Apple: SSH and FileVault

https://keith.github.io/xcode-man-pages/apple_ssh_and_filevault.7.html
108•ingve•1h ago

Comments

syndeo•1h ago
>When FileVault is enabled, the data volume is locked and unavailable during and after booting, until an account has been authenticated using a password. The macOS version of OpenSSH stores all of its configuration files, both system-wide and per-account, in the data volume. Therefore, the usually configured authentication methods and shell access are not available during this time. However, when Remote Login is enabled, it is possible to perform password authentication using SSH even in this situation. This can be used to unlock the data volume remotely over the network. However, it does not immediately permit an SSH session. Instead, once the data volume has been unlocked using this method, macOS will disconnect SSH briefly while it completes mounting the data volume and starting the remaining services dependent on it. Thereafter, SSH (and other enabled services) are fully available.

Now THAT is a welcome change!

mmaunder•1h ago
There’s an attack vector in there somewhere.
xoa•44m ago
Kinda struggling to think of what, beyond the well understood risks of using password-based SSH at all. But that's easily ameliorated by sticking it behind Wireguard or something similar. I think this is a pretty welcome change vs turning off FV entirely which I've had to do with Mac servers in the past.
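The "password auth behind WireGuard" arrangement above is easy to get subtly wrong in sshd_config: a global `PasswordAuthentication yes` is reachable from every address, while the intended shape is a global `no` with a `Match Address` block that re-enables it only for the VPN subnet. The following is an added example for this thread, not code from Apple, OpenSSH or any commenter. The two config texts and the 10.8.0.0/24 subnet are constructed for the example; the parser follows the documented sshd_config rules (first occurrence of a keyword wins, a `Match` line opens a block that runs until the next `Match`).

```python
"""Audit an sshd_config for password authentication that is offered to any
client address, and show the scoped alternative (VPN subnet only).

Added example for this HN thread; not Apple's or OpenSSH's code.
Config texts and the 10.8.0.0/24 subnet are constructed assumptions.
"""
import re
from typing import Dict, List

# Constructed sample: password auth enabled globally, reachable from anywhere.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample: password auth refused everywhere except the
# WireGuard subnet (10.8.0.0/24 is an assumption for this example).
HARDENED_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes

Match Address 10.8.0.0/24
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {"*": global options, "<Match criteria>": block options, ...}.

    sshd_config semantics applied here: the first occurrence of a keyword
    wins, keywords are case-insensitive, and a Match line starts a block
    that lasts until the next Match line.
    """
    sections: Dict[str, Dict[str, str]] = {"*": {}}
    current = "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = value
            sections.setdefault(current, {})
            continue
        sections[current].setdefault(key, value)  # first occurrence wins
    return sections


def password_auth_scope(text: str) -> List[str]:
    """Return the scopes in which sshd offers password authentication.

    "*" means any client address. A Match block that does not set the
    keyword inherits the global value, so such a block is reported too.
    """
    sections = parse_sshd_config(text)
    # OpenSSH's compiled-in default for PasswordAuthentication is "yes".
    global_value = sections["*"].get("passwordauthentication", "yes").lower()
    scopes = ["*"] if global_value == "yes" else []
    for criteria, opts in sections.items():
        if criteria == "*":
            continue
        if opts.get("passwordauthentication", global_value).lower() == "yes":
            scopes.append(criteria)
    return scopes


def password_auth_unrestricted(text: str) -> bool:
    """True if a client at any address may attempt a password login."""
    return "*" in password_auth_scope(text)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: password auth offered to {password_auth_scope(cfg)}")
```

On a live machine, `sshd -T -C addr=10.8.0.5,user=alice,host=mac,laddr=10.8.0.1` prints the effective configuration for a connection from that address, which is the authoritative check. One caveat that the man page quoted at the top of the thread makes explicit: sshd's configuration files live on the data volume, so the pre-unlock sshd that accepts the FileVault password is not reading this file at all. The hardening above governs the normal post-unlock daemon; the pre-unlock password prompt can only be restricted at the network layer (WireGuard, a firewall rule on port 22, or both).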
adastra22•40m ago
Tahoe now escrows your FileVault key to the iCloud keychain, even if that is something you explicitly opted out of before. Can this recovery key be used to unlock over SSH?
Citizen8396•6m ago
1. It's stored to Keychain; it's only stored to iCloud if you enable iCloud Keychain

2. If someone has compromised your iCloud account and/or device, you have bigger things to worry about

3. No

sugarpimpdorsey•1h ago
Maybe stop using Macs as multiuser servers?

Unavailability of FileVault-mounted home directories when not logged in has been the case since Tiger.

I'm curious - if the OpenSSH config files are not available - how do they start sshd? If the system keys are encrypted, how do they accept connections?

There's a surprising lack of detail here.

numbsafari•58m ago
How about I just want to access my files remotely after a reboot occurs without having to get to the device at my house?

Agreed, though… MacOS isn’t a proper multi-user system and X is Not Unix…

gjsman-1000•55m ago
macOS is a Unix by pedigree; Linux is not.

https://en.wikipedia.org/wiki/List_of_Unix_systems#/media/Fi...

I have to dig out this chart when people complain about macOS's "non-standard utilities." Linux's GNU tools are the ones that aren't standard. If anything, Linux did an "embrace, extend, extinguish" against Unix in general.

dangus•49m ago
I’d add that it is rather prescriptive to declare that macOS is not a “proper multi-user system.”

It is quite capable of handling multiple users. Maybe just not in the way that certain people want it to.

jen20•22m ago
It's also not just Unix by pedigree, but also by certification [1].

[1]: https://www.opengroup.org/openbrand/certificates/1223p.pdf

jacobgkau•25m ago
In addition to the pedigree that someone else pointed out, macOS is also explicitly certified as UNIX by the legal stewards of that name: https://www.opengroup.org/openbrand/register/

This includes Tahoe specifically: https://www.opengroup.org/openbrand/register/brand3725.htm

dangus•51m ago
I can’t imagine it’s too hard, I think password authentication is the key. Your user password is the same as your FileVault unlock password. I think that there’s a pre-unlock and post-unlock ssh session trick going on. The pre-unlock session just doesn’t have access to anything in the data volume and is able to use the provided password to unlock the data volume.

This would explain why it won’t work with ssh key authentication.

angulardragon03•19m ago
Yeah iirc they have moved some stuff around that sshd relied on into the pre-boot volume, so it works exactly as you describe.
cyberax•47m ago
I think the SSH host keys are in the system partition ('/private' directory)? It's not protected by FileVault.

This leaves open the possibility of a MITM. An attacker can steal the unencrypted machine host keys and pretend to be your computer. And since you're entering a clear-text password, it's easy to sniff.

Moving the host keys into hardware root-of-trust would help. But macOS Secure Enclave barely supports that, and it's also pretty slow.
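The practical defence against the impersonation concern above is the one SSH already has: pin the host key and refuse to type the FileVault password unless the fingerprint the remote side presents matches one you recorded while you still had the console (for example from `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the machine itself). The block below is an added example for this thread, not code from Apple, OpenSSH or any commenter. It reproduces OpenSSH's SHA256 fingerprint computation in pure stdlib Python and checks an `ssh-keyscan`-style line against a recorded fingerprint; the host name and both key values are constructed, and "recorded at the console" is simulated by computing the fingerprint of the genuine key up front.

```python
"""Check the host key a Mac presents before typing the FileVault password
into it, by comparing its fingerprint with one recorded out of band.

Added example for this HN thread; not Apple's or OpenSSH's code. Host
names and key bytes are constructed for the example.
"""
import base64
import hashlib
import struct
from typing import Tuple


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_public_key: bytes) -> bytes:
    """Wire encoding of an ssh-ed25519 public key (RFC 8709)."""
    if len(raw_public_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)


def fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: base64 of the digest, '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str) -> Tuple[str, str, bytes]:
    """Return (hostnames, key type, decoded key blob) for one entry.

    Handles plain entries as printed by `ssh-keyscan`; hashed hosts and
    @marker entries are out of scope for this example.
    """
    hosts, key_type, b64, *_ = line.split()
    return hosts, key_type, base64.b64decode(b64)


def host_key_matches(line: str, expected_fingerprint: str) -> bool:
    """True if the key in the line has the fingerprint recorded at the console.

    A mismatch means someone else is answering on that address: do not
    type the password.
    """
    _, _, blob = parse_known_hosts_line(line)
    return fingerprint(blob) == expected_fingerprint


# Constructed keys: the Mac's genuine host key and an attacker's substitute.
GENUINE_KEY = bytes(range(32))
ATTACKER_KEY = bytes(range(32, 64))


def keyscan_line(hostname: str, raw_key: bytes) -> str:
    """Build the line `ssh-keyscan -t ed25519 <hostname>` would print."""
    blob = ed25519_blob(raw_key)
    return f"{hostname} ssh-ed25519 {base64.b64encode(blob).decode()}"


# Stand-in for the fingerprint you wrote down at the console before
# ever connecting remotely (constructed here from the genuine key).
RECORDED_FINGERPRINT = fingerprint(ed25519_blob(GENUINE_KEY))


if __name__ == "__main__":
    for label, key in (("genuine", GENUINE_KEY), ("attacker", ATTACKER_KEY)):
        line = keyscan_line("mac-mini.lan", key)
        fp = fingerprint(parse_known_hosts_line(line)[2])
        verdict = "OK" if host_key_matches(line, RECORDED_FINGERPRINT) else "MISMATCH"
        print(f"{label}: {fp} -> {verdict}")
```

In day-to-day use the same check is what `StrictHostKeyChecking yes` plus a pre-populated `known_hosts` entry gives you, and `ssh-keygen -lf` on an `ssh-keyscan` output file prints the fingerprint in the identical `SHA256:` form, so the value you recorded at the console can be compared by eye. The check only matters if the key you recorded was taken from the machine itself, not learned on first connection.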

_mikz•39m ago
I have my private keys in Secure Enclave. Why would the machine not have its own private keys there?
Citizen8396•8m ago
1. The drive is encrypted and practically impossible to access on modern Macs regardless of FileVault status

2. The notion of someone having access to / compromising your device in order to capture SSH creds doesn't strike me as realistic

trueismywork•5m ago
That's how all the major supercomputers were hacked for crypto.
reader9274•59m ago
So you're saying i can now have a fully remote mac mini server with auto-reboot on power outage without the need to physically log in with a keyboard attached? Awesome
varenc•20m ago
You can also do this:

   sudo fdesetup authrestart -delayminutes -1

which will make the computer auto login to the chosen account on next reboot, without having to type in a password. It only lasts once. It has obvious security downsides, though that might be fine.
nozzlegear•56m ago
> The capability to unlock the data volume over SSH appeared in macOS 26 Tahoe.

Neat! I thought it was odd that I was able to SSH into my Mac after upgrading to Tahoe the other night – part of me wondered if I actually hit that "Upgrade" button before walking away. This is a welcome change though; I don't usually shut my Mac down but there have been a few times where I'm working away from home and need to SSH into my Mac only to remember that I'd installed some major update the night before.

Cu3PO42•43m ago
Neat. Though I wonder if this suffers from the same race condition that the graphical session does when your shell is stored on a data volume.

Specifically, if you restart and opt to restart apps, they can come up before all volumes have been decrypted and mounted. If your shell is on one such volume, your terminal emulator may fail to start, for example. This can happen when using Nix to install your shell, for example.

I imagine this may be even easier to hit over SSH unless the underlying problem was resolved.

daft_pink•25m ago
It’s such a welcome change. I have filevault disabled specifically for that purpose.
pfexec•8m ago
Friendly reminder that you've been able to automatically unlock fully-encrypted Linux systems via TPM for years since it was added to systemd...

(Here's a nickel kid...)

trueismywork•7m ago
Link?
