbear_${version}_${test_number}.json"
 	test_name="Dropbear ${version} ${test_number}"
     elif [[ $server_type == 'TinySSH' ]]; then
 	server_exec="/usr/bin/tcpserver -HRDl0 0.0.0.0 22 /tinysshd/tinyssh-20190101 -v /etc/tinyssh/"
-	test_result="${TEST_RESULT_DIR}/tinyssh_${version}_${test_number}.txt"
-	expected_result="test/docker/expected_results/tinyssh_${version}_${test_number}.txt"
+	test_result_stdout="${TEST_RESULT_DIR}/tinyssh_${version}_${test_number}.txt"
+	test_result_json="${TEST_RESULT_DIR}/tinyssh_${version}_${test_number}.json"
+	expected_result_stdout="test/docker/expected_results/tinyssh_${version}_${test_number}.txt"
+	expected_result_json="test/docker/expected_results/tinyssh_${version}_${test_number}.json"
 	test_name="TinySSH ${version} ${test_number}"
     fi
 
@@ -412,14 +430,23 @@ function run_test {
 	exit 1
     fi
 
-    ./ssh-audit.py localhost:2222 > $test_result
-    if [[ $? != 0 ]]; then
-	echo -e "${REDB}Failed to run ssh-audit.py! (exit code: $?)${CLR}"
-	docker container stop $cid > /dev/null
+    ./ssh-audit.py localhost:2222 > $test_result_stdout
+    actual_retval=$?
+    if [[ $actual_retval != $expected_retval ]]; then
+	echo -e "${REDB}Unexpected return value.  Expected: ${expected_retval}; Actual: ${actual_retval}${CLR}"
+	docker container stop -t 0 $cid > /dev/null
 	exit 1
     fi
 
-    docker container stop $cid > /dev/null
+    ./ssh-audit.py -j localhost:2222 > $test_result_json
+    actual_retval=$?
+    if [[ $actual_retval != $expected_retval ]]; then
+	echo -e "${REDB}Unexpected return value.  Expected: ${expected_retval}; Actual: ${actual_retval}${CLR}"
+	docker container stop -t 0 $cid > /dev/null
+	exit 1
+    fi
+
+    docker container stop -t 0 $cid > /dev/null
     if [[ $? != 0 ]]; then
        echo -e "${REDB}Failed to stop docker container ${cid}! (exit code: $?)${CLR}"
        exit 1
@@ -429,20 +456,101 @@ function run_test {
     # we need to filter out the banner part of the output so we get stable, repeatable
     # results.
     if [[ $server_type == 'TinySSH' ]]; then
-	grep -v "(gen) banner: " ${test_result} > "${test_result}.tmp"
-	mv "${test_result}.tmp" ${test_result}
+	grep -v "(gen) banner: " ${test_result_stdout} > "${test_result_stdout}.tmp"
+	mv "${test_result_stdout}.tmp" ${test_result_stdout}
+	cat "${test_result_json}" | perl -pe 's/"comments": ".*?"/"comments": ""/' | perl -pe 's/"raw": ".+?"/"raw": ""/' > "${test_result_json}.tmp"
+	mv "${test_result_json}.tmp" ${test_result_json}
     fi
 
-    diff=`diff -u ${expected_result} ${test_result}`
-    if [[ $? == 0 ]]; then
-	echo -e "${test_name} ${GREEN}passed${CLR}."
-    else
+    diff=`diff -u ${expected_result_stdout} ${test_result_stdout}`
+    if [[ $? != 0 ]]; then
 	echo -e "${test_name} ${REDB}FAILED${CLR}.\n\n${diff}\n"
 	exit 1
     fi
+
+    diff=`diff -u ${expected_result_json} ${test_result_json}`
+    if [[ $? != 0 ]]; then
+	echo -e "${test_name} ${REDB}FAILED${CLR}.\n\n${diff}\n"
+	exit 1
+    fi
+    echo -e "${test_name} ${GREEN}passed${CLR}."
 }
 
 
+function run_policy_test {
+    config_number=$1  # The configuration number to use.
+    test_number=$2    # The policy test number to run.
+    expected_exit_code=$3  # The expected exit code of ssh-audit.py.
+
+    version=
+    config=
+    if [[ ${config_number} == 'config1' ]]; then
+        version='5.6p1'
+        config='sshd_config-5.6p1_test1'
+    elif [[ ${config_number} == 'config2' ]]; then
+        version='8.0p1'
+        config='sshd_config-8.0p1_test1'
+    elif [[ ${config_number} == 'config3' ]]; then
+        version='5.6p1'
+        config='sshd_config-5.6p1_test4'
+    fi
+
+    server_exec="/openssh/sshd-${version} -D -f /etc/ssh/${config}"
+    policy_path="test/docker/policies/policy_${test_number}.txt"
+    test_result_stdout="${TEST_RESULT_DIR}/openssh_${version}_policy_${test_number}.txt"
+    test_result_json="${TEST_RESULT_DIR}/openssh_${version}_policy_${test_number}.json"
+    expected_result_stdout="test/docker/expected_results/openssh_${version}_policy_${test_number}.txt"
+    expected_result_json="test/docker/expected_results/openssh_${version}_policy_${test_number}.json"
+    test_name="OpenSSH ${version} policy ${test_number}"
+
+    #echo "Running: docker run -d -p 2222:22 ${IMAGE_NAME}:${IMAGE_VERSION} ${server_exec}"
+    cid=`docker run -d -p 2222:22 ${IMAGE_NAME}:${IMAGE_VERSION} ${server_exec}`
+    if [[ $? != 0 ]]; then
+	echo -e "${REDB}Failed to run docker image! (exit code: $?)${CLR}"
+	exit 1
+    fi
+
+    #echo "Running: ./ssh-audit.py -P ${policy_path} localhost:2222 > ${test_result_stdout}"
+    ./ssh-audit.py -P ${policy_path} localhost:2222 > ${test_result_stdout}
+    actual_exit_code=$?
+    if [[ ${actual_exit_code} != ${expected_exit_code} ]]; then
+	echo -e "${test_name} ${REDB}FAILED${CLR} (expected exit code: ${expected_exit_code}; actual exit code: ${actual_exit_code}\n"
+        cat ${test_result_stdout}
+	docker container stop -t 0 $cid > /dev/null
+	exit 1
+    fi
+
+    #echo "Running: ./ssh-audit.py -P ${policy_path} -j localhost:2222 > ${test_result_json}"
+    ./ssh-audit.py -P ${policy_path} -j localhost:2222 > ${test_result_json}
+    actual_exit_code=$?
+    if [[ ${actual_exit_code} != ${expected_exit_code} ]]; then
+	echo -e "${test_name} ${REDB}FAILED${CLR} (expected exit code: ${expected_exit_code}; actual exit code: ${actual_exit_code}\n"
+        cat ${test_result_json}
+	docker container stop -t 0 $cid > /dev/null
+	exit 1
+    fi
+
+    docker container stop -t 0 $cid > /dev/null
+    if [[ $? != 0 ]]; then
+       echo -e "${REDB}Failed to stop docker container ${cid}! (exit code: $?)${CLR}"
+       exit 1
+    fi
+
+    diff=`diff -u ${expected_result_stdout} ${test_result_stdout}`
+    if [[ $? != 0 ]]; then
+	echo -e "${test_name} ${REDB}FAILED${CLR}.\n\n${diff}\n"
+	exit 1
+    fi
+
+    diff=`diff -u ${expected_result_json} ${test_result_json}`
+    if [[ $? != 0 ]]; then
+	echo -e "${test_name} ${REDB}FAILED${CLR}.\n\n${diff}\n"
+	exit 1
+    fi
+
+    echo -e "${test_name} ${GREEN}passed${CLR}."
+}
+
 
 # First check if docker is functional.
 docker version > /dev/null
@@ -466,21 +574,54 @@ TEST_RESULT_DIR=`mktemp -d /tmp/ssh-audit_test-results_XXXXXXXXXX`
 
