Configure the SSH Library Item

By Salur Onural

Learn how to configure and manage the SSH server and client on macOS

What is SSH?

SSH, or Secure Shell, is a network protocol that allows admins to securely access and manage a remote computer over an encrypted connection. It is commonly used by Mac admins to issue remote commands, access important files, and run applications on computers in their fleet.

How does SSH work?

macOS comes with a built-in SSH client accessible through Terminal. It also includes an SSH server (sshd), which is disabled by default but can be enabled to allow remote access to your Mac. SSH uses several cryptographic techniques to secure the connection between the client and server: asymmetric (public-key) cryptography for key exchange and authentication, symmetric encryption to protect session data, and message authentication codes (hash-based) to ensure data integrity during transmission. Using Kandji, admins can configure SSH according to their organization’s security tolerances under the General section within the SSH library item.

The /etc/ssh/ssh_config and /etc/ssh/sshd_config configuration files can be reset to their default values by a macOS update or major upgrade. However, the Kandji agent will automatically detect the drift, remediate it, and reapply the values defined in the SSH library item.

Add an SSH Library Item

Use the guidance below to meet NIST or STIG requirements for SSH in your Mac fleet. For organizations aiming to meet CIS Level 1 requirements without using a CIS Level 1 Blueprint, disabling the SSH server on macOS is recommended.

  1. Navigate to Library in the left-hand navigation bar.
  2. Click Add New on the top-right, and choose SSH.
  3. Click Add & Configure.
  4. Give the new SSH Library Item a Name.
  5. Assign to your desired Assignment Maps or Classic Blueprints.
  6. Select SSH server availability.
    • Click On.
  7. Select Challenge-response authentication.
    • Click On.
  8. Select Root login.
    • Click Off.
  9. Select SSH login banner.
    • Click On.
    • Enter a custom Banner text per your organization’s security policy. You may also use the default text.
  10. Select Login attempt grace period.
    • Ensure that the login grace period is set to 30 seconds.
  11. Select Session timeout.
    • Ensure that the session timeout is set to 900 seconds.
  12. Select Maximum alive count.
    • Ensure that the alive count is set to 0 messages.
  13. Select Remove non-FIPS Ciphers.
  14. Select Remove non-FIPS Message Authentication Codes.
  15. Select Use secure key exchange algorithms.
  16. Click Save.
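Once the library item has been applied, the setting that matters is what sshd actually loaded, not what the file says. On macOS, `sudo sshd -T` dumps the effective configuration with lowercase keywords. The script below is an added example (not Kandji's code and not part of this article) that audits that dump against the values the steps above set, and it also illustrates the drift case described earlier, where an OS upgrade has reset sshd_config to stock defaults. The mapping of library item settings to sshd_config keywords (PermitRootLogin, Banner, LoginGraceTime, ClientAliveInterval, ClientAliveCountMax, Ciphers, MACs, KexAlgorithms) and the FIPS-approved algorithm allowlists are assumptions based on the standard OpenSSH keywords and the macOS Security Compliance Project lists; adjust them to your baseline. Both `sshd -T` samples are constructed for the example.

```shell
#!/bin/sh
# Added example: audit an sshd effective configuration (output of `sudo sshd -T`)
# against the values configured in the SSH library item. Not Kandji code.

# Assumed keyword mapping for the scalar settings (sshd -T prints lowercase keywords).
EXPECTED='permitrootlogin=no logingracetime=30 clientaliveinterval=900 clientalivecountmax=0'

# Assumed FIPS-approved allowlists (mSCP-style). Anything outside them is flagged.
ALLOWED_CIPHERS='aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com'
ALLOWED_MACS='hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com'
ALLOWED_KEX='diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521'

# check_sshd_baseline: reads `sshd -T` output on stdin, prints one FAIL line per
# deviation, and returns 0 only when every setting matches the baseline.
check_sshd_baseline() {
    awk -v expected="$EXPECTED" -v ciphers="$ALLOWED_CIPHERS" \
        -v macs="$ALLOWED_MACS" -v kex="$ALLOWED_KEX" '
    # Every algorithm in a comma-separated sshd list must be on the allowlist.
    function audit_list(name, allowed,    n, parts, i, bad) {
        if (!(name in seen)) { printf "FAIL %s: not present\n", name; return 1 }
        bad = 0
        n = split(seen[name], parts, ",")
        for (i = 1; i <= n; i++)
            if (!(parts[i] in allowed)) { printf "FAIL %s: %s is not on the allowlist\n", name, parts[i]; bad++ }
        return bad
    }
    BEGIN {
        n = split(expected, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
        n = split(ciphers, a, " "); for (i = 1; i <= n; i++) okc[a[i]] = 1
        n = split(macs, a, " ");    for (i = 1; i <= n; i++) okm[a[i]] = 1
        n = split(kex, a, " ");     for (i = 1; i <= n; i++) okk[a[i]] = 1
        fails = 0
    }
    NF >= 2 { seen[tolower($1)] = $2 }       # keyword value
    END {
        for (k in want) {
            if (!(k in seen))            { printf "FAIL %s: not present\n", k; fails++ }
            else if (seen[k] != want[k]) { printf "FAIL %s: got %s, want %s\n", k, seen[k], want[k]; fails++ }
        }
        # sshd -T prints "banner none" when no login banner is configured.
        if (!("banner" in seen) || seen["banner"] == "none") { print "FAIL banner: no login banner configured"; fails++ }
        fails += audit_list("ciphers", okc)
        fails += audit_list("macs", okm)
        fails += audit_list("kexalgorithms", okk)
        if (fails == 0) print "OK: sshd matches the SSH library item baseline"
        exit (fails > 0)
    }'
}

# Constructed sample: a Mac after the library item has been applied (banner path assumed).
SAMPLE_COMPLIANT='port 22
permitrootlogin no
banner /etc/ssh/sshd_banner
logingracetime 30
clientaliveinterval 900
clientalivecountmax 0
ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
kexalgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521'

# Constructed sample: stock OpenSSH defaults, i.e. sshd_config reset by an OS upgrade
# before the Kandji agent has remediated it.
SAMPLE_DRIFTED='port 22
permitrootlogin prohibit-password
banner none
logingracetime 120
clientaliveinterval 0
clientalivecountmax 3
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'

# Demo on the two samples. On a managed Mac run:  sudo sshd -T | check_sshd_baseline
echo "== remediated Mac =="
if printf '%s\n' "$SAMPLE_COMPLIANT" | check_sshd_baseline; then echo "result: PASS"; else echo "result: NONCOMPLIANT"; fi
echo "== drifted Mac =="
if printf '%s\n' "$SAMPLE_DRIFTED" | check_sshd_baseline; then echo "result: PASS"; else echo "result: NONCOMPLIANT"; fi
```

Run the audit from a script context that can read the host keys (`sudo sshd -T` requires root); a non-zero exit means at least one setting has drifted from the library item. One caveat when reading the ClientAlive lines: OpenSSH 8.2 and later treat ClientAliveCountMax 0 as disabling connection termination rather than terminating after the first unanswered keepalive, so confirm with your auditor that the value your baseline specifies has the effect they expect.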