Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Terrapin SSH Attack

    General pfSense Questions
    16
    33
    22.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • jimpJ
      jimp Rebel Alliance Developer Netgate
      last edited by jimp

      This is pretty fresh so still fairly preliminary information available at the moment: https://terrapin-attack.com/

      Barrier to exploit is pretty high. Requires an MitM and certain combinations of options, namely, ChaCha20-Poly1305 and MACs which use Encrypt-then-MAC (-etm). The SSH daemon on pfSense does enable that combination of algorithms but (a) admins shouldn't be exposing their SSH ports to the Internet and (b) if someone can MitM your local network you probably have more pressing concerns than SSH on the firewall.

      That said, if you do expose your SSH daemon to untrusted networks and want to work around this vulnerability, you can take one of the following actions:

      1. Disable both in sshd (Recommended) -- terrapin-no-etm-no-chacha.patch
      2. Disable ChaCha20-Poly1305 in sshd (MAY be sufficient) -- terrapin-no-chacha.patch

      Choose one of those options and add the patch to the System Patches package.

      After applying the patch, reboot or restart the SSH daemon:

      # /usr/local/bin/php-cgi -f /etc/sshd
      

      After restarting the SSH daemon, ensure that available/necessary SSH clients can still connect. If they cannot, then revert the patch, restart the SSH daemon, and then try a different patch. Also consider updating the SSH client if it fails to connect, or check its configuration to ensure it has encryption and MAC algorithms enabled which overlap with options enabled on the server.

      You can use nmap to verify the list of offered encryption and MAC algorithms on a given server:

      $ nmap --script ssh2-enum-algos -sV -p 22 x.x.x.x
      

      As mentioned above, affected configurations will list chacha20-poly1305@openssh.com in the encryption algorithms and will have MAC algorithms in the list which contain -etm in the name.

      Various operating systems are patching SSH daemons and clients to work around the issue in other ways, such as by adding a strict key exchange mode, but for that to work both the client and server must support it. For the time being it seems like it would be more effective to disable the problematic combination of options on the server, hence these patches.

      However, since it's not yet clear which method is ideal (and that may vary by environment and clients), we are not issuing a specific recommended patch until we have more information.

      EDIT: Re-ordered patches to note which is recommended, removed ETM only patch.

      EDIT 2: The patch to disable ChaCha and ETM is now available in System Patches Package v2.2.9 as a recommended patch. Read the linked thread before updating the package.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      johnpozJ A stephenw10S 3 Replies Last reply Reply Quote 16
      • jimpJ jimp pinned this topic on
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @jimp
        last edited by johnpoz

        @jimp The way I am reading this - if was open to this would be seeing -etm listed with the nmap script?

        and will have MAC algorithms in the list which contain -etm in the name.

        I have not applied the patch yet for the no-etm, but I don't recall messing with the sshd conf, maybe I did but not seeing that combo on my 23.09.1

        $ nmap --script ssh2-enum-algos -sV -p 22 192.168.9.253
        Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-18 14:36 Central Standard Time
        Nmap scan report for sg4860.home.arpa (192.168.9.253)
        Host is up (0.0010s latency).
        
        PORT   STATE SERVICE VERSION
        22/tcp open  ssh     OpenSSH 9.4 (protocol 2.0)
        | ssh2-enum-algos:
        |   kex_algorithms: (2)
        |       curve25519-sha256@libssh.org
        |       diffie-hellman-group-exchange-sha256
        |   server_host_key_algorithms: (3)
        |       rsa-sha2-512
        |       rsa-sha2-256
        |       ssh-ed25519
        |   encryption_algorithms: (6)
        |       chacha20-poly1305@openssh.com
        |       aes256-gcm@openssh.com
        |       aes128-gcm@openssh.com
        |       aes256-ctr
        |       aes192-ctr
        |       aes128-ctr
        |   mac_algorithms: (6)
        |       hmac-sha2-512-etm@openssh.com
        |       hmac-sha2-256-etm@openssh.com
        |       umac-128-etm@openssh.com
        |       hmac-sha2-512
        |       hmac-sha2-256
        |       umac-128@openssh.com
        |   compression_algorithms: (2)
        |       none
        |_      zlib@openssh.com
        MAC Address: 00:08:A2:0C:E6:24 (ADI Engineering)
        
        Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
        Nmap done: 1 IP address (1 host up) scanned in 0.91 seconds
        

        edit:
        DOH!!! it is there - nevermind, going to patch it now... I can't read it seems, was looking for it at the end... ugghhh

        |       hmac-sha2-512-etm@openssh.com
        |       hmac-sha2-256-etm@openssh.com
        |       umac-128-etm@openssh.com
        

        edit2: after etm patch applied

        $ nmap --script ssh2-enum-algos -sV -p 22 192.168.9.253
        Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-18 14:47 Central Standard Time
        Nmap scan report for sg4860.home.arpa (192.168.9.253)
        Host is up (0.0010s latency).
        
        PORT   STATE SERVICE VERSION
        22/tcp open  ssh     OpenSSH 9.4 (protocol 2.0)
        | ssh2-enum-algos:
        |   kex_algorithms: (2)
        |       curve25519-sha256@libssh.org
        |       diffie-hellman-group-exchange-sha256
        |   server_host_key_algorithms: (3)
        |       rsa-sha2-512
        |       rsa-sha2-256
        |       ssh-ed25519
        |   encryption_algorithms: (6)
        |       chacha20-poly1305@openssh.com
        |       aes256-gcm@openssh.com
        |       aes128-gcm@openssh.com
        |       aes256-ctr
        |       aes192-ctr
        |       aes128-ctr
        |   mac_algorithms: (3)
        |       hmac-sha2-512
        |       hmac-sha2-256
        |       umac-128@openssh.com
        |   compression_algorithms: (2)
        |       none
        |_      zlib@openssh.com
        MAC Address: 00:08:A2:0C:E6:24 (ADI Engineering)
        
        Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
        Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
        

        edit3: And can can still ssh into pfsense.. Great info and write up thanks!

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        1 Reply Last reply Reply Quote 2
        • S
          Skrillor
          last edited by

          Hi there,

          Fabian Bäumer (one of the authors from Terrapin) here. Just replying here to let you know that a workaround requires both, ChaCha20-Poly1305 and -etm MAC algorithms, to be disabled. If you only disable one of them (patch 1 and 2), the other one may still be exploitable if enabled.

          dennypageD jimpJ 2 Replies Last reply Reply Quote 4
          • dennypageD
            dennypage @Skrillor
            last edited by

            @Skrillor said in Terrapin SSH Attack:

            Just replying here to let you know that a workaround requires both, ChaCha20-Poly1305 and -etm MAC algorithms, to be disabled. If you only disable one of them (patch 1 and 2), the other one may still be exploitable if enabled.

            On my firewall, results from the published vulnerability scanner seem to indicate that disabling chacha alone (patch 1) is sufficient. Are there other potential mitigating factors?

            johnpozJ S 2 Replies Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator @dennypage
              last edited by johnpoz

              @dennypage had you disabled etm? when you disabled chacha..

              I just ran the scanner against pfsense, where I ran the etm patch, but still says vuln since I did not disable chacha

              Remote Banner: SSH-2.0-OpenSSH_9.4
              
              ChaCha20-Poly1305 support:   true
              CBC-EtM support:             false
              
              Strict key exchange support: false
              
              ==> The scanned peer is VULNERABLE to Terrapin.
              

              Keeping in mind I don't really have any concerns - I don't expose ssh to the public, and there is nobody going to be doing mitm on my local network.. But it is a very interesting attack.

              I looked into the strict key exchange - and does look like it is available in openssh 9.6.. But its not yet available in my securecrt client.. I looked to see if they had pushed out a new beta even.. But looks like putty has updated to include strict kex

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              dennypageD 1 Reply Last reply Reply Quote 0
              • S
                Skrillor @dennypage
                last edited by

                @dennypage said in Terrapin SSH Attack:

                On my firewall, results from the published vulnerability scanner seem to indicate that disabling chacha alone (patch 1) is sufficient. Are there other potential mitigating factors?

                To exploit the Encrypt-then-MAC variant in practice, we additionally require a CBC cipher to be negotiated. If your implementation does not offer any -cbc cipher alongside an -etm@openssh.com MAC, the vulnerability scanner returns false for CBC-EtM. If CBC-EtM isn't supported at all, disabling chacha20-poly1305@openssh.com on its own will have the same effect.

                1 Reply Last reply Reply Quote 0
                • dennypageD
                  dennypage @johnpoz
                  last edited by

                  @johnpoz said in Terrapin SSH Attack:

                  had you disabled etm? when you disabled chacha..