 # Now run all the tests.
 echo -e "\nRunning tests..."
-run_openssh_test '4.0p1' 'test1'
+run_openssh_test '4.0p1' 'test1' $PROGRAM_RETVAL_FAILURE
 echo
-run_openssh_test '5.6p1' 'test1'
-run_openssh_test '5.6p1' 'test2'
-run_openssh_test '5.6p1' 'test3'
-run_openssh_test '5.6p1' 'test4'
-run_openssh_test '5.6p1' 'test5'
+run_openssh_test '5.6p1' 'test1' $PROGRAM_RETVAL_FAILURE
+run_openssh_test '5.6p1' 'test2' $PROGRAM_RETVAL_FAILURE
+run_openssh_test '5.6p1' 'test3' $PROGRAM_RETVAL_FAILURE
+run_openssh_test '5.6p1' 'test4' $PROGRAM_RETVAL_FAILURE
+run_openssh_test '5.6p1' 'test5' $PROGRAM_RETVAL_FAILURE
 echo
-run_openssh_test '8.0p1' 'test1'
-run_openssh_test '8.0p1' 'test2'
-run_openssh_test '8.0p1' 'test3'
+run_openssh_test '8.0p1' 'test1' $PROGRAM_RETVAL_FAILURE
+run_openssh_test '8.0p1' 'test2' $PROGRAM_RETVAL_FAILURE
+run_openssh_test '8.0p1' 'test3' $PROGRAM_RETVAL_GOOD
 echo
-run_dropbear_test '2019.78' 'test1' '-r /etc/dropbear/dropbear_rsa_host_key_1024 -r /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_ecdsa_host_key'
+run_dropbear_test '2019.78' 'test1' '-r /etc/dropbear/dropbear_rsa_host_key_1024 -r /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_ecdsa_host_key' 3
 echo
-run_tinyssh_test '20190101' 'test1'
+run_tinyssh_test '20190101' 'test1' $PROGRAM_RETVAL_WARNING
+echo
+echo
+run_policy_test 'config1' 'test1' $PROGRAM_RETVAL_GOOD
+run_policy_test 'config1' 'test2' $PROGRAM_RETVAL_FAILURE
+run_policy_test 'config1' 'test3' $PROGRAM_RETVAL_FAILURE
+run_policy_test 'config1' 'test4' $PROGRAM_RETVAL_FAILURE
+run_policy_test 'config1' 'test5' $PROGRAM_RETVAL_FAILURE
+run_policy_test 'config2' 'test6' $PROGRAM_RETVAL_GOOD
+
+# Passing test with host key certificate and CA key certificates.
+run_policy_test 'config3' 'test7' $PROGRAM_RETVAL_GOOD
+
+# Failing test with host key certificate and non-compliant CA key length.
+run_policy_test 'config3' 'test8' $PROGRAM_RETVAL_FAILURE
+
+# Failing test with non-compliant host key certificate and CA key certificate.
+run_policy_test 'config3' 'test9' $PROGRAM_RETVAL_FAILURE
+
+# Failing test with non-compliant host key certificate and non-compliant CA key certificate.
+run_policy_test 'config3' 'test10' $PROGRAM_RETVAL_FAILURE
+
+# Passing test with host key size check.
+run_policy_test 'config2' 'test11' $PROGRAM_RETVAL_GOOD
+
+# Failing test with non-compliant host key size check.
+run_policy_test 'config2' 'test12' $PROGRAM_RETVAL_FAILURE
+
+# Passing test with DH modulus test.
+run_policy_test 'config2' 'test13' $PROGRAM_RETVAL_GOOD
+
+# Failing test with DH modulus test.
+run_policy_test 'config2' 'test14' $PROGRAM_RETVAL_FAILURE
+
 
 # The test functions above will terminate the script on failure, so if we reached here,
 # all tests are successful.

packages/MANIFEST.in

@@ -0,0 +1 @@
+include sshaudit/LICENSE

packages/Makefile.pypi

@@ -0,0 +1,14 @@
+all:
+	cp ../ssh-audit.py sshaudit/sshaudit.py
+	cp ../LICENSE sshaudit/LICENSE
+	cp ../README.md sshaudit/README.md
+	python3 setup.py sdist bdist_wheel
+
+uploadtest:
+	twine upload --repository-url https://test.pypi.org/legacy/ dist/*
+
+uploadprod:
+	twine upload dist/*
+
+clean:
+	rm -rf parts/ prime/ snap/ stage/ build/ dist/ *.egg-info/ sshaudit/sshaudit.py sshaudit/LICENSE sshaudit/README.md ssh-audit*.snap

packages/Makefile.snap

@@ -0,0 +1,8 @@
+all:
+	cp ../ssh-audit.py sshaudit/sshaudit.py
+	cp ../README.md sshaudit/README.md
+	echo -e "\n\nDid you remember to bump the version number in snapcraft.yaml?\n\n"
+	snapcraft
+
+clean:
+	rm -rf parts/ prime/ snap/ stage/ build/ dist/ *.egg-info/ sshaudit/sshaudit.py sshaudit/LICENSE sshaudit/README.md ssh-audit*.snap

packages/notes.txt

@@ -0,0 +1,41 @@
+= PyPI =
+
+To create package and upload to test server:
+
+# apt install virtualenv
+$ virtualenv -p /usr/bin/python3 /tmp/pypi_upload
+$ cd /tmp/pypi_upload; source bin/activate
+$ pip3 install twine
+$ cp -R path/to/ssh-audit .
+$ cd ssh-audit/packages
+$ make -f Makefile.pypi
+$ make -f Makefile.pypi uploadtest
+
+
+To download from test server and verify:
+
+$ virtualenv -p /usr/bin/python3 /tmp/pypi_test
+$ cd /tmp/pypi_test; source bin/activate
+$ pip3 install --index-url https://test.pypi.org/simple ssh-audit
+
+
+To upload to production server:
+
+$ cd /tmp/pypi_upload; source bin/activate
+$ cd ssh-audit/pypi
+$ make -f Makefile.pypi uploadprod
+
+
+To download from production server and verify:
+
+$ virtualenv -p /usr/bin/python3 /tmp/pypi_prod
+$ cd /tmp/pypi_prod; source bin/activate
+$ pip3 install ssh-audit
+
+----
+
+= Snap =
+
+To create the snap package, simply run:
+
+$ make -f Makefile.snap

packages/setup.py

@@ -0,0 +1,58 @@
+# -*- coding: utf-8 -*-
+
+
+import re
+import sys
+from setuptools import setup
+
+print_warning = False
+m = re.search(r'^VERSION\s*=\s*\'v(\d\.\d\.\d)\'', open('sshaudit/sshaudit.py').read(), re.M)
+if m is None:
+    # If we failed to parse the stable version, see if this is the development version.
+    m = re.search(r'^VERSION\s*=\s*\'v(\d\.\d\.\d-dev)\'', open('sshaudit/sshaudit.py').read(), re.M)
+    if m is None:
+        print("Error: could not parse VERSION variable from ssh-audit.py.")
+        sys.exit(1)
+    else:  # Continue with the development version, but print a warning later.
+        print_warning = True
+
+version = m.group(1)
+print("\n\nPackaging ssh-audit v%s...\n\n" % version)
+
+with open("sshaudit/README.md", "rb") as f:
+    long_descr = f.read().decode("utf-8")
+
+
+setup(
+    name="ssh-audit",
+    packages=["sshaudit"],
+    license='MIT',
+    entry_points={
+        "console_scripts": ['ssh-audit = sshaudit.sshaudit:main']
+    },
+    version=version,
+    description="An SSH server & client configuration security auditing tool",
+    long_description=long_descr,
+    long_description_content_type="text/markdown",
+    author="Joe Testa",
+    author_email="jtesta@positronsecurity.com",
+    url="https://github.com/jtesta/ssh-audit",
+    classifiers=[
+        "Development Status :: 5 - Production/Stable",
+        "Intended Audience :: Information Technology",
+        "Intended Audience :: System Administrators",
+        "License :: OSI Approved :: MIT License",
+        "Operating System :: OS Independent",
+        "Programming Language :: Python :: 3",
+        "Programming Language :: Python :: 3.5",
+        "Programming Language :: Python :: 3.6",
+        "Programming Language :: Python :: 3.7",
+        "Programming Language :: Python :: 3.8",
+        "Programming Language :: Python :: Implementation :: CPython",
+        "Programming Language :: Python :: Implementation :: PyPy",
+        "Topic :: Security",
+        "Topic :: Security :: Cryptography"
+    ])
+
+if print_warning:
+    print("\n\n    !!! WARNING: development version detected (%s).  Are you sure you want to package this version?  Probably not...\n" % version)

packages/snapcraft.yaml

@@ -0,0 +1,21 @@
+name: ssh-audit
+version: '2.2.0-1'
+license: 'MIT'
+summary: ssh-audit
+description: |
+  SSH server and client security configuration auditor.  Official repository: <https://github.com/jtesta/ssh-audit>
+
+base: core18
+grade: stable
+confinement: strict
+
+apps:
+  ssh-audit:
+    command: bin/ssh-audit
+    plugs: [network,network-bind]
+
+parts:
+  ssh-audit:
+    plugin: python
+    python-version: python3
+    source: .

packages/sshaudit/__main__.py

@@ -0,0 +1,4 @@
+# -*- coding: utf-8 -*-
+
+from .sshaudit import main
+main()

packages/windows_build.txt

@@ -0,0 +1,17 @@
+Below are notes for creating a Windows executable.
+
+An executable can only be made on a Windows host because the PyInstaller tool (https://www.pyinstaller.org/) does not support cross-compilation.
+
+On a Windows machine, do the following:
+
+1.) Install Python v3.7.x from https://www.python.org/.  (As of this writing v3.8.0 isn't supported.)  To make life easier, check the option to add Python to the PATH environment variable.
+
+2.) Using pip, install pyinstaller and colorama:
+
+    pip install pyinstaller colorama
+
+3.) Create the executable with:
+
+    pyinstaller -F --icon packages\windows_icon.ico ssh-audit.py
+
+4.) The 'dist' folder will have the resulting ssh-audit.exe.

