HearthGate 1.5 is live

Server-level SSH hardening, posture scoring, and quieter key rotation.

HearthGate 1.5 tightens the SSH side of the gateway without changing the normal VNC path. Server-level hardening now blocks common lateral-movement escape hatches by default, periodic rekeying refreshes session keys during long connections, and the Status tab gives your SSH posture a clear score out of 100.

SSH features hardened by default

HearthGate now blocks SSH agent socket forwarding, reverse tunnels, X11 forwarding, layer-2 tunneling, and external gateway ports at the sshd level. Your VNC tunnel is unaffected.

Periodic key rotation

OpenSSH negotiates a fresh session key after 1 GB of data or one hour, whichever comes first. Long sessions keep moving without asking the user to reconnect.

Security posture scoring

The Status tab now grades the SSH configuration out of 100 across twelve controls, including root login, password authentication, forwarding, key exchange, and idle timeouts.

Hardened privileged helper

The helper validates each incoming connection's code signature and bundle identifier, so only the signed HearthGate app from the same team can invoke privileged operations.

Server-side defense

Even unrestricted keys hit the hardened gate.

Per-key restrictions are still useful, but v1.5 adds a deeper layer: risky SSH features are closed at the server level. That means manually added keys and keys allowed to use full SSH still inherit the global gateway posture.

No socket hitchhiking

Agent forwarding blocked

Agent socket forwarding is a favorite lateral-movement shortcut. HearthGate closes that path at the managed sshd layer.

No hidden backchannels

Reverse tunnels blocked

Reverse port forwarding with ssh -R is disabled by default, so a remote key cannot quietly publish a service back out through the Mac.

Local stays local

Gateway ports blocked

Forwarded ports stay bound to the intended local side instead of becoming externally reachable gateway listeners.

Operational examples

What changes in day-to-day use?

Most users will not feel the hardening directly. That is the point: the secure defaults live below the normal workflow.

Use case

You add a key manually

Even if a key was not generated by HearthGate, server-level rules still block agent forwarding, reverse tunnels, X11 forwarding, layer-2 tunneling, and gateway ports.

Use case

A support session runs long

After one hour or 1 GB of traffic, OpenSSH refreshes the session key in the background. On modern Macs this is normally invisible.

Use case

You check the Status tab

HearthGate shows the SSH hardening posture next to helper and daemon health, so you can see whether the gateway is still at the expected score.
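The posture check described above and in the "Security posture scoring" section, as an added example that is not HearthGate's code: a POSIX shell function that grades an effective sshd configuration (in the format `sshd -T` prints) against the forwarding, rekey, authentication and idle-timeout controls this release names, and reports which ones have drifted. The control list, target values and percentage scoring are assumptions modelled on the page, not HearthGate's own twelve-control rubric.

```sh
#!/bin/sh
# Added example, not HearthGate code: grade an sshd effective configuration in
# the format `sshd -T` prints (lowercase keyword, value; RekeyLimit as bytes and
# seconds). Controls and targets are assumptions modelled on the release notes.
CONTROLS='allowagentforwarding|no
allowtcpforwarding|local
gatewayports|no
x11forwarding|no
permittunnel|no
rekeylimit|1073741824 3600
permitrootlogin|no
passwordauthentication|no
clientaliveinterval|nonzero'

# score_sshd_dump FILE: prints "<passed>/<total> <percent>", names failing
# controls on stderr, and returns 0 only when every control passes.
score_sshd_dump() {
    dump=$1; passed=0; total=0
    while IFS='|' read -r key want; do
        [ -n "$key" ] || continue
        total=$((total + 1))
        # Effective value: everything after the keyword on its line, if present.
        have=$(awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$dump")
        ok=0
        if [ "$want" = nonzero ]; then
            case "$have" in ''|0|*[!0-9]*) ;; *) ok=1 ;; esac
        elif [ "$have" = "$want" ]; then
            ok=1
        fi
        if [ "$ok" -eq 1 ]; then passed=$((passed + 1)); else
            printf 'FAIL %s: have "%s", want %s\n' "$key" "${have:-<unset>}" "$want" >&2
        fi
    done <<EOF
$CONTROLS
EOF
    echo "$passed/$total $((passed * 100 / total))"
    [ "$passed" -eq "$total" ]
}

# Constructed sample dumps standing in for `sshd -T` output on two hosts.
HARDENED=$(mktemp); DRIFTED=$(mktemp); trap 'rm -f "$HARDENED" "$DRIFTED"' EXIT
printf '%s\n' 'allowagentforwarding no' 'allowtcpforwarding local' 'gatewayports no' \
    'x11forwarding no' 'permittunnel no' 'rekeylimit 1073741824 3600' \
    'permitrootlogin no' 'passwordauthentication no' 'clientaliveinterval 300' >"$HARDENED"
# Same host after agent forwarding was re-enabled and rekeying switched off.
sed -e 's/^allowagentforwarding no$/allowagentforwarding yes/' \
    -e 's/^rekeylimit .*/rekeylimit 0 0/' "$HARDENED" >"$DRIFTED"
score_sshd_dump "$HARDENED"                       # 9/9 100
score_sshd_dump "$DRIFTED" || echo 'posture has drifted from the expected floor'
```

On a real gateway, replace the constructed dumps with `sudo sshd -T > dump.txt` and run the function against that file; the non-zero exit status makes it usable from a cron job or monitoring hook.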

Security details

The SSH gateway now explains itself better.

v1.5 is a hardening release. It reduces hidden SSH surface area, rotates long-session keys, and makes configuration drift easier to see before it becomes a support mystery.

Release notes at a glance

  • SSH agent socket forwarding is blocked at the server level.
  • Reverse tunnels, X11 forwarding, layer-2 tunneling, and external gateway ports are blocked by default.
  • Session keys are rotated after 1 GB of data or one hour, whichever comes first.
  • The Status tab scores twelve SSH posture controls out of 100.
  • The privileged helper verifies code signature, bundle identifier, and team identity before accepting privileged requests.

HearthGate 1.5

Harden the SSH gateway once; let every key inherit the safer floor.