Tutorial

How To Fix OpenSSH's Client Bug CVE-0216-0777 and CVE-0216-0778 by Disabling UseRoaming

Published on January 14, 2016
How To Fix OpenSSH's Client Bug CVE-0216-0777 and CVE-0216-0778 by Disabling UseRoaming

The OpenSSH project today reported a client side issue affecting OpenSSH versions 5.4 - 7.1. This issue could allow an SSH client to leak key information, potentially exposing users to man-in-the-middle attacks.

##What does this mean?

A key exchange is initiated when an SSH client connects to a server. A new “roaming” feature included in the OpenSSH client can be exploited and a malicious server could use this issue to leak client memory to the server, including private client user keys.

##Who is affected?

This issue affects the OpenSSH client (not server) on most modern operating systems including Linux, FreeBSD and Mac OSX. This issue may also affect users running OpenSSH for Windows but does not affect users using PuTTY on Windows.

That means you don’t have to update OpenSSH on your Droplet (the server side), but you should update the OpenSSH client on your local computer. If you want to cover all your bases, you could generate new key pairs and upload the new public keys to your servers (see the second-to-last section for details).

##How to fix the isssue

While patches and updates are being rolled out for affected distributions, the feature causing this security issue can be disabled manually in order to resolve the issue. On OS X, Linux and BSD variants this can be done by adding a line to your SSH configuration.

###On Linux and FreeBSD Run the following command to add the new line to your configuration:

echo 'UseRoaming no' | sudo tee -a /etc/ssh/ssh_config

###On Mac OSX

Run the following command to add the new line to your configuration:

echo "UseRoaming no" >> ~/.ssh/config

Close and Reopen Sessions

Once you have done this you should close any open SSH sessions in order for the change to be effective.

For the Security-Conscious: Regenerate All Your Key Pairs

If you think someone gained access to your private keys using this vulnerability, or if you want to cover your bases “just in case,” you should regenerate all of your key pairs and upload the new public keys to your servers.

##Learn More OpenSSH: client bug CVE-0216-0777 and CVE-0216-0778 Ubuntu - USN-2869-1: OpenSSH vulnerabilities

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about us


About the authors


Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
1 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Thanks for the Fix! :-)

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Featured on Community

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel