Added release date for v2.3.0. Added link for policy tutorial.

Added policy for hardened OpenSSH v8.4.
Improved formatting of usage examples. Added link to web front-end.
2025-07-06 14:02:49 -05:00 · 2020-09-27 17:12:10 -04:00 · 2020-09-27 17:04:43 -04:00 · 2020-09-27 13:24:37 -04:00 · 2020-09-27 13:13:38 -04:00 · 2020-09-27 11:48:15 -04:00
106 changed files with 7582 additions and 5928 deletions
--- a/.appveyor.yml
+++ b/.appveyor.yml
@ -1,4 +1,4 @@
-version: '1.7.1.dev.{build}'
+version: 'v2.2.1-dev.{build}'
 build: off
 branches:
@ -8,18 +8,14 @@ branches:
 environment:
  matrix:
    - PYTHON: "C:\\Python26"
    - PYTHON: "C:\\Python26-x64"
    - PYTHON: "C:\\Python27"
    - PYTHON: "C:\\Python27-x64"
    - PYTHON: "C:\\Python33"
    - PYTHON: "C:\\Python33-x64"
    - PYTHON: "C:\\Python34"
    - PYTHON: "C:\\Python34-x64"
    - PYTHON: "C:\\Python35"
    - PYTHON: "C:\\Python35-x64"
    - PYTHON: "C:\\Python36"
    - PYTHON: "C:\\Python36-x64"
    - PYTHON: "C:\\Python37"
    - PYTHON: "C:\\Python37-x64"
    - PYTHON: "C:\\Python38"
    - PYTHON: "C:\\Python38-x64"
 matrix:
  fast_finish: true 
--- a/.deepsource.toml
+++ b/.deepsource.toml
@ -0,0 +1,8 @@
 version = 1
 [[analyzers]]
 name = "python"
 enabled = true
  [analyzers.meta]
  runtime_version = "3.x.x"
--- a/.gitignore
+++ b/.gitignore
@ -1,11 +1,19 @@
 *~
 *.pyc
 *.exe
 *.asc
 venv*/
 .cache/
 .mypy_cache/
 .tox
 .coverage*
 reports/
 .scannerwork/
-pypi/sshaudit/LICENSE
+packages/sshaudit/LICENSE
-pypi/sshaudit/README.md
+packages/sshaudit/README.md
-pypi/sshaudit/sshaudit.py
+packages/sshaudit/sshaudit.py
 packages/parts/
 packages/prime/
 packages/snap/
 packages/stage/
 packages/ssh-audit_*.snap
--- a/.travis.yml
+++ b/.travis.yml
@ -1,80 +1,19 @@
 language: python
-sudo: false
+
-matrix:
+python:
-  include:
+  - "3.5"
-    # (default)
+  - "3.6"
-    - os: linux
+  - "3.7"
-      python: 2.6
+  - "3.8"
    - os: linux
      python: 2.7
      env: SQ=1
    - os: linux
      python: 3.3
    - os: linux
      python: 3.4
    - os: linux
      python: 3.5
    - os: linux
      python: 3.6
    - os: linux
      python: pypy
    - os: linux
      python: pypy3
    - os: linux
      python: 3.7-dev
    # Ubuntu 12.04
    - os: linux
      dist: precise
      language: generic
      env: PY_VER=py26,py27,py33,py34,py35,py36,pypy,pypy3 PY_ORIGIN=pyenv
    # Ubuntu 14.04
    - os: linux
      dist: trusty
      language: generic
      env: PY_VER=py26,py27,py33,py34,py35,py36,pypy,pypy3 PY_ORIGIN=pyenv
    # macOS 10.12 Sierra
    - os: osx
      osx_image: xcode8.3
      language: generic
      env: PY_VER=py26,py27,py33,py34,py35,py36,pypy,pypy3
    # Mac OS X 10.11 El Capitan
    - os: osx
      osx_image: xcode7.3
      language: generic
      env: PY_VER=py26,py27,py33,py34,py35,py36,pypy,pypy3
    # Mac OS X 10.10 Yosemite
    - os: osx
      osx_image: xcode6.4
      language: generic
      env: PY_VER=py26,py27,py33,py34,py35,py36,pypy,pypy3
  allow_failures:
    # PyPy3 on Travis CI is out of date
    - python: pypy3
    # Python nightly could fail
    - python: 3.7-dev
    - env: PY_VER=py37
    - env: PY_VER=py37/pyenv
    - env: PY_VER=py37 PY_ORIGIN=pyenv
  fast_finish: true
 cache:
  - pip
  - directories:
    - $HOME/.pyenv.cache
    - $HOME/.bin
 before_install:
  - source test/tools/ci-linux.sh
  - ci_step_before_install
 install:
-  - ci_step_install
+  - pip install -U pip tox tox-travis coveralls codecov
 script:
-  - ci_step_script
+  - tox
 after_success:
-  - ci_step_success
+  - codecov
 after_failure:
  - ci_step_failure
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -0,0 +1,26 @@
 # Contributing to ssh-audit
 We are very much open to receiving patches from the community!  To encourage participation, passing Travis tests, unit tests, etc., *is OPTIONAL*.  As long as the patch works properly, it can be merged (please submit pull requests to the `dev` branch).
 However, if you can submit patches that pass all of our automated tests, then you'll lighten the load for the project maintainer (who already has enough to do!).  This document describes what tests are done and what documentation is maintained.
 *Anything extra you can do is appreciated!*
 ## Tox Tests
 Tox is used to do unit testing, linting with [pylint](http://pylint.pycqa.org/en/latest/) & [flake8](https://flake8.pycqa.org/en/latest/), and static type-checking with [mypy](https://mypy.readthedocs.io/en/stable/).
 Install tox with `apt install tox`, then simply run `tox` in the top-level directory.  Look for any error messages in the (verbose) output.
 ## Docker Tests
 Docker is used to run ssh-audit against various real SSH servers (OpenSSH, Dropbear, and TinySSH).  The output is then diff'ed against the expected result.  Any differences result in failure.
 The docker tests are run with `./docker_test.sh`.  The first time it is run, it will download and compile the SSH servers; this may take awhile.  Subsequent runs, however, will take only a minute to complete, as the docker image will already be up-to-date.
 ## Man Page
 The `ssh-audit.1` man page documents the various features of ssh-audit.  If features are added, or significant behavior is modified, the man page needs to be updated.
--- a/2
+++ b/2
@ -1,7 +1,7 @@
 The MIT License (MIT)
 Copyright (C) 2017-2020 Joe Testa (jtesta@positronsecurity.com)
 Copyright (C) 2017 Andris Raugulis (moo@arthepsy.eu)
 Copyright (C) 2017-2019 Joe Testa (jtesta@positronsecurity.com)
 Permission is hereby granted, free of charge, to any person obtaining a copy
--- a/README.md
+++ b/README.md
@ -7,6 +7,8 @@
 -->
 **ssh-audit** is a tool for ssh server & client configuration auditing.
 [jtesta/ssh-audit](https://github.com/jtesta/ssh-audit/) (v2.0+) is the updated and maintained version of ssh-audit forked from [arthepsy/ssh-audit](https://github.com/arthepsy/ssh-audit) (v1.x) due to inactivity.
 ## Features
 - SSH1 and SSH2 protocol server support;
 - analyze SSH client configuration;
@ -17,44 +19,158 @@
 - output security information (related issues, assigned CVE list, etc);
 - analyze SSH version compatibility based on algorithm information;
 - historical information from OpenSSH, Dropbear SSH and libssh;
 - policy scans to ensure adherence to a hardened/standard configuration;
 - runs on Linux and Windows;
 - no dependencies
 ## Usage
 ```
-usage: ssh-audit.py [-1246pbcnjvlt] <host>
+usage: ssh-audit.py [options] <host>
   -h,  --help             print this help
   -1,  --ssh1             force ssh version 1 only
   -2,  --ssh2             force ssh version 2 only
   -4,  --ipv4             enable IPv4 (order of precedence)
   -6,  --ipv6             enable IPv6 (order of precedence)
   -p,  --port=<port>      port to connect
   -b,  --batch            batch output
   -c,  --client-audit     starts a server on port 2222 to audit client
                               software config (use -p to change port;
                               use -t to change timeout)
   -n,  --no-colors        disable colors
   -j,  --json             JSON output
   -v,  --verbose          verbose output
   -l,  --level=<level>    minimum output level (info|warn|fail)
   -L,  --list-policies    list all the official, built-in policies
        --lookup=<alg1,alg2,...>    looks up an algorithm(s) without
                                    connecting to a server
   -M,  --make-policy=<policy.txt>  creates a policy based on the target server
                                    (i.e.: the target server has the ideal
                                    configuration that other servers should
                                    adhere to)
   -n,  --no-colors        disable colors
   -p,  --port=<port>      port to connect
   -P,  --policy=<policy.txt>  run a policy test using the specified policy
   -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
                               (default: 5)
   -T,  --targets=<hosts.txt>  a file containing a list of target hosts (one
                                   per line, format HOST[:PORT])
   -v,  --verbose          verbose output
 ```
 * if both IPv4 and IPv6 are used, order of precedence can be set by using either `-46` or `-64`.  
 * batch flag `-b` will output sections without header and without empty lines (implies verbose flag).  
 * verbose flag `-v` will prefix each line with section type and algorithm name.  
 * an exit code of 0 is returned when all algorithms are considered secure (for a standard audit), or when a policy check passes (for a policy audit).
-### Server Audit Example
+Basic server auditing:
-Below is a screen shot of the server-auditing output when connecting to an unhardened OpenSSH v5.3 service:
+```
 ssh-audit localhost
 ssh-audit 127.0.0.1
 ssh-audit 127.0.0.1:222
 ssh-audit ::1
 ssh-audit [::1]:222
 ```
 To run a standard audit against many servers (place targets into servers.txt, one on each line in the format of `HOST[:PORT]`):
 ```
 ssh-audit -T servers.txt
 ```
 To audit a client configuration (listens on port 2222 by default; connect using `ssh anything@localhost`):
 ```
 ssh-audit -c
 ```
 To audit a client configuration, with a listener on port 4567:
 ```
 ssh-audit -c -p 4567
 ```
 To  list all official built-in policies (hint: use resulting file paths with `-P`/`--policy`):
 ```
 ssh-audit -L
 ```
 To run a policy audit against a server:
 ```
 ssh-audit -P path/to/server_policy targetserver
 ```
 To run a policy audit against a client:
 ```
 ssh-audit -c -P path/to/client_policy
 ```
 To run a policy audit against many servers:
 ```
 ssh-audit -T servers.txt -P path/to/server_policy
 ```
 To create a policy based on a target server (which can be manually edited; see official built-in policies for syntax examples):
 ```
 ssh-audit -M new_policy.txt targetserver
 ```
 ### Server Standard Audit Example
 Below is a screen shot of the standard server-auditing output when connecting to an unhardened OpenSSH v5.3 service:
 ![screenshot](https://user-images.githubusercontent.com/2982011/64388792-317e6f80-d00e-11e9-826e-a4934769bb07.png)
-### Client Audit Example
+### Server Policy Audit Example
 Below is a screen shot of the policy auditing output when connecting to an un-hardened Ubuntu Server 20.04 machine:
 ![screenshot](https://user-images.githubusercontent.com/2982011/94370881-95178700-00c0-11eb-8705-3157a4669dc0.png)
 After applying the steps in the hardening guide (see below), the output changes to the following:
 ![screenshot](https://user-images.githubusercontent.com/2982011/94370873-87620180-00c0-11eb-9a59-469f61a56ce1.png)
 ### Client Standard Audit Example
 Below is a screen shot of the client-auditing output when an unhardened OpenSSH v7.2 client connects:
 ![client_screenshot](https://user-images.githubusercontent.com/2982011/68867998-b946c100-06c4-11ea-975f-1f47e4178a74.png)
 ### Hardening Guides
 Guides to harden server & client configuration can be found here: [https://www.ssh-audit.com/hardening_guides.html](https://www.ssh-audit.com/hardening_guides.html)
 ### Pre-Built Packages
 Pre-built packages are available for Windows (see the releases page), on PyPI, Snap, and Homebrew.
 To install from PyPI:
 ```
 $ pip3 install ssh-audit
 ```
 To install the Snap package:
 ```
 $ snap install ssh-audit
 ```
 To install on Homebrew:
 ```
 $ brew install ssh-audit
 ```
 ### Web Front-End
 For convenience, a web front-end on top of the command-line tool is available at [https://www.ssh-audit.com/](https://www.ssh-audit.com/).
 ## ChangeLog
 ### v2.3.0 (2020-09-27)
 - Added new policy auditing functionality to test adherence to a hardening guide/standard configuration (see `-L`/`--list-policies`, `-M`/`--make-policy` and `-P`/`--policy`).  For an in-depth tutorial, see <https://www.positronsecurity.com/blog/2020-09-27-ssh-policy-configuration-checks-with-ssh-audit/>.
 - Created new man page (see `ssh-audit.1` file).
 - 1024-bit moduli upgraded from warnings to failures.
 - Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments; credit [Jürgen Gmach](https://github.com/jugmac00).
 - Added feature to look up algorithms in internal database (see `--lookup`); credit [Adam Russell](https://github.com/thecliguy).
 - Suppress recommendation of token host key types.
 - Added check for use-after-free vulnerability in PuTTY v0.73.
 - Added 11 new host key types: `ssh-rsa1`, `ssh-dss-sha256@ssh.com`, `ssh-gost2001`, `ssh-gost2012-256`, `ssh-gost2012-512`, `spki-sign-rsa`, `ssh-ed448`, `x509v3-ecdsa-sha2-nistp256`, `x509v3-ecdsa-sha2-nistp384`, `x509v3-ecdsa-sha2-nistp521`, `x509v3-rsa2048-sha256`.
 - Added 8 new key exchanges: `diffie-hellman-group1-sha256`, `kexAlgoCurve25519SHA256`, `Curve25519SHA256`, `gss-group14-sha256-`, `gss-group15-sha512-`, `gss-group16-sha512-`, `gss-nistp256-sha256-`, `gss-curve25519-sha256-`.
 - Added 5 new ciphers: `blowfish`, `AEAD_AES_128_GCM`, `AEAD_AES_256_GCM`, `crypticore128@ssh.com`, `seed-cbc@ssh.com`.
 - Added 3 new MACs: `chacha20-poly1305@openssh.com`, `hmac-sha3-224`, `crypticore-mac@ssh.com`.
 ### v2.2.0 (2020-03-11)
 - Marked host key type `ssh-rsa` as weak due to [practical SHA-1 collisions](https://eprint.iacr.org/2020/014.pdf).
 - Added Windows builds.
 - Added 10 new host key types: `ecdsa-sha2-1.3.132.0.10`, `x509v3-sign-dss`, `x509v3-sign-rsa`, `x509v3-sign-rsa-sha256@ssh.com`, `x509v3-ssh-dss`, `x509v3-ssh-rsa`, `sk-ecdsa-sha2-nistp256-cert-v01@openssh.com`, `sk-ecdsa-sha2-nistp256@openssh.com`, `sk-ssh-ed25519-cert-v01@openssh.com`, and `sk-ssh-ed25519@openssh.com`.
