
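  require 'socket'

  module CryptCheck
    module Ssh
      # Connects to one SSH endpoint, performs the identification exchange and
      # records the algorithm lists returned by Packet.read_kex_init.
      #
      # The rating tables below map an algorithm name to the colour used when
      # logging it (:green, :yellow, :red, or nil for no colour). A name that is
      # missing from a table also maps to nil, so an unknown algorithm is logged
      # exactly like a neutral one.
      class Server
        # Seconds allowed for the TCP connect. It is passed as connect_timeout
        # only; NOTE(review): the reads after the connect have no deadline in
        # this class - confirm the caller or Packet enforces one.
        TCP_TIMEOUT = 10
        # Upper bound on a single line read before the key exchange. RFC 4253
        # section 4.2 caps the identification string at 255 bytes; the bound is
        # looser so that longer pre-banner lines are still tolerated.
        BANNER_LINE_LIMIT = 1024
        # Upper bound on the number of lines read while waiting for "SSH-".
        BANNER_MAX_LINES = 64
        private_constant :BANNER_LINE_LIMIT, :BANNER_MAX_LINES

        attr_reader :ip, :port, :hostname, :kex, :encryption, :hmac, :compression, :key

        KEX = {
          'curve25519-sha256@libssh.org' => :green,
          'ecdh-sha2-nistp521' => nil, # NIST
          'ecdh-sha2-nistp384' => nil, # NIST
          'ecdh-sha2-nistp256' => nil, # NIST
          'diffie-hellman-group-exchange-sha256' => :green, # DLP (PFS)
          'diffie-hellman-group-exchange-sha1' => :yellow, # DLP (PFS)
          'diffie-hellman-group14-sha1' => :yellow, # 2048 bits < 3072 bits
          'diffie-hellman-group1-sha1' => :red # 1024-bit MODP group (Oakley Group 2, RFC 4253 section 8.1)
        }.freeze

        ENCRYPTION = {
          'chacha20-poly1305@openssh.com' => :green,
          'aes256-gcm@openssh.com' => :green,
          'aes128-gcm@openssh.com' => :green,
          'aes256-ctr' => nil, # CTR < GCM
          'aes192-ctr' => nil, # CTR < GCM
          'aes128-ctr' => nil, # CTR < GCM
          'aes256-cbc' => :yellow, # CBC
          'aes192-cbc' => :yellow, # CBC
          'aes128-cbc' => :yellow, # CBC
          'blowfish-cbc' => :yellow, # CBC
          'cast128-cbc' => :yellow, # CBC
          '3des-cbc' => :red, # 3DES
          'arcfour' => :red, # RC4
          'arcfour128' => :red, # RC4
          'arcfour256' => :red # RC4
        }.freeze

        HMAC = {
          'hmac-sha2-512-etm@openssh.com' => :green,
          'hmac-sha2-256-etm@openssh.com' => :green,
          'hmac-sha2-512' => nil,
          'hmac-sha2-256' => nil,
          'hmac-sha1-etm@openssh.com' => :green,
          'hmac-sha1' => nil,
          'hmac-sha1-96-etm@openssh.com' => :red, # EXPORT (tag truncated to 96 bits)
          'hmac-sha1-96' => :red, # EXPORT (tag truncated to 96 bits)
          'hmac-ripemd160-etm@openssh.com' => :green,
          'hmac-ripemd160' => nil,
          'hmac-md5-etm@openssh.com' => :red, # MD5
          'hmac-md5' => :red, # MD5
          'hmac-md5-96-etm@openssh.com' => :red, # MD5 + EXPORT
          'hmac-md5-96' => :red, # MD5 + EXPORT
          'umac-128-etm@openssh.com' => :green,
          'umac-128@openssh.com' => nil,
          'umac-64-etm@openssh.com' => :red, # < 128 bits
          'umac-64@openssh.com' => :red # < 128 bits
        }.freeze

        COMPRESSION = {
          'none' => nil,
          'zlib@openssh.com' => nil
        }.freeze

        KEY = {
          'ssh-ed25519' => :green,
          'ssh-ed25519-cert-v01@openssh.com' => :green,
          'ecdsa-sha2-nistp256' => nil, # NIST
          'ecdsa-sha2-nistp384' => nil, # NIST
          'ecdsa-sha2-nistp521' => nil, # NIST
          'ssh-rsa' => :yellow, # RSA
          'ssh-dss' => :red, # DSA
          'ecdsa-sha2-nistp256-cert-v01@openssh.com' => nil, # NIST
          'ecdsa-sha2-nistp384-cert-v01@openssh.com' => nil, # NIST
          'ecdsa-sha2-nistp521-cert-v01@openssh.com' => nil, # NIST
          'ssh-rsa-cert-v01@openssh.com' => :yellow, # RSA
          'ssh-rsa-cert-v00@openssh.com' => :yellow, # RSA
          'ssh-dss-cert-v01@openssh.com' => :red, # DSA
          'ssh-dss-cert-v00@openssh.com' => :red # DSA
        }.freeze

        # Opens the connection, exchanges identification strings, reads the
        # server's KEXINIT through Packet.read_kex_init and logs every
        # advertised algorithm with the colour from the matching table.
        #
        # @param hostname [String, nil] name shown in the log; may be nil
        # @param _ unused positional argument, kept for the caller's signature
        # @param ip [String] address to connect to
        # @param port [Integer] TCP port, 22 by default
        # @raise [StandardError] any failure is logged at debug level and re-raised
        def initialize(hostname, _, ip, port=22)
          @ip, @port, @hostname = ip, port, hostname
          Logger.info { name.colorize :blue }

          kex = ::Socket.tcp ip, port, connect_timeout: TCP_TIMEOUT do |socket|
            read_banner socket
            socket.write "SSH-2.0-CryptCheck\r\n"
            Packet.read_kex_init socket
          end
          @kex, @encryption, @hmac, @compression, @key = kex[:kex], kex[:encryption], kex[:mac], kex[:compression], kex[:host_key]

          # The names below come from the remote server.
          # NOTE(review): they are interpolated into log lines verbatim -
          # confirm Packet rejects non-printable bytes, or sanitise them before
          # they reach a terminal.
          log_algorithms 'Key exchange', @kex, KEX
          log_algorithms 'Encryption', @encryption, ENCRYPTION
          log_algorithms 'HMAC', @hmac, HMAC
          log_algorithms 'Compression', @compression
          log_algorithms 'Key type', @key, KEY
        rescue => e
          Logger.debug { "SSH not supported : #{e}" }
          raise
        end

        private

        # Reads lines until the server's identification string ("SSH-...").
        #
        # RFC 4253 section 4.2 lets a server send other lines before its
        # identification string, so lines that do not start with "SSH-" are
        # skipped. Both the length of each line and the number of lines are
        # bounded because the peer is untrusted and an unbounded readline would
        # buffer whatever it sends.
        #
        # @param socket [#readline] connected socket
        # @return [String] the identification line, terminator included
        # @raise [IOError] on an unterminated or over-long line, or when no
        #   identification string arrives within BANNER_MAX_LINES lines
        # @raise [EOFError] when the peer closes the connection first
        def read_banner(socket)
          BANNER_MAX_LINES.times do
            line = socket.readline "\n", BANNER_LINE_LIMIT
            raise IOError, 'unterminated or over-long line before SSH key exchange' unless line.end_with? "\n"
            return line if line.start_with? 'SSH-'
          end
          raise IOError, 'no SSH identification string received'
        end

        # Logs an empty separator line, then one line per algorithm name.
        # With a ratings table the name is colourised by its rating; without
        # one (compression) the name is logged as is.
        def log_algorithms(label, names, ratings = nil)
          Logger.info { '' }
          names.each do |algorithm|
            Logger.info { "#{label} : #{ratings ? algorithm.colorize(ratings[algorithm]) : algorithm}" }
          end
        end

        # Label for the target: "host:port [ip]" when a hostname was given,
        # otherwise "ip:port".
        def name
          return "#{@ip}:#{@port}" unless @hostname
          "#{@hostname}:#{@port} [#{@ip}]"
        end
      end
    end
  end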