
Just a note: the default AWS Linux AMI doesn't seem to have this problem on the server side. Connecting to one of my EC2 instances with verbose on I get the following message:

  debug1: Roaming not allowed by server
Yeah! AWS Linux for the win. :)



This is a client-only vulnerability:

   The matching server code has never been shipped, but the client
   code was enabled by default and could be tricked by a malicious
   server into leaking client memory to the server, including private
   client user keys.[1]
[1] https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-Ja...


That message actually means that your client has roaming enabled and is therefore vulnerable.


OpenSSH server doesn't support roaming. This is a client-only issue. The problem is that your connection could be MITM'd by someone looking to exploit this bug.


> your connection could be MITM'd

MITM isn't a risk, if I understand this statement in the undeadly.org announcement:

   The authentication of the server host key prevents exploitation
   by a man-in-the-middle, so this information leak is restricted
   to connections to malicious or compromised servers.


Unless it's your first connection to a legit uncompromised server, yes? (AWS instance, etc)



