Thursday, December 11, 2008


The following are tips for both the Secure Shell daemon (server) and the SSH command line client included with Mac OS X.

SSH daemon (server)

The first time sshd runs, it generates three host key pairs and stores them in the /private/etc/ directory, each private key next to its .pub public half:

  • ssh_host_key and ssh_host_key.pub (v1)
  • ssh_host_dsa_key and ssh_host_dsa_key.pub (v2 DSA)
  • ssh_host_rsa_key and ssh_host_rsa_key.pub (v2 RSA)

The private halves must stay readable by root only; the .pub halves are what clients record in their known_hosts files.

sshd listens on TCP port 22 by default. The global server configuration file is /private/etc/sshd_config (on Mac OS X /etc is a symlink to /private/etc, so /etc/sshd_config reaches the same file):

To deny all remote SSH root logins (generally a good idea), set this value in the sshd_config file:
PermitRootLogin no

To disable the less secure v1 SSH protocol (recent OpenSSH releases no longer ship v1 at all), set this value in the sshd_config file:
Protocol 2

To disable X11 forwarding, set this value in the sshd_config file:
X11Forwarding no

To disable password logins (forcing public/private key authentication), set this value in the sshd_config file:
PasswordAuthentication no
Note that this alone does not stop passwords typed through PAM's keyboard-interactive method; on Mac OS X also set ChallengeResponseAuthentication no, or a password prompt will still appear.
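The four directives above are easy to set and just as easy to leave half-done (a commented-out line, a later duplicate, a "2,1" protocol list). The following is an added example, not code from the original post: a small POSIX shell audit that reports the effective value of each directive in an sshd_config the way sshd reads it (first uncommented occurrence wins). The two config files it checks are constructed here so it runs offline; point it at /private/etc/sshd_config in practice.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the four hardening directives
# from the post. The sample configs below are constructed for this demo.

# Print the effective value of a directive. sshd takes the FIRST occurrence
# of a keyword and ignores comment lines, so later duplicates do not count.
sshd_value() {
    # $1 = keyword (case-insensitive), $2 = config file
    awk -v key="$1" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# Report each directive that is not set to the hardened value.
# Returns 0 when all four are correct, 1 otherwise.
audit_sshd_config() {
    cfg="$1"
    rc=0
    for pair in PermitRootLogin=no Protocol=2 X11Forwarding=no PasswordAuthentication=no; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(sshd_value "$key" "$cfg")
        if [ "$have" != "$want" ]; then
            echo "FAIL $key is '${have:-<default>}', want '$want'"
            rc=1
        else
            echo "ok   $key $have"
        fi
    done
    return $rc
}

# --- constructed sample 1: a default-looking config with weak settings ---
weak=$(mktemp)
cat > "$weak" <<'EOF'
#PermitRootLogin yes
Protocol 2,1
X11Forwarding yes
PasswordAuthentication yes
# this later duplicate does NOT override the first setting above
PasswordAuthentication no
EOF

# --- constructed sample 2: the hardened settings from the post ---
hard=$(mktemp)
cat > "$hard" <<'EOF'
PermitRootLogin no
Protocol 2
X11Forwarding no
PasswordAuthentication no
EOF

audit_sshd_config "$weak" || echo "-> $weak needs work"
audit_sshd_config "$hard" && echo "-> $hard passes"
```

The checker does not understand Match blocks; when a config uses them, compare against the output of sshd -T, which prints the fully resolved configuration. The PermitRootLogin line in the weak sample is commented out, so the audit reports it as the compiled-in default rather than as "yes".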

SSH client

Note: because of its sensitive nature, the $HOME/.ssh/ directory and most of the files in it MUST be readable and writable by the owner only and not accessible to group or other: mode 700 (drwx------) on the directory and 600 (-rw-------) on private keys, authorized_keys and config. Only the .pub public keys may be world-readable.
Otherwise the client refuses to use a private key that others can read, and sshd (with the default StrictModes yes) ignores an authorized_keys file whose directory or file is group- or world-writable. If you copy personal SSH files to a new system and they don't work, check the permissions first.
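The permission rule above is the first thing to check when a copied key stops working. The following is an added example, not code from the original post: a portable shell check that walks a .ssh directory and prints the chmod needed for anything too open. The directory it inspects is constructed here with deliberately sloppy modes so the check runs offline; run it against "$HOME/.ssh" in practice. It assumes either GNU stat (-c) or BSD/Mac OS X stat (-f) is available.

```shell
#!/bin/sh
# Added example: check that a ~/.ssh directory has the permissions ssh and
# sshd require. The sample directory below is constructed for this demo.

# Octal permission bits of a path, portable across GNU stat (-c %a) and
# BSD/Mac OS X stat (-f %Lp).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Return 0 if no group/other bits are set (700, 600 or stricter).
private_mode() {
    case "$(mode_of "$1")" in
        700|600|500|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk a .ssh directory: the directory itself and every private file must
# be owner-only. Public keys (*.pub) and known_hosts may be world-readable.
# Prints one FIX line per problem and returns 1 if any were found.
check_ssh_dir() {
    dir="$1"
    rc=0
    private_mode "$dir" || { echo "FIX chmod 700 $dir (is $(mode_of "$dir"))"; rc=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.pub|*/known_hosts) continue ;;
        esac
        private_mode "$f" || { echo "FIX chmod 600 $f (is $(mode_of "$f"))"; rc=1; }
    done
    return $rc
}

# --- constructed sample: a freshly copied .ssh with sloppy modes ---
sample=$(mktemp -d)
mkdir "$sample/.ssh"
touch "$sample/.ssh/id_rsa" "$sample/.ssh/id_rsa.pub" \
      "$sample/.ssh/authorized_keys" "$sample/.ssh/config"
chmod 755 "$sample/.ssh"                                    # too open
chmod 644 "$sample/.ssh/id_rsa" "$sample/.ssh/id_rsa.pub"  # private key too open
chmod 600 "$sample/.ssh/authorized_keys" "$sample/.ssh/config"

check_ssh_dir "$sample/.ssh" || echo "-> permissions need fixing"

# Apply the reported fixes and re-check.
chmod 700 "$sample/.ssh"
chmod 600 "$sample/.ssh/id_rsa"
check_ssh_dir "$sample/.ssh" && echo "-> ok"
```

The check is deliberately stricter than sshd's StrictModes, which only rejects group- or world-writable files: a world-readable private key is a compromise waiting to happen even though sshd never looks at it.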

The system-wide client configuration file is /private/etc/ssh_config (also reachable as /etc/ssh_config).
The per-user file, $HOME/.ssh/config, is read first and takes precedence: for each option the first value obtained wins, so a user setting overrides the system-wide default, and a command-line option overrides both.

To connect to an SSH server using a different user ID:
ssh userid@server-name-or-IP

To securely copy local files to a remote server, use scp:
scp localfile userid@server-name-or-IP:remotefile

To securely copy remote files to the local machine, use scp:
scp userid@server-name-or-IP:remotefile localfile

Using public/private key encryption for authentication

First, generate a key pair so you can log in without typing an account password:
ssh-keygen -t dsa
(DSA keys are limited to 1024 bits and have been refused by default since OpenSSH 7.0; on any current system use ssh-keygen -t rsa -b 4096 instead.) The system prompts for a passphrase that encrypts the private key on disk, then writes the pair to two files in $HOME/.ssh/:
id_dsa (v2 private key) and id_dsa.pub (v2 public key)
Next, append the contents of the public key file to $HOME/.ssh/authorized_keys on each server where you want to log in (the older name authorized_keys2 is still read for compatibility, but authorized_keys is the default). The private key never leaves your machine.
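The key-based login setup above, carried through as one script: this is an added example, not code from the original post. It generates the pair, installs the public key into an authorized_keys file with the permissions sshd requires, refuses to add the same key twice, and then verifies that the fingerprint of what landed in authorized_keys matches the key you hold. It assumes ssh-keygen is installed and uses an RSA key rather than the post's DSA key. The "server" is a scratch directory so the script runs offline; on a real server that directory is the remote account's ~/.ssh. The empty passphrase is only so the example runs unattended; keep a passphrase on real keys.

```shell
#!/bin/sh
# Added example: generate a key pair, install the public half into an
# authorized_keys file, and verify the installation by fingerprint.
# Directories below are scratch locations constructed for this demo.

# Generate a key pair into $1/id_rsa protected by passphrase $2.
make_keypair() {
    mkdir -p "$1" && chmod 700 "$1"
    ssh-keygen -q -t rsa -b 3072 -N "$2" -f "$1/id_rsa" -C "example key"
}

# Append a public key ($1) to $2/authorized_keys, creating the directory and
# file with the modes sshd's StrictModes requires. Skips the key if the
# identical line is already present, so re-running is safe.
install_pubkey() {
    pub="$1"; serverdir="$2"
    mkdir -p "$serverdir" && chmod 700 "$serverdir"
    touch "$serverdir/authorized_keys" && chmod 600 "$serverdir/authorized_keys"
    grep -qxF "$(cat "$pub")" "$serverdir/authorized_keys" \
        || cat "$pub" >> "$serverdir/authorized_keys"
}

# Fingerprint(s) of the key(s) in a file; works on a .pub file and on an
# authorized_keys file (one line of output per key).
fingerprint() {
    ssh-keygen -l -f "$1" | awk '{print $2}'
}

# Return 0 if the key in $1 (our .pub) is what $2 (authorized_keys) holds.
verify_install() {
    [ -n "$(fingerprint "$1")" ] && [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]
}

if command -v ssh-keygen >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_keypair "$work/client" ""
    install_pubkey "$work/client/id_rsa.pub" "$work/server"
    install_pubkey "$work/client/id_rsa.pub" "$work/server"   # second run is a no-op
    if verify_install "$work/client/id_rsa.pub" "$work/server/authorized_keys"; then
        echo "authorized_keys holds our key: $(fingerprint "$work/client/id_rsa.pub")"
    else
        echo "fingerprint mismatch: authorized_keys does not hold our key" >&2
    fi
else
    echo "ssh-keygen not found; install OpenSSH to run this example" >&2
fi
```

Comparing fingerprints rather than eyeballing the pasted line catches the usual copy errors (a wrapped line, a truncated base64 blob, the wrong key file) before you lock yourself out by setting PasswordAuthentication no.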

To avoid typing the passphrase every time the private key is needed, load the key into ssh-agent once: the agent keeps the decrypted key in memory and answers the client's signing requests for the rest of the session, so the key itself is never written out unencrypted.


To start an agent and load secret keys manually, execute:

  1. eval $(ssh-agent) (starts the agent and exports SSH_AUTH_SOCK and SSH_AGENT_PID into the current shell; running ssh-agent by itself only prints those assignments without applying them)
  2. ssh-add keyfile (once for each key; ssh-add -l lists the loaded keys and ssh-add -D removes them)

It is usually more convenient to start ssh-agent and load keys from your bash login script (for example ~/.bash_profile). Linux users can use the keychain script, which finds an already running agent and reuses it across logins instead of starting a new one each time.

Port Forwarding

SSH can forward local and remote TCP connections through its encrypted channel. Only root can bind the listening end of a forward to a privileged port (below 1024).

To forward a local port: connections to localport on this machine are carried over the SSH session and delivered to remotehost:remoteport, with that destination resolved from the server's side (so remotehost may be localhost, meaning the server itself, or a host reachable only from the server):
ssh userid@remotehost -L localport:remotehost:remoteport

To forward a remote port: the server listens on remoteport (on its loopback interface only, unless GatewayPorts is enabled in sshd_config) and connections to it are carried back and delivered to host:localport, with that destination resolved from this machine's side:
ssh userid@remotehost -R remoteport:host:localport