The Joy of ssh: remote control and quick copying

One well-established method of building fault-tolerant systems is to provide several alternative ways of doing things. When your Mac gets into trouble, the fact that it has multiple options for restarting or shutting down is important.

You will normally reach for the Restart… command in the Apple menu. If your Bluetooth mouse/trackpad isn’t playing, you can connect it using its charging lead and see if it works over USB. If that doesn’t help, and your Mac appears to have frozen, most users head for the Power button next. Although that’s normally reliable, it’s quite a blunt instrument and doesn’t give you any options as to what happens before your Mac restarts or shuts down.

It’s much smarter to connect to the sick Mac from another Mac, or indeed another computer, and take control remotely. You can then try restarting key systems, copying files off in case they get blown away during the restart, and so on. For client systems this is valuable; for servers it is often essential. Because this command-based control doesn’t rely on the great majority of macOS running properly – it has no GUI, for instance – you can often do this successfully even when that Mac appears to be frozen and unresponsive.

The way to do this is using the secure shell, ssh, in Terminal. It may seem daunting at first, but this is one of the best practical uses of the command line for regular users who see no good reason to go near it otherwise. Prior to High Sierra, you could use plain old telnet, but ssh is far better, and 10.13 has done away with both telnet and the insecure ftp tool for transferring files.

ssh01

There’s one crucial step you must take before you can make ssh or anything based on it happen: you have to enable it on the target Mac, the one that you’re going to connect to. One of the first things that I normally do when I get a Mac is to switch this on and configure it, in the Sharing pane. I also enable Remote Management, and restrict these services to myself, as the admin user.

Whilst you’re about those, if you have any doubts about the resilience of your firewall to block all incoming connections, or suspect that your password could usefully be stronger, now is the time to do something about them, before you enable sharing services which could otherwise be the jackpot for an intruder.

ssh02

Next, I check that ssh is working correctly by typing in the basic command to connect to that Mac from another system. This is where it’s handy to have configured its Network settings using a fixed IP address, as you will already know what to use. Then in Terminal type
ssh username@192.168.63.3
where you give your username on the Mac which you’re connecting to, and its IP address. The first time that you do this, ssh will obtain and save the remote system’s fingerprint, so you’ll need to type yes to its request to continue the connection. You’re then prompted for that user’s password on the remote system, and you’re in and running as that user at the top level of the Home folder. Try a couple of commands like ls to confirm that everything is good, and then type
exit
to log out.

ssh03

If you’re going to do this much, it’s worth setting up an easy connection using the New Remote Connection… command in Terminal’s Shell menu. That is extremely simple to do, and will be available when you next want to connect.

Once you’re connected by ssh to a sick Mac, the choices continue too: if you can, restart it using
shutdown -r now
which should be more graceful than the direct
reboot

The other service which is worth being familiar with is scp, which replaces ftp for transferring files. With one Terminal window open and running ssh, you can list the folders containing the files you want to transfer. Then in the other, type a command like
scp file username@192.168.63.3:Documents/
to transfer file into the remote ~/Documents folder, or
scp username@192.168.63.3:Documents/file Documents/
to transfer file from the remote ~/Documents folder into your local ~/Documents, for example.

ssh04

scp uses ssh, so once you have configured and tested the ssh connection, scp should be a breeze to use.

Using tools such as ssh and scp may appear old-fashioned and clumsy. But once you have enabled them, they are often quicker than their GUI equivalents, and normally work when the GUI has become a lot of pain and grief. And they’re excellent fallbacks which can get you out of trouble when the only option seems to be that Power button.

11Comments

Add yours

1

Eric on May 10, 2018 at 8:20 am

And here I’ll take a loss of logs over leaving ssh enabled any day of the week – I’d hesitate to recommend leaving ssh enabled continuously unless it’s on a Mac that never leaves home. Definitely a security risk, especially when running on the default port!

