Jacob Tomlinson

Fixing the SSH roaming vulnerability (CVE-2016-0777)

2 minute read #vulnerability, #ssh, #os-x, #linux, #cve-2016-0777

A vulnerability has been discovered in the OpenSSH client: if you SSH to a compromised server, the server can steal your private key. This affects any operating system with OpenSSH client 5.4 and above, which is pretty much all flavors of Linux and OS X.

This is the official explanation from Red Hat:

Since version 5.4, the OpenSSH client supports an undocumented feature called roaming. If a connection to an SSH server breaks unexpectedly, and if the SSH server supports roaming as well, the client is able to reconnect to the server and resume the interrupted SSH session. The roaming feature is enabled by default in OpenSSH clients, even though no OpenSSH server version implements the roaming feature.

An information leak flaw was found in the way OpenSSH client roaming feature was implemented. The information leak is exploitable in the default configuration of certain versions of the OpenSSH client and could (depending on the client’s version, compiler, and operating system) allow a malicious SSH server to steal the client’s private keys.

Am I affected?

Run this command from the command line and see if it responds as shown below. If it does, you are vulnerable!

$ ssh -v -T git@github.com 2>&1 | grep Roaming
debug1: Roaming not allowed by server

How do I fix it?

Ensure you have sudo permissions and run the command below for your operating system:

OS X (Yosemite 10.10 and below)

echo 'UseRoaming no' | sudo tee -a /private/etc/ssh_config

Linux (and OS X El Capitan 10.11)

echo 'UseRoaming no' | sudo tee -a /etc/ssh/ssh_config

When you run the test command again it should print nothing, which means you are now protected.

$ ssh -v -T git@github.com 2>&1 | grep Roaming
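The fix above appends to the end of ssh_config, which has two edge cases: ssh uses the first value it obtains for each option, and a line that lands after a "Host name" section only applies to that host. The script below is an added example, not part of the original post: it checks whether UseRoaming no actually applies to every host and, if not, writes it as the first line of the file. The function names roaming_status and disable_roaming are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# roaming_status FILE: print "disabled" (exit 0) or "enabled" (exit 1).
roaming_status() {
    awk '
    BEGIN { all = 1; verdict = "enabled" }   # affected clients default to roaming on
    {
        sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")   # trim the line
        if ($0 == "" || $0 ~ /^#/) next            # skip blanks and comments
        sub(/[ \t]*=[ \t]*/, " ")                  # accept the Key=value form
        gsub(/"/, "")                              # accept quoted arguments
        key = tolower($1)                          # keywords are case-insensitive
        # Track whether the current section applies to every host.
        if (key == "host")  { all = (NF == 2 && $2 == "*"); next }
        if (key == "match") { all = (NF == 2 && tolower($2) == "all"); next }
        if (key != "useroaming") next
        val = tolower($2)
        if (val == "yes") exit                     # an earlier yes wins for some host
        if (val == "no" && all) { verdict = "disabled"; exit }
    }
    END { print verdict; exit (verdict != "disabled") }
    ' "$1"
}

# disable_roaming FILE: make "UseRoaming no" the first line unless the
# file already disables roaming for all hosts. Safe to run repeatedly.
disable_roaming() {
    [ -e "$1" ] || : > "$1"
    if roaming_status "$1" >/dev/null; then return 0; fi
    tmp=$(mktemp) || return 1
    # Rewrite in place with cat so the file keeps its owner and mode.
    { printf 'UseRoaming no\n'; cat "$1"; } > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run disable_roaming as root against the ssh_config path given above for your operating system. A UseRoaming yes in ~/.ssh/config or passed with -o on the command line is read before the system-wide file and still takes precedence.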
