When a firewall blocks SSH port 22, Git operations fail with a connection timeout. This is common in corporate networks and institutions. The fix is to use GitHub's SSH server on port 443 or switch to HTTPS authentication.
The "ssh: connect to host github.com port 22: Connection timed out" error with a firewall indication means that a network firewall is actively blocking your SSH traffic on the standard port 22. Unlike general connectivity issues, this error specifically points to firewall interference - either from your corporate network, ISP, school, or local security software. Firewalls block port 22 because SSH can be used for tunneling arbitrary traffic, which security administrators want to prevent. However, this also breaks legitimate Git workflows over SSH. The connection "times out" because blocked packets are silently dropped (not rejected), leaving your SSH client waiting for a response that never comes until the attempt times out. GitHub recognized this common problem and provides an alternative SSH endpoint on port 443, which is the standard HTTPS port. Since blocking port 443 would break all secure web browsing, this port is almost never restricted, making it an effective workaround for firewall-blocked SSH.
First, confirm that the issue is specifically a firewall blocking port 22:
```bash
# Test standard SSH connection
ssh -vT git@github.com
```
If blocked by a firewall, you'll see the connection attempt hang and eventually fail with "Connection timed out". The verbose output (-v) will show it stuck at "Connecting to github.com port 22".
To confirm HTTPS works (proving it's a port issue, not general connectivity):
```bash
curl -I https://github.com
```
If HTTPS works but SSH doesn't, a firewall is almost certainly blocking port 22.
GitHub provides SSH access on port 443, which firewalls typically allow. Test if this works:
```bash
ssh -T -p 443 git@ssh.github.com
```
Expected successful output:
```
Hi username! You've successfully authenticated, but GitHub does not provide shell access.
```
If this works, proceed to make this configuration permanent. Note that the hostname is ssh.github.com, not github.com - GitHub runs a separate SSH server for port 443 connections.
Add a permanent SSH configuration to route all GitHub connections through port 443:
```bash
# Create .ssh directory if it doesn't exist
mkdir -p ~/.ssh
# Create or edit the SSH config file
nano ~/.ssh/config
```
Add this configuration:
```
Host github.com
  Hostname ssh.github.com
  Port 443
  User git
```
Set proper permissions and test:
```bash
chmod 600 ~/.ssh/config
ssh -T git@github.com
```
Your Git commands will now automatically use port 443 without changing any remote URLs.
If you prefer not to modify SSH config, configure Git to rewrite URLs globally:
```bash
git config --global url."ssh://git@ssh.github.com:443/".insteadOf "git@github.com:"
```
This automatically converts SSH URLs to use port 443. Verify the configuration:
```bash
git config --global --get-regexp url
```
To remove this configuration later:
```bash
git config --global --unset url."ssh://git@ssh.github.com:443/".insteadOf
```
If SSH on port 443 is also blocked, switch to HTTPS authentication:
```bash
# Check current remote
git remote -v
# Change to HTTPS URL
git remote set-url origin https://github.com/username/repository.git
```
For authentication, create a Personal Access Token (PAT):
1. Go to GitHub Settings > Developer settings > Personal access tokens
2. Generate a new token with 'repo' scope
3. Use the token as your password when prompted
To avoid entering credentials repeatedly:
```bash
# Cache credentials in memory for 1 hour
git config --global credential.helper 'cache --timeout=3600'
# Or store permanently (less secure: the token is written unencrypted to ~/.git-credentials)
git config --global credential.helper store
```
Your local firewall might also be blocking SSH. Add exceptions if needed:
Windows Defender Firewall:
1. Open Windows Security > Firewall & network protection
2. Click "Allow an app through firewall"
3. Add your SSH client (Git Bash, OpenSSH) for outbound connections
Linux (UFW):
```bash
# Allow outbound SSH
sudo ufw allow out 22/tcp
sudo ufw allow out 443/tcp
# Verify rules
sudo ufw status
```
macOS:
```bash
# Check firewall status
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
# Add SSH exception if needed
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /usr/bin/ssh
```
If you're in a corporate environment, consider requesting a firewall exception:
1. Document the business need for SSH access to GitHub
2. Request that IT either:
   - Allow outbound connections to github.com on port 22
   - Whitelist SSH traffic to GitHub's IP ranges
   - Allow port 443 to ssh.github.com
GitHub's IP ranges are published at: https://api.github.com/meta
For many organizations, explaining that port 443 SSH is a secure alternative that doesn't require opening port 22 can help get approval more easily.
### Why Firewalls Block Port 22
SSH on port 22 is frequently blocked because:
1. SSH tunneling can bypass content filters and security monitoring
2. It can be used to exfiltrate data without inspection
3. Compromised machines could establish reverse SSH shells
Port 443 is allowed because blocking it would break all HTTPS web traffic. GitHub's SSH-over-443 solution exploits this by running an SSH server on a port that firewalls must allow.
### Deep Packet Inspection (DPI) Considerations
Some sophisticated firewalls use Deep Packet Inspection to detect SSH protocol even on port 443. If SSH over 443 still fails:
- The firewall may be detecting and blocking SSH protocol signatures
- Try using HTTPS with a Personal Access Token instead
- Consider asking IT about approved Git access methods
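The failure modes described above (port 22 dropped, SSH reachable on 443, SSH on 443 filtered by inspection) can be told apart by whether TCP connects and whether the server's first line is an SSH identification string. The script below is an added example, not code from GitHub or the original page; `probe` and `classify` are hypothetical helper names, and it assumes bash and GNU `timeout` are installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Assumes bash and GNU timeout.

# probe HOST PORT -> prints "closed" when TCP does not connect within 10 s
# (dropped packets), otherwise "open:<first line the server sent>".
probe() {
  timeout 10 bash -c '
    exec 3<>"/dev/tcp/$1/$2" || exit 1
    IFS= read -r -t 3 line <&3      # an SSH server sends "SSH-2.0-..." first
    printf "open:%s\n" "$line"' _ "$1" "$2" 2>/dev/null |
    tr -d '\r' | grep -a . || echo closed
}

# classify RESULT_22 RESULT_443 -> verdict. Simplification: only the first
# line is checked, although RFC 4253 lets a server send other lines before it.
classify() {
  case "$1" in open:SSH-*) echo port22-ok; return ;; esac
  case "$2" in
    open:SSH-*) echo use-ssh-443 ;;       # port 22 filtered, 443 carries SSH
    open:*)     echo ssh-443-filtered ;;  # TCP connects, peer is not SSH: DPI or proxy
    *)          echo use-https ;;         # 443 to ssh.github.com unreachable too
  esac
}

# Live run only on request, so sourcing this file never touches the network.
if [ "${1:-}" = "--live" ]; then
  r22=$(probe github.com 22)
  r443=$(probe ssh.github.com 443)
  printf 'github.com:22      %s\nssh.github.com:443 %s\nverdict: %s\n' \
    "$r22" "$r443" "$(classify "$r22" "$r443")"
fi
```

Run it with `--live` from the affected network. The probe never sends a client identification string, so a firewall that inspects only client-to-server bytes can still yield `use-ssh-443`; confirm with `ssh -T -p 443 git@ssh.github.com`.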
### SSH Config for Multiple Hosts
If you need port 443 for multiple Git hosts:
```
# GitHub
Host github.com
  Hostname ssh.github.com
  Port 443
  User git
# GitLab also offers SSH over port 443
Host gitlab.com
  Hostname altssh.gitlab.com
  Port 443
  User git
  PreferredAuthentications publickey
# Generic fallback settings
Host *
  ServerAliveInterval 60
  ServerAliveCountMax 3
  ConnectTimeout 30
```
### Proxy Through SSH Over HTTPS
If you must use a corporate proxy, combine SSH with a proxy command:
```
Host github.com
  Hostname ssh.github.com
  Port 443
  User git
  ProxyCommand connect -H proxy.corporate.com:8080 %h %p
```
This requires the connect utility (the connect-proxy package on Linux).
### CI/CD Pipeline Configuration
For GitHub Actions or other CI systems behind firewalls:
```yaml
- name: Configure SSH for restricted network
  run: |
    mkdir -p ~/.ssh
    cat >> ~/.ssh/config << EOF
    Host github.com
      Hostname ssh.github.com
      Port 443
      User git
    EOF
    chmod 600 ~/.ssh/config
```
### Debugging Connection Issues
For detailed diagnostics:
```bash
# Maximum verbosity
ssh -vvvT -p 443 git@ssh.github.com
# Check what IP you're connecting to
nslookup ssh.github.com
# Test TCP connectivity directly
nc -zv ssh.github.com 443
```
### GitHub Enterprise Limitation
Note: SSH over port 443 is only available for github.com. GitHub Enterprise Server and GitHub Enterprise Cloud with data residency do not support this feature - contact your GitHub Enterprise administrator for alternative solutions.