Every time I get a new mac, or blat my old ones, I always forget how to enable secure remote access to it. This is my guide to avoid installing Logmein or other heavy apps on it.

There are a few steps to complete:

  1. Enable SSH in OS X [Server]
  2. Generate Keypairs [Client]
  3. Approve the key [Server]
  4. Disable password authentication [Server]
  5. Open a hole in your router

Enable SSH in OS X [Server]

Start by opening up Sharing in System Preferences and enabling Remote Login.

[Screenshot 2016-01-28 14.50.23: the Sharing pane with Remote Login enabled]

Generating Keypairs [Client]

There are a few basic steps: create the directory, then generate the keys. Open Terminal on the client:

cd ~/
mkdir -p .ssh
chmod go-rwx .ssh
cd .ssh
ssh-keygen -b 4096 -t rsa -f id_rsa -P ""

Now that a 4096-bit RSA key pair (about as strong as you can imagine) has been generated, you need to share the public half, id_rsa.pub, with whatever machine you might want to log in to; the private key, id_rsa, never leaves the client. I, of course, use Dropbox for that so:

cp id_rsa.pub ~/Dropbox/

Approve the key [Server]

Open Terminal on the server and do the following:

cd ~
mkdir -p .ssh
chmod go-rwx .ssh
cd .ssh
touch authorized_keys
chmod u+w authorized_keys
cat ~/Dropbox/id_rsa.pub > authorized_keys
chmod u-w authorized_keys

The bits of chmod'ing keep other users out of .ssh and leave authorized_keys read-only, so the shared public key isn't casually overwritten with a rogue one. Bear in mind that anything already running as your user can chmod it back, so this is tidiness rather than a real barrier; the permissions that actually matter are the ones sshd checks itself, since by default it refuses to use authorized_keys at all if the file or ~/.ssh is writable by anyone but you.
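The same job as a small script, written as an added example rather than taken from the post: it refuses anything that is not a single OpenSSH public-key line (so a private key or a whole directory listing can't be pasted in by mistake), appends rather than overwrites so an existing key survives, skips duplicates, and sets the 700/600 permissions sshd expects instead of the read-only trick above. The key file and the .ssh directory are parameters so it can be rehearsed on a scratch directory; the function name and the sample key in the usage comment are my own.

```sh
#!/bin/sh
# Added example (not from the original post): install one public key into
# authorized_keys safely. Works in POSIX sh on macOS and Linux.

# install_authorized_key <pubkey-file> <ssh-dir>
install_authorized_key() {
    pubkey_file=$1
    ssh_dir=$2
    auth_file="$ssh_dir/authorized_keys"

    # Accept only a file that is exactly one OpenSSH public-key line.
    # A private key pasted by mistake starts with "-----BEGIN" and is refused.
    if [ "$(grep -c '' "$pubkey_file")" -ne 1 ] ||
       ! grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)' "$pubkey_file"; then
        echo "refusing: $pubkey_file is not a single OpenSSH public key line" >&2
        return 1
    fi

    # 700 on the directory and 600 on the file is what sshd's StrictModes wants.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Append only if this exact line is not already there, so re-running is harmless.
    if grep -qxF -- "$(cat "$pubkey_file")" "$auth_file"; then
        echo "already present"
    else
        cat "$pubkey_file" >> "$auth_file"
        echo "installed"
    fi
}

# Usage on the server, matching the post's Dropbox hand-off (hypothetical paths):
#   install_authorized_key ~/Dropbox/id_rsa.pub ~/.ssh
```

Run it once per key you want to trust; a second run with the same file reports "already present" and changes nothing, which makes it safe to keep in a setup script.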

Disable password authentication [Server]

Be careful: if your keys don't work and you don't have local access, you will bork this! Keep your current SSH session open and test a fresh key-based login from a second terminal before you close it.

sudo vim /etc/ssh/sshd_config

Look for the line:

#ChallengeResponseAuthentication yes

And change it to:

ChallengeResponseAuthentication no

That is, remove the # at the beginning and change yes to no. [Credit Caesium on Stackexchange]

Save the file and exit.
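The same edit done from a script, as an added example that is not part of the post: it backs the file up first, rewrites the directive whether it is commented out, set to yes, or missing altogether, and prints the backup path so the change can be undone from your still-open session. It goes one step beyond the post by also setting PasswordAuthentication no, the other directive that allows password logins; the post's change alone only turns off the keyboard-interactive (PAM) prompt. The function names are mine, and the config path is a parameter so you can rehearse on a copy.

```sh
#!/bin/sh
# Added example (not from the original post): apply the sshd_config edit from
# a script, with a backup. POSIX sh; sed -i.tmp works on both BSD (macOS) and GNU sed.

# set_directive <file> <Keyword> <value>
# Rewrites every line that sets <Keyword> (commented out or not) to
# "<Keyword> <value>", or appends the directive if the file never mentions it.
set_directive() {
    file=$1
    key=$2
    value=$3
    if grep -Eq "^[[:space:]#]*$key[[:space:]]" "$file"; then
        sed -E -i.tmp "s/^[[:space:]#]*$key[[:space:]].*/$key $value/" "$file" && rm -f "$file.tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# disable_password_auth <sshd_config-path>
# Backs the file up, applies the change, and prints the backup path.
disable_password_auth() {
    cfg=$1
    backup="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$cfg" "$backup" || return 1
    # The post's change: no keyboard-interactive (PAM) password prompts.
    set_directive "$cfg" ChallengeResponseAuthentication no
    # Beyond the post: the plain "password" method has to be off as well.
    set_directive "$cfg" PasswordAuthentication no
    echo "$backup"
}

# effective_auth_lines <sshd_config-path>
# Lists the uncommented authentication directives so the result can be eyeballed.
effective_auth_lines() {
    grep -E '^(ChallengeResponseAuthentication|PasswordAuthentication|PubkeyAuthentication)[[:space:]]' "$1"
}

# Usage on the server (root is needed to write /etc/ssh/sshd_config):
#   sudo sh -c '. ./sshd_hardening.sh; disable_password_auth /etc/ssh/sshd_config'
#   sudo sshd -t    # syntax check; fix or restore the backup if it complains
```

After it runs, `sudo sshd -t` checks the file parses, and `ssh -o PreferredAuthentications=password -p 45123 john@your-server` from another machine should now be refused while your key-based login still works. If anything is wrong, copy the printed backup back over /etc/ssh/sshd_config from the session you kept open.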

Open a hole in your router

This one is pretty straightforward, but my recommendation is to pick a random high-numbered port and forward it to your machine. For that the Mac needs a fixed address on your LAN, so either disable DHCP for that machine (a DHCP reservation on the router does the same job) or give it a fixed IP.

I would also recommend using a Dynamic DNS provider to give you an easy to remember server address. Map your random port to the default one for SSH.

External Port: 45123
Internal Port: 22

You should now be able to ssh in with just:

ssh john@notarealserver.ddns-provider.org -p 45123