CVE-2016-20012
Sergio Durigan Junior
sergiodj at ubuntu.com
Thu Oct 28 19:43:29 UTC 2021
On Thursday, October 28 2021, Leroy Tennison wrote:
> Sergio,
> Thanks for your reply, I was afraid of that. Any suggestion on how we deal with this?
Well, according to this post from one of OpenSSH's developers:
https://marc.info/?l=openbsd-misc&m=145278077920530&w=2
You can add the (undocumented) "UseRoaming no" option to your
/etc/ssh/ssh_config (or ~/.ssh/config), or use the "-oUseRoaming=no"
option when invoking ssh.
Note that these two things have to be done on the client's side.
Another option may be using only key-based authentication (i.e.,
disabling password-based auth), but I'm not entirely sure if that can
really mitigate this CVE (at least I couldn't find anyone suggesting
this approach). I'd suggest contacting the OpenSSH developers and
confirming with them.
Thanks,
--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14
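As an added check that is not part of Sergio's message or the ubuntu-server list, the POSIX shell function below audits a client-side ssh_config for the "UseRoaming no" setting recommended above. It goes slightly beyond the text in that it accepts the setting either in the global section or in a `Host *` block (both apply to every connection), in either the "Key value" or the "Key=value" spelling that ssh_config allows; a setting inside a narrower Host or Match block is deliberately not counted. The sample config it runs on is constructed.

```shell
#!/bin/sh
# Audit an OpenSSH client config for an unconditional "UseRoaming no".
# Returns 0 when the setting is found in the global section or in a
# "Host *" block, 1 otherwise. ssh_config keywords are case-insensitive
# and may be written as "Key value" or "Key=value".
check_useroaming_disabled() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    scope=all   # "all" while lines apply to every host, "some" inside narrower blocks
    while IFS= read -r line || [ -n "$line" ]; do
        # drop comments, turn the first '=' into a space, trim whitespace
        line=$(printf '%s' "$line" | sed 's/#.*//; s/=/ /; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$line" ] && continue
        key=$(printf '%s' "${line%% *}" | tr '[:upper:]' '[:lower:]')
        val=$(printf '%s' "${line#* }" | tr '[:upper:]' '[:lower:]')
        case "$key" in
            host)
                # "Host *" still applies to every connection; anything else narrows scope
                if [ "$val" = "*" ]; then scope=all; else scope=some; fi ;;
            match)
                scope=some ;;
            useroaming)
                if [ "$scope" = all ] && [ "$val" = "no" ]; then return 0; fi ;;
        esac
    done < "$cfg"
    return 1
}

# Constructed sample config (not a real system file) for a stand-alone run:
# the bastion-only setting does not count, the "Host *" one does.
sample=$(mktemp)
printf 'Host bastion\n  UseRoaming no\nHost *\n  UseRoaming=no\n' > "$sample"
if check_useroaming_disabled "$sample"; then
    echo "UseRoaming is disabled for all hosts"
else
    echo "UseRoaming is NOT disabled globally"
fi
rm -f "$sample"
```

Run it against /etc/ssh/ssh_config and ~/.ssh/config separately; a hit in either file is enough, since ssh reads both.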