Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
 [dupe] Important SSH patch coming soon (marc.info)
109 points by DrRobinson on Jan 14, 2016 | hide | past | favorite | 23 comments


https://news.ycombinator.com/item?id=10901588


What does "UseRoaming" do?

http://linux.die.net/man/5/ssh_config contains no mention of it, and DDG hits a reddit thread of 2014 asking the same thing (and giving an indication that it was also subject to another vuln) and they stated that it was added undocumented but "it does nothing yet"...

I found a commit message saying "Request roaming to be enabled if UseRoaming is true and the server supports it." So in addition, what is "request roaming"?


It allows re-connection to an SSH session after you are dropped from what I understand.

This is for people who are on cell connections/spotty internet.


That was the idea, but it needs server support and the server side was never implemented in OpenSSH.


Perhaps roaming makes some kind of man-in-the-middle attack possible?


The roaming thing occurs post negotiation, so the connection is already fully encrypted.


Impact: a malicious server could read client memory, including private client user keys.


More details: http://undeadly.org/cgi?action=article&sid=20160114142733


This link is a separate thread that is in top. Maybe we should chuck this parent altogether.


Do not manually change your server configuration if security updates are already available for your platform. Ubuntu is already providing the patch.

https://launchpad.net/ubuntu/+source/openssh/1:5.9p1-5ubuntu...

*Edit : it does seems like a good idea to disable the feature on your local `ssh_config` in case you or a software you use connect to an unpatched evil server.


> *Edit : it does seems like a good idea to disable the feature on your local `ssh_config` in case you or a software you use connect to an unpatched evil server.

The vulnerability is in the OpenSSH client, not the server. ssh_config is the client configuration. Unpatched servers are not relevant and putting this option in your server configuration (sshd_config) will simply make it not start, because the configuration is invalid.


More info on the issue: http://www.openssh.com/txt/release-7.1p2

"experimental support for resuming SSH-connections (roaming) ... could be tricked by a malicious server into leaking ... private client user keys."


Asking people to make changes without explaining why. What if that actually enables the vulnerability?


> undocumented "UseRoaming no"

Come on Theo, this isn't Linux


TL;DR IIRC, add

  UseRoaming no
to your ssh_config systemwide or add

  Host *
    UseRoaming no
to your ~/.ssh/config. It's a client bug: no need to change sshd_config.


There are 34 words in the link. It doesn't need a TL;DR.


in this case, maybe: MD;DC (mobile device, didn't click)

Most of the web sites have a tendency of emptying your data plan, so, I would understand if people are hesitant on opening the web page.


That web page is literally 34 words of text, with no images and a small two line CSS file. It isn't going to empty your data plan, unless you are using a 300 baud modem :-)


The problem is that people can only know it after going there, and risking (with what 90% certainty?) emptying their plan.


Sounds like visiting HN is a risk to them then. The whole point of HN is to provide links to interesting sites.

And the person visited the website who gave the summary. Presumably they already knew.


I always read comments before article on mobile, hoping for a tldr comment.


There's at least one hipster in every crowd that does crap like this. thanks for being that guy.


It does. I'm just gonna implement what op said - no need to click hoping it's written in laymen terms




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: