Yes, indeed the backdoor code checks, in the event of ssh authentication with a certificate, that it was signed with a specific ssh private key (their own CA), the corresponding public key being hardcoded in the backdoor code.
But this project xzbot demonstrates how to patch the corrupted liblzma to replace the key
Oh thank you so much for these instructions I'll go through them on my computer.
I indeed wanted to know if the versions were still downloadable anywhere but if you can still install the correct liblzma version on any version of the distribution that works. I tried on a Debian VM on mac but with too little knowledge and it never run the correct liblzma
xzbot from Anthony Weems enables to patch the corrupted liblzma to change the private key used to compare it to the signed ssh certificate, so adding this to your instructions might enable me to demonstrate sshing into the VM :)
(OC)
Alt text:
Timeline reading "All ties" from the far left until "Invention of scissors, -3000". Then it's reading "Rock advantage" until a second marker called "Invention of paper, -179". The final description from there to the far right reads "Balanced".
Taking things for granted on an open-source software without willing to do anything
lemmy.world