Difference between revisions of "Install SSH"

From AwkwardTV
m
m (Reverted edits by Infovis (Talk) to last revision by Peoplemover)
 
(95 intermediate revisions by 30 users not shown)
Line 1: Line 1:
__NOTOC__
+
These instructions are for installing ssh on the Apple TV from an Intel Mac. If you don't have an Intel Mac, you can extract an sshd and the other needed files from one of the recent OS X security updates or from the OS X 10.4.9 update, which you can download from Apple's web site.
{{Template:Banner}}
 
These instructions are for installing ssh on the Apple TV from an Intel Mac (if you don't have an Intel Mac, you need to find another source for sshd, such as http://darwinsource.opendarwin.org/Roots/OpenSSH-56.root.tar.gz and http://darwinsource.opendarwin.org/Roots/OpenSSL-26.root.tar.gz - please verify that those work). You need to remove the Apple TV's hard drive and mount it using some sort of firewire or usb enclosure, perform the below steps, and then reinstall the drive. It is not necessary to disable the firewall (see [[Disable Firewall]]), however (for some unknown reason) the SSH server only allows SSH protocol version 1 connections so you will need to use the -1 option when using the ssh client.
 
  
If you copy sshd from a 10.4.9 Intel Mac (OpenSSH_4.5p1, OpenSSL 0.9.7l 28 Sep 2006), the sshd binary will crash when trying to establish a SSH2 connection. To get SSHv2 working, see Step 4.
+
To find the sshd in an update, mount the .dmg image, right-click on the .pkg install package, select 'Show Package Contents', find the Archive.pax.gz file, extract it using [http://www.stepwise.com/Software/OpenUp/ OpenUp] or pax, and you will find the the sshd daemon in Archive_X/usr/sbin/. Verify that it's an x386 executable by using ''file sshd''.
  
=Step 1=
+
Without an Intel Mac, though, you won't be able to get the Kerberos framework, and you'll be stuck with ssh v1. You can NOT use the sshd or Kerberos framework from a PPC Mac (G3, G4, or G5).
Copy <tt>sshd</tt> from <tt>/usr/sbin/</tt> on your local Intel Mac, to <tt>/Volumes/OSBoot/usr/sbin/</tt> on the Apple TV HD (you have to use an Intel-compiled version).
 
  
After that you have to change the sshd file classification from Document type to a UNIX shell script. The easiest is to do a<br>
+
* '''Changed 2007-06-01:''' You also can use ssh v2 now. (This was formerly a problem)
<tt>chmod +x /Volumes/OSBoot/usr/sbin/sshd</tt><br> in the Terminal.
+
* '''Changed 2007-06-02:''' Fixed up the rest of the page a bunch. Eliminated significant errors in first half of last section. Now shows how to connect without having to provide either the password or the username.
 +
* '''Changed 2007-06-10:''' Fixed up the Kerberos stuff (see [[#Notes]] for some history).
 +
 
 +
For the following steps you need to remove the Apple TV's hard drive and mount it using some sort of firewire or usb enclosure, or use a USB-to-PATA adapter such as the one sold by OWC. Perform these steps, and then reinstall the drive.  It is not necessary to disable the firewall (see [[Disable Firewall]]).
 +
 
 +
==How to install SSHD==
 +
 
 +
===Preparations===
 +
Make sure that your AppleTV drive is mounted on your Intel Mac (or whatever machine you're using to do this). It should be in your filesystem at <tt>/Volumes/OSBoot</tt>. If it's not, you'll need to modify the instructions below accordingly.
 +
 
 +
===Copy the SSHD Binary===
 +
Copy sshd from your Mac to your AppleTV. For example:
 +
 
 +
cp -p /usr/sbin/sshd /Volumes/OSBoot/usr/sbin/
 +
 
 +
The "-p" preserves permissions while copying sshd; if you forgot it, mark the copy as executable:
 +
 
 +
chmod +x /Volumes/OSBoot/usr/sbin/sshd
 +
 
 +
Note: This doesn't work with Leopard's <tt>sshd</tt>. Get the <tt>sshd</tt> from the [[Patchstick/Testing#Full_Working_Version|patchstick]]. The other files can be copied from your Leopard system.
 +
 
 +
===Creating an automatic startup file===
 +
Make sshd start automatically on boot. If you have the AppleTV disk mounted on a Mac, it's easy.
 +
Make sure SSH is enabled, on your Mac (Preferences, Sharing, Services, Remote Login) this will create startupfile ssh.plist then do:
 +
 
 +
cp -p /System/Library/LaunchDaemons/ssh.plist /Volumes/OSBoot/System/Library/LaunchDaemons/
 +
defaults delete /Volumes/OSBoot/System/Library/LaunchDaemons/ssh Disabled
 +
 
 +
Otherwise, create a text file <tt>/Volumes/OSBoot/System/Library/LaunchDaemons/ssh.plist</tt> containing:
  
=Step 2=
 
Rewrite <tt>/Volumes/OSBoot/System/Library/LaunchDaemons/ssh.plist</tt> with this:
 
<pre>
 
 
  <?xml version="1.0" encoding="UTF-8"?>
 
  <?xml version="1.0" encoding="UTF-8"?>
 
  <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 
  <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 
  <plist version="1.0">
 
  <plist version="1.0">
 
  <dict>
 
  <dict>
<key>Disabled</key>
 
<false/>
 
 
         <key>Label</key>
 
         <key>Label</key>
 
         <string>com.openssh.sshd</string>
 
         <string>com.openssh.sshd</string>
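Review bot: the new text "Make sure SSH is enabled, on your Mac (Preferences, Sharing, Services, Remote Login) this will create startupfile ssh.plist" tells readers to switch on the Remote Login listener on their own workstation just to obtain a copy of ssh.plist, while the command two lines later, `defaults delete /Volumes/OSBoot/System/Library/LaunchDaemons/ssh Disabled`, already strips the Disabled key from the copied file; suggest stating that the Remote Login step only matters if the file is otherwise missing, so nobody leaves an unneeded sshd exposed on the Mac. The old side's plist also carried an explicit `<key>Disabled</key>` / `<false/>` pair that the new side omits; both mean "enabled", and a one-line remark to that effect would save readers from diffing the two listings themselves.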
Line 53: Line 73:
 
  </dict>
 
  </dict>
 
  </plist>
 
  </plist>
</pre>
 
  
=Step 3=
 
Log in like this:
 
<pre>
 
ssh -1 frontrow@AppleTV.local
 
</pre>
 
Password "frontrow"
 
  
* If you are on a windows machine, use [http://www.chiark.greenend.org.uk/~sgtatham/putty/ Putty] to connect.
+
=== Take 2: Copy extra files===
** Under connections -> ssh, there is an option for "1 only". Use this.
+
As of take 2 some other files are missing as well.  Simply trying to SSH to the AppleTV now will result in an error message:
** You may need to connect by IP address instead of by name if you do not have Bonjour installed.
+
ssh_exchange_identification: Connection closed by remote host
* Note: user "frontrow" has sudo privilegesThe password for sudo is "frontrow".
+
 
 +
In addition to copying over <code>/usr/sbin/sshd</code> and <code>/System/Library/LaunchDaemons/ssh.plist</code> per the above, you must copy over these additional files.  They can all be found in the 10.4.9 combo update.
 +
 
 +
* <code>/usr/bin/ssh-keygen</code>
 +
* <code>/usr/libexec/sftp-server</code>
 +
* <code>/usr/libexec/ssh-keysign</code>
 +
* <code>/usr/libexec/sshd-keygen-wrapper</code>
 +
 
 +
Also, if you plan to ssh out from the appletv to other devices copy over the following additional files.
 +
 
 +
* <code>/usr/bin/ssh</code>
 +
* <code>/usr/bin/ssh-add</code>
 +
* <code>/usr/bin/ssh-agent</code>
 +
* <code>/usr/bin/ssh-keyscan</code>
 +
* <code>/usr/bin/scp</code>
 +
 
 +
Here are the md5 checksums of the change to my take2, with working sshd V2.
 +
<code><nowiki>
 +
-bash-2.05b$ md5 /Volumes/OSBoot/usr/libexec/sshd-keygen-wrapper /Volumes/OSBoot/usr/libexec/sftp-server /Volumes/OSBoot/usr/sbin/sshd /Volumes/OSBoot/System/Library/Frameworks/OSXFrames/Kerberos.framework/Kerberos /Volumes/OSBoot/System/Library/LaunchDaemons/ssh.plist
 +
MD5 (/usr/libexec/sshd-keygen-wrapper) = 56fa1739153d23f22d25777d48fcf316
 +
MD5 (/usr/libexec/sftp-server) = 6d2c75d108bce39564142917c582a98d
 +
MD5 (/usr/sbin/sshd) = 7a6617d80ff198c3d0dc4385287cb377
 +
MD5 (/System/Library/Frameworks/OSXFrames/Kerberos.framework/Kerberos) = 83764deb005b7e1701992c9e22f4a7b3
 +
MD5 (/System/Library/LaunchDaemons/ssh.plist) = 7776e5f87b7d65c640aed6bade4b1319
 +
</nowiki></code>
 +
 
 +
* Note: The sshd-keygen-wrapper file was changed from its original to reference the <code>/System/Library/Frameworks/OSXFrames/Kerberos.framework</code>.  It is probable that you can leave this file unaltered and but the framework directly into your Frameworks folder instead of into a OSXFrames sub folder.  I believe this was simply done for organization, but I was more concerned with getting it to work at the time.
 +
--[[User:DrOmega|Dr Omega]] 19:02, 25 February 2008 (CET)
 +
 
 +
For each of these files (including <code>sshd</code> and <code>ssh.plist</code>), the forum also recommends executing the following two commands:
 +
chown 0:0 ''file''
 +
chmod 755 ''file''
 +
 
 +
For example:
 +
sudo chown 0:0 /Volumes/OSBoot/usr/bin/ssh
 +
chmod 755 /Volumes/OSBoot/usr/bin/ssh
 +
 
 +
===Take 2: Installing the Kerberos framework===
 +
* The Kerbose framework will be on an Intel mac, Installation CD, or should be in the 10.4.9 combo update.
 +
* An alternative is to simple use OpenSSH from darwin or just use the ssh v1 protocol.  See [[#Using_the_v2_protocol_Without_Kerberos]] for more information.
 +
* When used Kerberos framework from a password protected Intel machine (Leopard) - it did not let authenticate showing this message: ssh_exchange_identification: Connection closed by remote host --- used kerberos.framework from 10.4.9 update - worked perfectly
 +
 
 +
Copy over the Kerberos framework, so sshd will be able to use the ssh v2 protocol (without this step, you're limited to v1).
 +
 
 +
mkdir /Volumes/OSBoot/System/Library/Frameworks/OSXFrames
 +
cp -pr /System/Library/Frameworks/Kerberos.framework /Volumes/OSBoot/System/Library/Frameworks/OSXFrames/.
 +
cd /Volumes/OSBoot/usr/libexec/
 +
sudo sed -i"" -e 's;^exec;DYLD_FRAMEWORK_PATH="/System/Library/Frameworks/OSXFrames" exec;' sshd-keygen-wrapper
 +
 
 +
(The effect of that ugly sed line is to add <tt>DYLD_FRAMEWORK_PATH="/System/Library/Frameworks/OSXFrames"</tt> to the beginning of the last line of sshd-keygen-wrapper. Using pico or vi is another possibility.)
 +
 
 +
===Logging in===
 +
The basics are done and you can now put the disk back in the AppleTV, restart it, and log in.  If you installed the Kerberos framework, the command is:
 +
 
 +
ssh frontrow@appletv.local
 +
 
 +
Otherwise use the command below which forces ssh to use the v1 protocol.
 +
 
 +
ssh -1 frontrow@appletv.local
 +
 
 +
The password, as shipped from Apple, is <tt>frontrow</tt>. If your box doesn't support Bonjour (that's most machines that aren't Macs, though you can install it on Windows, Linux, etc.), you'll have to connect to it by IP address, or put it in your local DNS or your /etc/hosts file (or analogue). In that case, figure out its IP address, and use that instead of "appletv.local".
 +
<br /><br /><b>IMPORTANT NOTE</b><br />
 +
The first time you try to SSH into the AppleTV, it will generate host keys. This takes a long time (at least compared to modern machines). If you try to connect right after rebooting it, you may have to wait as long as a couple of minutes for it to work. Be patient, and just try ssh again if it times out.
 +
<br /><br />
 +
Other misc. notes:
 +
* If you are on a windows machine, use [http://www.chiark.greenend.org.uk/~sgtatham/putty/ Putty] or other ssh clients to connect.
 +
* The user "frontrow" has complete sudo privileges. To be root, do <tt>sudo -s</tt> and put in the password again (<tt>frontrow</tt> by default, remember?).
 +
 
 +
==Logging in without a username or password==
 +
''The previous contents of this section were terribly confusing. They recommended taking the ATV's private host key and using it as your personal key on your Mac (or perhaps as the host key on your Mac, it wasn't clear). Someone else later provided an "Alternate Method" which was correct, and this is mostly a light edit of that.''
 +
 
 +
Everything here is done on your Mac, unless explicitly stated otherwise.
 +
 
 +
===Checking for an existing identity===
 +
First, check to see if you have an identity already; if not, make one:
 +
 
 +
cd ; ls .ssh/id_rsa
 +
 
 +
If you see a file called id_rsa, then you already have an identity, and you can skip the next step.
 +
 
 +
===Creating a new identity===
 +
''Do this step only if you have no <tt>id_rsa</tt> file. (Don't worry if you have other files in .ssh- they don't matter, and we won't disturb them.)''
 +
 
 +
To create a new identity file, type:
 +
 
 +
ssh-keygen
 +
 
 +
It'll ask for input three times, with lines that begin with "Enter". Just hit return each time. (You can use a passphrase if you're comfortable that you know what you're doing. Leave the filename alone.) It'll look like this, though the username and fingerprint will be different:
 +
 
 +
Generating public/private rsa key pair.
 +
Enter file in which to save the key (/Users/alexis/.ssh/id_rsa):
 +
Enter passphrase (empty for no passphrase):
 +
Enter same passphrase again:
 +
Your identification has been saved in /Users/alexis/.ssh/id_rsa.
 +
Your public key has been saved in /Users/alexis/.ssh/id_rsa.pub.
 +
The key fingerprint is:
 +
ef:3a:22:12:30:8e:37:7f:b5:0e:47:d4:e8:2f:9b:e9 alexis@alexis
 +
 
 +
===Make SSH use username "frontrow" automatically===
 +
Do this on your Mac. It will only affect connections from your Mac to the AppleTV:
 +
cat >>.ssh/config
 +
Host appletv.local
 +
  User frontrow
 +
^D
 +
 
 +
"^D" means you must hit the Control and D button synchronously.
 +
 
 +
Once this is done, you can just do "ssh appletv.local" instead of "ssh frontrow@appletv.local". Or, if you're really lazy (like me), this (instead of the above) will let you do just "ssh atv" to connect!
 +
cat >>.ssh/config
 +
Host appletv.local atv
 +
  HostName appletv.local
 +
  User frontrow
 +
^D
 +
 
 +
===Installing the ssh key on the AppleTV===
 +
* Copy your public key to your AppleTV. You'll need to enter the password, but you no longer need to specify a username:
 +
 
 +
scp .ssh/id_rsa.pub appletv.local:~/
 +
 
 +
* ssh to your AppleTV (still using password "frontrow", but you no longer have to give a username):
 +
 
 +
ssh appletv.local
 +
 
 +
* Now, while still connected to the AppleTV, make an .ssh directory on your AppleTV, create an "authorized_keys" file and move your public key into it.
 +
 
 +
mkdir .ssh
 +
  mv id_rsa.pub .ssh/authorized_keys
 +
 
 +
You're done. Exit the ssh session, and try it again. This time, you can connect to the AppleTV without having to enter a password (or by using your passphrase, if you chose to use one).
 +
 
 +
For more information, see the man pages for ssh, ssh-keygen, and sshd.
 +
 
 +
== Using the v2 protocol Without Kerberos ==
 +
Unlike other methods, there is a far simpler way to get ssh v2 protocol enabled.  This method does not require an Intel mac, nor does it require screwing around with the Kerberos framework.
 +
 
 +
* Download darwinx86-801.iso.gz.  This site contains a few mirrors: http://wiki.osx86project.org/wiki/index.php/Chain0
 +
* Decompress and mount the image
 +
* Copy off System/Installation/Packages_i386/OpenSSH-56.root.tar.bz2.
 +
** Unless you have installed bzip2 on your ATV, you will need to uncompress this tar file: "bunzip2 OpenSSH-56.root.tar.bz2"
 +
* Copy the archive to your AppleTV
 +
* ssh to your AppleTV (using -1) and execute the following:
 +
** cd /
 +
** sudo tar xf ~/OpenSSH-56.root.tar
 +
* On your AppleTV, edit the file: /System/Library/LaunchDaemons/ssh.plist
 +
* Remove the lines:
 +
        <key>Disabled</key>
 +
        <true/>
  
=Step 4 - Creating Host Keys and Making ssh2 Work=
+
And that's it. When you reboot your ATV, it will be running the new ssh, which can do protocol version 2.
As noted copying the sshd binary from a 10.4.9 install will only support version 1 of the ssh protocol.  To enable ssh2, and create your host keys, follow these steps.<br>
 
This is written assuming you already have ssh1 shell access to the device.
 
  
# Download the ssh package listed above from here  http://darwinsource.opendarwin.org/Roots/OpenSSH-56.root.tar.gz and extract usr/sbin/sshd from the package.  
+
== Using Protocol 1 ==
# scp this file over to the ATV with the following command<br><pre>scp -1 sshd frontrow@<your ip address>:</pre>
+
Finally, since I don't have an Intel Mac to work from, I am unable to [[#Installing_the_Kerberos_framework_.28optional.29|install the kerberos framework]]. Prior to moving to Take 2, I could still SSH using SSH protocol version 2. After enabling SSH under Take 2, trying to SSH using protocol version 2 simply results in my AppleTV closing the SSH connection. To get around this either use this ssh command from the Terminal
# Log in to the ATV and remount the root partition as read write.<br><pre>-bash-2.05b$ sudo mount -o rw,remount /dev/disk0s3 /</pre>
+
ssh -1 frontrow@AppleTV.local
# Backup the existing sshd<br><pre>-bash-2.05b$ sudo mv /usr/sbin/sshd /usr/sbin/sshd.old</pre>
+
or edit your <code>.ssh/config</code> file along these lines:
# Move the new sshd binary to /usr/sbin<br><pre>-bash-2.05b$ sudo mv /Users/frontrow/sshd /usr/sbin/sshd</pre>
+
Host appletv.local
# Again change the sshd file classification from Document type to a UNIX shell script. <br><pre>-bash2.05b$ chmod +x /usr/sbin/sshd</pre>
+
    HostName appletv.local
# Generate the rsa key - '''Do not use a passphrase'''<br><pre>-bash-2.05b$ sudo ssh-keygen -t rsa -f /etc/ssh_host_rsa_key</pre>
+
    User frontrow
# Generate the dsa key - '''Do not use a passphrase'''<br>''Note: this can be / is a bit slow on the ATV; be patient.''<br><pre>-bash-2.05b$ sudo ssh-keygen -t dsa -f /etc/ssh_host_dsa_key</pre>
+
    '''Protocol 1'''
# Generate the rsa1 key - '''Do not use a passphrase'''<br><pre>-bash-2.05b$ sudo ssh-keygen -t rsa1 -f /etc/ssh_host_key</pre>
 
  
'''Note:''' You may need to create a sshd_config file in /etc for this to work. The file can be empty.
+
Don't forget that since you'll be using Protocol 1, you need to generate a new key for the Apple TV (i.e. one that is compatible with Protocol 1). Instead of using the command <code>ssh-keygen</code>, you need to <code>ssh-keygen '''-t rsa1'''</code>. Then copy the file over to the Apple TV and everything will work fine.
  
=Step 5 - Logging in without a password=
+
==Notes==
# It's assumed all prevous steps are completed.''This section only works for a Mac, windows users should investigate Pagent, a program that comes with Putty.'' First create a special directory on the ATV for your keys.
+
* The old Step 5 described how to make ssh keys. You won't have to create those, as OS X will create them the first time you connect to its sshd if they don't already exist. Thus, this section was removed.
<pre>
+
* The previous author of this page suggested getting sources for [http://darwinsource.opendarwin.org/Roots/OpenSSL-26.root.tar.gz OpenSSL] and [http://darwinsource.opendarwin.org/Roots/OpenSSH-56.root.tar.gz OpenSSH], if you don't have an Intel Mac handy. This method might be easier if you don't know how to extract files from packages such as the OS or Security updates.)
-bash-2.05b$ mkdir ~frontrow/.ssh
+
* Old instructions were replacing the Kerberos.framework file of the AppleTV. This is causing some problems. In particular, mount_afp fails with "Illegal instruction". If you're running a hacked kernel with SSE3 emulation, this probably won't affect you, but otherwise, it's a major issue. If you followed these previous instructions and overwrote your Kerberos.framework, I'm sorry. :-( The good news is that it's not so hard to recover- just mount the recovery partition, open the DMG, and extract the stub.
-bash-2.05b$ chmod 700 ~frontrow/.ssh
 
</pre>
 
# Add a key to the ''authorized_files'' file and protect the file. SSH checks the permissions of this file very carefully.
 
<pre>
 
-bash-2.05b$ cat /etc/ssh_host_rsa_key.pub > ~frontrow/.ssh/authorized_keys
 
-bash-2.05b$ chmod 600 ~frontrow/.ssh/authorized_keys
 
</pre>
 
# Display the full private key and copy the text to the clipboard. You'll see something like
 
<pre>
 
-bash-2.05b$ sudo cat /etc/ssh_host_rsa_key
 
-----BEGIN RSA PRIVATE KEY-----
 
MIIEogIBAAKCAQEAtPQlIYRKBPxrZjiXKjLX7uR6gRxCvkV8S09H1f8SLmVRoyfT
 
chMGdMCwVgv+stf7gc1mW6aYVqSV7DMo4HCN7uFQwGRt0/qxdgCVesN60tugnEM9
 
..lots more stuff here..
 
UvxgQ1ahS+82mHd8XNDOXmMEEIE0mOffga35ADyisZfBql+yED6xXzOOw9/vfP3q
 
UrmG68Mwv18Wz0unZGt1NSwsw/6ITSGKN3iTr+w4zcEpGK6liJw=
 
-----END RSA PRIVATE KEY-----
 
</pre>
 
# Still on the ATV, remount the root partition read only.<br><pre>-bash-2.05b$ sudo mount -o ro,remount /dev/disk0s3 /</pre>
 
# On your Mac in a terminal window run ''nano -wci ssh_host_key'' and paste in the clipboard text. Press Ctrl-x to save and exit
 
# Change the permissions on this new file:
 
<pre>
 
chmod 700 /path_to_file/ssh_rsa_key
 
</pre>
 
# Test your mod '''before logging out of the ATV''' by opening a new connection to the device. running this should not require a password, if it does check the permissions on your ATV .ssh directory, authorized_keys file and the key file on the Mac, all shoule be 600 or 700.  
 
<pre>
 
ssh -i /path_to_file/ssh_rsa_key frontrow@192.168.1.24
 
</pre>
 
# If you get something like this then just delete the known_hosts file
 
<pre>
 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!    @
 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
 
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
 
It is also possible that the RSA host key has just been changed.
 
The fingerprint for the RSA key sent by the remote host is
 
7a:24:c9:75:cb:15:0f:8a:5c:1a:72:81:e2:25:f4:c2.
 
Please contact your system administrator.
 
Add correct host key in /Users/nsc/.ssh/known_hosts to get rid of this message.
 
Offending key in /Users/nsc/.ssh/known_hosts:1
 
RSA host key for 192.168.1.17 has changed and you have requested strict checking
 
</pre>
 
  
[[Category:How-to]]
+
[[Category:How-to|SSH]]
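Review bot: in the "For example" block, `sudo chown 0:0 /Volumes/OSBoot/usr/bin/ssh` is followed by `chmod 755 /Volumes/OSBoot/usr/bin/ssh` without sudo; once the file is root-owned, the unprivileged chmod fails with "Operation not permitted", so the second line needs `sudo` as well. Related: the "Installing the ssh key on the AppleTV" steps (`mkdir .ssh`, `mv id_rsa.pub .ssh/authorized_keys`) set no mode on ~/.ssh or authorized_keys and overwrite any existing authorized_keys; sshd's default StrictModes rejects key files with loose permissions, and the removed Step 5 carried exactly the `chmod 700 ~frontrow/.ssh` and `chmod 600 ~frontrow/.ssh/authorized_keys` lines, so restoring those two commands here would keep the new section robust. Lastly, the `.ssh/config` listing under "Using Protocol 1" has wiki bold markup (`'''Protocol 1'''`) inside what readers will paste verbatim; drop the quotes.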

Latest revision as of 15:33, 30 December 2012

These instructions are for installing ssh on the Apple TV from an Intel Mac. If you don't have an Intel Mac, you can extract an sshd and the other needed files from one of the recent OS X security updates or from the OS X 10.4.9 update, which you can download from Apple's web site.

To find the sshd in an update, mount the .dmg image, right-click on the .pkg install package, select 'Show Package Contents', find the Archive.pax.gz file, extract it using OpenUp or pax, and you will find the sshd daemon in Archive_X/usr/sbin/. Verify that it's an i386 executable by running file sshd.

Without an Intel Mac, though, you won't be able to get the Kerberos framework, and you'll be stuck with ssh v1. You can NOT use the sshd or Kerberos framework from a PPC Mac (G3, G4, or G5).

  • Changed 2007-06-01: You also can use ssh v2 now. (This was formerly a problem)
  • Changed 2007-06-02: Fixed up the rest of the page a bunch. Eliminated significant errors in first half of last section. Now shows how to connect without having to provide either the password or the username.
  • Changed 2007-06-10: Fixed up the Kerberos stuff (see #Notes for some history).

For the following steps you need to remove the Apple TV's hard drive and mount it using a FireWire or USB enclosure, or a USB-to-PATA adapter such as the one sold by OWC. Perform these steps, and then reinstall the drive. It is not necessary to disable the firewall (see Disable Firewall).

How to install SSHD

Preparations

Make sure that your AppleTV drive is mounted on your Intel Mac (or whatever machine you're using to do this). It should be in your filesystem at /Volumes/OSBoot. If it's not, you'll need to modify the instructions below accordingly.

Copy the SSHD Binary

Copy sshd from your Mac to your AppleTV. For example:

cp -p /usr/sbin/sshd /Volumes/OSBoot/usr/sbin/

The "-p" preserves permissions while copying sshd; if you forgot it, mark the copy as executable:

chmod +x /Volumes/OSBoot/usr/sbin/sshd

Note: This doesn't work with Leopard's sshd. Get the sshd from the patchstick. The other files can be copied from your Leopard system.

Creating an automatic startup file

Make sshd start automatically on boot. If you have the AppleTV disk mounted on a Mac, it's easy. Make sure SSH is enabled on your Mac (System Preferences, Sharing, Services, Remote Login); this creates the startup file ssh.plist. Then do:

cp -p /System/Library/LaunchDaemons/ssh.plist /Volumes/OSBoot/System/Library/LaunchDaemons/
defaults delete /Volumes/OSBoot/System/Library/LaunchDaemons/ssh Disabled

Otherwise, create a text file /Volumes/OSBoot/System/Library/LaunchDaemons/ssh.plist containing:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
        <string>com.openssh.sshd</string>
        <key>Program</key>
        <string>/usr/libexec/sshd-keygen-wrapper</string>
        <key>ProgramArguments</key>
        <array>
                <string>/usr/sbin/sshd</string>
                <string>-i</string>
        </array>
        <key>SessionCreate</key>
        <true/>
        <key>Sockets</key>
        <dict>
                <key>Listeners</key>
                <dict>
                        <key>Bonjour</key>
                        <array>
                                <string>ssh</string>
                                <string>sftp-ssh</string>
                        </array>
                        <key>SockServiceName</key>
                        <string>ssh</string>
                </dict>
        </dict>
        <key>StandardErrorPath</key>
        <string>/dev/null</string>
        <key>inetdCompatibility</key>
        <dict>
                <key>Wait</key>
                <false/>
        </dict>
</dict>
</plist>


Take 2: Copy extra files

As of take 2 some other files are missing as well. Simply trying to SSH to the AppleTV now will result in an error message:

ssh_exchange_identification: Connection closed by remote host

In addition to copying over /usr/sbin/sshd and /System/Library/LaunchDaemons/ssh.plist per the above, you must copy over these additional files. They can all be found in the 10.4.9 combo update.

  • /usr/bin/ssh-keygen
  • /usr/libexec/sftp-server
  • /usr/libexec/ssh-keysign
  • /usr/libexec/sshd-keygen-wrapper

Also, if you plan to ssh out from the appletv to other devices copy over the following additional files.

  • /usr/bin/ssh
  • /usr/bin/ssh-add
  • /usr/bin/ssh-agent
  • /usr/bin/ssh-keyscan
  • /usr/bin/scp

Here are the md5 checksums of the changes to my Take 2, with working sshd v2.


-bash-2.05b$ md5 /Volumes/OSBoot/usr/libexec/sshd-keygen-wrapper /Volumes/OSBoot/usr/libexec/sftp-server /Volumes/OSBoot/usr/sbin/sshd /Volumes/OSBoot/System/Library/Frameworks/OSXFrames/Kerberos.framework/Kerberos /Volumes/OSBoot/System/Library/LaunchDaemons/ssh.plist
MD5 (/usr/libexec/sshd-keygen-wrapper) = 56fa1739153d23f22d25777d48fcf316
MD5 (/usr/libexec/sftp-server) = 6d2c75d108bce39564142917c582a98d
MD5 (/usr/sbin/sshd) = 7a6617d80ff198c3d0dc4385287cb377
MD5 (/System/Library/Frameworks/OSXFrames/Kerberos.framework/Kerberos) = 83764deb005b7e1701992c9e22f4a7b3
MD5 (/System/Library/LaunchDaemons/ssh.plist) = 7776e5f87b7d65c640aed6bade4b1319

  • Note: The sshd-keygen-wrapper file was changed from its original to reference /System/Library/Frameworks/OSXFrames/Kerberos.framework. It is probable that you can leave this file unaltered and put the framework directly into your Frameworks folder instead of into an OSXFrames subfolder. I believe this was simply done for organization, but I was more concerned with getting it to work at the time.

--Dr Omega 19:02, 25 February 2008 (CET)

For each of these files (including sshd and ssh.plist), the forum also recommends executing the following two commands:

chown 0:0 file
chmod 755 file

For example:

sudo chown 0:0 /Volumes/OSBoot/usr/bin/ssh
chmod 755 /Volumes/OSBoot/usr/bin/ssh
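Before the drive goes back into the Apple TV it is worth checking, from the Mac, that every file in the lists above is actually there with the recommended owner and mode. The following audit script is an added example and not part of the AwkwardTV page; it assumes POSIX sh, that the volume is mounted at the path you pass it, and that the files should end up root-owned (uid 0) and mode 755 as the forum recommends.

```shell
# Added example, not from the AwkwardTV page: a pre-flight audit of the copied
# OpenSSH files on the mounted Apple TV volume, run from the Mac before the
# drive goes back in. It checks the file list above for presence, mode 755 and
# owner uid 0 (the chown 0:0 / chmod 755 the forum recommends). POSIX sh only.

# Files sshd needs on the ATV (from the list above), relative to the volume root.
ATV_SSHD_FILES="usr/sbin/sshd usr/bin/ssh-keygen usr/libexec/sftp-server usr/libexec/ssh-keysign usr/libexec/sshd-keygen-wrapper"
# Extra files only needed if the ATV will ssh/scp out to other hosts.
ATV_SSH_CLIENT_FILES="usr/bin/ssh usr/bin/ssh-add usr/bin/ssh-agent usr/bin/ssh-keyscan usr/bin/scp"
ATV_SSH_PLIST="System/Library/LaunchDaemons/ssh.plist"

# check_atv_file ROOT RELPATH WANT_UID
# Prints one line per defect ("MISSING", "MODE", "OWNER"); prints nothing when OK.
check_atv_file() {
    cf_path="$1/$2"; cf_rel=$2; cf_uid=$3
    if [ ! -f "$cf_path" ]; then
        echo "MISSING $cf_rel"
        return 0
    fi
    # `ls -ln` prints the mode string in field 1 and the numeric owner in field 3;
    # trim a trailing @ + or . that some systems append for xattrs/ACLs/SELinux.
    set -- $(ls -ln "$cf_path")
    cf_mode=${1%[@+.]}
    [ "$cf_mode" = "-rwxr-xr-x" ] || echo "MODE $cf_rel is $cf_mode, want -rwxr-xr-x (chmod 755)"
    [ "$3" = "$cf_uid" ] || echo "OWNER $cf_rel is uid $3, want uid $cf_uid (chown 0:0)"
}

# audit_atv_volume ROOT [WANT_UID] [client]
# Audits the sshd set (plus the client set if the third argument is "client"),
# prints every defect, and returns the number of defective files (0 = ready).
audit_atv_volume() {
    av_root=$1; av_uid=${2:-0}; av_list=$ATV_SSHD_FILES
    [ "${3:-}" = "client" ] && av_list="$av_list $ATV_SSH_CLIENT_FILES"
    av_bad=0
    for av_rel in $av_list; do
        av_out=$(check_atv_file "$av_root" "$av_rel" "$av_uid")
        if [ -n "$av_out" ]; then
            echo "$av_out"
            av_bad=$((av_bad + 1))
        fi
    done
    # The launchd job file is checked for presence only; it does not need +x.
    if [ ! -f "$av_root/$ATV_SSH_PLIST" ]; then
        echo "MISSING $ATV_SSH_PLIST"
        av_bad=$((av_bad + 1))
    fi
    return $av_bad
}

# Usage from the Mac, after copying everything (add "client" as the third
# argument if you copied the outbound ssh/scp tools as well):
#   audit_atv_volume /Volumes/OSBoot 0 && echo "ready to reinstall the drive"
```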

Take 2: Installing the Kerberos framework

  • The Kerberos framework will be on an Intel Mac, on the Installation CD, or in the 10.4.9 combo update.
  • An alternative is to simply use OpenSSH from Darwin, or just use the ssh v1 protocol. See #Using_the_v2_protocol_Without_Kerberos for more information.
  • Using the Kerberos framework from a password-protected Intel machine (Leopard) did not allow authentication and showed this message: ssh_exchange_identification: Connection closed by remote host. Using the kerberos.framework from the 10.4.9 update worked perfectly.

Copy over the Kerberos framework, so sshd will be able to use the ssh v2 protocol (without this step, you're limited to v1).

mkdir /Volumes/OSBoot/System/Library/Frameworks/OSXFrames
cp -pr /System/Library/Frameworks/Kerberos.framework /Volumes/OSBoot/System/Library/Frameworks/OSXFrames/.
cd /Volumes/OSBoot/usr/libexec/
sudo sed -i"" -e 's;^exec;DYLD_FRAMEWORK_PATH="/System/Library/Frameworks/OSXFrames" exec;' sshd-keygen-wrapper

(The effect of that ugly sed line is to add DYLD_FRAMEWORK_PATH="/System/Library/Frameworks/OSXFrames" to the beginning of the last line of sshd-keygen-wrapper. Using pico or vi is another possibility.)

Logging in

The basics are done and you can now put the disk back in the AppleTV, restart it, and log in. If you installed the Kerberos framework, the command is:

ssh frontrow@appletv.local

Otherwise use the command below which forces ssh to use the v1 protocol.

ssh -1 frontrow@appletv.local

The password, as shipped from Apple, is frontrow. If your box doesn't support Bonjour (that's most machines that aren't Macs, though you can install it on Windows, Linux, etc.), you'll have to connect to it by IP address, or put it in your local DNS or your /etc/hosts file (or analogue). In that case, figure out its IP address, and use that instead of "appletv.local".

IMPORTANT NOTE
The first time you try to SSH into the AppleTV, it will generate host keys. This takes a long time (at least compared to modern machines). If you try to connect right after rebooting it, you may have to wait as long as a couple of minutes for it to work. Be patient, and just try ssh again if it times out.

Other misc. notes:

  • If you are on a windows machine, use Putty or other ssh clients to connect.
  • The user "frontrow" has complete sudo privileges. To be root, do sudo -s and put in the password again (frontrow by default, remember?).

Logging in without a username or password

The previous contents of this section were terribly confusing. They recommended taking the ATV's private host key and using it as your personal key on your Mac (or perhaps as the host key on your Mac, it wasn't clear). Someone else later provided an "Alternate Method" which was correct, and this is mostly a light edit of that.

Everything here is done on your Mac, unless explicitly stated otherwise.

Checking for an existing identity

First, check to see if you have an identity already; if not, make one:

cd ; ls .ssh/id_rsa

If you see a file called id_rsa, then you already have an identity, and you can skip the next step.

Creating a new identity

Do this step only if you have no id_rsa file. (Don't worry if you have other files in .ssh; they don't matter, and we won't disturb them.)

To create a new identity file, type:

ssh-keygen

It'll ask for input three times, with lines that begin with "Enter". Just hit return each time. (You can use a passphrase if you're comfortable that you know what you're doing. Leave the filename alone.) It'll look like this, though the username and fingerprint will be different:

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/alexis/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/alexis/.ssh/id_rsa.
Your public key has been saved in /Users/alexis/.ssh/id_rsa.pub.
The key fingerprint is:
ef:3a:22:12:30:8e:37:7f:b5:0e:47:d4:e8:2f:9b:e9 alexis@alexis

Make SSH use username "frontrow" automatically

Do this on your Mac. It will only affect connections from your Mac to the AppleTV:

cat >>.ssh/config
Host appletv.local
 User frontrow
^D

"^D" means you must press Control and D at the same time.

Once this is done, you can just do "ssh appletv.local" instead of "ssh frontrow@appletv.local". Or, if you're really lazy (like me), this (instead of the above) will let you do just "ssh atv" to connect!

cat >>.ssh/config
Host appletv.local atv
 HostName appletv.local
 User frontrow
^D

Installing the ssh key on the AppleTV

  • Copy your public key to your AppleTV. You'll need to enter the password, but you no longer need to specify a username:
scp .ssh/id_rsa.pub appletv.local:~/
  • ssh to your AppleTV (still using password "frontrow", but you no longer have to give a username):
ssh appletv.local
  • Now, while still connected to the AppleTV, make a .ssh directory on your AppleTV, create an "authorized_keys" file and move your public key into it.
mkdir .ssh
mv id_rsa.pub .ssh/authorized_keys

You're done. Exit the ssh session, and try it again. This time, you can connect to the AppleTV without having to enter a password (or by using your passphrase, if you chose to use one).

For more information, see the man pages for ssh, ssh-keygen, and sshd.
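The `mv id_rsa.pub .ssh/authorized_keys` step works on a fresh box, but it replaces any keys already authorized and leaves the directory and file with whatever modes your umask gives them, which sshd's StrictModes (on by default) may reject. The function below is an added example, not from the AwkwardTV page; it assumes POSIX sh and awk on the Apple TV and is meant to be run there, as frontrow, after the scp above.

```shell
# Added example, not from the AwkwardTV page: the "make .ssh and move the key
# in" step done safely. It is meant to run on the Apple TV (as frontrow) after
# the scp above. Unlike `mv id_rsa.pub .ssh/authorized_keys` it keeps any keys
# already authorized, skips a key that is already present, and sets the modes
# sshd's StrictModes expects (700 on ~/.ssh, 600 on authorized_keys). POSIX sh.

# install_authorized_key HOME_DIR PUBKEY_FILE
# Prints "added" or "present"; returns 1 if the .pub file is empty.
install_authorized_key() {
    ik_home=$1; ik_pub=$2
    ik_line=$(head -n 1 "$ik_pub")           # a .pub file is one line: type key [comment]
    if [ -z "$ik_line" ]; then
        echo "empty key file: $ik_pub" >&2
        return 1
    fi
    # Compare on key type + key material only; the trailing comment may differ.
    ik_id=$(printf '%s\n' "$ik_line" | awk '{ print $1 " " $2 }')
    ik_auth="$ik_home/.ssh/authorized_keys"
    mkdir -p "$ik_home/.ssh"
    chmod 700 "$ik_home/.ssh"
    [ -f "$ik_auth" ] || : > "$ik_auth"
    chmod 600 "$ik_auth"
    if awk -v id="$ik_id" '($1 " " $2) == id { found = 1 } END { exit (found ? 0 : 1) }' "$ik_auth"; then
        echo present
    else
        printf '%s\n' "$ik_line" >> "$ik_auth"
        echo added
    fi
}

# check_ssh_modes HOME_DIR
# Returns 0 when ~/.ssh is drwx------ and authorized_keys is -rw-------,
# the combination sshd accepts with StrictModes on. A trailing @ + or . that
# some systems append to the mode string (xattrs/ACLs/SELinux) is ignored.
check_ssh_modes() {
    cm_dir=$(ls -ld "$1/.ssh" | awk '{ print $1 }')
    cm_file=$(ls -l "$1/.ssh/authorized_keys" | awk '{ print $1 }')
    cm_dir=${cm_dir%[@+.]}; cm_file=${cm_file%[@+.]}
    [ "$cm_dir" = "drwx------" ] && [ "$cm_file" = "-rw-------" ]
}

# authorized_key_count HOME_DIR -> number of key lines in authorized_keys
authorized_key_count() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Usage on the Apple TV, after `scp .ssh/id_rsa.pub appletv.local:~/`:
#   install_authorized_key "$HOME" "$HOME/id_rsa.pub" && check_ssh_modes "$HOME" && rm "$HOME/id_rsa.pub"
```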

Using the v2 protocol Without Kerberos

There is a far simpler way than the methods above to get the ssh v2 protocol enabled. This method does not require an Intel Mac, nor does it require screwing around with the Kerberos framework.

  • Download darwinx86-801.iso.gz. This site contains a few mirrors: http://wiki.osx86project.org/wiki/index.php/Chain0
  • Decompress and mount the image
  • Copy off System/Installation/Packages_i386/OpenSSH-56.root.tar.bz2.
    • Unless you have installed bzip2 on your ATV, you will need to uncompress this tar file before copying it over: "bunzip2 OpenSSH-56.root.tar.bz2"
  • Copy the archive to your AppleTV
  • ssh to your AppleTV (using -1) and execute the following:
    • cd /
    • sudo tar xf ~/OpenSSH-56.root.tar
  • On your AppleTV, edit the file: /System/Library/LaunchDaemons/ssh.plist
  • Remove the lines:
       <key>Disabled</key>
       <true/>

And that's it. When you reboot your ATV, it will be running the new ssh, which can do protocol version 2.
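Both the `defaults delete ... Disabled` command in "Creating an automatic startup file" and the "Remove the lines" step just above do the same thing: drop the Disabled key and its boolean from ssh.plist so launchd will start the job. The script below is an added example and not part of the AwkwardTV page; it assumes POSIX sh and awk, and a plist laid out one tag per line as in the listing earlier on this page, so it can be used where `defaults` is unavailable (on the ATV itself, or from a Linux box holding the mounted drive).

```shell
# Added example, not from the AwkwardTV page: portable sh/awk equivalents of
# `defaults delete <plist> Disabled` and of the "Remove the lines" step, for
# use where `defaults` is unavailable (a Linux box, or on the ATV itself).
# Assumes a plain XML plist with one tag per line, as in the listing above.

# Print 1 if the job is disabled (<key>Disabled</key> followed by <true/>),
# 0 otherwise. Exit status is 0 either way; the answer is on stdout.
launchd_job_disabled() {
    awk '
        /<key>Disabled<\/key>/      { pending = 1; next }
        pending && /<true\/>/       { disabled = 1; pending = 0; next }
        pending                     { pending = 0 }   # <false/> or anything else
        END                         { print (disabled ? 1 : 0) }
    ' "$1"
}

# Copy plist $1 to stdout with the Disabled key and its boolean value removed.
# This is what `defaults delete ... Disabled` does, and what deleting the two
# lines by hand achieves on the ATV.
strip_disabled_key() {
    awk '
        /<key>Disabled<\/key>/              { skip = 1; next }
        skip && /<(true|false)\/>/          { skip = 0; next }
        { skip = 0; print }
    ' "$1"
}

# Write a constructed sample plist (the page's layout, with the job disabled)
# to path $1, so the functions can be exercised without an Apple TV disk.
write_sample_plist() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Disabled</key>
        <true/>
        <key>Label</key>
        <string>com.openssh.sshd</string>
        <key>Program</key>
        <string>/usr/libexec/sshd-keygen-wrapper</string>
        <key>ProgramArguments</key>
        <array>
                <string>/usr/sbin/sshd</string>
                <string>-i</string>
        </array>
</dict>
</plist>
EOF
}

# Rewrite plist $1 in place so the job is enabled; prints "before=<0|1> after=<0|1>".
enable_sshd_plist() {
    before=$(launchd_job_disabled "$1")
    strip_disabled_key "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    after=$(launchd_job_disabled "$1")
    echo "before=$before after=$after"
}

# Demo on the constructed sample: run as `sh thisfile.sh --demo`
case "${1:-}" in
    --demo)
        tmp=$(mktemp /tmp/ssh.plist.XXXXXX)
        write_sample_plist "$tmp"
        enable_sshd_plist "$tmp"     # prints: before=1 after=0
        rm -f "$tmp"
        ;;
esac
```

On a real ATV the call is `enable_sshd_plist /System/Library/LaunchDaemons/ssh.plist`, run with sudo after remounting / read-write, as the earlier steps describe.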

Using Protocol 1

Finally, since I don't have an Intel Mac to work from, I am unable to install the kerberos framework. Prior to moving to Take 2, I could still SSH using SSH protocol version 2. After enabling SSH under Take 2, trying to SSH using protocol version 2 simply results in my AppleTV closing the SSH connection. To get around this, either use this ssh command from the Terminal:

ssh -1 frontrow@AppleTV.local

or edit your .ssh/config file along these lines:

Host appletv.local
    HostName appletv.local
    User frontrow
    Protocol 1

Don't forget that since you'll be using Protocol 1, you need to generate a new key for the Apple TV (i.e. one that is compatible with Protocol 1). Instead of using the command ssh-keygen, you need to run ssh-keygen -t rsa1. Then copy the file over to the Apple TV and everything will work fine.

Notes

  • The old Step 5 described how to make ssh keys. You won't have to create those, as OS X will create them the first time you connect to its sshd if they don't already exist. Thus, this section was removed.
  • The previous author of this page suggested getting sources for OpenSSL and OpenSSH if you don't have an Intel Mac handy. This method might be easier if you don't know how to extract files from packages such as the OS or Security updates.
  • Old instructions replaced the Kerberos.framework file of the AppleTV. This caused some problems. In particular, mount_afp fails with "Illegal instruction". If you're running a hacked kernel with SSE3 emulation, this probably won't affect you, but otherwise, it's a major issue. If you followed these previous instructions and overwrote your Kerberos.framework, I'm sorry. :-( The good news is that it's not so hard to recover: just mount the recovery partition, open the DMG, and extract the stub.