policies/openssh_7_7.txt

@@ -0,0 +1,24 @@
+#
+# Official policy for hardened OpenSSH v7.7.
+#
+
+name = "Hardened OpenSSH v7.7"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/openssh_7_8.txt

@@ -0,0 +1,24 @@
+#
+# Official policy for hardened OpenSSH v7.8.
+#
+
+name = "Hardened OpenSSH v7.8"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/openssh_7_9.txt

@@ -0,0 +1,24 @@
+#
+# Official policy for hardened OpenSSH v7.9.
+#
+
+name = "Hardened OpenSSH v7.9"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/openssh_8_0.txt

@@ -0,0 +1,24 @@
+#
+# Official policy for hardened OpenSSH v8.0.
+#
+
+name = "Hardened OpenSSH v8.0"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/openssh_8_1.txt

@@ -0,0 +1,24 @@
+#
+# Official policy for hardened OpenSSH v8.1.
+#
+
+name = "Hardened OpenSSH v8.1"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = sk-ssh-ed25519@openssh.com, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/openssh_8_2.txt

@@ -0,0 +1,28 @@
+#
+# Official policy for hardened OpenSSH v8.2.
+#
+
+name = "Hardened OpenSSH v8.2"
+version = 1
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 4096
+hostkey_size_rsa-sha2-512 = 4096
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = sk-ssh-ed25519@openssh.com, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/openssh_8_3.txt

@@ -0,0 +1,28 @@
+#
+# Official policy for hardened OpenSSH v8.3.
+#
+
+name = "Hardened OpenSSH v8.3"
+version = 1
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 4096
+hostkey_size_rsa-sha2-512 = 4096
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = sk-ssh-ed25519@openssh.com, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/openssh_8_4.txt

@@ -0,0 +1,28 @@
+#
+# Official policy for hardened OpenSSH v8.4.
+#
+
+name = "Hardened OpenSSH v8.4"
+version = 1
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 4096
+hostkey_size_rsa-sha2-512 = 4096
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = sk-ssh-ed25519@openssh.com, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/ubuntu_client_16_04.txt

@@ -0,0 +1,19 @@
+#
+# Official policy for hardened OpenSSH on Ubuntu 16.04 LTS.
+#
+
+client policy = true
+name = "Hardened Ubuntu Client 16.04 LTS"
+version = 1
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256, rsa-sha2-512, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256, ext-info-c
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/ubuntu_client_18_04.txt

@@ -0,0 +1,19 @@
+#
+# Official policy for hardened OpenSSH on Ubuntu 18.04 LTS.
+#
+
+client policy = true
+name = "Hardened Ubuntu Client 18.04 LTS"
+version = 1
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256, rsa-sha2-512, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256, ext-info-c
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/ubuntu_client_20_04.txt

@@ -0,0 +1,19 @@
+#
+# Official policy for hardened OpenSSH on Ubuntu 20.04 LTS.
+#
+
+client policy = true
+name = "Hardened Ubuntu Client 20.04 LTS"
+version = 1
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512, rsa-sha2-512-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256, ext-info-c
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/ubuntu_server_16_04.txt

@@ -0,0 +1,24 @@
+#
+# Official policy for hardened OpenSSH on Ubuntu Server 16.04 LTS.
+#
+
+name = "Hardened Ubuntu Server 16.04 LTS"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/ubuntu_server_18_04.txt

@@ -0,0 +1,24 @@
+#
+# Official policy for hardened OpenSSH on Ubuntu Server 18.04 LTS.
+#
+
+name = "Hardened Ubuntu Server 18.04 LTS"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

policies/ubuntu_server_20_04.txt

@@ -0,0 +1,28 @@
+#
+# Official policy for hardened OpenSSH on Ubuntu Server 20.04 LTS.
+#
+
+name = "Hardened Ubuntu Server 20.04 LTS"
+version = 1
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 4096
+hostkey_size_rsa-sha2-512 = 4096
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = sk-ssh-ed25519@openssh.com, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

ssh-audit.1

@@ -0,0 +1,221 @@
+.TH SSH-AUDIT 1 "July 16, 2020"
+.SH NAME
+\fBssh-audit\fP \- SSH server & client configuration auditor
+.SH SYNOPSIS
+.B ssh-audit
+.RI [ options ] " <target_host>"
+.SH DESCRIPTION
+.PP
+\fBssh-audit\fP analyzes the configuration of SSH servers & clients, then warns the user of weak, obsolete, and/or un-tested cryptographic primitives.  It is very useful for hardening SSH tunnels, which by default tend to be optimized for compatibility, not security.
+.PP
+See <https://www.ssh\-audit.com/> for official hardening guides for common platforms.
+
+.SH OPTIONS
+.TP
+.B -h, \-\-help
+.br
+Print short summary of options.
+
+.TP
+.B -1, \-\-ssh1
+.br
+Only perform an audit using SSH protocol version 1.
+
+.TP
+.B -2, \-\-ssh2
+.br
+Only perform an audit using SSH protocol version 2.
+
+.TP
+.B -4, \-\-ipv4
+.br
+Prioritize the usage of IPv4.
+
+.TP
+.B -6, \-\-ipv6
+.br
+Prioritize the usage of IPv6.
+
+.TP
+.B -b, \-\-batch
+.br
+Enables grepable output.
+
+.TP
+.B -c, \-\-client\-audit
+.br
+Starts a server on port 2222 to audit client software configuration.  Use -p/--port=<port> to change port and -t/--timeout=<secs> to change listen timeout.
+
+.TP
+.B -j, \-\-json
+.br
+Output results in JSON format.
+
+.TP
+.B -l, \-\-level=<info|warn|fail>
+.br
+Specify the minimum output level.  Default is info.
+
+.TP
+.B -L, \-\-list-policies
+.br
+List all official, built-in policies for common systems.  Their file paths can then be provided using -P/--policy=<path/to/policy.txt>.
+
+.TP
+.B \-\-lookup=<alg1,alg2,...>
+.br
+Look up the security information of an algorithm(s) in the internal database.  Does not connect to a server.
+
+.TP
+.B -M, \-\-make-policy=<policy.txt>
+.br
+Creates a policy based on the target server.  Useful when other servers should be compared to the target server's custom configuration (i.e.: a cluster environment).  Note that the resulting policy can be edited manually.
+
+.TP
+.B -n, \-\-no-colors
+.br
+Disable color output.
+
+.TP
+.B -p, \-\-port=<port>
+.br
+The TCP port to connect to when auditing a server, or the port to listen on when auditing a client.
+
+.TP
+.B -P, \-\-policy=<policy.txt>
+.br
+Runs a policy audit against a target using the specified policy (see \fBPOLICY AUDIT\fP section for detailed description of this mode of operation).  Combine with -c/--client-audit to audit a client configuration instead of a server.  Use -L/--list-policies to list all official, built-in policies for common systems.
+
+.TP
+.B -t, \-\-timeout=<secs>
+.br
+The timeout, in seconds, for creating connections and reading data from the socket.  Default is 5.
+
+.TP
+.B -T, \-\-targets=<hosts.txt>
+.br
+A file containing a list of target hosts.  Each line must have one host, in the format of HOST[:PORT].
+
+.TP
+.B -v, \-\-verbose
+.br
+Enable verbose output.
+
+
+.SH STANDARD AUDIT
+.PP
+By default, \fBssh-audit\fP performs a standard audit.  That is, it enumerates all host key types, key exchanges, ciphers, MACs, and other information, then color-codes them in output to the user.  Cryptographic primitives with potential issues are displayed in yellow; primitives with serious flaws are displayed in red.
+
+
+.SH POLICY AUDIT
+.PP
+When the -P/--policy=<policy.txt> option is used, \fBssh-audit\fP performs a policy audit.  The target's host key types, key exchanges, ciphers, MACs, and other information is compared to a set of expected values defined in the specified policy file.  If everything matches, only a short message stating a passing result is reported.  Otherwise, the field(s) that did not match are reported.
+
+.PP
+Policy auditing is helpful for ensuring a group of related servers are properly hardened to an exact specification.
+
+.PP
+The set of official built-in policies can be viewed with -L/--list-policies.  Multiple servers can be audited with -T/--targets=<servers.txt>.  Custom policies can be made from an ideal target server with -M/--make-policy=<custom_policy.txt>.
+
+
+.SH EXAMPLES
+.LP
+Basic server auditing:
+.RS
+.nf
+ssh-audit localhost
+ssh-audit 127.0.0.1
+ssh-audit 127.0.0.1:222
+ssh-audit ::1
+ssh-audit [::1]:222
+.fi
+.RE
+
+.LP
+To run a standard audit against many servers (place targets into servers.txt, one on each line in the format of HOST[:PORT]):
+.RS
+.nf
+ssh-audit -T servers.txt
+.fi
+.RE
+
+.LP
+To audit a client configuration (listens on port 2222 by default; connect using "ssh anything@localhost"):
+.RS
+.nf
+ssh-audit -c
+.fi
+.RE
+
+.LP
+To audit a client configuration, with a listener on port 4567:
+.RS
+.nf
+ssh-audit -c -p 4567
+.fi
+.RE
+
+.LP
+To list all official built-in policies (hint: use resulting file paths with -P/--policy):
+.RS
+.nf
+ssh-audit -L
+.fi
+.RE
+
+.LP
+To run a policy audit against a server:
+.RS
+.nf
+ssh-audit -P path/to/server_policy targetserver
+.fi
+.RE
+
+.LP
+To run a policy audit against a client:
+.RS
+.nf
+ssh-audit -c -P path/to/client_policy
+.fi
+.RE
+
+.LP
+To run a policy audit against many servers:
+.RS
+.nf
+ssh-audit -T servers.txt -P path/to/server_policy
+.fi
+.RE
+
+.LP
+To create a policy based on a target server (which can be manually edited; see official built-in policies for syntax examples):
+.RS
+.nf
+ssh-audit -M new_policy.txt targetserver
+.fi
+.RE
+
+.SH RETURN VALUES
+When a successful connection is made and all algorithms are rated as "good", \fBssh-audit\fP returns 0.  Other possible return values are:
+
+.RS
+.nf
+1 = connection error
+2 = at least one algorithm warning was found
+3 = at least one algorithm failure was found
+<any other non-zero value> = unknown error
+.fi
+.RE
+
+.SH SSH HARDENING GUIDES
+Hardening guides for common platforms can be found at: <https://www.ssh\-audit.com/>
+
+.SH BUG REPORTS
+Please file bug reports as a Github Issue at: <https://github.com/jtesta/ssh\-audit/issues>
+
+.SH AUTHOR
+.LP
+\fBssh-audit\fP was originally written by Andris Raugulis <moo@arthepsy.eu>, and maintained from 2015 to 2017.
+.br
+.LP
+Maintainership was assumed and development was resumed in 2017 by Joe Testa <jtesta@positronsecurity.com>.

