Firewall denies sshd-keygen-wrapper despite configuration

firewallssh

After upgrading to Lion, I cannot connect via SSH. I get a timeout:

$ ssh -o ConnectTimeout=5 not.my.actual.hostname
ssh: connect to host not.my.actual.hostname port 22: Operation timed out

In /var/log/appfirewall.log I get this:

Firewall[541]: Deny sshd-keygen-wrapper connecting from 192.168.1.1:49380 to port 22 proto=6

I have specifically added sshd-keygen-wrapper to my firewall rules and set it to "Allow incoming connections", but I still get the same message in the firewall log.

If I disable the firewall, I can connect without issue, but I'd rather not disable it completely. What am I missing? Thanks.

Best Answer

I was having the same problem and this is how I fixed it --

Delete sshd-keygen-wrapper from firewall list
Click + to add it back
In the Open dialog press Cmd-Shift-G and specify /usr/libexec
select sshd-keygen-wrapper

Explicitly adding it in this way worked for me. Good luck!

After step 4. you have to reboot. Or just restart the firewall by disabling and enabling the firewall in the system settings. Without the restart the new configuration will not be activated.

Related Solutions

OS X Server – Remote HTTP Connections Ignored but Local Accepted

OS X actually has (at least) 3 firewalls. Since you've turned off the application firewall (in System Preferences -> Security & Privacy -> Firewall) and checked the Berkeley packet filter (pfctl -sa), I'm guessing it's the old ipfw that's doing the blocking. You can check with sudo ipfw show -- that'll list the active rules, along with counts of how many packets and bytes each one has applied to:

$ sudo ipfw show
01000 19228642 23229993542 allow ip from any to any via lo0
01010        0           0 deny ip from any to 127.0.0.0/8
[etc...]
65534    23505     3467352 deny ip from any to any
65535        0           0 allow ip from any to any

If your listing only shows rule #65535 (the allow rule at the end), my guess is wrong and you have to look elsewhere. If it does show other rules, you probably have a third-party firewall config program installed somewhere (I don't think the Apple-supplied ipfw config software is still there in 10.8); take a look in /Library/StartupItems and /Library/LaunchDaemons for things that might be relevant.

VNC via SSH Problem

It looks to me like you're using the wrong remote IP address in your tunnel. You should be using -L 5901:127.0.0.1:5900 ....

It's important to realize that the destination IP for the tunnel is where the remote (server) computer forwards the connection to, so 127.0.0.1:5900 means it connects to port 5900 on the server itself.

It looks like you're using ssh -L 5901:PublicIPofServer:5900 ..., which makes the server try to connect to port 5900 on its own public IP. But that's actually the WAN IP of the router the server's behind, so unless that router forwards port 5900 to the private IP of the server (in which case you wouldn't need the SSH tunnel) AND the router supports NAT loopback (aka hairpin NAT), this won't work.

Best Answer

Related Solutions

OS X Server – Remote HTTP Connections Ignored but Local Accepted

VNC via SSH Problem

Related Question