                  No. I only have -etm MACs enabled. I have other things disabled (RSA), which is why I asked about other mitigating factors.

                  dennypageD 1 Reply Last reply Reply Quote 0
                  • dennypageD
                    dennypage @dennypage
                    last edited by

                    @dennypage This is the security patch I have historically applied for ssh:

                    --- /etc/inc/globals.inc.org	2023-02-02 08:47:26.000000000 -0800
                    +++ /etc/inc/globals.inc	2023-02-02 22:53:00.000000000 -0800
                    @@ -365,7 +365,6 @@
                     
                     global $ssh_keys;
                     $ssh_keys = [
                    -	['type' => 'rsa', 'suffix' => 'rsa_'],
                     	['type' => 'ed25519', 'suffix' => 'ed25519_'],
                     ];
                     
                    --- /etc/sshd.org	2023-02-02 08:47:26.000000000 -0800
                    +++ /etc/sshd	2023-02-02 22:53:00.000000000 -0800
                    @@ -70,7 +70,7 @@
                     /* Include default configuration for pfSense */
                     /* Taken from https://stribika.github.io/2015/01/04/secure-secure-shell.html */
                     $sshconf = "# This file is automatically generated at startup\n";
                    -$sshconf .= "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n";
                    +$sshconf .= "KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256\n";
                     /* Run the server on another port if we have one defined */
                     $sshconf .= "Port $sshport\n";
                     /* Only allow protocol 2, because we say so */
                    @@ -116,7 +116,7 @@
                     }
                     $sshconf .= "X11Forwarding no\n";
                     $sshconf .= "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n";
                    -$sshconf .= "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\n";
                    +$sshconf .= "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com\n";
                     $sshconf .= "# override default of no subsystems\n";
                     $sshconf .= "Subsystem\tsftp\t/usr/libexec/sftp-server\n";
                    

                    And the slight adjustment I made for Terrapin:

                    --- /etc/inc/globals.inc.org	2023-02-02 08:47:26.000000000 -0800
                    +++ /etc/inc/globals.inc	2023-02-02 22:53:00.000000000 -0800
                    @@ -365,7 +365,6 @@
                     
                     global $ssh_keys;
                     $ssh_keys = [
                    -	['type' => 'rsa', 'suffix' => 'rsa_'],
                     	['type' => 'ed25519', 'suffix' => 'ed25519_'],
                     ];
                     
                    --- /etc/sshd.org	2023-02-02 08:47:26.000000000 -0800
                    +++ /etc/sshd	2023-02-02 22:53:00.000000000 -0800
                    @@ -70,7 +70,7 @@
                     /* Include default configuration for pfSense */
                     /* Taken from https://stribika.github.io/2015/01/04/secure-secure-shell.html */
                     $sshconf = "# This file is automatically generated at startup\n";
                    -$sshconf .= "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n";
                    +$sshconf .= "KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256\n";
                     /* Run the server on another port if we have one defined */
                     $sshconf .= "Port $sshport\n";
                     /* Only allow protocol 2, because we say so */
                    @@ -116,7 +116,7 @@
                     }
                     $sshconf .= "X11Forwarding no\n";
                    -$sshconf .= "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n";
                    +$sshconf .= "Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n";
                    -$sshconf .= "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\n";
                    +$sshconf .= "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com\n";
                     $sshconf .= "# override default of no subsystems\n";
                     $sshconf .= "Subsystem\tsftp\t/usr/libexec/sftp-server\n";
                    
                    dennypageD 1 Reply Last reply Reply Quote 0
                    • dennypageD
                      dennypage @dennypage
                      last edited by

                      FWIW, ssh-audit was updated earlier this evening to include scanning for Terrapin.

                      1 Reply Last reply Reply Quote 0
                      • jimpJ
                        jimp Rebel Alliance Developer Netgate @Skrillor
                        last edited by

                        @Skrillor said in Terrapin SSH Attack:

                        Hi there,

                        Fabian Bäumer (one of the authors from Terrapin) here. Just replying here to let you know that a workaround requires both, ChaCha20-Poly1305 and -etm MAC algorithms, to be disabled. If you only disable one of them (patch 1 and 2), the other one may still be exploitable if enabled.

                        Curious, the web site says AES-GCM is not affected, and CTR algorithms are not affected in real-world scenarios. By disabling only ChaCha, the only algorithms left active in the configuration on pfSense software are AES-GCM and CTR-based options. Perhaps the web site needs an update to reflect that? Or the patch could only leave AES-GCM enabled. If there is no real-world scenario where CTR+ETM is exploitable it's questionable to label it vulnerable, but that's open for debate I suppose.

