Skip to content

'Terrapin' vulnerability - and suggested ciphers #175

Description

@jesusbagpuss

The ssh config guidance includes ciphers that are part of the https://terrapin-attack.com/ vulnerability e.g.
https://github.com/mozilla/infosec.mozilla.org/blob/bb3f88ef1df6b0bc31b5c09b7f8ec00431b6a60c/docs/guidelines/openssh.md?plain=1#L36C9-L36C38

The guidance on the above site is:

If you feel uncomfortable waiting for your SSH implementation to provide a patch, you can workaround this vulnerability by temporarily disabling the affected chacha20-poly1305@openssh.com encryption and -etm@openssh.com MAC algorithms in the configuration of your SSH server (or client), and use unaffected algorithms like AES-GCM instead.

Not sure if removing the chacha20-poly1305@openssh.com cipher from the suggested config, or referencing the vulnerability and impacted versions of openSSH server/clients is the best option.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions