
The distinction between authentication and authorization is important, but only in the context of what’s checking that auth(n/z) is valid.

For something like SSH which has authentication and authorization as features, I would expect to talk about an RCE in that context, and not the backdoor’s auth features.

This backdoor bypasses both authentication (not requiring an account password, authorized key, etc. on the target system) as well as authorization (as it doesn’t check a user against any policy for what commands or users can log in).


