Which is more common? Someone says "I don't want to end up on ___ news again" and they really mean they don't? Or they say that and they really want to? It feels like the old "Please, Br'er Fox, don't upvote this post. I don't want anyone to see it."
One important thing to always remember is that unless someone posted their article to Hacker News themselves they might have had absolutely no expectation that a huge audience was about to descend and dissect everything they wrote. They might have just been talking off the cuff, mentally noodling around or even just using the process of writing stuff down as a means to sort their thoughts. Far too often HN commenters work from the assumption that an author is intending to make A Big Point and very uncharitably deconstruct every sentence the author wrote.
It's only a matter of time before we see a reply along the lines of "OBVIOUSLY 10.15.4 did NOT break SSH, the author just didn't do X Y and Z to fix a very OBVIOUS mistake in their SSH config".
> Why would you take down the post as it’s probably useful to others?
More broadly, Tyler doesn't owe the world anything in this regard. If he wants to post it, cool. If he wants to remove it, cool.
This is so true, I wish I could upvote this twice. I've been on the receiving end of this too, where something I wrote in the moment without much thought ended up at the top of HN with a whole lot of criticism.
Hey, not sure if this is a side-effect of you taking this post down but I was interested in reading another of your posts about B2 vs S3 Glacier and am getting "Error establishing a database connection".
I wouldn’t trip at all. There are great folks on HN, and you can tell from comments who are the sour ones just because. I personally enjoy reading your posts. I worked at Apple for a long time, loved it. I still use their products and want to understand what bugs exist. I use SSH daily for many things.
The post was excellent, I’ve been locked away from Catalina updates now that my work mac is my primary Mac so I like keeping abreast of all the little gotchas I might be hitting. And it’s a great debugging chain for something that is truly weird. Sorry you’ve had bad past experiences here, the quote gave me quite a chuckle
Yeah, it's a $5/month DigitalOcean box with only my blog on it and nothing else. All assets come off a CDN and Varnish is sitting in front of WP, but looks like that still wasn't enough this time. It worked fine for my previous two HN'ings earlier this year.
Apple includes a customized version of OpenSSH. From what I recall from the last time I looked at it, the changes were mostly integrating the key retrieval mechanisms with the rest of macOS. For example, Apple's ssh-add can store key passphrase in Keychain with the -K option, and then later access those passphrase with the -A flag.
Those stored key passphrases are visible with the Keychain Access application, Kind: "application password", name: "SSH: /full/path/to/key", in the login & iCloud keychains.
> Is there nobody there that connects by hostname to a ssh server with a port > 8192?
I use alternative port but < 1023 since binding to those ports requires root. And I've never seen it being used. I'm not saying it's not, just that I did not see it in 10 years.
I'm not. Not all 'testers' actually try to test edge cases. The /good/ testers do try edge cases, but for every /good/ tester you have, you'll have hired 100+ testers who do little more than check that the standard happy-path works correctly and sign off as "passes tests".
"I've learned that Apple engineers have internal tools which allow them to delete macl xattr as well as to bypass other Catalina privacy and sandbox protections without rebooting and disabling SIP.
"Inside Apple they don't suffer the same problems as external users and developers."
Mental note for future blog post: the secret to getting onto the front page of HN is to publicly state that I do not want this blog post getting onto the front page of HN.
I feel like the subject matter also signifies. I mean, if I post a 5000-word paean to the Polistinae - they're good wasps, Brent - and say I don't want it to end up on the front page of HN, I feel like I'm not going to get what I don't want, you know?
"It just works" -- Is Apple too large now? Is this a QA problem, product team problem? Management? Catalina is still stumbling and Im surprised to be honest after the past 4 years.
My feeling is that Apple beancounters have decided macOS is mostly a gateway to Xcode for iOS development, anything else is just to help sell laptops. The stuff in "anything else" doesn't need to actually work well, just exist so it can be something on the features list.
It does help that there is no overall competitor to MacBooks in terms of ease of use or (now that the butterfly keyboard is dead) build quality.
There are decent build PC laptops but you have to run Windows or Linux on them. Windows is a dumpster fire these days with ads in the start menu, the use of "dark patterns" to herd people into MS cloud, and out of control unnecessary telemetry. Linux is fine only if you have a lot of time on your hands to troubleshoot edge case issues and hunt for drivers. Linux also still (through no fault of its own) can't run a lot of apps that many people need.
Linux is the only option IMO, but I have a very high yakshaving tolerance. That said, if you run a recent Ubuntu, most stuff "just works" as long as you don't need Photoshop or the Office suite.
Or 4k monitors, or screen sharing when running more than one monitor. That's the reason I haven't switched from macos back to linux (I was all in on linux until about 5 years ago when I started to care about display quality and working remotely).
External monitor support on macOS is terrible.
When it does work, you can't turn on HiDPI resulting in a tiny UI.
And the latest 16" macbooks simply kernel panic: https://discussions.apple.com/thread/250876794
It sucks that you are having issues with your setup, but in general macOS is the king of external monitor support.
Compare the experience with Windows for example, where disconnecting from your external monitors pushes all applications and windows to the remaining monitors, and doesn't restore them when the external monitor is reconnected.
macOS also handles mixed-DPI really well, no other vendor even comes close, Windows simply scales according to the monitor most of the application window is on, resulting in ugly resizing of applications when moving from one monitor to another.
I don't know what you're talking about with regards to "turning on HiDPI", can you elaborate?
> Compare the experience with Windows for example, where disconnecting from your external monitors pushes all applications and windows to the remaining monitors, and doesn't restore them when the external monitor is reconnected.
Huh? I have a dock that I disconnect and reconnect from all the time; windows move onto my laptop screen when I disconnect, and move back onto my docked screen when I reconnect.
Do you have multiple screens active at one time? This is really only a problem when you have multiple screens, applications don't "remember" which screen they are supposed to be on, they just go to the "primary" screen when docked.
Ah, you're right. I do use the dock screen and the laptop screen, but hadn't noticed that everything moves to the dock screen even if it was previously on the laptop screen when docked.
High-DPI is still a mess on Ubuntu (and Debian, for that matter). Last time I used Ubuntu on a 4k panel I had to manually edit some xorg config files. I'm using Debian+KDE right now and I had to manually make some adjustments (in a UI, at least) and it still randomly gets confused sometimes.
Not true for me. I've used several distros (including Ubuntu) with Gnome on my 4K XPS and the worst I've had to do is go into Gnome settings and click 200% GUI scale. I'm pretty sure Ubuntu set that automatically.
High DPI is fine as long as you have just one display. However, there's no good way to have one high-dpi display and one normal one (for example, a laptop with high dpi screen connected to a standard external monitor).
There is a good way to have mixed-dpi setup: you use Gnome-on-Wayland (for normal users who expect normal desktop) or Sway (for those who want tiling wm).
Mixed DPI is not coming to X11 displays. If you insist on X11, you are going to have bad time.
Not to mention mixed-DPI. Apple is the only vendor who actually handles HiDPI and mixed-DPI environments really well in my opinion.
macOS can scale different parts of an application differently depending on which screen it is on. So if you are in the process of moving an application from one screen to another, it doesn't change size mid-move.
Windows can't do that, and I've even seen applications where all windows belonging to an application use the same DPI (chosen based on which window is in focus), regardless of the DPI of the screen the window itself is on.
So it seems to me the integration of mixed-DPI into window rendering APIs was not well handled by the development team behind its implementation in Windows.
The most common "solution" I see is lowering the resolution of the high-DPI display, but that's not a solution, that's actually not even a workaround, it is literally removing the problem by pretending my screen is not as good as it is.
If all your monitors are 4k it works, but if you have a mix of high dpi and standard dpi monitors it does not work. And I'm betting you can't share just one of those monitors with any screen sharing software. Something I need to do frequently.
I would agree were it not for the hairy yaks. As a startup founder I just don't have time for my computer to not "just work." This is the primary thing that keeps me absolutely glued to Apple.
I do kind of like MacOS, but am concerned about their lack of strong interest in it.
