
Question: sushi-keygen-wrapper what is this and do I need to get rid of it?

I am not a savvy user, but I found this in my privacy settings and I am wondering if my computer has been hacked.

Mac mini, macOS 10.14

Posted on May 8, 2019 8:52 AM

Answer:

I think MrHoffman has you covered. :)


Posted on May 8, 2019 3:12 PM


May 8, 2019 2:38 PM in response to amihacked

The sshd-keygen-wrapper tool is an ssh secure shell key generator that is part of macOS, and is used when initially connecting to a Mac remotely via ssh.


If you've enabled ssh remote access via System Preferences > Sharing, then this'd be a pretty typical tool to be used as part of that.


Here's the entirety of the bash shell source code of the tool:

https://opensource.apple.com/source/OpenSSH/OpenSSH-95/sshd-keygen-wrapper.auto.html


Basically, the tool creates several SSH-related keys to uniquely identify your particular Mac to folks connecting into it via ssh. This is a central part of enabling ssh remote access into any system with an ssh server.


If you're concerned about folks causing shenanigans, then avoid installing add-on cleaners or add-on security tools—those can be less effective and more problematic than any of us might like, can create vulnerabilities, and can sometimes cause slowdowns, crashes and hangs—and do ensure that you have complete and current backups, and particularly have at least some backups that are rotated away from your computer, or otherwise disconnected from your computer. There are certainly other recommendations here too, but these backups are your path to data recovery from loss or theft or breach or damage.

May 8, 2019 2:38 PM
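The wrapper script linked above creates the host key files that identify the Mac to ssh clients. A defender who wants to confirm that the key a remote client is shown really belongs to their Mac can compare SHA256 fingerprints. The script below is an added example, not code from this thread or from Apple's sshd-keygen-wrapper: it parses the public half of a host key in the `<type> <base64> [comment]` form used by `ssh_host_*_key.pub` files, checks that the wire blob is well formed and its embedded type tag matches the declared type, and computes the fingerprint in the same unpadded-base64 form that `ssh-keygen -l` prints. The sample key (`SAMPLE_RAW_KEY`, `SAMPLE_PUB_LINE`) is constructed so the example runs offline and is not a real key.

```python
import base64
import hashlib
import struct

# Number of length-prefixed fields in the public-key wire blob for each
# key type, the type string included: ed25519 = type + 32-byte key;
# RSA = type, e, n; ECDSA = type, curve name, point.
EXPECTED_FIELDS = {
    "ssh-ed25519": 2,
    "ssh-rsa": 3,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def split_blob(blob: bytes) -> list:
    """Split a public-key blob into its length-prefixed fields, rejecting truncation."""
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        if offset + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[offset:offset + length])
        offset += length
    return fields


def parse_public_key_line(line: str) -> dict:
    """Parse one '<type> <base64 blob> [comment]' line as found in *.pub files."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in EXPECTED_FIELDS:
        raise ValueError(f"unsupported key type {key_type}")
    # validate=True makes stray characters an error instead of being skipped
    blob = base64.b64decode(b64, validate=True)
    fields = split_blob(blob)
    if len(fields) != EXPECTED_FIELDS[key_type]:
        raise ValueError(f"{key_type}: expected {EXPECTED_FIELDS[key_type]} fields, found {len(fields)}")
    embedded = fields[0].decode("ascii", errors="replace")
    if embedded != key_type:
        raise ValueError(f"declared {key_type} but blob is tagged {embedded}")
    if key_type == "ssh-ed25519" and len(fields[1]) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return {"type": key_type, "blob": blob, "comment": comment}


def sha256_fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (base64, '=' padding stripped)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_line(line: str) -> str:
    """Fingerprint of the key on one *.pub line."""
    return sha256_fingerprint(parse_public_key_line(line)["blob"])


def is_well_formed(line: str) -> bool:
    """True when the line parses and its blob is internally consistent."""
    try:
        parse_public_key_line(line)
        return True
    except ValueError:  # binascii.Error from b64decode is a ValueError subclass
        return False


def matches_expected(line: str, expected: str) -> bool:
    """Compare the host's key file against the fingerprint a client was shown."""
    return fingerprint_line(line) == expected


# Constructed sample (assumption: NOT a real key). 32 arbitrary bytes stand
# in for the ed25519 public key so the example runs without ssh-keygen.
SAMPLE_RAW_KEY = bytes(range(32))
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(SAMPLE_RAW_KEY)
SAMPLE_PUB_LINE = (
    "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " root@example-mac.local"
)

if __name__ == "__main__":
    # On a real Mac, read /etc/ssh/ssh_host_ed25519_key.pub (or the path your
    # macOS version uses) instead of the constructed line.
    print(fingerprint_line(SAMPLE_PUB_LINE))
```

The fingerprint printed for a real host key file should match the `SHA256:` value a client reports on first connection; a mismatch means the client is talking to a different key than the one on your Mac.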


May 9, 2019 9:19 AM in response to amihacked

It appears to only be discombobulation at Apple...


Who put that in my Full Disk Access list? ssh and Mojave’s privacy protection


As far as access by the secure shell is concerned, Macs are in one of three states:

  • never accessed, and sshd-keygen-wrapper is absent from the Full Disk Access list;
  • accessed and permission granted, with sshd-keygen-wrapper listed and ticked;
  • accessed and permission now stopped, with sshd-keygen-wrapper listed but not ticked.

When you try to access that Mac using ssh, if it is in either of the first two states, macOS will automatically give ssh Full Disk Access. It is only when Privacy settings are in the last state that access to protected data will be refused. The only control that the user has is enabling and disabling the sshd-keygen-wrapper in the Full Disk Access list, which has the effect of toggling access to protected data for that user. Note that removing the sshd-keygen-wrapper item from the list sets it back to the first state, effectively enabling Full Disk Access: it does not prevent access to protected data at all.


  • The effect of removing sshd-keygen-wrapper from the Full Disk Access list is exactly the opposite of all other items in that list, in that (because of the default behaviour of ssh) it enables access rather than blocks it.
  • This is the only part of privacy protection in which the default is to allow, without any user warning or interaction.

Together these are an inconsistent design which will lead to human error.

https://eclecticlight.co/2018/11/12/who-put-that-in-my-full-disk-access-list-ssh-and-mojaves-privacy-protection/


https://www.sentinelone.com/blog/mojaves-security-hardening-user-protections-bypassed/


https://hints.macworld.com/article.php?story=2005021023215253



May 9, 2019 9:19 AM


May 9, 2019 8:27 AM in response to amihacked

I wouldn't be concerned about this script.


I would shut off remote access if that's enabled here and not in use, but that access still requires passwords.


What would I be concerned about?


Are your backups current? Are your backups complete? Do you have backups rotated and with some kept disconnected and/or off-site and/or remote? I mean that quite seriously. If not, then you would be following one usual course for these discussions and focusing on what you fear and what you don't understand, and ignoring actual and serious risks to your data. Get your backups going.


As for the rest of your question? If the attackers have gotten to this degree of complete system access and are tweaking a setting like this? They already have complete control and there's no path available short of restoring from known-good distributions and previous backups. You're completely and utterly breached. The proverbial horse has fled the proverbial barn. Wiping and restoring is the recovery path. This is one of various reasons why having complete and current backups is important to your data security.


More than a few folks asking these sorts of questions want a simple answer, too. This often leads to some of those folks getting scammed by sketchy products and by vendors offering "simple solutions". More than a few of which will be malware themselves, or which have variously led to corruptions or instabilities or slowdowns or crashes, or packages that'll "just" upload all your data to who-knows-where, or that'll pop up fake "you are infected" messages. All sorts of nice-looking and apparently-convenient and very inviting-looking utter dreck "security" apps exist here, too. Don't install any package that you didn't go looking for.


Here? Turn off remote management in System Preferences > Sharing, if that's enabled and if you're not using it. Learn about and use good passwords. Use macOS 10.14 Mojave, and whatever the most current available software is at the time, and apply available patches. And don't expect to find easy answers to hard problems.


May 9, 2019 8:27 AM
