frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Apple: SSH and FileVault

https://keith.github.io/xcode-man-pages/apple_ssh_and_filevault.7.html
131•ingve•1h ago•40 comments

Learn Your Way: Reimagining Textbooks with Generative AI

https://research.google/blog/learn-your-way-reimagining-textbooks-with-generative-ai/
191•FromTheArchives•4h ago•119 comments

Nvidia buys $5B in Intel

https://www.tomshardware.com/pc-components/cpus/nvidia-and-intel-announce-jointly-developed-intel...
750•stycznik•11h ago•439 comments

This map is not upside down

https://www.maps.com/this-map-is-not-upside-down/
126•aagha•4h ago•213 comments

The Sagrada Família Takes Its Final Shape

https://www.newyorker.com/magazine/2025/09/22/is-the-sagrada-familia-a-masterpiece-or-kitsch
27•pseudolus•2d ago•2 comments

Show HN: Asxiv.org – Ask ArXiv papers questions through chat

https://asxiv.org/
39•anonfunction•1w ago•2 comments

tldraw SDK 4.0

https://tldraw.dev/blog/tldraw-sdk-4-0
49•bpierre•2h ago•28 comments

Configuration files are user interfaces

https://ochagavia.nl/blog/configuration-files-are-user-interfaces/
116•todsacerdoti•5h ago•64 comments

Launch HN: Cactus (YC S25) – AI inference on smartphones

https://github.com/cactus-compute/cactus
74•HenryNdubuaku•6h ago•32 comments

Meta's live staged demo fails; the "AI" recording plays before the actor acts

https://old.reddit.com/r/LivestreamFail/comments/1nkbig7/metas_live_staged_demo_fails_the_ai_reco...
75•personjerry•1h ago•24 comments

When Knowing Someone at Meta Is the Only Way to Break Out of "Content Jail"

https://www.eff.org/pages/when-knowing-someone-meta-only-way-break-out-content-jail
171•01-_-•3h ago•88 comments

TernFS – An exabyte scale, multi-region distributed filesystem

https://www.xtxmarkets.com/tech/2025-ternfs/
184•rostayob•7h ago•67 comments

U.S. already has the critical minerals it needs, according to new analysis

https://www.minesnewsroom.com/news/us-already-has-critical-minerals-it-needs-theyre-being-thrown-...
73•giuliomagnifico•2h ago•65 comments

Flipper Zero Geiger Counter

https://kasiin.top/blog/2025-08-04-flipper_zero_geiger_counter_module/
187•wgx•8h ago•63 comments

KDE is now my favorite desktop

https://kokada.dev/blog/kde-is-now-my-favorite-desktop/
654•todsacerdoti•9h ago•520 comments

OpenTelemetry Collector: What It Is, When You Need It, and When You Don't

https://oneuptime.com/blog/post/2025-09-18-what-is-opentelemetry-collector-and-why-use-one/view
43•ndhandala•4h ago•14 comments

TIC-80 – Tiny Computer

https://tic80.com/
20•archargelod•3d ago•3 comments

Luau – Fast, small, safe, gradually typed scripting language derived from Lua

https://luau.org/
134•andsoitis•8h ago•59 comments

PostgreSQL Maintenance Without Superuser

https://boringsql.com/posts/postgresql-predefined-roles/
36•radimm•3d ago•0 comments

Returning to Church won't save us from nihilism

https://thereader.mitpress.mit.edu/returning-to-church-wont-save-us-from-nihilism/
6•hhs•30m ago•3 comments

Slack has raised our charges by $195k per year

https://skyfall.dev/posts/slack
2752•JustSkyfall•20h ago•1197 comments

Aaron Levie: Startups win in the AI era [video]

https://www.youtube.com/watch?v=uqc_vt95GJg
46•sandslash•8h ago•15 comments

OneDev – Self-hosted Git server with CI/CD, Kanban, and packages

https://onedev.io/
69•jcbhmr•5h ago•31 comments

American Prairie unlocks another 70k acres in Montana

https://earthhope.substack.com/p/victory-for-public-access-american
239•mooreds•6h ago•153 comments

Shipping 100 hardware units in under eight weeks

https://farhanhossain.substack.com/p/how-we-shipped-100-hardware-units
18•M_farhan_h•2h ago•10 comments

I Built an Event-Sourcing Database Engine: Meet Genesis DB

https://www.genesisdb.io
26•patriceckhart•3d ago•13 comments

Midcentury North American Restaurant Placemats

https://casualarchivist.substack.com/p/order-up
165•NaOH•2d ago•46 comments

CERN Animal Shelter for Computer Mice (2011)

https://computer-animal-shelter.web.cern.ch/index.shtml
320•EbNar•15h ago•45 comments

The quality of AI-assisted software depends on unit of work management

https://blog.nilenso.com/blog/2025/09/15/ai-unit-of-work/
129•mogambo1•9h ago•83 comments

Chrome's New AI Features

https://blog.google/products/chrome/new-ai-features-for-chrome/
154•HieronymusBosch•5h ago•103 comments
Open in hackernews

Apple: SSH and FileVault

https://keith.github.io/xcode-man-pages/apple_ssh_and_filevault.7.html
130•ingve•1h ago

Comments

syndeo•1h ago
>When FileVault is enabled, the data volume is locked and unavailable during and after booting, until an account has been authenticated using a password. The macOS version of OpenSSH stores all of its configuration files, both system-wide and per-account, in the data volume. Therefore, the usually configured authentication methods and shell access are not available during this time. However, when Remote Login is enabled, it is possible to perform password authentication using SSH even in this situation. This can be used to unlock the data volume remotely over the network. However, it does not immediately permit an SSH session. Instead, once the data volume has been unlocked using this method, macOS will disconnect SSH briefly while it completes mounting the data volume and starting the remaining services dependent on it. Thereafter, SSH (and other enabled services) are fully available.

