Can't change the listening port on macOS X Mojave for built-in SSH

macOS X Mojave 10.14.2, Kernel Darwin 18.2.0
I want to change the listening port for incoming SSH connections from 22 to any port from 2222x onward, for security reasons.
Changing /etc/ssh/sshd_config makes no sense.
The methods described before don't work for me on Mojave either.
Any suggestions where the port settings I can change are?

/etc/ssh/sshd_config:

#       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# SSH v2
Protocol 2
Port 2222
AddressFamily inet
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

client's /etc/ssh/ssh_config:

 Host *
        Protocol 2
        Port 2222
        SendEnv LANG LC_*

port listening on sshd:

    MBP:.ssh user$ > sudo lsof -iTCP -sTCP:LISTEN -n -P
    COMMAND     PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
    launchd       1   root    8u  IPv6 0xad7e82fd153731a7      0t0  TCP *:445 (LISTEN)
    launchd       1   root   12u  IPv4 0xad7e82fd153798e7      0t0  TCP *:445 (LISTEN)
    launchd       1   root   14u  IPv6 0xad7e82fd22020067      0t0  TCP *:22 (LISTEN)
    launchd       1   root   20u  IPv4 0xad7e82fd2eeb3f67      0t0  TCP *:22 (LISTEN)
    launchd       1   root   24u  IPv6 0xad7e82fd153731a7      0t0  TCP *:445 (LISTEN)
    launchd       1   root   26u  IPv6 0xad7e82fd15373767      0t0  TCP *:548 (LISTEN)
    launchd       1   root   28u  IPv4 0xad7e82fd153798e7      0t0  TCP *:445 (LISTEN)
    launchd       1   root   29u  IPv6 0xad7e82fd22020067      0t0  TCP *:22 (LISTEN)
    launchd       1   root   33u  IPv4 0xad7e82fd15378f67      0t0  TCP *:548 (LISTEN)
    launchd       1   root   43u  IPv6 0xad7e82fd15373767      0t0  TCP *:548 (LISTEN)
    launchd       1   root   44u  IPv4 0xad7e82fd15378f67      0t0  TCP *:548 (LISTEN)
    launchd       1   root   47u  IPv4 0xad7e82fd2eeb3f67      0t0  TCP *:22 (LISTEN)
    kdc          87   root    5u  IPv6 0xad7e82fd15372be7      0t0  TCP *:88 (LISTEN)
    kdc          87   root    7u  IPv4 0xad7e82fd15377c67      0t0  TCP *:88 (LISTEN)

Solution 1:

Say you want to change the default port 22 to port 22222

Open a terminal window

Edit the /etc/services file. Enter: sudo vi /etc/services
You'll be prompted for your password and obtain an elevated security privilege to make changes.

Use the slash command to find the ssh service: /ssh. There will be two entries, one for tcp and the other for udp:

ssh 22/udp # SSH Remote Login Protocol
ssh 22/tcp # SSH Remote Login Protocol

Change the number 22 in both cases to 22222 or your desired port number.

Save the changes with :w followed by Enter.

You need to recycle the ssh daemon. Depending on your system setup, ssh may not be running. If it is not, the first command will fail; ignore it and move on to the second to start ssh.

Enter the following command to stop it:
sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist

Now enter the following command to start SSH again:
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist

Verify you can access the system by logging in with ssh using this command:
ssh localhost -p 22222

To put the system back, redo the above steps and change the ssh port back to 22.

Solution 2:

To follow up on Hogstrom's response, you may want to additionally edit /etc/ssh/ssh_config and uncomment the following:

Port 22

That way, when you attempt to ssh to a normal host (running on port 22), that port is chosen instead of the new ssh default that you set in /etc/services.

Solution 3:

Listening on port 22 is handled by launchd, which is the equivalent of Unix's init, inetd and cron. Inetd can be configured to listen on a port and launch the appropriate command, rather than the command starting in daemon mode; the same goes for launchd.

You'll notice that if you run ps -ax | grep sshd, none of the processes are listening on port 22. You'll also notice that if you run lsof on the launchd process, you'll see it listening on port 22.

launchd is configured via a bunch of .plist files in /Library/LaunchDaemons and /System/Library/LaunchDaemons. The system directory is installed with the OS, and the non-system one is added to after installation.

The configuration you're after is /System/Library/LaunchDaemons/ssh.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Disabled</key>
        <true/>
        <key>Label</key>
        <string>com.openssh.sshd</string>
        <key>Program</key>
        <string>/usr/libexec/sshd-keygen-wrapper</string>
        <key>ProgramArguments</key>
        <array>
                <string>/usr/sbin/sshd</string>
                <string>-i</string>
        </array>
        <key>Sockets</key>
        <dict>
                <key>Listeners</key>
                <dict>
                        <key>SockServiceName</key>
                        <string>ssh</string>
                        <key>Bonjour</key>
                        <array>
                                <string>ssh</string>
                                <string>sftp-ssh</string>
                        </array>
                </dict>
        </dict>
        <key>inetdCompatibility</key>
        <dict>
                <key>Wait</key>
                <false/>
                <key>Instances</key>
                <integer>42</integer>
        </dict>
        <key>StandardErrorPath</key>
        <string>/dev/null</string>
        <key>SHAuthorizationRight</key>
        <string>system.preferences</string>
        <key>POSIXSpawnType</key>
        <string>Interactive</string>
</dict>
</plist>

If you don't want it listening on port 22 anymore, you can just edit this file. Otherwise copy it, with a different name, to /Library/LaunchDaemons and edit that copy:

cp /System/Library/LaunchDaemons/ssh.plist /Library/LaunchDaemons/ssh-alt.plist

Edit the line just under SockServiceName; it is a string holding the port number or port alias, which is why changing /etc/services works. You can either add the numeric port you want to the array in the plist, or add the numeric port you want to /etc/services with your own identifier, like my-ssh-alt, and change to that in the plist.

If you've copied to a new plist, load the new plist:

sudo launchctl load -w /Library/LaunchDaemons/ssh-alt.plist

Else reload the ssh config, which I'll just copy from the other answer:

Enter the following command to stop it:
sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist

Now enter the following command to start SSH again:
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
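
The behaviour described in Solution 3, as an added example that is not part of the original answers: it resolves the port launchd actually binds from the plist and /etc/services, reports the sshd_config Port value that has no effect because sshd is started with -i, and builds the alternate job definition. The inputs are constructed samples trimmed from the files quoted on this page; the label local.sshd-alt and the function names are hypothetical.

```python
import plistlib

# Constructed sample inputs, trimmed from the files quoted on this page.
SSH_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.openssh.sshd</string>
  <key>ProgramArguments</key>
  <array><string>/usr/sbin/sshd</string><string>-i</string></array>
  <key>Sockets</key><dict><key>Listeners</key><dict>
    <key>SockServiceName</key><string>ssh</string>
  </dict></dict>
</dict></plist>"""
SERVICES = "ssh 22/udp # SSH Remote Login Protocol\nssh 22/tcp # SSH Remote Login Protocol\n"
SSHD_CONFIG = "Protocol 2\nPort 2222\nAddressFamily inet\n"

def service_port(services_text, name, proto="tcp"):
    """Numeric strings pass through; names resolve via /etc/services text."""
    if name.isdigit():
        return int(name)
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in [fields[0]] + fields[2:]:
            port, _, line_proto = fields[1].partition("/")
            if line_proto == proto:
                return int(port)
    raise LookupError(f"service {name!r}/{proto} not found")

def effective_port(plist_bytes, services_text):
    """Port launchd binds for this job, taken from Sockets/Listeners."""
    listener = plistlib.loads(plist_bytes)["Sockets"]["Listeners"]
    return service_port(services_text, listener["SockServiceName"])

def ignored_port_directive(plist_bytes, sshd_config_text):
    """If the job starts sshd with -i, launchd already owns the socket, so
    return the sshd_config Port value that has no effect (else None)."""
    if "-i" not in plistlib.loads(plist_bytes).get("ProgramArguments", []):
        return None
    for line in sshd_config_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "port":
            return int(parts[1])
    return None

def alt_job(plist_bytes, port, label):
    """Copy of the job with its own Label and a numeric SockServiceName."""
    job = plistlib.loads(plist_bytes)
    job["Label"] = label  # launchd labels must be unique per job
    job["Sockets"]["Listeners"]["SockServiceName"] = str(port)
    return plistlib.dumps(job)
```

With the asker's files this reports port 22 as the bound port and 2222 as the ignored directive, which matches the lsof output in the question.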