MacOS – How to use SSH keys and disable password authentication

macos ssh

I'm trying to access a Mac remotely (I do have physical access to this Mac) through SSH from a Linux client computer. My goal is to access this Mac from outside the network. Port forwarding is set up on the router. From my client computer I'm able to ssh user@ip for the public IP and I am able to get into the Mac, so port forwarding is working.

Now I want to set up SSH keys. I've generated SSH keys on my client computer but I wanted to get the SSH daemon on the Mac set up first. I edited /etc/ssh_config and set PasswordAuthentication no. I restarted SSH with these commands: sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist, then sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist. When I try to SSH in from the client again, it still asks for my password.

I took a look at this post and from the answer I added UsePAM no to the config file and restarted the service with launchctl again. I'm still being prompted for a password.

I also tried the solution here. I'm still being prompted for a password.

How do I set up my ssh_config so that it doesn't ask for the password and only accepts SSH keys? Am I not restarting the daemon properly? Is there another step I am missing?

Best Answer

I was editing the wrong configuration file! Instead of /etc/ssh_config, I edited private/etc/sshd_config. I think this probably would have also worked if I edited /etc/sshd_config as per the updated answer from @GhostLyrics, but I didn't test that yet so I can't say for sure. After that, I restarted the service with sudo launchctl stop com.openssh.sshd and then sudo launchctl start com.openssh.sshd and I was able to get my desired behavior. Here is the resource where I found the pertinent information: https://superuser.com/questions/364304/how-do-i-configure-ssh-on-os-x

Here are the config options I changed:

PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no

After that I was able to successfully generate SSH keys on my client computer, move the public key to ~/.ssh/authorized_keys on the Mac, and set permissions for that file to 644.

It is important to note that those permissions are for my public key. My private key permissions are set to 600 on my client computer. This is really important if you have both your public and private key in your ~/.ssh folder and there are multiple users on the system. If your private key permissions are set to 644 then any user could read your private key and impersonate you. Also, the permissions for the ~/.ssh folder should be 700.
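The following script is an added example, not part of the original answer: it checks that the four directives listed above are explicitly set to no in a given sshd_config file, and that key files carry no permission bits beyond the modes the answer names. The function names are hypothetical, and it assumes whitespace-separated directives in a single file, reading only the global section before any Match block; running sshd -T as root prints the configuration the daemon actually resolves.

```shell
#!/bin/sh
# Added example: audit sshd_config directives and key-file permissions.
# Function names are hypothetical; pass the config path as the first argument.

# Effective global value of KEYWORD: sshd uses the FIRST occurrence, keywords
# are case-insensitive, commented-out lines are ignored, and scanning stops at
# the first Match block.
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -v k="$2" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$1"
}

# Report each of the four directives from the answer that is not explicitly "no".
audit_sshd_config() {  # usage: audit_sshd_config FILE; returns 1 on any finding
    rc=0
    for key in PermitRootLogin PasswordAuthentication \
               PermitEmptyPasswords ChallengeResponseAuthentication; do
        val=$(sshd_value "$1" "$key")
        if [ "$val" != "no" ]; then
            echo "FAIL $key is '${val:-unset, default applies}'"
            rc=1
        fi
    done
    return $rc
}

# Octal mode of a path, on Linux (stat -c) or macOS (stat -f).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Fail if FILE grants any permission bit outside MAX (600, 644, 700, ...).
check_mode() {  # usage: check_mode FILE MAX
    m=$(mode_of "$1")
    if [ $(( 0$m & ~0$2 & 0777 )) -ne 0 ]; then
        echo "FAIL $1 is mode $m, expected at most $2"
        return 1
    fi
}

# Run the audit when a config path is given, e.g. /etc/sshd_config on the Mac.
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
    check_mode "$HOME/.ssh" 700
    check_mode "$HOME/.ssh/authorized_keys" 644
fi
```

On the client, the same check_mode function can be pointed at the private key with a maximum of 600.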