• Re: changing SSHD port?

    From Barry Margolin@barmar@alum.mit.edu to comp.sys.mac.system on Thursday, April 13, 2006 19:23:39
    From Newsgroup: comp.sys.mac.system

    In article <3MydnTuvaKzHsI3ZRVn-vQ@comcast.com>,
    D P Schreber <schreberdp@rayban.net> wrote:

    > On 2006-03-09, Barry Margolin <barmar@alum.mit.edu> wrote:
    >> will connect to 2022 on the Mac. How do I change the port that Tiger's SSH server listens on? I tried editing the "Port" line in /etc/sshd_config, but it didn't have any effect.
    >
    > Edit /System/Library/LaunchDaemons/ssh.plist. Put 2022 or whatever you prefer as the value of the SockServiceName key.

    I did this. It works when I then enable Remote Login in the Sharing preferences, but when the machine reboots it starts listening on port 22 again. If I go back into the preferences and disable/enable Remote Login, it again starts listening on the alternate port.

    If it makes a difference, I made a copy of ssh.plist named ssh.orig.plist, and then edited ssh.plist.

    > Or change /etc/services so that 'ssh' maps to 2022.

    I haven't tried it, but I suspect that will also affect the default port that gets used with outgoing SSH.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
    --- Synchronet 3.18b-Win32 NewsLink 1.113
  • From D P Schreber@schreberdp@rayban.net to comp.sys.mac.system on Friday, April 14, 2006 06:51:16

    On 2006-04-13, Barry Margolin <barmar@alum.mit.edu> wrote:
    >> Edit /System/Library/LaunchDaemons/ssh.plist. Put 2022 or whatever you prefer as the value of the SockServiceName key.
    >
    > I did this. It works when I then enable Remote Login in the Sharing preferences, but when the machine reboots it starts listening on port 22 again.

    I retracted the recommendation above shortly after I made it, though not for the reason you mention. The reason I retracted it is that I don't trust Apple updates not to clobber files in this directory. In general Apple 'owns' /System, and it's almost never a good idea to make manual modifications to files anywhere in that tree.

    The better solution is to disable this plist item, then make a new one in /Library/LaunchDaemons with the revised port and a new Label. Apple updates should never touch files in this directory. Once you're configured this way, don't use the Sharing GUI anymore to enable or disable ssh; it won't do the right thing. Use launchctl instead.

    > If it makes a difference, I made a copy of ssh.plist named ssh.orig.plist, and then edited ssh.plist.

    As long as the old plist is still there and still enabled, it will be used at boot time. If you don't want a listener on port 22, you need to rm this file, or disable it via launchctl.
  • From Barry Margolin@barmar@alum.mit.edu to comp.sys.mac.system on Friday, April 21, 2006 20:36:06

    In article <_vadnVLzcuJbrY3Z4p2dnA@comcast.com>,
    D P Schreber <schreberdp@rayban.net> wrote:

    > I rescind those recommendations. Either will work, but it's not a good idea to modify these files since you never know when a system update will replace them. Instead, make an entirely new launch daemon and put it in /Library/LaunchDaemons, which Apple updaters will never touch. You can disable the standard ssh daemon if you like, or leave it running for LAN use.

    I've done this, but it's not working. When I try to connect, the connection is immediately closed, and Console shows the following log messages:

    Apr 21 20:24:03 Barry-Margolins-Computer sshd[9319]: error: Could not load host key: /etc/ssh_host_key
    Apr 21 20:24:03 Barry-Margolins-Computer sshd[9319]: error: Could not load host key: /etc/ssh_host_rsa_key
    Apr 21 20:24:03 Barry-Margolins-Computer sshd[9319]: error: Could not load host key: /etc/ssh_host_dsa_key
    Apr 21 20:24:03 Barry-Margolins-Computer sshd[9319]: Initial audit status check failed (Operation not permitted)
    Apr 21 20:24:03 Barry-Margolins-Computer sshd[9319]: Initial audit status check failed (Operation not permitted)
    Apr 21 20:24:03 Barry-Margolins-Computer sshd[9320]: fatal: No supported key exchange algorithms

    The files that it says it can't load are only readable by root. Could daemons launched from /Library/LaunchDaemons instead of /System/Library/LaunchDaemons be running as an ordinary user, rather than root? Does it run them as the user who ran launchctl?

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
  • From D P Schreber@schreberdp@rayban.net to comp.sys.mac.system on Saturday, April 22, 2006 07:34:08

    On 2006-04-22, Barry Margolin <barmar@alum.mit.edu> wrote:
    >> Instead, make an entirely new launch daemon and put it in /Library/LaunchDaemons
    >
    > I've done this, but it's not working. When I try to connect, the connection is immediately closed, and Console shows the following log messages:
    >
    > Apr 21 20:24:03 Barry-Margolins-Computer sshd[9319]: error: Could not load host key: /etc/ssh_host_key
    >
    > [etc]

    Very strange. Just to confirm, your new file should look like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <!-- Any label other than com.openssh.sshd, so this job does not collide with the system one -->
        <key>Label</key>
        <string>my.sshd</string>
        <key>Program</key>
        <string>/usr/libexec/sshd-keygen-wrapper</string>
        <!-- -i: inetd mode; launchd accepts the connection and hands sshd the socket -->
        <key>ProgramArguments</key>
        <array>
            <string>/usr/sbin/sshd</string>
            <string>-i</string>
        </array>
        <key>SessionCreate</key>
        <true/>
        <!-- The port to listen on; a number avoids the /etc/services lookup -->
        <key>Sockets</key>
        <dict>
            <key>Listeners</key>
            <dict>
                <key>SockServiceName</key>
                <string>5432</string>
            </dict>
        </dict>
        <key>StandardErrorPath</key>
        <string>/dev/null</string>
        <key>inetdCompatibility</key>
        <dict>
            <key>Wait</key>
            <false/>
        </dict>
    </dict>
    </plist>


    where the value of SockServiceName is whatever port you want to use, and the value of Label is any random thing other than com.openssh.sshd (which is the Label of the standard ssh plist).

    Also, the file should be owned by root:wheel, and should be 644.

    > The files that it says it can't load are only readable by root. Could daemons launched from /Library/LaunchDaemons instead of /System/Library/LaunchDaemons be running as an ordinary user, rather than root?

    Mine runs as root, but I agree that it sounds as if yours doesn't.

    > Does it run them as the user who ran launchctl?

    It might. I never tried this except via sudo. But root will do the work at boot time, at least it does on my machines. Are you always enabling manually, and always as an ordinary user?
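    The procedure from the two posts above (disable the system job, add a differently labelled job in /Library/LaunchDaemons, manage it with launchctl instead of the Sharing pane) as one script. This is an added example, not code from either poster. It assumes the Tiger paths and keys shown in the plist above (/usr/libexec/sshd-keygen-wrapper, /usr/sbin/sshd -i, the com.openssh.sshd label); the function names validate_label, validate_port, render_sshd_plist and install_sshd_job are chosen here. Rendering and validation run on any Unix; the install step refuses to do anything unless it is on Darwin and running as root.

```shell
#!/bin/sh
# Added example (not from the thread): build and install an alternate-port sshd
# launchd job on Mac OS X 10.4, following the advice in the posts above.
# Assumptions: Tiger paths, the system job label com.openssh.sshd, XML plists.

SYSTEM_LABEL=com.openssh.sshd
SYSTEM_PLIST=/System/Library/LaunchDaemons/ssh.plist
DAEMON_DIR=/Library/LaunchDaemons

# The Label must differ from the system job's, or launchd sees the same job
# defined twice. Also reject empty labels and characters that do not belong
# in a job label or file name.
validate_label() {
    case "$1" in
        "$SYSTEM_LABEL"|""|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# SockServiceName accepts a number or a name from /etc/services. Insist on a
# numeric, unprivileged port so the job never depends on a services lookup
# and can never quietly end up back on 22.
validate_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print a complete plist for the job; mirrors the system ssh.plist except for
# Label and SockServiceName, which is exactly the diff the thread arrives at.
render_sshd_plist() {
    label=$1; port=$2
    validate_label "$label" || return 1
    validate_port "$port" || return 1
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$label</string>
    <key>Program</key>
    <string>/usr/libexec/sshd-keygen-wrapper</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/sshd</string>
        <string>-i</string>
    </array>
    <key>SessionCreate</key>
    <true/>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SockServiceName</key>
            <string>$port</string>
        </dict>
    </dict>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>inetdCompatibility</key>
    <dict>
        <key>Wait</key>
        <false/>
    </dict>
</dict>
</plist>
EOF
}

# Write the job as root:wheel 644, switch off the port-22 job, load the new one.
# Must run as root: a job loaded by an ordinary user's launchctl runs as that
# user and cannot read the root-only host keys.
install_sshd_job() {
    label=$1; port=$2; target=$DAEMON_DIR/$label.plist
    [ "$(uname)" = Darwin ] || { echo "launchd jobs only make sense on Darwin" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run this as root (sudo), not as a normal user" >&2; return 1; }
    render_sshd_plist "$label" "$port" > "$target" || return 1
    chown root:wheel "$target" && chmod 644 "$target" || return 1
    launchctl unload -w "$SYSTEM_PLIST"   # -w persists the disabled state on Tiger
    launchctl load -w "$target"
}

# Usage on the Mac, as root:  install_sshd_job local.sshd 2022
```

    After a software update, check that the port-22 job is still disabled and the new one still loaded (`sudo launchctl list`); the thread's whole point is that Apple may replace the file under /System.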
  • From Barry Margolin@barmar@alum.mit.edu to comp.sys.mac.system on Saturday, April 22, 2006 14:40:56

    In article <kN-dnRgQDsRdv9fZRVn-qw@comcast.com>,
    D P Schreber <schreberdp@rayban.net> wrote:

    > On 2006-04-22, Barry Margolin <barmar@alum.mit.edu> wrote:
    >>> Instead, make an entirely new launch daemon and put it in /Library/LaunchDaemons
    >>
    >> I've done this, but it's not working. When I try to connect, the connection is immediately closed, and Console shows the following log messages:
    >>
    >> Apr 21 20:24:03 Barry-Margolins-Computer sshd[9319]: error: Could not load host key: /etc/ssh_host_key
    >>
    >> [etc]
    >
    > Very strange. Just to confirm, your new file should look like this:

    I haven't compared to yours, but I diff'ed against the one in /System/Library.

    *** /System/Library/LaunchDaemons/ssh.plist Fri Apr 14 19:38:33 2006
    --- /Library/LaunchDaemons/ssh.plist Fri Apr 14 19:45:46 2006
    ***************
    *** 4,9 ****
    <dict>
    - <key>Disabled</key>
    - <true/>
    <key>Label</key>
    ! <string>com.openssh.sshd</string>
    <key>Program</key>
    --- 4,7 ----
    <dict>
    <key>Label</key>
    ! <string>local.sshd</string>
    <key>Program</key>
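    Review bot: the removed `<key>Disabled</key>` / `<true/>` lines show that the /System copy of ssh.plist now carries a Disabled key, i.e. the port-22 job was switched off inside the file Apple owns (which is what `launchctl unload -w` does on Tiger), so a system update that rewrites ssh.plist brings the port-22 listener back next to local.sshd without warning; re-check with `launchctl list` after every update. The Label change in the same hunk is the essential part: a copy in /Library/LaunchDaemons that kept com.openssh.sshd would define the same job twice.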
    ***************
    *** 27,29 ****
    <key>SockServiceName</key>
    ! <string>ssh</string>
    </dict>
    --- 25,27 ----
    <key>SockServiceName</key>
    ! <string>2456</string>
    </dict>
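    Review bot: replacing the service name `ssh` with the literal `2456` is right, because SockServiceName is resolved through /etc/services, which is also why the earlier idea of remapping `ssh` in that file would have moved the outgoing ssh client too. Nothing else in the file needs to change for the port: with launchd owning the socket and starting `sshd -i` per connection, the Port line in /etc/sshd_config is never consulted, which is what the first post in the thread ran into.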

    > Also, the file should be owned by root:wheel, and should be 644.

    It is.

    >> The files that it says it can't load are only readable by root. Could daemons launched from /Library/LaunchDaemons instead of /System/Library/LaunchDaemons be running as an ordinary user, rather than root?
    >
    > Mine runs as root, but I agree that it sounds as if yours doesn't.
    >
    >> Does it run them as the user who ran launchctl?
    >
    > It might. I never tried this except via sudo. But root will do the work at boot time, at least it does on my machines. Are you always enabling manually, and always as an ordinary user?

    Ah, I don't think I used sudo to run launchctl. I unloaded it, and reloaded it with sudo, and it worked.

    I hadn't rebooted since making these changes, so the automatic startup didn't happen.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
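    A pre-flight check for the failure in the last two posts (the job was loaded from an ordinary user's launchctl, so sshd ran without root and could not read the host keys). This is an added example, not something either poster ran. The host-key paths are the ones in Barry's log, the system label is the one named earlier in the thread, and the function names plist_label, check_label_unique, check_plist_perms, unreadable_host_keys, preflight and show_listener are chosen here. Everything except show_listener runs on any Unix, which is how it can be exercised off the Mac.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run before `launchctl load`
# so the job does not fail the way it did in the thread.
# Assumptions: Tiger host-key paths, system job label com.openssh.sshd,
# a hand-written XML plist with Label on the line after <key>Label</key>.

SYSTEM_LABEL=com.openssh.sshd
HOST_KEYS="/etc/ssh_host_key /etc/ssh_host_rsa_key /etc/ssh_host_dsa_key"

# Extract the Label string from a plist without plutil, so it works anywhere.
plist_label() {
    sed -n '/<key>Label<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$1"
}

# The new job must not reuse the system job's label.
check_label_unique() {
    label=$(plist_label "$1")
    [ -n "$label" ] && [ "$label" != "$SYSTEM_LABEL" ]
}

# The thread's requirement for files in /Library/LaunchDaemons: root:wheel, 644.
check_plist_perms() {
    [ -n "$(find "$1" -maxdepth 0 -user root -perm 644 -print)" ]
}

# sshd loads the root-only host keys at start; print every key the current
# uid cannot read. Defaults to the Tiger paths; arguments override for testing.
unreadable_host_keys() {
    [ $# -gt 0 ] || set -- $HOST_KEYS
    for k; do [ -r "$k" ] || echo "$k"; done
}

# Run all checks; return non-zero if any of them fails.
preflight() {
    plist=$1; rc=0
    [ "$(id -u)" -eq 0 ] || { echo "not root: launchctl would load the job into your own session" >&2; rc=1; }
    check_label_unique "$plist" || { echo "Label missing or identical to $SYSTEM_LABEL" >&2; rc=1; }
    check_plist_perms "$plist" || { echo "$plist must be owned by root and mode 644" >&2; rc=1; }
    missing=$(unreadable_host_keys)
    [ -z "$missing" ] || { echo "host keys not readable as uid $(id -u): $missing" >&2; rc=1; }
    return $rc
}

# After loading: confirm the job is listed and the listener belongs to root
# (USER column of lsof). Darwin only.
show_listener() {
    [ "$(uname)" = Darwin ] || return 0
    launchctl list | grep -- "$(plist_label "$1")"
    lsof -nP -i TCP:"$2"
}

# Usage on the Mac:  sudo sh -c '. ./preflight.sh; preflight /Library/LaunchDaemons/local.sshd.plist && launchctl load -w /Library/LaunchDaemons/local.sshd.plist && show_listener /Library/LaunchDaemons/local.sshd.plist 2022'
```

    The "Could not load host key" and "Initial audit status check failed (Operation not permitted)" lines in Barry's log are both symptoms of the same thing, sshd running as a non-root uid; the root check at the top of preflight is the one that would have caught it.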