18

I have a Mac OS X machine (Mac mini running 10.5) with Remote Login enabled. I want to open the sshd port to the Internet to be able to login remotely.

For security reasons I want to disable remote logins using passwords, allowing only users with a valid public key to login.

What is the best way to set this up in Mac OS X?

4 Answers

25

After a little trial and error, I found the answer myself. These options need to be set in /etc/sshd_config:

PasswordAuthentication no
ChallengeResponseAuthentication no

Only changing one of them is not enough.

1

In /etc/ssh/sshd_config

# To disable tunneled clear text passwords, change to no here! Also,
# remember to set the UsePAM setting to 'no'.
#PasswordAuthentication yes
#PermitEmptyPasswords no

Set PasswordAuthentication to no and remove the # before it.

0

Other posts have already covered how to only allow password authentication. If you're having trouble getting the key-based authentication side of the problem to work, see this answer, which deals with file permissions issues that can cause public key authentication to not work.

If you still can't get it to work with all the comments here that modify /etc/ssh/sshd_config, check out this line from man sshd on OSX, under the FILES section:

~/.ssh/authorized_keys
             Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used for logging in as this user.  The format of this file is described above.
             The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.
         **If this file, the ~/.ssh directory, or the user's home directory are writable by other users, then the file could be modified or replaced by
         unauthorized users.  In this case, sshd will not allow it to be used unless the StrictModes option has been set to ``no''.**

So you can set, in /etc/ssh/sshd_config:

StrictModes no

(I didn't test that way), or ensure that the permissions of the files mentioned above in the doc are correct:

chmod 0600 ~/.ssh/authorized_keys
chmod 0700 ~/.ssh

Setting permissions for ~ is more complex, since it may have special attributes like the setuid bit, etc. First, use stat to find the actual, absolute, octal permissions of ~:

stat -f %Op ~

The syntax for stat seems to be different on the osx version than on the GNU version. For me, this initially output:

40777

The last two 7's mean that it's rwx for group and others; we need them to be 5, to remove write permissions for group and others, as specified in the doc: only the user can have write on ~. So, perform:

chmod 40755 ~

NOTE: only change the last two numbers; if you change anything else, you'll be changing your permissions (the third octal number), or special file properties (anything before the last three octal numbers).

After doing this, public key authentication finally worked. Worth it.

Life5ign
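As an added example (not code from any of the answers above), this POSIX shell audit checks the two options from the accepted answer and the StrictModes permission rules quoted from man sshd in the answer just above. The config path and home directory are arguments (assumed, so it can run against a copy), and the keyword lookup is a simplification that ignores Match blocks.

```shell
#!/bin/sh
# Added example, not from any of the answers above. Audits the two settings the
# accepted answer names and the StrictModes permission rules from man sshd.
# The config path is an argument because it differs between macOS releases
# (/etc/sshd_config on 10.5, /etc/ssh/sshd_config later).

# First uncommented "Keyword value" line wins, as in sshd itself; keywords are
# case-insensitive. Match blocks are not handled, so for the real effective
# config on a recent OpenSSH use: sudo sshd -T | grep -i authentication
sshd_option() {
    _val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
    [ -n "$_val" ] && printf '%s\n' "$_val" || printf '%s\n' "$3"
}

# Returns 0 only when both options are "no" (sshd defaults both to "yes").
password_logins_disabled() {
    _pa=$(sshd_option "$1" PasswordAuthentication yes)
    _cr=$(sshd_option "$1" ChallengeResponseAuthentication yes)
    printf 'PasswordAuthentication=%s ChallengeResponseAuthentication=%s\n' "$_pa" "$_cr"
    [ "$_pa" = no ] && [ "$_cr" = no ]
}

# Group (column 6) or other (column 9) write bit set in the ls -l mode string;
# portable where stat's flags are not (BSD -f %Op vs GNU -c %a).
group_or_other_writable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w*|????????w?) return 0 ;;
    esac
    return 1
}

# The three paths man sshd names; any of them writable by others makes sshd
# ignore authorized_keys unless StrictModes is turned off.
strictmodes_ok() {
    _rc=0
    for _p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$_p" ] || continue
        if group_or_other_writable "$_p"; then
            printf 'StrictModes would reject %s: %s\n' "$_p" "$(ls -ld "$_p" | cut -c1-10)"
            _rc=1
        fi
    done
    return $_rc
}

# Usage: password_logins_disabled /etc/ssh/sshd_config && strictmodes_ok "$HOME"
```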
0

It's actually in /etc/sshd_config that you set the following line:

PasswordAuthentication no

If you are using a stock install (i.e., you didn't build/install it yourself from source), launchd should take care of picking up the new config without having to restart the daemon.

user5336