I would pay for a "vertically integrated" open hardware Linux laptop. I've seen some promising projects but none are mature enough.
The second issue is apps, but that can be mitigated by having a Windows VM.
> But this entire thread of comments and even the topic of the post is proof that it really just doesn't work.
Yeah, there may actually be close to a dozen people commenting here!
>I would argue that any major Linux distro at this point "just work" just as well as MacOS
Given my perennial attempts to switch to Linux which are inevitably thwarted by aggravating driver bugs and incompatibility issues with X Windows and Wayland (both), I'm inclined to disagree.
I’m not saying it cannot work but I am saying an IT department cannot just install Ubuntu on a laptop, hand it to someone who doesn’t know how to hack at Linux, and have the display aspects “just work” with any monitor.
I have no beef with Linux, but we have to be honest about what it needs to be capable of to compete with MacOS for the general user unable or unwilling to hack at it a bit.
If the solution in any way involves "enter this command", you have lost the vast, vast majority of users. Those users will never have any idea that "Catalina broke SSH".
I think you are wrong. I have seen it happen more than once, even in my current company. Especially when companies use mostly online tools, like our case, it's a no brainer.
Do you mean I am wrong that standard users won't notice ssh broken?
You're right, my statement may have been too strong.
We do know that Catalina isn't broken for everyone though as alluded to by others in this thread. No one in my company or anyone I personally know with a MacBook has been affected. There must be another interaction happening.
Sorry, no, I mean that you can really give Ubuntu units to people and expect it to work without any issues. If this works in schools it works also for power users :)
Linux had good support for multiple monitors when I started using it in 2003. Obviously something is crashing but it's not apt to be plugging in a monitor.
I've had problems with printer drivers consistently since I switched to (K)ubuntu on the desktop in 2010ish. Since 2 years however, they are basically gone. That's thanks to IPP becoming more commonplace.
Then I'm having issues with PTP from my phone. Windows is fine but Plasma is broken. The phone also offers an MTP mode which thankfully works.
When I bought a Lenovo netbook in 2015, I was unable to set the screen brightness. It took a few years but eventually the issue got fixed with a new version of Kubuntu.
On my brand new ThinkPad T495 I'm having an issue with the graphics drivers, which crash and require me to issue an ACPI reboot when I close the lid and reopen it again. Pretty sure it's this issue as the error messages, symptoms and working workarounds all match. https://gitlab.freedesktop.org/drm/amd/issues/883
It might be that I use pretty standard hardware and don't have any fancy requirements, but really, I have evangelized several people and installed mostly Xubuntu in their laptops and I haven't had problems.
My APU stuck in OpenGL 3.3 without video hardware decoding, would like to get OpenGL 4.4 and hardware video decoding back that it had with the AMD proprietary driver.
Windows is not "absolutely fine". Ignoring the garbage heap of bad/inconsistent ui/adverts/nagware. Its just not even capable of running a lot of dev software. The guide for running ruby on rails on windows is basically just to install a linux VM.
If you pick your laptop for linux support then you will have literally no driver issues. I'm running fedora on a Dell XPS and it runs flawlessly (Well the fingerprint scanner needs a 3rd party program).
Ubuntu is generally even easier since they bundle in proprietary drivers.
As if, I bought a Linux Laptop from Asus with Ubuntu, and my APU is still to get the OpenGL 4.4 that it had with the proprietary AMD driver, instead I should be happy that the open source version at least offers me OpenGL 3.3.
Thats unlucky but it doesn't apply to all laptops. My dell XPS is currently running on a vulkan version released in 2020. AMD strangely seems to lag behind intel in drivers at the moment. Perhaps because until just now AMD laptops were rare.
I feel like they are doing random deprecations with replacements that don't work as well as the original. As in, leaving the deprecated thing unmaintained but present in the install would be a better outcome. I wonder why they are wasting so much time doing this when they appear to have a working system. I'm not even talking about big items like 32-bit support or opengl but completely random libraries that work fine.
As just another random instance, I updated my MacOS about a year ago and now I can only change the last 3 parts of my MAC address, the remainder appear to be fixed.
I know my hardware has the ability to change my entire MAC address - I don't get why they are doing this.
The leading octets in MAC addresses are often called "vendor prefixes", and are assigned to various hardware vendors. Apple probably wants to ensure that all their devices show up in ARP scans and MAC lookups as Apple devices.
To make it harder to spoof specific devices, perhaps. Commercial end-user OS vendors generally don't think your computer being able to do something implies you should have control over that capability.
This is a completely standard failure mode of large organizations. You have a product that works perfectly fine the way it is, but you also have an entire team of people whose job it is to do something with that product. The existing product has already been optimized for years and most changes are moves away from optimal rather than towards it, but they can't get paid to do nothing, so they change things that were better the way they were.
This is related to the thing where what customers want most is bug fixes for existing bugs but what marketing wants most is new features to sell to new customers and marketing tends to win, which causes the number of bugs to go up rather than down over time.
It's also a problem of company culture and career ladders. Fixing bugs and making a more stable product isn't going to line you up for a promotion - but some fancy new feature no one asked for will.
Well no business end-user or any typical Mac user is going to be bothered about something technical like 'SSH' breaking their system. Only actual devs here would care.
For those business users, it just still works. For developers it's a problem.
Macs have a fairly large share of devs, especially in the startup centers like SF and NYC. Most startups end up with macs as the default computer because of the developer experience as well as the ability to manage them for a consistent user experience using MDM solutions like Jamf or Fleetsmith (both Apple-only)
Apple's made huge inroads with developers over the last few years, partly coasting off of a social dislike for Microsoft. There's enough Apple fandom out there that they can probably annoy developers a good deal more without affecting the inroads. After all, exactly what can a dev do about it anyway?
Catalina I haven’t had much problems with, however noticed some odd stuff. Like the Apple Menu and System Preferences it reports one update available but if I go look - nothing. Then was playing with the new TV app and went to watch one of the Apple TV+ shows and all I get is a black screen with audio when watching a show.
Then even before Catalina, my AirPods mic seems to act odd, can hardly hear it and it messses with audio output too when listening to music, sounds like I’m listening to hold music on a telephone unless I disable the mic using a third party app. I think having a old Bluetooth chip might be the reason though since I have a older MacBook while it works great on my iPhone.
Almost everyone in my office has issues with Bluetooth headphones mysteriously disconnecting - the sound output drops even though Bluetooth is still connected.
As a long-time Mac user who gets irritated about something trivial within minutes of using any Linux desktop environment, I'd have to say this is pretty spot on. :)
If this tree only carried a few cherries you'd be right. By now it is such an abundant source of fruit that they'd do well by changing their logo to just this, a Catalina Cherry [1,2].
I was completely at my wit’s end and feeling like I had lost my mind until about a half hour ago. Let me start from the beginning…
I don’t have an exact date, but within the last week I realized that I was unable to ssh into my primary web server – the one that runs my business website, activation server, etc. It’s sort of the linchpin for my tiny software company. When it goes down, I get worried.
At first I thought maybe the server was down? I hadn’t received any alerts, so I did a quick check. And, yes, it was still up and running and serving web traffic. Ok, did sshd somehow become unresponsive? I login through the Linode control panel and restart the service. Still can’t login.
It’s odd. I don’t get a connection refused. Not even a timeout. It just…hangs.
That’s the ssh output with the verbose flag. Nothing. I waited 10+ minutes and it never timed out or produced any other output.
I reboot the server itself and the problem persists.
Then, I notice some more oddities. I’m able to connect using ForkLift – my FTP client, which connects via SFTP. Also, SequelPro is able to connect to MySQL via ssh as well.
And then things get even stranger. This is all happening on my iMac. I try connecting from my laptop, and it works. My MacBook Pro is at home right next to my iMac, which is refusing to login. They’re both on the same wifi and thus the same IP. So, it can’t be that my home IP address got mistakenly banned somehow.
Next, I ssh into a different server and then hop to the problematic one. It connects without any trouble. At this point I’m thinking maybe the permissions on my local private key got screwed up. So, I blow away ~/.ssh and recreate all of my keys from a backup. Still can’t login.
