Having used Mac OS X Leopard (Singapore, Australia) for the last few days on my MacBook Pro I’ve discovered many changes in security from OS X Tiger and earlier releases including some genuine surprises that threw me off guard! I’m posting what I’ve discovered here in the hopes it may be useful to other people.
- NetInfo Manager is gone
- A cursory glance at the Utilities folder will show NetInfo Manager has ceased to exist, like a certain Monty Python parrot. Some of the user specific features have been relegated to a very sneakily hidden menu in the Users panel of System Preferences.

If you want to change the UID or default shell assigned to a user for example, right click or CTRL click on the name of the user and click “Advanced Options” in the popup menu.
- Firewall has moved
- The Firewall has been moved in System Preferences from the “Sharing” panel to the “Security” panel. Reading comments on forums a lot of people are angry about this, but to me it makes perfect sense!
- Firewall has been dumbed down
- Aside from a crude menu that lets you add generic “.app” programs, there is no way now to create your own custom rules, port number assignments, UDP/TCP or anything whatsoever. I guess it’s back to the command line to configure these things.
- Higher SSH encryption by default
- If you open the /private/etc/sshd_config configuration file, Leopard ships with level 2 SSH security and without the option of falling back to level 1 like previous versions. This is a welcome change.
- Graphically impossible to change your SSH port
- But therein lies a problem! If you change your SSH listening port in your aforementioned sshd_config for obfuscation reasons, in the Leopard Firewall System Preferences pane there is no way whatsoever to open that SSH port because you’re limited to only creating generic rules based on .app’s and the Services you start in the “Sharing” panel; which will turn on port 22.
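To check the two SSH settings above on a given machine, here is an added example (not part of the original post) that reads an sshd_config file and reports its Protocol and Port keywords, which are the settings behind the "level 2" and listening-port items. The function names and the sample file are assumptions made for illustration.

```sh
#!/bin/sh
# sshd_values KEYWORD FILE: print every value set for KEYWORD, in file order.
# Keywords are case-insensitive; lines starting with "#" are comments.
sshd_values() {
    awk -v want="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(want) { print $2 }
    ' "$2"
}

# audit_sshd FILE: print one finding per line; return 1 if anything needs review.
audit_sshd() {
    rc=0
    # sshd keeps the first Protocol line it reads; later ones are ignored.
    proto=$(sshd_values Protocol "$1" | head -n 1)
    case "$proto" in
        2)  echo "OK: Protocol 2 only" ;;
        "") echo "REVIEW: Protocol not set, sshd's built-in default applies"; rc=1 ;;
        *)  echo "WARN: Protocol $proto allows SSH protocol 1"; rc=1 ;;
    esac
    # Port may be given several times; with no Port line sshd uses 22.
    ports=$(sshd_values Port "$1")
    for p in ${ports:-22}; do
        if [ "$p" = 22 ]; then
            echo "OK: Port 22"
        else
            echo "REVIEW: Port $p is not 22, so it needs its own firewall rule"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config (not taken from a real machine).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
protocol 2
#Port 22
Port 2222
Protocol 2,1
EOF
audit_sshd "$sample" || true
rm -f "$sample"
```

On a real system, pass the path of the configuration file instead of the sample, for example `audit_sshd /private/etc/sshd_config`.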
So some welcome security changes in Leopard, and you’ve got to hand it to Apple for trying to make configuring security more streamlined, but I’m disappointed that in doing so so much functionality has been lost. Hopefully Apple (or perhaps even a third party) will address the legitimate need to create custom Firewall permissions soon.
If I’ve made any mistakes or you have anything to add, please post a comment. Cheers ^^.



3 Comments
This is false, one can change the ssh port by the same method as in 10.4. I’ve got it working.
FIRST turn on ssh in Sharing. This rewrites /etc/ssh.plist; note the changes. NOW further patch /etc/services and /etc/ssh.plist to move the port.
What I’m having trouble with in ONE direction between my Macs has to do with sshd_config.sh (I had to be searching for something when I found your page) and the dreaded
Permission denied (publickey,keyboard-interactive)
message, which googles about 30,000 hits. Not the friendliest software, ssh. But you’re mistaken, getting the port to move is just a matter of sequencing the ops right.
@Dave
Thank you for taking the time to post such a detailed response :). I stand by my original statement that the Leopard Firewall software makes securing the default SSH settings far more difficult than in Tiger, but I stand corrected in my conclusion that it’s not possible.
I agree, I can think of somewhat more friendly software than SSH! But it’s still the best for the job, right? (To think last week I was talking to a friend who still uses TELNET to access his Linux box, how frightening!)
I’m certainly a couple notches behind on advanced user issues, but since I got a new Macbook with 10.5:
I can no longer use Terminal and ssh into our web server to simply run an unzip command where I upload large batches of folders files as one big archive.zip chunk.
Here is paste of the steps that used to work:
Open Terminal Window as first step.
Last login: Wed May 31 17:59:14 on ttyp1
Welcome to Darwin!
[User-Name-G4:~] barrettb% ssh username@domain.com
username@domain.com’s password: ********
Last login: Wed May 31 18:01:34 2006 from SNIP
username@hd1:~#
Additionally I can receive mail from most all my accounts, but can send.
Trust me I’ve verified everything tangible including calling mailserver on different valid ports ! arrrggghhhh
http://discussions.apple.com/thread.jspa?messageID=6895109#6895109