Fixing the SSH roaming vulnerability (CVE-2016-0777)

by on under Quick Tip
1 minute read

A vulnerability in the OpenSSH client has been discovered which means that if you SSH to a compromised server the server can steal your private key. This affects any operating system with OpenSSH client 5.4 and above, which is pretty much all flavors of linux and OS X.

This is the official explanation from RedHat:

Since version 5.4, the OpenSSH client supports an undocumented feature called roaming. If a connection to an SSH server breaks unexpectedly, and if the SSH server supports roaming as well, the client is able to reconnect to the server and resume the interrupted SSH session. The roaming feature is enabled by default in OpenSSH clients, even though no OpenSSH server version implements the roaming feature.

An information leak flaw was found in the way OpenSSH client roaming feature was implemented. The information leak is exploitable in the default configuration of certain versions of the OpenSSH client and could (depending on the client’s version, compiler, and operating system) allow a malicious SSH server to steal the client’s private keys.

Am I affected?

Run this command from the command line and see if it responds as shown below. If so then you are vulnerable!

$ ssh -v -T [email protected] 2>&1 | grep Roaming
debug1: Roaming not allowed by server

How do I fix it?

Ensure you have sudo permissions and run the command below for your operating system:

OS X (Yosemite 10.10 and below)

echo 'UseRoaming no' | sudo tee -a /private/etc/ssh_config

Linux (and OS X El Capitan 10.11)

echo 'UseRoaming no' | sudo tee -a /etc/ssh/ssh_config

When you run the test command again it should print nothing, which means you are now protected.

$ ssh -v -T [email protected] 2>&1 | grep Roaming
vulnerability, ssh, OS X, linux, CVE-2016-0777
Spotted a mistake in this article? Why not suggest an edit!
comments powered by Disqus