4

This question is similar to the question here, about changing the sshd port on Mac OSX, but instead of changing the port number, I want to change the listen address of my Mac's ssh server. Setting it in /etc/sshd_config doesn't work (just like it doesn't work for port numbers).

According to the man page on SSHD_CONFIG(5):

On Mac OS X, sshd is started on demand by launchd(8). The specification of the address on which sshd will listen is given in the launchd.plist(5) file /System/Library/LaunchDaemons/ssh.plist. The values of ListenAddress and Port are only used when sshd is run from the command line. Use launchctl(1) to unload and load the plist file. The port number on which sshd listens can be set by changing the value of the SockServiceName key in the plist file.

This answer shows how to set SockServiceName to change the port number, but I'm unclear on how to change the listen address.

Does anyone know how?

Chris Lercher

3 Answers

3

The answer is similar to the one you linked to.

In the file /System/Library/LaunchDaemons/ssh.plist, you need to edit the Listeners item. The IP address can be specified with the key SockNodeName. When you're done, the Listeners part of the file should look something like this:

 <key>Listeners</key>
 <dict>
         <key>SockNodeName</key>
         <string>10.10.1.70</string>  <!-- This is the IP address you want -->
         <key>SockServiceName</key>
         <string>ssh</string>
         <key>Bonjour</key>
         <array>
                 <string>ssh</string>
                 <string>sftp-ssh</string>
         </array>
 </dict>

Once you're done, you reload the config by doing

 sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
 sudo launchctl load /System/Library/LaunchDaemons/ssh.plist

Jenny D
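
The edit described in the answer above, as an added Python example that is not part of the original answer: it reads a launchd plist, reports which sockets have no SockNodeName (and so bind to every interface), and sets the address. The sample plist is constructed, and its placement of Listeners under a top-level Sockets key, the label, and the function names are assumptions of this example.

```python
import ipaddress
import plistlib

# Constructed sample modelled on the Listeners fragment in the answer above.
# Assumption: the fragment sits under the top-level "Sockets" key, as
# launchd.plist(5) describes for socket-activated jobs.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>example.sshd</string>
  <key>Sockets</key>
  <dict>
    <key>Listeners</key>
    <dict>
      <key>SockServiceName</key><string>ssh</string>
    </dict>
  </dict>
</dict>
</plist>
"""

def _entries(job):
    """Yield (name, dict) per socket; a value may be a dict or a list of dicts."""
    for name, value in job.get("Sockets", {}).items():
        for entry in value if isinstance(value, list) else [value]:
            yield name, entry

def audit(plist_bytes):
    """Return [(socket, bind address, service)]; address None = all interfaces."""
    job = plistlib.loads(plist_bytes)
    return [(n, e.get("SockNodeName"), e.get("SockServiceName"))
            for n, e in _entries(job)]

def set_listen_address(plist_bytes, address, socket_name="Listeners"):
    """Return new plist bytes with SockNodeName set on the named socket."""
    # This example accepts IP literals only; a malformed one raises ValueError.
    ipaddress.ip_address(address)
    job = plistlib.loads(plist_bytes)
    hits = [e for n, e in _entries(job) if n == socket_name]
    if not hits:
        raise KeyError(f"no socket named {socket_name!r} in plist")
    for entry in hits:
        entry["SockNodeName"] = address
    return plistlib.dumps(job)

if __name__ == "__main__":
    print("before:", audit(SAMPLE))
    print("after: ", audit(set_listen_address(SAMPLE, "127.0.0.1")))
```

Running `audit` on a copy of the edited file before reloading it with launchctl confirms that every listener carries the intended address.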
-1

This "locking down" of systems for "security" is doing the exact opposite! I want SSH to listen only on the localhost interface. Simple, right? Just change a line in /etc/ssh/sshd_config. But no, sshd-keygen-wrapper thinks it's smarter than me and ignores the directive.

So now I have to hack into my own system to secure it. Seriously, what the...?

Then I thought, let's try the firewall. But guess what? You can only enable or disable SSH there. Brilliant.

Going down the /System/Library/LaunchDaemons/ssh.plist route, I'm again blocked by the brainiac engineers at Apple.

For goodness' sake, Apple, give me a break and provide a real solution!

Martin
-2

sshd has a ListenAddress config option. I do not know if OS/X has a new enough version of ssh for this.

I have used this on an older Ubuntu server to get sshd to listen on port 443 with Apache listening to the same port on another IP.

Skaperen