macOS Sequoia - Firewall

I've noted this incoming connection since the beta version. But now after I downloaded and installed the brand new macOS Sequoia today, I've noted it's still there. Does anyone have any idea?


MacBook Pro 16″, macOS 15.0

Posted on Sep 16, 2024 3:42 PM

Question marked as Top-ranking reply

Posted on Sep 23, 2024 8:37 AM

stewart994 wrote:

Doesn’t sound very safe at all. I’ve never used remote login yet somehow on multiple occasions Keygen has got itself set up and approved to be issuing keys and granted full disk access without even telling me


That service is a normal and expected and necessary part of macOS, and is used to establish the sshd host environment, and to configure the sshd daemon startup.


The disk access allows that service to create the host key where it needs to be written.


In this particular case, you can look at what that particular service does:


https://github.com/apple-oss-distributions/OpenSSH/tree/main/sshd-keygen-wrapper


Why Apple chose this path rather than performing the configuration at first boot is unclear.
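A read-only check for the situation discussed in this reply, added here as an example (it is not part of the original post and is not Apple's code): it reports whether Remote Login is on, which host keys exist, whether the firewall lists sshd-keygen-wrapper, and whether anything listens on TCP 22. The function names are this example's own; the `/etc/ssh` key location and the `Remote Login: On/Off` output text are assumptions about a default macOS install.

```shell
#!/bin/sh
# Added example: read-only audit of sshd exposure on a Mac. Run with sudo.

# Map the text printed by `systemsetup -getremotelogin` to on/off/unknown.
# Assumption: the tool prints "Remote Login: On" or "Remote Login: Off".
remote_login_state() {
    case "$1" in
        *"Remote Login: On"*)  echo on ;;
        *"Remote Login: Off"*) echo off ;;
        *)                     echo unknown ;;
    esac
}

# Count SSH host public keys in a directory.
# Assumption: keys live in /etc/ssh and are named ssh_host_<type>_key.pub.
host_key_count() {
    dir=${1:-/etc/ssh}
    n=0
    for f in "$dir"/ssh_host_*_key.pub; do
        # An unmatched glob stays literal, so test that the file exists.
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# The audit itself only runs on macOS as root; elsewhere the script
# just defines the helper functions above.
if [ "$(uname -s)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
    state=$(remote_login_state "$(systemsetup -getremotelogin 2>&1)")
    echo "Remote Login: $state"

    echo "Host keys present: $(host_key_count /etc/ssh)"
    for f in /etc/ssh/ssh_host_*_key.pub; do
        # Print the fingerprint of each host key that exists.
        if [ -f "$f" ]; then ssh-keygen -lf "$f"; fi
    done

    # Show the firewall entry for the wrapper and the line after it.
    /usr/libexec/ApplicationFirewall/socketfilterfw --listapps \
        | grep -A1 sshd-keygen-wrapper \
        || echo "sshd-keygen-wrapper not in firewall app list"

    # Show any listener on the SSH port.
    lsof -nP -iTCP:22 -sTCP:LISTEN || echo "nothing listening on TCP 22"
fi
```
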

Sep 23, 2024 8:34 AM in response to stewart994

You seem to have got yourself worked up by going down a rabbit hole on security websites who get paid by scaring users to drive clicks and advertisement dollars. The article you were looking at is 6 years old and was with the Mojave OS. You don't need to grant Full Disk Access to sshd-keygen-wrapper and it is an essential process that is needed for security in network computing. In addition, the Firewall is only relevant when you have several computers networked together. For connections outside of a Local Network, it is your router that is blocking connections and only your router IP is visible, with no access to your computer IP Address unless you specifically set up port forwarding on the router.


Since the article that you referred to, the OS on your computer is now locked on a Read Only partition of the HD so it is not possible for you or anyone else to modify the contents there. On top of that, there is another layer called SIP (System Integrity Protection) that validates the information. It is not possible to alter any system files.


I can recommend some current articles that may be more relevant:

Effective defenses against malware and ot… - Apple Community

System security overview - Apple Support

Encryption and Data Protection overview - Apple Support


Sep 23, 2024 1:37 AM in response to quoc.n.le

I had the same experience. I don’t believe it's supposed to be that way. Seems like a security breach. SSH keygen wrapper is a well known weakness that has been around for years. I’ve had it come up from time to time getting its own full disk access and bypassing firewall settings. But I’ve never seen it bring a dozen apps with it like it did this time. I have no confidence in the answers below who say you should not worry because it’s Apple software. I think that’s why it’s called hacking because they exploit vulnerabilities in the inbuilt software! My internet router seemed to have been hacked via the MacBook as all the passwords were changed and somehow it got half a dozen new passwords. I’ve gone into lockdown mode and I’ve reset the router etc while in safe mode.


[Edited by Moderator]

Oct 9, 2024 1:31 AM in response to Mac Jim ID

While ssh-keygen is indeed a standard part of the system networking stack, used for generating secure shell keys, I'm mystified why this wrapper is given permission on the firewall to listen for connections from outside the host. Normally you would only run ssh-keygen locally.

I note that sshd itself is NOT given permission on the firewall, so presumably this wrapper is an Apple customisation of the ssh service that I've not seen before.
