release request (terrapin)

[0-wiz-0]

Please make a release that includes the fix for the terrapin vulnerability, for easier packaging.
Thank you!

[mkj]

Not sure if I'll get the release made in the next week, otherwise it'll be after mid-January.

Note that Terrapin doesn't reduce the security of Dropbear at all, it doesn't implement ping@openssh.com extension.

server-sig-algs is mentioned by the Terrapin authors as security-related, but I think that's incorrect - it's used for compatibility, not security.

[mkj]

For reference, this commit can be cherrypicked if desired
6e43be5 Implement Strict KEX mode

With description in 66bc1fc

dropbear/CHANGES

Lines 12 to 23 in 66bc1fc

	- Add "Strict KEX" support. This mitigates a SSH protocol flaw which lets
	a MITM attacker silently remove packets immediately after the
	first key exchange. At present the flaw does not seem to reduce Dropbear's
	security (the only packet affected would be a server-sig-algs extension,
	which is used for compatibility not security).
	For Dropbear, chacha20-poly1305 is the only affected cipher.
	Both sides of the connection must support Strict KEX for it to be used.
	The protocol flaw is tracked as CVE-2023-48795, details
	at https://terrapin-attack.com . Thanks to the researchers Fabian Bäumer,
	Marcus Brinkmann, and Jörg Schwenk. Thanks to OpenSSH for specifying
	strict KEX mode.

[TrueSkrillor]

server-sig-algs is mentioned by the Terrapin authors as security-related, but I think that's incorrect - it's used for compatibility, not security.

The reason why we considered server-sig-algs to be security-related is given in RFC8332 Section 3.3:

When authenticating with an RSA key against a server that does not
implement the "server-sig-algs" extension, clients MAY default to an
"ssh-rsa" signature to avoid authentication penalties. When the new
rsa-sha2-* algorithms have been sufficiently widely adopted to
warrant disabling "ssh-rsa", clients MAY default to one of the new
algorithms.

While it is true that not sending server-sig-algs does not prevent the client from trying SHA2-based RSA signatures, we observed the suggested behavior (preferring SHA-1 over SHA-2 when server-sig-algs is missing) in a wide variety of SSH clients. Also, the order of algorithms in server-sig-algs is used by some clients in case multiple private keys are present, potentially leading to downgrades as well.

However, we do not consider this application of the Terrapin attack to have a significant impact. Instead, our main concern is the combination of Terrapin with implementation bugs, as seen in AsyncSSH. We evaluated only a handful of SSH implementations, where one already allowed for in-session man-in-the-middle attacks. Given the wide variety of SSH implementations, one can estimate with sufficient probability that other implementations face similar issues.