OpenSSHEA.sh

#!/bin/bash
osVersion=$(sw_vers -productVersion | awk -F\. '{print $2}')
if [[ ${osVersion} -ge 11 ]]; then
    if [[ $(cat /private/etc/ssh/ssh_config | grep -v ^# | grep Roaming >/dev/null; echo $?) -eq 1 ]]; then
        echo "<result>Enabled</result>"
    else
        echo "<result>Disabled</result>"
    fi
else
    if [[ $(cat /private/etc/ssh_config | grep -v ^# | grep Roaming >/dev/null; echo $?) -eq 1 ]]; then
        echo "<result>Enabled</result>"
    else
        echo "<result>Disabled</result>"
    fi
fi

OpenSSHpatch.sh

#!/bin/bash
# OpenSSHfix.sh
# Script to mitigate vulnerability in OpenSSH on Macs. See CVE-2016-0777 and CVE-2016-0778. Thanks to Robert Hammen on the MacAdmins #security channel for paths and commands to set roaming off. Tested on Mavericks, Yosemite and El Capitan.

osVersion=$(sw_vers -productVersion | awk -F\. '{print $2}')
if [[ ${osVersion} -ge 11 ]]; then
  if [[ $(cat /private/etc/ssh/ssh_config | grep -v ^# | grep Roaming >/dev/null; echo $?) -eq 1 ]]; then
    echo "Disabling client-side roaming."
    echo -e 'Host *\nUseRoaming no' >> /private/etc/ssh/ssh_config
  else
    echo "Client-side roaming disabled. No changes necessary."
  fi
else
  if [[ $(cat /private/etc/ssh_config | grep -v ^# | grep Roaming >/dev/null; echo $?) -eq 1 ]]; then
    echo "Disabling client-side roaming."
    echo -e 'Host *\nUseRoaming no' >> /private/etc/ssh_config
  else
    echo "Client-side roaming disabled. No changes necessary."
  fi
fi

exit 0

I would probably add a | grep -v ^# before the | grep Roaming lines to make sure I'm finding a Roaming line that isn't commented out.

Big thanks for posting this and doing the hard work / here and on the slack channel!

Made suggest change. Thanks bmike.