10.4: Stop Bonjour from broadcasting ssh/sftp, plus...

While looking for a way to disable Apple Remote Desktop and other services from the command line, I happened to be in /System » Library » LaunchDaemons. In my boredom, I opened ssh.plist in that directory, and find that Bonjour is a key. Anyway, skipping a long explanation and some inevitable tinkering, I figured out how to stop Bonjour from pointing out to the world (or at least my local network) that I have ssh enabled.

Be warned that while I have had no problems, I can not insure that you will not. This hint edits a system file, and messes with Bonjour, so think before you act. It also may take a system restart, in addition to undoing this hint, to re-enable Bonjour broadcasting of ssh and sftp. I would make a backup of /System » Library » LaunchDaemons » ssh.plist first, as we will be be deleting two strings from that file. (When I tried commenting them out, they disappeared after I stopped and restarted ssh.)

After you've made your backup, here's one way to edit the file:

sudo vi /System/Library/LaunchDaemons/ssh.plist

In the editor, delete these two lines:

<string>ssh</string>
<string>sftp-ssh</string>

They should be found around lines 22 and 23. Save the file and quit the editor. Then go to System Preferences » Sharing » Services, unlock it, disable Remote Login, and final re-enable Remote Login. You can check if things worked by using Bonjour Browser or some such similar app to be sure ssh/sftp no longer show up.

Lastly, to explain the plus in the hint title: A simple grep -ir bonjour . showed that eppc.plist, ftp.plist, and telnet.plist also had the Bonjour key. I don't use them myself, so this same trick may or may not work for those services, too.

From our Sponsor...

The macosxhints Poll

What version of OS X are you running as your main OS?

10.4: Stop Bonjour from broadcasting ssh/sftp, plus... | 8 comments | Create New Account

Click here to return to the '10.4: Stop Bonjour from broadcasting ssh/sftp, plus...' hint

The following comments are owned by whomever posted them. This site is not responsible for what they say.

two notes i left out
Authored by: delight1 on Mon, Jun 25 2007 at 8:37AM PDT

it appears that "ssh user@your-computer-name.local" still works, not that it shouldn't (i thought it might not). maybe that is because" _workstation._tcp." is still up?

and since i didn't say this explicitly: Bonjour IS still up and running, it just doesn't do broadcast your ssh service.

10.4: Stop Bonjour from broadcasting ssh/sftp, plus...
Authored by: jolinwarren on Mon, Jun 25 2007 at 8:47AM PDT

Note that this will presumably stop your computer broadcasting itself to SFTP clients, too. SFTP is essentially the same as SSH but the client handles all the commands to make it look like you're accessing a 'normal' FTP server. I don't have any particular use for SSH to be broadcast over the LAN with Bonjour, but it is useful for me to have my SFTP server broadcast using Bonjour.

can't have one without the other.
Authored by: klktrk on Mon, Jun 25 2007 at 11:34AM PDT

"I don't have any particular use for SSH to be broadcast over the LAN with Bonjour, but it is useful for me to have my SFTP server broadcast using Bonjour."

Of course, obversely, if you're broadcasting SFTP access, you *are* already implicitly broadcasting SSH access. You can't broadcast one without at least implying the other. So if you want to hide one, you have to hide both, and that is, indeed, how this hint will work.

---
The Apotek
http://theapotek.com
The Executioner's Summary:
http://www.last.fm/label/Broken+Hill+Music/playlists/6761?autostart

can't have one without the other.
Authored by: delight1 on Mon, Jun 25 2007 at 2:12PM PDT

so you can not disable ssh in its config file, and still have sftp work? *doesn't use stfp*

10.4: Stop Bonjour from broadcasting ssh/sftp, plus...
Authored by: mmnw on Mon, Jun 25 2007 at 8:54AM PDT

You could also use a launchd editor like Lingon to stop advertising via Bonjour. Just open Lingon, switch to the "System Daemons" Tab and edit the daemons you like, i.e. "com.openssh.sshd" which would be the ssh-daemon. The bonjour options are at the bottom of the "Sockets" tab. You can disable it at all or just remove (or even add) the entries you like.
Afterwards you can even stop and restart the ssh daemon via Lingon.
I guess that is the safer method for inexpirienced user than deleting lines from the plist-file (also it does the same).
Note: Lingon will ask for administrator-privileges several times, of course you will need these to perform the changes.

This does not enhance security
Authored by: paulio on Mon, Jun 25 2007 at 9:04AM PDT

All it does is stop Bonjour from advertising the availability of SSH/SFTP. Bonjour allows someone non technical to know that the services are there. This does not turn off SSH/SFTP services. Without Bonjour, all that is needed is a port scanner to discover the availability of these services.

This does not enhance security
Authored by: delight1 on Mon, Jun 25 2007 at 9:09AM PDT

i do realize this (not that it isn't good to mention).

i just dislike Bonjour my self, and wish to stop my broadcasting, while still being able to see others'

10.4: Stop Bonjour from broadcasting ssh/sftp, plus...
Authored by: delight1 on Thu, Jun 19 2008 at 9:30AM PDT

i can confirm that this works with 10.5 too

Hint Options

Search

From our Sponsor...

User Functions

What's New:

Hints

Comments last 2 days

Links last 2 weeks

What's New in the Forums?

The Editor's Corner...

Hints by Topic

News from Macworld

The macosxhints Poll