The 'ssh: connect to host github.com port 22: Connection refused' error occurs when your SSH connection to GitHub is actively rejected. This typically happens when port 22 is blocked by a firewall, the SSH service is unavailable, or network issues prevent the connection. The most common fix is to use SSH over port 443.
The "ssh: connect to host github.com port 22: Connection refused" error indicates that your SSH client attempted to connect to GitHub's SSH server on port 22, but the connection was actively refused. Unlike a "Connection timed out" error where packets are silently dropped, "Connection refused" means either: 1. A firewall or network device is actively rejecting the connection 2. The SSH service on the target host is not running or not accepting connections 3. Your local firewall is blocking outbound SSH connections This error is commonly encountered in corporate environments, educational institutions, or public networks where outbound SSH connections on port 22 are explicitly blocked for security reasons. The connection is "refused" rather than timing out because the blocking device sends back a rejection packet (TCP RST) rather than silently dropping the traffic. The good news is that GitHub provides an alternative SSH endpoint on port 443 (the standard HTTPS port), which is rarely blocked since it would break all secure web browsing.
GitHub provides an alternative SSH server on port 443 that bypasses most firewall restrictions. Test if this works:
ssh -T -p 443 [email protected]If successful, you'll see:
Hi username! You've successfully authenticated, but GitHub does not provide shell access.If this test succeeds, proceed to configure permanent port 443 access in the next step.
Edit your SSH configuration file to permanently route GitHub connections through port 443:
# Create .ssh directory if it doesn't exist
mkdir -p ~/.ssh
# Edit the SSH config file
nano ~/.ssh/configAdd the following configuration:
Host github.com
Hostname ssh.github.com
Port 443
User gitSave the file and verify the configuration works:
ssh -T [email protected]Your existing Git remotes will continue to work without any URL changes.
Instead of modifying SSH config, configure Git to automatically rewrite GitHub URLs:
git config --global url."ssh://[email protected]:443/".insteadOf "[email protected]:"Verify the configuration:
git config --global --get-regexp urlTo remove this configuration later:
git config --global --unset url."ssh://[email protected]:443/".insteadOfYour local firewall might be blocking outbound SSH connections:
On Linux (UFW):
# Check UFW status
sudo ufw status verbose
# Allow outbound SSH if blocked
sudo ufw allow out 22/tcp
# Or temporarily disable to test
sudo ufw disable
ssh -T [email protected]
sudo ufw enableOn Linux (iptables):
# Check if SSH is blocked
sudo iptables -L OUTPUT -n | grep 22
# Allow outbound SSH
sudo iptables -A OUTPUT -p tcp --dport 22 -j ACCEPTOn Windows:
1. Open Windows Defender Firewall with Advanced Security
2. Go to Outbound Rules
3. Look for rules blocking port 22
4. Ensure Git Bash / OpenSSH has outbound access
On macOS:
# Check firewall state
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstateIf SSH remains problematic, switch your repository to use HTTPS:
# View current remote URL
git remote -v
# Change from SSH to HTTPS
git remote set-url origin https://github.com/username/repository.gitFor HTTPS authentication, use one of these methods:
Personal Access Token (recommended):
1. Go to GitHub Settings > Developer settings > Personal access tokens
2. Generate a new token with repo scope
3. Use the token as your password when prompted
Git Credential Manager:
# Install on Linux
git config --global credential.helper store
# On Windows (usually pre-installed with Git)
git config --global credential.helper managerEnsure basic network connectivity to GitHub:
# Test DNS resolution
nslookup github.com
# or
host github.com
# Test HTTPS connectivity
curl -I https://github.com
# Test if port 22 is reachable (will show refused if blocked)
nc -zv github.com 22
# Test if port 443 is reachable
nc -zv ssh.github.com 443If DNS resolution fails, try alternative DNS servers:
# Test with Google DNS
nslookup github.com 8.8.8.8
# Test with Cloudflare DNS
nslookup github.com 1.1.1.1To confirm the issue is network-related, try connecting from a different network:
- Use your mobile phone as a hotspot
- Try from a different location (home vs. office)
- Use a VPN to route around restrictions
# Quick test from new network
ssh -T [email protected]If it works on a different network, the original network is blocking port 22. Use the port 443 configuration from Step 2 as your permanent solution.
