Security audit of Paramiko completed, fixes coming in 5.0 release

[Alan Coopersmith <alan.coopersmith () oracle com>]

https://ostif.org/paramiko-audit-complete/ announces:
> The Open Source Technology Improvement Fund is proud to share the results
> of our security audit of Paramiko. Paramiko is an open source Python
> implementation of the SSHv2 protocol designed for secure remote login and
> other secure network services. Thanks to the help of Quarkslab and
> Alpha-Omega, this project received custom security work reviewing
> Paramiko’s testing, building and CI systems, and cryptography.
>
> Audit Process:
>
> The engagement took place in November 2025, with Quarkslab’s audit team
> executing the mission on Paramiko’s testing, building, and CI systems.
> In order to effectively execute this work on critical security features
> of Paramiko, the scope was expanded to include PYCA Cryptography and how
> it interacts with Paramiko critical cryptographic functions, (PYCA)
> Cryptography’s OpenSSL Rust Bindings, and CI/CD CircleCI for Paramiko
> and Github Actions for (PYCA) Cryptography. For Paramiko the engagement
> consisted of manual code review, dependencies review, dynamic testing,
> build systems, testing enhancements, static analysis, and fuzz testing.
>
> Audit Results:
>
>   * 30 Findings with Security Impact
>       - 2 High
>       - 7 Medium
>       - 5 Low
>       - 16 Informational
>   * Build and CI/CD Pipeline Review
>   * Testing Enhancements
>       - Implementation of a crypto-condor plug-in to incorporate in the CI
>         for cryptographic compliance and testing of entropy sources
>       - Review  of current testing coverage
>   * SSH RFC compliance review
>
> The project maintainer worked diligently to address and resolve the issues
> presented by this report, engaging with the audit team to design fix
> solutions aligned with security best practices. Update to the most recent
> release of Paramiko (version 5.0 will release early May 2026) and follow
> documentation in order to take advantage of the hard work of the individuals
> behind Paramiko and Quarkslab. If you’re interested in contributing to
> Paramiko, learn more about them and their community on their website:
> https://www.paramiko.org/ .
>
> Thank you to the individuals and groups that made this engagement possible:
>
>   * Paramiko maintainers and community, especially: Jeff Forcier
>   * Quarkslab: Dahmun Goudarzi, Julio Loayza Meneses, Alan Marrec, and
>                Pauline Sauder
>   * Alpha-Omega
>
> You can read the Audit Report at
> https://ostif.org/wp-content/uploads/2026/05/25-11-2415-REP_paramiko-security-audit_v1.1.pdf
>
> Everyone around the world depends on open source software. If you’re interested
> in financially supporting this critical work, reach out to contactus () ostif org.


The findings listed in the audit report at higher than "Informational" are:
> HIGH-21 Insecure parameters for digital signatures with RSA
> HIGH-28 Insecure key sizes accepted for Triple DES [in Cryptography]
> MEDIUM-15 Deprecated group exchange method
> MEDIUM-16 Insecure minimum modulus size in Diffie-Hellman group exchange
> MEDIUM-17 Deprecated Diffie-Hellman group
> MEDIUM-18 Deprecated GSS-API key exchange methods
> MEDIUM-22 Use of 8-byte seed for TripleDES key generation
> MEDIUM-24 Wrong type usage in SHA-1 in KexGSSGroup1 and KexGSSGroup14
> LOW-1 CVE impacting black 
> LOW-19 Use of MD5 as a Key Derivation Function 
> LOW-25 Invalid Ed25519 signature causes mishandled exception
> LOW-27 Invalid Ed25519 signature cause transport thread to crash
> LOW-29 Insecure RSA key size allowed RSA Keys in Paramiko and Cryptography
> LOW-30 Server can be instantiated over UDP socket

with these recommendations to resolve them:
> HIGH-21 Remove support for RSA with SHA-1.
> HIGH-28 Reject key sizes that are not 24 bytes.
> MEDIUM-15 Remove support for diffie-hellman-group-exchange-sha1.
> MEDIUM-16 Increase the minimum modulus size to 2048 bits.
> MEDIUM-17 Remove support for diffie-hellman-group1-sha1.
> MEDIUM-18 Remove the deprecated key exchange methods, replacing them with RFC
> 8732 additions.
> MEDIUM-22 Reject 8-byte input for the key initialization of Triple DES.
> MEDIUM-24 Change str(hm) to hm.asbytes() in KexGSSGroup1.
> LOW-1 Update black to version 24.3.0.
> LOW-19 Warn when using this format, recommend the user to save their keys in
> PKCS8 or OpenSSH format instead.
> LOW-25 Either check the length of the signature before calling verify() or handle
> the exception.
> LOW-27 Handle the exception: either catch the nacl.exception.ValueError excep-
> tion or check that the signature has the correct length before calling
> verify().
> LOW-29 Reject RSA keys that are shorter than 2048 bits.
> LOW-30 Add a check in Transport.__init__() to verify that sock is a TCP socket.

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris