OpenSSH BUG: Client information leak due to the roaming connection feature
The OpenSSH client supports an undocumented feature called roaming:
if the connection to an SSH server breaks or stalls unexpectedly,
and the server supports roaming, the client can reconnect to the server and resume the suspended SSH session.
The roaming code in OpenSSH clients contains a security flaw that allows a malicious SSH server to steal the client's private keys; this is the OpenSSH bug described here.
To disable the roaming feature, follow the simple steps below and secure your systems.
To fix:
Add the option 'UseRoaming no' to /etc/ssh/ssh_config and restart the ssh service, or include -oUseRoaming=no on the ssh command line.
i.e. echo 'UseRoaming no' >> /etc/ssh/ssh_config
or
sudo sh -c 'echo UseRoaming \"no\" >> /etc/ssh/ssh_config'
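The one-line echo above works on a stock config, but a plain append has two pitfalls: ssh uses the first value it finds for an option, so an existing "UseRoaming yes" earlier in the file would silently win over a line appended at the end, and a line appended after a "Host somehost" stanza applies to that stanza only. The script below is an added example (not from the original post) that writes the directive at the top of the file instead and verifies the result; it assumes a POSIX shell with awk, grep, head and mktemp, and takes the config path as a parameter so it can be tried on a scratch copy before touching /etc/ssh/ssh_config.

```shell
#!/bin/sh
# Added example: disable OpenSSH client roaming in an ssh_config file and
# verify it. Not part of the original post. Assumes POSIX sh, awk, mktemp.

# Print the lower-cased value of the first active UseRoaming directive
# (comments stripped; "UseRoaming no" and "UseRoaming=no" both accepted).
# Prints nothing if the option is not set or the file does not exist.
# Simplification: Host/Match scoping is ignored; the first directive
# anywhere in the file is taken, which matches ssh's first-value-wins rule
# when the directive sits above all stanzas.
first_useroaming_value() {
    [ -f "$1" ] || return 0
    awk '
        { sub(/#.*/, "") }                       # drop comments
        tolower($1) ~ /^useroaming(=.*)?$/ {
            v = tolower($0)
            sub(/^[ \t]*useroaming[ \t=]*/, "", v)  # strip keyword and separator
            sub(/[ \t]*$/, "", v)                   # strip trailing blanks
            print v
            exit
        }' "$1"
}

# Return 0 when the first active UseRoaming directive says "no".
roaming_disabled() {
    [ "$(first_useroaming_value "$1")" = "no" ]
}

# Put "UseRoaming no" at the top of the file (creating it if absent) unless
# the first active directive is already "no". Idempotent: a second run is a
# no-op, so no duplicate lines accumulate.
disable_roaming() {
    cfg="$1"
    if roaming_disabled "$cfg"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    {
        echo "# Disable SSH roaming (client-side information leak)"
        echo "UseRoaming no"
        if [ -f "$cfg" ]; then cat "$cfg"; fi
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy contents back rather than mv, so the existing file keeps its
    # owner and permissions.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Demonstration on a constructed scratch config (never touches /etc/ssh).
demo_cfg=$(mktemp)
printf 'Host *\n    UseRoaming yes\n' > "$demo_cfg"
if roaming_disabled "$demo_cfg"; then echo "before: disabled"; else echo "before: enabled"; fi
disable_roaming "$demo_cfg"
if roaming_disabled "$demo_cfg"; then echo "after: disabled"; else echo "after: enabled"; fi
rm -f "$demo_cfg"
```

To apply it to the real client config, source the script as root and call `disable_roaming /etc/ssh/ssh_config`; `roaming_disabled /etc/ssh/ssh_config` afterwards returns 0 only if the first active directive is "no", which is the check a configuration audit would run.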
It is being reported that it affects only CentOS 7 servers, which can update OpenSSH using yum.
#yum update openssh
For more information, read the official bug report at Red Hat Bugzilla.
#KTCHost – A Reliable Hosting Provider