While rare, GitHub's SSH service can occasionally have issues:
1. Visit https://www.githubstatus.com/
2. Check for any ongoing incidents affecting SSH access
3. Look at the "Git Operations" component status
If GitHub is experiencing issues, wait for the incident to be resolved. You can also try using HTTPS as a temporary workaround.
### Understanding "Connection refused" vs "Connection timed out"
- Connection refused: The target or an intermediate device actively rejected the connection (TCP RST packet received). This is fast and deterministic.
- Connection timed out: No response received within the timeout period. Packets were likely silently dropped by a firewall. This is slow.
"Connection refused" is actually more informative - it tells you something is actively blocking the connection rather than packets disappearing into a void.
### SSH over Port 443: How It Works
GitHub runs a separate SSH server at ssh.github.com on port 443. This works because:
1. Port 443 is the standard HTTPS port - blocking it would break most web traffic
2. SSH and HTTPS both use TCP, so SSH can be tunneled over port 443
3. Deep packet inspection (DPI) firewalls can potentially detect and block this, but most corporate firewalls don't implement SSH-specific DPI
The ~/.ssh/config mapping tells your SSH client to connect to ssh.github.com:443 whenever you reference github.com.
### Complete SSH Config Example
# GitHub using port 443 to bypass firewalls
Host github.com
Hostname ssh.github.com
Port 443
User git
IdentityFile ~/.ssh/github_ed25519
AddKeysToAgent yes
# GitLab alternative port (if needed)
Host gitlab.com
Hostname altssh.gitlab.com
Port 443
User git
# Bitbucket alternative port (if needed)
Host bitbucket.org
Hostname altssh.bitbucket.org
Port 443
User git
# Global settings
Host *
ServerAliveInterval 60
ServerAliveCountMax 3
IdentitiesOnly yes### Debugging SSH Connection Issues
Use verbose mode to diagnose connection problems:
# Basic verbosity
ssh -vT [email protected]
# Maximum verbosity
ssh -vvvT [email protected]Key lines to look for:
- debug1: Connecting to github.com [IP] port 22 - Shows connection attempt
- debug1: connect to address [IP] port 22: Connection refused - Confirms the block
- debug1: Connection established - Connection succeeded
### Proxy and Corporate Network Workarounds
If your network requires a proxy, you can tunnel SSH through it:
Host github.com
Hostname ssh.github.com
Port 443
User git
ProxyCommand nc -X connect -x proxy.company.com:8080 %h %pOr using the connect utility:
Host github.com
Hostname ssh.github.com
Port 443
User git
ProxyCommand connect -H proxy.company.com:8080 %h %pInstall the connect utility:
- Debian/Ubuntu: sudo apt install connect-proxy
- macOS: brew install connect
- Windows: Often included with Git for Windows
### Windows-Specific Considerations
The SSH config file location on Windows:
- Git Bash: ~/.ssh/config (C:\Users\YourName\.ssh\config)
- PowerShell/cmd with OpenSSH: %USERPROFILE%\.ssh\config
- PuTTY: Configure in PuTTY GUI under Connection > SSH
If using PuTTY, create a saved session with:
- Host: ssh.github.com
- Port: 443
- Protocol: SSH
### GitHub Actions and CI/CD
For CI/CD pipelines running behind restrictive firewalls:
- name: Configure SSH for port 443
run: |
mkdir -p ~/.ssh
cat >> ~/.ssh/config << EOF
Host github.com
Hostname ssh.github.com
Port 443
User git
StrictHostKeyChecking accept-new
EOF
chmod 600 ~/.ssh/configAlternatively, consider using HTTPS with a deploy token or GitHub App credentials for CI/CD environments.
kex_exchange_identification: Connection closed by remote host
Connection closed by remote host when connecting to Git server
fatal: unable to access: Proxy auto-configuration failed
How to fix 'Proxy auto-configuration failed' in Git
fatal: unable to access: Authentication failed (proxy requires basic auth)
How to fix 'Authentication failed (proxy requires basic auth)' in Git
fatal: unable to access: no_proxy configuration not working
How to fix 'no_proxy configuration not working' in Git
fatal: unable to read tree object in treeless clone
How to fix 'unable to read tree object in treeless clone' in Git