test/conftest.py

@@ -1,5 +1,3 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
 import os
 import io
 import sys
@@ -7,13 +5,6 @@ import socket
 import pytest
 
 
-if sys.version_info[0] == 2:
-	import StringIO  # pylint: disable=import-error
-	StringIO = StringIO.StringIO
-else:
-	StringIO = io.StringIO
-
-
 @pytest.fixture(scope='module')
 def ssh_audit():
     __rdir = os.path.join(os.path.dirname(os.path.abspath(__file__)), '..')
@@ -24,7 +15,7 @@ def ssh_audit():
 # pylint: disable=attribute-defined-outside-init
 class _OutputSpy(list):
     def begin(self):
-		self.__out = StringIO()
+        self.__out = io.StringIO()
         self.__old_stdout = sys.stdout
         sys.stdout = self.__out
 
@@ -40,7 +31,7 @@ def output_spy():
     return _OutputSpy()
 
 
-class _VirtualGlobalSocket(object):
+class _VirtualGlobalSocket:
     def __init__(self, vsocket):
         self.vsocket = vsocket
         self.addrinfodata = {}
@@ -59,7 +50,7 @@ class _VirtualGlobalSocket(object):
         return self.vsocket
 
     def getaddrinfo(self, host, port, family=0, socktype=0, proto=0, flags=0):
-		key = '{0}#{1}'.format(host, port)
+        key = '{}#{}'.format(host, port)
         if key in self.addrinfodata:
             data = self.addrinfodata[key]
             if isinstance(data, Exception):
@@ -75,7 +66,7 @@ class _VirtualGlobalSocket(object):
         return []
 
 
-class _VirtualSocket(object):
+class _VirtualSocket:
     def __init__(self):
         self.sock_address = ('127.0.0.1', 0)
         self.peer_address = None
@@ -108,7 +99,7 @@ class _VirtualSocket(object):
 
     def getpeername(self):
         if self.peer_address is None or not self._connected:
-			raise socket.error(57, 'Socket is not connected')
+            raise OSError(57, 'Socket is not connected')
         return self.peer_address
 
     def getsockname(self):
@@ -131,7 +122,7 @@ class _VirtualSocket(object):
     def recv(self, bufsize, flags=0):
         # pylint: disable=unused-argument
         if not self._connected:
-			raise socket.error(54, 'Connection reset by peer')
+            raise OSError(54, 'Connection reset by peer')
         if not len(self.rdata) > 0:
             return b''
         data = self.rdata.pop(0)
@@ -141,7 +132,7 @@ class _VirtualSocket(object):
 
     def send(self, data):
         if self.peer_address is None or not self._connected:
-			raise socket.error(32, 'Broken pipe')
+            raise OSError(32, 'Broken pipe')
         self._check_err('send')
         self.sdata.append(data)
 

test/docker/expected_results/dropbear_2019.78_test1.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-dropbear_2019.78", "software": "dropbear_2019.78"}, "compression": ["zlib@openssh.com", "none"], "enc": ["aes128-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc", "3des-ctr", "3des-cbc"], "fingerprints": [{"fp": "SHA256:CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM", "type": "ssh-rsa"}], "kex": [{"algorithm": "curve25519-sha256"}, {"algorithm": "curve25519-sha256@libssh.org"}, {"algorithm": "ecdh-sha2-nistp521"}, {"algorithm": "ecdh-sha2-nistp384"}, {"algorithm": "ecdh-sha2-nistp256"}, {"algorithm": "diffie-hellman-group14-sha256"}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "kexguess2@matt.ucc.asn.au"}], "key": [{"algorithm": "ecdsa-sha2-nistp256"}, {"algorithm": "ssh-rsa", "keysize": 1024}, {"algorithm": "ssh-dss"}], "mac": ["hmac-sha1-96", "hmac-sha1", "hmac-sha2-256"]}

test/docker/expected_results/dropbear_2019.78_test1.txt

@@ -1,11 +1,11 @@
 # general
 (gen) banner: SSH-2.0-dropbear_2019.78
 (gen) software: Dropbear SSH 2019.78
-(gen) compatibility: OpenSSH 7.4+ (some functionality from 6.6), Dropbear SSH 2016.73+
+(gen) compatibility: OpenSSH 7.4+ (some functionality from 6.6), Dropbear SSH 2018.76+
 (gen) compression: enabled (zlib@openssh.com)
 
 # key exchange algorithms
-(kex) curve25519-sha256              -- [info] available since OpenSSH 7.4
+(kex) curve25519-sha256              -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 (kex) curve25519-sha256@libssh.org   -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
 (kex) ecdh-sha2-nistp521             -- [fail] using weak elliptic curves
                                      `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
@@ -22,10 +22,11 @@
 (key) ecdsa-sha2-nistp256            -- [fail] using weak elliptic curves
                                      `- [warn] using weak random number generator could reveal the key
                                      `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
-(key) ssh-rsa (1024-bit)             -- [fail] using small 1024-bit modulus
-                                     `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
-(key) ssh-dss                        -- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm
+(key) ssh-rsa (1024-bit)             -- [fail] using weak hashing algorithm
                                      `- [warn] using small 1024-bit modulus
+                                     `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+(key) ssh-dss                        -- [fail] using small 1024-bit modulus
+                                     `- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm
                                      `- [warn] using weak random number generator could reveal the key
                                      `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
 
@@ -63,7 +64,6 @@
 (fin) ssh-rsa: SHA256:CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM
 
 # algorithm recommendations (for Dropbear SSH 2019.78)
-(rec) !ssh-rsa                       -- key algorithm to change (increase modulus size to 2048 bits or larger) 
 (rec) -3des-cbc                      -- enc algorithm to remove 
 (rec) -3des-ctr                      -- enc algorithm to remove 
 (rec) -aes128-cbc                    -- enc algorithm to remove 
@@ -71,7 +71,6 @@
 (rec) -ecdh-sha2-nistp256            -- kex algorithm to remove 
 (rec) -ecdh-sha2-nistp384            -- kex algorithm to remove 
 (rec) -ecdh-sha2-nistp521            -- kex algorithm to remove 
-(rec) -ecdsa-sha2-nistp256           -- key algorithm to remove 
 (rec) -hmac-sha1-96                  -- mac algorithm to remove 
 (rec) -ssh-dss                       -- key algorithm to remove 
 (rec) +diffie-hellman-group16-sha512 -- kex algorithm to append 
@@ -80,3 +79,6 @@
 (rec) -diffie-hellman-group14-sha1   -- kex algorithm to remove 
 (rec) -hmac-sha1                     -- mac algorithm to remove 
 
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+

test/docker/expected_results/openssh_4.0p1_test1.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [1, 99], "raw": "SSH-1.99-OpenSSH_4.0", "software": "OpenSSH_4.0"}, "compression": ["none", "zlib"], "enc": ["aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour", "aes192-cbc", "aes256-cbc", "rijndael-cbc@lysator.liu.se", "aes128-ctr", "aes192-ctr", "aes256-ctr"], "fingerprints": [{"fp": "SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", "type": "ssh-rsa"}], "kex": [{"algorithm": "diffie-hellman-group-exchange-sha1", "keysize": 1024}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "diffie-hellman-group1-sha1"}], "key": [{"algorithm": "ssh-rsa", "keysize": 1024}, {"algorithm": "ssh-dss"}], "mac": ["hmac-md5", "hmac-sha1", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"]}

test/docker/expected_results/openssh_4.0p1_test1.txt

@@ -31,17 +31,18 @@
                                                     `- [info] available since OpenSSH 2.3.0
 (kex) diffie-hellman-group14-sha1         -- [warn] using weak hashing algorithm
                                           `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
-(kex) diffie-hellman-group1-sha1          -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+(kex) diffie-hellman-group1-sha1          -- [fail] using small 1024-bit modulus
+                                          `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
                                           `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack
-                                          `- [warn] using small 1024-bit modulus
                                           `- [warn] using weak hashing algorithm
                                           `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
 