Now THAT is a welcome change!

mmaunder•1h ago
There’s an attack vector in there somewhere.
xoa•1h ago
Kinda struggling to think of what, beyond the well understood risks of using password-based SSH at all. But that's easily ameliorated by sticking it behind Wireguard or something similar. I think this is a pretty welcome change vs turning off FV entirely which I've had to do with Mac servers in the past.
adastra22•1h ago
Tahoe now escrows your FileVailt key to the iCloud keychain, even if that is something you explicitly opted out of before. Can this recovery key be used to unlock over SSH?
Citizen8396•33m ago
1. Keychain is local if you don't enable iCloud

2. If someone has compromised your iCloud account and/or device, you have bigger things to worry about

3. No

pseudalopex•18m ago
> Tahoe now escrows your FileVailt key to the iCloud keychain, even if that is something you explicitly opted out of before.

Yes and no according to Glenn Fleishman. Storing FileVault recovery keys in iCloud Keychain wasn't a choice before. The old iCloud recovery method wasn't end to end encrypted. But iCloud Keychain is. So calling it escrow is debatable. And old recovery keys aren't added to iCloud Keychain. But new recovery keys are stored in iCloud Keychain if enabled.[1]

[1] https://sixcolors.com/post/2025/09/filevault-on-macos-tahoe-...

xoa•13m ago
I don't know but I'm still not seeing the relevance? The threat/target scenarios in general for FDE are physical theft of a device, hardware servicing by 3rd parties, and dealing with end of life (either due to replacement or hardware failure). FDE means that "erasing all data securely" can involve simple key purging instead of extremely time consuming zeroing/overwriting or physical destruction. But it's no barrier nor meant to be any barrier against hot online attacks, if someone is able to get admin remote access to a running system without authorization that is the problem and it'd be equally the problem whether the machine was cold booted or already booted. And if they illegitimately possess the recovery key then it's a problem whether remote or physically present.

FWIW and having not looked yet (since I never upgrade major macOS versions anymore without a good 3-5 months going by and the first 2-3 minor fixes first) my default assumption is it's still possible to not escrow recovery keys, if only because plenty of people don't use iCloud keychain at all (including myself), and also because I know for sure that you can use configuration profiles to control FV recovery key escrow already. That'd be a requirement for lots of business usage so even if it needs a profile to use should still be there? But again this all seems orthogonal to the issue at hand. Stuff does crash or need updates that require a reboot and previously you either needed to turn off FV entirely or use a hardware workaround for GUI access (ie, setup a basic SBC with HDMI/USB in and use it as a bridge or use a premade solution along the lines of PiKVM [0]). It's definitely a small but nice (and feels rare nowadays from Apple) remote admin gesture to let it be done in software like it should have been long ago.

----

0: https://pikvm.org/

bigyabai•6m ago
Yup. My post-Blastdoor reaction to these writeups is always one of tentative suspicion.
sugarpimpdorsey•1h ago
Maybe stop using Macs as multiuser servers?

Unavailability of FileVault-mounted home directories when not logged in has been the case since Tiger.

I'm curious - if the OpenSSH config files are not available - how do they start sshd? If the system keys are encrypted, how do they accept connections?

There's a surprising lack of detail here.

numbsafari•1h ago
How about I just want to access my files remotely after a reboot occurs without having to get to the device at my house?

Agreed, though… MacOS isn’t a proper multi-user system and X is Not Unix…

gjsman-1000•1h ago
macOS is a Unix by pedigree; Linux is not.

https://en.wikipedia.org/wiki/List_of_Unix_systems#/media/Fi...

I have to dig out this chart when people complain about macOS's "non-standard utilities." Linux's GNU tools are the ones that aren't standard. If anything, Linux did an "embrace, extend, extinguish" against Unix in general.

dangus•1h ago
I’d add that it is rather prescriptive to declare that macOS is not a “proper multi-user system.”

It is quite capable of handling multiple users. Maybe just not in the way that certain people want it to.

jen20•49m ago
It's also not just Unix by pedigree, but also by certification [1].

[1]: https://www.opengroup.org/openbrand/certificates/1223p.pdf

jacobgkau•53m ago
In addition to the pedigree that someone else pointed out, macOS is also explicitly certified as UNIX by the legal stewards of that name: https://www.opengroup.org/openbrand/register/

This includes Tahoe specifically: https://www.opengroup.org/openbrand/register/brand3725.htm

dangus•1h ago
I can’t imagine it’s too hard, I think password authentication is the key. Your user password is the same as your FileVault unlock password. I think that there’s a pre-unlock and post-unlock ssh session trick going on. The pre-unlock session just doesn’t have access to anything in the data volume and is able to use the provided password to unlock the data volume.

