OpenClaw SSH
Port Forwarding Diagnostics in Action

Goal: Loopback-only Control Plane, Minimize Attack Surface

The OpenClaw gateway multiplexes WebSocket and HTTP on port 18789 by default. The configuration reference states that gateway.bind: "loopback" locks the listener to the local loopback address, while non-loopback binding requires gateway auth (token, password, or a strictly configured trusted proxy). For shared remote Macs, the best approach is: loopback binding + token mode, where operators and automation access the port via an encrypted tunnel instead of exposing 18789 on the host's public network interface.

This article pairs with: OpenClaw on nozcloud Germany: Daemon Onboarding and Compliance Baseline. To purchase or adjust configuration, visit the purchase page and compare plans on the pricing page.

Minimal Reproducible Steps (Remote Mac)

Run the following procedure on a test machine first, then push the same plist, SSH config, and CI jobs to production after validation.

1. SSH baseline setup. Create a dedicated macOS user for OpenClaw. Install only the approved OpenClaw version, then verify non-interactive SSH via key authentication (disable password auth for that account in sshd_config if policy allows).
2. Declare binding and auth in JSON5. In ~/.openclaw/openclaw.json, keep gateway.mode: "local", set gateway.bind: "loopback", and configure gateway.auth.mode: "token" with gateway.auth.token: "${OPENCLAW_GATEWAY_TOKEN}". If both token and password objects are present, explicitly set gateway.auth.mode to avoid ambiguity at startup.
3. Inject the token — don't commit secret paths to Git. Export OPENCLAW_GATEWAY_TOKEN via the LaunchDaemon's EnvironmentVariables dictionary or a root-owned environment file with strict POSIX permissions. For first boot, run openclaw doctor --generate-gateway-token in a secure admin shell.
4. No-TTY health check. Run openclaw config validate then openclaw doctor --non-interactive in sequence. The --non-interactive flag skips interactive prompts, applies safe migrations, and avoids interactive OAuth refresh — ideal for cron and CI.
5. Install or restart the gateway service. Use the vendor's standardized process (e.g. openclaw gateway install with your pinned parameters). Confirm that openclaw gateway status shows the listener healthy on loopback only.
6. Establish SSH LocalForward from your local workstation. Run ssh -N -L 18789:127.0.0.1:18789 openclaw-svc@germany-host.example (replace the username and hostname). Local tools can then reach ws://127.0.0.1:18789 while traffic is encrypted over SSH.
7. Verify the token path. Once the tunnel is up, connect to 127.0.0.1:18789 from your laptop using Bearer Token as documented in your runbook. Intentionally send a wrong token: you should see an auth failure rather than silent pass — proof of end-to-end enforcement.

Compliance-Oriented Attack Surface Checklist

The following items do not constitute legal advice; they translate the principle of "least privilege" into concrete checkpoints that security reviewers can verify.

• No plaintext tokens in shell history: Load secrets via LaunchDaemon or a CI secret injector — never inline export in a shared screen session.
• Separate ops SSH accounts from service accounts: Human users have their own UNIX principals; the OpenClaw daemon user should not own your personal dotfiles.
• Review gateway config changes in PRs: Any modification to gateway.bind, gateway.auth, hooks, or gateway.http endpoints requires two-person review.
• Back up config before doctor runs: Keep a timestamped copy of openclaw.json before upgrades; if a migration drops auth metadata, restore from artifact storage and restart the service.
• Document emergency procedures: If someone temporarily relaxes binding mode during incident response, file a ticket immediately and roll back within the SLA window.

Merge Gate Approach (GitHub Actions Pseudocode Example)

Commit a read-only pinned copy or sanitized excerpt of your production config to Git — never the production token. Inject a one-time OPENCLAW_GATEWAY_TOKEN via CI secrets so that validation paths requiring environment variable substitution execute correctly. The job should include the following steps:

1. Install the same OpenClaw minor version as production.
2. Apply openclaw config validate against the merged result of the checked-in template and test secrets.
3. Run openclaw doctor --non-interactive; fail if warnings exceed policy thresholds (many teams treat any "auth missing" line as a hard error).
4. Optionally run openclaw doctor --deep nightly rather than on every PR — deep scans take longer and may require elevated privileges.

Follow your internal ops runbook for upgrade issues; if you hit blockers around provisioning or SSH access, submit a ticket via the Help Center link below.