Upgrading openssh on Mac OS Yosemite

Great tutorial by mochtu.de.

brew install openssl
brew install openssh --with-brewed-openssl --with-keychain-support
sudo sed -i '' 's/\/usr\/bin\/ssh-agent/\/usr\/local\/bin\/ssh-agent/' /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
sudo mv /usr/bin/ssh /usr/bin/ssh_old
sudo ln -s /usr/local/bin/ssh /usr/bin/ssh

Great tips on improving ssh settings

I am currently reading “Ansible: Up and Running” and it pointed to several improvements I could do on my ssh settings. Also thanks to tenshu.net and OpenSSH Wikibooks.


Host *
  ControlPath /tmp/control-%r@%h:%p
  ControlMaster auto
  ControlPersist 10m

Generate separate known hosts file for your local domain:

Host *.mycompany.com
    UserKnownHostsFile ~/.ssh/generated_known_hosts
    StrictHostKeyChecking yes

Sane global defaults:

HashKnownHosts no
Host *
    GSSAPIAuthentication no
    ForwardAgent no

Notify new ssh connections:

Host *
    PermitLocalCommand yes
    LocalCommand /home/user/bin/ssh-notify.sh %h

Setup host forward ports:

Host port-forwards-site1.company.com
  Hostname server1.company.com
  LocalForward 1234


Host jumphost.company.com
  ProxyCommand none
Host *.company.com
  ProxyCommand ssh jumphost.company.com nc -q0 %h %p

–or– ProxyCommand ssh -W %h:%p jumphost.company.com

Keep it Alive:

ServerAliveInterval 30
ServerAliveCountMax 4

Upgrading my SSH and SSHd settings

Thanks to the great articles by stribika on github and Aaron Toponce, these are the updated settings I am using now:

Protocol 2
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,arcfour128,arcfour 
KexAlgorithms diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160


Host *
    Ciphers aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,arcfour128,arcfour
    KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160