Hello community,

here is the log from the commit of package ssh-audit for openSUSE:Factory 
checked in at 2020-03-12 23:06:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ssh-audit (Old)
 and      /work/SRC/openSUSE:Factory/.ssh-audit.new.3160 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ssh-audit"

Thu Mar 12 23:06:14 2020 rev:2 rq:784062 version:2.2.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/ssh-audit/ssh-audit.changes      2020-02-04 
19:57:51.733479391 +0100
+++ /work/SRC/openSUSE:Factory/.ssh-audit.new.3160/ssh-audit.changes    
2020-03-12 23:11:40.983309163 +0100
@@ -1,0 +2,34 @@
+Wed Mar 11 18:35:53 UTC 2020 - Martin Hauke <[email protected]>
+
+- Update to version 2.2.0
+  * Marked host key type ssh-rsa as weak due to practical SHA-1
+    collisions.
+  * Added 10 new host key types:
+    ecdsa-sha2-1.3.132.0.10, x509v3-sign-dss, x509v3-sign-rsa,
+    [email protected],
+    x509v3-ssh-dss, x509v3-ssh-rsa,
+    [email protected],
+    [email protected],
+    [email protected],
+    and [email protected].
+  * Added 18 new key exchanges:
+    [email protected],
+    [email protected],
+    [email protected],
+    [email protected],
+    [email protected],
+    [email protected],
+    ecdh-sha2-curve25519, ecdh-sha2-nistb233,
+    ecdh-sha2-nistb409, ecdh-sha2-nistk163,
+    ecdh-sha2-nistk233, ecdh-sha2-nistk283,
+    ecdh-sha2-nistk409, ecdh-sha2-nistp192,
+    ecdh-sha2-nistp224, ecdh-sha2-nistt571,
+    gss-gex-sha1-, and gss-group1-sha1-.
+  * Added 9 new ciphers:
+    camellia128-cbc, camellia128-ctr, camellia192-cbc,
+    camellia192-ctr, camellia256-cbc, camellia256-ctr,
+    aes128-gcm, aes256-gcm, and chacha20-poly1305.
+  * Added 2 new MACs:
+    aes128-gcm and aes256-gcm.
+
+-------------------------------------------------------------------

Old:
----
  ssh-audit-2.1.1.tar.gz
  ssh-audit-2.1.1.tar.gz.sig

New:
----
  ssh-audit-2.2.0.tar.gz
  ssh-audit-2.2.0.tar.gz.sig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ssh-audit.spec ++++++
--- /var/tmp/diff_new_pack.oshIS4/_old  2020-03-12 23:11:41.939309540 +0100
+++ /var/tmp/diff_new_pack.oshIS4/_new  2020-03-12 23:11:41.943309542 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package ssh-audit
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,17 +12,17 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
 Name:           ssh-audit
-Version:        2.1.1
+Version:        2.2.0
 Release:        0
 Summary:        SSH server auditing
 License:        MIT
 Group:          Productivity/Security
-Url:            https://github.com/jtesta/ssh-audit
+URL:            https://github.com/jtesta/ssh-audit
 Source:         
https://github.com/jtesta/ssh-audit/releases/download/v%{version}/%{name}-%{version}.tar.gz
 Source1:        
https://github.com/jtesta/ssh-audit/releases/download/v%{version}/%{name}-%{version}.tar.gz.sig
 Source2:        %{name}.keyring

++++++ ssh-audit-2.1.1.tar.gz -> ssh-audit-2.2.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ssh-audit-2.1.1/.gitignore 
new/ssh-audit-2.2.0/.gitignore
--- old/ssh-audit-2.1.1/.gitignore      2019-11-26 17:48:18.000000000 +0100
+++ new/ssh-audit-2.2.0/.gitignore      2020-03-11 16:55:14.000000000 +0100
@@ -1,5 +1,7 @@
 *~
 *.pyc
+*.exe
+*.asc
 venv*/
 .cache/
 .tox
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ssh-audit-2.1.1/README.md 
new/ssh-audit-2.2.0/README.md
--- old/ssh-audit-2.1.1/README.md       2019-11-26 17:48:18.000000000 +0100
+++ new/ssh-audit-2.2.0/README.md       2020-03-11 16:55:14.000000000 +0100
@@ -17,6 +17,7 @@
 - output security information (related issues, assigned CVE list, etc);
 - analyze SSH version compatibility based on algorithm information;
 - historical information from OpenSSH, Dropbear SSH and libssh;
+- runs on Linux and Windows;
 - no dependencies
 
 ## Usage
@@ -55,6 +56,14 @@
 Guides to harden server & client configuration can be found here: 
[https://www.ssh-audit.com/hardening_guides.html](https://www.ssh-audit.com/hardening_guides.html)
 
 ## ChangeLog
+### v2.2.0 (2020-03-11)
+ - Marked host key type `ssh-rsa` as weak due to [practical SHA-1 
collisions](https://eprint.iacr.org/2020/014.pdf).
+ - Added Windows builds.
+ - Added 10 new host key types: `ecdsa-sha2-1.3.132.0.10`, `x509v3-sign-dss`, 
`x509v3-sign-rsa`, `[email protected]`, `x509v3-ssh-dss`, 
`x509v3-ssh-rsa`, `[email protected]`, 
`[email protected]`, `[email protected]`, 
and `[email protected]`.
+ - Added 18 new key exchanges: `[email protected]`, 
`[email protected]`, 
`[email protected]`, 
`[email protected]`, 
`[email protected]`, 
`[email protected]`, `ecdh-sha2-curve25519`, 
`ecdh-sha2-nistb233`, `ecdh-sha2-nistb409`, `ecdh-sha2-nistk163`, 
`ecdh-sha2-nistk233`, `ecdh-sha2-nistk283`, `ecdh-sha2-nistk409`, 
`ecdh-sha2-nistp192`, `ecdh-sha2-nistp224`, `ecdh-sha2-nistt571`, 
`gss-gex-sha1-`, and `gss-group1-sha1-`.
+ - Added 9 new ciphers: `camellia128-cbc`, `camellia128-ctr`, 
`camellia192-cbc`, `camellia192-ctr`, `camellia256-cbc`, `camellia256-ctr`, 
`aes128-gcm`, `aes256-gcm`, and `chacha20-poly1305`.
+ - Added 2 new MACs: `aes128-gcm` and `aes256-gcm`.
+
 ### v2.1.1 (2019-11-26)
  - Added 2 new host key types: `[email protected]`, 
`[email protected]`.
  - Added 2 new ciphers: `des`, `3des`.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ssh-audit-2.1.1/docker_test.sh 
new/ssh-audit-2.2.0/docker_test.sh
--- old/ssh-audit-2.1.1/docker_test.sh  2019-11-26 17:48:18.000000000 +0100
+++ new/ssh-audit-2.2.0/docker_test.sh  2020-03-11 16:55:14.000000000 +0100
@@ -423,18 +423,18 @@
     ./ssh-audit.py localhost:2222 > $test_result_stdout
     if [[ $? != 0 ]]; then
        echo -e "${REDB}Failed to run ssh-audit.py! (exit code: $?)${CLR}"
-       docker container stop $cid > /dev/null
+       docker container stop -t 0 $cid > /dev/null
        exit 1
     fi
 
     ./ssh-audit.py -j localhost:2222 > $test_result_json
     if [[ $? != 0 ]]; then
        echo -e "${REDB}Failed to run ssh-audit.py! (exit code: $?)${CLR}"
-       docker container stop $cid > /dev/null
+       docker container stop -t 0 $cid > /dev/null
        exit 1
     fi
 
-    docker container stop $cid > /dev/null
+    docker container stop -t 0 $cid > /dev/null
     if [[ $? != 0 ]]; then
        echo -e "${REDB}Failed to stop docker container ${cid}! (exit code: 
$?)${CLR}"
        exit 1
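Review bot: In the unchanged lines around each `docker container stop -t 0 $cid`, the failure messages print `$?` after `[[ $? != 0 ]]` has already run, so the reported exit code is that of the test itself (always 0), not of ssh-audit.py or docker. Capture the status straight after the command (`rc=$?`), then test and print `$rc`. While touching these lines, quote `"$cid"` in all three calls.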
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ssh-audit-2.1.1/pypi/notes.txt 
new/ssh-audit-2.2.0/pypi/notes.txt
--- old/ssh-audit-2.1.1/pypi/notes.txt  2019-11-26 17:48:18.000000000 +0100
+++ new/ssh-audit-2.2.0/pypi/notes.txt  2020-03-11 16:55:14.000000000 +0100
@@ -1,8 +1,8 @@
 To create package and upload to test server:
 
 # apt install virtualenv
-$ virtualenv -p /usr/bin/python3 pypi_upload
-$ cd pypi_upload; source bin/activate
+$ virtualenv -p /usr/bin/python3 /tmp/pypi_upload
+$ cd /tmp/pypi_upload; source bin/activate
 $ pip3 install twine
 $ cp -R path/to/ssh-audit .
 $ cd ssh-audit/pypi
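Review bot: `/tmp/pypi_upload` is a fixed, predictable name in a world-writable directory, and it is the environment twine is installed into and uploads from; on a shared machine another user can create that path first. Create the directory with `mktemp -d` (or use one under the maintainer's home) and pass that path to `virtualenv`. The same applies to `/tmp/pypi_test` in the next hunk.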
@@ -12,6 +12,6 @@
 
 To download from test server and verify:
 
-$ virtualenv -p /usr/bin/python3 pypi_test
-$ cd pypi_test; source bin/activate
+$ virtualenv -p /usr/bin/python3 /tmp/pypi_test
+$ cd /tmp/pypi_test; source bin/activate
 $ pip3 install --index-url https://test.pypi.org/simple ssh-audit
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ssh-audit-2.1.1/pypi/setup.py 
new/ssh-audit-2.2.0/pypi/setup.py
--- old/ssh-audit-2.1.1/pypi/setup.py   2019-11-26 17:48:18.000000000 +0100
+++ new/ssh-audit-2.2.0/pypi/setup.py   2020-03-11 16:55:14.000000000 +0100
@@ -20,7 +20,7 @@
         "console_scripts": ['ssh-audit = sshaudit.sshaudit:main']
     },
     version = version,
-    description = "An SSH server configuration security auditing tool",
+    description = "An SSH server & client configuration security auditing 
tool",
     long_description = long_descr,
     long_description_content_type = "text/markdown",
     author = "Joe Testa",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ssh-audit-2.1.1/ssh-audit.py 
new/ssh-audit-2.2.0/ssh-audit.py
--- old/ssh-audit-2.1.1/ssh-audit.py    2019-11-26 17:48:18.000000000 +0100
+++ new/ssh-audit-2.2.0/ssh-audit.py    2020-03-11 16:55:14.000000000 +0100
@@ -3,7 +3,7 @@
 """
    The MIT License (MIT)
    
-   Copyright (C) 2017-2019 Joe Testa ([email protected])
+   Copyright (C) 2017-2020 Joe Testa ([email protected])
    Copyright (C) 2017 Andris Raugulis ([email protected])
    
    Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -27,7 +27,8 @@
 from __future__ import print_function
 import base64, binascii, errno, hashlib, getopt, io, os, random, re, select, 
socket, struct, sys, json
 
-VERSION = 'v2.1.1'
+
+VERSION = 'v2.2.0'
 SSH_HEADER = 'SSH-{0}-OpenSSH_8.0' # SSH software to impersonate
 
 if sys.version_info.major < 3:
@@ -50,7 +51,7 @@
        pass
 try:  # pragma: nocover
        from colorama import init as colorama_init
-       colorama_init()  # pragma: nocover
+       colorama_init(strip=False)  # pragma: nocover
 except ImportError:  # pragma: nocover
        pass
 
@@ -151,7 +152,7 @@
                aconf = cls()
                try:
                        sopts = 'h1246p:bcnjvl:t:'
-                       lopts = ['help', 'ssh1', 'ssh2', 'ipv4', 'ipv6', 
'port', 'json',
+                       lopts = ['help', 'ssh1', 'ssh2', 'ipv4', 'ipv6', 
'port=', 'json',
                                 'batch', 'client-audit', 'no-colors', 
'verbose', 'level=', 'timeout=']
                        opts, args = getopt.gnu_getopt(args, sopts, lopts)
                except getopt.GetoptError as err:
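Review bot: The `'port'` to `'port='` correction in `lopts` arrives without a test, so the long option can regress again unnoticed; before this change `--port` was declared as taking no argument while the short form `p:` did. Add a test case that parses both `--port=2222` and `--port 2222` and checks the resulting port, next to the other long options that already end in `=` (`level=`, `timeout=`).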
@@ -339,25 +340,43 @@
                                'diffie-hellman-group1-sha1': 
[['2.3.0,d0.28,l10.2', '6.6', '6.9'], [FAIL_OPENSSH67_UNSAFE, 
FAIL_OPENSSH70_LOGJAM], [WARN_MODULUS_SIZE, WARN_HASH_WEAK]],
                                'gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==': 
[[], [FAIL_OPENSSH67_UNSAFE, FAIL_OPENSSH70_LOGJAM], [WARN_MODULUS_SIZE, 
WARN_HASH_WEAK]],
                                'gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==': [[], 
[], [WARN_HASH_WEAK]],
+                               'gss-gex-sha1-': [[], [], [WARN_HASH_WEAK]],
+                               'gss-group1-sha1-': [[], [], [WARN_HASH_WEAK]],
                                'gss-group14-sha1-': [[], [], [WARN_HASH_WEAK]],
                                'gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==': 
[[], [], [WARN_HASH_WEAK]],
                                'gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==': 
[[]],
                                'gss-group15-sha512-toWM5Slw5Ew8Mqkay+al2g==': 
[[]],
                                'diffie-hellman-group14-sha1': 
[['3.9,d0.53,l10.6.0'], [], [WARN_HASH_WEAK]],
                                'diffie-hellman-group14-sha256': 
[['7.3,d2016.73']],
+                               '[email protected]': [[]],
                                'diffie-hellman-group15-sha256': [[]],
+                               '[email protected]': [[]],
+                               '[email protected]': [[]],
                                'diffie-hellman-group15-sha512': [[]],
                                'diffie-hellman-group16-sha256': [[]],
+                               '[email protected]': [[]],
                                'diffie-hellman-group16-sha512': 
[['7.3,d2016.73']],
+                               '[email protected]': [[]],
                                'diffie-hellman-group17-sha512': [[]],
                                'diffie-hellman-group18-sha512': [['7.3']],
+                               '[email protected]': [[]],
                                'diffie-hellman-group-exchange-sha1': 
[['2.3.0', '6.6', None], [FAIL_OPENSSH67_UNSAFE], [WARN_HASH_WEAK]],
                                'diffie-hellman-group-exchange-sha256': 
[['4.4']],
                                '[email protected]': 
[[]],
                                '[email protected]': 
[[]],
+                               'ecdh-sha2-curve25519': [[], []],
+                               'ecdh-sha2-nistb233': [[], [WARN_CURVES_WEAK]],
+                               'ecdh-sha2-nistb409': [[], [WARN_CURVES_WEAK]],
+                               'ecdh-sha2-nistk163': [[], [WARN_CURVES_WEAK]],
+                               'ecdh-sha2-nistk233': [[], [WARN_CURVES_WEAK]],
+                               'ecdh-sha2-nistk283': [[], [WARN_CURVES_WEAK]],
+                               'ecdh-sha2-nistk409': [[], [WARN_CURVES_WEAK]],
+                               'ecdh-sha2-nistp192': [[], [WARN_CURVES_WEAK]],
+                               'ecdh-sha2-nistp224': [[], [WARN_CURVES_WEAK]],
                                'ecdh-sha2-nistp256': 
[['5.7,d2013.62,l10.6.0'], [WARN_CURVES_WEAK]],
                                'ecdh-sha2-nistp384': [['5.7,d2013.62'], 
[WARN_CURVES_WEAK]],
                                'ecdh-sha2-nistp521': [['5.7,d2013.62'], 
[WARN_CURVES_WEAK]],
+                               'ecdh-sha2-nistt571': [[], [WARN_CURVES_WEAK]],
                                'ecdh-sha2-1.3.132.0.10': [[]], # ECDH over 
secp256k1 (i.e.: the Bitcoin curve)
                                '[email protected]': 
[['6.5,d2013.62,l10.6.0']],
                                'curve25519-sha256': [['7.4,d2018.76']],
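Review bot: The new `'gss-group1-sha1-'` entry is graded with `[WARN_HASH_WEAK]` only, while the existing `'gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g=='` entry two lines above it carries `[FAIL_OPENSSH67_UNSAFE, FAIL_OPENSSH70_LOGJAM]` and `[WARN_MODULUS_SIZE, WARN_HASH_WEAK]`; the same group1/SHA-1 exchange should not score better because the suffix is missing. Give the prefix entry the same fail and warn lists. Two smaller points in the same block: `'ecdh-sha2-curve25519': [[], []]` has an empty second list where its neighbours use `[[]]`, and `ecdh-sha2-nistk163` and `ecdh-sha2-nistp192` get the same `WARN_CURVES_WEAK` as `ecdh-sha2-nistp521` with nothing reflecting their much smaller curve size.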
@@ -374,11 +393,17 @@
                                'rsa-sha2-512': [['7.2']],
                                'ssh-ed25519': [['6.5,l10.7.0']],
                                '[email protected]': [['6.5']],
-                               'ssh-rsa': [['2.5.0,d0.28,l10.2']],
+                               'ssh-rsa': [['2.5.0,d0.28,l10.2'], 
[WARN_HASH_WEAK]],
                                'ssh-dss': [['2.1.0,d0.28,l10.2', '6.9'], 
[FAIL_OPENSSH70_WEAK], [WARN_MODULUS_SIZE, WARN_RNDSIG_KEY]],
                                'ecdsa-sha2-nistp256': 
[['5.7,d2013.62,l10.6.4'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]],
                                'ecdsa-sha2-nistp384': 
[['5.7,d2013.62,l10.6.4'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]],
                                'ecdsa-sha2-nistp521': 
[['5.7,d2013.62,l10.6.4'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]],
+                               'ecdsa-sha2-1.3.132.0.10': [[], [], 
[WARN_RNDSIG_KEY]], # ECDSA over secp256k1 (i.e.: the Bitcoin curve)
+                               'x509v3-sign-dss': [[], [FAIL_OPENSSH70_WEAK], 
[WARN_MODULUS_SIZE, WARN_RNDSIG_KEY]],
+                               'x509v3-sign-rsa': [[], [], [WARN_HASH_WEAK]],
+                               '[email protected]': [[]],
+                               'x509v3-ssh-dss': [[], [FAIL_OPENSSH70_WEAK], 
[WARN_MODULUS_SIZE, WARN_RNDSIG_KEY]],
+                               'x509v3-ssh-rsa': [[], [], [WARN_HASH_WEAK]],
                                '[email protected]': [['5.4', 
'6.9'], [FAIL_OPENSSH70_LEGACY], []],
                                '[email protected]': [['5.4', 
'6.9'], [FAIL_OPENSSH70_LEGACY], [WARN_MODULUS_SIZE, WARN_RNDSIG_KEY]],
                                '[email protected]': [['5.6']],
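Review bot: `'ecdsa-sha2-1.3.132.0.10'` is added here, but the context lines of the next hunk show the same key already present further down with an identical value; in a dict literal the later entry silently replaces the earlier one, so one of the two should go, and the changelog should not count it among the new host key types. Also, `ssh-rsa` receives `WARN_HASH_WEAK` in the second list (reported as `[fail]` in the updated expected results), whereas `x509v3-sign-rsa` and `x509v3-ssh-rsa` receive it in the third list (`[warn]`); if SHA-1 RSA signatures are a failure for plain keys, the X.509 variants should be graded the same way, or a comment should say why not.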
@@ -390,6 +415,10 @@
                                '[email protected]': [['7.8']],
                                '[email protected]': [[]],
                                'ecdsa-sha2-1.3.132.0.10': [[], [], 
[WARN_RNDSIG_KEY]], # ECDSA over secp256k1 (i.e.: the Bitcoin curve)
+                               '[email protected]': 
[['8.2'], [WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]],
+                               '[email protected]': [['8.2'], 
[WARN_CURVES_WEAK], [WARN_RNDSIG_KEY]],
+                               '[email protected]': 
[['8.2']],
+                               '[email protected]': [['8.2']],
                        },
                        'enc': {
                                'none': [['1.2.2,d2013.56,l10.2'], 
[FAIL_PLAINTEXT]],
@@ -432,9 +461,18 @@
                                'aes128-ctr': [['3.7,d0.52,l10.4.1']],
                                'aes192-ctr': [['3.7,l10.4.1']],
                                'aes256-ctr': [['3.7,d0.52,l10.4.1']],
+                               'aes128-gcm': [[]],
+                               'aes256-gcm': [[]],
                                '[email protected]': [['6.2']],
                                '[email protected]': [['6.2']],
+                               'chacha20-poly1305': [[], [], [], 
[INFO_OPENSSH69_CHACHA]],
                                '[email protected]': [['6.5'], [], 
[], [INFO_OPENSSH69_CHACHA]],
+                               'camellia128-cbc': [[], [], [WARN_CIPHER_MODE]],
+                               'camellia128-ctr': [[]],
+                               'camellia192-cbc': [[], [], [WARN_CIPHER_MODE]],
+                               'camellia192-ctr': [[]],
+                               'camellia256-cbc': [[], [], [WARN_CIPHER_MODE]],
+                               'camellia256-ctr': [[]],
                        },
                        'mac': {
                                'none': [['d2013.56'], [FAIL_PLAINTEXT]],
@@ -475,6 +513,8 @@
                                '[email protected]': [['6.2'], [], 
[WARN_TAG_SIZE]],
                                '[email protected]': [[], [], 
[WARN_ENCRYPT_AND_MAC]], # Despite having the @openssh.com suffix, this may 
never have shipped with OpenSSH (!).
                                '[email protected]': [['6.2']],
+                               'aes128-gcm': [[]],
+                               'aes256-gcm': [[]],
                        }
                }  # type: Dict[str, Dict[str, List[List[Optional[str]]]]]
        
@@ -1761,25 +1801,27 @@
                                        rec[sshv][alg_type] = {'add': {}, 
'del': {}, 'chg': {}}
                                        for n, alg_desc in 
alg_db[alg_type].items():
                                                versions = alg_desc[0]
+                                               empty_version = False
                                                if len(versions) == 0 or 
versions[0] is None:
-                                                       continue
-                                               matches = False
-                                               if unknown_software:
-                                                       matches = True
-                                               for v in versions[0].split(','):
-                                                       ssh_prefix, 
ssh_version, is_cli = SSH.Algorithm.get_ssh_version(v)
-                                                       if not ssh_version:
-                                                               continue
-                                                       if (software is not 
None) and (ssh_prefix != software.product):
+                                                       empty_version = True
+                                               if not empty_version:
+                                                       matches = False
+                                                       if unknown_software:
+                                                               matches = True
+                                                       for v in 
versions[0].split(','):
+                                                               ssh_prefix, 
ssh_version, is_cli = SSH.Algorithm.get_ssh_version(v)
+                                                               if not 
ssh_version:
+                                                                       continue
+                                                               if (software is 
not None) and (ssh_prefix != software.product):
+                                                                       continue
+                                                               if is_cli and 
for_server:
+                                                                       continue
+                                                               if (software is 
not None) and (software.compare_version(ssh_version) < 0):
+                                                                       continue
+                                                               matches = True
+                                                               break
+                                                       if not matches:
                                                                continue
-                                                       if is_cli and 
for_server:
-                                                               continue
-                                                       if (software is not 
None) and (software.compare_version(ssh_version) < 0):
-                                                               continue
-                                                       matches = True
-                                                       break
-                                               if not matches:
-                                                       continue
                                                adl, faults = len(alg_desc), 0
                                                for i in range(1, 3):
                                                        if not adl > i:
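Review bot: `empty_version` is introduced at the top of the loop body without a comment, and its purpose is only visible from the `or empty_version` condition in the next hunk. Add a comment above `empty_version = False` stating that entries with no version history are no longer skipped, so they can be counted for faults and recommended for removal, but must never be suggested for addition. The version-matching loop is now nested one level deeper purely to carry the flag; moving it into a small helper that returns `matches` would keep the body flat.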
@@ -1788,13 +1830,13 @@
                                                        if fc > 0:
                                                                faults += 
pow(10, 2 - i) * fc
                                                if n not in alg_list:
-                                                       if faults > 0 or 
(alg_type == 'key' and '-cert-' in n):
+                                                       if faults > 0 or 
(alg_type == 'key' and '-cert-' in n) or empty_version:
                                                                continue
                                                        
rec[sshv][alg_type]['add'][n] = 0
                                                else:
                                                        if faults == 0:
                                                                continue
-                                                       if n in 
['diffie-hellman-group-exchange-sha256', 'ssh-rsa', 'rsa-sha2-256', 
'rsa-sha2-512', '[email protected]']:
+                                                       if n in 
['diffie-hellman-group-exchange-sha256', 'rsa-sha2-256', 'rsa-sha2-512', 
'[email protected]']:
                                                                
rec[sshv][alg_type]['chg'][n] = faults
                                                        else:
                                                                
rec[sshv][alg_type]['del'][n] = faults
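Review bot: With `'ssh-rsa'` removed from the list in the `else` branch, an offered `ssh-rsa` with faults now falls through to `del`, yet the expected results later in this patch are not consistent with that: dropbear_2019.78_test1.txt, openssh_4.0p1_test1.txt and openssh_5.6p1_test1.txt lose `(rec) !ssh-rsa` without gaining `(rec) -ssh-rsa`, while openssh_5.6p1_test2.txt and openssh_5.6p1_test3.txt do gain it. State in a comment here what suppresses the removal recommendation in the test1 cases, so that a 1024-bit `ssh-rsa` host key marked `[fail]` does not end up with no recommendation by accident. The inline list of names would also be easier to audit as a named constant.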
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/ssh-audit-2.1.1/test/docker/expected_results/dropbear_2019.78_test1.txt 
new/ssh-audit-2.2.0/test/docker/expected_results/dropbear_2019.78_test1.txt
--- old/ssh-audit-2.1.1/test/docker/expected_results/dropbear_2019.78_test1.txt 
2019-11-26 17:48:18.000000000 +0100
+++ new/ssh-audit-2.2.0/test/docker/expected_results/dropbear_2019.78_test1.txt 
2020-03-11 16:55:14.000000000 +0100
@@ -22,7 +22,8 @@
 (key) ecdsa-sha2-nistp256            -- [fail] using weak elliptic 
curves
                                      `- [warn] using weak random number 
generator could reveal the key
                                      `- [info] available since OpenSSH 5.7, 
Dropbear SSH 2013.62
-(key) ssh-rsa (1024-bit)             -- [fail] using small 1024-bit 
modulus
+(key) ssh-rsa (1024-bit)             -- [fail] using weak hashing 
algorithm
+                                     `- [warn] using small 1024-bit 
modulus
                                      `- [info] available since OpenSSH 2.5.0, 
Dropbear SSH 0.28
 (key) ssh-dss                        -- [fail] removed (in server) and 
disabled (in client) since OpenSSH 7.0, weak algorithm
                                      `- [warn] using small 1024-bit 
modulus
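Review bot: On the `ssh-rsa (1024-bit)` line the modulus finding drops from `[fail] using small 1024-bit modulus` to `[warn] using small 1024-bit modulus` once the weak-hash failure is listed first. A 1024-bit RSA host key is a failure in its own right, and the certificate line in openssh_5.6p1_test2.txt still reports the same condition as `[fail]`. Keep the modulus finding at `[fail]` alongside the new hash finding, or document why it is demoted when another failure is present.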
@@ -63,7 +64,6 @@
 (fin) ssh-rsa: SHA256:CDfAU12pjQS7/91kg7gYacza0U/6PDbE04Ic3IpYxkM
 
 # algorithm recommendations (for Dropbear SSH 2019.78)
-(rec) !ssh-rsa                       -- key algorithm to change 
(increase modulus size to 2048 bits or larger) 
 (rec) -3des-cbc                      -- enc algorithm to remove 
 (rec) -3des-ctr                      -- enc algorithm to remove 
 (rec) -aes128-cbc                    -- enc algorithm to remove 
@@ -71,7 +71,6 @@
 (rec) -ecdh-sha2-nistp256            -- kex algorithm to remove 
 (rec) -ecdh-sha2-nistp384            -- kex algorithm to remove 
 (rec) -ecdh-sha2-nistp521            -- kex algorithm to remove 
-(rec) -ecdsa-sha2-nistp256           -- key algorithm to remove 
 (rec) -hmac-sha1-96                  -- mac algorithm to remove 
 (rec) -ssh-dss                       -- key algorithm to remove 
 (rec) +diffie-hellman-group16-sha512 -- kex algorithm to append 
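Review bot: `(rec) -ecdsa-sha2-nistp256` disappears from the recommendations although the host-key section of this same file still lists `ecdsa-sha2-nistp256` as `[fail] using weak elliptic curves`, and none of the visible ssh-audit.py changes touch that entry's fault lists. Confirm this is intended and, if so, add a comment in the recommendation code explaining which condition now withholds the removal; otherwise restore the line.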
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/ssh-audit-2.1.1/test/docker/expected_results/openssh_4.0p1_test1.txt 
new/ssh-audit-2.2.0/test/docker/expected_results/openssh_4.0p1_test1.txt
--- old/ssh-audit-2.1.1/test/docker/expected_results/openssh_4.0p1_test1.txt    
2019-11-26 17:48:18.000000000 +0100
+++ new/ssh-audit-2.2.0/test/docker/expected_results/openssh_4.0p1_test1.txt    
2020-03-11 16:55:14.000000000 +0100
@@ -38,7 +38,8 @@
                                           `- [info] available since OpenSSH 
2.3.0, Dropbear SSH 0.28
 
 # host-key algorithms
-(key) ssh-rsa (1024-bit)                  -- [fail] using small 
1024-bit modulus
+(key) ssh-rsa (1024-bit)                  -- [fail] using weak hashing 
algorithm
+                                          `- [warn] using small 
1024-bit modulus
                                           `- [info] available since OpenSSH 
2.5.0, Dropbear SSH 0.28
 (key) ssh-dss                             -- [fail] removed (in server) 
and disabled (in client) since OpenSSH 7.0, weak algorithm
                                           `- [warn] using small 
1024-bit modulus
@@ -116,7 +117,6 @@
 (fin) ssh-rsa: SHA256:YZ457EBcJTSxRKI3yXRgtAj3PBf5B9/F36b1SVooml4
 
 # algorithm recommendations (for OpenSSH 4.0)
-(rec) !ssh-rsa                            -- key algorithm to change 
(increase modulus size to 2048 bits or larger) 
 (rec) -3des-cbc                           -- enc algorithm to remove 

 (rec) -aes128-cbc                         -- enc algorithm to remove 

 (rec) -aes192-cbc                         -- enc algorithm to remove 

diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/ssh-audit-2.1.1/test/docker/expected_results/openssh_5.6p1_test1.txt 
new/ssh-audit-2.2.0/test/docker/expected_results/openssh_5.6p1_test1.txt
--- old/ssh-audit-2.1.1/test/docker/expected_results/openssh_5.6p1_test1.txt    
2019-11-26 17:48:18.000000000 +0100
+++ new/ssh-audit-2.2.0/test/docker/expected_results/openssh_5.6p1_test1.txt    
2020-03-11 16:55:14.000000000 +0100
@@ -32,7 +32,8 @@
                                             `- [info] available since OpenSSH 
2.3.0, Dropbear SSH 0.28
 
 # host-key algorithms
-(key) ssh-rsa (1024-bit)                    -- [fail] using small 
1024-bit modulus
+(key) ssh-rsa (1024-bit)                    -- [fail] using weak 
hashing algorithm
+                                            `- [warn] using small 
1024-bit modulus
                                             `- [info] available since OpenSSH 
2.5.0, Dropbear SSH 0.28
 (key) ssh-dss                               -- [fail] removed (in 
server) and disabled (in client) since OpenSSH 7.0, weak algorithm
                                             `- [warn] using small 
1024-bit modulus
@@ -122,7 +123,6 @@
 
 # algorithm recommendations (for OpenSSH 5.6)
 (rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change 
(increase modulus size to 2048 bits or larger) 
-(rec) !ssh-rsa                              -- key algorithm to change 
(increase modulus size to 2048 bits or larger) 
 (rec) -3des-cbc                             -- enc algorithm to remove 

 (rec) -aes128-cbc                           -- enc algorithm to remove 

 (rec) -aes192-cbc                           -- enc algorithm to remove 

diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/ssh-audit-2.1.1/test/docker/expected_results/openssh_5.6p1_test2.txt 
new/ssh-audit-2.2.0/test/docker/expected_results/openssh_5.6p1_test2.txt
--- old/ssh-audit-2.1.1/test/docker/expected_results/openssh_5.6p1_test2.txt    
2019-11-26 17:48:18.000000000 +0100
+++ new/ssh-audit-2.2.0/test/docker/expected_results/openssh_5.6p1_test2.txt    
2020-03-11 16:55:14.000000000 +0100
@@ -32,7 +32,8 @@
                                             `- [info] available since OpenSSH 
2.3.0, Dropbear SSH 0.28
 
 # host-key algorithms
-(key) ssh-rsa (1024-bit)                    -- [fail] using small 
1024-bit modulus
+(key) ssh-rsa (1024-bit)                    -- [fail] using weak 
hashing algorithm
+                                            `- [warn] using small 
1024-bit modulus
                                             `- [info] available since OpenSSH 
2.5.0, Dropbear SSH 0.28
 (key) [email protected] (1024-bit cert/1024-bit CA) -- 
[fail] using small 1024-bit modulus
                                                                `- [info] 
available since OpenSSH 5.6
@@ -120,7 +121,6 @@
 
 # algorithm recommendations (for OpenSSH 5.6)
 (rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change 
(increase modulus size to 2048 bits or larger) 
-(rec) !ssh-rsa                              -- key algorithm to change 
(increase modulus size to 2048 bits or larger) 
 (rec) [email protected]         -- key algorithm to change 
(increase modulus size to 2048 bits or larger) 
 (rec) -3des-cbc                             -- enc algorithm to remove 

 (rec) -aes128-cbc                           -- enc algorithm to remove 

@@ -139,6 +139,7 @@
 (rec) [email protected]           -- mac algorithm to remove 

 (rec) -hmac-sha1-96                         -- mac algorithm to remove 

 (rec) [email protected]          -- enc algorithm to remove 

+(rec) -ssh-rsa                              -- key algorithm to remove 

 (rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 

 
 # additional info
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/ssh-audit-2.1.1/test/docker/expected_results/openssh_5.6p1_test3.txt 
new/ssh-audit-2.2.0/test/docker/expected_results/openssh_5.6p1_test3.txt
--- old/ssh-audit-2.1.1/test/docker/expected_results/openssh_5.6p1_test3.txt    
2019-11-26 17:48:18.000000000 +0100
+++ new/ssh-audit-2.2.0/test/docker/expected_results/openssh_5.6p1_test3.txt    
2020-03-11 16:55:14.000000000 +0100
@@ -32,7 +32,8 @@
                                             `- [info] available since OpenSSH 
2.3.0, Dropbear SSH 0.28
 
 # host-key algorithms
-(key) ssh-rsa (1024-bit)                    -- [fail] using small 
1024-bit modulus
+(key) ssh-rsa (1024-bit)                    -- [fail] using weak 
hashing algorithm
+                                            `- [warn] using small 
1024-bit modulus
                                             `- [info] available since OpenSSH 
2.5.0, Dropbear SSH 0.28
 (key) [email protected] (1024-bit cert/3072-bit CA) -- 
[fail] using small 1024-bit modulus
                                                                `- [info] 
available since OpenSSH 5.6
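Review bot: on the `ssh-rsa (1024-bit)` line the 1024-bit modulus finding drops from [fail] to [warn] once the weak-hash finding takes the first slot, while the certificate line right below still reports "using small 1024-bit modulus" as [fail]. The same key size now carries two severities in one report. Either keep the modulus finding at [fail] under ssh-rsa, or document that only the first finding per algorithm carries the [fail] label, so that anyone filtering the output on [fail] does not miss the short key.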
@@ -120,7 +121,6 @@
 
 # algorithm recommendations (for OpenSSH 5.6)
 (rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change 
(increase modulus size to 2048 bits or larger) 
-(rec) !ssh-rsa                              -- key algorithm to change 
(increase modulus size to 2048 bits or larger) 
 (rec) [email protected]         -- key algorithm to change 
(increase modulus size to 2048 bits or larger) 
 (rec) -3des-cbc                             -- enc algorithm to remove 

 (rec) -aes128-cbc                           -- enc algorithm to remove 

@@ -139,6 +139,7 @@
 (rec) [email protected]           -- mac algorithm to remove 

 (rec) -hmac-sha1-96                         -- mac algorithm to remove 

 (rec) [email protected]          -- enc algorithm to remove 

+(rec) -ssh-rsa                              -- key algorithm to remove 

 (rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 

 
 # additional info
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/ssh-audit-2.1.1/test/docker/expected_results/openssh_5.6p1_test4.txt 
new/ssh-audit-2.2.0/test/docker/expected_results/openssh_5.6p1_test4.txt
--- old/ssh-audit-2.1.1/test/docker/expected_results/openssh_5.6p1_test4.txt    
2019-11-26 17:48:18.000000000 +0100
+++ new/ssh-audit-2.2.0/test/docker/expected_results/openssh_5.6p1_test4.txt    
2020-03-11 16:55:14.000000000 +0100
@@ -32,7 +32,8 @@
                                             `- [info] available since OpenSSH 
2.3.0, Dropbear SSH 0.28
 
 # host-key algorithms
-(key) ssh-rsa (3072-bit)                    -- [info] available since 
OpenSSH 2.5.0, Dropbear SSH 0.28
+(key) ssh-rsa (3072-bit)                    -- [fail] using weak 
hashing algorithm
+                                            `- [info] available since OpenSSH 
2.5.0, Dropbear SSH 0.28
 (key) [email protected] (3072-bit cert/1024-bit CA) -- 
[fail] using small 1024-bit modulus
                                                                `- [info] 
available since OpenSSH 5.6
 
@@ -137,6 +138,7 @@
 (rec) [email protected]           -- mac algorithm to remove 

 (rec) -hmac-sha1-96                         -- mac algorithm to remove 

 (rec) [email protected]          -- enc algorithm to remove 

+(rec) -ssh-rsa                              -- key algorithm to remove 

 (rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 

 
 # additional info
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/ssh-audit-2.1.1/test/docker/expected_results/openssh_5.6p1_test5.txt 
new/ssh-audit-2.2.0/test/docker/expected_results/openssh_5.6p1_test5.txt
--- old/ssh-audit-2.1.1/test/docker/expected_results/openssh_5.6p1_test5.txt    
2019-11-26 17:48:18.000000000 +0100
+++ new/ssh-audit-2.2.0/test/docker/expected_results/openssh_5.6p1_test5.txt    
2020-03-11 16:55:14.000000000 +0100
@@ -32,7 +32,8 @@
                                             `- [info] available since OpenSSH 
2.3.0, Dropbear SSH 0.28
 
 # host-key algorithms
-(key) ssh-rsa (3072-bit)                    -- [info] available since 
OpenSSH 2.5.0, Dropbear SSH 0.28
+(key) ssh-rsa (3072-bit)                    -- [fail] using weak 
hashing algorithm
+                                            `- [info] available since OpenSSH 
2.5.0, Dropbear SSH 0.28
 (key) [email protected] (3072-bit cert/3072-bit CA) -- 
[info] available since OpenSSH 5.6
 
 # encryption algorithms (ciphers)
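Review bot: a 3072-bit ssh-rsa host key moves from a clean [info] to [fail] here with the text "using weak hashing algorithm", which names neither the hash nor the reason. The changelog for this release attributes the change to practical SHA-1 collisions; putting "SHA-1" in the message would let an operator see why a key of adequate size is now failing.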
@@ -135,6 +136,7 @@
 (rec) [email protected]           -- mac algorithm to remove 

 (rec) -hmac-sha1-96                         -- mac algorithm to remove 

 (rec) [email protected]          -- enc algorithm to remove 

+(rec) -ssh-rsa                              -- key algorithm to remove 

 (rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 

 
 # additional info
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/ssh-audit-2.1.1/test/docker/expected_results/openssh_8.0p1_test1.txt 
new/ssh-audit-2.2.0/test/docker/expected_results/openssh_8.0p1_test1.txt
--- old/ssh-audit-2.1.1/test/docker/expected_results/openssh_8.0p1_test1.txt    
2019-11-26 17:48:18.000000000 +0100
+++ new/ssh-audit-2.2.0/test/docker/expected_results/openssh_8.0p1_test1.txt    
2020-03-11 16:55:14.000000000 +0100
@@ -23,7 +23,8 @@
 # host-key algorithms
 (key) rsa-sha2-512 (3072-bit)               -- [info] available since 
OpenSSH 7.2
 (key) rsa-sha2-256 (3072-bit)               -- [info] available since 
OpenSSH 7.2
-(key) ssh-rsa (3072-bit)                    -- [info] available since 
OpenSSH 2.5.0, Dropbear SSH 0.28
+(key) ssh-rsa (3072-bit)                    -- [fail] using weak 
hashing algorithm
+                                            `- [info] available since OpenSSH 
2.5.0, Dropbear SSH 0.28
 (key) ecdsa-sha2-nistp256                   -- [fail] using weak 
elliptic curves
                                             `- [warn] using weak random 
number generator could reveal the key
                                             `- [info] available since OpenSSH 
5.7, Dropbear SSH 2013.62
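Review bot: the new [fail] on `ssh-rsa (3072-bit)` sits directly under `rsa-sha2-512 (3072-bit)` and `rsa-sha2-256 (3072-bit)`, both still [info], so the fixture itself shows that the RSA key size is acceptable and only the signature hash differs. The expected output gives no hint of that, and the paired recommendation later in this file reads "key algorithm to remove". Suggest wording that makes clear the ssh-rsa algorithm name is what should be disabled, and that the host key can stay in use under the rsa-sha2-* names.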
@@ -68,6 +69,7 @@
 (rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove 

 (rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove 

 (rec) -ecdsa-sha2-nistp256                  -- key algorithm to remove 

+(rec) -ssh-rsa                              -- key algorithm to remove 

 (rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 

 (rec) -hmac-sha1                            -- mac algorithm to remove 

 (rec) [email protected]            -- mac algorithm to remove 

diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/ssh-audit-2.1.1/test/docker/expected_results/openssh_8.0p1_test2.txt 
new/ssh-audit-2.2.0/test/docker/expected_results/openssh_8.0p1_test2.txt
--- old/ssh-audit-2.1.1/test/docker/expected_results/openssh_8.0p1_test2.txt    
2019-11-26 17:48:18.000000000 +0100
+++ new/ssh-audit-2.2.0/test/docker/expected_results/openssh_8.0p1_test2.txt    
2020-03-11 16:55:14.000000000 +0100
@@ -63,7 +63,6 @@
 (rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove 

 (rec) +rsa-sha2-256                         -- key algorithm to append 

 (rec) +rsa-sha2-512                         -- key algorithm to append 

-(rec) +ssh-rsa                              -- key algorithm to append 

 (rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 

 (rec) -hmac-sha1                            -- mac algorithm to remove 

 (rec) [email protected]            -- mac algorithm to remove 

diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/ssh-audit-2.1.1/test/docker/expected_results/openssh_8.0p1_test3.txt 
new/ssh-audit-2.2.0/test/docker/expected_results/openssh_8.0p1_test3.txt
--- old/ssh-audit-2.1.1/test/docker/expected_results/openssh_8.0p1_test3.txt    
2019-11-26 17:48:18.000000000 +0100
+++ new/ssh-audit-2.2.0/test/docker/expected_results/openssh_8.0p1_test3.txt    
2020-03-11 16:55:14.000000000 +0100
@@ -35,5 +35,4 @@
 (rec) +diffie-hellman-group18-sha512        -- kex algorithm to append 

 (rec) +rsa-sha2-256                         -- key algorithm to append 

 (rec) +rsa-sha2-512                         -- key algorithm to append 

-(rec) +ssh-rsa                              -- key algorithm to append 

 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ssh-audit-2.1.1/windows_build.txt 
new/ssh-audit-2.2.0/windows_build.txt
--- old/ssh-audit-2.1.1/windows_build.txt       1970-01-01 01:00:00.000000000 
+0100
+++ new/ssh-audit-2.2.0/windows_build.txt       2020-03-11 16:55:14.000000000 
+0100
@@ -0,0 +1,17 @@
+Below are notes for creating a Windows executable.
+
+An executable can only be made on a Windows host because the PyInstaller tool 
(https://www.pyinstaller.org/) does not support cross-compilation.
+
+On a Windows machine, do the following:
+
+1.) Install Python v3.7.x from https://www.python.org/.  (As of this writing 
v3.8.0 isn't supported.)  To make life easier, check the option to add Python 
to the PATH environment variable.
+
+2.) Using pip, install pyinstaller and colorama:
+
+    pip install pyinstaller colorama
+
+3.) Create the executable with:
+
+    pyinstaller -F --icon windows_icon.ico ssh-audit.py
+
+4.) The 'dist' folder will have the resulting ssh-audit.exe.
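Review bot: step 2 runs `pip install pyinstaller colorama` with no version pins or hash checking, so each build of ssh-audit.exe bundles whatever releases are current that day. For a binary that is handed to other people, pin both packages to exact versions (ideally through a requirements file installed with pip's `--require-hashes`), and add a step that records a checksum of the resulting ssh-audit.exe so users can verify what they received. Step 1 already restricts Python to v3.7.x; the build dependencies deserve the same treatment.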
Binary files old/ssh-audit-2.1.1/windows_icon.ico and 
new/ssh-audit-2.2.0/windows_icon.ico differ


