macOS Catalina, /etc/ssh/sshd_config, security and X11 forwarding (a bit of a grab bag)

When you upgrade to Catalina and each time you install Catalina updates (such as the very recent 10.15.5), the /etc/ssh/sshd_config file gets overwritten, so any changes you've made are lost.


Why might this be relevant, you ask? Well, here are two reasons why you might want to make changes to /etc/ssh/sshd_config.

Note that after changing the file you need to restart sshd. Validate the file first with sudo sshd -t (a syntax error would stop sshd from starting and lock you out of remote access), and keep an existing session open until you have confirmed that a fresh login still works:

sudo launchctl kickstart -k system/com.openssh.sshd

Using X11 applications remotely (i.e., XQuartz)

If you happen to use XQuartz remotely, you need to add the following two lines to /etc/ssh/sshd_config (sshd honours only the first occurrence of a keyword, so if an active X11Forwarding line already exists higher up, change that one instead of appending a second; the stock Catalina file has these keywords commented out, so appending works there):

X11Forwarding yes
XAuthLocation /opt/X11/bin/xauth

The first line enables X11 connection forwarding on the server side; the client asks for it with the -X option (untrusted forwarding, with the X11 SECURITY extension restricting what the remote program can do) or -Y (trusted forwarding, which gives the remote program full access to your local display, so use it only with hosts you trust).

The second line tells sshd where to find the xauth program, which it runs on the server to install the MIT-MAGIC-COOKIE that authenticates clients to the forwarded display. XQuartz installs xauth in /opt/X11/bin rather than the path sshd is compiled to expect, so without this line the forwarding request typically fails with "X11 forwarding request failed on channel 0" even though X11Forwarding is enabled.

Disabling password authentication via SSH

Another reason you might want to modify the sshd_config file is to disable password authentication (leaving, presumably, just public key authentication enabled). From a security point of view this is a good thing: someone trying to get into your computer remotely can no longer guess or know your password, and online brute-force attempts against sshd stop being useful; they have to have a copy of your private key or the system won't let them in.

Before doing this, make sure your public key is in ~/.ssh/authorized_keys and that a key-based login already works, otherwise you are locking yourself out too. Then add the following to sshd_config and restart sshd:

PasswordAuthentication no

One macOS-specific caveat: the stock file sets UsePAM yes, and ChallengeResponseAuthentication defaults to yes, so sshd will still offer a keyboard-interactive prompt that accepts the account password. To really turn passwords off, also set ChallengeResponseAuthentication to no. A quick check is to connect from another machine with public key authentication disabled on the client: sshd should refuse immediately with "Permission denied (publickey)" rather than asking for a password.

Re-apply changes after each Catalina update

The above changes need to be re-applied after each Catalina update because updates overwrite the sshd_config file. Catalina's sshd predates the Include directive, so you cannot park your settings in a separate file that survives the update; keep a note (or a script) of the lines you rely on, and after every update check the file and re-run the restart command above.
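As an added example (not code from the original post), here is a small shell script that re-applies the settings from both sections above after an update. It deletes every existing active or commented line for each keyword before appending the wanted one, because sshd honours only the first occurrence of a keyword and a stale line higher up would silently win; it also sets ChallengeResponseAuthentication no, the extra line macOS needs to fully disable password prompts. The WANTED list, the --apply flag, and running sshd -t before the launchctl restart are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this page (not from the original post): re-apply local
# sshd_config settings after a macOS update has overwritten the file.
# Assumptions (labelled): the WANTED list below, the --apply flag, and that
# sshd reads the first occurrence of a keyword, so every other copy must go.
set -eu

# Settings to enforce: the post's lines plus ChallengeResponseAuthentication,
# which must also be off on macOS (UsePAM yes) or a keyboard-interactive
# password prompt remains.
WANTED='X11Forwarding yes
XAuthLocation /opt/X11/bin/xauth
PasswordAuthentication no
ChallengeResponseAuthentication no'

# apply_sshd_settings FILE
# Idempotent: for each wanted keyword, remove every active or commented line
# for it (case-insensitively), then append the wanted line.
# Caveat: appends at the end of the file, so keep any Match block below these
# lines yourself; Catalina's stock file has none.
apply_sshd_settings() {
    f="$1"
    printf '%s\n' "$WANTED" | while read -r key value; do
        [ -n "$key" ] || continue
        grep -viE "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$f" > "$f.tmp" || true
        printf '%s %s\n' "$key" "$value" >> "$f.tmp"
        cat "$f.tmp" > "$f"      # keeps the original inode, owner and mode
        rm -f "$f.tmp"
    done
}

# effective_setting FILE KEY: print the value sshd would use for KEY, i.e. the
# first active (uncommented) occurrence, or "default" if there is none.
effective_setting() {
    v="$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}')"
    printf '%s\n' "${v:-default}"
}

# Stand-alone use on the Mac after an update:  sudo sh reapply-sshd.sh --apply
# Validates with sshd -t before restarting, so a typo does not lock you out.
if [ "${1:-}" = "--apply" ]; then
    apply_sshd_settings /etc/ssh/sshd_config
    /usr/sbin/sshd -t                                  # non-zero exit on a bad config
    launchctl kickstart -k system/com.openssh.sshd     # restart sshd (from the post)
    for k in X11Forwarding XAuthLocation PasswordAuthentication ChallengeResponseAuthentication; do
        printf '%-32s %s\n' "$k" "$(effective_setting /etc/ssh/sshd_config "$k")"
    done
fi
```

Run it with sudo sh reapply-sshd.sh --apply after each update; it prints the effective value of each keyword so you can see at a glance that the file is back the way you want it. To confirm from the outside that password logins are really gone, connect from another machine with ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password,keyboard-interactive user@your-mac (hostname and user are placeholders); the server should refuse immediately with "Permission denied (publickey)." instead of prompting for a password.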