OpenSSH client roaming key disclosure bug CVE-2016-0777 and CVE-2016-0778
-
Lots of info here:
http://undeadly.org/cgi?action=article&sid=20160114142733
tl;dr: Explicitly disable roaming in the client config. Don't connect to ssh servers you don't trust. Use an ssh agent rather than letting the client read the keys directly.
Not a huge impact for us since it's in the ssh client, and though I'm sure a handful of people do use the firewall to ssh out to other places, it's not something that is in common practice. The fix will be pulled into 2.3 as soon as it hits FreeBSD, but the jury is still out on whether or not it warrants another 2.2.x release.
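The client-side mitigation in the post above (explicitly setting `UseRoaming no`) is easy to get subtly wrong, because ssh_config uses the first value it sees for an option and `Host` blocks scope settings to matching hosts only. The following is an added example, not code from the thread or from the OpenSSH or pfSense projects: a POSIX shell helper that reports the effective global `UseRoaming` value of a config file and idempotently pins it to `no` at the top of the file, commenting out (rather than deleting) any other `UseRoaming` lines so the change stays visible in an audit. The function names and the sample config used in it are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the forum thread): pin "UseRoaming no" in an
# OpenSSH client config file passed as $1 (e.g. /etc/ssh/ssh_config or
# ~/.ssh/config). Operates only on the file path given, so it can be
# exercised offline against a constructed config.

# Print the first directive of the file as "keyword value" (lowercased),
# skipping blank and comment lines. Used to decide whether the file already
# starts with our pinned setting.
first_directive() {
    awk 'NF && $1 !~ /^#/ { print tolower($1), tolower($2); exit }' "$1"
}

# Print the global (pre-Host/Match) UseRoaming value, or "unset" if none.
# ssh_config semantics: the first obtained value for an option wins, and
# anything under a Host or Match block applies only to matching hosts, so
# only directives before the first Host/Match line count as global here.
global_roaming_setting() {
    awk '
        tolower($1) == "host" || tolower($1) == "match" { exit }
        tolower($1) == "useroaming" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Rewrite $1 so that "UseRoaming no" is the very first directive, which makes
# it both global and first (hence the winning value). Every pre-existing
# UseRoaming line, including ones inside Host blocks, is commented out with a
# marker so the edit is reviewable. Safe to run repeatedly.
disable_roaming() {
    cfg="$1"
    [ "$(first_directive "$cfg")" = "useroaming no" ] && return 0
    tmp="$cfg.tmp.$$"
    awk '
        BEGIN { print "UseRoaming no" }
        tolower($1) == "useroaming" { print "# disabled by disable_roaming: " $0; next }
        { print }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Usage (constructed example, run as root for the system-wide file):
#   disable_roaming /etc/ssh/ssh_config
#   global_roaming_setting /etc/ssh/ssh_config   # expected output: no
```

The check function is the part worth keeping around after patching: a `UseRoaming no` that sits under a `Host` block, or after an earlier `UseRoaming yes`, silently does nothing for other hosts, and `global_roaming_setting` reports `unset` in exactly that case.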
-
For people using the ssh client you can apply a patch:
— ssh_config.orig
+++ ssh_config
@@ -51,0 +51,1 @@
+UseRoaming noBase Directory /etc/ssh/
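Review bot: the file header is rendered as an em dash ("— ssh_config.orig") where patch(1) expects "--- ssh_config.orig", so the patch will not apply as pasted; likewise the added line has "Base Directory /etc/ssh/" run onto the end of "UseRoaming no", which reads like the patch tool's base-directory field rather than config text, and the actual config line must end at "no". The hunk range "@@ -51,0 +51,1 @@" also ties the insert to line 51 of ssh_config, which varies between releases and local edits; since ssh_config takes the first obtained value for an option, placing "UseRoaming no" at the top of the file, outside any Host block, is less brittle than a line-number-anchored hunk.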
-
Why the %#&* isn't the default OFF for an "experimental feature?" Shame on OpenSSH.
-
Why the %#&* isn't the default OFF for an "undocumented experimental feature?" Shame on OpenSSH.
FTFY. And indeed. That seems to be the real question.
-
Have a look who provided this quality code and where this company originated... 1+1=?
-
Have a look who provided this quality code
Not Scott Adams?