SSH (Secure SHell) is a good, secure way to connect to your OSX machine from a remote one. All traffic over SSH is encrypted, including the password exchange! Luckily SSH is already on your machine by default; you only have to enable it. To enable SSH go to “System Preferences” > “Sharing” and select “Remote Login”. There you can also choose which user accounts are allowed to log in with SSH (allow only the ones that really need it). Be careful: if your machine is reachable from the Internet (a public IP address, or port 22 forwarded on your router) it is now exposed to the world with port 22 open, and attackers will try to guess account names and passwords to get in. This post also gives some hints about SSH security. First some SSH details:
SSH port. Default SSH runs on port 22.
SSH Clients. All Linux/Unix-like machines, OSX included, have an SSH client (just type “ssh” in a terminal). For Windows you can use an SSH client like “PuTTY”.
SSH server config. On the server side (your OSX machine) the SSH server runs as a daemon called sshd. On older OSX releases its configuration is in /etc/sshd_config; newer releases keep it in /etc/ssh/sshd_config. You have to be “root” (use sudo) to edit the config. Edits do not affect sessions that are already open, so keep your current session open and test the changed config with a new connection before you log out.
SSH client files. SSH also stores some client info. If you use your OSX machine as an SSH client you can find the files in the hidden directory .ssh in your home directory. To get there open a Terminal window and type:
- cd (with no argument cd goes to your home dir; cd $HOME does the same, note the capitals, $home is not set)
- ls -a (the -a lets you view hidden files and directories; if you have used SSH as a client there is probably an .ssh directory)
- cd .ssh (include the DOT before ssh, to have a look inside the dir)
SSH logs. Have a look at what’s happening with SSH. On older OSX releases sshd writes to /var/log/secure.log (you may need sudo to read it); on newer macOS releases that file no longer exists and you query the unified log instead with: log show --predicate 'process == "sshd"' --last 1h . To view the last 10 entries that have something to do with SSH, open a Terminal and type:
- cd /var/log
- grep ssh secure.log | tail (grep “ssh” finds all lines in the file “secure.log” containing “ssh”; tail shows only the last 10 lines)
Lines saying “Failed password for … from <address>” are the password guesses mentioned above; a burst of them from one address is a brute-force attempt, and an “Accepted password” from the same address right after it is the thing you really do not want to see.
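To go a step beyond grep | tail, here is a small added shell example (not from the original post) that pulls the failed logins out of sshd log lines and counts them per source address, so a brute-force attempt stands out. The log lines are constructed in OpenSSH's usual format with documentation IP addresses; they are not from a real secure.log. To run the functions on the real file, pipe grep sshd /var/log/secure.log into them instead of sample_log.

```shell
#!/bin/sh
# Added example, not from the original post: failed-login statistics from
# sshd log lines. The sample below is constructed (TEST-NET addresses), it
# stands in for `grep ssh /var/log/secure.log`.

sample_log() {
  cat <<'EOF'
Mar  3 22:10:01 mymac sshd[4121]: Invalid user admin from 203.0.113.5
Mar  3 22:10:03 mymac sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 22:10:07 mymac sshd[4125]: Failed password for invalid user oracle from 203.0.113.5 port 51030 ssh2
Mar  3 22:10:12 mymac sshd[4128]: Failed password for root from 203.0.113.5 port 51041 ssh2
Mar  3 22:11:40 mymac sshd[4130]: Failed password for bob from 198.51.100.23 port 60210 ssh2
Mar  3 22:11:44 mymac sshd[4130]: Accepted publickey for bob from 198.51.100.23 port 60210 ssh2
Mar  3 22:12:09 mymac sshd[4133]: Accepted password for alice from 192.0.2.77 port 40412 ssh2
EOF
}

# Reads log lines on stdin, prints "<count> <ip>" for every source address
# that had at least one failed login, most failures first.
count_failed_logins() {
  grep 'sshd\[[0-9]*\]: Failed ' |
    sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# Reads log lines on stdin, prints only the addresses with more than $1
# failures (a crude brute-force signal; $1 defaults to 2).
brute_force_sources() {
  threshold=${1:-2}
  count_failed_logins | awk -v t="$threshold" '$1 > t { print $2 }'
}

# Reads log lines on stdin, prints "<user> <ip> <method>" for every successful
# login, so you can cross-check whether a guessing source ever got in.
accepted_logins() {
  grep 'sshd\[[0-9]*\]: Accepted ' |
    sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) .*/\2 \3 \1/p'
}

echo "failed logins per source:";   sample_log | count_failed_logins
echo "likely brute-force sources:"; sample_log | brute_force_sources 2
echo "successful logins:";          sample_log | accepted_logins
```

On the sample, 203.0.113.5 shows up with three failures and no success, which is the guessing traffic the post warns about; bob's one failure followed by an accepted public-key login from the same address is just a typo, not an attack.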
SSH’s friends. There are some very useful commands that use SSH to communicate securely:
- scp is used to copy files between machines securely over SSH
- sftp is the secure version of ftp, using SSH
Start SSH session. If you have enabled SSH on your OSX machine you can check whether it all works. Open a terminal and type: ssh username@localhost (replace “username” with your OSX account name). If all is well SSH will ask you for your password. Give it your password and you will be connected to your local machine. From a remote machine this works the same, with the name or IP address of your machine instead of localhost 🙂 The first time you connect to a machine SSH shows the fingerprint of its host key and asks you to confirm it; the key is then stored in ~/.ssh/known_hosts and SSH warns you loudly if it ever changes. To exit the SSH session type “exit“.
SSH on a custom port. If you configured the SSH server to listen on a port other than the default 22 you have to tell the client so when connecting: ssh username@system -p 123 (replace “123” with the port you configured and “system” with the name or IP address of the system you are connecting to). The port is the “Port” line in the “/etc/sshd_config” file; note that on OSX, where launchd accepts the connection and hands it to sshd, the listening port is set in launchd’s ssh service (/System/Library/LaunchDaemons/ssh.plist) rather than in sshd_config. Moving the port keeps most automated guessing out of your logs, but it is not a security measure by itself: a port scan finds it.
SSH through a proxy. If you need to go through a proxy with SSH (for instance when you are behind a troublesome corporate firewall…) have a look at this very useful article: SSH through a proxy on your Mac
SSH client time-out. Some networks and firewalls drop a connection that has been idle for a while, so your session dies under you. You can prevent this by having the client send a keepalive message to the server every x seconds. To do this add the following line to your client SSH config file (~/.ssh/config in your home dir; create it if it does not exist):
- ServerAliveInterval 60
This sends a message to the server after 60 seconds of inactivity, effectively preventing the session from being ended for inactivity. The messages travel inside the encrypted channel, so they also let the client notice a dead connection instead of hanging forever.
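As an added example (not from the original post), this is what a complete client config can look like once you combine the keepalive setting with a per-host entry for a server on a custom port, so that you no longer have to remember the -p option. The host name mymac, its address, port 2222 and the user name are assumptions; substitute your own.

```text
# ~/.ssh/config  (added example; host name, address, port and user are assumptions)

# Settings for every host
Host *
    # send a keepalive after 60 s of silence, and give up after 3 unanswered
    # ones, so a dead link is noticed after about 3 minutes instead of never
    ServerAliveInterval 60
    ServerAliveCountMax 3

# "ssh mymac" now means "ssh -p 2222 username@mymac.example.org"
Host mymac
    HostName mymac.example.org
    Port 2222
    User username
    IdentityFile ~/.ssh/id_rsa
```

The file is read by the ssh client only, so it does not need root; SSH refuses to use it if other users can write to it, so keep it owned by you with mode 600.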
Thoughts on SSH security. The default user/pass login is an easy target for hackers. SSH has something much better than user/pass: public-key authentication. In short, you generate a key pair. The public key goes onto the SSH server, the private key stays on the SSH client, and SSH logs you in when the client proves it holds the private key that matches a public key on the server (the private key itself is never sent over the wire). This is a pretty good security mechanism, but you have to keep your private key safe of course: anyone who copies it can log in as you, which is why putting a passphrase on it is a good idea.
Create the public/private key pair with:
- Go to your home dir: cd
- Type: ssh-keygen -t rsa (add -b 4096 for a longer key; older releases default to a shorter one)
ssh-keygen will ask you for a passphrase. You will be asked for it every time you use the key, unless you load the key into ssh-agent once per login session. You can also leave it empty, but then anyone who gets hold of the file can use the key; it’s up to you. Now you will have 2 files in the .ssh directory in your home dir:
- The private key: id_rsa
- The public key: id_rsa.pub
The id_rsa.pub file needs to be appended to the “authorized_keys” file in YOUR home dir on the SERVER in the .ssh directory (one public key per line). To do this:
- Copy the id_rsa.pub file to the .ssh dir in your home directory on the server, for instance with scp (copy only the .pub file; the private key never leaves the client)
- if there is no “authorized_keys” file, create it with: touch authorized_keys
- append the public key to authorized_keys with: cat id_rsa.pub >> authorized_keys
The id_rsa file is already where it needs to be, in the .ssh dir in your home directory on the client. In the SSH server config (/etc/sshd_config) make sure you at least have these lines, uncommented:
- RSAAuthentication yes
- PubkeyAuthentication yes
- AuthorizedKeysFile .ssh/authorized_keys
(RSAAuthentication only concerns SSH protocol 1 and has been removed from modern OpenSSH, which ignores it as a deprecated option; PubkeyAuthentication is the one that matters for protocol 2.)
Now you should be able to set up an SSH session with the private/public keys. Test that first, and keep the working session open while you change the config, so you cannot lock yourself out. Once key login works you can disable logging in with passwords; that makes life for hackers a bit more difficult. To do this set the following lines in your sshd_config (uncomment them and change the value if they still say “yes”):
- PasswordAuthentication no
- ChallengeResponseAuthentication no
(In recent OpenSSH the second one is called KbdInteractiveAuthentication; the old name still works as an alias.) Check the file for typos with sudo sshd -t, then confirm from a second terminal that a password login is now refused and a key login still works.
What’s left is setting the permissions on the files. sshd checks these when StrictModes is on (the default) and silently refuses keys from a .ssh dir or authorized_keys file that others can write to, so a wrong mode shows up as “it keeps asking for a password”:
- the .ssh directory itself: mode 700, only you can enter it
- id_rsa is your PRIVATE key, only YOU should be able to read this file: mode 600
- id_rsa.pub is your public key, this is not a security sensitive file: mode 644 is fine
- authorized_keys is a sensitive file, someone who can write to it could add his own public key and log in as you! therefore only the owner should be able to write to this file: mode 600
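The whole server-side part of the procedure above (install the public key, set the modes, and verify them) as one added shell example. It is not from the original post; paths are arguments so you can point it at a scratch directory, and the demo at the bottom does exactly that, generating a real key with ssh-keygen when it is installed and falling back to a constructed placeholder key line when it is not.

```shell
#!/bin/sh
# Added example, not from the original post: put a public key into
# authorized_keys and set the permissions sshd's StrictModes expects.

# mode_of FILE -> the ten-character mode string from ls, e.g. "-rw-------"
mode_of() { ls -ld "$1" | cut -c1-10; }

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS
# Appends the key once (re-running it must not duplicate the entry) and locks
# down both the file and its .ssh directory. sshd (StrictModes yes, the
# default) ignores authorized_keys if either is group- or world-writable.
install_pubkey() {
  pub=$1; auth=$2; dir=$(dirname "$auth")
  mkdir -p "$dir"
  chmod 700 "$dir"
  touch "$auth"
  if ! grep -qxF "$(cat "$pub")" "$auth"; then
    cat "$pub" >> "$auth"
  fi
  chmod 600 "$auth"
}

# check_perms SSH_DIR -> 0 when every file has the expected mode, 1 otherwise
check_perms() {
  d=$1; rc=0
  [ "$(mode_of "$d")" = "drwx------" ] || { echo "bad mode on $d"; rc=1; }
  for f in id_rsa authorized_keys; do
    [ -e "$d/$f" ] || continue
    [ "$(mode_of "$d/$f")" = "-rw-------" ] || { echo "bad mode on $d/$f"; rc=1; }
  done
  # the public key may be world-readable, but never group/world-writable
  if [ -e "$d/id_rsa.pub" ]; then
    case "$(mode_of "$d/id_rsa.pub")" in
      ?rw-r--r--|?rw-------) ;;
      *) echo "bad mode on $d/id_rsa.pub"; rc=1 ;;
    esac
  fi
  return $rc
}

# Demo against a throw-away directory standing in for ~/.ssh on the server.
demo() {
  tmp=$(mktemp -d)
  if command -v ssh-keygen >/dev/null 2>&1; then
    ssh-keygen -q -t rsa -b 4096 -N "" -f "$tmp/id_rsa"
  else
    # constructed placeholder key line, only so the demo runs without OpenSSH
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC-example username@client" > "$tmp/id_rsa.pub"
    touch "$tmp/id_rsa"; chmod 600 "$tmp/id_rsa"
  fi
  install_pubkey "$tmp/id_rsa.pub" "$tmp/authorized_keys"
  install_pubkey "$tmp/id_rsa.pub" "$tmp/authorized_keys"   # second run: still one entry
  echo "authorized_keys entries: $(wc -l < "$tmp/authorized_keys" | tr -d ' ')"
  check_perms "$tmp" && echo "permissions ok"
  rm -rf "$tmp"
}
demo
```

On your real server you would call install_pubkey with the copied id_rsa.pub and ~/.ssh/authorized_keys, then run check_perms ~/.ssh; the grep -x guard is what keeps authorized_keys from filling up with duplicate lines when you run the step again.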
Have fun with SSH !