Tips on upgrading ssh
Robert La Ferla
robertlaferla at comcast.net
Mon Oct 2 21:01:05 PDT 2006
I have been experiencing problems with the Apple-supplied sshd.
Newer ssh clients on Linux and Windows had problems connecting to my
Apple server. However, these same clients had no problems connecting
with any of my Linux and Unix servers. I also experienced
performance problems with Apple's ssh (really slow connections).
After quite a bit of troubleshooting, I ended up replacing Apple's
older version of ssh with a new version of portable ssh. I did this
before the recent software updates so perhaps Apple has fixed this
problem. Given that even their latest version has known security
issues, the upgrade has other benefits.
WARNING: I DO NOT recommend that you do this unless you have problems
and are willing to deal with issues related to the upgrade, and have
the UNIX expertise to do it. I just wanted to share a few tips/tricks
if anyone wants to try upgrading:
1. Use Portable SSH from http://www.openssh.com
(http://www.openssh.com/portable.html)
2. Use --with-pam when configuring the source code.
3. Back up and remove all your old ssh files (in /usr/bin, /usr/sbin,
and /usr/libexec).
4. Assuming you install the new ssh in /usr/local, you will need to
update several files:
(a) /System/Library/LaunchDaemons/ssh.plist
(b) /usr/libexec/sshd-keygen-wrapper
% cat /usr/libexec/sshd-keygen-wrapper
#!/bin/sh
# Generate each host key only if it does not already exist.
[ ! -f /usr/local/etc/ssh_host_key ] && /usr/local/bin/ssh-keygen \
    -q -t rsa1 -f /usr/local/etc/ssh_host_key -N "" -C ""
[ ! -f /usr/local/etc/ssh_host_rsa_key ] && /usr/local/bin/ssh-keygen \
    -q -t rsa -f /usr/local/etc/ssh_host_rsa_key -N "" -C ""
[ ! -f /usr/local/etc/ssh_host_dsa_key ] && /usr/local/bin/ssh-keygen \
    -q -t dsa -f /usr/local/etc/ssh_host_dsa_key -N "" -C ""
# Hand over to the new sshd, passing its arguments through unchanged.
exec /usr/local/sbin/sshd "$@"
(c) Review your config files sshd_config and ssh_config. Especially
important is the location of the public/private keys, i.e., if you
used the new wrapper above, they should be in /usr/local/etc.
5. Stop and restart Remote Login in Preferences.app.
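
The following check is an added example, not part of the original post: it reads the HostKey lines from an sshd_config and confirms each key sits in the directory the wrapper writes to, exists, has a public half, and is not group/world-accessible (sshd refuses to load such a key). The function names and the temporary demo tree standing in for /usr/local/etc are assumptions made for illustration.

```shell
# Added example: audit the host keys an sshd_config points at after the upgrade.
# audit_hostkeys <sshd_config> <expected key dir> prints findings and
# returns the number of problems (0 = clean).
audit_hostkeys() {
    cfg=$1; want=$2; bad=0
    # keywords are case-insensitive in sshd_config; commented lines are skipped
    keys=$(awk 'tolower($1) == "hostkey" { print $2 }' "$cfg")
    if [ -z "$keys" ]; then
        echo "NOTE: no HostKey lines in $cfg; sshd will use its built-in defaults"
    fi
    for k in $keys; do
        if [ "$(dirname "$k")" != "$want" ]; then
            echo "WRONG DIR: $k (wrapper generates keys in $want)"; bad=$((bad + 1))
        fi
        if [ ! -f "$k" ]; then
            echo "MISSING: $k"; bad=$((bad + 1)); continue
        fi
        # characters 5-10 of the ls mode string are the group/other bits
        if [ "$(ls -ld "$k" | cut -c5-10)" != "------" ]; then
            echo "TOO OPEN: $k is accessible by group/other"; bad=$((bad + 1))
        fi
        [ -f "$k.pub" ] || { echo "NO PUBLIC HALF: $k.pub"; bad=$((bad + 1)); }
    done
    return "$bad"
}

# Constructed demo tree (stand-in for /usr/local/etc) so this runs anywhere.
demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/etc" "$d/old"
    for n in ssh_host_rsa_key ssh_host_dsa_key; do
        echo "constructed placeholder, not a real key" > "$d/etc/$n"
        cp "$d/etc/$n" "$d/etc/$n.pub"
    done
    chmod 600 "$d/etc/ssh_host_rsa_key"
    chmod 644 "$d/etc/ssh_host_dsa_key"      # deliberately too open
    cat > "$d/sshd_config" <<EOF
# constructed sample config
HostKey $d/etc/ssh_host_rsa_key
hostkey $d/etc/ssh_host_dsa_key
HostKey $d/old/ssh_host_key
#HostKey $d/etc/commented_out
EOF
    echo "$d"
}

d=$(demo_tree)
audit_hostkeys "$d/sshd_config" "$d/etc" || echo "problems found: $?"
```

On a real system the call would be audit_hostkeys /usr/local/etc/sshd_config /usr/local/etc, run as root so the key files are readable.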