Strict key exchange support: false --
mamoona-aslam opened this issue · 1 comments
As noticed in the main.go code:

const KexStrictIndicatorClient = "kex-strict-c-v00@openssh.com"
const KexStrictIndicatorServer = "kex-strict-s-v00@openssh.com"

Shouldn't kex-strict-s-v00@openssh.com be curve25519-sha256?

Because when the scanner is run, the following is the output.

As the same issue was highlighted in an ssh-audit issue.

Can this be fixed?
No, kex-strict-s-v00@openssh.com is the indicator used to signal support for the strict key exchange countermeasure and is unrelated to curve25519-sha256. The ssh-audit issue that you linked also got that wrong. The quote there confuses the last sentence of section 1.8 of the OpenSSH PROTOCOL file (describing curve25519-sha256@openssh.com) with the beginning of section 1.9 (released as 1.10; describing strict key exchange). Those are not related.

It seems like you are scanning a Debian host with OpenSSH. As of now, Debian has not yet released OpenSSH updates targeting CVE-2023-48795 in any release other than sid. See here.
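To make the distinction in the reply concrete, here is an added example (not code from the Terrapin-Scanner project or from either participant) that parses a constructed SSH_MSG_KEXINIT payload, pulls out the kex_algorithms name-list, and reports separately whether the strict-kex indicator for the sender's role is present and whether a curve25519-sha256 variant is offered. The function names, the zero cookie and the sample name-lists are assumptions made for the example; the two indicator strings are the ones quoted from main.go above.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Indicator names from the OpenSSH PROTOCOL file (strict key exchange section).
// These are pseudo-algorithm names carried in kex_algorithms; they never get
// negotiated as an actual key exchange method.
const (
	KexStrictIndicatorClient = "kex-strict-c-v00@openssh.com"
	KexStrictIndicatorServer = "kex-strict-s-v00@openssh.com"
	msgKexInit               = 20 // SSH_MSG_KEXINIT
)

// KexInitSummary is what the example extracts from one KEXINIT payload.
type KexInitSummary struct {
	KexAlgorithms []string
	StrictKex     bool // indicator for the sender's role is present
	Curve25519    bool // a curve25519-sha256 variant is offered (independent of StrictKex)
}

// readNameList reads one SSH name-list: uint32 length + comma-separated names.
func readNameList(buf []byte, off int) ([]string, int, error) {
	if off+4 > len(buf) {
		return nil, off, errors.New("truncated name-list length")
	}
	n := int(binary.BigEndian.Uint32(buf[off:]))
	off += 4
	if off+n > len(buf) {
		return nil, off, errors.New("truncated name-list body")
	}
	s := string(buf[off : off+n])
	off += n
	if s == "" {
		return nil, off, nil // empty list (e.g. languages) is legal
	}
	return strings.Split(s, ","), off, nil
}

// ParseKexInit parses a KEXINIT payload sent by role "client" or "server".
func ParseKexInit(payload []byte, role string) (KexInitSummary, error) {
	var out KexInitSummary
	if len(payload) < 1+16 || payload[0] != msgKexInit {
		return out, errors.New("not a SSH_MSG_KEXINIT payload")
	}
	off := 1 + 16 // message type byte + 16-byte cookie
	var err error
	if out.KexAlgorithms, off, err = readNameList(payload, off); err != nil {
		return out, err
	}
	// Skip the remaining nine name-lists (host key, ciphers, MACs, compression, languages).
	for i := 0; i < 9; i++ {
		if _, off, err = readNameList(payload, off); err != nil {
			return out, err
		}
	}
	if off+1+4 > len(payload) { // first_kex_packet_follows (bool) + reserved (uint32)
		return out, errors.New("truncated KEXINIT trailer")
	}
	want := KexStrictIndicatorServer
	if role == "client" {
		want = KexStrictIndicatorClient
	}
	for _, a := range out.KexAlgorithms {
		switch a {
		case want:
			out.StrictKex = true
		case "curve25519-sha256", "curve25519-sha256@libssh.org":
			out.Curve25519 = true
		}
	}
	return out, nil
}

// BuildKexInit assembles a constructed KEXINIT payload from ten name-lists.
// The cookie is all zeros here; a real implementation uses 16 random bytes.
func BuildKexInit(lists [10]string) []byte {
	buf := []byte{msgKexInit}
	buf = append(buf, make([]byte, 16)...)
	for _, l := range lists {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(l)))
		buf = append(buf, n[:]...)
		buf = append(buf, l...)
	}
	buf = append(buf, 0)          // first_kex_packet_follows = false
	buf = append(buf, 0, 0, 0, 0) // reserved
	return buf
}

func main() {
	// Constructed sample: a server that offers curve25519-sha256 but no strict-kex indicator.
	lists := [10]string{"curve25519-sha256,ecdh-sha2-nistp256", "ssh-ed25519", "aes128-ctr", "aes128-ctr",
		"hmac-sha2-256", "hmac-sha2-256", "none", "none", "", ""}
	s, _ := ParseKexInit(BuildKexInit(lists), "server")
	fmt.Printf("without indicator: strict=%v curve25519=%v\n", s.StrictKex, s.Curve25519)
	lists[0] += "," + KexStrictIndicatorServer
	s, _ = ParseKexInit(BuildKexInit(lists), "server")
	fmt.Printf("with indicator:    strict=%v curve25519=%v\n", s.StrictKex, s.Curve25519)
}
```

The point the reply makes falls out of the two results: the first server offers curve25519-sha256 yet reports strict key exchange as false, and adding the indicator flips only that flag. Note that the role matters, since a client must look for the `-s-` indicator in the server's list and vice versa.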