Upgrade openssh on OS X with homebrew for PCI compliance

The existing version of openssh on OS X 10.7.4 is SSH-2.0-OpenSSH_5.6, which is not, unfortunately, PCI compliant. So I need to upgrade it, and I have been trying to do so with Homebrew.



So far, what I've done is:


brew tap homebrew/dupes
brew install openssh



No problem, all went well, and now when I try which ssh I get:


which ssh


/usr/local/bin/ssh



Which seems fine, also which sshd gives:


which sshd


/usr/local/sbin/sshd



and ssh -v duly reports:


ssh -v


OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011



So far so good. But here's where I'm out of my element. Port 22 is still using the OS-installed version, which is to say that telnet hostname 22 reports:


telnet hostname 22


SSH-2.0-OpenSSH_5.6



I've tried mucking around with /System/Library/LaunchDaemons/ssh.plist with no luck.



So, my questions are (probably in reverse order of importance):



I'm frustrated about not passing the PCI Compliance scan and need to get this figured out, and frankly I'm considering changing all the e-commerce websites on my server over to stripe.com, but I would like to get this figured out. Also, does anyone know if openssh will be upgraded in Mountain Lion?



Edit: Here's what I've been trying in /System/Library/LaunchDaemons/ssh.plist:



I've only edited one line, changing:


<string>/usr/sbin/sshd</string>



To


<string>/usr/local/sbin/sshd</string>



And then I tried sudo kill -HUP 1 as suggested by @the-paul below, as well as restarting the Mac.


sudo kill -HUP 1



Telnetting in from a remote machine still shows SSH-2.0-OpenSSH_5.6


SSH-2.0-OpenSSH_5.6



My whole ssh.plist file now looks like this: http://pastie.org/private/qnhofuxomawjdypp9wgaq







Daemons like this are controlled on OS X by launchd, which is in turn configured by files in directories like /System/Library/LaunchDaemons/ and /Library/LaunchDaemons. On at least Lion and Snow Leopard, the default ssh daemon is defined by /System/Library/LaunchDaemons/ssh.plist.



You can open that up as root with a text editor, and change the value for the "Program" key from /usr/libexec/sshd-keygen-wrapper to the path you want; in your case, that's probably /usr/local/sbin/sshd. Then you also need to change the first of the ProgramArguments strings, the one saying /usr/sbin/sshd, since that is meant as an argument to launchproxy. Then, to reload,


sudo launchctl unload -w /System/Library/LaunchDaemons/ssh.plist
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist



I don't see how that should cause any conflicts with normal or well-behaved OS X software.



Yes, that seems like a very reasonable thing to me. Security is important.



This is not really a very answerable question. But almost certainly, yes, same as everyone else :^)



Nope. The only thing to really worry about is that you keep your sshd up-to-date with security as well or better than the OS does. If you're aware of concerns like the one posed by this question, then I don't think that will be a problem for you.



Edit: Corrected my suggestions for editing ssh.plist (tested it this time).



Thank you for the helpful answers. I'm still not able to get it to work, however. Perhaps I'm missing something in ssh.plist. I'm adding the process I'm going through there above; let me know if you see where I'm going wrong.

– leggo-my-eggo
May 21 '12 at 15:22







I just peeked inside /usr/libexec/sshd-keygen-wrapper and found the line exec /usr/sbin/sshd $@. Do I need to edit this manually? Or is the $@ a variable which is being replaced by the xml file?

– leggo-my-eggo
May 21 '12 at 15:39







Oh man, that's hilarious. It passes the path to an sshd on the command line to sshd-keygen-wrapper, but then it doesn't actually get used. Yeah, I think you are much better off replacing sshd-keygen-wrapper in that plist. Then just keep the -i argument in the argument list.

– the paul
May 21 '12 at 17:56






Hm. Any idea why this would have killed my ability to ssh in with a username/password? I can still get in from my machine with a shared key.

– leggo-my-eggo
May 23 '12 at 22:41






Just an update here that upgrading to Mountain Lion seems to overwrite these changes, however the openssh version in Mountain Lion is the desired 5.9p1, so I'm just going to let the OS handle ssh for me again.

– leggo-my-eggo
Jul 26 '12 at 15:31



This is what I did, based on the above discussion. Successfully tested on 10.11.6 (El Capitan).



Edit /System/Library/LaunchDaemons/ssh.plist so that the corresponding key reflects…




<key>ProgramArguments</key>
<array>
<string>/usr/local/sbin/sshd</string>
<string>-i</string>
</array>



Edit the shell script /usr/libexec/sshd-keygen-wrapper so that its last command reads:




exec /usr/local/sbin/sshd $@



Clone the /etc/ssh/ directory contents:




$ sudo cp /etc/ssh/ssh* /usr/local/etc/ssh/



Make sure file ownership and permissions are sound:


$ sudo chmod 755 /usr/local/etc/ssh/
$ sudo chmod 600 /usr/local/etc/ssh/*_key
$ sudo chmod 644 /usr/local/etc/ssh/{ssh{,d}_config,*.pub}
$ sudo chown -R root:wheel /usr/local/etc/ssh/



Reload SSH dæmon:


$ sudo launchctl unload -w /System/Library/LaunchDaemons/ssh.plist
$ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist



Note: the last command, for example, is equivalent to systemsetup -setremotelogin on or to activating the Sharing service in the System Preferences panel.





Verify the OpenSSH upgrade from a client:


$ ssh-audit <Server IP>
# general
(gen) banner: SSH-2.0-OpenSSH_7.8
(gen) software: OpenSSH 7.8
(gen) compatibility: OpenSSH 6.5+, Dropbear SSH 2013.62+
(gen) compression: enabled (zlib@openssh.com)



Install OpenSSH:


$ brew install openssh



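As an added check (not part of the original question or either answer), the script below tests the two things this thread turns on: that ssh.plist really hands launchd the Homebrew sshd with -i kept, and that the banner seen on port 22 is at least the version the scan wants. It assumes the Homebrew sshd at /usr/local/sbin/sshd, and the plist it reads is a constructed sample, not a system file.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumed paths:
# /usr/local/sbin/sshd for the Homebrew sshd; the plist is constructed.

# Print the <string> values inside the plist's ProgramArguments array.
plist_program_args() {
  awk '/<key>ProgramArguments<\/key>/ { inargs = 1; next }
       inargs && /<\/array>/ { exit }
       inargs && /<string>/ { sub(/^[ \t]*<string>/, "")
                              sub(/<\/string>.*$/, ""); print }' "$1"
}
# Succeed only if the first argument is $2 and "-i" (inetd mode) is kept.
# Arguments are assumed to contain no whitespace.
check_plist() {
  first=""; keeps_i=no
  for arg in $(plist_program_args "$1"); do
    [ -z "$first" ] && first=$arg
    [ "$arg" = "-i" ] && keeps_i=yes
  done
  if [ "$first" = "$2" ] && [ "$keeps_i" = yes ]; then return 0; fi
  return 1
}
# "SSH-2.0-OpenSSH_5.9p1" -> "5.9"; prints nothing for other servers.
banner_version() {
  printf '%s\n' "$1" |
    sed -n 's/^SSH-2\.0-OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}
# Succeed if the banner's major.minor is at least $2 (e.g. 5.9).
banner_at_least() {
  v=$(banner_version "$1")
  [ -n "$v" ] || return 1
  awk -v have="$v" -v want="$2" 'BEGIN { split(have, h, "."); split(want, w, ".")
    ok = (h[1]+0 > w[1]+0) || (h[1]+0 == w[1]+0 && h[2]+0 >= w[2]+0)
    exit (ok ? 0 : 1) }'
}
# Constructed sample: a plist already edited the way the answers describe.
SAMPLE_PLIST=$(mktemp)
cat >"$SAMPLE_PLIST" <<'EOF'
<plist version="1.0"><dict>
  <key>Program</key><string>/usr/local/sbin/sshd</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/sbin/sshd</string>
    <string>-i</string>
  </array>
</dict></plist>
EOF
check_plist "$SAMPLE_PLIST" /usr/local/sbin/sshd && echo "plist points at the Homebrew sshd"
```

To check a live host, feed banner_at_least the first line returned by telnet or nc on port 22 and point check_plist at the real ssh.plist.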


