SSH-audit is a standalone open source tool for auditing SSH server configurations and recommending fixes. It has no dependencies beyond Python itself and runs wherever Python is available.
It supports OpenSSH, Dropbear SSH and libssh, and reports every detail of the tested SSH server, including the algorithms it offers and the security information that applies to them.
“For each algorithm, it will state the security level (warning or failure), reasoning behind the assigned state, and historic information about the algorithm’s availability. The security section will show assigned CVEs and any other relevant information for recognized software and specific versions. Taking into account the recognized version, the tool will recommend the removal or addition of specific algorithms,” SSH-audit creator Andris Raugulis explains.
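To show what such an audit does under the hood, here is an added example (not ssh-audit's own code, and not the project's algorithm database): it parses the server's identification banner and an SSH_MSG_KEXINIT packet as laid out in RFC 4253, grades each offered key exchange, host key, cipher and MAC against a small hand-picked policy table, and derives a removal recommendation from the failures. The policy entries, the field names, and the sample banner and algorithm lists are assumptions constructed for the demonstration; a real auditor would track far more algorithms and tie them to recognised versions.

```python
"""Added illustration of an SSH algorithm audit: parse the banner and the
KEXINIT name-lists (RFC 4253), grade the offered algorithms, recommend removals.
Not ssh-audit's code; the policy table is an assumed, hand-picked subset."""
import re
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists inside SSH_MSG_KEXINIT (RFC 4253, section 7.1).
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

# Assumed policy (level, reason); a real tool keeps a much larger table.
ALGORITHM_POLICY = {
    "diffie-hellman-group1-sha1": ("fail", "1024-bit MODP group and SHA-1"),
    "diffie-hellman-group14-sha1": ("warn", "SHA-1 hash in key exchange"),
    "ssh-dss": ("fail", "1024-bit DSA host keys"),
    "arcfour": ("fail", "RC4 stream cipher"),
    "3des-cbc": ("warn", "64-bit block cipher in CBC mode"),
    "hmac-md5": ("fail", "MD5-based MAC"),
    "hmac-sha1": ("warn", "SHA-1-based MAC"),
}

BANNER_RE = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")
SOFTWARE_RE = re.compile(r"^(?P<name>[A-Za-z]+)[_-](?P<version>.+)$")


def parse_banner(line):
    """'SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2' -> protocol, software, version, comment."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    sw = SOFTWARE_RE.match(m.group("software"))  # also fits dropbear_X and libssh-X
    return {"protocol": m.group("proto"),
            "software": sw.group("name") if sw else m.group("software"),
            "version": sw.group("version") if sw else "",
            "comment": m.group("comment") or ""}


def _read_name_list(buf, off):
    """Read one RFC 4251 name-list: uint32 length, then comma-separated ASCII."""
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return [s for s in raw.decode("ascii").split(",") if s], off + 4 + n


def parse_kexinit(payload):
    """Decode a KEXINIT payload: id byte, 16-byte cookie, 10 name-lists, boolean."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, fields = 17, {}
    for f in KEXINIT_FIELDS:
        fields[f], off = _read_name_list(payload, off)
    fields["first_kex_packet_follows"] = payload[off] != 0
    return fields


def build_kexinit(lists, cookie=bytes(16)):
    """Encode a KEXINIT payload; used here only to construct the offline sample."""
    out = bytearray([SSH_MSG_KEXINIT]) + cookie
    for f in KEXINIT_FIELDS:
        s = ",".join(lists.get(f, ())).encode("ascii")
        out += struct.pack(">I", len(s)) + s
    return bytes(out + b"\x00" + struct.pack(">I", 0))  # boolean + reserved


def grade(section, name):
    """(level, reason) for one algorithm; 'ok' when no rule applies."""
    if name in ALGORITHM_POLICY:
        return ALGORITHM_POLICY[name]
    if section.startswith("enc") and name.endswith("-cbc"):
        return ("warn", "CBC mode cipher")
    return ("ok", "")


def audit(fields):
    """Grade every kex, host-key, cipher and MAC the server offers."""
    findings = []
    for section in KEXINIT_FIELDS[:6]:
        for name in fields[section]:
            level, reason = grade(section, name)
            if level != "ok":
                findings.append((section, name, level, reason))
    return findings


def recommend_removals(findings):
    """Names graded 'fail', deduplicated and sorted, as the removal advice."""
    return sorted({name for _, name, level, _ in findings if level == "fail"})


# Constructed sample (not a real capture): an older OpenSSH-style offer.
SAMPLE_BANNER = "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8"
_CIPHERS = ["aes128-ctr", "aes256-gcm@openssh.com", "aes128-cbc", "3des-cbc", "arcfour"]
_MACS = ["hmac-sha2-256", "hmac-sha1", "hmac-md5"]
SAMPLE_LISTS = {
    "kex": ["curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "host_key": ["ssh-rsa", "ssh-dss", "ssh-ed25519"],
    "enc_c2s": _CIPHERS, "enc_s2c": _CIPHERS, "mac_c2s": _MACS, "mac_s2c": _MACS,
    "comp_c2s": ["none", "zlib@openssh.com"], "comp_s2c": ["none", "zlib@openssh.com"],
}


def audit_sample():
    """Run the whole pipeline on the constructed sample and return the report."""
    findings = audit(parse_kexinit(build_kexinit(SAMPLE_LISTS)))
    return {"banner": parse_banner(SAMPLE_BANNER), "findings": findings,
            "remove": recommend_removals(findings)}


if __name__ == "__main__":
    report = audit_sample()
    print("%(software)s %(version)s (%(comment)s)" % report["banner"])
    for section, name, level, reason in report["findings"]:
        print("  [%s] %-8s %-38s %s" % (level, section, name, reason))
    print("recommend removing:", ", ".join(report["remove"]))
```

Against a live server the same two inputs come from the TCP stream: the first line the server sends is the banner, and the first binary packet after it carries the KEXINIT payload (after the packet length, padding length and padding are stripped). Client-to-server and server-to-client lists are graded separately because a server may legitimately offer different sets in each direction.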
How SSH-audit came to be
“In order to choose the best security settings for OpenSSH, one has to carefully read the release notes and act accordingly, but things change from version to version. In order to harden deployments where upgrade isn’t possible (e.g. embedded devices), or point out flaws in an SSH server configuration (e.g. for a security audit) one has to re-read old release notes. But even more annoying is the fact that release notes and information provided in the manual do not always reflect the real situation,” he says, describing the frustration that led him to create SSH-audit.
Keeping on top of these changes and discrepancies took considerable effort, and vulnerability scanners such as Nessus offered no relief: their SSH checks were relatively superficial and lacked the features he needed. So he opted to create his own standalone tool.
Challenges and future plans
Working on the project is not hard, Raugulis says, but it does take up a lot of his time. He wants to be sure of everything he adds to the tool, and that means learning a great deal about OpenSSH, Dropbear SSH and libssh releases, a lot of compiling and testing, and a lot of checking of security-related issues (not all of which have CVEs assigned).
His short-term plans include adding security information related to OpenSSH and improving key fingerprinting. “Currently, the tool can fingerprint SSH1 server keys, but lacks support for SSH2 servers, as it requires a successful key exchange. The base code for this feature is already in the code tree, but it is not finished yet,” he says.
Next he will add support for checking SSH client configurations, and an option to choose a new output type (JSON/XML), so that results can be easily imported into other software or used by custom wrappers.
Version 1.6.0, released today, comes with minor bug fixes and two important new features:
- A new section called Recommendations, which suggests algorithm changes based on recognized software and versions.
- Full libssh support. The tool recognises every libssh release and knows the supported algorithms and relevant security information for each.