An SSH server is a software program which uses the secure shell protocol to accept connections from remote computers. SFTP/SCP file transfers and remote terminal connections are popular use cases for an SSH server. To allow specific or additional MAC algorithms in the sshd server, use the Macs option in /etc/ssh/sshdconfig. You can specify a list of allowed MAC algorithms or add individual algorithms with the '+' option. The one I will discuss in this article is SSH, a secure remote protocol which is used to work remotely on other machines or transfer data between computers. While there are third party SSH applications available for Linux and Mac, such as OpenSSH, SSH support is native in these operating systems and may be run from within the standard command line interfaces available for each. The command line interface for both, while slightly different for each, go by the same name: Terminal. MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160. Restart ssh after you have made the changes. Stopsrc -s sshd startsrc -s sshd. You can test the new configuration using. Ssh -vvv -F sshconfig You can create a temporary configuration file to test the changes included before implementing them in /etc/ssh/sshdconfig.
Yesterday the OpenSSH project reported a client side vulnerability affecting OpenSSH versions 5.4 - 7.1. This vulnerability could allow an SSH client to leak private key information, potentially exposing users to man-in-the-middle attacks. The linked articles explain how you can disable the vulnerable feature of OpenSSH in your local configuration. This article explains how to upgrade your OpenSSH version on your machine using Homebrew.
Upgrading OpenSSH
This tutorial assumes that you already have homebrew installed on your system. If not go to http://brew.sh/ and get started.
Firstly we need to tap the homebrew-dupes library.
Now we have the latest OpenSSH recipes we can go ahead and install OpenSSH which we will use instead of the system SSH.
Making Homebrew OpenSSH Client the default
Now that we have OpenSSH installed using Homebrew we need to make sure it is the default SSH client. By default the system SSH client is installed in /usr/bin/ssh. The issue that many are likely to face is the /usr/bin comes before /usr/local/bin in their PATH variable which is where the new SSH client will be installed. For example
Ssh Server Mac Catalina
There are two ways to address this problem. The first and easiest is to simply delete the SSH binary in /usr/bin.
While this will definitely work in allowing the homebrew version of SSH to become the default, I would not advise this as updates to OSX may inadvertantly restore the system SSH client leaving you exposed again. The second and preferred method is to rearrange the locations in the PATH variable to allow /usr/local/bin to come before /usr/bin.
We are going to use the ~/.bashrc file which gets executed everytime a new non-login shell is opened. For login shells, the system will check for ~/.profile and load it if available, otherwise it will look for ~/.bash_profile and load that if available. Luckily both of those files usually come as default with an include for the ~/.bashrc file to load it during login shells as well. If yours does not you can add the following into your profile script.
Ssh Server Mac
Mac Ssh Command
The following change will allow us to change the PATH variable consistently.
Mac Os Ssh Server
Now lets check that the $PATH variable does indeed contain our changes. We can do this either by restarting our ssh shell or by sourcing the ~/.bashrc file
You can see that /usr/local/bin is listed twice, this is ok as the system will simply go through them in order looking for files. The reason we didn’t explicitly set the PATH when we modified it is because the PATH may have been modified elsewhere and we want to retain those changes.
Now we have fixed our PATH lets check that the SSH client is the one we expect
OpenSSH 7.1p2 was the version patched against the OpenSSH Client vulnerability and our system is now safe.
More information about the OpenSSH Client vulnerability