Sergio Durigan Junior sergiodj at
Thu Oct 28 19:43:29 UTC 2021

On Thursday, October 28 2021, Leroy Tennison wrote:

> Sergio,
> Thanks for your reply, I was afraid of that.  Any suggestion on how we deal with this?

Well, according to this post from one of OpenSSH's developers:

You can add the (undocumented) "UseRoaming no" option to your
/etc/ssh/ssh_config (or ~/.ssh/config), or use the "-oUseRoaming=no"
option when invoking ssh.

Note that these two things have to be done on the client's side.

Another option may be using only key-based authentication (i.e.,
disabling password-based auth), but I'm not entirely sure if that can
really mitigate this CVE (at least I couldn't find anyone suggesting
this approach).  I'd suggest contacting the OpenSSH developers and
confirming with them.


GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14
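
Added example, not part of the message above and not OpenSSH's own code: a shell check that the client-side "UseRoaming no" setting actually applies to every host, given that ssh keeps the first value it obtains for each option. The helper name `check_useroaming` is hypothetical, and `Include` directives and `Match` conditions other than `all` are not evaluated.

```shell
#!/bin/sh
# Added example (check_useroaming is a hypothetical helper name).
# Reads ssh_config-style files in the order ssh does and prints
# "disabled", "enabled" (for at least one host) or "unset".
check_useroaming() {
    awk '
    BEGIN { verdict = "unset" }
    FNR == 1 { global = 1 }            # each file starts outside any Host block
    {
        line = $0
        gsub(/"/, "", line)            # values may be double-quoted
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        # Keyword, then whitespace or a single "=", then the arguments.
        match(line, /^[^ \t=]+/)
        key = tolower(substr(line, 1, RLENGTH))
        rest = substr(line, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", rest)
        n = split(rest, a, " ")
        val = tolower(a[1])
        # Only lines before the first Host/Match, or under "Host *" or
        # "Match all", apply to every connection.
        if (key == "host")  { global = (n == 1 && a[1] == "*"); next }
        if (key == "match") { global = (n == 1 && val == "all"); next }
        if (key != "useroaming" || verdict != "unset") next
        # First obtained value wins, so a "yes" that comes before the
        # global "no" still applies to the hosts its block matches.
        if (val == "yes") verdict = "enabled"
        else if (val == "no" && global) verdict = "disabled"
    }
    END { print verdict }' "$@"
}

# Constructed sample: a per-host "yes" placed ahead of the global "no".
printf '%s\n' 'Host legacy.example' ' UseRoaming yes' 'Host *' ' UseRoaming no' |
    check_useroaming    # prints "enabled"

# Per-user file first, then the system-wide file, as ssh reads them.
set --
for f in "${HOME:-}/.ssh/config" /etc/ssh/ssh_config; do
    if [ -f "$f" ] && [ -r "$f" ]; then set -- "$@" "$f"; fi
done
if [ "$#" -gt 0 ]; then
    echo "effective UseRoaming: $(check_useroaming "$@")"
fi
```

A verdict other than `disabled` means the "-oUseRoaming=no" form is still needed on each invocation, since command-line options take precedence over both files.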

More information about the ubuntu-server mailing list