
10.4: Stop Bonjour from broadcasting ssh/sftp, plus... Network
While looking for a way to disable Apple Remote Desktop and other services from the command line, I happened to be in /System » Library » LaunchDaemons. In my boredom, I opened ssh.plist in that directory, and found that Bonjour is a key. Anyway, skipping a long explanation and some inevitable tinkering, I figured out how to stop Bonjour from pointing out to the world (or at least my local network) that I have ssh enabled.

Be warned that while I have had no problems, I cannot ensure that you will not. This hint edits a system file, and messes with Bonjour, so think before you act. It also may take a system restart, in addition to undoing this hint, to re-enable Bonjour broadcasting of ssh and sftp. I would make a backup of /System » Library » LaunchDaemons » ssh.plist first, as we will be deleting two strings from that file. (When I tried commenting them out, they disappeared after I stopped and restarted ssh.)

After you've made your backup, here's one way to edit the file:
sudo vi /System/Library/LaunchDaemons/ssh.plist
In the editor, delete these two lines:
<string>ssh</string>
<string>sftp-ssh</string>
They should be found around lines 22 and 23. Save the file and quit the editor. Then go to System Preferences » Sharing » Services, unlock it, disable Remote Login, and finally re-enable Remote Login. You can check if things worked by using Bonjour Browser or some such similar app to be sure ssh/sftp no longer show up.

Lastly, to explain the plus in the hint title: A simple grep -ir bonjour . showed that eppc.plist, ftp.plist, and telnet.plist also had the Bonjour key. I don't use them myself, so this same trick may or may not work for those services, too.
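
The edit described in the hint, as an added shell example that is not part of the original post: it backs the file up and removes the two strings only inside the Bonjour array, because a launchd Sockets entry can carry the same `<string>ssh</string>` as its SockServiceName value, and deleting that one would change which port is listened on. The sample plist, the function names and the one-element-per-line layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original hint. Assumes one XML element per line.

# Constructed sample modeled on the Sockets section of a launchd ssh plist.
write_sample() {
    cat > "$1" <<'EOF'
<key>Sockets</key>
<dict>
    <key>Listeners</key>
    <dict>
        <key>SockServiceName</key>
        <string>ssh</string>
        <key>Bonjour</key>
        <array>
            <string>ssh</string>
            <string>sftp-ssh</string>
        </array>
    </dict>
</dict>
EOF
}

# Back up FILE to FILE.bak, then drop the ssh and sftp-ssh strings found inside
# the array that follows <key>Bonjour</key>. Everything else is copied as is.
strip_bonjour_names() {
    cp -p "$1" "$1.bak" || return 1
    awk '
        /<key>Bonjour<\/key>/ { after_key = 1; print; next }
        after_key             { after_key = 0; if ($0 ~ /<array>/) in_arr = 1 }
        in_arr && /<\/array>/ { in_arr = 0 }
        in_arr && /<string>(ssh|sftp-ssh)<\/string>/ { next }
        { print }
    ' "$1.bak" > "$1.tmp" || return 1
    cat "$1.tmp" > "$1" && rm -f "$1.tmp"   # overwrite in place, keep owner/mode
}

# Print the names still listed in the Bonjour array, one per line.
bonjour_names() {
    awk '
        /<key>Bonjour<\/key>/ { after_key = 1; next }
        after_key             { after_key = 0; if ($0 ~ /<array>/) in_arr = 1; next }
        in_arr && /<\/array>/ { exit }
        in_arr                { gsub(/^[ \t]*<string>|<\/string>[ \t]*$/, ""); print }
    ' "$1"
}

demo=$(mktemp) && write_sample "$demo" && strip_bonjour_names "$demo"
grep -c '<string>ssh</string>' "$demo"   # counts the surviving SockServiceName value
rm -f "$demo" "$demo.bak"
```

On the Mac itself the target would be /System/Library/LaunchDaemons/ssh.plist, run with sudo and followed by the Remote Login off/on toggle the hint describes.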

two notes i left out
Authored by: delight1 on Jun 25, '07 08:37:56AM

it appears that "ssh user@your-computer-name.local" still works, not that it shouldn't (i thought it might not). maybe that is because "_workstation._tcp." is still up?

and since i didn't say this explicitly: Bonjour IS still up and running, it just doesn't broadcast your ssh service.



10.4: Stop Bonjour from broadcasting ssh/sftp, plus...
Authored by: jolinwarren on Jun 25, '07 08:47:17AM

Note that this will presumably stop your computer broadcasting itself to SFTP clients, too. SFTP is essentially the same as SSH but the client handles all the commands to make it look like you're accessing a 'normal' FTP server. I don't have any particular use for SSH to be broadcast over the LAN with Bonjour, but it is useful for me to have my SFTP server broadcast using Bonjour.



can't have one without the other.
Authored by: klktrk on Jun 25, '07 11:34:19AM

"I don't have any particular use for SSH to be broadcast over the LAN with Bonjour, but it is useful for me to have my SFTP server broadcast using Bonjour."

Of course, obversely, if you're broadcasting SFTP access, you *are* already implicitly broadcasting SSH access. You can't broadcast one without at least implying the other. So if you want to hide one, you have to hide both, and that is, indeed, how this hint will work.

---
The Apotek
http://theapotek.com
The Executioner's Summary:
http://www.last.fm/label/Broken+Hill+Music/playlists/6761?autostart



can't have one without the other.
Authored by: delight1 on Jun 25, '07 02:12:33PM

so you can not disable ssh in its config file, and still have sftp work? *doesn't use sftp*



10.4: Stop Bonjour from broadcasting ssh/sftp, plus...
Authored by: mmnw on Jun 25, '07 08:54:09AM

You could also use a launchd editor like Lingon to stop advertising via Bonjour. Just open Lingon, switch to the "System Daemons" Tab and edit the daemons you like, i.e. "com.openssh.sshd" which would be the ssh-daemon. The bonjour options are at the bottom of the "Sockets" tab. You can disable it at all or just remove (or even add) the entries you like.
Afterwards you can even stop and restart the ssh daemon via Lingon.
I guess that is the safer method for inexperienced users than deleting lines from the plist-file (also it does the same).
Note: Lingon will ask for administrator-privileges several times, of course you will need these to perform the changes.



This does not enhance security
Authored by: paulio on Jun 25, '07 09:04:13AM

All it does is stop Bonjour from advertising the availability of SSH/SFTP. Bonjour allows someone non technical to know that the services are there. This does not turn off SSH/SFTP services. Without Bonjour, all that is needed is a port scanner to discover the availability of these services.



This does not enhance security
Authored by: delight1 on Jun 25, '07 09:09:21AM

i do realize this (not that it isn't good to mention).

i just dislike Bonjour myself, and wish to stop my broadcasting, while still being able to see others'



10.4: Stop Bonjour from broadcasting ssh/sftp, plus...
Authored by: delight1 on Jun 19, '08 09:30:17AM

i can confirm that this works with 10.5 too


