(keith.github.io)

507 points ingve | 1 comments | 18 Sep 25 20:15 UTC | HN request time: 0.204s | source

Show context

sugarpimpdorsey ◴[18 Sep 25 20:39 UTC] No.45294739[source]▶

Maybe stop using Macs as multiuser servers?

Unavailability of FileVault-mounted home directories when not logged in has been the case since Tiger.

I'm curious - if the OpenSSH config files are not available - how do they start sshd? If the system keys are encrypted, how do they accept connections?

There's a surprising lack of detail here.

replies(4): >>45294817 #>>45294905 #>>45294943 #>>45301003 #

cyberax ◴[18 Sep 25 20:58 UTC] No.45294943[source]▶

>>45294739 #

I think the SSH host keys are in the system partition ('/private' directory)? It's not protected by FileVault.

This leaves out a possibility of a MITM. An attacker can steal the unencrypted machine host keys and pretend to be your computer. And since you're entering a clear-text password, it's easy to sniff.

Moving the host keys into hardware root-of-trust would help. But macOS Secure Enclave barely supports that, and it's also pretty slow.

replies(2): >>45295020 #>>45295324 #

Citizen8396 ◴[18 Sep 25 21:38 UTC] No.45295324[source]▶

>>45294943 #

1. The drive is encrypted and practically impossible to access on modern Macs regardless of FileVault status

2. The notion of someone having access to / compromising your device in order to capture SSH creds doesn't strike me as realistic

replies(1): >>45295356 #

1. trueismywork ◴[18 Sep 25 21:41 UTC] No.45295356[source]▶

>>45295324 #

Thats how all major supercomputer was hacked for crypto.

↑

Apple: SSH and FileVault