Updating OpenSSH on Mac OS X 10.10 Yosemite

Update for OSX El Capitan

OSX 10.11 ships with openssh 6.9p1/libressl 2.1.7, so the ciphers recommended below should already work with the system's ssh version. With the new rootless mode, editing the LaunchAgents is a messy hack anyway. Keep an eye on the OpenSSH Security Issues page to decide whether a manual update makes sense in the future.

Update for homebrewed openssh

The homebrew openssh package dropped ssh-agent integration support with 6.9p1, so don't go further than 6.8p1 on Yosemite.

If you are wondering why Apple leaves you behind on this front yet again, I can't help you. But I can tell you how to update your OpenSSH to the current version manually. This will not only make you feel good, it will also let you use state-of-the-art strong crypto when talking to your servers over ssh.

Prerequisites

You should definitely already be using Homebrew. And I quote:

"Homebrew installs the stuff you need that Apple didn’t."

Install homebrew as described here. Brew provides a nice set of software that you can install and update easily from the command line (see the FAQ). Regularly run the following to stay up to date:

brew update
brew upgrade

Also, for the following we need to add a so-called tap, which is homebrew-speak for a repository that contains additional formulae (recipes that tell homebrew how to install more software for you). Let's tap into the dupes repo (it contains only software that replaces existing OS X components once installed, so be careful here):

brew tap homebrew/dupes

You should also install Apple's developer command line tools. You need them for compiling (thanks to Franz for the hint):

xcode-select --install

New OpenSSL Version

To build the new OpenSSH we need a recent OpenSSL version; get it by running

brew install openssl

Update OpenSSH

Now we can already install a fresh OpenSSH:

brew install openssh@6.8 --with-keychain-support

Yeah, done. Almost! We need to tell OS X to recognize the new SSH installation. If you configured homebrew correctly, you should already be able to use the new ssh executable. Test this with ssh -V; it should return something like OpenSSH_6.8p1, OpenSSL 1.0.1j 15 Oct 2014 or a higher version number.

If not, you probably didn't install homebrew correctly, and maybe /usr/local/bin is not in your PATH. Running brew doctor will help you find the problem.

To make your system use the right version of ssh-agent, you need to modify a LaunchAgent file and tell it to look for the new ssh-agent in /usr/local/bin. You can do this with

sudo sed -i '' 's/\/usr\/bin\/ssh-agent/\/usr\/local\/bin\/ssh-agent/' /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
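The sed one-liner rewrites a system file in place with nothing to fall back on if the substitution goes wrong. The following is an added example, not a command from the post: the same substitution wrapped in a small POSIX sh function that keeps a timestamped backup of the plist, refuses to overwrite it if the new path did not end up in the file, and is safe to run twice. The two agent paths are the ones from the post; the function names are mine, and on the real system file it has to run as root (and the El Capitan note above still applies: rootless mode blocks edits under /System).

```shell
#!/bin/sh
# Added example (not from the original post): rewrite the ssh-agent path in
# a LaunchAgent plist with a backup and a verification step.
#
# Usage on the real file (run as root):
#   patch_agent_plist /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

OLD_AGENT="/usr/bin/ssh-agent"        # what Yosemite's plist points at
NEW_AGENT="/usr/local/bin/ssh-agent"  # the Homebrew build

# Return 0 if the plist already references NEW_AGENT, 1 otherwise.
plist_uses_new_agent() {
    grep -qF "$NEW_AGENT" "$1"
}

# Replace OLD_AGENT with NEW_AGENT in the plist given as $1.
# Keeps "<plist>.bak.<timestamp>" next to the file and restores it if the
# rewrite fails or the result does not contain the new path.
patch_agent_plist() {
    plist="$1"
    [ -f "$plist" ] || { echo "no such file: $plist" >&2; return 1; }
    if plist_uses_new_agent "$plist"; then
        echo "already patched: $plist"
        return 0
    fi
    backup="$plist.bak.$(date +%Y%m%d%H%M%S)"
    cp "$plist" "$backup" || return 1
    # '|' as the sed delimiter avoids escaping every slash in the paths;
    # /usr/bin/ssh-agent is not a substring of /usr/local/bin/ssh-agent,
    # so rerunning on an already patched file cannot double-rewrite it.
    if ! sed "s|$OLD_AGENT|$NEW_AGENT|" "$backup" > "$plist"; then
        cp "$backup" "$plist"
        return 1
    fi
    if plist_uses_new_agent "$plist"; then
        echo "patched $plist (backup: $backup)"
        return 0
    fi
    echo "patch did not apply, restoring $backup" >&2
    cp "$backup" "$plist"
    return 1
}
```

Source the file and call patch_agent_plist with the plist path; a second call reports "already patched" and leaves the file and the backup alone.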

Now, add this little helper script to the end of your ~/.bash_profile:

    # Start an agent for this shell; the eval exports SSH_AUTH_SOCK and SSH_AGENT_PID
    eval "$(ssh-agent)"
    # Stop that agent again when the shell exits so agents don't pile up
    function cleanup {
        echo "Killing SSH-Agent"
        kill -9 "$SSH_AGENT_PID"
    }
    trap cleanup EXIT

Finally you need to reboot your system (reloading the plist with launchctl was not enough on my machine). To see if your setup works:

  1. Check if ssh -V gives something like OpenSSH_6.6p1, OpenSSL 1.0.1j 15 Oct 2014 or a higher version number.
  2. Check if, after the reboot, the first ssh connection makes an OS X Cocoa window pop up asking for the passphrase of your SSH key.

OSX password popup

If you don't see a popup, either you did something wrong (check whether ssh-agent is running), or you are probably not using an ssh key, which you definitely should!
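"Something like 6.6p1 or higher" and "check if ssh-agent is running" are easy to eyeball once, but the check is worth scripting, because the stock ssh is still on the machine and a wrong PATH silently hands you the old one. This is an added example, not part of the post: POSIX sh functions that parse the ssh -V banner, compare the version numerically (6.10 must rank above 6.9, which a string compare gets wrong), confirm the first ssh on PATH is the Homebrew build, and interpret the exit status of ssh-add -l to tell an unreachable agent from an agent with no keys loaded. MIN_VERSION, the function names and the sample banners are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the OpenSSH your
# shell resolves is the new one, is recent enough, and that ssh-agent is
# reachable. MIN_VERSION is an assumed default matching the post's 6.8p1.

MIN_VERSION="${MIN_VERSION:-6.8}"

# Extract "major.minor" from an `ssh -V` banner such as
# "OpenSSH_6.8p1, OpenSSL 1.0.1j 15 Oct 2014"; prints nothing if unrecognised.
openssh_version_of() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if version $1 is >= version $2, comparing major and minor as numbers.
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]
}

# Judge a banner against the minimum: prints a verdict, returns 0 on success.
check_banner() {
    banner="$1"; min="${2:-$MIN_VERSION}"
    ver=$(openssh_version_of "$banner")
    if [ -z "$ver" ]; then
        echo "unrecognised banner: $banner"; return 1
    fi
    if version_ge "$ver" "$min"; then
        echo "OK: OpenSSH $ver >= $min"; return 0
    fi
    echo "TOO OLD: OpenSSH $ver < $min"; return 1
}

# Map the exit status of `ssh-add -l` to a message: 0 = agent with keys,
# 1 = agent reachable but no identities loaded, 2 = could not connect.
agent_status_message() {
    case "$1" in
        0) echo "ssh-agent is running and has identities loaded" ;;
        1) echo "ssh-agent is running but no identities are loaded (try ssh-add)" ;;
        2) echo "cannot connect to ssh-agent (is SSH_AUTH_SOCK set?)" ;;
        *) echo "unexpected ssh-add exit status: $1" ;;
    esac
}

# Live check for the reader's machine: which ssh is first on PATH, what it
# reports (ssh -V writes to stderr, hence 2>&1), and whether the agent answers.
check_installed_ssh() {
    path=$(command -v ssh) || { echo "ssh not on PATH"; return 1; }
    case "$path" in
        /usr/local/bin/*) echo "using Homebrew ssh at $path" ;;
        *) echo "warning: $path is not the Homebrew build" ;;
    esac
    check_banner "$(ssh -V 2>&1)" || return 1
    ssh-add -l >/dev/null 2>&1; status=$?
    agent_status_message "$status"
    [ "$status" -ne 2 ]
}
```

Source the file and run check_installed_ssh in a fresh terminal after the reboot; a non-zero return means either the old ssh is still being picked up or nothing is listening on SSH_AUTH_SOCK, which is exactly the case where the passphrase popup never appears.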

If everything works, you can now use the most recent crypto algorithms for your ssh connections. See this blog entry for further information on that.

Update

Unfortunately, OSX GUI software usually does not honor the PATH set in your .bashrc or .bash_profile. The only way I found so far to keep applications like GitHub.app or SourceTree.app – which use ssh to connect to git repos – happy is to replace the original ssh binary at /usr/bin/ssh with a link to the new one:

sudo mv /usr/bin/ssh /usr/bin/ssh_old
sudo ln -s /usr/local/bin/ssh /usr/bin/ssh

As long as you keep a backup, I see no harm in using an up-to-date version globally. Let me know if you have any problems with that!