openssh

For Debian that usually means a combination of using the Security Apt repo, and for things like OpenSSH, using the Backports Apt repo.

You'd do better to submit a patch upstream for machine-readable progress output in OpenSSH's 'scp', and bundling that.

It's really the heart and soul of OpenBSD, OpenSSH and all the other projects (libreSSL, etc.) that they release.

Well, it sort of isn't, because the OpenBSD team designed OpenSSH to not use PAM at all.

Mr Hansteen is saying it is not a serious OpenSSH vuln, like the tech media is claiming it is.

It's a site which has strong example configurations for Apache, nginx, Openssh and many many others..

Use the stuff from that Mozilla wiki page and OpenSSH will be secure enough already.

Mozilla's wiki has some information on strengthening the security of your OpenSSH setup.

I've also run this your tool again on our site to confirm the openssl/openssh were fixed.

But that assumes OpenSSH users are using a cryptographic key for authentication.

OpenSSH ubuntu version strongly suggest you are using PHP ubuntu version.

So OpenSSH is unlikely to be adding overhead on that front.

PAM was patched in by some folks, and clearly they got it wrong, but I suspect the OpenSSH team doesn't see that as "part of OpenSSH".

I would call it a systemic design flaw in PAM." is then clearly wrong, it is an OpenSSH bug.

Yes, and this guy, quoted by the article author: "I wouldn't call that an OpenSSH bug.

That's why the original disclosure and subsequent news articles clearly stated it was a FreeBSD and/or PAM vulnerability, and didn't run with headlines such as "OpenSSH keyboard-interactive authentication brute force vulnerability"[0] or "Bug in widely used OpenSSH opens servers to password cracking"[1].