OpenSSH Clients Vulnerability

OpenSSH clients between versions 5.4 and 7.1 are vulnerable to an information disclosure issue that may allow a malicious server to retrieve information including, under some circumstances, users’ private keys. This may be mitigated by adding the undocumented config option “UseRoaming no” to ssh_config.

This bug is corrected in OpenSSH 7.1p2.

Severity
Moderate

CVE Number
This issue has been assigned CVE-2016-0777 and CVE-2016-0778. We expect more information to be added to the common vulnerability pages shortly.

Recommended Action for Linux Machines

  • Install updated packages when available
  • If updated packages are not yet available for your distribution, add “UseRoaming no” to /etc/ssh/ssh_config
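
The following is an added example, not part of the original advisory: a POSIX shell sketch that checks whether a client's `ssh -V` string falls in the affected range and applies the UseRoaming mitigation so that it actually takes effect. The function names are hypothetical, and it assumes the version string starts with the usual `OpenSSH_` prefix.

```shell
#!/bin/sh
# Added example (not from the advisory). Function names are hypothetical.

# is_affected_version "<ssh -V output>": exit 0 if 5.4 <= version <= 7.1
# and the release is older than 7.1p2, the fixed version named above.
is_affected_version() {
    ver=${1#OpenSSH_}                 # "6.6.1p1 Ubuntu-..., OpenSSL ..."
    ver=${ver%%[ ,]*}                 # "6.6.1p1"
    case $ver in *p*) plevel=${ver##*p} ;; *) plevel=0 ;; esac
    num=${ver%%p*}                    # "6.6.1"
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    n=$((major * 100 + minor))
    if [ "$n" -lt 504 ] || [ "$n" -gt 701 ]; then return 1; fi
    if [ "$n" -eq 701 ] && [ "$plevel" -ge 2 ]; then return 1; fi
    return 0
}

# has_global_useroaming_no FILE: exit 0 only if the first UseRoaming line
# before any Host/Match block says "no". ssh_config uses the first value it
# obtains for a keyword, so an earlier "UseRoaming yes" would win.
has_global_useroaming_no() {
    awk '
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^(host|match)[ \t=]/ { exit }
        line ~ /^useroaming[ \t=]+"?no"?[ \t]*$/ { found = 1; exit }
        line ~ /^useroaming[ \t=]/ { exit }
        END { exit !found }
    ' "$1"
}

# ensure_useroaming_no FILE: idempotently put "UseRoaming no" on line 1,
# keeping a .bak copy and the file's existing owner and mode.
ensure_useroaming_no() {
    cfg=$1
    [ -f "$cfg" ] || : > "$cfg"
    if has_global_useroaming_no "$cfg"; then return 0; fi
    cp -p "$cfg" "$cfg.bak" || return 1
    { printf 'UseRoaming no\n'; cat "$cfg.bak"; } > "$cfg"
}

# Typical use on a client (run as root for the system-wide file):
#   is_affected_version "$(ssh -V 2>&1)" && ensure_useroaming_no /etc/ssh/ssh_config
```

Placing the option on the first line matters because a setting that appears only inside a later Host block, or after an earlier "UseRoaming yes", does not apply to every connection.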

Currently known package updates include, but are not limited to:

More Information