Output Format
Certificate Scan Results (X.509)
For X.509 certificates found in PKIX-SSH implementations:
```json
{
  "resultType": "scan",
  "pluginId": "ssh-scanner-plugin",
  "pluginVersion": "1.0.dev",
  "data": {
    "type": "cert",
    "timestamp": "2025-10-29T09:06:02-04:00",
    "urn": "urn:cert:sha256:887ae4b0e6d30e43f120cd0a2d9d5bddc876f126057d2513d7803123b277d9a4",
    "url": "ssh://localhost:2223",
    "extra": {
      "negotiated_algorithms": {
        "compression": "none",
        "encryption": "aes128-gcm@openssh.com",
        "host_key": "rsa-sha2-256-cert-v01@openssh.com",
        "kex": "curve25519-sha256",
        "mac": "hmac-sha2-256-etm@openssh.com"
      }
    },
    "certPem": "MIIDRTCCAi2gAwI...",
    "endpoint": {
      "host": "localhost",
      "port": 2223,
      "service": "ssh",
      "serviceVendor": "Go"
    }
  }
}
```
OpenSSH Certificate Scan Results
For OpenSSH certificate format host keys:
```json
{
  "resultType": "scan",
  "pluginId": "ssh-scanner-plugin",
  "pluginVersion": "1.0.dev",
  "data": {
    "type": "openssh-cert",
    "timestamp": "2025-10-29T09:05:30-04:00",
    "urn": "urn:cert:sha256:bf83eed618d9b012303de3241a69ad797b27f744f9e99eec65f31ea80273aafc",
    "url": "ssh://localhost:2222",
    "extra": {
      "CertType": 2,
      "KeyId": "test-host",
      "Serial": 0,
      "ValidAfter": 1761742980,
      "ValidBefore": 1793192647,
      "ValidPrincipals": [
        "localhost"
      ],
      "negotiated_algorithms": {
        "compression": "none",
        "encryption": "aes128-gcm@openssh.com",
        "host_key": "rsa-sha2-512",
        "kex": "curve25519-sha256",
        "mac": "hmac-sha2-256-etm@openssh.com"
      }
    },
    "certPem": "MIIBIjANBg....",
    "endpoint": {
      "host": "localhost",
      "port": 2222,
      "service": "ssh",
      "serviceVendor": "OpenSSH_9.9"
    }
  }
}
```
Public Key Scan Results
For SSH host public keys:
```json
{
  "type": "pubkey",
  "timestamp": "2025-12-01T08:24:18-05:00",
  "urn": "urn:pubkey:sha256:1ccfacbc6b13228c1b94b79a0e367107fd8d12b279793b8b084f3c947e5c519a",
  "url": "ssh://10.1.127.26:22",
  "extra": {
    "negotiated_algorithms": {
      "compression": "none",
      "encryption": "aes128-gcm@openssh.com",
      "host_key": "rsa-sha2-512",
      "kex": "curve25519-sha256",
      "mac": "hmac-sha2-256-etm@openssh.com"
    },
    "ssh_key_type": "ecdsa-sha2-nistp256"
  },
  "pubkey_pem": "MFkwEwYHKoZI....",
  "endpoint": {
    "host": "10.1.127.26",
    "port": 22,
    "service": "ssh",
    "service_vendor": "OpenSSH_8.2p1",
    "service_vendor_version": "Ubuntu-4ubuntu0.13"
  }
}
```
State Result
After each scan, the plugin outputs state information:
```json
{
  "resultType": "state",
  "pluginId": "ssh-scanner-plugin",
  "pluginVersion": "1.0.1",
  "data": {
    "lastRunDateTime": "2025-10-14T11:12:21-04:00"
  }
}
```
Output Fields
| Field | Description |
|---|---|
| `type` | Asset type: |
| `timestamp` | RFC3339 timestamp of when the scan was performed |
| `urn` | Unique resource name based on SHA256 hash of the certificate or public key |
| `url` | SSH URL in format |
| `certPem` | Base64-encoded certificate (PEM body without headers/footers) - certificates only |
| `pubkey_pem` | Base64-encoded public key (PEM body without headers/footers) - public keys only |
| `endpoint` | Object containing endpoint details (see Endpoint Fields below) |
| `extra` | Additional metadata (see Extra Fields section below) |
Endpoint Fields
| Field | Description |
|---|---|
| `host` | Target host address (IP or hostname) |
| `port` | Target SSH port number |
| `service` | Always |
| | SSH server software identifier (e.g., |
| | SSH server version information (e.g., |
Extra Fields
Common Fields (All Asset Types)
| Field | Type | Description |
|---|---|---|
| `negotiated_algorithms` | object | Cryptographic algorithms negotiated during the SSH handshake (see Negotiated Algorithms Fields below) |
Negotiated Algorithms Fields
The negotiated_algorithms object contains the following fields:
| Field | Type | Description |
|---|---|---|
| `kex` | string | Key exchange algorithm (e.g., |
| `host_key` | string | Host key algorithm (e.g., |
| `encryption` | string | Symmetric encryption algorithm when client-to-server and server-to-client are identical (e.g., |
| | string | Client-to-server encryption algorithm (only present when different from server-to-client) |
| | string | Server-to-client encryption algorithm (only present when different from client-to-server) |
| `mac` | string | Message authentication code algorithm when both directions are identical (e.g., |
| | string | Client-to-server MAC algorithm (only present when different from server-to-client) |
| | string | Server-to-client MAC algorithm (only present when different from client-to-server) |
| `compression` | string | Compression algorithm when both directions are identical (typically |
| | string | Client-to-server compression (only present when different from server-to-client) |
| | string | Server-to-client compression (only present when different from client-to-server) |
Public Key-Specific Fields
| Field | Type | Description |
|---|---|---|
| `ssh_key_type` | string | SSH key type (e.g., |
Note: Cryptographic algorithm details (algorithm type, key length, curve) are derivable from the PEM-encoded public key and are not duplicated in extra fields.
OpenSSH Certificate-Specific Fields
| Field | Type | Description |
|---|---|---|
| `ValidAfter` | integer | Unix timestamp for certificate validity start time |
| `ValidBefore` | integer | Unix timestamp for certificate validity end time |
| `ValidPrincipals` | array | Array of valid principal names for the certificate |
| `KeyId` | string | Certificate key identifier string |
| `Serial` | integer | Certificate serial number |
| `CertType` | integer | Certificate type: |
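
A consumer of these records can use the OpenSSH certificate fields to flag host certificates that are outside their validity window or do not name the scanned host. The sketch below is an added example, not part of the plugin: `audit_openssh_cert`, `with_host` and the finding labels are hypothetical names, the sample record is constructed from the OpenSSH example above, and the `CertType` meaning (1 = user, 2 = host) is taken from the OpenSSH certificate format.

```python
import copy

HOST_CERT = 2  # OpenSSH certificate format: 1 = user certificate, 2 = host certificate

# Constructed sample: the OpenSSH certificate record shown above, trimmed to the
# fields this check reads.
SAMPLE = {
    "resultType": "scan",
    "data": {
        "type": "openssh-cert",
        "extra": {"CertType": 2, "ValidAfter": 1761742980,
                  "ValidBefore": 1793192647, "ValidPrincipals": ["localhost"]},
        "endpoint": {"host": "localhost", "port": 2222},
    },
}


def audit_openssh_cert(record, now, warn_days=30):
    """Return a list of findings for one plugin record at Unix time `now`."""
    if record.get("resultType") == "state":
        return []                      # state records carry no asset
    data = record.get("data", record)  # accept the envelope or a bare data object
    if data.get("type") != "openssh-cert":
        return []
    extra, host = data.get("extra", {}), data["endpoint"]["host"]
    findings = []
    if extra.get("CertType") != HOST_CERT:
        findings.append("not-a-host-certificate")
    principals = extra.get("ValidPrincipals") or []
    if not principals:
        # An OpenSSH certificate with no principals is valid for any host name.
        findings.append("no-principals")
    elif host not in principals:
        findings.append("host-not-in-principals")
    # OpenSSH treats a certificate as valid when ValidAfter <= now < ValidBefore.
    if now < extra.get("ValidAfter", 0):
        findings.append("not-yet-valid")
    elif now >= extra.get("ValidBefore", 0):
        findings.append("expired")
    elif extra["ValidBefore"] - now < warn_days * 86400:
        findings.append("expiring-soon")
    return findings


def with_host(record, host):
    """Copy of `record` as if it had been scanned at a different host name."""
    clone = copy.deepcopy(record)
    clone["data"]["endpoint"]["host"] = host
    return clone
```

Passing the scan's own `timestamp` (converted to Unix time) as `now` evaluates the certificate as of the scan; passing the current time evaluates it as of the report.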