Ok. I think about it for a few minutes and then – aha! – I have an Ubuntu virtual machine running on this iMac inside Parallels. I’ll ssh into it and then try and connect. That will rule out if there’s just something odd about my iMac’s LAN IP. (To be clear, my home network is perfectly ordinary. Just a cable modem and a router.) So, I login to the VM, try and connect, and it works fine.
At this point here’s what I’ve found:
My iMac is the only machine that cannot login.
I’ve connected successfully from behind the same public IP using a laptop, a virtual machine, and my iPhone and iPad.
I’ve verified my ssh keys are correct and have the appropriate permissions.
I can connect to other servers from the problematic machine – both at the same hosting provider (Linode) and others (AWS and DigitalOcean).
I can connect from my iMac if I jump through any other server, first.
I start trying to think what could possibly be different about this one machine. And then it dawns on me. This all started around the time I updated my iMac to 10.15.4. My laptop is still on 10.15.3 – and, of course, the virtual machine isn’t macOS at all.
Totally grasping for straws I google for “10.15.4 ssh” and find this top result on the Apple discussion forums:
Catalina 10.15.4 SSH port > 8192 does not work when using server name instead of IP
This issue started just after upgrading to macOS Catalina 10.15.4.
After that update I am no longer able to open a SSH connection to a port greater than 8192 using server name (instead of IP). Yes, I do change the port on the server side prior to every test.
That can’t possibly be real?
Up until this point, I was connecting via a saved hostname defined in my ~/.ssh/config, which let me login simply by tying ssh some-server. So, I tried ssh ip-address -p9944 and it worked! (That server runs on an alternate ssh port.)
Ok. Time to narrow this down a bit further. I changed the server to listen on standard port 22 and tried connecting via the hostname once again.
Holy crap, it worked.
The user in the Apple forums was right. At least in my case, my one server that happened to be running on a non-standard ssh port above 8192 will not connect from Catalina 10.15.4 when using the hostname instead...
This complain and Remote Access in (so I can SSH to my $4k MacBook) disables itself anytime the computer is restarted.
But more importantly, I’ve still not found a Thunderbolt Display that doesn’t routinely crash screen manager services upon idle user activity. 3 x $300 thunderbolt3 dock solutions later and not a one hasn’t crashed this computer. All main brands, two of which sell accessories in the Apple store.
Problem also existed with a top of the line 13” MacBook Pro.
I’ve just gotten used to the shoddy-ness that is Catalina. Figure if I go to the bathroom, upon return I have a fresh, new clean desktop environment. Feature not a bug. Yay!
Caffeine might be better in this scenario, but amphetamine has some auto triggers and custom settings for keeping the system awake but still turning off the screen, etc.
Actually you just made a pretty convincing case that Homebrew has similar issues. I am already not a fan of it because I have hit too many amateurish bugs, but now I have another reason.
By the way, the word brew is also used for other things, eg. coffee or tea, and homebrew is a common metaphor for other things where amphetamine is unbiguously one thing.
Overdiagnosis & misuse etc aside the number of people using amphetamines therapeutically may well outnumber your "unambiguous" cohort by a larger fraction than drinkers do alcoholics.
I didn't say use was unambiguously non-therapeutic. I said it was unambiguously a drug. There are no famous cultural metaphors analogous to "homebrew computer club" etc. It always refers directly to the substance.
Maybe you should consider that a close family member had problems with this very recently before you call me tasteless. It is in fact really fucking stupid that some privileged Mac programmer, probably young and of limited life experience, thinks that is a cutesy name for his (yes I am assuming male) project and not the name of something ruining a lot of lives, probably thinks it's hilarious and clever. He has no taste. Opiates also have legit use. I wouldn't name a project after those either. There is a thing such as tone deafness.
I take prescribed amphetamine [0] twice every day. The taste of the name is not in the name, it's from whatever else you had in your mouth at the same time.
My issue with Catalina is that every time i open up the laptop and log in (so sleep, not reboot) it has forgotten the Apple-ID password and needs to be entered. I've tried all suggested solutions (I'm not alone) including resetting the NVMRAM etc. But so far no luck.
I'm holding off installing Catalina on my main machine. And now they seem to focus on 10.16 instead.
I've tried to find a thunderbolt3 dock that worked perfectly but none have - not even limited to Catalina. My monitors will randomly switch refresh rates or resolutions or not even display picture. Plug them into a pc and they work every single time.
I actually have one but haven't really used it yet since I decided to just use windows and be done with all the mac problems for now. Still use my MBP but only from the couch.
I have Catalina. It doesn't play nicely with a Dell D6000 powerbrick / dock.
The display is fine but it won't charge at the same time.
I have not installed the Dell 'driver'; it loads a kext so probably won't work anyway. I'm not upset about that. Docking should not require a kernel module.
That's about it. Catalina has been fine every other way.
The thing is with this charging bullshit is, it worked fine prior to 10.15.4. Prior to that version, my Mac charged and outputted to multiple screens at the same time.
This is why I went back to Mojave. Apple has had a history of breaking dev environments on release for people who don't code under their ecosystem of dev tools (well on second thought, they make life difficult at times even for people that do), and I don't see that trend changing in the future.
Eventually every new release has stabilised, but it seems that doesn't hold true for Catalina.
haha oh boy. I was actually just about to install Catalina today, figuring I'd put it off long enough and everything has to be smooth by now (and system update bugs me about it often enough)... But lo and behold, I log into HN and see this thread....
It does not prevent the red notification dot on the System Preferences app, but it does mean at least you don't get the notifications pop up on your screen.
A history of breaking dev environments? I'd argue they have a history of breaking everything on release. I do agree that they have a history of stablizing after a few months, but it's been longer than that.
Yea, Apple doesn't care about backwards comparability. You can run some ancient 32-bit Windows games on Win 10 (so long as they don't use DRM that uses low-level things like direct CD/DVD I/O). If you have a collection of physical disc Mac games, there is a good chance 0% of them run on 10.15 (or many of the releases leading up to it).
we are getting close to 10 years since I owned a Mac with an optical drive (and definitely a decade+ since I used an optical drive on my mac very often)
There is a good chance that less than 10% of your mac games from a few years ago work on current macos since they killed 32bit support. And now there will be essentially no new mac games since they will not support vulkan and stopped updating openGL.
There are plenty of new Mac games, since all game engines that matter already added Metal support and I bet that long term Apple Arcade will have more games than Desktop Linux.
So far Vulkan has been mostly a thing on Linux anyway.
The bit about a Vulkan and OpenGL isn't really accurate.
Practically no one, apart from some hobbyists working on side projects, are actually using Vulkan or Metal or D3D12 directly to make games or applications. These APIs weren't written for end-developers to use directly, they were written for engine developers.
I mean, it's fun to try. But you'll have to write something like ~1200 lines of C/C++ just to render a single triangle. It's a far cry from playing around with OpenGL immediate mode.
And to be frank, Vulkan/Metal/D3D12 are about as similar to one another as major graphics APIs have ever been. Sure, there's quite a lot of differences, but the broad strokes are more or less similar.
I agree that usually one uses a higher level API, but I've worked on commercial apps that use Metal both for graphics and compute. The code is not so unweildy as is suggested here. An old triangle test app I have here shows only about 100 lines of graphics code.
Of course, a lot of this code is code you only write once and then abstract on top of. Metal just has a lot of that abstraction "done for you" because it's only designed to work on a closed set of hardware profiles.
Vulkan requires a lot more signatures in triplicate and setup rituals. Not a bad thing, just a different target.
The main reason why I won't buy the new MacBook Air is that it's Catalina only. Good thing my Mac Mini shipped with Mojave despite my ordering it months after the Catalina release. It's really the Windows Vista of macOS.
", I’ve still not found a Thunderbolt Display that doesn’t routinely crash screen manager services upon idle user activity. "
I've been using a Dell U2515H for almost six years on my late 2013-model MBP and thunderbolt port, never had an issue. I'm also going through a Henge thunderbolt dock. It's not a macOS problem.