 # host-key algorithms
-(key) ssh-rsa (1024-bit)                  -- [fail] using small 1024-bit modulus
-                                          `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
-(key) ssh-dss                             -- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm
+(key) ssh-rsa (1024-bit)                  -- [fail] using weak hashing algorithm
                                           `- [warn] using small 1024-bit modulus
+                                          `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+(key) ssh-dss                             -- [fail] using small 1024-bit modulus
+                                          `- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm
                                           `- [warn] using weak random number generator could reveal the key
                                           `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
 
@@ -116,7 +117,6 @@
 (fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4
 
 # algorithm recommendations (for OpenSSH 4.0)
-(rec) !ssh-rsa                            -- key algorithm to change (increase modulus size to 2048 bits or larger) 
 (rec) -3des-cbc                           -- enc algorithm to remove 
 (rec) -aes128-cbc                         -- enc algorithm to remove 
 (rec) -aes192-cbc                         -- enc algorithm to remove 
@@ -134,3 +134,6 @@
 (rec) -rijndael-cbc@lysator.liu.se        -- enc algorithm to remove 
 (rec) -ssh-dss                            -- key algorithm to remove 
 
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+

test/docker/expected_results/openssh_5.6p1_policy_test1.json

@@ -0,0 +1 @@
+{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test1 (version 1)"}

test/docker/expected_results/openssh_5.6p1_policy_test1.txt

@@ -0,0 +1,3 @@
+Host:   localhost:2222
+Policy: Docker policy: test1 (version 1)
+Result: ✔ Passed

test/docker/expected_results/openssh_5.6p1_policy_test10.json

@@ -0,0 +1 @@
+{"errors": [{"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (ssh-rsa-cert-v01@openssh.com) sizes"}, {"actual": ["1024"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes"}], "host": "localhost", "passed": false, "policy": "Docker poliicy: test10 (version 1)"}

test/docker/expected_results/openssh_5.6p1_policy_test10.txt

@@ -0,0 +1,7 @@
+Host:   localhost:2222
+Policy: Docker poliicy: test10 (version 1)
+Result: ❌ Failed!
+
+Errors:
+  * RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 1024
+  * RSA host key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 3072

test/docker/expected_results/openssh_5.6p1_policy_test2.json

@@ -0,0 +1 @@
+{"errors": [{"actual": ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"], "expected_optional": [""], "expected_required": ["kex_alg1", "kex_alg2"], "mismatched_field": "Key exchanges"}], "host": "localhost", "passed": false, "policy": "Docker policy: test2 (version 1)"}

test/docker/expected_results/openssh_5.6p1_policy_test2.txt

@@ -0,0 +1,6 @@
+Host:   localhost:2222
+Policy: Docker policy: test2 (version 1)
+Result: ❌ Failed!
+
+Errors:
+  * Key exchanges did not match. Expected: ['kex_alg1', 'kex_alg2']; Actual: ['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1']

test/docker/expected_results/openssh_5.6p1_policy_test3.json

@@ -0,0 +1 @@
+{"errors": [{"actual": ["ssh-rsa", "ssh-dss"], "expected_optional": [""], "expected_required": ["ssh-rsa", "ssh-dss", "key_alg1"], "mismatched_field": "Host keys"}], "host": "localhost", "passed": false, "policy": "Docker policy: test3 (version 1)"}

test/docker/expected_results/openssh_5.6p1_policy_test3.txt

@@ -0,0 +1,6 @@
+Host:   localhost:2222
+Policy: Docker policy: test3 (version 1)
+Result: ❌ Failed!
+
+Errors:
+  * Host keys did not match. Expected: ['ssh-rsa', 'ssh-dss', 'key_alg1']; Actual: ['ssh-rsa', 'ssh-dss']

test/docker/expected_results/openssh_5.6p1_policy_test4.json

@@ -0,0 +1 @@
+{"errors": [{"actual": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "expected_optional": [""], "expected_required": ["cipher_alg1", "cipher_alg2"], "mismatched_field": "Ciphers"}], "host": "localhost", "passed": false, "policy": "Docker policy: test4 (version 1)"}

test/docker/expected_results/openssh_5.6p1_policy_test4.txt

@@ -0,0 +1,6 @@
+Host:   localhost:2222
+Policy: Docker policy: test4 (version 1)
+Result: ❌ Failed!
+
+Errors:
+  * Ciphers did not match. Expected: ['cipher_alg1', 'cipher_alg2']; Actual: ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se']

test/docker/expected_results/openssh_5.6p1_policy_test5.json

@@ -0,0 +1 @@
+{"errors": [{"actual": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"], "expected_optional": [""], "expected_required": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac_alg1", "hmac-md5-96"], "mismatched_field": "MACs"}], "host": "localhost", "passed": false, "policy": "Docker policy: test5 (version 1)"}

test/docker/expected_results/openssh_5.6p1_policy_test5.txt

@@ -0,0 +1,6 @@
+Host:   localhost:2222
+Policy: Docker policy: test5 (version 1)
+Result: ❌ Failed!
+
+Errors:
+  * MACs did not match. Expected: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac_alg1', 'hmac-md5-96']; Actual: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96']

test/docker/expected_results/openssh_5.6p1_policy_test7.json

@@ -0,0 +1 @@
+{"errors": [], "host": "localhost", "passed": true, "policy": "Docker poliicy: test7 (version 1)"}

test/docker/expected_results/openssh_5.6p1_policy_test7.txt

@@ -0,0 +1,3 @@
+Host:   localhost:2222
+Policy: Docker poliicy: test7 (version 1)
+Result: ✔ Passed

test/docker/expected_results/openssh_5.6p1_policy_test8.json

@@ -0,0 +1 @@
+{"errors": [{"actual": ["1024"], "expected_optional": [""], "expected_required": ["2048"], "mismatched_field": "RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes"}], "host": "localhost", "passed": false, "policy": "Docker poliicy: test8 (version 1)"}

test/docker/expected_results/openssh_5.6p1_policy_test8.txt

@@ -0,0 +1,6 @@
+Host:   localhost:2222
+Policy: Docker poliicy: test8 (version 1)
+Result: ❌ Failed!
+
+Errors:
+  * RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 2048; Actual: 1024

test/docker/expected_results/openssh_5.6p1_policy_test9.json

@@ -0,0 +1 @@
+{"errors": [{"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (ssh-rsa-cert-v01@openssh.com) sizes"}], "host": "localhost", "passed": false, "policy": "Docker poliicy: test9 (version 1)"}

test/docker/expected_results/openssh_5.6p1_policy_test9.txt

@@ -0,0 +1,6 @@
+Host:   localhost:2222
+Policy: Docker poliicy: test9 (version 1)
+Result: ❌ Failed!
+
+Errors:
+  * RSA host key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 3072

test/docker/expected_results/openssh_5.6p1_test1.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_5.6", "software": "OpenSSH_5.6"}, "compression": ["none", "zlib@openssh.com"], "enc": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "fingerprints": [{"fp": "SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", "type": "ssh-rsa"}], "kex": [{"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 1024}, {"algorithm": "diffie-hellman-group-exchange-sha1", "keysize": 1024}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "diffie-hellman-group1-sha1"}], "key": [{"algorithm": "ssh-rsa", "keysize": 1024}, {"algorithm": "ssh-dss"}], "mac": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"]}

test/docker/expected_results/openssh_5.6p1_test1.txt

@@ -25,17 +25,18 @@
                                                     `- [info] available since OpenSSH 2.3.0
 (kex) diffie-hellman-group14-sha1           -- [warn] using weak hashing algorithm
                                             `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
-(kex) diffie-hellman-group1-sha1            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus
+                                            `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
                                             `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack
-                                            `- [warn] using small 1024-bit modulus
                                             `- [warn] using weak hashing algorithm
                                             `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
 
 # host-key algorithms
-(key) ssh-rsa (1024-bit)                    -- [fail] using small 1024-bit modulus
-                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
-(key) ssh-dss                               -- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm
+(key) ssh-rsa (1024-bit)                    -- [fail] using weak hashing algorithm
                                             `- [warn] using small 1024-bit modulus
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+(key) ssh-dss                               -- [fail] using small 1024-bit modulus
+                                            `- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm
                                             `- [warn] using weak random number generator could reveal the key
                                             `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
 
