ssh-audit: ecdsa-sha2-nistp<256/384/521>

@jtesta , ssh-audit 2.4.0 returns the following for host key algorithms ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 and ecdsa-sha2-nistp521:

# host-key algorithms
(key) ecdsa-sha2-nistp521 -- [fail] using weak elliptic curves
                          `- [warn] using weak random number generator could reveal the key
                          `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(key) ecdsa-sha2-nistp384 -- [fail] using weak elliptic curves
                          `- [warn] using weak random number generator could reveal the key
                          `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(key) ecdsa-sha2-nistp256 -- [fail] using weak elliptic curves
                          `- [warn] using weak random number generator could reveal the key
                          `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62

Would it be possible to update the [fail] message to include a citation to a credible source that backs up the claim of using weak elliptic curves?

I’ve seen that you presented on the topic of Problems With Elliptic Curves In TLS and SSH at Rochester Security Summit (RSS) 2017.

Perhaps ssh-audit could cite your presentation?

About this issue

  • Original URL
  • State: open
  • Created 3 years ago
  • Comments: 17 (11 by maintainers)

Most upvoted comments

What do you think about this?

Yep, that looks good.

When verbose mode is enabled, the JSON output should include the references as well.

+1
jtesta on Jun 30, 2021

I think it would make more sense to include it along the error:

(key) ecdsa-sha2-nistp256                   -- [fail] using weak elliptic curves -- <https://reference.com/>
                                            `- [warn] using weak random number generator could reveal the key
                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62

As you could have multiple references:

(key) ssh-foo                               -- [fail] using weak hashing algorithm: <example.com/foo-considered-insecure>
                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
                                            `- [info] deprecated in OpenSSH 42: https://www.openssh.com/txt/release-42

Although I guess you could use the same format for adding references in a new sublevel:

(key) ssh-foo                               -- [fail] using weak hashing algorithm:
                                             --  <example.com/foo-considered-insecure>
                                             `-  <example.com/foo-is-still-insecure>
                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
                                            `- [info] deprecated in OpenSSH 42: https://www.openssh.com/txt/release-42
+1
Keisial on May 31, 2021
Read more comments on GitHub
← kube2iam: Pods are sometimes assigned to the incorrect IAM role
ssh-audit: LookupError: unknown encoding: idna →