The monitor you have didn't properly implement the Thunderbolt spec, and since Windows has looser adherence to the spec than macOS, things work fine.
This happens with web browsers every decade or so. "Browser X" follows the Javascript spec to a tee, which breaks millions of poorly written websites, so "Browser X" has to degrade its performance or lose market share, and thus we have lots of sites that are out of spec.
Your explanation could be plausible but do you have any evidence to back it up? Most curious is the fact that people are complaining about a specific OS version with regard to the problems. Did the spec change between OS releases?
My intent was not to move the goalposts, I was just wanting you to elaborate. Even though the explanation is trivial to you, it may not be that way to others.
(A corollary to this are the forum posts starting with a technical problem and ending with the OP saying "figured it out!" and no further explanation :)
Assume this is true. Why is it a good thing? If the looser spec handling on Windows fixes the bug without introducing other problems, then from the user perspective, Windows is doing the correct thing and OSX is failing.
But it then ends up with standards being meaningless and people who are running not-Windows get screwed (like UEFI, ACPI, and various other nonsenses that "work fine" on Windows but not on Linux, etc.)
That assumes Microsoft broke the spec and the hardware was designed for it. The scenario in the thread is that the hardware broke the spec and Microsoft just made it work. I don't think that's much different than a lot of other software. Look at all the application specific code and fixes added to graphics drivers, for example.
I think Dell U2515H doesn't have Thunderbolt, only Display Port. So I wouldn't call that a Thunderbolt display, if it doesn't have ability to chain further Thunderbolt devices.
I've had a lot of compatibility issues between my U3818DW and macOS and Dell doesn't care. Even more, their support staff on their public forums don't even acknowledge their buggy USB-C implementation and insists on blaming Apple. [1]
That's true for most Macs, too: people are very prone to believing that their experience is universal rather than a hardware failure or local configuration issue.
FWIW, the monitor I talked about is the standard issue monitor for most employees (~500) at my office. My company has MBPs ranging from 2016 to 2020 of varying sizes and I've never heard anyone say anything negative about the connectivity to their monitor.
> This complain and Remote Access in (so I can SSH to my $4k MacBook) disables itself anytime the computer is restarted.
I've found IPv6 stops working after sleep, the appropriate area in the network pane is blank (I use RA not DHCPv6). Since the Mac updates its DNS records and puts IPv6 addresses in I've found accessing via hostname stops working, but then of course I can use the IPv4 address which works fine.
Yep. I turned off ipv6 support on my router an computers, and still use RA. No more issues on local network except one ... the DNS settings on my MacBook constantly revert to a default value, killing my host name access to my docket containers. But at least it’s a quick fix.
I haven’t encountered that, but have other more minor gripes.
When in clamshell and an external monitor is plugged in and you restart all you have actually done is shutdown (you you have to open up the laptop and turn it on again).
The way things break for ‘security reasons’ which you have to hunt for though the settings page. Eg VMWare Fusion won’t work unless you happen to know that it needs enabling in security settings, but some breakages are even more obscure and don’t generate an error message.
I have two CalDigit TS3+ docks (home and office). At home, I have a 4k monitor in the display port and a Thunderbolt 27" plugged into the TB3 port using an adapter. My previous dock couldnt handle the 27" at all, so I had to plug that in directly to the Mac. Usually when I needed to wake the machine, I had to unplug both the doc and the 27", log in, and then plug them back in again. Now with the CalDigit, it just works. It's also like $300, so I guess TB3 is hard and they know it =)
I am still on Mojave tho, so may suck on Catalina.
Figure this is the place to jump in here. I tried a couple cheaper docks and sent them back to Amazon immediately. I bought a CalDigit, and it's been rock solid for many months now. I connect an external display (Asus 27" 4K) to it, remove it, use the built-in display, and use it in clamshell, off and on, all through the day. Not one problem at all. There's no sugar-coating it; they're at the top of the range for TB3 docks, but mine's been worth every penny. I've been on Catalina since launch day.
I know "me too" is discouraged here but yes I have the same experience (Caldigit TS3+ dock, works great in Mojave). Expensive, yes, but at least now it's down to $250 both at apple as well as amazon.
I've tried every T3 dock available. They all have bugs that render them unusable for me. The one that was the closest to being good -- OWC 12 port I think -- wouldn't tolerate MBP sleep. After wake from overnite sleep (maybe the Mac would go to hibernate -- I didn't investigate further) the dock would need to be reset. I've never had the MPB crash though, but I haven't gone back to trying docks now with Catalina.
There certainly is something particular to your environment causing this crash. Such a bug would be in all the news.
I've been a Linux user for the last ~15 years, and now I need to do some iOS development so just a few days ago I've ordered a Mac Mini. I guess I'm in for a bumpy ride. Oh well.
I used linux on all my laptops/work machines for about 7 years, then switched to macbook pros 5 years ago. Definitely some things you have to adapt to (I still miss focus-follows-mouse). But for the most part, you'll find it's a smooth ride. When bumps like this happen, they tend to push out a fix quickly - especially when it gets traction on HN like this.
For me, focus-follows-mouse is most useful for terminal windows. It is a feature you can enable in iTerm2.
This doesn't help across applications of course, and there's a reasonable argument that the inconsistency is worse than the absence -- but for me, iTerm2's FFM feature helps.
I used a mac for almost 8 years. When things worked, and you shared the same preferences as the designers (or were willing to adapt), things were pretty good.
If you had different preferences, mostly too bad. Maybe if you reboot with system protection turned off, you can edit the config file, and hope it doesn't get reverted.
If things didn't work, like when I was getting static for audio 25% of the time I hit Play in iTunes from a shoutcast server for a whole major release, there wouldn't be any useful help on the internet. Maybe somebody had a similar problem 3 releases ago, but that fix doesn't work anymore. Other problems, or irritants are often the same way.
With Windows, most of the problems you run into are fixable, and easy to find. With an open source OS, at least you can dig in and try to fix your own problems.
It's honestly not that bad, but I'd advise to go into it with an open mind. A lot of switchers get angry at macOS when their habits from other systems don't work with it (e.g. wanting to maximize all the windows)
You don't have to have that open of a mind. I was angry at macOS because I didn't have good window management, but it was really easy to install a third party utility to do so.
I use Amethyst which is much easier to setup than my old Linux WMs. There are also tools like Yabai which are more customizable.
Sure, I guess you can also do that. I'd still advise to not go out and "fix" everything the minute you boot up OS X. It's worth learning how and why it works before you hack it.
If you're a linux user for that long you've probably got experience updating CLI utilities. That's all that's required here, simply installing a new openSSH.
I recently made the transition (from ~10yrs Linux) to Mac and it was really smooth. At the end of the day it's just a Unix system with a really nice looking Window Manager and lots of supported apps. If you don't like the included version of SSH, just use a different one, same as linux.
Offtopic but why are people using high port numbers? Additional security due to a nonstandard port? If so, does that go together with anything additional like port knocking? Or is it multiple hosts on the same IP, but different ports?
It's to keep my logs cleaner. It doesn't add any security value since the port is still open. I don't allow password auth. I was just always annoyed with how many times port 22 was getting hit everyday by attackers.
As an aside; is there a reason to host SSH on a non-standard port? I recently came across a system that had it listening to a really high port number. I dismissed it as security through (bad) obscurity but is there a valid security reason to do this?
EDIT: Thanks to everyone who answered my question! It makes sense to me now why one might do this.
It reduces the amount of endless bruteforce attempts somewhat, so log files are slightly more readable. Although recently this seems to be significantly less effective compared to the previous 20 years...
Indeed. In fact it's hammered so bad that it made my home machine crawl at times. By changing ports it went from several thousands attempts per hour to a few per day.
The author didn't say it had anything to do with security. I have one or two SSH daemons out there listening on non-standard ports because of stupid limitations of middleboxes I'm forced to use, or because they're port-forwarded through something that already listens on 22 itself.
Security-wise, it seems pointless; my daemons on random non-standard ports still get hammered, and fail2ban takes care of keeping the log spam down just as easily as it does the ones on 22.
