macOS has an OpenSSH server built in — disabled by default. Turning it on takes a single Settings toggle, but the production-shaped recipe involves keys, a hardened config, and (optionally) a port move to cut log noise.
Prerequisites
- macOS 12 Monterey or newer with an admin account.
- A workstation with an Ed25519 SSH key ready.
Step 1: Enable Remote Login
Two paths — pick one:
GUI: System Settings → General → Sharing → Remote Login → toggle on.
CLI:
sudo systemsetup -setremotelogin on
sudo systemsetup -getremotelogin
By default this enables key + password auth on port 22.
Step 2: Push your SSH key
From your workstation:
ssh-copy-id you@mac.local
If ssh-copy-id is missing on the source machine:
cat ~/.ssh/id_ed25519.pub | ssh you@mac.local "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
Then verify:
ssh -o PasswordAuthentication=no you@mac.local whoami
Step 3: Harden sshd_config
/etc/ssh/sshd_config.d/99-skyline.conf:
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
macOS uses launchd, not systemd. Reload sshd by toggling Remote Login:
sudo systemsetup -setremotelogin off
sudo systemsetup -setremotelogin on
Or, directly:
sudo launchctl bootout system /System/Library/LaunchDaemons/ssh.plist 2>/dev/null
sudo launchctl bootstrap system /System/Library/LaunchDaemons/ssh.plist
Before reloading, validate the syntax (a broken config is not loaded, and a drop-in that never loads leaves the defaults in place):
sudo /usr/sbin/sshd -t
Step 4: Restrict who can SSH
By default any administrator can log in via SSH. To restrict to specific users:
sudo dseditgroup -o create -q com.apple.access_ssh
sudo dseditgroup -o edit -a yourusername -t user com.apple.access_ssh
System Settings now shows "Allow access for: Only these users".
Step 5: Optionally move SSH off port 22
Cuts brute-force log noise. Edit /etc/ssh/sshd_config.d/99-skyline.conf:
Port 2222
Note that on macOS launchd, not sshd, owns the listening socket (the socket is declared in ssh.plist and sshd is started per connection), so after reloading confirm which port is actually bound (see Verify) rather than assuming the Port directive alone took effect.
Reload sshd (Step 3 commands). There is no port to open: the macOS Application Firewall is app-based, not port-based, so as long as sshd is allowed (it is by default) the new port is reachable. If the firewall is not already enabled, turn it on:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
Step 6: Use SSH config aliases for daily ops
~/.ssh/config on your workstation:
Host mac
HostName mac.local
User ops
Port 2222
IdentityFile ~/.ssh/id_ed25519
ServerAliveInterval 30
ssh mac
Verify
sudo /usr/sbin/sshd -t # syntax
sudo launchctl print system/com.openssh.sshd | head
sudo log show --predicate 'process == "sshd"' --last 1h | tail -20
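As an added check that is not part of the original guide: the script below compares the configuration sshd actually reports with the Step 3 baseline, so a drop-in that failed to load is caught rather than assumed. The two sample dumps inside it are constructed; on a real Mac, feed it the output of sudo /usr/sbin/sshd -T as the comment shows.

```shell
#!/bin/sh
# Audit the effective sshd configuration against the Step 3 baseline.
# Input is the output of `sudo /usr/sbin/sshd -T`: every option lowercased as
# "key value", Include files already resolved, so a drop-in that never got
# loaded shows up as a mismatch.
# On the Mac: sudo /usr/sbin/sshd -T >/tmp/sshd-T.txt; audit_sshd_config /tmp/sshd-T.txt

# Expected values, mirroring /etc/ssh/sshd_config.d/99-skyline.conf
# (challengeresponseauthentication is an alias of kbdinteractiveauthentication
# in current OpenSSH, so it is not checked separately).
BASELINE="permitrootlogin=no passwordauthentication=no
kbdinteractiveauthentication=no pubkeyauthentication=yes
permitemptypasswords=no maxauthtries=3 logingracetime=30 x11forwarding=no"

# audit_sshd_config FILE: prints one line per deviation; returns 0 only if clean.
audit_sshd_config() {
  cfg=$1; rc=0
  for pair in $BASELINE; do
    key=${pair%%=*}; want=${pair#*=}
    # Value of the last occurrence of the key, empty if the key is absent.
    got=$(awk -v k="$key" '$1 == k { v = $2 } END { print v }' "$cfg")
    if [ -z "$got" ]; then
      echo "MISSING  $key (want $want)"; rc=1
    elif [ "$got" != "$want" ]; then
      echo "MISMATCH $key=$got (want $want)"; rc=1
    fi
  done
  # Informational: the port sshd believes it serves (relevant to Step 5).
  awk '$1 == "port" { print "INFO     port=" $2 }' "$cfg"
  return $rc
}

# audit_sample TEXT: audit an in-memory dump (\n-separated) via a temp file.
audit_sample() {
  f=$(mktemp); printf '%b\n' "$1" >"$f"
  audit_sshd_config "$f"; rc=$?
  rm -f "$f"; return $rc
}

# Constructed sample (not a dump from a real Mac): Step 3 drop-in loaded.
HARDENED_SAMPLE='port 2222\npermitrootlogin no\npasswordauthentication no\n'\
'kbdinteractiveauthentication no\npubkeyauthentication yes\npermitemptypasswords no\n'\
'maxauthtries 3\nlogingracetime 30\nx11forwarding no'

# Constructed sample: upstream OpenSSH defaults, i.e. the drop-in was never loaded.
DEFAULT_SAMPLE='port 22\npermitrootlogin prohibit-password\npasswordauthentication yes\n'\
'kbdinteractiveauthentication yes\npubkeyauthentication yes\npermitemptypasswords no\n'\
'maxauthtries 6\nlogingracetime 120\nx11forwarding no'
```

Run audit_sample "$DEFAULT_SAMPLE" to see the five MISMATCH lines an unhardened host produces; a clean host prints only the INFO port line and exits 0.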
Conclusion
OpenSSH on macOS is the same battle-tested daemon you know from Linux, with a slightly different reload story (launchd, not systemd). Key-only access + a group restriction + an optional port move is enough hardening for any small fleet.
Next steps
- Manage scheduled tasks via launchd / launchctl.
- For package management see Homebrew on macOS.
- Apply parallel hardening on Linux via Ubuntu SSH + UFW + Fail2ban.