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        dennypageD 1 Reply Last reply Reply Quote 2
                        • dennypageD
                          dennypage @jimp
                          last edited by

                          FWIW, In addition to pfSense, I've tested a few other Linux and Mac systems using both the Terrapin scanner and ssh-audit. On those systems, even without any other changes, both scanners indicate that disabling ChaCha alone (patch 1) is sufficient. I have not tested with just disabling -etm MACs (patch 2).

                          Of course, both scanners could be broken...

                          1 Reply Last reply Reply Quote 0
                          • S
                            sandie
                            last edited by

                            I fully agree with everything what Jim written, but… ;) OpenSSH 9.6 anytime soon in pfSense? (23.09.2?) :)
                            Thanks!

                            jimpJ 1 Reply Last reply Reply Quote 0
                            • jimpJ
                              jimp Rebel Alliance Developer Netgate @sandie
                              last edited by

                              @sandie said in Terrapin SSH Attack:

                              I fully agree with everything what Jim written, but… ;) OpenSSH 9.6 anytime soon in pfSense? (23.09.2?) :)

                              I don't know that this is worth a point release all on its own especially given the timing. Given the high barrier to do anything meaningful, the workaround is sufficient for now unless new information comes up suggesting otherwise.

                              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                              Need help fast? Netgate Global Support!

                              Do not Chat/PM for help!

                              johnpozJ 1 Reply Last reply Reply Quote 3
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator @jimp
                                last edited by johnpoz

                                @jimp So will 9.6 be coming with the next normal release? I mean 9.5 was out a month before 23.09 dropped. I not sure why when 23.09 or even 23.09.1 came out why openssh wasn't updated to 9.5?

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                S jimpJ 2 Replies Last reply Reply Quote 0
                                • S
                                  sandie @johnpoz
                                  last edited by

                                  @johnpoz Newer <> Better often. I am going to apply Jim’s patch, but we will upgrade each and every system which offers OpenSSH 9.6 (hopefully not having too many of nodes).
                                  I was just crosschecking what is the plan. I think this problem may be urgent only for people who need to use those ciphers, but we are going to stop using them.

                                  M 1 Reply Last reply Reply Quote 0
                                  • M
                                    mcury @sandie
                                    last edited by

                                    I'm not in a hurry to apply these patches since I'm not exposing SSH to the internet.
                                    SSH is only for my MGMT network.

                                    So, I'm just waiting right now..

                                    dead on arrival, nowhere to be found.

                                    1 Reply Last reply Reply Quote 3
                                    • jimpJ
                                      jimp Rebel Alliance Developer Netgate @johnpoz
                                      last edited by

                                      @johnpoz said in Terrapin SSH Attack:

                                      @jimp So will 9.6 be coming with the next normal release? I mean 9.5 was out a month before 23.09 dropped. I not sure why when 23.09 or even 23.09.1 came out why openssh wasn't updated to 9.5?

                                      We follow FreeBSD's lead here. We take whichever version is in base. At the moment that is 9.5p1 on dev snapshots. If they put 9.6 in base and we merge after that point, we'll pick it up.

                                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                      Need help fast? Netgate Global Support!

                                      Do not Chat/PM for help!

                                      1 Reply Last reply Reply Quote 3
                                      • the otherT
                                        the other
                                        last edited by the other

                                        hey there,
                                        first...thank you for your work, explanations, patch and work. :)
                                        Then just a short feedback: although I do not have ssh open to the Internet, I used the nmap script to check..., of course, there it was: chacha and etm just as @johnpoz posted. And then it bugged me so much I installed the patch (first one of the two posted by @jimp) anyways. Rebooted, waited, checked ssh (which is still working) and got that mild feeling of relief (even though no ssh to Internet and only homenetwork with chance for MitM relatively small...but it feels better). So thanx for that one moment of easyness in pre-xmas-stress mode. :)

                                        the other

                                        pure amateur home user, no business or professional background
                                        please excuse poor english skills and typpoz :)

                                        1 Reply Last reply Reply Quote 0
                                        • jimpJ jimp referenced this topic on
                                        • jimpJ
                                          jimp Rebel Alliance Developer Netgate
                                          last edited by

                                          The patch to disable ChaCha and ETM is now available in System Patches Package v2.2.9 as a recommended patch. Read the linked thread before updating the package.

                                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                          Need help fast? Netgate Global Support!

                                          Do not Chat/PM for help!

