Configure OSX Firewall to Allow SSH Server?

If I turn on my OSX firewall, ssh is disallowed. If I turn it off, ssh can connect just fine. These are the settings from the ssh host: while I don't know what I'm doing, I figured that giving /usr/sbin/sshd "Allow Incoming Connections" (along with "Remote Login (SSH)") would be enough, but it's not. What else do I have to include for ssh (sshd? not sure) to allow connections?

The firewall configuration screen on OSX

I'm configuring ssh exclusively through the sharing menu, "Remote Login" in the System Preferences.

1

4 Answers

I've seen this too - It seems that the OSX Application Firewall is getting confused. I managed to get mine going by doing the following:

sudo rm /Library/Preferences/com.apple.alf.plist

Then reboot.

Once the machine comes back up, when you go to Firewall > Advanced Settings, you should only see the system services you have enabled (in your case, SSH and Screen Sharing). The rest of the entries will have gone, but when you start any applications that need access through the firewall, OSX will ask you to permit the application or not again and should then be added back to the firewall exceptions list (if you allow it incoming connections).

1

The commands below worked for me on Yosemite

cd /usr/libexec/ApplicationFirewall
sudo ./socketfilterfw --setloggingmode on
sudo ./socketfilterfw --setloggingopt detail
sudo tail -f /var/log/appfirewall.log

Try to connect to your Mac over SSH. You should see a deny entry, in my case sshd-keygen-wrapper

Oct 27 15:22:12 myhost socketfilterfw[4940] <Info>: Deny sshd-keygen-wrapper connecting from 192.168.0.2:49470 to port 22 proto=6

Then simply add /usr/libexec/sshd-keygen-wrapper (as suggested by mehaase) to the list of allowed applications, but there is no need to reboot

To switch the logging level back

./socketfilterfw --setloggingopt throttled

In my case, I added /usr/libexec/sshd-keygen-wrapper to the firewall settings and rebooted.

I found the idea here:

One good troubleshooting technique: open Console.app and watch /var/log/appfirewall.log (or tail -f /var/log/appfirewall.log from the command line).

1

In El Capitan 10.11.5, sshd-keygen-wrapper was in the list of allowed connections, but was set to block. It was only necessary to set it to allow, and remote SSH login worked. No reboot required.

1

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like