
Important SSH patch coming soon - DrRobinson
http://marc.info/?l=openbsd-tech&m=145278077820529&w=2
======
dang
[https://news.ycombinator.com/item?id=10901588](https://news.ycombinator.com/item?id=10901588)

------
chippy
What does "UseRoaming" do?

[http://linux.die.net/man/5/ssh_config](http://linux.die.net/man/5/ssh_config)
contains no mention of it, and DDG hits a reddit thread of 2014 asking the
same thing (and giving an indication that it was also subject to another vuln)
and they stated that it was added undocumented but "it does nothing yet"...

I found a commit message saying "Request roaming to be enabled if UseRoaming
is true and the server supports it." So in addition, what is "request
roaming"?

~~~
gravypod
It allows re-connection to an SSH session after you are dropped, from what I
understand.

This is for people who are on cell connections/spotty internet.

~~~
masklinn
That was the idea, but it needs server support and the server side was never
implemented in OpenSSH.

~~~
nickodell
Perhaps roaming makes some kind of man-in-the-middle attack possible?

~~~
masklinn
The roaming thing occurs post negotiation, so the connection is already fully
encrypted.

------
lultimouomo
Impact: a malicious server could read client memory, including private client
user keys.

------
dbalan
More details:
[http://undeadly.org/cgi?action=article&sid=20160114142733](http://undeadly.org/cgi?action=article&sid=20160114142733)

~~~
dbalan
This link is a separate thread that is at the top. Maybe we should chuck this
parent altogether.

------
j15e
Do not manually change your server configuration if security updates are
already available for your platform. Ubuntu is already providing the patch.

[https://launchpad.net/ubuntu/+source/openssh/1:5.9p1-5ubuntu...](https://launchpad.net/ubuntu/+source/openssh/1:5.9p1-5ubuntu1.8)

*Edit: it does seem like a good idea to disable the feature in your local `ssh_config` in case you or software you use connects to an unpatched evil server.

~~~
throwaway7767
> *Edit: it does seem like a good idea to disable the feature in your local
> `ssh_config` in case you or software you use connects to an unpatched evil
> server.

The vulnerability is in the OpenSSH client, not the server. ssh_config is the
client configuration. Unpatched servers are not relevant and putting this
option in your server configuration (sshd_config) will simply make it not
start, because the configuration is invalid.

------
state_machine
More info on the issue:
[http://www.openssh.com/txt/release-7.1p2](http://www.openssh.com/txt/release-7.1p2)

"experimental support for resuming SSH-connections (roaming) ... could be
tricked by a malicious server into leaking ... private client user keys."

------
ericfrederich
Asking people to make changes without explaining why. What if that actually
enables the vulnerability?

------
feld
> undocumented "UseRoaming no"

Come on Theo, this isn't Linux

------
colindean
TL;DR IIRC, add

    UseRoaming no

to your ssh_config systemwide or add

    Host *
      UseRoaming no

to your ~/.ssh/config. It's a client bug: no need to change sshd_config.
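
The client-side change described above, together with throwaway7767's point that the keyword belongs only in client configuration, as an added POSIX shell helper. This is not code from any commenter in the thread; the function names, regular expressions and the file paths in the usage comment are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Idempotently disables OpenSSH
# client roaming in a client config file and checks that the keyword has
# not ended up in a server config, where sshd would refuse to start.
# Assumes POSIX sh with grep -E and mktemp; paths below are hypothetical.

# Active (non-comment) "UseRoaming no" line, case-insensitive, accepting
# both "UseRoaming no" and "UseRoaming=no".
ROAMING_OFF_RE='^[[:space:]]*UseRoaming[[:space:]=]+no([[:space:]]|$)'
# Any active UseRoaming line at all, whatever its value.
ANY_ROAMING_RE='^[[:space:]]*UseRoaming([[:space:]=]|$)'

# roaming_disabled FILE: exit 0 if FILE already turns roaming off.
roaming_disabled() {
    grep -Eiq "$ROAMING_OFF_RE" "$1" 2>/dev/null
}

# disable_roaming FILE: make "UseRoaming no" apply to every host.
# ssh_config is first-match: for each keyword the first value found wins.
# The directive is therefore prepended inside its own "Host *" block; if
# it were appended, it would fall under whatever Host block precedes it
# and apply only to those hosts, and an earlier "UseRoaming yes" would win.
disable_roaming() {
    f=$1
    roaming_disabled "$f" && return 0
    tmp=$(mktemp "${TMPDIR:-/tmp}/ssh_config.XXXXXX") || return 1
    {
        printf 'Host *\n    UseRoaming no\n'
        if [ -f "$f" ]; then cat "$f"; fi
    } >"$tmp" && mv "$tmp" "$f"
}

# server_config_clean FILE: exit 0 if FILE contains no active UseRoaming
# line. The keyword is client-only; sshd treats it as invalid configuration.
server_config_clean() {
    ! grep -Eiq "$ANY_ROAMING_RE" "$1" 2>/dev/null
}

# Usage with hypothetical paths (the system-wide file needs root):
#   disable_roaming "$HOME/.ssh/config"
#   disable_roaming /etc/ssh/ssh_config
#   server_config_clean /etc/ssh/sshd_config || echo "remove UseRoaming from sshd_config"
```

Commented-out mentions of the keyword are ignored by both checks, and running `disable_roaming` twice leaves a single directive in place.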

~~~
unfunco
There are 34 words in the link. It doesn't need a TL;DR.

~~~
patates
In this case, maybe: MD;DC (mobile device, didn't click)

Most of the web sites have a tendency of emptying your data plan, so, I would
understand if people are hesitant on opening the web page.

~~~
chris_wot
That web page is literally 34 words of text, with no images and a small two
line CSS file. It isn't going to empty your data plan, unless you are using a
300 baud modem :-)

~~~
marcosdumay
The problem is that people can only know it after going there, and risking
(with what 90% certainty?) emptying their plan.

~~~
chris_wot
Sounds like visiting HN is a risk to them then. The whole point of HN is to
provide links to interesting sites.

And the person visited the website who gave the summary. Presumably they
already knew.

