SSH - port question

brad--

Your post doesn't say what OS you're using. But I'm using Panther and I changed mine in "/etc/services". There's a hint about this at Mac OS X Hints, and there's some controversy about whether to do it there or in "/etc/xinetd.d/ssh". I don't remember why I decided on "/etc/services", but I did and it's been working fine for me.

I think with Tiger, it's handled by launchd, which I haven't fooled around with yet. Mac OS X Hints has this hint, though.

charlie

Hi Brad,
On Panther, the changes to the /etc/services file have the effect of telling xinetd the port on which to listen for the services configured in /etc/xinetd.d. That change will take effect after the next boot but in order to have it take effect before then you have to tell xinetd to reread it's configuration. You can do that with the command:

sudo killall -HUP xinetd

--
Gary
~~~~
Never go to a doctor whose office plants have died.
-- Erma Bombeck

Be aware also that Apple have a tendency to overwrite /etc/services with system updates.

If you customize this file and rely on those changes, make sure you recheck it after any system updates.

Hi Brad,

A very stupid question:
Have you told the client (the computer initiating the ssh connection) to use port 2222 either by the -p option or by changing the /etc/ssh_config file?

ex: ssh -p 2222 user@myfriend.host

Antonello

Hi Antonello,
That's far from a stupid question, if for no other reason because it brings up an important point that hasn't been mentioned. It's almost certainly not enough to get xinetd, or launchd for that matter, to listen on an alternative port. When sshd is invoked, it will probably listen on the port specified in the /etc/sshd_config file, no matter on what port xinetd answered. Thus, the line:

Port 2222

should probable go in the /etc/sshd_config file before this will work.
--
Gary
~~~~
Miss Wormwood: What state do you live in?
Calvin: Denial.
Miss Wormwood: I don't suppose I can argue with that...

Gary--

It's almost certainly not enough to get xinetd, or launchd for that matter, to listen on an alternative port.

Actually, I have the "Port" commented out in both /etc/sshd_config file and /etc/ssh_config file. The only change I made on my Panther installs was to the /etc/services file. I remember trying to make the change in the sshd_config file, but for whatever reason couldn't get it to work that way.

charlie

Out of curiosity, I tried changing the port in /etc/sshd_config and the setting was ignored. But then there doesn't even seem to be a ssh deamon running in 10.3. I guess xinetd replaces it.

So all sshd_config settings go in /etc/xinetd.d/ssh for 10.3?

This is all great info for me as I happen to be close to setting up an ssh gateway where I work. Thanks everyone!

--
Cole

Hi Cole,
I don't think the settings are ignored, although I don't know why sshd answered on port 22 if you specified a different port in your /etc/sshd_config file. Maybe it was invoked to listen on the standard port by xinetd but then changing the settings in /etc/services file should work and it doesn't. I personally think that both changes have to be made but I would expect connections to fail if only one change is made. However, Noah also found that the traditional port continued to work and I simply don't understand that.

I recently changed the port on Tiger as an experiment to help out Noah and I described the procedure in the thread, change/add sshd port. You'll notice there that I made both changes. Although I can't test it, let me describe what I believe is the corresponding technique in Panther.

First, as I said, I believe that it's necessary to change the port specification in the /etc/sshd_config file to something like:

Port 2222

That fixes sshd. Then add:

ssh2 2222/tcp #My personal sshd port

to the /etc/services file. Finally, move the /etc/xinetd.d/ssh file to ssh2 with:

mv /private/etc/xinetd.d/ssh /private/etc/xinetd.d/ssh2

Then reboot xinetd with:

sudo killall -HUP xinetd

Of course the change in port changes the server's RSA key. Thus you must delete the server's entry in the client's ~/.ssh/known_hosts file and accept the new one the first connection to the new port. That should do it.

Granted, it's probably not necessary to change ssh to ssh2; that just fit Noah's needs. However, it seems a little more "proper" so I left it that way. I also did that because I think that is the closest Panther equivalent to what I know works on Tiger. If someone does all of that and finds that it fails, I'll confess to being stumped. However, so far the posts don't seem to indicate that both xinetd and sshd were changed.
--
Gary
~~~~
Economists state their GNP growth projections to the
nearest tenth of a percentage point to prove they have a
sense of humor.
-- Edgar R. Fiedler