From 6c4f54130d892f5034ac40d139ff27b8bb4d1927 Mon Sep 17 00:00:00 2001
From: zhangpan
Date: Fri, 12 Apr 2024 12:47:45 +0800
Subject: [PATCH] Add Insecure Algorithm Logs
---
 paramiko/auth_handler.py | 5 ++++
 paramiko/transport.py | 65 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py
index db89670..0454358 100644
--- a/paramiko/auth_handler.py
+++ b/paramiko/auth_handler.py
@@ -384,6 +384,11 @@ class AuthHandler(object):
 m.add_boolean(True)
 key_type, bits = self._get_key_type_and_bits(self.private_key)
 algorithm = self._finalize_pubkey_algorithm(key_type)
+ if not list (
+ filter(
+ algorithm.__contains__,
+ self.transport._whitelist_pubkeys)):
+ self._log(WARNING, "Insecure PubKey algorithm may be used: {}".format(algorithm))
 m.add_string(algorithm)
 m.add_string(bits)
 blob = self._get_session_blob(
diff --git a/paramiko/transport.py b/paramiko/transport.py
index 5265e09..e8ff0e0 100644
--- a/paramiko/transport.py
+++ b/paramiko/transport.py
@@ -213,6 +213,43 @@ class Transport(threading.Thread, ClosingContextManager):
 )
 _preferred_compression = ("none",)
+ _whitelist_ciphers = (
+ "aes128-ctr",
+ "aes192-ctr",
+ "aes256-ctr",
+ "chacha20-poly1305@openssh.com",
+ "aes128-gcm@openssh.com",
+ "aes256-gcm@openssh.com",
+ )
+
+ _whitelist_macs = (
+ "hmac-sha2-512",
+ "hmac-sha2-512-etm@openssh.com",
+ "hmac-sha2-256",
+ "hmac-sha2-256-etm@openssh.com",
+ )
+
+ _whitelist_keys = (
+ "ssh-ed25519",
+ "ecdsa-sha2-nistp256",
+ "ssh-ed25519-cert-v01@openssh.com",
+ "rsa-sha2-256",
+ "rsa-sha2-512",
+ )
+
+ _whitelist_pubkeys = (
+ "ssh-ed25519",
+ "ssh-ed25519-cert-v01@openssh.com",
+ "rsa-sha2-256",
+ "rsa-sha2-512",
+ )
+
+ _whitelist_kex = (
+ "curve25519-sha256",
+ "curve25519-sha256@libssh.org",
+ "diffie-hellman-group-exchange-sha256",
+ )
+
+
 _cipher_info = {
 "aes128-ctr": {
 "class": algorithms.AES,
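Review bot: The check added in the auth_handler.py hunk is a substring test, not a membership test. `algorithm` is a string, so `algorithm.__contains__` is `str.__contains__`, and any algorithm name that merely contains an allow-list entry is treated as approved. The Kex, HostKey, Cipher and MAC hunks in transport.py repeat the same pattern. If exact matching is intended, `if algorithm not in self.transport._whitelist_pubkeys:` says so directly. If the substring match is deliberate, for example to cover certificate variants of a listed name, a comment should say so, and `if not any(name in algorithm for name in self.transport._whitelist_pubkeys):` reads more clearly than `not list(filter(...))`.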
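Review bot: The five `_whitelist_*` tuples added in the first transport.py hunk have no comment saying they are advisory only. The later hunks use them solely to emit a WARNING, and nothing visible ties them to the `_preferred_*` tuples that drive negotiation. I would add a comment above `_whitelist_ciphers` such as `# Advisory only: algorithms outside these tuples are still negotiated, but logged at WARNING.` and note where the policy comes from. The lists also disagree without explanation: `_whitelist_keys` contains `ecdsa-sha2-nistp256` while `_whitelist_pubkeys` does not, so the same key type passes as a host key but is warned about for client authentication. The Transport class body continues outside the hunk.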
@@ -2507,6 +2544,13 @@ class Transport(threading.Thread, ClosingContextManager):
 "Incompatible ssh peer (no acceptable kex algorithm)"
 ) # noqa
 self.kex_engine = self._kex_info[agreed_kex[0]](self)
+
+ if not list (
+ filter(
+ agreed_kex[0].__contains__,
+ self._whitelist_kex)):
+ self._log(WARNING, "Insecure Kex algorithm may be used: {}".format(agreed_kex[0]))
+
 self._log(DEBUG, "Kex: {}".format(agreed_kex[0]))
 if self.server_mode:
@@ -2534,6 +2578,13 @@ class Transport(threading.Thread, ClosingContextManager):
 raise IncompatiblePeer(
 "Incompatible ssh peer (can't match requested host key type)"
 ) # noqa
+
+ if not list (
+ filter(
+ self.host_key_type.__contains__,
+ self._whitelist_keys)):
+ self._log(WARNING, "Insecure HostKey algorithm may be used: {}".format(self.host_key_type))
+
 self._log_agreement("HostKey", agreed_keys[0], agreed_keys[0])
 if self.server_mode:
@@ -2568,6 +2619,13 @@ class Transport(threading.Thread, ClosingContextManager):
 ) # noqa
 self.local_cipher = agreed_local_ciphers[0]
 self.remote_cipher = agreed_remote_ciphers[0]
+
+ if not list (
+ filter(
+ self.local_cipher.__contains__,
+ self._whitelist_ciphers)):
+ self._log(WARNING, "Insecure Cipher algorithm may be used: {}".format(self.local_cipher))
+
 self._log_agreement(
 "Cipher", local=self.local_cipher, remote=self.remote_cipher
 )
@@ -2592,6 +2650,13 @@ class Transport(threading.Thread, ClosingContextManager):
 )
 self.local_mac = agreed_local_macs[0]
 self.remote_mac = agreed_remote_macs[0]
+
+ if not list (
+ filter(
+ self.local_mac.__contains__,
+ self._whitelist_macs)):
+ self._log(WARNING, "Insecure Mac algorithm may be used: {}".format(self.local_mac))
+
 self._log_agreement(
 "MAC", local=self.local_mac, remote=self.remote_mac
 )
--
2.33.0
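Review bot: In the Cipher hunk only `self.local_cipher` is compared with `_whitelist_ciphers`. The hunk assigns `self.remote_cipher` from a separate agreed list and logs both directions immediately afterwards, so a weak cipher agreed for the remote direction alone would produce no warning. Wrapping the test in `for name in (self.local_cipher, self.remote_cipher):` and checking `name` closes that gap. The MAC hunk has the same omission for `self.remote_mac`. The surrounding method begins and ends outside the hunk.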
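Review bot: The MAC warning in the last hunk is emitted without regard to the cipher agreed in the previous hunk. `_whitelist_ciphers` includes AEAD modes (`aes128-gcm@openssh.com`, `chacha20-poly1305@openssh.com`), and with those the negotiated MAC is normally not used for packet integrity, so this line may report an insecure MAC that never runs. I cannot confirm from the hunk how this code base handles that case. If it does ignore the MAC for AEAD ciphers, skipping the check there would keep the warning meaningful to whoever reads the log.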