To mitigate ISN 2023-39: SSH Terrapin Vulnerability, you can enable a registry parameter that will disable weak MACs and Chipers to prevent terrapin attacks. For more information on terrapin attacks and the related CVE-2023-48795, see https://terrapin-attack.com/ and https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-48795.

If you use OpenSSH 9.6p1 both on the client and server there is no need to use this registry parameter. IGEL OS versions 11.09.210 or higher use the latest OpenSSH 9.6p1. when you use this version or newer on the peer, they will automatically use the new "strict KEX" protocol extension.


To enable Terrapin mitigation through the registry parameter:

  1. In IGEL Setup, go to System > Registry > network > ssh_server > enable_terrapin_mitigation.

  2. Enable the parameter.

  3. Click Apply or OK to save the change.

The following options vulnerable to Terrapin attack are disabled:

    • the ChaCha20-Poly1305 cipher
    • all -cbc ciphers
    • all -ctr ciphers
    • all -etm@openssh.com macs

If you want to deactivate SSH completely, follow the instructions in Disabling SSH Access.