-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 01/14/2016 05:34 PM, m.roth at 5-cent.us wrote:
> Michael H wrote:
>> Probably worth a read...
>>
>> http://www.openssh.com/txt/release-7.1p2
>>
>>> Important SSH patch coming soon. For now, everyone on all
>>> operating systems, please do the following:
>>>
>>> Add undocumented "UseRoaming no" to ssh_config or use
>>> "-oUseRoaming=no" to prevent upcoming #openssh client bug
>>> CVE-2016-0777. More later.
>>
>> echo "UseRoaming no" >> /etc/ssh/ssh_config
>
> Please clarify - will the update add *Roam* to
> /etc/ssh/ssh_config?

It will fix the bug.

> I've just checked on two systems that are CentOS 7, a server, and
> a workstation that I literally built yesterday, and grep -i on
> both reports "no, not here".

Yes, as it's undocumented, but enabled since about 2010. Even OpenBSD
5.9 (pre-release, it's going to be released on May 1st, 2016) does not
mention it.

Timo

> mark

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EAREIAAYFAlaX1gIACgkQuSPmkPhAW0pYsQD/YtMb9XpnIY+GZWJUfjUB/ktS
6KcEMUIB3wjXgBI609MA/03tx8mOMUIzrixR6Sjb3FaLvoN45WD61OKfAtLSdNw6
=1Vbf
-----END PGP SIGNATURE-----
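
An added example, not part of any message in the thread: ssh_config applies a keyword only within the enclosing Host or Match block and uses the first value it obtains, so a line appended to the end of the file covers every host only if it lands in global or `Host *` scope. The function below classifies one file accordingly; the name `useroaming_state` and the sample config are constructed for illustration, `Include` lines are not followed, and any `UseRoaming yes` is conservatively reported as `enabled`.

```shell
#!/bin/sh
# Added example (not from the thread): classify how one ssh_config file
# sets UseRoaming. Prints: disabled-all | disabled-scoped | enabled | absent
useroaming_state() {
    awk '
    BEGIN { scope = "all"; state = "absent" }
    {
        line = $0
        gsub(/"/, "", line)                  # drop optional quoting
        sub(/^[ \t]+/, "", line)             # leading whitespace
        sub(/[ \t\r]+$/, "", line)           # trailing whitespace
        if (line == "" || line ~ /^#/) next  # blank and comment lines
        sub(/[ \t]*=[ \t]*/, " ", line)      # "Keyword=value" -> "Keyword value"
        n = split(line, f, /[ \t]+/)
        key = tolower(f[1])                  # keywords are case-insensitive
        # A Host or Match line opens a new scope; only "Host *" covers all hosts.
        if (key == "host")  { scope = (n == 2 && f[2] == "*") ? "all" : "scoped"; next }
        if (key == "match") { scope = "scoped"; next }
        if (key != "useroaming") next
        val = tolower(f[2])                  # value compared leniently
        if (val == "yes") state = "enabled"
        else if (val == "no" && state != "enabled") {
            if (scope == "all") state = "disabled-all"
            else if (state == "absent") state = "disabled-scoped"
        }
    }
    END { print state }
    ' "$1"
}

# Constructed sample: a config whose last block is host-specific, after the
# one-line append quoted in the thread. The new line lands inside "Host build01".
tmp=$(mktemp)
printf '%s\n' 'Host *' '    ForwardX11Trusted yes' \
              'Host build01' '    User deploy' > "$tmp"
echo "UseRoaming no" >> "$tmp"
useroaming_state "$tmp"      # disabled-scoped
rm -f "$tmp"
```

Run it against `/etc/ssh/ssh_config` and each `~/.ssh/config`; anything other than `disabled-all` means the workaround is not in effect for every host in that file.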

Timo Schöler wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 01/14/2016 05:34 PM, m.roth at 5-cent.us wrote:
>> Michael H wrote:
>>> Probably worth a read...
>>>
>>> http://www.openssh.com/txt/release-7.1p2
>>>
>>>> Important SSH patch coming soon. For now, everyone on all
>>>> operating systems, please do the following:
>>>>
>>>> Add undocumented "UseRoaming no" to ssh_config or use
>>>> "-oUseRoaming=no" to prevent upcoming #openssh client bug
>>>> CVE-2016-0777. More later.
>>>
>>> echo "UseRoaming no" >> /etc/ssh/ssh_config
>>
>> Please clarify - will the update add *Roam* to
>> /etc/ssh/ssh_config?
>
> It will fix the bug.
>
>> I've just checked on two systems that are CentOS 7, a server, and
>> a workstation that I literally built yesterday, and grep -i on
>> both reports "no, not here".
>
> Yes, as it's undocumented, but enabled since about 2010. Even OpenBSD
> 5.9 (pre-release, it's going to be released on May 1st, 2016) does not
> mention it.

Undocumented? You're saying that there's a feature that is configurable
via the configuration file, and there's no mention of it at all in the
configuration file, not even the default?

That is more than slightly unacceptable.

mark

On Thu, January 14, 2016 11:46 am, m.roth at 5-cent.us wrote:
> Timo Schöler wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> On 01/14/2016 05:34 PM, m.roth at 5-cent.us wrote:
>>> Michael H wrote:
>>>> Probably worth a read...
>>>>
>>>> http://www.openssh.com/txt/release-7.1p2
>>>>
>>>>> Important SSH patch coming soon. For now, everyone on all
>>>>> operating systems, please do the following:
>>>>>
>>>>> Add undocumented "UseRoaming no" to ssh_config or use
>>>>> "-oUseRoaming=no" to prevent upcoming #openssh client bug
>>>>> CVE-2016-0777. More later.
>>>>
>>>> echo "UseRoaming no" >> /etc/ssh/ssh_config
>>>
>>> Please clarify - will the update add *Roam* to
>>> /etc/ssh/ssh_config?
>>
>> It will fix the bug.
>>
>>> I've just checked on two systems that are CentOS 7, a server, and
>>> a workstation that I literally built yesterday, and grep -i on
>>> both reports "no, not here".
>>
>> Yes, as it's undocumented, but enabled since about 2010. Even OpenBSD
>> 5.9 (pre-release, it's going to be released on May 1st, 2016) does not
>> mention it.
>
> Undocumented? You're saying that there's a feature that is configurable
> via the configuration file, and there's no mention of it at all in the
> configuration file, not even the default?
>
> That is more than slightly unacceptable.
>

More than agree! I was highly respecting OpenBSD project, especially for
their openssh. After scandal with OpenBSD IPSEC stack backdoor
accusations, my respect faded grossly, and I felt extremely happy my
choice of system for servers fell on FreeBSD, not OpenBSD (for some
independent reason)...

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++