If you access your OS X box remotely, you can do so through an incredibly simple-to-use Telnet server (simply click "Turn on remote Telnet access" on the Sharing System Preference panel). However, this is not the best way to connect to your OS X box - your passwords are transmitted in cleartext (unencrypted), meaning that they could be intercepted by those with malicious intent.
OS X includes a built-in secure remote access package known as SSH (Secure SHell). However, there is no GUI for enabling SSH, which is unfortunate (hopefully this will be changed prior to final release). It is not, however, overly difficult to enable SSH using a terminal session, if you're reasonably comfortable with editing files in the shell.
If you access your machine remotely, and you would like to do so more securely, read the rest of this article for information on how to enable and use SSH.
The process required to get SSH running is as follows:
- Start a terminal session, and then become the root user
su
and then enter your root password.
- Change to the etc directory:
cd /etc
- Make a copy of your hostconfig file:
cp hostconfig hostconfig.bak
- Edit your hostconfig file, using your favorite editor:
vi hostconfig
- On the last line, change this
SSHSERVER=-NO-
to this
SSHSERVER=-YES-
- Save your changes and quit the editor.
- Change to the SSH directory:
cd /System/Library/StartupItems/SSH
- Execute the SSH command:
./SSH
You should see the following text appear on screen:
Starting Secure Login Server
error: Could not load DSA host key: /etc/ssh_host_dsa_key
Disabling protocol version 2
This is where it gets a bit confusing, as there are two SSH protocols - SSH1 and SSH2. You can connect fine with SSH1, but the next steps will enable SSH2, so that both SSH1 and SSH2 clients can connect to your machine.
- Edit the SSH file to enable the SSH2 protocol, assuming you are still in the /System/Library/StartupItems/SSH directory:
vi SSH
- Look for the section that looks like this:
if [ ! -f /etc/ssh_host_key ]; then
    echo "Generating ssh host key..."
    ssh-keygen -f /etc/ssh_host_key -N "" -C "$(hostname)"
fi
sshd
You are going to insert a new IF statement after the current one, and before the SSHD command. The new if statement is:
if [ ! -f /etc/ssh_host_dsa_key ]; then
    echo "Generating ssh host key..."
    ssh-keygen -d -b 1024 -f /etc/ssh_host_dsa_key -N "" -C "$(hostname)"
fi
When you are done, there should be two separate IF statements, and then the SSHD command as before. Do not change any other portion of this file.
- Save your changes and quit the editor, and disconnect as the root user.
ssh username@hostname
Alternatively, you can separate the user and host by typing
ssh -l username hostname
username is obviously your user name, and hostname is either the domain name or IP address of your OS X box. If you don't have a domain name or static IP address, you'll need to use one of the dynamic naming services (see this link on Versiontracker) or have some other method of determining your IP number. Either version of the command should come back with a password prompt, at which you would enter your normal user's password, and you will then be connected securely to your OS X box.
If you're using OS 9 to connect to OS X, you can use NiftyTelnet SSH to make the connection; if you're using OS X, you can just type the command in the terminal window.
Once you're sure everything's working right, go back to that Sharing preference panel, and disable the telnet server, and close that security hole.
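The hostconfig edit and the two host key files from the steps above can also be scripted and checked. The following is an added shell example, not part of the original hint: enable_sshserver and host_key_problems are hypothetical helper names, and the group/other-readable check is an assumption added here (private host keys should be readable by root only).

```shell
#!/bin/sh
# Added example, not from the original hint. Paths are arguments so the
# functions can be tried on a scratch copy before touching /etc.

# enable_sshserver FILE: back up FILE to FILE.bak (first run only), then
# change SSHSERVER=-NO- to SSHSERVER=-YES-. Returns 1 if the line is absent.
enable_sshserver() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    if grep -q '^SSHSERVER=-YES-$' "$cfg"; then
        return 0    # already enabled, nothing to change
    fi
    if ! grep -q '^SSHSERVER=-NO-$' "$cfg"; then
        echo "SSHSERVER line not found in $cfg" >&2
        return 1
    fi
    # Keep the first backup; never overwrite it with an edited file.
    [ -f "$cfg.bak" ] || cp -p "$cfg" "$cfg.bak" || return 1
    tmp="$cfg.tmp.$$"
    sed 's/^SSHSERVER=-NO-$/SSHSERVER=-YES-/' "$cfg" > "$tmp" ||
        { rm -f "$tmp"; return 1; }
    # Write back through the original file so its owner and mode are kept.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# host_key_problems DIR: report each host key the startup script looks for
# that is missing from DIR or readable by group/others (assumed policy:
# private host keys are readable by root only). No output means no findings.
host_key_problems() {
    dir=$1
    for key in ssh_host_key ssh_host_dsa_key; do
        if [ ! -f "$dir/$key" ]; then
            echo "$key: missing"
        elif [ -n "$(find "$dir/$key" \( -perm -040 -o -perm -004 \))" ]; then
            echo "$key: readable by group or others"
        fi
    done
}

# Usage as root on the real files:
#   enable_sshserver /etc/hostconfig && host_key_problems /etc
```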
Many thanks to my UNIX friends for helping me configure this on my machine, and a tip of the hat to wyzeguy on this MacNN forum for solving the SSH protocol 2 issue!

