Switching ssh to run on an alternate port on macOS High Sierra

By | January 19, 2018

In order to get the ssh daemon to run on an alternate port, I decided to launch a second ssh daemon (let’s call it “ssh-2”) instead of messing with the main one. This has the benefit of being more resistant to any issues with macOS software updates. It also means you won’t screw up your built-in service.

I install an ssh plist in the appropriate directory, /Library/LaunchDaemons (you’ll need to use sudo to edit this file). Let’s call it “ssh-2.plist” and here are the contents (shown with port 2222, change this to be whatever legal value you want):


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- false so launchd loads this job at boot; with true it stays unloaded until enabled by hand -->
    <key>Disabled</key>
    <false/>
    <key>Label</key>
    <string>com.openssh.sshd2</string>
    <key>Program</key>
    <string>/usr/libexec/sshd-keygen-wrapper</string>
    <!-- -i: inetd mode, launchd accepts the connection and hands it to sshd -->
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/sshd</string>
        <string>-i</string>
    </array>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <!-- Port to listen on; no Bonjour key here, so nothing is announced -->
            <key>SockServiceName</key>
            <string>2222</string>
        </dict>
    </dict>
    <key>inetdCompatibility</key>
    <dict>
        <key>Wait</key>
        <false/>
        <key>Instances</key>
        <integer>42</integer>
    </dict>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>SHAuthorizationRight</key>
    <string>system.preferences</string>
    <key>POSIXSpawnType</key>
    <string>Interactive</string>
</dict>
</plist>

Reboot and you’ll have an ssh daemon listening on port 2222.

Note that the standard ssh daemon adds Bonjour announcements, so anyone browsing Bonjour can see you have a service listening. I purposely left this out of the plist so that you will NOT be announcing to the local network that you have SSH listening on this port.
