Probably worth a read...

http://www.openssh.com/txt/release-7.1p2

> Important SSH patch coming soon. For now, everyone on all operating
> systems, please do the following:
>
> Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no"
> to prevent upcoming #openssh client bug CVE-2016-0777. More later.

echo "UseRoaming no" >> /etc/ssh/ssh_config
Michael H wrote:
> Probably worth a read...
>
> http://www.openssh.com/txt/release-7.1p2
>
>> Important SSH patch coming soon. For now, everyone on all operating
>> systems, please do the following:
>>
>> Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no"
>> to prevent upcoming #openssh client bug CVE-2016-0777. More later.
>
> echo "UseRoaming no" >> /etc/ssh/ssh_config

Please clarify - will the update add *Roam* to /etc/ssh/ssh_config? I've just checked on two systems that are CentOS 7, a server, and a workstation that I literally built yesterday, and grep -i on both reports "no, not here".

mark
In article <5697CAB8.6090703 at wemoto.com>, Michael H <michael at wemoto.com> wrote:
> Probably worth a read...
>
> http://www.openssh.com/txt/release-7.1p2
>
>> Important SSH patch coming soon. For now, everyone on all operating
>> systems, please do the following:
>>
>> Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no"
>> to prevent upcoming #openssh client bug CVE-2016-0777. More later.
>
> echo "UseRoaming no" >> /etc/ssh/ssh_config

It says this applies to OpenSSH 5.4 to 7.1.

So it would only affect CentOS 7 and up, as C6 uses openssh-5.3.

Cheers
Tony
--
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org
On 01/14/2016 05:34 PM, m.roth at 5-cent.us wrote:
> Michael H wrote:
>> Probably worth a read...
>>
>> http://www.openssh.com/txt/release-7.1p2
>>
>>> Important SSH patch coming soon. For now, everyone on all
>>> operating systems, please do the following:
>>>
>>> Add undocumented "UseRoaming no" to ssh_config or use
>>> "-oUseRoaming=no" to prevent upcoming #openssh client bug
>>> CVE-2016-0777. More later.
>>
>> echo "UseRoaming no" >> /etc/ssh/ssh_config
>
> Please clarify - will the update add *Roam* to
> /etc/ssh/ssh_config?

It will fix the bug.

> I've just checked on two systems that are CentOS 7, a server, and
> a workstation that I literally built yesterday, and grep -i on
> both reports "no, not here".

Yes, as it's undocumented, but enabled since about 2010.

Even OpenBSD 5.9 (pre-release, it's going to be released on May 1st, 2016) does not mention it.

Timo

> mark
On 01/14/2016 06:05 PM, Timo Sch?ler wrote:
> On 01/14/2016 05:34 PM, m.roth at 5-cent.us wrote:
>> Michael H wrote:
>>> Probably worth a read...
>>>
>>> http://www.openssh.com/txt/release-7.1p2
>>>
>>>> Important SSH patch coming soon. For now, everyone on all
>>>> operating systems, please do the following:
>>>>
>>>> Add undocumented "UseRoaming no" to ssh_config or use
>>>> "-oUseRoaming=no" to prevent upcoming #openssh client bug
>>>> CVE-2016-0777. More later.
>>>
>>> echo "UseRoaming no" >> /etc/ssh/ssh_config
>
>> Please clarify - will the update add *Roam* to
>> /etc/ssh/ssh_config?
>
> It will fix the bug.
>
>> I've just checked on two systems that are CentOS 7, a server, and
>> a workstation that I literally built yesterday, and grep -i on
>> both reports "no, not here".
>
> Yes, as it's undocumented, but enabled since about 2010.

FYI:

https://github.com/openssh/openssh-portable/search?q=AppGate+Network+Security+AB

> Even OpenBSD 5.9 (pre-release, it's going to be released on May
> 1st, 2016) does not mention it.
>
> Timo
>
>> mark
On Thu, Jan 14, 2016 at 11:34:18AM -0500, m.roth at 5-cent.us wrote:
> Michael H wrote:
>> Probably worth a read...
>>
>> http://www.openssh.com/txt/release-7.1p2
>>
>>> Important SSH patch coming soon. For now, everyone on all operating
>>> systems, please do the following:
>>>
>>> Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no"
>>> to prevent upcoming #openssh client bug CVE-2016-0777. More later.
>>
>> echo "UseRoaming no" >> /etc/ssh/ssh_config
>
> Please clarify - will the update add *Roam* to /etc/ssh/ssh_config? I've
> just checked on two systems that are CentOS 7, a server, and a workstation
> that I literally built yesterday, and grep -i on both reports "no, not
> here".

That came from Theo (OpenBSD's Theo) and was called undocumented. So, my guess is that, in the client (not the server) there is a default of UseRoaming that doesn't show in the config file.

Note that this is something that affects ssh clients, not servers.

--
Scott Robbins
PGP keyID EB3467D6 ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6
On 14/01/16 17:54, Tony Mountifield wrote:
> In article <5697CAB8.6090703 at wemoto.com>, Michael H <michael-YC1br6QyVKfQT0dZR+AlfA at public.gmane.org> wrote:
>> Probably worth a read...
>>
>> http://www.openssh.com/txt/release-7.1p2
>>
>>> Important SSH patch coming soon. For now, everyone on all operating
>>> systems, please do the following:
>>>
>>> Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no"
>>> to prevent upcoming #openssh client bug CVE-2016-0777. More later.
>>
>> echo "UseRoaming no" >> /etc/ssh/ssh_config
>
> It says this applies to OpenSSH 5.4 to 7.1.
>
> So it would only affect CentOS7 and up, as C6 uses openssh-5.3.

https://access.redhat.com/articles/2123781

--
Kind Regards,
Markus Falb
On 01/14/2016 10:20 AM, Michael H wrote:
> Probably worth a read...
>
> http://www.openssh.com/txt/release-7.1p2
>
>> Important SSH patch coming soon. For now, everyone on all operating
>> systems, please do the following:
>>
>> Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no"
>> to prevent upcoming #openssh client bug CVE-2016-0777. More later.
>
> echo "UseRoaming no" >> /etc/ssh/ssh_config

For the record, this update is now released (it was yesterday):

https://lists.centos.org/pipermail/centos-announce/2016-January/021614.html

This contains a patch that disables roaming:
https://git.centos.org/commitdiff/rpms!openssh.git/1edce7e6bfedb27a163f35bcacab620a703408ac

Thanks,
Johnny Hughes
On 01/15/2016 06:39 AM, Johnny Hughes wrote:
> On 01/14/2016 10:20 AM, Michael H wrote:
>> Probably worth a read...
>>
>> http://www.openssh.com/txt/release-7.1p2
>>
>>> Important SSH patch coming soon. For now, everyone on all operating
>>> systems, please do the following:
>>>
>>> Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no"
>>> to prevent upcoming #openssh client bug CVE-2016-0777. More later.
>>
>> echo "UseRoaming no" >> /etc/ssh/ssh_config
>
> For the record, this update is now released (it was yesterday):
>
> https://lists.centos.org/pipermail/centos-announce/2016-January/021614.html
>
> This contains a patch that disables roaming:
> https://git.centos.org/commitdiff/rpms!openssh.git/1edce7e6bfedb27a163f35bcacab620a703408ac

Yes, thank you, I saw it yesterday in my e-mail from yum.

I am not happy that this bug existed; undocumented features enabled by default are not a good thing. However, that this bug was found demonstrates a success of the Open Source philosophy. I don't know that this would have been found in a closed source SSH implementation.

Open Source works.
I see that this is a CentOS 7 patch only, at least so far. I also see that the CentOS 6 ssh version is 5.3

> /usr/bin/ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

which is supposedly not affected. However, strings indicates that /usr/bin/ssh is also aware of the useroaming configuration option:

> strings /usr/bin/ssh | grep -i useroam
useroaming

Is it actually known that the ssh version shipped with CentOS 6 is not vulnerable, or is it just assumed based on the version number? The announcement implies that the roaming code itself was added in 5.4, not just that a default was changed, but if that's really true, why is that string in the binary?

Noam

P.S. I do realize this is a question better directed to RedHat, but I'm hoping someone here might still know.

> On Jan 15, 2016, at 9:39 AM, Johnny Hughes <johnny at centos.org> wrote:
>
> For the record, this update is now released (it was yesterday):
>
> https://lists.centos.org/pipermail/centos-announce/2016-January/021614.html
>
> This contains a patch that disables roaming:
> https://git.centos.org/commitdiff/rpms!openssh.git/1edce7e6bfedb27a163f35bcacab620a703408ac
>
> Thanks,
> Johnny Hughes
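The two practical steps the thread keeps coming back to are the version check from `ssh -V` (Noam's message above, and Tony's note that the release announcement names 5.4 through 7.1) and the one-line `echo "UseRoaming no" >> /etc/ssh/ssh_config` workaround from the first message. The POSIX sh helper below is an added example and not code from the thread or from the OpenSSH project: it parses the `ssh -V` banner, reports whether the version falls in the 5.4..7.1 range the announcement gives, and adds the directive only once, in the global section of the file, because the plain `echo >>` appends a duplicate on every re-run and, if the file ends in a `Host somehost` block, scopes the directive to that host only. The config path, the `--apply` flag and the function names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH. Checks the installed
# client against the 5.4..7.1 range from the 7.1p2 release note and disables
# roaming idempotently in an ssh_config-style file.

# openssh_version_from_banner BANNER -> "MAJOR.MINOR"
# e.g. "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013" -> "5.3"
openssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^.*OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# roaming_version_affected "MAJOR.MINOR" -> exit 0 if within 5.4..7.1 inclusive
# (the range the release note gives for the roaming client bug), else exit 1.
roaming_version_affected() {
    major=${1%%.*}
    minor=${1#*.}
    if [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; then return 0; fi
    if [ "$major" -eq 6 ]; then return 0; fi
    if [ "$major" -eq 7 ] && [ "$minor" -le 1 ]; then return 0; fi
    return 1
}

# useroaming_disabled FILE -> exit 0 if an uncommented "UseRoaming no" is present
useroaming_disabled() {
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]+no([[:space:]]|$)' "$1"
}

# ensure_useroaming_no FILE -> adds "UseRoaming no" exactly once.
# ssh_config uses the first obtained value per option, and a directive placed
# after a "Host"/"Match" line belongs to that block, so the line is inserted
# before the first Host/Match line (global section) rather than appended.
# A per-user ~/.ssh/config or a command-line -o still wins over this file.
ensure_useroaming_no() {
    cfg=${1:-/etc/ssh/ssh_config}
    if useroaming_disabled "$cfg"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*(Host|Match)[[:space:]]' "$cfg"; then
        awk '!done && /^[ \t]*(Host|Match)[ \t]/ { print "UseRoaming no"; done = 1 }
             { print }' "$cfg" > "$cfg.tmp" || return 1
        # write back through the existing inode so ownership and mode are kept
        cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
    else
        printf '%s\n' 'UseRoaming no' >> "$cfg"
    fi
}

# main: inspect the installed client and harden the system-wide config.
main() {
    cfg=${2:-/etc/ssh/ssh_config}
    banner=$(ssh -V 2>&1) || { echo "ssh not found in PATH" >&2; return 1; }
    ver=$(openssh_version_from_banner "$banner")
    if roaming_version_affected "$ver"; then
        echo "OpenSSH $ver is within 5.4..7.1: setting UseRoaming no in $cfg"
        ensure_useroaming_no "$cfg"
    else
        echo "OpenSSH $ver is outside 5.4..7.1 (banner: $banner); setting it anyway is harmless"
        ensure_useroaming_no "$cfg"
    fi
}

# Only act when invoked as "sh harden-roaming.sh --apply [CONFIG]" (assumed
# flag), so the functions can be sourced and checked without touching /etc.
if [ "${1:-}" = "--apply" ]; then
    main "$@"
fi
```

Run it as `sh harden-roaming.sh --apply` (as root for /etc/ssh/ssh_config) or point it at a test file with `sh harden-roaming.sh --apply ./ssh_config`; a second run changes nothing. The version test is the range from the announcement only and says nothing about backported code, which is exactly the question Noam raises about the `useroaming` string in the CentOS 6 binary; adding the directive to a client that does not know the option simply produces a "Bad configuration option" error rather than silently doing nothing, which is itself a useful signal.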
On Thu, Jan 14, 2016 at 8:20 AM, Michael H <michael at wemoto.com> wrote:
> Probably worth a read...
> http://www.openssh.com/txt/release-7.1p2

For the sake of conversation...

Reading the Qualys security advisory is interesting as well, and I tend to think the vulnerability is not severe for a number of reasons:

https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt

First, because versions 5.4 - 5.6 were not vulnerable to the information leak on GNU/Linux, though they were on BSD systems. Second, because later versions may have been able to leak private keys, but only incomplete copies of them. Last, because encrypted keys could only be leaked in their encrypted form, and keys used with an ssh-agent were not vulnerable to leaking at all.

The buffer overflow vulnerability seems more severe, but only if you're using a bastion host which is compromised. The vulnerability can only be triggered when using ProxyCommand. The buffer overflow also is not exploitable on OpenSSH 6.8, due to a bug introduced in that version.