0

I, for some reason, cannot seem to find a Google search which actually answers this question. I have a Mac, and I would like to have the ssh daemon running in the background at all times, so I can ssh in from other machines whenever I need to. Currently, I can enable ssh by going to System Preferences > Sharing > Remote Login, and checking the box to turn on the service. I am able to ssh in successfully. However, after enabling it, the ssh service automatically disables itself after I disconnect from my ssh session. I enable the service through the Mac, connect via ssh from another machine, disconnect, and then check the Mac settings to find ssh disabled. Additionally, I believe my Mac will automatically terminate ssh after a period of time, either from the machine going to sleep, or from a timeout; I haven't figured out the trigger yet.

How can I make it so the ssh daemon is PERMANENTLY enabled? I want the equivalent of systemctl enable sshd for mac. I want the ssh daemon to start on boot, and remain running while the machine is on without timing out or shutting down when a user disconnects.

I am currently running macOS Monterey 12.6.

EDIT: To clarify based on comments received, I can login via ssh if I enable Remote Login in system preferences. This is the default ssh that was installed when I received the Mac, and I do not believe there is any MDM software installed on the Mac other than Computrace. My account is an admin, as Remote Login is restricted to only allow Administrators, and I have sudo access as well.

I have done some more testing and I cannot seem to reliably reproduce the issue where Remote Login disables itself after I connect and disconnect over ssh, but it has for a fact happened. Just prior to posting this question, I enabled Remote Login via System Preferences, connected to the Mac via ssh, closed that connection, and then checked via System Preferences again to find Remote Login no longer checked.

It seems that, in addition to randomly turning off, the Remote Login service is disabled when the Mac goes to sleep. I have had an ssh session get disconnected before, but I wonder if perhaps that was a separate issue, perhaps a Wi-Fi mishap, as I was just now able to connect over ssh, and then while connected, disable Remote Login without terminating the existing ssh connection.

Thank you for the tip about launchctl. I can see via launchctl now that sshd creates a new process when a connection is attempted. However, when Remote Login is disabled, or becomes disabled of its own accord, the com.openssh.sshd process is not existent, and therefore does not create a subprocess to handle the connection.

% sudo launchctl list | grep ssh
-   0   com.openssh.sshd
90388   0   com.openssh.sshd.43C47EF8-F4FF-49E2-BBD9-96D87190B91B
8
  • I am not quite clear here. If you login in from another machine via ssh can you do so or is it that you can't. Disconnection is a different issue.
    – mmmmmm
    Commented Apr 17, 2023 at 17:10
  • Just to make sure we’re on the same page here…are you saying that the SSH daemon disables itself when you close/kill an SSH session? A couple of follow on questions: are you an Admin and is your Mac being managed centrally with MDM software (by an IT department or similar)?
    – Allan
    Commented Apr 17, 2023 at 17:11
  • Oh… forgot to ask… is this the default SSH that came with macOS or was a different version installed (manual build/Homebrew/MacPorts)?
    – Allan
    Commented Apr 17, 2023 at 17:14
  • 1
    @executionbyfork macOS starts and stops the sshd when connection attempts occur. This does not disable remote access in System Preferences. Commented Apr 17, 2023 at 17:49
  • I edited my post to hopefully clarify these questions Commented Apr 17, 2023 at 21:40

2 Answers

2

So, it turns out I was wrong and there was an MDM solution in place on my Mac. This laptop was supposed to be provisioned without it, but apparently IT didn't get that memo. I found CrowdStrike Falcon running on it, which is what tipped me off. Not sure if it was Falcon that was disabling SSH on some sort of timer, or another software. But I have since erased my Mac and set it up again to ensure no MDM software was installed. I have had no problems with my ssh daemon getting terminated since.

1

sshd is automatically handled by launchd. The command-line is launchctl but typically to enable/disable remote ssh access you use System Settings (formerly System Preferences).

In macOS 13 (Ventura) this is in System Settings -> General -> Sharing and make sure you enable Remote Login.

launchd (/sbin/launchd) handles the automatic launch of various services or tasks based on system startup, user login, service access, or even time-based schedules.

As long as you've enabled "Remote Login" via System Settings, launchd will start an sshd process automatically as you initiate a remote connection.

That's what should happen. You are indicating that you can enable Remote Login, get it to work one time, and then it won't launch on subsequent access attempts, correct?

I would start by making sure it isn't a network issue. Can you 'ping' the mac across the network? Assuming you can confirm it isn't a network issue and seems to only impact ssh, then I'd take a closer look at debugging ssh.

Validate the contents of /etc/ssh/sshd_config

Note: the above file likely includes /etc/ssh/sshd_config.d/* which will pull in the contents of /etc/ssh/sshd_config.d/100-macos.conf but this is a very short 3-line file.

Additionally, I might just validate the launchd configuration files are where they belong and haven't been changed and that there are no additional launch agents defined for ssh in other locations.

Launchd defines agents and actions in several locations.

/System/Library/LaunchDaemons    <- do not edit
/System/Library/LaunchAgents     <- do not edit
/Library/LaunchDaemons
/Library/LaunchAgents
~/Library/LaunchAgents

The first two folders are for services defined by the operating system. While you can certainly look in those folders, don't edit anything there and don't add or remove files to/from those folders. As a general rule, never edit anything under the /System folder.

The next two folders under /Library are for agents added by system administrators (often when you install 3rd party applications or utilities ... if they need launchd to handle something, they'll add it to one of those folders).

The final location is in your home Library folder, ~/Library/LaunchAgents.

The built-in SSH service is defined in:

/System/Library/LaunchDaemons/ssh.plist
/System/Library/LaunchAgents/com.openssh.ssh-agent.plist

These two files should not be edited. If you inspect them they will indicate that the service is disabled but that is because in a default OS install, they are disabled unless you manually enable them via System Settings (aka System Preferences). Launchd has an override database. A utility is normally used to inspect the contents of that database.

1
  • 1
    The OP states that Remote Login is enabled, but becomes disabled after a disconnect.
    – Allan
    Commented Apr 17, 2023 at 20:31
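The checks suggested in the answer above, collected into one script as an added example (not code from the answer or from Apple). The helper names are hypothetical; using `launchctl print-disabled system` to read the override database and `sshd -t` to validate the configuration are choices made here, and the two output formats parsed are an assumption about what different macOS releases print.

```shell
#!/bin/sh
# Added example; function names are hypothetical helpers, not from the answer.

# Print launchd job files in the given directories that reference sshd.
find_ssh_jobs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        grep -lE 'sshd|com\.openssh' "$dir"/*.plist 2>/dev/null || true
    done
    return 0
}

# Read `launchctl print-disabled system` output on stdin and report the
# override for one label. Assumed line formats: older releases print
# "label" => true|false (true = disabled), newer ones => disabled|enabled.
override_state() {
    awk -v want="\"$1\"" '
        $1 == want && $2 == "=>" {
            if ($3 == "true" || $3 == "disabled") { print "disabled"; found = 1 }
            else if ($3 == "false" || $3 == "enabled") { print "enabled"; found = 1 }
        }
        END { if (!found) print "no-override" }'
}

# Run the checks on a Mac (use sudo so sshd -t can read the host keys).
check_sshd() {
    echo "override: $(launchctl print-disabled system | override_state com.openssh.sshd)"
    echo "jobs outside /System that mention sshd:"
    find_ssh_jobs /Library/LaunchDaemons /Library/LaunchAgents "$HOME/Library/LaunchAgents"
    /usr/sbin/sshd -t && echo "sshd_config: OK"
}

# Constructed sample of print-disabled output, used when not on macOS.
SAMPLE='    "com.apple.example" => false
    "com.openssh.sshd" => true'

if [ "$(uname)" = Darwin ]; then
    check_sshd
else
    echo "sample override: $(printf '%s\n' "$SAMPLE" | override_state com.openssh.sshd)"
fi
```

A `disabled` override that reappears after Remote Login has been switched on, or an unexpected job file under /Library, points at management software changing the setting, which is what the accepted answer eventually found.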
