These instructions are for installing ssh on the Apple TV from an Intel Mac (if you don't have an Intel Mac, you need to find another source for sshd, such as http://darwinsource.opendarwin.org/Roots/OpenSSH-56.root.tar.gz and http://darwinsource.opendarwin.org/Roots/OpenSSL-26.root.tar.gz - please verify that those work). You need to remove the Apple TV's hard drive, mount it using a FireWire or USB enclosure, perform the steps below, and then reinstall the drive. It is not necessary to disable the firewall (see Disable Firewall). However, for some unknown reason, the SSH server only allows SSH protocol version 1 connections, so you will need to use the -1 option when using the ssh client.
If you copy sshd from a 10.4.9 Intel Mac (OpenSSH_4.5p1, OpenSSL 0.9.7l 28 Sep 2006), the sshd binary will crash when trying to establish an SSH2 connection. To get SSHv2 working, see Step 4.
Copy sshd from /usr/sbin/ on your local Intel Mac, to /Volumes/OSBoot/usr/sbin/ on the Apple TV HD (you have to use an Intel-compiled version).
After that you have to make the copied sshd file executable, which changes its classification from Document to Unix executable. The easiest way is to run
chmod +x /Volumes/OSBoot/usr/sbin/sshd
in the Terminal.
Rewrite /Volumes/OSBoot/System/Library/LaunchDaemons/ssh.plist with this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <false/>
    <key>Label</key>
    <string>com.openssh.sshd</string>
    <key>Program</key>
    <string>/usr/libexec/sshd-keygen-wrapper</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/sshd</string>
        <string>-i</string>
    </array>
    <key>SessionCreate</key>
    <true/>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>Bonjour</key>
            <array>
                <string>ssh</string>
                <string>sftp-ssh</string>
            </array>
            <key>SockServiceName</key>
            <string>ssh</string>
        </dict>
    </dict>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>inetdCompatibility</key>
    <dict>
        <key>Wait</key>
        <false/>
    </dict>
</dict>
</plist>
Log in like this:
ssh -1 frontrow@AppleTV.local
- If you are on a Windows machine, use PuTTY to connect.
- Under Connection -> SSH, there is an option for "1 only". Use this.
- You may need to connect by IP address instead of by name if you do not have Bonjour installed.
- Note: user "frontrow" has sudo privileges. The password for sudo is "frontrow".
Step 4 - Creating Host Keys and Making ssh2 Work
As noted, the sshd binary copied from a 10.4.9 install only supports version 1 of the ssh protocol. To enable ssh2 and create your host keys, follow these steps.
This is written assuming you already have ssh1 shell access to the device.
- Download the ssh package listed above from here http://darwinsource.opendarwin.org/Roots/OpenSSH-56.root.tar.gz and extract usr/sbin/sshd from the package.
- scp this file over to the ATV with the following command
scp -1 sshd frontrow@<your ip address>:
- Log in to the ATV and remount the root partition as read write.
-bash-2.05b$ sudo mount -o rw,remount /dev/disk0s3 /
- Backup the existing sshd
-bash-2.05b$ sudo mv /usr/sbin/sshd /usr/sbin/sshd.old
- Move the new sshd binary to /usr/sbin
-bash-2.05b$ sudo mv /Users/frontrow/sshd /usr/sbin/sshd
- Again, make the sshd file executable so that it is classified as a Unix executable rather than a Document.
-bash-2.05b$ chmod +x /usr/sbin/sshd
- Generate the rsa key - Do not use a passphrase
-bash-2.05b$ sudo ssh-keygen -t rsa -f /etc/ssh_host_rsa_key
- Generate the dsa key - Do not use a passphrase
Note: this is a bit slow on the ATV; be patient.
-bash-2.05b$ sudo ssh-keygen -t dsa -f /etc/ssh_host_dsa_key
- Generate the rsa1 key - Do not use a passphrase
-bash-2.05b$ sudo ssh-keygen -t rsa1 -f /etc/ssh_host_key
Note: You may need to create an sshd_config file in /etc for this to work. The file can be empty.
Step 5 - Logging in without a password
- It's assumed all previous steps are completed. This section only works for a Mac; Windows users should investigate Pageant, a program that comes with PuTTY. First create a special directory on the ATV for your keys.
-bash-2.05b$ mkdir ~frontrow/.ssh
-bash-2.05b$ chmod 700 ~frontrow/.ssh
- Add a key to the authorized_keys file and protect the file. SSH checks the permissions of this file very carefully. The key used here is the device's RSA host key generated in Step 4, so the same key pair both identifies the Apple TV and logs you in.
-bash-2.05b$ cat /etc/ssh_host_rsa_key.pub > ~frontrow/.ssh/authorized_keys
-bash-2.05b$ chmod 600 ~frontrow/.ssh/authorized_keys
- Display the full private key and copy the text to the clipboard. You'll see something like
-bash-2.05b$ sudo cat /etc/ssh_host_rsa_key
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAtPQlIYRKBPxrZjiXKjLX7uR6gRxCvkV8S09H1f8SLmVRoyfT
chMGdMCwVgv+stf7gc1mW6aYVqSV7DMo4HCN7uFQwGRt0/qxdgCVesN60tugnEM9
..lots more stuff here..
UvxgQ1ahS+82mHd8XNDOXmMEEIE0mOffga35ADyisZfBql+yED6xXzOOw9/vfP3q
UrmG68Mwv18Wz0unZGt1NSwsw/6ITSGKN3iTr+w4zcEpGK6liJw=
-----END RSA PRIVATE KEY-----
- Still on the ATV, remount the root partition read only.
-bash-2.05b$ sudo mount -o ro,remount /dev/disk0s3 /
- On your Mac in a terminal window run nano -wci /path_to_file/ssh_rsa_key and paste in the clipboard text. Press Ctrl-x to save and exit.
- Change the permissions on this new file:
chmod 700 /path_to_file/ssh_rsa_key
- Test your mod before logging out of the ATV by opening a new connection to the device. Running this should not require a password; if it does, check the permissions on your ATV .ssh directory, authorized_keys file and the key file on the Mac. All should be 600 or 700.
ssh -i /path_to_file/ssh_rsa_key frontrow@AppleTV.local
- If you get something like this then just delete the known_hosts file (this also discards the saved keys of every other host in it; removing only the offending line named in the message is enough).
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
7a:24:c9:75:cb:15:0f:8a:5c:1a:72:81:e2:25:f4:c2.
Please contact your system administrator.
Add correct host key in /Users/nsc/.ssh/known_hosts to get rid of this message.
Offending key in /Users/nsc/.ssh/known_hosts:1
RSA host key for 192.168.1.17 has changed and you have requested strict checking
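Instead of deleting the whole known_hosts file, the fingerprint in the warning can be compared with the one read on the Apple TV itself, and only the offending line removed. This is an added example, not part of the original instructions; the function name forget_changed_host and the saved warning file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): react to the "REMOTE HOST
# IDENTIFICATION HAS CHANGED" warning by checking the fingerprint first and
# then removing only the offending known_hosts line.

# forget_changed_host WARNING_FILE EXPECTED_FP   (hypothetical helper)
#   WARNING_FILE  text of the ssh warning, saved to a file
#   EXPECTED_FP   fingerprint read on the Apple TV itself, e.g. with
#                 ssh-keygen -l -f /etc/ssh_host_rsa_key.pub
# Returns 0 after removing the line, 1 on fingerprint mismatch, 2 if the
# warning text could not be parsed or the backup could not be written.
forget_changed_host() {
    warning=$1
    expected=$2

    # Fingerprint in the colon-separated hex form shown in the warning.
    seen=$(grep -Eo '([0-9a-f]{2}:){15}[0-9a-f]{2}' "$warning" | head -n 1)
    # "Offending key in <file>:<line>" names the stale entry.
    file=$(sed -n 's/^Offending .*key in \(.*\):[0-9][0-9]*$/\1/p' "$warning")
    line=$(sed -n 's/^Offending .*key in .*:\([0-9][0-9]*\)$/\1/p' "$warning")

    if [ -z "$seen" ] || [ -z "$file" ] || [ -z "$line" ]; then
        echo "could not parse warning text" >&2
        return 2
    fi
    if [ "$seen" != "$expected" ]; then
        echo "fingerprint $seen does not match $expected; known_hosts unchanged" >&2
        return 1
    fi

    # Keep a backup, then rewrite the file without the offending line.
    cp "$file" "$file.bak" || return 2
    sed "${line}d" "$file.bak" > "$file"
}
```

On OpenSSH versions that provide it, ssh-keygen -R 192.168.1.17 also removes a single host entry, but it does not compare fingerprints.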
Alternate Keygen Method (seems less complicated to me)
As an alternate method for setting up passwordless login, you can create the rsa key on your local machine and copy it to the AppleTV. Here are the steps I found on Dreamhost's wiki, which I've tried and can confirm it works with AppleTV, assuming you have already installed OpenSSH-56 as described above.
These steps would take over starting with item 7 in Step 4 above:
First generate an RSA key pair on your computer. Note if you have ever generated RSA keys before, i.e. for passwordless login to other SSH servers, you can skip this step.
ssh-keygen -t rsa
It will prompt you for three things, hit enter to accept the default on all three.
Next, copy your public key to your AppleTV.
scp ~/.ssh/id_rsa.pub frontrow@AppleTV.local:~/
Then ssh to your account (using your password):
Next, make an .ssh directory on your AppleTV. Add the public key to your authorized keys file and delete the file you uploaded:
mkdir .ssh
cat id_rsa.pub >> .ssh/authorized_keys
rm id_rsa.pub
Then make sure permissions are set properly for all necessary files and directories:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
If everything is configured properly, you should be able to access your AppleTV through SSH without a password now!
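The permission checks that Step 5 and the chmod step above rely on can be scripted. The following is an added example, not part of the original instructions; the function names are hypothetical, and it covers only the mode bits (sshd also expects these paths to be owned by the user or root).

```shell
#!/bin/sh
# Added example (not from the original page): check the permission rules that
# sshd and the ssh client apply to the files created in the steps above.

# mode_of PATH -> 10-character mode string from ls, e.g. "drwx------"
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# server_path_ok PATH: sshd refuses key login if the home directory, .ssh or
# authorized_keys is writable by group or others (mode & 022 must be 0).
server_path_ok() {
    m=$(mode_of "$1")
    [ -n "$m" ] || return 2                 # path missing
    gw=$(printf '%s' "$m" | cut -c6)        # group write bit
    ow=$(printf '%s' "$m" | cut -c9)        # other write bit
    [ "$gw" = "-" ] && [ "$ow" = "-" ]
}

# client_key_ok PATH: the ssh client ignores a private key that group or
# others can access at all (mode & 077 must be 0).
client_key_ok() {
    m=$(mode_of "$1")
    [ -n "$m" ] || return 2
    [ "$(printf '%s' "$m" | cut -c5-10)" = "------" ]
}

# audit_ssh_home HOME_DIR: prints one line per path checked and returns
# non-zero if any of them would make sshd reject the key.
audit_ssh_home() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if server_path_ok "$p"; then
            echo "ok    $(mode_of "$p") $p"
        else
            echo "FAIL  $(mode_of "$p") $p"
            rc=1
        fi
    done
    return $rc
}

# Usage on the Apple TV:  audit_ssh_home ~frontrow
# Usage on the Mac:       client_key_ok /path_to_file/ssh_rsa_key && echo ok
```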
For more information, see the man pages for ssh, ssh-keygen, and sshd.