 - Added 18 new key exchanges: `diffie-hellman-group14-sha256@ssh.com`, `diffie-hellman-group15-sha256@ssh.com`, `diffie-hellman-group15-sha384@ssh.com`, `diffie-hellman-group16-sha384@ssh.com`, `diffie-hellman-group16-sha512@ssh.com`, `diffie-hellman-group18-sha512@ssh.com`, `ecdh-sha2-curve25519`, `ecdh-sha2-nistb233`, `ecdh-sha2-nistb409`, `ecdh-sha2-nistk163`, `ecdh-sha2-nistk233`, `ecdh-sha2-nistk283`, `ecdh-sha2-nistk409`, `ecdh-sha2-nistp192`, `ecdh-sha2-nistp224`, `ecdh-sha2-nistt571`, `gss-gex-sha1-`, and `gss-group1-sha1-`.
 - Added 9 new ciphers: `camellia128-cbc`, `camellia128-ctr`, `camellia192-cbc`, `camellia192-ctr`, `camellia256-cbc`, `camellia256-ctr`, `aes128-gcm`, `aes256-gcm`, and `chacha20-poly1305`.
 - Added 2 new MACs: `aes128-gcm` and `aes256-gcm`.
 ### v2.1.1 (2019-11-26)
 - Added 2 new host key types: `rsa-sha2-256-cert-v01@openssh.com`, `rsa-sha2-512-cert-v01@openssh.com`.
 - Added 2 new ciphers: `des`, `3des`.
--- a/docker_test.sh
+++ b/docker_test.sh
@ -28,6 +28,12 @@ GREEN="\033[0;32m"
 REDB="\033[1;31m"   # Red + bold
 GREENB="\033[1;32m" # Green + bold
 # Program return values.
 PROGRAM_RETVAL_FAILURE=3
 PROGRAM_RETVAL_WARNING=2
 PROGRAM_RETVAL_CONNECTION_ERROR=1
 PROGRAM_RETVAL_GOOD=0
 # Returns 0 if current docker image exists.
 function check_if_docker_image_exists {
@ -353,8 +359,9 @@ function run_dropbear_test {
    dropbear_version=$1
    test_number=$2
    options=$3
    expected_retval=$4
-    run_test 'Dropbear' $dropbear_version $test_number "$options"
+    run_test 'Dropbear' $dropbear_version $test_number "$options" $expected_retval
 }
@ -363,8 +370,9 @@ function run_dropbear_test {
 function run_openssh_test {
    openssh_version=$1
    test_number=$2
    expected_retval=$3
-    run_test 'OpenSSH' $openssh_version $test_number ''
+    run_test 'OpenSSH' $openssh_version $test_number '' $expected_retval
 }
@ -373,8 +381,9 @@ function run_openssh_test {
 function run_tinyssh_test {
    tinyssh_version=$1
    test_number=$2
    expected_retval=$3
-    run_test 'TinySSH' $tinyssh_version $test_number ''
+    run_test 'TinySSH' $tinyssh_version $test_number '' $expected_retval
 }
@ -383,6 +392,7 @@ function run_test {
    version=$2
    test_number=$3
    options=$4
    expected_retval=$5
    server_exec=
    test_result_stdout=
@ -421,20 +431,22 @@ function run_test {
    fi
    ./ssh-audit.py localhost:2222 > $test_result_stdout
-    if [[ $? != 0 ]]; then
+    actual_retval=$?
-	echo -e "${REDB}Failed to run ssh-audit.py! (exit code: $?)${CLR}"
+    if [[ $actual_retval != $expected_retval ]]; then
-	docker container stop $cid > /dev/null
+	echo -e "${REDB}Unexpected return value.  Expected: ${expected_retval}; Actual: ${actual_retval}${CLR}"
 	docker container stop -t 0 $cid > /dev/null
 	exit 1
    fi
    ./ssh-audit.py -j localhost:2222 > $test_result_json
-    if [[ $? != 0 ]]; then
+    actual_retval=$?
-	echo -e "${REDB}Failed to run ssh-audit.py! (exit code: $?)${CLR}"
+    if [[ $actual_retval != $expected_retval ]]; then
-	docker container stop $cid > /dev/null
+	echo -e "${REDB}Unexpected return value.  Expected: ${expected_retval}; Actual: ${actual_retval}${CLR}"
 	docker container stop -t 0 $cid > /dev/null
 	exit 1
    fi
-    docker container stop $cid > /dev/null
+    docker container stop -t 0 $cid > /dev/null
    if [[ $? != 0 ]]; then
       echo -e "${REDB}Failed to stop docker container ${cid}! (exit code: $?)${CLR}"
       exit 1
@ -465,6 +477,81 @@ function run_test {
 }
 function run_policy_test {
    config_number=$1  # The configuration number to use.
    test_number=$2    # The policy test number to run.
    expected_exit_code=$3  # The expected exit code of ssh-audit.py.
    version=
    config=
    if [[ ${config_number} == 'config1' ]]; then
        version='5.6p1'
        config='sshd_config-5.6p1_test1'
    elif [[ ${config_number} == 'config2' ]]; then
        version='8.0p1'
        config='sshd_config-8.0p1_test1'
    elif [[ ${config_number} == 'config3' ]]; then
        version='5.6p1'
        config='sshd_config-5.6p1_test4'
    fi
    server_exec="/openssh/sshd-${version} -D -f /etc/ssh/${config}"
    policy_path="test/docker/policies/policy_${test_number}.txt"
    test_result_stdout="${TEST_RESULT_DIR}/openssh_${version}_policy_${test_number}.txt"
    test_result_json="${TEST_RESULT_DIR}/openssh_${version}_policy_${test_number}.json"
    expected_result_stdout="test/docker/expected_results/openssh_${version}_policy_${test_number}.txt"
    expected_result_json="test/docker/expected_results/openssh_${version}_policy_${test_number}.json"
    test_name="OpenSSH ${version} policy ${test_number}"
    #echo "Running: docker run -d -p 2222:22 ${IMAGE_NAME}:${IMAGE_VERSION} ${server_exec}"
    cid=`docker run -d -p 2222:22 ${IMAGE_NAME}:${IMAGE_VERSION} ${server_exec}`
    if [[ $? != 0 ]]; then
 	echo -e "${REDB}Failed to run docker image! (exit code: $?)${CLR}"
 	exit 1
    fi
    #echo "Running: ./ssh-audit.py -P ${policy_path} localhost:2222 > ${test_result_stdout}"
    ./ssh-audit.py -P ${policy_path} localhost:2222 > ${test_result_stdout}
    actual_exit_code=$?
    if [[ ${actual_exit_code} != ${expected_exit_code} ]]; then
 	echo -e "${test_name} ${REDB}FAILED${CLR} (expected exit code: ${expected_exit_code}; actual exit code: ${actual_exit_code}\n"
        cat ${test_result_stdout}
 	docker container stop -t 0 $cid > /dev/null
 	exit 1
    fi
    #echo "Running: ./ssh-audit.py -P ${policy_path} -j localhost:2222 > ${test_result_json}"
    ./ssh-audit.py -P ${policy_path} -j localhost:2222 > ${test_result_json}
    actual_exit_code=$?
    if [[ ${actual_exit_code} != ${expected_exit_code} ]]; then
 	echo -e "${test_name} ${REDB}FAILED${CLR} (expected exit code: ${expected_exit_code}; actual exit code: ${actual_exit_code}\n"
        cat ${test_result_json}
 	docker container stop -t 0 $cid > /dev/null
 	exit 1
    fi
    docker container stop -t 0 $cid > /dev/null
    if [[ $? != 0 ]]; then
       echo -e "${REDB}Failed to stop docker container ${cid}! (exit code: $?)${CLR}"
       exit 1
    fi
    diff=`diff -u ${expected_result_stdout} ${test_result_stdout}`
    if [[ $? != 0 ]]; then
 	echo -e "${test_name} ${REDB}FAILED${CLR}.\n\n${diff}\n"
 	exit 1
    fi
    diff=`diff -u ${expected_result_json} ${test_result_json}`
    if [[ $? != 0 ]]; then
 	echo -e "${test_name} ${REDB}FAILED${CLR}.\n\n${diff}\n"
 	exit 1
    fi
    echo -e "${test_name} ${GREEN}passed${CLR}."
 }
 # First check if docker is functional.
 docker version > /dev/null
 if [[ $? != 0 ]]; then
@ -487,21 +574,54 @@ TEST_RESULT_DIR=`mktemp -d /tmp/ssh-audit_test-results_XXXXXXXXXX`
 # Now run all the tests.
 echo -e "\nRunning tests..."
-run_openssh_test '4.0p1' 'test1'
+run_openssh_test '4.0p1' 'test1' $PROGRAM_RETVAL_FAILURE
 echo
-run_openssh_test '5.6p1' 'test1'
+run_openssh_test '5.6p1' 'test1' $PROGRAM_RETVAL_FAILURE
-run_openssh_test '5.6p1' 'test2'
+run_openssh_test '5.6p1' 'test2' $PROGRAM_RETVAL_FAILURE
-run_openssh_test '5.6p1' 'test3'
+run_openssh_test '5.6p1' 'test3' $PROGRAM_RETVAL_FAILURE
-run_openssh_test '5.6p1' 'test4'
+run_openssh_test '5.6p1' 'test4' $PROGRAM_RETVAL_FAILURE
-run_openssh_test '5.6p1' 'test5'
+run_openssh_test '5.6p1' 'test5' $PROGRAM_RETVAL_FAILURE
 echo
-run_openssh_test '8.0p1' 'test1'
+run_openssh_test '8.0p1' 'test1' $PROGRAM_RETVAL_FAILURE
-run_openssh_test '8.0p1' 'test2'
+run_openssh_test '8.0p1' 'test2' $PROGRAM_RETVAL_FAILURE
-run_openssh_test '8.0p1' 'test3'
+run_openssh_test '8.0p1' 'test3' $PROGRAM_RETVAL_GOOD
 echo
-run_dropbear_test '2019.78' 'test1' '-r /etc/dropbear/dropbear_rsa_host_key_1024 -r /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_ecdsa_host_key'
+run_dropbear_test '2019.78' 'test1' '-r /etc/dropbear/dropbear_rsa_host_key_1024 -r /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_ecdsa_host_key' 3
 echo
-run_tinyssh_test '20190101' 'test1'
+run_tinyssh_test '20190101' 'test1' $PROGRAM_RETVAL_WARNING
 echo
 echo
 run_policy_test 'config1' 'test1' $PROGRAM_RETVAL_GOOD
 run_policy_test 'config1' 'test2' $PROGRAM_RETVAL_FAILURE
 run_policy_test 'config1' 'test3' $PROGRAM_RETVAL_FAILURE
 run_policy_test 'config1' 'test4' $PROGRAM_RETVAL_FAILURE
 run_policy_test 'config1' 'test5' $PROGRAM_RETVAL_FAILURE
 run_policy_test 'config2' 'test6' $PROGRAM_RETVAL_GOOD
 # Passing test with host key certificate and CA key certificates.
 run_policy_test 'config3' 'test7' $PROGRAM_RETVAL_GOOD
 # Failing test with host key certificate and non-compliant CA key length.
 run_policy_test 'config3' 'test8' $PROGRAM_RETVAL_FAILURE
 # Failing test with non-compliant host key certificate and CA key certificate.
 run_policy_test 'config3' 'test9' $PROGRAM_RETVAL_FAILURE
 # Failing test with non-compliant host key certificate and non-compliant CA key certificate.
 run_policy_test 'config3' 'test10' $PROGRAM_RETVAL_FAILURE
 # Passing test with host key size check.
 run_policy_test 'config2' 'test11' $PROGRAM_RETVAL_GOOD
 # Failing test with non-compliant host key size check.
 run_policy_test 'config2' 'test12' $PROGRAM_RETVAL_FAILURE
 # Passing test with DH modulus test.
 run_policy_test 'config2' 'test13' $PROGRAM_RETVAL_GOOD
 # Failing test with DH modulus test.
 run_policy_test 'config2' 'test14' $PROGRAM_RETVAL_FAILURE
 # The test functions above will terminate the script on failure, so if we reached here,
 # all tests are successful.
--- a/packages/MANIFEST.in
+++ b/packages/MANIFEST.in
--- a/packages/Makefile.pypi
+++ b/packages/Makefile.pypi
@ -11,4 +11,4 @@ uploadprod:
 	twine upload dist/*
 clean:
-	rm -rf build/ dist/ *.egg-info/ sshaudit/sshaudit.py sshaudit/LICENSE sshaudit/README.md
+	rm -rf parts/ prime/ snap/ stage/ build/ dist/ *.egg-info/ sshaudit/sshaudit.py sshaudit/LICENSE sshaudit/README.md ssh-audit*.snap
--- a/packages/Makefile.snap
+++ b/packages/Makefile.snap
@ -0,0 +1,8 @@
 all:
 	cp ../ssh-audit.py sshaudit/sshaudit.py
 	cp ../README.md sshaudit/README.md
 	echo -e "\n\nDid you remember to bump the version number in snapcraft.yaml?\n\n"
 	snapcraft
 clean:
 	rm -rf parts/ prime/ snap/ stage/ build/ dist/ *.egg-info/ sshaudit/sshaudit.py sshaudit/LICENSE sshaudit/README.md ssh-audit*.snap
--- a/packages/notes.txt
+++ b/packages/notes.txt
@ -0,0 +1,41 @@
 = PyPI =
 To create package and upload to test server:
 # apt install virtualenv
 $ virtualenv -p /usr/bin/python3 /tmp/pypi_upload
 $ cd /tmp/pypi_upload; source bin/activate
 $ pip3 install twine
 $ cp -R path/to/ssh-audit .
