Joe Testa

@ecki : thanks for posting this. This shows that the GSS parsing seems to be working--at least for client audits. I should still double-check that server audits still parse them...

> You also might want to add the version info for curve448-sha512 I don't believe that was added to OpenSSH, since they don't support Curve448 at all (unfortunately). > how...

Closing this issue, since additional testing showed that the GSS algorithms are indeed being parsed correctly.

@RZR7332 : My apologies for the very late response. It seems that, in your original post, you were running the `Hardened OpenSSH Server v8.9 (version 2)` policy against an Ubuntu...

@RZR7332 : Thanks for reporting! Closing as complete.

@BareqAZ : thanks for bringing this to my attention! I did some testing, and it seems that this denial-of-service requires unlimited new connections to the server (at least against OpenSSH)....

Just now, I checked into `master` a rather extensive implementation of the DHEat vulnerability. This will be included in v3.2.0, whose release is imminent. I've also conducted an in-depth research...

I've published the article I mentioned a few days ago: [An Analysis of the DHEat DoS Against SSH in Cloud Environments](https://www.positronsecurity.com/blog/2024-04-23-an-analysis-of-dheat-dos-against-ssh-in-cloud-environments/)

@XSpielinbox : thanks for letting me know! I've fixed most of the problems found by Shellcheck in https://github.com/jtesta/ssh-audit/commit/953683a76213c6388f01709e624ef6e70ad79c79. As a note to myself, the following tools made some additional findings...

FYI, I am considering removing CVE reporting from the tool. In #240, I described the rationale, as well as set up a voting process to hear from the community on...