Have you ever left home without your MacBook, got to where you are going only to discover that you need some files on that laptop?
Well, it has happened to me more than once.
In such instances, I either had to wait till I got back to where my MacBook was or hope that I had a copy somewhere in the cloud.
In this article, we will be discussing one of the ways to enable remote access to your macOS devices from anywhere by using the native SSH server built into this operating system.
Not only is this useful for accessing and copying files remotely, but it can also be used for troubleshooting purposes where a system administrator remotely logs into your Mac to help resolve an issue.
Note: SSH is short for Secure Shell.
MacOS SSH Remote Access
There are a couple of ways to access a macOS device or its content remotely including:
- Screen Sharing (can only share screens with other Macs)
- File Sharing (available to any device on the network)
- Remote Login (any device can SSH, SFTP, SCP to your Mac)
- Remote Management (i.e. remote desktop)
- Third-party tools like TeamViewer
In this article, we will be discussing the Remote Login feature which basically turns your Mac into an SSH server.
This may come as a surprise for many people because they are familiar with using the SSH client on their Mac to connect to other servers but not vice versa.
For example, I can use SSH from my Mac terminal to connect to one of my servers:
Tip: The command to open an SSH connection to another device is ssh <username>@<device_ip_address>
The same way we can use the SSH client on the Mac, we can also allow other users to connect to the Mac using the Remote Login feature.
As mentioned above, the Remote Login feature on macOS enables a Mac to act as an SSH server and accept remote connections, just like most Unix operating systems.
However, it does more than that: with Remote Login enabled, you can use SSH to securely access the shell on the Mac and also use SFTP or SCP to securely transfer files to and from it.
Note: The screenshots in this article are based on macOS 10.14.5. However, the steps should be similar for other macOS devices.
How to Enable Remote Login
By default, Remote Login is disabled on macOS. You can check the Remote Login setting on your Mac by opening System Preferences and going to Sharing:
Alternatively, you can check if Remote Login is enabled from the command line by using the command:
sudo systemsetup -getremotelogin
Note: You must run this command with elevated privileges (sudo).
From the GUI, enabling Remote Login is as simple as checking the box and specifying the users that should be able to connect remotely.
As we will discuss in the “Security considerations” sub-section below, depending on your particular scenario, it may be advisable to only allow “standard” accounts to connect remotely versus “administrator” accounts.
For this article, I will use my default administrator account since I understand the risks (and will be turning it off).
Once you enable Remote Login, the GUI will show “On” and it will also tell you what command to use to access the Mac including the username and IP address.
In my case, my Mac is connected to a Wi-Fi network and my assigned IP address is 192.168.1.9.
Hint: You can use the sudo systemsetup -setremotelogin on|off command to either enable or disable Remote Login from the command line.
Test Remote Login
The easiest and quickest way to test your configuration is by opening a terminal on the Mac and trying to log in to the Mac itself over SSH.
The reason this is useful is that if you cannot successfully connect locally, then users will not be able to connect over a network.
Since this is the first time connecting to this host, SSH will ask whether you want to continue connecting: it has no record of the host's key fingerprint yet, so it cannot verify whether you are connecting to the real host or a fraudulent one.
If you decide to continue (i.e. you have verified the fingerprint), you will then enter the password for that user account.
This will basically be the same password you use when logging into your Mac normally.
Hint: You can use “exit” to end the SSH session.
Remote Login over Local Network
Now that we have tested that Remote Login works, let’s see if it works from another device on the local network. This is the real benefit of REMOTE login.
For my test, I have installed an SSH client on my phone (which is also on the same Wi-Fi network as my Mac) and configured my Mac as a host:
I will initiate the connection now:
Using the who command, I can see who is logged on and from which IP address. Cool! It works.
Remote Login over Internet
So far, we have seen that we can log in remotely from the Mac itself and from a device that is on the same local network.
What if we want to access the Mac over the Internet? Basically, the Mac doesn’t really care where the “remote” access is coming from.
However, the most likely scenario is that the Mac connects to the Internet via a router or firewall. This means that whatever configuration to allow Remote Login to the Mac over the Internet needs to be done on that edge router or firewall.
This will typically involve some sort of NAT or Port forwarding.
The way you set up NAT/port forwarding will depend on your device but the basic details you require are:
- Local IP address of Mac e.g. 192.168.1.9
- Local port e.g. TCP port 22 is the default for SSH
- Public IP address e.g. the IP address you want Internet users to connect through. If using port forwarding, you can share the same IP address as the router/firewall. If you don’t know your public IP address, just google “what is my ip”.
- Public port e.g. TCP port 22 or whatever port you want users to connect on. For security reasons, you may choose to use a different port than 22. This is a form of "security through obscurity", which is considered a weak form of security.
In my case, I will be using port forwarding on port 2222.
I have also added the host on my phone’s SSH client:
For this test, I will disconnect my phone from the Wi-Fi network and connect using my 4G network.
Note: In the unlikely scenario that your Mac is connected directly to the Internet, you would not need NAT or Port forwarding.
However, if you have a firewall, you will need to add rules allowing connections over SSH (default port 22).
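Once the Mac is reachable from the Internet, the `who` check above only shows current sessions; the sshd log shows who tried and failed. The following is an added example (not from the original article) that summarises sshd's "Accepted"/"Failed password" messages over a constructed, simplified sample; on macOS the real messages are read with `log show --predicate 'process == "sshd"'`, and the timestamps, usernames and IP addresses below are made up.

```shell
#!/bin/sh
# Constructed sample in the message format OpenSSH's sshd logs (timestamp
# prefix simplified; on macOS read the real entries with
# log show --predicate 'process == "sshd"' --last 1h). Names/IPs are made up.
SAMPLE_LOG='2019-06-20 10:15:32 sshd[512]: Accepted password for mac_user from 192.168.1.20 port 51234 ssh2
2019-06-20 10:16:01 sshd[530]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
2019-06-20 10:16:03 sshd[530]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
2019-06-20 10:16:05 sshd[531]: Failed password for root from 203.0.113.5 port 40002 ssh2
2019-06-20 10:16:09 sshd[532]: Failed password for mac_user from 203.0.113.5 port 40003 ssh2
2019-06-20 10:20:44 sshd[540]: Failed password for mac_user from 192.168.1.20 port 51300 ssh2
2019-06-20 10:20:50 sshd[540]: Accepted password for mac_user from 192.168.1.20 port 51300 ssh2'

# Count failed password attempts per source address; prints "count ip" lines,
# highest count first.
failed_by_ip() {
  printf '%s\n' "$SAMPLE_LOG" |
    awk '/Failed password for/ { for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Print the source addresses with at least <threshold> failures (default 3),
# i.e. the ones worth blocking at the router/firewall.
noisy_sources() {
  threshold="${1:-3}"
  failed_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# List successful logins as "user ip method" (method = password or publickey).
accepted_logins() {
  printf '%s\n' "$SAMPLE_LOG" |
    awk '/Accepted (password|publickey) for/ {
           for (i = 1; i <= NF; i++) if ($i == "for")  { u = $(i+1); m = $(i-1) }
           for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
           print u, ip, m }'
}

echo "Failed attempts per source:";     failed_by_ip
echo "Sources at or above threshold:";  noisy_sources 3
echo "Successful logins:";              accepted_logins
```

Replace `SAMPLE_LOG` with the output of `log show` piped in to run this against a real Mac; a source that keeps failing against several usernames is the pattern to look for once port forwarding is in place.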
SFTP and SCP
With Remote Login enabled, you can also transfer files to and from the Mac using SFTP or SCP. This can be done from the command line or using a client. For example, I installed an SFTP/SCP client on my phone and used it to connect to my Mac:
Security Considerations
Let us discuss some security issues to consider in relation to Remote Login:
- From a security standpoint, the best practice is to disable unnecessary services. Therefore you need to ask yourself: “Do I really need remote login enabled?” For most people who use their Mac for personal use, the answer will likely be “No”. This may be different for enterprise users.
- If you decide to enable Remote Login, it will be more secure to specify the users who have access to this feature rather than enabling it for all users.
- Even when you specify the users who should have access to Remote Login, you should probably only enable it for standard accounts and not administrator accounts. This will limit security incidents to that user’s account as opposed to all users on the Mac.
- Enabling Remote Login for use over the Internet comes with its own security challenges because malicious users now have a direct path to get to your Mac/network. Firewalls and Access Control Lists (ACLs) will be useful in cases like this.
- You may want to change the default port on which the SSH server listens. This will only deter basic attackers, as a simple port scan will probably identify the new SSH port. You can look here for options on changing the default SSH port on macOS.
- Finally, you can read this Apple support article on ways to make your Mac more secure.
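The considerations above (restrict who may log in, change the port, and generally expose as little as possible) map onto a handful of directives in the Mac's /etc/ssh/sshd_config. The following is an added example, not from the original article, that audits a config for those directives; both configs embedded in it are constructed samples, not a real Mac's file.

```shell
#!/bin/sh
# Audit an sshd_config for the settings the security considerations touch on.
# Both configs are constructed samples; on macOS the live file is
# /etc/ssh/sshd_config (read it with sudo and pipe it into audit_sshd_config).
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

HARDENED_CONFIG='Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers mac_user'

# Read a config on stdin and print the effective value of one directive:
# sshd uses the first occurrence, keys are case-insensitive, comments ignored.
sshd_get() {
  awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == k { print $2; exit }'
}

# Print one line per finding; prints nothing when the config passes.
# Note: the Sharing pane's "Only these users" list is enforced by macOS
# through the com.apple.access_ssh group, not via AllowUsers, so the
# AllowUsers finding means "no restriction at the sshd_config level".
audit_sshd_config() {
  cfg="$(cat)"
  [ "$(printf '%s\n' "$cfg" | sshd_get PermitRootLogin)" = "no" ] ||
    echo "PermitRootLogin is not 'no'"
  [ "$(printf '%s\n' "$cfg" | sshd_get PasswordAuthentication)" = "no" ] ||
    echo "PasswordAuthentication is not 'no' (prefer key-based login)"
  allow="$(printf '%s\n' "$cfg" | sshd_get AllowUsers)$(printf '%s\n' "$cfg" | sshd_get AllowGroups)"
  [ -n "$allow" ] || echo "no AllowUsers/AllowGroups: every account may log in"
  port="$(printf '%s\n' "$cfg" | sshd_get Port)"
  [ -n "$port" ] || port=22   # sshd's default when the directive is absent
  [ "$port" != "22" ] || echo "Port 22 in use (changing it only deters basic scans)"
}

echo "weak config:";     printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config
echo "hardened config:"; printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config
```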
This brings us to the end of this article where we have seen how to enable remote access (via SSH, SFTP, and SCP) to a Mac.
This relies on the Remote Login feature and can be useful for file transfer and troubleshooting scenarios.
We looked at various access scenarios including locally (from the Mac itself), over the local network, and over the Internet.
Finally, we discussed some security considerations for this feature.
Knowing what you know now, is the Remote Login feature useful for you? Will you be enabling it? Let us know.