 $ cd ssh-audit/packages
 $ make -f Makefile.pypi
 $ make -f Makefile.pypi uploadtest
 To download from test server and verify:
 $ virtualenv -p /usr/bin/python3 /tmp/pypi_test
 $ cd /tmp/pypi_test; source bin/activate
 $ pip3 install --index-url https://test.pypi.org/simple ssh-audit
 To upload to production server:
 $ cd /tmp/pypi_upload; source bin/activate
 $ cd ssh-audit/pypi
 $ make -f Makefile.pypi uploadprod
 To download from production server and verify:
 $ virtualenv -p /usr/bin/python3 /tmp/pypi_prod
 $ cd /tmp/pypi_prod; source bin/activate
 $ pip3 install ssh-audit
 ----
 = Snap =
 To create the snap package, simply run:
 $ make -f Makefile.snap
--- a/packages/setup.py
+++ b/packages/setup.py
@ -0,0 +1,58 @@
 # -*- coding: utf-8 -*-
 import re
 import sys
 from setuptools import setup
 print_warning = False
 m = re.search(r'^VERSION\s*=\s*\'v(\d\.\d\.\d)\'', open('sshaudit/sshaudit.py').read(), re.M)
 if m is None:
    # If we failed to parse the stable version, see if this is the development version.
    m = re.search(r'^VERSION\s*=\s*\'v(\d\.\d\.\d-dev)\'', open('sshaudit/sshaudit.py').read(), re.M)
    if m is None:
        print("Error: could not parse VERSION variable from ssh-audit.py.")
        sys.exit(1)
    else:  # Continue with the development version, but print a warning later.
        print_warning = True
 version = m.group(1)
 print("\n\nPackaging ssh-audit v%s...\n\n" % version)
 with open("sshaudit/README.md", "rb") as f:
    long_descr = f.read().decode("utf-8")
 setup(
    name="ssh-audit",
    packages=["sshaudit"],
    license='MIT',
    entry_points={
        "console_scripts": ['ssh-audit = sshaudit.sshaudit:main']
    },
    version=version,
    description="An SSH server & client configuration security auditing tool",
    long_description=long_descr,
    long_description_content_type="text/markdown",
    author="Joe Testa",
    author_email="jtesta@positronsecurity.com",
    url="https://github.com/jtesta/ssh-audit",
    classifiers=[
        "Development Status :: 5 - Production/Stable",
        "Intended Audience :: Information Technology",
        "Intended Audience :: System Administrators",
        "License :: OSI Approved :: MIT License",
        "Operating System :: OS Independent",
        "Programming Language :: Python :: 3",
        "Programming Language :: Python :: 3.5",
        "Programming Language :: Python :: 3.6",
        "Programming Language :: Python :: 3.7",
        "Programming Language :: Python :: 3.8",
        "Programming Language :: Python :: Implementation :: CPython",
        "Programming Language :: Python :: Implementation :: PyPy",
        "Topic :: Security",
        "Topic :: Security :: Cryptography"
    ])
 if print_warning:
    print("\n\n    !!! WARNING: development version detected (%s).  Are you sure you want to package this version?  Probably not...\n" % version)
--- a/packages/snapcraft.yaml
+++ b/packages/snapcraft.yaml
@ -0,0 +1,21 @@
 name: ssh-audit
 version: '2.2.0-1'
 license: 'MIT'
 summary: ssh-audit
 description: |
  SSH server and client security configuration auditor.  Official repository: <https://github.com/jtesta/ssh-audit>
 base: core18
 grade: stable
 confinement: strict
 apps:
  ssh-audit:
    command: bin/ssh-audit
    plugs: [network,network-bind]
 parts:
  ssh-audit:
    plugin: python
    python-version: python3
    source: .
--- a/packages/sshaudit/init.py
+++ b/packages/sshaudit/init.py
--- a/packages/sshaudit/main.py
+++ b/packages/sshaudit/main.py
--- a/packages/windows_build.txt
+++ b/packages/windows_build.txt
@ -0,0 +1,17 @@
 Below are notes for creating a Windows executable.
 An executable can only be made on a Windows host because the PyInstaller tool (https://www.pyinstaller.org/) does not support cross-compilation.
 On a Windows machine, do the following:
 1.) Install Python v3.7.x from https://www.python.org/.  (As of this writing v3.8.0 isn't supported.)  To make life easier, check the option to add Python to the PATH environment variable.
 2.) Using pip, install pyinstaller and colorama:
    pip install pyinstaller colorama
 3.) Create the executable with:
    pyinstaller -F --icon packages\windows_icon.ico ssh-audit.py
 4.) The 'dist' folder will have the resulting ssh-audit.exe.
--- a/packages/windows_icon.ico
+++ b/packages/windows_icon.ico
--- a/policies/openssh_7_7.txt
+++ b/policies/openssh_7_7.txt
@ -0,0 +1,24 @@
 #
 # Official policy for hardened OpenSSH v7.7.
 #
 name = "Hardened OpenSSH v7.7"
 version = 1
 # Group exchange DH modulus sizes.
 dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
 # The host key types that must match exactly (order matters).
 host keys = ssh-ed25519
 # Host key types that may optionally appear.
 optional host keys = ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
 # The ciphers that must match exactly (order matters).
 ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
 # The MACs that must match exactly (order matters).
 macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
--- a/policies/openssh_7_8.txt
+++ b/policies/openssh_7_8.txt
@ -0,0 +1,24 @@
 #
 # Official policy for hardened OpenSSH v7.8.
 #
 name = "Hardened OpenSSH v7.8"
 version = 1
 # Group exchange DH modulus sizes.
 dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
 # The host key types that must match exactly (order matters).
 host keys = ssh-ed25519
 # Host key types that may optionally appear.
 optional host keys = ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
 # The ciphers that must match exactly (order matters).
 ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
 # The MACs that must match exactly (order matters).
 macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
--- a/policies/openssh_7_9.txt
+++ b/policies/openssh_7_9.txt
@ -0,0 +1,24 @@
 #
 # Official policy for hardened OpenSSH v7.9.
 #
 name = "Hardened OpenSSH v7.9"
 version = 1
 # Group exchange DH modulus sizes.
 dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
 # The host key types that must match exactly (order matters).
 host keys = ssh-ed25519
 # Host key types that may optionally appear.
 optional host keys = ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
 # The ciphers that must match exactly (order matters).
 ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
 # The MACs that must match exactly (order matters).
 macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
--- a/policies/openssh_8_0.txt
+++ b/policies/openssh_8_0.txt
@ -0,0 +1,24 @@
 #
 # Official policy for hardened OpenSSH v8.0.
 #
 name = "Hardened OpenSSH v8.0"
 version = 1
 # Group exchange DH modulus sizes.
 dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
 # The host key types that must match exactly (order matters).
 host keys = ssh-ed25519
 # Host key types that may optionally appear.
 optional host keys = ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
 # The ciphers that must match exactly (order matters).
 ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
 # The MACs that must match exactly (order matters).
 macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
--- a/policies/openssh_8_1.txt
+++ b/policies/openssh_8_1.txt
@ -0,0 +1,24 @@
 #
 # Official policy for hardened OpenSSH v8.1.
 #
 name = "Hardened OpenSSH v8.1"
 version = 1
 # Group exchange DH modulus sizes.
 dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
 # The host key types that must match exactly (order matters).
 host keys = ssh-ed25519
 # Host key types that may optionally appear.
 optional host keys = sk-ssh-ed25519@openssh.com, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
 # The ciphers that must match exactly (order matters).
 ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
 # The MACs that must match exactly (order matters).
 macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
--- a/policies/openssh_8_2.txt
+++ b/policies/openssh_8_2.txt
@ -0,0 +1,28 @@
 #
 # Official policy for hardened OpenSSH v8.2.
 #
 name = "Hardened OpenSSH v8.2"
 version = 1
 # RSA host key sizes.
 hostkey_size_rsa-sha2-256 = 4096
 hostkey_size_rsa-sha2-512 = 4096
 # Group exchange DH modulus sizes.
 dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
 # The host key types that must match exactly (order matters).
 host keys = rsa-sha2-512, rsa-sha2-256, ssh-ed25519
 # Host key types that may optionally appear.
 optional host keys = sk-ssh-ed25519@openssh.com, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
 # The ciphers that must match exactly (order matters).
 ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
 # The MACs that must match exactly (order matters).
 macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
--- a/policies/openssh_8_3.txt
+++ b/policies/openssh_8_3.txt
@ -0,0 +1,28 @@
 #
 # Official policy for hardened OpenSSH v8.3.
 #
 name = "Hardened OpenSSH v8.3"
 version = 1
 # RSA host key sizes.
 hostkey_size_rsa-sha2-256 = 4096
 hostkey_size_rsa-sha2-512 = 4096
 # Group exchange DH modulus sizes.
 dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
 # The host key types that must match exactly (order matters).
 host keys = rsa-sha2-512, rsa-sha2-256, ssh-ed25519
 # Host key types that may optionally appear.
 optional host keys = sk-ssh-ed25519@openssh.com, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
 # The ciphers that must match exactly (order matters).
 ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
 # The MACs that must match exactly (order matters).
 macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
--- a/policies/openssh_8_4.txt
+++ b/policies/openssh_8_4.txt
@ -0,0 +1,28 @@
 #
 # Official policy for hardened OpenSSH v8.4.
 #
 name = "Hardened OpenSSH v8.4"
 version = 1
 # RSA host key sizes.
 hostkey_size_rsa-sha2-256 = 4096
 hostkey_size_rsa-sha2-512 = 4096
 # Group exchange DH modulus sizes.
 dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
 # The host key types that must match exactly (order matters).
 host keys = rsa-sha2-512, rsa-sha2-256, ssh-ed25519
 # Host key types that may optionally appear.
 optional host keys = sk-ssh-ed25519@openssh.com, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
 # The ciphers that must match exactly (order matters).
 ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
 # The MACs that must match exactly (order matters).
 macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
--- a/policies/ubuntu_client_16_04.txt
+++ b/policies/ubuntu_client_16_04.txt
@ -0,0 +1,19 @@
 #
 # Official policy for hardened OpenSSH on Ubuntu 16.04 LTS.
 #
 client policy = true
 name = "Hardened Ubuntu Client 16.04 LTS"
 version = 1
 # The host key types that must match exactly (order matters).
 host keys = ssh-ed25519, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256, rsa-sha2-512, ssh-rsa-cert-v01@openssh.com
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256, ext-info-c
 # The ciphers that must match exactly (order matters).
 ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
 # The MACs that must match exactly (order matters).
 macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
--- a/policies/ubuntu_client_18_04.txt
+++ b/policies/ubuntu_client_18_04.txt
@ -0,0 +1,19 @@
 #
 # Official policy for hardened OpenSSH on Ubuntu 18.04 LTS.
 #
 client policy = true
 name = "Hardened Ubuntu Client 18.04 LTS"
 version = 1
 # The host key types that must match exactly (order matters).
 host keys = ssh-ed25519, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256, rsa-sha2-512, ssh-rsa-cert-v01@openssh.com
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256, ext-info-c
 # The ciphers that must match exactly (order matters).
 ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
 # The MACs that must match exactly (order matters).
 macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
--- a/policies/ubuntu_client_20_04.txt
+++ b/policies/ubuntu_client_20_04.txt
@ -0,0 +1,19 @@
 #
 # Official policy for hardened OpenSSH on Ubuntu 20.04 LTS.
 #
 client policy = true
 name = "Hardened Ubuntu Client 20.04 LTS"
 version = 1
 # The host key types that must match exactly (order matters).
 host keys = ssh-ed25519, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512, rsa-sha2-512-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256, ext-info-c
 # The ciphers that must match exactly (order matters).
 ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
 # The MACs that must match exactly (order matters).
 macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
--- a/policies/ubuntu_server_16_04.txt
+++ b/policies/ubuntu_server_16_04.txt
@ -0,0 +1,24 @@
 #
 # Official policy for hardened OpenSSH on Ubuntu Server 16.04 LTS.
 #
 name = "Hardened Ubuntu Server 16.04 LTS"
 version = 1
 # Group exchange DH modulus sizes.
 dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
 # The host key types that must match exactly (order matters).
 host keys = ssh-ed25519
 # Host key types that may optionally appear.
 optional host keys = ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256
 # The ciphers that must match exactly (order matters).
 ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
 # The MACs that must match exactly (order matters).
 macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
--- a/policies/ubuntu_server_18_04.txt
+++ b/policies/ubuntu_server_18_04.txt
@ -0,0 +1,24 @@
 #
 # Official policy for hardened OpenSSH on Ubuntu Server 18.04 LTS.
 #
 name = "Hardened Ubuntu Server 18.04 LTS"
 version = 1
 # Group exchange DH modulus sizes.
 dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
 # The host key types that must match exactly (order matters).
 host keys = ssh-ed25519
 # Host key types that may optionally appear.
 optional host keys = ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
 # The ciphers that must match exactly (order matters).
 ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
 # The MACs that must match exactly (order matters).
 macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
--- a/policies/ubuntu_server_20_04.txt
+++ b/policies/ubuntu_server_20_04.txt
@ -0,0 +1,28 @@
 #
 # Official policy for hardened OpenSSH on Ubuntu Server 20.04 LTS.
 #
 name = "Hardened Ubuntu Server 20.04 LTS"
 version = 1
 # RSA host key sizes.
 hostkey_size_rsa-sha2-256 = 4096
 hostkey_size_rsa-sha2-512 = 4096
 # Group exchange DH modulus sizes.
 dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
 # The host key types that must match exactly (order matters).
 host keys = rsa-sha2-512, rsa-sha2-256, ssh-ed25519
 # Host key types that may optionally appear.
 optional host keys = sk-ssh-ed25519@openssh.com, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
 # The ciphers that must match exactly (order matters).
 ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
 # The MACs that must match exactly (order matters).
 macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
--- a/pypi/notes.txt
+++ b/pypi/notes.txt
@ -1,17 +0,0 @@
 To create package and upload to test server:
 # apt install virtualenv
 $ virtualenv -p /usr/bin/python3 pypi_upload
 $ cd pypi_upload; source bin/activate
 $ pip3 install twine
 $ cp -R path/to/ssh-audit .
 $ cd ssh-audit/pypi
 $ make
 $ make uploadtest
 To download from test server and verify:
 $ virtualenv -p /usr/bin/python3 pypi_test
 $ cd pypi_test; source bin/activate
 $ pip3 install --index-url https://test.pypi.org/simple ssh-audit
--- a/pypi/setup.py
+++ b/pypi/setup.py
@ -1,38 +0,0 @@
 # -*- coding: utf-8 -*-
 import re
 from setuptools import setup
 version = re.search('^VERSION\s*=\s*\'v(\d\.\d\.\d)\'', open('sshaudit/sshaudit.py').read(), re.M).group(1)
 print("\n\nPackaging ssh-audit v%s...\n\n" % version)
 with open("sshaudit/README.md", "rb") as f:
    long_descr = f.read().decode("utf-8")
 setup(
    name = "ssh-audit",
    packages = ["sshaudit"],
    license = 'MIT',
    entry_points = {
        "console_scripts": ['ssh-audit = sshaudit.sshaudit:main']
    },
    version = version,
    description = "An SSH server configuration security auditing tool",
    long_description = long_descr,
    long_description_content_type = "text/markdown",
    author = "Joe Testa",
    author_email = "jtesta@positronsecurity.com",
    url = "https://github.com/jtesta/ssh-audit",
    classifiers = [
        "Development Status :: 5 - Production/Stable",
        "Intended Audience :: Information Technology",
        "Intended Audience :: System Administrators",
        "License :: OSI Approved :: MIT License",
        "Operating System :: OS Independent",
        "Programming Language :: Python :: 3",
        "Topic :: Security",
        "Topic :: Security :: Cryptography"
    ])
--- a/ssh-audit.1
+++ b/ssh-audit.1
@ -0,0 +1,221 @@
 .TH SSH-AUDIT 1 "July 16, 2020"
 .SH NAME
 \fBssh-audit\fP \- SSH server & client configuration auditor
 .SH SYNOPSIS
 .B ssh-audit
 .RI [ options ] " <target_host>"
 .SH DESCRIPTION
 .PP
 \fBssh-audit\fP analyzes the configuration of SSH servers & clients, then warns the user of weak, obsolete, and/or un-tested cryptographic primitives.  It is very useful for hardening SSH tunnels, which by default tend to be optimized for compatibility, not security.
