[conspire] OpenSSH client 'roaming' bug

Rick Moen rick at linuxmafia.com
Fri Jan 22 16:58:15 PST 2016


Something y'all need to fix: CVE-2016-0777 and CVE-2016-0778.

Short version:  OpenSSH built the client half of an experimental
'roaming' feature into /usr/bin/ssh -- a feature that's never been
implemented in any ssh so far.  Moreover, this functionality in the
Portable OpenSSH client[1] hasn't ever been documented, either.  So, the
inevitable happened:  There's a critical security bug (see CVEs) that
could cause impersonating servers to grab your private keys as you use
them.

The way to fix this is either (1) wait for a bugfix release of OpenSSH
or (2) turn off the pointless, undocumented feature in your ssh client,
using an undocumented option we've just all been told about.
Personally, I've gone for option 2 -- though this all is pretty damned
unimpressive coming as it does from OpenBSD Foundation.  Anyway, do:

su -
echo 'UseRoaming no' >> /etc/ssh/ssh_config
exit

On Macintosh OS X:

sudo su -
echo 'UseRoaming no' >> /private/etc/ssh_config
exit

LWN.net story here:
https://lwn.net/Articles/672465/
(may not become readable to non-subscribers for a few days, yet)

[1] The implementation we use on Linux.  OpenBSD has a native variant;
everyone else uses its 'Portable' cousin.
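
Added example, not part of the original post: ssh_config uses the first value it obtains for each keyword, and a line appended after a 'Host' block applies only to that block, so this script checks whether 'UseRoaming no' actually applies to all hosts and, if not, puts it on the first line of the file. The function names roaming_status and disable_roaming are hypothetical and the sample config is constructed; 'Match' blocks are conservatively treated as narrow scope.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not OpenSSH tooling.

# roaming_status FILE -> prints one of: global | enabled | scoped | missing
#   global : first UseRoaming value at top level or under 'Host *' is 'no'
#   enabled: first such value is something other than 'no'
#   scoped : 'UseRoaming no' appears only inside a narrower Host/Match block
#   missing: the keyword is not set anywhere in the file
roaming_status() {
    awk '
    BEGIN { scope = "global"; result = "missing"; seen = 0 }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "" || line ~ /^#/) next        # blank line or comment
        gsub(/=/, " ", line)                       # "Key=value" form is valid too
        n = split(line, f, /[ \t]+/)
        key = tolower(f[1]); val = tolower(f[2])   # keywords are case-insensitive
        if (key == "host")  { scope = (n == 2 && f[2] == "*") ? "global" : "scoped"; next }
        if (key == "match") { scope = "scoped"; next }
        if (key != "useroaming") next
        if (scope == "global" && !seen) { seen = 1; result = (val == "no") ? "global" : "enabled" }
        else if (scope == "scoped" && val == "no" && result == "missing") result = "scoped"
    }
    END { print result }' "$1"
}

# disable_roaming FILE: put 'UseRoaming no' on the first line unless it already
# applies globally. The file is rewritten in place, keeping its owner and mode.
disable_roaming() {
    [ -f "$1" ] || return 1
    if [ "$(roaming_status "$1")" = "global" ]; then return 0; fi
    tmp=$(mktemp) || return 1
    { printf 'UseRoaming no\n'; cat "$1"; } > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample config that ends in a narrow Host block, so an appended
# line only covers that one host until disable_roaming moves it to the top.
demo=$(mktemp)
printf 'Host bastion\n    User admin\n' > "$demo"
echo 'UseRoaming no' >> "$demo"
echo "after append: $(roaming_status "$demo")"
disable_roaming "$demo"
echo "after fix:    $(roaming_status "$demo")"
rm -f "$demo"
```

Run it as root against /etc/ssh/ssh_config (or /private/etc/ssh_config on OS X) by calling disable_roaming with that path in place of the demo file.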



