This Library Item is available for Mac computers

What is SSH?

SSH, or Secure Shell, is a network protocol that lets you securely access and manage a remote computer over an encrypted connection. It’s commonly used by Mac admins to issue remote commands, access important files, and run applications on computers in their fleet.

How does SSH work?

macOS comes with a built-in SSH client accessible through Terminal. It also includes an SSH server (sshd), which is disabled by default but can be enabled to allow remote access to your Mac. SSH secures the connection between client and server with a combination of cryptographic primitives: a key exchange and asymmetric keys authenticate the server (and optionally the user) and establish per-session keys, symmetric encryption protects the confidentiality of the session, and message authentication codes protect its integrity. Using Iru, you can configure SSH according to your organization’s security tolerances under the General section within the SSH Library item.
The /etc/ssh/ssh_config and /etc/ssh/sshd_config files may be reset to Apple's defaults by a macOS update or major upgrade. However, the Kandji Agent will automatically remediate and set the corresponding values defined in the SSH Library item.

Add an SSH Library Item

Use the guidance below to meet NIST or STIG requirements for SSH in your Mac fleet. For organizations aiming to meet CIS Level 1 requirements without using a CIS Level 1 Blueprint, disabling the SSH server on macOS is recommended. To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.
1. Name the Library Item

Give the new SSH Library Item a Name.
2. Assign to Blueprints

Assign to your desired Blueprints.
1. Enable SSH server

Select SSH server availability.
  • Click On.
2. Enable Challenge-response authentication

Select Challenge-response authentication.
  • Click On.
3. Disable Root login

Select Root login.
  • Click Off. This sets PermitRootLogin no in sshd_config, so remote access must go through a named user account and escalate from there, which keeps an identifiable account in the audit trail.
4. Configure SSH login banner

Select SSH login banner.
  • Click On.
  • Enter a custom Banner text per your organization’s security policy. You can also use the default text.
5. Set Login attempt grace period

Select Login attempt grace period.
  • Ensure that the login attempt timeout is set to 30 seconds (LoginGraceTime 30). This limits how long an unauthenticated connection may hold a slot before sshd drops it.
6. Set Session timeout

Select Session timeout.
  • Ensure that the session timeout is set to 900 seconds (ClientAliveInterval 900). After 900 seconds without traffic from the client, sshd sends a keepalive probe over the encrypted channel.
7. Set Maximum alive count

Select Maximum alive count.
  • Ensure that the alive count is set to 0 messages (ClientAliveCountMax 0).
  • Caveat: since OpenSSH 8.2, sshd treats ClientAliveCountMax 0 as "never terminate the connection", so on current macOS releases this value does not by itself disconnect idle sessions; the interval from step 6 then only controls how often probes are sent. After deploying, confirm the effective values with sudo sshd -T | grep -i clientalive and test whether an idle session is actually dropped. A count of 1 with the 900-second interval terminates the session after a single unanswered probe, if your policy requires disconnection rather than just the configured value.
8. Remove non-FIPS Ciphers

Select Remove non-FIPS Ciphers. This restricts the sshd Ciphers directive to FIPS-approved symmetric algorithms (AES), removing non-approved options such as chacha20-poly1305@openssh.com.
9. Remove non-FIPS Message Authentication Codes

Select Remove non-FIPS Message Authentication Codes. This restricts the sshd MACs directive to FIPS-approved HMAC constructions, removing non-approved options such as the umac-* variants.
10. Use secure key exchange algorithms

Select Use secure key exchange algorithms. This restricts the sshd KexAlgorithms directive to an approved set of key exchange methods. The exact lists applied by steps 8 through 10 are not shown in the Library Item UI; verify what a Mac actually negotiates with sudo sshd -T | grep -iE '^(ciphers|macs|kexalgorithms)'.
11. Save configuration

Click Save.
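To verify that a Mac actually ended up with these settings once the Library Item applied (and to catch drift after an OS update before the agent remediates), the following added audit script parses the output of sudo sshd -T and checks it against the values from steps 2 through 10. It is an example written for this article, not code from Kandji, Iru, or the Kandji Agent. The FIPS cipher, MAC and key exchange allow-lists and the banner path /etc/ssh_banner are assumptions for illustration rather than the lists the Library Item itself applies, and the two sample configurations are constructed so the script can be run offline without root or a running sshd.

```shell
#!/bin/sh
# Added example (not from the Kandji/Iru article or agent): audit a Mac's effective
# sshd settings against the values the SSH Library Item configures.
#
# On a managed Mac:   sudo sshd -T > /tmp/sshd-effective.txt
#                     sh ssh_audit.sh /tmp/sshd-effective.txt
# `sshd -T` prints the effective configuration as lowercase "keyword value" lines,
# which is what this script parses.

# ASSUMPTION: FIPS-oriented allow-lists used only for illustration; the exact lists
# the Library Item applies are not documented on the page.
FIPS_CIPHERS="aes128-gcm@openssh.com aes256-gcm@openssh.com aes128-ctr aes256-ctr"
FIPS_MACS="hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha2-256 hmac-sha2-512"
SECURE_KEX="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512"

# get_value FILE KEYWORD: print the value of the first matching keyword (case-insensitive)
get_value() {
  awk -v k="$2" 'tolower($1) == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# expect FILE KEYWORD VALUE: print a PASS/FAIL line; return 1 on mismatch
expect() {
  actual=$(get_value "$1" "$2")
  if [ "$actual" = "$3" ]; then
    echo "PASS $2 = $actual"; return 0
  fi
  echo "FAIL $2 = '${actual:-<unset>}' (expected $3)"; return 1
}

# all_in FILE KEYWORD ALLOWED: fail if any comma-separated algorithm in the value
# is outside the space-separated ALLOWED list (an unset keyword fails too)
all_in() {
  value=$(get_value "$1" "$2"); rc=0
  [ -n "$value" ] || { echo "FAIL $2 is unset"; return 1; }
  for alg in $(printf '%s' "$value" | tr ',' ' '); do
    case " $3 " in
      *" $alg "*) ;;
      *) echo "FAIL $2 allows non-approved algorithm $alg"; rc=1 ;;
    esac
  done
  [ "$rc" -eq 0 ] && echo "PASS $2 = $value"
  return "$rc"
}

# audit FILE: run every check from steps 2-10; return the number of failed checks
audit() {
  f=$1; failures=0
  expect "$f" permitrootlogin no      || failures=$((failures+1))   # step 3
  expect "$f" logingracetime 30       || failures=$((failures+1))   # step 5
  expect "$f" clientaliveinterval 900 || failures=$((failures+1))   # step 6
  expect "$f" clientalivecountmax 0   || failures=$((failures+1))   # step 7
  # Step 2: OpenSSH 8.7+ reports ChallengeResponseAuthentication under its new name
  cra=$(get_value "$f" kbdinteractiveauthentication)
  [ -n "$cra" ] || cra=$(get_value "$f" challengeresponseauthentication)
  if [ "$cra" = "yes" ]; then echo "PASS challenge-response = yes"
  else echo "FAIL challenge-response = '${cra:-<unset>}' (expected yes)"; failures=$((failures+1)); fi
  # Step 4: the banner must point at a file, not be "none"
  banner=$(get_value "$f" banner)
  if [ -n "$banner" ] && [ "$banner" != "none" ]; then echo "PASS banner = $banner"
  else echo "FAIL banner = '${banner:-<unset>}' (expected a banner file)"; failures=$((failures+1)); fi
  all_in "$f" ciphers "$FIPS_CIPHERS"     || failures=$((failures+1))   # step 8
  all_in "$f" macs "$FIPS_MACS"           || failures=$((failures+1))   # step 9
  all_in "$f" kexalgorithms "$SECURE_KEX" || failures=$((failures+1))   # step 10
  return "$failures"
}

# Real use: audit the `sshd -T` capture given on the command line.
if [ $# -gt 0 ]; then audit "$1"; exit $?; fi

# Offline demo on constructed samples. HARDENED mimics `sshd -T` after the Library
# Item applied (the banner path is an assumption); WEAK resembles stock defaults.
HARDENED_SAMPLE=$(mktemp); WEAK_SAMPLE=$(mktemp)
cat > "$HARDENED_SAMPLE" <<'EOF'
permitrootlogin no
logingracetime 30
clientaliveinterval 900
clientalivecountmax 0
kbdinteractiveauthentication yes
banner /etc/ssh_banner
ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
kexalgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
EOF
cat > "$WEAK_SAMPLE" <<'EOF'
permitrootlogin prohibit-password
logingracetime 120
clientaliveinterval 0
clientalivecountmax 3
kbdinteractiveauthentication yes
banner none
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1,hmac-sha2-256,hmac-sha2-512
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256
EOF

echo "== hardened sample =="; audit "$HARDENED_SAMPLE" && echo "compliant"
echo "== weak sample =="; audit "$WEAK_SAMPLE" || echo "$? check(s) failed"
```

Because the script reads the effective configuration rather than /etc/ssh/sshd_config itself, it also reflects values pulled in from included files and compile-time defaults, which is what a client actually negotiates. Run it from a Kandji custom script or a scheduled job and alert on a non-zero exit status to spot drift between updates and the agent's next remediation pass.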