 .PP
 See <https://www.ssh\-audit.com/> for official hardening guides for common platforms.
 .SH OPTIONS
 .TP
 .B -h, \-\-help
 .br
 Print short summary of options.
 .TP
 .B -1, \-\-ssh1
 .br
 Only perform an audit using SSH protocol version 1.
 .TP
 .B -2, \-\-ssh2
 .br
 Only perform an audit using SSH protocol version 2.
 .TP
 .B -4, \-\-ipv4
 .br
 Prioritize the usage of IPv4.
 .TP
 .B -6, \-\-ipv6
 .br
 Prioritize the usage of IPv6.
 .TP
 .B -b, \-\-batch
 .br
 Enables grepable output.
 .TP
 .B -c, \-\-client\-audit
 .br
 Starts a server on port 2222 to audit client software configuration.  Use -p/--port=<port> to change port and -t/--timeout=<secs> to change listen timeout.
 .TP
 .B -j, \-\-json
 .br
 Output results in JSON format.
 .TP
 .B -l, \-\-level=<info|warn|fail>
 .br
 Specify the minimum output level.  Default is info.
 .TP
 .B -L, \-\-list-policies
 .br
 List all official, built-in policies for common systems.  Their file paths can then be provided using -P/--policy=<path/to/policy.txt>.
 .TP
 .B \-\-lookup=<alg1,alg2,...>
 .br
 Look up the security information of an algorithm(s) in the internal database.  Does not connect to a server.
 .TP
 .B -M, \-\-make-policy=<policy.txt>
 .br
 Creates a policy based on the target server.  Useful when other servers should be compared to the target server's custom configuration (i.e.: a cluster environment).  Note that the resulting policy can be edited manually.
 .TP
 .B -n, \-\-no-colors
 .br
 Disable color output.
 .TP
 .B -p, \-\-port=<port>
 .br
 The TCP port to connect to when auditing a server, or the port to listen on when auditing a client.
 .TP
 .B -P, \-\-policy=<policy.txt>
 .br
 Runs a policy audit against a target using the specified policy (see \fBPOLICY AUDIT\fP section for detailed description of this mode of operation).  Combine with -c/--client-audit to audit a client configuration instead of a server.  Use -L/--list-policies to list all official, built-in policies for common systems.
 .TP
 .B -t, \-\-timeout=<secs>
 .br
 The timeout, in seconds, for creating connections and reading data from the socket.  Default is 5.
 .TP
 .B -T, \-\-targets=<hosts.txt>
 .br
 A file containing a list of target hosts.  Each line must have one host, in the format of HOST[:PORT].
 .TP
 .B -v, \-\-verbose
 .br
 Enable verbose output.
 .SH STANDARD AUDIT
 .PP
 By default, \fBssh-audit\fP performs a standard audit.  That is, it enumerates all host key types, key exchanges, ciphers, MACs, and other information, then color-codes them in output to the user.  Cryptographic primitives with potential issues are displayed in yellow; primitives with serious flaws are displayed in red.
 .SH POLICY AUDIT
 .PP
 When the -P/--policy=<policy.txt> option is used, \fBssh-audit\fP performs a policy audit.  The target's host key types, key exchanges, ciphers, MACs, and other information is compared to a set of expected values defined in the specified policy file.  If everything matches, only a short message stating a passing result is reported.  Otherwise, the field(s) that did not match are reported.
 .PP
 Policy auditing is helpful for ensuring a group of related servers are properly hardened to an exact specification.
 .PP
 The set of official built-in policies can be viewed with -L/--list-policies.  Multiple servers can be audited with -T/--targets=<servers.txt>.  Custom policies can be made from an ideal target server with -M/--make-policy=<custom_policy.txt>.
 .SH EXAMPLES
 .LP
 Basic server auditing:
 .RS
 .nf
 ssh-audit localhost
 ssh-audit 127.0.0.1
 ssh-audit 127.0.0.1:222
 ssh-audit ::1
 ssh-audit [::1]:222
 .fi
 .RE
 .LP
 To run a standard audit against many servers (place targets into servers.txt, one on each line in the format of HOST[:PORT]):
 .RS
 .nf
 ssh-audit -T servers.txt
 .fi
 .RE
 .LP
 To audit a client configuration (listens on port 2222 by default; connect using "ssh anything@localhost"):
 .RS
 .nf
 ssh-audit -c
 .fi
 .RE
 .LP
 To audit a client configuration, with a listener on port 4567:
 .RS
 .nf
 ssh-audit -c -p 4567
 .fi
 .RE
 .LP
 To list all official built-in policies (hint: use resulting file paths with -P/--policy):
 .RS
 .nf
 ssh-audit -L
 .fi
 .RE
 .LP
 To run a policy audit against a server:
 .RS
 .nf
 ssh-audit -P path/to/server_policy targetserver
 .fi
 .RE
 .LP
 To run a policy audit against a client:
 .RS
 .nf
 ssh-audit -c -P path/to/client_policy
 .fi
 .RE
 .LP
 To run a policy audit against many servers:
 .RS
 .nf
 ssh-audit -T servers.txt -P path/to/server_policy
 .fi
 .RE
 .LP
 To create a policy based on a target server (which can be manually edited; see official built-in policies for syntax examples):
 .RS
 .nf
 ssh-audit -M new_policy.txt targetserver
 .fi
 .RE
 .SH RETURN VALUES
 When a successful connection is made and all algorithms are rated as "good", \fBssh-audit\fP returns 0.  Other possible return values are:
 .RS
 .nf
 1 = connection error
 2 = at least one algorithm warning was found
 3 = at least one algorithm failure was found
 <any other non-zero value> = unknown error
 .fi
 .RE
 .SH SSH HARDENING GUIDES
 Hardening guides for common platforms can be found at: <https://www.ssh\-audit.com/>
 .SH BUG REPORTS
 Please file bug reports as a Github Issue at: <https://github.com/jtesta/ssh\-audit/issues>
 .SH AUTHOR
 .LP
 \fBssh-audit\fP was originally written by Andris Raugulis <moo@arthepsy.eu>, and maintained from 2015 to 2017.
 .br
 .LP
 Maintainership was assumed and development was resumed in 2017 by Joe Testa <jtesta@positronsecurity.com>.
--- a/ssh-audit.py
+++ b/ssh-audit.py
--- a/test/conftest.py
+++ b/test/conftest.py
@ -1,5 +1,3 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 import os
 import io
 import sys
@ -7,13 +5,6 @@ import socket
 import pytest
 if sys.version_info[0] == 2:
 	import StringIO  # pylint: disable=import-error
 	StringIO = StringIO.StringIO
 else:
 	StringIO = io.StringIO
@pytest.fixture(scope='module')
 def ssh_audit():
    __rdir = os.path.join(os.path.dirname(os.path.abspath(__file__)), '..')
@ -24,7 +15,7 @@ def ssh_audit():
 # pylint: disable=attribute-defined-outside-init
 class _OutputSpy(list):
    def begin(self):
-		self.__out = StringIO()
+        self.__out = io.StringIO()
        self.__old_stdout = sys.stdout
        sys.stdout = self.__out
@ -40,7 +31,7 @@ def output_spy():
    return _OutputSpy()
-class _VirtualGlobalSocket(object):
+class _VirtualGlobalSocket:
    def __init__(self, vsocket):
        self.vsocket = vsocket
        self.addrinfodata = {}
@ -59,7 +50,7 @@ class _VirtualGlobalSocket(object):
        return self.vsocket
    def getaddrinfo(self, host, port, family=0, socktype=0, proto=0, flags=0):
-		key = '{0}#{1}'.format(host, port)
+        key = '{}#{}'.format(host, port)
        if key in self.addrinfodata:
            data = self.addrinfodata[key]
            if isinstance(data, Exception):
@ -75,7 +66,7 @@ class _VirtualGlobalSocket(object):
        return []
-class _VirtualSocket(object):
+class _VirtualSocket:
    def __init__(self):
        self.sock_address = ('127.0.0.1', 0)
        self.peer_address = None
@ -108,7 +99,7 @@ class _VirtualSocket(object):
    def getpeername(self):
        if self.peer_address is None or not self._connected:
-			raise socket.error(57, 'Socket is not connected')
+            raise OSError(57, 'Socket is not connected')
        return self.peer_address
    def getsockname(self):
@ -131,7 +122,7 @@ class _VirtualSocket(object):
    def recv(self, bufsize, flags=0):
        # pylint: disable=unused-argument
        if not self._connected:
-			raise socket.error(54, 'Connection reset by peer')
+            raise OSError(54, 'Connection reset by peer')
        if not len(self.rdata) > 0:
            return b''
        data = self.rdata.pop(0)
@ -141,7 +132,7 @@ class _VirtualSocket(object):
    def send(self, data):
        if self.peer_address is None or not self._connected:
-			raise socket.error(32, 'Broken pipe')
+            raise OSError(32, 'Broken pipe')
        self._check_err('send')
        self.sdata.append(data)
--- a/test/docker/expected_results/dropbear_2019.78_test1.txt
+++ b/test/docker/expected_results/dropbear_2019.78_test1.txt
@ -22,10 +22,11 @@
 [0;31m(key) ecdsa-sha2-nistp256            -- [fail] using weak elliptic curves[0m
 [0;33m                                     `- [warn] using weak random number generator could reveal the key[0m
                                     `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
-[0;31m(key) ssh-rsa (1024-bit)             -- [fail] using small 1024-bit modulus[0m
+[0;31m(key) ssh-rsa (1024-bit)             -- [fail] using weak hashing algorithm[0m
                                     `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
 [0;31m(key) ssh-dss                        -- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm[0m
 [0;33m                                     `- [warn] using small 1024-bit modulus[0m
                                     `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
 [0;31m(key) ssh-dss                        -- [fail] using small 1024-bit modulus[0m
 [0;31m                                     `- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm[0m
 [0;33m                                     `- [warn] using weak random number generator could reveal the key[0m
                                     `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
@ -63,7 +64,6 @@
 [0;32m(fin) ssh-rsa: SHA256:CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM[0m
 [0;36m# algorithm recommendations (for Dropbear SSH 2019.78)[0m
 [0;31m(rec) !ssh-rsa                       -- key algorithm to change (increase modulus size to 2048 bits or larger) [0m
 [0;31m(rec) -3des-cbc                      -- enc algorithm to remove [0m
 [0;31m(rec) -3des-ctr                      -- enc algorithm to remove [0m
 [0;31m(rec) -aes128-cbc                    -- enc algorithm to remove [0m
@ -71,7 +71,6 @@
 [0;31m(rec) -ecdh-sha2-nistp256            -- kex algorithm to remove [0m
 [0;31m(rec) -ecdh-sha2-nistp384            -- kex algorithm to remove [0m
 [0;31m(rec) -ecdh-sha2-nistp521            -- kex algorithm to remove [0m
 [0;31m(rec) -ecdsa-sha2-nistp256           -- key algorithm to remove [0m
 [0;31m(rec) -hmac-sha1-96                  -- mac algorithm to remove [0m
 [0;31m(rec) -ssh-dss                       -- key algorithm to remove [0m
 [0;32m(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append [0m
--- a/test/docker/expected_results/openssh_4.0p1_test1.txt
+++ b/test/docker/expected_results/openssh_4.0p1_test1.txt
@ -31,17 +31,18 @@
                                                    `- [info] available since OpenSSH 2.3.0
 [0;33m(kex) diffie-hellman-group14-sha1         -- [warn] using weak hashing algorithm[0m
                                          `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
-[0;31m(kex) diffie-hellman-group1-sha1          -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
+[0;31m(kex) diffie-hellman-group1-sha1          -- [fail] using small 1024-bit modulus[0m
 [0;31m                                          `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
 [0;31m                                          `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack[0m
 [0;33m                                          `- [warn] using small 1024-bit modulus[0m
 [0;33m                                          `- [warn] using weak hashing algorithm[0m
                                          `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
 [0;36m# host-key algorithms[0m
-[0;31m(key) ssh-rsa (1024-bit)                  -- [fail] using small 1024-bit modulus[0m
+[0;31m(key) ssh-rsa (1024-bit)                  -- [fail] using weak hashing algorithm[0m
                                          `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
 [0;31m(key) ssh-dss                             -- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm[0m
 [0;33m                                          `- [warn] using small 1024-bit modulus[0m
                                          `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
 [0;31m(key) ssh-dss                             -- [fail] using small 1024-bit modulus[0m
 [0;31m                                          `- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm[0m
 [0;33m                                          `- [warn] using weak random number generator could reveal the key[0m
                                          `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
@ -116,7 +117,6 @@
 [0;32m(fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4[0m
 [0;36m# algorithm recommendations (for OpenSSH 4.0)[0m
 [0;31m(rec) !ssh-rsa                            -- key algorithm to change (increase modulus size to 2048 bits or larger) [0m
 [0;31m(rec) -3des-cbc                           -- enc algorithm to remove [0m
 [0;31m(rec) -aes128-cbc                         -- enc algorithm to remove [0m
 [0;31m(rec) -aes192-cbc                         -- enc algorithm to remove [0m
--- a/test/docker/expected_results/openssh_5.6p1_policy_test1.json
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test1.json
@ -0,0 +1 @@
 {"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test1 (version 1)"}
--- a/test/docker/expected_results/openssh_5.6p1_policy_test1.txt
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test1.txt
@ -0,0 +1,3 @@
 Host:   localhost:2222
 Policy: Docker policy: test1 (version 1)
 Result: [0;32m✔ Passed[0m
--- a/test/docker/expected_results/openssh_5.6p1_policy_test10.json
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test10.json
@ -0,0 +1 @@
 {"errors": [{"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (ssh-rsa-cert-v01@openssh.com) sizes"}, {"actual": ["1024"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes"}], "host": "localhost", "passed": false, "policy": "Docker poliicy: test10 (version 1)"}
--- a/test/docker/expected_results/openssh_5.6p1_policy_test10.txt
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test10.txt
@ -0,0 +1,7 @@
 Host:   localhost:2222
 Policy: Docker poliicy: test10 (version 1)
 Result: [0;31m❌ Failed![0m
 [0;33m
 Errors:
  * RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 1024
  * RSA host key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 3072[0m
--- a/test/docker/expected_results/openssh_5.6p1_policy_test2.json
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test2.json
@ -0,0 +1 @@
 {"errors": [{"actual": ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"], "expected_optional": [""], "expected_required": ["kex_alg1", "kex_alg2"], "mismatched_field": "Key exchanges"}], "host": "localhost", "passed": false, "policy": "Docker policy: test2 (version 1)"}
--- a/test/docker/expected_results/openssh_5.6p1_policy_test2.txt
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test2.txt
@ -0,0 +1,6 @@
 Host:   localhost:2222
 Policy: Docker policy: test2 (version 1)
 Result: [0;31m❌ Failed![0m
 [0;33m
 Errors:
  * Key exchanges did not match. Expected: ['kex_alg1', 'kex_alg2']; Actual: ['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'][0m
--- a/test/docker/expected_results/openssh_5.6p1_policy_test3.json
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test3.json
@ -0,0 +1 @@
 {"errors": [{"actual": ["ssh-rsa", "ssh-dss"], "expected_optional": [""], "expected_required": ["ssh-rsa", "ssh-dss", "key_alg1"], "mismatched_field": "Host keys"}], "host": "localhost", "passed": false, "policy": "Docker policy: test3 (version 1)"}
--- a/test/docker/expected_results/openssh_5.6p1_policy_test3.txt
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test3.txt
@ -0,0 +1,6 @@
 Host:   localhost:2222
 Policy: Docker policy: test3 (version 1)
 Result: [0;31m❌ Failed![0m
 [0;33m
 Errors:
  * Host keys did not match. Expected: ['ssh-rsa', 'ssh-dss', 'key_alg1']; Actual: ['ssh-rsa', 'ssh-dss'][0m
--- a/test/docker/expected_results/openssh_5.6p1_policy_test4.json
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test4.json
@ -0,0 +1 @@
