The libssh authentication bypass (CVE-2018-10933) has been the talk of every channel I'm in for a couple of weeks now, and the headlines have been doing what headlines do. "Four-year-old flaw lets attackers skip the login." It sounds apocalyptic. The reality, as usual, is more interesting and a good deal narrower, and the gap between those two things is where most of the bad decisions get made.
Here's the actual shape of it. libssh, the library, is not OpenSSH. If you SSH into a box, you are almost certainly talking to OpenSSH's sshd, which does not use libssh and is not affected. libssh is a separate implementation that gets embedded in applications, and the bug is on the server side of that library. A client could send an SSH2_MSG_USERAUTH_SUCCESS message, the one the server is meant to send when it has decided you're in, and a vulnerable server would cheerfully accept it and consider you authenticated. You skip the part where you prove who you are by simply telling the server you've already done it.
So the question I went and answered, before reading another word of commentary, was: what do I run that actually links libssh as a server? The honest answer was "almost nothing." Some Git hosting front-ends use it. KDE's network transparency layer uses it. A scattering of bespoke things. It's a real and serious bug for the people exposing libssh-based servers, and they should absolutely patch to 0.7.6 or 0.8.4 yesterday. But the mental image of every SSH session on earth suddenly being wide open is just wrong, and that wrongness is load-bearing in a lot of the panic.
What I keep coming back to is how mundane the underlying mistake is. The server's state machine trusted a message it should never have been willing to receive in that state. It's the same class of error as a web app that checks if (user.isAdmin) on a value the client sent. The grand-sounding word "authentication bypass" describes something that, at the code level, is a missing check on whose turn it is to speak.
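To make the "missing check on whose turn it is to speak" concrete, here is a simplified userauth state machine written for this post; it is not libssh's code and deliberately models only the shape of the mistake. The message numbers are the real RFC 4252 values; the struct, the state names and the credential check are constructed stand-ins.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Message numbers from RFC 4252. */
#define SSH2_MSG_USERAUTH_REQUEST 50
#define SSH2_MSG_USERAUTH_SUCCESS 52

enum auth_state { AUTH_PENDING, AUTH_OK, AUTH_DISCONNECTED };

/* Constructed stand-in for a parsed packet: the type byte plus, for a
 * USERAUTH_REQUEST, the credentials it carried. */
struct msg {
    uint8_t type;
    const char *user;
    const char *password;
};

/* Hypothetical credential check; a real server consults a store. */
static bool credentials_ok(const char *user, const char *password) {
    return user && password &&
           strcmp(user, "alice") == 0 && strcmp(password, "correct horse") == 0;
}

/* Vulnerable shape: one handler table covers every message number, so a
 * client-sent USERAUTH_SUCCESS flips the session to authenticated. */
enum auth_state server_dispatch_vulnerable(enum auth_state st, const struct msg *m) {
    if (st != AUTH_PENDING) return st;
    switch (m->type) {
    case SSH2_MSG_USERAUTH_REQUEST:
        return credentials_ok(m->user, m->password) ? AUTH_OK : AUTH_PENDING;
    case SSH2_MSG_USERAUTH_SUCCESS:
        return AUTH_OK;             /* trusts the peer's claim: the bug */
    default:
        return AUTH_PENDING;
    }
}

/* Hardened shape: the server only ever emits USERAUTH_SUCCESS; receiving it
 * is a protocol violation, and the only route to AUTH_OK is a request that
 * passes the credential check. */
enum auth_state server_dispatch_fixed(enum auth_state st, const struct msg *m) {
    if (st != AUTH_PENDING) return st;
    switch (m->type) {
    case SSH2_MSG_USERAUTH_REQUEST:
        return credentials_ok(m->user, m->password) ? AUTH_OK : AUTH_PENDING;
    case SSH2_MSG_USERAUTH_SUCCESS:
        return AUTH_DISCONNECTED;   /* server-only message from a client */
    default:
        return AUTH_PENDING;
    }
}
```

The difference between the two dispatchers is a single case arm, which is about the size of the check that was missing.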
The practical takeaway for me wasn't "panic about SSH." It was to spend twenty minutes actually enumerating where libssh lives in my stack, find that it was almost nowhere, patch the one thing that mattered, and move on. That's the unglamorous middle path between ignoring a CVE and rebuilding your entire estate over a headline. Most weeks, the right amount of fear is "enough to go and look, not enough to do something stupid." This was one of those weeks.