checkupdates: workaround Terrapin vuln
The fix for https://terrapin-attack.com/ requires that both the client and the server implement the new strict key exchange. The Terrapin scanner (output below) reports that gitlab.com still lacks strict key exchange and is therefore still vulnerable. This change therefore stops the checkupdates SSH client from offering the vulnerable algorithms (ChaCha20-Poly1305 and the CBC-EtM MACs), so a connection to an unpatched server can never negotiate them.
$ ./Terrapin_Scanner_Linux_amd64 -connect gitlab.com
================================================================================
==================================== Report ====================================
================================================================================
Remote Banner: SSH-2.0-GitLab-SSHD
ChaCha20-Poly1305 support: true
CBC-EtM support: false
Strict key exchange support: false
The scanned peer is VULNERABLE to Terrapin.
Note: This tool is provided as is, with no warranty whatsoever. It determines
the vulnerability of a peer by checking the supported algorithms and
support for strict key exchange. It may falsely claim a peer to be
vulnerable if the vendor supports countermeasures other than strict key
exchange.
For more details visit our website available at https://terrapin-attack.com
I've tested this snippet on at.or.at, both for client and server. I'm going to roll it out elsewhere as well.
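The client-side mitigation described above, as an added example that is not fdroidserver's own code: a small Python helper that subtracts the Terrapin-relevant algorithms from the OpenSSH client's default offer using the `-o Ciphers=-…` / `-o MACs=-…` syntax (the leading `-` removes the named algorithms from the default list; it needs OpenSSH 7.5 or newer), exposes the result through `GIT_SSH_COMMAND` (an assumed integration point, not necessarily how checkupdates wires it in), and parses a scanner report like the one above to compute the same verdict the scanner's note describes (vulnerable = a Terrapin-usable algorithm is supported and strict key exchange is not). The sample report is the gitlab.com output quoted in this description.

```python
"""Terrapin (CVE-2023-48795) client-side hardening helpers.

Added example, not fdroidserver code. Assumes an OpenSSH client >= 7.5 so that
the '-' prefix in Ciphers/MACs subtracts from the default algorithm list.
"""
import shlex
import subprocess

# Algorithms the Terrapin prefix-truncation attack needs when strict key
# exchange is not negotiated. Removing them from the *client's* offer means the
# connection cannot use them even if the server (e.g. gitlab.com) still does.
TERRAPIN_CIPHERS = ("chacha20-poly1305@openssh.com",)
TERRAPIN_MAC_PATTERN = "*-etm@openssh.com"   # OpenSSH accepts glob patterns here


def terrapin_safe_ssh_command(base="ssh"):
    """Return ssh argv with the vulnerable algorithms removed from the defaults.

    The leading '-' tells OpenSSH to subtract the named algorithms from its
    default list instead of replacing the list, so every other default
    cipher/MAC stays available and nothing weaker is accidentally enabled.
    """
    argv = [base]
    argv += ["-o", "Ciphers=-" + ",".join(TERRAPIN_CIPHERS)]
    argv += ["-o", "MACs=-" + TERRAPIN_MAC_PATTERN]
    return argv


def git_ssh_env(base="ssh"):
    """Environment entries so that git spawns the hardened ssh client.

    Assumed integration point: merge into os.environ and pass as env= to
    subprocess.run(["git", "fetch", ...]).
    """
    return {"GIT_SSH_COMMAND": shlex.join(terrapin_safe_ssh_command(base))}


def effective_ciphers_and_macs(host, base="ssh"):
    """Ask the installed OpenSSH client what it would actually offer to `host`.

    `ssh -G` prints the effective configuration without connecting, so this is
    an offline check that the subtraction took effect. Requires OpenSSH on PATH;
    not exercised by the tests.
    """
    argv = terrapin_safe_ssh_command(base) + ["-G", host]
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return {line.split(" ", 1)[0]: line.split(" ", 1)[1]
            for line in out.splitlines() if line.startswith(("ciphers ", "macs "))}


def parse_terrapin_report(text):
    """Parse the 'Key: value' lines of a Terrapin_Scanner report into a dict.

    Boolean fields become bools; the banner stays a string. A 'vulnerable' key
    is derived with the rule the scanner's own note describes: a peer is
    vulnerable when it supports ChaCha20-Poly1305 or CBC-EtM but not strict kex.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if not sep or line.startswith(("Note", "=")):
            continue                         # separators, free text, the note
        value = value.strip()
        fields[key.strip()] = {"true": True, "false": False}.get(value.lower(), value)
    chacha = fields.get("ChaCha20-Poly1305 support", False)
    cbc_etm = fields.get("CBC-EtM support", False)
    strict = fields.get("Strict key exchange support", False)
    fields["vulnerable"] = bool((chacha is True or cbc_etm is True) and strict is not True)
    return fields


# Sample input: the gitlab.com scanner report quoted in this merge request.
SAMPLE_REPORT = """\
================================================================================
==================================== Report ====================================
================================================================================
Remote Banner: SSH-2.0-GitLab-SSHD
ChaCha20-Poly1305 support: true
CBC-EtM support: false
Strict key exchange support: false
The scanned peer is VULNERABLE to Terrapin.
Note: This tool is provided as is, with no warranty whatsoever.
"""

if __name__ == "__main__":
    print(git_ssh_env()["GIT_SSH_COMMAND"])
    print(parse_terrapin_report(SAMPLE_REPORT))
```

To confirm on a real machine that the client no longer offers the algorithms, run the hardened command with `-G` (for example `ssh -o Ciphers=-chacha20-poly1305@openssh.com -o 'MACs=-*-etm@openssh.com' -G gitlab.com | grep -e ^ciphers -e ^macs`); `effective_ciphers_and_macs()` wraps exactly that. The `MACs` value has to be quoted in a shell because of the `*`, which is why the example builds `GIT_SSH_COMMAND` with `shlex.join` rather than string concatenation.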
Edited by Hans-Christoph Steiner