 {"errors": [{"actual": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "expected_optional": [""], "expected_required": ["cipher_alg1", "cipher_alg2"], "mismatched_field": "Ciphers"}], "host": "localhost", "passed": false, "policy": "Docker policy: test4 (version 1)"}
--- a/test/docker/expected_results/openssh_5.6p1_policy_test4.txt
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test4.txt
@ -0,0 +1,6 @@
 Host:   localhost:2222
 Policy: Docker policy: test4 (version 1)
 Result: [0;31m❌ Failed![0m
 [0;33m
 Errors:
  * Ciphers did not match. Expected: ['cipher_alg1', 'cipher_alg2']; Actual: ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour', 'rijndael-cbc@lysator.liu.se'][0m
--- a/test/docker/expected_results/openssh_5.6p1_policy_test5.json
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test5.json
@ -0,0 +1 @@
 {"errors": [{"actual": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"], "expected_optional": [""], "expected_required": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac_alg1", "hmac-md5-96"], "mismatched_field": "MACs"}], "host": "localhost", "passed": false, "policy": "Docker policy: test5 (version 1)"}
--- a/test/docker/expected_results/openssh_5.6p1_policy_test5.txt
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test5.txt
@ -0,0 +1,6 @@
 Host:   localhost:2222
 Policy: Docker policy: test5 (version 1)
 Result: [0;31m❌ Failed![0m
 [0;33m
 Errors:
  * MACs did not match. Expected: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac_alg1', 'hmac-md5-96']; Actual: ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'][0m
--- a/test/docker/expected_results/openssh_5.6p1_policy_test7.json
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test7.json
@ -0,0 +1 @@
 {"errors": [], "host": "localhost", "passed": true, "policy": "Docker poliicy: test7 (version 1)"}
--- a/test/docker/expected_results/openssh_5.6p1_policy_test7.txt
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test7.txt
@ -0,0 +1,3 @@
 Host:   localhost:2222
 Policy: Docker poliicy: test7 (version 1)
 Result: [0;32m✔ Passed[0m
--- a/test/docker/expected_results/openssh_5.6p1_policy_test8.json
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test8.json
@ -0,0 +1 @@
 {"errors": [{"actual": ["1024"], "expected_optional": [""], "expected_required": ["2048"], "mismatched_field": "RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes"}], "host": "localhost", "passed": false, "policy": "Docker poliicy: test8 (version 1)"}
--- a/test/docker/expected_results/openssh_5.6p1_policy_test8.txt
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test8.txt
@ -0,0 +1,6 @@
 Host:   localhost:2222
 Policy: Docker poliicy: test8 (version 1)
 Result: [0;31m❌ Failed![0m
 [0;33m
 Errors:
  * RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 2048; Actual: 1024[0m
--- a/test/docker/expected_results/openssh_5.6p1_policy_test9.json
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test9.json
@ -0,0 +1 @@
 {"errors": [{"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (ssh-rsa-cert-v01@openssh.com) sizes"}], "host": "localhost", "passed": false, "policy": "Docker poliicy: test9 (version 1)"}
--- a/test/docker/expected_results/openssh_5.6p1_policy_test9.txt
+++ b/test/docker/expected_results/openssh_5.6p1_policy_test9.txt
@ -0,0 +1,6 @@
 Host:   localhost:2222
 Policy: Docker poliicy: test9 (version 1)
 Result: [0;31m❌ Failed![0m
 [0;33m
 Errors:
  * RSA host key (ssh-rsa-cert-v01@openssh.com) sizes did not match. Expected: 4096; Actual: 3072[0m
--- a/test/docker/expected_results/openssh_5.6p1_test1.txt
+++ b/test/docker/expected_results/openssh_5.6p1_test1.txt
@ -25,17 +25,18 @@
                                                    `- [info] available since OpenSSH 2.3.0
 [0;33m(kex) diffie-hellman-group14-sha1           -- [warn] using weak hashing algorithm[0m
                                            `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
-[0;31m(kex) diffie-hellman-group1-sha1            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
+[0;31m(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus[0m
 [0;31m                                            `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
 [0;31m                                            `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack[0m
 [0;33m                                            `- [warn] using small 1024-bit modulus[0m
 [0;33m                                            `- [warn] using weak hashing algorithm[0m
                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
 [0;36m# host-key algorithms[0m
-[0;31m(key) ssh-rsa (1024-bit)                    -- [fail] using small 1024-bit modulus[0m
+[0;31m(key) ssh-rsa (1024-bit)                    -- [fail] using weak hashing algorithm[0m
                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
 [0;31m(key) ssh-dss                               -- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm[0m
 [0;33m                                            `- [warn] using small 1024-bit modulus[0m
                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
 [0;31m(key) ssh-dss                               -- [fail] using small 1024-bit modulus[0m
 [0;31m                                            `- [fail] removed (in server) and disabled (in client) since OpenSSH 7.0, weak algorithm[0m
 [0;33m                                            `- [warn] using weak random number generator could reveal the key[0m
                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
@ -122,7 +123,6 @@
 [0;36m# algorithm recommendations (for OpenSSH 5.6)[0m
 [0;31m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 2048 bits or larger) [0m
 [0;31m(rec) !ssh-rsa                              -- key algorithm to change (increase modulus size to 2048 bits or larger) [0m
 [0;31m(rec) -3des-cbc                             -- enc algorithm to remove [0m
 [0;31m(rec) -aes128-cbc                           -- enc algorithm to remove [0m
 [0;31m(rec) -aes192-cbc                           -- enc algorithm to remove [0m
--- a/test/docker/expected_results/openssh_5.6p1_test2.txt
+++ b/test/docker/expected_results/openssh_5.6p1_test2.txt
@ -25,14 +25,15 @@
                                                    `- [info] available since OpenSSH 2.3.0
 [0;33m(kex) diffie-hellman-group14-sha1           -- [warn] using weak hashing algorithm[0m
                                            `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
-[0;31m(kex) diffie-hellman-group1-sha1            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
+[0;31m(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus[0m
 [0;31m                                            `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
 [0;31m                                            `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack[0m
 [0;33m                                            `- [warn] using small 1024-bit modulus[0m
 [0;33m                                            `- [warn] using weak hashing algorithm[0m
                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
 [0;36m# host-key algorithms[0m
-[0;31m(key) ssh-rsa (1024-bit)                    -- [fail] using small 1024-bit modulus[0m
+[0;31m(key) ssh-rsa (1024-bit)                    -- [fail] using weak hashing algorithm[0m
 [0;33m                                            `- [warn] using small 1024-bit modulus[0m
                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
 [0;31m(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/1024-bit CA) -- [fail] using small 1024-bit modulus[0m
                                                               `- [info] available since OpenSSH 5.6
@ -120,7 +121,6 @@
 [0;36m# algorithm recommendations (for OpenSSH 5.6)[0m
 [0;31m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 2048 bits or larger) [0m
 [0;31m(rec) !ssh-rsa                              -- key algorithm to change (increase modulus size to 2048 bits or larger) [0m
 [0;31m(rec) !ssh-rsa-cert-v01@openssh.com         -- key algorithm to change (increase modulus size to 2048 bits or larger) [0m
 [0;31m(rec) -3des-cbc                             -- enc algorithm to remove [0m
 [0;31m(rec) -aes128-cbc                           -- enc algorithm to remove [0m
@ -139,6 +139,7 @@
 [0;31m(rec) -hmac-ripemd160@openssh.com           -- mac algorithm to remove [0m
 [0;31m(rec) -hmac-sha1-96                         -- mac algorithm to remove [0m
 [0;31m(rec) -rijndael-cbc@lysator.liu.se          -- enc algorithm to remove [0m
 [0;31m(rec) -ssh-rsa                              -- key algorithm to remove [0m
 [0;33m(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove [0m
 [0;36m# additional info[0m
--- a/test/docker/expected_results/openssh_5.6p1_test3.txt
+++ b/test/docker/expected_results/openssh_5.6p1_test3.txt
@ -25,14 +25,15 @@
                                                    `- [info] available since OpenSSH 2.3.0
 [0;33m(kex) diffie-hellman-group14-sha1           -- [warn] using weak hashing algorithm[0m
                                            `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
-[0;31m(kex) diffie-hellman-group1-sha1            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
+[0;31m(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus[0m
 [0;31m                                            `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
 [0;31m                                            `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack[0m
 [0;33m                                            `- [warn] using small 1024-bit modulus[0m
 [0;33m                                            `- [warn] using weak hashing algorithm[0m
                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
 [0;36m# host-key algorithms[0m
-[0;31m(key) ssh-rsa (1024-bit)                    -- [fail] using small 1024-bit modulus[0m
+[0;31m(key) ssh-rsa (1024-bit)                    -- [fail] using weak hashing algorithm[0m
 [0;33m                                            `- [warn] using small 1024-bit modulus[0m
                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
 [0;31m(key) ssh-rsa-cert-v01@openssh.com (1024-bit cert/3072-bit CA) -- [fail] using small 1024-bit modulus[0m
                                                               `- [info] available since OpenSSH 5.6
@ -120,7 +121,6 @@
 [0;36m# algorithm recommendations (for OpenSSH 5.6)[0m
 [0;31m(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 2048 bits or larger) [0m
 [0;31m(rec) !ssh-rsa                              -- key algorithm to change (increase modulus size to 2048 bits or larger) [0m
 [0;31m(rec) !ssh-rsa-cert-v01@openssh.com         -- key algorithm to change (increase modulus size to 2048 bits or larger) [0m
 [0;31m(rec) -3des-cbc                             -- enc algorithm to remove [0m
 [0;31m(rec) -aes128-cbc                           -- enc algorithm to remove [0m
@ -139,6 +139,7 @@
 [0;31m(rec) -hmac-ripemd160@openssh.com           -- mac algorithm to remove [0m
 [0;31m(rec) -hmac-sha1-96                         -- mac algorithm to remove [0m
 [0;31m(rec) -rijndael-cbc@lysator.liu.se          -- enc algorithm to remove [0m
 [0;31m(rec) -ssh-rsa                              -- key algorithm to remove [0m
 [0;33m(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove [0m
 [0;36m# additional info[0m
--- a/test/docker/expected_results/openssh_5.6p1_test4.txt
+++ b/test/docker/expected_results/openssh_5.6p1_test4.txt
@ -25,14 +25,15 @@
                                                    `- [info] available since OpenSSH 2.3.0
 [0;33m(kex) diffie-hellman-group14-sha1           -- [warn] using weak hashing algorithm[0m
                                            `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
-[0;31m(kex) diffie-hellman-group1-sha1            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
+[0;31m(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus[0m
 [0;31m                                            `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
 [0;31m                                            `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack[0m
 [0;33m                                            `- [warn] using small 1024-bit modulus[0m
 [0;33m                                            `- [warn] using weak hashing algorithm[0m
                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
 [0;36m# host-key algorithms[0m
-[0;32m(key) ssh-rsa (3072-bit)                    -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28[0m
+[0;31m(key) ssh-rsa (3072-bit)                    -- [fail] using weak hashing algorithm[0m
                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
 [0;31m(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/1024-bit CA) -- [fail] using small 1024-bit modulus[0m
                                                               `- [info] available since OpenSSH 5.6
@ -137,6 +138,7 @@
 [0;31m(rec) -hmac-ripemd160@openssh.com           -- mac algorithm to remove [0m
 [0;31m(rec) -hmac-sha1-96                         -- mac algorithm to remove [0m
 [0;31m(rec) -rijndael-cbc@lysator.liu.se          -- enc algorithm to remove [0m
 [0;31m(rec) -ssh-rsa                              -- key algorithm to remove [0m
 [0;33m(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove [0m
 [0;36m# additional info[0m
--- a/test/docker/expected_results/openssh_5.6p1_test5.txt
+++ b/test/docker/expected_results/openssh_5.6p1_test5.txt
@ -25,14 +25,15 @@
                                                    `- [info] available since OpenSSH 2.3.0
 [0;33m(kex) diffie-hellman-group14-sha1           -- [warn] using weak hashing algorithm[0m
                                            `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
-[0;31m(kex) diffie-hellman-group1-sha1            -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
+[0;31m(kex) diffie-hellman-group1-sha1            -- [fail] using small 1024-bit modulus[0m
 [0;31m                                            `- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm[0m
 [0;31m                                            `- [fail] disabled (in client) since OpenSSH 7.0, logjam attack[0m
 [0;33m                                            `- [warn] using small 1024-bit modulus[0m
 [0;33m                                            `- [warn] using weak hashing algorithm[0m
                                            `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
 [0;36m# host-key algorithms[0m
-[0;32m(key) ssh-rsa (3072-bit)                    -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28[0m
+[0;31m(key) ssh-rsa (3072-bit)                    -- [fail] using weak hashing algorithm[0m
                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
 [0;32m(key) ssh-rsa-cert-v01@openssh.com (3072-bit cert/3072-bit CA) -- [info] available since OpenSSH 5.6[0m
 [0;36m# encryption algorithms (ciphers)[0m
@ -135,6 +136,7 @@
 [0;31m(rec) -hmac-ripemd160@openssh.com           -- mac algorithm to remove [0m
 [0;31m(rec) -hmac-sha1-96                         -- mac algorithm to remove [0m
 [0;31m(rec) -rijndael-cbc@lysator.liu.se          -- enc algorithm to remove [0m
 [0;31m(rec) -ssh-rsa                              -- key algorithm to remove [0m
 [0;33m(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove [0m
 [0;36m# additional info[0m
--- a/test/docker/expected_results/openssh_8.0p1_policy_test11.json
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test11.json
@ -0,0 +1 @@
 {"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test11 (version 1)"}
--- a/test/docker/expected_results/openssh_8.0p1_policy_test11.txt
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test11.txt
@ -0,0 +1,3 @@
 Host:   localhost:2222
 Policy: Docker policy: test11 (version 1)
 Result: [0;32m✔ Passed[0m
--- a/test/docker/expected_results/openssh_8.0p1_policy_test12.json
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test12.json
@ -0,0 +1 @@
