Systemd provides via libsystemd a call sd_notify() that tells systemd the daemon is not only started but ready to accept connections. libsystemd, being a kitchen-sink like everything else systemd, has a bunch of unrelated functionality including one that pulled liblzma as a dependency.
The backdoored liblzma relies on a misfeature of glibc called ifuncs, where a library can override a function by calling a special init function in the library. This is so, for instance, if you have a version of a function optimized for AVX512, one for AVX2 and one not optimized for those at all, the init function would check which features the CPU supports and pick the best one. Seemingly ifuncs don't check that the function being overridden is in the same library, and it was replacing OpenSSH's RSA auth function.
OpenSSH added a clean-room libsystemd-free implementation of sd_notify() after this fiasco, in the hope Linux distros will stop linking against libsystemd; this will appear in OpenSSH 9.8:
https://bugzilla.mindrot.org/show_bug.cgi?id=2641
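What a libsystemd-free sd_notify() amounts to, as an added example that is not OpenSSH's code and not from the post: it speaks systemd's plain notification protocol (one datagram, "READY=1", to the AF_UNIX socket named in NOTIFY_SOCKET) using only libc, and a self-test plays systemd's side on a temporary socket to confirm the bytes arrive. The names notify_systemd() and selftest_loopback() and the /tmp socket path are mine.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
/* Send one message such as "READY=1" to the datagram socket systemd names
 * in NOTIFY_SOCKET. Returns 1 if sent, 0 if NOTIFY_SOCKET is unset (not under
 * systemd), -1 on error. Plain protocol only: no fd passing, no abstract
 * '@' names, nothing beyond libc linked in. */
int notify_systemd(const char *msg)
{
    const char *path = getenv("NOTIFY_SOCKET");
    struct sockaddr_un addr;
    int fd, r;
    if (path == NULL || *path == '\0')
        return 0;
    if (path[0] != '/' || strlen(path) >= sizeof(addr.sun_path))
        return -1;                          /* a name we cannot address */
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, path, strlen(path));
    if ((fd = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0)
        return -1;
    r = sendto(fd, msg, strlen(msg), 0, (struct sockaddr *)&addr, sizeof(addr));
    close(fd);
    return r < 0 ? -1 : 1;
}
/* Self-test: act as systemd on a temporary socket (constructed path) and
 * confirm exactly the 7 bytes "READY=1" arrive. Returns 1 on success. */
int selftest_loopback(void)
{
    char path[64], buf[32];
    struct sockaddr_un addr;
    int srv, ok = 0;
    snprintf(path, sizeof(path), "/tmp/sd-notify-test-%ld", (long)getpid());
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);            /* path < 64 bytes, fits */
    if ((srv = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0)
        return 0;
    if (bind(srv, (struct sockaddr *)&addr, sizeof(addr)) == 0 &&
        setenv("NOTIFY_SOCKET", path, 1) == 0 &&
        notify_systemd("READY=1") == 1 && recv(srv, buf, sizeof(buf), 0) == 7)
        ok = memcmp(buf, "READY=1", 7) == 0;
    unsetenv("NOTIFY_SOCKET");
    close(srv);
    unlink(path);
    return ok;
}
```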