Monday, March 15, 2021

Mac Software Updates Open Up sshd

Rachel Kroll (Hacker News):

A couple of weeks ago, I read a post about how the “sealed system” on Big Sur was hurting people. I kind of skimmed through it and figured it was mostly complaining about the size of the download. For whatever reason, that hadn’t been a problem for me and my machines, so I kind of wrote it off.

Last night, I applied the latest security patches to arrive at Big Sur version 11.2.3, and realized that I should have paid more attention to that thing. It explained something that I had been noticing for a while: my Apache config would keep reverting.


Why would it matter if the sshd config got reverted? Simple: it’s because the stock Mac sshd install includes password-based auth, and that means someone can brute-force their way onto your machine if they can connect to it on port 22 for long enough.

I don’t understand how this would be caused by the SSV, and there’s a report that it’s actually been happening since Catalina. Big Sur updates are also removing the command-line developer tools, although this is also not due to the SSV, as far as I know.


Update (2021-03-16): TJ Luoma:

This has been happening for a long time, and not just on Big Sur. Apple resets 1) sshd_config, 2) ssh_config, 3) the config file that speeds up Time Machine, and 4) the setting that allows you to use Touch ID for sudo auth.

I now have scripts to re-apply those settings.

Also, after every point-update, macOS asks me if I want to turn on Siri (a setting I’ve never enabled on any Mac, ever…take a hint, Apple).

I recently turned off Document & Desktop sync via iCloud, and after a point-update, I was asked if I wanted to re-enable that too.


Update (2023-10-25): Rachel Kroll:

They’ve changed the way the config works [in Monterey] to add a “.d” directory scheme which sets some defaults. There is now /etc/ssh/sshd_config.d, and in it, 100-macos.conf.

Editing that file would likely get reverted upon the next patch (12.0.2?), so that’s right out. You can’t go past it with a higher number, since as the sshd_config points out, the first instance of a setting is kept, and subsequent instances of the same setting are ignored.

Instead, you have to get in front of them, and use a LOWER number. Try something like “000-yourname.conf”[…]
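An added example (not code from Rachel Kroll's post, Apple, or this blog) of the lower-numbered drop-in approach described above, plus a check you can run after each update to confirm that password authentication is still off. It assumes the /etc/ssh/sshd_config.d directory named in the quote; the drop-in file name 000-hardening.conf is an assumption that follows the quoted "000-yourname.conf" pattern. The effective_value function mimics sshd's "first occurrence wins" rule by reading the drop-ins in sorted order, so the check works even on a machine without sshd.

```shell
#!/bin/sh
# Added example, not from Rachel Kroll's post or Apple: keep a lower-numbered
# drop-in sorted ahead of Apple's 100-macos.conf so our settings win under
# sshd's "first value of a keyword is kept" rule, and verify the result.

# File name is an assumption following the "000-yourname.conf" pattern.
DROPIN_NAME="${DROPIN_NAME:-000-hardening.conf}"

# Write the drop-in into the given sshd_config.d directory. Turning password
# auth off closes the brute-force window the post describes.
write_dropin() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/$DROPIN_NAME" <<'EOF'
# Constructed hardening drop-in; sorts ahead of 100-macos.conf
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF
}

# Report the value sshd would take for a keyword: scan the drop-ins in
# lexical order (as the glob in the Include directive does) and keep the
# first match, ignoring comment lines. Prints "unset" when no file sets it.
effective_value() {
    dir="$1"; key="$2"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        v=$(awk -v k="$key" 'tolower($1)==tolower(k) {print $2; exit}' "$f")
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    printf 'unset\n'
}

# Post-update check: exit 0 when password auth is effectively off, 1 when
# the drop-in is gone or outranked by a lower-numbered file.
check_password_auth() {
    [ "$(effective_value "$1" PasswordAuthentication)" = "no" ]
}

# Usage: sh sshd_dropin.sh install|check  (no argument: only defines functions)
case "${1:-}" in
    install) write_dropin /etc/ssh/sshd_config.d ;;
    check)   if check_password_auth /etc/ssh/sshd_config.d; then
                 echo "PasswordAuthentication no is in effect"
             else
                 echo "WARNING: password auth is enabled; re-run install"
             fi ;;
esac
```

On the real machine, `sudo sshd -T | grep -i passwordauthentication` prints the value sshd itself resolves, which is the authoritative check; the directory scan above only reproduces the ordering rule so you can see which file is winning when the two disagree.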

1 Comment

Fortunately, recovery isn't as painful as it might otherwise be. On my system (Catalina), every time Apple installs an update that touches system configuration files (typically my custom HTTPD configuration), Apple creates a "Relocated Items" folder in the /Users/Shared folder, and places a shortcut to it on my account's desktop.

In there, you can find what you need to recover from any changes.

If Apple changes a configuration file that you edited, they copy your original to Relocated Items. If they did not change a file you edited, they will put a copy of the default file contents in there.

You can then (I recommend from a terminal window running a root shell) compare these relocated files against the actual configuration files, copying the bits and pieces you require from the Relocated Items folder to the working files, ignoring those bits you don't want to change.

It may take a little time, but it's far easier than trying to re-create a custom configuration from scratch. Whenever I see a Relocated Items folder after a system update, I go and look at its contents to make sure none of my customizations were deleted.
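An added example, not the commenter's own procedure or script: a POSIX shell function that walks a Relocated Items tree and diffs each file against its live counterpart, so you can see exactly which lines an update changed before copying anything back. It assumes the relocated copies mirror their original paths under a root (for example etc/ssh/sshd_config beneath the relocated folder); that layout is an assumption, so pass the actual Relocated Items subfolder and the root it mirrors as arguments.

```shell
#!/bin/sh
# Added example, not the commenter's script: compare every file under a
# relocated-items tree with the same relative path under the live root.
# Layout (relocated copies mirroring paths under /) is an assumption.

# Prints one line per relocated file, SAME / DIFFERS / MISSING followed by
# the relative path, and a unified diff for each DIFFERS entry. Returns the
# number of non-SAME files (capped at 255) so a post-update script can alert.
compare_relocated() {
    relocated="$1"; live="${2:-/}"
    list=$(mktemp)
    # Stage the file list in a temp file so the loop runs in this shell
    # and the counter survives (a piped while-loop would be a subshell).
    find "$relocated" -type f | sort > "$list"
    changed=0
    while read -r f; do
        rel="${f#"$relocated/"}"
        target="$live/$rel"
        if [ ! -e "$target" ]; then
            printf 'MISSING %s\n' "$rel"
            changed=$((changed + 1))
        elif cmp -s "$f" "$target"; then
            printf 'SAME    %s\n' "$rel"
        else
            printf 'DIFFERS %s\n' "$rel"
            # live file first, relocated copy second: "-" lines are what
            # the update left behind, "+" lines are your saved version
            diff -u "$target" "$f" | sed 's/^/    /'
            changed=$((changed + 1))
        fi
    done < "$list"
    rm -f "$list"
    if [ "$changed" -gt 255 ]; then changed=255; fi
    return "$changed"
}

# Usage (paths are an assumption about the folder layout):
#   sudo sh compare_relocated.sh "/Users/Shared/Relocated Items/<subfolder mirroring />" /
if [ $# -ge 1 ]; then
    compare_relocated "$@"
fi
```

Nothing is written back: the function only reports, and the copying of individual lines into the working files stays a manual step, which is what you want when the update also introduced legitimate new defaults.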