It massively reduces the number of script kiddie attacks. It's not hard to find SSH on a non-standard port but most SKs don't know or don't bother.
Other possible reason is NAT. If you've got several machines or VMs but only one public IP you can port forward different public ports to port 22 on different machines. Not the only solution by a long way but a relatively straightforward one.
Security-through-obscurity isn't a bad thing. It's just bad to overestimate what it can do, or for it to be your only security.
I have my publicly-accessible SSH port on not-22, just to avoid the log messages from scanners. I'm well aware it does not, on its own, actually "secure" anything, but it brings more convenience to me for it to be a bit obscure, and it certainly isn't hurting anything.
Testing something that uses ssh, but the test host already has a sshd running on port 22, and one does not want to disrupt that setup for the test. Or running tests as a local, non admin, user and one does not want to bother the admin with modifying the system sshd setup for those tests.
Other reasons:
Those doing it /instead/ of running on port 22 are usually doing it for one of at least two reasons:
1) a false sense of security. If you do an internet search, you'll find plenty of blog posts boasting that using an alternate port is a security feature (it is not, it is security via obscurity); or
2) to reduce the log growth from all the script kiddie scans that target port 22 (note, no security is added here, but one's log files don't grow quite as rapidly either).
Slighty reduces your risk from all the automated spam. Most things that are scanning the entire internet trying to brute force weak passwords and stuff aren't trying 65,000 ports on each host. Any sort of worm/botnet will probably be in the same situation.
The only hosts we have with any SSH exposed to the world at all are a couple of bastion hosts. Day-to-day we access everything else through a VPN, so its only exposed at all as an emergency backup in case the VPN breaks. Really no inconvenience to having it moved to a high port.
IMHO, this isn't "security through obscurity" but it's a way of weeding out automated attacks and reducing logs filling up with completely avoidable entries. I'd say it has valid "sysadmin" reasons but not "security" ones.
Given 2 boxes with the exact same SSH setup (key auth, fail2ban, or whatever else you use) I'd prefer to admin the one with a non-standard port solely for the fact that it's not undergoing constant attack which uses resources (albeit tiny).
There are pros and cons. It does mean that you should get less ssh bot spam but it also means that you run ssh on a non privileged port - one that a malicious application running as non-root might attempt to exploit.
There's actually a good reason to not use SSH on a non-privileged port: It allows an unprivileged user to bind their own binary to the port when SSH restarts or otherwise stops listening.
That unprivileged user will not have the SSH host key, which will create a warning for any user who connects, just as though someone had conducted a man-in-the-middle attack.
Of course, there are plenty of privileged ports to choose from.
I use Chrome SSH to ssh into my WSL2 debian instance on Windows 10. Native terminals don't support mouse events. But port 22 can already be in use by the host system, so I have WSL2 configured to listen on port 222
> I'm not sure what's the current state, but there are features on SSH I wasn't able to use due to the version provided being old.
> I know that `Include` on `config` is/was one.
That's both terribly out of date info and hardly ever true as far as I can tell.
The Include directive was a new feature of OpenSSH 7.3, released on 2016-08-01.[1] Apple shipped OpenSSH 7.3 in macOS 10.12.2[2][3], released on 2016-12-13. That's a very reasonable four months gap.
I only use the system ssh because stock OpenSSH didn't integrate well with system keychain many years ago (not sure about the current state). But I've been using the Include directive for a long time.
I thought Homebrew patched OpensSSH using Apple's keychain patch, but looking at the formula right now I see
# Please don't resubmit the keychain patch option. It will never be accepted.
# https://github.com/Homebrew/homebrew-dupes/pull/482#issuecomment-118994372
Sadly the homebrew-dupes repo seems to have been deleted so this comment can't be read anymore.
> We are uncomfortable continually supporting a 1900+ line patch which upstream hasn't signed off on that has the potential to both compromise OpenSSH security and Keychain security. From 10.11 it will also be impossible to edit plists in /System/* without disabling rootless, which isn't a configuration we'll be intentionally supporting.
Oh god no. Homebrew managing openssh has been the cause of more command-line instability and forced reinstalls than anything else I’ve encountered in the last few years of OS X (sorry, macOS). I’ve started installing stuff from source again just to prevent a cascade of Homebrew upgrades breaking everything.
Never experienced this in a decade or so of using Homebrew's OpenSSH, but you can absolutely use something other than Homebrew to get a more up-to-date and standard OpenSSH install if you prefer.
I sometimes use NetBSD's pkgsrc on macOS because it installs super cleanly in any prefix you like and never, ever breaks the system. It doesn't have everything, and you will occasionally encounter a package that won't build, but it doesn't even dream of taking over /usr/local or disrupting your system. You could install it into your home directory if you wanted to (which I have done, on systems where I don't have root or enough ownership to just throw things anywhere)
I always build SSH from source myself using my own scripts and meta-makefiles. Both the most recent OpenSSH release, and the latest one supported by HPN-SSH (for use on high-latency links).
OpenSSH 8.2p1 notably has support for using FIDO U2F 2FA keys to secure SSH keys, it works perfectly, as long as your server also runs 8.2p1 (only the client needs to be compiled with libFIDO2).
As for the Catalina train wreck, it's clear both hardware and software quality is on a severe downward trend at Apple, you can either rant and moan about it, or take control back by switching to Linux or BSD, which is what I am doing, very slowly and deliberately.
I had the same problem on a MacBook after upgrading to 10.15.4. However, I wasn't using a port number higher than 8192, the socket was 75 with a hostname. The problem was solved when I replaced the hostname with its IP or plugged in an Ethernet Cable. I tried to restart mDNSResponder and flush the dns cache and switch to a different DNS server. Nothing works so far.
Security through obscurity shouldn’t be used as an edict that something is not effective. You are talking about the fact that it doesn’t increase the security of the protocol itself or the passphrases/keys used. This is true. However, there are tons of bots out there that scan 22 and try to exploit common logins. There are presumably quite a few less that are port scanning every machine for every possible high port and attempting to handshake ssh and then try logins. Do you disagree with that? If not, this is not security through obscurity, it has a very real impact on the volume of bots that have knowledge that this service is running and are actively exploiting it. It’s just a different type of security, it’s discoverability of the service.
Here’s another example. Say you have a web server running that is only for internal employee use. But you want to expose it externally so that they can reach it without a VPN. Even if you follow proper security protocols, why would you not turn off search engine indexing on this page, and limit the pages that link to it? It will not increase the inherent security of the protocol or the user accounts, but it will drastically lower the # of bots using up CPU and iptables entries trying to fail2ban or blacklist them.
Security is a spectrum and you want to have defense in depth. Moving ssh to a nonstandard port is a security best practice and you shouldn’t be advising people not to use it. But should they also have good key setting, fail2ban, ip whitelisting/blacklisting, etc? Of course they should.
In time, any server with port 22 exposed to the Internet will have a system log with hundreds of failed authentication attempts per minute from IP addresses all over the world. By simply moving it to a high port number, the attempts are rare and troubleshooting is easier without all the noise.
And it is script kiddies, typically the login is root, ubuntu, or similar and a password of password, god, other silly things that people actually use.
In that code, the only thing that can set the "strport" value that is used in the log is a call to getnameinfo().
If that string is corrupted in any way, e.g. not terminated or perhaps has invisible characters that trigger bad terminal behavior (such as invisibility), the act of logging it might produce the apparent hang seen here.
Again, a guess but it is possible that getnameinfo() is not necessarily processing the record correctly (for whatever reason). One such example is in the "getnameinfo" man page at the end, under CAVEATS, where they show an example of not simply trusting the result of the first call.
Good sleuthing, but the missing port number is simpler than that. I just blacked it out of the screenshot. I know very well that running sshd on a non-standard port has no benefits security-wise, but it does lessen the length of my log files from dumb script kiddies. I redacted the port in the screenshot for that reason.
Have you tried running ssh in lldb/gdb and dumping a stacktrace when it hangs? Might have to copy the ssh binary to a temp dir to avoid SIP denying ptrace.
