Quickie – Mac OSX – Securing sshd_config
Overview – While transferring the configuration files from my Late 2012 Mac Mini to my new Mac Pro, I noticed a pretty glaring security issue with the configuration file for the SSH daemon. SSH, or secure shell, is a means of remotely accessing your server's or workstation's shell through a terminal. It is similar to telnet, with the added benefit of being encrypted: telnet sends all traffic, including usernames and passwords, over the network in clear text.
By default the configuration file is readable by all users, so anyone who gains a shell on the system, however unprivileged, can read it and learn exactly how the SSH daemon is configured (which authentication methods are allowed, whether root may log in, which ports and addresses it listens on) and look for a misconfiguration to exploit. The file contains no secrets itself; the private host keys in /etc/ssh/ssh_host_*_key are the files in that directory that must never be readable by anyone but root. Still, there is no reason to hand that information to every local user, and it is easily rectified. It is a glaring oversight that left me a little surprised. On a CentOS 7.0 server the POSIX permissions on the same file are -rw------- (readable and writable by root only); the original post shows the two long listings side by side as a screenshot.
Do you see the difference?
Mac OS X by default sets the read bit for the "other" class, giving the file -rw-r--r-- and allowing any user on the machine to view /etc/ssh/sshd_config. We are going to fix this, and I advise you to do the same on any Mac server or desktop with SSH (Remote Login) enabled.
Launch your terminal application: in the Finder choose Go > Utilities (Shift-Command-U) and open Terminal.app. From an account that is allowed to use sudo (an administrator account), type the following.
$ sudo chmod o-r /etc/ssh/sshd_config
If successful, the command prints nothing and you are returned to the terminal prompt. Verify the change with a long listing of the file. (If you would rather match the CentOS default and keep the group from reading it as well, use chmod 600 instead of o-r.)
$ ls -l /etc/ssh/sshd_config
You should now see the mode as -rw-r----- (owner root, group wheel), with the trailing r for "other" gone.
You can test further by switching to a non-privileged account and trying to read the file.
$ cat /etc/ssh/sshd_config
You should see the following message.
cat: /etc/ssh/sshd_config: Permission denied
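As an added example that is not part of the original post, here is a small POSIX shell script that performs the check and fix described above and also extends it to the private host keys, which are the files in /etc/ssh that actually contain secrets. It runs on both macOS (BSD stat) and Linux (GNU stat). The default paths are the standard OpenSSH locations; the function names and the audit logic are my own, not anything the post or OpenSSH ships.

```sh
#!/bin/sh
# Added example (not from the original post): audit and fix the permissions
# on sshd_config the way the post does, and also check the private host keys,
# which are the files in /etc/ssh that actually hold secrets.
# Works on macOS (BSD stat) and Linux (GNU stat). Default paths are the
# standard OpenSSH locations; function names are this example's own.

# Print the octal permission bits of a file, e.g. 644. GNU stat first (-c),
# falling back to BSD/macOS stat (-f) when -c is rejected.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the "other" class can read the file. The last octal digit is
# the "other" class; bit 4 in it is read. Taken as a character so a leading
# zero in the mode string cannot be misread as octal by the shell.
other_readable() {
  mode=$(file_mode "$1") || return 2
  other=${mode#"${mode%?}"}
  case $other in
    4|5|6|7) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when only the owner has any access (mode 600 or 400): what a
# private host key should look like.
owner_only() {
  mode=$(file_mode "$1") || return 2
  case $mode in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# The fix from the post: drop the read bit for "other" on sshd_config.
# (chmod 600 would match the CentOS 7 default; o-r is what the post does.)
# Returns 0 once "other" can no longer read the file.
harden_sshd_config() {
  f=${1:-/etc/ssh/sshd_config}
  if other_readable "$f"; then
    chmod o-r "$f"
  fi
  ! other_readable "$f"
}

# Report every file under an ssh config directory (default /etc/ssh) that is
# either a world-readable sshd_config or a private host key readable by
# anyone but its owner. Prints one line per finding; returns 1 if any.
audit_ssh_dir() {
  dir=${1:-/etc/ssh}
  rc=0
  if [ -f "$dir/sshd_config" ] && other_readable "$dir/sshd_config"; then
    echo "$dir/sshd_config: readable by other (mode $(file_mode "$dir/sshd_config"))"
    rc=1
  fi
  for key in "$dir"/ssh_host_*_key; do
    [ -f "$key" ] || continue
    if ! owner_only "$key"; then
      echo "$key: private host key not owner-only (mode $(file_mode "$key"))"
      rc=1
    fi
  done
  return $rc
}

# Usage: sh audit_ssh.sh [ssh-dir]
# Run it as-is to report; run harden_sshd_config under sudo to fix.
if [ "$#" -gt 0 ]; then
  audit_ssh_dir "$1"
fi
```

Running audit_ssh_dir on a stock Mac reports only sshd_config; the host keys macOS generates are already 600. On the CentOS box it reports nothing, which is the difference the screenshot in the post was making.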
Thank you for your continued patronage of Brent's World (An American Expat Living And Working In Korea!). Please continue to visit for more exciting travel and technical blogs!