CVE-2021-36368: 
NixOS vulnerability analysis and mitigation

An issue was discovered in OpenSSH before version 8.9 related to public-key authentication with agent forwarding. The vulnerability (CVE-2021-36368) affects scenarios where clients use public-key authentication with agent forwarding but without the -oLogLevel=verbose option enabled (NVD).

The vulnerability occurs when an attacker has silently modified the server to support the None authentication option. In such cases, users cannot determine whether FIDO authentication is confirming a direct server connection or authorizing that server to connect to a different server on the user's behalf. The issue specifically relates to the authentication process and how the None authentication method interacts with FIDO device confirmations (Mindrot Bugzilla).

The vulnerability could lead to confusion about the context of FIDO authentication requests, potentially allowing an attacker to trick users into authorizing unintended connections. When None authentication is used, the client does not need the agent to sign data, which means users don't need to confirm the login with their FIDO 2 key or ssh-askpass (Mindrot Bugzilla).

The primary mitigation is to upgrade to OpenSSH version 8.9 or later. Additionally, users can set LogLevel=verbose in their SSH configuration to receive messages about authentication conclusions. OpenSSH 8.9 introduced agent restrictions which help prevent such attacks (Mindrot Bugzilla).