
Apple: SSH and FileVault

(keith.github.io)
507 points ingve | 8 comments
reader9274 No.45294811
So you're saying I can now have a fully remote Mac mini server with auto-reboot on power outage, without the need to physically log in with a keyboard attached? Awesome.
replies(11): >>45295194 #>>45295532 #>>45295803 #>>45295918 #>>45296499 #>>45298327 #>>45298862 #>>45298996 #>>45299462 #>>45300622 #>>45300893 #
1. reader9274 No.45298327
Just tested it and it works flawlessly!

1. Enable: General > Sharing > Remote Management

2. After reboot, when trying to SSH you get this message:

"This system is locked. To unlock it, use a local account name and password. Once successfully unlocked, you will be able to connect normally."

3. Once you successfully ssh, the ssh connection is closed, and this message is shown:

"System successfully unlocked. You may now use SSH to authenticate normally."

4. You have to re-ssh and you're in!

replies(3): >>45300726 #>>45302048 #>>45308439 #
2. SXX No.45300726
One question for you or anyone who tried it. Is the SSH host key of the Mac pre disk unlock randomly generated and persistent?
replies(1): >>45300955 #
3. lxgr No.45300955
I'd be surprised if it were a different key from the regular host key.

Most SSH clients I know show a big and often non-overridable warning in case of a changed host key and don't allow (at least not TOFU-style) trusting two keys.

replies(1): >>45301073 #
4. SXX No.45301073

> Most SSH clients I know show a big and often non-overridable warning in case of a changed host key and don't allow (at least not TOFU-style) trusting two keys.

You can solve this with HostKeyAlias, but yeah, I doubt Apple would do this. Considering other comments mentioning "just SSHing after reboot", it's certainly the same host key.

https://stackoverflow.com/questions/733753/how-to-handle-ssh-host-key-verification-with-2-different-hosts-on-the-same-but

PS: Another option is obviously UserKnownHostsFile, but I would rather keep a single known hosts file.
replies(1): >>45301126 #
5. lxgr No.45301126
Wow, TIL about HostKeyAlias and CheckHostIP. Especially the latter sounds super useful when it comes to frequently changing private IPs. Thank you!
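As an added illustration of the HostKeyAlias, UserKnownHostsFile and CheckHostIP options discussed in this subthread (example config written for this page, not taken from the thread or from Apple's documentation): the stanzas below let the pre-unlock SSH endpoint and the normal post-unlock session each be pinned to their own known_hosts entry while still sharing one known_hosts file. The host names, the 192.0.2.10 address (a documentation-range placeholder) and the local user name are assumptions; as the thread notes, the locked system appears to present the same host key, in which case both stanzas can simply use the same alias.

```ssh-config
# Added example, not from the thread. Trailing comments are not allowed
# in ssh_config, so every comment sits on its own line.

# Normal session once FileVault has been unlocked.
Host mini
    # Placeholder address; replace with the Mac mini's real address.
    HostName 192.0.2.10
    # The host key is recorded under this alias rather than the IP,
    # so a different key for the locked state cannot clobber it.
    HostKeyAlias mini-unlocked
    # Do not additionally track the key by IP (default is already "no"
    # on OpenSSH 8.5 and later); avoids warnings when DHCP moves the host.
    CheckHostIP no
    # One shared known_hosts file, distinguished by alias, not by file.
    UserKnownHostsFile ~/.ssh/known_hosts

# Pre-unlock session: the login that unlocks the disk and is then
# disconnected. Only a separate alias is needed if this state ever
# presents a different host key.
Host mini-locked
    HostName 192.0.2.10
    # Assumed name of a local account that can unlock FileVault.
    User localadmin
    HostKeyAlias mini-locked
    CheckHostIP no
    UserKnownHostsFile ~/.ssh/known_hosts
```

With this in place, `ssh mini-locked` is used once after a reboot to unlock the volume, and `ssh mini` for everything afterwards; if the two states really do share a key, set both stanzas to the same HostKeyAlias so the fingerprint is verified against a single trusted entry.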
6. nazarewk No.45302048
I actually turned it on after the update with General > Sharing > Remote Login.

It's worth noting I had to disable and re-enable (I had it enabled to begin with) this option for SSH to start working.

The Remote Management option didn't change anything for me and is currently turned off.

replies(1): >>45324534 #
7. kylehotchkiss No.45308439
If you had it on prior to the macOS update with FileVault off, macOS automatically enabled FileVault and didn't flip the switch with SSH to support this.

So now I have a Mac mini that I have to unmount and connect to a screen to get working again. blerg

8. reader9274 No.45324534
Ah, I use Remote Management because I also do screen sharing on this mac mini from time to time