                                          M 1 Reply Last reply Reply Quote 8
                                          • M
                                            michmoor LAYER 8 Rebel Alliance @jimp
                                            last edited by michmoor

                                            @jimp
                                            The patch works out nicely. Thanks to the prompt response.

                                            525f718a-56de-4a2a-82e8-edd3ad38b52f-image.png 54e9dd77-ad7f-4cb3-9e51-b4e822c8d86a-image.png

                                            Firewall: NetGate,Palo Alto-VM,Juniper SRX
                                            Routing: Juniper, Arista, Cisco
                                            Switching: Juniper, Arista, Cisco
                                            Wireless: Unifi, Aruba IAP
                                            JNCIP,CCNP Enterprise

                                            1 Reply Last reply Reply Quote 0
                                            • johnpozJ johnpoz referenced this topic on
                                            • M
                                              monsen
                                              last edited by monsen

                                              I just noticed that this patch seems to "break" shh connectivity with Windows.

                                              After applying the patch (and restarting the ssh deamon), when trying to SSH to the box from Windows, it now just reports

                                              Corrupted MAC on input.
                                              ssh_dispatch_run_fatal: Connection to 10.11.11.1 port 22: message authentication code incorrect
                                              

                                              Tested disabling the patch, and everything was back working again. I made sure to test from multiple version of Windows and Windows server to confirm a general problem.

                                              Doing a bit of ssh debugging, I noticed that Windows would try to use "umac-128@openssh.com" as the MAC algorithm, which is also is one of the ones listed as supported on the pfsense box after the patch. It also chose aes128-ctr as the Crypto algorithm. (OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3; among others)

                                              It can be worked around on the Windows side by just excluding the umac-128@openssh.com algorithm either in the client config file or on the command line, or by forcing Windows to use AES-GCM.

                                              I did some further testing, and while the issue isn't technically caused by the patch, it is still present even without the patch if you force the SSH client to choose the same algorithms it would have picked then, I still thought it worthwhile to report it here, since this patch is technically what will trigger the "bad" MAC algorithm.

                                              This may (or may not) be a fault of Windows (or the OpenSSH client version compiled for Windows),

                                              (Running Netgate 4100, 23.09.1-RELEASE)

                                              STLJonnyS 1 Reply Last reply Reply Quote 2
                                              • STLJonnyS
                                                STLJonny @monsen
                                                last edited by

                                                @monsen

                                                Simple fix that I've found, to fix my Windows to be able to ssh to my pfSense install (after applying the patch) is the following.

                                                Add the following like to c:\users<user>.ssh/config

                                                MACs hmac-sha2-512

                                                This forced my ssh to use that MAC (message authentication code), of which pfSense is fine with.

                                                1 Reply Last reply Reply Quote 2
                                                • JonathanLeeJ
                                                  JonathanLee
                                                  last edited by JonathanLee

                                                  So is cha cha poly safe to use at this point? That is supposed to be the new advanced encryption algorithm. Disabling it kind of lets the bad guys win as we are degrading our systems by way of encryption algorithms. Is there a solution. Yes I am also aware that OpenVPN side doesn’t have support for it yet. The SMID assembly code is available on the processor I am using. Is this a software issue where not many programmers understand how to work with it? Bleeding edge software issues?

                                                  Just to confirm ChaCha is similar to a “Diffie-Hellman" algorithm? Based on the vulnerability explanation it acts just like one. Is it something new that had a security vulnerability? That exploit seems to have the ability to perform this on other algorithms as well. What makes sha better suited to this attack when they also do key exchanges?

                                                  Make sure to upvote

                                                  1 Reply Last reply Reply Quote 0
                                                  • A
                                                    aldomoro @jimp
                                                    last edited by

                                                    This post is deleted!
                                                    1 Reply Last reply Reply Quote 0
                                                    • stephenw10S
                                                      stephenw10 Netgate Administrator @jimp
                                                      last edited by

                                                      @jimp said in Terrapin SSH Attack:

                                                      After applying the patch, reboot or restart the SSH daemon:

                                                      /usr/local/bin/php-cgi -f /etc/sshd

                                                      Like that. ^

                                                      1 Reply Last reply Reply Quote 0
                                                      • D
                                                        DominikHoffmann
                                                        last edited by

                                                        I take it, pfSense 24.03 has fixed this. Am I correct?

