OpenSSH Vulnerability and Patch - 01/19/2016
To any OpenSSH users out there:
A vulnerability was found in OpenSSH where the default UseRoaming config can leak private keys to infected hosts. It affects OpenSSH versions 5.4 through 7.1. Thankfully, a patch is out.
On OSX it can be patched by running:
brew update
brew upgrade
brew tap homebrew/dupes
brew install openssl # if you don't already have it
brew install openssh # it should find version 7.1p2, which contains the fix
ssh -V # verify the version, should be: OpenSSH_7.1p2, OpenSSL 1.0.2e 3 Dec 2015
You’ll need to restart the terminal session to see the latest version.
If for some reason a system can’t be patched, UseRoaming can be disabled:
echo -e 'Host *\nUseRoaming no' >> /etc/ssh/ssh_config
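To audit a machine against the two points above (the affected version range and the UseRoaming workaround), here is an added example that is not part of the original post. The function names are hypothetical, 7.1 and 7.1p1 are assumed affected because the post names 7.1p2 as the fixed build, and the config check deliberately ignores Host/Match scoping.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# ssh_affected BANNER
# Exit 0 if the `ssh -V` banner falls in the range the post gives
# (5.4 through 7.1, with 7.1p2 as the fixed build), 1 if not, 2 if unparseable.
# Assumption: 7.1 and 7.1p1 count as affected because 7.1p2 carries the fix.
ssh_affected() {
    ver=$(printf '%s\n' "$1" | sed -n \
        's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p\([0-9][0-9]*\)\)\{0,1\}.*/\1 \2 \4/p')
    [ -n "$ver" ] || return 2
    set -- $ver                                # -> major minor [patch]
    n=$(( $1 * 10000 + $2 * 100 + ${3:-0} ))   # 7.1p2 -> 70102
    [ "$n" -ge 50400 ] && [ "$n" -lt 70102 ]
}

# roaming_disabled FILE
# Exit 0 if the first uncommented UseRoaming keyword in FILE is "no".
# Simplification: Host/Match block scoping is not evaluated.
roaming_disabled() {
    awk '{ gsub(/=/, " ") }
         tolower($1) == "useroaming" { print tolower($2); exit }' "$1" 2>/dev/null |
        grep -qx 'no'
}

# Demo on constructed banners (the last one is the string quoted in the post).
# On a real host, pass the live banner instead: ssh_affected "$(ssh -V 2>&1)"
for banner in \
    'OpenSSH_5.3p1' \
    'OpenSSH_6.9p1, LibreSSL 2.1.8' \
    'OpenSSH_7.1p2, OpenSSL 1.0.2e 3 Dec 2015'
do
    if ssh_affected "$banner"; then
        echo "AFFECTED (patch, or set UseRoaming no): $banner"
    else
        echo "not in affected range: $banner"
    fi
done
```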