MacOS – SSH no longer listens on custom port after update to 10.12.4

macosssh

I had a custom port by using the "Port" line in /etc/sshd_config. After updating to Mac OS X 10.12.4 I found I could no longer connect on the custom port – instead it was listening on port 22. I found that my sshd_config had apparently been renamed to sshd_config~previous, so I moved it back to the correct spot and restarted sshd from the command line using sudo launchctl stop com.openssh.sshd; sudo launchctl start com.openssh.sshd. However, after the restart sshd was still listening on port 22. I then opened System Preferences and under sharing clicked on "Remote Login". Running `netstat -a -n" showed that port 22 was no longer being listened to. I then click on "Remote Login" to restart sshd, and then found sshd was still listening on port 22, not my custom port.

In /var/log/apache2 I see an empty access_log on startup, and error_log contains the normal startup message. No clues there.

How do I get sshd to listen on my custom port again?

Best Answer

I found the answer here and it appears to also apply for upgrading to Sierra from a pre-el capitan version of OS X.

To summarize:

sudo cp /System/Library/LaunchDaemons/ssh.plist /Library/LaunchDaemons/ssh2.plist

Edit /Library/LaunchDaemons/ssh2.plist and change the lines that read:

<key>Label</key>
<string>com.openssh.sshd</string>

to:

<key>Label</key>
<string>com.openssh.sshd2</string>

And change the lines that read:

<key>SockServiceName</key>
<string>ssh</string>

by replacing "ssh" with whatever port you want to use.

Then start the new port with:

sudo launchctl load -w /Library/LaunchDaemons/ssh2.plist

As noted in the article, this doesn't eliminate ssh running on port 22. In my case that was okay - the main reason for running on the new port was to match the port ssh was visible at outside the firewall.

Related Solutions

Mac – Need help understanding script running at startup? “osascript -e ‘tell app \”ARDAgent\“ to do shell script \”say quack\“’”

It seems your Mac has been compromised (at the time of your writing) in order to mine bitcoins (./bitcoin-qt.app) probably by using ARDAgent exploit or similar. The posted commands are quite advanced, however plenty of them are copy&paste commands which indicates some pseudo-hacker (with actually little knowledge) who is trying to install trojan on your system.

Find the explanation for history commands below:

1: It removing files from Trash. Maybe clearing some evidence after downloading something.
2-12: Accessing Downloads folder with a bit of trouble. Half of these commands are mis-typed, so maybe the person was in hurry or stressed out.
13-14: Finding all files which belong to an unknown user (for unknown reason).
15-20: Struggling to access your passwords in KeyChains, but most of the commands are mis-typed. This indicates very little knowledge how to use the basic shell commands. It seems he tries to access folders such as /Library/LaunchAgents, /Library/Automator, /Library/Keychains, but fails.
21: There is no command sha.
22-23: Struggling to see your processes.
24-29: Struggling to check all the system users, however present shell prompt in 25-27 indicates that these commands were copy and pasted from some hack tutorial.
34-39: Checking network configuration.
41: Disabling auto updates for Google apps.
40, 45: Log-in to remote host.
47: Checking your non-Apple kernel extensions.
48-49: Checking your non-Apple loaded jobs. Repeating the same command without sudo could indicate that the user didn't have root access.
51: Checking startup items.
57: Disabling remote desktop agent. Why?
71-72: How he managed to install htop using apt-get on OS X? I don't know.
73-164: Checking processes, what's listening on port 80 and the history of last logins.
165-225: Checking your users and files again.
228: Indicates the person is from Windows background, as the parameter /i is invalid.
226-237: Repeating the same things over and over again.
238-480: Clearing DNS caches.
241-259: Running Bitcoin client.
263-264: Pasting code into wrong window. It should be actually:
```
osascript -e 'tell app "ARDAgent" to do shell script "say quack"'
```
Which basically on successful run of ARDAgent would run command say quack which basically say loudly "quack". This suppose to test if ARDAgent is vulnerable to the attacks, but testing by using Speech Synthesis it's the worse what hacker can do, because the user will hear that and figure it out that something is wrong.
265: Testing if check_afp is vulnerable by having SUID flag.

Your action were correct by disabling SUID for ARDAgent. When you run Disk Utility and Repair Permission, it will automatically restore the right permissions (including ARDAgent), unless it has been modified. The other thing it to keep your system up-to-date and monitor logs and history more frequently.

SSH into different port

You can use the -p option to choose a different port. So:

ssh -p 222 root@ipaddress

You can also look up help using the man (manual) command, like man ssh, to show help information, including usage, command line options, errors, etc. While in the man page, you can type / (the slash character) followed by any text (and Enter) to search for that within the manual.

Best Answer

Related Solutions

Mac – Need help understanding script running at startup? “osascript -e ‘tell app \”ARDAgent\“ to do shell script \”say quack\“’”

SSH into different port

Related Question