This would explain why it won’t work with ssh key authentication.

angulardragon03•46m ago
Yeah iirc they have moved some stuff around that sshd relied on into the pre-boot volume, so it works exactly as you describe.
cyberax•1h ago
I think the SSH host keys are in the system partition ('/private' directory)? It's not protected by FileVault.

This leaves out a possibility of a MITM. An attacker can steal the unencrypted machine host keys and pretend to be your computer. And since you're entering a clear-text password, it's easy to sniff.

Moving the host keys into hardware root-of-trust would help. But macOS Secure Enclave barely supports that, and it's also pretty slow.

_mikz•1h ago
I have my private keys in Secure Enclave. Why the machine would not have own private keys there?
aaroncarson•31m ago
100% - Apple wouldn’t be so stupid as to move the private host keys to an unencrypted partition when the Secure Enclave is _right there_. No way is the Secure Enclave too slow for this - it’s exactly what it’s designed to do!
davidczech•14m ago
They are encrypted with a SEP key when stored in preboot volume.
Citizen8396•35m ago
1. The drive is encrypted and practically impossible to access on modern Macs regardless of FileVault status

2. The notion of someone having access to / compromising your device in order to capture SSH creds doesn't strike me as realistic

trueismywork•32m ago
Thats how all major supercomputer was hacked for crypto.
reader9274•1h ago
So you're saying i can now have a fully remote mac mini server with auto-reboot on power outage without the need to physically log in with a keyboard attached? Awesome
varenc•47m ago
You can also do this:

   sudo fdesetup authrestart -delayminutes -1
which will make the computer auto login to the chosen account on next reboot, without having to type in a password. Only lasts once. Has obvious security downsides though but that might be fine.
eastbound•31m ago
But then you could just disable FileVault?
MBCook•14m ago
I don’t think so.

I think this doesn’t work from cold boot, only warm reboot.

That’s what I saw someone say on mastodon the other day.

nozzlegear•1h ago
> The capability to unlock the data volume over SSH appeared in macOS 26 Tahoe.

Neat! I thought it was odd that I was able to SSH into my Mac after upgrading to Tahoe the other night – part of me wondered if I actually hit that "Upgrade" button before walking away. This is a welcome change though; I don't usually shut my Mac down but there have been a few times where I'm working away from home and need to SSH into my Mac only to remember that I'd installed some major update the night before.

Cu3PO42•1h ago
Neat. Though I wonder if this suffers from the same race condition that the graphical session does when your shell is stored on a data volume.

Specifically, if you restart and opt to restart apps, they can come up before all volumes have been decrypted and mounted. If your shell is on one such volume, your terminal emulator may fail to start, for example. This can happen when using Nix to install your shell, for example.

I imagine this may be even easier to hit over SSH unless the underlying problem was resolved.

xrisk•25m ago
This is such a hilarious failure mode. I would never have imagined something like this to a problem.

In the case of SSH though, I assume retrying after a second or so would be enough. You probably have some sort of retry mechanism to deal with network failures anyway.

daft_pink•53m ago
It’s such a welcome change. I have filevault disabled specifically for that purpose.
pfexec•36m ago
Friendly reminder that you've been able to automatically unlock fully-encrypted Linux systems via TPM for years since it was added to systemd...

(Here's a nickel kid...)

trueismywork•35m ago
Link?
pfexec•31m ago
https://www.freedesktop.org/software/systemd/man/251/systemd...
rnhmjoj•28m ago
Also possible without a TPM: you just put openssh into the initrd, so you can log in and type the password to unlock the root.

(It's technically not full-disk encryption because the kernel and initrd are in plaintext, but everything else is)

pfexec•25m ago
What do you authenticate against? Your shadow file is in the unencrypted area leaving it susceptible to offline attack.

With the TPM you can fully disable password auth over SSH.

rnhmjoj•21m ago
Correct, someone with physical access could run a MitM attack and steal your passphrase. I just find this extremely unlikely, so I honestly don't care.
xrisk•17m ago
This is not the same thing is it? Arch Wiki mentions something about having to install a separate ssh server into initramfs to support ssh’ing into fully encrypted systems.

systemd-cryptenroll seems to be about storing encryption keys into the TPM so that they can be decrypted automatically at boot (?)

Apologies if I misunderstood something.

georgeburdell•31m ago
Biggest change for corporate non-personal Mac usage. Mac Minis are actually fairly good value and good quality for miscellaneous automation purposes. We started switching over to them at work, and the FileVault issue described here was actually one of the big things holding us back.
AceJohnny2•22m ago
Interesting. I thought even networking didn't come up after a cold boot on a system with FileVault until there was a local login, which is a big reason I do not enable FileVault on my office workstation. I guess this has been changed on Tahoe too?
johannes1234321•18m ago
I guess it is need, so that the IT department may revoke keys remotely.