MacOS Catalina, /etc/ssh/sshd_config, security and X11 forwarding (a bit of a grab bag)
When you upgrade to Catalina and each time you install Catalina updates (such as the very recent 10.15.5), the /etc/ssh/sshd_config file gets overwritten, so any changes you've made are lost.
Annoying.
Why might this be relevant, you ask? Well, here are two reasons why you might want to make changes to /etc/ssh/sshd_config.
Note that after changing the file, you need to run the following to restart sshd:
sudo launchctl kickstart -k system/com.openssh.sshd
Using X11 applications remotely (i.e., XQuartz)
If you happen to use XQuartz remotely, you need to add the following two lines to /etc/ssh/sshd_config:
X11Forwarding yes
XAuthLocation /opt/X11/bin/xauth
The first line (obviously) enables X11 connection forwarding (see the -Y option for ssh).
The second line tells sshd where to find the xauth program, which it uses to set up authentication across the remote connection. XQuartz puts xauth in a non-standard location so that's why this second line is required.
Disabling password authentication via SSH
Another reason you might want to modify the sshd_config file is to disable password authentication (leaving, presumably, just public key authentication enabled). From a security point of view this is a good thing as it means that someone trying to get into your computer remotely can't just guess or know your password — they have to have a copy of your private key otherwise the system won't let them in.
Add the following to sshd_config and then restart sshd:
PasswordAuthentication no
Re-apply changes after each Catalina update
The above changes need to be re-applied after each Catalina update because updates overwrite the sshd_config file.
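One way to script the re-apply step, as an added example that is not part of the original post: it prepends the three directives above instead of appending them, because sshd uses the first value it reads for each keyword. The marker comment, the function names and the script file name are made up for this example.

```shell
#!/bin/sh
# Added example: re-apply the sshd_config settings from this post after an update.
# MARK and the function names are hypothetical, chosen for this example.
MARK='# local overrides (re-applied after macOS updates)'

# Prepend the overrides once. sshd uses the first value it reads for a keyword,
# so a block at the top wins over any later line and cannot end up inside a
# Match block the way an appended line could.
apply_overrides() {
    cfg=$1
    if grep -qxF "$MARK" "$cfg"; then
        return 0                          # already applied, nothing to do
    fi
    tmp=$(mktemp) || return 1
    {
        printf '%s\n' "$MARK"
        printf '%s\n' 'X11Forwarding yes'
        printf '%s\n' 'XAuthLocation /opt/X11/bin/xauth'
        printf '%s\n' 'PasswordAuthentication no'
        printf '\n'
        cat "$cfg"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$cfg" && rm -f "$tmp"   # overwrite in place, keeps owner and mode
}

# Print the value sshd would use for a keyword: the first uncommented
# occurrence, matched case-insensitively as sshd does.
effective_value() {
    awk -v key="$2" '
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Run as: sudo sh reapply-sshd.sh --apply   (file name is hypothetical)
if [ "${1:-}" = "--apply" ]; then
    cfg=/etc/ssh/sshd_config
    cp -p "$cfg" "$cfg.bak" &&            # keep a copy of the freshly installed file
    apply_overrides "$cfg" &&
    /usr/sbin/sshd -t &&                  # syntax check before restarting
    launchctl kickstart -k system/com.openssh.sshd
fi
```

After it has run, `sudo sshd -T | grep -i passwordauthentication` prints the value sshd actually resolved, which is a quick check that an update has not silently undone the change.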