How to change sshd port on snow leopard?

I just updated to 10.6. And my ssh on port 443 was disabled.

What is the good way to tell the ssh server to listen to port 22 and 443?

iMac 24'', Mac OS X (10.6)

Posted on Sep 4, 2009 6:01 AM


Sep 4, 2009 8:51 PM in response to Q Lazarus

Actually, I don't think that'll work.

On Mac OS X, sshd is managed via launchd, and it's launchd that listens for an incoming connection and fires off the daemon as needed. Telling sshd_config to listen on 443 won't help unless sshd is running as a background daemon.

Instead you need to configure launchd to listen on port 443 and fire off sshd as needed. It's a little more complex and off-hand I couldn't get /System/Library/LaunchDaemons/ssh.plist to support multiple ports. Even if you could, that wouldn't be the right approach since it changes Apple's configuration and may well get overwritten on a software update.

Therefore I think the best approach is to copy /System/Library/LaunchDaemons/ssh.plist to /Library/LaunchDaemons/ssh-443.plist and change the Label and Sockets section as needed, e.g.:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>local.sshd</string>
<key>Program</key>
<string>/usr/libexec/sshd-keygen-wrapper</string>
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/sshd</string>
<string>-i</string>
</array>
<key>SHAuthorizationRight</key>
<string>system.preferences</string>
<key>SessionCreate</key>
<true/>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>SockServiceName</key>
<string>https</string>
</dict>
</dict>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>inetdCompatibility</key>
<dict>
<key>Wait</key>
<false/>
</dict>
</dict>
</plist>


This will essentially create a custom ssh configuration running on the https port.

Note that this all ignores the reason why you want to run sshd on the https port in the first place.

Sep 4, 2009 9:08 PM in response to Camelot

What I do on Leopard is to edit /etc/services. Instead of "22" in these lines, I put in my new port number:

ssh 22/udp # SSH Remote Login Protocol
ssh 22/tcp # SSH Remote Login Protocol


I seem to remember that I have some difficulty getting the change to stick unless I reboot the machine, though. I'm sure there's a way to get launchd to reload it, but my notes say I never figure it out and just take the easy way and reboot.

So, if /etc/services exists in Snow Leopard, try editing that.

charlie

Sep 4, 2009 11:45 PM in response to Charles Minow

What I do on Leopard is to edit /etc/services. Instead of "22" in these lines, I put in my new port number:


Changing /etc/services will a) allow you to move ssh to a different port that isn't already used and b) get overwritten at the next system update where Apple push out a new /etc/services file.

However, what the OP wants is to run ssh on both 22 and 443 simultaneously.

Ours is not to reason why... 🙂

Sep 5, 2009 7:44 AM in response to Camelot

Camelot wrote:
Changing /etc/services will ... get overwritten at the next system update where Apple push out a new /etc/services file.


Which is why I always save a copy of my edits to that file under a different name, in case they do that. But I have to say that in the years since I've been changing my sshd port that way, they've never once overwritten that file.

However, what the OP wants is to run ssh on both 22 and 443 simultaneously.


Yeah, I kind of missed that. You're right: you'd want to make a new plist file and do it that way to get the second instance of sshd.

charlie

Sep 5, 2009 2:33 PM in response to LittleSaint

Are you talking about firewall software on the Mac itself, or some corporate firewall?

The "Q Lazarus" suggestion was a way to let hardware present port 443 to the next layer (in many cases the Internet as offered to you by your ISP at home; but it could be a corporate environment). Everyone else sees port 443, but the Mac listens on port 22.

Now if it is firewall software on the Mac itself, then it would seem to me that this is a matter of configuration, unless there is some corporate security admin controlling that Mac software firewall.

Although a note of caution in putting a personal router inside a corporate environment. They can cause all kinds of problems if they are carefully configured, and may even violate corporate policies if they also happen to be a WiFi router and are broadcasting.

In a corporate environment, where there is a corporate firewall needing proxies to get to the internet, you can use corkscrew to make a proxy connection to any outside system via ssh. It is a bit twisted the way it is done, but it does work. This does NOT allow anyone to connect to you.

Sep 6, 2009 8:10 AM in response to LittleSaint

First, thank you all for your answers.

The main reason I want to do that is, well... to bypass the "evil" corporate firewall, which allows me to connect only to some websites on port 80 and to any website on port 443.

I use the elegant 'ssh -D toMyHost' to create a local SOCKS proxy and then be able to surf the whole web as if I were on my personal computer. This is also a really good solution for surfing the web safely on untrusted wifi networks.

Now, for the results, I tried to use the

$ launchctl unload /System/Library/LaunchDaemon/ssh-443.plist
$ launchctl load /System/Library/LaunchDaemon/ssh-443.plist

But the result is simply:
nothing found to load

and of course if I replace 'local.sshd' with 'com.openssh.sshd' I get:
com.openssh.sshd already loaded

I also tried to reboot, but with no more success:
$ ssh -p 443 localhost
ssh: connect to host localhost port 443: Connection refused

I remember having a bad time doing that on Leopard, and I ended up just listening on port 80, not on port 80 and 443. But I don't remember how. I just followed some forum posts.

Why on Earth is it so cryptic to simply add a listen port for ssh? I hadn't heard of launchd before needing to do this. I'll continue to search.

I didn't find any 'com.openssh.sshd' file in /System or /Library.
I'm sure the solution resides in adding a new plist for ssh. I just don't want to simply change the port from '22' to '443'; I prefer to listen on both ports.

Thank you all again for your help.

Sep 6, 2009 12:05 PM in response to yogsototh

$ launchctl unload /System/Library/LaunchDaemon/ssh-443.plist
$ launchctl load /System/Library/LaunchDaemon/ssh-443.plist


But the result is simply:
nothing found to load


The System daemons directory is /System/Library/LaunchDaemons
Your example omitted the trailing 's'. I don't know if that was a typo or not.

Secondly, I suggested putting this in /Library/LaunchDaemons, not /System/Library/LaunchDaemons.
It's a small point, but /System/Library/LaunchDaemons should be reserved for Apple-provided (and maintained) LaunchDaemons. Your own daemons should be in /Library/LaunchDaemons, partly to differentiate them from Apple's daemons.

I don't know if you put your .plist in /Library/LaunchDaemons and just typoed your post, but it's worth checking.

Sep 6, 2009 12:23 PM in response to Camelot

Yes that was only a typo, sorry.

I moved ssh-443.plist from /System/Library/LaunchDaemons to /Library/LaunchDaemons with no more success.

I made a copy of /System/Library/LaunchDaemons/ssh.plist and modified only the Label and the SockServiceName. But the result was different from the version you had given in this post. In fact the first entry was

<key>Disabled</key>
<true/>

Ooops. I switched it to false and now all seems fine.

Thank you very much.

ps:

To summarize for others having the same issue, just create the file:
/Library/LaunchDaemons/ssh-443.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<false/>
<key>Label</key>
<string>local.sshd</string>
<key>Program</key>
<string>/usr/libexec/sshd-keygen-wrapper</string>
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/sshd</string>
<string>-i</string>
</array>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>SockServiceName</key>
<string>https</string>
</dict>
</dict>
<key>inetdCompatibility</key>
<dict>
<key>Wait</key>
<false/>
</dict>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>SHAuthorizationRight</key>
<string>system.preferences</string>
</dict>
</plist>
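
The launchd approach from Camelot's reply and the working ssh-443.plist in the summary above, as an added Python example that is not code from this thread or from Apple: it generates the same job definition with the standard-library plistlib module and checks the result for the three mistakes the thread ran into before the job loaded (the Disabled key inherited from a copy of Apple's ssh.plist, a Label colliding with com.openssh.sshd, and the file sitting under /System/Library/LaunchDaemons). The function and constant names are my own; the keys and values are the ones in the posted plist.

```python
"""Generate and sanity-check a launchd job that starts a second sshd listener.

Added example (not from the thread or from Apple). The job dictionary mirrors
the ssh-443.plist posted in the thread; check_sshd_plist flags the pitfalls
the thread hit before the plist finally loaded.
"""
import plistlib
import socket

APPLE_SSHD_LABEL = "com.openssh.sshd"                # Label of Apple's own ssh.plist
USER_DAEMON_DIR = "/Library/LaunchDaemons"            # where third-party jobs belong
SYSTEM_DAEMON_DIR = "/System/Library/LaunchDaemons"   # Apple-maintained, replaced on updates


def build_sshd_plist(label="local.sshd", service="https", disabled=False):
    """Return XML plist bytes for an on-demand (inetd-style) sshd on `service`.

    disabled=True reproduces what a plain copy of Apple's ssh.plist carries,
    which is exactly the state that made launchctl silently ignore the job.
    """
    job = {
        "Disabled": disabled,
        "Label": label,
        "Program": "/usr/libexec/sshd-keygen-wrapper",
        # -i puts sshd in inetd mode: it serves the connection on the socket launchd hands it
        "ProgramArguments": ["/usr/sbin/sshd", "-i"],
        # launchd owns the listening socket; the service name is resolved via /etc/services
        "Sockets": {"Listeners": {"SockServiceName": service}},
        # Wait=false ("nowait"): launchd spawns one sshd per accepted connection
        "inetdCompatibility": {"Wait": False},
        "StandardErrorPath": "/dev/null",
        "SHAuthorizationRight": "system.preferences",
    }
    return plistlib.dumps(job, fmt=plistlib.FMT_XML)


def service_port(name):
    """Resolve a SockServiceName through the local services database; None if unknown."""
    try:
        return socket.getservbyname(name, "tcp")
    except OSError:
        return None


def check_sshd_plist(xml_bytes, install_path):
    """Return a list of problems; an empty list means the job should load."""
    job = plistlib.loads(xml_bytes)
    problems = []
    if job.get("Disabled", False):
        problems.append("Disabled is true: launchctl load ignores the job")
    label = job.get("Label")
    if not label:
        problems.append("Label missing")
    elif label == APPLE_SSHD_LABEL:
        problems.append(f"Label {APPLE_SSHD_LABEL} collides with Apple's ssh.plist ('already loaded')")
    if not job.get("Sockets", {}).get("Listeners", {}).get("SockServiceName"):
        problems.append("Sockets.Listeners.SockServiceName missing: nothing for launchd to listen on")
    if "-i" not in job.get("ProgramArguments", []):
        problems.append("sshd lacks -i: it would bind its own port instead of using launchd's socket")
    if not install_path.startswith(USER_DAEMON_DIR + "/"):
        problems.append(f"{install_path}: user-added jobs belong in {USER_DAEMON_DIR}, not {SYSTEM_DAEMON_DIR}")
    return problems


if __name__ == "__main__":
    good = build_sshd_plist()
    print(good.decode())
    print("good:", check_sshd_plist(good, f"{USER_DAEMON_DIR}/ssh-443.plist") or "no problems")
    # A copy of Apple's ssh.plist with only the service name changed, saved in the wrong place
    bad = build_sshd_plist(label=APPLE_SSHD_LABEL, disabled=True)
    for problem in check_sshd_plist(bad, f"{SYSTEM_DAEMON_DIR}/ssh-443.plist"):
        print("bad:", problem)
```

On the Mac itself the generated bytes would be written as root to /Library/LaunchDaemons/ssh-443.plist, checked with `plutil -lint` on that file, and activated with `sudo launchctl load /Library/LaunchDaemons/ssh-443.plist`; the script only produces and inspects the file, so it runs anywhere plistlib exists.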

Sep 19, 2009 2:28 PM in response to yogsototh

You should avoid changing the port of sshd, as it may cause you unexpected issues. The better thing would be a solution to add an extra access method to access sshd. One solution could be in the form of Mina: http://mina.apache.org/

Another solution is documented here: http://www.terminally-incoherent.com/blog/2009/09/03/ssh-from-behind-a-firewall-via-http-proxy/ in the user comments. Specifically:

If you have control over the ssh server config on the remote side, there’s an even easier way – just make sshd listen on port 443 as well as 22. You can do this by editing sshd_config (usually located in /etc/ssh/) and below this line:

Port 22

add a line like

Port 443

save, restart sshd, and you can then connect directly over port 443 using

ssh -p 443 user@host

Dec 3, 2009 12:23 PM in response to Andre John Mas

I have used ssh via alternate ports for years now without issues (other than my own fat-fingering the port number when initiating a session). Whether using winsshd, opensshd, or the mutant stepchild that Apple uses, and connecting from openssh client, BitVise's Tunnelier, almost any SFTP client, etc., I haven't had issues.

While I don't buy into much "security through obscurity" stuff, since a simple port scan and fingering will turn up its true identity, it saves you from zombie/bot attacks that just randomly hammer port 22 on any given machine that responds.