The verbose output didn't seem to point out the exact system call or libc call that got stuck. A lldb/gdb bt stacktrace could pinpoint what's hanging (for example, some people mentioned parsing /etc/services). I don't think this has been resolved yet?
>I know very well that running sshd on a non-standard port has no benefits security-wise
I don't know if Mac OS is different but on other unices ports above 1024 are not privileged, meaning that anybody can bind them. Now it increases the attack surface only a tiny bit (you have to have your sshd offline, and the attacker have local access, and them bind a fake sshd to your port in order to MitM. And even then they won't be able to spoof the server key unless it's not chmoded correctly).
Still, better safe than sorry IMO, I also use a non-standard sshd port but I keep it in the low range. In my experience it's more than sufficient to get rid of 99% of dumb attacks that generally don't bother looking beyond port 22.
I think using a non-standard port is a good layer of security, among other layers.
My personal suggestion though is to use 1022 because it's below 1024. This means only root is allowed to bind to it. Preventing possible connection jacking attacks if an attacker is able to crash your own server and run theirs to harvest your passwords.
You can just get the security patches for Mojave. You are trying to make it sound like of you are on previous version there are no security patches. Factually untrue.
> I’m not even going to go into it. I don’t want to end up on Hacker News again bitching about Catalina. I just hope I’ve stuffed this post with enough keywords so that anyone else searching on Google might come across the answer.
Apple's stance is that it didn't happen unless someone reports it using Radar (internal) or bugreport.apple.com (external). Unfortunately, they don't believe in Linus's Law, which states that "given enough eyeballs, all bugs are shallow."
364 comments
[ 4.6 ms ] story [ 234 ms ] threadWelp.
(I'm about 80% kidding but amused. Lockdown.)
One important thing to always remember is that unless someone posted their article to Hacker News themselves they might have had absolutely no expectation that a huge audience was about to descend and dissect everything they wrote. They might have just been talking off the cuff, mentally noodling around or even just using the process of writing stuff down as a means to sort their thoughts. Far too often HN commenters work from the assumption that an author is intending to make A Big Point and very uncharitably deconstruct every sentence the author wrote.
It's only a matter of time before we see a reply along the lines of "OBVIOUSLY 10.15.4 did NOT break SSH, the author just didn't do X Y and Z to fix a very OBVIOUS mistake in their SSH config".
> Why would you take down the post as it’s probably useful to others?
More broadly, Tyler doesn't owe the world anything in this regard. If he wants to post it, cool. If he wants to remove it, cool.
That's my intent. I'll put it back online for others to find once the fuss dies down.
https://tyler.io/followup-comparing-my-current-b2-storage-co...
Actually now I look at it, a lot of pages don't seem to work. I guess it's just the classic Hacker News friendly DDOS.
dang, join in if you must.
Their 10.15.4 macOS built-in ssh terminal command is unable to reach hostnames when a port number higher than 8192 is used.
EDIT:
Comments differ; one indicates issues SSH'ing to lower than 8192 ports, another indicates no issues SSH'ing to higher than 8192 ports.
ssh-add -A > /dev/null
... and one default value to place in your ssh config file...
AddToKeychain Yes
... to get around this issue. It works fine after that.
(On mobile. Sorry for formatting)
(Granted, multi-user hosts are very rare nowadays).
I use alternative port but < 1023 since binding to those ports requires root. And I've never seen it being used. I'm not saying it's not, just that I did not see it in 10 years.
So it probably really is not that common.
The good testers all tend to fall into what Bruce Schneier calls the 'Security Mindset' way of thinking: https://www.schneier.com/blog/archives/2008/03/the_security_...
Yeah, but surely macOS devs are eating their own dog food.
"Inside Apple they don't suffer the same problems as external users and developers."
— https://twitter.com/lapcatsoftware/status/121929275891082854...
Hahaha
There are decent build PC laptops but you have to run Windows or Linux on them. Windows is a dumpster fire these days with ads in the start menu, the use of "dark patterns" to herd people into MS cloud, and out of control unnecessary telemetry. Linux is fine only if you have a lot of time on your hands to troubleshoot edge case issues and hunt for drivers. Linux also still (through no fault of its own) can't run a lot of apps that many people need.
Compare the experience with Windows for example, where disconnecting from your external monitors pushes all applications and windows to the remaining monitors, and doesn't restore them when the external monitor is reconnected.
macOS also handles mixed-DPI really well, no other vendor even comes close, Windows simply scales according to the monitor most of the application window is on, resulting in ugly resizing of applications when moving from one monitor to another.
I don't know what you're talking about with regards to "turning on HiDPI", can you elaborate?
Huh? I have a dock that I disconnect and reconnect from all the time; windows move onto my laptop screen when I disconnect, and move back onto my docked screen when I reconnect.
What's wrong with 4k monitors? I'm typing this on Fedora machine with one (default install with no tinkering, Gnome on Wayland).
Mixed DPI is not coming to X11 displays. If you insist on X11, you are going to have bad time.
macOS can scale different parts of an application differently depending on which screen it is on. So if you are in the process of moving an application from one screen to another, it doesn't change size mid-move.
Windows can't do that, and I've even seen applications where all windows belonging to an application use the same DPI (chosen based on which window is in focus), regardless of the DPI of the screen the window itself is on.
So it seems to me the integration of mixed-DPI into window rendering APIs was not well handled by the development team behind its implementation in Windows.
The most common "solution" I see is lowering the resolution of the high-DPI display, but that's not a solution, that's actually not even a workaround, it is literally removing the problem by pretending my screen is not as good as it is.
I do kind of like MacOS, but am concerned about their lack of strong interest in it.
I would pay for a "vertically integrated" open hardware Linux laptop. I've seen some promising projects but none are mature enough.
The second issue is apps, but that can be mitigated by having a Windows VM.
I would argue that any major Linux distro at this point "just work" just as well as MacOS
Yeah, there may actually be close to a dozen people commenting here!
>I would argue that any major Linux distro at this point "just work" just as well as MacOS
Given my perennial attempts to switch to Linux which are inevitably thwarted by aggravating driver bugs and incompatibility issues with X Windows and Wayland (both), I'm inclined to disagree.
I have no beef with Linux, but we have to be honest about what it needs to be capable of to compete with MacOS for the general user unable or unwilling to hack at it a bit.
If the solution in any way involves "enter this command", you have lost the vast, vast majority of users. Those users will never have any idea that "Catalina broke SSH".
You're right, my statement may have been too strong.
We do know that Catalina isn't broken for everyone though as alluded to by others in this thread. No one in my company or anyone I personally know with a MacBook has been affected. There must be another interaction happening.
Then I'm having issues with PTP from my phone. Windows is fine but Plasma is broken. The phone also offers an MTP mode which thankfully works.
When I bought a Lenovo netbook in 2015, I was unable to set the screen brightness. It took a few years but eventually the issue got fixed with a new version of Kubuntu.
On my brand new ThinkPad T495 I'm having an issue with the graphics drivers, which crash and require me to issue an ACPI reboot when I close the lid and reopen it again. Pretty sure it's this issue as the error messages, symptoms and working workarounds all match. https://gitlab.freedesktop.org/drm/amd/issues/883
https://rubyinstaller.org/ Ruby for Windows.
I don't know why Ruby on Rails require Linux, but those reasons are not technical.
Ubuntu is generally even easier since they bundle in proprietary drivers.
I know my hardware has the ability to change my entire MAC address - I don't get why they are doing this.
The leading octets in MAC addresses are often called "vendor prefixes", and are assigned to various hardware vendors. Apple probably wants to ensure that all their devices show up in ARP scans and MAC lookups as Apple devices.
This is related to the thing where what customers want most is bug fixes for existing bugs but what marketing wants most is new features to sell to new customers and marketing tends to win, which causes the number of bugs to go up rather than down over time.
For those business users, it just still works. For developers it's a problem.
UNIX developers, well, support OEMs that sell BSD and GNU/Linux laptops.
Then even before Catalina, my AirPods mic seems to act odd, can hardly hear it and it messses with audio output too when listening to music, sounds like I’m listening to hold music on a telephone unless I disable the mic using a third party app. I think having a old Bluetooth chip might be the reason though since I have a older MacBook while it works great on my iPhone.
