
Apple: SSH and FileVault

(keith.github.io)
507 points by ingve | 2 comments
mmaunder No.45294710
There’s an attack vector in there somewhere.
replies(3): >>45294968 #>>45295595 #>>45300986 #
xoa No.45294968
Kinda struggling to think of what, beyond the well understood risks of using password-based SSH at all. But that's easily ameliorated by sticking it behind Wireguard or something similar. I think this is a pretty welcome change vs turning off FV entirely which I've had to do with Mac servers in the past.
replies(3): >>45295011 #>>45296172 #>>45301008 #
adastra22 No.45295011
Tahoe now escrows your FileVault key to the iCloud keychain, even if that is something you explicitly opted out of before. Can this recovery key be used to unlock over SSH?
replies(3): >>45295348 #>>45295489 #>>45295543 #
Citizen8396 No.45295348
1. Keychain is local if you don't enable iCloud

2. If someone has compromised your iCloud account and/or device, you have bigger things to worry about

3. No

replies(1): >>45297351 #
adastra22 No.45297351
> If someone has compromised your iCloud account and/or device, you have bigger things to worry about

That doesn't mean all my security should be a house of cards with a single point of failure in the form of my iCloud account and/or device(s). Someone shouldn't be able to get the keys to the castle just by compromising any single one of those.