The OpenSSH client supports an undocumented feature called roaming: if the connection to an SSH server breaks unexpectedly, and if the server supports roaming as well, the client is able to reconnect to the server and resume the suspended SSH session. This roaming feature on OpenSSH clients contains a security flaw which allows a malicious SSH server to steal the client's private keys.
Mitigation:

1. The vulnerable roaming code can be permanently disabled by adding the undocumented option "UseRoaming no" to the system-wide configuration file (usually /etc/ssh/ssh_config), the per-user configuration file (~/.ssh/config), or the command line (-o "UseRoaming no").

2. If an OpenSSH client is disconnected from an SSH server that offers roaming, it prints "[connection suspended, press return to resume]" on stderr, and waits for '\n' or '\r' on stdin (and not on the controlling terminal) before it reconnects to the server; advanced users may become suspicious and press Control-C or Control-Z instead, thus avoiding the information leak. However, SSH commands that use the local stdin to transfer data to the remote server are bound to trigger this reconnection automatically (upon reading a '\n' or '\r' from stdin). Moreover, these non-interactive SSH commands (for example, backup scripts and cron jobs) commonly employ public-key authentication and are therefore perfect targets for this information leak.
The "roaming" feature of OpenSSH clients was introduced in OpenSSH-5.4. Therefore Red Hat Enterprise Linux 4, 5, and 6 are not affected by this flaw. OpenSSH-6.6 is vulnerable to this issue, but only when used with "ProxyCommand", which is not a default configuration; therefore the version of OpenSSH shipped with Red Hat Enterprise Linux 7 is affected by this flaw. Also, Red Hat Enterprise Linux 4, 5, 6 and 7 do not enable this "roaming" feature on the server side.

Statement: This issue does not affect the version of OpenSSH as shipped with Red Hat Enterprise Linux 4, 5 and 6. This issue affects the version of OpenSSH as shipped with Red Hat Enterprise Linux 7 in a non-default configuration. For more information please refer to https://access.redhat.com/articles/2123781
External References:
https://access.redhat.com/articles/2123781
https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt
http://www.openssh.com/txt/release-7.1p2
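The two checks a defender would want from the description above, as a small POSIX shell script: whether a given ssh_config already carries an active "UseRoaming no" directive (and placing one at the top of the file if not, so it applies before any Host block), and whether an installed client version falls in the range that contains the roaming client code. This is an added example, not code from the bug report, from Red Hat or from OpenSSH. The version range (5.4 up to, but not including, 7.1p2) and the /etc/ssh/ssh_config path are taken from the report; a version check alone only says the roaming code is present, not that it is reachable (the report notes 6.6 needs ProxyCommand), and it does not account for vendor backports, so the distribution's errata remain the authority for packaged builds.

```shell
#!/bin/sh
# Added example: check and apply the "UseRoaming no" client mitigation for
# CVE-2016-0777 / CVE-2016-0778. Not from the bug report or from OpenSSH.
# Assumes POSIX sh, grep, awk and sed.

# Return 0 if FILE contains an active (uncommented) "UseRoaming no" line.
# ssh_config keywords are case-insensitive, so the match is too. Any active
# directive counts, including one inside a Host block; check placement by hand
# when the file has Host blocks.
roaming_disabled_in() {
    file="$1"
    [ -r "$file" ] || return 1
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]+no[[:space:]]*$' "$file"
}

# Prepend the directive to FILE if it is not already present. Idempotent.
# Prepending keeps it global: ssh_config uses the first obtained value, and
# lines after a "Host" keyword belong to that host block. The rewrite goes
# through "cat > file" so the file's inode and permissions are preserved.
ensure_roaming_disabled() {
    file="$1"
    roaming_disabled_in "$file" && return 0
    tmp="${file}.tmp.$$"
    {
        printf '# Mitigation for CVE-2016-0777 / CVE-2016-0778: disable client roaming\n'
        printf 'UseRoaming no\n'
        if [ -f "$file" ]; then cat "$file"; fi
    } > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# Return 0 if an OpenSSH version string (e.g. "6.6.1p1", "7.1p2") lies in the
# range that carries the roaming client code: 5.4 <= version < 7.1p2.
# Fields are split on "." and "p"; the last field is the portable patch level.
client_version_in_roaming_range() {
    ver="$1"
    [ -n "$ver" ] || return 1
    echo "$ver" | awk -F'[.p]' '{
        major = $1 + 0; minor = $2 + 0; p = $NF + 0
        if (major < 5 || (major == 5 && minor < 4)) exit 1
        if (major > 7 || (major == 7 && minor > 1)) exit 1
        if (major == 7 && minor == 1 && p >= 2) exit 1
        exit 0
    }'
}

# Version of the installed client, parsed from "ssh -V" (printed on stderr),
# e.g. "OpenSSH_7.1p2, OpenSSL 1.0.2e ..." -> "7.1p2". Empty if ssh is absent.
installed_client_version() {
    command -v ssh >/dev/null 2>&1 || return 1
    ssh -V 2>&1 | sed -n 's/^OpenSSH_\([^ ,]*\).*/\1/p'
}

# Human-readable summary for one host; CFG defaults to the system-wide file.
report() {
    cfg="${1:-/etc/ssh/ssh_config}"
    ver=$(installed_client_version) || { echo "ssh client not found"; return 1; }
    if client_version_in_roaming_range "$ver"; then
        echo "OpenSSH $ver: carries the roaming client code (5.4 .. 7.1p1)"
    else
        echo "OpenSSH $ver: outside the roaming version range"
    fi
    if roaming_disabled_in "$cfg"; then
        echo "$cfg: UseRoaming no is set"
    else
        echo "$cfg: UseRoaming no is NOT set"
    fi
}

# Usage: sh roaming-check.sh --report [/path/to/ssh_config]
if [ "${1:-}" = "--report" ]; then
    report "${2:-}"
fi
```

Run it with --report on a client host to see both findings at once; call ensure_roaming_disabled on the user or system file to apply the mitigation from the report's first item without editing by hand.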
Created attachment 1114690 [details] Upstream patch This is the fix that is expected to be published by upstream later today. It disabled the roaming feature.
Acknowledgements: Red Hat would like to thank Qualys for reporting this issue.
This is now public via https://twitter.com/phessler/status/687651384360091649 and https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034680.html
Created openssh tracking bugs for this issue: Affects: fedora-all [bug 1298626]
Fixed upstream in 7.1p2: http://www.openssh.com/txt/release-7.1p2
Upstream commit: https://anongit.mindrot.org/openssh.git/commit/?id=e6c85f8889c5c9eb04796fdb76d2807636b9eef5
A detailed analysis of this issue was published by Qualys at: https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt
After disabling roaming for the 7.1p2 security release, upstream already proceeded to removing roaming support completely in the CVS: http://marc.info/?l=openbsd-cvs&m=145278862023945
Why does the openssh-clients-5.3p1-112.el6_7.x86_64 copy of ssh contain the string "useroaming" if it's not affected by this bug? Could Redhat have helpfully backported this functionality from 5.4p1 to 5.3p1?
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:0043 https://rhn.redhat.com/errata/RHSA-2016-0043.html
(In reply to Trevor Hemsley from comment #16)
> Why does the openssh-clients-5.3p1-112.el6_7.x86_64 copy of ssh contain the
> string "useroaming" if it's not affected by this bug? Could Redhat have
> helpfully backported this functionality from 5.4p1 to 5.3p1?

There's no Red Hat-specific backport. Upstream 5.3 already added some roaming-related code, apparently in preparation for the addition of the client-side implementation in 5.4. 5.3 recognizes the UseRoaming option, but does not use it in any way.
Created gsi-openssh tracking bugs for this issue:
Affects: fedora-all [bug 1298817]
Affects: epel-7 [bug 1298818]
(In reply to Tomas Hoger from comment #18)
> (In reply to Trevor Hemsley from comment #16)
> > Why does the openssh-clients-5.3p1-112.el6_7.x86_64 copy of ssh contain the
> > string "useroaming" if it's not affected by this bug? Could Redhat have
> > helpfully backported this functionality from 5.4p1 to 5.3p1?
>
> There's no Red Hat specific backport. Upstream 5.3 already added some
> roaming related code, apparently in preparation for addition of the client
> side implementation in 5.4. 5.3 recognizes UseRoaming option, but does not
> use it in any way.

I had a client who noticed similar and had a look prior to seeing this. To confirm, the option parser in the RHEL6 version recognizes UseRoaming, but the option isn't used anywhere.
openssh-7.1p2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
openssh-6.9p1-10.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
gsi-openssh-7.1p2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
gsi-openssh-6.9p1-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
gsi-openssh-6.6.1p1-3.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.