Secure Remote Access to Your Mac using SSH – Part 1

May 6, 2009 in How-To, Tips & Tricks by Bob Faulhaber

Did you ever need to access your home or office computer while on the road? Concerned about security using public services? Now you can securely access your Mac from anywhere on the Internet using SSH and Public Key Authentication.

Step 1: Enable Remote Login on System Preferences under Sharing

1. Enable Remote Login on System Preferences under Sharing
2. To enhance security, make sure that access is only allowed for authorized user accounts


Step 2: Add Warning Banner

1. Create a generic login banner called sshd_banner.txt on your Desktop using TextEdit. It should warn users that they are accessing a system and that, if unauthorized, they may face criminal or legal action. This will not stop malicious users, but it gives you the right to press charges if they are caught. (See sample)
2. Change to the /etc directory by typing the cd /etc command
3. Copy the sshd_banner.txt file from your Desktop using the following command:
sudo cp /Users/Name/Desktop/sshd_banner.txt sshd_banner.txt
where Name is your logged in username.
4. You will be prompted for the root password. Provide it when prompted and press Enter.


Step 3: Editing sshd_config Configuration Settings

The sshd_config file is located in the /etc directory.

1. Edit the file with vi using the following command: sudo vi sshd_config
2. Provide the root password when prompted.

3. Make the following changes to the configuration file:

Under Authentication section:
a. Remove # from LoginGraceTime
b. Remove # from PermitRootLogin
c. Change Value of PermitRootLogin to no
d. Remove # from StrictModes
e. Remove # from MaxAuthTries
f. Change Value of MaxAuthTries from 6 to 3

Scroll down and locate RhostsRSAAuthentication
Change Value to no

Scroll down and locate AllowTCPForwarding
Remove # from AllowTCPForwarding

Scroll down and locate PrintLastLog
Remove # from PrintLastLog

Scroll down and locate UsePrivilegeSeparation
Remove # from UsePrivilegeSeparation

Scroll down to Banner
Remove # from Banner
Change path to /etc/sshd_banner.txt

When done making all these changes, save the file and exit the vi editor.
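
To confirm that the Step 3 edits were saved as intended, the file can be audited from the Terminal. The script below is an added example, not part of the original article; the function names and the sample file contents are made up for illustration. It relies on two sshd_config rules: keywords are case-insensitive, and the first uncommented value for a keyword is the one sshd uses.

```shell
# Added example (not from the original article): audit sshd_config against Step 3.

# Print the value of the first uncommented occurrence of a keyword.
# sshd keywords are case-insensitive and the first value read is the one used.
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) exit 1 }' "$1"
}

# Print one line per deviation; the return status is the number of deviations.
audit_sshd_config() {  # usage: audit_sshd_config FILE
    cfg=$1 fails=0
    # Settings for which Step 3 names a value.
    for pair in PermitRootLogin=no MaxAuthTries=3 RhostsRSAAuthentication=no \
                Banner=/etc/sshd_banner.txt; do
        key=${pair%%=*} want=${pair#*=}
        if got=$(sshd_value "$cfg" "$key"); then
            [ "$got" = "$want" ] && continue
            echo "FAIL $key is '$got', expected '$want'"
        else
            echo "FAIL $key is commented out or missing"
        fi
        fails=$((fails + 1))
    done
    # Settings Step 3 only uncomments, leaving the shipped value in place.
    for key in LoginGraceTime StrictModes AllowTCPForwarding PrintLastLog \
               UsePrivilegeSeparation; do
        sshd_value "$cfg" "$key" >/dev/null && continue
        echo "FAIL $key is still commented out"
        fails=$((fails + 1))
    done
    return "$fails"
}

# Constructed sample: a half-edited file (values here are illustrative only).
sample=$(mktemp)
cat > "$sample" <<'EOF'
LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
MaxAuthTries 3
RhostsRSAAuthentication no
AllowTcpForwarding yes
#Banner /some/path
EOF
audit_sshd_config "$sample" || echo "$? deviation(s) found"
rm -f "$sample"
```

To check the real file, call audit_sshd_config /etc/sshd_config after saving your changes; no output and a zero exit status mean every Step 3 setting is in place.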


Step 4: Test SSH to your Mac

Your computer should now be ready and capable of accepting SSH connections.

Using another computer on your local network, test the connection by using the following command:

ssh Username@IP_address

where Username is the account you set up when you enabled Remote Access and IP_address is the TCP/IP address of your computer on the local network.

If everything is correct, you will see the banner you created and be prompted for the password associated with the account you are trying to log in with.

This completes Part 1 of this Tutorial.

In Part 2, we will describe how to set up the more secure Public Key Authentication and how to configure your router for Port Forwarding to allow access from the Internet.