On Tue, 1 Mar 2022, Damien Miller wrote: > We're not aware of any security problems in OpenSSH 8.6 that could yield > access to a locked account like this. I'd just add that if an attacker did have a sshd 0-day, then burning it only to send spam seems amazingly profligate... -d