Browse Source

Change SSH preferences

See ANSSI report http://www.ssi.gouv.fr/uploads/2014/01/NT_OpenSSH.pdf
master
Aeris 4 years ago
parent
commit
78aba5a9f8
1 changed files with 51 additions and 51 deletions
  1. 51
    51
      lib/cryptcheck/ssh/server.rb

+ 51
- 51
lib/cryptcheck/ssh/server.rb View File

@@ -19,52 +19,52 @@ module CryptCheck

KEX = {
'curve25519-sha256@libssh.org' => :green,
'diffie-hellman-group1-sha1' => :yellow,
'diffie-hellman-group14-sha1' => :yellow,
'diffie-hellman-group-exchange-sha1' => :yellow,
'diffie-hellman-group-exchange-sha256' => :green,
'ecdh-sha2-nistp256' => :yellow,
'ecdh-sha2-nistp384' => :yellow,
'ecdh-sha2-nistp521' => :yellow
'ecdh-sha2-nistp521' => nil, # NIST
'ecdh-sha2-nistp384' => nil, # NIST
'ecdh-sha2-nistp256' => nil, # NIST
'diffie-hellman-group-exchange-sha256' => :green, # DLP (PFS)
'diffie-hellman-group-exchange-sha1' => :yellow, # DLP (PFS)
'diffie-hellman-group14-sha1' => :yellow, # 2048 bits < 3072 bits
'diffie-hellman-group1-sha1' => :red # 768 bits < 1024 bits
}

ENCRYPTION = {
'3des-cbc' => :red,
'aes128-cbc' => :yellow,
'aes192-cbc' => :yellow,
'aes256-cbc' => :yellow,
'aes128-ctr' => :yellow,
'aes192-ctr' => :yellow,
'aes256-ctr' => :yellow,
'aes128-gcm@openssh.com' => :green,
'chacha20-poly1305@openssh.com' => :green,
'aes256-gcm@openssh.com' => :green,
'arcfour' => :red,
'arcfour128' => :red,
'arcfour256' => :red,
'blowfish-cbc' => :yellow,
'cast128-cbc' => nil,
'chacha20-poly1305@openssh.com' => :green
'aes128-gcm@openssh.com' => :green,
'aes256-ctr' => nil, # CTR < GCM
'aes192-ctr' => nil, # CTR < GCM
'aes128-ctr' => nil, # CTR < GCM
'aes256-cbc' => :yellow, # CBC
'aes192-cbc' => :yellow, # CBC
'aes128-cbc' => :yellow, # CBC
'blowfish-cbc' => :yellow, # CBC
'cast128-cbc' => :yellow, # CBC
'3des-cbc' => :red, # 3DES
'arcfour' => :red, # RC4
'arcfour128' => :red, # RC4
'arcfour256' => :red # RC4
}

HMAC = {
'hmac-md5' => :red,
'hmac-md5-96' => :red,
'hmac-ripemd160' => :green,
'hmac-sha1' => :yellow,
'hmac-sha1-96' => :red,
'hmac-sha2-256' => :green,
'hmac-sha2-512' => :green,
'umac-64@openssh.com' => :red,
'umac-128@openssh.com' => nil,
'hmac-md5-etm@openssh.com' => :red,
'hmac-md5-96-etm@openssh.com' => :red,
'hmac-ripemd160-etm@openssh.com' => :green,
'hmac-sha1-etm@openssh.com' => :yellow,
'hmac-sha1-96-etm@openssh.com' => :red,
'hmac-sha2-256-etm@openssh.com' => :green,
'hmac-sha2-512-etm@openssh.com' => :green,
'umac-64-etm@openssh.com' => :red,
'umac-128-etm@openssh.com' => nil
'hmac-sha2-256-etm@openssh.com' => :green,
'hmac-sha2-512' => nil,
'hmac-sha2-256' => nil,
'hmac-sha1-etm@openssh.com' => :green,
'hmac-sha1' => nil,
'hmac-sha1-96-etm@openssh.com' => :red, # EXPORT
'hmac-sha1-96' => :red, # EXPORT
'hmac-ripemd160-etm@openssh.com' => :green,
'hmac-ripemd160' => nil,
'hmac-md5-etm@openssh.com' => :red, # MD5
'hmac-md5' => :red, # MD5
'hmac-md5-96-etm@openssh.com' => :red, # MD5 + EXPORT
'hmac-md5-96' => :red, # MD5 + EXPORT
'umac-128-etm@openssh.com' => :green,
'umac-128@openssh.com' => nil,
'umac-64-etm@openssh.com' => :red, # < 128 bits
'umac-64@openssh.com' => :red # < 128 bits
}

COMPRESSION = {
@@ -73,20 +73,20 @@ module CryptCheck
}

KEY = {
'ecdsa-sha2-nistp256-cert-v01@openssh.com' => :yellow,
'ecdsa-sha2-nistp384-cert-v01@openssh.com' => :yellow,
'ecdsa-sha2-nistp521-cert-v01@openssh.com' => :yellow,
'ssh-ed25519-cert-v01@openssh.com' => :green,
'ssh-rsa-cert-v01@openssh.com' => :yellow,
'ssh-dss-cert-v01@openssh.com' => :red,
'ssh-rsa-cert-v00@openssh.com' => :yellow,
'ssh-dss-cert-v00@openssh.com' => :red,
'ecdsa-sha2-nistp256' => :yellow,
'ecdsa-sha2-nistp384' => :yellow,
'ecdsa-sha2-nistp521' => :yellow,
'ssh-ed25519' => :green,
'ssh-rsa' => :yellow,
'ssh-dss' => :red
'ssh-ed25519-cert-v01@openssh.com' => :green,
'ecdsa-sha2-nistp256' => nil, # NIST
'ecdsa-sha2-nistp384' => nil, # NIST
'ecdsa-sha2-nistp521' => nil, # NIST
'ssh-rsa' => :yellow, # RSA
'ssh-dss' => :red, # DSA
'ecdsa-sha2-nistp256-cert-v01@openssh.com' => nil, # NIST
'ecdsa-sha2-nistp384-cert-v01@openssh.com' => nil, # NIST
'ecdsa-sha2-nistp521-cert-v01@openssh.com' => nil, # NIST
'ssh-rsa-cert-v01@openssh.com' => :yellow, # RSA
'ssh-rsa-cert-v00@openssh.com' => :yellow, # RSA
'ssh-dss-cert-v01@openssh.com' => :red, # DSA
'ssh-dss-cert-v00@openssh.com' => :red, # DSA
}

def initialize(hostname, port)

Loading…
Cancel
Save