This tip falls into the "I had to spend more than 10 minutes looking for an answer" category, so it's a worthwhile subject for a quick blog post.
Why Run SSH?
Running SSH on Mac OS-X allows you to log in to your machine remotely, and also to copy files securely to and from your Mac OS-X host with the scp command.
But I am behind my own $50 router/firewall. Can I still connect to my computer from outside?
Yes. Most off-the-shelf routers and firewalls will let you do the two things that are needed for this:
- Assign a permanent IP address to your Mac on a local network (see your router documentation for more details)
- Create a port forwarding rule on your router, e.g. any request to port 22 on your external IP (the address your ISP assigns to the router) is routed to the specific IP address of your Mac. The exact specifics of this configuration are once again in your router documentation. Most off-the-shelf routers support this, including basic Netgear and D-Link models.
So let's assume you've set this whole thing up and you are now able to connect from outside to port 22 of your external IP address on your firewall, which is then routed to port 22 on your Mac. This is great, since now you can copy files via scp from the internet to your computer, connect to it from your work office, etc.
But why would you want to run SSH on an alternative port, and not 22?
The simple answer is that port 22 is probably the most obvious port to "probe" from outside. Attackers typically run automated port scans of publicly visible IP addresses, but scanning all 64K ports on every host takes a long time, so those scans usually cover only a small subset of well-known ports. An open port 22 is a clear indication of a server system, which makes it a likely candidate for an attack. Turn off port 22 and, to the outside world, your system looks a lot more boring. Boring is good.
So I still want to use my SSH connection, but would rather not do it on the default port. More expensive firewalls and routers will let you forward, e.g., port 33333 from the outside to port 22 on the inside. But none of the cheap off-the-shelf routers I've seen allow that: they take only an incoming port and a destination IP, which means the outside port and the inside port must be the same. That's a silly limitation and a small bummer. So to make this work with my cheap router I have to change the listening port on the Mac itself.
Frankly, that isn't a bad idea either, since whenever you connect your laptop to a public wi-fi network anyone on that network can connect directly to your Mac and probe its open ports. So keeping port 22 open on your Mac is not that great an idea. Keep in mind, though, that a non-standard port only cuts the noise from untargeted scans; anyone who bothers to scan every port will still find sshd, so it is no substitute for key-based authentication and strong passwords on the accounts that are allowed to log in.
In order to change the port of the SSH daemon on Mac OS-X, follow these steps:
- Open Terminal and edit the file /etc/services (as root)
- Add a line at the bottom:
secret-ssh 43539/tcp # secret SSH port
- Edit the file /System/Library/LaunchDaemons/ssh.plist and replace the line
<key>SockServiceName</key> <string>ssh</string>
with
<key>SockServiceName</key> <string>secret-ssh</string>
- Change your port forwarding configuration on your firewall to route port 43539 instead
- Open the "Sharing" control panel and look at "Remote Login": if it is checked, uncheck it to stop the daemon, then check it again so launchd starts sshd with the new configuration.
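The same steps, rehearsed as a small shell script. This is an added example, not code from the original post: it works on copies of /etc/services and ssh.plist that are constructed inline to resemble the Leopard-era originals, refuses to add the entry if the chosen port is already allocated, and changes only the <string> that belongs to SockServiceName (the port 43539 and the name secret-ssh are the post's choices). The commented lines at the end show the same functions applied to the real paths as root.

```shell
#!/bin/sh
# Added example (not from the original post): rehearse the SSH port change on
# copies of the two files before touching the real ones as root.

NEW_PORT=43539
SERVICE_NAME=secret-ssh

# Print any services entry that already uses the port (tcp or udp).
# Exit status 0 means the port is taken, 1 means it is free.
port_taken() {            # $1 = port, $2 = services file
    grep -E "^[^#[:space:]]+[[:space:]]+$1/(tcp|udp)([[:space:]]|$)" "$2"
}

# Append the new service line; refuse if the port is already allocated.
add_service() {           # $1 = name, $2 = port, $3 = services file
    if port_taken "$2" "$3" >/dev/null; then
        echo "port $2 is already allocated in $3" >&2
        return 1
    fi
    printf '%s\t\t%s/tcp\t# secret SSH port\n' "$1" "$2" >> "$3"
}

# Emit the plist with SockServiceName pointing at the new service name.
# Only the <string> that belongs to SockServiceName is touched, whether it
# sits on the same line as the key or on the line after it.
rewrite_plist() {         # $1 = plist file, $2 = new service name
    awk -v name="$2" '
        /<key>SockServiceName<\/key>/ { armed = 1 }
        armed && /<string>ssh<\/string>/ {
            sub(/<string>ssh<\/string>/, "<string>" name "</string>")
            armed = 0
        }
        { print }
    ' "$1"
}

# Report the service name a plist will hand to launchd for its listener.
plist_service_name() {    # $1 = plist file
    awk '/<key>SockServiceName<\/key>/ { armed = 1 }
         armed && match($0, /<string>[^<]*<\/string>/) {
             print substr($0, RSTART + 8, RLENGTH - 17); exit }' "$1"
}

# --- rehearsal on constructed copies (sample contents, not the real files) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/services" <<'EOF'
ssh             22/udp     # SSH Remote Login Protocol
ssh             22/tcp     # SSH Remote Login Protocol
EOF

cat > "$WORK/ssh.plist" <<'EOF'
<key>Sockets</key>
<dict>
    <key>Listeners</key>
    <dict>
        <key>SockServiceName</key>
        <string>ssh</string>
    </dict>
</dict>
EOF

add_service "$SERVICE_NAME" "$NEW_PORT" "$WORK/services"
rewrite_plist "$WORK/ssh.plist" "$SERVICE_NAME" > "$WORK/ssh.plist.new"
echo "listener service after rewrite: $(plist_service_name "$WORK/ssh.plist.new")"

# To apply for real (as root on the Mac, after backing up both files):
#   add_service secret-ssh 43539 /etc/services
#   rewrite_plist /System/Library/LaunchDaemons/ssh.plist secret-ssh > /tmp/ssh.plist
#   cp /tmp/ssh.plist /System/Library/LaunchDaemons/ssh.plist
# then toggle Remote Login in the Sharing pane so launchd reloads the plist,
# and confirm the new listener with:  netstat -an | grep LISTEN
```

The port check matters because /etc/services is shared with every other service lookup on the box; picking a number that is already listed (for tcp or udp) would make the name resolution ambiguous.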
Now you should be able to ssh to your external IP as follows:
ssh -p 43539 ip_address_of_your_server -l username
To copy a local file to the Desktop of your Mac from a remote host, run the following command:
scp -P 43539 local_file.txt username@ip_address_of_your_server:~/Desktop
Note that the scp command takes an upper-case P, while regular ssh wants a lower-case p to declare the remote server's port. If you connect often, a Host entry with the port in your ~/.ssh/config saves typing the flag every time. That's it, hope it helps! :)
3/9/08 10:48:06 PM com.apple.launchd (com.openssh.sshd) Unknown key: SHAuthorizationRight
Seems to work regardless.
Best explanation I can find:
Re: The mysterious SHAuthorizationRight key
by Dave Zarzycki, Dec 03, 2007, 01:01pm
A project at Apple is overloading the launchd configuration file
schema to store non-launchd preferences. We hope to resolve this
matter in the next major version of Mac OS X.
You basically get a very expensive router in the body of a standard, cheap router.
The list includes all 64,000 ports, so it is long. But if you had a particular number in mind you like to try, you can scroll and see if it is unallocated or not.
My only original problem with this hack is that, well, you're telling everyone what port is being used, which sort of defeats the whole purpose!
:w (saves the file)
:q (quits the file)
ssh 22/udp # SSH Remote Login Protocol
ssh 22/tcp # SSH Remote Login Protocol