SSH Connections - Additional Logging and Visibility of Errors

ADDITIONAL LOGGING

I’m planning on using ssh-audit in a production environment and would like to be able to demonstrate and record how aggressive a typical audit is.

Currently verbose output only shows the initial SSH connection that’s made to a target server:

https://github.com/jtesta/ssh-audit/blob/c483fe1861bcfaefabec21a9195b7c226540aaa4/src/ssh_audit/ssh_audit.py#L823

However an audit actually makes multiple connections to a target server:

1. The initial connection:
   ssh_audit.py: main --> audit --> err = s.connect()

2. Obtaining host key(s):
   ssh_audit.py: main --> audit --> HostKeyTest.run(s, kex) hostkeytest.py: run --> perform_test --> err = s.connect() (err = s.connect() runs once per key type [rsa, ed25519, etc])

3. Performing DH group exchange: ssh_audit.py: main --> audit --> GEXTest.run(s, kex) gextest.py: run --> GEXTest.reconnect --> err = s.connect() (GEXTest.reconnect runs once per group-exchange alg and once per modulus length for each group-exchange alg)

@jtesta Would you be happy to entertain the idea of adding some additional logging so that each SSH connection is output? If that sounds OK, do you want this to be added to the existing verbose output or would it be more appropriate to add a new --debug parameter?

VISIBILITY OF ERRORS

When obtaining host key(s) and performing DH group exchange, if s.connect() or get_banner() produce an error then currently the error message is suppressed:

https://github.com/jtesta/ssh-audit/blob/c483fe1861bcfaefabec21a9195b7c226540aaa4/src/ssh_audit/hostkeytest.py#L109-L116

https://github.com/jtesta/ssh-audit/blob/c483fe1861bcfaefabec21a9195b7c226540aaa4/src/ssh_audit/gextest.py#L45-L52

Should we at least display a warning rather than hiding errors?