How to use pre-boot SSH feature on macOS Tahoe for unlocking Mac with FileVault remotely
12:34 31 Jan 2026

I have a Mac mini I want to use as a headless server. The Mac has FileVault enabled and I'd like to keep it on. I'd like to make use of the pre-boot SSH feature in macOS Tahoe so I can unlock the drive remotely without connecting a physical monitor and keyboard to the Mac.

The machine is wired into the network over Ethernet, and Wi-Fi is disabled.

When I try to ssh into the machine, I get an error:

>> ssh user@192.168.0.8
kex_exchange_identification: read: Connection reset by peer
Connection reset by 192.168.0.8 port 22

But the machine does respond to pings:

>> ping 192.168.0.8
PING 192.168.0.8 (192.168.0.8): 56 data bytes
64 bytes from 192.168.0.8: icmp_seq=0 ttl=64 time=0.708 ms
64 bytes from 192.168.0.8: icmp_seq=1 ttl=64 time=0.715 ms
64 bytes from 192.168.0.8: icmp_seq=2 ttl=64 time=0.900 ms
^C
--- 192.168.0.8 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.708/0.774/0.900/0.089 ms

I tried adding verbose output and ignoring key mismatch in case the pre-boot SSH environment uses a different fingerprint, still no dice:

>> ssh -v -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null user@192.168.0.8
debug1: OpenSSH_10.0p2, LibreSSL 3.3.6
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/100-macos.conf
debug1: /etc/ssh/ssh_config.d/100-macos.conf line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/crypto.conf
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 192.168.0.8 [192.168.0.8] port 22.
debug1: Connection established.
debug1: identity file /Users/user/.ssh/id_rsa type -1
debug1: identity file /Users/user/.ssh/id_rsa-cert type -1
debug1: identity file /Users/user/.ssh/id_ecdsa type -1
debug1: identity file /Users/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/user/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/user/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/user/.ssh/id_ed25519 type -1
debug1: identity file /Users/user/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/user/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/user/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/user/.ssh/id_xmss type -1
debug1: identity file /Users/user/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_10.0
kex_exchange_identification: read: Connection reset by peer
Connection reset by 192.168.0.8 port 22

Is there a different way to set this up, or does the pre-boot SSH feature just not work reliably?
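
A small probe for the failure shown in the question, as an added example that is not part of the original post: it opens a TCP connection to port 22 and reports whether the peer sent an SSH identification string before the connection ended. The function name `probe_ssh_banner` and the state labels are assumptions made for this example.

```python
import socket
import sys


def probe_ssh_banner(host, port=22, timeout=5.0):
    """Report how far a connection gets before the SSH identification string.

    Returns (state, detail); state is one of: banner, refused, timeout,
    reset_before_banner, closed_before_banner, not_ssh, error.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "no listener on the port")
    except socket.timeout:
        return ("timeout", "TCP handshake not answered")
    except OSError as exc:
        return ("error", str(exc))
    buf = b""
    with sock:
        try:
            # RFC 4253 section 4.2: the server may send other lines first,
            # then one line starting with "SSH-". We send nothing ourselves.
            while len(buf) < 4096:
                chunk = sock.recv(4096 - len(buf))
                if not chunk:
                    break
                buf += chunk
                for line in buf.split(b"\n")[:-1]:  # complete lines only
                    if line.startswith(b"SSH-"):
                        text = line.rstrip(b"\r").decode("ascii", "replace")
                        return ("banner", text)
        except ConnectionResetError:
            return ("reset_before_banner",
                    "TCP connected, then RST before any identification string")
        except socket.timeout:
            return ("timeout", "TCP connected, no identification string sent")
    if not buf:
        return ("closed_before_banner", "peer closed without sending data")
    return ("not_ssh", buf[:64].decode("ascii", "replace"))


if __name__ == "__main__":
    # 192.168.0.8 is the address used in the post; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.8"
    state, detail = probe_ssh_banner(target)
    print(f"{target}:22 -> {state}: {detail}")
```

A `reset_before_banner` result corresponds to the `kex_exchange_identification` error above: the TCP handshake completes but the connection is dropped before the SSH protocol starts, so client-side host-key and authentication options cannot change the outcome.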
