The SSH protocol provides secure access to network services, particularly remote terminal login and file transfer within organizational networks and to over 15 million servers on the open internet. SSH uses an authenticated key exchange to establish a secure channel between a client and a server, which protects the confidentiality and integrity of messages sent in either direction. The secure channel prevents message manipulation, replay, insertion, deletion, and reordering. In this paper, we show that as new encryption algorithms and mitigations were added to SSH, the SSH Binary Packet Protocol is no longer a secure channel: SSH channel integrity (INT-PST) is broken for three widely used encryption modes. This allows prefix truncation attacks where some encrypted packets at the beginning of the SSH channel can be deleted without the client or server noticing it. We demonstrate several real-world applications of this attack. We show that we can fully break SSH extension negotiation (RFC 8308), such that an attacker can downgrade the public key algorithms for user authentication or turn off a new countermeasure against keystroke timing attacks introduced in OpenSSH 9.5. We also identified an implementation flaw in AsyncSSH that, together with prefix truncation, allows an attacker to redirect the victim's login into a shell controlled by the attacker. In an internet-wide scan for vulnerable encryption modes and support for extension negotiation, we find that 77% of SSH servers support an exploitable encryption mode, while 57% even list it as their preferred choice. We identify two root causes that enable these attacks: First, the SSH handshake supports optional messages that are not authenticated. Second, SSH does not reset message sequence numbers when encryption is enabled. Based on this analysis, we propose effective and backward-compatible changes to SSH that mitigate our attacks.
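The two root causes named above can be replayed in a few dozen lines. The following is an added, constructed model of one direction of the SSH Binary Packet Protocol; it is not code from the paper or from any SSH implementation. The `SSH_MSG_*` numbers are the real ones from RFC 4253, RFC 5656 and RFC 8308, but the cipher is a toy HMAC-based stand-in that keeps only the property relevant here: as with chacha20-poly1305@openssh.com, the keystream and the tag are bound to the 32-bit sequence number rather than to previous ciphertext. The `strict` flag is my own sketch of a fix that addresses the two root causes directly (reject optional messages during the handshake, reset sequence numbers when NEWKEYS takes effect); it illustrates the mitigation direction, not the paper's exact proposal.

```python
"""Toy model of SSH BPP sequence-number handling and a prefix-truncation attack.
Constructed example: the 'AEAD' is an HMAC-based stand-in, not real ChaCha20-Poly1305."""
import hashlib
import hmac
import struct

SSH_MSG_IGNORE = 2           # RFC 4253 11.2: may be sent at any time, must be ignored
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_EXT_INFO = 7         # RFC 8308: first message after NEWKEYS
SSH_MSG_NEWKEYS = 21
SSH_MSG_KEX_ECDH_REPLY = 31  # RFC 5656


class IntegrityError(Exception):
    pass


def _keystream(key, seqnr, n):
    """Keystream derived from the sequence number (toy; real SSH uses ChaCha20)."""
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">IQ", seqnr, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def seal(key, seqnr, payload):
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, seqnr, len(payload))))
    tag = hmac.new(key, struct.pack(">I", seqnr) + ct, hashlib.sha256).digest()[:16]
    return ct + tag


def unseal(key, seqnr, packet):
    ct, tag = packet[:-16], packet[-16:]
    expect = hmac.new(key, struct.pack(">I", seqnr) + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise IntegrityError(f"bad tag at receive sequence number {seqnr}")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, seqnr, len(ct))))


class Peer:
    """One direction of a BPP connection (here: server -> client)."""

    def __init__(self, key, strict=False):
        self.key = key
        self.strict = strict        # hypothetical fix: see run() below
        self.seq_send = self.seq_recv = 0
        self.tx_encrypted = self.rx_encrypted = False
        self.received = []          # message types the client accepted

    def send(self, msg_type, body=b""):
        payload = bytes([msg_type]) + body
        wire = seal(self.key, self.seq_send, payload) if self.tx_encrypted else payload
        self.seq_send = (self.seq_send + 1) & 0xFFFFFFFF   # never reset in RFC 4253
        if msg_type == SSH_MSG_NEWKEYS:
            self.tx_encrypted = True
            if self.strict:
                self.seq_send = 0                          # fix for root cause 2
        return wire

    def recv(self, wire):
        payload = unseal(self.key, self.seq_recv, wire) if self.rx_encrypted else wire
        msg_type = payload[0]
        if self.strict and not self.rx_encrypted and msg_type == SSH_MSG_IGNORE:
            raise IntegrityError("unexpected optional message during handshake")  # root cause 1
        self.seq_recv = (self.seq_recv + 1) & 0xFFFFFFFF
        if msg_type == SSH_MSG_NEWKEYS:
            self.rx_encrypted = True
            if self.strict:
                self.seq_recv = 0
        if msg_type != SSH_MSG_IGNORE:
            self.received.append(msg_type)
        return msg_type


def run(inject_ignore, drop_ext_info, strict=False):
    """Server sends KEX reply, NEWKEYS, EXT_INFO, SERVICE_ACCEPT through a MITM.
    Returns the message types the client accepted, or an 'error: ...' string."""
    key = hashlib.sha256(b"constructed shared secret").digest()  # stands in for KEX output
    server, client = Peer(key, strict), Peer(key, strict)
    try:
        for msg in (SSH_MSG_KEX_ECDH_REPLY, SSH_MSG_NEWKEYS,
                    SSH_MSG_EXT_INFO, SSH_MSG_SERVICE_ACCEPT):
            wire = server.send(msg)
            if msg == SSH_MSG_KEX_ECDH_REPLY and inject_ignore:
                # Handshake packets are unencrypted and unauthenticated, so the
                # attacker can insert its own IGNORE; the client's seq_recv grows by 1.
                client.recv(bytes([SSH_MSG_IGNORE]))
            if msg == SSH_MSG_EXT_INFO and drop_ext_info:
                continue   # prefix truncation: the first encrypted packet is deleted
            client.recv(wire)
    except IntegrityError as e:
        return f"error: {e}"
    return client.received
```

`run(False, True)` (dropping EXT_INFO alone) fails with a bad tag because the client checks SERVICE_ACCEPT under sequence number 2 while the server sealed it under 3. `run(True, True)` succeeds silently: the injected IGNORE has already advanced the client to 3, so the tag verifies and the client never learns that EXT_INFO existed, which is exactly the downgrade of RFC 8308 extension negotiation described above. With `strict=True` the injected IGNORE terminates the connection, and because both counters restart at zero after NEWKEYS, a deletion of the first encrypted packet is caught at sequence number 0.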