This release features tests for the Terrapin message prefix truncation vulnerability in the SSH protocol (CVE-2023-48795), along with other minor enhancements and fixes.
This version is also available as a PyPI package (`pip3 install ssh-audit`), Docker image (`docker pull positronsecurity/ssh-audit`), Snap package (`snap install ssh-audit`), or as a Windows executable (see below, though be aware that sometimes Windows Defender inappropriately detects it as malware!).
The full change log is:
- Added test for the Terrapin message prefix truncation vulnerability (CVE-2023-48795).
- Dropped support for Python 3.7 (EOL was reached in June 2023).
- Added Python 3.12 support.
- In server policies, reduced the expected DH modulus size from 4096 to 3072 bits to match the online hardening guides (note that a 3072-bit modulus provides the equivalent of 128-bit symmetric security).
- In Ubuntu 22.04 client policy, moved host key types `sk-ssh-ed25519@openssh.com` and `ssh-ed25519` to the end of all certificate types.
- Updated Ubuntu Server & Client policies for 20.04 and 22.04 to account for key exchange list changes due to Terrapin vulnerability patches.
- Re-organized optional host key types for the OpenSSH 9.2 server policy to correspond with the updated Debian 12 hardening guide.
- Added built-in policies for OpenSSH 9.5 and 9.6.
- Added an `additional_notes` field to the JSON output.
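The Terrapin test and the policy updates above both rest on the same preconditions: a session is attackable when it negotiates `chacha20-poly1305@openssh.com`, or a CBC cipher together with an encrypt-then-MAC (`*-etm@openssh.com`) MAC, and the "strict kex" countermeasure (the `kex-strict-s-v00@openssh.com` / `kex-strict-c-v00@openssh.com` pseudo-algorithms that patched OpenSSH advertises in its key exchange list) is not negotiated. The following is an added example written for this page, not ssh-audit's own test code: a simplified check of those preconditions run over constructed KEXINIT algorithm lists, plus the conservative hardening step of dropping the exploitable ciphers when a peer cannot be upgraded.

```python
"""Simplified Terrapin (CVE-2023-48795) precondition check.

Added example for this page; it is not ssh-audit's own test code. The
algorithm names are the real OpenSSH ones; the KEXINIT lists at the
bottom are constructed for illustration, not captured from a real host.
"""
from dataclasses import dataclass, replace
from typing import Optional

STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
CHACHA20 = "chacha20-poly1305@openssh.com"


@dataclass(frozen=True)
class KexInit:
    """Algorithm lists one side advertises in its SSH_MSG_KEXINIT."""
    kex: tuple
    ciphers: tuple
    macs: tuple


def vulnerable_combos(k: KexInit) -> list:
    """Return the (cipher, mac) pairs in k that a Terrapin attacker can target.

    ChaCha20-Poly1305 is listed with mac=None because it is an AEAD cipher
    and ignores the negotiated MAC; CBC ciphers are only exploitable when
    paired with an encrypt-then-MAC MAC.
    """
    combos = []
    if CHACHA20 in k.ciphers:
        combos.append((CHACHA20, None))
    cbc_ciphers = [c for c in k.ciphers if c.endswith("-cbc")]
    etm_macs = [m for m in k.macs if m.endswith("-etm@openssh.com")]
    for c in cbc_ciphers:
        for m in etm_macs:
            combos.append((c, m))
    return combos


def check_terrapin(server: KexInit, client: Optional[KexInit] = None) -> dict:
    """Classify a server (optionally against a known client) for Terrapin.

    "not affected": no attackable cipher/MAC combination is offered.
    "mitigated":    attackable algorithms are offered, but strict kex is
                    advertised by the server (and by the client, when one
                    is given), so the countermeasure will be negotiated.
    "vulnerable":   attackable algorithms offered and strict kex missing
                    on at least one side.
    """
    combos = vulnerable_combos(server)
    server_strict = STRICT_KEX_SERVER in server.kex
    client_strict = client is None or STRICT_KEX_CLIENT in client.kex
    if not combos:
        status = "not affected"
    elif server_strict and client_strict:
        status = "mitigated"
    else:
        status = "vulnerable"
    return {"status": status, "combos": combos,
            "server_strict_kex": server_strict}


def harden(k: KexInit) -> KexInit:
    """Return a copy of k with the Terrapin-exploitable ciphers removed.

    Dropping ChaCha20 and every CBC cipher is the conservative fix when a
    peer cannot be upgraded to strict kex; the -etm MACs themselves are
    fine once no CBC cipher remains.
    """
    keep = tuple(c for c in k.ciphers
                 if c != CHACHA20 and not c.endswith("-cbc"))
    return replace(k, ciphers=keep)


# Constructed KEXINIT lists for illustration (not captured from a real host).
UNPATCHED_SERVER = KexInit(
    kex=("curve25519-sha256", "diffie-hellman-group16-sha512"),
    ciphers=(CHACHA20, "aes256-gcm@openssh.com", "aes256-cbc"),
    macs=("hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"),
)
# Same algorithms, but with the strict-kex pseudo-algorithm advertised,
# as a patched (OpenSSH 9.6 or later) server does.
PATCHED_SERVER = replace(
    UNPATCHED_SERVER, kex=UNPATCHED_SERVER.kex + (STRICT_KEX_SERVER,))
# An old client that never learned strict kex.
OLD_CLIENT = KexInit(kex=("curve25519-sha256",),
                     ciphers=(CHACHA20,), macs=("hmac-sha2-256",))

if __name__ == "__main__":
    for name, srv in (("unpatched", UNPATCHED_SERVER),
                      ("patched", PATCHED_SERVER),
                      ("hardened", harden(UNPATCHED_SERVER))):
        print(name, check_terrapin(srv))
    print("patched server, old client:",
          check_terrapin(PATCHED_SERVER, OLD_CLIENT)["status"])
```

The "patched server, old client" case is the one worth remembering when reading an audit: a server that advertises strict kex is only protected against clients that also support it, which is why the fully hardened option is to remove ChaCha20 and the CBC ciphers rather than rely on the countermeasure alone.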