The existing version of openssh on OS X 10.7.4 is SSH-2.0-OpenSSH_5.6, which is not, unfortunately, PCI Compliant. So, I need to upgrade it and I have been trying to do so with Homebrew.
So far, what I've done is:
brew tap homebrew/dupes
brew install openssh
No problem, all went well, and now when I try which ssh
I get:
/usr/local/bin/ssh
Which seems fine, also which sshd
gives:
/usr/local/sbin/sshd
and ssh -v
duly reports:
OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
So far so good. But here's where I'm out of my element. Port 22 is still using the OS installed version, which is to say that telnet hostname 22
reports:
SSH-2.0-OpenSSH_5.6
I've tried mucking around with /System/Library/LaunchDaemons/ssh.plist with no luck.
So, my questions are (probably in reverse order of importance):
I'm frustrated about not passing the PCI Compliance scan and need to get this figured out, and frankly I'm considering changing all the e-commerce websites on my server over to stripe.com, but I would like to get this figured out. Also, does anyone know if openssh will be upgraded in Mountain Lion?
Edit: Here's what I've been trying in /System/Library/LaunchDaemons/ssh.plist:
I've only edited one line, changing:
<string>/usr/sbin/sshd</string>
To
<string>/usr/local/sbin/sshd</string>
And then I tried sudo kill -HUP 1
as suggested by @the-paul below, as well as restarting the Mac.
Telnetting in from a remote still shows SSH-2.0-OpenSSH_5.6
My whole ssh.plist file now looks like this: http://pastie.org/private/qnhofuxomawjdypp9wgaq
Daemons like this are controlled on OS X by launchd
, which is in turn configured by files in directories like /System/Library/LaunchDaemons/
and /Library/LaunchDaemons
. On at least Lion and Snow Leopard, the default ssh daemon is defined by /System/Library/LaunchDaemons/ssh.plist
.
You can open that up as root with a text editor, and change the value for the "Program
" key from /usr/libexec/sshd-keygen-wrapper
to the path you want; in your case, that's probably /usr/local/sbin/sshd
. Then you also need to change the first of the ProgramArguments
strings, the one saying /usr/sbin/sshd
, since that is meant as an argument to launchproxy
. Then, to reload,
sudo launchctl unload -w /System/Library/LaunchDaemons/ssh.plist
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
I don't see how that should cause any conflicts with normal or well-behaved OS X software.
Yes, that seems like a very reasonable thing to me. Security is important.
This is not really a very answerable question. But almost certainly, yes, same as everyone else :^)
Nope. The only thing to really worry about is that you keep your sshd up-to-date with security as well or better than the OS does. If you're aware of concerns like the one posed by this question, then I don't think that will be a problem for you.
Edit: Corrected my suggestions for editing ssh.plist
(tested it this time).