ssh-audit
ssh-audit copied to clipboard
arthepsy
SSH client audit
What do you think about the idea of a SSH client audit feature?
Of course, admins can configure a good and up-to-date system-wide client config (/etc/ssh/ssh_config). However, users also have their own (and often ancient!) settings in ~/.ssh/config. AFAIK there is no tool that audits the client settings and gives recommendations.
When I discovered the ssh -G host option (available since OpenSSH 6.8) I thought this may be an interesting and easy way to audit the effective client settings for the respective destination.
Also, it would be possible to not only check the configured algorithms but also insecure or dangerous features (e.g. X11Forwarding, Agent-Forwarding, etc).
It could look like this:
$ ssh-audit -c host
Also, checking the bit sizes of the configured SSH user keys (e.g. RSA >= 2048 bit) would be another useful client-side check.
Or checking the (new) storage format of the private key (bcrypt KDF and number of rounds) or the public key (RFC 4716).
Or warning about the key age and hinting about key rotation if the local private key file has an old timestamp.
@knweiss @egberts I implemented SSH client testing in v2.1.0 of my fork: https://github.com/jtesta/ssh-audit/releases/tag/v2.1.0
Oh, and please do check for those pesky "ControlMaster" settings. It is getting problematic. A minimum warning message there.