I think Catalina 10.15.4 broke SSH (feed.tyler.io)
neonate 1478 days ago [-]
ncmncm 1478 days ago [-]
Anyway the parent item seems to be something about a specific, named release of Apple's proprietary MacOS operating system. It seems we are being warned that if we upgrade to it, something will not work anymore. Those of us not inclined to install Catalina may sigh in relief; our instances of SSH have not been broken.
new_realist 1478 days ago [-]
99.999% of all of us got that just from the title, thanks. Congrats on puzzling it out.
sudoaza 1478 days ago [-]
I didn't, and funny you'd think the Mac userbase is that big
albedoa 1478 days ago [-]
Mac users are not the only group who know what those words mean.
segfaultbuserr 1477 days ago [-]
Yeah, I don't use macOS and I don't own any Apple computer. But a weird California location name + version number 10 is a dead giveaway.
sudoaza 1477 days ago [-]
Didn't know Catalina was a California location either; to me it's just a female name. I actually thought she might be a contributor to the SSH project.
albedoa 1477 days ago [-]
You thought "Catalina 10.15.4" referred to a human woman? Come on.
finnthehuman 1477 days ago [-]
A prominent branch of a project named after the maintainer, accompanied by a version number?

That's a reasonable option for what "Catalina" might mean from context clues. Have you never run Alan Cox or Con Kolivas?

albedoa 1477 days ago [-]
> That's a reasonable option for what "Catalina" might mean from context clues.

Agreed! But my comment was in reply to someone who wants you to believe that he genuinely read "99.999%" as a claim about the size of the Mac user base. His game is not one of context clues, and you don't need to play it.

sudoaza 1477 days ago [-]
Yeah, the numbers were weird, but I thought there are plenty of crazy usernames out there. Didn't pay a lot of attention though; went through the comments, saw it was about Mac and I could safely ignore it.
tomhoward 1476 days ago [-]
Sounds like you used the site as intended.

On a website whose primary audience is technology professionals, it's reasonable to assume that a significant portion of the audience can recognise the version name of a computer operating system that is at least the second most-popular in the world, and possibly the most popular among this site's audience.

But it's also part of HN's ethos that not everything has to be spelled out all the time, and that it's OK if users sometimes have to "work a little":

https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

ncmncm 1478 days ago [-]
People who have or care about Apple products were likely to get that, but the title says "SSH", not "Apple". "Catalina 10" means absolutely nothing to almost everyone.
saagarjha 1478 days ago [-]
Those people can search it up, rather than being told about "Apple's proprietary MacOS [sic] operating system".
serf 1477 days ago [-]
it's more like referring to the specific animal that represents the release of Ubuntu you want to talk about.

Not that many people would understand 'I think Eoan Ermine 19.10 broke SSH'.

Plenty of people understand 'I think Ubuntu 19.10 broke SSH', or 'I think macOS 10.15.4 broke SSH'.

OJFord 1477 days ago [-]
To be fair, I would have written 'macOS 10.15.4' rather than 'Catalina 10.15.4' partly for this reason (macOS is a stronger brand), but also partly because I think it's more accurate/less redundant.
floatingatoll 1478 days ago [-]
To summarize OP:

Their 10.15.4 macOS built-in ssh terminal command is unable to reach hostnames when a port number higher than 8192 is used.

EDIT:

Comments differ; one indicates issues SSH'ing to lower than 8192 ports, another indicates no issues SSH'ing to higher than 8192 ports.

Apofis 1478 days ago [-]
chaos:1111
weej 1478 days ago [-]
And Tyler "end(ed) up on Hacker News again bitching about Catalina"
saagarjha 1478 days ago [-]
That’s not completely his fault, is it?
slovette 1478 days ago [-]
Catalina is broken in many ways.

This complaint, and Remote Access (so I can SSH to my $4k MacBook) disables itself anytime the computer is restarted.

But more importantly, I’ve still not found a Thunderbolt Display that doesn’t routinely crash screen manager services upon idle user activity. 3 x $300 thunderbolt3 dock solutions later and not a one hasn’t crashed this computer. All main brands, two of which sell accessories in the Apple store.

Problem also existed with a top of the line 13” MacBook Pro.

I’ve just gotten used to the shoddiness that is Catalina. Figure if I go to the bathroom, upon return I have a fresh, new clean desktop environment. Feature not a bug. Yay!

kerakaali 1478 days ago [-]
This is why I went back to Mojave. Apple has had a history of breaking dev environments on release for people who don't code under their ecosystem of dev tools (well on second thought, they make life difficult at times even for people that do), and I don't see that trend changing in the future.

Eventually every new release has stabilised, but it seems that doesn't hold true for Catalina.

taormina 1478 days ago [-]
A history of breaking dev environments? I'd argue they have a history of breaking everything on release. I do agree that they have a history of stabilizing after a few months, but it's been longer than that.
djsumdog 1478 days ago [-]
Yeah, Apple doesn't care about backwards compatibility. You can run some ancient 32-bit Windows games on Win 10 (so long as they don't use DRM that uses low-level things like direct CD/DVD I/O). If you have a collection of physical disc Mac games, there is a good chance 0% of them run on 10.15 (or many of the releases leading up to it).
Polylactic_acid 1477 days ago [-]
There is a good chance that less than 10% of your mac games from a few years ago work on current macos since they killed 32bit support. And now there will be essentially no new mac games since they will not support vulkan and stopped updating openGL.
1propionyl 1477 days ago [-]
The bit about a Vulkan and OpenGL isn't really accurate.

Practically no one, apart from some hobbyists working on side projects, are actually using Vulkan or Metal or D3D12 directly to make games or applications. These APIs weren't written for end-developers to use directly, they were written for engine developers.

I mean, it's fun to try. But you'll have to write something like ~1200 lines of C/C++ just to render a single triangle. It's a far cry from playing around with OpenGL immediate mode.

And to be frank, Vulkan/Metal/D3D12 are about as similar to one another as major graphics APIs have ever been. Sure, there's quite a lot of differences, but the broad strokes are more or less similar.

hyperjeff 1475 days ago [-]
I agree that usually one uses a higher level API, but I've worked on commercial apps that use Metal both for graphics and compute. The code is not so unwieldy as is suggested here. An old triangle test app I have here shows only about 100 lines of graphics code.
1propionyl 1463 days ago [-]
In Metal, yes. In Vulkan it's a lot more.

Of course, a lot of this code is code you only write once and then abstract on top of. Metal just has a lot of that abstraction "done for you" because it's only designed to work on a closed set of hardware profiles.

Vulkan requires a lot more signatures in triplicate and setup rituals. Not a bad thing, just a different target.

pjmlp 1477 days ago [-]
There are plenty of new Mac games, since all game engines that matter already added Metal support and I bet that long term Apple Arcade will have more games than Desktop Linux.

So far Vulkan has been mostly a thing on Linux anyway.

dwighttk 1478 days ago [-]
we are getting close to 10 years since I owned a Mac with an optical drive (and definitely a decade+ since I used an optical drive on my mac very often)
ImprovedSilence 1478 days ago [-]
haha oh boy. I was actually just about to install Catalina today, figuring I'd put it off long enough and everything has to be smooth by now (and system update bugs me about it often enough)... But lo and behold, I log into HN and see this thread....
eslaught 1478 days ago [-]
Just FYI, you can disable that notification:

https://www.macworld.com/article/3447396/how-to-stop-getting...

It does not prevent the red notification dot on the System Preferences app, but it does mean at least you don't get the notifications pop up on your screen.

KarlKemp 1477 days ago [-]
I’ve had zero problems with Catalina. You can also find complaints about every release of MacOS going back a decade+.
dman 1478 days ago [-]
The unix illusion breaks more and more with every release
rhizome 1478 days ago [-]
Every day they stray further from BSD's light
fmajid 1477 days ago [-]
The main reason why I won't buy the new MacBook Air is that it's Catalina only. Good thing my Mac Mini shipped with Mojave despite my ordering it months after the Catalina release. It's really the Windows Vista of macOS.
dawnerd 1478 days ago [-]
I've tried to find a thunderbolt3 dock that worked perfectly but none have - not even limited to Catalina. My monitors will randomly switch refresh rates or resolutions or not even display picture. Plug them into a pc and they work every single time.
emmelaich 1478 days ago [-]
I have Catalina. It doesn't play nicely with a Dell D6000 powerbrick / dock.

The display is fine but it won't charge at the same time.

I have not installed the Dell 'driver'; it loads a kext so probably won't work anyway. I'm not upset about that. Docking should not require a kernel module.

That's about it. Catalina has been fine every other way.

LilBytes 1478 days ago [-]
The thing is with this charging bullshit is, it worked fine prior to 10.15.4. Prior to that version, my Mac charged and outputted to multiple screens at the same time.
0xff00ffee 1478 days ago [-]
Try a Henge dock. Been using one for 6 years. No monitor or thunderbolt issues.
dawnerd 1478 days ago [-]
I actually have one but haven't really used it yet since I decided to just use windows and be done with all the mac problems for now. Still use my MBP but only from the couch.
0xff00ffee 1478 days ago [-]
Wow, there are so many mac problems in your workflow that WINDOWS is easier to use? Ouch.
dawnerd 1478 days ago [-]
I know, sad right? Thankfully most of the stuff I do is on a dev server so doesn’t really matter. As long as vs code works.
kevindong 1478 days ago [-]
The Dell U3419W (with Thunderbolt 3) works exactly as promised for me.

https://www.dell.com/en-us/work/shop/accessories/apd/210-arc...

slig 1478 days ago [-]
I've had a lot of compatibility issues between my U3818DW and macOS and Dell doesn't care. Even more, their support staff on their public forums don't even acknowledge their buggy USB-C implementation and insist on blaming Apple. [1]

[1]: https://old.reddit.com/r/UsbCHardware/comments/ettgrg/dell_r...

JohnBooty 1477 days ago [-]
That's a shame. This monitor is spectacular over DisplayPort with my good old 2015 MBP.
slig 1477 days ago [-]
Indeed, the image, price and size are spectacular. But this attitude has put me off Dell and they won't get my business anytime soon.
acdha 1478 days ago [-]
That's true for most Macs, too: people are very prone to believing that their experience is universal rather than a hardware failure or local configuration issue.
kevindong 1478 days ago [-]
FWIW, the monitor I talked about is the standard issue monitor for most employees (~500) at my office. My company has MBPs ranging from 2016 to 2020 of varying sizes and I've never heard anyone say anything negative about the connectivity to their monitor.
cromka 1477 days ago [-]
It has USB-C, not Thunderbolt.
unicornmama 1478 days ago [-]
I completely disabled everything to do with sleep. “Solved” the problem for me.
anonexpat 1478 days ago [-]
The first thing I install on a fresh Mac is amphetamine.
SamuelAdams 1478 days ago [-]
Just curious, how is this different from Caffeine?

http://lightheadsw.com/caffeine/

oefrha 1478 days ago [-]
It has more features. Check https://apps.apple.com/us/app/amphetamine/id937984704?mt=12 for details.

The one you linked to looks like a simple wrapper of caffeinate(8).

skoskie 1478 days ago [-]
Caffeine might be better in this scenario, but amphetamine has some auto triggers and custom settings for keeping the system awake but still turning off the screen, etc.
wyclif 1478 days ago [-]
One difference is that Amphetamine isn't updated as well, also seems more hackish. I switched to Caffeine a while ago.
blacksmith_tb 1478 days ago [-]
Or just running caffeinate -t 10000?
asveikau 1478 days ago [-]
Maybe I will get flamed for saying it. What a shockingly tasteless name for an app.

Edit: guessing that downvoters haven't encountered a lot of people suffering from addiction

mulmen 1478 days ago [-]
The most popular third party software installation tool for MacOS is called Homebrew. Alcoholics exist. That doesn't make the name offensive.

Amphetamines have legitimate therapeutic uses, it's not only crippling addiction.

asveikau 1478 days ago [-]
Actually you just made a pretty convincing case that Homebrew has similar issues. I am already not a fan of it because I have hit too many amateurish bugs, but now I have another reason.

By the way, the word brew is also used for other things, e.g. coffee or tea, and homebrew is a common metaphor for other things, where amphetamine is unambiguously one thing.

htfu 1477 days ago [-]
Overdiagnosis & misuse etc aside the number of people using amphetamines therapeutically may well outnumber your "unambiguous" cohort by a larger fraction than drinkers do alcoholics.

Tasteless comment.

asveikau 1477 days ago [-]
I didn't say use was unambiguously non-therapeutic. I said it was unambiguously a drug. There are no famous cultural metaphors analogous to "homebrew computer club" etc. It always refers directly to the substance.

Maybe you should consider that a close family member had problems with this very recently before you call me tasteless. It is in fact really fucking stupid that some privileged Mac programmer, probably young and of limited life experience, thinks that is a cutesy name for his (yes I am assuming male) project and not the name of something ruining a lot of lives, probably thinks it's hilarious and clever. He has no taste. Opiates also have legit use. I wouldn't name a project after those either. There is a thing such as tone deafness.

mulmen 1478 days ago [-]
Yeah Homebrew is kind of a bad example. I wish there was at least an option to use descriptive names instead of tortured analogies.
dmitriid 1477 days ago [-]
Is there a world-wide approved list of names and topics that we're allowed to use to avoid infringing on sensibilities of 100% of world population?
jwandborg 1477 days ago [-]
I take prescribed amphetamine [0] twice every day. The taste of the name is not in the name, it's from whatever else you had in your mouth at the same time.

[0]: https://en.m.wikipedia.org/wiki/Lisdexamfetamine

x0 1478 days ago [-]
Yeah, I've had my problems in the past and whatever that app is, I wouldn't be keen on having that on my computer, it would only serve to remind me.
JoachimS 1478 days ago [-]
My issue with Catalina is that every time I open up the laptop and log in (so sleep, not reboot) it has forgotten the Apple-ID password and needs it to be entered. I've tried all suggested solutions (I'm not alone) including resetting the NVRAM etc. But so far no luck.

I'm holding off installing Catalina on my main machine. And now they seem to focus on 10.16 instead.

lowbloodsugar 1478 days ago [-]
I have two CalDigit TS3+ docks (home and office). At home, I have a 4k monitor in the display port and a Thunderbolt 27" plugged into the TB3 port using an adapter. My previous dock couldn't handle the 27" at all, so I had to plug that in directly to the Mac. Usually when I needed to wake the machine, I had to unplug both the dock and the 27", log in, and then plug them back in again. Now with the CalDigit, it just works. It's also like $300, so I guess TB3 is hard and they know it =)

I am still on Mojave tho, so may suck on Catalina.

TheRealDunkirk 1478 days ago [-]
Figure this is the place to jump in here. I tried a couple cheaper docks and sent them back to Amazon immediately. I bought a CalDigit, and it's been rock solid for many months now. I connect an external display (Asus 27" 4K) to it, remove it, use the built-in display, and use it in clamshell, off and on, all through the day. Not one problem at all. There's no sugar-coating it; they're at the top of the range for TB3 docks, but mine's been worth every penny. I've been on Catalina since launch day.
ipython 1478 days ago [-]
I know "me too" is discouraged here but yes I have the same experience (Caldigit TS3+ dock, works great in Mojave). Expensive, yes, but at least now it's down to $250 both at apple as well as amazon.
syndacks 1478 days ago [-]
I had this problem as well on a 13" MacBook Pro.

My "fix" was to go HDMI to USB-C (instead of Thunderbolt to USB-C).

I understand this might not be viable for everyone, but it resolved the issue for me.

0xff00ffee 1478 days ago [-]
"I’ve still not found a Thunderbolt Display that doesn’t routinely crash screen manager services upon idle user activity."

I've been using a Dell U2515H for almost six years on my late 2013-model MBP and thunderbolt port, never had an issue. I'm also going through a Henge thunderbolt dock. It's not a macOS problem.

vardump 1477 days ago [-]
I think the Dell U2515H doesn't have Thunderbolt, only DisplayPort. So I wouldn't call that a Thunderbolt display if it doesn't have the ability to chain further Thunderbolt devices.
sitzkrieg 1478 days ago [-]
naive take, i have same problem but if i boot into windows on the mbp it works fine. how do you explain that?
0xff00ffee 1478 days ago [-]
Trivially easy to explain:

The monitor you have didn't properly implement the Thunderbolt spec, and since Windows has looser adherence to the spec than macOS, things work fine.

This happens with web browsers every decade or so. "Browser X" follows the Javascript spec to a tee, which breaks millions of poorly written websites, so "Browser X" has to degrade its performance or lose market share, and thus we have lots of sites that are out of spec.

Make sense?

henriquez 1478 days ago [-]
Your explanation could be plausible but do you have any evidence to back it up? Most curious is the fact that people are complaining about a specific OS version with regard to the problems. Did the spec change between OS releases?
0xff00ffee 1478 days ago [-]
No but the OS could have fixed a bug or tightened the spec.

I have evidence in other domains, as per my example.

But thanks for moving the goalpost. /salute/

OP asked for an explanation, I gave one. Was it correct? I don't know, I just provide reasoning skills.

henriquez 1478 days ago [-]
My intent was not to move the goalposts, I was just wanting you to elaborate. Even though the explanation is trivial to you, it may not be that way to others.

(A corollary to this are the forum posts starting with a technical problem and ending with the OP saying "figured it out!" and no further explanation :)

beart 1478 days ago [-]
Assume this is true. Why is it a good thing? If the looser spec handling on Windows fixes the bug without introducing other problems, then from the user perspective, Windows is doing the correct thing and OSX is failing.
zimpenfish 1477 days ago [-]
But it then ends up with standards being meaningless and people who are running not-Windows get screwed (like UEFI, ACPI, and various other nonsenses that "work fine" on Windows but not on Linux, etc.)
beart 1477 days ago [-]
That assumes Microsoft broke the spec and the hardware was designed for it. The scenario in the thread is that the hardware broke the spec and Microsoft just made it work. I don't think that's much different than a lot of other software. Look at all the application specific code and fixes added to graphics drivers, for example.
jiveturkey 1478 days ago [-]
LG 4K works perfectly for me.

I've tried every TB3 dock available. They all have bugs that render them unusable for me. The one that was the closest to being good -- OWC 12 port I think -- wouldn't tolerate MBP sleep. After wake from overnight sleep (maybe the Mac would go to hibernate -- I didn't investigate further) the dock would need to be reset. I've never had the MBP crash though, but I haven't gone back to trying docks now with Catalina.

There certainly is something particular to your environment causing this crash. Such a bug would be in all the news.

lostlogin 1478 days ago [-]
I haven’t encountered that, but have other more minor gripes. When in clamshell and an external monitor is plugged in and you restart, all you have actually done is shut down (you have to open up the laptop and turn it on again). The way things break for ‘security reasons’ which you have to hunt for through the settings page. E.g. VMWare Fusion won’t work unless you happen to know that it needs enabling in security settings, but some breakages are even more obscure and don’t generate an error message.
ravishi 1478 days ago [-]
Oh, so that's why my computer restarts from time to time when I get away from my desk. And I'm not even on Catalina yet, just use a 13" MacBook Pro.
FlagsAreFun 1478 days ago [-]
My 2013 Mac Pro does this too - it's actually (at least in my case) a kernel panic.
amaccuish 1478 days ago [-]
> This complain and Remote Access in (so I can SSH to my $4k MacBook) disables itself anytime the computer is restarted.

I've found IPv6 stops working after sleep, the appropriate area in the network pane is blank (I use RA not DHCPv6). Since the Mac updates its DNS records and puts IPv6 addresses in I've found accessing via hostname stops working, but then of course I can use the IPv4 address which works fine.

skoskie 1478 days ago [-]
Yep. I turned off IPv6 support on my router and computers, and still use RA. No more issues on the local network except one ... the DNS settings on my MacBook constantly revert to a default value, killing my host name access to my docker containers. But at least it’s a quick fix.
geerlingguy 1478 days ago [-]
Yeah both of my TB3 docks result in crashes after unplugging or plugging in while the display is off. Very annoying behavior.
internalthief 1478 days ago [-]
I've been using the Belkin Thunderbolt 3 dock for years now, and have had 0 issues with crashes.
makecheck 1478 days ago [-]
So, some quick debugging here...

In his screenshot the bad login hangs at "Connecting to clickontyler.com port" (noting that no port number appears and no period at the end).

While I can’t be sure exactly which "ssh" patch Apple may have, this seems to be the relevant file and logging code (starting at line 448):

https://github.com/openssh/openssh-portable/blob/master/sshc...

In that code, the only thing that can set the "strport" value that is used in the log is a call to getnameinfo().

If that string is corrupted in any way, e.g. not terminated or perhaps has invisible characters that trigger bad terminal behavior (such as invisibility), the act of logging it might produce the apparent hang seen here.

Again, a guess but it is possible that getnameinfo() is not necessarily processing the record correctly (for whatever reason). One such example is in the "getnameinfo" man page at the end, under CAVEATS, where they show an example of not simply trusting the result of the first call.

tylerhall 1478 days ago [-]
Good sleuthing, but the missing port number is simpler than that. I just blacked it out of the screenshot. I know very well that running sshd on a non-standard port has no benefits security-wise, but it does lessen the length of my log files from dumb script kiddies. I redacted the port in the screenshot for that reason.
jonny_eh 1478 days ago [-]
You should mention that in the caption, or use a non-black colour as a mask.
simias 1478 days ago [-]
>I know very well that running sshd on a non-standard port has no benefits security-wise

I don't know if Mac OS is different, but on other unices ports above 1024 are not privileged, meaning that anybody can bind them. Now, it increases the attack surface only a tiny bit (you have to have your sshd offline, and the attacker has to have local access, and then bind a fake sshd to your port in order to MitM. And even then they won't be able to spoof the server key unless it's not chmoded correctly).

Still, better safe than sorry IMO, I also use a non-standard sshd port but I keep it in the low range. In my experience it's more than sufficient to get rid of 99% of dumb attacks that generally don't bother looking beyond port 22.

INTPenis 1478 days ago [-]
I think using a non-standard port is a good layer of security, among other layers.

My personal suggestion though is to use 1022 because it's below 1024. This means only root is allowed to bind to it. Preventing possible connection jacking attacks if an attacker is able to crash your own server and run theirs to harvest your passwords.

jlgaddis 1478 days ago [-]
You might add a few "-v"'s to your "ssh" command-line for more verbose debugging information.
bo1024 1478 days ago [-]
A port is mentioned in this line, you may want to redact it. Where I put X's below, is a port number.

> So, I tried ssh ip-address -pXXXXXXXXX

tylerhall 1478 days ago [-]
Thanks, but that's not the port number :-) That was just for illustrative purposes.
bo1024 1477 days ago [-]
Ok great.
0x0 1478 days ago [-]
Have you tried running ssh in lldb/gdb and dumping a stacktrace when it hangs? Might have to copy the ssh binary to a temp dir to avoid SIP denying ptrace.
ThePowerOfFuet 1478 days ago [-]
Doesn't even need to go this hardcore; simply reading the verbose output would show where things are getting stuck.
0x0 1477 days ago [-]
The verbose output didn't seem to point out the exact system call or libc call that got stuck. A lldb/gdb bt stacktrace could pinpoint what's hanging (for example, some people mentioned parsing /etc/services). I don't think this has been resolved yet?
ThePowerOfFuet 1478 days ago [-]
Disable password auth and go with keys only, and your logs will go quiet.
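An added example, not code from the thread or from OpenSSH, tying together the privileged-port point raised by simias and INTPenis (a local attacker can only squat on the sshd port if it is unprivileged and currently free) and the keys-only advice just above. It audits a constructed sshd_config fragment for those two settings, and then probes empirically whether the current user can bind the port, because the "below 1024 means root only" rule is OS-specific: on macOS 10.14 and later unprivileged processes can bind ports below 1024, so the number alone proves nothing there. The sample config texts, the loopback address and the hypothetical port numbers are constructed for the demonstration.

```python
import errno
import os
import re
import socket

# Added example, not the thread's or OpenSSH's code: checks whether an sshd
# port is privileged (unprivileged local users cannot squat on it while sshd
# is down) and whether password authentication is still enabled.
PRIVILEGED_PORT_MAX = 1023  # 0-1023 traditionally need root (CAP_NET_BIND_SERVICE on Linux)

# Constructed sshd_config samples for the demonstration, not any real host's file.
NOISY_SSHD_CONFIG = """\
# constructed sample
Port 8222
PasswordAuthentication yes
PermitRootLogin prohibit-password
"""

QUIET_SSHD_CONFIG = """\
Port 1022
PasswordAuthentication no
PubkeyAuthentication yes
"""


def is_privileged_port(port):
    return 0 <= port <= PRIVILEGED_PORT_MAX


def parse_sshd_config(text):
    """Minimal sshd_config reader: case-insensitive keyword, then value, separated
    by whitespace or '='; '#' starts a comment; repeated keywords are collected in
    order. Parsing stops at the first Match block, whose directives are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(text):
    settings = parse_sshd_config(text)
    ports = [int(p) for p in settings.get("port", ["22"])]  # OpenSSH defaults
    password_auth = settings.get("passwordauthentication", ["yes"])[-1].lower()
    findings = []
    if password_auth != "no":
        findings.append("PasswordAuthentication is on; keys-only logins keep brute-force noise out of the logs")
    for port in ports:
        if not is_privileged_port(port):
            findings.append(f"Port {port} is unprivileged; any local user can bind it while sshd is not listening")
    return {"ports": ports, "password_auth": password_auth, "findings": findings}


def try_bind(port, host="127.0.0.1"):
    """Bind a TCP listener and release it at once. Returns (True, None) or
    (False, errno name such as 'EACCES' or 'EADDRINUSE')."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((host, port))
        return True, None
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def bind_probe(port):
    """Empirical check of what the current user can bind: on macOS 10.14+ ports
    below 1024 are bindable without root, so the port number alone is no proof."""
    bound, err = try_bind(port)
    as_root = getattr(os, "geteuid", lambda: -1)() == 0  # assumption: POSIX host
    if bound and as_root:
        verdict = "bound as root; rerun as an unprivileged user to learn anything"
    elif bound:
        verdict = "unprivileged user can bind this port: the port number gives no protection"
    elif err == "EACCES":
        verdict = "bind refused: this port is protected from unprivileged users here"
    elif err == "EADDRINUSE":
        verdict = "port already in use (sshd or something else is listening)"
    else:
        verdict = f"bind failed with {err}"
    return {"port": port, "privileged": is_privileged_port(port), "bound": bound,
            "error": err, "verdict": verdict}


if __name__ == "__main__":
    for name, text in (("noisy", NOISY_SSHD_CONFIG), ("quiet", QUIET_SSHD_CONFIG)):
        print(name, audit_sshd_config(text))
    for port in (1022, 8222):  # hypothetical ports, as in the thread
        print(bind_probe(port))
```

Run the probe once as root and once as an ordinary user on the host in question; only the unprivileged run tells you whether the port choice actually closes the "crash sshd, run a fake one" window that INTPenis describes.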
0x0 1478 days ago [-]
Maybe there is something funny in /etc/services on this machine that throws the call into an infinite loop? Perhaps near the bottom beyond port 8192?
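An added example, not code from the thread or from OpenSSH, serving makecheck's getnameinfo() hypothesis and the /etc/services hypothesis just above. It rebuilds the step that produces the port string in ssh's connect line, once with NI_NUMERICSERV (digits only) and once without it (services-database lookup), then sweeps a band of ports around 8192 timing each lookup and flagging results that are slow or carry control characters. The log-line shape follows the upstream portable OpenSSH debug message "Connecting to %s [%s] port %s."; that Apple's build formats it identically is an assumption, and the hostname and address used are constructed for the demonstration.

```python
import socket
import time

# Added example, not code from the thread or from OpenSSH: rebuilds the
# getnameinfo() step behind ssh's "Connecting to ... port ..." line so the
# numeric-port and services-database behaviours can be compared on the machine
# that hangs.


def describe_endpoint(host, port, numeric_service=True):
    """Return (host_str, port_str) the way getnameinfo() formats them.

    NI_NUMERICHOST keeps the address as digits (no reverse DNS). With
    NI_NUMERICSERV the port is digits too; without it getnameinfo() consults
    the services database (/etc/services on most systems) and may return a
    name such as "ssh" instead of "22".
    """
    flags = socket.NI_NUMERICHOST
    if numeric_service:
        flags |= socket.NI_NUMERICSERV
    return socket.getnameinfo((host, port), flags)


def connect_log_line(hostname, ip, port):
    """Shape of portable OpenSSH's debug line "Connecting to %s [%s] port %s.";
    assumption: Apple's ssh build formats it the same way."""
    _, strport = describe_endpoint(ip, port)
    return f"Connecting to {hostname} [{ip}] port {strport}."


def has_control_chars(s):
    """True if the string carries bytes a terminal would interpret rather than
    print, one of the corruption hypotheses for a log line that looks cut off."""
    return any(ord(c) < 32 or ord(c) == 127 for c in s)


def service_lookups(ports):
    """Resolve each port through the services database (numeric_service=False)
    and time the call. Returns {port: (port_string, seconds)}."""
    results = {}
    for port in ports:
        start = time.perf_counter()
        _, strport = describe_endpoint("127.0.0.1", port, numeric_service=False)
        results[port] = (strport, time.perf_counter() - start)
    return results


def suspicious_lookups(results, slow_after=0.5):
    """Ports whose lookup took longer than slow_after seconds or came back with
    control characters; either would deserve a look at /etc/services."""
    return sorted(
        port for port, (strport, secs) in results.items()
        if secs > slow_after or has_control_chars(strport)
    )


if __name__ == "__main__":
    # example.test / 127.0.0.1 are constructed values, not the post's host.
    print(connect_log_line("example.test", "127.0.0.1", 2222))
    # Sweep a band either side of 8192, the boundary mentioned in the thread.
    sweep = service_lookups(range(8180, 8205))
    for port, (strport, secs) in sweep.items():
        print(f"{port:5d} -> {strport!r:12} {secs * 1000:.2f} ms")
    print("suspicious:", suspicious_lookups(sweep))
```

If the sweep itself stalls on the affected machine, the hang is in the resolver path rather than in ssh, and a stack trace of the stalled process (as 0x0 suggests) would show which libc call it is sitting in.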
ProAm 1478 days ago [-]
"It just works" -- Is Apple too large now? Is this a QA problem, product team problem? Management? Catalina is still stumbling and I'm surprised to be honest after the past 4 years.
cflewis 1478 days ago [-]
My feeling is that Apple beancounters have decided macOS is mostly a gateway to Xcode for iOS development, anything else is just to help sell laptops. The stuff in "anything else" doesn't need to actually work well, just exist so it can be something on the features list.
asveikau 1478 days ago [-]
I feel like they are doing random deprecations with replacements that don't work as well as the original. As in, leaving the deprecated thing unmaintained but present in the install would be a better outcome. I wonder why they are wasting so much time doing this when they appear to have a working system. I'm not even talking about big items like 32-bit support or opengl but completely random libraries that work fine.
AnthonyMouse 1478 days ago [-]
This is a completely standard failure mode of large organizations. You have a product that works perfectly fine the way it is, but you also have an entire team of people whose job it is to do something with that product. The existing product has already been optimized for years and most changes are moves away from optimal rather than towards it, but they can't get paid to do nothing, so they change things that were better the way they were.

This is related to the thing where what customers want most is bug fixes for existing bugs but what marketing wants most is new features to sell to new customers and marketing tends to win, which causes the number of bugs to go up rather than down over time.

TheKarateKid 1478 days ago [-]
It's also a problem of company culture and career ladders. Fixing bugs and making a more stable product isn't going to line you up for a promotion - but some fancy new feature no one asked for will.
mleonhard 1476 days ago [-]
I think this is why Google's products have gotten worse over the last 6 years.
MiroF 1478 days ago [-]
As just another random instance, I updated my MacOS about a year ago and now I can only change the last 3 parts of my MAC address, the remainder appear to be fixed.

I know my hardware has the ability to change my entire MAC address - I don't get why they are doing this.

bostik 1478 days ago [-]
Branding?

The leading octets in MAC addresses are often called "vendor prefixes", and are assigned to various hardware vendors. Apple probably wants to ensure that all their devices show up in ARP scans and MAC lookups as Apple devices.

smolder 1478 days ago [-]
To make it harder to spoof specific devices, perhaps. Commercial end-user OS vendors generally don't think your computer being able to do something implies you should have control over that capability.
neets 1478 days ago [-]
I guess they are getting ready to run MacOS on Arm rather than AMD64
api 1478 days ago [-]
It does help that there is no overall competitor to MacBooks in terms of ease of use or (now that the butterfly keyboard is dead) build quality.

There are decent build PC laptops but you have to run Windows or Linux on them. Windows is a dumpster fire these days with ads in the start menu, the use of "dark patterns" to herd people into MS cloud, and out of control unnecessary telemetry. Linux is fine only if you have a lot of time on your hands to troubleshoot edge case issues and hunt for drivers. Linux also still (through no fault of its own) can't run a lot of apps that many people need.

aftbit 1478 days ago [-]
Linux is the only option IMO, but I have a very high yakshaving tolerance. That said, if you run a recent Ubuntu, most stuff "just works" as long as you don't need Photoshop or the Office suite.
jacobsenscott 1478 days ago [-]
Or 4k monitors, or screen sharing when running more than one monitor. That's the reason I haven't switched from macos back to linux (I was all in on linux until about 5 years ago when I started to care about display quality and working remotely).
vetinari 1478 days ago [-]
You know, in 5 years, many things changed.

What's wrong with 4k monitors? I'm typing this on Fedora machine with one (default install with no tinkering, Gnome on Wayland).

kevingadd 1478 days ago [-]
High-DPI is still a mess on Ubuntu (and Debian, for that matter). Last time I used Ubuntu on a 4k panel I had to manually edit some xorg config files. I'm using Debian+KDE right now and I had to manually make some adjustments (in a UI, at least) and it still randomly gets confused sometimes.
PureParadigm 1478 days ago [-]
Not true for me. I've used several distros (including Ubuntu) with Gnome on my 4K XPS and the worst I've had to do is go into Gnome settings and click 200% GUI scale. I'm pretty sure Ubuntu set that automatically.
skykooler 1478 days ago [-]
High DPI is fine as long as you have just one display. However, there's no good way to have one high-dpi display and one normal one (for example, a laptop with high dpi screen connected to a standard external monitor).
vetinari 1477 days ago [-]
There is a good way to have mixed-dpi setup: you use Gnome-on-Wayland (for normal users who expect normal desktop) or Sway (for those who want tiling wm).

Mixed DPI is not coming to X11 displays. If you insist on X11, you are going to have bad time.

rekoil 1477 days ago [-]
Not to mention mixed-DPI. Apple is the only vendor who actually handles HiDPI and mixed-DPI environments really well in my opinion.

macOS can scale different parts of an application differently depending on which screen it is on. So if you are in the process of moving an application from one screen to another, it doesn't change size mid-move.

Windows can't do that, and I've even seen applications where all windows belonging to an application use the same DPI (chosen based on which window is in focus), regardless of the DPI of the screen the window itself is on.

So it seems to me the integration of mixed-DPI into window rendering APIs was not well handled by the development team behind its implementation in Windows.

The most common "solution" I see is lowering the resolution of the high-DPI display, but that's not a solution, that's actually not even a workaround, it is literally removing the problem by pretending my screen is not as good as it is.

Finnucane 1478 days ago [-]
4K support seems to vary a bit from distro to distro. Some are good, some are lagging.
martin8412 1478 days ago [-]
I'm using Linux with 3x 4k monitors at work. I set the scaling to 150% and it just works. I'm using Awesome WM.
jacobsenscott 1477 days ago [-]
If all your monitors are 4k it works, but if you have a mix of high dpi and standard dpi monitors it does not work. And I'm betting you can't share just one of those monitors with any screen sharing software. Something I need to do frequently.
mixmastamyk 1476 days ago [-]
Sharing a window may work and amount to the same thing. Depends on the software perhaps.
mixmastamyk 1476 days ago [-]
Two 4k monitors here on Ubuntu Mate, works great. Shared my screen last week.
Jyaif 1478 days ago [-]
External monitor support on macOS is terrible. When it does work, you can't turn on HiDPI resulting in a tiny UI. And the latest 16" macbooks simply kernel panic: https://discussions.apple.com/thread/250876794
rekoil 1477 days ago [-]
It sucks that you are having issues with your setup, but in general macOS is the king of external monitor support.

Compare the experience with Windows for example, where disconnecting from your external monitors pushes all applications and windows to the remaining monitors, and doesn't restore them when the external monitor is reconnected.

macOS also handles mixed-DPI really well, no other vendor even comes close, Windows simply scales according to the monitor most of the application window is on, resulting in ugly resizing of applications when moving from one monitor to another.

I don't know what you're talking about with regards to "turning on HiDPI", can you elaborate?

Jyaif 1477 days ago [-]
By "turning on HiDPI", I mean having access to a menu such as this https://miro.medium.com/max/3518/1*QXxPDSp60XIZJhz4isSpiw.jp... Without the ability to scale the UI, this is what part of the UI of Xcode looks like on a 4k monitor: https://imgur.com/a/beTxJNG It's unreadable.
lmm 1477 days ago [-]
> Compare the experience with Windows for example, where disconnecting from your external monitors pushes all applications and windows to the remaining monitors, and doesn't restore them when the external monitor is reconnected.

Huh? I have a dock that I disconnect and reconnect from all the time; windows move onto my laptop screen when I disconnect, and move back onto my docked screen when I reconnect.

rekoil 1477 days ago [-]
Do you have multiple screens active at one time? This is really only a problem when you have multiple screens, applications don't "remember" which screen they are supposed to be on, they just go to the "primary" screen when docked.
lmm 1477 days ago [-]
Ah, you're right. I do use the dock screen and the laptop screen, but hadn't noticed that everything moves to the dock screen even if it was previously on the laptop screen when docked.
lostlogin 1478 days ago [-]
Does System Prefs > Displays > Scaled not work?
IggleSniggle 1478 days ago [-]
HiDPI is working fine on my 3 external displays
api 1478 days ago [-]
I would agree were it not for the hairy yaks. As a startup founder I just don't have time for my computer to not "just work." This is the primary thing that keeps me absolutely glued to Apple.

I do kind of like MacOS, but am concerned about their lack of strong interest in it.

I would pay for a "vertically integrated" open hardware Linux laptop. I've seen some promising projects but none are mature enough.

The second issue is apps, but that can be mitigated by having a Windows VM.

null4bl3 1478 days ago [-]
But this entire thread of comments and even the topic of the post is proof that it really just doesn't work.

I would argue that any major Linux distro at this point "just work" just as well as MacOS

jolux 1478 days ago [-]
> But this entire thread of comments and even the topic of the post is proof that it really just doesn't work.

Yeah, there may actually be close to a dozen people commenting here!

>I would argue that any major Linux distro at this point "just work" just as well as MacOS

Given my perennial attempts to switch to Linux which are inevitably thwarted by aggravating driver bugs and incompatibility issues with X Windows and Wayland (both), I'm inclined to disagree.

1478 days ago [-]
pjmlp 1477 days ago [-]
Or do any kind of serious 3D or audio related work.
pachico 1478 days ago [-]
Is this still an issue with Ubuntu? I haven't had any problems with drivers nor software for... 6 years and 7 laptops?
est31 1478 days ago [-]
I've had problems with printer drivers consistently since I switched to (K)ubuntu on the desktop in 2010ish. For the past 2 years, however, they are basically gone. That's thanks to IPP becoming more commonplace.

Then I'm having issues with PTP from my phone. Windows is fine but Plasma is broken. The phone also offers an MTP mode which thankfully works.

When I bought a Lenovo netbook in 2015, I was unable to set the screen brightness. It took a few years but eventually the issue got fixed with a new version of Kubuntu.

On my brand new ThinkPad T495 I'm having an issue with the graphics drivers, which crash and require me to issue an ACPI reboot when I close the lid and reopen it again. Pretty sure it's this issue as the error messages, symptoms and working workarounds all match. https://gitlab.freedesktop.org/drm/amd/issues/883

sudosysgen 1478 days ago [-]
KDE connect made plugging my phone into my computer basically obsolete, at least for me.
pachico 1478 days ago [-]
It might be that I use pretty standard hardware and don't have any fancy requirements, but really, I have evangelized several people and installed mostly Xubuntu on their laptops and I haven't had problems.
pjmlp 1477 days ago [-]
My APU is stuck in OpenGL 3.3 without video hardware decoding; I would like to get back the OpenGL 4.4 and hardware video decoding that it had with the AMD proprietary driver.
skrtskrt 1478 days ago [-]
Support for 4K monitors and multiple screens is still pretty miserable and causes stuttering, freezing, and crashing
ahsima1 1478 days ago [-]
Never had any problems with my 4K screen in Manjaro KDE, and only needed to change Xft.dpi in .Xresources in Manjaro i3
skrtskrt 1478 days ago [-]
I’m not saying it cannot work but I am saying an IT department cannot just install Ubuntu on a laptop, hand it to someone who doesn’t know how to hack at Linux, and have the display aspects “just work” with any monitor.

I have no beef with Linux, but we have to be honest about what it needs to be capable of to compete with MacOS for the general user unable or unwilling to hack at it a bit.

If the solution in any way involves "enter this command", you have lost the vast, vast majority of users. Those users will never have any idea that "Catalina broke SSH".

1478 days ago [-]
pachico 1478 days ago [-]
I think you are wrong. I have seen it happen more than once, even in my current company. Especially when companies use mostly online tools, like our case, it's a no brainer.
skrtskrt 1478 days ago [-]
Do you mean I am wrong that standard users won't notice ssh broken?

You're right, my statement may have been too strong.

We do know that Catalina isn't broken for everyone though as alluded to by others in this thread. No one in my company or anyone I personally know with a MacBook has been affected. There must be another interaction happening.

pachico 1478 days ago [-]
Sorry, no, I mean that you can really give Ubuntu units to people and expect it to work without any issues. If this works in schools it works also for power users :)
jhoward321 1478 days ago [-]
I've never had a problem with my 4k in fedora, but I only have a single monitor
michaelmrose 1478 days ago [-]
Linux had good support for multiple monitors when I started using it in 2003. Obviously something is crashing but it's not apt to be plugging in a monitor.
vbezhenar 1478 days ago [-]
There are plenty of good laptops and Windows is absolutely fine.
Polylactic_acid 1477 days ago [-]
Windows is not "absolutely fine". Ignoring the garbage heap of bad/inconsistent UI/adverts/nagware, it's just not even capable of running a lot of dev software. The guide for running Ruby on Rails on Windows is basically just to install a Linux VM.
vbezhenar 1477 days ago [-]
I'm running a lot of dev software and I never had to revert to Linux VM.

https://rubyinstaller.org/ Ruby for Windows.

I don't know why Ruby on Rails requires Linux, but those reasons are not technical.

pjmlp 1477 days ago [-]
It runs a lot of developer software perfectly fine, for those of us that are Windows developers first, and something else second.
Polylactic_acid 1477 days ago [-]
If you pick your laptop for linux support then you will have literally no driver issues. I'm running fedora on a Dell XPS and it runs flawlessly (Well the fingerprint scanner needs a 3rd party program).

Ubuntu is generally even easier since they bundle in proprietary drivers.

pjmlp 1477 days ago [-]
As if, I bought a Linux Laptop from Asus with Ubuntu, and my APU is still to get the OpenGL 4.4 that it had with the proprietary AMD driver, instead I should be happy that the open source version at least offers me OpenGL 3.3.
Polylactic_acid 1477 days ago [-]
That's unlucky but it doesn't apply to all laptops. My Dell XPS is currently running on a Vulkan version released in 2020. AMD strangely seems to lag behind Intel in drivers at the moment. Perhaps because until just now AMD laptops were rare.
rvz 1478 days ago [-]
Well no business end-user or any typical Mac user is going to be bothered about something technical like 'SSH' breaking their system. Only actual devs here would care.

For those business users, it just still works. For developers it's a problem.

quantified 1478 days ago [-]
Apple's made huge inroads with developers over the last few years, partly coasting off of a social dislike for Microsoft. There's enough Apple fandom out there that they can probably annoy developers a good deal more without affecting the inroads. After all, exactly what can a dev do about it anyway?
IggleSniggle 1478 days ago [-]
Switch to OpenBSD ;-)
pjmlp 1477 days ago [-]
Apple developers are perfectly fine.

UNIX developers, well, support OEMs that sell BSD and GNU/Linux laptops.

twunde 1478 days ago [-]
Macs have a fairly large share of devs, especially in the startup centers like SF and NYC. Most startups end up with macs as the default computer because of the developer experience as well as the ability to manage them for a consistent user experience using MDM solutions like Jamf or Fleetsmith (both Apple-only)
KarlKemp 1477 days ago [-]
You seem to be nurturing some stereotype of Mac users. Just check (photos of) any Silicon Valley or MIT Cafeteria to maybe calibrate your worldview.
Keverw 1478 days ago [-]
Catalina I haven't had many problems with, however I noticed some odd stuff. Like the Apple Menu and System Preferences: it reports one update available but if I go look, nothing. Then I was playing with the new TV app and went to watch one of the Apple TV+ shows and all I get is a black screen with audio when watching a show.

Then even before Catalina, my AirPods mic seems to act odd; I can hardly hear it and it messes with audio output too when listening to music. It sounds like I'm listening to hold music on a telephone unless I disable the mic using a third party app. I think having an old Bluetooth chip might be the reason though, since I have an older MacBook, while it works great on my iPhone.

sooper 1478 days ago [-]
Almost everyone in my office has issues with Bluetooth headphones mysteriously disconnecting - the sound output drops even though Bluetooth is still connected.

Very annoying and can't find a resolution.

emmelaich 1478 days ago [-]
A focus on security produces problems like these.

I can't blame them too much. It's probably worth it.

neuronic 1478 days ago [-]
Probably just trying to make Catalina thinner.
JdeBP 1478 days ago [-]
Here's an actual bug report:

* https://openradar.appspot.com/radar?id=4931259776106496

From that and the discussions.apple.com post, hyperlinked elsewhere in this discussion, it appears that the >8192 condition varies according to what the hostname actually is.

The bug report is datelined 2020-04-26, interestingly. There might be a bug in the bug reporting system. (-:

oefrha 1478 days ago [-]
> The bug report is datelined 2020-04-26, interestingly. There might be a bug in the bug reporting system.

No, you can type whatever date you want. The "add a new radar" screen is just a bunch of text input boxes: https://i.imgur.com/nNf457J.png

JdeBP 1477 days ago [-]
The ability to type whatever date one wants is often considered to be a bug. The ability to post-date reports a month into the future sometimes is, too. (-:
oefrha 1477 days ago [-]
You can not only type whatever date, but also whatever non-date. The site just assumes good intentions and is working as designed.
saagarjha 1478 days ago [-]
OpenRadar is community-maintained, and rather poorly at that these days.
0x0 1478 days ago [-]
I can't reproduce this. macOS 10.15.4, ssh'ing to a very high (5-digit) port with a hostname, no problems.
jpwgarrison 1478 days ago [-]
Same here, 5 digits and a hostname = no problem. There must be some other factor(s) in play.
0xff00ffee 1478 days ago [-]
Ditto. There's a post a few levels above where they are digging into the source of ssh, I'm following that!
ajphdiv 1478 days ago [-]
I can't either; in fact all 10+ of the hosts that I routinely access have ports higher than the OP's issue.
andai 1478 days ago [-]
Offtopic but why are people using high port numbers? Additional security due to a nonstandard port? If so, does that go together with anything additional like port knocking? Or is it multiple hosts on the same IP, but different ports?
vbezhenar 1478 days ago [-]
Some people think that it adds to security. Some people want to reduce noise in logs.
cozzyd 1478 days ago [-]
A relatively common use case is multiple devices behind a NAT, where each port goes to a different device.
ajphdiv 1477 days ago [-]
It's to keep my logs cleaner. It doesn't add any security value since the port is still open. I don't allow password auth. I was just always annoyed with how many times port 22 was getting hit every day by attackers.
1478 days ago [-]
vgene 1478 days ago [-]
I had the same problem on a MacBook after upgrading to 10.15.4. However, I wasn't using a port number higher than 8192; the socket was 75 with a hostname. The problem was solved when I replaced the hostname with its IP or plugged in an Ethernet cable. I tried to restart mDNSResponder, flush the DNS cache and switch to a different DNS server. Nothing works so far.
colechristensen 1478 days ago [-]
I experienced a similar issue with a git repository hosted on a high port, `brew install openssh` fixed it even though the homebrew `ssh` was not first on my $PATH. Didn't bother to investigate further.
moonchild 1478 days ago [-]
Possibly that overwrote the config file for the system ssh?
colechristensen 1478 days ago [-]
I was thinking homebrew's git perhaps had a different $PATH (or was using shared objects?) that used the different openssh. Just guessing, didn't seem worth my effort at the time.
saagarjha 1478 days ago [-]
Isn't /usr/local/bin first on $PATH?
KarlKemp 1477 days ago [-]
Homebrew tends not to install to /usr/local/bin when that would replace a native version.
acdha 1478 days ago [-]
I suspect this is due to a feature being enabled for canonicalization and that the key part is the presence of the colon rather than the port number. On a 10.15.4 system, I see a line in the debug output which is not present in the screenshot:

> debug1: resolve_canonicalize: hostname example.org:7999 is an unrecognised address

If instead I use `-p` or a config-file option, everything works as expected.

lilyball 1478 days ago [-]
hostname:port is not a valid destination according to ssh syntax. A destination may either be [user@]hostname or a URI of the form ssh://[user@]hostname[:port].
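The syntax distinction above, as an added example in Python (not code from the thread or from OpenSSH): it models the two destination forms the ssh manual documents, `[user@]hostname` and `ssh://[user@]hostname[:port]`, and shows that in the plain form `example.org:7999` is taken as one hostname, which cannot be valid because a colon is not a hostname character. The hostname rule used here is the RFC 1123 label syntax; the message wording is this example's own, not ssh's.

```python
"""Parse an ssh(1) destination the way the manual page describes it.

Added example, not code from the thread or from OpenSSH. Two forms exist:

    [user@]hostname
    ssh://[user@]hostname[:port]

Only the URI form carries a port. In the plain form everything after an
optional "user@" is the hostname, so "host:7999" is a single (invalid) name.
"""
import re
from typing import NamedTuple, Optional

# RFC 1123 hostname label: letters, digits and hyphens, no colons.
_HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


class Destination(NamedTuple):
    user: Optional[str]
    host: str
    port: Optional[int]


def is_valid_hostname(name: str) -> bool:
    """True if every dot-separated label is well formed (a colon never is)."""
    if not name or len(name) > 253:
        return False
    return all(_HOST_LABEL.match(label) for label in name.rstrip(".").split("."))


def parse_destination(dest: str) -> Destination:
    """Split a destination into (user, host, port); port is None unless ssh:// is used."""
    user: Optional[str] = None
    port: Optional[int] = None
    if dest.startswith("ssh://"):
        rest = dest[len("ssh://"):]
        if "@" in rest:
            user, rest = rest.split("@", 1)
        if rest.startswith("["):
            # IPv6 literal in a URI must be bracketed: ssh://[2001:db8::1]:2222
            host, _, tail = rest[1:].partition("]")
            if tail.startswith(":"):
                port = int(tail[1:])
        elif ":" in rest:
            host, port_str = rest.rsplit(":", 1)
            port = int(port_str)
        else:
            host = rest
        if port is not None and not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        return Destination(user, host, port)
    # Plain form: no port syntax at all, the remainder is the hostname verbatim.
    if "@" in dest:
        user, dest = dest.split("@", 1)
    return Destination(user, dest, None)


def explain(dest: str) -> str:
    """Describe how the client would treat the destination (wording is this example's)."""
    d = parse_destination(dest)
    if d.port is not None:
        return f"URI form: connect to {d.host} port {d.port}"
    if is_valid_hostname(d.host):
        return f"plain form: connect to {d.host} on the default or -p port"
    return f"plain form: {d.host!r} is not a valid hostname (use -p or ssh://)"


if __name__ == "__main__":
    for example in ("example.org", "alice@example.org:7999",
                    "ssh://alice@example.org:7999", "ssh://[2001:db8::1]:2222"):
        print(f"{example:32} -> {explain(example)}")
```

Running it shows the asymmetry directly: the URI form yields a port, the plain form with a colon yields no port and an unresolvable name, which is the situation the debug line about an "unrecognised address" reports.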
richardkmichael 1478 days ago [-]
The Apple forum article cited by the OP indicates it's a problem with `-p <PORT>` as well.

https://discussions.apple.com/thread/251226509

jki275 1478 days ago [-]
That's a fair point. I use either an ssh config file with all the correct options in it, or the -p option if I'm doing it without a config file; perhaps that's why I've never had a problem.
KiDD 1478 days ago [-]
"I don’t want to end up on Hacker News again bitching about Catalina." Pretty sure that guarantees getting to the front page :D
phlakaton 1478 days ago [-]
This is truly the darkest timeline for that poor blogger. :-P
spaniard_dev 1477 days ago [-]
Those are the magic words. F*ck SEO, add that and you'll get a couple million page views.
derefr 1478 days ago [-]
Is macOS /usr/bin/ssh just upstream OpenSSH, or does Apple maintain a fork? If no fork, this would be an upstream OpenSSH problem, no?
paxswill 1478 days ago [-]
Apple includes a customized version of OpenSSH. From what I recall from the last time I looked at it, the changes were mostly integrating the key retrieval mechanisms with the rest of macOS. For example, Apple's ssh-add can store key passphrases in Keychain with the -K option, and then later access those passphrases with the -A flag.
skoskie 1478 days ago [-]
If using the upstream version there is one line to add to a startup script or to your zshrc (et al.) file ...

ssh-add -A > /dev/null

... and one default value to place in your ssh config file...

AddToKeychain Yes

... to get around this issue. It works fine after that.

(On mobile. Sorry for formatting)

floatingatoll 1478 days ago [-]
Those stored key passphrases are visible with the Keychain Access application, Kind: "application password", name: "SSH: /full/path/to/key", in the login & iCloud keychains.
saagarjha 1478 days ago [-]
paxswill 1478 days ago [-]
Looks like that's for macOS 10.15.0 as version.h for that OpenSSH release is for 7.9p1 (macOS 10.15.4 has OpenSSH 8.1p1).
saagarjha 1478 days ago [-]
matthewbauer 1478 days ago [-]
I'm pretty sure they use libressl now.
stock_toaster 1478 days ago [-]
Maybe a weird ControlMaster/ControlPath config? I have had issues with the ControlPath result being too long with certain hostname/port combinations in the past, which resulted in ssh to the IP working but ssh to the hostname not working. As a result, I have since started using %C instead of %l%h%p%r in my ControlPath config.
_-___________-_ 1478 days ago [-]
If you have Homebrew or something similar, I recommend installing openssh through there -- you get a newer version to boot.
2ion 1478 days ago [-]
It's usually not a full replacement. SSH for macOS has some integration built in that current OpenSSH does not have, like Keychain integration.
lilyball 1478 days ago [-]
I thought Homebrew patched OpenSSH using Apple's keychain patch, but looking at the formula right now I see

  # Please don't resubmit the keychain patch option. It will never be accepted.
  # https://github.com/Homebrew/homebrew-dupes/pull/482#issuecomment-118994372

Sadly the homebrew-dupes repo seems to have been deleted so this comment can't be read anymore.
CKN23-ARIN 1478 days ago [-]
Archive of the discussion: https://archive.is/hSB6d

> We are uncomfortable continually supporting a 1900+ line patch which upstream hasn't signed off on that has the potential to both compromise OpenSSH security and Keychain security. From 10.11 it will also be impossible to edit plists in /System/* without disabling rootless, which isn't a configuration we'll be intentionally supporting.

saagarjha 1478 days ago [-]
> Sadly the homebrew-dupes repo seems to have been deleted so this comment can't be read anymore.

They're kinda bad at that in general :/

skoskie 1478 days ago [-]
Really? I have my ~/.ssh/config file set to “AddToKeychain” on all entries and it doesn’t seem to be a problem.
_-___________-_ 1478 days ago [-]
I prefer ssh-agent anyway, but yeah, I think they did remove the keychain integration patch.
Doctor_Fegg 1478 days ago [-]
Oh god no. Homebrew managing openssh has been the cause of more command-line instability and forced reinstalls than anything else I’ve encountered in the last few years of OS X (sorry, macOS). I’ve started installing stuff from source again just to prevent a cascade of Homebrew upgrades breaking everything.
rswail 1477 days ago [-]
Why don't people use MacPorts instead? I've never had any problems with it.

Homebrew wants to screw around in /usr, MacPorts installs itself in /opt and doesn't interfere with things in the MacOS world.

Set your PATH to have /opt/local/{bin,sbin} and everything Just Works.

saila 1477 days ago [-]
What is the practical difference between /usr/local and /opt or /opt/local? I don't think macOS puts anything in /usr/local.
theonemind 1478 days ago [-]
I sometimes use NetBSD's pkgsrc on macOS because it installs super cleanly in any prefix you like and never, ever breaks the system. It doesn't have everything, and you will occasionally encounter a package that won't build, but it doesn't even dream of taking over /usr/local or disrupting your system. You could install it into your home directory if you wanted to (which I have done, on systems where I don't have root or enough ownership to just throw things anywhere)
fmajid 1477 days ago [-]
I always build SSH from source myself using my own scripts and meta-makefiles. Both the most recent OpenSSH release, and the latest one supported by HPN-SSH (for use on high-latency links).

OpenSSH 8.2p1 notably has support for using FIDO U2F 2FA keys to secure SSH keys, it works perfectly, as long as your server also runs 8.2p1 (only the client needs to be compiled with libFIDO2).

As for the Catalina train wreck, it's clear both hardware and software quality is on a severe downward trend at Apple, you can either rant and moan about it, or take control back by switching to Linux or BSD, which is what I am doing, very slowly and deliberately.

_-___________-_ 1478 days ago [-]
Never experienced this in a decade or so of using Homebrew's OpenSSH, but you can absolutely use something other than Homebrew to get a more up-to-date and standard OpenSSH install if you prefer.
lloeki 1478 days ago [-]
> I’ve started installing stuff from source again just to prevent a cascade of Homebrew upgrades breaking everything.

Since you crossed that line, do yourself a favour and check out nixpkg.

rovr138 1478 days ago [-]
I always do this.

I'm not sure what's the current state, but there are features on SSH I wasn't able to use due to the version provided being old.

I know that `Include` on `config` is/was one.

    Include "some/path"
This is something I use frequently that wasn't available on previous built in versions.
oefrha 1478 days ago [-]
> I'm not sure what's the current state, but there are features on SSH I wasn't able to use due to the version provided being old.

> I know that `Include` on `config` is/was one.

That's both terribly out of date info and hardly ever true as far as I can tell.

The Include directive was a new feature of OpenSSH 7.3, released on 2016-08-01.[1] Apple shipped OpenSSH 7.3 in macOS 10.12.2[2][3], released on 2016-12-13. That's a very reasonable four-month gap.

I only use the system ssh because stock OpenSSH didn't integrate well with system keychain many years ago (not sure about the current state). But I've been using the Include directive for a long time.

[1] https://www.openssh.com/txt/release-7.3

[2] https://opensource.apple.com/release/macos-10122.html

[3] https://opensource.apple.com/source/OpenSSH/OpenSSH-209.30.4...

judge2020 1478 days ago [-]
In case it's slow for you too: <removed since they wanted it taken down>
saagarjha 1478 days ago [-]
It’s been taken down on purpose: https://news.ycombinator.com/item?id=22738841
dimtion 1478 days ago [-]
I'm surprised nobody noticed this bug at Apple before the release. Is there nobody there that connects by hostname to a ssh server with a port > 8192?
pwg 1478 days ago [-]
I'm not. Not all 'testers' actually try to test edge cases. The /good/ testers do try edge cases, but for every /good/ tester you have, you'll have hired 100+ testers who do little more than check that the standard happy-path works correctly and sign off as "passes tests".

The good testers all tend to fall into what Bruce Schneier calls the 'Security Mindset' way of thinking: https://www.schneier.com/blog/archives/2008/03/the_security_...

Hamuko 1478 days ago [-]
>Not all 'testers' actually try to test edge cases.

Yeah, but surely macOS devs are eating their own dog food.

bangonkeyboard 1478 days ago [-]
"I've learned that Apple engineers have internal tools which allow them to delete macl xattr as well as to bypass other Catalina privacy and sandbox protections without rebooting and disabling SIP.

"Inside Apple they don't suffer the same problems as external users and developers."

https://twitter.com/lapcatsoftware/status/121929275891082854...

sigzero 1478 days ago [-]
And a simple shell script to test it would be easy.
amelius 1477 days ago [-]
Well, I hope for them they put it in their automated regression test suite now.
gray_-_wolf 1478 days ago [-]
> Is there nobody there that connects by hostname to a ssh server with a port > 8192?

I use an alternative port but < 1023 since binding to those ports requires root. And I've never seen it being used. I'm not saying it's not, just that I did not see it in 10 years.

So it probably really is not that common.

saagarjha 1478 days ago [-]
Probably not. I doubt I’ve used a port that high.
Yetanfou 1478 days ago [-]
Why not? I regularly use 5-digit ports - 3-digit prefix plus 2-digit 'official' port - for various systems which reside behind a NATting router.
syncsynchalt 1478 days ago [-]
Ports <1024 require root access to bind, so on a multi-user system it would be insecure to run ssh on such a high port.

(Granted, multi-user hosts are very rare nowadays).

the_mitsuhiko 1478 days ago [-]
I'm pretty sure it's generally not advisable to use ports this high since they are used for other purposes.
Avamander 1478 days ago [-]
All purposes are equally valid on unallocated port ranges. Unconfigurable port ranges with no fallback when those ports are in use is bad design.
user5994461 1478 days ago [-]
High port numbers, above 30000 usually, are ephemeral ports and get pre-empted by the system. They're not safe to listen on for server applications.
codegladiator 1478 days ago [-]
Isn't 8080 used almost everywhere ?
desdiv 1478 days ago [-]
8080 is less than 8192. This bug only happens when the port is _higher_ than 8192.
codegladiator 1478 days ago [-]
Sorry, my bad, what was I thinking.
Yeri 1478 days ago [-]
Not for SSH. Common alternate SSH ports are 222 or 2222 which are well below.
bni 1478 days ago [-]
443 to pass the stupid corporate firewall. I used that once 15 years ago anyway.
SteveNuts 1478 days ago [-]
For webservers sometimes, never seen that used for ssh.
saagarjha 1478 days ago [-]
< 8192, and that’s mostly the alternate HTTP port.
rimliu 1478 days ago [-]
8080 < 8192
1478 days ago [-]
floatingatoll 1478 days ago [-]
I haven't in ten or twenty years, no.
oefrha 1478 days ago [-]
One more data point: just tried to repro with hostname and port 8193 and failed, so the issue is probably more intricate than described.

(Guest in my test: OpenSSH 7.6p1 on ubuntu bionic, stock config other than sshd port.)

zimpenfish 1476 days ago [-]
Tried with dropbear and sshd on Arch, port 9022 from 10.15.4 Beta (19E258a) - no issues with a variety of hostnames that end up at the same host.
zimpenfish 1476 days ago [-]
Just updated to 10.15.5 Beta (19F53f) and still no issues with dropbear or sshd.
nathell 1478 days ago [-]
I've been a Linux user for the last ~15 years, and now I need to do some iOS development, so just a few days ago I ordered a Mac Mini. I guess I'm in for a bumpy ride. Oh well.
redsymbol 1478 days ago [-]
I used linux on all my laptops/work machines for about 7 years, then switched to macbook pros 5 years ago. Definitely some things you have to adapt to (I still miss focus-follows-mouse). But for the most part, you'll find it's a smooth ride. When bumps like this happen, they tend to push out a fix quickly - especially when it gets traction on HN like this.
toast0 1478 days ago [-]
I used a mac for almost 8 years. When things worked, and you shared the same preferences as the designers (or were willing to adapt), things were pretty good.

If you had different preferences, mostly too bad. Maybe if you reboot with system protection turned off, you can edit the config file, and hope it doesn't get reverted.

If things didn't work, like when I was getting static for audio 25% of the time I hit Play in iTunes from a shoutcast server for a whole major release, there wouldn't be any useful help on the internet. Maybe somebody had a similar problem 3 releases ago, but that fix doesn't work anymore. Other problems, or irritants are often the same way.

With Windows, most of the problems you run into are fixable, and easy to find. With an open source OS, at least you can dig in and try to fix your own problems.

quesera 1478 days ago [-]
For me, focus-follows-mouse is most useful for terminal windows. It is a feature you can enable in iTerm2.

This doesn't help across applications of course, and there's a reasonable argument that the inconsistency is worse than the absence -- but for me, iTerm2's FFM feature helps.

redsymbol 1478 days ago [-]
Didn't know iTerm2 did that. Thanks, I'll check it out - might help a lot.
john_alan 1478 days ago [-]
macOS is POSIX UNIX. It definitely has focus follows mouse.

You just mean that hover over a lower window allows scrolling right? MacOS has that.

redsymbol 1478 days ago [-]
fredsted 1478 days ago [-]
It's honestly not that bad, but I'd advise to go into it with an open mind. A lot of switchers get angry at macOS when their habits from other systems don't work with it (e.g. wanting to maximize all the windows)
jonfw 1478 days ago [-]
You don't have to have that open of a mind. I was angry at macOS because I didn't have good window management, but it was really easy to install a third party utility to do so.

I use Amethyst which is much easier to set up than my old Linux WMs. There are also tools like Yabai which are more customizable.

fredsted 1477 days ago [-]
Sure, I guess you can also do that. I'd still advise to not go out and "fix" everything the minute you boot up OS X. It's worth learning how and why it works before you hack it.
jonfw 1478 days ago [-]
If you're a Linux user for that long you've probably got experience updating CLI utilities. That's all that's required here, simply installing a new OpenSSH.

I recently made the transition (from ~10yrs Linux) to Mac and it was really smooth. At the end of the day it's just a Unix system with a really nice looking Window Manager and lots of supported apps. If you don't like the included version of SSH, just use a different one, same as linux.

hazebooth 1478 days ago [-]
I'm on mac OS 10.15.4. SSH has worked on all betas and the official release from Apple.
beervirus 1478 days ago [-]
Using a port above 8192 and connecting by hostname?
hazebooth 1478 days ago [-]
Yes, but maybe I've mucked around with my ssh too much.
Zelphyr 1478 days ago [-]
As an aside; is there a reason to host SSH on a non-standard port? I recently came across a system that had it listening to a really high port number. I dismissed it as security through (bad) obscurity but is there a valid security reason to do this?

EDIT: Thanks to everyone who answered my question! It makes sense to me now why one might do this.

spzb 1478 days ago [-]
It massively reduces the number of script kiddie attacks. It's not hard to find SSH on a non-standard port but most SKs don't know or don't bother.

Other possible reason is NAT. If you've got several machines or VMs but only one public IP you can port forward different public ports to port 22 on different machines. Not the only solution by a long way but a relatively straightforward one.

carlisle_ 1478 days ago [-]
There's actually a good reason to not use SSH on a non-privileged port: It allows an unprivileged user to bind their own binary to the port when SSH restarts or otherwise stops listening.
nickodell 1478 days ago [-]
That unprivileged user will not have the SSH host key, which will create a warning for any user who connects, just as though someone had conducted a man-in-the-middle attack.

Of course, there are plenty of privileged ports to choose from.

https://www.google.com/search?q=random+number+between+1+and+...
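
The two comments above hinge on the client's host-key check, so here is an added worked example (not code from the thread or from OpenSSH) of what that check does with a known_hosts file: the SHA256 fingerprint ssh-keygen -l prints, the [host]:port name form that known_hosts uses for a non-22 port, and HashKnownHosts entries. The key blobs, hostnames and salt below are constructed stand-ins, not real keys; the real client does more (certificates, multiple key types per host), so treat this as the shape of the check, not a replacement for it.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed stand-ins, not real keys: an Ed25519 host key blob is the string
# "ssh-ed25519" followed by the 32-byte public key.
GOOD_HOST_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
# What a rogue listener on the same port would present: some other key.
ROGUE_HOST_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (base64, '=' padding stripped)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_name(host: str, port: int) -> str:
    """known_hosts records a non-standard port as [host]:port; port 22 is the bare name.
    Moving sshd from 9944 to 22 therefore means a fresh host-key prompt."""
    return host if port == 22 else f"[{host}]:{port}"


def hashed_name(name: str, salt: bytes) -> str:
    """Build a HashKnownHosts field: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def name_matches(field: str, name: str) -> bool:
    """Match the hostname field of one known_hosts line, plain or hashed."""
    if field.startswith("|"):
        _, version, salt_b64, mac_b64 = field.split("|", 3)
        if version != "1":
            return False
        expected = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return name in field.split(",")  # plain entries may list several names


def check_host_key(known_hosts: str, host: str, port: int, presented: bytes) -> str:
    """Return MATCH, MISMATCH, REVOKED or UNKNOWN for the key a server presented."""
    name = known_hosts_name(host, port)
    seen_name = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3 or marker == "@cert-authority":
            continue  # certificate authorities are out of scope for this example
        names, _keytype, key_b64 = fields[:3]
        if not name_matches(names, name):
            continue
        stored = base64.b64decode(key_b64)
        if marker == "@revoked" and hmac.compare_digest(stored, presented):
            return "REVOKED"
        if marker is None:
            seen_name = True
            if hmac.compare_digest(stored, presented):
                return "MATCH"
    # A stored entry for this name with a different key is exactly the
    # "REMOTE HOST IDENTIFICATION HAS CHANGED" warning the comment above describes.
    return "MISMATCH" if seen_name else "UNKNOWN"


# Constructed sample known_hosts: one plain entry for a non-standard port and one
# hashed entry for a port-22 host. The salt is an arbitrary 20-byte value.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts file",
    "[example.com]:9944 ssh-ed25519 " + base64.b64encode(GOOD_HOST_KEY).decode(),
    hashed_name("bastion.example.net", b"0123456789abcdefghij")
    + " ssh-ed25519 " + base64.b64encode(GOOD_HOST_KEY).decode(),
])
```

Running check_host_key with ROGUE_HOST_KEY against the [example.com]:9944 entry gives MISMATCH, which is the warning a squatting process on that port would trigger; asking about example.com on port 22 gives UNKNOWN, because the entry is keyed by port.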

h4waii 1478 days ago [-]
IMHO, this isn't "security through obscurity" but it's a way of weeding out automated attacks and reducing logs filling up with completely avoidable entries. I'd say it has valid "sysadmin" reasons but not "security" ones.

Given 2 boxes with the exact same SSH setup (key auth, fail2ban, or whatever else you use) I'd prefer to admin the one with a non-standard port solely for the fact that it's not undergoing constant attack which uses resources (albeit tiny).

pwg 1478 days ago [-]
Valid reason:

Testing something that uses ssh, but the test host already has a sshd running on port 22, and one does not want to disrupt that setup for the test. Or running tests as a local, non admin, user and one does not want to bother the admin with modifying the system sshd setup for those tests.

Other reasons:

Those doing it /instead/ of running on port 22 are usually doing it for one of at least two reasons:

1) a false sense of security. If you do an internet search, you'll find plenty of blog posts boasting that using an alternate port is a security feature (it is not, it is security via obscurity); or

2) to reduce the log growth from all the script kiddie scans that target port 22 (note, no security is added here, but one's log files don't grow quite as rapidly either).

nucleardog 1478 days ago [-]
Slighty reduces your risk from all the automated spam. Most things that are scanning the entire internet trying to brute force weak passwords and stuff aren't trying 65,000 ports on each host. Any sort of worm/botnet will probably be in the same situation.

The only hosts we have with any SSH exposed to the world at all are a couple of bastion hosts. Day-to-day we access everything else through a VPN, so its only exposed at all as an emergency backup in case the VPN breaks. Really no inconvenience to having it moved to a high port.

0x0 1478 days ago [-]
It reduces the amount of endless bruteforce attempts somewhat, so log files are slightly more readable. Although recently this seems to be significantly less effective compared to the previous 20 years...
joombaga 1478 days ago [-]
If it's exposed to the internet, definitely. Port 22 gets hammered.
wazoox 1478 days ago [-]
Indeed. In fact it's hammered so bad that it made my home machine crawl at times. By changing ports it went from several thousands attempts per hour to a few per day.
__s 1478 days ago [-]
I use Chrome SSH to ssh into my WSL2 debian instance on Windows 10. Native terminals don't support mouse events. But port 22 can already be in use by the host system, so I have WSL2 configured to listen on port 222
matthew-hollick 1478 days ago [-]
There are pros and cons. It does mean that you should get less ssh bot spam but it also means that you run ssh on a non privileged port - one that a malicious application running as non-root might attempt to exploit.
_-___________-_ 1478 days ago [-]
The author didn't say it had anything to do with security. I have one or two SSH daemons out there listening on non-standard ports because of stupid limitations of middleboxes I'm forced to use, or because they're port-forwarded through something that already listens on 22 itself.

Security-wise, it seems pointless; my daemons on random non-standard ports still get hammered, and fail2ban takes care of keeping the log spam down just as easily as it does the ones on 22.

jerf 1478 days ago [-]
Security-through-obscurity isn't a bad thing. It's just bad to overestimate what it can do, or for it to be your only security.

I have my publicly-accessible SSH port on not-22, just to avoid the log messages from scanners. I'm well aware it does not, on its own, actually "secure" anything, but it brings more convenience to me for it to be a bit obscure, and it certainly isn't hurting anything.

1478 days ago [-]
clarry 1478 days ago [-]
Significantly less log spam.
di3goleite 1478 days ago [-]
I faced the same problem two weeks ago with the previous version of Catalina (I don't remember the exact number, but it was one prior to 10.15.4) and git (I use SSH to authenticate with the server). So I sent a report to Bitbucket with a solution that worked for me after investigating the problem further: https://twitter.com/di3goleite/status/1239596891471581189?s=...

Thank you for that clarification. Also, your website seems to be down at the moment.

anongraddebt 1478 days ago [-]
"I’m not even going to go into it. I don’t want to end up on Hacker News again bitching about Catalina."

+1

chmaynard 1478 days ago [-]
Apple's stance is that it didn't happen unless someone reports it using Radar (internal) or bugreport.apple.com (external). Unfortunately, they don't believe in Linus's Law, which states that "given enough eyeballs, all bugs are shallow."
saagarjha 1478 days ago [-]
Things that end up on the front page of Hacker News get fixed.
LilBytes 1478 days ago [-]
This is an anecdote but the latest update forced me to rebuild my Mac from a hard/factory reset. My Dell D6000 on my 2019 MacBook Pro no longer charges the laptop. I've tried.

My Mac's resources were getting gobbled up by an internal process I couldn't terminate and my keychain was borked and I couldn't log in after a reset (to try and get around the resource hogging). Recovery didn't get me anywhere so I used Recovery over the Internet to do a clean install.

I'm running 10.15.4, no issues as of yet. And this all occurred after the security update. I'm running on the version prior for now but will make sure I've got a good backup and give it another go.

gangstead 1477 days ago [-]
I had a d6000 and had to update the firmware (with a borrowed windows machine) before it would charge my mbp.
LilBytes 1477 days ago [-]
Hadn't considered that, I'll give it a go. Thanks!
LilBytes 1466 days ago [-]
If anyone comes across this comment, this 100% worked.
supernintendo 1478 days ago [-]
I've moved to Linux for 99% of my computing but still use macOS for some audio production work. Catalina is unusable for me personally (most of the software I need just silently crashes) so I disabled the upgrade prompt:

  sudo softwareupdate --ignore "macOS Catalina"
  defaults write com.apple.systempreferences AttentionPrefBundleIDs 0
  killall Dock
Apple should really slow down on major releases of macOS or stop altogether in my opinion. macOS Mojave is a great OS and it's basically feature complete. Just stick with that, introduce bug fixes and security patches as needed and I think people will be happy.
stinos 1478 days ago [-]
At this point I’m thinking maybe the permissions on my local private key got screwed up. So, I blow away ~/.ssh and recreate all of my keys from a backup

Is that a common thing to do, or any reason why the OP would do that? Doesn't ssh reject your key, saying it does that if there's such a problem? And even if not wouldn't it be advisable to at least look at the permissions; I mean suppose they're not -rw------- or so, wouldn't you want to know that, and also why they are not ok?

zeveb 1478 days ago [-]
> Am I and this one other forum poster just doing something totally bizarre yet the same?

One might uncharitably suggest that using macOS and expecting standard decades-old Unix behaviour is itself bizarre … but that's also true of using Linux with systemd (viz., nohup no longer nohups, or systemd-resolved, or innumerable other broken bits).

It's almost as though no-one cares about quality anymore.

ulkesh 1478 days ago [-]
I agree, that’s an annoying bug/feature.

However, there is an amazingly easy workaround, assuming the IP and port don’t change often: create a ~/bin shell script that connects via IP and port, make it executable, and add ~/bin to PATH.

This workaround doesn’t excuse Apple of doing something so egregiously stupid, but it’s so easy that you may as well do it and move on.
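
A slightly more general form of that workaround, as an added example (not the commenter's script and not from the original post): instead of hard-coding the IP and port, ask ssh itself for the alias's effective settings with ssh -G, resolve the HostName to an IPv4 address, and re-run ssh with the address overriding HostName while everything else (user, port, IdentityFile, ProxyJump) still comes from the alias. HostKeyAlias keeps the known_hosts lookup on the original name so no new host-key prompt appears; that the alias must take the [name]:port form for a non-22 port is my reading of ssh's behaviour and is assumed here. The canned ssh -G output and the 203.0.113.0/24 address used in the test are constructed.

```python
import os
import shlex
import socket
import subprocess
import sys
from typing import Callable, Dict, List, Sequence


def run_ssh_g(alias: str) -> str:
    """Ask ssh for the configuration it would actually use for this alias."""
    return subprocess.run(["ssh", "-G", alias], check=True,
                          capture_output=True, text=True).stdout


def effective_config(alias: str, runner: Callable[[str], str] = run_ssh_g) -> Dict[str, str]:
    """Parse 'ssh -G' output: one lowercase keyword and its value per line.
    For keywords ssh prints more than once (identityfile, for one) the first value wins."""
    config: Dict[str, str] = {}
    for line in runner(alias).splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            config.setdefault(parts[0].lower(), parts[1])
    return config


def resolve_ipv4(hostname: str) -> str:
    """First IPv4 address for the name, the same narrowing that 'ssh -4' applies."""
    return socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)[0][4][0]


def ssh_by_ip(alias: str, extra_args: Sequence[str] = (),
              runner: Callable[[str], str] = run_ssh_g,
              resolver: Callable[[str], str] = resolve_ipv4) -> List[str]:
    """Build an ssh command that keeps every setting of the alias but connects to
    the resolved address. Command-line -o options take precedence over ssh_config,
    so HostName=<ip> wins while Port, User and IdentityFile still come from the alias."""
    cfg = effective_config(alias, runner)
    hostname, port = cfg["hostname"], cfg.get("port", "22")
    ip = resolver(hostname)
    # known_hosts keys a non-standard port as [name]:port; HostKeyAlias is used
    # verbatim for the lookup, so it has to carry that form itself (assumption).
    key_alias = hostname if port == "22" else f"[{hostname}]:{port}"
    return ["ssh", "-o", f"HostName={ip}", "-o", f"HostKeyAlias={key_alias}",
            alias, *extra_args]


if __name__ == "__main__":
    # Usage: python3 ssh_by_ip.py some-server [remote command ...]
    cmd = ssh_by_ip(sys.argv[1], sys.argv[2:])
    print("+", shlex.join(cmd), file=sys.stderr)
    os.execvp(cmd[0], cmd)
```

Drop the script into ~/bin as the comment suggests and invoke it with the alias name; if the alias has no HostName set, ssh -G reports the alias itself as the hostname, which then resolves as usual.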

teilo 1478 days ago [-]
Well, the description of this bug is not generally reproducible, so whatever is causing it, it's not as simple as using a high port with a server name.

I tested this specifically on a number of servers that I run with port numbers > 10000, using /usr/bin/ssh on macOS 10.15.4, with and without IP addresses. Nothing broke for me.

yasp 1478 days ago [-]
neilwilson 1477 days ago [-]
Catalina seems to have bust Wifi monitor mode on tcpdump on my MacMini 2018, yet it works fine on my Mac Air.

Still not sure if that is my machine, or a general fault - but the lack of monitor and promiscuous mode is playing havoc with IPv6 multicast packets from VMware Fusion VMs.

steve1977 1477 days ago [-]
"I don’t want to end up on Hacker News again bitching about Catalina. I just hope I’ve stuffed this post with enough keywords so that anyone else searching on Google might come across the answer." Ok. And did you actually report it as a bug to Apple?
wyattpeak 1477 days ago [-]
Whether or not he did, there's absolutely nothing wrong with posting about a problem in case others come across the same. In fact it's damned helpful.
tkubacki 1478 days ago [-]
It is time to move to a Linux or Windows desktop. Really, if you are not a hostage of the Apple ecosystem then a decent desktop is much more reliable in my experience (I've got an old MacBook which is ok too, but e.g. it can't connect to an old VPN).
epiphanitus 1477 days ago [-]
What’s the backstory to why Apple's bash has to be different than GNU bash?

I love having the Linux kernel with a nice UI but there are some useful commands that are missing.

There are ways to get them set up but in any case it’s kind of a pain

buildbot 1478 days ago [-]
Wow, just the other day this started happening to me as well with one of my servers from my MacBook. It used to work fine, but now only that laptop can’t connect to it. It’s on a high port too.
jki275 1478 days ago [-]
I'm using ssh to a named server online using a port >8192 from a 10.15.4 machine right now.

Have had no issues with it at all.

vgaldikas 1477 days ago [-]
>I’m not even going to go into it. I don’t want to end up on Hacker News again bitching about Catalina.

Whoops

ThePowerOfFuet 1478 days ago [-]
> Next, I ssh into a different server and then hop to the problematic one. It connects without any trouble. At this point I’m thinking maybe the permissions on my local private key got screwed up. So, I blow away ~/.ssh and recreate all of my keys from a backup. Still can’t login.

Someone should have paid more attention to that verbose SSH output first.

liquidify 1478 days ago [-]
Are you talking about the new apple feature?... non working ssh? It's all the rage.
ipv6ipv4 1478 days ago [-]
In my experience the breakage is with IPv6. Try forcing IPv4.

'ssh -4 <hostname>'

StreamBright 1478 days ago [-]
Thank god I did not upgrade. Software upgrades are the best way to waste time.
rovr138 1478 days ago [-]
They're the best way to stay secured and receive new features.

The issue with them is lack of testing before deploying them.

anonymou2 1477 days ago [-]
I think proprietary software and staying secure are contradictory ideas.
StreamBright 1478 days ago [-]
You can just get the security patches for Mojave. You are trying to make it sound like of you are on previous version there are no security patches. Factually untrue.
Elrac 1477 days ago [-]
Am I the only one who thought this article was about Apache Tomcat?
viburnum 1478 days ago [-]
If I'm still on Sierra, which version should I upgrade to?
v64 1478 days ago [-]
I have a MacBook Pro (Retina, 13-inch, Mid 2014) and Mojave runs very well on it. I have no plans to upgrade to Catalina.
geuis 1478 days ago [-]
Looks like the post was just deleted.
krzysztofeng123 1478 days ago [-]
laughs in Linux
dang 1478 days ago [-]
Please don't do this here.
awinder 1478 days ago [-]
“I’m not even going to go into it. I don’t want to end up on Hacker News again bitching about Catalina.”

Welp.

draw_down 1478 days ago [-]
Which is a weird sentiment. HN is, let's say, not exactly shy about criticizing Apple hardware/software, especially software.
karol 1478 days ago [-]
With this foresight he sadly didn't enable CloudFront and the website went down.
tylerhall 1478 days ago [-]
Yeah, it's a $5/month DigitalOcean box with only my blog on it and nothing else. All assets come off a CDN and Varnish is sitting in front of WP, but looks like that still wasn't enough this time. It worked fine for my previous two HN'ings earlier this year.
asveikau 1478 days ago [-]
I am still able to access it. So I don't think it's doing so bad.
hoistbypetard 1478 days ago [-]
Which is more common? Someone says "I don't want to end up on ___ news again" and they really mean they don't? Or they say that and they really want to? It feels like the old "Please, Br'er Fox, don't upvote this post. I don't want anyone to see it."

(I'm about 80% kidding but amused. Lockdown.)

tylerhall 1478 days ago [-]
Sadly, I mean it. Don't want to go through this again. Taking down the post for now.
psaux 1478 days ago [-]
I wouldn’t trip at all. There are great folks on HN, and you can tell from comments who are the sour ones just because. I personally enjoy reading your posts. I worked at Apple for a long time, loved it. I still use their products and want to understand what bugs exist. I use SSH daily for many things.
awinder 1478 days ago [-]
The post was excellent, I’ve been locked away from Catalina updates now that my work mac is my primary Mac so I like keeping abreast of all the little gotchas I might be hitting. And it’s a great debugging chain for something that is truly weird. Sorry you’ve had bad past experiences here, the quote gave me quite a chuckle
azinman2 1478 days ago [-]
Go through what? Why would you take down the post as it’s probably useful to others?
tylerhall 1478 days ago [-]
> it’s probably useful to others?

That's my intent. I'll put it back online for others to find once the fuss dies down.

bspammer 1478 days ago [-]
Hey, not sure if this is a side-effect of you taking this post down but I was interested in reading another of your posts about B2 vs S3 Glacier and am getting "Error establishing a database connection".

https://tyler.io/followup-comparing-my-current-b2-storage-co...

Actually now I look at it, a lot of pages don't seem to work. I guess it's just the classic Hacker News friendly DDOS.

untog 1478 days ago [-]
Hacker News can be a cesspool at times.

One important thing to always remember is that unless someone posted their article to Hacker News themselves they might have had absolutely no expectation that a huge audience was about to descend and dissect everything they wrote. They might have just been talking off the cuff, mentally noodling around or even just using the process of writing stuff down as a means to sort their thoughts. Far too often HN commenters work from the assumption that an author is intending to make A Big Point and very uncharitably deconstruct every sentence the author wrote.

It's only a matter of time before we see a reply along the lines of "OBVIOUSLY 10.15.4 did NOT break SSH, the author just didn't do X Y and Z to fix a very OBVIOUS mistake in their SSH config".

> Why would you take down the post as it’s probably useful to others?

More broadly, Tyler doesn't owe the world anything in this regard. If he wants to post it, cool. If he wants to remove it, cool.

notRobot 1478 days ago [-]
This is so true, I wish I could upvote this twice. I've been on the receiving end of this too, where something I wrote in the moment without much thought ended up at the top of HN with a whole lot of criticism.
saagarjha 1478 days ago [-]
I often do a pass to Hacker News (and Twitter, and Reddit)-proof topics which are not highly technical but are likely to appear on here.
hoistbypetard 1478 days ago [-]
Wow. Yes. Sorry to see you take it down. I liked the post and was just amused by the one line.
fmajid 1477 days ago [-]
I was wondering if it was because you were afraid of retaliation by Apple.
kgraves 1478 days ago [-]
understood. in line to respect your wishes I encourage everyone to flag this post.

dang, join in if you must.

m_a_g 1478 days ago [-]
>I don’t want to end up on Hacker News again bitching about Catalina.

Ends up on Hacker News again bitching about Catalina.

jbverschoor 1478 days ago [-]
I don't wanna pay taxes.

Paying taxes anyway

kulix425 1478 days ago [-]
"I’m not even going to go into it. I don’t want to end up on Hacker News again bitching about Catalina."

lol

tambourine_man 1478 days ago [-]
>I don’t want to end up on Hacker News again bitching about Catalina.
davidkuhta 1478 days ago [-]
To be fair, full context tempers that sentence:

> I’m not even going to go into it. I don’t want to end up on Hacker News again bitching about Catalina. I just hope I’ve stuffed this post with enough keywords so that anyone else searching on Google might come across the answer.

AsyncAwait 1478 days ago [-]
Another post to my collection of how macOS works flawlessly and Linux breaks stuff when it comes around again.
rimliu 1478 days ago [-]
I think the technical term for this is "cherry-picking".
fanatic2pope 1478 days ago [-]
Exactly. Just like people do with Linux issues.
chipotle_coyote 1478 days ago [-]
As a long-time Mac user who gets irritated about something trivial within minutes of using any Linux desktop environment, I'd have to say this is pretty spot on. :)
Yetanfou 1478 days ago [-]
If this tree only carried a few cherries you'd be right. By now it is such an abundant source of fruit that they'd do well by changing their logo to just this, a Catalina Cherry [1,2].

[1] https://en.wikipedia.org/wiki/Prunus_ilicifolia

[2] https://calscape.org/Prunus-ilicifolia-ssp.-lyonii-(Catalina...

germs12 1478 days ago [-]
Original Post:

I was completely at my wit’s end and feeling like I had lost my mind until about a half hour ago. Let me start from the beginning…

I don’t have an exact date, but within the last week I realized that I was unable to ssh into my primary web server – the one that runs my business website, activation server, etc. It’s sort of the linchpin for my tiny software company. When it goes down, I get worried.

At first I thought maybe the server was down? I hadn’t received any alerts, so I did a quick check. And, yes, it was still up and running and serving web traffic. Ok, did sshd somehow become unresponsive? I login through the Linode control panel and restart the service. Still can’t login.

It’s odd. I don’t get a connection refused. Not even a timeout. It just…hangs.

That’s the ssh output with the verbose flag. Nothing. I waited 10+ minutes and it never timed out or produced any other output.

I reboot the server itself and the problem persists.

Then, I notice some more oddities. I’m able to connect using ForkLift – my FTP client, which connects via SFTP. Also, SequelPro is able to connect to MySQL via ssh as well.

And then things get even stranger. This is all happening on my iMac. I try connecting from my laptop, and it works. My MacBook Pro is at home right next to my iMac, which is refusing to login. They’re both on the same wifi and thus the same IP. So, it can’t be that my home IP address got mistakenly banned somehow.

Next, I ssh into a different server and then hop to the problematic one. It connects without any trouble. At this point I’m thinking maybe the permissions on my local private key got screwed up. So, I blow away ~/.ssh and recreate all of my keys from a backup. Still can’t login.

Ok. I think about it for a few minutes and then – aha! – I have an Ubuntu virtual machine running on this iMac inside Parallels. I’ll ssh into it and then try and connect. That will rule out if there’s just something odd about my iMac’s LAN IP. (To be clear, my home network is perfectly ordinary. Just a cable modem and a router.) So, I login to the VM, try and connect, and it works fine.

At this point here’s what I’ve found:

My iMac is the only machine that cannot login. I’ve connected successfully from behind the same public IP using a laptop, a virtual machine, and my iPhone and iPad. I’ve verified my ssh keys are correct and have the appropriate permissions. I can connect to other servers from the problematic machine – both at the same hosting provider (Linode) and others (AWS and DigitalOcean). I can connect from my iMac if I jump through any other server, first. I start trying to think what could possibly be different about this one machine. And then it dawns on me. This all started around the time I updated my iMac to 10.15.4. My laptop is still on 10.15.3 – and, of course, the virtual machine isn’t macOS at all.

Totally grasping for straws I google for “10.15.4 ssh” and find this top result on the Apple discussion forums:

Catalina 10.15.4 SSH port > 8192 does not work when using server name instead of IP

This issue started just after upgrading to macOS Catalina 10.15.4.

After that update I am no longer able to open a SSH connection to a port greater than 8192 using server name (instead of IP). Yes, I do change the port on the server side prior to every test.

That can’t possibly be real?

Up until this point, I was connecting via a saved hostname defined in my ~/.ssh/config, which let me login simply by typing ssh some-server. So, I tried ssh ip-address -p9944 and it worked! (That server runs on an alternate ssh port.)

Ok. Time to narrow this down a bit further. I changed the server to listen on standard port 22 and tried connecting via the hostname once again.

Holy crap, it worked.

The user in the Apple forums was right. At least in my case, my one server that happened to be running on a non-standard ssh port above 8192 will not connect from Catalina 10.15.4 when using the hostname instead of the IP address.

Just to verify, I boot up a Mojave and Catalina (10.15.3) VM on the same iMac. They both connect fine, while the host machine continues to fail.

The internals of this is all so incredibly above my head I have no idea what the underlying problem might be. Am I and this one other forum poster just doing something totally bizarre yet the same? This ssh setup has been working for years for me until just the last week. I would love to be proven wrong and told I’m an idiot. But I don’t know what difference connecting via the hostname versus the IP address would make when specifically using a non-standard port above a certain threshold.

It just….sigh.

I’m not even going to go into it. I don’t want to end up on Hacker News again bitching about Catalina. I just hope I’ve stuffed this post with enough keywords so that anyone else searching on Google might come across the answer.
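
The post narrows the failure down by hand (hostname vs IP, port 22 vs 9944, host vs VM). Here is an added diagnostic, not code from the post, that separates the layers ssh's silent hang hides: it resolves the name the way ssh does (getaddrinfo, every address family, which also covers the "try ssh -4" suggestion elsewhere in this thread), attempts a TCP connect to each address with a timeout, and reads the server's SSH identification line. If the script itself stalls before printing anything, the problem is in resolution or configuration rather than in TCP. The local "fake sshd" is a constructed listener so the script can be demonstrated offline; it sends only a banner and speaks no SSH.

```python
import socket
import sys
import threading
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProbeResult:
    family: str               # "IPv4", "IPv6", or "?" when resolution failed
    address: str
    ok: bool
    banner: Optional[str] = None
    error: Optional[str] = None


def probe(host: str, port: int, timeout: float = 5.0) -> List[ProbeResult]:
    """Resolve host as ssh does (getaddrinfo, all families), then for each address
    attempt a TCP connect and read the SSH identification line the server sends."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as e:
        return [ProbeResult("?", host, False, error=f"resolution failed: {e}")]
    results = []
    for family, socktype, proto, _, sockaddr in infos:
        fam = "IPv6" if family == socket.AF_INET6 else "IPv4"
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                # RFC 4253 4.2: the server sends "SSH-2.0-software comments" CR LF,
                # possibly preceded by other lines, without waiting for the client.
                data = s.recv(4096).decode("utf-8", errors="replace")
            ident = next((ln for ln in data.split("\r\n") if ln.startswith("SSH-")), None)
            results.append(ProbeResult(fam, sockaddr[0], ident is not None, banner=ident,
                                       error=None if ident else "no SSH identification line"))
        except OSError as e:  # includes socket.timeout and connection refused
            results.append(ProbeResult(fam, sockaddr[0], False, error=str(e)))
    return results


def verdict(results: List[ProbeResult]) -> str:
    """Turn probe results into the next debugging step."""
    if not results or results[0].family == "?":
        return "name does not resolve: check DNS, /etc/hosts and ~/.ssh/config"
    ok4 = any(r.ok for r in results if r.family == "IPv4")
    ok6 = any(r.ok for r in results if r.family == "IPv6")
    has6 = any(r.family == "IPv6" for r in results)
    if ok4 and has6 and not ok6:
        return "IPv4 answers but IPv6 does not: try ssh -4, or AddressFamily inet in ~/.ssh/config"
    if ok4 or ok6:
        return "TCP connect and banner fine: the stall is inside ssh, read ssh -vvv output"
    return "no address reachable on this port: firewall, wrong port, or sshd not listening"


def start_fake_sshd(banner: bytes = b"SSH-2.0-ConstructedTestServer\r\n") -> int:
    """Constructed stand-in for a server: listen on an ephemeral 127.0.0.1 port,
    send a banner to each client and close. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python3 probe_ssh.py <hostname-or-ip> <port>; no arguments runs the
    # probe against the constructed local listener.
    if len(sys.argv) == 3:
        host, port = sys.argv[1], int(sys.argv[2])
    else:
        host, port = "127.0.0.1", start_fake_sshd()
    found = probe(host, port)
    for r in found:
        print(r)
    print(verdict(found))
```

Run it twice, once with the hostname and once with the IP the hostname resolves to; identical TCP results for both rule the network and sshd out and leave the client's own ssh process as the place to look.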

sgehly 1478 days ago [-]
>>I don’t want to end up on Hacker News again bitching about Catalina.

Hahaha

AdmiralAsshat 1478 days ago [-]
Mental note for future blog post: the secret to getting onto the front page of HN is to publicly state that I do not want this blog post getting onto the front page of HN.
throwanem 1478 days ago [-]
I feel like the subject matter also signifies. I mean, if I post a 5000-word paean to the Polistinae - they're good wasps, Brent - and say I don't want it to end up on the front page of HN, I feel like I'm not going to get what I don't want, you know?
deeblering4 1478 days ago [-]
> I changed the server to listen on standard port 22 and tried connecting via the hostname once again. Holy crap, it worked.

Shocking!

Granted high ports shouldn't be broken, but running SSH on a non-standard port is security (read obscurity) theater at best.

There's really not much benefit, unless you need multiple sshds on the same IP, but at that point I'd question the sanity of the approach.

lukevp 1478 days ago [-]
Security through obscurity shouldn’t be used as an edict that something is not effective. You are talking about the fact that it doesn’t increase the security of the protocol itself or the passphrases/keys used. This is true. However, there are tons of bots out there that scan 22 and try to exploit common logins. There are presumably quite a few less that are port scanning every machine for every possible high port and attempting to handshake ssh and then try logins. Do you disagree with that? If not, this is not security through obscurity, it has a very real impact on the volume of bots that have knowledge that this service is running and are actively exploiting it. It’s just a different type of security, it’s discoverability of the service.

Here’s another example. Say you have a web server running that is only for internal employee use. But you want to expose it externally so that they can reach it without a VPN. Even if you follow proper security protocols, why would you not turn off search engine indexing on this page, and limit the pages that link to it? It will not increase the inherent security of the protocol or the user accounts, but it will drastically lower the # of bots using up CPU and iptables entries trying to fail2ban or blacklist them.

Security is a spectrum and you want to have defense in depth. Moving ssh to a nonstandard port is a security best practice and you shouldn’t be advising people not to use it. But should they also have good key setting, fail2ban, ip whitelisting/blacklisting, etc? Of course they should.

deeblering4 1478 days ago [-]
> Moving ssh to a nonstandard port is a security best practice

For whom? Could you please cite this?

dade_ 1478 days ago [-]
In time, any server with port 22 exposed to the Internet will have a system log with hundreds of failed authentication attempts per minute from IP addresses all over the world. By simply moving it to a high port number, the attempts are rare and troubleshooting is easier without all the noise. And it is script kiddies, typically the login is root, ubuntu, or similar and a password of password, god, other silly things that people actually use.
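
As an added example (not the commenter's code), the kind of pass a practitioner runs over those logs: parse sshd's "Failed password" lines, count attempts and usernames per source address, and apply a fail2ban-style sliding window (maxretry failures within findtime seconds) to decide which sources would be banned. The log lines are constructed in the style of /var/log/auth.log, using documentation address ranges; syslog timestamps carry no year, so the caller supplies one, which is an assumption the code states.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

# Constructed sample in the style of /var/log/auth.log under scanner traffic.
# Addresses are documentation ranges (RFC 5737); the fingerprint is a placeholder.
SAMPLE_LOG = """\
Mar 23 10:15:01 web1 sshd[2101]: Invalid user ubuntu from 203.0.113.5 port 51234
Mar 23 10:15:01 web1 sshd[2101]: Failed password for invalid user ubuntu from 203.0.113.5 port 51234 ssh2
Mar 23 10:15:03 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 23 10:15:04 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar 23 10:15:06 web1 sshd[2107]: Failed password for invalid user admin from 203.0.113.5 port 51250 ssh2
Mar 23 10:15:09 web1 sshd[2109]: Failed password for invalid user pi from 198.51.100.77 port 40112 ssh2
Mar 23 10:15:12 web1 sshd[2111]: Accepted publickey for tyler from 192.0.2.44 port 55000 ssh2: ED25519 SHA256:constructedplaceholder
Mar 23 10:30:00 web1 sshd[2150]: Failed password for invalid user pi from 198.51.100.77 port 40300 ssh2
Mar 23 10:31:00 web1 sshd[2151]: Failed password for invalid user pi from 198.51.100.77 port 40301 ssh2
Mar 23 10:32:00 web1 sshd[2152]: Failed password for invalid user pi from 198.51.100.77 port 40302 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

Failure = Tuple[datetime, str, str]  # (timestamp, source address, username tried)


def parse_failures(text: str, year: int) -> List[Failure]:
    """Extract failed authentication attempts; syslog has no year, so it is supplied."""
    out: List[Failure] = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["ip"], m["user"]))
    return out


def summarize(failures: List[Failure]) -> Dict[str, Dict]:
    """Per source address: number of failures and the set of usernames tried."""
    per_ip: Dict[str, Dict] = defaultdict(lambda: {"count": 0, "users": set()})
    for _, ip, user in failures:
        per_ip[ip]["count"] += 1
        per_ip[ip]["users"].add(user)
    return dict(per_ip)


def top_usernames(failures: List[Failure], n: int = 5) -> List[Tuple[str, int]]:
    """Most-tried usernames; on a real port-22 log expect root, ubuntu, admin, pi."""
    return Counter(user for _, _, user in failures).most_common(n)


def bans(failures: List[Failure], maxretry: int = 5, findtime: int = 600) -> List[Tuple[str, datetime]]:
    """fail2ban-style sliding window: a source is banned at the moment it reaches
    maxretry failures within findtime seconds. Ban expiry (bantime) is left out."""
    windows: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: List[Tuple[str, datetime]] = []
    for ts, ip, _ in sorted(failures):
        w = windows[ip]
        w.append(ts)
        while (ts - w[0]).total_seconds() > findtime:
            w.popleft()
        if len(w) >= maxretry:
            banned.append((ip, ts))
            w.clear()
    return banned


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG, year=2020)
    for ip, info in summarize(fails).items():
        print(f"{ip}: {info['count']} failures, users {sorted(info['users'])}")
    print("top usernames:", top_usernames(fails))
    print("bans (maxretry=3, findtime=600):", bans(fails, maxretry=3, findtime=600))
```

With the sample, 203.0.113.5 crosses three failures within seconds and is banned at 10:15:04, while 198.51.100.77 is only banned once its later burst puts three failures inside one ten-minute window; the slow attempt at 10:15:09 has already aged out. The same script pointed at a real auth.log is the quickest way to see what a high port actually saves you.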
jbverschoor 1478 days ago [-]
Or you can just firewall the box?
notyourday 1478 days ago [-]
For me, SSH on a standard port gets connection attempts every few minutes. SSH on a non-standard port gets connection attempts every few weeks.