Saturday, January 9, 2016

OpenSSH Vulnerability and Patch

To any OpenSSH users out there:

A vulnerability was found in the OpenSSH client: with the default UseRoaming setting, private keys can leak to infected hosts the client connects to. It affects OpenSSH versions 5.4 through 7.1. Thankfully, a patch is out.

On OS X it can be patched by running:

brew update
brew upgrade
brew tap homebrew/dupes
# if you don't already have it
brew install openssl
# it should find version 7.1p2 which contains the fix
brew install openssh
# verify the version, should be:  OpenSSH_7.1p2, OpenSSL 1.0.2e 3 Dec 2015
ssh -V

You’ll need to restart the terminal session to see the latest version.

If for some reason a system can’t be patched, UseRoaming can be disabled:

echo -e 'Host *\nUseRoaming no' >> /etc/ssh/ssh_config
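
To check a machine against the version range above and confirm that the workaround is in place, here is an added example that is not part of the original post. The function names, status strings and the first sample banner are constructed for illustration, and a bare 7.1 with no p-level is assumed to be affected.

```shell
#!/bin/sh
# Classify an `ssh -V` banner against the range given in this post:
# 5.4 through 7.1 affected, 7.1p2 carries the fix.
roaming_status() {
    v=${1#OpenSSH_}
    [ "$v" != "$1" ] || { echo unknown; return 0; }
    v=${v%%[, ]*}                      # "7.1p2, OpenSSL ..." -> "7.1p2"
    case $v in *.*) ;; *) echo unknown; return 0 ;; esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%[!0-9]*}
    patch=${rest#"$minor"}             # "p2" or empty
    patch=${patch#p}
    patch=${patch%%[!0-9]*}
    case $major in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case $minor in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    n=$((major * 100 + minor))
    if [ "$n" -lt 504 ] || [ "$n" -gt 701 ]; then
        echo not-affected
    elif [ "$n" -eq 701 ] && [ "${patch:-0}" -ge 2 ]; then
        echo not-affected              # 7.1p2 and later 7.1 p-levels
    else
        echo affected                  # includes a bare "7.1" with no p-level
    fi
}

# Succeeds if FILE has an uncommented "UseRoaming no" line.
# Presence check only: it does not evaluate Host block scoping.
roaming_disabled() {
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]=]+no[[:space:]]*$' "$1"
}

# Sample banners: the first is constructed, the second is the one quoted above.
for banner in 'OpenSSH_6.9p1, LibreSSL 2.1.8' \
              'OpenSSH_7.1p2, OpenSSL 1.0.2e 3 Dec 2015'; do
    printf '%s -> %s\n' "$banner" "$(roaming_status "$banner")"
done
# On a real machine: roaming_status "$(ssh -V 2>&1)"   (ssh -V writes to stderr)
```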