 {"errors": [{"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (rsa-sha2-256) sizes"}, {"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (rsa-sha2-512) sizes"}, {"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (ssh-rsa) sizes"}], "host": "localhost", "passed": false, "policy": "Docker policy: test12 (version 1)"}
--- a/test/docker/expected_results/openssh_8.0p1_policy_test12.txt
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test12.txt
@ -0,0 +1,8 @@
 Host:   localhost:2222
 Policy: Docker policy: test12 (version 1)
 Result: [0;31m❌ Failed![0m
 [0;33m
 Errors:
  * RSA host key (rsa-sha2-256) sizes did not match. Expected: 4096; Actual: 3072
  * RSA host key (rsa-sha2-512) sizes did not match. Expected: 4096; Actual: 3072
  * RSA host key (ssh-rsa) sizes did not match. Expected: 4096; Actual: 3072[0m
--- a/test/docker/expected_results/openssh_8.0p1_policy_test13.json
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test13.json
@ -0,0 +1 @@
 {"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test13 (version 1)"}
--- a/test/docker/expected_results/openssh_8.0p1_policy_test13.txt
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test13.txt
@ -0,0 +1,3 @@
 Host:   localhost:2222
 Policy: Docker policy: test13 (version 1)
 Result: [0;32m✔ Passed[0m
--- a/test/docker/expected_results/openssh_8.0p1_policy_test14.json
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test14.json
@ -0,0 +1 @@
 {"errors": [{"actual": ["2048"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes"}], "host": "localhost", "passed": false, "policy": "Docker policy: test14 (version 1)"}
--- a/test/docker/expected_results/openssh_8.0p1_policy_test14.txt
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test14.txt
@ -0,0 +1,6 @@
 Host:   localhost:2222
 Policy: Docker policy: test14 (version 1)
 Result: [0;31m❌ Failed![0m
 [0;33m
 Errors:
  * Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes did not match. Expected: 4096; Actual: 2048[0m
--- a/test/docker/expected_results/openssh_8.0p1_policy_test6.json
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test6.json
@ -0,0 +1 @@
 {"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test6 (version 1)"}
--- a/test/docker/expected_results/openssh_8.0p1_policy_test6.txt
+++ b/test/docker/expected_results/openssh_8.0p1_policy_test6.txt
@ -0,0 +1,3 @@
 Host:   localhost:2222
 Policy: Docker policy: test6 (version 1)
 Result: [0;32m✔ Passed[0m
--- a/test/docker/expected_results/openssh_8.0p1_test1.txt
+++ b/test/docker/expected_results/openssh_8.0p1_test1.txt
@ -23,7 +23,8 @@
 [0;36m# host-key algorithms[0m
 [0;32m(key) rsa-sha2-512 (3072-bit)               -- [info] available since OpenSSH 7.2[0m
 [0;32m(key) rsa-sha2-256 (3072-bit)               -- [info] available since OpenSSH 7.2[0m
-[0;32m(key) ssh-rsa (3072-bit)                    -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28[0m
+[0;31m(key) ssh-rsa (3072-bit)                    -- [fail] using weak hashing algorithm[0m
                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
 [0;31m(key) ecdsa-sha2-nistp256                   -- [fail] using weak elliptic curves[0m
 [0;33m                                            `- [warn] using weak random number generator could reveal the key[0m
                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
@ -68,6 +69,7 @@
 [0;31m(rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove [0m
 [0;31m(rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove [0m
 [0;31m(rec) -ecdsa-sha2-nistp256                  -- key algorithm to remove [0m
 [0;31m(rec) -ssh-rsa                              -- key algorithm to remove [0m
 [0;33m(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove [0m
 [0;33m(rec) -hmac-sha1                            -- mac algorithm to remove [0m
 [0;33m(rec) -hmac-sha1-etm@openssh.com            -- mac algorithm to remove [0m
--- a/test/docker/expected_results/openssh_8.0p1_test2.txt
+++ b/test/docker/expected_results/openssh_8.0p1_test2.txt
@ -63,7 +63,6 @@
 [0;31m(rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove [0m
 [0;32m(rec) +rsa-sha2-256                         -- key algorithm to append [0m
 [0;32m(rec) +rsa-sha2-512                         -- key algorithm to append [0m
 [0;32m(rec) +ssh-rsa                              -- key algorithm to append [0m
 [0;33m(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove [0m
 [0;33m(rec) -hmac-sha1                            -- mac algorithm to remove [0m
 [0;33m(rec) -hmac-sha1-etm@openssh.com            -- mac algorithm to remove [0m
--- a/test/docker/expected_results/openssh_8.0p1_test3.txt
+++ b/test/docker/expected_results/openssh_8.0p1_test3.txt
@ -35,5 +35,4 @@
 [0;32m(rec) +diffie-hellman-group18-sha512        -- kex algorithm to append [0m
 [0;32m(rec) +rsa-sha2-256                         -- key algorithm to append [0m
 [0;32m(rec) +rsa-sha2-512                         -- key algorithm to append [0m
 [0;32m(rec) +ssh-rsa                              -- key algorithm to append [0m
--- a/test/docker/policies/policy_test1.txt
+++ b/test/docker/policies/policy_test1.txt
@ -0,0 +1,10 @@
 #
 # Docker policy: test1
 #
 name = "Docker policy: test1"
 version = 1
 host keys = ssh-rsa, ssh-dss
 key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
 ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
 macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
--- a/test/docker/policies/policy_test10.txt
+++ b/test/docker/policies/policy_test10.txt
@ -0,0 +1,39 @@
 #
 # Docker policy: test10
 #
 # The name of this policy (displayed in the output during scans).  Must be in quotes.
 name = "Docker poliicy: test10"
 # The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
 version = 1
 # The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
 # banner = "SSH-2.0-OpenSSH_5.6"
 # The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
 # header = "[]"
 # The compression options that must match exactly (order matters).  Commented out to ignore by default.
 # compressions = none, zlib@openssh.com
 # RSA host key sizes.
 hostkey_size_rsa-sha2-256 = 3072
 hostkey_size_rsa-sha2-512 = 3072
 hostkey_size_ssh-rsa = 3072
 hostkey_size_ssh-rsa-cert-v01@openssh.com = 4096
 # RSA CA key sizes.
 cakey_size_ssh-rsa-cert-v01@openssh.com = 4096
 # The host key types that must match exactly (order matters).
 host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
 # The ciphers that must match exactly (order matters).
 ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
 # The MACs that must match exactly (order matters).
 macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
--- a/test/docker/policies/policy_test11.txt
+++ b/test/docker/policies/policy_test11.txt
@ -0,0 +1,35 @@
 #
 # Docker policy: test11
 #
 # The name of this policy (displayed in the output during scans).  Must be in quotes.
 name = "Docker policy: test11"
 # The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
 version = 1
 # The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
 # banner = "SSH-2.0-OpenSSH_8.0"
 # The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
 # header = "[]"
 # The compression options that must match exactly (order matters).  Commented out to ignore by default.
 # compressions = none, zlib@openssh.com
 # RSA host key sizes.
 hostkey_size_rsa-sha2-256 = 3072
 hostkey_size_rsa-sha2-512 = 3072
 hostkey_size_ssh-rsa = 3072
 # The host key types that must match exactly (order matters).
 host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
 # The ciphers that must match exactly (order matters).
 ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
 # The MACs that must match exactly (order matters).
 macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
--- a/test/docker/policies/policy_test12.txt
+++ b/test/docker/policies/policy_test12.txt
@ -0,0 +1,35 @@
 #
 # Docker policy: test12
 #
 # The name of this policy (displayed in the output during scans).  Must be in quotes.
 name = "Docker policy: test12"
 # The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
 version = 1
 # The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
 # banner = "SSH-2.0-OpenSSH_8.0"
 # The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
 # header = "[]"
 # The compression options that must match exactly (order matters).  Commented out to ignore by default.
 # compressions = none, zlib@openssh.com
 # RSA host key sizes.
 hostkey_size_rsa-sha2-256 = 4096
 hostkey_size_rsa-sha2-512 = 4096
 hostkey_size_ssh-rsa = 4096
 # The host key types that must match exactly (order matters).
 host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
 # The ciphers that must match exactly (order matters).
 ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
 # The MACs that must match exactly (order matters).
 macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
--- a/test/docker/policies/policy_test13.txt
+++ b/test/docker/policies/policy_test13.txt
@ -0,0 +1,38 @@
 #
 # Docker policy: test13
 #
 # The name of this policy (displayed in the output during scans).  Must be in quotes.
 name = "Docker policy: test13"
 # The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
 version = 1
 # The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
 # banner = "SSH-2.0-OpenSSH_8.0"
 # The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
 # header = "[]"
 # The compression options that must match exactly (order matters).  Commented out to ignore by default.
 # compressions = none, zlib@openssh.com
 # RSA host key sizes.
 hostkey_size_rsa-sha2-256 = 3072
 hostkey_size_rsa-sha2-512 = 3072
 hostkey_size_ssh-rsa = 3072
 # Group exchange DH modulus sizes.
 dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
 # The host key types that must match exactly (order matters).
 host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
 # The ciphers that must match exactly (order matters).
 ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
 # The MACs that must match exactly (order matters).
 macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
--- a/test/docker/policies/policy_test14.txt
+++ b/test/docker/policies/policy_test14.txt
@ -0,0 +1,38 @@
 #
 # Docker policy: test14
 #
 # The name of this policy (displayed in the output during scans).  Must be in quotes.
 name = "Docker policy: test14"
 # The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
 version = 1
 # The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
 # banner = "SSH-2.0-OpenSSH_8.0"
 # The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
 # header = "[]"
 # The compression options that must match exactly (order matters).  Commented out to ignore by default.
 # compressions = none, zlib@openssh.com
 # RSA host key sizes.
 hostkey_size_rsa-sha2-256 = 3072
 hostkey_size_rsa-sha2-512 = 3072
 hostkey_size_ssh-rsa = 3072
 # Group exchange DH modulus sizes.
 dh_modulus_size_diffie-hellman-group-exchange-sha256 = 4096
 # The host key types that must match exactly (order matters).
 host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
 # The ciphers that must match exactly (order matters).
 ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
 # The MACs that must match exactly (order matters).
 macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
--- a/test/docker/policies/policy_test2.txt
+++ b/test/docker/policies/policy_test2.txt
@ -0,0 +1,10 @@
 #
 # Docker policy: test2
 #
 name = "Docker policy: test2"
 version = 1
 host keys = ssh-rsa, ssh-dss
 key exchanges = kex_alg1, kex_alg2
 ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
 macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
--- a/test/docker/policies/policy_test3.txt
+++ b/test/docker/policies/policy_test3.txt
@ -0,0 +1,10 @@
 #
 # Docker policy: test3
 #
 name = "Docker policy: test3"
 version = 1
 host keys = ssh-rsa, ssh-dss, key_alg1
 key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
 ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
 macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
--- a/test/docker/policies/policy_test4.txt
+++ b/test/docker/policies/policy_test4.txt
@ -0,0 +1,10 @@
 #
 # Docker policy: test4
 #
 name = "Docker policy: test4"
 version = 1
 host keys = ssh-rsa, ssh-dss
 key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
 ciphers = cipher_alg1, cipher_alg2
 macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
--- a/test/docker/policies/policy_test5.txt
+++ b/test/docker/policies/policy_test5.txt
@ -0,0 +1,10 @@
 #
 # Docker policy: test5
 #
 name = "Docker policy: test5"
 version = 1
 host keys = ssh-rsa, ssh-dss
 key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
 ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
 macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac_alg1, hmac-md5-96
--- a/test/docker/policies/policy_test6.txt
+++ b/test/docker/policies/policy_test6.txt
@ -0,0 +1,12 @@
 #
 # Docker policy: test6
 #
 name = "Docker policy: test6"
 version = 1
 banner = "SSH-2.0-OpenSSH_8.0"
 compressions = none, zlib@openssh.com
 host keys = rsa-sha2-512, rsa-sha2-256, ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519
 key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
 ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
 macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
--- a/test/docker/policies/policy_test7.txt
+++ b/test/docker/policies/policy_test7.txt
@ -0,0 +1,39 @@
 #
 # Docker policy: test7
 #
 # The name of this policy (displayed in the output during scans).  Must be in quotes.
 name = "Docker poliicy: test7"
 # The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
 version = 1
 # The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
 # banner = "SSH-2.0-OpenSSH_5.6"
 # The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
 # header = "[]"
 # The compression options that must match exactly (order matters).  Commented out to ignore by default.
 # compressions = none, zlib@openssh.com
 # RSA host key sizes.
 hostkey_size_rsa-sha2-256 = 3072
 hostkey_size_rsa-sha2-512 = 3072
 hostkey_size_ssh-rsa = 3072
 hostkey_size_ssh-rsa-cert-v01@openssh.com = 3072
 # RSA CA key sizes.
 cakey_size_ssh-rsa-cert-v01@openssh.com = 1024
 # The host key types that must match exactly (order matters).
 host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
 # The ciphers that must match exactly (order matters).
 ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
 # The MACs that must match exactly (order matters).
 macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
--- a/test/docker/policies/policy_test8.txt
+++ b/test/docker/policies/policy_test8.txt
@ -0,0 +1,39 @@
 #
 # Docker policy: test8
 #
 # The name of this policy (displayed in the output during scans).  Must be in quotes.
 name = "Docker poliicy: test8"
 # The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
 version = 1
 # The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
 # banner = "SSH-2.0-OpenSSH_5.6"
 # The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
 # header = "[]"
 # The compression options that must match exactly (order matters).  Commented out to ignore by default.
 # compressions = none, zlib@openssh.com
 # RSA host key sizes.
 hostkey_size_rsa-sha2-256 = 3072
 hostkey_size_rsa-sha2-512 = 3072
 hostkey_size_ssh-rsa = 3072
 hostkey_size_ssh-rsa-cert-v01@openssh.com = 3072
 # RSA CA key sizes.
 cakey_size_ssh-rsa-cert-v01@openssh.com = 2048
 # The host key types that must match exactly (order matters).
 host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
 # The ciphers that must match exactly (order matters).
 ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
 # The MACs that must match exactly (order matters).
 macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
--- a/test/docker/policies/policy_test9.txt
+++ b/test/docker/policies/policy_test9.txt
@ -0,0 +1,39 @@
 #
 # Docker policy: test9
 #
 # The name of this policy (displayed in the output during scans).  Must be in quotes.
 name = "Docker poliicy: test9"
 # The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.
 version = 1
 # The banner that must match exactly.  Commented out to ignore banners, since minor variability in the banner is sometimes normal.
 # banner = "SSH-2.0-OpenSSH_5.6"
 # The header that must match exactly.  Commented out to ignore headers, since variability in the header is sometimes normal.
