As you'd expect from the name,
HPN-SSH – High Performance SSH/SCP
is a "high performance" patch of SSH/SCP.
I've installed a newer version of OpenSSL via Homebrew
(brew install openssl).
I've downloaded the source code (openssh-6.1p1.tar.gz) and applied the patch (openssh-6.1p1-hpn13v14.diff.gz), compiled it, and installed it to /usr/local/.
However, the default version of ssh/sshd seems to be hard-coded into the OS enough that I can't get the new version to work after editing /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist and /System/Library/LaunchDaemons/ssh.plist.
I was getting this error:
ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]
I found an answer here which suggested editing /usr/local/etc/sshd_config to change UsePrivilegeSeparation sandbox to UsePrivilegeSeparation yes but that is apparently not recommended (for reasons I do not entirely understand).
At this point I do not know what to do next.
-
Can someone explain why
UsePrivilegeSeparation yesis such a bad idea? -
Is there a way for me to run HPN-SSH and regular SSH at the same time? (I was thinking of setting the new
sshdon a different port than the regularsshdbut I'm not sure if that is a good idea or if there is something else I should be doing.)
Best Answer
I'll take a stab at #1.
It looks like the sandbox prevents the application from producing new threads. From what I found online, the sandbox functionality was only recently introduced in OpenSSH 5.8 so if someone finds a bug in OpenSSH that is limited only by the sandbox, they could exploit this attack vector.
The question is, do you have a team of government spooks decided that this would be the easiest attack vector and would willing to dedicate resources to find an obscure bug in OpenSSH which would only be limited by this particular sandbox?
As for #2 ... I can't think of any reason why that wouldn't work.
Oh, and I just figured out that MacPorts has the hpn version:
sudo port install openssh +hpn