19

The existing version of openssh on OS X 10.7.4 is SSH-2.0-OpenSSH_5.6, which is not, unfortunately, PCI Compliant. So, I need to upgrade it and I have been trying to do so with Homebrew.

So far, what I've done is:

brew tap homebrew/dupes
brew install openssh

No problem, all went well, and now when I try which ssh I get:

/usr/local/bin/ssh

Which seems fine, also which sshd gives:

/usr/local/sbin/sshd

and ssh -v duly reports:

OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011

So far so good. But here's where I'm out of my element. Port 22 is still using the OS installed version, which is to say that telnet hostname 22 reports:

SSH-2.0-OpenSSH_5.6

I've tried mucking around with /System/Library/LaunchDaemons/ssh.plist with no luck.

So, my questions are (probably in reverse order of importance):

  1. How do I get my Homebrew installation of openssh to be the one listening on port 22?
  2. If I do, will this cause any conflicts with OS X or other software?
  3. Is the way I'm going about this a reasonable one in the first place?
  4. Am I not thinking about things that I should be?
  5. Is this a terrible idea to begin with?

I'm frustrated about not passing the PCI Compliance scan and need to get this figured out, and frankly I'm considering changing all the e-commerce websites on my server over to stripe.com, but I would like to get this figured out. Also, does anyone know if openssh will be upgraded in Mountain Lion?

Edit: Here's what I've been trying in /System/Library/LaunchDaemons/ssh.plist:

I've only edited one line, changing:

<string>/usr/sbin/sshd</string>

To

<string>/usr/local/sbin/sshd</string>

And then I tried sudo kill -HUP 1 as suggested by @the-paul below, as well as restarting the Mac.

Telnetting in from a remote still shows SSH-2.0-OpenSSH_5.6

My whole ssh.plist file now looks like this: http://pastie.org/private/qnhofuxomawjdypp9wgaq

John Saunders
  • 160,644
  • 26
  • 247
  • 397
leggo-my-eggo
  • 261
  • 1
  • 2
  • 12

2 Answers2

16

  1. Daemons like this are controlled on OS X by launchd, which is in turn configured by files in directories like /System/Library/LaunchDaemons/ and /Library/LaunchDaemons. On at least Lion and Snow Leopard, the default ssh daemon is defined by /System/Library/LaunchDaemons/ssh.plist.

    You can open that up as root with a text editor, and change the value for the "Program" key from /usr/libexec/sshd-keygen-wrapper to the path you want; in your case, that's probably /usr/local/sbin/sshd. Then you also need to change the first of the ProgramArguments strings, the one saying /usr/sbin/sshd, since that is meant as an argument to launchproxy. Then, to reload,

    sudo launchctl unload -w /System/Library/LaunchDaemons/ssh.plist
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist

  2. I don't see how that should cause any conflicts with normal or well-behaved OS X software.

  3. Yes, that seems like a very reasonable thing to me. Security is important.

  4. This is not really a very answerable question. But almost certainly, yes, same as everyone else :^)

  5. Nope. The only thing to really worry about is that you keep your sshd up-to-date with security as well or better than the OS does. If you're aware of concerns like the one posed by this question, then I don't think that will be a problem for you.

Edit: Corrected my suggestions for editing ssh.plist (tested it this time).

the paul
  • 8,972
  • 1
  • 36
  • 53
  • thank you for the helpful answers. I'm still not able to get it to work, however. Perhaps I'm missing something in ssh.plist. I'm adding the process I'm going though there above, let me know if you see where I'm going wrong. – leggo-my-eggo May 21 '12 at 15:22
  • I just peeked inside /usr/libexec/sshd-keygen-wrapper and found the line `exec /usr/sbin/sshd $@`. Do I need to edit this manually? Or is the `$@` a variable which is being replaced by the xml file? – leggo-my-eggo May 21 '12 at 15:39
  • Oh man, that's hilarious. It passes the path to an sshd on the command line to `sshd-keygen-wrapper`, but then it doesn't actually get used. Yeah, I think you are much better off replacing `sshd-keygen-wrapper` in that plist. Then just keep the `-i` argument in the argument list. – the paul May 21 '12 at 17:56
  • OK, thank you. Can I ask you to walk me through exactly how to do that? Do I create my own sshd-keygen-wrapper somewhere else without that last line, or what? Thanks so much for your help with this. – leggo-my-eggo May 23 '12 at 14:12
  • 1
    Hm. Any idea why this would have killed my ability to ssh in with a username/password? I can still get in from my machine with a shared key. – leggo-my-eggo May 23 '12 at 22:41
  • No, I don't know specifically why, but I guess it makes sense that there would be difficulties there. OS X has different interfaces for checking user passwords than most unix-based systems. – the paul May 24 '12 at 14:50
  • 1
    Just an update here that upgrading to Mountain Lion seems to overwrite these changes, however the openssh version in Mountain Lion is the desired 5.9p1, so I'm just going to let the OS handle ssh for me again. – leggo-my-eggo Jul 26 '12 at 15:31
1

This is what I did. Based on the above discussion. Successfully tested on 10.11.6 (El Capitan)

Server

  1. Edit /System/Library/LaunchDaemons/ssh.plist so that the corresponding key reflects…

    <key>ProgramArguments</key>
    <array>
    <string>/usr/local/sbin/sshd</string>
    <string>-i</string>
</array>

  2. Edit shell script /usr/libexec/sshd-keygen-wrapper so that the last command reflects the following:

    exec /usr/local/sbin/sshd $@

  3. Clone /etc/ssh/ directory content:

    $ sudo cp /etc/ssh/ssh* /usr/local/etc/ssh/

  4. Make sure of solid file ownership and permissions:

    $ sudo chmod 755 /usr/local/etc/ssh/
$ sudo chmod 600 /usr/local/etc/ssh/*_key
$ sudo chmod 644 /usr/local/etc/ssh/ssh{{,d}_config,*.pub}
$ sudo chown -R root:wheel /usr/local/etc/ssh/

  5. Reload SSH dæmon:

    $ sudo launchctl unload -w /System/Library/LaunchDaemons/ssh.plist
$ sudo launchctl   load -w /System/Library/LaunchDaemons/ssh.plist

    Note: the last entry, for example, is equivalent to systemsetup -setremotelogin on or activating Sharing service in System Preference panel.

  6. Make sure of OpenSSH upgrade from Client:

    $ ssh-audit <Server IP>
# general
(gen) banner: SSH-2.0-OpenSSH_7.8
(gen) software: OpenSSH 7.8
(gen) compatibility: OpenSSH 6.5+, Dropbear SSH 2013.62+
(gen) compression: enabled (zlib@openssh.com)

Client

  1. Install OpenSSH:

    $ brew install openssh

  2. Clone /etc/ssh/ directory content.

  3. Make sure of solid file ownership and permissions.

Faxopita
  • 83
  • 1
  • 9
  • Try: Boot in recovery mode, open a Terminal and type: `csrutil disable` – Faxopita Jun 04 '20 at 16:37
  • I just copied the LaunchDaemon and loaded under a new name ssh2. Turns out to be a great idea... It works just as well and it means I have a backup in case one crashes or I want to reconfigure forwarding, ports etc. It should also play better with updates. – Ray Foss Jun 05 '20 at 01:11