"UseRoaming no"

Hey, it’s been almost a year since we’ve had a computer security issue bad enough that I have to sing a song about it! This time around the bug only affects “computer people” who use “ssh”, “scp”, or “private keys”. But for those of us who do…oh gosh.

If you’re on a slow internet connection, you might want to download the audio instead.

This bug doesn’t have a catchy name, just “CVE-2016-0777 and CVE-2016-0778”. There’s a lot of information on the OpenBSD Journal, including the full technical report from computer security company Qualys, but the gist of it is:

  1. Code for an experimental feature from years ago was left in the ssh tool that’s used to securely connect to other computers.
  2. That code has a “ring buffer” that stores synchronization data between the client and server. The buffer doesn’t correctly distinguish between the “completely empty” and “completely full” states.
  3. A malicious server can get the client to send whatever’s in the “empty” buffer, which is whatever was in memory before. If you’re unlikely, this could include your private key—which is what makes the connection secure. With this, someone else can pretend to be you.

Fortunately, you can turn off the leftover feature by adding “UseRoaming no” to your SSH configuration:

echo -e 'Host *\nUseRoaming no' >> ~/.ssh/config

If you always use ssh-agent, you’re okay, because then the key’s not ever loaded into the client process. But it’s hard to verify that. I decided to replace all my keys, assuming the old ones might be compromised.

The song, of course, is a parody of “You’ve Got To Hide Your Love Away”, by the Beatles.


One fine day your boss will say
Something’s wrong on the site
Got a file to make her smile
And fix this problem tonight

Sensibly, you scp
But something’s gone awry
When the server reconnects
Kiss security goodbye

Hey, you’ve got to hide your private key
Hey, you’ve got to hide your private key

Empty or full, that’s our first hole
The next, leaving data behind
Fortunately, the fix is easy
“UseRoaming no”, you’ll be fine

How could we have shipped this feature
Broken for so long?
Without a doubt we must rip it out
Before something else goes wrong

Hey, you’ve got to hide your private key
Hey, you’ve got to hide your private key
Hey, you should be careful what you free()
Hey, you’ve got to hide your private key

blog comments powered by Disqus