Authenticated checks and special ssh options

Hi!

I’ve tried to do authenticated scans/checks with clients needing special ssh options for connections to succeed. Is there any way to tell gvm to use these special options connecting to those clients?
If I cant handle those the only thing happening would be:

debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 194
debug2: parse_server_config: config /etc/ssh/sshd_config len 194
debug1: sshd version OpenSSH_5.1p1 FreeBSD-20080901
debug1: read PEM private key done: type DSA
debug1: private host key: #0 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-dd'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='622'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 622 on ::.
Server listening on :: port 622.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 622 on 0.0.0.0.
Server listening on 0.0.0.0 port 622.
accept: Software caused connection abort
debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
debug1: res_init()
Connection from 172.18.8.169 port 60221
Bad protocol version identification '\026\003\001\002' from 172.18.8.169

In most cases these options are such to allow additional or considered as weak encription/hash building functions. For example:

Host fbsd4
        Ciphers +aes128-cbc
        HostKeyAlgorithms +ssh-dss
        KexAlgorithms +diffie-hellman-group1-sha1

Host fbsd5
        Ciphers +aes128-cbc
        HostKeyAlgorithms +ssh-dss
        KexAlgorithms +diffie-hellman-group1-sha1

Host fbsd6
        HostKeyAlgorithms +ssh-dss

Host fbsd7
        HostKeyAlgorithms +ssh-dss

Would be nice to handle this on a client by client base with possibility to set some default sets used most of the time.

If this is not possible somehow – I’ll request this as an enhacement …!

This is NOT a duplicate! One is a request for special SSH options and how I could tell the ssh-client openvas uses to respect these. The other one is a request to verify ssh logon using passwordless keys with special accounts works at all. These are quite different things!

You can try to build a new version of libssh via git and replace the current one with it.
https://git.libssh.org/projects/libssh.git/

The handshake with our “ssh hardened” servers is working now.

1 Like