Setting up SSH on Mac OSX
Well, it's been a long time I wanted to set up a SSH service on my Mac. Every time I did it I got slammed by robots trying to brute-force my password. Not that I have a week password but it ate a lot of my bandwidth and not to mention the processing power. So, I decided to make a series of changes to make my box more secure.
Change the default SSH port to something other than 22 :
From a security point of view defaults are a big no-no. So, here are the steps to change the default SSH port from 22 to something else. Now, for some reason its not as easy as changing /etc/sshd_config file as it is with Linux. Anonymous, has written a nice article on this, I will duplicate some of it here.
1) Using Terminal go to the file /etc/services
2) Find the line where SSH port value is defined, by default it should be 22 (for TCP and UDP)
3) Modify the number from 22 to any number between 1024-65535.
4) Restart the machine for the changes to take effect.
One small thing to remember about ports is that values 1-1024 are privileged ports and avoid using those values. Any value between 1024-65535 should be acceptable but larger values are invalid.
Disable Password Logins and enable Publickey Authentication:
I would rather disable password logins on my internet facing box. Its Game Over for me if my password is compromised or gets brute-forced.
To disable password logins follow the following steps:
1) Using terminal go to the file /etc/sshd_config
2) Open the file with your favorite editor (vim in this case)
sudo vim /etc/sshd_config
3) Uncomment (remove #) the line which says '#ChallengeResponseAuthentication yes' and change it to following
4) To enable publickey login, uncomment the lines
This will enable you to login using publickey which is a nice and secure way to log in from outside your network.
5) If you want to turn on Tunneling then you can change the line '#PermitTunnel no' to 'PermitTunnel yes'
6) Once you are comfortable with all the changes type 'Esc:wq' which means Write the file and Quit.
We don't need to restart the SSH server on mac OS X as services are started and stopped dynamically by launchd. Configuration changes are immediate.
Creating SSH Public-Private Key:
To be able to login from outside the network we need to set up public private key pair. The private part remains with you all the time ( never ever share it !) and the public part goes to whatever server you want to be able to be log in from.
Here you will be creating public-private key pair on the client machine (e.g. iPhone or PC) from which you want to access your SSH server securely. In my case I want to access it from iPhone using iSSH. So I will be creating the keys on my SSH server itself and copy the private part to my iPhone and public part to my server.
Following are the steps to create public-private key pair:
1) Fire up the terminal and type 'ssh-keygen'
2) Select the default location and hit enter.
3) Select a strong passphrase and hit enter.
4) Confirm the passphrase and hit enter.
5) Your key should be ready now.
6) Login into the server as a user you want to login using SSH. Create a folder .ssh under the home directory (if it dos not exist)
7) Copy the public part of the key (id_rsa.pub) to that .ssh folder
cp ~/Desktop/id_rsa.pub ~/.ssh/
8 ) Rename id_rsa.pub file to 'authorized_keys' (this is an important step !)
mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
9 ) Change the permissions on the public file so that its read only for the user
chmod 400 ~/.ssh/id_rsa.pub
10) Copy the private part of the key (id_rsa) to the machine from where you want to be able to login (client).
11) Try log in from the client machine.
Awesome, you got yourself a secure SSH server ! make sure you do not share the private key with anyone and make sure you protect it.
For some reason if things do not go your way check the output of
ssh -vvv myssh.com
and see what you get. If you are still having issues try repeating above steps, if that does not help post a comment may be I can be of some help.
There is a very nice post describing above steps and Kerbros authentication for SSH here.