I love Apple. I’m not some wacky Apple-or-Die lunatic but I have been using OS X as my primary home operating system for quite a while now. Windows, Unix and Linux each have their own strengths and weaknesses and I use all of them. But for my everyday computing needs, OS X just works. It’s stable, it looks unbelievable and the UI advancements especially around input gestures in Lion are way ahead of anyone else. It’s not always peaches and cream however. Apple having to do everything their own special Apple way can make usually simple tasks such as changing your default sshd port a bit of a pain in the ass. I was reminded of this during my recent upgrade to Lion.
In your traditional *nix OS you can simply edit one file in your /etc or /etc/ssh directory, generally called sshd_conf or something similar, and change your sshd port. Simply bust out your trusty text editor and change the line “Port 22” to list whatever port you wish to use, save the file and restart your sshd daemon. Sshd will now be running on the port of your choosing.
Does OS X have a /etc/sshd_config file? Absolutely! Can you change the “Port 22” line using your trusty text editor? Absolutely! Will this change the sshd port on your system once you restart your sshd daemon? Absolutely NOT!
There are plenty of older posts around on this topic but too bad, you’re getting mine anyway. I need the writing practice and my recent Lion upgrade screwed me over by overwriting my sshd config files forcing me to dig up this solution again.
The first thing you’ll need to do to change the sshd port in OS X is create a “service definition” in the /etc/services file. To do this, edit /etc/services and add the lines:
SuperSecretSSH 12345/udp
SuperSecretSSH 12345/tcp
This will create the service definition for your very own special sshd configuration. (Wait, what?! You don’t even see the /etc/services file? That’s right… OS X Lion will hide this file. Check out this handy post for temporarily making these files visible: http://www.mikesel.info/show-hidden-files-mac-os-x-10-7-lion/ )
Now that you have your service defined in /etc/services there is just one more file to modify, /System/Library/LaunchDaemons/ssh.plist. This lovely little file tells launchd what services to launch. Search the file for SockServiceName and change it from this:
<key>SockServiceName</key>
<string>ssh</string>
To this:
<key>SockServiceName</key>
<string>SuperSecretSSH</string>
Once you have made these changes, reboot and your sshd service should be running on your super secret port of 12345. May your logs never fill with unnecessary automated login attempts from the internet again.
For slightly more technical details please check out the original post from waaaaay back in ’05, courtesy of MacWorld.
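A way to confirm the two edits above agree before you reboot, as an added example that is not part of the original post: the script reads SockServiceName from a plist and checks that the name has a tcp entry in a services file. The function names and the sample files are constructed for illustration; run it against copies of /etc/services and ssh.plist.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the service name
# launchd is told to listen on actually resolves to a TCP port.

# Print the <string> value that follows <key>SockServiceName</key>.
sock_service_name() {
    awk '
        /<key>SockServiceName<\/key>/ { found = 1; sub(/.*<key>SockServiceName<\/key>/, "") }
        found && (i = index($0, "<string>")) {
            s = substr($0, i + 8)
            j = index(s, "</string>")
            if (j) { print substr(s, 1, j - 1); exit }
        }
    ' "$1"
}

# Print the TCP port defined for service name $1 in services file $2.
tcp_port_for() {
    awk -v name="$1" '
        { sub(/#.*/, "") }   # ignore comments
        $1 == name && $2 ~ /^[0-9]+\/tcp$/ { split($2, a, "/"); print a[1]; exit }
    ' "$2"
}

# usage: check_sshd_port PLIST SERVICES -> prints "name port", non-zero on mismatch
check_sshd_port() {
    name=$(sock_service_name "$1")
    [ -n "$name" ] || { echo "no SockServiceName in $1" >&2; return 2; }
    port=$(tcp_port_for "$name" "$2")
    [ -n "$port" ] || { echo "service '$name' has no tcp entry in $2" >&2; return 1; }
    echo "$name $port"
}

# Constructed sample input (not copied from a real system).
demo=$(mktemp -d)
cat > "$demo/services" <<'EOF'
ssh              22/tcp    # SSH Remote Login Protocol
SuperSecretSSH   12345/udp
SuperSecretSSH   12345/tcp
EOF
cat > "$demo/ssh.plist" <<'EOF'
<dict>
    <key>SockServiceName</key>
    <string>SuperSecretSSH</string>
</dict>
EOF
check_sshd_port "$demo/ssh.plist" "$demo/services"
```

A non-zero exit means the name in the plist is misspelled or has no tcp line in the services file, in which case the custom port will not open.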
Thanks for the link back 🙂
Sorry, kinda late for this party, but when I try to edit the service file it says I’m locked even when I’m the admin. Any solutions? Thank you.
What application are you using to edit the services file?
the reg text editor
I’m using the text editor
From a terminal run ‘sudo open -t /etc/services’ . This will allow you to edit the file.
Thank you very mucho ! lol
I wanted a second port (as opposed to only a replacement). By copying
/System/Library/LaunchDaemons/ssh.plist to
/System/Library/LaunchDaemons/SuperSecretSSH.plist
then making your edits to the latter file; then using
sudo launchctl load -w /System/Library/LaunchDaemons/SuperSecretSSH.plist
sshd now runs on two ports for me 🙂
Thanks. One thing though: this seems to break the Remote Login feature. It works, but I have to start it manually. Any way to start this automatically?
It’s OK, I worked it out. It was the file permissions on the ssh.plist file. I edited it in TextEdit and messed up the permissions. Thanks 🙂
Thank you for the useful tips. Instead of rebooting, you can turn off and on the “Remote Login” under System Preferences, Sharing.
Not sure how I screwed this up. I edited both the /etc/services files and the /System/Library/LaunchDaemons/ssh.plist as described above. After rebooting I am unable to remotely access the machine. Using Fing to examine the open ports I cannot see my super secret ssh port. I tried a different port value – still no luck.
Any suggestions?
Thanks for the tips. I just made it work on Mountain Lion. An additional trick was needed: you need to change the Label key to differ from what is in the first plist file.
This:
<key>Label</key>
<string>com.openssh.sshd</string>
became this:
<key>Label</key>
<string>com.openssh.sshd-alt</string>
...otherwise you get “already loaded” errors when trying to “launchctl load” the second plist.
Everything else went perfectly. Thanks again.
Ffeijo
Just discovered that removing the ‘Program’ = ‘/usr/libexec/sshd-keygen-wrapper’ key allows one to insert additional cmdline arguments for /usr/sbin/sshd (in ProgramArguments), like:
<string>-o</string>
<string>AllowUsers myUsernameForLoggingInFromTheInternet</string>
Combining this with what Miles did above, I get to allow all LAN users on the regular port-22 sshd, and a single strong-password user from WAN on some obscure higher port number. Of course, a firewall needs to be in place, forwarding WAN-originated ssh requests through only to this other port.
This helped me get it working in 10.8, thanks. Yours was the only set of instructions I found that mentioned the requirement to restart the computer — geez, did Apple really mess this up or what?