Decrypting OpenSSH sessions for fun and profit
ID: 22188c98-6db6-5f67-918b-d026605b99fa
STIX ID: report--22188c98-6db6-5f67-918b-d026605b99fa
Feed Name: Fox-IT blog
This blog post describes research and tooling to recover OpenSSH session keys from process memory and memory snapshots (using ptrace and Volatility plugins) and to decrypt and parse SSH PCAPs, demonstrated on a forensic case where a modified OpenSSH binary was used as a backdoor. The author explains OpenSSH internals, the sshenc/session structures, memory-scraping validation checks, and the pipeline to install recovered keys and decrypt SSH traffic, releasing proof-of-concept scripts and Volatility plugins.
