MacOS – Configuring sshd on OS X Lion

macosssh

I'm trying to set up some (rudimentary) ssh security on my workstation behind a router on a home network. It's running Mac OS X Lion (10.7).

As I understand it, what one would normally do under such circumstances is change the appropriate parts of an /etc/sshd_config file. For example, I might have

# akil@computerA:/etc/sshd_config
Port 12345
Protocol 2
PermitRootLogin no
PasswordAuthentication no

And this would, respectively only listen on port 12345, accept authentication method "2" only, disallow root logins, and only allow key logins. I would then restart the ssh daemon and then everything would be great.

Apparently this worked Snow Leopard (OS X 10.6), but it does not seem to work for Lion. Lion seems to ignore anything in the sshd_config file.

For changing the port, you can follow the advice of some blogs and forums posts (1,2) that direct you to change (a) add a new ssh service by editing /System/Library/LaunchDaemons/ssh.plist and (b) defining the port of the new service in /etc/services.

This works — doing ssh akil@computerA.local refuses the connection, but now ssh akil@computerA.local -p 12345 works fine.

The problem is that I have no idea how to use similar steps to change anything else: how do I disable root logins and/or password authentications?

1: Changing sshd port on Lion

2: Changing sshd port on OS X 10.4

Best Answer

You cannot change the port sshd listens to by changing it in sshd_config since sshd is not yet running when the connection comes in. sshd is instantly launched by launched when a connection arrives. So you need to change the port in the appropriate launched item, or create another one to have a second port listening for incoming ssh connections.

You can find the correct file in /System/Library/LaunchDaemons/ssh.plist

Copy that to /Library/LaunchDaemons/ssh-alternative.plist and change the following part:

            <key>Listeners</key>
            <dict>
                    <key>SockServiceName</key>
                    <string>ssh-alt</string>
            </dict>

Notice that the SockServiceName has been changed from ssh to ssh-alt. To make it work you need to add a service named ssh-alt to /etc/services For example like this (to match your example) add this line:

ssh-alt 12345/tcp # ssh-alt

You can then load your new ssh-alternative config with sudo launchctl load -w /Library/LaunchDaemons/ssh-alt.plist

If you're running ipfw make sure to allow tcp connections to the new port. The Sharing.PrefPanel will only allow you to turn on and of the standard port 22 listening sshd (Unless you change ssh in /etc/services which I do not recommend).

In addition you can prevent this service to be advertised by Bonjour by removing the corresponding part from the launched item.

        <key>Bonjour</key>
        <array>
            <string>ssh</string>
            <string>sftp-ssh</string>
        </array>

If this was already running you need to unload and load the item again.

Related Solutions

SSH stops at ‘SSH2_MSG_SERVICE_ACCEPT received’

Running unset SSH_AUTH_SOCK in Terminal worked for me, though I'm currently unsure why. One thing I did not mention in the body of my question was that I had to modify /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist in order to get sshd to work: here's a link to my org.openbsd.ssh-agent.plist in case anyone in the future thinks they know what caused the problem.

MacOS – Background changed on Mountain Lion

If you don't have any Time Machine backups, now would be a good time to make one.

The Desktop Preference in your screen grab is displaying the contents of Macintosh HD -> Library -> Desktop Pictures which appears to be empty. If it really is empty, you may be able to locate, replace, or download the missing files and that could be a simple fix. But if there are other issues and it seems that Mac OS X has been damaged, I would think about using Recovery HD to reinstall the OS. User pictures are located in the /Library/User Pictures folder. Since Disk Utility has verified and repaired permissions on Macintosh HD, I guess those files are missing too.

Step one: make a Time Machine archive of your Mac Mini on an external drive. Once you are sure it is properly backed up, you could try entering this in Terminal to search the Library folder for the Mountain Lion default Desktop picture:

sudo find /Library -name "Galaxy.jpg"

Or search the entire disk like this (it will take quite some time):

sudo find / -name "Galaxy.jpg"

And just for good measure, run a bit of system maintenance:

sudo periodic daily weekly monthly

If you are still in the same predicament and decide to re-install Mac OS X, reboot holding down the Command and R keys until you see the Apple logo appear. You should see a list of utilities including Disk Utility (try it one more time) and "Install Mac OS X" which is a 4GB download, so a good network connection is going to help. After a clean install, you can use Migration Assistant to import Users from the Time Machine archive you made earlier. Applications are best re-installed from the App Store, original media, or a source you can trust.

Best Answer

Related Solutions

SSH stops at ‘SSH2_MSG_SERVICE_ACCEPT received’

MacOS – Background changed on Mountain Lion

Related Question