Saturday, January 9, 2016OpenSSH Vulnerability and Patch
To any OpenSSH users out there:
A vulnerability was found in OpenSSH where the default
UseRoaming config can leak private key to infected hosts. Affects OpenSSH versions 5.4 through 7.1. Thankfully a patch is out.
On OSX it can be patched by running:
brew update brew upgrade brew tap homebrew/dupes # if you don't already have it brew install openssl # it should find version 7.1p2 which contains the fix brew install openssh # verify the version, should be: OpenSSH_7.1p2, OpenSSL 1.0.2e 3 Dec 2015 ssh -V
You’ll need to restart the terminal session to see the latest version.
If for some reason a system can’t be patched,
UseRoaming can be disabled:
echo -e 'Host *\nUseRoaming no' >> /etc/ssh/ssh_config