Backdooring OpenSSH
10-17, 16:00–16:50 (America/New_York), Track 2 (206a)
Language: English

In this talk learn how OpenSSH can be backdoored through AuthorizedKeysCommands, TrustedCAKeys, and other techniques learned from Red Teaming at security competitions. Learn how to defend yourself and use these techniques to enhance your security.


Introduction: OpenSSH has multiple features intended to make it more secure; however, these same features can be leveraged against a systems administrator. TrustedCAKeys allows time-bound SSH access through SSH certificates, and AuthorizedKeysCommands allows an external script to be called to determine which keys are valid, as with Amazon's ec2-connect system. These features can be abused to provide a backdoor with 2 lines of configuration and 2 lines of code.

TrustedCAKeys: Multiple systems such as HashiCorp Vault, Gravitational Teleport, Step-CA, and home-grown solutions leverage SSH certificates to provide time-bound access: SSH keys can be used to sign other SSH keys, and the resulting certificates can be used to enable SSH access to a host. What happens if the trusted CA key is replaced with attacker-controlled data?

AuthorizedKeysCommands: OpenSSH can be configured to call a script or binary with arbitrary arguments, such as the user or the key used, and whatever it writes to stdout is treated as the set of keys OpenSSH should accept; this is used in services such as Amazon ec2-connect. What happens if these scripts are modified to output attacker-controlled data from, say, a DNS TXT record lookup, a curl command, or just an outright echo? This section will explore the possibilities, including making a system accept any SSH key no matter what.

Persistence: This section will cover methods such as the FreeBSD schg immutable flag, systemd system and user timers, and alternative OpenSSH config locations to make the backdoor harder to remove.
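As an added example for defenders, not part of the talk, the script below audits an sshd_config for the directives the TrustedCAKeys, AuthorizedKeysCommands and Persistence sections above revolve around. In sshd_config(5) those keywords are spelled AuthorizedKeysCommand (with AuthorizedKeysCommandUser) and TrustedUserCAKeys, and "alternative config locations" reach sshd through Include lines; the script reports every occurrence, records whether it sits in a Match block, compares the result against the administrator's known-good baseline, and applies a path heuristic. The sample config, the baseline, the path /usr/local/bin/lookup_keys and the user name keylookup are all constructed for the example.

```python
"""Offline audit of an sshd_config for directives that move key acceptance
out of ~/.ssh/authorized_keys (AuthorizedKeysCommand, TrustedUserCAKeys and
related keywords) and for Include lines that pull in extra config locations.
Added example, not from the talk; all sample values are constructed."""
import re
from dataclasses import dataclass

# Directives worth reviewing: each one lets something other than the user's
# own authorized_keys file decide which keys sshd accepts, or pulls config in
# from elsewhere. Lower-cased because sshd keywords are case-insensitive.
WATCHED = {
    "authorizedkeyscommand",
    "authorizedkeyscommanduser",
    "authorizedkeysfile",
    "trustedusercakeys",
    "authorizedprincipalsfile",
    "authorizedprincipalscommand",
    "include",
}

# Heuristic only (assumption for this example): a CA file or key-lookup
# command living outside these prefixes is unusual on a stock install and
# deserves a look. Adjust to match your fleet.
EXPECTED_PREFIXES = ("/etc/ssh/", "/usr/", "/opt/")


@dataclass(frozen=True)
class Finding:
    line_no: int
    directive: str   # lower-cased keyword
    value: str       # rest of the line, as written
    context: str     # "global" or the text of the enclosing Match line


def audit_sshd_config(text):
    """Parse sshd_config text and return every WATCHED directive found."""
    findings = []
    context = "global"
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        m = re.match(r"^(\S+?)(?:\s+|\s*=\s*)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            # Everything after a Match line applies only to that block, so a
            # directive placed here does not show up when someone checks only
            # the global setting.
            context = line
            continue
        if key in WATCHED:
            findings.append(Finding(n, key, value, context))
    return findings


def unexpected(findings, baseline):
    """Findings whose (directive, value) pair is not in the known-good set."""
    return [f for f in findings if (f.directive, f.value) not in baseline]


def odd_paths(findings):
    """Heuristic: command or CA paths outside EXPECTED_PREFIXES."""
    path_directives = {"authorizedkeyscommand", "trustedusercakeys",
                       "authorizedprincipalscommand"}
    return [f for f in findings
            if f.directive in path_directives
            and not f.value.startswith(EXPECTED_PREFIXES)]


# Constructed sample; the Match block at the end is the kind of entry a
# reviewer would want surfaced.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin no
Include /etc/ssh/sshd_config.d/*.conf
AuthorizedKeysCommand /usr/local/bin/lookup_keys %u %k
AuthorizedKeysCommandUser keylookup
Match User backup
    TrustedUserCAKeys /var/tmp/.ca.pub
"""

# What the administrator believes is configured (constructed baseline).
KNOWN_GOOD = {
    ("include", "/etc/ssh/sshd_config.d/*.conf"),
    ("authorizedkeyscommand", "/usr/local/bin/lookup_keys %u %k"),
    ("authorizedkeyscommanduser", "keylookup"),
}

if __name__ == "__main__":
    found = audit_sshd_config(SAMPLE_CONFIG)
    for f in unexpected(found, KNOWN_GOOD):
        print(f"line {f.line_no}: {f.directive} {f.value}  [{f.context}]")
    for f in odd_paths(found):
        print(f"line {f.line_no}: {f.directive} path outside expected prefixes")
```

Two points about how sshd reads this file matter when interpreting the output. For most keywords the first value obtained wins, so a duplicate global AuthorizedKeysCommand later in the file is inert, while the same keyword inside a Match block does take effect for matching connections; that is why the script keeps the Match context. And because Include lines (and an sshd started with -f pointing at another file) change what is actually loaded, compare the script's findings with the effective configuration printed by sshd -T rather than trusting a single file on disk.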

EvilMog otherwise known as Dustin Heywood is an Executive Managing Hacker and Senior Technical Staff Member at IBM X-Force. He is a member of "Team Hashcat", a Bishop of the Church of Wifi, a black badge collector, and has been performing Identity and Access Management Research for the better part of 2 decades.