Instructions for an alternative port SSH server on Mac OS X (without Bonjour announcements).
Alternative/Secondary/Backup SSH Service:
Add this line to /etc/services
ssh-alt 10022/tcp # ssh-alternative
You may change the port to any unused port you like but maybe try to avoid 2222 and 22222 as they are a little too obvious. This line actually specifies which port your alternative sshd will be listening on.
Save the following launchd item as /Library/LaunchDaemons/ssh-alt.plist
Load with
sudo launchctl load -w /Library/LaunchDaemons/ssh-alt.plist
Unload with
sudo launchctl unload -w /Library/LaunchDaemons/ssh-alt.plist
if you decide to not use it anymore.
Uses the same config as standard sshd in /etc/sshd_config except for the port. (The port setting in sshd_config is ignored.)
This one does NOT announce itself as ssh and sftp service via Bonjour.
It is by no means safer than any other ssh installation. It's just not affected by the usual bots that only scan port 22 for victims.
Works from 10.4 up until 10.6.6 and server as well, haven't checked with 10.7 yet.
Connect as usual but don't forget about the custom port.
ssh -p 10022 user@hostname.example.com
Or just add a
Port 10022
to any Host in your ~/.ssh/config
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.openssh.sshd-alt</string>
    <key>Program</key>
    <string>/usr/libexec/sshd-keygen-wrapper</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/sshd</string>
        <string>-i</string>
    </array>
    <key>SHAuthorizationRight</key>
    <string>system.preferences</string>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SockServiceName</key>
            <string>ssh-alt</string>
        </dict>
    </dict>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>inetdCompatibility</key>
    <dict>
        <key>Wait</key>
        <false/>
    </dict>
</dict>
</plist>
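A pre-load check for the setup above, as an added example that is not part of the original gist: it resolves the plist's SockServiceName through /etc/services-style text the way the instructions rely on, and reports a missing entry, a port already assigned to another service, one of the "obvious" ports, or a Bonjour key in the listener. The function names and the embedded sample inputs are constructed for illustration.

```python
import plistlib

# 22 is the default port; the instructions advise against 2222 and 22222.
OBVIOUS_PORTS = {22, 2222, 22222}

# Constructed sample inputs mirroring the gist's plist listener and services line.
SAMPLE_PLIST = (b'<plist version="1.0"><dict>'
                b'<key>Label</key><string>com.openssh.sshd-alt</string>'
                b'<key>Sockets</key><dict><key>Listeners</key><dict>'
                b'<key>SockServiceName</key><string>ssh-alt</string>'
                b'</dict></dict></dict></plist>')
SAMPLE_SERVICES = ("ssh 22/tcp # SSH Remote Login Protocol\n"
                   "ssh-alt 10022/tcp # ssh-alternative\n")

def parse_services(text):
    """Return ({(name, proto): port}, {(port, proto): [names]}) from services text."""
    by_name, by_port = {}, {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop trailing comment
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if not port.isdigit():
            continue
        for name in [fields[0]] + fields[2:]:       # canonical name plus aliases
            by_name.setdefault((name, proto), int(port))
        by_port.setdefault((int(port), proto), []).append(fields[0])
    return by_name, by_port

def audit(plist_bytes, services_text):
    """Return (resolved_port_or_None, findings) for a launchd sshd job."""
    job = plistlib.loads(plist_bytes)
    listener = job.get("Sockets", {}).get("Listeners", {})
    findings = []
    if "Bonjour" in listener:
        findings.append("Listeners has a Bonjour key: the service may be announced")
    name = listener.get("SockServiceName")
    by_name, by_port = parse_services(services_text)
    port = by_name.get((name, "tcp"))
    if port is None:
        findings.append(f"{name!r} has no tcp entry in services: port cannot be resolved")
        return None, findings
    if port in OBVIOUS_PORTS:
        findings.append(f"port {port} is one of the ports scanners try first")
    others = [n for n in by_port[(port, "tcp")] if n != name]
    if others:
        findings.append(f"port {port}/tcp is already assigned to {', '.join(others)}")
    return port, findings

if __name__ == "__main__":
    print(audit(SAMPLE_PLIST, SAMPLE_SERVICES))
```

On a real machine, pass the bytes of /Library/LaunchDaemons/ssh-alt.plist and the text of /etc/services instead of the samples.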