
How to config ssh ?

Hello, I am not really Terminal savvy, but I currently want to use ssh to remotely log in so I can access my files from anywhere using FileZilla, while still having the most secure connection that I can possibly have.


I currently did set up ssh and it is working; I am using FileZilla so I can remotely access my files. But my worry is using my Mac account name and password. I would like to know how to lock down my server as much as possible to avoid hackers.


1. I'm not Terminal Savvy

2. I would like to know how to disable protocol 1 (Heard it was less secure)

3. I would like to know how to disable root login.

4. I use Filezilla for (SFTP) secure ftp and still want to be able to use this with the above security measures in effect if possible.




Just wondering how, or if, this is possible. Your help would be greatly appreciated.

Mac Pro, Mac OS X (10.6.8)

Posted on Dec 30, 2012 8:10 PM


Dec 31, 2012 1:55 AM in response to liv04soccer

You need to modify


/etc/sshd_config


Anyway, SSH1 is disabled by default. If you never enabled root user there is no need to worry about that.

If you did, the easy way is to disable root, and it is highly recommended.

If you open SSH to the world it is better to also disable password authentication. Uncomment (delete the # symbol) the line


#PasswordAuthentication no


Watch out. You must have ~/.ssh/authorized_keys in place and working before disabling password authentication, otherwise you won't be able to ssh from any local or remote computer.


Authentication by key pair is already enabled.

Dec 31, 2012 3:55 AM in response to Alberto Ravasio

For ~/.ssh/authorized_keys, are you talking about DSA keys? And also, I'm not Terminal savvy; I don't know how to modify /etc/sshd_config. A step-by-step guide would be nice, or the terminal command. The extent of my Terminal knowledge is typing say and then making the computer say it. By using the DSA keys instead of my login, will I still be able to use FileZilla? FileZilla is an FTP client, because I don't know how to use the Terminal commands to transfer files.

Dec 31, 2012 4:13 AM in response to japamac

GNU nano 2.0.6 File: /etc/sshd_config

# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024



OK, this is what I have in my config file. Can you tell me what I should edit, and how to edit it? I don't want to screw anything up.

Dec 31, 2012 6:03 AM in response to liv04soccer

liv04soccer wrote:


By using the DSA keys instead of my login will I still be able to use Filezilla ? Filezilla is a FTP client because I don't know how to use the Terminal commands to transfer files.


Yes, you can still use FileZilla. You must copy your DSA private key inside a visible folder, let's say Documents or whatever folder you like.

In FileZilla, Preferences, SFTP, add your key. The program will ask you to convert the format. Accept that. Create a new site with the appropriate settings. Choose Interactive as Access type.

Dec 31, 2012 6:53 AM in response to liv04soccer

This is the original /etc/sshd_config file from 10.6.8


# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $



# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.


# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin


# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.


#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::


# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2


# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key


# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024


# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTHPRIV
#LogLevel INFO


# Authentication:


#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10


#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys



# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes


# To disable tunneled clear text passwords, change to no here! Also,
# remember to set the UsePAM setting to 'no'.
#PasswordAuthentication no
#PermitEmptyPasswords no


# SACL options
# The default for the SACLSupport option is now "no", as this option has been
# depreciated in favor of SACL enforcement in the PAM configuration (/etc/pam.d/sshd).
#SACLSupport no


# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes


# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes


# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no


# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# Also, PAM will deny null passwords by default.  If you need to allow
# null passwords, add the "nullok" option to the end of the
# securityserver.so line in /etc/pam.d/sshd.
#UsePAM yes


#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none


# no default banner path
#Banner none


# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server



# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server



The following is the modified version.

I enclosed the changed lines between


# changed December 31, 2012

##


# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $



# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.


# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin


# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.


#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::


# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2


# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key


# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024


# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTHPRIV
#LogLevel INFO


# Authentication:


#LoginGraceTime 2m


# changed December 31, 2012
PermitRootLogin no
##


#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10


#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys



# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes


# To disable tunneled clear text passwords, change to no here! Also,
# remember to set the UsePAM setting to 'no'.


# changed December 31, 2012
PasswordAuthentication no
##


#PermitEmptyPasswords no


# SACL options
# The default for the SACLSupport option is now "no", as this option has been
# depreciated in favor of SACL enforcement in the PAM configuration (/etc/pam.d/sshd).
#SACLSupport no


# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes


# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes


# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no


# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# Also, PAM will deny null passwords by default.  If you need to allow
# null passwords, add the "nullok" option to the end of the
# securityserver.so line in /etc/pam.d/sshd.
#UsePAM yes


#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none


# no default banner path
#Banner none


# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server



# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server


Please test it before going online
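The two edits Alberto made above (PermitRootLogin no, PasswordAuthentication no), as an added shell example that is not from this thread or from Apple: it edits a copy of sshd_config that you pass in, keeps a backup beside it, and refuses to turn off password login until the authorized_keys file you name is non-empty, which is the lock-out warning earlier in the thread. Directive names are the ones in the posted 10.6.8 file; the paths, the demo config and the key line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: apply PermitRootLogin no and
# PasswordAuthentication no to a COPY of sshd_config, keep a backup, and
# refuse to disable passwords until authorized_keys exists and is non-empty.
# Paths are arguments you supply; nothing here touches /etc directly.

# set_directive FILE NAME VALUE
# Turn "#NAME x" or "NAME x" into "NAME VALUE"; append if the file lacks it.
# Matching only a leading "#" (not "# ") avoids rewriting prose comments.
set_directive() {
    file=$1; name=$2; value=$3
    if grep -q "^#\{0,1\}$name[[:space:]]" "$file"; then
        sed -i.tmp "s|^#\{0,1\}$name[[:space:]].*|$name $value|" "$file"
        rm -f "$file.tmp"
    else
        printf '%s %s\n' "$name" "$value" >> "$file"
    fi
}

# effective FILE NAME: the value sshd would use (first active match wins,
# which is how sshd_config(5) resolves duplicates); empty if only the default.
effective() {
    awk -v n="$2" '$1 == n { print $2; exit }' "$1"
}

# harden_sshd CONF KEYS: CONF is the config to edit, KEYS the user's
# ~/.ssh/authorized_keys. Returns 1 (passwords left on) if KEYS is empty.
harden_sshd() {
    conf=$1; keys=$2
    cp "$conf" "$conf.orig"                    # backup before any change
    set_directive "$conf" Protocol 2           # already the 10.6.8 default
    set_directive "$conf" PermitRootLogin no
    if [ ! -s "$keys" ]; then
        echo "no keys in $keys; keeping password login so you are not locked out" >&2
        return 1
    fi
    set_directive "$conf" PasswordAuthentication no
    # Per the file's own comment, PAM can still prompt for a password via
    # challenge-response, so turn that off too.
    set_directive "$conf" ChallengeResponseAuthentication no
}

# Demo on a constructed two-line config in a temp dir (not the real file).
demo_dir=$(mktemp -d)
printf '#PermitRootLogin yes\n#PasswordAuthentication no\n' > "$demo_dir/sshd_config"
echo 'ssh-dss AAAA...constructed-key-placeholder' > "$demo_dir/authorized_keys"
harden_sshd "$demo_dir/sshd_config" "$demo_dir/authorized_keys" && cat "$demo_dir/sshd_config"
```

After copying the result over the real file, `sudo sshd -t` checks the syntax before you restart Remote Login, and a second ssh session kept open while you test the first is the cheapest insurance against locking yourself out.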

Dec 31, 2012 1:14 PM in response to liv04soccer

Edit: OK, I generated the DSA keys. Now, do I have to move them somewhere before I edit the config file, or can I edit the config file right now?


OK, somehow my config file is completely blank. I was using japamac's website, which says I can use

At your terminal, 'su -' to your root account

- 'pico -w /etc/sshd_config'

to edit my config file, but when I closed out and then reopened it, nothing was in the config file. What am I supposed to do?

Dec 31, 2012 1:42 PM in response to liv04soccer

So I figured out how to view the config file, thanks to japamac, with the pico command. But I still don't know how to edit, back up or save the config file.


So far I generated the DSA keys, but don't know what to do with them.


Thank you both for all your help; sorry again for being such a pain, I'm just not familiar with Terminal.


Thanks Alberto for showing me how to generate DSA keys.
