It will still work if the connecting client offers a RSA key.

The only real way to be sure it's not on your system is if your liblzma version is strictly less than 5.6.0 (first infected version):

    ls -al $(ldd $(which sshd) | grep lzma | awk '{ print $3 }')

Thanks for the reply, I was just curious because `RSA_public_decrypt` threw me off.

FWIW RSA_public_decrypt is an 90s way of saying RSA_signature_validate

This backdoor does not care about any of the authorisation configuration set by the user.

It is executed before that step. So just make sure you are not affected.

It was just that it hooks to `RSA_public_decrypt` which threw me off, I didn't really understand this backdoor much. I only have one Debian sid machine which was vulnerable and accessible via a public IPv4 ssh, I'm not sure if I should just wipe it.