As you'd expect from the name,
HPN-SSH – High Performance SSH/SCP
is a "high performance" patch of SSH/SCP.
I've installed a newer version of OpenSSL via Homebrew
(brew install openssl
).
I've downloaded the source code (openssh-6.1p1.tar.gz) and applied the patch (openssh-6.1p1-hpn13v14.diff.gz), compiled it, and installed it to /usr/local/.
However, the default version of ssh/sshd seems to be hard-coded into the OS enough that I can't get the new version to work after editing /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
and /System/Library/LaunchDaemons/ssh.plist
.
I was getting this error:
ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]
I found an answer here which suggested editing /usr/local/etc/sshd_config
to change UsePrivilegeSeparation sandbox
to UsePrivilegeSeparation yes
but that is apparently not recommended (for reasons I do not entirely understand).
At this point I do not know what to do next.
-
Can someone explain why
UsePrivilegeSeparation yes
is such a bad idea? -
Is there a way for me to run HPN-SSH and regular SSH at the same time? (I was thinking of setting the new
sshd
on a different port than the regularsshd
but I'm not sure if that is a good idea or if there is something else I should be doing.)
Best Answer
I'll take a stab at #1.
It looks like the sandbox prevents the application from producing new threads. From what I found online, the sandbox functionality was only recently introduced in OpenSSH 5.8 so if someone finds a bug in OpenSSH that is limited only by the sandbox, they could exploit this attack vector.
The question is, do you have a team of government spooks decided that this would be the easiest attack vector and would willing to dedicate resources to find an obscure bug in OpenSSH which would only be limited by this particular sandbox?
As for #2 ... I can't think of any reason why that wouldn't work.
Oh, and I just figured out that MacPorts has the hpn version:
sudo port install openssh +hpn