launchd and sshd on multiple ports
Sunday, October 2nd, 2005I got a new iMac this weekend and wanted to get sshd running on both the standard port 22 and port 2224 that I'll use in my firewall to redirect requests from outside. Common practice, really. I want to have the machine act normally within the network of my house, but I also want to be able to directly get to it from outside as well. The problem is that sshd is not run as a daemon on Mac OS X Tiger (10.4), it's run from launchd more like telnet.
There are configuration files - plists, that take the place if the xinetd conf files indicating what to run when a message comes in on a certain port. However, in this case, I needed to add an extra port to the configuration. If you look in the file /System/Library/LaunchDaemons directory you'll find a file called ssh.plist. In it's original form it looks something like this:
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>Bonjour</key>
<array>
<string>ssh</string>
<string>sftp-ssh</string>
</array>
<key>SockServiceName</key>
<string>ssh</string>
</dict>
</dict>
It needs to be modified to look like this:
<key>Sockets</key>
<dict>
<key>Listeners</key>
<array>
<dict>
<key>Bonjour</key>
<array>
<string>ssh</string>
<string>sftp-ssh</string>
</array>
<key>SockServiceName</key>
<string>ssh</string>
</dict>
<dict>
<key>SockServiceName</key>
<string>sshalt</string>
</dict>
</array>
</dict>
The key is that for launchd the value for Listeners can be a dictionary or an array of dictionaries. It was in the man page for launchd and that's what lead me to the breakthrough. You also need to add a line to /etc/services for the new service 'sshalt' (ssh-alternative) which references the port number that you want to monitor as well.
Now I can control SSH with the standard tools, it won't run until a user comes to the box and it's all in-line with the Mac OS X way of doing things.