warn.txt

[0;36m# security[0m
[0;33m(cve) CVE-2021-41617                        -- (CVSSv2: 7.0) privilege escalation via supplemental groups[0m
[0;33m(cve) CVE-2020-15778                        -- (CVSSv2: 7.8) command injection via anomalous argument transfers[0m
[0;33m(cve) CVE-2016-20012                        -- (CVSSv2: 5.3) enumerate usernames via challenge response[0m
[0;36m# key exchange algorithms[0m
[0;31m(kex) ecdh-sha2-nistp256                    -- [fail] using weak elliptic curves[0m
[0;31m(kex) ecdh-sha2-nistp384                    -- [fail] using weak elliptic curves[0m
[0;31m(kex) ecdh-sha2-nistp521                    -- [fail] using weak elliptic curves[0m
[0;36m# host-key algorithms[0m
[0;31m(key) ssh-rsa (3072-bit)                    -- [fail] using weak hashing algorithm[0m
[0;31m(key) ecdsa-sha2-nistp256                   -- [fail] using weak elliptic curves[0m
[0;33m                                            `- [warn] using weak random number generator could reveal the key[0m
[0;36m# message authentication code algorithms[0m
[0;33m(mac) umac-64-etm@openssh.com               -- [warn] using small 64-bit tag size[0m
[0;33m(mac) hmac-sha1-etm@openssh.com             -- [warn] using weak hashing algorithm[0m
[0;33m(mac) umac-64@openssh.com                   -- [warn] using encrypt-and-MAC mode[0m
[0;33m                                            `- [warn] using small 64-bit tag size[0m
[0;33m(mac) umac-128@openssh.com                  -- [warn] using encrypt-and-MAC mode[0m
[0;33m(mac) hmac-sha2-256                         -- [warn] using encrypt-and-MAC mode[0m
[0;33m(mac) hmac-sha2-512                         -- [warn] using encrypt-and-MAC mode[0m
[0;33m(mac) hmac-sha1                             -- [warn] using encrypt-and-MAC mode[0m
[0;33m                                            `- [warn] using weak hashing algorithm[0m
[0;36m# algorithm recommendations (for OpenSSH 8.2)[0m
[0;31m(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove [0m
[0;31m(rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove [0m
[0;31m(rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove [0m
[0;31m(rec) -ecdsa-sha2-nistp256                  -- key algorithm to remove [0m
[0;31m(rec) -ssh-rsa                              -- key algorithm to remove [0m
[0;33m(rec) -hmac-sha1                            -- mac algorithm to remove [0m
[0;33m(rec) -hmac-sha1-etm@openssh.com            -- mac algorithm to remove [0m
[0;33m(rec) -hmac-sha2-256                        -- mac algorithm to remove [0m
[0;33m(rec) -hmac-sha2-512                        -- mac algorithm to remove [0m
[0;33m(rec) -umac-128@openssh.com                 -- mac algorithm to remove [0m
[0;33m(rec) -umac-64-etm@openssh.com              -- mac algorithm to remove [0m
[0;33m(rec) -umac-64@openssh.com                  -- mac algorithm to remove [0m
[0;36m# additional info[0m
[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m