16

I have a Mac OS X machine (Mac mini running 10.5) with Remote Login enabled. I want to open the sshd port to the Internet to be able to login remotely.

For security reasons I want to disable remote logins using passwords, allowing only users with a valid public key to login.

What is the best way to set this up in Mac OS X?

Christian Berg

4 Answers

22

After a little trial and error, I found the answer myself. These options need to be set in /etc/sshd_config:

PasswordAuthentication no
ChallengeResponseAuthentication no

Only changing one of them is not enough.

Christian Berg
    In El Capitan (and probably in Mavericks as well), the location changed to `/etc/ssh/sshd_config` instead of just `/etc/sshd_config` – yorch Oct 25 '15 at 01:15
  • That was the fix. A LOT of online resources do not mention the key to this whole thing: `ChallengeResponseAuthentication no`. – the_real_one Mar 19 '19 at 23:24
1

In /etc/ssh/sshd_config

# To disable tunneled clear text passwords, change to no here! Also,
# remember to set the UsePAM setting to 'no'.
#PasswordAuthentication yes
#PermitEmptyPasswords no

Set PasswordAuthentication to no and remove the # before it.

user21715
0

If you still can't get it to work with all the comments here that modify /etc/ssh/sshd_config, check out this line from man sshd on OS X, under the FILES section:

~/.ssh/authorized_keys
             Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used for logging in as this user.  The format of this file is described above.
             The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.

             **If this file, the ~/.ssh directory, or the user's home directory are writable by other users, then the file could be modified or replaced by
             unauthorized users.  In this case, sshd will not allow it to be used unless the StrictModes option has been set to ``no''.**

So you can set, in /etc/ssh/sshd_config:

StrictModes no

(I didn't test that way), or ensure that the permissions of the files mentioned above in the doc are correct:

chmod 0600 ~/.ssh/authorized_keys
chmod 0700 ~/.ssh

Setting permissions for ~ is more complex, since it may have special attributes like setuid bit, etc. First, use stat to find the actual, absolute, octal permissions of ~:

stat -f %Op ~

The syntax for stat seems to be different on the OS X version than on the GNU version. For me, this initially output:

40777

The last two 7's mean that it's rwx for group and others; we need them to be 5, to remove write permissions for group and others, as specified in the doc: only the user can have write on ~. So, perform:

chmod 0755 ~

NOTE: only change the last two numbers; if you change anything else, you'll be changing your permissions (the third octal number), or special file properties (anything before the last three octal numbers).

After doing this, public key authentication finally worked. Worth it.

Life5ign
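The two sshd_config options from the accepted answer and the StrictModes permission rules quoted from man sshd in the answer above can be checked together with a small script like this one (an added example, not code from any of the answers; it assumes a POSIX sh with awk, either BSD/macOS or GNU stat, and takes the config file and home directory as arguments):

```sh
# Added example: audit the two sshd_config options from the accepted answer
# and the StrictModes permission rules quoted from man sshd. Assumes POSIX sh
# with awk, and either BSD/macOS stat or GNU stat; all paths are arguments.

# sshd_option FILE KEY: print the value of the first uncommented KEY in FILE.
# sshd honours the first occurrence of a keyword, and keywords are
# case-insensitive; prints "default" when the keyword is not set at all.
sshd_option() {
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'default\n'; fi
}

# password_logins_disabled FILE: succeed only when both options are "no".
# PasswordAuthentication alone still leaves keyboard-interactive (PAM)
# logins open, which is why the accepted answer sets both.
password_logins_disabled() {
    [ "$(sshd_option "$1" PasswordAuthentication)" = no ] &&
    [ "$(sshd_option "$1" ChallengeResponseAuthentication)" = no ]
}

# mode_of PATH: permission bits in octal (e.g. 755), on GNU or BSD/macOS stat.
mode_of() {
    if stat -c %a / >/dev/null 2>&1; then
        stat -c %a "$1"        # GNU stat
    else
        stat -f %Lp "$1"       # BSD/macOS stat: user/group/other bits, octal
    fi
}

# strictmodes_ok HOME: succeed when HOME, HOME/.ssh and
# HOME/.ssh/authorized_keys exist and none is writable by group or others,
# which is the condition sshd enforces with StrictModes yes (the default).
strictmodes_ok() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p" >&2; return 1
        fi
        m=$(mode_of "$p")
        # 022 = the write bit for group and for others
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "writable by group/others (mode $m): $p" >&2; return 1
        fi
    done
    return 0
}
```

Run it as `password_logins_disabled /etc/ssh/sshd_config && strictmodes_ok "$HOME"` (or `/etc/sshd_config` on older releases) before you expose the port; a non-zero exit names the offending option or path.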
0

It's actually in /etc/sshd_config that you set the following line:

PasswordAuthentication no

If you are using a stock install (i.e., you didn't build/install it yourself from source), launchd should take care of picking up the new config without having to restart the daemon.

user5336
  • This is not working, I can still login with my password. The logfile /var/log/secure.log contains an entry like this: sshd[16306]: Accepted keyboard-interactive/pam for christian from 192.168.178.20 port 63841 ssh2 I believe the PasswordAuthentication option only controls clear-text password logins, not keyboard-interactive? – Christian Berg Nov 18 '09 at 18:33