On 2021-10-28 15:43, Sergio Durigan Junior wrote:
> On Thursday, October 28 2021, Leroy Tennison wrote:
>> Sergio,
>> Thanks for your reply, I was afraid of that. Any suggestion on how we deal
>> with this?
>
> Well, according to this post from one of OpenSSH's developers:
> https://marc.info/?l=openbsd-misc&m=145278077920530&w=2
> You can add the (undocumented) "UseRoaming no" option to your
> /etc/ssh/ssh_config (or ~/.ssh/config), or use the "-oUseRoaming=no"
> option when invoking ssh.
> Note that these two things have to be done on the client's side.
If I understood the CVE properly, the attacker would try to authenticate
with a likely combination of username and public key. If the combination
is right, the server would challenge the attacker to prove it owns the
private key associated with the public key. The attacker doesn't need to
prove anything and can stop here now that it learned 2 things:
1) the user exists on the server
2) the public key is in user@server's authorized_keys
As such, changing something on the client's side won't help to prevent
the server from disclosing the info to an attacker.
HTH,
Simon
P.S: This sounds like a minor annoyance more than a vulnerability to me
as the attacker still has to guess the private key... discovering the
username<=>pubkey isn't meant to be the hard part here ;)
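As an added illustration of the client-side mitigation Sergio quotes above (this is example code written for this page, not code from the thread, from Ubuntu or from OpenSSH), the following Python checks whether a host's effective UseRoaming value is "no" across the client's config files, and whether an ssh command line carries the -o override. It assumes ssh_config(5) syntax as documented: "Keyword value" or "Keyword=value", case-insensitive keywords, "#" comments, Host blocks with glob patterns and "!" negation, and first-obtained-value-wins. The sample config texts are constructed; Match blocks are skipped, and Python's fnmatch is only an approximation of ssh's own glob. As Simon notes, this only covers the client side and says nothing about what a server discloses.

```python
"""Check whether an OpenSSH client setup disables roaming for a given host.

Hypothetical helper written for this example; it is not part of OpenSSH.
"""
import fnmatch
import re

# ssh_config keywords are alphanumeric; '=' and whitespace both separate
# the keyword from its value.
KEYWORD_RE = re.compile(r'^([A-Za-z0-9]+)\s*=?\s*(.*)$')


def split_keyword(line):
    """Return (lowercase keyword, value) for one config/-o line, or (None, '')."""
    m = KEYWORD_RE.match(line.strip())
    if not m:
        return None, ""
    return m.group(1).lower(), m.group(2).strip().strip('"')


def parse_ssh_config(text):
    """Parse ssh_config text into ordered blocks of (kind, host_patterns, options).

    kind is 'global' (options before any Host/Match line), 'host' or 'match'.
    Within a block the first occurrence of a keyword is kept, as ssh does.
    """
    blocks = []
    kind, patterns, options = "global", None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, value = split_keyword(line)
        if keyword is None:
            continue
        if keyword in ("host", "match"):
            blocks.append((kind, patterns, options))
            kind = keyword
            patterns = value.split() if keyword == "host" else None
            options = {}
        else:
            options.setdefault(keyword, value)
    blocks.append((kind, patterns, options))
    return blocks


def host_matches(patterns, host):
    """Host-line semantics: any positive pattern may match, but a matching
    negated ('!') pattern vetoes the whole line. Hostnames compare case-insensitively."""
    if patterns is None:
        return True
    matched = False
    for p in patterns:
        if p.startswith("!"):
            if fnmatch.fnmatchcase(host.lower(), p[1:].lower()):
                return False
        elif fnmatch.fnmatchcase(host.lower(), p.lower()):
            matched = True
    return matched


def effective_option(blocks, host, keyword):
    """First obtained value wins (ssh_config(5)); None if never set.
    Match blocks are skipped in this example, so a value set only there is missed."""
    keyword = keyword.lower()
    for kind, patterns, options in blocks:
        if kind == "match":
            continue
        if host_matches(patterns, host) and keyword in options:
            return options[keyword]
    return None


def roaming_disabled(host, *config_texts):
    """True when the effective UseRoaming value for host is 'no'.

    Pass config texts in ssh's evaluation order: ~/.ssh/config first,
    then /etc/ssh/ssh_config. An unset value counts as NOT disabled."""
    blocks = [b for text in config_texts for b in parse_ssh_config(text)]
    value = effective_option(blocks, host, "UseRoaming")
    return value is not None and value.lower() == "no"


def cli_disables_roaming(argv):
    """True if the ssh command line carries -oUseRoaming=no, -o UseRoaming=no
    or -o 'UseRoaming no'. Command-line options take precedence over config files."""
    args = list(argv)
    i = 0
    while i < len(args):
        arg, opt = args[i], None
        if arg == "-o" and i + 1 < len(args):
            opt, i = args[i + 1], i + 1
        elif arg.startswith("-o") and len(arg) > 2:
            opt = arg[2:]
        i += 1
        if opt is not None:
            keyword, value = split_keyword(opt)
            if keyword == "useroaming" and value.lower() == "no":
                return True
    return False


# Constructed sample configs (not real files).
SAMPLE_USER_CONFIG = """\
# constructed example ~/.ssh/config
Host bastion
    HostName bastion.example.invalid
    UseRoaming no

Host *.lab.example.invalid !oldbox.lab.example.invalid
    UseRoaming=no
"""
SAMPLE_SYSTEM_CONFIG = """\
# constructed example /etc/ssh/ssh_config with no global mitigation
Host *
    SendEnv LANG LC_*
"""

if __name__ == "__main__":
    for h in ("bastion", "web1.lab.example.invalid", "oldbox.lab.example.invalid", "github.com"):
        print(h, roaming_disabled(h, SAMPLE_USER_CONFIG, SAMPLE_SYSTEM_CONFIG))
    print(cli_disables_roaming(["ssh", "-oUseRoaming=no", "bastion"]))
```

Running it against the constructed configs reports "bastion" and "web1.lab.example.invalid" as covered, while "oldbox.lab.example.invalid" (vetoed by the negated pattern) and "github.com" (no matching block sets the option) are not; the practical fix is a global "Host *" entry with "UseRoaming no" rather than per-host entries.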
--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam