How to Mitigate Terrapin Attack on macOS


Recently a new security vulnerability was disclosed:

Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel.

More details can be found here (in slightly more readable form) as well as here (original site explaining the attack).

TL;DR: This Man-In-The-Middle (MITM) attack vulnerability is not about a specific implementation. It is about the SSH protocol itself. And most importantly, it impacts both SSH servers (e.g., OpenSSH) as well as SSH clients. And BOTH must be patched to mitigate this issue. If EITHER the SSH server OR the client involved in a connection is vulnerable, there exists a risk of a MITM attack.

Admittedly, this does require the attacker to be somewhere "in the middle" between your SSH client and server. But there is a risk.

This vulnerability affects various OSes and applications. For example, OpenSSH is affected in all versions prior to v9.6. macOS uses OpenSSH, and even the latest release as of this writing (macOS "Sonoma" v14.2.1) only has OpenSSH v9.4 installed.

So I tested with their vulnerability scanner and found that both the latest version of macOS "Ventura" 13.6.3 (which is what I am still running on most systems) as well as the absolute latest macOS "Sonoma" 14.2.1 are vulnerable to this attack.

For anyone with macOS, you can mitigate this by simply putting a file (I named mine Mitigate_Terrapin_Attack.conf) with this line:

Ciphers -chacha20-poly1305@openssh.com

in these 2 directories:

  • /etc/ssh/ssh_config.d/
  • /etc/ssh/sshd_config.d/

and rebooting.

In other words,

  1. Open Terminal

  2. Run the command

    sudo nano /etc/ssh/ssh_config.d/Mitigate_Terrapin_Attack.conf

    for the ssh client or

    sudo nano /etc/ssh/sshd_config.d/Mitigate_Terrapin_Attack.conf

    for the sshd daemon, enter your password (what you log into your Mac with) to give root access, and copy/paste

    Ciphers -chacha20-poly1305@openssh.com

    into the file and save by hitting [CTRL][X] and then Y. (Note the - before the cipher, which tells OpenSSH to disable/remove it.)

  3. Once both files are created, simply reboot your Mac. [1]

Once I did this, I retested with their vulnerability scanner and confirmed that neither the SSH server nor the client were listed as vulnerable.


After macOS is patched

If/when Apple updates their OSes to patch this vulnerability, you simply remove those 2 files using commands such as

sudo rm /etc/ssh/ssh_config.d/Mitigate_Terrapin_Attack.conf
sudo rm /etc/ssh/sshd_config.d/Mitigate_Terrapin_Attack.conf

Final Notes

The steps above likely will work for any OS that uses OpenSSH (e.g., Linux). However, I have not tested this on other OSes. I just know that on macOS, the OpenSSH server reads the /etc/ssh/sshd_config file, which in turn has a line in it:

Include /etc/ssh/sshd_config.d/*

which includes the contents of any files in that subdirectory.

Similarly, the ssh client reads the /etc/ssh/ssh_config file, which has its own

Include /etc/ssh/ssh_config.d/*

So depending on your OS, you might need to put the one line that removes the cipher directly into these config files instead. YMMV.
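To confirm that the drop-in files were actually picked up through the Include lines, you can inspect the effective configuration that OpenSSH itself reports (ssh -G for the client, sshd -T for the server). The script below is an added example, not part of the original post: the function name terrapin_check and the sample dumps are constructed for illustration, and it goes slightly beyond the post by also flagging CBC ciphers paired with encrypt-then-MAC (-etm) MACs, the other mode affected by Terrapin.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reads an OpenSSH effective-config dump (ssh -G <host> or sshd -T) on stdin.
# Returns 0 if no Terrapin-affected mode is offered, 1 if one is,
# and 2 if the input has no "ciphers" line at all.
terrapin_check() {
    cfg=$(cat)
    # Keys in the dump are lowercase: "ciphers a,b,c" and "macs x,y,z".
    ciphers=$(printf '%s\n' "$cfg" | awk '$1 == "ciphers" { print $2; exit }')
    macs=$(printf '%s\n' "$cfg" | awk '$1 == "macs" { print $2; exit }')
    if [ -z "$ciphers" ]; then
        echo "no 'ciphers' line found; is this ssh -G / sshd -T output?" >&2
        return 2
    fi
    status=0
    case ",$ciphers," in
        *,chacha20-poly1305@openssh.com,*)
            echo "AFFECTED: chacha20-poly1305@openssh.com is still offered"
            status=1 ;;
    esac
    # CBC ciphers are only affected when combined with an -etm MAC.
    case ",$ciphers," in
        *-cbc,*)
            case ",$macs," in
                *-etm@openssh.com,*)
                    echo "AFFECTED: CBC cipher offered together with an -etm MAC"
                    status=1 ;;
            esac ;;
    esac
    [ "$status" -eq 0 ] && echo "OK: no Terrapin-affected mode offered"
    return "$status"
}

# Constructed sample dumps (shortened, not captured from a real host).
BEFORE='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256'
AFTER='ciphers aes128-ctr,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256'

printf '%s\n' "$BEFORE" | terrapin_check || true   # reports AFFECTED
printf '%s\n' "$AFTER"  | terrapin_check           # reports OK

# On a real Mac, feed it the live configuration instead:
#   ssh -G localhost | terrapin_check
#   sudo /usr/sbin/sshd -T | terrapin_check
```

Once both ends run a patched OpenSSH (v9.6 or later) and the workaround files are removed, this check will report chacha20-poly1305 again, because it only looks at which algorithms are offered and not at the protocol-level fix.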


  1. You could also restart the OpenSSH daemon using launchctl to unload/load if you prefer/know how. I just figured for most users, rebooting is easier. 
