27

I'm trying to access a Mac remotely (I do have physical access to this Mac) through SSH from a Linux client computer. My goal is to access this Mac from outside the network. Port forwarding is set up on the router. From my client computer I'm able to ssh user@ip for the public IP and I am able to get into the Mac, so port forwarding is working.

Now I want to set up SSH keys. I've generated SSH keys on my client computer but I wanted to get the SSH Daemon on the Mac set up first. I edited /etc/ssh_config and set PasswordAuthentication no. I restarted SSH with these commands: sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist, then sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist. When I try to SSH in from the client again, it still asks for my password.

I took a look at this post and from the answer I added UsePAM no to the config file and restarted the service with launchctl again. I'm still being prompted for a password.

I also tried the solution here. I'm still being prompted for a password.

How do I set up my ssh_config so that it doesn't ask for the password and only accepts SSH keys? Am I not restarting the daemon properly? Is there another step I am missing?

4 Answers

30

I was editing the wrong configuration file! Instead of /etc/ssh_config, I edited private/etc/sshd_config. I think this probably would have also worked if I edited /etc/sshd_config as per the updated answer from @GhostLyrics, but I didn't test that yet so I can't say for sure. After that, I restarted the service with sudo launchctl stop com.openssh.sshd and then sudo launchctl start com.openssh.sshd and I was able to get my desired behavior. Here is the resource where I found the pertinent information: https://superuser.com/questions/364304/how-do-i-configure-ssh-on-os-x

Here are the config options I changed:

PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no

After that I was successfully able to generate SSH keys on my client computer, moved the public key to ~/.ssh/authorized_keys on the Mac and set permissions for that file to 644.

It is important to note that those permissions are for my public key. My private key permissions are set to 600 on my client computer. This is really important if you have both your public and private key in your ~/.ssh folder and there are multiple users on the system. If your private key permissions are set to 644 then any user could read your private key and impersonate you. Also, the permissions for the ~/.ssh folder should be 700.

3
  • 7
    Internally, /etc/sshd_config and /private/etc/sshd_config are the same file. :) Commented Mar 31, 2016 at 22:29
  • On recent Macs, ChallengeResponseAuthentication has been replaced by KbdInteractiveAuthentication. Commented Dec 13, 2024 at 10:03
  • It won't let me edit the answer because I didn't change enough characters, but I'm pretty sure "Instead of /etc/ssh_config" should read "Instead of /etc/sshd_config"? It seems ssh_config is client settings whereas sshd_config is server settings (which is what we want actually changed here). Commented Mar 31 at 4:47
20

I'm using Apple-M1 (11.3) now and I found that only setting PasswordAuthentication no does not work, but these two options are enough:

PasswordAuthentication no
ChallengeResponseAuthentication no


1
  • 1
    According to man sshd_config, ChallengeResponseAuthentication is a deprecated alias for KbdInteractiveAuthentication. Commented Oct 23, 2024 at 4:28
13

/etc/ssh/ssh_config is the configuration file for the client which is used if you don't have a more specific one in your home directory. What you want to edit is /etc/ssh/sshd_config which is the one for the server.

You will probably want to set PermitRootLogin without-password (or no) and PasswordAuthentication no there.


Update: Since you are running Yosemite, the file is /etc/sshd_config according to this answer: https://apple.stackexchange.com/a/167405/11135

To further elaborate why it still prompts when setting PasswordAuthentication no in /etc/ssh/ssh_config it is important to understand what you configured. "When making an outgoing connection via SSH, don't offer password authentication."

6
  • I don't have a /etc/ssh/ssh_config, only a /etc/ssh_config. I'm running on Yosemite. I did try the PasswordAuthentication no but it's still prompting me for the password. Commented Jan 27, 2016 at 18:53
  • Ah, I see. That is not what I want. I want to SSH from my Linux client to the Mac with keys and without a password. What should I change for an incoming connection? Commented Jan 27, 2016 at 18:59
  • /etc/sshd_config PasswordAuthentication no. Sorry for the confusion. Please let me know how I can make the answer more clear. :) Commented Jan 27, 2016 at 19:01
  • 1
    I'm still getting the same behavior. It prompts me for a password when I ssh from the Linux machine to the Mac. Commented Jan 27, 2016 at 19:05
  • Let's continue this in chat chat.stackexchange.com/rooms/info/34931/… Commented Jan 27, 2016 at 19:09
1

The options required to disable password authentication are

PasswordAuthentication no
KbdInteractiveAuthentication no

From StigViewer - The macOS system must disable password authentication for SSH.

It is preferable to add a partial config 01-mscp-sshd.conf to /etc/ssh/ssh_config.d as opposed to editing your ssh_config file directly.

This can be automated with the following script:

ssh-disable-password-auth.sh

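#!/bin/bash
# Directory named by the Include line in sshd_config, with the trailing "*" removed.
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
    # No Include line yet: overwrite line 1 with one (original saved as sshd_config.bk).
    /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
    include_dir="/etc/ssh/sshd_config.d/"
fi
/bin/mkdir -p "${include_dir}"
echo "passwordauthentication no" >> "${include_dir}01-mscp-sshd.conf"
echo "kbdinteractiveauthentication no" >> "${include_dir}01-mscp-sshd.conf"

# Rename files that sort ahead of 01-mscp-sshd.conf so it is read first;
# sshd keeps the first value it reads for each keyword.
for file in $(ls "${include_dir}"); do
    if [[ "$file" == "100-macos.conf" ]]; then
        continue
    fi
    if [[ "$file" == "01-mscp-sshd.conf" ]]; then
        break
    fi
    /bin/mv "${include_dir}${file}" "${include_dir}20-${file}"
done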

Having this script handy is useful in case any future macOS update overwrites your ssh_config file.

1
  • I have /etc/ssh/sshd_config.d/000-local.conf since 2021, and it survived all the macOS updates since, so the risk it's getting lost is rather small. Commented Jan 2 at 8:01
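
A way to confirm which of the settings discussed in the answers above are actually in effect, added here as an example and not part of any answer: it reads the effective configuration that `sshd -T` prints (main file plus drop-ins) and reports anything that still allows a password prompt. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `sshd -T` output (lowercase "keyword value" lines)
# for settings that still permit password-based logins.
# Prints each problem on stdout; returns 0 if key-only, 1 otherwise.
check_sshd_effective() {
    awk '
        # Any of these left at a value other than "no" allows a password prompt.
        # Older OpenSSH prints challengeresponseauthentication as well.
        $1 == "passwordauthentication" ||
        $1 == "kbdinteractiveauthentication" ||
        $1 == "challengeresponseauthentication" ||
        $1 == "permitemptypasswords" {
            seen[$1] = 1
            if ($2 != "no") { print "FAIL " $1 " " $2; bad = 1 }
        }
        # Root may log in with a key only, or not at all.
        $1 == "permitrootlogin" && $2 == "yes" { print "FAIL " $1 " " $2; bad = 1 }
        END {
            # Missing keywords usually mean sshd -T failed (for example, not run as root).
            if (!("passwordauthentication" in seen)) { print "MISSING passwordauthentication"; bad = 1 }
            if (!("kbdinteractiveauthentication" in seen) && !("challengeresponseauthentication" in seen)) { print "MISSING kbdinteractiveauthentication"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample of `sshd -T` output; $1 sets kbdinteractiveauthentication.
# "yes" reproduces the case where only PasswordAuthentication was turned off.
sample_sshd_T() {
    printf '%s\n' \
        'port 22' \
        'permitrootlogin no' \
        'pubkeyauthentication yes' \
        'passwordauthentication no' \
        "kbdinteractiveauthentication $1" \
        'permitemptypasswords no'
}

# Demo on the constructed samples.
sample_sshd_T yes | check_sshd_effective || echo "password prompt still possible"
sample_sshd_T no  | check_sshd_effective && echo "key-only"

# On the Mac itself (needs root to read the host keys):
#   sudo /usr/sbin/sshd -T | check_sshd_effective
```

From the client, `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password,keyboard-interactive user@ip` should then be refused without a password prompt.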
