Tutorial: SSH To Alternate Ports and Enabling Multiple SSH Daemons
For one reason or another people often find themselves needing to ssh/sftp to an alternate port (default is port 22) on their systems. Additionally, sometimes it may be beneficial to have ssh open on multiple ports simultaneously. All of this can be done on Mac OS X although all of the documentation required to get this to work (under Tiger at least) appears to be spread out over several documents across the web. Since I recently had to set up ssh monitoring on multiple ports on a test system, I thought I’d share my experience in case someone else may need to do the same thing. These instructions are for Mac OS X Tiger.
Enabling Monitoring of the New Port
You need admin privileges to do the following, and make sure ssh (Remote Login) is enabled in the Sharing preference pane:
1) Edit the file /etc/sshd_config adding/enabling the following line(s):
# $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

Port 22
# This is the extra port we want to ssh/sftp to
Port 9222
#Protocol 2,1
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
2) Save the changes.
Port 22 above should already be in the default file, although it may need to be uncommented. I've just randomly picked port 9222; of course you'd want to check that port 9222 isn't being used for something else. Also, it's important that you check with your network admin that the port of interest isn't blocked by some firewall rule (for example if you are trying to ssh from home to work and have to go through a corporate firewall).
Create a Plist for LaunchServices
1) cd into /System/Library/LaunchDaemons
There is a file called ssh.plist in that directory. Make a copy of it:
2) sudo cp ssh.plist ssh2.plist
3) Edit the file ssh2.plist, changing the following lines (below is a diff of the two files); change only ssh2.plist:
--- ssh.plist 2006-10-13 12:06:19.000000000 -0500 +++ ssh2.plist 2006-10-16 11:31:22.000000000 -0500 @@ -3,7 +3,7 @@ <plist version="1.0"> <dict> <key>Label</key> - <string>com.openssh.sshd</string> + <string>com.openssh2.sshd</string> @@ -23,7 +23,7 @@ <key>SockServiceName</key> - <string>ssh</string> + <string>ssh2</string> </dict>
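Review bot: The second hunk makes launchd look up the name ssh2 when it creates the listening socket, but ssh2 is not a standard service name, so this plist only works once the ssh2 entry has been added to /etc/services (the "Bless the New Port" step further down). Do the /etc/services edit before loading this plist, or note the dependency next to the diff, so a reader who loads it early does not end up with a daemon that has no socket. The Label change in the first hunk is needed as well, since two loaded plists cannot share com.openssh.sshd.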
What we have done now is create a new plist that Launch Services can use to instantiate (or whatever the term is) a second SSH daemon to listen for incoming connections. One daemon will listen on port 22, the other on port 9222.
Bless the New Port
We need to take one more step to enable ssh monitoring of the new port.
1) Edit the file /etc/services making the following changes:
ssh             22/udp      # SSH Remote Login Protocol
ssh             22/tcp      # SSH Remote Login Protocol

to

ssh2            9222/tcp    # SSH Remote Login Protocol added DG
ssh2            9222/tcp    # SSH Remote Login Protocol added DG
2) Save the changes.
At this point you need to notify Launch Services to read the new plist and restart SSH. You can do this at the command line, but I can never remember the commands. So the simplest thing to do is reboot the system.
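Before rebooting, it is worth confirming that the three edits above agree with each other: the Port directives in sshd_config, the name the plist's SockServiceName points at, and the /etc/services entry that name resolves through. The script below is an added example, not part of the original post; the function names (sshd_ports, services_port, plist_sock_service, check_plist_port, make_sample_files) are my own, and the sample sshd_config, services and plist files it writes are constructed so the checks can run against copies rather than the live files in /etc and /System/Library/LaunchDaemons.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-reboot sanity check for
# the two-port sshd setup. File paths are parameters, so the functions can
# be pointed at the real Tiger files (/etc/sshd_config, /etc/services,
# /System/Library/LaunchDaemons/ssh2.plist) or at copies.

# Print the port from every active "Port" directive in an sshd_config, one
# per line. Commented-out directives (#Port ...) are skipped.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2 }' "$1"
}

# Resolve a service name plus protocol (e.g. ssh2 tcp) to its port number
# through an /etc/services-style file. Prints nothing when there is no entry.
services_port() {
    awk -v name="$2" -v proto="$3" '
        { sub(/#.*/, "") }                      # drop trailing comments
        $1 == name {
            split($2, p, "/")                   # "9222/tcp" -> p[1]=9222 p[2]=tcp
            if (p[2] == proto) { print p[1]; exit }
        }' "$1"
}

# Pull the SockServiceName string out of a launchd plist. The key and its
# value may sit on separate lines, so the file is joined before matching.
plist_sock_service() {
    tr -d '\n\r' < "$1" |
        sed -n 's/.*<key>SockServiceName<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p'
}

# The tutorial changes three things that must agree: the plist's
# SockServiceName, the /etc/services entry it resolves through, and a Port
# directive in sshd_config for that same port. Return 0 when they agree,
# 1 (with the reason on stderr) when any link in that chain is missing.
check_plist_port() {
    plist=$1; sshd_conf=$2; services=$3
    name=$(plist_sock_service "$plist")
    [ -n "$name" ] || { echo "$plist: no SockServiceName" >&2; return 1; }
    port=$(services_port "$services" "$name" tcp)
    [ -n "$port" ] || { echo "$plist: '$name' is not in $services" >&2; return 1; }
    sshd_ports "$sshd_conf" | grep -qx "$port" ||
        { echo "$plist: '$name' is port $port but $sshd_conf has no Port $port" >&2; return 1; }
    echo "$plist: $name -> $port OK"
}

# Constructed sample files (not copied from any real system) so the checks
# can be exercised without touching /etc. Prints the directory they are in.
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_config" <<'EOF'
#Port 2222
Port 22
Port 9222
#ListenAddress 0.0.0.0
EOF
    cat > "$dir/services" <<'EOF'
ssh             22/udp     # SSH Remote Login Protocol
ssh             22/tcp     # SSH Remote Login Protocol
ssh2            9222/tcp   # SSH Remote Login Protocol added DG
EOF
    cat > "$dir/ssh2.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.openssh2.sshd</string>
    <key>SockServiceName</key>
    <string>ssh2</string>
</dict>
</plist>
EOF
    # A plist whose service name was never added to services: the failure path.
    sed 's/ssh2/ssh3/' "$dir/ssh2.plist" > "$dir/ssh3.plist"
    echo "$dir"
}

# Stand-alone run against the constructed files.
demo=$(make_sample_files)
echo "sshd will listen on: $(sshd_ports "$demo/sshd_config" | tr '\n' ' ')"
check_plist_port "$demo/ssh2.plist" "$demo/sshd_config" "$demo/services"
check_plist_port "$demo/ssh3.plist" "$demo/sshd_config" "$demo/services" || echo "(ssh3.plist rejected, as intended)"
rm -rf "$demo"
```

Against a real system, call check_plist_port with the live paths for both ssh.plist and ssh2.plist; a failure on the second one before the reboot is much easier to diagnose than a port that silently never answers afterwards.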
Once the system is rebooted, from another computer you should be able to ssh to port 22 as normal but also to the new port:
ssh [email protected] -p 9222
And you should be welcomed by our good friend Darwin:
[XXXXXX:~] dgohara% ssh [email protected] -p 9222
Password:
Last login: Fri Oct 20 07:56:04 2006
Welcome to Darwin!
[XXXXXX:~] admin%
That should be it. If you run into problems, post here and I’ll try to help!