{"id":474,"date":"2024-01-09T11:08:48","date_gmt":"2024-01-09T10:08:48","guid":{"rendered":"https:\/\/blog.rwth-aachen.de\/itc-changes\/?p=474"},"modified":"2024-01-09T11:56:46","modified_gmt":"2024-01-09T10:56:46","slug":"terrapin-attack-counter-measures-ssh","status":"publish","type":"post","link":"https:\/\/blog.rwth-aachen.de\/itc-changes\/2024\/01\/09\/terrapin-attack-counter-measures-ssh\/","title":{"rendered":"Terrapin Attack Counter Measures (SSH)"},"content":{"rendered":"<p>A recently discovered flaw in the implementation of the Secure Shell (SSH) protocol lead to an attack vector called &#8222;<a href=\"https:\/\/terrapin-attack.com\/\">Terrapin Attack<\/a>&#8220; enables an attacker to break the integrity of the &#8222;secure shell&#8220; connection in order weaken the overall security. TL;DR To implement an effective counter measure against the attack, we have disabled the affected methods in the HPC cluster&#8217;s SSH configuration. Consequently, these methods cannot be used until further notice:<\/p>\n<ul>\n<li>Ciphers: <em>ChaCha20-Poly1305<\/em><\/li>\n<li>MACs: Any etm method (e.g. <em>hmac-sha2-512<strong>-etm<\/strong>@openssh.com<\/em>)<\/li>\n<\/ul>\n<p>Please adapt your configuration accordingly if your configuration is\u00a0 relying on the methods mentioned above.<\/p>\n<p>The attack is only feasible when a using either the ChaCha20-Poly1305 Cipher or a combination of a <em>Cipher Block Chaining<\/em> (CBC) cipher (or, in theory, a <em>Counter Mode<\/em> (CTR) cipher) combined with an <em>encrypt then MAC<\/em> (etm) <em>message authentication code<\/em> (MAC) method and the attacker has the ability to act as a man-in-the-middle. (Example: A security suite on your client machine may perform a deep packet inspection (per definition a (hopefully &#8222;good&#8220;) man-in-the-middle) to protect you from other threats.)<\/p>\n<p>The <em>Galois Counter Mode<\/em> (GCM) AES ciphers are not affected.<\/p>\n<p>We encourage you to employ strong encryption ciphers such as <em>aes256-gcm@openssh.com<\/em> and a sufficiently strong MAC method (e.g. <em>hmac-sha2-256<\/em> or <em>hmac-sha2-512<\/em>) immune to the attack vector.<\/p>\n<p><strong>Note:<br \/>\n<\/strong><\/p>\n<p>Due to a bug in the Windows OpenSSH client employing the <em>umac-128@openssh.com<\/em> MAC as default, we disabled the problematic method in the SSH server configuration as well to minimize issues when connecting to the HPC cluster. Until further notice, <strong>only<\/strong> <em>hmac-sha2-512<\/em> and <em>hmac-sha2-256<\/em> can be employed as MAC. Please adapt your configuration accordingly, if required, e.g.:<\/p>\n<pre dir=\"auto\">Ciphers <em>aes256-gcm@openssh.com<\/em>,aes256-ctr\r\nMACs hmac-sha2-512,hmac-sha2-256<\/pre>\n<p>&nbsp;<\/p>\n<hr \/>\n<p>You can track any disruptions or security advisories that may occur due to the aforementioned change in the Email category on our <a class=\"external-link\" href=\"https:\/\/maintenance.rz.rwth-aachen.de\/ticket\/status\/messages\/14-rechner-cluster\" rel=\"nofollow\">status reporting<\/a> portal.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A recently discovered flaw in the implementation of the Secure Shell (SSH) protocol lead to an attack vector called &#8222;Terrapin Attack&#8220; enables an attacker to break the integrity of the [&hellip;]<\/p>\n","protected":false},"author":5173,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"c2c_always_allow_admin_comments":false,"footnotes":""},"categories":[12,1],"tags":[],"class_list":["post-474","post","type-post","status-publish","format-standard","hentry","category-allgemein","category-hpc"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/wp-json\/wp\/v2\/posts\/474","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/wp-json\/wp\/v2\/users\/5173"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/wp-json\/wp\/v2\/comments?post=474"}],"version-history":[{"count":14,"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/wp-json\/wp\/v2\/posts\/474\/revisions"}],"predecessor-version":[{"id":488,"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/wp-json\/wp\/v2\/posts\/474\/revisions\/488"}],"wp:attachment":[{"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/wp-json\/wp\/v2\/media?parent=474"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/wp-json\/wp\/v2\/categories?post=474"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/wp-json\/wp\/v2\/tags?post=474"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}