Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades August 22, 2018 https://www.bleepingcomputer.com/ne...sh-versions-released-in-the-past-two-decades/
Didier Stevens posted a close look at it: OpenSSH User Enumeration Vulnerability: a Close Look https://blog.nviso.be/2018/08/21/openssh-user-enumeration-vulnerability-a-close-look/
This is a little bit FUD. If you use key-based authentication, knowing usernames is not a problem. I mean, I only use root and user as login accounts. It's true that enumerating app-specific usernames is helpful in planning exploits. But depending on obscurity for app security is pretty weak. And I mean, it's pretty obvious if you're running Apache, PHP and MySQL. Or whatever. Also, it's never prudent to expose sensitive servers to the Internet.
Similar bug: OpenSSH Versions Since 2011 Vulnerable to Oracle Attack August 29, 2018 https://www.bleepingcomputer.com/ne...sions-since-2011-vulnerable-to-oracle-attack/
I agree. It really does not matter if some Sunday script kiddie manages to figure out your username if you use public key authentication. They would still need to hack into your computer to steal the keyfile and crack its password. And if someone can do that then you have a bigger problem than this OpenSSH bug...