Subtitle: Qualys finds two worrying bugs in OpenSSH
When I checked my personal rigs, Debian had already released the patches and my home server had already auto-updated itself.
So, the point is to not enable features that undermine security, like using an FQDN as a key (or source of a key), and to enable features that reduce DoS, like a connection timeout. Does not sound like bugs, just like missing default options.
It's still important to not use the affected options.
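As an added example (not from the thread or from the OpenSSH project), the two settings discussed above can be audited from a shell. The comments do not name the options; this script assumes "FQDN as a source of a key" means the client option `VerifyHostKeyDNS` (host keys from DNS SSHFP records) and "connection timeout" means the server option `LoginGraceTime`. Both option names are real OpenSSH keywords; the sample config files are constructed here for the before/after run.

```shell
#!/bin/sh
# Added example, not from the thread. Audits OpenSSH config files for two settings
# that the comment above is assumed to refer to:
#   ssh_config  VerifyHostKeyDNS : accept host keys published in DNS SSHFP records
#               (assumed to be the "FQDN as a source of a key" feature); "no" is
#               OpenSSH's default and the conservative choice.
#   sshd_config LoginGraceTime   : seconds an unauthenticated connection may stay
#               open; "0" disables the timeout, 120 is OpenSSH's default.
# Parsing mirrors OpenSSH's rules for a flat file: keywords are case-insensitive,
# '#' starts a comment, and the first occurrence of a keyword wins. Include,
# Host and Match blocks are deliberately not modelled.

# ssh_setting FILE KEYWORD DEFAULT -> prints the effective value
ssh_setting() {
    awk -v k="$2" -v d="$3" '
        /^[[:space:]]*(#|$)/ { next }                      # comments and blanks
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print d }                        # fall back to default
    ' "$1"
}

# client_host_key_dns_ok FILE -> succeeds when VerifyHostKeyDNS is off
client_host_key_dns_ok() {
    [ "$(ssh_setting "$1" VerifyHostKeyDNS no)" = no ]
}

# server_grace_time_ok FILE -> succeeds when LoginGraceTime is a bounded timeout
# (positive number, optional s/m/h suffix as OpenSSH accepts; "0" means unbounded)
server_grace_time_ok() {
    printf '%s' "$(ssh_setting "$1" LoginGraceTime 120)" | grep -Eq '^[1-9][0-9]*[smh]?$'
}

# Constructed sample configs (not taken from the page) for a before/after run.
weak_client=$(mktemp); good_client=$(mktemp)
weak_server=$(mktemp); good_server=$(mktemp)
trap 'rm -f "$weak_client" "$good_client" "$weak_server" "$good_server"' EXIT

cat > "$weak_client" <<'EOF'
Host *
    verifyhostkeydns yes     # trusts DNS for host keys
EOF
cat > "$good_client" <<'EOF'
Host *
    VerifyHostKeyDNS no
    StrictHostKeyChecking ask
EOF
cat > "$weak_server" <<'EOF'
# unauthenticated clients may hold a connection slot forever
LoginGraceTime 0
LoginGraceTime 30            # ignored: first occurrence wins
EOF
cat > "$good_server" <<'EOF'
LoginGraceTime 30
MaxStartups 10:30:100
EOF

report() {  # report LABEL FILE CHECK
    if "$3" "$2"; then echo "$1: ok"; else echo "$1: WEAK setting"; fi
}
report "weak client" "$weak_client" client_host_key_dns_ok
report "good client" "$good_client" client_host_key_dns_ok
report "weak server" "$weak_server" server_grace_time_ok
report "good server" "$good_server" server_grace_time_ok
```

On a real host, `sshd -T` and `ssh -G hostname` print the fully resolved effective configuration (including Include, Host and Match handling that this script skips), so feeding their output to `ssh_setting` is the more reliable check than parsing the files directly.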
The single biggest attack vector for SSH is IPv4. Disable it and 99% of issues go away.
If my ISP supported IPv6, that would be great!
Hot take: Might be wise to adopt the security by obscurity model and go with an OS that is hardened (ideally, a formally verified microkernel like seL4) or runs in a custom VM/container with almost zero attack surface area.