OpenSSH clients between versions 5.4 and 7.1 are vulnerable to an information disclosure issue that may allow a malicious server to retrieve information including, under some circumstances, users’ private keys. This may be mitigated by adding the undocumented config option “UseRoaming no” to ssh_config.
This bug is corrected in OpenSSH 7.1p2.
Recommended Action for Linux Machines
- Install updated packages when available
- If updated packages are not yet available for your distribution, add “UseRoaming no” to /etc/ssh/ssh_config
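
One way to check a machine against the two actions above, as an added example that is not part of the original advisory: it classifies the `ssh -V` banner against the stated range and looks for the mitigation in a client config file. The function names and status words are this example's own, and the config check is deliberately conservative (per-host overrides are not evaluated).

```sh
#!/bin/sh
# Added example: classify an OpenSSH client against the affected range stated
# above (5.4 through 7.1, fixed in 7.1p2) and check for the UseRoaming mitigation.
# Function names and status words are this example's own.

# Return 0 if the `ssh -V` banner in $1 is in the affected range, 1 if not,
# 2 if the banner cannot be parsed. Distribution packages may carry the fix
# under an older version string, so "affected" here means "verify the package".
is_affected_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 2
    n=$(( ${v% *} * 100 + ${v#* } ))
    p=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_7\.1p\([0-9][0-9]*\).*/\1/p')
    [ "$n" -ge 504 ] && [ "$n" -le 701 ] || return 1
    if [ "$n" -eq 701 ] && [ "${p:-0}" -ge 2 ]; then return 1; fi
    return 0
}

# Return 0 only if config file $1 sets "UseRoaming no" in global scope (before
# any Host/Match line, or under "Host *") and never sets another value.
roaming_disabled() {
    awk '
        BEGIN { g = 1 }
        { l = tolower($0); sub(/^[ \t]+/, "", l) }
        l ~ /^(host|match)[ \t=]/ { g = (l ~ /^host[ \t=]+\*[ \t]*$/); next }
        l ~ /^useroaming[ \t=]/ {
            if (l !~ /^useroaming[ \t=]+"?no"?[ \t]*$/) { bad = 1; exit }
            if (g) ok = 1
        }
        END { exit ((ok && !bad) ? 0 : 1) }
    ' "$1"
}

# Print one of: not-affected, mitigated, exposed, unknown.
# Typical call: roaming_status "$(ssh -V 2>&1)" /etc/ssh/ssh_config
roaming_status() {
    rc=0
    is_affected_version "$1" || rc=$?
    case $rc in
        1) echo not-affected ;;
        2) echo unknown ;;
        *) if roaming_disabled "$2"; then echo mitigated; else echo exposed; fi ;;
    esac
}
```

A result of "exposed" on a distribution package whose changelog lists the fix means the version string was not bumped; the package changelog is the authority in that case.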
Currently known package updates include, but are not limited to: