A report on the CoreOS remote SSH vulnerability
For those who are curious about how the CoreOS remote SSH vulnerability came to be, the company has posted a detailed report. "This misconfiguration was abetted by confirmation bias. The expected outcome of the change to the CoreOS PAM configuration was for users who presented a password present in an authentication database to be successfully authenticated. Because of the pam_permit failure case explained above, this was the observed behavior in testing, so the change was assumed to be correct. No attempt was made to determine whether the observed behavior could be explained in some other way, such as the system allowing any presented password."
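The report's point is that a positive-only test ("the right password works") cannot distinguish a correct PAM stack from one that accepts anything. The following is an added illustration, not code from CoreOS or from Linux-PAM itself: a small model of how PAM `auth` control flags (required, requisite, sufficient, optional) combine, a hypothetical stack in which `pam_permit` sits in front of the password check, a corrected stack beside it, and the negative tests the postmortem says were never run. The stacks, the `USERS` table and the `core` account are constructed for the example and are not the actual CoreOS configuration.

```python
"""Model of Linux-PAM auth-stack evaluation (constructed illustration).

Not CoreOS's configuration and not the PAM library: the stacks below are
hypothetical, built to show why an auth stack must be exercised with wrong
passwords, empty passwords and unknown users, not only with a valid login.
"""
from typing import Callable, Dict, List, Tuple

# Module results, standing in for PAM_SUCCESS / PAM_AUTH_ERR.
SUCCESS, FAIL = "success", "fail"

# Constructed credential store standing in for /etc/shadow (assumption).
USERS: Dict[str, str] = {"core": "correct horse"}

Module = Callable[[str, str], str]
Stack = List[Tuple[str, Module]]  # (control flag, module) in stack order


def pam_permit(user: str, password: str) -> str:
    """pam_permit always succeeds, whatever credentials were presented."""
    return SUCCESS


def pam_deny(user: str, password: str) -> str:
    """pam_deny always fails; used as the backstop at the end of a stack."""
    return FAIL


def pam_unix(user: str, password: str) -> str:
    """Stand-in for pam_unix: success only if the password matches the store."""
    return SUCCESS if USERS.get(user) == password else FAIL


def run_auth_stack(stack: Stack, user: str, password: str) -> str:
    """Evaluate an auth stack using the simple PAM control-flag semantics.

    required  : failure makes the final result fail, but evaluation continues.
    requisite : failure returns immediately.
    sufficient: success returns immediately unless a required module already
                failed; its own failure is ignored.
    optional  : result ignored (the only-module special case is not modelled).
    """
    required_failed = False
    saw_success = False
    for control, module in stack:
        result = module(user, password)
        if control == "requisite" and result == FAIL:
            return FAIL
        if control in ("required", "requisite"):
            if result == FAIL:
                required_failed = True
            else:
                saw_success = True
        elif control == "sufficient":
            if result == SUCCESS and not required_failed:
                return SUCCESS
    return FAIL if required_failed or not saw_success else SUCCESS


# Hypothetical weak stack: pam_permit is reached before any password is
# checked, so every login succeeds, including the one used in testing.
WEAK_STACK: Stack = [("sufficient", pam_permit), ("required", pam_unix)]

# Hypothetical corrected stack: the password module decides, pam_deny backstops.
FIXED_STACK: Stack = [("sufficient", pam_unix), ("required", pam_deny)]


def audit_stack(stack: Stack) -> Dict[str, bool]:
    """Run the positive test plus the negative tests the postmortem describes as missing."""
    return {
        "correct_password_accepted": run_auth_stack(stack, "core", "correct horse") == SUCCESS,
        "wrong_password_rejected": run_auth_stack(stack, "core", "wrong") == FAIL,
        "empty_password_rejected": run_auth_stack(stack, "core", "") == FAIL,
        "unknown_user_rejected": run_auth_stack(stack, "nobody", "correct horse") == FAIL,
    }


if __name__ == "__main__":
    for name, stack in (("weak", WEAK_STACK), ("fixed", FIXED_STACK)):
        print(name, audit_stack(stack))
```

Run against the weak stack, only `correct_password_accepted` is true: the positive test the report describes passes, while every negative case fails, which is exactly the "some other way" the quoted paragraph says nobody looked for. The fixed stack passes all four.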