OpenSSH RSA Authentication Patch
We can apply the principle we're discussing here to almost any authentication mechanism. Let's take a quick look at OpenSSH's RSA authentication mechanism. After a little searching, we find the following function.
    int
    auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
    {
        u_char buf[32], mdbuf[16];
        MD5_CTX md;
        int len;

        /* don't allow short keys */
        if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
            error("auth_rsa_verify_response: RSA modulus too small: %d < minimum %d bits",
                BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
            return (0);
        }

        /* The response is MD5 of decrypted challenge plus session id. */
        len = BN_num_bytes(challenge);
        if (len <= 0 || len > 32)
            fatal("auth_rsa_verify_response: bad challenge length %d", len);
        memset(buf, 0, 32);
        BN_bn2bin(challenge, buf + 32 - len);
        MD5_Init(&md);
        MD5_Update(&md, buf, 32);
        MD5_Update(&md, session_id, 16);
        MD5_Final(mdbuf, &md);

        /* Verify that the response is the original challenge. */
        if (memcmp(response, mdbuf, 16) != 0) {
            /* Wrong answer. */
            return (0);
        }
        /* Correct answer. */
        return (1);
    }
Once again, it's easy to locate a function that returns 1 or 0 depending on whether a given authentication succeeded. Admittedly, in the case of OpenSSH you would have to do this by patching the binary file on disk, since OpenSSH spawns a child process that performs the authentication. Still, the result of replacing those return 0 statements with return 1 statements is an SSH server to which you can authenticate as any user using any key.
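The defender's counterpart to the on-disk patch described above, added here as an example and not taken from the text or from OpenSSH: record a SHA-256 baseline of the sshd binary and re-check it later, since swapping a return 0 for a return 1 changes the bytes of the file. The binary paths and package names are illustrative assumptions; it relies on coreutils sha256sum.

```shell
#!/bin/sh
# Added example, not OpenSSH code. Baseline and verify sshd (or any binary)
# so that a patched on-disk copy is detected by a hash mismatch.

# Record SHA-256 hashes of the given binaries into BASELINE_FILE.
# Usage: record_baseline BASELINE_FILE BIN...
record_baseline() {
    baseline=$1; shift
    : > "$baseline"
    for bin in "$@"; do
        sha256sum "$bin" >> "$baseline" || return 1
    done
}

# Re-hash every file listed in the baseline. Returns 0 when all still match,
# non-zero if any file was modified or is missing (sha256sum names the file).
# Usage: verify_baseline BASELINE_FILE
verify_baseline() {
    baseline=$1
    sha256sum -c "$baseline"
}

# When the binary was installed from a distro package, also let the package
# manager compare it with the checksum it shipped. Returns 0 if no package
# manager is present or the file belongs to no package. (Assumed paths.)
# Usage: verify_with_package_manager /usr/sbin/sshd
verify_with_package_manager() {
    bin=$1
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$bin" 2>/dev/null) || return 0
        rpm -V "$pkg"
    elif command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$bin" 2>/dev/null | cut -d: -f1) || return 0
        [ -n "$pkg" ] && dpkg -V "$pkg"
    fi
}

# Typical use (assumed path):
#   record_baseline /var/lib/baseline/sshd.sha256 /usr/sbin/sshd
#   ... later ...
#   verify_baseline /var/lib/baseline/sshd.sha256 && verify_with_package_manager /usr/sbin/sshd
```

The baseline only helps if it is stored where a root-level attacker cannot rewrite it alongside the binary, and the package-manager check assumes the package database itself has not been altered.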