Apparently Apple has brought this behaviour in line with mainstream OpenSSH. It is not surprising, however, that they introduced this breaking change with little to no regard for developers who might have gotten used to this very convenient feature of macOS.
Wed, Feb 22, 2017
Accidentally discovered that EC2 security groups do not terminate an open connection (like SSH) when the security group rules or membership change. New connections will be prevented, but this will not terminate established ones.
See for yourself:
- create an EC2 instance and give it a security group
- add an ingress rule on port 22
- SSH into it
- change the security group: remove the instance from that group altogether, or just change the ingress rule
- observe how the SSH connection remains open
Tested this for N hours and the SSH connection did not get terminated. So if someone is in your boxen, you can’t kick them out that way.
Heed the warning and plan accordingly.
Apparently Azure NSGs have the same flaw. Not even surprised.
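One way to plan for this, as an added example that is not part of the original post: after tightening the rules, list the established SSH sessions on the instance and flag any whose peer the current ingress rules would no longer admit. The `ss -tn` sample, the CIDR list and the helper names are constructed for illustration, and the rules are assumed to be expressed as CIDR ranges.

```python
import ipaddress

# Constructed sample of `ss -tn` output taken on the instance (not real data).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      10.0.1.15:22         203.0.113.7:51234
ESTAB  0      36     10.0.1.15:22         198.51.100.23:40112
ESTAB  0      0      10.0.1.15:48822      10.0.1.2:443
ESTAB  0      0      [2001:db8::15]:22    [2001:db8:ffff::9]:50022
"""


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, port = endpoint.rsplit(":", 1)
    ip = ipaddress.ip_address(host.strip("[]"))
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; unwrap them.
    ip = getattr(ip, "ipv4_mapped", None) or ip
    return ip, int(port)


def surviving_sessions(ss_output, allowed_cidrs, port=22):
    """Peers holding an ESTAB session to `port` that the current rules reject."""
    allowed = [ipaddress.ip_network(cidr) for cidr in allowed_cidrs]
    stale = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header line or a socket in another state
        _, local_port = split_endpoint(fields[3])
        if local_port != port:
            continue  # outbound connection or a different service
        peer_ip, peer_port = split_endpoint(fields[4])
        # An IPv4 address tested against an IPv6 network (or vice versa) is False.
        if not any(peer_ip in net for net in allowed):
            stale.append((str(peer_ip), peer_port))
    return stale


if __name__ == "__main__":
    # Constructed rule set after the change: only 198.51.100.0/24 may reach port 22.
    for ip, peer_port in surviving_sessions(SS_OUTPUT, ["198.51.100.0/24"]):
        print(f"still connected despite current rules: {ip}:{peer_port}")
```

Sessions flagged this way have to be ended on the instance itself, since the rule change alone leaves them open.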