Date: Thursday, January 14, 2016 12:49:57 -0600 From: Valeri Galtsev galtsev@kicp.uchicago.edu
On Thu, January 14, 2016 11:46 am, m.roth@5-cent.us wrote:
Timo Schöler wrote:
On 01/14/2016 05:34 PM, m.roth@5-cent.us wrote:
Michael H wrote:
Probably worth a read...
http://www.openssh.com/txt/release-7.1p2
Important SSH patch coming soon. For now, everyone on all operating systems, please do the following:
Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no" to prevent upcoming #openssh client bug CVE-2016-0777. More later.
echo "UseRoaming no" >> /etc/ssh/ssh_config
Please clarify - will the update add *Roam* to /etc/ssh/ssh_config?
It will fix the bug.
I've just checked on two systems that are CentOS 7, a server, and a workstation that I literally built yesterday, and grep -i on both reports "no, not here".
Yes, as it's undocumented, but it has been enabled since about 2010. Even OpenBSD 5.9 (pre-release, it's going to be released on May 1st, 2016) does not mention it.
Undocumented? You're saying that there's a feature that is configurable via the configuration file, and there's no mention of it at all in the configuration file, not even the default?
That is more than slightly unacceptable.
More than agree! I highly respected the OpenBSD project, especially for their OpenSSH. After the scandal with the OpenBSD IPSEC stack backdoor accusations, my respect faded grossly, and I felt extremely happy that my choice of system for servers fell on FreeBSD, not OpenBSD (for some independent reason)...
Valeri
RH issued an update to address this a bit over an hour ago:
https://rhn.redhat.com/errata/RHSA-2016-0043.html
I expect that we'll see the CentOS version shortly.
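The one-liner quoted earlier in the thread appends "UseRoaming no" to the end of ssh_config. As an added example (not from the thread, OpenSSH or Red Hat), the POSIX sh script below makes that mitigation idempotent and places the directive where it applies to every host: ssh honours the first value obtained for an option, and a trailing append lands inside whatever Host stanza closes the file, so it may bind to one host only. Assumed: a writable ssh_config path plus awk and grep; the sample config is constructed.

```shell
#!/bin/sh
# CVE-2016-0777 client mitigation: make "UseRoaming no" the first directive in
# an ssh_config file (global, since ssh keeps the first value obtained), rather
# than `echo >>`-ing it into whatever Host stanza happens to end the file.
set -eu

# Exit 0 if FILE disables roaming globally: a "UseRoaming no" line before any
# Host/Match block or inside a "Host *" stanza.  Keywords are case-insensitive
# and '=' is accepted as separator, as in ssh_config(5).
use_roaming_disabled() {
    awk '
        BEGIN { global = 1 }
        tolower($0) ~ /^[ \t]*(host|match)([ \t]|$)/ {
            global = (tolower($0) ~ /^[ \t]*host[ \t]+[*][ \t]*$/); next
        }
        global && tolower($0) ~ /^[ \t]*useroaming[ \t=]+no[ \t]*$/ { found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Rewrite FILE so that exactly one "UseRoaming no" exists, as its first line.
# Any other UseRoaming directive (e.g. "UseRoaming yes" in a Host block) is
# dropped; the file's inode, owner and permissions are preserved.
ensure_use_roaming_no() {
    file="$1"
    if use_roaming_disabled "$file" && [ "$(grep -Eic '^[[:space:]]*useroaming([[:space:]=]|$)' "$file")" -eq 1 ]; then
        return 0                      # already correct, nothing to rewrite
    fi
    tmp="$(mktemp)"
    { printf 'UseRoaming no\n'
      grep -Eiv '^[[:space:]]*useroaming([[:space:]=]|$)' "$file" || true; } > "$tmp"
    cat "$tmp" > "$file"              # overwrite in place, keeping mode/owner
    rm -f "$tmp"
}

# Constructed sample: a config that ends in a host-specific stanza, so a naive
# `>>` append would only have affected "bastion".
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
# client defaults
ForwardAgent no
Host bastion
    HostName bastion.example.net
    UseRoaming yes
EOF

ensure_use_roaming_no "$SAMPLE"
ensure_use_roaming_no "$SAMPLE"       # second run must be a no-op
cat "$SAMPLE"
```

Run it against /etc/ssh/ssh_config as root once the check is understood; the sample stanza is removed from the output only because the directive it carried was "UseRoaming yes".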