
Apple: SSH and FileVault

(keith.github.io)
507 points by ingve | 6 comments
sugarpimpdorsey ◴[] No.45294739[source]
Maybe stop using Macs as multiuser servers?

Unavailability of FileVault-mounted home directories when not logged in has been the case since Tiger.

I'm curious - if the OpenSSH config files are not available - how do they start sshd? If the system keys are encrypted, how do they accept connections?

There's a surprising lack of detail here.

replies(4): >>45294817 #>>45294905 #>>45294943 #>>45301003 #
cyberax ◴[] No.45294943[source]
I think the SSH host keys are in the system partition ('/private' directory)? It's not protected by FileVault.

This leaves open the possibility of a MITM. An attacker can steal the unencrypted machine host keys and pretend to be your computer. And since you're entering a clear-text password, it's easy to sniff.

Moving the host keys into hardware root-of-trust would help. But macOS Secure Enclave barely supports that, and it's also pretty slow.

replies(2): >>45295020 #>>45295324 #
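An added illustration of the host-key point above (this is example code written for this page, not anything from the thread or from Apple/OpenSSH): a minimal known_hosts pin check that computes OpenSSH-style `SHA256:` fingerprints over the raw key blob, the same format `ssh-keygen -lf` prints. The hostnames, key bytes and known_hosts line are all constructed here. It shows what pinning does detect (a substituted key) and what it cannot (a copied host key is byte-for-byte the real one and passes), which is why a stolen host key file has to be handled by rotating the host key and by not sending reusable secrets like passwords over the session.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the blob's SHA-256 digest."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> raw key blob for every non-comment known_hosts line."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, b64 = line.split()[:3]
        for host in hosts.split(","):  # one line may list several host aliases
            pinned[(host, keytype)] = base64.b64decode(b64)
    return pinned


def check_host_key(pinned: dict, host: str, keytype: str, offered_blob: bytes) -> str:
    """Classify the key a server offered as 'match', 'mismatch' or 'unknown'."""
    expected = pinned.get((host, keytype))
    if expected is None:
        return "unknown"
    # Constant-time comparison of the raw blobs; the fingerprint is only for display.
    return "match" if hmac.compare_digest(expected, offered_blob) else "mismatch"


# Constructed sample data: an ed25519 host key blob is the key type string followed
# by the 32 public-key bytes, both SSH-string encoded. The bytes here are made up.
REAL_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
ROGUE_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))
KNOWN_HOSTS = "# constructed known_hosts\nmac.example ssh-ed25519 " + base64.b64encode(REAL_KEY).decode()
PINNED = parse_known_hosts(KNOWN_HOSTS)


def main() -> None:
    print("pinned fingerprint:", fingerprint(REAL_KEY))
    # An attacker who copied the unencrypted host key file presents REAL_KEY: pinning passes.
    print("copied host key   :", check_host_key(PINNED, "mac.example", "ssh-ed25519", REAL_KEY))
    # An attacker without the file must present a different key: pinning catches it.
    print("substituted key   :", check_host_key(PINNED, "mac.example", "ssh-ed25519", ROGUE_KEY))


if __name__ == "__main__":
    main()
```

The first check returning `match` for a copied key is the thread's concern in one line: the pin is satisfied because the attacker holds the genuine key, so the client-side signal only appears once the host key has been regenerated and the stale pin removed.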
_mikz ◴[] No.45295020[source]
I have my private keys in Secure Enclave. Why would the machine not have its own private keys there?
replies(2): >>45295383 #>>45300066 #
cyberax ◴[] No.45300066[source]
> I have my private keys in Secure Enclave.

Really? Secure Enclave supports only one asymmetric algorithm. With only some limited usages.

replies(1): >>45300900 #
SXX ◴[] No.45300900[source]
As far as I'm aware you can't actually do 100% of the crypto needed for SSH auth inside the SEP itself. Maybe I missed something, but I tried to find a way before and there was none. This would obviously be the most secure.

What you can do though is use a Secure Enclave-powered app for storing and managing access to the keys. So basically an app like "secretive" runs on your normal OS, but isolated, and only it can access the keys and use them, and there is no export function even with admin privileges.

AFAIK this will fail if there is a local root exploit on macOS, but still much better than keeping keys in plain text.

replies(1): >>45304325 #
cyberax ◴[] No.45304325[source]
You can generate and store your private SSH key in the secure enclave, there's even an SSH agent that does that for you: https://github.com/maxgoedjen/secretive

But that's it.

Anything more complicated is not possible. You can't even upload your existing key into the SE.

replies(1): >>45305080 #
SXX ◴[] No.45305080{3}[source]
AFAIK the "secretive" SSH agent is not actually running inside the SEP when it is using the keys. So when keys are actively used they are exposed in main OS RAM and only protected by the macOS security model (so they are safe unless there is a jailbreak / actual root exploit).

So "secretive" and similar software is not as secure as, let's say, a hardware token.

If I'm wrong please correct me, but when I researched the topic I came to this conclusion.

replies(1): >>45320826 #
cyberax ◴[] No.45320826{4}[source]
Ah, I see that Secretive is a victim of feature creep. I think it still can use the SE to store the private key, but it also has more ways to do it.

This is the initial inspiration for Secretive: https://github.com/sekey/sekey - it uses the SE to generate and store the actual private key, so it never leaves the machine. Hence its limitations.

replies(1): >>45336435 #
SXX ◴[] No.45336435{5}[source]
Again - I could be really wrong about Secretive. Sadly their documentation doesn't make it very clear and I myself don't have enough time to actually go read the code and figure out how it works exactly.