writes "The original story is here.
And more details are available from the guy's weblog here."
Here's a mirror
of that email message. Another reader writes, "Not really a trojan because all it does is make a connection to 18.104.22.168:6667."
Still another writes "The tarball of the portable OpenSSH on ftp.openbsd.org is trojaned. The backdoor is only used during build - generated binaries are fine."
There isn't much authoritative information available, but this appears legitimate - please be careful if you're updating any of your machines with code from ftp.openbsd.org, and we'll update this story with more links as information is available. Update: 08/01 19:13 GMT
: OpenSSH now has an advisory