Tuesday, March 31, 2020

macOS 10.15.4 Broke SSH

Tyler Hall (tweet, Hacker News):

The user in the Apple forums was right. At least in my case, my one server that happened to be running on a non-standard ssh port above 8192 will not connect from Catalina 10.15.4 when using the hostname instead of the IP address.

He’s not the only one:

/usr/bin/ssh in macOS 10.15.4 hangs if used with the -p flag to specify an alternate port and used with a hostname. This was not present in macOS 10.15.3.

[…]

Using maximum verbosity doesn’t give any clues, and max debugging on the sshd target host shows no connection is ever initiated[…]

vgene:

I had the same problem on a MacBook after upgrading to 10.15.4. However, I wasn’t using a port number higher than 8192, the socket was 75 with a hostname. The problem was solved when I replaced the hostname with its IP or plugged in an Ethernet cable. I tried to restart mDNSResponder and flush the DNS cache and switch to a different DNS server. Nothing works so far.

15 Comments

I'm using SSH on non standard port daily and have no issue with 10.15.4, so this is something more complex than just using the '-p' flag.

Sören Nils Kuklau

Probably not a coincidence that Xamarin, which uses SSH to use Macs as a build host, has users reporting problems in 10.15.4 (with some suggesting disabling SIP and installing old SSH binaries as a workaround).

Wonder if today's 10.15.5b1 fixes this?

Thinking about it, it looks like an IPv6 issue. By using the IP instead of the hostname, it forces usage of IPv4.

Passing the '-4' flag to ssh may also solve the issue.

I get such issues with SSH from time to time.

I haven't seen this particular bug, but I've seen where the shell doesn't have access to files on the Desktop and other places.

As usual, Apple engineers are amazing humans. One of them was kind enough to reach out and spend a few hours debugging the issue with me. One spindump and sysdiagnose later, they think they've narrowed down the problem. At least to the point where they were able to provide this workaround.

Instead of using:

ssh -p 12345 domain.com

use

ssh -p 12345 -oConnectTimeout=5 domain.com

and it will work.

The very last thing I want to do is step on the toes of the folks working to fix the bug, so I don't want to pre-announce what they think the cause is - just that adding the above timeout parameter is a sufficient workaround for the time being.

@Tyler Thanks for that info! Glad to hear that you have a workaround.

Similar problems here. In my case I could resolve it by removing all proxy configurations temporarily (remove all checks in System Preferences -> Network -> Advanced -> Proxies).
However, the ConnectTimeout workaround works better and allows me to use my proxy configurations again. Thanks for that @Tyler!

Ramon Barrios Lascar

If ConnectTimeout manages the error, then you can try setting it by default in your client:

Open $HOME/.ssh/config (and create it if it does not exist)
Set ConnectTimeout 5 for all hosts:

Add to the end of file:

Host *
ConnectTimeout 5
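
The steps in the comment above as an idempotent script, added here as an illustration and not part of the original comment or of OpenSSH. The function names `has_default_timeout` and `ensure_connect_timeout` are hypothetical; the script creates a missing config with owner-only permissions and appends the `Host *` block only when no such block already sets `ConnectTimeout`.

```shell
#!/bin/sh
# Added example; has_default_timeout and ensure_connect_timeout are
# hypothetical helper names, not OpenSSH commands.

# Succeeds if a "Host *" block in file $1 already sets ConnectTimeout.
has_default_timeout() {
    awk '
        tolower($1) == "host" {            # a new Host block starts
            in_star = 0
            for (i = 2; i <= NF; i++) if ($i == "*") in_star = 1
            next
        }
        tolower($1) == "match" { in_star = 0; next }
        # ssh_config accepts "Keyword value" and "Keyword=value"
        in_star && tolower($1) ~ /^connecttimeout(=|$)/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Usage: ensure_connect_timeout <config-file> <seconds>
# Prints "added" or "unchanged"; returns non-zero on error.
ensure_connect_timeout() {
    cfg=$1
    secs=$2
    case $secs in
        ''|*[!0-9]*) echo "seconds must be a whole number" >&2; return 2 ;;
    esac
    dir=$(dirname "$cfg")
    # Create missing pieces owner-only: ssh rejects a user config file
    # that group or others can write to.
    [ -d "$dir" ] || (umask 077 && mkdir -p "$dir") || return 1
    [ -e "$cfg" ] || (umask 077 && : > "$cfg") || return 1
    if has_default_timeout "$cfg"; then
        echo "unchanged"
        return 0
    fi
    # Append at the end of the file: ssh keeps the first value it finds
    # for each option, so earlier host-specific blocks still take priority.
    printf '\nHost *\n    ConnectTimeout %s\n' "$secs" >> "$cfg" || return 1
    echo "added"
}
```

Call it as `ensure_connect_timeout "$HOME/.ssh/config" 5`. Afterwards `ssh -G domain.com` prints the effective client options, including `connecttimeout`, without opening a connection.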

Man, if SSH broke, I would go batty, I use it basically every day. Glad Apple engineers figured out an easy fix for users.

Thanks for the workaround, my ssh works now. Though I'm still perplexed since I have two machines, iMac and MBP, both on Catalina 10.15.4. My iMac works as expected; only my MBP failed to ssh.

Another workaround is to use netcat as a proxy command:

ssh -p 12345 -oProxyCommand="nc %h %p" domain.com

-OR-

Open $HOME/.ssh/config and set the following option:
ProxyCommand nc %h %p

Hi, I'm experiencing a similar issue. I attempt to connect to an EC2 server and it fails (since OS X 10.15.4). My testing reveals I can connect using the IP instead of hostname. I don't have any proxies and the connection timeout solution does not work for me. When running the SSH command with -v (verbose) flag, the connection and auth seem to work fine, but the command hangs here: "debug1: Sending command: sudo -u root -I ". Anyone have thoughts?

I wanted to thank Peter. His solution solved the problem for me. This was driving me crazy. So for the record, setting ~/.ssh/config to the following option "ProxyCommand nc %h %p" resolved the issue for me. Apple needs to fix this.

For me, the issue was with the .pem file. Adding it to the keychain seemed to do the trick!

I found the answer here: https://stackoverflow.com/questions/59811969/ssh-not-working-in-macbook-pro-2019-catalina

Hope this helps!

[…] appears my issue is specifically tied to a recent update of MacOS. The answer was found here: https://mjtsai.com/blog/2020/03/31/macos-10-15-4-broke-ssh/. Specifying the IP address of the server rather than its name resolved my […]
