CVE-2016-20012
Simon Deziel
simon at sdeziel.info
Fri Oct 29 14:12:55 UTC 2021
On 2021-10-28 15:43, Sergio Durigan Junior wrote:
> On Thursday, October 28 2021, Leroy Tennison wrote:
>
>> Sergio,
>> Thanks for your reply, I was afraid of that. Any suggestion on how we deal with this?
>
> Well, according to this post from one of OpenSSH's developers:
>
> https://marc.info/?l=openbsd-misc&m=145278077920530&w=2
>
> You can add the (undocumented) "UseRoaming no" option to your
> /etc/ssh/ssh_config (or ~/.ssh/config), or use the "-oUseRoaming=no"
> option when invoking ssh.
>
> Note that these two things have to be done on the client's side.
If I understood the CVE properly, the attacker would try to authenticate
with a likely combination of username and public key. If the combination
is right, the server would challenge the attacker to prove it owns the
private key associated with the public key. The attacker doesn't need to
prove anything and can stop here, now that it has learned two things:
1) the user exists on the server
2) the public key is in user@server's authorized_keys
As such, changing something on the client's side won't help prevent
the server from disclosing the info to an attacker.
HTH,
Simon
P.S.: This sounds like a minor annoyance more than a vulnerability to me,
as the attacker still has to guess the private key... discovering the
username<=>pubkey mapping isn't meant to be the hard part here ;)
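The exchange Simon describes is the "publickey" query step of RFC 4252 section 7: the client sends a USERAUTH_REQUEST whose signature flag is FALSE, and the server answers USERAUTH_PK_OK only if that key is acceptable for that user. The following is an added example, not code from the thread or from OpenSSH: it encodes both messages on the wire and stands in a small simulated server for sshd's decision logic. The usernames, the authorized_keys line and the ed25519 key bytes are all constructed for the demo and are not real keys.

```python
"""Simulated SSH 'publickey' query (RFC 4252 section 7).

Shows why the leak is a server-side property: the client never needs a
private key to learn whether user+key is listed in authorized_keys.
All key material and account names below are constructed for this demo.
"""
import base64
import struct

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_PK_OK = 60


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode one RFC 4251 string at offset; return (value, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def ed25519_blob(raw32: bytes) -> bytes:
    """Wire encoding of an ssh-ed25519 public key: string type, string key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def authorized_keys_line(blob: bytes, comment: str) -> str:
    """Render a key blob the way it appears in ~/.ssh/authorized_keys."""
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_authorized_keys(text: str) -> set:
    """Return the set of raw key blobs listed in an authorized_keys file.
    Option prefixes (from=..., command=...) are not handled in this demo."""
    blobs = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        blobs.add(base64.b64decode(parts[1]))
    return blobs


def build_pk_query(user: str, alg: bytes, blob: bytes) -> bytes:
    """Client side: USERAUTH_REQUEST with the 'signature present' flag FALSE.
    No private key is involved in producing this message."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey")
            + b"\x00"                      # boolean FALSE: query only
            + ssh_string(alg)
            + ssh_string(blob))


def server_handle(packet: bytes, accounts: dict) -> bytes:
    """Simulated server (stand-in for sshd, not its code).
    accounts maps username -> set of acceptable key blobs."""
    assert packet[0] == SSH_MSG_USERAUTH_REQUEST
    off = 1
    user, off = read_string(packet, off)
    _service, off = read_string(packet, off)
    method, off = read_string(packet, off)
    has_sig = packet[off]
    off += 1
    alg, off = read_string(packet, off)
    blob, off = read_string(packet, off)
    failure = (bytes([SSH_MSG_USERAUTH_FAILURE])
               + ssh_string(b"publickey")   # methods that can continue
               + b"\x00")                   # partial success: FALSE
    if method != b"publickey" or has_sig:
        return failure  # signed requests are outside this demo
    # Unknown user and unlisted key produce the same FAILURE message;
    # only a listed user+key pair is distinguishable, via PK_OK.
    if blob in accounts.get(user.decode(), set()):
        return (bytes([SSH_MSG_USERAUTH_PK_OK])
                + ssh_string(alg) + ssh_string(blob))
    return failure


def probe(user: str, blob: bytes, accounts: dict) -> bool:
    """Attacker's view: True iff the server confirms user+key, no signature sent."""
    reply = server_handle(build_pk_query(user, b"ssh-ed25519", blob), accounts)
    return reply[0] == SSH_MSG_USERAUTH_PK_OK


# Constructed demo data (not real keys, not real accounts).
ALICE_KEY = ed25519_blob(bytes(range(32)))
OTHER_KEY = ed25519_blob(bytes(range(32, 64)))
ACCOUNTS = {
    "alice": parse_authorized_keys(
        "# constructed authorized_keys\n"
        + authorized_keys_line(ALICE_KEY, "alice@laptop") + "\n"),
}

if __name__ == "__main__":
    print("alice + her key   :", probe("alice", ALICE_KEY, ACCOUNTS))
    print("alice + other key :", probe("alice", OTHER_KEY, ACCOUNTS))
    print("bob   + alice key :", probe("bob", ALICE_KEY, ACCOUNTS))
```

Note that the two negative cases (wrong key for a real user, any key for a non-existent user) yield byte-identical FAILURE messages, so the probe only ever confirms a correct pairing; that matches Simon's point that a client-side option cannot stop the server from answering the query.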
More information about the ubuntu-server mailing list