CVE-2016-20012

Simon Deziel simon at sdeziel.info
Fri Oct 29 14:12:55 UTC 2021


On 2021-10-28 15:43, Sergio Durigan Junior wrote:
> On Thursday, October 28 2021, Leroy Tennison wrote:
> 
>> Sergio,
>> Thanks for your reply; I was afraid of that.  Any suggestion on how we deal with this?
> 
> Well, according to this post from one of OpenSSH's developers:
> 
>    https://marc.info/?l=openbsd-misc&m=145278077920530&w=2
> 
> You can add the (undocumented) "UseRoaming no" option to your
> /etc/ssh/ssh_config (or ~/.ssh/config), or use the "-oUseRoaming=no"
> option when invoking ssh.
> 
> Note that these two things have to be done on the client's side.

If I understood the CVE properly, the attacker would try to authenticate 
with a likely combination of username and public key. If the combination 
is right, the server would challenge the attacker to prove it owns the 
private key associated with the public key. The attacker doesn't need to 
prove anything and can stop here now that it learned 2 things:

1) the user exists on the server
2) the public key is in user@server's authorized_keys


As such, changing something on the client's side won't help to prevent 
the server from disclosing the info to an attacker.

HTH,
Simon

P.S: This sounds like a minor annoyance more than a vulnerability to me 
as the attacker still has to guess the private key... discovering the 
username<=>pubkey isn't meant to be the hard part here ;)



More information about the ubuntu-server mailing list