
PB Only - Enabling secure remote connections
[Editor's note: The following applies to the Public Beta only. The current release version of OS X does not contain SSH; search the site for articles on installing SSH if you'd like to use it. Rumor has it that the first OS X update will again include SSH]

If you access your OS X box remotely, you can do so through an incredibly simple-to-use Telnet server (simply click "Turn on remote Telnet access" on the Sharing System Preference panel). However, this is not the best way to connect to your OS X box: everything in a Telnet session, including your password, is transmitted in cleartext (unencrypted), so anyone who can watch the network path can read it, and could intercept or tamper with the session for malicious purposes.

OS X includes a built-in secure remote access package known as SSH (Secure SHell). However, there is no GUI for enabling SSH, which is unfortunate (hopefully this will be changed prior to final release). It is not, however, overly difficult to enable SSH using a terminal session, if you're reasonably comfortable with editing files in the shell.

If you access your machine remotely, and you would like to do so more securely, read the rest of this article for information on how to enable and use SSH.

The process required to get SSH running is as follows:
  1. Start a terminal session, and then become the root user
    su
    and then enter your root password.

  2. Change to the etc directory:
    cd /etc
  3. Make a copy of your hostconfig file:
    cp hostconfig hostconfig.bak
  4. Edit your hostconfig file, using your favorite editor:
    vi hostconfig
  5. On the last line, change this
    SSHSERVER=-NO-
    to this
    SSHSERVER=-YES-
  6. Save your changes and quit the editor.

  7. Change to the SSH directory:
    cd /System/Library/StartupItems/SSH
    Execute the SSH command:
    ./SSH
    You should see the following text appear on screen
    Starting Secure Login Server
    error: Could not load DSA host key: /etc/ssh_host_dsa_key
    Disabling protocol version 2
    This is where it gets a bit confusing, as there are two SSH protocols, SSH1 and SSH2. At this point an SSH1 client can already connect, but SSH1 is the older protocol with known weaknesses, so the next steps generate the DSA host key that sshd needs for SSH2. Once that is done, both SSH1 and SSH2 clients can connect to your machine.

  8. Edit the SSH startup script to enable the SSH2 protocol, assuming you are still in the /System/Library/StartupItems/SSH directory:
    vi SSH
  9. Look for the section that looks like this:
    if [ ! -f /etc/ssh_host_key ]; then
    echo "Generating ssh host key..."
    ssh-keygen -f /etc/ssh_host_key -N "" -C "$(hostname)"
    fi
    sshd
    You are going to insert a new IF statement after the current one, and before the sshd command, so that a DSA host key is generated on first start in the same way the existing block generates the RSA1 key. The new if statement is:
    if [ ! -f /etc/ssh_host_dsa_key ]; then
    echo "Generating ssh DSA host key..."
    ssh-keygen -d -b 1024 -f /etc/ssh_host_dsa_key -N "" -C "$(hostname)"
    fi
    (The -d flag is the older ssh-keygen spelling of "-t dsa"; if your ssh-keygen rejects -d, use -t dsa instead.) When you are done, there should be two separate IF statements, and then the sshd command as before. Do not change any other portion of this file.

  10. Save your changes and quit the editor, and disconnect as the root user.
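The ten steps above, collected into one script. This is an added example, not part of the original hint or of the Beta's own SSH startup item: it assumes the Public Beta layout described above (SSHSERVER=... in /etc/hostconfig, host keys in /etc, /System/Library/StartupItems/SSH/SSH starting sshd), and it uses the newer "ssh-keygen -t" spelling, so substitute -d for "-t dsa" (and drop "-t rsa1") if the Beta's ssh-keygen does not accept it. The hostconfig path and key directory are parameters so the pieces can be tried against a scratch directory before touching /etc.

```shell
#!/bin/sh
# enable_ssh_pb.sh -- added example; not from the original hint.
# Assumed layout (Public Beta): /etc/hostconfig, host keys in /etc,
# /System/Library/StartupItems/SSH/SSH starts sshd.
set -eu

HOSTCONFIG=${HOSTCONFIG:-/etc/hostconfig}
KEYDIR=${KEYDIR:-/etc}

# Print the current SSHSERVER value (-YES- / -NO-) from a hostconfig file.
sshserver_value() {
    sed -n 's/^SSHSERVER=//p' "$1" | tail -n 1
}

# Set SSHSERVER=-YES- in the given hostconfig, keeping a .bak copy first
# (steps 3-6). Returns 0 only if the file really ends up with -YES-.
enable_sshserver() {
    cfg=$1
    cp "$cfg" "$cfg.bak"
    if grep -q '^SSHSERVER=' "$cfg"; then
        sed 's/^SSHSERVER=.*/SSHSERVER=-YES-/' "$cfg.bak" > "$cfg"
    else
        # A hostconfig without the line at all: append it.
        { cat "$cfg.bak"; echo 'SSHSERVER=-YES-'; } > "$cfg"
    fi
    grep -q '^SSHSERVER=-YES-$' "$cfg"
}

# Generate a host key of type $1 at path $2 unless it already exists
# (the same idea as the IF blocks in the SSH startup script, step 9).
# Assumption: ssh-keygen accepts -t; the hint's "-d" is the older form.
ensure_host_key() {
    ktype=$1; keyfile=$2
    if [ ! -f "$keyfile" ]; then
        echo "Generating $ktype host key $keyfile ..."
        ssh-keygen -q -t "$ktype" -f "$keyfile" -N "" -C "$(hostname)"
    fi
}

# sshd prints "Disabling protocol version 2" when the DSA host key is
# missing, so protocol 2 is usable only once this file exists.
protocol2_ready() {
    [ -f "$KEYDIR/ssh_host_dsa_key" ]
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (su first)" >&2; exit 1; }
    enable_sshserver "$HOSTCONFIG"
    ensure_host_key rsa1 "$KEYDIR/ssh_host_key"
    ensure_host_key dsa  "$KEYDIR/ssh_host_dsa_key"
    protocol2_ready && echo "DSA host key present; protocol 2 will be enabled"
    /System/Library/StartupItems/SSH/SSH   # step 7: start sshd now
}

# Run for real only when executed under this name, not when sourced.
case "${0##*/}" in enable_ssh_pb.sh) main ;; esac
```

Run it as root once to enable and start the server; on later reboots the SSHSERVER=-YES- line in hostconfig starts sshd for you. Keep the hostconfig.bak copy until you have confirmed a remote login works.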
You should now have an enabled SSH server, and you can connect remotely with much greater security. To make an SSH connection, the command syntax is:
ssh username@hostname
Alternatively, you can separate the user and host by typing
ssh -l username hostname
username is obviously your user name, and hostname is either the domain name or IP address of your OS X box. If you don't have a domain name or static IP address, you'll need to use one of the dynamic naming services (see this link on Versiontracker) or have some other method of determining your IP number. The first time you connect, ssh will show the server's host key fingerprint and ask you to confirm it; answering yes records the key in ~/.ssh/known_hosts, and a later warning that the key has changed should be treated as suspicious rather than clicked past. Either version of the command should then come back with a password prompt, at which you would enter your normal user's password, and you will then be connected securely to your OS X box.

If you're using OS 9 to connect to OS X, you can use NiftyTelnet SSH to make the connection; if you're using OS X, you can just type the command in the terminal window.

Once you're sure everything's working right, go back to that Sharing preference panel, and disable the telnet server, and close that security hole.

Many thanks to my UNIX friends for helping me configure this on my machine, and a tip of the hat to wyzeguy on this MacNN forum for solving the SSH protocol 2 issue!

ssh tips
Authored by: robh on Jan 05, '01 12:07:12PM

you can find info on using ssh at..
www.ssh.org/faq.html.

One quick tip for new users of ssh is that you can run a single command on a remote machine with:
ssh username@machinename command
e.g.
ssh me@myothermachine.com date
... to find out the time/date on the remote (unix / osx) machine.

login vs. remote command
Authored by: Anonymous on Mar 28, '01 03:00:47PM

<<
One quick tip for new users of ssh is that you can run a
single command on a remote machine with:

ssh username@machinename command
>>

Wouldn't it be better, more secure, to force people to log in to the machine via SSH and execute the command once in?

Specific ports?
Authored by: cichlisuite on Mar 28, '01 04:56:39PM

Is there need to set a specific port for telnet/ssh to listen to?

My company firewall will only let email/ftp/http through (no ICQ or anything else), therefore the only way I can connect to my home machine is to use one of those ports.
