After upgrading to Sequoia MacOS 15.0 cannot connect to it via SSH

After upgrading from Sonoma (MacOS 14) to Sequoia (MacOS 15) I was unable to connect to this Mac via SSH. I discovered the SSHD process has moved behind a tcpwrapper process. Most likely due to this change the key negotiations are missing while connecting via an Ethernet/Wifi interface resulting in no successful SSH connection to this upgraded Mac. When the connection is made on that Mac to the localhost/loopback-interface the negotiation is successful and a SSH-session can be established; so SSHD itself is working.


This is for me a very serious bug.


Please advise.





Some technical troubleshooting:


While performing basic tests the Mac running on MacOS 15 is misbehaving. A normal SSH connection fails before kex_exchange_identification and the Mac resets the session. The second try is just disconnected and not even showing the SSHD-version while connecting to an Ethernet/Wifi interface. The third try is presenting properly the SSHD-version on the localhost/loopback-interface address...


** connection to MacOS 15 / upgraded Mac:

MacOS15:~ fred$ ssh 10.0.0.166
kex_exchange_identification: read: Connection reset by peer   <-- the outside interface
Connection reset by 10.0.0.166 port 22


MacOS15:~ fred$ telnet 10.0.0.166 22 
Trying 10.0.0.166...
Connected to 10.0.0.166.
Escape character is '^]'.                    <-- after connection immediately kills the session
Connection closed by foreign host.


MacOS15:~ fred$ telnet 127.0.0.1  22
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_9.8                         <-- successful connection, incl. version

Invalid SSH identification string.          <-- just enter to stop the negotiating...
Connection closed by foreign host.




While searching the internet for ways to troubleshoot this connection I was pointed to the nmap tool. The first try is to receive the negotiations on the Ethernet interface, where none are returned. The second try is receiving the negotiation parameters via the loopback interface; and that is successful. The third try is receiving the negotiation parameters successfully from a Mac with MacOS 14. That version is not using a tcpwrapper.


** connection to MacOS 15 / upgraded Mac:

MacOS15:~ fred$ nmap   --script ssh2-enum-algos -sV -p 22  10.0.0.166
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-18 17:51 CEST
Nmap scan report for MacOS15 (10.0.0.166)
Host is up (0.00021s latency).

PORT   STATE SERVICE    VERSION
22/tcp open  tcpwrapped                          <-- tcpwrapped ??

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds


MacOS15:~ fred$ nmap   --script ssh2-enum-algos -sV -p 22  localhost 
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-18 17:51 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000096s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.8 (protocol 2.0)             <-- not tcpwrapped !!
| ssh2-enum-algos: 
|   kex_algorithms: (12)
|       sntrup761x25519-sha512@openssh.com
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|       ext-info-s
|       kex-strict-s-v00@openssh.com
|   server_host_key_algorithms: (4)
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds



** connection to MacOS 14 / not yet upgraded Mac:

MacOS15:~ fred$ nmap   --script ssh2-enum-algos -sV -p 22 10.0.0.192   
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-18 18:10 CEST
Nmap scan report for MacOS14 (10.0.0.192)
Host is up (0.00033s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.7 (protocol 2.0)       <-- not tcpwrapped !!
| ssh2-enum-algos: 
|   kex_algorithms: (12)
|       sntrup761x25519-sha512@openssh.com
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
...etc...




MacBook Pro 16″, macOS 15.0

Posted on Sep 18, 2024 9:23 AM
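
The telnet comparison in the post above, written as a repeatable check (an added example, not part of the original post; `probe_ssh_banner` and `compare_addresses` are hypothetical names). It separates "handshake completed but the peer closed before sending an identification string", which is the behaviour nmap labels `tcpwrapped`, from a listener that presents its `SSH-2.0-...` line.

```python
import socket
import sys

def probe_ssh_banner(host, port=22, timeout=3.0):
    """Connect like `telnet host 22` and classify what the listener does.

    Returns (state, detail); state is one of: banner, closed-before-banner,
    silent, refused, unreachable, unexpected.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "nothing listening on the port")
    except OSError as exc:  # connect timeout, no route, filtered, ...
        return ("unreachable", str(exc))
    data = b""
    with sock:
        try:
            # RFC 4253: the server sends its identification line on connect;
            # this simplified probe only inspects the first line received.
            while b"\n" not in data and len(data) < 255:
                chunk = sock.recv(256)
                if not chunk:
                    break  # orderly close (FIN) from the peer
                data += chunk
        except ConnectionResetError:
            return ("closed-before-banner", "connection reset by peer")
        except socket.timeout:
            return ("silent", "connected, but no data within timeout")
    if not data:
        return ("closed-before-banner", "peer closed without sending data")
    line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    return ("banner", line) if line.startswith("SSH-") else ("unexpected", line)

def compare_addresses(addresses, port=22):
    """Probe the same service on several addresses of one host."""
    return {addr: probe_ssh_banner(addr, port) for addr in addresses}

if __name__ == "__main__":
    # Assumed usage: pass the loopback and the LAN address of the Mac,
    # e.g. `python3 probe.py 127.0.0.1 10.0.0.166`.
    targets = sys.argv[1:] or ["127.0.0.1"]
    for addr, (state, detail) in compare_addresses(targets).items():
        print(f"{addr:<15} {state:<22} {detail}")
```

A `banner` result on loopback next to `closed-before-banner` on the LAN address reproduces the symptom described in the post and shows that the listener is up and the connection is dropped before sshd identifies itself.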

Question marked as Top-ranking reply

Posted on Oct 4, 2024 2:59 AM

I think it was fixed in 15.0.1. My test MacBook connects via SSH with the firewall enabled after the update. I'm additionally testing it on other MacBooks.
