SSH Scan – SSH Configuration and Policy Scanner

SSH Scan is an SSH configuration and policy scanner. Its source of inspiration is the Mozilla OpenSSH Security Guide, which provides a sane baseline policy recommendation for SSH configuration parameters (e.g. Ciphers, MACs, and KexAlgos).


Key Benefits

  • Minimal Dependencies – Uses native Ruby and BinData to do its work, no heavy dependencies.
  • Not Just a Script – Implementation is portable for use in another project or for automation of tasks.
  • Simple – Just point ssh_scan at an SSH service and get a JSON report of what it supports and its policy status.
  • Configurable – Make your own custom policies that fit your unique policy requirements.
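To make the "what it supports and its policy status" idea concrete, the following added example (not ssh_scan's own code and not from the original page) parses the algorithm name-lists out of an SSH_MSG_KEXINIT payload as laid out in RFC 4253 section 7.1 and compares them with an allowlist. This goes one step beyond the page by showing where the lists come from; the policy lists, the sample payload and all helper names are assumptions made for illustration.

```ruby
# Added illustration, not ssh_scan's code. All names here are hypothetical.
FIELDS = %i[kex host_key enc_c2s enc_s2c mac_c2s mac_s2c
            comp_c2s comp_s2c lang_c2s lang_s2c].freeze

# Assumed sample allowlists (constructed; not quoted from the Mozilla guide).
POLICY = {
  kex: %w[curve25519-sha256@libssh.org diffie-hellman-group-exchange-sha256],
  enc: %w[chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes256-ctr],
  mac: %w[hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com]
}.freeze

# Parse an SSH_MSG_KEXINIT payload: type byte 20, 16-byte cookie, ten name-lists.
def parse_kexinit(payload)
  bytes = payload.b
  raise ArgumentError, 'not SSH_MSG_KEXINIT' unless bytes.getbyte(0) == 20
  offset = 17 # skip message type and cookie
  FIELDS.each_with_object({}) do |field, out|
    len = bytes.byteslice(offset, 4)&.unpack1('N')
    raise ArgumentError, "truncated at #{field}" if len.nil? || offset + 4 + len > bytes.bytesize
    out[field] = bytes.byteslice(offset + 4, len).split(',')
    offset += 4 + len
  end
end

# Offered algorithms outside the allowlist, keyed by KEXINIT field.
def policy_violations(offered, policy = POLICY)
  offered.each_with_object({}) do |(field, names), out|
    allowed = policy[field.to_s.split('_').first.to_sym] or next
    extra = names - allowed
    out[field] = extra unless extra.empty?
  end
end

# Build a payload so the example runs offline (no network access).
def build_kexinit(lists)
  body = FIELDS.map { |f| s = lists.fetch(f, []).join(','); [s.bytesize].pack('N') + s }.join
  ([20].pack('C') + ("\x00" * 16) + body + [0, 0].pack('CN')).b
end

# Constructed sample: a server that still offers three legacy algorithms.
SAMPLE = build_kexinit(
  kex: %w[curve25519-sha256@libssh.org diffie-hellman-group1-sha1],
  host_key: %w[ssh-ed25519],
  enc_c2s: %w[aes256-ctr 3des-cbc], enc_s2c: %w[aes256-ctr 3des-cbc],
  mac_c2s: %w[hmac-sha2-256-etm@openssh.com hmac-md5],
  mac_s2c: %w[hmac-sha2-256-etm@openssh.com hmac-md5],
  comp_c2s: %w[none], comp_s2c: %w[none]
)

puts policy_violations(parse_kexinit(SAMPLE)).inspect
```

An empty result from `policy_violations` means every offered key exchange, cipher and MAC is on the allowlist; anything returned is a candidate for removal from the server configuration.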

The goal of this tool is to help operational teams with the configuration of OpenSSH server and client. All Mozilla sites and deployments should follow the recommendations. The Enterprise Information Security (Infosec) team maintains this document as a reference guide.

Examples of usage:

  • ssh_scan -t
  • ssh_scan -t
  • ssh_scan -t ::1
  • ssh_scan -t ::1 -T 5
  • ssh_scan -f hosts.txt
  • ssh_scan -o output.json
  • ssh_scan -O output.json -o rescan_output.json
  • ssh_scan -t -p 22222
  • ssh_scan -t -p 22222 -L output.log -V INFO
  • ssh_scan -t -P custom_policy.yml
  • ssh_scan -t --unit-test -P custom_policy.yml

You can read more and download this tool over here:
