Thanks, Apple. You're a pal.
MacOS upgrades now blow away your sshd settings
Isn't that handy? Because I totally wanted to turn PasswordAuthentication back on, and allow logins from any account.
Tags: computers, firstperson, mac, security
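The practical problem with the upgrade is that you only find out after the fact. Here is an added example (mine, not from the post) of a small POSIX sh audit you can run from cron against /etc/ssh/sshd_config: it reports when PasswordAuthentication is no longer off, or when no AllowUsers/AllowGroups line restricts who can log in. The two sample config files are constructed for the demo, standing in for the file you wrote and the stock one an upgrade leaves behind.

```shell
#!/bin/sh
# Added example, not from the post: audit an sshd_config for the two settings
# the post says a macOS upgrade quietly reverted (PasswordAuthentication and
# the AllowUsers/AllowGroups restriction). Point it at /etc/ssh/sshd_config
# from cron; the sample files below are constructed for the demo.

# sshd_opt KEYWORD FILE: print the effective value of KEYWORD (lowercased).
# sshd honours the first non-comment occurrence of a keyword, so stop at the
# first match. Assumes the "Keyword value" form; "Keyword=value" and Match
# blocks are not handled here (`sudo sshd -T` is the authoritative view).
sshd_opt() {
    awk -v k="$1" 'tolower($1) == k { print tolower($2); exit }' "$2"
}

# check_sshd_config FILE: print one WARN line per problem; return 1 if any.
check_sshd_config() {
    f="$1"
    rc=0
    pw="$(sshd_opt passwordauthentication "$f")"
    if [ "$pw" != "no" ]; then
        echo "WARN: $f: PasswordAuthentication is '${pw:-unset, default yes}'"
        rc=1
    fi
    if [ -z "$(sshd_opt allowusers "$f")" ] && [ -z "$(sshd_opt allowgroups "$f")" ]; then
        echo "WARN: $f: no AllowUsers/AllowGroups, so any local account may log in"
        rc=1
    fi
    return "$rc"
}

# write_samples BEFORE AFTER: constructed stand-ins for the config you wrote
# and the stock one the upgrade leaves behind (keywords commented out, so
# the OpenSSH defaults apply). Not copies of any real Apple file.
write_samples() {
    cat > "$1" <<'EOF'
# hand-tuned before the upgrade
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers jwz
EOF
    cat > "$2" <<'EOF'
# stock file after the upgrade: defaults apply
#PasswordAuthentication yes
UsePAM yes
EOF
}

# Demo run on the constructed samples.
tmp="${TMPDIR:-/tmp}/sshd_audit.$$"
mkdir -p "$tmp"
write_samples "$tmp/before" "$tmp/after"
check_sshd_config "$tmp/before" && echo "before: ok"
check_sshd_config "$tmp/after" || echo "after: drift detected"
rm -rf "$tmp"
```

For the real thing, replace the demo lines with `check_sshd_config /etc/ssh/sshd_config || mail -s 'sshd_config drifted' you@example.invalid` (address is a placeholder) and, because the parser above is deliberately simple, treat `sudo sshd -T | grep -i -e passwordauthentication -e allowusers` as the final word on what sshd is actually enforcing.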
Wait until you discover the changes in ssh's keychain integration.
You can undo those changes by adding the following to your ssh_config. But you'll have to re-do it after every update.
Although, why do it there instead of in
(Or are you saying they’re going to start blowing away dotfiles in my homedir on my behalf? Please please tell me otherwise…)
I don't do it in ~ because my home folder is synced with other non-macOS machines, which do not understand the "UseKeychain" directive.
ssh_config does have an Include directive and it doesn't error on non-existent files, so you could put them in a ~/.ssh/config_local… but since Include has only been supported since OpenSSH 7.3, you'd have to have recent OpenSSH everywhere you have access to. (And I see that in 7.5 it warns on non-existent files, which makes it a little more annoying to use for this particular issue…)
IgnoreUnknown… which was added in 6.3 i.e. late 2013, so it stands at least a chance of being useful for this. But it’s not in Debian Wheezy…
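Putting the two suggestions above together, here is a ~/.ssh/config that can live in a home directory shared with non-macOS machines. This is an added example, not something any commenter posted: IgnoreUnknown comes first, because it only covers keywords that appear after it, and it lists Include as well, so an older ssh skips the Include line instead of failing on it. AddKeysToAgent is my addition beyond the thread; it is an upstream option (OpenSSH 7.2+), not an Apple one, and is the usual companion to UseKeychain.

```sshconfig
# ~/.ssh/config shared across macOS and non-macOS hosts (added example).
# IgnoreUnknown needs OpenSSH 6.3+ on every machine and must precede the
# keywords it names; on a client that does know them it has no effect.
IgnoreUnknown UseKeychain,AddKeysToAgent,Include

# Apple-only (Sierra and later): read passphrases from the login keychain.
UseKeychain yes

# Upstream 7.2+: keys are added to ssh-agent on first use.
AddKeysToAgent yes

# Machine-local additions, 7.3+. 7.5+ warns when the file is absent, so
# `touch ~/.ssh/config_local` on hosts that have nothing to put in it.
Include ~/.ssh/config_local
```

The floor is still 6.3 for IgnoreUnknown itself, so, as noted above, a Debian Wheezy box (OpenSSH 6.0) will still reject the file; on anything newer the worst case is a harmless warning about the missing config_local. None of this helps with sshd_config, which lives in /etc/ssh and is what the upgrade actually replaced.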
They should rename it to iTunesAndPhotosOS, to reveal its true purpose…
It's really iOSAppDevOS at this point.
So long as jwz 'feels' it's still better than Linux or Windows it's all good.
At least they got rid of that trainwreck hfs+ now. I'm really curious how apfs will behave.
More trainwrecks on the horizon.
Well they did say it was a security update. They just forgot to mention which direction they were taking security.
I actually use the HTTP server on my Mac for weird redirect purposes, and that configuration got replaced when I moved to Sierra. Fortunately, my httpd.conf was renamed during the upgrade, so I didn't have to rediscover the settings I needed from scratch. Unfortunately, I haven't yet learned the lesson of keeping a copy of those files in my home directory.
Yeah, the OSX update process has been doing that for a while for people unlucky enough to be on the OSX beta train. I spent a considerable amount of time submitting bug reports over the last year, first when Apple switched to OpenSSH 7.4 (which took out the older protocol negotiation) and then the stupid beta program which kept overwriting ssh_config (and thus disabling all of the ssh configuration I'd set up).
I don't think that any of the apple security team has ever been a sysadmin, or, for that matter, has ever done anything with the network other than web traffic.
This really, really, really bites the wax tadpole.
Ah, thanks for reminding me. I forget this every time I upgrade.
Something similar happened in 2014; I had to reset all these after a MacOS update:
One of my nightly cron jobs now warns if any of these files exist. Sigh...
This may still be less onerous than what many linux users have gone through with Poettering's team and the shift over to systemd, but I can't help but think it's a gradual convergence toward a mediocrity of systems that are all a pita to use.
"We know better than you do." only works if they do in fact know better than you do.
I keep my /etc under source control since apt-get occasionally burns me the same way.
This bug makes me sad.
Naïve question: Is there any way to convince Apple to take this issue seriously?
Silly answer: simply take a billion dollars or so and create a product that eats >25% of their market share.