SSH
The SSH checker produces a comprehensive security audit of the SSH service exposed by a Server. It connects to the advertised SSH port(s) on every A/AAAA address and reports reachability, banner-to-CVE matches, the full algorithm posture (key exchange, host-key, cipher, MAC, compression), the observed host keys, SSHFP fingerprint alignment, and the authentication methods the server exposes. Results are presented as a “fix me fast” HTML report.
Scope: service-level. It attaches to services of type abstract.Server (a subdomain that publishes A/AAAA and optionally SSHFP records) and is configured from that service’s Checks tab.
What it checks
| Rule | Verifies | Severity |
|---|---|---|
ssh.tcp_reachable |
Every probed (address, port) pair accepts a TCP connection. | Critical |
ssh.handshake |
The SSH banner exchange and KEXINIT parse succeed on every reachable endpoint. | Critical |
ssh.protocol_version |
Every endpoint advertises SSH-2 and rejects legacy SSH-1. | Critical |
ssh.banner_software |
Flags servers whose banner is not a recognised OpenSSH build. | Info |
ssh.known_vulnerabilities |
Matches the advertised OpenSSH version against a curated CVE catalog (regreSSHion, Terrapin, etc.). | Critical |
ssh.host_key_strength |
Flags host keys below the accepted minimum size (e.g. RSA < 2048 bits). | Critical |
ssh.kex_algorithms |
Flags weak or broken key-exchange algorithms. | Critical |
ssh.host_key_algorithms |
Flags weak or deprecated host-key algorithms (ssh-rsa/SHA-1, ssh-dss…). | Critical |
ssh.cipher_algorithms |
Flags weak or broken symmetric ciphers (CBC, 3DES, RC4…). | Critical |
ssh.mac_algorithms |
Flags weak MAC algorithms (SHA-1, non-ETM…). | Critical |
ssh.strict_kex |
The server advertises the strict-KEX marker (CVE-2023-48795 Terrapin mitigation). | Warning |
ssh.preauth_compression |
Flags servers offering pre-authentication zlib compression. | Info |
ssh.auth_methods |
Reviews advertised authentication methods (password exposure, public-key availability). | Warning |
ssh.sshfp_alignment |
Compares published SSHFP records against observed host keys (match, missing, mismatch). | Critical |
ssh.sshfp_hash |
Flags SSHFP record sets that only publish SHA-1 (type 1) fingerprints. | Warning |
CVE matching covers, among others, regreSSHion (CVE-2024-6387), the ssh-agent PKCS#11 RCE (CVE-2023-38408), Terrapin (CVE-2023-48795), and several older username-enumeration and command-injection issues.
Options
| Option | Meaning | Default |
|---|---|---|
Ports (ports) |
Comma-separated extra TCP ports to probe. Port 22 is always probed. | (empty) |
Per-endpoint probe timeout (ms) (probeTimeoutMs) |
Maximum time for dial + banner + KEXINIT + handshake on a single endpoint. | 10000 |
Enumerate authentication methods (includeAuthProbe) |
Open a second connection with a dummy user to discover advertised auth methods. | true |
In happyDomain
This is a service-level checker: configure it from the Checks tab of the Server service on the relevant subdomain. Its SSHFP rules cross-reference the SSHFP records published in your zone, so keeping those records in sync with the server’s host keys improves the result. For the general workflow of configuring and reading checks, see /en/pages/checks/.