@@ -122,7 +123,6 @@
 
 # algorithm recommendations (for OpenSSH 5.6)
 (rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 2048 bits or larger) 
-(rec) !ssh-rsa                              -- key algorithm to change (increase modulus size to 2048 bits or larger) 
 (rec) -3des-cbc                             -- enc algorithm to remove 
 (rec) -aes128-cbc                           -- enc algorithm to remove 
 (rec) -aes192-cbc                           -- enc algorithm to remove 
@@ -143,3 +143,6 @@
 (rec) -ssh-dss                              -- key algorithm to remove 
 (rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 
 
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+

test/docker/expected_results/openssh_5.6p1_test2.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_5.6", "software": "OpenSSH_5.6"}, "compression": ["none", "zlib@openssh.com"], "enc": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "fingerprints": [{"fp": "SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", "type": "ssh-rsa"}], "kex": [{"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 1024}, {"algorithm": "diffie-hellman-group-exchange-sha1", "keysize": 1024}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "diffie-hellman-group1-sha1"}], "key": [{"algorithm": "ssh-rsa", "keysize": 1024}, {"algorithm": "ssh-rsa-cert-v01@openssh.com", "casize": 1024, "keysize": 1024}], "mac": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"]}

test/docker/expected_results/openssh_5.6p1_test2.txt

@@ -25,14 +25,15 @@
                                                     `- [info] available since OpenSSH 2.3.0
 (kex) diffie-hellman-group14-sha1           -- [warn] using weak hashing algorithm
                                             `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
-(kex) diffie-hellman-group1-sha1            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus
+                                            `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
                                             `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack
-                                            `- [warn] using small 1024-bit modulus
                                             `- [warn] using weak hashing algorithm
                                             `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
 
 # host-key algorithms
-(key) ssh-rsa (1024-bit)                    -- [fail] using small 1024-bit modulus
+(key) ssh-rsa (1024-bit)                    -- [fail] using weak hashing algorithm
+                                            `- [warn] using small 1024-bit modulus
                                             `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
 (key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/1024-bit CA) -- [fail] using small 1024-bit modulus
                                                                `- [info] available since OpenSSH 5.6
@@ -120,7 +121,6 @@
 
 # algorithm recommendations (for OpenSSH 5.6)
 (rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 2048 bits or larger) 
-(rec) !ssh-rsa                              -- key algorithm to change (increase modulus size to 2048 bits or larger) 
 (rec) !ssh-rsa-cert-v01@openssh.com         -- key algorithm to change (increase modulus size to 2048 bits or larger) 
 (rec) -3des-cbc                             -- enc algorithm to remove 
 (rec) -aes128-cbc                           -- enc algorithm to remove 
@@ -139,5 +139,9 @@
 (rec) -hmac-ripemd160@openssh.com           -- mac algorithm to remove 
 (rec) -hmac-sha1-96                         -- mac algorithm to remove 
 (rec) -rijndael-cbc@lysator.liu.se          -- enc algorithm to remove 
+(rec) -ssh-rsa                              -- key algorithm to remove 
 (rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 
 
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+

test/docker/expected_results/openssh_5.6p1_test3.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_5.6", "software": "OpenSSH_5.6"}, "compression": ["none", "zlib@openssh.com"], "enc": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "fingerprints": [{"fp": "SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4", "type": "ssh-rsa"}], "kex": [{"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 1024}, {"algorithm": "diffie-hellman-group-exchange-sha1", "keysize": 1024}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "diffie-hellman-group1-sha1"}], "key": [{"algorithm": "ssh-rsa", "keysize": 1024}, {"algorithm": "ssh-rsa-cert-v01@openssh.com", "casize": 3072, "keysize": 1024}], "mac": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"]}

test/docker/expected_results/openssh_5.6p1_test3.txt

@@ -25,14 +25,15 @@
                                                     `- [info] available since OpenSSH 2.3.0
 (kex) diffie-hellman-group14-sha1           -- [warn] using weak hashing algorithm
                                             `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
-(kex) diffie-hellman-group1-sha1            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus
+                                            `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
                                             `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack
-                                            `- [warn] using small 1024-bit modulus
                                             `- [warn] using weak hashing algorithm
                                             `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
 
 # host-key algorithms
-(key) ssh-rsa (1024-bit)                    -- [fail] using small 1024-bit modulus
+(key) ssh-rsa (1024-bit)                    -- [fail] using weak hashing algorithm
+                                            `- [warn] using small 1024-bit modulus
                                             `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
 (key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/3072-bit CA) -- [fail] using small 1024-bit modulus
                                                                `- [info] available since OpenSSH 5.6
@@ -120,7 +121,6 @@
 
 # algorithm recommendations (for OpenSSH 5.6)
 (rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 2048 bits or larger) 
-(rec) !ssh-rsa                              -- key algorithm to change (increase modulus size to 2048 bits or larger) 
 (rec) !ssh-rsa-cert-v01@openssh.com         -- key algorithm to change (increase modulus size to 2048 bits or larger) 
 (rec) -3des-cbc                             -- enc algorithm to remove 
 (rec) -aes128-cbc                           -- enc algorithm to remove 
@@ -139,5 +139,9 @@
 (rec) -hmac-ripemd160@openssh.com           -- mac algorithm to remove 
 (rec) -hmac-sha1-96                         -- mac algorithm to remove 
 (rec) -rijndael-cbc@lysator.liu.se          -- enc algorithm to remove 
+(rec) -ssh-rsa                              -- key algorithm to remove 
 (rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 
 
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+

test/docker/expected_results/openssh_5.6p1_test4.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_5.6", "software": "OpenSSH_5.6"}, "compression": ["none", "zlib@openssh.com"], "enc": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "fingerprints": [{"fp": "SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244", "type": "ssh-rsa"}], "kex": [{"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 1024}, {"algorithm": "diffie-hellman-group-exchange-sha1", "keysize": 1024}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "diffie-hellman-group1-sha1"}], "key": [{"algorithm": "ssh-rsa", "keysize": 3072}, {"algorithm": "ssh-rsa-cert-v01@openssh.com", "casize": 1024, "keysize": 3072}], "mac": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"]}

test/docker/expected_results/openssh_5.6p1_test4.txt

@@ -25,14 +25,15 @@
                                                     `- [info] available since OpenSSH 2.3.0
 (kex) diffie-hellman-group14-sha1           -- [warn] using weak hashing algorithm
                                             `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
-(kex) diffie-hellman-group1-sha1            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus
+                                            `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
                                             `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack
-                                            `- [warn] using small 1024-bit modulus
                                             `- [warn] using weak hashing algorithm
                                             `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
 
 # host-key algorithms
-(key) ssh-rsa (3072-bit)                    -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+(key) ssh-rsa (3072-bit)                    -- [fail] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
 (key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/1024-bit CA) -- [fail] using small 1024-bit modulus
                                                                `- [info] available since OpenSSH 5.6
 
@@ -137,5 +138,9 @@
 (rec) -hmac-ripemd160@openssh.com           -- mac algorithm to remove 
 (rec) -hmac-sha1-96                         -- mac algorithm to remove 
 (rec) -rijndael-cbc@lysator.liu.se          -- enc algorithm to remove 
+(rec) -ssh-rsa                              -- key algorithm to remove 
 (rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 
 
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+

test/docker/expected_results/openssh_5.6p1_test5.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_5.6", "software": "OpenSSH_5.6"}, "compression": ["none", "zlib@openssh.com"], "enc": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "fingerprints": [{"fp": "SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244", "type": "ssh-rsa"}], "kex": [{"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 1024}, {"algorithm": "diffie-hellman-group-exchange-sha1", "keysize": 1024}, {"algorithm": "diffie-hellman-group14-sha1"}, {"algorithm": "diffie-hellman-group1-sha1"}], "key": [{"algorithm": "ssh-rsa", "keysize": 3072}, {"algorithm": "ssh-rsa-cert-v01@openssh.com", "casize": 3072, "keysize": 3072}], "mac": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"]}

test/docker/expected_results/openssh_5.6p1_test5.txt

@@ -25,14 +25,15 @@
                                                     `- [info] available since OpenSSH 2.3.0
 (kex) diffie-hellman-group14-sha1           -- [warn] using weak hashing algorithm
                                             `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
-(kex) diffie-hellman-group1-sha1            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
+(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus
+                                            `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
                                             `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack
-                                            `- [warn] using small 1024-bit modulus
                                             `- [warn] using weak hashing algorithm
                                             `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
 
 # host-key algorithms
-(key) ssh-rsa (3072-bit)                    -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+(key) ssh-rsa (3072-bit)                    -- [fail] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
 (key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/3072-bit CA) -- [info] available since OpenSSH 5.6
 
 # encryption algorithms (ciphers)
@@ -135,5 +136,9 @@
 (rec) -hmac-ripemd160@openssh.com           -- mac algorithm to remove 
 (rec) -hmac-sha1-96                         -- mac algorithm to remove 
 (rec) -rijndael-cbc@lysator.liu.se          -- enc algorithm to remove 
+(rec) -ssh-rsa                              -- key algorithm to remove 
 (rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 
 
