MacOS upgrades now blow away your sshd settings

Isn't that handy? Because I totally wanted to turn PasswordAuthentication back on, and allow logins from any account.

Thanks, Apple. You're a pal.



21 Responses:

  1. Wait until you discover the changes in ssh's keychain integration.

    • David Glover-Aoki says:

      You can undo those changes by adding the following to your ssh_config. But you'll have to re-do it after every update.

          Host *
          AddKeysToAgent yes
          UseKeychain yes

      • Aristotle says:

        Although, why do it there instead of in ~/.ssh/config?

        (Or are you saying they’re going to start blowing away dotfiles in my homedir on my behalf? Please please tell me otherwise…)

        • David Glover-Aoki says:

          I don't do it in ~ because my home folder is synced with other non-macos machines, which do not understand the "UseKeychain" directive.

          • Aristotle says:

            Ah, right.

            Well, ssh_config does have an Include directive and it doesn’t error on non-existent files, so you could put them in a ~/.ssh/config_local… but since Include has only been supported since OpenSSH 7.3, you’d have to have recent OpenSSH everywhere you have access to. (And I see that in 7.5 it warns on non-existent files, which makes it a little more annoying to use for this particular issue…)

            There’s also IgnoreUnknown… which was added in 6.3 i.e. late 2013, so it stands at least a chance of being useful for this. But it’s not in Debian Wheezy…

  2. Wout says:

    They should rename it to iTunesAndPhotosOS, to reveal its true purpose…

  3. Colin Rafferty says:

    Well they did say it was a security update. They just forgot to mention which direction they were taking security.

  4. tfofurn says:

    I actually use the HTTP server on my Mac for weird redirect purposes, and that configuration got replaced when I moved to Sierra. Fortunately, my httpd.conf was renamed during the upgrade, so I didn't have to rediscover the settings I needed from scratch. Unfortunately, I haven't yet learned the lesson of keeping a copy of those files in my home directory.

  5. Yeah, the OSX update process has been doing that for a while for people unlucky enough to be on the OSX beta train. I spent a considerable amount of time submitting bug reports over the last year, first when Apple switched to OpenSSH 7.4 (which took out the older protocol negotiation) and then the stupid beta program which kept overwriting ssh_config (and thus disabling all of the ssh configuration I'd set up).

    I don't think that any of the apple security team has ever been a sysadmin, or, for that matter, has ever done anything with the network other than web traffic.

  6. Perry Metzger says:

    This really, really, really bites the wax tadpole.

  7. Waider says:

    Ah, thanks for reminding me. I forget this every time I upgrade.

  8. Joe Loughry says:

    Something similar happened in 2014; I had to reset all these after a MacOS update:

        PasswordAuthentication no
        ChallengeResponseAuthentication no
        PermitRootLogin no

    • jwz says:

      One of my nightly cron jobs now warns if any of these files exist. Sigh...

      /etc/apache2/extra/httpd-mpm.conf~previous
      /etc/apache2/extra/httpd-ssl.conf~previous
      /etc/apache2/httpd.conf~previous
      /etc/hosts~previous
      /etc/newsyslog.d/apache2.conf~previous
      /etc/postfix/main.cf~previous
      /etc/ssh/sshd_config~previous
      /usr/local/etc/com.apple.syslogd.plist~previous

      • BHN says:

        This may still be less onerous than what many linux users have gone through with Poettering's team and the shift over to systemd, but I can't help but think it's a gradual convergence toward a mediocrity of systems that are all a pita to use.

        "We know better than you do" only works if they do in fact know better than you do.
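The nightly check jwz describes above, plus the three settings Joe Loughry had to reset, as an added example that is not jwz's actual cron job: it reports an sshd_config that an upgrade replaced (leaving a `~previous` backup), diffs it against that backup, and flags any of the three settings that no longer hold. File paths are passed as arguments; the sample config it runs against is constructed inline.

```shell
#!/bin/sh
# Added example, not jwz's cron job: detect an sshd_config that an upgrade
# replaced (a "~previous" copy sits beside it) and settings that regressed
# from hardened values. Paths are arguments so it can run on constructed files.

# Effective value of a keyword in the global section of an sshd_config. sshd
# honours the first occurrence it sees, so a duplicate appended later loses;
# stop at the first Match block, whose settings are conditional.
sshd_setting() {  # sshd_setting <config-file> <Keyword>
    awk -v key="$2" 'tolower($1) == "match" { exit }
                     tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# True when the upgrade kept the old copy alongside the new file.
was_replaced() {  # was_replaced <config-file>
    [ -f "$1~previous" ]
}

# Warn on a replaced file (with a diff against the backup) and on each setting
# that differs from the expected hardened value. Exit 1 on any finding so a
# cron job's mail has something to say.
check_sshd_config() {  # check_sshd_config <config-file>
    cfg=$1; rc=0
    if was_replaced "$cfg"; then
        echo "WARN: $cfg was replaced by an upgrade; diff against backup:"
        diff "$cfg~previous" "$cfg" || true
        rc=1
    fi
    for pair in PasswordAuthentication=no ChallengeResponseAuthentication=no PermitRootLogin=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_setting "$cfg" "$key")
        # A commented-out keyword means the compiled-in default applies
        # (PasswordAuthentication defaults to yes), so "unset" is a finding too.
        [ "$got" = "$want" ] || { echo "WARN: $cfg: $key is '${got:-unset}', expected '$want'"; rc=1; }
    done
    return $rc
}

# Constructed sample: a hardened config whose upgrade "restored" the defaults.
make_demo_config() {
    d=$(mktemp -d)
    printf 'PasswordAuthentication no\nChallengeResponseAuthentication no\nPermitRootLogin no\n' > "$d/sshd_config~previous"
    printf '#PasswordAuthentication yes\nChallengeResponseAuthentication yes\nPermitRootLogin prohibit-password\n' > "$d/sshd_config"
    echo "$d"
}

demo=$(make_demo_config)
if check_sshd_config "$demo/sshd_config"; then echo "sshd_config looks fine"; fi
```

Pointed at /etc/ssh/sshd_config from cron, the non-zero exit and the WARN lines are what turn a silent revert to PasswordAuthentication into a message in the morning.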

  9. Web Guy says:

    I keep my /etc under source control since apt-get occasionally burns me the same way.

  10. This bug makes me sad.

    Naïve question: Is there any way to convince Apple to take this issue seriously?

    • Tim says:

      Silly answer: simply take a billion dollars or so and create a product that eats >25% of their market share.
