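#!/usr/bin/env bash
#
# checkSshServerPqCryptoConfig
#
# Report whether the local SSH server offers a post-quantum (hybrid) key
# exchange. Only OpenSSH can be inspected at runtime: `sshd -T` prints the
# effective configuration, but needs root to read the host keys, hence sudo.
# Dropbear is detected but cannot be queried, so it is reported as an error.
#
# Only the KexAlgorithms setting is inspected; the verdict says nothing about
# the other algorithm settings of the server.
#
# Exit status:
#   0  a verdict was printed
#   1  Dropbear found (no runtime kex configuration)
#   2  no supported SSH server found
#   3  the effective OpenSSH configuration could not be read
set -u

# Location of the OpenSSH daemon. Its version banner goes to stderr, which is
# why stderr is merged into the grep below.
readonly SSHD_BIN=/sbin/sshd

#######################################
# Print a verdict for a comma-separated KexAlgorithms list.
# Arguments: $1 - the list as reported by `sshd -T`
# Outputs:   one line on stdout
#######################################
grade_kex() {
  local kex=$1
  # Exact matches (PQ-only) are tested before the substring patterns so that a
  # list containing non-PQ fallbacks gets the weaker verdict.
  case "${kex}" in
    mlkem768x25519-sha256)
      echo "Excellent! Found ${kex} ONLY, this is the most secure!"
      ;;
    *mlkem768x25519-sha256*)
      echo "Good! Found ${kex}. But consider removing the rest ASAP!"
      ;;
    sntrup761x25519-sha512)
      echo "Good enough! Found ${kex} ONLY, which is good enough for now. Consider upgrading when possible!"
      ;;
    *sntrup761x25519-sha512*)
      echo "Good enough! Found ${kex}. Consider upgrading when possible & removing non-PQ options!"
      ;;
    *)
      echo "Warning! Found ${kex}, upgrade ASAP!"
      ;;
  esac
}

#######################################
# Detect the SSH server, read its effective kex list and grade it.
# Globals:   SSHD_BIN (read)
# Outputs:   detection and verdict messages on stdout, errors on stderr
# Returns:   see the exit status table at the top of the file
#######################################
main() {
  local result
  if test -f "${SSHD_BIN}" && "${SSHD_BIN}" -V 2>&1 | grep -q OpenSSH; then
    # OpenSSH
    # See https://www.openssh.org/pq.html
    # Since release 9.0 (April 2022), the `sntrup761x25519-sha512` is available.
    # Since 10.0 the new default is `mlkem768x25519-sha256`, this second one is preferred.
    echo "Detected OpenSSH"
    # Use the binary that was just detected rather than a PATH lookup under sudo.
    result=$(sudo "${SSHD_BIN}" -T | awk '/^kexalgorithms/{ print $2}')
    # An empty result means sudo or sshd -T failed; don't grade an empty list.
    if [[ -z "${result}" ]]; then
      echo "ERROR: Couldn't read the effective sshd configuration (sudo ${SSHD_BIN} -T)." >&2
      exit 3
    fi
  elif command -v dropbear >/dev/null 2>&1; then
    echo "Detected Dropbear"
    echo "ERROR: Dropbear doesn't support runtime configuration of allowed kexalgorithms!" >&2
    echo "You can configure that in compile time or switch to OpenSSH." >&2
    # The original used `exit -1`; negative codes are not portable.
    exit 1
  else
    echo "ERROR: Couldn't find any supported SSH server." >&2
    exit 2
  fi
  grade_kex "${result}"
}

main "$@"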