SSHv2 Server Test Suite Data Sheet
Test Suite:
SSHv2 Server Test Suite
Direction:
Server

Secure Shell 2.0 or SSH 2 (hereafter SSHv2) is a secure communications protocol that encompasses several layers of architecture, including transport, authentication and connection.One of the most common uses for SSHv2 is as stand-alone for simple terminal connection (TTY), but it is used to transport several other protocols such as SFTP, SCP, SSFS, GIT, SVN and many others.This test suite can be used for robustness testing of SSHv2 Server implementations.

Used specifications

Specification
Title
RFC4250

The Secure Shell (SSH) Protocol Assigned Numbers

RFC4251

The Secure Shell (SSH) Protocol Architecture

RFC4252

The Secure Shell (SSH) Authentication Protocol

RFC4253

The Secure Shell (SSH) Transport Layer Protocol

RFC4254

The Secure Shell (SSH) Connection Protocol

RFC4256

Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)

RFC4345

Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol

RFC4419

Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol

RFC5656

Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer

RFC6668

SHA-2 Data Integrity Verification for the Secure Shell (SSH) Transport Layer Protocol

Tool-specific information

Supported Key Exchange (KEX) Methods
Notes
diffie-hellman-group1-sha1

diffie-hellman-group14-sha1

diffie-hellman-group-exchange-sha1

Groups up to 8192 bits are supported

diffie-hellman-group-exchange-sha256

Groups up to 8192 bits are supported

ecdh-sha2-nistp256

ecdh-sha2-nistp384

ecdh-sha2-nistp521

Supported ciphers
Notes
3DES-CBC

3DES-CTR

AES128-CBC

AES192-CBC

AES256-CBC

None

AES128-CTR

AES192-CTR

AES256-CTR

RIJNDAEL-CBC

ARCFOUR

ARCFOUR128

ARCFOUR256

Supported digests
Notes
HMAC-SHA1-96

HMAC-SHA1

HMAC-MD5-96

HMAC-MD5

HMAC-RIPEMD160

HMAC-SHA2-256

HMAC-SHA2-512

Supported authentication methods
Notes
Password

keyboard-interactive

Single response supported

SSH-RSA

SSH-DSS

SSH-ECSDA-256

Tested messages
Specifications
Notes
Client Version
SSH1
SCP1
SSH1
Key Exchange init
RFC4253
Diffie-Hellman Key Exchange Init
RFC4252
Elliptic Curve Diffie-Hellman Key Exchange Init
RFC5656
Service Request
RFC4253
Diffie-Hellman Group Exchange Request
RFC4419
Diffie-Hellman Group Exchange Init
RFC4419
Service Request
RFC4253
New Keys
RFC4253
User Authentication Request
RFC4252
Global Request
RFC4254
Channel Open
RFC4254
Window Adjust
RFC4254
Channel Data
RFC4254
Channel EOF
RFC4254
Channel Close
RFC4254
Channel Request
RFC4254
Ignore
RFC4253
Debug
RFC4253
Extended Data
RFC4254
Disconnect
RFC4253
No more sessions
OpenSSH extensions

Unsupported protocol features
Specifications
Notes
RSA Key Exchange
RFC4432
This KEX method is not currently supported by the test suite.
SSH Public Key File Format
RFC4432
DSA, ECDSA, RSA and PKCS8 formats are used by the suite
Additional Diffie-Hellman Groups
RFC5114
Specified MODP and ECP groups are not specifically supported by the test suite, only generic groups
AES Galois Counter Mode
RFC5647
AES-*-GCM cipher modes (and the built-in integrity modes) are not supported by the test suite
X.509 host key certificates for Secure Shell (SSH)
RFC6187
This specification is not relevant for a server test suite, included in this list for completion.
Suite B Compliance
RFC6239
This is not a technical specification, but mentioned here for completion. This specification is not supported because some of its components are not supported, namely AEAD_AES_*_GCM cipher/integrity algorithms defined in RFC 5647.
Two-way cipher separation
RFC4250-RFC4254
SSHv2 supports separate cipher/digest suites for outgoing and incoming messages. At the moment the suite requests and assumes that both directions have the same cipher/digest.

Supported SafeGuard Checks

Authentication Bypass

Unexpected Data

Weak Cryptography

Test tool general features
  • Fully automated black-box negative testing
  • Ready-made test cases
  • Written in Java(tm)
  • GUI command line remote interface modes
  • Instrumentation (health-check) capability
  • Support and maintenance
  • Comprehensive user documentation
  • Results reporting and analysis