author: Jacob Tomlinson
date: 2016-01-15 00:00:00 +0000
excerpt: How to detect and patch the SSH roaming vulnerability!
title: Fixing the SSH roaming vulnerability (CVE-2016-0777)
alias: /quick tips/2016/01/15/fixing-ss-vuln-CVE-2016-0777-on-os-x/index.html

A vulnerability has been discovered in the OpenSSH client: if you SSH to a compromised server, the server can steal your private key. This affects any operating system with OpenSSH client 5.4 and above, which is pretty much all flavors of Linux and OS X.

This is the official explanation from Red Hat:

Since version 5.4, the OpenSSH client supports an undocumented feature called roaming. If a connection to an SSH server breaks unexpectedly, and if the SSH server supports roaming as well, the client is able to reconnect to the server and resume the interrupted SSH session. The roaming feature is enabled by default in OpenSSH clients, even though no OpenSSH server version implements the roaming feature.

An information leak flaw was found in the way OpenSSH client roaming feature was implemented. The information leak is exploitable in the default configuration of certain versions of the OpenSSH client and could (depending on the client's version, compiler, and operating system) allow a malicious SSH server to steal the client's private keys.

Am I affected?

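Run this command from the command line, replacing user@your-server (a placeholder) with an SSH server you already connect to, and see if it responds as shown below. If so then you are vulnerable!

$ ssh -v -T user@your-server 2>&1 | grep Roaming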
debug1: Roaming not allowed by server

How do I fix it?

Ensure you have sudo permissions and run the command below for your operating system:

OS X (Yosemite 10.10 and below)

echo 'UseRoaming no' | sudo tee -a /private/etc/ssh_config

Linux (and OS X El Capitan 10.11)

echo 'UseRoaming no' | sudo tee -a /etc/ssh/ssh_config

When you run the test command again it should print nothing, which means you are now protected.

$ ssh -v -T user@your-server 2>&1 | grep Roaming
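
The tee -a commands above append to the end of the config file, where the line can fall inside a host-specific block. The shell functions below are an added example, not part of the original post: they check that UseRoaming no comes before any Host, Match or Include line and put it on the first line if it does not. The function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post; function names are illustrative.
# ssh_config keeps the first value it reads for each option, so a
# "UseRoaming no" on the first line covers every host. A line appended with
# tee -a may land inside a trailing "Host somehost" block and cover only it.

# Exit 0 when "UseRoaming no" appears before any Host, Match or Include line.
# Conservative: a setting under "Host *" is not counted as global.
roaming_off_for_all_hosts() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            line = tolower($0)                   # keywords are case-insensitive
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)      # accept the "key=value" form
            split(line, f, /[ \t]+/)
            if (f[1] == "useroaming" && f[2] == "no") ok = 1
            if (f[1] ~ /^(useroaming|host|match|include)$/) exit
        }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Put "UseRoaming no" on the first line unless it is already global.
# Prints "patched" or "unchanged"; writing back with cat keeps owner and mode.
disable_roaming() {
    cfg=$1
    [ -f "$cfg" ] || { echo "missing"; return 1; }
    if roaming_off_for_all_hosts "$cfg"; then
        echo "unchanged"
        return 0
    fi
    tmp=$(mktemp) || return 1
    { echo 'UseRoaming no'; cat "$cfg"; } > "$tmp" && cat "$tmp" > "$cfg"
    rm -f "$tmp"
    echo "patched"
}

# Usage, as root: disable_roaming /etc/ssh/ssh_config
```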