LikeLiked by 1 person
- 2
  
  hoakley on May 10, 2018 at 9:05 am
  
  Thank you for emphasising the security aspects of all sharing services (not just ssh).
  However, the requirement is based on context and the networks accessed. If your MacBook Pro only ever connects to your work and home networks and both are well-secured, with robust firewalls which block all incoming, then leaving ssh on should be a completely acceptable risk.
  What is unfortunate is that macOS doesn’t appear to support complete networking locations: there isn’t a simple switch, for example, which changes you from one set of settings including sharing, to another. That would be very useful for many, I suspect, as it would allow you to have ssh and other services turned on when you’re using a fixed network location, then switch to a mobile group of settings when you leave that protection.
  I don’t even know of a third party utility which does that, do you?
  Howard.
  
  LikeLike
3

Eric on May 10, 2018 at 8:24 am

Also, rsync is installed (if a bit of an older version unless using homebrew) by default on macOS, and is much faster than scp, via something like “rsync -avh user@deadmac:/remote/file/path /local/file/path” – even on a local network!

LikeLiked by 1 person
- 4
  
  hoakley on May 10, 2018 at 9:16 am
  
  Thanks.
  rsync is certainly much faster when you’re syncing files. For plain file copies, though, you are not likely to notice much speed difference, if any.
  I think it also behaves rather differently if you pass it a directory as an argument, and syncs that folder rather than copying it. Although that can be beneficial when that’s what you want to do, it could come as a surprise!
  Howard.
  
  LikeLike
5

Biff on May 10, 2018 at 3:39 pm

Using ssh as you described has proven valuable to me many times over the years, and not just with Macs, but with a wide variety of Unix systems. Another useful tip for troubleshooting problems on a machine that is having GUI trouble is to ssh into the machine and run a command like
tail -n500 -f /var/log/system.log
Even with Apple’s atrocious new logging system, this sometime will yield a clue about the underlying problem.

LikeLiked by 1 person
- 6
  
  hoakley on May 10, 2018 at 3:42 pm
  
  Thank you – yes, that can be very useful.
  Howard.
  
  LikeLike
7

Samuel Herschbein on May 11, 2018 at 1:32 am

Can you please explain why shutdown should be more graceful than reboot? I checked the man pages for both. Both say they send SIGTERM followed by SIGKILL. Shutdown says it waits “an intentionally inde-
terminate period of time” between the two, reboot doesn’t say how long.

LikeLiked by 2 people
- 8
  
  hoakley on May 11, 2018 at 7:45 am
  
  Thank you – another tricky question!
  The answer for the moment depends on a close reading of the two man pages, which may not be reliable. However, that for shutdown refers to its -o option as “If -h or -r is specified, shutdown will execute halt(8) or reboot(8) instead of sending a signal to launchd(8)”. So shutdown normally, in the absence of the -o option, works by sending a signal to launchd to prepare for the restart.
  shutdown also offers a wider range of options, including plain shutdown, and of course a time period prior to restarting. It appears to be the more generally recommended, and no less graceful than reboot, at worst.
  I can feel a session with tests and logs coming on…
  Howard.
  
  LikeLike
- 9
  
  jaydisc on May 13, 2018 at 4:06 am
  
  I had the same question.
  
  Also related, is `fdesetup authrestart` which is how to restart a machine with FileVault if you DO NOT want it to ask for password at startup (extremely useful for headless servers!). I think High Sierra introduced a new argument of “[-delayminutes number_of_minutes_to_delay]” with -1 being never, so this is a good command to use along with a gentle Finder Restart to avoid unlocking the volume and having the gentlest of restarts.
  
  LikeLiked by 1 person
  - 10
    
    hoakley on May 13, 2018 at 7:45 am
    
    Thank you – yes, that is another valuable command.
    I have been looking at differences between reboot and shutdown -r now, and there will be an article tomorrow morning providing a more definitive answer.
    Howard.
    
    LikeLiked by 1 person
    - 11
      
      hoakley on May 14, 2018 at 1:49 pm
      
      Here’s the answer for you.
      Howard.
      
      LikeLike

Share this:

Related