
What is it too locked down to accomplish? There are many knobs to unlock it.


Changing the sshd_config to only accept key authentication for example. Since the recent locking down of significant parts of the OS this keeps getting reverted to default.

But there's many more issues, I've gone into them before (I used to be a Mac admin) but I don't want to bring it all up again.


There has been a very nice trend for a number of projects to support a <config_file>.d directory to which local modifications can be added.

Current macOS (and Debian >=11) has a non-standard sshd_config modification that does "Include /etc/ssh/sshd_config.d/*". Although placement early in the config file means some things cannot be overridden.

Current "sudo" on macOS also supports this via "#includedir /private/etc/sudoers.d". (the # has been swapped for @ in upstream sudo).

This neatly sidesteps the need to diff / re-apply changes on a SW update.
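An added example, not part of any comment in this thread: a shell function that audits the effective settings printed by `sshd -T` for key-only authentication, which is one way to notice after an OS update that the configuration has reverted. The function name, the drop-in file name and the sample dumps are constructed for illustration, and the keyword set assumes a current OpenSSH.

```shell
#!/bin/sh
# Key-only drop-in this audit expects (file name is hypothetical):
#   /etc/ssh/sshd_config.d/100-key-only.conf
#     PasswordAuthentication no
#     KbdInteractiveAuthentication no
#     PubkeyAuthentication yes

# Reads "keyword value" lines as printed by `sshd -T` (keywords are lowercase)
# on stdin. Prints one line per deviation and returns 1 if any was found.
audit_key_only() {
    awk '
        BEGIN {
            want["passwordauthentication"] = "no"
            want["kbdinteractiveauthentication"] = "no"
            want["pubkeyauthentication"] = "yes"
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) {
                printf "DRIFT %s=%s (want %s)\n", $1, $2, want[$1]
                bad = 1
            }
        }
        END {
            # A keyword absent from the dump is reported rather than assumed safe.
            for (k in want) if (!(k in seen)) { printf "MISSING %s\n", k; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: effective settings with the drop-in in force.
SAMPLE_GOOD='port 22
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

# Constructed sample: the same host after the settings went back to defaults.
SAMPLE_REVERTED='port 22
passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes'

# On a real host the input would come from: sshd -T | audit_key_only
printf '%s\n' "$SAMPLE_REVERTED" | audit_key_only || echo "sshd settings drifted from key-only"
```

Because `sshd -T` prints the configuration after all includes are resolved, the check does not depend on where the `Include` line sits in the main file.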


This is not always an option, like you say it depends on the cooperation of the base config files (having the include and in the right place) and the tools used.

It won't work for all cases either. I just want to have the ability to make modifications and sign or bless them somehow with a system admin key. Root is not enough, for understandable reasons. What is possible is to modify offline (through recovery) and then 'bless' my changes. But this reverts after every reboot.

There should be a toolchain where I can make legitimate modifications in a secure manner to system files. Like every other OS has. There should be some kind of user key to sign modifications with. Apple has just ignored this whole toolchain and replaced it with a "just trust us" blanket.


You sort of can sidestep the issue by supplying your own launchd plist for openssh, and disabling Apple's one, but it's a thorn in the side anyway — the fact that you even need to bother to sidestep the issue in the first place, while there are systems which go to great lengths to respect your changes to the configuration.


System level environment variables would be nice. It’s a pita to use a yubikey (arguably more secure than a plaintext key in .ssh) for ssh key storage. I remember having to start certain UI programs from a shell just to run them because they needed SSH abilities.



