Netgate Discussion Forum

    OpenSSH client roaming key disclosure bug CVE-2016-0777 and CVE-2016-0778

    Off-Topic & Non-Support Discussion | 6 Posts, 5 Posters, 1.9k Views

    • jimp (Rebel Alliance Developer, Netgate)

      Lots of info here:

      http://undeadly.org/cgi?action=article&sid=20160114142733

      tl;dr: Explicitly disable roaming in the client config. Don't connect to ssh servers you don't trust. Use an ssh agent rather than letting the client read the keys directly.

      Not a huge impact for us since it's in the ssh client, and though I'm sure a handful of people do use the firewall to ssh out to other places, it's not something that is in common practice. The fix will be pulled into 2.3 as soon as it hits FreeBSD, but the jury is still out on whether or not it warrants another 2.2.x release.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

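The tl;dr above is a procedure (disable roaming in the client config, avoid untrusted servers, keep keys behind an agent), so here is an added example that is not from this thread and not pfSense or Netgate code. It checks whether an ssh_config really disables roaming for every host and prepends the directive when it does not. Two ssh_config(5) rules drive the check: a keyword applies only inside the Host/Match block it appears in, and the first obtained value for a keyword wins, so a "UseRoaming yes" in an earlier Host stanza still beats a later global "no" for that host. In the affected clients (OpenSSH 5.4 through 7.1p1) roaming is on unless the config turns it off, so a missing directive counts as a fail. It assumes POSIX sh plus awk; the function names `roaming_disabled` and `harden_config` and the sample configs are chosen here for the demo.

```shell
#!/bin/sh
# Added example (not from the forum thread, not pfSense/Netgate code).
# Assumes POSIX sh and awk, and files in ssh_config(5) syntax.

# roaming_disabled FILE
# Exit 0 only if "UseRoaming no" is in effect for every host in FILE.
# "Global" scope means before any Host/Match line or under "Host *".
# "Match" blocks are treated as host-specific, which is conservative
# (a "Match all" block would in fact be global).
roaming_disabled() {
    awk '
        BEGIN { scope = "global"; decided = 0; global_no = 0; specific_yes = 0 }
        {
            line = $0
            sub(/#.*/, "", line)                 # drop comments
            gsub(/^[ \t]+|[ \t]+$/, "", line)    # trim
            if (line == "") next
            n = split(line, f, /[ \t=]+/)        # "Key value" or "Key=value"
            key = tolower(f[1])
            if (key == "host") {
                rest = line
                sub(/^[Hh][Oo][Ss][Tt][ \t=]+/, "", rest)
                scope = (rest == "*") ? "global" : "specific"
                next
            }
            if (key == "match") { scope = "specific"; next }
            if (key != "useroaming") next
            val = tolower(f[2])
            if (scope == "global") {
                # first obtained value wins, so only the first global one counts
                if (!decided) { decided = 1; global_no = (val == "no") }
            } else if (!decided && val == "yes") {
                # a host-specific "yes" seen before the global "no" wins for that host
                specific_yes = 1
            }
        }
        END {
            ok = decided && global_no && !specific_yes
            exit (ok ? 0 : 1)
        }
    ' "$1"
}

# harden_config FILE
# Prepend "UseRoaming no" at the top of FILE (before any Host stanza) unless
# the file already disables roaming globally. Writing through the existing
# file keeps its mode and ownership.
harden_config() {
    file=$1
    if roaming_disabled "$file"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    { printf 'UseRoaming no\n'; cat "$file"; } > "$tmp" && cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# Demo on a constructed config in a temp dir, not the real /etc/ssh/ssh_config.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'Host bastion\n    UseRoaming yes\n\nHost *\n    ForwardAgent no\n' > "$dir/ssh_config"
    if roaming_disabled "$dir/ssh_config"; then
        echo "roaming already disabled for all hosts"
    else
        echo "roaming not disabled for all hosts, fixing"
        harden_config "$dir/ssh_config"
    fi
    roaming_disabled "$dir/ssh_config" && echo "roaming now disabled for all hosts"
    cat "$dir/ssh_config"
    rm -rf "$dir"
}
demo
```

Run `roaming_disabled /etc/ssh/ssh_config` and `roaming_disabled ~/.ssh/config` on the box in question; the per-user file is read first, so a stray "UseRoaming yes" there also needs the same treatment.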
      • _igor_

        For people using the ssh client you can apply a patch:

        --- ssh_config.orig
        +++ ssh_config
        @@ -51,0 +51,1 @@
        +UseRoaming no
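        Review bot: the hunk header @@ -51,0 +51,1 @@ has no context lines, so patch(1) inserts the directive at whatever happens to be line 51 of the target file, and if that position sits inside a Host stanza other than "Host *", UseRoaming no applies to that stanza only: ssh_config(5) keywords take effect only within the enclosing Host/Match block, and the first obtained value for a keyword wins. Suggest making the change position-independent: put UseRoaming no at the top of the file before any Host line, or under an explicit block such as `Host *` / `    UseRoaming no`, and before applying the hunk check which stanza line 51 falls in with `grep -n '^[[:space:]]*Host' /etc/ssh/ssh_config`.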

        Base Directory /etc/ssh/

        • Derelict (LAYER 8, Netgate)

          Why the %#&* isn't the default OFF for an "experimental feature?" Shame on OpenSSH.

          • jimp (Rebel Alliance Developer, Netgate)

            @Derelict:

            Why the %#&* isn't the default OFF for an "undocumented experimental feature?" Shame on OpenSSH.

            FTFY. And indeed. That seems to be the real question.

            • 2chemlud (Banned)

              Have a look at who provided this quality code and where this company originated... 1+1=?

              • KOM

                Have a look at who provided this quality code

                Not Scott Adams?

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.