I am not a savvy user - but I found this in my privacy settings and i am wondering if my computer has been hacked.
Mac mini, macOS 10.14
Best served with some wasabi and pickled ginger on the side. 😎
Best served with some wasabi and pickled ginger on the side. 😎
I wouldn't be concerned about this script.
I would shut off remote access if that's enabled here not in use, but that access still requires passwords.
What would I be concerned about?
Are your backups current? Are your backups complete? Do you have backups rotated and with some kept disconnected and/or off-site and/or remote? I mean that quite seriously. If not, then you would be following one usual course for these discussions and focusing on what you fear and what you don't understand, and ignoring actual and serious risks to your data. Get your backups going.
As for the rest of your question? If the attackers have gotten to this degree of complete system access and are tweaking a setting like this? They already have complete control and there's no path available short of restoring from known-good distributions and previous backups. You're completely and utterly breached. The proverbial horse has fled the proverbial barn. Wiping and restoring is the recovery path. This is one of various reasons why having complete and current backups is important to your data security.
More than a few folks asking these sorts of questions want a simple answer, too. This often leads to some of those folks getting scammed by sketchy products and by vendors offering "simple solutions". More than a few of which will be malware themselves, or which have variously led to corruptions or instabilities or slowdowns or crashes, or packages that'll "just" upload all your data to who-knows-where, or that'll pop up fake you are infected messages. All sorts of nice-looking and apparently-convenient and very inviting-looking utter dreck "security" apps exist here, too. Don't install any package that you didn't go looking for.
Here? Turn off remote management in System Preferences > Sharing, if that's enabled and if you're not using it. Learn about and use good passwords. Use macOS 10.14 Mojave, and whatever is the most current available software is at the time, and apply available patches. And don't expect to find easy answers to hard problems.
The sshd-keygen-wrapper tool is an ssh secure shell key generator that is part of macOS, and is used when initially connecting to a Mac remotely via ssh.
If you've enabled ssh remote access via > System Preferences > Sharing, then this'd be a pretty typical tool to be used as part of that.
Here's the entirety of the bash shell source code of the tool:
https://opensource.apple.com/source/OpenSSH/OpenSSH-95/sshd-keygen-wrapper.auto.html
Basically, the tool creates several SSH-related keys to uniquely identify your particular Mac to folks connecting into it via ssh. This is a central part of enabling ssh remote access into any system with an ssh server.
If you're concerned about folks causing shenanigans, then avoid installing add-on cleaners or add-on security tools—those can be less effective and more problematic than any of us might like, can create vulnerabilities, and can sometimes cause slowdowns, crashes and hangs—and do ensure that you have complete and current backups, and particularly have at least some backups that are rotated away from your computer, or otherwise disconnected from your computer. There are certainly other recommendations here too, but these backups are your path to data recovery from loss or theft or breach or damage.
So no one has ever connected with my computer remotely that I have actively participated in. So how did that tool get activated? And should I delete it?
It appears to only be discombobulation at Apple...
Who put that in my Full Disk Access list? ssh and Mojave’s privacy protection
As far as access by the secure shell is concerned, Macs are in one of three states:
When you try to access that Mac using ssh, if it is in either of the first two states, macOS will automatically give ssh Full Disk Access. It is only when Privacy settings are in the last state that access to protected data will be refused. The only control that the user has is enabling and disabling the sshd-keygen-wrapper in the Full Disk Access list, which has the effect of toggling access to protected data for that user. Note that removing the sshd-keygen-wrapper item from the list sets it back to the first state, effectively enabling Full Disk Access: it does not prevent access to protected data at all.
Together these are inconsistent design which will lead to human error
https://www.sentinelone.com/blog/mojaves-security-hardening-user-protections-bypassed/
https://hints.macworld.com/article.php?story=2005021023215253
Yes.... If I was sharing with someone, but I am not and have not, so that is concerning to me.
sshd-keygen-wrapper is this supposed to be in my privacy file? I do not share my desktop with anyone.
I think MrHoffman has you covered. :)
sushi-keygen-wrapper what is this and do i need to get rid of it?
