OpenSSH Vulnerability and Patch

- 01/19/2016

To any OpenSSH users out there:

A vulnerability was found in OpenSSH where the default UseRoaming config can leak private keys to infected hosts. It affects OpenSSH versions 5.4 through 7.1. Thankfully, a patch is out.

On OS X it can be patched by running:

brew update
brew upgrade
brew tap homebrew/dupes
brew install openssl     #if you don't already have it
brew install openssh     #it should find version 7.1p2 which contains the fix
ssh -V                   #verify the version, should be:  OpenSSH_7.1p2, OpenSSL 1.0.2e 3 Dec 2015

You’ll need to restart the terminal session to see the latest version.

If for some reason a system can’t be patched, UseRoaming can be disabled:

echo -e 'Host *\nUseRoaming no' | sudo tee -a /etc/ssh/ssh_config     #appending to this file needs root
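
To check a machine against the version range and the workaround above, here is an added example (not part of the original post). The function names and sample banners are made up for illustration; the range logic uses only the versions stated above (5.4 through 7.1 affected, 7.1p2 fixed).

```shell
#!/bin/sh
# Prints "affected", "fixed" or "outside-range" for an `ssh -V` banner;
# prints "unknown" and returns 2 if the banner cannot be parsed.
roaming_version_status() {
    case $1 in
        OpenSSH_*) ;;
        *) echo unknown; return 2 ;;
    esac
    _v=${1#OpenSSH_}            # "7.1p2, OpenSSL 1.0.2e ..."
    _v=${_v%%[, ]*}             # "7.1p2"
    _major=${_v%%.*}            # "7"
    _rest=${_v#*.}              # "1p2"
    _minor=${_rest%%[!0-9]*}    # "1"
    _p=${_rest#"$_minor"}       # "p2", or empty without a portable suffix
    case "$_major:$_minor" in
        *[!0-9:]*|:*|*:) echo unknown; return 2 ;;
    esac
    case $_p in
        p[0-9]*) _p=${_p#p}; _p=${_p%%[!0-9]*} ;;
        *) _p=0 ;;
    esac
    _n=$((_major * 100 + _minor))
    if [ "$_n" -lt 504 ] || [ "$_n" -gt 701 ]; then
        echo outside-range
    elif [ "$_n" -eq 701 ] && [ "$_p" -ge 2 ]; then
        echo fixed
    else
        echo affected
    fi
}

# Succeeds only if the file has an active "UseRoaming no" and no active
# "UseRoaming yes". ssh keeps the first value it obtains for a host, so an
# earlier "yes" in a matching Host block would override an appended "no".
roaming_disabled_in() {
    if grep -Eiq '^[[:space:]]*UseRoaming[[:space:]=]+yes' "$1"; then
        return 1
    fi
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]=]+no' "$1"
}

# Constructed sample banners (not captured output). On a real host pass
# "$(ssh -V 2>&1)", since ssh prints its version on stderr.
for banner in 'OpenSSH_6.9p1, LibreSSL 2.1.8' \
              'OpenSSH_7.1p2, OpenSSL 1.0.2e 3 Dec 2015'; do
    printf '%s -> %s\n' "$banner" "$(roaming_version_status "$banner")"
done
```

After applying the workaround, roaming_disabled_in /etc/ssh/ssh_config should succeed; if it fails, look for an earlier UseRoaming line in the same file.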