OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: ripdog on December 22, 2023, 01:02:22 PM

Title: [SOLVED] Mitigations for Terrapin ssh attack?
Post by: ripdog on December 22, 2023, 01:02:22 PM
Hi all,

A few days ago, the terrapin attack on SSH was disclosed. https://terrapin-attack.com

OpenSSH 9.6 includes a new automatic strict KEX mode to mitigate this attack, but both client and server need to support this. As OPNSense ships OpenSSH 9.3, are there any plans for either an OpenSSH update or a targeted patch?

See the PFSense discussion: https://forum.netgate.com/topic/184941/terrapin-ssh-attack/

FreeBSD advisory: https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc

It seems upstream has already patched.
Title: Re: Mitigations for Terrapin ssh attack?
Post by: doktornotor on December 25, 2023, 12:45:13 PM
System - Settings - Administration:

# egrep "^(MACs|Ciphers)" /usr/local/etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com


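The Ciphers/MACs lines above matter because Terrapin's known exploitable combinations are chacha20-poly1305@openssh.com, and any CBC cipher paired with an encrypt-then-MAC (*-etm@openssh.com) MAC; a server that offers neither is not reachable by the published attack even before the strict KEX fix in OpenSSH 9.6. As an added example, not from this thread or from OPNsense, the POSIX shell function below parses an sshd_config and reports whether either combination is still offered. It assumes sshd's first-match rule for repeated keywords and that an absent Ciphers/MACs directive falls back to OpenSSH defaults, which include chacha20-poly1305@openssh.com; both sample configs are constructed here.

```shell
#!/bin/sh
# Added example (not OPNsense's code): check an sshd_config for the algorithm
# combinations the Terrapin attack needs. Exit 0 = none offered, 1 = at least one.
# Note: this is a stopgap check only; the real fix is strict KEX on both peers.

# Print the value of the FIRST occurrence of a keyword (sshd ignores later ones).
directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

terrapin_check() {
    cfg="$1"
    ciphers=$(directive "$cfg" Ciphers)
    macs=$(directive "$cfg" MACs)
    rc=0

    # No explicit Ciphers line: OpenSSH's default list offers chacha20-poly1305.
    if [ -z "$ciphers" ]; then
        echo "VULNERABLE: no Ciphers directive, defaults offer chacha20-poly1305@openssh.com"
        return 1
    fi

    case ",$ciphers," in
        *,chacha20-poly1305@openssh.com,*)
            echo "VULNERABLE: chacha20-poly1305@openssh.com is offered"
            rc=1 ;;
    esac

    # CBC ciphers are only a Terrapin problem together with an -etm MAC.
    case ",$ciphers," in
        *-cbc,*)
            case ",$macs," in
                *-etm@openssh.com,*)
                    echo "VULNERABLE: CBC cipher offered together with an encrypt-then-MAC MAC"
                    rc=1 ;;
                "")
                    echo "VULNERABLE: CBC cipher offered and default MACs include -etm variants"
                    rc=1 ;;
            esac ;;
    esac

    return $rc
}

# Constructed sample 1: the hardened list OPNsense ships (as quoted in the thread).
SAFE_CFG=$(mktemp)
cat > "$SAFE_CFG" <<'EOF'
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com
EOF

# Constructed sample 2: a config that still offers both Terrapin preconditions.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed example, not a real host
Ciphers chacha20-poly1305@openssh.com,aes256-cbc,aes256-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256
EOF

for f in "$SAFE_CFG" "$WEAK_CFG"; do
    if terrapin_check "$f"; then
        echo "$f: no Terrapin-exploitable algorithm combinations offered"
    fi
done
```

Run it against a live box with `terrapin_check /usr/local/etc/ssh/sshd_config`. Remember that the check only covers what the server offers; a client that negotiates chacha20-poly1305 with some other server is still exposed until both ends speak strict KEX.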
Title: Re: Mitigations for Terrapin ssh attack?
Post by: franco on December 27, 2023, 12:00:32 PM
We are evaluating the hotfix, but need more input to publish it for everyone. It only landed in FreeBSD ports yesterday.

# opnsense-revert -z openssh-portable

Should install the latest version.

# opnsense-revert openssh-portable

Moves it back to the current one.

The reason for this precaution is that while base FreeBSD patches a single problem, the port goes from 9.3 to 9.6, which is usually high risk with lots of changes and sometimes deprecations.


Cheers,
Franco
Title: Re: [CALL FOR TESTING] Mitigations for Terrapin ssh attack?
Post by: Maurice on December 27, 2023, 07:25:07 PM
openssh-portable 9.6.p1_1,1 works for me, no side effects so far.

Cheers
Maurice
Title: Re: [CALL FOR TESTING] Mitigations for Terrapin ssh attack?
Post by: dinguz on December 27, 2023, 08:01:56 PM
Quote from: Maurice on December 27, 2023, 07:25:07 PM
openssh-portable 9.6.p1_1,1 works for me, no side effects so far.

Same here.
Title: Re: Mitigations for Terrapin ssh attack?
Post by: tja on December 28, 2023, 06:15:55 AM
Quote from: franco on December 27, 2023, 12:00:32 PM
# opnsense-revert -z openssh-portable

works here, thx !
Title: Re: [CALL FOR TESTING] Mitigations for Terrapin ssh attack?
Post by: MoeJoe on December 28, 2023, 07:26:32 AM
Works fine for me.

Sent from my SM-A536B using Tapatalk

Title: Re: [CALL FOR TESTING] Mitigations for Terrapin ssh attack?
Post by: franco on December 28, 2023, 02:27:54 PM
Thanks, hotfixed now. https://forum.opnsense.org/index.php?topic=37511.msg183965#msg183965


Cheers,
Franco
Title: Re: [SOLVED] Mitigations for Terrapin ssh attack?
Post by: Maurice on December 29, 2023, 02:21:00 AM
Thanks Franco! Did you build this directly from upstream? opnsense/ports still has 9.3.p2.

Cheers
Maurice
Title: Re: [SOLVED] Mitigations for Terrapin ssh attack?
Post by: franco on December 29, 2023, 08:54:23 AM
Sorry, usual problem: https://github.com/opnsense/ports/commit/486e921714

# make hotfix-openssh-portable


Cheers,
Franco
Title: Re: [SOLVED] Mitigations for Terrapin ssh attack?
Post by: Maurice on December 30, 2023, 02:24:48 AM
Thanks!
https://forum.opnsense.org/index.php?topic=35828.msg184064#msg184064
Title: Re: Mitigations for Terrapin ssh attack?
Post by: DEC670airp414user on December 30, 2023, 01:16:39 PM
Quote from: doktornotor on December 25, 2023, 12:45:13 PM
System - Settings - Administration:

# egrep "^(MACs|Ciphers)" /usr/local/etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com


Is the latest business version that much different than this screenshot?
So I have checked only GCM under SSL ciphers, and the GUI is still accessible.

Ah, it's hidden under advanced.

Should I just restart any tunnels now?