Old Nov 17, 2012, 10:33 AM   #1
Kilamite
macrumors G3
 
Join Date: Mar 2007
Location: Scotland
SSH/SFTP from outside to my Mac

I have a Raspberry Pi and a Mac with SSH enabled. I want to SSH to my Mac from outside; however, I'm having trouble differentiating between my Mac and Raspberry Pi.

If I SSH from the outside using my public IP, my router always relays that onto the Raspberry Pi. I can then tunnel from the Pi to my Mac, but that isn't ideal when I want to SFTP.

I've tried opening up additional ports on my router, one for my Mac's LAN IP and one for the Pi, and SSH using those ports to differentiate between my Mac and Pi but no luck.

Worth mentioning that even with the Pi turned off, I can't SSH to my Mac from the outside.
__________________
15" MacBook Pro 2GHz i7 8GB 750GB Hybrid | Mac mini 2.3GHz i7 16GB 1TB Fusion | OS X 10.10
iPhone 5 64GB | Apple TV 3 1080p | iOS 8
Home Theatre Hackintosh i3 3.5GHz 4GB 6TB | OS X 10.9
Old Nov 17, 2012, 11:19 AM   #2
switon
macrumors 6502a
 
Join Date: Sep 2012
RE: SSH and non-standard ports....

Hi Kilamite,

Depending upon your router, some routers allow you to specify which internal LAN IP address a connection on a particular external port (WAN-Internet) will be directed to. You have to set up the differentiated port forwarding at the router level.

It looks like you have already attempted this non-standard SSH port scheme. Did you edit both the ssh_config and sshd_config files to specify the non-standard ports for the Mac? Can you SSH to your Mac from the outside when using the standard port 22 (obviously with the Pi unplugged)? If not, then you may have a router issue. If so, then you may have a firewall issue on your Mac when using the non-standard port.

I don't have and am not familiar with the Raspberry Pi, but I've done precisely the above non-standard SSH port strategy for SSH-ing to multiple computers on a LAN from the external Internet. Has the Pi reset the configuration on your router to forward everything to itself?

Good luck,
Switon

Last edited by switon; Nov 17, 2012 at 11:25 AM.
Old Nov 17, 2012, 11:38 AM   #3
Kilamite
Thread Starter
macrumors G3
 
Join Date: Mar 2007
Location: Scotland
Thanks for the reply switon.

To make things simpler, I'll use Cyberduck SFTP to test, since it is easier to quickly configure ports (screenshot 2).

I've attached my router settings with port forwarding. I've blocked out the other ports I have open, however, port 22 is open by default.

When I use port 9092 to connect to the Pi, it doesn't work. If I use port 22, it works fine.

EDIT - I noticed I actually had port 22 forwarding to the Pi's IP address (set this up ages ago). I changed that to my Mac's IP and I can now remotely SFTP to my Mac. But using non SSH ports to differentiate between LAN computers still isn't working for me.
Attached thumbnails: Screen Shot 2012-11-17 at 16.27.jpg, Screen Shot 2012-11-17 at 16.36.43.png
Old Nov 17, 2012, 02:01 PM   #4
switon
macrumors 6502a
 
Join Date: Sep 2012
RE: non-standard ports...

Quote:
Originally Posted by Kilamite
EDIT - I noticed I actually had port 22 forwarding to the Pi's IP address (set this up ages ago). I changed that to my Mac's IP and I can now remotely SFTP to my Mac. But using non SSH ports to differentiate between LAN computers still isn't working for me.

Hi Kilamite,

Glad to hear that you can sftp to your Mac when on the standard port 22. So sftp is working. But you can't sftp when on a non-standard port. Unfortunately, I don't use CyberDuck, so I can't answer any questions about that. Rather I use the SSH that comes with Mac OS/Xcode. Does CyberDuck use the same /etc/sshd_config file, or does it have its own? When you look at /etc/sshd_config, is the "#" in front of the "Port xxxx" line missing? The "#" makes the line a comment and thus it is not read. If you edit this file manually, change the "#Port 22" to "Port xxxx". Then restart the SSH daemon. (I don't know how you do this with CyberDuck, so I'm giving you the way I do it using the system's built-in ssh.) Once restarted, the daemon should now be looking for connections on port xxxx. You would then have port xxxx forwarded by your router to your Mac's IP address, and you would "ssh -p xxxx", or however CyberDuck connects on a different port, from your external Mac.

One possible way of tracking this down is to use a packet sniffer (I use wireshark -- free from the MacPorts or Fink projects) on your LAN Mac to see if your ssh packets are properly being forwarded through your router to your LAN Mac. If they are properly forwarded, then you must have a firewall problem with the non-standard port for ssh. You might check if this is the case by switching off your firewall for a minute and performing the test to see if it works without the firewall. If it does, then you know that it's your firewall that is causing the connection problem. Or, if you don't want to switch off your firewall, then turn on firewall logging and look at the log files to see if the ssh packets are being deep sixed by your firewall. If it is your firewall, then you can write a specific rule to allow the non-standard port.

...just some more thoughts...

Good luck,
Switon
Old Nov 17, 2012, 02:26 PM   #5
switon
macrumors 6502a
 
Join Date: Sep 2012
RE: router...

Quote:
Originally Posted by Kilamite
When I use port 9092 to connect to the Pi, it doesn't work. If I use port 22, it works fine.

Assuming that CyberDuck is working correctly, then it sounds like your router may not be forwarding the non-standard ports properly, since the Pi also does not work on non-standard ports...

Personally, I track these problems down with wireshark, but any packet sniffer would work. The WiFi Diagnostics.app from Mac OS has a rudimentary packet sniffer built-in, but I have no experience with it.

Switon
Old Nov 17, 2012, 02:41 PM   #6
switon
macrumors 6502a
 
Join Date: Sep 2012
RE: same protocol? ...

Hi,

I assume that this is not the problem, but it is worth checking. Is CyberDuck using the same protocol when it is on a non-standard port? It should be using Protocol 2.

Switon
Old Nov 17, 2012, 06:53 PM   #7
torid110
macrumors regular
 
Join Date: Jan 2006
Location: Jersey City, NJ
I don't think this will work the way that you have it configured, because SSH is still listening on port 22 on both your devices, which are default ports. You will need to change the configuration on each machine to have SSH start up using the ports that you are listing as the INT port on the router.

See this post:

http://zanshin.net/2012/07/03/change...mac-os-x-lion/
Old Nov 18, 2012, 09:06 AM   #8
switon
macrumors 6502a
 
Join Date: Sep 2012
Non-standard ports...

Hi torid110,

Yes, that is what Kilamite is attempting to achieve: ssh-ing to two different machines on a LAN through a router from the WAN (Internet) by using non-standard ports for one machine and the standard port 22 for the other. The problem is the non-standard port didn't work, so he/she attempted SSH-ing to both machines on the standard port, just to be certain that the ssh server was working on both machines. Once that was verified, then he/she can return to attempt to figure out why the non-standard port does not work. Is it the router's forwarding problem or the machine's firewall, or what?

Thanks for the link....I wonder if upgrading to Lion/ML automatically updates this plist? Since I use MacPorts, I wonder if we are using different ssh/sshd utilities?

Regards,
Switon

Last edited by switon; Nov 18, 2012 at 09:19 AM.
Old Nov 18, 2012, 09:48 AM   #9
torid110
macrumors regular
 
Join Date: Jan 2006
Location: Jersey City, NJ
Switon, yup, got that part. The reason I'm saying that it's not working is because the machines themselves are always listening for SSH connections on port 22, unless you change them. This is independent of the router.

Even if he sets the forward on the router, the machines don't know that they have to listen for SSH connections on the ports he specified on the router.

He can test the following, keep the EXT port what he wants (9901), and change the INT port that it forwards to to 22. If he connects via ssh to WAN-IP port 9901, he will be able to make the connection.
Old Nov 18, 2012, 10:23 AM   #10
switon
macrumors 6502a
 
Join Date: Sep 2012
RE: yes, got that, and thanks...

Hi torid110,

Yup, got that part too. That's why I had asked Kilamite about the sshd_config file; this is the file (old style -- more on this in a moment) that resets the port on the sshd daemon so that the machine is also listening on the non-standard port.

Your link made me realize that I may be using the older Linux version of ssh/sshd, as I'm a relatively new convert to Mac OSX from Linux, and indeed I am using the Linux utilities and not the Mac OSX ones. (I change my ports the old Linux way, which I just retested. And then I switched from the Linux utilities to the Mac OSX OpenSSH utilities, and these are controlled by the ssh.plist. I changed the port on my machines using the ssh.plist so that also works when using the Mac OSX default OpenSSH routines.) Thanks so much for pointing out this link...it didn't cross my mind that I was still using the Linux utilities, although I probably should have remembered this, but I set this up in 2010 and it just hadn't occurred to me.

Thanks again, much appreciated,
Switon

P.S. So, Kilamite, the upshot of this is that you need to make sure that your CyberDuck is altering the ssh port correctly (I assume that CyberDuck is doing the correct thing, but who knows). I don't know how CyberDuck sets its ssh/sshd ports, but you might try reverting to the Mac OSX ssh utilities and testing them by changing their ports using the /etc/services and /System/Library/LaunchDaemons/ssh.plist way. I checked both the old Linux way using Linux utilities that I had downloaded and built, and this worked; and I also checked the Mac OSX OpenSSH utilities using the ssh.plist and /etc/services, and this way also worked --- so you can use non-standard ports for ssh either way. The only thing left to do is for you to make certain that your CyberDuck ssh is also changing the ports correctly. Maybe you have to reboot your machine after changing the port in CyberDuck in order to restart the CyberDuck ssh daemon?

P.P.S. So now the question is, when the next OSX update comes along, 10.8.3(?), will it overwrite ssh.plist or will it do the proper "merge", keeping the non-standard port numbers? I assume that it will do the proper "merge", the way Linux distros do. But if non-standard ssh ports stop working after an upgrade, we'll have to remember to check this.

Last edited by switon; Nov 18, 2012 at 11:44 AM. Reason: Added P.P.S.
Old Nov 18, 2012, 01:41 PM   #11
Kilamite
Thread Starter
macrumors G3
 
Join Date: Mar 2007
Location: Scotland
I've changed the Pi ssh_config to use port 9092 rather than port 22, and rebooted it. Cyberduck is using port 9092 to SFTP to the Pi, however it still isn't working.

So to clarify the setup:

1. The Pi has IP 192.168.1.4 and the router forwards port 9092 to the Pi's IP (TCP and UDP).
2. The Pi's ssh_config file is set to use port 9092 instead of 22.
3. Cyberduck is set to use port 9092 for SFTP.
4. If I use port 22, everything works fine.

Appreciate the help guys!

EDIT: Doh. I edited the ssh_config instead of the sshd_config file.

It all works now!

Thanks for your help.

Last edited by Kilamite; Nov 18, 2012 at 01:51 PM.
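
The check this thread converges on, as an added example (not code from any poster): the router's INT port has to be a port that sshd itself listens on, and on a Linux host such as the Pi that is set in sshd_config (the daemon's file), not ssh_config (the client's). The function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the port sshd listens on with a router forward's INT port.

# Print the ports an sshd_config-format file makes the daemon listen on.
# Commented lines ("#Port 22") are ignored; with no active Port line the
# OpenSSH default, 22, applies. "ListenAddress host:port" is not handled.
sshd_listen_ports() {
    ports=$(awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$1")
    if [ -n "$ports" ]; then echo "$ports"; else echo 22; fi
}

# Succeed only if the router's INT port is one the daemon listens on.
# Usage: check_forward EXT_PORT INT_PORT SSHD_CONFIG
check_forward() {
    ext=$1; int=$2; conf=$3
    for p in $(sshd_listen_ports "$conf"); do
        if [ "$p" = "$int" ]; then
            echo "OK: EXT $ext -> INT $int reaches sshd"
            return 0
        fi
    done
    listening=$(sshd_listen_ports "$conf" | tr '\n' ' ')
    echo "MISMATCH: EXT $ext -> INT $int, but sshd listens on: $listening"
    return 1
}

# Constructed sample files (not taken from the thread's machines).
demo=$(mktemp -d)
printf '#Port 22\nProtocol 2\n'  > "$demo/sshd_config.default"  # daemon file never edited
printf 'Port 9092\nProtocol 2\n' > "$demo/sshd_config.moved"    # daemon file edited

# Forward 9092 -> 9092 while only the client's ssh_config was edited: fails.
check_forward 9092 9092 "$demo/sshd_config.default" || true
# torid110's test: keep EXT 9092 but forward to INT 22: works.
check_forward 9092 22 "$demo/sshd_config.default"
# After editing sshd_config and restarting the daemon: works.
check_forward 9092 9092 "$demo/sshd_config.moved"
```

On OS X with the built-in OpenSSH, the listening port comes from ssh.plist and /etc/services as described in the thread, so this parser applies only to hosts whose daemon reads its port from sshd_config.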
Old Nov 18, 2012, 03:48 PM   #12
switon
macrumors 6502a
 
Join Date: Sep 2012
RE: sshd_config...

Great! Glad it all works now.

So CyberDuck and the Pi use the sshd_config file, like my old Linux distros, instead of the Mac OSX way!

Regards,
Switon

P.S. I just switched from my Linux ssh utilities to the Mac OSX OpenSSH utilities. I'm thinking I might switch back since I'm more familiar with the ssh_config and sshd_config way of setting parameters.
Old Nov 18, 2012, 04:11 PM   #13
torid110
macrumors regular
 
Join Date: Jan 2006
Location: Jersey City, NJ
Glad to hear it's working!
Old Nov 18, 2012, 04:15 PM   #14
Kilamite
Thread Starter
macrumors G3
 
Join Date: Mar 2007
Location: Scotland
Quote:
Originally Posted by switon
So CyberDuck and the Pi use the sshd_config file, like my old Linux distros, instead of the Mac OSX way!

Well CyberDuck lets you specify the port you want to connect using, and the Pi will refuse anything that isn't on that port.

The Pi uses sshd_config because it runs Linux.

Not sure what you mean by the Mac OS X way in this sense since they aren't relating to OS X!
Old Nov 18, 2012, 10:07 PM   #15
switon
macrumors 6502a
 
Join Date: Sep 2012
RE: plists....

Quote:
Originally Posted by Kilamite
Well CyberDuck lets you specify the port you want to connect using, and the Pi will refuse anything that isn't on that port.

The Pi uses sshd_config because it runs Linux.

Not sure what you mean by the Mac OS X way in this sense since they aren't relating to OS X!

Hi Kilamite,

By "Mac OS X way" I mean the way the Mac OS X uses ssh.plist to specify the parameters for ssh. For instance, in ssh.plist you tell OpenSSH to use the ports with a specific label in the /etc/services file. The Linux way is to specify the "Port xxxx" command in the /etc/sshd_config file. Both are unix, but the Mac OS X is getting away from the "old" way and is rather using plists to do much of its configurations.

Switon