my guesses: pam.d/sshd was changed when activating md5 passwords (>8 characters) ssh*_config were changed by myself ssh hmmm... as one can change file permissions (easy,local,secure), is it possible, that after an installation default permissions and groups are overriden by a script that sets the chosen values?
My guesses for ssh - you installed an update with rpm -i instead of of rpm -u or a script such as harden_suse changed attributes.
By the way - its ssh not sshd. An attacker would exchange the daemon to get in. are you sure?
He would _probably_ exchange the daemon or install a second one listening on a different port. In that case sshd is untouched. Why not modifying ssh to log passwords? -- GMX - Die Kommunikationsplattform im Internet. http://www.gmx.net