Acquia sent out an email on November 18 with the subject line "Action Required prior to Scheduled Maintenance for the Drupal Cloud platform on 1 December 2020":
On Tuesday, 1 December 2020 Acquia will be performing maintenance for the Drupal Cloud platform. As part of our ongoing efforts to maintain the security of our platform, we will be updating the security policies associated with SSH (Secure Shell) activity on 1 December 2020 to remove outdated and insecure cipher suites.
This will impact all Acquia application subscriptions, including Acquia Cloud Professional, Acquia Cloud Enterprise, and Acquia Cloud Site Factory.
As a result of this maintenance, customers with older access software, outdated operating systems, and older internal services may lose the ability to connect to the Acquia platform hosted applications via SSH until such software, systems, and services are updated to a newer version.
Acquia strongly encourages all customers to ensure that their SSH access tools are up-to-date and do not rely on outdated and insecure cipher suites prior to 1 December 2020. Failure to do so may result in loss of SSH access to your application instances until you make necessary updates.
The standard SSH configurations that Acquia hosts accept include the following:
KexAlgorithms ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256
Ciphers aes128-ctr aes192-ctr aes256-ctr
MACs hmac-sha2-256 hmac-sha2-512
You can check on your machine which configurations your SSH client supports by running the following command. Note: If a section outputs "no matches", this means that your configuration may require an update:
echo "# kex" ; ssh -Q kex | grep -Eo '^(ecdh-sha2-nistp384|ecdh-sha2-nistp521|diffie-hellman-group-exchange-sha256)$' || echo "no matches"
echo "# ciphers" ; ssh -Q cipher | grep -Eo '^(aes128-ctr|aes192-ctr|aes256-ctr)$' || echo "no matches"
echo "# mac" ; ssh -Q mac | grep -Eo '^(hmac-sha2-256|hmac-sha2-512)$' || echo "no matches"
However, please note that this snippet is an unofficial check that is provided as is. The command may not run on all local environments.
Some Dev Desktop installs are among the SSH clients affected by our cipher removal. The solution is to install the newest version and then enable a new SSH option on the preferences page:
Open Dev Desktop -> Click "Acquia Dev Desktop" -> Preferences -> then put a check on "Use new SSH(OpenSSL 1.1.1d 10 Sep 2019)"
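
The check in the email uses ssh -Q, which lists what the ssh binary supports; a client whose ssh_config restricts Ciphers, MACs or KexAlgorithms can still fail to negotiate. The following is an added example (not Acquia's code) that compares the effective per-host configuration printed by ssh -G against the accepted lists from the email; the sample inputs are constructed and the host name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not Acquia's code. Accepted lists are copied from the email above.
ACQUIA_KEX="ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256"
ACQUIA_CIPHERS="aes128-ctr aes192-ctr aes256-ctr"
ACQUIA_MACS="hmac-sha2-256 hmac-sha2-512"

# Constructed `ssh -G` excerpts (not captured from a real machine).
SAMPLE_OK='kexalgorithms curve25519-sha256,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha256
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256'
# A client whose ssh_config restricts Ciphers/MACs to AEAD and ETM variants only.
SAMPLE_RESTRICTED='kexalgorithms curve25519-sha256,ecdh-sha2-nistp521
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com'

# common_algos OFFERED_CSV ACCEPTED_LIST
# Prints algorithms found in both lists, in the client's preference order.
common_algos() {
    both=""
    for o in $(printf '%s' "$1" | tr ',' ' '); do
        for a in $2; do
            if [ "$o" = "$a" ]; then both="${both:+$both }$o"; fi
        done
    done
    printf '%s' "$both"
}

# check_acquia_ssh: reads `ssh -G <host>` output on stdin, prints one verdict
# per category, and returns 1 if any category shares no algorithm with the host.
check_acquia_ssh() {
    cfg=$(cat)
    rc=0
    for pair in "kexalgorithms:$ACQUIA_KEX" "ciphers:$ACQUIA_CIPHERS" "macs:$ACQUIA_MACS"; do
        key=${pair%%:*}
        accepted=${pair#*:}
        offered=$(printf '%s\n' "$cfg" | awk -v k="$key" 'tolower($1) == k { print $2; exit }')
        common=$(common_algos "$offered" "$accepted")
        if [ -n "$common" ]; then
            echo "$key: ok ($common)"
        else
            echo "$key: no matches"
            rc=1
        fi
    done
    return "$rc"
}

# Usage against the real client configuration (host name is a placeholder):
#   ssh -G your-acquia-host.example | check_acquia_ssh
```

Matching is exact, so an ETM variant such as hmac-sha2-256-etm@openssh.com does not count as hmac-sha2-256.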