Let your Mac phone home via SSH and launchd

The Mac-way of the corkscrew

I let some of my Ubuntu hosts phone home via SSH. That setup uses multiple hops, OpenSSH and systemd.

Thankfully Apple does not use systemd on Mac OS X, but launchd. Mac OS X (in contrast to Ubuntu, by the way) ships with an OpenSSH client, so I am able to reuse the configs (and the keys).

Feature overview

  • Persistent SSH connection via the launchd init system, running as a system user
  • Transparent use of a jump host
  • Key-based authentication

Launchd and OpenSSH

Take a look at the following XML file, which defines a plist for launchd.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict> <!-- dict, Label, KeepAlive, the ssh path and -N are reconstructed; the Label is assumed from the file name ssh_osroad.plist -->
  <key>Label</key><string>ssh_osroad</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/ssh</string>
    <string>-N</string>
    <string>-o ServerAliveInterval=60</string>
    <string>-o ExitOnForwardFailure=yes</string>
    <string>-o StrictHostKeyChecking=no</string>
    <string>-R 12346:localhost:22</string>
    <string>[email protected]</string>
  </array>
  <key>KeepAlive</key><true/>
</dict>
</plist>

Apart from the port of the reverse listener, the OpenSSH parameters are unchanged from the Ubuntu setup.

Debugging a launchd plist with /tmp/

If you ever come across a buggy launchd plist, here is what you can do:


This writes the stdout and stderr to /tmp.

➜  /tmp ls | grep ssh

In /var/log/system.log you will only find status information, but not the cause of a failing service that restarts all the time.
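The plist above, rendered and audited in code: this is an added example in Python (standard-library plistlib), not the post's own file. It rebuilds the job from the text, adds the StandardOutPath/StandardErrorPath keys that the debugging step depends on, and flags the one option the post carries that weakens host authentication (StrictHostKeyChecking=no lets an unattended client accept a changed server key). The label ssh_osroad (taken from the file name), the log paths under /tmp and the placeholder account@host are assumptions.

```python
"""Render and audit the launchd job that keeps the reverse SSH tunnel open.

Added example, not the post's own plist. Label, log paths and the remote
account@host below are assumptions; the ssh options are the post's.
"""
import plistlib

LABEL = "ssh_osroad"               # assumed: matches the file name used in the post
REMOTE = "tunnel@server.example"   # placeholder; the post's real account@host is not shown
REVERSE_PORT = 12346               # from the post: -R 12346:localhost:22


def ssh_argv(remote, reverse_port, strict_host_key="no", bind_address=""):
    """Build ssh's argument vector for ProgramArguments.

    launchd passes each <string> as one argv element with no shell splitting,
    so flag and value are kept separate here (ssh also tolerates the post's
    joined form such as "-o ServerAliveInterval=60")."""
    bind = f"{bind_address}:" if bind_address else ""
    return [
        "/usr/bin/ssh",
        "-N",                              # tunnel only, no remote shell
        "-o", "ServerAliveInterval=60",    # notice a dead peer; KeepAlive then restarts us
        "-o", "ExitOnForwardFailure=yes",  # exit (and get restarted) if -R cannot bind
        "-o", f"StrictHostKeyChecking={strict_host_key}",
        "-R", f"{bind}{reverse_port}:localhost:22",
        remote,
    ]


def _flag_values(argv):
    """Yield (flag, value) for every -o/-R, in split ('-o', 'X') or joined ('-o X', '-oX') form."""
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-o", "-R") and i + 1 < len(argv):
            yield arg, argv[i + 1].strip()
            i += 2
            continue
        if arg[:2] in ("-o", "-R") and len(arg) > 2:
            yield arg[:2], arg[2:].strip()
        i += 1


def audit_ssh_argv(argv):
    """Return human-readable findings for settings that weaken the tunnel."""
    findings = []
    options = {}
    for flag, value in _flag_values(argv):
        if flag == "-o":
            key, _, val = value.partition("=")
            options[key.strip()] = val.strip()
        elif flag == "-R":
            # [bind_address:]port:host:hostport -- an empty bind_address or '*'
            # asks sshd to listen on all interfaces (if its GatewayPorts allows it)
            if value.startswith(("*:", ":", "0.0.0.0:", "[::]:")):
                findings.append(f"-R {value}: listener requested on all server interfaces; "
                                "omit the bind address so it stays on loopback")
    if options.get("StrictHostKeyChecking", "ask").lower() == "no":
        findings.append("StrictHostKeyChecking=no: an unattended client will accept a changed "
                        "server key without complaint; use accept-new or a pinned "
                        "UserKnownHostsFile")
    if "-N" not in argv:
        findings.append("missing -N: without a tty the remote shell exits immediately and "
                        "launchd restarts the job in a loop")
    return findings


def build_job(label, argv, log_dir="/tmp"):
    """Assemble the launchd job dictionary.

    KeepAlive makes launchd restart ssh whenever it exits, which is what makes
    the tunnel persistent; StandardOutPath/StandardErrorPath capture ssh's own
    output, the part /var/log/system.log does not show."""
    return {
        "Label": label,
        "ProgramArguments": list(argv),
        "KeepAlive": True,
        "RunAtLoad": True,
        "StandardOutPath": f"{log_dir}/{label}.stdout",
        "StandardErrorPath": f"{log_dir}/{label}.stderr",
    }


def render_plist(job):
    """Serialise to the XML plist launchd loads (plistlib escapes the values)."""
    return plistlib.dumps(job, fmt=plistlib.FMT_XML, sort_keys=False)


def parse_plist(data):
    """Read a plist back into a dict, e.g. to verify what was written."""
    return plistlib.loads(data)


if __name__ == "__main__":
    for finding in audit_ssh_argv(ssh_argv(REMOTE, REVERSE_PORT)):   # the post's settings
        print("finding:", finding)
    hardened = ssh_argv(REMOTE, REVERSE_PORT, strict_host_key="accept-new")
    print(render_plist(build_job(LABEL, hardened)).decode())
```

Running it prints the findings for the post's settings and then the rendered plist for the hardened variant, which can be written to /Library/LaunchDaemons/ssh_osroad.plist and loaded with launchctl as shown below. StrictHostKeyChecking=accept-new needs OpenSSH 7.6 or later; on older clients a pre-populated UserKnownHostsFile gives the same protection against a swapped server key.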

Install the launchd plist and run it

Put it into the correct folder:

sudo cp ~/Documents/ssh_osroad.plist /Library/LaunchDaemons/

Load it:

sudo launchctl unload /Library/LaunchDaemons/ssh_osroad.plist
sudo launchctl load /Library/LaunchDaemons/ssh_osroad.plist

The unload command is only necessary if you update the plist file.

That’s pretty much it. The OpenSSH config is the same as on the Ubuntu hosts.

Connect to the Mac from the remote server

The reverse listener is available on the server that the SSH client connected to.

> $ sudo netstat -tulpen | grep ssh
tcp        0      0*               LISTEN
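A small server-side check for the step above, added here as an example (Python, not from the post): it parses netstat -tulpen style output, with constructed sample lines since the post's real listing did not survive, and tells you whether the tunnel port is bound to loopback only. That is what -R without a bind address should give; anything else means the server's sshd has GatewayPorts enabled and the Mac's SSH port is reachable from the network.

```python
"""Classify where the tunnel's reverse listener is bound on the server.

Added example, not from the post. NETSTAT_SAMPLE is constructed to look like
`sudo netstat -tulpen` output; the first tcp line stands for the Mac's tunnel.
"""
import re

REVERSE_PORT = 12346   # from the post: -R 12346:localhost:22

# Constructed sample; PIDs, inodes and the account name are made up.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 127.0.0.1:12346         0.0.0.0:*               LISTEN      1000       48213      4321/sshd: tunnel
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          19120      777/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      0          19122      777/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          17005      512/dhclient
"""

# Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State == LISTEN
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\b", re.MULTILINE)

LOOPBACK = ("127.0.0.1", "::1")
ANY = ("0.0.0.0", "::", "*")


def listeners(netstat_output):
    """Return [(address, port), ...] for every TCP socket in LISTEN state."""
    result = []
    for match in LISTEN_RE.finditer(netstat_output):
        # rpartition keeps IPv6 addresses such as ':::22' intact
        address, _, port = match.group("local").rpartition(":")
        result.append((address, int(port)))
    return result


def tunnel_exposure(netstat_output, port):
    """Classify the listener on `port`: 'loopback', 'all-interfaces', 'other:<addr>' or 'absent'.

    If the port appears more than once (IPv4 and IPv6), the most exposed binding wins."""
    verdicts = []
    for address, bound_port in listeners(netstat_output):
        if bound_port != port:
            continue
        if address.startswith("127.") or address in LOOPBACK:
            verdicts.append("loopback")
        elif address in ANY:
            verdicts.append("all-interfaces")
        else:
            verdicts.append(f"other:{address}")
    if not verdicts:
        return "absent"
    if "all-interfaces" in verdicts:
        return "all-interfaces"
    others = [v for v in verdicts if v.startswith("other:")]
    return others[0] if others else "loopback"


if __name__ == "__main__":
    # On the real server: tunnel_exposure(subprocess.check_output(["netstat", "-tulpen"]).decode(), REVERSE_PORT)
    print(f"port {REVERSE_PORT}: {tunnel_exposure(NETSTAT_SAMPLE, REVERSE_PORT)}")
```

Only "loopback" is the expected answer for this setup: the tunnel is meant to be reached with ssh -p 12346 from the server itself, so an "all-interfaces" verdict is worth investigating in the server's sshd_config before relying on the tunnel.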

And log in:

[email protected] ~                                                       
> $ ssh -p 12346

You can run VNC over it as well, but usually SSH is enough for me.


09.03.2018 - pasted everything into a post and published it