
error with policy: keys did not match

Open fansari opened this issue 3 years ago • 2 comments

I wrote a policy with these host keys:

host keys = [email protected], ssh-ed25519

On the analyzed host I see:

sshd -T | grep hostkeyalgorithms
[email protected],ssh-ed25519

ssh-audit -P mypolicy.txt shows this:

Result: ❌ Failed!

Errors:
  * Host keys did not match.
    - Expected: [email protected], ssh-ed25519
    - Actual:   ssh-ed25519

When I remove [email protected] from the host keys in my policy the test passes.

Did I misconfigure something or is this a bug?

fansari, Dec 02 '21 16:12

This... may be a bug. Glad that you've got a temporary work-around at least!

And either way, thanks for reporting! I'll take a closer look at it once I get some spare cycles...

jtesta, Dec 02 '21 19:12

Hi All,

Possibly a silly question, but are you sure that you have enabled certificate authentication for your SSH host?

My sshd config file had [email protected] enabled as a valid host key algorithm.

sshd -T | grep hostkeyalgorithms
hostkeyalgorithms [email protected],ssh-ed25519,[email protected],[email protected],rsa-sha2-256,rsa-sha2-512,[email protected],[email protected]

However, ssh-audit only displayed the following:

host-key algorithms
(key) ssh-ed25519              -- [info] available since OpenSSH 6.5
(key) rsa-sha2-512 (4096-bit)  -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (4096-bit)  -- [info] available since OpenSSH 7.2

A quick bit of googling landed me on the Red Hat Enterprise Linux SSH CA certificates page: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-creating_ssh_ca_certificate_signing-keys

I followed that process through, and very quickly had SSH certificates enabled.

Once SSH certificates were enabled, I then saw the following. Note: the error below is a deliberate misconfiguration of the policy file, to check that ssh-audit would see the host key and then report the policy error.

host-key algorithms
(key) ssh-ed25519                   -- [info] available since OpenSSH 6.5
(key) [email protected] (4096-bit)  -- [info] available since OpenSSH 6.5
(key) rsa-sha2-512 (4096-bit)       -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (4096-bit)       -- [info] available since OpenSSH 7.2

Policy: Custom Policy (based on 172.168.1.55 on 2021/12/11) (version 1)
Result: ❌ Failed!

Errors:

  • Host keys did not match.
    • Expected: ssh-ed25519, rsa-sha2-512, rsa-sha2-256
    • Actual: ssh-ed25519, [email protected], rsa-sha2-512, rsa-sha2-256

oam7575, Dec 10 '21 23:12
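The cause described in the comment above (a `*-cert-v01@openssh.com` algorithm appears in `sshd -T` but sshd only advertises it once a HostCertificate is loaded, so ssh-audit reports only the plain key type as "Actual") can be predicted from the two artifacts the reporter already has. The script below is an added example, not ssh-audit's own code: it parses a constructed `sshd -T` dump and a constructed policy fragment in the `host keys =` format, and assumes that `sshd -T` prints a `hostcertificate` line for each configured certificate.

```python
import re
from typing import Dict, List

CERT_SUFFIX = "-cert-v01@openssh.com"

# Constructed `sshd -T` output (not taken from the thread): the cert algorithm
# is listed in HostKeyAlgorithms, but no HostCertificate line is present.
SSHD_T_OUTPUT = """\
hostkeyalgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
hostkey /etc/ssh/ssh_host_ed25519_key
"""

# Constructed ssh-audit policy fragment using the thread's "host keys =" line.
POLICY_TEXT = """\
name = "example policy"
version = 1
host keys = ssh-ed25519-cert-v01@openssh.com, ssh-ed25519, rsa-sha2-512
"""


def parse_sshd_t(text: str) -> Dict[str, List[str]]:
    """Map each sshd -T keyword to its values; repeated keywords accumulate."""
    cfg: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(" ")
            cfg.setdefault(key.lower(), []).append(value.strip())
    return cfg


def policy_host_keys(text: str) -> List[str]:
    """Extract the comma-separated 'host keys =' list from a policy file."""
    for line in text.splitlines():
        m = re.match(r"\s*host keys\s*=\s*(.*)$", line)
        if m:
            return [a.strip() for a in m.group(1).split(",") if a.strip()]
    return []


def diagnose(policy_text: str, sshd_t_text: str) -> Dict[str, str]:
    """Explain, per policy host key, whether sshd can actually advertise it."""
    cfg = parse_sshd_t(sshd_t_text)
    offered = set(cfg.get("hostkeyalgorithms", [""])[0].split(","))
    has_cert = bool(cfg.get("hostcertificate"))  # assumption: sshd -T dumps it
    result: Dict[str, str] = {}
    for alg in policy_host_keys(policy_text):
        if alg not in offered:
            result[alg] = "not in HostKeyAlgorithms"
        elif alg.endswith(CERT_SUFFIX) and not has_cert:
            result[alg] = "cert algorithm listed, but no HostCertificate loaded"
        else:
            result[alg] = "ok"
    return result


def predicted_actual(policy_text: str, sshd_t_text: str) -> List[str]:
    """Policy host keys that ssh-audit should report under 'Actual'."""
    return [a for a, s in diagnose(policy_text, sshd_t_text).items() if s == "ok"]
```

Running `diagnose(POLICY_TEXT, SSHD_T_OUTPUT)` flags the cert algorithm as unadvertisable and `predicted_actual` returns only `ssh-ed25519`, which is the mismatch shown in the original report.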

@fansari : Just checking in to see if you still have this problem. If so, could you please post the entire output of ssh-audit -d target_host? If you include -d with the latest ssh-audit code, it should return enough debugging information to see what is happening. Thanks!

jtesta, Apr 25 '23 13:04

@fansari: I suppose I'll close this issue now due to inactivity. A major overhaul of the policy code landed in v2.9.0, so it's possible that your issue was fixed then. If you get a chance, please test with the newest version. Thanks!

jtesta, Aug 25 '23 19:08