 # header = "[]"
 # The compression options that must match exactly (order matters).  Commented out to ignore by default.
 # compressions = none, zlib@openssh.com
 # RSA host key sizes.
 hostkey_size_rsa-sha2-256 = 3072
 hostkey_size_rsa-sha2-512 = 3072
 hostkey_size_ssh-rsa = 3072
 hostkey_size_ssh-rsa-cert-v01@openssh.com = 4096
 # RSA CA key sizes.
 cakey_size_ssh-rsa-cert-v01@openssh.com = 1024
 # The host key types that must match exactly (order matters).
 host keys = ssh-rsa, ssh-rsa-cert-v01@openssh.com
 # The key exchange algorithms that must match exactly (order matters).
 key exchanges = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
 # The ciphers that must match exactly (order matters).
 ciphers = aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se
 # The MACs that must match exactly (order matters).
 macs = hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96
--- a/test/test_auditconf.py
+++ b/test/test_auditconf.py
@ -1,10 +1,8 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 import pytest
 # pylint: disable=attribute-defined-outside-init
-class TestAuditConf(object):
+class TestAuditConf:
    @pytest.fixture(autouse=True)
    def init(self, ssh_audit):
        self.AuditConf = ssh_audit.AuditConf
@ -13,7 +11,7 @@ class TestAuditConf(object):
    @staticmethod
    def _test_conf(conf, **kwargs):
        options = {
-			'host': None,
+            'host': '',
            'port': 22,
            'ssh1': True,
            'ssh2': True,
@ -156,17 +154,15 @@ class TestAuditConf(object):
        self._test_conf(conf, host='2001:4860:4860::8888', port=2222)
        conf = c('-p 2222 2001:4860:4860::8888')
        self._test_conf(conf, host='2001:4860:4860::8888', port=2222)
-		with pytest.raises(SystemExit):
+        with pytest.raises(ValueError):
 			conf = c('localhost:')
 		with pytest.raises(SystemExit):
            conf = c('localhost:abc')
        with pytest.raises(SystemExit):
            conf = c('-p abc localhost')
-		with pytest.raises(SystemExit):
+        with pytest.raises(ValueError):
            conf = c('localhost:-22')
        with pytest.raises(SystemExit):
            conf = c('-p -22 localhost')
-		with pytest.raises(SystemExit):
+        with pytest.raises(ValueError):
            conf = c('localhost:99999')
        with pytest.raises(SystemExit):
            conf = c('-p 99999 localhost')
--- a/test/test_banner.py
+++ b/test/test_banner.py
@ -1,10 +1,8 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 import pytest
 # pylint: disable=line-too-long,attribute-defined-outside-init
-class TestBanner(object):
+class TestBanner:
    @pytest.fixture(autouse=True)
    def init(self, ssh_audit):
        self.ssh = ssh_audit.SSH
--- a/test/test_buffer.py
+++ b/test/test_buffer.py
@ -1,11 +1,9 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 import re
 import pytest
 # pylint: disable=attribute-defined-outside-init,bad-whitespace
-class TestBuffer(object):
+class TestBuffer:
    @pytest.fixture(autouse=True)
    def init(self, ssh_audit):
        self.rbuf = ssh_audit.ReadBuf
@ -61,7 +59,7 @@ class TestBuffer(object):
    def test_string(self):
        w = lambda x: self.wbuf().write_string(x).write_flush()  # noqa
        r = lambda x: self.rbuf(x).read_string()  # noqa
-		tc = [(u'abc1',  '00 00 00 04 61 62 63 31'),
+        tc = [('abc1',  '00 00 00 04 61 62 63 31'),
              (b'abc2',  '00 00 00 04 61 62 63 32')]
        for p in tc:
            v = p[0]
@ -87,7 +85,7 @@ class TestBuffer(object):
    def test_line(self):
        w = lambda x: self.wbuf().write_line(x).write_flush()  # noqa
        r = lambda x: self.rbuf(x).read_line()  # noqa
-		tc = [(u'example line', '65 78 61 6d 70 6c 65 20 6c 69 6e 65 0d 0a')]
+        tc = [('example line', '65 78 61 6d 70 6c 65 20 6c 69 6e 65 0d 0a')]
        for p in tc:
            assert w(p[0]) == self._b(p[1])
            assert r(self._b(p[1])) == p[0]
--- a/test/test_build_struct.py
+++ b/test/test_build_struct.py
@ -0,0 +1,41 @@
 import os
 import pytest
@pytest.fixture
 def kex(ssh_audit):
    kex_algs, key_algs = [], []
    enc, mac, compression, languages = [], [], ['none'], []
    cli = ssh_audit.SSH2.KexParty(enc, mac, compression, languages)
    enc, mac, compression, languages = [], [], ['none'], []
    srv = ssh_audit.SSH2.KexParty(enc, mac, compression, languages)
    cookie = os.urandom(16)
    kex = ssh_audit.SSH2.Kex(cookie, kex_algs, key_algs, cli, srv, 0)
    return kex
 def test_prevent_runtime_error_regression(ssh_audit, kex):
    """Prevent a regression of https://github.com/jtesta/ssh-audit/issues/41
    The following test setup does not contain any sensible data.
    It was made up to reproduce a situation when there are several host
    keys, and an error occurred when iterating and modifying them at the
    same time.
    """
    kex.set_host_key("ssh-rsa", b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00")
    kex.set_host_key("ssh-rsa1", b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00")
    kex.set_host_key("ssh-rsa2", b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00")
    kex.set_host_key("ssh-rsa3", b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00")
    kex.set_host_key("ssh-rsa4", b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00")
    kex.set_host_key("ssh-rsa5", b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00")
    kex.set_host_key("ssh-rsa6", b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00")
    kex.set_host_key("ssh-rsa7", b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00")
    kex.set_host_key("ssh-rsa8", b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00")
    rv = ssh_audit.build_struct(banner=None, kex=kex)
    assert len(rv["fingerprints"]) == 9
    for key in ['banner', 'compression', 'enc', 'fingerprints', 'kex', 'key', 'mac']:
        assert key in rv
--- a/test/test_errors.py
+++ b/test/test_errors.py
@ -1,12 +1,10 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 import socket
 import errno
 import pytest
 # pylint: disable=attribute-defined-outside-init
-class TestErrors(object):
+class TestErrors:
    @pytest.fixture(autouse=True)
    def init(self, ssh_audit):
        self.AuditConf = ssh_audit.AuditConf
@ -18,41 +16,43 @@ class TestErrors(object):
        conf.batch = True
        return conf
-	def _audit(self, spy, conf=None, sysexit=True):
+    def _audit(self, spy, conf=None, exit_expected=False):
        if conf is None:
            conf = self._conf()
        spy.begin()
-		if sysexit:
+
        if exit_expected:
            with pytest.raises(SystemExit):
                self.audit(conf)
        else:
-			self.audit(conf)
+            ret = self.audit(conf)
            assert ret != 0
        lines = spy.flush()
        return lines
    def test_connection_unresolved(self, output_spy, virtual_socket):
        vsocket = virtual_socket
        vsocket.gsock.addrinfodata['localhost#22'] = []
-		lines = self._audit(output_spy)
+        lines = self._audit(output_spy, exit_expected=True)
        assert len(lines) == 1
        assert 'has no DNS records' in lines[-1]
    def test_connection_refused(self, output_spy, virtual_socket):
        vsocket = virtual_socket
        vsocket.errors['connect'] = socket.error(errno.ECONNREFUSED, 'Connection refused')
-		lines = self._audit(output_spy)
+        lines = self._audit(output_spy, exit_expected=True)
        assert len(lines) == 1
        assert 'Connection refused' in lines[-1]
    def test_connection_timeout(self, output_spy, virtual_socket):
        vsocket = virtual_socket
        vsocket.errors['connect'] = socket.timeout('timed out')
-		lines = self._audit(output_spy)
+        lines = self._audit(output_spy, exit_expected=True)
        assert len(lines) == 1
        assert 'timed out' in lines[-1]
    def test_recv_empty(self, output_spy, virtual_socket):
 		vsocket = virtual_socket
        lines = self._audit(output_spy)
        assert len(lines) == 1
        assert 'did not receive banner' in lines[-1]
--- a/test/test_output.py
+++ b/test/test_output.py
@ -1,11 +1,8 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 from __future__ import print_function
 import pytest
 # pylint: disable=attribute-defined-outside-init
-class TestOutput(object):
+class TestOutput:
    @pytest.fixture(autouse=True)
    def init(self, ssh_audit):
        self.Output = ssh_audit.Output
@ -25,17 +22,17 @@ class TestOutput(object):
    def test_output_buffer_no_flush(self, output_spy):
        output_spy.begin()
        with self.OutputBuffer():
-			print(u'abc')
+            print('abc')
        assert output_spy.flush() == []
    def test_output_buffer_flush(self, output_spy):
        output_spy.begin()
        with self.OutputBuffer() as obuf:
-			print(u'abc')
+            print('abc')
            print()
-			print(u'def')
+            print('def')
        obuf.flush()
-		assert output_spy.flush() == [u'abc', u'', u'def']
+        assert output_spy.flush() == ['abc', '', 'def']
    def test_output_defaults(self):
        out = self.Output()
@ -50,38 +47,38 @@ class TestOutput(object):
        out.use_colors = False
        output_spy.begin()
        out.info('info color')
-		assert output_spy.flush() == [u'info color']
+        assert output_spy.flush() == ['info color']
        output_spy.begin()
        out.head('head color')
-		assert output_spy.flush() == [u'head color']
+        assert output_spy.flush() == ['head color']
        output_spy.begin()
        out.good('good color')
-		assert output_spy.flush() == [u'good color']
+        assert output_spy.flush() == ['good color']
        output_spy.begin()
        out.warn('warn color')
-		assert output_spy.flush() == [u'warn color']
+        assert output_spy.flush() == ['warn color']
        output_spy.begin()
        out.fail('fail color')
-		assert output_spy.flush() == [u'fail color']
+        assert output_spy.flush() == ['fail color']
        if not out.colors_supported:
            return
        # test with colors
        out.use_colors = True
        output_spy.begin()
        out.info('info color')
-		assert output_spy.flush() == [u'info color']
+        assert output_spy.flush() == ['info color']
        output_spy.begin()
        out.head('head color')
-		assert output_spy.flush() == [u'\x1b[0;36mhead color\x1b[0m']
+        assert output_spy.flush() == ['\x1b[0;36mhead color\x1b[0m']
        output_spy.begin()
        out.good('good color')
-		assert output_spy.flush() == [u'\x1b[0;32mgood color\x1b[0m']
+        assert output_spy.flush() == ['\x1b[0;32mgood color\x1b[0m']
        output_spy.begin()
        out.warn('warn color')
-		assert output_spy.flush() == [u'\x1b[0;33mwarn color\x1b[0m']
+        assert output_spy.flush() == ['\x1b[0;33mwarn color\x1b[0m']
        output_spy.begin()
        out.fail('fail color')
-		assert output_spy.flush() == [u'\x1b[0;31mfail color\x1b[0m']
+        assert output_spy.flush() == ['\x1b[0;31mfail color\x1b[0m']
    def test_output_sep(self, output_spy):
        out = self.Output()
@ -89,7 +86,7 @@ class TestOutput(object):
        out.sep()
        out.sep()
        out.sep()
-		assert output_spy.flush() == [u'', u'', u'']
+        assert output_spy.flush() == ['', '', '']
    def test_output_levels(self):
        out = self.Output()
--- a/test/test_policy.py
+++ b/test/test_policy.py
@ -0,0 +1,337 @@
 import hashlib
 import pytest
 from datetime import date
 class TestPolicy:
    @pytest.fixture(autouse=True)
    def init(self, ssh_audit):
        self.Policy = ssh_audit.Policy
        self.wbuf = ssh_audit.WriteBuf
        self.ssh2 = ssh_audit.SSH2
    def _get_kex(self):
        '''Returns an SSH2.Kex object to simulate a server connection.'''
        w = self.wbuf()
        w.write(b'\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff')
        w.write_list(['kex_alg1', 'kex_alg2'])
        w.write_list(['key_alg1', 'key_alg2'])
        w.write_list(['cipher_alg1', 'cipher_alg2', 'cipher_alg3'])
        w.write_list(['cipher_alg1', 'cipher_alg2', 'cipher_alg3'])
        w.write_list(['mac_alg1', 'mac_alg2', 'mac_alg3'])
        w.write_list(['mac_alg1', 'mac_alg2', 'mac_alg3'])
        w.write_list(['comp_alg1', 'comp_alg2'])
        w.write_list(['comp_alg1', 'comp_alg2'])
        w.write_list([''])
        w.write_list([''])
        w.write_byte(False)
        w.write_int(0)
        return self.ssh2.Kex.parse(w.write_flush())
    def test_policy_basic(self):
        '''Ensure that a basic policy can be parsed correctly.'''
        policy_data = '''# This is a comment
 name = "Test Policy"
 version = 1
 compressions = comp_alg1
 host keys = key_alg1
 key exchanges = kex_alg1, kex_alg2
 ciphers = cipher_alg1, cipher_alg2, cipher_alg3
 macs = mac_alg1, mac_alg2, mac_alg3'''
        policy = self.Policy(policy_data=policy_data)
        assert str(policy) == "Name: [Test Policy]\nVersion: [1]\nBanner: {undefined}\nCompressions: comp_alg1\nHost Keys: key_alg1\nKey Exchanges: kex_alg1, kex_alg2\nCiphers: cipher_alg1, cipher_alg2, cipher_alg3\nMACs: mac_alg1, mac_alg2, mac_alg3"
    def test_policy_invalid_1(self):
        '''Basic policy, but with 'ciphersx' instead of 'ciphers'.'''
        policy_data = '''# This is a comment
 name = "Test Policy"
 version = 1
 compressions = comp_alg1
 host keys = key_alg1
 key exchanges = kex_alg1, kex_alg2
 ciphersx = cipher_alg1, cipher_alg2, cipher_alg3
 macs = mac_alg1, mac_alg2, mac_alg3'''
        failed = False
        try:
            self.Policy(policy_data=policy_data)
        except ValueError:
            failed = True
        assert failed, "Invalid policy did not cause Policy object to throw exception"
    def test_policy_invalid_2(self):
        '''Basic policy, but is missing the required name field.'''
        policy_data = '''# This is a comment
 #name = "Test Policy"
 version = 1
 compressions = comp_alg1
 host keys = key_alg1
 key exchanges = kex_alg1, kex_alg2
 ciphers = cipher_alg1, cipher_alg2, cipher_alg3
 macs = mac_alg1, mac_alg2, mac_alg3'''
        failed = False
        try:
            self.Policy(policy_data=policy_data)
        except ValueError:
            failed = True
        assert failed, "Invalid policy did not cause Policy object to throw exception"
    def test_policy_invalid_3(self):
        '''Basic policy, but is missing the required version field.'''
        policy_data = '''# This is a comment
 name = "Test Policy"
 #version = 1
 compressions = comp_alg1
 host keys = key_alg1
 key exchanges = kex_alg1, kex_alg2
 ciphers = cipher_alg1, cipher_alg2, cipher_alg3
 macs = mac_alg1, mac_alg2, mac_alg3'''
        failed = False
        try:
            self.Policy(policy_data=policy_data)
        except ValueError:
            failed = True
        assert failed, "Invalid policy did not cause Policy object to throw exception"
    def test_policy_invalid_4(self):
        '''Basic policy, but is missing quotes in the name field.'''
