OpenVAS Change Request #54: Improve SSH Support
Status: Voted +4. In progress.
Improve SSH support in OpenVAS Libraries by using a library.
The current support for SSH connections in OpenVAS is split between OpenVAS Libraries, which supplies basic cryptographic functions with the help of the GnuTLS library, and NASL libraries like ssh_func.inc, which provide functionality for establishing an SSH connection through a network socket.
This implementation has a number of drawbacks:
- The fragmentation between OpenVAS Libraries and the support code in NASL makes this solution difficult to maintain. Fixing errors or adding new functionality requires a deep understanding of the current implementation and of the SSH protocol itself.
- The current implementation is severely limited and supports only one encryption algorithm (Blowfish) and only one MAC algorithm (SHA1). If the remote SSH server does not offer exactly this combination, no SSH connection can be established.
- There are a number of issues with the current implementation which limit functionality in other ways, for example public keys having to be PKCS #8 encoded, certain passphrases not working, or incompatibilities with recent GnuTLS versions. Fixing these issues in the current implementation is not practical for some of them and would require large amounts of work for the others.
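To make the second drawback concrete: in SSH the client and server each send an SSH_MSG_KEXINIT carrying name-lists of supported algorithms, and RFC 4253 section 7.1 requires the chosen algorithm to be the first entry on the client's list that also appears on the server's list. A client that only ever lists one cipher and one MAC therefore fails against any server that has dropped them. The example below is an added illustration, not OpenVAS or libssh2 code: it serialises and parses KEXINIT payloads and runs the negotiation rule over three constructed name-list sets (a single-algorithm "legacy" client, a "library" client with a broader, assumed list, and a server that no longer offers Blowfish). The algorithm names are the standard SSH identifiers; the specific lists, and the simplified KEX rule that ignores host-key compatibility, are assumptions for the example.

```python
"""
SSH algorithm negotiation per RFC 4253, section 7.1.

Added example, not OpenVAS or libssh2 code.  All KEXINIT payloads below
are constructed for the illustration; the algorithm names are standard
SSH names, the particular lists are assumed.
"""
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of a KEXINIT message, in wire order.
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def build_kexinit(lists, cookie=bytes(16)):
    """Serialise a KEXINIT payload: message byte, 16-byte cookie, name-lists,
    first_kex_packet_follows flag and reserved uint32.  A real client uses a
    random cookie; a zero cookie is enough for an offline example."""
    out = bytearray([SSH_MSG_KEXINIT]) + cookie
    for field in FIELDS:
        names = ",".join(lists.get(field, ())).encode("ascii")
        out += struct.pack(">I", len(names)) + names   # name-list = uint32 length + names
    out += b"\x00"                # first_kex_packet_follows = FALSE
    out += struct.pack(">I", 0)   # reserved for future extension
    return bytes(out)


def parse_kexinit(payload):
    """Parse a KEXINIT payload back into a dict of name-lists, bounds-checked."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16  # skip message byte and cookie
    lists = {}
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length for %s" % field)
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list for %s" % field)
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        lists[field] = [n for n in raw.split(",") if n]
    if pos + 5 != len(payload):   # boolean + reserved uint32 must remain
        raise ValueError("bad KEXINIT trailer")
    return lists


def negotiate(client, server):
    """RFC 4253 7.1: the chosen algorithm is the first entry on the client's
    list that the server also lists.  Client preference order wins.  No match
    for any list means the connection cannot proceed.  (KEX is simplified: the
    host-key compatibility condition of the RFC is not modelled.)"""
    chosen = {}
    for field in FIELDS[:8]:  # language lists are optional and not negotiated here
        match = next((a for a in client[field] if a in server[field]), None)
        if match is None:
            raise ValueError("no common %s algorithm (client: %s, server: %s)"
                             % (field, ",".join(client[field]), ",".join(server[field])))
        chosen[field] = match
    return chosen


def negotiation_error(client_payload, server_payload):
    """Return None if the two KEXINIT payloads negotiate, else the reason."""
    try:
        negotiate(parse_kexinit(client_payload), parse_kexinit(server_payload))
        return None
    except ValueError as exc:
        return str(exc)


# Constructed payloads.  The legacy client mirrors the one-cipher, one-MAC
# limitation described above; the library client's list is an assumption.
LEGACY_CLIENT = build_kexinit({
    "kex": ["diffie-hellman-group1-sha1"], "hostkey": ["ssh-rsa", "ssh-dss"],
    "enc_c2s": ["blowfish-cbc"], "enc_s2c": ["blowfish-cbc"],
    "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})
LIBRARY_CLIENT = build_kexinit({
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-rsa", "ssh-dss"],
    "enc_c2s": ["aes128-ctr", "aes256-ctr", "blowfish-cbc"],
    "enc_s2c": ["aes128-ctr", "aes256-ctr", "blowfish-cbc"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"], "mac_s2c": ["hmac-sha2-256", "hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})
# A server that still accepts group1 and hmac-sha1 but has dropped Blowfish.
SERVER = build_kexinit({
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-rsa"],
    "enc_c2s": ["aes256-ctr", "aes128-ctr"], "enc_s2c": ["aes256-ctr", "aes128-ctr"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"], "mac_s2c": ["hmac-sha2-256", "hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})

if __name__ == "__main__":
    print("legacy client :", negotiation_error(LEGACY_CLIENT, SERVER))
    print("library client:", negotiate(parse_kexinit(LIBRARY_CLIENT), parse_kexinit(SERVER)))
```

Run stand-alone, the legacy client fails at the client-to-server cipher list even though key exchange, host key and MAC would all have matched; the library client negotiates aes128-ctr with hmac-sha2-256 because its own preference order is applied first. Any scanner component that hard-codes a single cipher and MAC is exposed to exactly this failure as target hosts tighten their configurations.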
This change request proposes establishing an alternative SSH functionality which will be compatible with the current implementation from the NVT point of view and will ultimately replace the current implementation.
The most promising approach for obtaining an alternative SSH functionality is using an existing, well-maintained library. Early tests with libssh2 have shown good results.
A major effect of this change would be an increase in compatibility with SSH targets and more reliable SSH functionality.
A side effect would be adding one more dependency to OpenVAS Libraries and a future loss of SSH functionality on systems that cannot provide this dependency. However, the current versions of all major GNU/Linux distributions provide this dependency.
Design and Implementation
A first step will be adding a new set of NASL commands that access the SSH functionality provided by the SSH library instead of the current implementation. NVTs can then decide at the NASL level which implementation they wish to use, so existing NVTs keep working unchanged while new or migrated NVTs use the library-backed commands.
- 2011-05-30 Michael Wiegand <michael.wiegand at greenbone dot net>:
Updated status with voting results.
- 2011-05-02 Michael Wiegand <michael.wiegand at greenbone dot net>: