Bottom Line: Here’s how I fixed Connection reset by peer on MacOS Monterey.

After updating to MacOS Monterey (12.0) a couple of days ago, I found that my SSH access was no longer working.

My SSH access is set up on a custom port, which helps reduce the burden of constant port scanning (though is definitely “security through obscurity”); MacOS didn’t make this particularly easy to do, so I went through my setup in a prior post: How to Change the SSH Port on OSX El Capitan.

In trying to debug, I tried to connect locally, since I know that I have an ssh key set up to allow me to ssh to myself:

$ # replace 22 with your actual port number
$ ssh -4 -p 22 localhost
kex_exchange_identification: read: Connection reset by peer
Connection reset by port 22

I googled a bit and didn’t find much information about that error: kex_exchange_identification: read: Connection reset by peer.

Reviewing my old post, I noticed that I had copied my SSH template from /System/Library/LaunchDaemons/ssh.plist.

Comparing the system-supplied one and my customized one: (diff /System/Library/LaunchDaemons/ssh.plist /Library/LaunchDaemons/ssh.plist) showed a few differences, notably the addition of MaterializeDatalessFiles (see man 5 launchd.plist) and changing the ssh command from /usr/sbin/sshd -i to sshd-keygen-wrapper.

Adopting these changes got SSH working again. For users starting from scratch, I would recommend following the step-by-step from my prior post; my current /Library/LaunchDaemons/ssh.plist looks like this, replacing REDACTED with my actual port number.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">

Next, reload the file in launchd:

$ sudo launchctl unload -w /Library/LaunchDaemons/ssh.plist
$ sudo launchctl load -w /Library/LaunchDaemons/ssh.plist

At this point, I could ssh -p 22 localhost and connect. Woohoo!

Unfortunately, I also noted that password authentication was working (which I like to disable):

ssh -p 22 -o pubkeyauthentication=no localhost

For this, I came across a post detailing a new method for disabling PAM and password authentication on Monterey (ssh has gone to a config.d-style setup). The bottom line of the post amounts to the command below.

$ cat <<'EOF' | sudo tee /etc/ssh/sshd_config.d/000-n8henrie.conf
UsePAM no
PasswordAuthentication no

After running this, I could confirm that password authentication was no longer possible:

$ ssh -p 22 -o pubkeyauthentication=no localhost
n8henrie@localhost: Permission denied (publickey,keyboard-interactive).