Recently, an OpenSSH client bug was discovered that could let a malicious or compromised server read the client's private keys in some situations.
If you're affected (you have used a vulnerable client to connect to a server you don't fully trust), follow these steps. SSH regulars will be familiar with most of the commands used.
If you use public key authentication
If you do use keys to authenticate, you should regenerate them, since the old private key may have been exposed. Start by moving the old key aside (you still need it once more, to log in and install the new one). Assuming it's at the default location, just use-
$ mv ~/.ssh/id_rsa ~/.ssh/id_rsa.old
$ mv ~/.ssh/id_rsa.pub ~/.ssh/id_rsa.pub.old
Do the same for any other key types you have in ~/.ssh (id_ed25519, id_ecdsa).
Next, create or edit ~/.ssh/config, and add the following line. This disables the roaming feature, which was part of the problem. It needs to apply to every host, so put it at the top of the file, before any Host block. This is a workaround, not the fix: also install the patched OpenSSH client package once your distribution provides it.
UseRoaming no
Generate new keys-
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/example/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/example/.ssh/id_rsa.
Your public key has been saved in /home/example/.ssh/id_rsa.pub.
Now copy the new public key over, authenticating with the old key. You would normally use ssh-copy-id, but it appends keys rather than replacing them, which is why we do it manually-
scp -i ~/.ssh/id_rsa.old ~/.ssh/id_rsa.pub user@example.com:/home/user/id_rsa.pub.new
SSH in with the old key:
ssh -i ~/.ssh/id_rsa.old user@example.com
Replace all current authorized keys with the newly generated one. This discards every other key in the file as well (for example keys from other machines), so re-add any you still need. The uploaded file sits in the home directory, which is where the login lands:
mv -f id_rsa.pub.new ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Keep this session open and, from a second terminal, log in with the new key to make sure it works. Only then log out, delete the old private key from your machine, and you're done.
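The replacement step is where a slip (an empty file, or the private key uploaded by mistake) locks you out of the server. As an added example, not code from the original post, here is the same procedure as a small POSIX sh script: a local function that refuses to install anything but exactly one well-formed public key and swaps the file in atomically with a backup, plus a wrapper for the remote steps that proves the new key works from a fresh connection before you delete the old one. The host name, file names and key material are placeholders or constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh with grep,
# mktemp and cp. user@example.com, the file names and the sample keys are
# placeholders / constructed.

# 0 only if FILE holds exactly one well-formed OpenSSH public key line.
# This is the check that catches an empty file or a private key being
# shipped as authorized_keys, either of which would lock you out.
valid_pubkey_file() {
    f=$1
    [ -s "$f" ] || return 1
    [ "$(grep -c '' "$f")" -eq 1 ] || return 1
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) AAAA[A-Za-z0-9+/]+=*( .*)?$' "$f"
}

# Replace every key in TARGET (an authorized_keys file) with the single key
# in NEWPUB. Keeps a timestamped backup, writes through a temp file in the
# same directory so the swap is atomic, and sets the modes sshd insists on.
install_authorized_keys() {
    newpub=$1; target=$2
    if ! valid_pubkey_file "$newpub"; then
        echo "refusing: $newpub is not exactly one public key line" >&2
        return 1
    fi
    dir=$(dirname "$target")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    if [ -f "$target" ]; then
        cp -p "$target" "$target.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    tmp=$(mktemp "$dir/.authorized_keys.XXXXXX") || return 1   # created 0600
    cat "$newpub" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$target"
}

# The rotation against one host, following the post: push the new public key
# using the old private key, install it remotely, then prove the new key
# works from a fresh connection. -o UseRoaming=no mirrors the ~/.ssh/config
# line; IdentitiesOnly stops ssh from quietly succeeding with the old key
# from an agent; BatchMode makes a failure an error instead of a password
# prompt. Not run by the offline demo below.
rotate_remote() {
    oldkey=$1; newkey=$2; host=$3   # e.g. ~/.ssh/id_rsa.old ~/.ssh/id_rsa user@example.com
    scp -o UseRoaming=no -i "$oldkey" "$newkey.pub" "$host:id_rsa.pub.new" || return 1
    ssh -o UseRoaming=no -i "$oldkey" "$host" '
        grep -Eq "^(ssh-|ecdsa-)" id_rsa.pub.new || { echo "bad key file" >&2; exit 1; }
        cp -p .ssh/authorized_keys .ssh/authorized_keys.bak &&
        mv -f id_rsa.pub.new .ssh/authorized_keys && chmod 600 .ssh/authorized_keys
    ' || return 1
    ssh -o UseRoaming=no -o IdentitiesOnly=yes -o BatchMode=yes -i "$newkey" "$host" true \
        && echo "new key works; safe to delete $oldkey"
}

# Offline demo with constructed (not real) keys in a throwaway directory.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/.ssh"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0b2xka2V5 laptop\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0b2xka2V5 desktop\n' > "$demo_dir/.ssh/authorized_keys"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG5ld2tleW5ld2tleW5ld2tleW5ld2tleW5ld2tleQ user@laptop\n' > "$demo_dir/new.pub"
install_authorized_keys "$demo_dir/new.pub" "$demo_dir/.ssh/authorized_keys"
cat "$demo_dir/.ssh/authorized_keys"   # only the new ed25519 line remains
rm -rf "$demo_dir"
```

The local function is deliberately strict about "exactly one line": an authorized_keys file with several entries is normal, but during this rotation anything other than the one key you just generated means something went wrong upstream.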
If you don’t use public keys
If you don’t use keys for login, now is a good time to start. Public-key authentication is far more resistant to brute-force attacks than a password, and your password is never sent to the server at all.
Create or edit ~/.ssh/config as above, and make sure it contains this line-
UseRoaming no
Generate a keypair and add your public key to the server-
ssh-keygen
ssh-copy-id user@example.com
Test it out-
ssh user@example.com
At this point, you should disable password-based authentication in the OpenSSH server. If you don’t control the server, set a long random password on your account instead, so it can’t be brute-forced. Either of these generates one:
openssl rand -base64 32
head -c 32 /dev/urandom | base64
Set it on your account:
passwd
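The post says to disable password authentication in the server but not how. As an added example (not from the original post), this POSIX sh script makes the change in an sshd_config file idempotently, keeps the new directive global by placing it ahead of any Match block, and shows the live syntax check and reload. It assumes POSIX sh and awk, an sshd_config at /etc/ssh/sshd_config on a systemd host, and the sample config at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. The config path is a parameter
# so you can try it on a copy before touching /etc/ssh/sshd_config.

# Set KEY to VALUE in sshd_config CFG. Rewrites the first existing directive
# (even a commented-out one) in place, comments out later top-level
# duplicates (sshd honours the first value it sees), and puts a brand-new
# directive before any Match block so it stays global. Directives inside
# Match blocks are left alone: they are deliberate per-user/host exceptions.
set_sshd_option() {
    cfg=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    if awk -v k="$key" -v v="$value" '
        BEGIN { lk = tolower(k); done = 0; inmatch = 0 }
        /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ {
            if (!done) { print k " " v; done = 1 }
            inmatch = 1
        }
        {
            line = $0; sub(/^[ \t]*#?[ \t]*/, "", line); split(line, f, "[ \t=]+")
            if (!inmatch && tolower(f[1]) == lk) {
                if (!done)                  { print k " " v; done = 1 }
                else if ($0 ~ /^[ \t]*#/)   { print }
                else                        { print "# " $0 }
                next
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$cfg" > "$tmp"; then
        cat "$tmp" > "$cfg"; rc=$?   # cat, not mv: keeps the file owner and mode
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# The directives that together stop sshd accepting passwords.
# ChallengeResponseAuthentication matters because PAM's keyboard-interactive
# path can otherwise still prompt for a password.
harden_sshd_config() {
    cfg=$1
    set_sshd_option "$cfg" PubkeyAuthentication yes &&
    set_sshd_option "$cfg" PasswordAuthentication no &&
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
}

# On the live host, as root: syntax-check, print the effective values, reload.
# Keep your current session open until a fresh login with the key succeeds.
apply_live() {
    cfg=${1:-/etc/ssh/sshd_config}
    sshd -t -f "$cfg" || return 1
    sshd -T -f "$cfg" | grep -Ei '^(passwordauthentication|challengeresponseauthentication|kbdinteractiveauthentication|pubkeyauthentication) '
    systemctl reload sshd 2>/dev/null || systemctl reload ssh
}

# Offline demo on a constructed sample config with the weak defaults.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample sshd_config
Port 22
#PasswordAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF
harden_sshd_config "$demo" && cat "$demo"
rm -f "$demo"
```

Run apply_live only after your key login has been tested; if the reload ever does lock you out, the backup copy you made before running the script is what gets you back in via the console.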
Update 2017-10-22: Updated to correct errors in the commands.
You’re copying the private key into the authorized_hosts instead of the public.
@hello – Cheers, updated the post thanks to your comment. The private key is used to log in, and is not copied (see the -i flag). The command was missing the source filename, so would give you an error.