aes immune to terrapin (ssh attack)

Moderators: kirk, jamesbond, p310don, JakeSFR, step, Forum moderators

Post Reply

1 post • Page 1 of 1

fatdoguser: Posts: 177; Joined: Sat Aug 05, 2023 10:54 am; Has thanked: 22 times; Been thanked: 80 times

aes immune to terrapin (ssh attack)

Quote

Post by fatdoguser » Fri Dec 22, 2023 11:36 am

I note that fatdog supports ssh aes256-gcm@openssh.com cipher

Code: Select all

ssh -Q ciphers

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

and that aes-qcm is immune to the terrapin attack https://www.linuxglobal.com/thwarting-t ... sh-attack/

For the sites I ssh into it seems they also can aes-gcm

Code: Select all

ssh <some site> -c aes256-gcn@openssh.com

... and connections are OK

I assume that a temporary fix is to just add to specify the aes-gcm cipher within ~/.ssh/config for each site

Code: Select all

Host XXX
    HostName YYYY
    User ZZZZ
    Compression no
    Ciphers aes256-gcn@openssh.com
    ControlPath ~/.ssh/%r@%h:%p
    IdentityFile ~/.ssh/seas/id_rsa

Post Reply

1 post • Page 1 of 1

Return to “FatDog64”