The highlights of this release are:
- Warnings will be issued on key exchanges that are not post-quantum safe.
- Hardening guides are now included for all supported platforms (see --list-hardening-guides).
- UNIX sockets can be used as scan targets (specified with unix:///path/to/socket); useful in containerized environments such as CI/CD pipelines.
- Scanning through SOCKS5 proxies can now be done (with --socks5).
- A variety of new post-quantum algorithms can now be identified.
BIG THANKS to realmiwi for being the project's very first sponsor!!
The full release notes are:
- Added support for Python 3.14.
- Dropped support for Python 3.8, as it reached end-of-life in October 2024.
- Dropped support for Python 3.9, as it reached end-of-life in October 2025.
- Added warning to all key exchanges that do not include protections against quantum attacks due to the Harvest Now, Decrypt Later strategy (see https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later).
- Removed SSHv1 support (rationale is documented in: #298).
- Added hardening guides (see --list-hardening-guides and --get-hardening-guide). Previously, they were only available at https://ssh-audit.com/hardening_guides.html, but now they are built-in for convenience; partial credit oam7575.
- Added allow_hostkey_subset_and_reordering policy option to allow targets to have a more stringent list of host keys and/or a different ordering of them.
- Migrated from deprecated getopt module to argparse; partial credit oam7575.
- When running against multiple hosts, now prints each target host regardless of output level.
- Batch mode (-b) no longer automatically enables verbose mode, due to sometimes confusing results; users can still explicitly enable verbose mode using the -v flag.
- Added UNIX server socket scanning (specify the target with unix:///path/to/socket).
- Added SOCKS5 proxy support (specify the proxy with --socks5 host:port); partial credit Michał Majchrowicz.
- Updated built-in policy for Debian 12.
- Added built-in policies for OpenSSH 10.0, 10.1, 10.2, 10.3, and 10.4.
- Added hardening guides and policies for Debian 13.
- Added hardening guides and policies for Rocky Linux 10.
- Added hardening guides and policies for Ubuntu 26.04.
- Added 2 new key exchanges: mlkem768nistp256-sha256, mlkem1024nistp384-sha384.
- Added 11 new host keys: webauthn-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, mldsa-44, ssh-mldsa44-ed25519@openssh.com, mldsa-65, mldsa-87, ssh-mldsa-44, ssh-mldsa-65, ssh-mldsa-87, ssh-mldsa44, ssh-mldsa65, ssh-mldsa87.
- Added 2 new ciphers: AEAD_CAMELLIA_128_GCM, AEAD_CAMELLIA_256_GCM.
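
As an illustration of the post-quantum key exchange warning listed in these notes, the following added example (not ssh-audit's own code) parses an SSH_MSG_KEXINIT payload as laid out in RFC 4253 and lists the offered key exchanges that have no post-quantum component. The prefix-based classification, the function names and the sample payload are assumptions constructed for this example.

```python
import struct

SSH_MSG_KEXINIT = 20
# Assumption: hybrid post-quantum key exchanges are recognised by name prefix
# (mlkem768nistp256-sha256, mlkem1024nistp384-sha384, sntrup761x25519-sha512, ...).
PQ_PREFIXES = ("mlkem", "sntrup")
# Extension markers that appear in the list but are not key exchanges.
MARKERS = {"ext-info-c", "ext-info-s",
           "kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"}


def parse_kex_algorithms(payload: bytes) -> list:
    """Return the kex_algorithms name-list of an SSH_MSG_KEXINIT payload."""
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    # Layout: 1-byte message type, 16-byte cookie, then uint32 length + names.
    (length,) = struct.unpack(">I", payload[17:21])
    raw = payload[21:21 + length]
    if len(raw) != length:
        raise ValueError("truncated kex_algorithms name-list")
    return raw.decode("ascii").split(",") if raw else []


def non_pq_kex(payload: bytes) -> list:
    """Offered key exchanges with no post-quantum component."""
    return [k for k in parse_kex_algorithms(payload)
            if k not in MARKERS and not k.startswith(PQ_PREFIXES)]


def build_kexinit(kex: list) -> bytes:
    """Build a constructed KEXINIT payload (zero cookie) for the demo."""
    def name_list(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    lists = [kex, ["ssh-ed25519"]] + [["aes256-gcm@openssh.com"]] * 2 \
        + [["hmac-sha2-256"]] * 2 + [["none"]] * 2 + [[]] * 2
    body = b"".join(name_list(n) for n in lists)
    # Trailer: first_kex_packet_follows (bool) and a reserved uint32.
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)


# Constructed sample offer, not captured from a real server.
SAMPLE = build_kexinit(["mlkem768nistp256-sha256",
                        "sntrup761x25519-sha512@openssh.com",
                        "curve25519-sha256",
                        "diffie-hellman-group14-sha256",
                        "kex-strict-s-v00@openssh.com"])

if __name__ == "__main__":
    for name in non_pq_kex(SAMPLE):
        print("warning: no post-quantum protection:", name)
```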