Bugfix release notes: https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-sec...

You're telling me that, basically, an attacker says "you've already said you trust me" and the server answers "sure, I did"? Wow.

"libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.

The bug was discovered by Peter Winter-Smith of NCC Group."