A Python 3 script that returns a list of the authentication methods supported by an SSH server.
No non-standard Python packages are required.
WARNING: The IP address that you run this script on can get blocked or even blacklisted! Use with caution. (See the Warnings section below for more info).
The next two subsections assume that you're using this as a stand-alone shell script. The functions can be imported to Python 3 code. See the section Library for a discussion of this.
The script reads from standard input. To test Google, you can simply use:
echo 'google.com' | python3 ssh_auth_methods.py
The input can be domain names or IP addresses.
Multiple inputs are expected to be line-delimited. To test each in a file of line-delimited addresses, simply use:
python3 ssh_auth_methods.py < my_addrs.txt
The ouput is printed to standard output, one address per line. Each line is tab-delimited, with the supplied address as its first field, followed by each authentication method supported by the corresponding SSH server.
Nothing is printed after the address if the address could not be resolved, the request timed out, or that there was an error parsing the response received.
If the --verbose option is supplied on the command line (the only
command line option currently supported) these causes of failure will
be printed to standard error. For example, if you want the results
stored in stdout_results.txt and the error descriptions stored in
stderr_results.txt, you can use:
python3 ssh_auth_methods.py --verbose < my_addrs.txt > stdout_results.txt 2> stderr_results.txt
The script is threaded, so outputs will be printing as they are received and processed.
The auth method 'none' implies that the SSH server let us in without any
authentication at all.
Our SSH command ends in 'exit' so that we'll disconnect immediately
if granted access. In this case, we can't find what the other potential auth methods
are (nor do they really matter), so 'none' will be the only one returned.
Additionally, we assume that any non-error (i.e. not 255) SSH exit status
means the login was successful. This is because 255 is OpenSSH's only
error status, and all other statuses are those of the remotely executed
command (see OpenSSH man pages).
The core function in this module is get_auth_methods(). It takes the
hostname scanned, an optional port number (defaulting to 22), a default
SSH request timeout (defaulting to 5.0), and a
boolean determining verbosity (defaulting to False).
threaded_auth_methods() takes a file containing newline-delimited
hostnames and spawns a thread executing get_auth_methods() for each
of them. I'll leave out specific argument descriptions, as the code
should be self-documenting.
SSH protection software like SSHGuard and fail2ban will probably find your connections suspect even though they don't attempt authentication. I know SSHGuard does, as some of my own servers started blocking my test server. This may even lead to the IP address used being added to a blacklist if this software reports offenders. So exercise restraint, and consider using a dirt-cheap VPS.
As with all security scanning software, there is potential to make people suspicious or angry if you don't give them prior warning. For everything you need to know about liability, see the included license.
This currently only runs on Python 3. Because the code is relatively small and simple, porting should be pretty easy.
As mentioned in the Output section, using an SSH client other than OpenSSH
may cause unpredictable results because of exit statuses. Namely, if
failed authentication is ever indicated by an exit status other than 255,
a servers will be falsely reported as allowing unauthenticated login.
This StackOverflow post tipped me off to the fact that the SSH Authentication Protocol (RFC 4252) suggests a slightly hacky way of finding which authentication methods an SSH server offers:
Authentication methods are identified by their name, as defined in [SSH-ARCH]. The "none" method is reserved, and MUST NOT be listed as supported. However, it MAY be sent by the client. The server MUST always reject this request, unless the client is to be granted access without any authentication, in which case, the server MUST accept this request. The main purpose of sending this request is to get the list of supported methods from the server.
SSH servers traditionally offer little information about their configuration for security reasons, so this isn't surprising.
Specifically, if the client's PreferredAuthentications option is set to none
and the server requires authentication, it is supposed to reject the request and supply a list of
supported auth methods. In short, this script makes such a request and
parses the supported auth methods out of the response.
The short answer is that I wanted to do a security scan of Tor relays to begin publicly auditing the network's security.
More generally, it's valuable to know which authentication methods a server supports, as some are far weaker than others. Generally, you should only support public-key authentication unless you have a very good reason to do otherwise.
This tool, like nmap et al., is useful for scanning your own servers.
You may find that one of your machine's /etc/ssh/sshd_config options
weren't what you thought, or even that you forgot to restart sshd
after changing them. I did.
The timeout mechanism used with Python 3.3+ is different from that used
with older versions. The optional timeout argument was added to
subprocess.check_output() in Python 3.3. With older versions of
Python, we instead use the ConnectTimeout SSH option. This allows
the specified timeout for every IP address associated with a domain
name, so probing a major domain like google.com will take significantly longer
than the supplied timeout to fail.
I think the subprocess.check_output() timeout is probably preferable;
if we haven't heard back from the server in five or so seconds, we
probably aren't getting a response. However, there is no easy way
to implement simple subprocess timeout in Python <3.3, aside perhaps from
making the user install the subprocess32 package.