Every time I get a new Mac, or blat my old ones, I always forget how to enable secure remote access to it. This is my guide to avoid installing LogMeIn or other heavy apps on it.
There are a few steps to complete:
- Enable SSH in OS X [Server]
- Generate Keypairs [Client]
- Approve the key [Server]
- Disable password authentication [Server]
- Open a hole in your router
Enable SSH in OS X [Server]
Start by opening up Sharing in System Preferences and enabling Remote Login.
Generating Keypairs [Client]
There are a few basic steps for creating the directory and then the keys. Open Terminal on the client:
mkdir -p ~/.ssh        # create the directory if it is not there yet
cd ~/.ssh
chmod go-rwx ~/.ssh    # only your own account can read or enter it
ssh-keygen -b 4096 -t rsa -f id_rsa -P ""    # -P "" gives the private key an empty passphrase
Now that a 4096-bit key (about as strong as you can imagine) has been generated, you need to get the public half (id_rsa.pub, never the private id_rsa) onto whatever machine you might want to log in to. I, of course, use Dropbox for that, so:
cp ~/.ssh/id_rsa.pub ~/Dropbox/
Approve the key [Server]
Open Terminal on the server and do the following:
mkdir -p ~/.ssh
cd ~/.ssh
chmod go-rwx ~/.ssh
touch authorized_keys
chmod u+w authorized_keys                     # make it writable again if it was locked on an earlier run
cat ~/Dropbox/id_rsa.pub >> authorized_keys   # append, so any keys already approved are kept
chmod u-w authorized_keys
The chmod-ing stops the shared public key from being overwritten with a rogue one.
Disable password authentication [Server]
Be careful: if your keys don’t work and you don’t have local access, you will bork this!
sudo vim /etc/ssh/sshd_config
Look for the line:
#PasswordAuthentication yes
And change it to:
PasswordAuthentication no
That is, remove the # at the beginning, and change yes to no. [Credit Caesium on Stackexchange]
Save the file and exit.
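Here is an added check script, not part of the original post, that verifies the two server-side steps above (the permissions set in "Approve the key" and the sshd_config change in this section) actually took effect. It assumes the standard paths /etc/ssh/sshd_config and ~/.ssh, ignores Match blocks, and also looks at ChallengeResponseAuthentication, because on macOS that keyboard-interactive method still asks for the account password when PasswordAuthentication alone is turned off.

```shell
#!/bin/sh
# Added check script (not from the original post). Reads an sshd_config and a
# .ssh directory (assumed: /etc/ssh/sshd_config and ~/.ssh). Match blocks are ignored.

# Prints "yes" if a password prompt can still get someone in, "no" if only keys work.
password_auth_effective() {
  cfg="$1"
  # sshd uses the FIRST value it finds for a keyword, so stop at the first hit.
  # Commented-out lines start with '#', so their first field never matches.
  pw=$(awk 'tolower($1)=="passwordauthentication" && !seen {print tolower($2); seen=1}' "$cfg")
  # Keyboard-interactive auth (ChallengeResponseAuthentication, newer name
  # KbdInteractiveAuthentication) still prompts for the account password and
  # defaults to yes on macOS, so it has to be off as well.
  cr=$(awk '(tolower($1)=="challengeresponseauthentication" || tolower($1)=="kbdinteractiveauthentication") && !seen {print tolower($2); seen=1}' "$cfg")
  # Both keywords default to yes when they are absent from the file.
  if [ "${pw:-yes}" = no ] && [ "${cr:-yes}" = no ]; then echo no; else echo yes; fi
}

# Returns 0 when the .ssh directory matches what the post sets up: the directory is
# closed to group/other, and authorized_keys exists and is not group/other writable
# (with StrictModes, sshd silently ignores the file otherwise).
ssh_dir_locked_down() {
  dir="$1"
  [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
  # Characters 5-10 of 'ls -l' output are the group and other rwx bits.
  case "$(ls -ld "$dir" | cut -c5-10)" in
    ------) ;;
    *) echo "$dir is reachable by group/other (run: chmod go-rwx $dir)"; return 1 ;;
  esac
  [ -f "$dir/authorized_keys" ] || { echo "missing $dir/authorized_keys"; return 1; }
  case "$(ls -l "$dir/authorized_keys" | cut -c5-10)" in
    *w*) echo "authorized_keys is writable by group/other (run: chmod go-w $dir/authorized_keys)"; return 1 ;;
  esac
  return 0
}

report() {
  echo "password logins still possible: $(password_auth_effective "$1")"
  ssh_dir_locked_down "$2" && echo "permissions on $2: ok"
}

# Usage: sh check_ssh.sh /etc/ssh/sshd_config "$HOME/.ssh"
if [ "$#" -eq 2 ]; then report "$1" "$2"; fi
```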
Open a hole in your router
This one is pretty straightforward, but my recommendation is to pick a random high-numbered port and forward it to your machine. This means the machine needs a fixed address on your LAN, so either give it a static IP or set a DHCP reservation for it on the router.
I would also recommend using a Dynamic DNS provider to give you an easy-to-remember server address. Map your random external port to the default SSH port on the machine:
External Port: 45123
Internal Port: 22
Now this should mean you can ssh in by simply running (your username and Dynamic DNS name in place of the placeholders):
ssh username@your-dyndns-hostname -p 45123