Five quarters after the Terrapin vulnerability disclosure and first patches of the Strict Kex extension to the SSH protocol, it is time to take a snapshot of the adoption process in the Internet and explore what has worked well and where more work is still to be done.

Attackers set up fake SSH servers, targeting users to unknowingly enter their corporate credentials. Traditionally, SSH security is thought from a server perspective. Did you know you can prevent this attack on the client side with a simple configuration change that almost nobody is aware of?