How to change sshd port on Mac OS X?

Every previous answer is working (as google suggest too), but they are dirty and inelegant.

The right way to change the listening port for a launchd handled service on Mac OS X is to make the changes the dedicated keys available in ssh.plist

So the solution is as simple as to use the port number instead of the service name.

An excerpt from my edited /System/Library/LaunchDaemons/ssh.plist:

    <key>Sockets</key>
    <dict>
            <key>Listeners</key>
            <dict>
                    <key>SockServiceName</key>
                    <string>22022</string>
                    <key>SockFamily</key>
                    <string>IPv4</string>
                    <key>Bonjour</key>
                    <array>
                            <string>22022</string>
                    </array>
            </dict>
    </dict>

Note:

To be able to edit this file on El Capitan, Sierra and probably future versions as well, you need to disable SIP (System Integrity Protection). See How do I disable System Integrity Protection (SIP).

For Catalina, even after disabling SIP, the volumes are unwritable. Use sudo mount -uw / in order to enable writing to /System. Do the change then restore SIP and reboot.

The above edit will also force sshd to listen only over IPV4.

After making any changes to ssh.plist, the file must be reloaded as follows:

sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
sudo launchctl load /System/Library/LaunchDaemons/ssh.plist

Note that using launchctl stop ... and launchctl start ... will NOT reload this file.

The man page with more information can be found by typing man launchd.plist or using this link.

If you want sshd to listen on an additional port, you can add multiple entries to the Sockets dictionary.

Example:

<key>Sockets</key>
<dict>
        <key>Listeners</key>
        <dict>
                <key>SockServiceName</key>
                <string>ssh</string>
                <key>Bonjour</key>
                <array>
                        <string>ssh</string>
                        <string>sftp-ssh</string>
                </array>
        </dict>
        <key>Listeners2</key>
        <dict>
                <key>SockServiceName</key>
                <string>22022</string>
        </dict>
</dict>

From what I read (and experienced) so far, there are three main methods which can be used:

1. change the setting in the ssh.plist file;
2. change the setting in the /etc/services file;
3. change the setting in the /etc/sshd.conf file.

Another way to do it, which I personally by far prefer to all and each of these methods, because it avoids messing around with Mac OS X system files is using socat to redirect port 22 to whichever port you want.

1. Download socat: http://www.dest-unreach.org/socat/download/socat-1.7.3.2.tar.gz
2. Move the tar.gz file to your /usr/local/ directory (sudo mv ./socat-1.7.3.2.tar.gz /usr/local/bin/socat-1.7.3.2.tar.gz)
3. Go to your /usr/local/bin directory (cd /usr/local/bin)
4. Uncompress: sudo tar -xvzf socat-1.7.3.2.tar.gz
5. Move to the uncompressed file directory: cd ./socat-1.7.3.2
6. Run the usual configure, make and make install to install socat (sudo ./configure && sudo make && sudo make install)
7. Redirect port 22 (default ssh) to any port you want (in the following ex., 2222) using the correct option by sending a socat call (sudo socat TCP-LISTEN:2222,reuseaddr,fork TCP:localhost:22)

You're done and your mac os x system files are left unchanged. In addition, this method works not only on Snow Leopard, but on all versions of Mac OS X and also on any machine on which socat may run.

The last thing you need to do if you use a router/firewall is to include the correct redirect commands in your router/firewall.

Also, it avoids getting stuck into the debate whether the ssh.plist method, the services method or the whatever method is better, more elegant or worse than the other.

You may also easily prepare a script that runs at start up to rebuild the socat redirection each you restart your machine. Place this in /Library/LaunchDaemons/com.serverfault.sshdredirect.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.serverfault.sshdredirect</string>
    <key>KeepAlive</key>
    <dict>
        <key>NetworkState</key>
        <true/>
    </dict>
    <key>RunAtLoad</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/socat</string>
        <string>TCP-LISTEN:2222,reuseaddr,fork</string>
        <string>TCP:localhost:22</string>
    </array>
</dict>
</plist>

Use sudo launchctl load -w /Library/LaunchDaemons/com.serverfault.sshdredirect.plist to load it. It'll automatically load on future reboots.

In addition, you can also improve security by (i) setting your firewall to block any connections to your port 22 from any other interface than the loopback (127.0.0.1) and (ii) make a similar change in your sshd.conf file to have ssh listen on the loopback only.

Enjoy.

I couldn't see this documented anywhere properly in a man page, but if you want to do nothing more than add an extra listener, you can use an array of listeners and have an extra dict. This doesn't require editing /etc/services if you use the port directly (but remember to open up the port on your firewall!)

    <key>Listeners</key>
    <array>
    <dict>
        <key>Bonjour</key>
        <array>
            <string>ssh</string>
            <string>sftp-ssh</string>
        </array>
        <key>SockServiceName</key>
        <string>ssh</string>
    </dict>
    <dict>
        <key>SockServiceName</key>
        <string>22222</string>
    </dict>
    </array>