Compile OpenSSH 6.7 with LibreSSL on OSX

Let's say you want to use the newest version of OpenSSH on your MacBook / OSX, for reasons like:

  • your current version is too old for newer ciphers, key exchanges, etc.
  • you trust LibreSSL more than some OSSLShim
  • you are just some hipster who wants to have cipherli.st running

No worries: in this short tutorial I will show you how to compile OpenSSH 6.7p1 from source without replacing the ssh implementation currently installed and shipped by OSX.

We will be using LibreSSL instead of OpenSSL, which is easier to compile and might be more secure than OpenSSL itself.

Some of this I took from the Homebrew formula here: https://github.com/Homebrew/homebrew-dupes/blob/master/openssh.rb

Get sources

$ wget \
http://mirror.is.co.za/mirror/ftp.openbsd.org/OpenSSH/portable/openssh-6.7p1.tar.gz \
http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.17.tar.gz \
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.1.3.tar.gz

Compile LibreSSL

$ tar xvfz libressl-2.1.3.tar.gz
$ cd libressl-2.1.3
$ ./configure --prefix=/opt/libressl --with-openssldir=/System/Library/OpenSSL --with-enginesdir=/opt/libressl
$ make
$ sudo make install

Compile ldns

$ tar xvfz ldns-1.6.17.tar.gz
$ cd ldns-1.6.17
$ ./configure --with-ssl=/opt/libressl
$ make
$ sudo make install

Compile OpenSSH

$ tar xvfz openssh-6.7p1.tar.gz
$ cd openssh-6.7p1

$ wget \
https://trac.macports.org/export/131258/trunk/dports/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch \
https://gist.githubusercontent.com/sigkate/fca7ee9fe1cdbe77ba03/raw/6894261e7838d81c76ef4b329e77e80d5ad25afc/patch-openssl-darwin-sandbox.diff \
https://trac.macports.org/export/131258/trunk/dports/net/openssh/files/launchd.patch

$ patch -p1 < 0002-Apple-keychain-integration-other-changes.patch
$ patch -p1 < patch-openssl-darwin-sandbox.diff
$ patch -p1 < launchd.patch

$ autoreconf -i
$ export CPPFLAGS="-D__APPLE_LAUNCHD__ -D__APPLE_KEYCHAIN__ -D__APPLE_SANDBOX_NAMED_EXTERNAL__"
$ export LDFLAGS="-framework CoreFoundation -framework SecurityFoundation -framework Security"
$ ./configure \
--prefix=/opt/openssh \
--sysconfdir=/etc/ssh \
--with-zlib \
--with-ssl-dir=/opt/libressl \
--with-pam \
--with-privsep-path=/opt/openssh/var/empty \
--with-md5-passwords \
--with-pid-dir=/opt/openssh/var/run \
--with-libedit \
--with-ldns \
--with-kerberos5 \
--without-xauth \
--without-pie
$ make
$ sudo make install

Use newly installed ssh-agent

$ sudo nano /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
(in the ProgramArguments, replace /usr/bin/ssh-agent with /opt/openssh/bin/ssh-agent)

$ sudo launchctl unload /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
$ sudo launchctl load /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

Set alias

$ echo "alias ssh=/opt/openssh/bin/ssh" >> ~/.bash_profile

Reboot!

(verify with “ssh -V”)
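As an added example that is not part of the original post, the two manual steps above (editing the ssh-agent plist, then eyeballing "ssh -V") can be scripted and checked. The script assumes the paths from this tutorial (/opt/openssh/bin/ssh-agent as the new agent, /usr/bin/ssh-agent as the one launchd ships) and works on a constructed copy of the plist rather than the real file under /System, so it can be tried safely first; point rewrite_agent_plist at the real plist only once you are happy with it.

```shell
#!/bin/sh
# Added example, not from the original post: verify the ssh banner and
# script the ssh-agent plist edit with a backup and a post-check.
# Assumed paths (taken from the tutorial): /opt/openssh/bin/ssh-agent is the
# freshly built agent, /usr/bin/ssh-agent is the one the stock plist launches.

# check_ssh_version "<output of ssh -V>"
# Returns 0 only when the banner names OpenSSH 6.7p1 built against LibreSSL,
# i.e. the build from this tutorial and not the stock /usr/bin/ssh.
check_ssh_version() {
    banner="$1"
    case "$banner" in
        OpenSSH_6.7p1*LibreSSL*) return 0 ;;
        *) return 1 ;;
    esac
}

# rewrite_agent_plist <plist file>
# Points the LaunchAgent at /opt/openssh/bin/ssh-agent, keeps a .orig backup
# and fails unless the new path is present and the old one is gone.
rewrite_agent_plist() {
    plist="$1"
    old='/usr/bin/ssh-agent'
    new='/opt/openssh/bin/ssh-agent'
    # refuse to touch a file that does not look like the stock plist
    grep -q "<string>$old</string>" "$plist" || return 1
    cp "$plist" "$plist.orig" || return 1
    sed "s|<string>$old</string>|<string>$new</string>|" "$plist.orig" > "$plist" || return 1
    grep -q "<string>$new</string>" "$plist" && ! grep -q "<string>$old</string>" "$plist"
}

# make_sample_plist
# Writes a constructed stand-in for org.openbsd.ssh-agent.plist into a temp
# directory and prints its path, so the rewrite can be tested away from /System.
make_sample_plist() {
    dir=$(mktemp -d)
    cat > "$dir/org.openbsd.ssh-agent.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.openbsd.ssh-agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/ssh-agent</string>
        <string>-l</string>
    </array>
</dict>
</plist>
EOF
    printf '%s\n' "$dir/org.openbsd.ssh-agent.plist"
}

# Usage: run the rewrite against the constructed copy, then compare the banner
# of the binary the alias points at with the one in your PATH.
sample=$(make_sample_plist)
rewrite_agent_plist "$sample" && echo "plist rewritten: $sample (backup in $sample.orig)"
if check_ssh_version "$(/opt/openssh/bin/ssh -V 2>&1)"; then
    echo "/opt/openssh/bin/ssh is the LibreSSL build"
else
    echo "/opt/openssh/bin/ssh is not the expected build (or not installed yet)"
fi
```

One caveat worth remembering: the alias in ~/.bash_profile only affects interactive shells. Anything that calls ssh directly, such as git, scp or rsync, still runs /usr/bin/ssh, so run check_ssh_version against the binary those tools actually execute (or put /opt/openssh/bin first in PATH) if you rely on the newer ciphers everywhere.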

