Microseconds
March 29, 2024. A Postgres engineer notices sshd is half a second slower on his test box. The investigation that follows uncovers a two-year supply-chain operation against every Linux distribution.
Briefing
You've been benchmarking sshd because of an unrelated Valgrind warning. Sometime after the latest sid update, sshd is taking 500–800ms longer to fail authentication than it used to. Probably nothing. Probably worth twenty minutes. Start by figuring out which library on your system shipped most recently.
Your role
You're a database engineer testing on Debian sid. You don't work on cryptography or distros. You just noticed something off this weekend and decided to chase it.
Objective
Walk the same trail of evidence: the slow sshd, the patched library, and the malicious tarball that didn't match its git source.
Terminal environment
- user: freund
- host: debian-sid-test
- cwd: /home/freund
- steps: 7
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.