Forked from MacLemon/How to run a seconds SSHd on Mac OS X.txt
Created July 20, 2012 09:22
Instructions for an alternative port SSH server on Mac OS X (without Bonjour announcements).
Alternative/Secondary/Backup SSH Service:

Add this line to /etc/services

    ssh-alt 10022/tcp # ssh-alternative

You may change the port to any unused port you like, but maybe try to avoid 2222 and 22222 as they are a little too obvious. This line actually specifies which port your alternative sshd will be listening on.

Save the following launchd item as /Library/LaunchDaemons/ssh-alt.plist

Load with

    sudo launchctl load -w /Library/LaunchDaemons/ssh-alt.plist

Unload with

    sudo launchctl unload -w /Library/LaunchDaemons/ssh-alt.plist

if you decide to not use it anymore.

Uses the same config as standard sshd in /etc/sshd_config except for the port. (The port setting in sshd_config is ignored.)
This one does NOT announce itself as ssh and sftp service via Bonjour.
It is by no means safer than any other ssh installation. It's just not affected by the usual bots that only scan port 22 for victims.

Works from 10.4 up until 10.6.6 and server as well, haven't checked with 10.7 yet.

Connect as usual but don't forget about the custom port.

    ssh -p 10022 user@hostname.example.com

Or just add a

    Port 10022

to any Host in your ~/.ssh/config
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.openssh.sshd-alt</string>
    <key>Program</key>
    <string>/usr/libexec/sshd-keygen-wrapper</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/sshd</string>
        <string>-i</string>
    </array>
    <key>SHAuthorizationRight</key>
    <string>system.preferences</string>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <!-- Resolved through /etc/services, i.e. the ssh-alt line added there. -->
            <!-- No Bonjour entry here, so this instance is not announced as ssh/sftp. -->
            <key>SockServiceName</key>
            <string>ssh-alt</string>
        </dict>
    </dict>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <!-- launchd accepts each connection and starts one sshd in inetd mode (-i) for it. -->
    <key>inetdCompatibility</key>
    <dict>
        <key>Wait</key>
        <false/>
    </dict>
</dict>
</plist>
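The /etc/services step from the instructions above, as an added example that is not part of the original gist: a POSIX shell function that appends the ssh-alt line only if that port is not already assigned to another TCP service and the name is not already defined on a different port. The function name add_ssh_alt, its variable names and its return codes are assumptions of this example; on a real system it would be pointed at /etc/services and run as root.

```shell
#!/bin/sh
# Added example: register "ssh-alt" in a services(5)-format file, idempotently.
# Usage: add_ssh_alt <services-file> <port>   (needs write access to the file)
# Returns: 0 entry present or added, 1 bad port or unreadable file,
#          2 port already used by another tcp service,
#          3 ssh-alt already defined on a different tcp port.
add_ssh_alt() {
    svc_file=$1
    svc_port=$2
    # Accept only a plain decimal port in 1..65535 (no sign, no leading zero).
    case $svc_port in
        ''|*[!0-9]*|0*|??????*) return 1 ;;
    esac
    [ "$svc_port" -le 65535 ] || return 1

    # Strip comments, then compare name (field 1) and port/proto (field 2).
    svc_state=$(awk -v want="$svc_port/tcp" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        $1 == "ssh-alt" && $2 == want    { r = "present"; exit }
        $1 == "ssh-alt" && $2 ~ /\/tcp$/ { r = "name-taken"; exit }
        $2 == want                       { r = "port-taken"; exit }
        END { print (r ? r : "free") }
    ' "$svc_file") || return 1

    case $svc_state in
        present)    return 0 ;;
        port-taken) return 2 ;;
        name-taken) return 3 ;;
    esac
    # Same content as the line given in the instructions.
    printf 'ssh-alt\t%s/tcp\t# ssh-alternative\n' "$svc_port" >> "$svc_file"
}

# Demo on a constructed two-line sample, not the live /etc/services.
demo_file=$(mktemp)
printf 'ssh\t22/tcp\t# constructed sample\nhttp-alt\t8080/tcp\n' > "$demo_file"
add_ssh_alt "$demo_file" 10022 && grep '^ssh-alt' "$demo_file"
rm -f "$demo_file"
```
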
For the purpose of changing the port that sshd listens on (rather than running an additional sshd on another port), I found that editing /etc/services to replace 22 with my alternate port worked. Then you don't need to use a custom launchctl (just enable the standard "Sharing -> Remote Login" preference), but you should also edit /etc/ssh/ssh_config to add " Port 22" so that outbound ssh still tries port 22.
Unfortunately for me this isn’t a solution - I need to continue running a second SSH service, not simply change the port of the first.
Program args have changed. Use:
    <key>ProgramArguments</key>
    <array>
        <string>sshd-keygen-wrapper</string>
    </array>
Thanks to @n8henrie https://n8henrie.com/2021/10/fixing-ssh-access-on-macos-monterey-120/
This has been working for me for years but just broke with Monterey. Any ideas?