There's one obvious thing I totally forgot to mention, but the initial spin
put on this issue is *all wrong*.

Calling that an "OpenSSH bug" is, pure and simple, slander.

If anything, it is a PAM bug.

Or you can say it's a system integration bug on FreeBSD.


Calling that an OpenSSH bug just because OpenSSH does not take all the
necessary paranoid measures required by an insane auth system is an
over-simplification that goes in one specific direction.  To throw mud
in OpenSSH's direction.

But yeah, it's SO SIMPLE to try to blame the openssh team (because you know,
they're full of hubris) instead of putting the blame where the blame is.

- treat password hashing as something mundane (FreeBSD). For sure it's not
your task to make it hard to brute-force passwords.
- treat authentication as a maze (PAM). For sure, it's not your task to make
things clear and simple so that configuration mistakes HAPPEN ALL THE TIME.
- put all the blame on openssh, because you know, they're the only guys
who have a clue about what's going on.
- forget to mention this specific issue happens on ONE particular system
due to ONE specific set of conditions. Do not EVER try it everywhere. Publish
first. Leaving it to the OpenBSD developers to reassert that this ONLY affects
one *specific* deployment of OpenSSH.


Here, I'll give you my root password. You can now exploit my machine.
