Ssh – How to change the sshd listen address on Mac OS X

mac-osxmac-osx-serverssh

This question is similar to the question here, about changing the sshd port on Mac OSX, but instead of changing the port number, I want to change the listen address of my Mac's ssh server. Setting it in /etc/sshd_config doesn't work (just like it doesn't work for port numbers).

According to the man page on SSHD_CONFIG(5):

On Mac OS X, sshd is started on demand by launchd(8). The specification of the
address on which sshd will listen is given in the launchd.plist(5) file
/System/Library/LaunchDaemons/ssh.plist. The values of ListenAddress and Port
are only used when sshd is run from the command line. Use launchctl(1) to unload
and load the plist file. The port number on which sshd listens can be set by
changing the value of the SockServiceName key in the plist file.

This answer shows how to set SockServiceName to change the port number, but I'm unclear on how to change the listen address.

Deos anyone know how?

Best Answer

The answer is similar to the one you linked to.

In the file /System/Library/LaunchDaemons/ssh.plist, you need to edit the Listeners item. The IP address can be specified with they key SockNodeName. When you're done, the Listeners part of the file should look something like this:

 <key>Listeners</key>
 <dict>
         <key>SockNodeName</key>
         <string>10.10.1.70</string>  ####This is the IP address you want
         <key>SockServiceName</key>
         <string>ssh</string>
         <key>Bonjour</key>
         <array>
                 <string>ssh</string>
                 <string>sftp-ssh</string>
         </array>
 </dict>

Once you're done, you reload the config by doing

sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
sudo launchctl load /System/Library/LaunchDaemons/ssh.plist

Related Solutions

Ssh – How to change sshd port on Mac OS X

Every previous answer is working (as google suggest too), but they are dirty and inelegant.

The right way to change the listening port for a launchd handled service on Mac OS X is to make the changes the dedicated keys available in ssh.plist

So the solution is as simple as to use the port number instead of the service name.

An excerpt from my edited /System/Library/LaunchDaemons/ssh.plist:

    <key>Sockets</key>
    <dict>
            <key>Listeners</key>
            <dict>
                    <key>SockServiceName</key>
                    <string>22022</string>
                    <key>SockFamily</key>
                    <string>IPv4</string>
                    <key>Bonjour</key>
                    <array>
                            <string>22022</string>
                    </array>
            </dict>
    </dict>

Note:

To be able to edit this file on El Capitan, Sierra and probably future versions as well, you need to disable SIP (System Integrity Protection). See How do I disable System Integrity Protection (SIP).

For Catalina, even after disabling SIP, the volumes are unwritable. Use sudo mount -uw / in order to enable writing to /System. Do the change then restore SIP and reboot.

The above edit will also force sshd to listen only over IPV4.

After making any changes to ssh.plist, the file must be reloaded as follows:

sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
sudo launchctl load /System/Library/LaunchDaemons/ssh.plist

Note that using launchctl stop ... and launchctl start ... will NOT reload this file.

The man page with more information can be found by typing man launchd.plist or using this link.

Ssh – How to change the private key passphrase

To change the passphrase on your default key:

$ ssh-keygen -p

If you need to specify a key, pass the -f option:

$ ssh-keygen -p -f ~/.ssh/id_dsa

then provide your old and new passphrase (twice) at the prompts. (Use ~/.ssh/id_rsa if you have an RSA key.)

More details from man ssh-keygen:

[...]
SYNOPSIS
    ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment]
               [-f output_keyfile]
    ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
[...]
     -f filename
             Specifies the filename of the key file.
[...]
     -N new_passphrase
             Provides the new passphrase.

     -P passphrase
             Provides the (old) passphrase.

     -p      Requests changing the passphrase of a private key file instead of
             creating a new private key.  The program will prompt for the file
             containing the private key, for the old passphrase, and twice for
             the new passphrase.
[...]

Best Answer

Related Solutions

Ssh – How to change sshd port on Mac OS X

Ssh – How to change the private key passphrase

Related Topic