Big Sur SSH can connect to a server in the intranet but cannot connect to an internet server

I tried a lot of things to figure out why my SSH gives me the following message (I took out the IP address)


OpenSSH_8.1p1, LibreSSL 2.7.3

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 47: Applying options for *

debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxxxxx] port 22.

debug1: connect to address xxx.xxx.xxx.xxx port 22: Operation timed out


I can connect to my VM, a server in my intranet (even inside VPN) without any issues.

But every time I connect to a server over the internet, I get the above message.


NOTE:

(1) The server is working. I used another laptop to SSH to it. It is working fine.

(2) I do not have any firewall on my MacBook Pro.


Does anyone know how to fix my SSH?

Should I downgrade or upgrade my OS?

Can I reinstall SSH to fix this?


Thanks.




MacBook Pro 16″, macOS 11.6

Posted on Feb 5, 2022 7:03 AM

12 replies

Feb 5, 2022 1:59 PM in response to aaron_ch

This is not an Apple problem. I work with literally "thousands" of OpenSSH connections and have not run into such problems. The issue is with the server you are attempting to remote connect. Something is out of date or misconfigured. The fact that changing the port number to 8822 worked, reveals the issue is with the server configuration. That and all your other testing stated that SSH works fine with other server hosts. Digital Ocean might be able to provide some insight with your problem, you could open a support case with them.



Feb 5, 2022 10:00 AM in response to aaron_ch

Compare working old El Capitan Mac vs Newer Big Sur Mac:


/etc/ssh/ssh_config 
/etc/ssh/ssh_config.d/*
~/.ssh/config
~/.ssh/known_hosts
~/.ssh/authorized_keys


As well as any public / private keys


My guess is the server you are attempting to SSH connect to with Big Sur is listening on a different port other than the default port 22 and perhaps your ~/.ssh/config on the El Capitan Mac might have that host configured with the appropriate port. Something like the below config.


~/.ssh/config
Host <customized servername>
  User <user>
  HostName <actual servername w/FQDN>
  Port 2222


You might need to do this on the Digital Ocean host:


sudo ufw allow 22/tcp


You might also need to reboot the Digital Ocean host.


On the Big Sur Mac flush your DNS cache

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder


Feb 5, 2022 1:31 PM in response to James Brickley

Thank you very much, James. I will do it later. I would like to include some findings for those who have similar questions.


So, I switched my host server to listen on port 8822 and then used my failed MacBook to SSH to it.

It worked but not on the default port.


To summarize my experiences so far -

(1) Changing the port from 22 to others works fine.

(2) Using port 22 to SSH to an "intranet" host works fine.


I can certainly change my hosting server to another port, but it is not an ideal solution.

I plan to do what James suggested, or reinstall SSH on my MacBook.

But are any Apple developers monitoring this? It seems that it is a frustrating and odd issue.






Feb 5, 2022 12:42 PM in response to aaron_ch

Using telnet to test is all fine and good. But have you compared the configurations between the El Capitan and Big Sur Mac? There has to be a difference because El Capitan is working but Big Sur is failing and in fact timing out seems to indicate it's being ignored and not actively blocked or refused.


Also, in the /etc/ssh there should be several public / private keys and the file permissions need to be proper. I have had issues with Catalina and Big Sur having bad file permissions on these files.


Should be like this (included the octal values so you can "chmod 0600 *_key" and "chmod 0644 *.pub" if you have to alter the permissions to be proper):



0600  .rw-------  1.4k root wheel 27 Apr  2021  ssh_host_dsa_key
0644  .rw-r--r--   590 root wheel 27 Apr  2021  ssh_host_dsa_key.pub
0600  .rw-------   492 root wheel 27 Apr  2021  ssh_host_ecdsa_key
0644  .rw-r--r--   162 root wheel 27 Apr  2021  ssh_host_ecdsa_key.pub
0600  .rw-------   387 root wheel 27 Apr  2021  ssh_host_ed25519_key
0644  .rw-r--r--    82 root wheel 27 Apr  2021  ssh_host_ed25519_key.pub
0600  .rw-------  2.6k root wheel 27 Apr  2021  ssh_host_rsa_key
0644  .rw-r--r--   554 root wheel 27 Apr  2021  ssh_host_rsa_key.pub


You may see other key names in El Capitan and like @etresoft mentioned, it might be an older encryption standard that newer OpenSSH client would reject.


You need to find the difference between El Capitan and Big Sur when it comes to SSH.


You may need to check the server's SSH configuration and update the SSH configuration on your server. Newer OpenSSH versions will be more picky about security. If you are running an old Linux version on Digital Ocean you may need to upgrade it. Depends on what you have configured, without seeing the details, I just don't know. But the problem is on the server somewhere, you just need to find it. Or you are missing something that is different on the El Capitan Mac in regards to OpenSSH and its configuration where Big Sur's default configuration doesn't match.
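
One way to check a directory of host keys against the modes in the listing above (private keys 0600, public keys 0644). This is an added example, not code from the thread; the function names and the sample directory are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

PRIVATE_MODE = 0o600  # ssh_host_*_key in the listing
PUBLIC_MODE = 0o644   # ssh_host_*_key.pub in the listing

def audit_host_keys(directory):
    """Return (name, actual, expected, note) for each host key file whose mode differs."""
    findings = []
    for path in sorted(Path(directory).glob("ssh_host_*_key*")):
        if path.name.endswith("_key"):
            expected, private = PRIVATE_MODE, True
        elif path.name.endswith("_key.pub"):
            expected, private = PUBLIC_MODE, False
        else:
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode == expected:
            continue
        if private and mode & 0o077:
            note = "private key accessible to group/other"
        elif not private and mode & 0o022:
            note = "public key writable by group/other"
        else:
            note = "differs from listing"
        findings.append((path.name, oct(mode), oct(expected), note))
    return findings

def demo():
    """Constructed sample directory: two correct files, two with loose modes."""
    sample = {"ssh_host_ed25519_key": 0o600, "ssh_host_ed25519_key.pub": 0o644,
              "ssh_host_rsa_key": 0o660, "ssh_host_rsa_key.pub": 0o666}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in sample.items():
            p = Path(d, name)
            p.write_text("constructed placeholder, not a real key\n")
            os.chmod(p, mode)
        return audit_host_keys(d)

if __name__ == "__main__":
    for row in demo():
        print(*row)
```

On a real system, call `audit_host_keys("/etc/ssh")`; an empty result means every host key file matches the listing.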

Feb 5, 2022 11:52 AM in response to James Brickley

I did two things.

(1) I upgraded to Monterey 12.2. It is still the same.

(2) I did some troubleshooting by executing the following commands. I got responses as follows.


telnet xxx.xxx.xxx.xxx 22
Trying xxx.xxx.xxx.xxx...


Then


telnet xxx.xxx.xxx.xxx 23 
Trying xxx.xxx.xxx.xxx...
telnet: connect to address xxx.xxx.xxx.xxx: Connection refused
telnet: Unable to connect to remote host 


I strongly think port 22 is limited by newer macOS. I also saw similar complaints in some posts.

I need to figure out how MacOS is doing on it.
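
The two telnet results in this thread are different TCP outcomes: a hanging "Trying ..." means no answer came back at all, while "Connection refused" means the host replied with a reset. The following added example (not from the thread) classifies a connection attempt the same way and, when the port is open, reads the greeting line an SSH server sends first; the local listener and its banner text are constructed so the demo runs offline.

```python
import errno
import socket
import threading

def classify(exc):
    """Translate a connect() failure into what it says about the network path."""
    code = getattr(exc, "errno", None)
    if isinstance(exc, socket.timeout) or code == errno.ETIMEDOUT:
        return "filtered"   # no reply at all: packets dropped on the path
    if code == errno.ECONNREFUSED:
        return "refused"    # reset received: host reachable, port closed
    return "error"

def probe(host, port, timeout=5.0):
    """Return (state, banner); banner is the first line the peer sends, if any."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                line = s.recv(255).split(b"\n", 1)[0].strip()
                banner = line.decode("ascii", "replace")
            except socket.timeout:
                banner = ""  # connected, but the peer stayed silent
            return "open", banner
    except OSError as exc:
        return classify(exc), ""

def demo():
    """Constructed local demo: a listener that greets like sshd, and a closed port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def greet():
        conn, _ = srv.accept()
        conn.sendall(b"SSH-2.0-Constructed_demo\r\n")
        conn.close()
    t = threading.Thread(target=greet, daemon=True)
    t.start()
    gone = socket.socket()
    gone.bind(("127.0.0.1", 0))
    closed_port = gone.getsockname()[1]
    gone.close()             # nothing listens on this port any more
    out = {"listener": probe("127.0.0.1", srv.getsockname()[1], 2.0),
           "closed": probe("127.0.0.1", closed_port, 2.0)}
    t.join()
    srv.close()
    return out

if __name__ == "__main__":
    print(demo())
```

Running `probe(host, 22)` and `probe(host, 8822)` from both the working and the failing machine shows whether the drop is specific to one port and one network path.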


Feb 5, 2022 9:02 AM in response to etresoft

It is my old MacBook, which has a different OS - El Capitan 10.11.6.

My failed macbook is Big Sur 11.6.1.

The internet server is my hosting Digital Ocean server.

Both machines tested SSH at my home network.


In fact, if I use my failed MacBook to SSH to a server in my corporate network via VPN, it is okay.

I can also use SSH to access my local VirtualBox VM.