                                                        1 Reply Last reply Reply Quote 0
                                                        • stephenw10S
                                                          stephenw10 Netgate Administrator
                                                          last edited by

                                                          Yes it was patched in openssh 9.6.

                                                          [24.03-RELEASE][admin@4200.stevew.lan]/root: ssh -V
                                                          OpenSSH_9.6p1, OpenSSL 3.0.13 24 Oct 2023
                                                          
                                                          lifeboyL 1 Reply Last reply Reply Quote 1
                                                          • lifeboyL
                                                            lifeboy @stephenw10
                                                            last edited by

                                                            @stephenw10 I see that CE 2.7.2 doesn't have openssh 9.6 yet. Does one manually have to upgrade openssh?

                                                            1 Reply Last reply Reply Quote 0
                                                            • stephenw10S
                                                              stephenw10 Netgate Administrator
                                                              last edited by

                                                              There is a patch in the system patches package to disable the affected ciphers. Apply it.

                                                              1 Reply Last reply Reply Quote 0
                                                              • W
                                                                willowen100
                                                                last edited by

                                                                Hi

                                                                I know this is an old post, I'd like to add that I too am having problems connecting from a Windows client PC using OpenSSH.

                                                                With the below patch applied
                                                                Workaround for Terrapin SSH Attack (After applying the patch, reboot or restart the SSH daemon, FreeBSD-SA-23:19.openssh, Terrapin Attack)

                                                                I get an error connecting

                                                                PS C:\Users\Will> ssh admin@192.168.5.1
                                                                Corrupted MAC on input.
                                                                ssh_dispatch_run_fatal: Connection to 192.168.5.1 port 22: message authentication code incorrect
                                                                

                                                                After listing the MAC algorithms with

                                                                PS C:\Users\Will> ssh -Q mac
                                                                hmac-sha1
                                                                hmac-sha1-96
                                                                hmac-sha2-256
                                                                hmac-sha2-512
                                                                hmac-md5
                                                                hmac-md5-96
                                                                umac-64@openssh.com
                                                                umac-128@openssh.com
                                                                hmac-sha1-etm@openssh.com
                                                                hmac-sha1-96-etm@openssh.com
                                                                hmac-sha2-256-etm@openssh.com
                                                                hmac-sha2-512-etm@openssh.com
                                                                hmac-md5-etm@openssh.com
                                                                hmac-md5-96-etm@openssh.com
                                                                umac-64-etm@openssh.com
                                                                umac-128-etm@openssh.com
                                                                

                                                                If I try connecting with the first MAC algorithm I get a prompt to try different ones

                                                                PS C:\Users\Will> ssh admin@192.168.5.1 -m hmac-sha1
                                                                Unable to negotiate with 192.168.5.1 port 22: no matching MAC found. Their offer: hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
                                                                

                                                                The only way to connect to pfSense via SSH is with

                                                                ssh admin@192.168.5.1 -m hmac-sha2-512
                                                                

                                                                Once in pfSense I'm able to get the OpenSSH version

                                                                [2.7.2-RELEASE][admin@pfSense.lan]/root: ssh -V
                                                                OpenSSH_9.4p1, OpenSSL 3.0.12 24 Oct 2023
                                                                

                                                                Some more information can be found here at the link below
                                                                https://serverfault.com/questions/994646/ssh-on-windows-corrupted-mac-on-input

                                                                Is there any fix with this on the pfSense CE edition?

                                                                STLJonnyS 1 Reply Last reply Reply Quote 0
                                                                • STLJonnyS
                                                                  STLJonny @willowen100
                                                                  last edited by

                                                                  @willowen100 See my reply, above in this thread, for a fix from the windows side.

                                                                  W 1 Reply Last reply Reply Quote 1
                                                                  • W
                                                                    willowen100 @STLJonny
                                                                    last edited by

                                                                    @STLJonny That works perfectly!

                                                                    STLJonnyS 1 Reply Last reply Reply Quote 0
                                                                    • STLJonnyS
                                                                      STLJonny @willowen100
                                                                      last edited by STLJonny

                                                                      @willowen100 It basically forces your ssh (on the Windows side) to utilize that encryption algorithm. You'll need to do that on any machine you ssh from.

                                                                      I'd have rather found a more elegant workaround (preferably on the pfSense side, so the mod only has to be done in one location), but this works in a pinch.

                                                                      1 Reply Last reply Reply Quote 0
                                                                      • First post
                                                                        Last post
                                                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.

                                                                      Looks like your connection to Netgate Forum was lost, please wait while we try to reconnect.