Support scanning with external ssh command

2016-06-16 19:59:30 +09:00
parent 5e28ec22e1
commit 0ef1a5a3ce
6 changed files with 195 additions and 81 deletions
--- a/README.md
+++ b/README.md
@@ -427,12 +427,18 @@ You can customize your configuration using this template.
    #]
    #containers = ["${running}"]
    ```
+
    You can overwrite the default value specified in default section.  
-    Vuls supports multiple SSH authentication methods.  
+
+    Vuls supports two types of SSH. One is native go implementation. The other is external SSH command. For details, see [-ssh-external option](https://github.com/future-architect/vuls#-ssh-external-option)
+    
+    Multiple SSH authentication methods are supported.  
    - SSH agent
    - SSH public key authentication (with password, empty password)
    - Password authentication

+
+
 ----

 # Usage: Prepare
@@ -484,6 +490,7 @@ scan:
                [-cve-dictionary-url=http://127.0.0.1:1323]
                [-cvss-over=7]
                [-ignore-unscored-cves]
+                [-ssh-external]
                [-report-json]
                [-report-mail]
                [-report-s3]
@@ -538,6 +545,8 @@ scan:
        Send report via Slack
  -report-text
        Write report to text files ($PWD/results/current)
+  -ssh-external
+        Use external ssh command. Default: Use the Go native implementation
  -use-unattended-upgrades
        [Deprecated] For Ubuntu. Scan by unattended-upgrades or not (use apt-get upgrade --dry-run by default)
  -use-yum-plugin-security
@@ -545,6 +554,16 @@ scan:

 ```

+## -ssh-external option
+
+Vuls supports different types of SSH.  
+
+By Defaut, using a native Go implementation from crypto/ssh.   
+This is useful in situations where you may not have access to traditional UNIX tools.
+
+To use external ssh command, specify this option.   
+This is useful If you want to use ProxyCommand or chiper algorithm of SSH that is not supported by native go implementation.  
+
 ## -ask-key-password option 

 | SSH key password |  -ask-key-password | |
@@ -559,6 +578,7 @@ scan:
 | NOPASSWORD       | - | defined as NOPASSWORD in /etc/sudoers on target servers |
 | with password    | required | . |

+
 ## -report-json , -report-text option

 At the end of the scan, scan results will be available in the $PWD/result/current/ directory.