In this article, you will learn how to add a backdoor to an SSH public key. The backdoor executes whenever the user logs in and hides as a long, unreadable hex-string inside ~/.ssh/authorized_keys or ~/.ssh/id_*.pub.
Simply prepend the following backdoor-string to any SSH public key - everything up to, but not including, the ssh-ed25519 AAAAC3Nzblah... part:
OpenSSH has an unsung feature that executes a command (instead of a shell) when a user successfully logs in. AWS, for example, uses it to tell the customer not to log in as root:
The trick is to use OpenSSH's command= option to silently start our backdoor and then execute the user's shell (with a PTY) without the user noticing.
Let's dissect the backdoor-string. The no-user-rc,no-X11-forwarding part is a ruse to throw off prying eyes; it can be omitted.
First, it uses a canary to make sure the backdoor is started only once rather than on every login: if ~/.ssh and /bin/sh have the same date, the backdoor is assumed to be installed already. Otherwise it sets them to the same date and then executes the backdoor.
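On the defender's side, the same command= option is what an audit of ~/.ssh/authorized_keys should look for. The following is an added example, not code from the article: it parses the options field of each authorized_keys entry (comma-separated, with quoted values that may themselves contain commas and spaces) and reports every forced command, flagging those that embed a long hex blob like the one described above. The sample entries are constructed.

```python
import re
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-")
HEX_BLOB = re.compile(r"[0-9a-fA-F]{40,}")  # 40+ hex digits: the opaque blob the article describes

def parse_options(line):
    """Options at the start of an authorized_keys line ([] if none); ends at first unquoted whitespace."""
    line = line.strip()
    if not line or line.startswith("#") or line.split(None, 1)[0].startswith(KEY_TYPES):
        return []  # blank, comment, or a key with no options field
    opts, cur, in_quote, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote and i + 1 < len(line):  # keep escaped char verbatim
            cur += line[i:i + 2]
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c.isspace() and not in_quote:  # end of the options field
            break
        if c == "," and not in_quote:  # quoted commas belong to the value
            opts.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    return opts + [cur] if cur else opts

def audit_line(line):
    """Findings for one line: any forced command, plus a flag if it embeds a long hex blob."""
    findings = []
    for opt in parse_options(line):
        name, _, value = opt.partition("=")
        if name.strip().lower() == "command":
            findings.append("forced command: " + value.strip('"'))
            if HEX_BLOB.search(value):
                findings.append("long hex blob inside forced command")
    return findings
# Constructed sample entries (not from any real system); the third mimics the article's layout.
SAMPLE = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnly user@host",
    'command="/usr/bin/uptime",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAAExample restricted',
    'no-user-rc,no-X11-forwarding,command="echo 4142434445464748494a4b4c4d4e4f5051525354" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnly user@host',
]
if __name__ == "__main__":
    for n, line in enumerate(SAMPLE, 1):
        for finding in audit_line(line):
            print(f"line {n}: {finding}")
```

Run it over every user's authorized_keys (and any *.pub the article names) and review each reported forced command by hand; legitimate restricted keys also use command=, so the finding is a lead, not a verdict.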