Mac OS X Lion — Changing SSHD port

I love Apple. I’m not some wacky Apple-or-Die lunatic but I have been using OS X as my primary home operating system for quite a while now.  Windows, Unix and Linux each have their own strengths and weaknesses and I use all of them. But for my everyday computing needs, OS X  just works. It’s stable, it looks unbelievable and the UI advancements especially around input gestures in Lion are way ahead of anyone else. It’s not always peaches and cream however. Apple having to do everything their own special Apple way can make usually simple tasks such as changing your default sshd port a bit of a pain in the ass. I was reminded of this during my recent upgrade to Lion.

In your traditional *nix OS you can simply edit one file in your /etc or /etc/ssh directory, generally called sshd_conf or something similar, and change your sshd port. Simply bust out your trusty text editor and change the line “Port 22″ to list whatever port you wish to use, save the file and restart your sshd daemon. Sshd will now be running on the port of your choosing.

Does OS X have a /etc/sshd_config file? Absolutely! Can you change the “Port 22″ line using your trusty text editor? Absolutely! Will this change the sshd port on your system once your restart your sshd daemon? Absolutely NOT!

There are plenty of older posts around on this topic but too bad, you’re getting mine anyway. I need the writing practice and my recent Lion upgrade screwed me over by overwriting my sshd config files forcing me to dig up this solution again.

The first thing you’ll need to do to change the sshd port in OS X is create a “service definition” in the /etc/services file. To do this, edit the /etc/services and add the lines:

SuperSecretSSH     12345/udp
SuperSecretSSH     12345/tcp

This will create the service definition for your very own special sshd configuration. (Wait What?! — You don’t even see the /etc/services file? That’s right,…OS X Lion will hide this file. Check out this handy post for temporarily making these files visible http://www.mikesel.info/show-hidden-files-mac-os-x-10-7-lion/ )

Now that you have your service defined in /etc/services there is one just more file to modify, /System/Library/LaunchDaemons/ssh.plist. This lovely little file tells launchd what services to launch. Search the file for SocksServiceName and change it from this:

<key>SockServiceName</key>
<string>ssh</string>

To this:

<key>SockServiceName</key>
<string>SuperSecretSSH</string>

Once you have made these changes, reboot and your sshd service should be running on your super secret port of 12345. May your logs never fill with unnecessary automated login attempts from the internet again.

For slightly more technical details please check out the original post from waaaaay back in 05′ courtesy of MacWorld



About these ads

18 responses to “Mac OS X Lion — Changing SSHD port

  1. Pingback: Changing the default SSHD Port - MikeSel.info

  2. sorry kinda late for this party but when I try to edit the service file it says im locked even when im the admin any solutions thankyou

  3. I wanted a second port (as opposed to only a replacement). By copying
    /System/Library/LaunchDaemons/ssh.plist to
    /System/Library/LaunchDaemons/SuperSecretSSH.plist
    then making your edits to the latter file; then using
    sudo launchctl load -w /Library/LaunchDaemons//System/Library/LaunchDaemons/SuperSecretSSH.plist
    sshd now runs on two ports for me :)

  4. thanks. one thing though. This seems to break the remote login feature. it works, but i have to start it manually. any way to start this automatically?

    • it’s ok, I worked it out. It was the file permissions on the ssh.plist file. I edited it in textedit and messed up the permissions. thanks :)

  5. Not sure how I screwed this up. I edited both the /etc/services files and the /System/Library/LaunchDaemons/ssh.plist as described above. After rebooting I am unable to remotely access the machine. Using Fing to examine the open ports I cannot see my super secret ssh port. I tried a different port value – still no luck.

    Any suggestions?

  6. Thanks for the tips. I just made it work on Mountain Lion. An additional trick was needed, you need to change the Label key to differ from what is on the first plist file.

    This:
    Label
    com.openssh.sshd

    became this:
    Label
    com.openssh.sshd-alt

    ..otherwise you get “already loaded” errors when trying to “launchctl load” the second plist.

    Everything else went perfectly.Thanks again.

    Ffeijo

  7. Just discovered that removing the ‘Program’ = ‘/usr/libexec/sshd-keygen-wrapper’ key allows one to insert additional cmdline arguments for /usr/sbin/sshd (in ProgramArguments), like:
    -o
    AllowUsers myUsernameForLoggingInFromTheInternet

    Combining this with what Miles did above, I get to allow all LAN users on the regular port-22 sshd, and a single strong-password user from WAN on some obscure higher port number. Of course, a firewall needs to be in place, forwarding WAN-originated ssh requests through only to this other port.

  8. Hello would you mind letting me know which web host you’re using? I’ve loaded your blog in 3 different internet browsers and I must say this blog loads a lot faster then most. Can you recommend a good web hosting provider at a fair price? Cheers, I appreciate it!

  9. This helped me get it working in 10.8, thanks. Yours was the only set of instructions I found that mentioned the requirement to restart the computer — geez, did Apple really mess this up or what?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s