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+

test/docker/expected_results/openssh_8.0p1_policy_test11.json

@@ -0,0 +1 @@
+{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test11 (version 1)"}

test/docker/expected_results/openssh_8.0p1_policy_test11.txt

@@ -0,0 +1,3 @@
+Host:   localhost:2222
+Policy: Docker policy: test11 (version 1)
+Result: ✔ Passed

test/docker/expected_results/openssh_8.0p1_policy_test12.json

@@ -0,0 +1 @@
+{"errors": [{"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (rsa-sha2-256) sizes"}, {"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (rsa-sha2-512) sizes"}, {"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (ssh-rsa) sizes"}], "host": "localhost", "passed": false, "policy": "Docker policy: test12 (version 1)"}

test/docker/expected_results/openssh_8.0p1_policy_test12.txt

@@ -0,0 +1,8 @@
+Host:   localhost:2222
+Policy: Docker policy: test12 (version 1)
+Result: ❌ Failed!
+
+Errors:
+  * RSA host key (rsa-sha2-256) sizes did not match. Expected: 4096; Actual: 3072
+  * RSA host key (rsa-sha2-512) sizes did not match. Expected: 4096; Actual: 3072
+  * RSA host key (ssh-rsa) sizes did not match. Expected: 4096; Actual: 3072

test/docker/expected_results/openssh_8.0p1_policy_test13.json

@@ -0,0 +1 @@
+{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test13 (version 1)"}

test/docker/expected_results/openssh_8.0p1_policy_test13.txt

@@ -0,0 +1,3 @@
+Host:   localhost:2222
+Policy: Docker policy: test13 (version 1)
+Result: ✔ Passed

test/docker/expected_results/openssh_8.0p1_policy_test14.json

@@ -0,0 +1 @@
+{"errors": [{"actual": ["2048"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes"}], "host": "localhost", "passed": false, "policy": "Docker policy: test14 (version 1)"}

test/docker/expected_results/openssh_8.0p1_policy_test14.txt

@@ -0,0 +1,6 @@
+Host:   localhost:2222
+Policy: Docker policy: test14 (version 1)
+Result: ❌ Failed!
+
+Errors:
+  * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match. Expected: 4096; Actual: 2048

test/docker/expected_results/openssh_8.0p1_policy_test6.json

@@ -0,0 +1 @@
+{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test6 (version 1)"}

test/docker/expected_results/openssh_8.0p1_policy_test6.txt

@@ -0,0 +1,3 @@
+Host:   localhost:2222
+Policy: Docker policy: test6 (version 1)
+Result: ✔ Passed

test/docker/expected_results/openssh_8.0p1_test1.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_8.0", "software": "OpenSSH_8.0"}, "compression": ["none", "zlib@openssh.com"], "enc": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"], "fingerprints": [{"fp": "SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", "type": "ssh-ed25519"}, {"fp": "SHA256:nsWtdJ9Z67Vrf7OsUzQov7esXhsWAfVppArGh25u244", "type": "ssh-rsa"}], "kex": [{"algorithm": "curve25519-sha256"}, {"algorithm": "curve25519-sha256@libssh.org"}, {"algorithm": "ecdh-sha2-nistp256"}, {"algorithm": "ecdh-sha2-nistp384"}, {"algorithm": "ecdh-sha2-nistp521"}, {"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 2048}, {"algorithm": "diffie-hellman-group16-sha512"}, {"algorithm": "diffie-hellman-group18-sha512"}, {"algorithm": "diffie-hellman-group14-sha256"}, {"algorithm": "diffie-hellman-group14-sha1"}], "key": [{"algorithm": "rsa-sha2-512", "keysize": 3072}, {"algorithm": "rsa-sha2-256", "keysize": 3072}, {"algorithm": "ssh-rsa", "keysize": 3072}, {"algorithm": "ecdsa-sha2-nistp256"}, {"algorithm": "ssh-ed25519"}], "mac": ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]}

test/docker/expected_results/openssh_8.0p1_test1.txt

@@ -1,11 +1,11 @@
 # general
 (gen) banner: SSH-2.0-OpenSSH_8.0
 (gen) software: OpenSSH 8.0
-(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2016.73+
+(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
 (gen) compression: enabled (zlib@openssh.com)
 
 # key exchange algorithms
-(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4
+(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 (kex) curve25519-sha256@libssh.org          -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
 (kex) ecdh-sha2-nistp256                    -- [fail] using weak elliptic curves
                                             `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
@@ -23,7 +23,8 @@
 # host-key algorithms
 (key) rsa-sha2-512 (3072-bit)               -- [info] available since OpenSSH 7.2
 (key) rsa-sha2-256 (3072-bit)               -- [info] available since OpenSSH 7.2
-(key) ssh-rsa (3072-bit)                    -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
+(key) ssh-rsa (3072-bit)                    -- [fail] using weak hashing algorithm
+                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
 (key) ecdsa-sha2-nistp256                   -- [fail] using weak elliptic curves
                                             `- [warn] using weak random number generator could reveal the key
                                             `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
@@ -68,6 +69,7 @@
 (rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove 
 (rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove 
 (rec) -ecdsa-sha2-nistp256                  -- key algorithm to remove 
+(rec) -ssh-rsa                              -- key algorithm to remove 
 (rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 
 (rec) -hmac-sha1                            -- mac algorithm to remove 
 (rec) -hmac-sha1-etm@openssh.com            -- mac algorithm to remove 
@@ -77,3 +79,6 @@
 (rec) -umac-64-etm@openssh.com              -- mac algorithm to remove 
 (rec) -umac-64@openssh.com                  -- mac algorithm to remove 
 
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+

test/docker/expected_results/openssh_8.0p1_test2.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_8.0", "software": "OpenSSH_8.0"}, "compression": ["none", "zlib@openssh.com"], "enc": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"], "fingerprints": [{"fp": "SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", "type": "ssh-ed25519"}], "kex": [{"algorithm": "curve25519-sha256"}, {"algorithm": "curve25519-sha256@libssh.org"}, {"algorithm": "ecdh-sha2-nistp256"}, {"algorithm": "ecdh-sha2-nistp384"}, {"algorithm": "ecdh-sha2-nistp521"}, {"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 2048}, {"algorithm": "diffie-hellman-group16-sha512"}, {"algorithm": "diffie-hellman-group18-sha512"}, {"algorithm": "diffie-hellman-group14-sha256"}, {"algorithm": "diffie-hellman-group14-sha1"}], "key": [{"algorithm": "ssh-ed25519"}, {"algorithm": "ssh-ed25519-cert-v01@openssh.com"}], "mac": ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]}

test/docker/expected_results/openssh_8.0p1_test2.txt

@@ -1,11 +1,11 @@
 # general
 (gen) banner: SSH-2.0-OpenSSH_8.0
 (gen) software: OpenSSH 8.0
-(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2016.73+
+(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
 (gen) compression: enabled (zlib@openssh.com)
 
 # key exchange algorithms
-(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4
+(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 (kex) curve25519-sha256@libssh.org          -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
 (kex) ecdh-sha2-nistp256                    -- [fail] using weak elliptic curves
                                             `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
@@ -63,7 +63,6 @@
 (rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove 
 (rec) +rsa-sha2-256                         -- key algorithm to append 
 (rec) +rsa-sha2-512                         -- key algorithm to append 
-(rec) +ssh-rsa                              -- key algorithm to append 
 (rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 
 (rec) -hmac-sha1                            -- mac algorithm to remove 
 (rec) -hmac-sha1-etm@openssh.com            -- mac algorithm to remove 
@@ -73,3 +72,6 @@
 (rec) -umac-64-etm@openssh.com              -- mac algorithm to remove 
 (rec) -umac-64@openssh.com                  -- mac algorithm to remove 
 
+# additional info
+(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
+

test/docker/expected_results/openssh_8.0p1_test3.json

@@ -0,0 +1 @@
+{"banner": {"comments": null, "protocol": [2, 0], "raw": "SSH-2.0-OpenSSH_8.0", "software": "OpenSSH_8.0"}, "compression": ["none", "zlib@openssh.com"], "enc": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"], "fingerprints": [{"fp": "SHA256:UrnXIVH+7dlw8UqYocl48yUEcKrthGDQG2CPCgp7MxU", "type": "ssh-ed25519"}], "kex": [{"algorithm": "curve25519-sha256"}, {"algorithm": "curve25519-sha256@libssh.org"}, {"algorithm": "diffie-hellman-group-exchange-sha256", "keysize": 2048}], "key": [{"algorithm": "ssh-ed25519"}], "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "umac-128-etm@openssh.com"]}

test/docker/expected_results/openssh_8.0p1_test3.txt

@@ -1,11 +1,11 @@
 # general
 (gen) banner: SSH-2.0-OpenSSH_8.0
 (gen) software: OpenSSH 8.0
-(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2013.62+
+(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
 (gen) compression: enabled (zlib@openssh.com)
 
 # key exchange algorithms
-(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4
+(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 (kex) curve25519-sha256@libssh.org          -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
 (kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [info] available since OpenSSH 4.4
 
