Configure OSX Firewall to Allow SSH Server?

10

5

If I turn on my OSX firewall, ssh is disallowed. If I turn it off, ssh can connect just fine. These are the settings from the ssh host: while I don't know what I'm doing, I figured that giving /usr/sbin/sshd "Allow Incoming Connections" (along with "Remote Login (SSH)") would be enough, but it's not. What else do I have to include for ssh (sshd? not sure) to allow connections?

The firewall configuration screen on OSX

I'm configuring ssh exclusively through the sharing menu, "Remote Login" in the System Preferences.

Dan Rosenstark

Posted 2011-04-02T19:56:36.963

Reputation: 5 718

As stated here (http://discussions.apple.com/thread.jspa?threadID=2174585), deleting sshd-keygen-wrapper, rebooting and saying yes to ssh-keygen-wrapper (though it was already set to yes) seems to work.

– Dan Rosenstark – 2011-04-02T20:27:30.507

Answers

9

I've seen this too. It seems that the OSX Application Firewall is getting confused. I managed to get mine going by doing the following:

sudo rm /Library/Preferences/com.apple.alf.plist

Then reboot.

Once the machine comes back up, when you go to Firewall > Advanced Settings, you should only see the system services you have enabled (in your case, SSH and Screen Sharing). The rest of the entries will have gone, but when you start any application that needs access through the firewall, OSX will ask you again whether to permit it, and it should then be added back to the firewall exceptions list (if you allow it incoming connections).

Pierz

Posted 2011-04-02T19:56:36.963

Reputation: 880

I found that if you run "sudo ipfw -f flush" and then close and re-open System Preferences, you can avoid the step of rebooting. – Mark E. Haase – 2012-07-11T01:14:00.117

7

The commands below worked for me on Yosemite:

cd /usr/libexec/ApplicationFirewall
sudo ./socketfilterfw --setloggingmode on      # turn on Application Firewall logging
sudo ./socketfilterfw --setloggingopt detail   # log every decision, not a throttled summary
sudo tail -f /var/log/appfirewall.log          # watch the log while you attempt the connection

Try to connect to your Mac over SSH. You should see a deny entry, in my case for sshd-keygen-wrapper:

Oct 27 15:22:12 myhost socketfilterfw[4940] <Info>: Deny sshd-keygen-wrapper connecting from 192.168.0.2:49470 to port 22 proto=6

Then simply add /usr/libexec/sshd-keygen-wrapper (as suggested by mehaase) to the list of allowed applications; there is no need to reboot.

To switch the logging level back:

sudo ./socketfilterfw --setloggingopt throttled   # still in /usr/libexec/ApplicationFirewall; needs root like the commands above

Chad

Posted 2011-04-02T19:56:36.963

Reputation: 71
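The answer above works by reading the Deny line out of appfirewall.log and then allowing the process it names, which for Remote Login is sshd-keygen-wrapper rather than sshd. The script below is an added example, not code from this thread or from Apple, that does the same triage from the command line: it parses ALF log lines for Deny entries, filters them to port 22, and registers the wrapper with socketfilterfw using its --add and --unblockapp options (the second one also covers the case, reported later in the thread, where the wrapper is already listed but set to Block). The log sample is constructed from the line quoted above plus two invented entries, the socketfilterfw path is the one used in the answer, and ALF_DRY_RUN is an assumption of this script so it can be read and run on a non-Mac host.

```shell
#!/bin/sh
# Added example (not from the original thread): find which process the OS X
# Application Firewall (ALF) is denying on port 22 and allow it with socketfilterfw.
# Assumptions: the log format quoted in the answer above, socketfilterfw at the
# path used there, and ALF_DRY_RUN=1 (this script's own switch) to only print
# the commands instead of running them.

ALF=/usr/libexec/ApplicationFirewall/socketfilterfw

# Constructed sample of /var/log/appfirewall.log: the line quoted in the answer,
# plus an Allow line and an unrelated Deny on another port so the filtering shows.
SAMPLE_LOG='Oct 27 15:22:12 myhost socketfilterfw[4940] <Info>: Deny sshd-keygen-wrapper connecting from 192.168.0.2:49470 to port 22 proto=6
Oct 27 15:22:12 myhost socketfilterfw[4940] <Info>: Allow Screen Sharing connecting from 192.168.0.2:49471 to port 5900 proto=6
Oct 27 15:22:13 myhost socketfilterfw[4940] <Info>: Deny nc connecting from 192.168.0.2:49473 to port 8080 proto=6
Oct 27 15:22:14 myhost socketfilterfw[4940] <Info>: Deny sshd-keygen-wrapper connecting from 192.168.0.2:49472 to port 22 proto=6'

# alf_denied: read ALF log lines on stdin, print unique "<app> <port>" pairs for
# Deny entries. The app name is whatever ALF logged; for Remote Login that is
# the wrapper that launchd runs, not sshd itself.
alf_denied() {
  sed -n 's/.*: Deny \(.*\) connecting from [^ ]* to port \([0-9][0-9]*\) .*/\1 \2/p' | sort -u
}

# alf_denied_on_port PORT: names of the apps ALF denied on one port (stdin = log).
alf_denied_on_port() {
  alf_denied | sed -n "s/ $1\$//p"
}

# alf_allow PATH: register PATH with ALF and make sure it is set to allow.
# --add puts it in the exceptions list; --unblockapp flips a listed-but-blocked
# entry to allow; --listapps shows the resulting state so you can verify it.
alf_allow() {
  if [ "${ALF_DRY_RUN:-0}" = 1 ] || [ ! -x "$ALF" ]; then
    echo "sudo $ALF --add $1"
    echo "sudo $ALF --unblockapp $1"
    return 0
  fi
  sudo "$ALF" --add "$1"
  sudo "$ALF" --unblockapp "$1"
  sudo "$ALF" --listapps | grep -F "$1"
}

# Usage: no argument triages the constructed sample; a file argument triages that
# log, e.g. /var/log/appfirewall.log after turning on detail logging as above.
main() {
  if [ -n "$1" ]; then
    apps=$(alf_denied_on_port 22 < "$1")
  else
    apps=$(printf '%s\n' "$SAMPLE_LOG" | alf_denied_on_port 22)
  fi
  if [ -z "$apps" ]; then
    echo "no ALF denials on port 22 (is detail logging on and did you try to connect?)"
    return 0
  fi
  printf '%s\n' "$apps" | while read -r app; do
    case $app in
      sshd-keygen-wrapper) alf_allow /usr/libexec/sshd-keygen-wrapper ;;
      *) echo "denied on port 22: $app; locate its binary and pass the path to alf_allow" ;;
    esac
  done
}

main "$@"
```

Run it with no arguments to see the commands it would issue for the sample, or point it at the real log on the Mac once detail logging is on. After allowing the wrapper, re-run the SSH connection while tailing the log: the Deny line should be gone, and `socketfilterfw --listapps` should show the wrapper with incoming connections allowed, which is the state the later answers describe as the fix.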

6

In my case, I added /usr/libexec/sshd-keygen-wrapper to the firewall settings and rebooted.

I found the idea here: https://discussions.apple.com/thread/2174585?threadID=2174585

One good troubleshooting technique: open Console.app and watch /var/log/appfirewall.log (or tail -f /var/log/appfirewall.log from the command line).

Mark E. Haase

Posted 2011-04-02T19:56:36.963

Reputation: 3 243

(For OSX 10.11) dragging and dropping /usr/libexec/sshd-keygen-wrapper from the Finder into the System Preferences > Security & Privacy [Firewall] (Firewall Options) dialog window fixed this for me, after cycling sshd off/on in the Sharing preferences too. – jimmont – 2016-10-25T04:50:46.200

2

In El Capitan 10.11.5, sshd-keygen-wrapper was in the list of allowed connections, but was set to block. It was only necessary to set it to allow, and remote SSH login worked. No reboot required.

CCryder66

Posted 2011-04-02T19:56:36.963

Reputation: 21

Same, simple fix for 10.11.6. Thanks! – TomEE – 2018-09-12T19:26:14.907