Protecting Against CVE-2016-0777 and CVE-2016-0778

Overview

A flaw in OpenSSH, discovered and reported by Qualys on Jan. 14, 2016, could potentially allow an information leak (CVE-2016-0777) or buffer overflow (CVE-2016-0778) via the OpenSSH client. Specifically, an undocumented feature called roaming, introduced in OpenSSH version 5.4, can be exploited to expose a client’s private SSH key.

Impact

The roaming feature, which allows clients to reconnect to the server automatically should the connection drop (on servers supporting the feature), can be exploited in the default configuration of OpenSSH clients from versions 5.4 through 7.1p1, but is not supported in the default configuration of the OpenSSH server.

All versions of OpenSSH clients from 5.4 through 7.1p1 are affected for anyone who connects via SSH on the following operating systems:

  • Linux
  • FreeBSD
  • Mac OS X
  • Windows when using OpenSSH for Windows

The following are not affected:

  • OpenSSH servers in default configuration
  • Windows users utilizing PuTTY to connect
  • Connections not authenticated via an SSH key

Summary

A connection made from an affected client to a compromised or malicious server which uses an SSH key for authentication potentially could expose all or part of the user’s private SSH key.

If the key utilized to authenticate the connection is encrypted, only the encrypted private key could be exposed. However, a malicious party could attempt to brute-force the password offline after obtaining the encrypted key.

Is Your SSH Client Vulnerable?

You can check the version of your SSH client by running the following command:

ssh -V

That will produce output similar to:

workstation$ $ ssh -V
OpenSSH_7.1p2, OpenSSL 1.0.2e 3 Dec 2015

If the version is below 7.1p2, the SSH client is affected.

Resolution

  1. Update your OpenSSL client: Check for any updates to your SSH client and apply them immediately.
  2. Patch older clients: If an update is not yet available for your operating system, you may disable the roaming feature on affected clients by adding the line “UseRoaming no” to your ssh configuration file. You can do so directly or via one of the methods below:
    • On Linux, you can run the following command to add the necessary line:echo 'UseRoaming no' | sudo tee --append /etc/ssh/ssh_config

      And restart ssh.

    • On a Mac running OS X, you can run the command:echo "UseRoaming no" >> ~/.ssh/config

      You will need to close any active SSH sessions or log out and log back in to ensure the change has taken effect.

  3. Change existing SSH keys: If you’re using keys to authenticate SSH connections, you should generate new keys as soon as possible. You can find instructions for generating a key and uploading it to your server at: Using SSH Keys. Please note: If you currently are using the same key to connect to multiple servers, you may wish to consider using unique keys in the future in light of the potential scope of this vulnerability. You also should ensure you are using a strong passphrase for any key you generate.

 

How to Install Git on Ubuntu 15.04

Introduction

Git is an open source, distributed version control system (VCS). It’s commonly used for source code management (SCM), with sites like GitHub offering a social coding experience, and popular projects such as Perl, Ruby on Rails, and the Linux kernel using it.

Pre-Flight Check

  • These instructions are intended for installing Git on Ubuntu 15.04.
  • I’ll be working from a Liquid Web Core Managed Ubuntu 15.04 server, and I’ll be logged in as root.

Continue reading “How to Install Git on Ubuntu 15.04”

How to Install and Configure Git on Fedora 22

Introduction

Git is a widely adopted, distributed version control system (VCS) and open source. It’s commonly used for source code management (SCM), with sites like GitHub offering a social coding experience, and popular projects such as Perl, Ruby on Rails, and the Linux kernel using it.

Pre-Flight Check

  • These instructions are intended for installing Git on Fedora 22.
  • I’ll be working from a Liquid Web Self Managed Fedora 22 server, and I’ll be logged in as root.

Continue reading “How to Install and Configure Git on Fedora 22”

How to Configure a VNC Server to Use an SSH Tunnel on Ubuntu 14.04 LTS

VNC is short for ‘Virtual Network Computing’. It’s a simple method for sharing a graphical desktop environment. For example, if you install VNC on your hosted server, you could connect to its graphical desktop environment remotely.

Pre-Flight Check

Continue reading “How to Configure a VNC Server to Use an SSH Tunnel on Ubuntu 14.04 LTS”

How to Install and Configure Git on Fedora 21

Introduction

Git is an open source, distributed version control system (VCS). It’s commonly used for source code management (SCM), with sites like GitHub offering a social coding experience, and popular projects such as Perl, Ruby on Rails, and the Linux kernel using it.

Pre-Flight Check

  • These instructions are intended for installing Git on Fedora 21.
  • I’ll be working from a Liquid Web Self Managed Fedora 21 server, and I’ll be logged in as root.

Continue reading “How to Install and Configure Git on Fedora 21”

How to Install and Configure Git on Fedora 20

Introduction

Git is an open source, distributed version control system (VCS). It’s commonly used for source code management (SCM), with sites like GitHub offering a social coding experience, and popular projects such as Perl, Ruby on Rails, and the Linux kernel using it.

Pre-Flight Check
  • These instructions are intended for installing Git on Fedora 20.
  • I’ll be working from a Liquid Web Self Managed Fedora 20 server, and I’ll be logged in as root.

Continue reading “How to Install and Configure Git on Fedora 20”

How to Install and Configure Git on CentOS 7

Introduction

Git is an open source, distributed version control system (VCS). It’s commonly used for source code management (SCM), with sites like GitHub offering a social coding experience, and popular projects such as Perl, Ruby on Rails, and the Linux kernel using it.

Pre-Flight Check
  • These instructions are intended for installing Git on CentOS 7.
  • I’ll be working from a Liquid Web Self Managed CentOS 7 server, and I’ll be logged in as root.

Continue reading “How to Install and Configure Git on CentOS 7”

How To Install Git on Ubuntu 14.04

Introduction

Git is an open source, distributed version control system (VCS). It’s commonly used for source code management (SCM), with sites like GitHub offering a social coding experience, and popular projects such as Perl, Ruby on Rails, and the Linux kernel using it.

Pre-Flight Check

  • These instructions are intended for installing Git on Ubuntu 14.04.
  • I’ll be working from a Liquid Web Core Managed Ubuntu 14.04 server, and I’ll be logged in as root.

Continue reading “How To Install Git on Ubuntu 14.04”