The changes induced with Tiger seem to be causing great pain to many in regards to sshd and changing the default port. A hint is already on file for doing this in 10.3, which even so, seems to have caused a bit of a stir. To note -- I'm not endorsing security through obscurity, but this is still a useful exercise and one that can reduce the number of people probing the standard ssh port.
In 10.4, the mechanism for launching sshd changed from using xinetd to launchd. This dramatically changed how sshd is launched, what ports are listened to, etc. Logically, you would think you could just edit /etc/sshd_config and be done with it. Sorry, but it's not that easy. sshd_config is read on launch of sshd, but launchd launches sshd when the appropriate port is "tickled." Here's the deal. launchd has an "on-demand" mode, where services that need to be launched upon being "tickled" on a particular port are launched. In /System/Library/LaunchDaemons is a file called ssh.plist which defines the on-demand configuration for sshd.
In general, in most on-demand plists for launchd, a key can be found called SockServiceName. In the ssh.plist file, this is defined as follows:
<key>SockServiceName</key>
<string>ssh</string>
No, it doesn't list a port number; it lists a service name that is looked up by the getAddrInfo() function call. This, in turn, looks up the service in the /etc/services file. This file has been key to a long-raging debate on the proper way to change the port that sshd listens too.
ssh2 10022/udp
ssh2 10022/tcp
Next I modified my /System/Library/LaunchDaemons/ssh.plist, changing the SockServiceName lines from what's shown above to this:
<key>SockServiceName</key>
<string>ssh2</string>
If you want to listen to both ports, just duplicate your ssh.plist to ssh2.plist, then modify the ssh2.plist file to use your second port -- and also change the Label string to something else (to give it a different name):
<key>Label</key>
<string>com.openssh.sshd2</string>
This can be useful if you block port 22 at your router, then port forward (or just plain open) some other port to your machine for ssh access. Machines inside can still access the machine through port 22, but those outside can access through the alternate port only. Note that you will need to refresh launchd for these changes to take effect. A reboot is the surest way (but using launchctl to load the script seems to work fine if you didn't add a new services entry). Also, make sure to open the firewall port on the Mac OS X firewall if you are running it.
Mac OS X Hints
http://hints.macworld.com/article.php?story=20050707140439980