Very annoying and can't find a resolution.
I can't blame them too much. It's probably worth it.
[1] https://en.wikipedia.org/wiki/Prunus_ilicifolia
[2] https://calscape.org/Prunus-ilicifolia-ssp.-lyonii-(Catalina...
I was completely at my wit’s end and feeling like I had lost my mind until about a half hour ago. Let me start from the beginning…
I don’t have an exact date, but within the last week I realized that I was unable to ssh into my primary web server – the one that runs my business website, activation server, etc. It’s sort of the linchpin for my tiny software company. When it goes down, I get worried.
At first I thought maybe the server was down? I hadn’t received any alerts, so I did a quick check. And, yes, it was still up and running and serving web traffic. Ok, did sshd somehow become unresponsive? I login through the Linode control panel and restart the service. Still can’t login.
It’s odd. I don’t get a connection refused. Not even a timeout. It just…hangs.
That’s the ssh output with the verbose flag. Nothing. I waited 10+ minutes and it never timed out or produced any other output.
I reboot the server itself and the problem persists.
Then, I notice some more oddities. I’m able to connect using ForkLift – my FTP client, which connects via SFTP. Also, SequelPro is able to connect to MySQL via ssh as well.
And then things get even stranger. This is all happening on my iMac. I try connecting from my laptop, and it works. My MacBook Pro is at home right next to my iMac, which is refusing to login. They’re both on the same wifi and thus the same IP. So, it can’t be that my home IP address got mistakenly banned somehow.
Next, I ssh into a different server and then hop to the problematic one. It connects without any trouble. At this point I’m thinking maybe the permissions on my local private key got screwed up. So, I blow away ~/.ssh and recreate all of my keys from a backup. Still can’t login.
Ok. I think about it for a few minutes and then – aha! – I have an Ubuntu virtual machine running on this iMac inside Parallels. I’ll ssh into it and then try and connect. That will rule out if there’s just something odd about my iMac’s LAN IP. (To be clear, my home network is perfectly ordinary. Just a cable modem and a router.) So, I login to the VM, try and connect, and it works fine.
At this point here’s what I’ve found:
My iMac is the only machine that cannot login. I’ve connected successfully from behind the same public IP using a laptop, a virtual machine, and my iPhone and iPad. I’ve verified my ssh keys are correct and have the appropriate permissions. I can connect to other servers from the problematic machine – both at the same hosting provider (Linode) and others (AWS and DigitalOcean). I can connect from my iMac if I jump through any other server, first. I start trying to think what could possibly be different about this one machine. And then it dawns on me. This all started around the time I updated my iMac to 10.15.4. My laptop is still on 10.15.3 – and, of course, the virtual machine isn’t macOS at all.
Totally grasping for straws I google for “10.15.4 ssh” and find this top result on the Apple discussion forums:
Catalina 10.15.4 SSH port > 8192 does not work when using server name instead of IP
This issue started just after upgrading to macOS Catalina 10.15.4.
After that update I am no longer able to open a SSH connection to a port greater than 8192 using server name (instead of IP). Yes, I do change the port on the server side prior to every test.
That can’t possibly be real?
Up until this point, I was connecting via a saved hostname defined in my ~/.ssh/config, which let me login simply by tying ssh some-server. So, I tried ssh ip-address -p9944 and it worked! (That server runs on an alternate ssh port.)
Ok. Time to narrow this down a bit further. I changed the server to listen on standard port 22 and tried connecting via the hostname once again.
Holy crap, it worked.
The user in the Apple forums was right. At least in my case, my one server that happened to be running on a non-standard ssh port above 8192 will not connect from Catalina 10.15.4 when using the hostname instead...
This complain and Remote Access in (so I can SSH to my $4k MacBook) disables itself anytime the computer is restarted.
But more importantly, I’ve still not found a Thunderbolt Display that doesn’t routinely crash screen manager services upon idle user activity. 3 x $300 thunderbolt3 dock solutions later and not a one hasn’t crashed this computer. All main brands, two of which sell accessories in the Apple store.
Problem also existed with a top of the line 13” MacBook Pro.
I’ve just gotten used to the shoddy-ness that is Catalina. Figure if I go to the bathroom, upon return I have a fresh, new clean desktop environment. Feature not a bug. Yay!
http://lightheadsw.com/caffeine/
The one you linked to looks like a simple wrapper of caffeinate(8).
Edit: guessing that downvoters haven't encountered a lot of people suffering from addiction
Amphetamines have legitimate therapeutic uses, it's not only crippling addiction.
By the way, the word brew is also used for other things, eg. coffee or tea, and homebrew is a common metaphor for other things where amphetamine is unbiguously one thing.
Tasteless comment.
Maybe you should consider that a close family member had problems with this very recently before you call me tasteless. It is in fact really fucking stupid that some privileged Mac programmer, probably young and of limited life experience, thinks that is a cutesy name for his (yes I am assuming male) project and not the name of something ruining a lot of lives, probably thinks it's hilarious and clever. He has no taste. Opiates also have legit use. I wouldn't name a project after those either. There is a thing such as tone deafness.
[0]: https://en.m.wikipedia.org/wiki/Lisdexamfetamine
I'm holding off installing Catalina on my main machine. And now they seem to focus on 10.16 instead.
The display is fine but it won't charge at the same time.
I have not installed the Dell 'driver'; it loads a kext so probably won't work anyway. I'm not upset about that. Docking should not require a kernel module.
That's about it. Catalina has been fine every other way.
Eventually every new release has stabilised, but it seems that doesn't hold true for Catalina.
https://www.macworld.com/article/3447396/how-to-stop-getting...
It does not prevent the red notification dot on the System Preferences app, but it does mean at least you don't get the notifications pop up on your screen.
So far Vulkan has been mostly a thing on Linux anyway.
Practically no one, apart from some hobbyists working on side projects, are actually using Vulkan or Metal or D3D12 directly to make games or applications. These APIs weren't written for end-developers to use directly, they were written for engine developers.
I mean, it's fun to try. But you'll have to write something like ~1200 lines of C/C++ just to render a single triangle. It's a far cry from playing around with OpenGL immediate mode.
And to be frank, Vulkan/Metal/D3D12 are about as similar to one another as major graphics APIs have ever been. Sure, there's quite a lot of differences, but the broad strokes are more or less similar.
Of course, a lot of this code is code you only write once and then abstract on top of. Metal just has a lot of that abstraction "done for you" because it's only designed to work on a closed set of hardware profiles.
Vulkan requires a lot more signatures in triplicate and setup rituals. Not a bad thing, just a different target.
My "fix" was to go HDMI to USB-C (instead of Thunderbold to USB-C).
I understand this might not be viable for everyone, but it resolved the issue for me.
I've been using a Dell U2515H for almost six years on my late 2013-model MBP and thunderbolt port, never had an issue. I'm also going through a Henge thunderbolt dock. It's not a macOS problem.
The monitor you have didn't properly implement the Thunderbolt spec, and since Windows has looser adherence to the spec than macOS, things work fine.
This happens with web browsers every decade or so. "Browser X" follows the Javascript spec to a tee, which breaks millions of poorly written websites, so "Browser X" has to degrade its performance or lose market share, and thus we have lots of sites that are out of spec.
Make sense?
I have evidence in other domains, as per my example.
But thanks for moving the goalpost. /salute/
OP asked for an explanation, I gave one. Was it correct? I don't know, I just provide reasoning skills.
(A corollary to this are the forum posts starting with a technical problem and ending with the OP saying "figured it out!" and no further explanation :)
https://www.dell.com/en-us/work/shop/accessories/apd/210-arc...
[1]: https://old.reddit.com/r/UsbCHardware/comments/ettgrg/dell_r...
I've found IPv6 stops working after sleep, the appropriate area in the network pane is blank (I use RA not DHCPv6). Since the Mac updates its DNS records and puts IPv6 addresses in I've found accessing via hostname stops working, but then of course I can use the IPv4 address which works fine.
