Editing Secure Shell (section)

=== Terrapin attack ===
{{main|Terrapin attack}}
A novel man-in-the-middle attack against most current ssh implementations was discovered in 2023. It was named the [[Terrapin attack]] by its discoverers.<ref>{{Cite web |title=Terrapin Attack |url=https://terrapin-attack.com/ |access-date=2023-12-20 |website=terrapin-attack.com}}</ref><ref>{{Cite web |last=Jones |first=Connor |title=SSH shaken, not stirred by Terrapin downgrade vulnerability |url=https://www.theregister.com/2023/12/20/terrapin_attack_ssh/ |access-date=2023-12-20 |website=www.theregister.com |language=en}}</ref> However, the risk is mitigated by the requirement to intercept a genuine ssh session, and that the attack is restricted in its scope, fortuitously resulting mostly in failed connections.<ref name="El Reg">{{Cite web |last=Jones |first=Connor |title=SSH shaken, not stirred by Terrapin downgrade vulnerability |url=https://www.theregister.com/2023/12/20/terrapin_attack_ssh/ |access-date=2023-12-20 |website=www.theregister.com |language=en}}</ref><ref name=":1">{{Cite web |date=2023-12-18 |title=OpenSSH 9.6 release notes |url=https://www.openssh.com/txt/release-9.6 |website=openssh.com}}</ref> The ssh developers have stated that the major impact of the attack is to degrade the [[Keystroke dynamics|keystroke timing]] obfuscation features of ssh.<ref name=":1" /> The vulnerability was fixed in OpenSSH 9.6, but requires both client and server to be upgraded for the fix to be fully effective.