10.4: Change the default sshd port

Jul 18, '05 09:03:00AM

Contributed by: Anonymous

Tiger-only hint. The changes introduced with Tiger seem to be causing great pain to many with regard to sshd and changing its default port. A hint is already on file for doing this in 10.3, which even so seems to have caused a bit of a stir. To note -- I'm not endorsing security through obscurity, but this is still a useful exercise and one that can reduce the number of people probing the standard ssh port.

In 10.4, the mechanism for launching sshd changed from xinetd to launchd. This dramatically changed how sshd is launched, which ports are listened on, etc. Logically, you would think you could just edit /etc/sshd_config and be done with it. Sorry, but it's not that easy. sshd_config is read when sshd starts, but launchd only starts sshd when the appropriate port is "tickled." Here's the deal. launchd has an "on-demand" mode, in which a service is launched only when a connection arrives on the port it registered for. In /System/Library/LaunchDaemons is a file called ssh.plist which defines the on-demand configuration for sshd.

In general, in most on-demand plists for launchd, a key can be found called SockServiceName. In the ssh.plist file, this is defined as follows:

  <key>SockServiceName</key>
  <string>ssh</string>
No, it doesn't list a port number; it lists a service name that is resolved by the getaddrinfo() function call, which in turn looks the service up in the /etc/services file. This file has been key to a long-raging debate on the proper way to change the port that sshd listens on.

However, you can easily just add an entry to /etc/services such as ssh2, pointing to a second port (or reuse an existing services entry that nothing is listening on), then modify the ssh.plist file to use that entry for SockServiceName. With that change, sshd will listen only on that port, while ssh client activity is unaffected. So, in my case, I added the following to /etc/services:
  ssh2              10022/udp 
  ssh2              10022/tcp
Next I modified my /System/Library/LaunchDaemons/ssh.plist, changing the SockServiceName lines from what's shown above to this:
  <key>SockServiceName</key>
  <string>ssh2</string>
If you want to listen to both ports, just duplicate your ssh.plist to ssh2.plist, then modify the ssh2.plist file to use your second port -- and also change the Label string to something else (to give it a different name):
  <key>Label</key>
  <string>com.openssh.sshd2</string>
This can be useful if you block port 22 at your router, then port forward (or just plain open) some other port to your machine for ssh access. Machines inside can still reach the machine through port 22, but those outside can reach it only through the alternate port. Note that launchd has to reload the job for these changes to take effect. A reboot is the surest way (but loading the plist with launchctl seems to work fine if you didn't add a new services entry). Also, make sure to open the port in the Mac OS X firewall if you are running it.
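Because a typo in either file leaves launchd unable to bind the listener, it is worth rehearsing the three edits above (the /etc/services entry, the SockServiceName change, the new Label for a duplicated ssh2.plist) on scratch copies and checking that the service name the plist hands to getaddrinfo() really resolves. The script below is an added example, not code from the hint or from Apple; the services lines and the plist are constructed samples trimmed to the keys the hint discusses (the real ssh.plist carries more keys), and the function names (`add_service_entry`, `set_plist_string`, `verify_listener`, `rehearse`) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original hint: rehearse the Tiger sshd
# port change on scratch copies of /etc/services and ssh.plist, then check
# that the name launchd will hand to getaddrinfo() actually resolves.

# Constructed stand-in for a few lines of /etc/services.
SAMPLE_SERVICES='ssh               22/udp     # SSH Remote Login Protocol
ssh               22/tcp     # SSH Remote Login Protocol
domain            53/udp     # Domain Name Server
domain            53/tcp     # Domain Name Server'

# Constructed, trimmed stand-in for /System/Library/LaunchDaemons/ssh.plist.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.openssh.sshd</string>
  <key>Sockets</key>
  <dict>
    <key>Listeners</key>
    <dict>
      <key>SockServiceName</key>
      <string>ssh</string>
    </dict>
  </dict>
</dict>
</plist>'

# service_port NAME FILE: print the tcp port NAME maps to; nothing if absent.
service_port() {
    awk -v n="$1" '$1 == n && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }' "$2"
}

# port_owner PORT FILE: print the name(s) already assigned to PORT/tcp.
port_owner() {
    awk -v p="$1/tcp" '$2 == p { print $1 }' "$2"
}

# add_service_entry NAME PORT FILE: append udp+tcp lines as the hint does;
# refuse if NAME already exists or PORT/tcp already belongs to another name.
add_service_entry() {
    if [ -n "$(service_port "$1" "$3")" ]; then
        echo "refusing: service '$1' already defined in $3" >&2; return 1
    fi
    owner=$(port_owner "$2" "$3")
    if [ -n "$owner" ]; then
        echo "refusing: port $2/tcp already assigned to '$owner' in $3" >&2; return 1
    fi
    printf '%s\t\t%s/udp\n%s\t\t%s/tcp\n' "$1" "$2" "$1" "$2" >> "$3"
}

# set_plist_string FILE KEY VALUE: rewrite the <string> on the line after
# <key>KEY</key>. Works with both BSD (Tiger) and GNU sed; leaves FILE.bak.
set_plist_string() {
    sed -i.bak "/<key>$2<\/key>/{n;s|<string>[^<]*</string>|<string>$3</string>|;}" "$1"
}

# plist_string FILE KEY: print the <string> value that follows <key>KEY</key>.
plist_string() {
    sed -n "/<key>$2<\/key>/{n;s|.*<string>\([^<]*\)</string>.*|\1|p;}" "$1"
}

# verify_listener PLIST SERVICES: print the port launchd will bind for PLIST;
# fail if its SockServiceName does not resolve in SERVICES.
verify_listener() {
    svc=$(plist_string "$1" SockServiceName)
    port=$(service_port "$svc" "$2")
    if [ -z "$port" ]; then
        echo "SockServiceName '$svc' not in $2: launchd cannot bind the listener" >&2
        return 1
    fi
    printf '%s\n' "$port"
}

# rehearse DIR NAME PORT: write the scratch files into DIR, apply the hint's
# edits for a second listener (ssh2.plist), and print "label service port".
rehearse() {
    mkdir -p "$1"
    printf '%s\n' "$SAMPLE_SERVICES" > "$1/services"
    printf '%s\n' "$SAMPLE_PLIST" > "$1/ssh.plist"
    add_service_entry "$2" "$3" "$1/services" || return 1
    cp "$1/ssh.plist" "$1/ssh2.plist"
    set_plist_string "$1/ssh2.plist" SockServiceName "$2"
    set_plist_string "$1/ssh2.plist" Label com.openssh.sshd2
    port=$(verify_listener "$1/ssh2.plist" "$1/services") || return 1
    printf '%s %s %s\n' "$(plist_string "$1/ssh2.plist" Label)" "$2" "$port"
}

# Run the rehearsal in a throwaway directory; prints "com.openssh.sshd2 ssh2 10022".
scratch=$(mktemp -d "${TMPDIR:-/tmp}/sshport.XXXXXX")
rehearse "$scratch" ssh2 10022
rm -rf "$scratch"
```

Once the rehearsal prints the expected label, name and port, the same `add_service_entry` and `set_plist_string` calls can be pointed at the real /etc/services and a copy of ssh.plist under /System/Library/LaunchDaemons (as root), after which the new job is loaded with launchctl as the hint describes. The collision check in `add_service_entry` matters because launchd resolves only the name: if the port you pick is already assigned to another service name, or the name you pick is already defined, sshd will not end up where you expect.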



Mac OS X Hints
http://hints.macworld.com/article.php?story=20050707140439980