Apple: SSH and FileVault

(keith.github.io)
507 points ingve | 3 comments
reader9274 ◴[] No.45294811[source]
So you're saying I can now have a fully remote Mac mini server with auto-reboot on power outage without the need to physically log in with a keyboard attached? Awesome
replies(11): >>45295194 #>>45295532 #>>45295803 #>>45295918 #>>45296499 #>>45298327 #>>45298862 #>>45298996 #>>45299462 #>>45300622 #>>45300893 #
reader9274 ◴[] No.45298327[source]
Just tested it and it works flawlessly!

1. Enable: General > Sharing > Remote Management

2. After reboot, when trying to SSH you get this message:

"This system is locked. To unlock it, use a local account name and password. Once successfully unlocked, you will be able to connect normally."

3. Once you successfully ssh, the ssh connection is closed, and this message is shown:

"System successfully unlocked. You may now use SSH to authenticate normally."

4. You have to re-ssh and you're in!

replies(3): >>45300726 #>>45302048 #>>45308439 #
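The unlock flow in steps 2 to 4 above, scripted so a monitoring host can bring the machine back after a power outage without someone watching the terminal. This is an added example, not code from the thread or from the linked post; the host alias `macmini-unlock`, the retry budget and the "ssh: connect to host" match for the reboot window are assumptions, while the two banner strings are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not code from the thread or the linked post: script the
# two-step unlock flow described in steps 2-4 above.  The host alias
# "macmini-unlock", the retry budget and the exact banner matching are
# assumptions; the two banner strings are the ones quoted in the thread.

LOCKED_BANNER="This system is locked."
UNLOCKED_BANNER="System successfully unlocked."

# classify_ssh_output OUTPUT: map one ssh session's combined stdout/stderr to
# a state word.
#   unlocked    unlock accepted; the pre-boot sshd dropped the session (step 3)
#   locked      pre-boot sshd still waiting for a local account password (step 2)
#   unreachable no sshd answering yet (machine still rebooting)
#   normal      neither banner seen: the regular sshd answered (step 4)
classify_ssh_output() {
    case "$1" in
        *"$UNLOCKED_BANNER"*)     echo unlocked ;;
        *"$LOCKED_BANNER"*)       echo locked ;;
        *"ssh: connect to host"*) echo unreachable ;;
        *)                        echo normal ;;
    esac
}

# wait_for_unlock HOST [TRIES]: connect to HOST until the disk is unlocked or
# the normal sshd is already up; returns 0 on success, 1 when out of tries.
# The password is typed at the prompt, never passed on the command line.
# StrictHostKeyChecking=yes is deliberate: the local account password goes
# into this session, so the pre-boot host key must already be pinned in
# known_hosts, and an unknown or changed key must abort instead of prompting.
wait_for_unlock() {
    host="$1"
    tries="${2:-10}"
    n=0
    while [ "$n" -lt "$tries" ]; do
        out="$(ssh -o StrictHostKeyChecking=yes "$host" true 2>&1)"
        case "$(classify_ssh_output "$out")" in
            unlocked|normal) return 0 ;;
            locked)          echo "unlock not accepted, retrying" >&2 ;;
            unreachable)     echo "sshd not up yet, retrying" >&2 ;;
        esac
        n=$((n + 1))
        sleep 5
    done
    return 1
}

# usage: wait_for_unlock macmini-unlock && ssh macmini-unlock
```

The unlocked check comes before the locked one because a successful session prints the "locked" banner first and the "unlocked" banner afterwards, and the function keys off whichever is decisive. The unreachable state covers the seconds after power returns when nothing listens on port 22 yet, which would otherwise be misread as a normal login.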
SXX ◴[] No.45300726[source]
One question for you or anyone who tried it: is the SSH host key (on the Mac) pre-disk-unlock randomly generated, and is it persistent?
replies(1): >>45300955 #
lxgr ◴[] No.45300955[source]
I'd be surprised if it were a different key from the regular host key.

Most SSH clients I know show a big and often non-overridable warning in case of a changed host key and don't allow (at least not TOFU-style) trusting two keys.

replies(1): >>45301073 #
SXX ◴[] No.45301073[source]
> Most SSH clients I know show a big and often non-overridable warning in case of a changed host key and don't allow (at least not TOFU-style) trusting two keys.

You can solve this with HostKeyAlias, but yeah, I doubt Apple would do this. Considering other comments mentioning "just SSHing after reboot", it's certainly the same host key.

https://stackoverflow.com/questions/733753/how-to-handle-ssh-host-key-verification-with-2-different-hosts-on-the-same-but

PS: Another option is obviously UserKnownHostsFile, but I would rather keep a single known_hosts file.
replies(1): >>45301126 #
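The HostKeyAlias approach from the comment above, worked through for the case the commenter is hedging against: the pre-unlock sshd presenting a different host key than the regular one. The thread's conclusion is that the key is the same, in which case none of this is needed. This is an added example, not code from the thread or the linked post; the address 192.0.2.10, the alias names `macmini-unlock` and `macmini`, and the sample ssh-keyscan line in the test are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: keep two different host keys for the
# same address (pre-unlock sshd vs. the normal sshd) without tripping the
# "host key changed" check, using HostKeyAlias as suggested above.  The
# address 192.0.2.10 and the alias names are assumptions.

# known_hosts_line_for_alias ALIAS KEYSCAN_LINE
# ssh-keyscan prints "host keytype base64key"; with HostKeyAlias set, ssh
# looks the key up under ALIAS instead of the host name, so the known_hosts
# entry has to be stored under ALIAS: rewrite the first field.
known_hosts_line_for_alias() {
    alias="$1"
    line="$2"
    keytype_and_key="${line#* }"   # drop the first field (host name or [host]:port)
    printf '%s %s\n' "$alias" "$keytype_and_key"
}

# ssh_config_stanzas ADDRESS: ~/.ssh/config text giving each of the two sshds
# its own HostKeyAlias, and therefore its own known_hosts entry.  CheckHostIP
# is off so a changing DHCP address does not add a second, IP-keyed entry.
ssh_config_stanzas() {
    cat <<EOF
# pre-boot unlock sshd: password only, its own pinned host key
Host macmini-unlock
    HostName $1
    HostKeyAlias macmini-unlock
    CheckHostIP no
    PubkeyAuthentication no
    PreferredAuthentications keyboard-interactive,password

# normal sshd after FileVault is unlocked
Host macmini
    HostName $1
    HostKeyAlias macmini
    CheckHostIP no
EOF
}

# pin_host_key ALIAS ADDRESS: scan ADDRESS now and append its key under ALIAS.
# Do this from a network you trust, or compare the fingerprint against one
# read off the console first; a key pinned from a hostile network is worse
# than none.  Needs network access, so the test does not call it.
pin_host_key() {
    ssh-keyscan -t ed25519 "$2" 2>/dev/null | while IFS= read -r l; do
        known_hosts_line_for_alias "$1" "$l"
    done >> "$HOME/.ssh/known_hosts"
}

# usage: ssh_config_stanzas 192.0.2.10 >> ~/.ssh/config
#        pin_host_key macmini-unlock 192.0.2.10   # while the machine sits at the unlock prompt
#        pin_host_key macmini 192.0.2.10          # after it has been unlocked
```

The UserKnownHostsFile alternative mentioned in the same comment is the same idea with a separate file instead of a separate name: drop the HostKeyAlias line from the unlock stanza and add `UserKnownHostsFile ~/.ssh/known_hosts_macmini_unlock` there instead, leaving the main known_hosts untouched. Either way the point is that each sshd is pinned once, so an unexpected key on the password-typing connection is a hard failure rather than a prompt.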
lxgr ◴[] No.45301126[source]
Wow, TIL about HostKeyAlias and CheckHostIP. Especially the latter sounds super useful when it comes to frequently changing private IPs. Thank you!