One of the original design goals of ssh-audit was to be a very lightweight tool with no external dependencies. The downside to this is that we cannot do any auditing that requires performing a full SSH handshake, since that requires a LOT of cryptographic code to be written and maintained. Hence, I thought I'd start a discussion here to consider whether there is enough payoff to justify adding a dependency to ssh-audit.
One example is to use the paramiko module to enumerate the authentication methods (example code is here: #290 (comment)). Custom policies could leverage this information to ensure that password authentication is disabled entirely in an organization.
Over the years, I had a couple of other minor ideas that would require a crypto/SSH library, but I can't remember them at the moment. So perhaps we'll use this thread to brainstorm over time. If enough good ideas come out, I'd be happy to add an external dependency.
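As an added example, not code from this discussion, from #290 or from the ssh-audit project itself, here is one way the paramiko probe described above could be written. It asks the server for the "none" method, reads the list of methods the server sends back in its refusal, and then checks that list against a policy that forbids password-style authentication. The host, port and probe username are hypothetical; paramiko must be installed for the network part, while the policy check itself has no dependency.

```python
"""Enumerate the authentication methods an SSH server offers and check
them against a policy. Added example; assumes paramiko is installed and
that host/port/username below are whatever you are auditing."""
import socket
from typing import Iterable, List

# Methods a "no passwords" policy would forbid (assumption for this example;
# keyboard-interactive is included because OpenSSH uses it for PAM passwords).
FORBIDDEN_METHODS = ("password", "keyboard-interactive")


def enumerate_auth_methods(host: str, port: int = 22,
                           username: str = "probe",
                           timeout: float = 5.0) -> List[str]:
    """Return the authentication methods the server advertises for `username`.

    Sends a "none" authentication request. Servers that refuse it answer with
    the list of methods that may continue (RFC 4252 USERAUTH_FAILURE), which
    paramiko surfaces as BadAuthenticationType.allowed_types.
    """
    import paramiko  # imported here so check_policy() works without paramiko

    sock = socket.create_connection((host, port), timeout=timeout)
    transport = paramiko.Transport(sock)
    try:
        transport.start_client(timeout=timeout)  # full SSH handshake
        try:
            remaining = transport.auth_none(username)
        except paramiko.BadAuthenticationType as exc:
            # Normal case: "none" refused, server lists what it does accept.
            return list(exc.allowed_types)
        # "none" was accepted; a non-empty list means partial success and
        # further methods are required, an empty list means no auth at all.
        return list(remaining) if remaining else ["none"]
    finally:
        transport.close()


def check_policy(advertised: Iterable[str],
                 forbidden: Iterable[str] = FORBIDDEN_METHODS) -> List[str]:
    """Return the forbidden methods the server advertised (empty = compliant).

    "none" is always reported, since a server that accepts it needs no
    credentials whatsoever.
    """
    forbidden_set = set(forbidden) | {"none"}
    return [m for m in advertised if m in forbidden_set]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ssh.example.invalid"  # hypothetical
    methods = enumerate_auth_methods(target)
    print("advertised:", ", ".join(methods))
    violations = check_policy(methods)
    if violations:
        print("POLICY FAIL:", ", ".join(violations))
        sys.exit(1)
    print("policy OK")
```

Two caveats a practitioner would want before wiring this into a policy: the advertised list is per user (OpenSSH `Match User`/`Match Group` blocks can enable password authentication for some accounts only), so a single probe username proves little about the whole host; and unlike ssh-audit's key-exchange-only scan, this probe is a real authentication attempt that will appear in the server's auth log and count against `MaxAuthTries` and any lockout tooling.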