CVE-2016-20012

Sergio Durigan Junior sergiodj at ubuntu.com
Thu Oct 28 19:43:29 UTC 2021


On Thursday, October 28 2021, Leroy Tennison wrote:

> Sergio,
> Thanks for your reply, I was afraid of that.  Any suggestion on how we deal with this?

Well, according to this post from one of OpenSSH's developers:

  https://marc.info/?l=openbsd-misc&m=145278077920530&w=2

You can add the (undocumented) "UseRoaming no" option to your
/etc/ssh/ssh_config (or ~/.ssh/config), or use the "-oUseRoaming=no"
option when invoking ssh.

Note that these two things have to be done on the client's side.

Another option may be using only key-based authentication (i.e.,
disabling password-based auth), but I'm not entirely sure if that can
really mitigate this CVE (at least I couldn't find anyone suggesting
this approach).  I'd suggest contacting the OpenSSH developers and
confirming with them.

Thanks,

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14
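The client-side configuration change described in the message above, as an added example that is not part of the original thread: a small POSIX shell script that checks an OpenSSH client config file for a `UseRoaming no` directive and prepends it when absent. It takes the file path as an argument (an assumption, so it can be tried on a scratch copy before touching `/etc/ssh/ssh_config` or `~/.ssh/config`); the sample config it creates is constructed for the demonstration. The directive is placed at the top rather than appended, because ssh_config(5) uses the first value obtained for an option and lines before any `Host`/`Match` block apply to every host.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): ensure an OpenSSH
# client config disables the undocumented roaming feature, as the post advises.
# The config path is passed as $1 (assumption) so the script can be exercised
# on a scratch file before being pointed at a real ssh_config.

# Returns 0 when the file already contains an effective "UseRoaming no".
# Matching is case-insensitive and accepts both "UseRoaming no" and
# "UseRoaming=no", the two spellings ssh_config(5) allows.
has_useroaming_no() {
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]=]+no[[:space:]]*$' "$1" 2>/dev/null
}

# Prepends "UseRoaming no" to the file unless it is already present.
# Prepending (not appending) keeps the directive outside any Host/Match
# block, so it applies globally and wins as the first obtained value.
# Writing back with cat preserves the original file's permissions and inode.
ensure_useroaming_no() {
    if has_useroaming_no "$1"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    {
        printf '# Disable the undocumented roaming feature (client side)\n'
        printf 'UseRoaming no\n'
        cat "$1"
    } > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Demonstration on a constructed scratch config (not a real system file).
# The same effect for a single invocation is "ssh -oUseRoaming=no host".
demo_config=$(mktemp)
printf 'Host *\n    ForwardAgent no\n' > "$demo_config"
ensure_useroaming_no "$demo_config"
has_useroaming_no "$demo_config" && echo "roaming disabled in $demo_config"
rm -f "$demo_config"
```

Running the script twice on the same file leaves a single `UseRoaming no` line, so it is safe to use from a configuration-management step that re-runs on every apply.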