5

“Fifteen” is the name of the machine (MacBook Air M2) and “Sellotape” is a 2019 iMac. Both running Sequoia.

Before Sequoia I was able to log in to either machine from the other. Now it fails:

Fifteen:~ mnewman$ ssh sellotape
ssh: connect to host sellotape port 22: Operation timed out

Unless I use .local appended to the hostname:

Fifteen:~ mnewman$ ssh sellotape.local
Last login: Wed Oct  2 15:49:39 2024 from fe80::4d5:db02:81d6:74d5%en0
Sellotape:~ mnewman$

I don't know enough about networking to understand why this works. Can anyone explain?


Verbose logging below:

Fifteen:~ mnewman$ ssh -vv sellotape
OpenSSH_9.8p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/mnewman/.ssh/config
debug1: /Users/mnewman/.ssh/config line 3: Applying options for *
debug1: /Users/mnewman/.ssh/config line 37: Applying options for sellotape
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to sellotape port 22.
ssh: connect to host sellotape port 22: Operation timed out
0

4 Answers

10

The problem has nothing to do with SSH. Try ping sellotape and ping sellotape.local and you should see something different, as Linc pointed out "it never should have".

.local domains work, because this follows mDNS protocol. On Apple devices it's handled by Bonjour's mDNSResponder, on Linux devices (your Raspberry Pi) it's typically handled by avahi-daemon.

Did you write anything in your /etc/hosts? If you did (and probably you did), and you have static DHCP entries in your router, then turning off private Wi-Fi address fixes it because it "randomizes" your MAC address so your router won't recognize this device. But, you really shouldn't manually set DHCP entries and IP addresses, unless you have a justified reason to do so. mDNS is (almost) always the right way to go.

Now, after removing /etc/hosts entries and static DHCP settings, you can achieve the same effect (ssh sellotape without .local suffix) by adding the following lines to your ~/.ssh/config file:

Host sellotape
    HostName sellotape.local

If sellotape.local resolves, this will always work.
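Added example (not part of the answer above): a check for the failure this thread converges on, a hosts-file entry that still pins a bare name to an address the machine no longer holds. The sample hosts file is constructed from the two addresses quoted on this page; the `sellotape.lan` alias and the function names are made up for the illustration.

```shell
#!/bin/sh
# Added example: detect a hosts-file pin that no longer matches the live address.

# Print the first address a hosts-format file maps NAME to (case-insensitive).
# Trailing comments are ignored; one line may carry several aliases.
hosts_lookup() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/#.*/, "") }            # strip comments, fields are re-split
        NF < 2 { next }               # blank line or address with no name
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == want) { print $1; exit } }
    ' "$1"
}

# Compare the pinned address with the address the host answers on now.
# Prints one of: unpinned | ok | stale:<pinned address>
check_pin() {
    pinned=$(hosts_lookup "$1" "$2")
    if [ -z "$pinned" ]; then
        echo unpinned
    elif [ "$pinned" = "$3" ]; then
        echo ok
    else
        echo "stale:$pinned"
    fi
}

# Constructed sample hosts file (addresses taken from this page).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
127.0.0.1      localhost
192.168.0.76   Sellotape sellotape.lan   # matches the router reservation
EOF

# On macOS the live address can be read from the mDNS name with:
#   dscacheutil -q host -a name sellotape.local
# It is passed in literally here so the example runs offline.
check_pin "$SAMPLE" sellotape 192.168.0.70
```

A `stale` result means `ssh sellotape` is being sent to whichever device currently holds the pinned address, so the entry should be removed or corrected rather than worked around.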

7

This behavior is normal. “Sellotape” and the like are not fully-qualified domain names. You used to be able to enter .local in the Network settings as a search domain, and the full name would be inferred, but that doesn't work anymore for SSH — as indeed it never should have, because the ambiguity is a potential security hole. Just get used to entering the whole multicast name.

1
  • 1
    It worked fine for years until I installed Sequoia yesterday. And it still works fine with the Raspberry Pies on the network. For example, "ssh raspsky" connects immediately. No need for raspsky.local. Commented Oct 2, 2024 at 21:21
3

Well, I think I finally figured this out. If you enable private Wi-Fi address then the Mac ignores the router's address reservation setting and picks a Wi-Fi address, seemingly at random.

My router is set to assign “Sellotape” the IP address 192.168.0.76. With private Wi-Fi address enabled, the Mac picked 192.168.0.70 which, of course, is different from the IP in the hosts file. With private Wi-Fi address disabled, it works:

Fifteen:~ mnewman$ ssh sellotape
Last login: Thu Oct  3 04:56:58 2024 from 192.168.0.78
Sellotape:~ mnewman$
2
  • 10
    It's not that macOS is ignoring the IP address your router provides, it's that IP address reservations are done by MAC address. Because your Mac is picking a random MAC address, it's different from the MAC address you added the reservation for. Commented Oct 3, 2024 at 1:50
  • @Buadhai To expand on Aaron's answer, randomized MAC (MAC-R) addresses are "here to stay" and every OS and device is adapting them. With MAC-R enabled on devices, your router-based "reservation" system will never work anymore. The only SOLUTION is to disable MAC-R on all your devices (you can tell your device to do this per-SSID, meaning you can leave this "feature" enabled for other Wi-Fi networks, while turning it off for only your network). NOTE: If you cannot disable MAC-R on devices (or the device user keeps "switching it back on"... kids) then you need to find new solutions. Commented Dec 4, 2024 at 12:49
0

You may have an issue if you are using any 3rd party network extensions like LuLu / Little Snitch / VPNs / Crowdstrike ;-) Sequoia has apparently introduced a bug in 15.0 where the macOS firewall doesn't play well with other products. It's supposedly been acknowledged by Apple and fixed in the 15.1 Beta, but I have no ref for that.

Personally I had a problem with dropped ssh connections to my local RPi4 NAS - usually with some sort of encryption error, and dropped file copies over SMB from the same device.

I wondered about a bad interaction with LuLu, and ended up uninstalling LuLu (seems a disable isn't enough) until Apple fix the issue.

The choice appears to be, disable either of the 3rd party extensions, or the macOS FW.

SSH issues:

DNS issues (which may be related to your issue - if both machines are in the same domain, .local would be unnecessary as you are aware):

Another issue the macOS firewall has is that existing rules can't be edited. The - button in the dialog is inactive. Presumably it can be done in Terminal but I've not experimented.

1
  • The MacOS firewall is disabled on both of my Macs. I am not using any third party network tools. ssh still works fine with both of the Raspberry Pies on the local network without using .local. Commented Oct 2, 2024 at 21:28