@@ -35,5 +35,4 @@
 (rec) +diffie-hellman-group18-sha512        -- kex algorithm to append 
 (rec) +rsa-sha2-256                         -- key algorithm to append 
 (rec) +rsa-sha2-512                         -- key algorithm to append 
-(rec) +ssh-rsa                              -- key algorithm to append 
 

test/docker/expected_results/tinyssh_20190101_test1.json

@@ -0,0 +1 @@
+{"banner": {"comments": "", "protocol": [2, 0], "raw": "", "software": "tinyssh_noversion"}, "compression": ["none"], "enc": ["chacha20-poly1305@openssh.com"], "fingerprints": [{"fp": "SHA256:89ocln1x7KNqnMgWffGoYtD70ksJ4FrH7BMJHa7SrwU", "type": "ssh-ed25519"}], "kex": [{"algorithm": "curve25519-sha256"}, {"algorithm": "curve25519-sha256@libssh.org"}, {"algorithm": "sntrup4591761x25519-sha512@tinyssh.org"}], "key": [{"algorithm": "ssh-ed25519"}], "mac": ["hmac-sha2-256"]}

test/docker/expected_results/tinyssh_20190101_test1.txt

@@ -1,10 +1,10 @@
 # general
 (gen) software: TinySSH noversion
-(gen) compatibility: OpenSSH 8.0+, Dropbear SSH 2013.62+
+(gen) compatibility: OpenSSH 8.0+, Dropbear SSH 2018.76+
 (gen) compression: disabled
 
 # key exchange algorithms
-(kex) curve25519-sha256                       -- [info] available since OpenSSH 7.4
+(kex) curve25519-sha256                       -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
 (kex) curve25519-sha256@libssh.org            -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
 (kex) sntrup4591761x25519-sha512@tinyssh.org  -- [warn] using experimental algorithm
                                               `- [info] available since OpenSSH 8.0

test/docker/policies/policy_test1.txt

@@ -0,0 +1,10 @@
+#
+# Docker policy: test1
+#
+
+name = "Docker policy: test1"
+version = 1
+host keys = ssh-rsa, ssh-dss
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96

test/docker/policies/policy_test10.txt

@@ -0,0 +1,39 @@
+#
+# Docker policy: test10
+#
+
+# The name of this policy (displayed in the output during scans).  Must be in quotes.
+name = "Docker poliicy: test10"
+
+# The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_5.6"
+
+# The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters).  Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+hostkey_size_ssh-rsa-cert-v01@openssh.com = 4096
+
+# RSA CA key sizes.
+cakey_size_ssh-rsa-cert-v01@openssh.com = 4096
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+
+# The MACs that must match exactly (order matters).
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96

test/docker/policies/policy_test11.txt

@@ -0,0 +1,35 @@
+#
+# Docker policy: test11
+#
+
+# The name of this policy (displayed in the output during scans).  Must be in quotes.
+name = "Docker policy: test11"
+
+# The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_8.0"
+
+# The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters).  Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
+
+# The MACs that must match exactly (order matters).
+macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1

test/docker/policies/policy_test12.txt

@@ -0,0 +1,35 @@
+#
+# Docker policy: test12
+#
+
+# The name of this policy (displayed in the output during scans).  Must be in quotes.
+name = "Docker policy: test12"
+
+# The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_8.0"
+
+# The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters).  Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 4096
+hostkey_size_rsa-sha2-512 = 4096
+hostkey_size_ssh-rsa = 4096
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
+
+# The MACs that must match exactly (order matters).
+macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1

test/docker/policies/policy_test13.txt

@@ -0,0 +1,38 @@
+#
+# Docker policy: test13
+#
+
+# The name of this policy (displayed in the output during scans).  Must be in quotes.
+name = "Docker policy: test13"
+
+# The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_8.0"
+
+# The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters).  Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
+
+# The MACs that must match exactly (order matters).
+macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1

test/docker/policies/policy_test14.txt

@@ -0,0 +1,38 @@
+#
+# Docker policy: test14
+#
+
+# The name of this policy (displayed in the output during scans).  Must be in quotes.
+name = "Docker policy: test14"
+
+# The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_8.0"
+
+# The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters).  Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 4096
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
+
+# The MACs that must match exactly (order matters).
+macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1

test/docker/policies/policy_test2.txt

@@ -0,0 +1,10 @@
+#
+# Docker policy: test2
+#
+
+name = "Docker policy: test2"
+version = 1
+host keys = ssh-rsa, ssh-dss
+key exchanges = kex_alg1, kex_alg2
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96

test/docker/policies/policy_test3.txt

@@ -0,0 +1,10 @@
+#
+# Docker policy: test3
+#
+
+name = "Docker policy: test3"
+version = 1
+host keys = ssh-rsa, ssh-dss, key_alg1
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96

test/docker/policies/policy_test4.txt

@@ -0,0 +1,10 @@
+#
+# Docker policy: test4
+#
+
+name = "Docker policy: test4"
+version = 1
+host keys = ssh-rsa, ssh-dss
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+ciphers = cipher_alg1, cipher_alg2
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96

test/docker/policies/policy_test5.txt

@@ -0,0 +1,10 @@
+#
+# Docker policy: test5
+#
+
+name = "Docker policy: test5"
+version = 1
+host keys = ssh-rsa, ssh-dss
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac_alg1, hmac-md5-96

test/docker/policies/policy_test6.txt

@@ -0,0 +1,12 @@
+#
+# Docker policy: test6
+#
+
+name = "Docker policy: test6"
+version = 1
+banner = "SSH-2.0-OpenSSH_8.0"
+compressions = none, zlib@openssh.com
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
+ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
+macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1

test/docker/policies/policy_test7.txt

@@ -0,0 +1,39 @@
+#
+# Docker policy: test7
+#
+
+# The name of this policy (displayed in the output during scans).  Must be in quotes.
+name = "Docker poliicy: test7"
+
+# The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_5.6"
+
+# The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters).  Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+hostkey_size_ssh-rsa-cert-v01@openssh.com = 3072
+
+# RSA CA key sizes.
+cakey_size_ssh-rsa-cert-v01@openssh.com = 1024
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+
+# The MACs that must match exactly (order matters).
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96

test/docker/policies/policy_test8.txt

@@ -0,0 +1,39 @@
+#
+# Docker policy: test8
+#
+
+# The name of this policy (displayed in the output during scans).  Must be in quotes.
+name = "Docker poliicy: test8"
+
+# The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_5.6"
+
+# The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters).  Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+hostkey_size_ssh-rsa-cert-v01@openssh.com = 3072
+
+# RSA CA key sizes.
+cakey_size_ssh-rsa-cert-v01@openssh.com = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+
+# The MACs that must match exactly (order matters).
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96

test/docker/policies/policy_test9.txt

@@ -0,0 +1,39 @@
+#
+# Docker policy: test9
+#
+
+# The name of this policy (displayed in the output during scans).  Must be in quotes.
+name = "Docker poliicy: test9"
+
+# The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
+version = 1
+
+# The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
+# banner = "SSH-2.0-OpenSSH_5.6"
+
+# The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
+# header = "[]"
+
+# The compression options that must match exactly (order matters).  Commented out to ignore by default.
+# compressions = none, zlib@openssh.com
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 3072
+hostkey_size_rsa-sha2-512 = 3072
+hostkey_size_ssh-rsa = 3072
+hostkey_size_ssh-rsa-cert-v01@openssh.com = 4096
+
+# RSA CA key sizes.
+cakey_size_ssh-rsa-cert-v01@openssh.com = 1024
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
+
+# The ciphers that must match exactly (order matters).
+ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
+
+# The MACs that must match exactly (order matters).
+macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96

test/test_auditconf.py

@@ -1,10 +1,8 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
 import pytest
 
 
 # pylint: disable=attribute-defined-outside-init
-class TestAuditConf(object):
+class TestAuditConf:
     @pytest.fixture(autouse=True)
     def init(self, ssh_audit):
         self.AuditConf = ssh_audit.AuditConf
@@ -13,7 +11,7 @@ class TestAuditConf(object):
     @staticmethod
     def _test_conf(conf, **kwargs):
         options = {
-			'host': None,
+            'host': '',
             'port': 22,
             'ssh1': True,
             'ssh2': True,
@@ -156,17 +154,15 @@ class TestAuditConf(object):
         self._test_conf(conf, host='2001:4860:4860::8888', port=2222)
         conf = c('-p 2222 2001:4860:4860::8888')
         self._test_conf(conf, host='2001:4860:4860::8888', port=2222)
-		with pytest.raises(SystemExit):
-			conf = c('localhost:')
-		with pytest.raises(SystemExit):
+        with pytest.raises(ValueError):
             conf = c('localhost:abc')
         with pytest.raises(SystemExit):
             conf = c('-p abc localhost')
-		with pytest.raises(SystemExit):
+        with pytest.raises(ValueError):
             conf = c('localhost:-22')
         with pytest.raises(SystemExit):
             conf = c('-p -22 localhost')
-		with pytest.raises(SystemExit):
+        with pytest.raises(ValueError):
             conf = c('localhost:99999')
         with pytest.raises(SystemExit):
             conf = c('-p 99999 localhost')