
Update Hardening guide (Terrapin)

Open keteague opened this issue 2 years ago • 2 comments

The Hardening guide needs to be updated to remove chacha20-poly1305@openssh.com, that is - if removal of that cipher is the suggested solution for the time being.

https://www.ssh-audit.com/hardening_guides.html

keteague, Dec 21 '23 16:12

I can't see any reference for the removal of chacha20-poly1305@openssh.com in the OpenSSH release notes, @keteague why do you think it is necessary to remove it?

chriscroome, Dec 22 '23 22:12

According to the site for the Terrapin Attack noted in the subject, from the first entry in the FAQ: https://terrapin-attack.com/index.html#question-answer

If you feel uncomfortable waiting for your SSH implementation to provide a patch, you can work around this vulnerability by temporarily disabling the affected chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms in the configuration of your SSH server (or client), and use unaffected algorithms like AES-GCM instead.

The floating quick patch for this is to place the following in a file in the /etc/ssh/sshd_config.d/ folder:

Ciphers -chacha20-poly1305@openssh.com
MACs -*-etm@openssh.com

huntersan9, Dec 30 '23 22:12

@keteague : it seems that all supported platforms issued patches to include the kex-strict-s-v00@openssh.com key exchange marker. This marker signifies that the Terrapin vulnerability is fixed (that is, as long as all clients also support it). Hence, I think it's generally safe enough to keep the chacha20-poly1305 cipher enabled, though for any admins wanting to disable it in their environment, they can certainly do so. In that case, they can also create a custom policy based on their updated config as well.

jtesta, Mar 14 '24 19:03
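An added example (not code from ssh-audit or from anyone in this thread) that ties the two mitigations discussed above together: it applies the `-`-prefixed removal syntax of the `Ciphers`/`MACs` lines quoted earlier to an assumed default algorithm list, and then checks whether the resulting server offer is still Terrapin-exposed, treating the `kex-strict-s-v00@openssh.com` marker as the fix. The default lists and the `terrapin_exposed` rule are assumptions for illustration, not a substitute for running ssh-audit against the real host.

```python
import fnmatch

# Constructed sample default lists (assumption: check your own sshd -T output).
DEFAULT_CIPHERS = ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr",
                   "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"]
DEFAULT_MACS = ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
                "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
                "hmac-sha1-etm@openssh.com", "umac-64@openssh.com",
                "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]


def apply_algorithm_spec(spec, defaults):
    """Apply one sshd_config algorithm spec to a default list.

    '-a,b' removes matching entries (wildcards allowed), '+a,b' appends,
    '^a,b' prepends, and a bare list replaces the defaults outright.
    """
    if spec.startswith("-"):
        pats = spec[1:].split(",")
        return [a for a in defaults
                if not any(fnmatch.fnmatchcase(a, p) for p in pats)]
    if spec.startswith("+"):
        return defaults + [a for a in spec[1:].split(",") if a not in defaults]
    if spec.startswith("^"):
        extra = spec[1:].split(",")
        return extra + [a for a in defaults if a not in extra]
    return spec.split(",")


def terrapin_exposed(kex, ciphers, macs):
    """Server-side view only: exposed when a Terrapin-affected algorithm is
    offered and the strict-kex marker is absent. Note the marker only helps
    if the client side supports it too, as the thread points out."""
    strict = "kex-strict-s-v00@openssh.com" in kex
    uses_cbc = any("-cbc" in c for c in ciphers)
    uses_etm = any(m.endswith("-etm@openssh.com") for m in macs)
    vulnerable = ("chacha20-poly1305@openssh.com" in ciphers
                  or (uses_cbc and uses_etm))  # CBC-EtM variant
    return vulnerable and not strict


# Hardened lists produced by the two config lines quoted earlier in the thread.
HARDENED_CIPHERS = apply_algorithm_spec("-chacha20-poly1305@openssh.com", DEFAULT_CIPHERS)
HARDENED_MACS = apply_algorithm_spec("-*-etm@openssh.com", DEFAULT_MACS)
```

Removing the `*-etm` MACs only matters for the CBC-EtM variant, so on a server that already offers no CBC ciphers the chacha20 removal (or the strict-kex marker) is the change that actually closes the gap.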

I suppose I'll mark this issue as complete, as no other replies have come after almost a week.

jtesta, Mar 20 '24 22:03