Theo de Raadt suggests that a significant OpenSSH security issue is about to be exposed; the message reads, in full: “Important SSH patch coming soon. For now, every on all operating systems, please do the following: Add undocumented ‘UseRoaming no’ to ssh_config or use ‘-oUseRoaming=no’ to prevent upcoming #openssh client bug CVE-2016-0777. More later.“
Update: that important patch appears to be OpenSSH 7.1p2, available now. “The OpenSSH client code between 5.4 and 7.1 contains experimential support for resuming SSH-connections (roaming). The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys.” There are a few other security fixes there as well.