I am still on Mojave tho, so may suck on Catalina.
I've tried every T3 dock available. They all have bugs that render them unusable for me. The one that was the closest to being good -- OWC 12 port I think -- wouldn't tolerate MBP sleep. After wake from overnite sleep (maybe the Mac would go to hibernate -- I didn't investigate further) the dock would need to be reset. I've never had the MPB crash though, but I haven't gone back to trying docks now with Catalina.
There certainly is something particular to your environment causing this crash. Such a bug would be in all the news.
You just mean that hover over a lower window allows scrolling right? MacOS has that.
https://en.wikipedia.org/wiki/Focus_(computing)#Focus_follow...
This doesn't help across applications of course, and there's a reasonable argument that the inconsistency is worse than the absence -- but for me, iTerm2's FFM feature helps.
If you had different preferences, mostly too bad. Maybe if you reboot with system protection turned off, you can edit the config file, and hope it doesn't get reverted.
If things didn't work, like when I was getting static for audio 25% of the time I hit Play in iTunes from a shoutcast server for a whole major release, there wouldn't be any useful help on the internet. Maybe somebody had a similar problem 3 releases ago, but that fix doesn't work anymore. Other problems, or irritants are often the same way.
With Windows, most of the problems you run into are fixable, and easy to find. With an open source OS, at least you can dig in and try to fix your own problems.
I use Amethyst which is much easier to setup than my old Linux WMs. There are also tools like Yabai which are more customizable.
I recently made the transition (from ~10yrs Linux) to Mac and it was really smooth. At the end of the day it's just a Unix system with a really nice looking Window Manager and lots of supported apps. If you don't like the included version of SSH, just use a different one, same as linux.
EDIT: Thanks to everyone who answered my question! It makes sense to me now why one might do this.
Security-wise, it seems pointless; my daemons on random non-standard ports still get hammered, and fail2ban takes care of keeping the log spam down just as easily as it does the ones on 22.
Other possible reason is NAT. If you've got several machines or VMs but only one public IP you can port forward different public ports to port 22 on different machines. Not the only solution by a long way but a relatively straightforward one.
I have my publicly-accessible SSH port on not-22, just to avoid the log messages from scanners. I'm well aware it does not, on its own, actually "secure" anything, but it brings more convenience to me for it to be a bit obscure, and it certainly isn't hurting anything.
Testing something that uses ssh, but the test host already has a sshd running on port 22, and one does not want to disrupt that setup for the test. Or running tests as a local, non admin, user and one does not want to bother the admin with modifying the system sshd setup for those tests.
Other reasons:
Those doing it /instead/ of running on port 22 are usually doing it for one of at least two reasons:
1) a false sense of security. If you do an internet search, you'll find plenty of blog posts boasting that using an alternate port is a security feature (it is not, it is security via obscurity); or
2) to reduce the log growth from all the script kiddie scans that target port 22 (note, no security is added here, but one's log files don't grow quite as rapidly either).
The only hosts we have with any SSH exposed to the world at all are a couple of bastion hosts. Day-to-day we access everything else through a VPN, so its only exposed at all as an emergency backup in case the VPN breaks. Really no inconvenience to having it moved to a high port.
Given 2 boxes with the exact same SSH setup (key auth, fail2ban, or whatever else you use) I'd prefer to admin the one with a non-standard port solely for the fact that it's not undergoing constant attack which uses resources (albeit tiny).
Of course, there are plenty of privileged ports to choose from.
https://www.google.com/search?q=random+number+between+1+and+...
I'm not sure what's the current state, but there are features on SSH I wasn't able to use due to the version provided being old.
I know that `Include` on `config` is/was one.
This is something I use frequently that wasn't available on previous built in versions.> I know that `Include` on `config` is/was one.
That's both terribly out of date info and hardly ever true as far as I can tell.
The Include directive was a new feature of OpenSSH 7.3, released on 2016-08-01.[1] Apple shipped OpenSSH 7.3 in macOS 10.12.2[2][3], released on 2016-12-13. That's a very reasonable four months gap.
I only use the system ssh because stock OpenSSH didn't integrate well with system keychain many years ago (not sure about the current state). But I've been using the Include directive for a long time.
[1] https://www.openssh.com/txt/release-7.3
[2] https://opensource.apple.com/release/macos-10122.html
[3] https://opensource.apple.com/source/OpenSSH/OpenSSH-209.30.4...
They're kinda bad at that in general :/
> We are uncomfortable continually supporting a 1900+ line patch which upstream hasn't signed off on that has the potential to both compromise OpenSSH security and Keychain security. From 10.11 it will also be impossible to edit plists in /System/* without disabling rootless, which isn't a configuration we'll be intentionally supporting.
Since you crossed that line, do yourself a favour and check out nixpkg.
Homebrew wants to screw around in /usr, Macports installs itself in /opt and doesn't interfere with things in the MacOS world.
Set your PATH to have /opt/local/{bin,sbin} and everything Just Works.
OpenSSH 8.2p1 notably has support for using FIDO U2F 2FA keys to secure SSH keys, it works perfectly, as long as your server also runs 8.2p1 (only the client needs to be compiled with libFIDO2).
As for the Catalina train wreck, it's clear both hardware and software quality is on a severe downward trend at Apple, you can either rant and moan about it, or take control back by switching to Linux or BSD, which is what I am doing, very slowly and deliberately.
Shocking!
Granted high ports shouldn't be broken, but running SSH on a non-standard port is security (read obscurity) theater at best.
There's really not much benefit, unless you need multiple sshds on the same IP, but at that point I'd question the sanity of the approach.
Here’s another example. Say you have a web server running that is only for internal employee use. But you want to expose it externally so that they can reach it without a VPN. Even if you follow proper security protocols, why would you not turn off search engine indexing on this page, and limit the pages that link to it? It will not increase the inherent security of the protocol or the user accounts, but it will drastically lower the # of bots using up CPU and iptables entries trying to fail2ban or blacklist them.
Security is a spectrum and you want to have defense in depth. Moving ssh to a nonstandard port is a security best practice and you shouldn’t be advising people not to use it. But should they also have good key setting, fail2ban, ip whitelisting/blacklisting, etc? Of course they should.
For whom? Could you please cite this?
In his screenshot the bad login hangs at "Connecting to clickontyler.com port" (noting that no port number appears and no period at the end).
While I can’t be sure exactly which "ssh" patch Apple may have, this seems to be the relevant file and logging code (starting at line 448):
https://github.com/openssh/openssh-portable/blob/master/sshc...
In that code, the only thing that can set the "strport" value that is used in the log is a call to getnameinfo().
If that string is corrupted in any way, e.g. not terminated or perhaps has invisible characters that trigger bad terminal behavior (such as invisibility), the act of logging it might produce the apparent hang seen here.
Again, a guess but it is possible that getnameinfo() is not necessarily processing the record correctly (for whatever reason). One such example is in the "getnameinfo" man page at the end, under CAVEATS, where they show an example of not simply trusting the result of the first call.
> So, I tried ssh ip-address -pXXXXXXXXX
I don't know if Mac OS is different but on other unices ports above 1024 are not privileged, meaning that anybody can bind them. Now it increases the attack surface only a tiny bit (you have to have your sshd offline, and the attacker have local access, and them bind a fake sshd to your port in order to MitM. And even then they won't be able to spoof the server key unless it's not chmoded correctly).
Still, better safe than sorry IMO, I also use a non-standard sshd port but I keep it in the low range. In my experience it's more than sufficient to get rid of 99% of dumb attacks that generally don't bother looking beyond port 22.
My personal suggestion though is to use 1022 because it's below 1024. This means only root is allowed to bind to it. Preventing possible connection jacking attacks if an attacker is able to crash your own server and run theirs to harvest your passwords.
The issue with them is lack of testing before deploying them.
> I’m not even going to go into it. I don’t want to end up on Hacker News again bitching about Catalina. I just hope I’ve stuffed this post with enough keywords so that anyone else searching on Google might come across the answer.
(Guest in my test: OpenSSH 7.6p1 on ubuntu bionic, stock config other than sshd port.)