        policy_data = '''# This is a comment
 name = Test Policy
 version = 1
 compressions = comp_alg1
 host keys = key_alg1
 key exchanges = kex_alg1, kex_alg2
 ciphers = cipher_alg1, cipher_alg2, cipher_alg3
 macs = mac_alg1, mac_alg2, mac_alg3'''
        failed = False
        try:
            self.Policy(policy_data=policy_data)
        except ValueError:
            failed = True
        assert failed, "Invalid policy did not cause Policy object to throw exception"
    def test_policy_invalid_5(self):
        '''Basic policy, but is missing quotes in the banner field.'''
        policy_data = '''# This is a comment
 name = "Test Policy"
 version = 1
 banner = 0mg
 compressions = comp_alg1
 host keys = key_alg1
 key exchanges = kex_alg1, kex_alg2
 ciphers = cipher_alg1, cipher_alg2, cipher_alg3
 macs = mac_alg1, mac_alg2, mac_alg3'''
        failed = False
        try:
            self.Policy(policy_data=policy_data)
        except ValueError:
            failed = True
        assert failed, "Invalid policy did not cause Policy object to throw exception"
    def test_policy_invalid_6(self):
        '''Basic policy, but is missing quotes in the header field.'''
        policy_data = '''# This is a comment
 name = "Test Policy"
 version = 1
 header = 0mg
 compressions = comp_alg1
 host keys = key_alg1
 key exchanges = kex_alg1, kex_alg2
 ciphers = cipher_alg1, cipher_alg2, cipher_alg3
 macs = mac_alg1, mac_alg2, mac_alg3'''
        failed = False
        try:
            self.Policy(policy_data=policy_data)
        except ValueError:
            failed = True
        assert failed, "Invalid policy did not cause Policy object to throw exception"
    def test_policy_create_1(self):
        '''Creates a policy from a kex and ensures it is generated exactly as expected.'''
        kex = self._get_kex()
        pol_data = self.Policy.create('www.l0l.com', 'bannerX', kex, False)
        # Today's date is embedded in the policy, so filter it out to get repeatable results.
        pol_data = pol_data.replace(date.today().strftime('%Y/%m/%d'), '[todays date]')
        # Instead of writing out the entire expected policy--line by line--just check that it has the expected hash.
        assert hashlib.sha256(pol_data.encode('ascii')).hexdigest() == '4af7777fb57a1dad0cf438c899a11d4f625fd9276ea3bb5ef5c9fe8806cb47dc'
    def test_policy_evaluate_passing_1(self):
        '''Creates a policy and evaluates it against the same server'''
        kex = self._get_kex()
        policy_data = self.Policy.create('www.l0l.com', None, kex, False)
        policy = self.Policy(policy_data=policy_data)
        ret, errors, error_str = policy.evaluate('SSH Server 1.0', kex)
        assert ret is True
        assert len(errors) == 0
        print(error_str)
        assert len(error_str) == 0
    def test_policy_evaluate_failing_1(self):
        '''Ensure that a policy with a specified banner fails against a server with a different banner'''
        policy_data = '''name = "Test Policy"
 version = 1
 banner = "XXX mismatched banner XXX"
 compressions = comp_alg1, comp_alg2
 host keys = key_alg1, key_alg2
 key exchanges = kex_alg1, kex_alg2
 ciphers = cipher_alg1, cipher_alg2, cipher_alg3
 macs = mac_alg1, mac_alg2, mac_alg3'''
        policy = self.Policy(policy_data=policy_data)
        ret, errors, error_str = policy.evaluate('SSH Server 1.0', self._get_kex())
        assert ret is False
        assert len(errors) == 1
        assert error_str.find('Banner did not match.') != -1
    def test_policy_evaluate_failing_2(self):
        '''Ensure that a mismatched compressions list results in a failure'''
        policy_data = '''name = "Test Policy"
 version = 1
 compressions = XXXmismatchedXXX, comp_alg1, comp_alg2
 host keys = key_alg1, key_alg2
 key exchanges = kex_alg1, kex_alg2
 ciphers = cipher_alg1, cipher_alg2, cipher_alg3
 macs = mac_alg1, mac_alg2, mac_alg3'''
        policy = self.Policy(policy_data=policy_data)
        ret, errors, error_str = policy.evaluate('SSH Server 1.0', self._get_kex())
        assert ret is False
        assert len(errors) == 1
        assert error_str.find('Compression did not match.') != -1
    def test_policy_evaluate_failing_3(self):
        '''Ensure that a mismatched host keys results in a failure'''
        policy_data = '''name = "Test Policy"
 version = 1
 compressions = comp_alg1, comp_alg2
 host keys = XXXmismatchedXXX, key_alg1, key_alg2
 key exchanges = kex_alg1, kex_alg2
 ciphers = cipher_alg1, cipher_alg2, cipher_alg3
 macs = mac_alg1, mac_alg2, mac_alg3'''
        policy = self.Policy(policy_data=policy_data)
        ret, errors, error_str = policy.evaluate('SSH Server 1.0', self._get_kex())
        assert ret is False
        assert len(errors) == 1
        assert error_str.find('Host keys did not match.') != -1
    def test_policy_evaluate_failing_4(self):
        '''Ensure that a mismatched key exchange list results in a failure'''
        policy_data = '''name = "Test Policy"
 version = 1
 compressions = comp_alg1, comp_alg2
 host keys = key_alg1, key_alg2
 key exchanges = XXXmismatchedXXX, kex_alg1, kex_alg2
 ciphers = cipher_alg1, cipher_alg2, cipher_alg3
 macs = mac_alg1, mac_alg2, mac_alg3'''
        policy = self.Policy(policy_data=policy_data)
        ret, errors, error_str = policy.evaluate('SSH Server 1.0', self._get_kex())
        assert ret is False
        assert len(errors) == 1
        assert error_str.find('Key exchanges did not match.') != -1
    def test_policy_evaluate_failing_5(self):
        '''Ensure that a mismatched cipher list results in a failure'''
        policy_data = '''name = "Test Policy"
 version = 1
 compressions = comp_alg1, comp_alg2
 host keys = key_alg1, key_alg2
 key exchanges = kex_alg1, kex_alg2
 ciphers = cipher_alg1, XXXmismatched, cipher_alg2, cipher_alg3
 macs = mac_alg1, mac_alg2, mac_alg3'''
        policy = self.Policy(policy_data=policy_data)
        ret, errors, error_str = policy.evaluate('SSH Server 1.0', self._get_kex())
        assert ret is False
        assert len(errors) == 1
        assert error_str.find('Ciphers did not match.') != -1
    def test_policy_evaluate_failing_6(self):
        '''Ensure that a mismatched MAC list results in a failure'''
        policy_data = '''name = "Test Policy"
 version = 1
 compressions = comp_alg1, comp_alg2
 host keys = key_alg1, key_alg2
 key exchanges = kex_alg1, kex_alg2
 ciphers = cipher_alg1, cipher_alg2, cipher_alg3
 macs = mac_alg1, mac_alg2, XXXmismatched, mac_alg3'''
        policy = self.Policy(policy_data=policy_data)
        ret, errors, error_str = policy.evaluate('SSH Server 1.0', self._get_kex())
        assert ret is False
        assert len(errors) == 1
        assert error_str.find('MACs did not match.') != -1
    def test_policy_evaluate_failing_7(self):
        '''Ensure that a mismatched host keys and MACs results in a failure'''
        policy_data = '''name = "Test Policy"
 version = 1
 compressions = comp_alg1, comp_alg2
 host keys = key_alg1, key_alg2, XXXmismatchedXXX
 key exchanges = kex_alg1, kex_alg2
 ciphers = cipher_alg1, cipher_alg2, cipher_alg3
 macs = mac_alg1, mac_alg2, XXXmismatchedXXX, mac_alg3'''
        policy = self.Policy(policy_data=policy_data)
        ret, errors, error_str = policy.evaluate('SSH Server 1.0', self._get_kex())
        assert ret is False
        assert len(errors) == 2
        assert error_str.find('Host keys did not match.') != -1
        assert error_str.find('MACs did not match.') != -1
--- a/test/test_resolve.py
+++ b/test/test_resolve.py
@ -1,11 +1,9 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 import socket
 import pytest
 # pylint: disable=attribute-defined-outside-init,protected-access
-class TestResolve(object):
+class TestResolve:
    @pytest.fixture(autouse=True)
    def init(self, ssh_audit):
        self.AuditConf = ssh_audit.AuditConf
@ -25,7 +23,7 @@ class TestResolve(object):
        conf = self._conf()
        output_spy.begin()
        with pytest.raises(SystemExit):
-			r = list(s._resolve(conf.ipvo))
+            list(s._resolve(conf.ipvo))
        lines = output_spy.flush()
        assert len(lines) == 1
        assert 'hostname nor servname provided' in lines[-1]
@ -40,7 +38,6 @@ class TestResolve(object):
        assert len(r) == 0
    def test_resolve_ipv4(self, virtual_socket):
 		vsocket = virtual_socket
        conf = self._conf()
        conf.ipv4 = True
        s = self.ssh.Socket('localhost', 22)
@ -49,7 +46,6 @@ class TestResolve(object):
        assert r[0] == (socket.AF_INET, ('127.0.0.1', 22))
    def test_resolve_ipv6(self, virtual_socket):
 		vsocket = virtual_socket
        s = self.ssh.Socket('localhost', 22)
        conf = self._conf()
        conf.ipv6 = True
@ -58,7 +54,6 @@ class TestResolve(object):
        assert r[0] == (socket.AF_INET6, ('::1', 22))
    def test_resolve_ipv46_both(self, virtual_socket):
 		vsocket = virtual_socket
        s = self.ssh.Socket('localhost', 22)
        conf = self._conf()
        r = list(s._resolve(conf.ipvo))
@ -67,7 +62,6 @@ class TestResolve(object):
        assert r[1] == (socket.AF_INET6, ('::1', 22))
    def test_resolve_ipv46_order(self, virtual_socket):
 		vsocket = virtual_socket
        s = self.ssh.Socket('localhost', 22)
        conf = self._conf()
        conf.ipv4 = True
--- a/test/test_socket.py
+++ b/test/test_socket.py
@ -1,28 +1,25 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 import socket
 import pytest
 # pylint: disable=attribute-defined-outside-init
-class TestSocket(object):
+class TestSocket:
    @pytest.fixture(autouse=True)
    def init(self, ssh_audit):
        self.ssh = ssh_audit.SSH
    def test_invalid_host(self, virtual_socket):
        with pytest.raises(ValueError):
-			s = self.ssh.Socket(None, 22)
+            self.ssh.Socket(None, 22)
    def test_invalid_port(self, virtual_socket):
        with pytest.raises(ValueError):
-			s = self.ssh.Socket('localhost', 'abc')
+            self.ssh.Socket('localhost', 'abc')
        with pytest.raises(ValueError):
-			s = self.ssh.Socket('localhost', -1)
+            self.ssh.Socket('localhost', -1)
        with pytest.raises(ValueError):
-			s = self.ssh.Socket('localhost', 0)
+            self.ssh.Socket('localhost', 0)
        with pytest.raises(ValueError):
-			s = self.ssh.Socket('localhost', 65536)
+            self.ssh.Socket('localhost', 65536)
    def test_not_connected_socket(self, virtual_socket):
        sock = self.ssh.Socket('localhost', 22)
--- a/test/test_software.py
+++ b/test/test_software.py
@ -1,10 +1,8 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 import pytest
 # pylint: disable=line-too-long,attribute-defined-outside-init
-class TestSoftware(object):
+class TestSoftware:
    @pytest.fixture(autouse=True)
    def init(self, ssh_audit):
        self.ssh = ssh_audit.SSH
--- a/test/test_ssh1.py
+++ b/test/test_ssh1.py
@ -1,11 +1,9 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 import struct
 import pytest
 # pylint: disable=line-too-long,attribute-defined-outside-init
-class TestSSH1(object):
+class TestSSH1:
    @pytest.fixture(autouse=True)
    def init(self, ssh_audit):
        self.ssh = ssh_audit.SSH
@ -135,8 +133,8 @@ class TestSSH1(object):
        vsocket.rdata.append(b'SSH-1.5-OpenSSH_7.2 ssh-audit-test\r\n')
        vsocket.rdata.append(self._create_ssh1_packet(w.write_flush()))
        output_spy.begin()
-		with pytest.raises(SystemExit):
+        ret = self.audit(self._conf())
-			self.audit(self._conf())
+        assert ret != 0
        lines = output_spy.flush()
        assert len(lines) == 7
        assert 'unknown message' in lines[-1]
--- a/Show More
+++ b/Show More
		`@ -0,0 +1 @@`
							`{"errors": [], "host": "localhost", "passed": true, "policy": "Docker policy: test1 (version 1)"}`
		`@ -0,0 +1 @@`
							`{"errors": [{"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (ssh-rsa-cert-v01@openssh.com) sizes"}, {"actual": ["1024"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes"}], "host": "localhost", "passed": false, "policy": "Docker poliicy: test10 (version 1)"}`
		`@ -0,0 +1 @@`
							`{"errors": [{"actual": ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"], "expected_optional": [""], "expected_required": ["kex_alg1", "kex_alg2"], "mismatched_field": "Key exchanges"}], "host": "localhost", "passed": false, "policy": "Docker policy: test2 (version 1)"}`
		`@ -0,0 +1 @@`
							`{"errors": [{"actual": ["ssh-rsa", "ssh-dss"], "expected_optional": [""], "expected_required": ["ssh-rsa", "ssh-dss", "key_alg1"], "mismatched_field": "Host keys"}], "host": "localhost", "passed": false, "policy": "Docker policy: test3 (version 1)"}`
		`@ -0,0 +1 @@`
							`{"errors": [{"actual": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "rijndael-cbc@lysator.liu.se"], "expected_optional": [""], "expected_required": ["cipher_alg1", "cipher_alg2"], "mismatched_field": "Ciphers"}], "host": "localhost", "passed": false, "policy": "Docker policy: test4 (version 1)"}`
		`@ -0,0 +1 @@`
							`{"errors": [{"actual": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"], "expected_optional": [""], "expected_required": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160", "hmac-ripemd160@openssh.com", "hmac_alg1", "hmac-md5-96"], "mismatched_field": "MACs"}], "host": "localhost", "passed": false, "policy": "Docker policy: test5 (version 1)"}`
		`@ -0,0 +1 @@`
							`{"errors": [{"actual": ["1024"], "expected_optional": [""], "expected_required": ["2048"], "mismatched_field": "RSA CA key (ssh-rsa-cert-v01@openssh.com) sizes"}], "host": "localhost", "passed": false, "policy": "Docker poliicy: test8 (version 1)"}`
		`@ -0,0 +1 @@`
							{"errors": [{"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (rsa-sha2-256) sizes"}, {"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (rsa-sha2-512) sizes"}, {"actual": ["3072"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "RSA host key (ssh-rsa) sizes"}], "host": "localhost", "passed": false, "policy": "Docker policy: test12 (version 1)"}
		`@ -0,0 +1 @@`
							`{"errors": [{"actual": ["2048"], "expected_optional": [""], "expected_required": ["4096"], "mismatched_field": "Group exchange (diffie-hellman-group-exchange-sha256) modulus sizes"}], "host": "localhost", "passed": false, "policy": "Docker policy: test14 (version 1)"}`