"UseRoaming no"
Hey, it’s been almost a year since we’ve had a computer security issue bad enough that I have to sing a song about it! This time around the bug only affects “computer people” who use “ssh”, “scp”, or “private keys”. But for those of us who do…oh gosh.
If you’re on a slow internet connection, you might want to download the audio instead.
This bug doesn’t have a catchy name, just “CVE-2016-0777 and CVE-2016-0778”. There’s a lot of information on the OpenBSD Journal, including the full technical report from computer security company Qualys, but the gist of it is:
- Code for an experimental feature from years ago (connection "roaming": resuming an SSH session after the network drops or changes) was left in the ssh tool that's used to securely connect to other computers.
- That code has a "ring buffer" that caches the data the client has already sent, so it can be resent if the connection is resumed. The buffer doesn't correctly distinguish between the "completely empty" and "completely full" states.
- A malicious server can get the client to send whatever's in the "empty" buffer, which is whatever was in memory before it was allocated. If you're unlucky, this could include your private key, the thing that makes the connection secure. With it, someone else can pretend to be you.
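The empty-versus-full ambiguity, shown as an added example in C. This is illustration code written for this post, not OpenSSH's roaming code: the names naive_ring, safe_ring, naive_available and the rest are made up, and the 0xAA fill is a constructed stand-in for whatever happened to be in heap memory before the buffer was allocated. The naive ring keeps only two indices, so "start == last" means both "nothing cached yet" and "wrapped all the way around"; its available() guesses "full", and a resend request against a freshly connected client hands back the whole uninitialized buffer. The safe ring keeps an explicit count (and should also be zero-filled when allocated), so the same request is refused.

```c
#include <stddef.h>
#include <string.h>

#define RING_SIZE 8   /* tiny so the wrap-around is easy to follow */

/* Copy the `needed` most recently cached bytes (the ones ending at `last`)
 * into `out`, handling the wrap. Shared by both rings below. */
long ring_resend_raw(const unsigned char *buf, size_t last, size_t needed,
                     unsigned char *out)
{
    size_t i, pos = (last + RING_SIZE - needed) % RING_SIZE;
    for (i = 0; i < needed; i++) {
        out[i] = buf[pos];
        pos = (pos + 1) % RING_SIZE;
    }
    return (long)needed;
}

/* ---- Naive ring: two indices only (illustration, not OpenSSH's code) ---- */
typedef struct {
    unsigned char buf[RING_SIZE];
    size_t start;   /* oldest cached byte */
    size_t last;    /* one past the newest cached byte */
} naive_ring;

void naive_put(naive_ring *r, unsigned char c)
{
    r->buf[r->last] = c;
    r->last = (r->last + 1) % RING_SIZE;
    if (r->last == r->start)                 /* lapped the oldest byte: drop it */
        r->start = (r->start + 1) % RING_SIZE;
}

/* The bug: start >= last is taken to mean "wrapped, so every slot is valid",
 * but a ring that has never been written to looks exactly the same. */
size_t naive_available(const naive_ring *r)
{
    if (r->start < r->last)
        return r->last - r->start;
    return RING_SIZE;
}

long naive_resend(const naive_ring *r, size_t needed, unsigned char *out)
{
    if (needed > naive_available(r))
        return -1;
    return ring_resend_raw(r->buf, r->last, needed, out);
}

/* ---- Safe ring: an explicit count removes the ambiguity ---- */
typedef struct {
    unsigned char buf[RING_SIZE];
    size_t start, last;
    size_t count;   /* bytes actually cached, 0..RING_SIZE */
} safe_ring;

void safe_put(safe_ring *r, unsigned char c)
{
    r->buf[r->last] = c;
    r->last = (r->last + 1) % RING_SIZE;
    if (r->count == RING_SIZE)
        r->start = (r->start + 1) % RING_SIZE;   /* overwrote the oldest byte */
    else
        r->count++;
}

long safe_resend(const safe_ring *r, size_t needed, unsigned char *out)
{
    if (needed > r->count)                /* never hand out bytes never cached */
        return -1;
    return ring_resend_raw(r->buf, r->last, needed, out);
}

/* A malicious server asks a freshly connected client to "resend" RING_SIZE
 * bytes before anything has been cached. The 0xAA fill is a constructed
 * stand-in for stale heap contents (in the real bug, possibly key material). */
long demo_naive_leak(unsigned char *out)
{
    naive_ring r;
    memset(r.buf, 0xAA, sizeof r.buf);
    r.start = r.last = 0;
    return naive_resend(&r, RING_SIZE, out);   /* 8: the whole stale buffer leaks */
}

long demo_safe_refuses(unsigned char *out)
{
    safe_ring r;
    memset(r.buf, 0xAA, sizeof r.buf);
    r.start = r.last = r.count = 0;
    return safe_resend(&r, RING_SIZE, out);    /* -1: nothing cached, nothing sent */
}

/* Once real traffic has been cached, both rings answer the same legitimate
 * request, so the fix costs nothing in the normal case. */
long demo_after_traffic(unsigned char *naive_out, unsigned char *safe_out)
{
    naive_ring n; safe_ring s; int i;
    memset(&n, 0, sizeof n);
    memset(&s, 0, sizeof s);
    for (i = 0; i < 5; i++) {
        naive_put(&n, (unsigned char)('a' + i));
        safe_put(&s, (unsigned char)('a' + i));
    }
    if (naive_resend(&n, 3, naive_out) != 3 || safe_resend(&s, 3, safe_out) != 3)
        return -1;
    return memcmp(naive_out, safe_out, 3) == 0 ? 3 : -1;   /* both give "cde" */
}
```

The count field is the whole fix: with it, "how much may the server ask for" is answered from what was actually written, not inferred from two indices that collide in exactly the state an attacker can trigger on purpose. Zero-filling the buffer at allocation is the second, independent layer, so that even a wrong length check leaks zeros rather than leftovers.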
Fortunately, you can turn off the leftover feature by adding "UseRoaming no" to your SSH configuration (the upstream fix, OpenSSH 7.1p2, does the same thing by disabling roaming by default):
printf 'Host *\nUseRoaming no\n' >> ~/.ssh/config
Appending it at the end is fine: ssh uses the first value it finds for each option, so this applies to every host except one whose own Host block already sets UseRoaming. For a single connection, "ssh -o UseRoaming=no hostname" does the same thing.
If you always use ssh-agent, you're okay, because then the key's not ever loaded into the client process. But it's hard to verify that. I decided to replace all my keys, assuming the old ones might be compromised.
The song, of course, is a parody of “You’ve Got To Hide Your Love Away”, by the Beatles.
One fine day your boss will say
Something’s wrong on the site
Got a file to make her smile
And fix this problem tonight

Sensibly, you scp
But something's gone awry
When the server reconnects
Kiss security goodbye

Hey, you've got to hide your private key
Hey, you've got to hide your private key

Empty or full, that's our first hole
The next, leaving data behind
Fortunately, the fix is easy
"UseRoaming no", you'll be fine

How could we have shipped this feature
Broken for so long?
Without a doubt we must rip it out
Before something else goes wrong

Hey, you've got to hide your private key
Hey, you've got to hide your private key
Hey, you should be careful what you free()
Hey, you've got to hide your private key