I'd like to write a monitoring plugin that checks various hosts on my network to make sure that password or interactive SSH authentication is not enabled. That is, I need to write code that:
- Connects to an SSH port.
- Enumerates available authentication methods.
- Verifies that only key based authentication is possible.
Methods using either python or bourne sh code (using ssh
) is most interesting to me, but other languages, libraries or hints are appreciated too.
I'm currently building one myself, however, you can force ssh to output (to STDERR) the supported methods by using the PreferredAuthentications option. This can easily be parsed with grep/python/language of choice.
HostA$ ssh -o PreferredAuthentications=none HostB
Permission denied (publickey,gssapi-with-mic).
HostA$ ssh -o PreferredAuthentications=none HostC
Permission denied (publickey,gssapi-with-mic,password,keyboard-interactive,hostbased).
RFC 4252, which defines authentication in SSH, says the following:
Authentication methods are identified by their name, as defined in
[SSH-ARCH]. The "none" method is reserved, and MUST NOT be listed as
supported. However, it MAY be sent by the client. The server MUST
always reject this request, unless the client is to be granted access
without any authentication, in which case, the server MUST accept
this request. The main purpose of sending this request is to get the
list of supported methods from the server.
So you can send a request for none authentication to get the list of supported ones.
However, authentication itself occurs after certain lower-level actions take place (key exchange is one of them) so you might need to write a part of SSH protocol in sh script, which is probably a non-trivial task.
You can now use the nmap
built-in NSE script called ssh-auth-methods to do this:
# nmap -p 22 --script ssh-auth-methods 192.168.1.2
Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-26 00:56 GMT
Nmap scan report for 192.168.1.2
Host is up (0.027s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ keyboard-interactive
MAC Address: AA:BB:CC:DD:EE:FF (Apple)
Nmap done: 1 IP address (1 host up) scanned in 2.40 seconds
In addition, someone has made a similar python3 script.
If you need *nix solution, you can also hook into OpenSSH sources.
If Windows suitable for you - you can also try some .NET commercial libraries, they are much handier than OpenSSH sources :)