[CentOS] Fwd: Heads up: OpenSSH users

Thu Jan 14 17:46:52 UTC 2016
m.roth at 5-cent.us <m.roth at 5-cent.us>

Timo Schöler wrote:
> On 01/14/2016 05:34 PM, m.roth at 5-cent.us wrote:
>> Michael H wrote:
>>> Probably worth a read...
>>> http://www.openssh.com/txt/release-7.1p2
>>>> Important SSH patch coming soon.  For now, everyone on all
>>>> operating systems, please do the following:
>>>> Add undocumented "UseRoaming no" to ssh_config or use
>>>> "-oUseRoaming=no" to prevent upcoming #openssh client bug
>>>> CVE-2016-0777. More later.
>>> echo "UseRoaming no" >> /etc/ssh/ssh_config
>> Please clarify - will the update add *Roam* to
>> /etc/ssh/ssh_config?
> It will fix the bug.
>> I've just checked on two systems that are CentOS 7, a server, and
>> a workstation that I literally built yesterday, and grep -i on
>> both reports "no, not here".
> Yes, as it's undocumented, but enabled since about 2010. Even OpenBSD
> 5.9 (pre-release, it's going to be released on May 1st, 2016) does not
> mention it.

Undocumented? You're saying that there's a feature that is configurable
via the configuration file, and there's no mention of it at all in the
configuration file, not even the default?

That is more than slightly unacceptable.
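Added example, not part of the original thread: ssh_config uses the first value obtained for each option, and any line after a `Host` (or `Match`) line applies only to that block, so the appended one-liner quoted above can end up scoped to the last block in the file rather than applying globally. The sketch below checks for a global `UseRoaming no` and prepends one if it is missing; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: make "UseRoaming no" a global ssh_config setting.

# Succeeds only if the first UseRoaming line is "no" and it appears
# before any Host/Match line (the global section of the file).
has_global_noroaming() {
    awk '
        { sub(/=/, " "); key = tolower($1) }        # "Key=value" form is allowed
        key == "host" || key == "match" { exit }    # global section ends here
        key == "useroaming" {
            val = $2; gsub(/"/, "", val)
            found = (val == "no"); exit              # first obtained value wins
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Idempotently put "UseRoaming no" on the first line of the given file.
ensure_noroaming() {
    cfg=$1
    has_global_noroaming "$cfg" && return 0
    tmp=$(mktemp "${cfg}.XXXXXX") || return 1
    { echo "UseRoaming no"; cat "$cfg"; } > "$tmp" || return 1
    # Overwrite in place so the original owner and mode are kept.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Constructed sample: a config whose last section is a Host block.
demo() {
    d=$(mktemp -d) || return 1
    printf 'Host bastion\n    User admin\n' > "$d/ssh_config"
    echo "UseRoaming no" >> "$d/ssh_config"   # the one-liner from the thread
    if has_global_noroaming "$d/ssh_config"; then
        echo "before: global"
    else
        echo "before: scoped to a Host block"
    fi
    ensure_noroaming "$d/ssh_config"
    has_global_noroaming "$d/ssh_config" && echo "after: global"
    rm -rf "$d"
}
demo
```

On a real system the call would be `ensure_noroaming /etc/ssh/ssh_config` as root, and the same check applies to each user's `~/.ssh/config`.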