OpenSSH patches information leak that could expose private SSH keys

Discussion in 'Network World' started by RSS, Jan 15, 2016.

  1. RSS

    RSS New Member Member

    If you're connecting to servers over the secure shell (SSH) protocol using an OpenSSH client, you should update it immediately. The latest version patches a flaw that could allow rogue or compromised servers to read users' private authentication keys.

    The vulnerability stems from an experimental feature known as roaming that allows SSH connections to be resumed. This feature has been enabled by default in OpenSSH clients since version 5.4, released in March 2010, but is not present in the OpenSSH server implementation. As a result, only clients are affected.

    The vulnerability allows a server to read information from a connecting client's memory, including its private keys. It has been fixed in OpenSSH 7.1p2, released Thursday.

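The version range given in the post (roaming on by default since 5.4, fixed in 7.1p2) can be checked against a client's `ssh -V` banner. The following is an added example, not part of the original post or of OpenSSH; the function name `roaming_status` is hypothetical and the sample banners are constructed. It compares version strings only, so a distribution package that backported the fix without changing its version string will still be reported as affected.

```shell
#!/bin/sh
# Added example: classify an OpenSSH client banner against the range
# stated in the post (roaming default-on since 5.4, fixed in 7.1p2).

# Prints one of: affected | patched | predates-roaming | unknown
roaming_status() {
    v=${1#OpenSSH_}
    [ "$v" != "$1" ] || { echo unknown; return; }  # must start with OpenSSH_
    v=${v%%[!0-9.p]*}                              # keep e.g. "6.6.1p1"
    case $v in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return ;;
    esac
    case $v in
        *p*) port=${v##*p}; base=${v%%p*} ;;       # portable release suffix
        *)   port=0;        base=$v ;;             # no suffix: treat as p0
    esac
    old_ifs=$IFS; IFS=.
    set -- $base                                   # split "6.6.1" on dots
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}; port=${port:-0}
    case "$major$minor$patch$port" in
        *[!0-9]*) echo unknown; return ;;
    esac
    # Fold the four fields into one comparable integer.
    n=$(( major * 1000000 + minor * 10000 + patch * 100 + port ))
    if   [ "$n" -lt 5040000 ]; then echo predates-roaming   # before 5.4
    elif [ "$n" -lt 7010002 ]; then echo affected           # 5.4 .. 7.1p1
    else                            echo patched            # 7.1p2 and later
    fi
}

# Constructed sample banners in the format printed by `ssh -V`.
for banner in \
    "OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010" \
    "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014" \
    "OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015" \
    "OpenSSH_7.1p2, OpenSSL 1.0.2e 3 Dec 2015" \
    "SomeOtherClient_1.0"
do
    printf '%-17s %s\n' "$(roaming_status "$banner")" "$banner"
done
```

To classify the locally installed client, pass it the real banner: `roaming_status "$(ssh -V 2>&1)"` (the banner is written to stderr).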
