Alternate SSH port on Mac OS 10.6 Snow Leopard

1/8/2010

I previously wrote SSH-Use. Now I want to switch to an alternate SSH server port on OS 10.6.

References:
tektastic.com - maybe for prior OS, more beginner level.
macosxhints.com - explains why ssh.plist is required, and setting up sshd to listen on two ports.

Big picture:
  1. Edit services to designate a new service name to listen on the new port. Be sure to specify not just the port number but also the /tcp and /udp protocols as part of the port designation. I forgot this, and it took me hours to figure out what was wrong!
  2. Edit ssh.plist to connect up the sshd service with the newly designated service name.
  3. Edit sshd_config to specify the non-default port you're using.
  4. The new OSX firewall GUI doesn't allow specific port opening, so I don't know how it works. I made no changes, and the new port works. Hmm...

Apparently the tektastic.com reference is for an older Mac OS. Some bad interactions happened with the Snow Leopard 10.6 OS firewall. Specifically, I had tightened up my firewall settings. Both SSH and SMB were specified in the top half of the app panel (the part you change by going to the sharing screen and click-checking services there). I blocked the SMB and ssh-related things on the lower panel, and SSH and SMB kept working.

Then I did the port change, and everything locked up. SSH service now would not reply to anything. Put all the port changes back, and SSH was still non-responsive. Opened firewall and it worked. Unclicked everything. Reclicked everything. Still nothing worked. Turned SSH and SMB off, two config files back to port 22, powered off the computer, reboot. Okay, now it's working.

And again, selecting SSH puts sshd-keygen-wrapper in the lower half of the firewall control screen, but everything keeps working when I go back and manually turn it off. I think somehow to do the port change, the entry in the lower panel of the firewall GUI needs to be left to allow incoming connections.

Here are some summaries from the tektastic.com site:

Create a new custom service by editing /etc/services (as root) and add "secret-ssh xxxx/tcp # secret SSH port".

Cause SSH to use the new service by launching it instead of the default system service. Do this by editing /System/Library/LaunchDaemons/ssh.plist

Make a backup copy of your file!

Replace the code:
<key>SockServiceName</key>
<string>ssh</string>

with
<key>SockServiceName</key>
<string>secret-ssh</string>

Change your port forwarding configuration on your firewall to route the new port.

Open the "Sharing" control panel and ensure that "Remote Login" is unchecked (if it is checked, uncheck it). Then check it again to start with the new configuration.

Now you should be able to run SSH command to your new IP port as follows:
ssh -p xxxxx ip_address_of_your_server -l username
ssh -p xxxxx brian@ip_address_of_your_server
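Before restarting Remote Login, it helps to confirm that the three edited files agree with each other. The following is an added example, not part of the original notes or the referenced sites: it checks that the SockServiceName in ssh.plist has a port/tcp entry in services (a bare port number with no protocol fails) and that sshd_config names the same port. The function names, the sample file contents and port 2222 are constructed for illustration.

```python
import plistlib
import re

def service_ports(services_text, name):
    """Map protocol -> port for `name` in /etc/services-style text."""
    found = {}
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or name not in [fields[0]] + fields[2:]:
            continue
        m = re.fullmatch(r"(\d+)/(tcp|udp)", fields[1])
        if m:  # a bare port number with no /protocol is not a usable entry
            found[m.group(2)] = int(m.group(1))
    return found

def sshd_ports(config_text):
    """Ports named by Port lines in sshd_config; sshd uses 22 when none is set."""
    ports = [int(p) for p in re.findall(r"(?im)^[ \t]*Port[ \t]+(\d+)", config_text)]
    return ports or [22]

def check(services_text, plist_bytes, config_text):
    """Return a list of mismatches between the three files (empty = consistent)."""
    problems = []
    sockets = plistlib.loads(plist_bytes).get("Sockets", {})
    names = [s["SockServiceName"] for s in sockets.values()
             if isinstance(s, dict) and "SockServiceName" in s]
    if not names:
        problems.append("ssh.plist: no SockServiceName found")
    for name in names:
        # sshd listens on TCP, so the tcp entry is the one compared here.
        port = service_ports(services_text, name).get("tcp")
        if port is None:
            problems.append(f"services: no '{name} <port>/tcp' entry")
        elif port not in sshd_ports(config_text):
            problems.append(f"sshd_config: Port does not include {port} ({name})")
    return problems

# Constructed sample input (port 2222 is a made-up value, not from the page).
SERVICES = "ssh 22/tcp\nssh 22/udp\nsecret-ssh 2222/tcp # secret SSH port\nsecret-ssh 2222/udp\n"
PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Sockets</key><dict><key>Listeners</key><dict>
<key>SockServiceName</key><string>secret-ssh</string>
</dict></dict></dict></plist>"""
SSHD_CONFIG = "#Port 22\nPort 2222\nProtocol 2\n"

if __name__ == "__main__":
    for p in check(SERVICES, PLIST, SSHD_CONFIG) or ["consistent"]:
        print(p)
```

To run it against a real system, read the three files into the same arguments, opening ssh.plist in binary mode.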

January 2010 progress check - this doesn't work. You have to open an alternate port on the Mac Leopard OSX 10.6, but the new firewall user control panel does not allow specific ports; you have to designate a program. Somehow the firewall is tripping up when ssh comes up on a different port. Not sure why yet.

To copy files from remote hosts to your Mac desktop, run the following command:

scp -P 43539 local_file.txt username@ip_address_of_your_server:~/Desktop
Note that "scp" command requires an upper case "P", while regular "ssh" wants a lower case "p" to declare remote server's port. That's it, hope it helps! :)


Created by brian. Last Modification: Friday 12 of February, 2010 09:59:23 CST by brian.