add-insecure-algorithm-log.patch 4.57 KB
张攀 提交于 2024-06-25 14:51 +08:00 . add insecure algorithm log
From 6c4f54130d892f5034ac40d139ff27b8bb4d1927 Mon Sep 17 00:00:00 2001
From: zhangpan <zhangpan103@h-partners.com>
Date: Fri, 12 Apr 2024 12:47:45 +0800
Subject: [PATCH] Add Insecure Algorithm Logs
---
paramiko/auth_handler.py | 5 ++++
paramiko/transport.py | 65 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 70 insertions(+)
diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py
index db89670..0454358 100644
--- a/paramiko/auth_handler.py
+++ b/paramiko/auth_handler.py
@@ -384,6 +384,11 @@ class AuthHandler(object):
m.add_boolean(True)
key_type, bits = self._get_key_type_and_bits(self.private_key)
algorithm = self._finalize_pubkey_algorithm(key_type)
+ if not list (
+ filter(
+ algorithm.__contains__,
+ self.transport._whitelist_pubkeys)):
+ self._log(WARNING, "Insecure PubKey algorithm may be used: {}".format(algorithm))
m.add_string(algorithm)
m.add_string(bits)
blob = self._get_session_blob(
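Review bot: The whitelist test is a substring match in the wrong direction — `algorithm.__contains__` asks whether each whitelist entry occurs inside the negotiated name, so any algorithm name that merely embeds `rsa-sha2-256` or `ssh-ed25519` (including future or vendor-suffixed variants) passes silently, and an entry that is longer than the negotiated name can never match; a whitelist means exact membership, `if algorithm not in self.transport._whitelist_pubkeys:`. The same `list(filter(x.__contains__, whitelist))` construct is repeated in the four check hunks of transport.py (Kex, HostKey, Cipher, MAC) and should be changed the same way there. `WARNING` has to be among the names auth_handler.py imports from paramiko.common, which is not visible here; if it is not, this branch raises NameError the first time a non-whitelisted key is offered. The enclosing method starts and ends outside the hunk.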
diff --git a/paramiko/transport.py b/paramiko/transport.py
index 5265e09..e8ff0e0 100644
--- a/paramiko/transport.py
+++ b/paramiko/transport.py
@@ -213,6 +213,43 @@ class Transport(threading.Thread, ClosingContextManager):
)
_preferred_compression = ("none",)
+ _whitelist_ciphers = (
+ "aes128-ctr",
+ "aes192-ctr",
+ "aes256-ctr",
+ "chacha20-poly1305@openssh.com",
+ "aes128-gcm@openssh.com",
+ "aes256-gcm@openssh.com",
+ )
+
+ _whitelist_macs = (
+ "hmac-sha2-512",
+ "hmac-sha2-512-etm@openssh.com",
+ "hmac-sha2-256",
+ "hmac-sha2-256-etm@openssh.com",
+ )
+
+ _whitelist_keys = (
+ "ssh-ed25519",
+ "ecdsa-sha2-nistp256",
+ "ssh-ed25519-cert-v01@openssh.com",
+ "rsa-sha2-256",
+ "rsa-sha2-512",
+ )
+
+ _whitelist_pubkeys = (
+ "ssh-ed25519",
+ "ssh-ed25519-cert-v01@openssh.com",
+ "rsa-sha2-256",
+ "rsa-sha2-512",
+ )
+
+ _whitelist_kex = (
+ "curve25519-sha256",
+ "curve25519-sha256@libssh.org",
+ "diffie-hellman-group-exchange-sha256",
+ )
+
_cipher_info = {
"aes128-ctr": {
"class": algorithms.AES,
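Review bot: The five `_whitelist_*` tuples carry no comment saying what they are for, and sitting directly under `_preferred_compression` they read as negotiation preference lists, whereas in this patch they are only consulted to emit WARNING logs and never restrict what is negotiated. A comment above `_whitelist_ciphers` such as `# Advisory lists of algorithms considered secure. A negotiated algorithm outside these tuples only triggers a WARNING log; it is never rejected.` would prevent that misreading. The lists are also not obviously consistent with each other — `ecdsa-sha2-nistp256` is accepted in `_whitelist_keys` but absent from `_whitelist_pubkeys` — so a one-line note on the policy these were derived from would help whoever maintains them.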
@@ -2507,6 +2544,13 @@ class Transport(threading.Thread, ClosingContextManager):
"Incompatible ssh peer (no acceptable kex algorithm)"
) # noqa
self.kex_engine = self._kex_info[agreed_kex[0]](self)
+
+ if not list (
+ filter(
+ agreed_kex[0].__contains__,
+ self._whitelist_kex)):
+ self._log(WARNING, "Insecure Kex algorithm may be used: {}".format(agreed_kex[0]))
+
self._log(DEBUG, "Kex: {}".format(agreed_kex[0]))
if self.server_mode:
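Review bot: The warning says the kex algorithm "may be used", but `self.kex_engine` has already been constructed from `agreed_kex[0]` on the line above, so by this point it is the agreed algorithm for this key exchange; `"Insecure Kex algorithm negotiated: {}"` states what actually happened and is easier to act on when reading logs. The same wording is used in the HostKey, Cipher and MAC warnings below. The enclosing `_parse_kex_init` continues on both sides of the hunk.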
@@ -2534,6 +2578,13 @@ class Transport(threading.Thread, ClosingContextManager):
raise IncompatiblePeer(
"Incompatible ssh peer (can't match requested host key type)"
) # noqa
+
+ if not list (
+ filter(
+ self.host_key_type.__contains__,
+ self._whitelist_keys)):
+ self._log(WARNING, "Insecure HostKey algorithm may be used: {}".format(self.host_key_type))
+
self._log_agreement("HostKey", agreed_keys[0], agreed_keys[0])
if self.server_mode:
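Review bot: The check reads `self.host_key_type` while the log line directly below reports `agreed_keys[0]`; the assignment of `host_key_type` is not visible in this hunk, and if it happens later in the method (or only in one of the server/client branches) the check runs against the previous exchange's value or `None`. Unless the assignment is confirmed to precede this point, testing the freshly agreed value is safer: `if agreed_keys[0] not in self._whitelist_keys:` with the same `agreed_keys[0]` in the message. The enclosing method starts and ends outside the hunk.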
@@ -2568,6 +2619,13 @@ class Transport(threading.Thread, ClosingContextManager):
) # noqa
self.local_cipher = agreed_local_ciphers[0]
self.remote_cipher = agreed_remote_ciphers[0]
+
+ if not list (
+ filter(
+ self.local_cipher.__contains__,
+ self._whitelist_ciphers)):
+ self._log(WARNING, "Insecure Cipher algorithm may be used: {}".format(self.local_cipher))
+
self._log_agreement(
"Cipher", local=self.local_cipher, remote=self.remote_cipher
)
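Review bot: Only `self.local_cipher` is checked, but the line above also agrees `self.remote_cipher`, and the two directions can differ when the peer's preference lists differ from ours, so an insecure inbound cipher is never logged. Checking both agreed values covers it: `for name in (self.local_cipher, self.remote_cipher):` / `    if name not in self._whitelist_ciphers:` / `        self._log(WARNING, "Insecure Cipher algorithm negotiated: {}".format(name))`. The MAC hunk that follows has the same gap with `self.local_mac` versus `self.remote_mac`. The enclosing method starts and ends outside the hunk.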
@@ -2592,6 +2650,13 @@ class Transport(threading.Thread, ClosingContextManager):
)
self.local_mac = agreed_local_macs[0]
self.remote_mac = agreed_remote_macs[0]
+
+ if not list (
+ filter(
+ self.local_mac.__contains__,
+ self._whitelist_macs)):
+ self._log(WARNING, "Insecure Mac algorithm may be used: {}".format(self.local_mac))
+
self._log_agreement(
"MAC", local=self.local_mac, remote=self.remote_mac
)
--
2.33.0