How safe is it to run an unpatched, internet-exposed OpenSSH service?

Çağlar Arlı

There have recently been several reported security issues with OpenSSH (Terrapin, double-frees, remote execution, X11 forwarding vulnerabilities...). How safe is it for a server to expose OpenSSH (using public key authentication) to the internet?

For example, if the server were significantly (e.g. 5-10 years) behind on patches, how feasible would it be for attackers to break into the server without the private key?