Unable to SSH to OS X Server over alternate port


Mac mini running OS X Server 10.11.6, CommuniGate Pro, and nearly no other stock OS X Server services.

Server's owner recently found himself on a network that blocked ports for both VPN connections and SSH, so we're trying to set up the server to allow for an SSH tunnel via SOCKS proxy to port 443, which is nearly always left open. (We have no plans on running web services over that port on this box.)

Research indicates this should be a two-step process: 1) edit /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf to remove web listeners on ports 80 and 443; 2) edit /etc/ssh/ssh_config to add an SSH listener on port 443; then reboot.

Upon doing so, HTTP services indeed are turned off on 80 and 443, but I can't connect to SSH on port 443. Works fine over 22 still. Nmapping the server indicates that there's nothing open on port 443. Is there something else I need to do to open this up?

Best Answer

Here are steps to get SSH listening on port 443. Note that if you have SIP disabled, you can directly edit (as root) /System/Library/LaunchDaemons/ssh.plist and therefore can skip steps 1 and 3, and use the above path in steps 2 and 5. Note in that case you will want to run the unload command before editing ssh.plist.

  1. Copy the existing ssh.plist file into /Library:

    sudo cp /System/Library/LaunchDaemons/ssh.plist /Library/LaunchDaemons/ssh2.plist
    
  2. Edit the file as root:

    sudo nano /Library/LaunchDaemons/ssh2.plist
    
  3. There are two things that need to be changed. First is the <Label>. Change this:

    <key>Label</key>
    <string>com.openssh.sshd</string>
    

    To something like this:

    <key>Label</key>
    <string>com.openssh.sshd443</string>
    
  4. Next change this:

    <key>SockServiceName</key>
    <string>ssh</string>
    

    To this:

    <key>SockServiceName</key>
    <string>443</string>
    
  5. Save and then run this command to load the service:

    sudo launchctl load -w /Library/LaunchDaemons/ssh2.plist
    

    If you ever need to unload it, you can do so with:

    sudo launchctl unload /Library/LaunchDaemons/ssh2.plist
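The two hand edits above (the Label and the SockServiceName) can also be made programmatically, which guarantees the copy stays well-formed XML and that its Label actually differs from the stock job (launchd will not load two jobs with the same Label). The script below is an added example, not part of the answer above or of Apple's files: it uses Python's standard plistlib on a constructed, trimmed stand-in for /System/Library/LaunchDaemons/ssh.plist (the real file carries more keys). Unlike the answer, it also drops the Bonjour entry from the listener so the alternate port is not advertised on the LAN; that is a choice of this example. The port is owned by launchd's socket, which sshd inherits via `-i`; sshd_config's own Port setting plays no part in what listens.

```python
"""Build a second launchd job that makes sshd listen on an alternate port.

Added example, not from the original answer. Reads a stock ssh.plist, rewrites
Label and Sockets/Listeners/SockServiceName, and emits the new plist. On a real
OS X Server box you would run it as root and write the result to
/Library/LaunchDaemons/ssh443.plist, then `launchctl load -w` it as the answer does.
"""
import plistlib
import sys

# Constructed, trimmed stand-in for /System/Library/LaunchDaemons/ssh.plist.
# The keys edited by the answer (Label, SockServiceName) are laid out as in the real file.
STOCK_SSH_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Disabled</key>
	<true/>
	<key>Label</key>
	<string>com.openssh.sshd</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/sbin/sshd</string>
		<string>-i</string>
	</array>
	<key>Sockets</key>
	<dict>
		<key>Listeners</key>
		<dict>
			<key>SockServiceName</key>
			<string>ssh</string>
			<key>Bonjour</key>
			<array>
				<string>ssh</string>
				<string>sftp-ssh</string>
			</array>
		</dict>
	</dict>
	<key>inetdCompatibility</key>
	<dict>
		<key>Wait</key>
		<false/>
	</dict>
</dict>
</plist>
"""


def make_alt_port_job(stock_plist: bytes, port: int) -> bytes:
    """Return a new launchd plist for sshd on `port`, derived from the stock one."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    job = plistlib.loads(stock_plist)
    if job["Label"].endswith(str(port)):
        raise ValueError("stock plist already looks like an alternate-port job")

    # Step 3 of the answer: a distinct Label, e.g. com.openssh.sshd443.
    job["Label"] = f"{job['Label']}{port}"

    # Step 4 of the answer: launchd binds this service name/port and hands the
    # accepted connection to `sshd -i`, so the port lives here, not in sshd_config.
    listeners = job["Sockets"]["Listeners"]
    listeners["SockServiceName"] = str(port)

    # Example's own choice: don't advertise the alternate listener over Bonjour.
    listeners.pop("Bonjour", None)

    return plistlib.dumps(job)


def describe_job(plist_bytes: bytes) -> dict:
    """Summarise the fields that decide how launchd exposes an sshd job."""
    job = plistlib.loads(plist_bytes)
    listeners = job["Sockets"]["Listeners"]
    return {
        "label": job["Label"],
        "service": listeners["SockServiceName"],
        "bonjour": "Bonjour" in listeners,
        "inetd_style": job.get("ProgramArguments", [])[-1:] == ["-i"],
    }


if __name__ == "__main__":
    # Usage: sudo python3 make_alt_sshd_job.py 443 /System/Library/LaunchDaemons/ssh.plist \
    #            > /Library/LaunchDaemons/ssh443.plist
    alt_port = int(sys.argv[1]) if len(sys.argv) > 1 else 443
    source = open(sys.argv[2], "rb").read() if len(sys.argv) > 2 else STOCK_SSH_PLIST
    sys.stdout.buffer.write(make_alt_port_job(source, alt_port))
```

After `sudo launchctl load -w` on the generated file, confirm the job is registered with `sudo launchctl list | grep openssh` and that something is actually bound with `sudo lsof -nP -iTCP:443 -sTCP:LISTEN`; an empty lsof result means the socket was never created, which is the state the question describes.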