Evil OpenSSH servers can steal your private login keys to other systems – patch now • The Register

Malicious OpenSSH servers can silently steal a user's private SSH keys as that user tries to log in, it emerged today. This means criminals who compromise one server can secretly grab, from a connecting user's computer, the keys needed to log into other systems, allowing crooks to jump from server to server.

The security cockup, present in the default configuration of OpenSSH, has been patched today, and all users and administrators are urged to update as soon as possible.

SSH keys are an alternative to passwords: you generate a public and private key pair, give the remote server your public key, and keep the private key on your own computer. Then when you next log in, the client proves it holds the private key by signing a challenge that the server verifies against the public key it was given. If someone swipes your private key, they can log in as you, just as if they had stolen your password…
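To make the key-based login described above concrete, here is an added example (not code from The Register or from OpenSSH) that models SSH "publickey" user authentication as specified in RFC 4252 section 7: the client signs a blob containing the session identifier, the user name and its public key, and the server accepts only if the key is in its authorized list and the signature verifies. It uses Go's standard-library ed25519. The user name "alice", the two servers and the randomly generated session identifiers are constructed for illustration (real session identifiers come from the key exchange hash); the point it demonstrates beyond the text is why the private key, and not a captured signature, is what an evil server needs in order to jump to other systems.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// sshString encodes b as an SSH "string": uint32 big-endian length prefix plus bytes (RFC 4251).
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// userauthBlob builds the data a client signs for SSH_MSG_USERAUTH_REQUEST with the
// "publickey" method (RFC 4252 section 7). The session identifier binds the signature
// to one connection, so a server that receives it cannot replay it to another server.
func userauthBlob(sessionID []byte, user string, pub ed25519.PublicKey) []byte {
	var buf bytes.Buffer
	buf.Write(sshString(sessionID))
	buf.WriteByte(50) // SSH_MSG_USERAUTH_REQUEST
	buf.Write(sshString([]byte(user)))
	buf.Write(sshString([]byte("ssh-connection")))
	buf.Write(sshString([]byte("publickey")))
	buf.WriteByte(1) // boolean TRUE: a signature follows
	buf.Write(sshString([]byte("ssh-ed25519")))
	buf.Write(sshString(pub))
	return buf.Bytes()
}

// Server holds the public keys it accepts per user, the role authorized_keys plays on a real host.
type Server struct {
	sessionID  []byte
	authorized map[string][]ed25519.PublicKey
}

func NewServer(sessionID []byte) *Server {
	return &Server{sessionID: sessionID, authorized: map[string][]ed25519.PublicKey{}}
}

func (s *Server) Authorize(user string, pub ed25519.PublicKey) {
	s.authorized[user] = append(s.authorized[user], pub)
}

// Authenticate accepts a login only if the offered key is authorized for the user and the
// signature verifies over this server's own session blob.
func (s *Server) Authenticate(user string, pub ed25519.PublicKey, sig []byte) bool {
	for _, k := range s.authorized[user] {
		if bytes.Equal(k, pub) {
			return ed25519.Verify(pub, userauthBlob(s.sessionID, user, pub), sig)
		}
	}
	return false
}

// ClientSign is what the SSH client does with the private key during login.
func ClientSign(priv ed25519.PrivateKey, sessionID []byte, user string) []byte {
	pub := priv.Public().(ed25519.PublicKey)
	return ed25519.Sign(priv, userauthBlob(sessionID, user, pub))
}

// Scenario plays out the article's attack: alice logs in to an evil server, which then tries
// to use what it saw against a second server that also trusts her key. It returns whether the
// legitimate login succeeded, whether replaying the captured signature succeeded, and whether
// a login using the stolen private key itself succeeded.
func Scenario() (legit, replayed, stolenKey bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	const user = "alice" // constructed user name

	sidEvil, sidTarget := make([]byte, 32), make([]byte, 32) // constructed session identifiers
	rand.Read(sidEvil)
	rand.Read(sidTarget)
	evil, target := NewServer(sidEvil), NewServer(sidTarget)
	evil.Authorize(user, pub)
	target.Authorize(user, pub)

	sig := ClientSign(priv, sidEvil, user)
	legit = evil.Authenticate(user, pub, sig)          // normal login works
	replayed = target.Authenticate(user, pub, sig)     // replayed signature fails: wrong session ID
	stolenKey = target.Authenticate(user, pub, ClientSign(priv, sidTarget, user)) // stolen key works
	return
}

func main() {
	legit, replayed, stolenKey := Scenario()
	fmt.Printf("legit login: %v, replayed signature: %v, stolen private key: %v\n", legit, replayed, stolenKey)
}
```

The replayed signature fails because the session identifier is part of the signed data, which is exactly why a rogue server that merely observes a login gains nothing; a rogue server that can read the private key out of the client, as this bug allows, gets something reusable on every host that trusts that key.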

Source: Evil OpenSSH servers can steal your private login keys to other systems – patch now • The Register