7 Replies Latest reply: Jun 3, 2014 8:36 AM by torus0519
J Soren Level 1 (120 points)

After spending hours tracking down this solution as a result of losing my ssh settings after the upgrade to Mountain Lion, I thought it might be useful to post the steps taken to restore the configuration I used with Snow Leopard.

Changing the sshd default listening port

Disclaimer: This tutorial is specific to Mountain Lion (OS X 10.8). I was able to accomplish this using Snow Leopard (OS X 10.6) in fewer steps, but upgrading required this more involved solution.

Steps:

 

1.) You must first enable the root user account in order to change the relevant files. This can be done from the terminal, or by going to System Preferences --> Users & Groups. Once there, click on 'Login Options' at the bottom of the Current User list, and 'Join' where it says 'Network Account Server'.

This will bring up a smaller window. Click on 'Open Directory Utility' at the bottom. You will be prompted for your admin password. Now go to the 'Edit' tab at the top of the screen and toggle down to 'Enable Root User'. You will be prompted to enter your admin password twice.

2.) Log out of your regular user account. At the login screen you will now see an additional entry for 'other'. Click on that and log in with the username 'root' and your admin password. If you are inexperienced as a root-level user, be careful, as you can cause problems to your system that can be difficult to undo.

Once in your root account, the first step is to create a new 'service definition' in the etc/services file. Open the file with a text editor of your choice and scroll to the current entry for the sshd listening port, which will look like this:

 

ssh    22/udp    # SSH Remote Login Protocol
ssh    22/tcp    # SSH Remote Login Protocol

Overwrite the '22' with the port number you would like sshd to listen on:

ssh    12345/udp   # SSH Remote Login Protocol
ssh    12345/tcp   # SSH Remote Login Protocol

*12345 being our hypothetical, non-standard port.

It is important to note that the new port number will not take by simply adding a new uncommented line to the file (I tried), unless of course you comment out the original ssh entries. The easiest way is just to overwrite what is there already. Save changes.

 

3.) You now need to edit the ssh.plist file, which is located at /System/Library/LaunchDaemons/ssh.plist. A word to those familiar with Linux/BSD environments: changing the default port in the sshd_config file, which exists in OS X, does NOT change the listening port. Simply changing the default port, saving the config file, and restarting the server (the sensible way) won't work. The OS X sshd server (OpenSSH) is configured to get its launch instructions from the ssh.plist file, as opposed to sshd_config. If you are more interested in this aspect of OS X, read up on LaunchDaemons (e.g. launchd).

Before altering the ssh.plist file, you should save a backup copy in case of mistakes, or if you need to revert back to it in the future. Name your backup file something like original.ssh.plist, etc.

In the ssh.plist file, locate the SockServiceName entry and change it from the default:

 

<key>SockServiceName</key>
<string>ssh</string>

To the following:

<key>SockServiceName</key>
<string>$alternate port number</string>

In our example from above this value would be 12345.

 

4.) Save your changes, and exit ssh.plist. You now need to move the backup file you created (original.ssh.plist) out of the System/Library/LaunchDaemons path.

The updated sshd port will not take until you have only one ssh.plist file in the LaunchDaemons directory - this has to do with how launchd is configured to load files, which is outside the scope of the current discussion. (*If you've found a way around this, please share.)

5.) Restart the sshd server. The easiest way to accomplish this is to go to System Preferences --> Sharing and click off 'Remote Login', then click it back on.

6.) Test the configuration by logging into the machine running the sshd server from another host using:

ssh username@ipaddress -p 12345

There are a few good tutorials out there that capture some of these steps, but many are dated and/or incomplete. If you are running a standard setup of OS X 10.8, this should work for you.

Of course, don't be fooled into thinking that changing the default listening port from the ubiquitously-probed 22 equates to actual security. At best, it will cut down on the number of dubious connection attempts and probing.

  • sohyule Level 1 (5 points)

    Spent lots of hours trying to make it work. Nothing helped, until I reached your instruction! Thank you.

  • J Soren Level 1 (120 points)

    Happy it helped!

  • dsesvak Level 1 (0 points)

    Hi --

    I can confirm that the above instructions work under 10.9 client and 10.6 server (surprisingly).

    If you don't have GUI access to the target machine (i.e. you're not sitting in front of it nor remotely accessing it via VNC or ARD), you can reload the plist file via the command line as well, like so (this would replace step #5 above, and assumes you're executing these commands as root, otherwise preface them with sudo):

    launchctl unload /System/Library/LaunchDaemons/ssh.plist
    launchctl load /System/Library/LaunchDaemons/ssh.plist

    Don't forget that Apple will probably overwrite all of this with subsequent updates, so be sure you have alternate access to the machine before updating in the future!

    Thanks for the helpful instructions OP!

  • J Soren Level 1 (120 points)

    Glad to hear that worked on 10.9 client and 10.6 server. I'm a bit surprised as well - most of the time an OS X upgrade requires new steps, as you mentioned.

    Thanks for the addition. Always easier to do things from the terminal! It also provides a solution for when there is no GUI available (remote access).

  • Mordente Level 1 (0 points)

    I used your tutorial and had success changing my SSH port, thanks.

    I am not an expert and don't know how .plist files work.
    However, I noticed that the following:

    <key>SockServiceName</key>
    <string>ssh</string>

    makes a reference to the ssh service in the /etc/services file.

    Therefore, changing only the port in step 2 is enough to make the port change work properly.
    In other words, step 3 is not needed.
    Am I right?

    I followed the other steps exactly the way you described, just skipping the third, and it worked fine.

  • J Soren Level 1 (120 points)

    Are you using Mountain Lion? I do remember this being easier to accomplish with Snow Leopard. If you got it to work w/out step 3 that's great. I initially posted this in hopes that someone out there would have a more efficient method.

    A bit curious that it can be done without step 3 though, since this step makes changes to the .plist file (whereas step 2 makes changes to the configuration file at: etc/services.)

    I'm certainly no expert with .plist files either but it seems like you'd need to make changes in both places (?). Maybe someone with more expertise on the inner workings of OS X can weigh in. Next time I need to change listening ports on sshd, I'll try it without step 3 and see if I can replicate what you did. Cheers.

  • torus0519 Level 1 (0 points)

    Hi all, the above helped me change the sshd port number, thank you very much.

    Just upgraded to OS X 10.9.3 on my MacBook Pro.

    My findings were:

    Step 1 (become a root user or sudo)

    Step 2 (/etc/services)
    This may not be required unless you want ssh to work without the "-p XXXX" option to connect to other ssh hosts. I favor something like "ssh -p 2222 user@hostname" just to be sure I know what I am doing and also to leave the ssh known port at its default "22".

    Step 3 (/System/Library/LaunchDaemons/ssh.plist)
    This is required if you want to change the sshd port number; I changed both "ssh" entries to "2222" in this file.

    Step 4 (launchctl)
    Below is a must, as I understood:

    launchctl unload /System/Library/LaunchDaemons/ssh.plist
    launchctl load /System/Library/LaunchDaemons/ssh.plist

    It should already be working with the new port number.
    You can "ssh -p 2222 user@localhost" in the console terminal and see if it's working.

    Since I am no expert on Mac OS X, and it is a MacBook Pro that I am using, I also rebooted the system and the changes were reflected permanently.

    Thank you guys!
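The step 2 / step 3 question the thread goes back and forth on (a SockServiceName of "ssh" is resolved through /etc/services, so either overwriting that entry or putting the numeric port in the plist moves the listener, while an appended services line is ignored because the first match wins) modelled as an added Python example; this is not code from the thread, and the ssh.plist fragment and services lines are constructed samples, not copies of the real files.

```python
import plistlib

# Constructed fragment of an ssh.plist (sample for this example, not a real file).
SSH_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Sockets</key><dict><key>Listeners</key><dict>
    <key>SockServiceName</key><string>ssh</string>
  </dict></dict>
</dict></plist>"""

# Constructed /etc/services excerpt matching the thread's step 2.
SERVICES = """# Network services, Internet style
ssh    22/udp    # SSH Remote Login Protocol
ssh    22/tcp    # SSH Remote Login Protocol
http   80/tcp    www www-http
"""

def parse_services(text):
    """Map (name, proto) -> port. The first matching line wins, which is
    why appending a second 'ssh' line (instead of overwriting) does nothing."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop trailing comments
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        for name in [fields[0]] + fields[2:]:        # aliases share the port
            table.setdefault((name, proto), int(port))
    return table

def sock_service_name(plist_bytes):
    """SockServiceName launchd will bind for the sshd listener."""
    return plistlib.loads(plist_bytes)["Sockets"]["Listeners"]["SockServiceName"]

def with_service_name(plist_bytes, new_name):
    """Rewrite SockServiceName the way step 3 edits the plist."""
    plist = plistlib.loads(plist_bytes)
    plist["Sockets"]["Listeners"]["SockServiceName"] = new_name
    return plistlib.dumps(plist)

def resolve_listen_port(plist_bytes, services_text, proto="tcp"):
    """Port sshd ends up on: a numeric SockServiceName is used as-is
    (step 3); a service name is looked up in /etc/services (step 2)."""
    name = sock_service_name(plist_bytes)
    return int(name) if name.isdigit() else parse_services(services_text)[(name, proto)]

if __name__ == "__main__":
    print(resolve_listen_port(SSH_PLIST, SERVICES))  # 22 with the stock files
    print(resolve_listen_port(with_service_name(SSH_PLIST, "12345"), SERVICES))  # 12345
```

Running it against copies of the real files shows which of the two edits is actually moving the listener on a given system.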