macOS Adaptive Firewall

After that last post on enabling SSH back to my iMac, I realized I should do a little more research into security precautions. I stumbled onto information about the macOS Server Adaptive Firewall.

Enabling it couldn’t be much easier. It’s two commands: the first self-configures the firewall, and the second starts it:

sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -c
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f

krypted.com has a more thorough explanation of how to use the Adaptive Firewall, but I feel a little better knowing it’s running.

SSH to Mac

I’ve taken a bold step: I’ve enabled SSH back to my home computer.

Enable SSH in macOS Server -> Settings

For OPSEC, I’ve disabled all authentication methods except public key, in the hope that I can have a secure, reliable SFTP connection to my home machine from anywhere.

To make this change:

  1. I added my public key to ~/.ssh/authorized_keys
    • You can run this command: ssh-copy-id -i ~/.ssh/id_rsa.pub username@ip.add.ress.here
    • …or just append the contents of ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on the Mac
  2. I enabled Remote Login in System Preferences
  3. To disable password-based authentication, I edited /etc/ssh/sshd_config with these changes:
    • ChallengeResponseAuthentication no
    • PasswordAuthentication no
    • UsePAM no¹

That tutorial also recommends setting KbdInteractiveAuthentication no, but according to ssh.com:

Specifies whether keyboard-interactive authentication is allowed. By default, the value of ChallengeResponseAuthentication is used.

Since it takes the value of ChallengeResponseAuthentication by default, I haven’t specified a value for KbdInteractiveAuthentication.

After making these changes, it’s important to restart ssh:

sudo launchctl stop com.openssh.sshd
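One thing worth checking after steps 1–3 is that the new lines actually take effect: sshd uses the first value it sees for a keyword, so a `PasswordAuthentication no` appended below a stock `PasswordAuthentication yes` is silently ignored. This is an added example (not code from the post or from OpenSSH) that reads an sshd_config-style text, applies first-occurrence-wins and the KbdInteractiveAuthentication fallback quoted above, and reports whether password logins are really off; the two sample configs are constructed.

```python
"""Check whether an sshd_config really disables password logins.
sshd uses the FIRST value given for a keyword (later duplicates are ignored),
keywords are case-insensitive, and lines under a Match block are conditional.
"""
import re

# OpenSSH built-in defaults for the keywords involved.
DEFAULTS = {"passwordauthentication": "yes", "challengeresponseauthentication": "yes",
            "pubkeyauthentication": "yes"}

def global_settings(config_text):
    """Return {keyword: first value} from the global section of an sshd_config."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # everything from here on applies only to matching connections
        settings.setdefault(key, value)  # first occurrence wins, later ones ignored
    return settings

def effective(settings, key):
    """Effective value of a keyword, applying the documented fallbacks."""
    if key == "kbdinteractiveauthentication" and key not in settings:
        # Documented default: "the value of ChallengeResponseAuthentication is used".
        return effective(settings, "challengeresponseauthentication")
    return settings.get(key, DEFAULTS.get(key))

def password_logins_disabled(config_text):
    """True only if every non-key login path the post turns off is really off."""
    s = global_settings(config_text)
    return (effective(s, "passwordauthentication") == "no"
            and effective(s, "challengeresponseauthentication") == "no"
            and effective(s, "kbdinteractiveauthentication") == "no"
            and effective(s, "pubkeyauthentication") == "yes")

# Constructed samples: the post's lines appended below a stock "yes" line, and alone.
BROKEN = "PasswordAuthentication yes\nChallengeResponseAuthentication no\nPasswordAuthentication no\nUsePAM no\n"
HARDENED = "ChallengeResponseAuthentication no\nPasswordAuthentication no\nUsePAM no\n"

if __name__ == "__main__":
    print("broken:", password_logins_disabled(BROKEN))      # False
    print("hardened:", password_logins_disabled(HARDENED))  # True
```

On the live machine, `sudo sshd -T` prints the configuration sshd will actually use and is the authoritative version of this check.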

If it looks like I’ve done something foolish, please let me know!

  1. This isn’t called out in that tutorial, but disabling PAM seems like the most prudent thing here.