Description
I have run the terrapin scanner (https://github.com/RUB-NDS/Terrapin-Scanner) against an our server module and it is reporting as vulnerable. I was wondering if you have any advice on how to mitigate the vulnerability. According to the website https://terrapin-attack.com/
In more technical terms, if your SSH implementations supports (and is configured to offer) the chacha20-poly1305@openssh.com encryption algorithm, or any encryption algorithm suffixed -cbc in combination with any MAC algorithm suffixed -etm@openssh.com, you are vulnerable to Terrapin.
Also
AES-GCM (RFC5647) is not affected by Terrapin
Or perhaps there is a way to enable "strict kex" which (assuming the client also supports it) would also shutdown any attempt to exploit the issue.
Thanks!