Yesterday, the OpenSSH project reported a client side vulnerability affecting OpenSSH versions 5.4 to 7.1. The vulnerability could cause an SSH client to leak key information, potentially exposing users to man-in-the-middle attacks. The vulnerability could allow a malicious SSH server to make the OpenSSH client leak memory contents, including data such as private keys. The vulnerability exists only after a client has successfully authenticated with a malicious SSH server. The vulnerability only exists in the client, not the server software itself.
This issue affects all OpenSSH clients between 5.4 and 7.1 on most modern operating systems including Linux, FreeBSD and Mac OSX. More information can be found here.
While patches and updates are being rolled out for affected distributions, the feature causing this security issue can be disabled manually in order to resolve the issue. For any systems that cannot be patched yet, the recommended client configuration change is to add the following to the global /etc/ssh/ssh_config or your own local ~/.ssh/config file:
Once you have done this, you should close any open SSH sessions in order for the change to be effective.
If you’re unsure: regenerate all your key pairs
If you suspect someone may have gained access to your private keys using this vulnerability, or if you want to be sure just in case, you should regenerate all of your key pairs and upload the new public keys to your servers.