I think Catalina 10.15.4 broke SSH (tyler.io)
733 points by chmaynard 8 months ago | 340 comments


99.999% of all of us got that just from the title, thanks. Congrats on puzzling it out.

I didn't and funny you'd think Mac userbase is that big

Mac users are not the only group who know what those words mean.

Yeah, I don't use macOS and I don't own any Apple computer. But a weird California location name + version number 10 is a dead giveaway.

I didn't know Catalina was a California location either; to me it is just a female name. I actually thought she might be a contributor to the SSH project.

You thought "Catalina 10.15.4" referred to a human woman? Come on.

A prominent branch of a project named after the maintainer, accompanied by a version number?

That's a reasonable option for what "Catalina" might mean from context clues. Have you never run Alan Cox or Con Kolivas?

> That's a reasonable option for what "Catalina" might mean from context clues.

Agreed! But my comment was in reply to someone who wants you to believe that he genuinely read "99.999%" as a claim about the size of the Mac user base. His game is not one of context clues, and you don't need to play it.

yeah the numbers were weird but thought there's plenty of crazy usernames out there. Didn't pay a lot of attention though, went through the comments and saw it was about Mac and I could safely ignore it.

Sounds like you used the site as intended.

On a website whose primary audience is technology professionals, it's reasonable to assume that a significant portion of the audience can recognise the version name of a computer operating system that is at least the second most-popular in the world, and possibly the most popular among this site's audience.

But it's also part of HN's ethos that not everything has to be spelled out all the time, and that it's OK if users sometimes have to "work a little":


People who have or care about Apple products were likely to get that, but the title says "SSH", not "Apple". "Catalina 10" means absolutely nothing to almost everyone.

Those people can search it up, rather than being told about "Apple's proprietary MacOS [sic] operating system".

it's more like referring to the specific animal that represents the release of Ubuntu you want to talk about.

Not that many people would understand 'I think Eoan Ermine 19.10 broke SSH'.

Plenty of people understand 'I think Ubuntu 19.10 broke SSH', or 'I think macOS 10.15.4 broke SSH'.

To be fair, I would have written 'macOS 10.15.4' rather than 'Catalina 10.15.4' partly for this reason (macOS is a stronger brand), but also partly because I think it's more accurate/less redundant.

To summarize OP:

Their 10.15.4 macOS built-in ssh terminal command is unable to reach hostnames when a port number higher than 8192 is used.


Comments differ; one indicates issues SSH'ing to lower than 8192 ports, another indicates no issues SSH'ing to higher than 8192 ports.


Catalina is broken in many ways.

This complain and Remote Access in (so I can SSH to my $4k MacBook) disables itself anytime the computer is restarted.

But more importantly, I’ve still not found a Thunderbolt Display that doesn’t routinely crash screen manager services upon idle user activity. 3 x $300 thunderbolt3 dock solutions later and not a one hasn’t crashed this computer. All main brands, two of which sell accessories in the Apple store.

Problem also existed with a top of the line 13” MacBook Pro.

I’ve just gotten used to the shoddiness that is Catalina. Figure if I go to the bathroom, upon return I have a fresh, new clean desktop environment. Feature not a bug. Yay!

This is why I went back to Mojave. Apple has had a history of breaking dev environments on release for people who don't code under their ecosystem of dev tools (well on second thought, they make life difficult at times even for people that do), and I don't see that trend changing in the future.

Eventually every new release has stabilised, but it seems that doesn't hold true for Catalina.

A history of breaking dev environments? I'd argue they have a history of breaking everything on release. I do agree that they have a history of stabilizing after a few months, but it's been longer than that.

Yeah, Apple doesn't care about backwards compatibility. You can run some ancient 32-bit Windows games on Win 10 (so long as they don't use DRM that uses low-level things like direct CD/DVD I/O). If you have a collection of physical disc Mac games, there is a good chance 0% of them run on 10.15 (or many of the releases leading up to it).

There is a good chance that less than 10% of your Mac games from a few years ago work on current macOS since they killed 32-bit support. And now there will be essentially no new Mac games since they will not support Vulkan and stopped updating OpenGL.

The bit about Vulkan and OpenGL isn't really accurate.

Practically no one, apart from some hobbyists working on side projects, is actually using Vulkan or Metal or D3D12 directly to make games or applications. These APIs weren't written for end-developers to use directly; they were written for engine developers.

I mean, it's fun to try. But you'll have to write something like ~1200 lines of C/C++ just to render a single triangle. It's a far cry from playing around with OpenGL immediate mode.

And to be frank, Vulkan/Metal/D3D12 are about as similar to one another as major graphics APIs have ever been. Sure, there's quite a lot of differences, but the broad strokes are more or less similar.

I agree that usually one uses a higher level API, but I've worked on commercial apps that use Metal both for graphics and compute. The code is not so unwieldy as is suggested here. An old triangle test app I have here shows only about 100 lines of graphics code.

In Metal, yes. In Vulkan it's a lot more.

Of course, a lot of this code is code you only write once and then abstract on top of. Metal just has a lot of that abstraction "done for you" because it's only designed to work on a closed set of hardware profiles.

Vulkan requires a lot more signatures in triplicate and setup rituals. Not a bad thing, just a different target.

There are plenty of new Mac games, since all game engines that matter already added Metal support and I bet that long term Apple Arcade will have more games than Desktop Linux.

So far Vulkan has been mostly a thing on Linux anyway.

we are getting close to 10 years since I owned a Mac with an optical drive (and definitely a decade+ since I used an optical drive on my mac very often)

haha oh boy. I was actually just about to install Catalina today, figuring I'd put it off long enough and everything has to be smooth by now (and system update bugs me about it often enough)... But lo and behold, I log into HN and see this thread....

Just FYI, you can disable that notification:


It does not prevent the red notification dot on the System Preferences app, but it does mean at least you don't get the notifications pop up on your screen.

I’ve had zero problems with Catalina. You can also find complaints about every release of MacOS going back a decade+.

The unix illusion breaks more and more with every release

Every day they stray further from BSD's light

The main reason why I won't buy the new MacBook Air is that it's Catalina only. Good thing my Mac Mini shipped with Mojave despite my ordering it months after the Catalina release. It's really the Windows Vista of macOS.

I've tried to find a thunderbolt3 dock that worked perfectly but none have - not even limited to Catalina. My monitors will randomly switch refresh rates or resolutions or not even display picture. Plug them into a pc and they work every single time.

I have Catalina. It doesn't play nicely with a Dell D6000 powerbrick / dock.

The display is fine but it won't charge at the same time.

I have not installed the Dell 'driver'; it loads a kext so probably won't work anyway. I'm not upset about that. Docking should not require a kernel module.

That's about it. Catalina has been fine every other way.

The thing is with this charging bullshit is, it worked fine prior to 10.15.4. Prior to that version, my Mac charged and outputted to multiple screens at the same time.

Try a Henge dock. Been using one for 6 years. No monitor or thunderbolt issues.

I actually have one but haven't really used it yet since I decided to just use windows and be done with all the mac problems for now. Still use my MBP but only from the couch.

Wow, there are so many mac problems in your workflow that WINDOWS is easier to use? Ouch.

I know, sad right? Thankfully most of the stuff I do is on a dev server so doesn’t really matter. As long as vs code works.

The Dell U3419W (with Thunderbolt 3) works exactly as promised for me.


I've had a lot of compatibility issues between my U3818DW and macOS and Dell doesn't care. Even more, their support staff on their public forums don't even acknowledge their buggy USB-C implementation and insists on blaming Apple. [1]

[1]: https://old.reddit.com/r/UsbCHardware/comments/ettgrg/dell_r...

That's a shame. This monitor is spectacular over DisplayPort with my good old 2015 MBP.

Indeed, the image, price and size are spectacular. But this attitude has put me off Dell and they won't get my business anytime soon.

That's true for most Macs, too: people are very prone to believing that their experience is universal rather than a hardware failure or local configuration issue.

FWIW, the monitor I talked about is the standard issue monitor for most employees (~500) at my office. My company has MBPs ranging from 2016 to 2020 of varying sizes and I've never heard anyone say anything negative about the connectivity to their monitor.

It has USB-C, not Thunderbolt.

I completely disabled everything to do with sleep. “Solved” the problem for me.

The first thing I install on a fresh Mac is amphetamine.

Just curious, how is this different from Caffeine?


It has more features. Check https://apps.apple.com/us/app/amphetamine/id937984704?mt=12 for details.

The one you linked to looks like a simple wrapper of caffeinate(8).

Caffeine might be better in this scenario, but amphetamine has some auto triggers and custom settings for keeping the system awake but still turning off the screen, etc.

One difference is that Amphetamine isn't updated as well, also seems more hackish. I switched to Caffeine a while ago.

Or just running caffeinate -t 10000?

Maybe I will get flamed for saying it. What a shockingly tasteless name for an app.

Edit: guessing that downvoters haven't encountered a lot of people suffering from addiction

The most popular third party software installation tool for MacOS is called Homebrew. Alcoholics exist. That doesn't make the name offensive.

Amphetamines have legitimate therapeutic uses, it's not only crippling addiction.

Actually you just made a pretty convincing case that Homebrew has similar issues. I am already not a fan of it because I have hit too many amateurish bugs, but now I have another reason.

By the way, the word brew is also used for other things, e.g. coffee or tea, and homebrew is a common metaphor for other things, whereas amphetamine is unambiguously one thing.

Overdiagnosis & misuse etc aside the number of people using amphetamines therapeutically may well outnumber your "unambiguous" cohort by a larger fraction than drinkers do alcoholics.

Tasteless comment.

I didn't say use was unambiguously non-therapeutic. I said it was unambiguously a drug. There are no famous cultural metaphors analogous to "homebrew computer club" etc. It always refers directly to the substance.

Maybe you should consider that a close family member had problems with this very recently before you call me tasteless. It is in fact really fucking stupid that some privileged Mac programmer, probably young and of limited life experience, thinks that is a cutesy name for his (yes I am assuming male) project and not the name of something ruining a lot of lives, probably thinks it's hilarious and clever. He has no taste. Opiates also have legit use. I wouldn't name a project after those either. There is a thing such as tone deafness.

Yeah Homebrew is kind of a bad example. I wish there was at least an option to use descriptive names instead of tortured analogies.

Is there a world-wide approved list of names and topics that we're allowed to use to avoid infringing on sensibilities of 100% of world population?

I take prescribed amphetamine [0] twice every day. The taste of the name is not in the name, it's from whatever else you had in your mouth at the same time.

[0]: https://en.m.wikipedia.org/wiki/Lisdexamfetamine

Yeah, I've had my problems in the past and whatever that app is, I wouldn't be keen on having that on my computer, it would only serve to remind me.

My issue with Catalina is that every time I open up the laptop and log in (so sleep, not reboot) it has forgotten the Apple ID password and it needs to be entered. I've tried all suggested solutions (I'm not alone) including resetting the NVRAM etc. But so far no luck.

I'm holding off installing Catalina on my main machine. And now they seem to focus on 10.16 instead.

I have two CalDigit TS3+ docks (home and office). At home, I have a 4k monitor in the DisplayPort and a Thunderbolt 27" plugged into the TB3 port using an adapter. My previous dock couldn't handle the 27" at all, so I had to plug that in directly to the Mac. Usually when I needed to wake the machine, I had to unplug both the dock and the 27", log in, and then plug them back in again. Now with the CalDigit, it just works. It's also like $300, so I guess TB3 is hard and they know it =)

I am still on Mojave tho, so may suck on Catalina.

Figure this is the place to jump in here. I tried a couple cheaper docks and sent them back to Amazon immediately. I bought a CalDigit, and it's been rock solid for many months now. I connect an external display (Asus 27" 4K) to it, remove it, use the built-in display, and use it in clamshell, off and on, all through the day. Not one problem at all. There's no sugar-coating it; they're at the top of the range for TB3 docks, but mine's been worth every penny. I've been on Catalina since launch day.

I know "me too" is discouraged here but yes I have the same experience (Caldigit TS3+ dock, works great in Mojave). Expensive, yes, but at least now it's down to $250 both at apple as well as amazon.

I had this problem as well on a 13" MacBook Pro.

My "fix" was to go HDMI to USB-C (instead of Thunderbolt to USB-C).

I understand this might not be viable for everyone, but it resolved the issue for me.

> I’ve still not found a Thunderbolt Display that doesn’t routinely crash screen manager services upon idle user activity.

I've been using a Dell U2515H for almost six years on my late 2013-model MBP and thunderbolt port, never had an issue. I'm also going through a Henge thunderbolt dock. It's not a macOS problem.

I think Dell U2515H doesn't have Thunderbolt, only Display Port. So I wouldn't call that a Thunderbolt display, if it doesn't have ability to chain further Thunderbolt devices.

Naive take: I have the same problem, but if I boot into Windows on the MBP it works fine. How do you explain that?

Trivially easy to explain:

The monitor you have didn't properly implement the Thunderbolt spec, and since Windows has looser adherence to the spec than macOS, things work fine.

This happens with web browsers every decade or so. "Browser X" follows the JavaScript spec to a tee, which breaks millions of poorly written websites, so "Browser X" has to degrade its performance or lose market share, and thus we have lots of sites that are out of spec.

Make sense?

Your explanation could be plausible but do you have any evidence to back it up? Most curious is the fact that people are complaining about a specific OS version with regard to the problems. Did the spec change between OS releases?

No but the OS could have fixed a bug or tightened the spec.

I have evidence in other domains, as per my example.

But thanks for moving the goalpost. /salute/

OP asked for an explanation, I gave one. Was it correct? I don't know, I just provide reasoning skills.

My intent was not to move the goalposts, I was just wanting you to elaborate. Even though the explanation is trivial to you, it may not be that way to others.

(A corollary to this is the forum posts starting with a technical problem and ending with the OP saying "figured it out!" and no further explanation. :)

Assume this is true. Why is it a good thing? If the looser spec handling on Windows fixes the bug without introducing other problems, then from the user perspective, Windows is doing the correct thing and OSX is failing.

But it then ends up with standards being meaningless and people who are running not-Windows get screwed (like UEFI, ACPI, and various other nonsenses that "work fine" on Windows but not on Linux, etc.)

That assumes Microsoft broke the spec and the hardware was designed for it. The scenario in the thread is that the hardware broke the spec and Microsoft just made it work. I don't think that's much different than a lot of other software. Look at all the application specific code and fixes added to graphics drivers, for example.

LG 4K works perfectly for me.

I've tried every TB3 dock available. They all have bugs that render them unusable for me. The one that was the closest to being good -- OWC 12 port I think -- wouldn't tolerate MBP sleep. After wake from overnight sleep (maybe the Mac would go to hibernate -- I didn't investigate further) the dock would need to be reset. I've never had the MBP crash though, but I haven't gone back to trying docks now with Catalina.

There certainly is something particular to your environment causing this crash. Such a bug would be in all the news.

I haven’t encountered that, but have other more minor gripes. When in clamshell and an external monitor is plugged in and you restart, all you have actually done is shut down (you have to open up the laptop and turn it on again). The way things break for ‘security reasons’ which you have to hunt for through the settings page. E.g. VMware Fusion won’t work unless you happen to know that it needs enabling in security settings, but some breakages are even more obscure and don’t generate an error message.

Oh, so that's why my computer restarts from time to time when I get away from my desk. And I'm not even on Catalina yet, just use a 13" MacBook Pro.

My 2013 Mac Pro does this too - it's actually (at least in my case) a kernel panic.

> This complain and Remote Access in (so I can SSH to my $4k MacBook) disables itself anytime the computer is restarted.

I've found IPv6 stops working after sleep, the appropriate area in the network pane is blank (I use RA not DHCPv6). Since the Mac updates its DNS records and puts IPv6 addresses in I've found accessing via hostname stops working, but then of course I can use the IPv4 address which works fine.

Yep. I turned off IPv6 support on my router and computers, and still use RA. No more issues on the local network except one ... the DNS settings on my MacBook constantly revert to a default value, killing my host name access to my Docker containers. But at least it’s a quick fix.

Yeah both of my TB3 docks result in crashes after unplugging or plugging in while the display is off. Very annoying behavior.

I've been using the Belkin Thunderbolt 3 dock for years now, and have had 0 issues with crashes.

So, some quick debugging here...

In his screenshot the bad login hangs at "Connecting to clickontyler.com port" (noting that no port number appears and no period at the end).

While I can’t be sure exactly which "ssh" patch Apple may have, this seems to be the relevant file and logging code (starting at line 448):


In that code, the only thing that can set the "strport" value that is used in the log is a call to getnameinfo().

If that string is corrupted in any way, e.g. not terminated or perhaps has invisible characters that trigger bad terminal behavior (such as invisibility), the act of logging it might produce the apparent hang seen here.

Again, a guess but it is possible that getnameinfo() is not necessarily processing the record correctly (for whatever reason). One such example is in the "getnameinfo" man page at the end, under CAVEATS, where they show an example of not simply trusting the result of the first call.

Good sleuthing, but the missing port number is simpler than that. I just blacked it out of the screenshot. I know very well that running sshd on a non-standard port has no benefits security-wise, but it does lessen the length of my log files from dumb script kiddies. I redacted the port in the screenshot for that reason.

You should mention that in the caption, or use a non-black colour as a mask.

>I know very well that running sshd on a non-standard port has no benefits security-wise

I don't know if Mac OS is different but on other unices ports above 1024 are not privileged, meaning that anybody can bind them. Now it increases the attack surface only a tiny bit (you have to have your sshd offline, and the attacker has to have local access, and then bind a fake sshd to your port in order to MitM. And even then they won't be able to spoof the server key unless it's not chmoded correctly).

Still, better safe than sorry IMO, I also use a non-standard sshd port but I keep it in the low range. In my experience it's more than sufficient to get rid of 99% of dumb attacks that generally don't bother looking beyond port 22.

I think using a non-standard port is a good layer of security, among other layers.

My personal suggestion though is to use 1022 because it's below 1024. This means only root is allowed to bind to it, preventing possible connection-jacking attacks if an attacker is able to crash your own server and run theirs to harvest your passwords.

You might add a few "-v"'s to your "ssh" command-line for more verbose debugging information.

A port is mentioned in this line, you may want to redact it. Where I put X's below, is a port number.

> So, I tried ssh ip-address -pXXXXXXXXX

Thanks, but that's not the port number :-) That was just for illustrative purposes.

Ok great.

Have you tried running ssh in lldb/gdb and dumping a stacktrace when it hangs? Might have to copy the ssh binary to a temp dir to avoid SIP denying ptrace.

Doesn't even need to go this hardcore; simply reading the verbose output would show where things are getting stuck.

The verbose output didn't seem to point out the exact system call or libc call that got stuck. A lldb/gdb bt stacktrace could pinpoint what's hanging (for example, some people mentioned parsing /etc/services). I don't think this has been resolved yet?

Disable password auth and go with keys only, and your logs will go quiet.

Maybe there is something funny in /etc/services on this machine that throws the call into an infinite loop? Perhaps near the bottom beyond port 8192?
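An added example (not from the post, these comments, or OpenSSH) of the logging step the earlier getnameinfo() comment describes, and of where the /etc/services lookup raised above would come in: it formats a "Connecting to HOST port PORT." line, zeroing the buffers and checking the return code so a failed or truncated lookup can never put an unterminated string into the log. The address 192.0.2.10 and the ports are constructed; the numeric-flag path never touches /etc/services, while the service-name path does.

```c
#define _GNU_SOURCE 1 /* getnameinfo() prototype under strict -std modes */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

enum { HOSTLEN = 1025, SERVLEN = 32 };

/*
 * Format the peer address and port for a "Connecting to HOST port PORT."
 * log line. Both output buffers are zeroed first and the getnameinfo()
 * return code is checked, so a failed or truncated lookup never leaves an
 * unterminated or stale string for the logger to print. Returns 0 on
 * success, otherwise the getnameinfo() error code (see gai_strerror()).
 */
int format_peer(const struct sockaddr *sa, socklen_t salen, int flags,
                char *ntop, size_t ntoplen, char *strport, size_t strportlen)
{
    memset(ntop, 0, ntoplen);
    memset(strport, 0, strportlen);
    int rc = getnameinfo(sa, salen, ntop, ntoplen, strport, strportlen, flags);
    if (rc != 0) {
        /* Never log whatever the library left behind; use a visible marker. */
        snprintf(ntop, ntoplen, "?");
        snprintf(strport, strportlen, "?");
    }
    return rc;
}

/* Build an IPv4 sockaddr_in from a dotted-quad string and a host-order port. */
int make_v4(const char *ip, unsigned short port, struct sockaddr_in *sin)
{
    memset(sin, 0, sizeof(*sin));
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sin->sin_addr) == 1 ? 0 : -1;
}

/*
 * Port string with numeric flags only: getnameinfo() just prints the
 * number and never consults the services database (/etc/services).
 */
int port_string_numeric(const char *ip, unsigned short port,
                        char *out, size_t outlen)
{
    struct sockaddr_in sin;
    char ntop[HOSTLEN];
    if (make_v4(ip, port, &sin) != 0)
        return -1;
    return format_peer((const struct sockaddr *)&sin, sizeof(sin),
                       NI_NUMERICHOST | NI_NUMERICSERV,
                       ntop, sizeof(ntop), out, outlen);
}

/*
 * Port string without NI_NUMERICSERV: getnameinfo() looks the port up in
 * the services database first (e.g. 22 -> "ssh" where /etc/services lists
 * it) and falls back to the plain number when no entry matches.
 */
int port_string_service(const char *ip, unsigned short port,
                        char *out, size_t outlen)
{
    struct sockaddr_in sin;
    char ntop[HOSTLEN];
    if (make_v4(ip, port, &sin) != 0)
        return -1;
    return format_peer((const struct sockaddr *)&sin, sizeof(sin),
                       NI_NUMERICHOST, ntop, sizeof(ntop), out, outlen);
}

int main(void)
{
    /* Constructed sample: documentation address 192.0.2.10, high port 8193. */
    char ntop[HOSTLEN], strport[SERVLEN], tiny[3];
    struct sockaddr_in sin;
    make_v4("192.0.2.10", 8193, &sin);

    int rc = format_peer((const struct sockaddr *)&sin, sizeof(sin),
                         NI_NUMERICHOST | NI_NUMERICSERV,
                         ntop, sizeof(ntop), strport, sizeof(strport));
    printf("rc=%d Connecting to %s port %s.\n", rc, ntop, strport);

    /* Same call with a port buffer too small for "8193": fails cleanly
     * (EAI_OVERFLOW) instead of handing the logger garbage. */
    rc = format_peer((const struct sockaddr *)&sin, sizeof(sin),
                     NI_NUMERICHOST | NI_NUMERICSERV,
                     ntop, sizeof(ntop), tiny, sizeof(tiny));
    printf("rc=%d (%s) port='%s'\n", rc, gai_strerror(rc), tiny);

    /* Service-name path: consults /etc/services, so 22 may print as "ssh". */
    port_string_service("192.0.2.10", 22, strport, sizeof(strport));
    printf("port 22 via services db: %s\n", strport);
    return 0;
}
```

Running it with `strace`/`dtruss` shows the numeric variant opening no files at all, which is a quick way to rule the services database in or out when diagnosing a hang like the one in the post.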

"It just works" -- Is Apple too large now? Is this a QA problem, product team problem? Management? Catalina is still stumbling and I'm surprised to be honest after the past 4 years.

My feeling is that Apple beancounters have decided macOS is mostly a gateway to Xcode for iOS development, anything else is just to help sell laptops. The stuff in "anything else" doesn't need to actually work well, just exist so it can be something on the features list.

I feel like they are doing random deprecations with replacements that don't work as well as the original. As in, leaving the deprecated thing unmaintained but present in the install would be a better outcome. I wonder why they are wasting so much time doing this when they appear to have a working system. I'm not even talking about big items like 32-bit support or opengl but completely random libraries that work fine.

This is a completely standard failure mode of large organizations. You have a product that works perfectly fine the way it is, but you also have an entire team of people whose job it is to do something with that product. The existing product has already been optimized for years and most changes are moves away from optimal rather than towards it, but they can't get paid to do nothing, so they change things that were better the way they were.

This is related to the thing where what customers want most is bug fixes for existing bugs but what marketing wants most is new features to sell to new customers and marketing tends to win, which causes the number of bugs to go up rather than down over time.

It's also a problem of company culture and career ladders. Fixing bugs and making a more stable product isn't going to line you up for a promotion - but some fancy new feature no one asked for will.

I think this is why Google's products have gotten worse over the last 6 years.

As just another random instance, I updated my MacOS about a year ago and now I can only change the last 3 parts of my MAC address, the remainder appear to be fixed.

I know my hardware has the ability to change my entire MAC address - I don't get why they are doing this.


The leading octets in MAC addresses are often called "vendor prefixes", and are assigned to various hardware vendors. Apple probably wants to ensure that all their devices show up in ARP scans and MAC lookups as Apple devices.

To make it harder to spoof specific devices, perhaps. Commercial end-user OS vendors generally don't think your computer being able to do something implies you should have control over that capability.

I guess they are getting ready to run MacOS on Arm rather than AMD64

It does help that there is no overall competitor to MacBooks in terms of ease of use or (now that the butterfly keyboard is dead) build quality.

There are decent build PC laptops but you have to run Windows or Linux on them. Windows is a dumpster fire these days with ads in the start menu, the use of "dark patterns" to herd people into MS cloud, and out of control unnecessary telemetry. Linux is fine only if you have a lot of time on your hands to troubleshoot edge case issues and hunt for drivers. Linux also still (through no fault of its own) can't run a lot of apps that many people need.

Linux is the only option IMO, but I have a very high yakshaving tolerance. That said, if you run a recent Ubuntu, most stuff "just works" as long as you don't need Photoshop or the Office suite.

Or 4k monitors, or screen sharing when running more than one monitor. That's the reason I haven't switched from macos back to linux (I was all in on linux until about 5 years ago when I started to care about display quality and working remotely).

You know, in 5 years, many things changed.

What's wrong with 4k monitors? I'm typing this on a Fedora machine with one (default install with no tinkering, Gnome on Wayland).

High-DPI is still a mess on Ubuntu (and Debian, for that matter). Last time I used Ubuntu on a 4k panel I had to manually edit some xorg config files. I'm using Debian+KDE right now and I had to manually make some adjustments (in a UI, at least) and it still randomly gets confused sometimes.

Not true for me. I've used several distros (including Ubuntu) with Gnome on my 4K XPS and the worst I've had to do is go into Gnome settings and click 200% GUI scale. I'm pretty sure Ubuntu set that automatically.

High DPI is fine as long as you have just one display. However, there's no good way to have one high-dpi display and one normal one (for example, a laptop with high dpi screen connected to a standard external monitor).

There is a good way to have mixed-dpi setup: you use Gnome-on-Wayland (for normal users who expect normal desktop) or Sway (for those who want tiling wm).

Mixed DPI is not coming to X11 displays. If you insist on X11, you are going to have a bad time.

Not to mention mixed-DPI. Apple is the only vendor who actually handles HiDPI and mixed-DPI environments really well in my opinion.

macOS can scale different parts of an application differently depending on which screen it is on. So if you are in the process of moving an application from one screen to another, it doesn't change size mid-move.

Windows can't do that, and I've even seen applications where all windows belonging to an application use the same DPI (chosen based on which window is in focus), regardless of the DPI of the screen the window itself is on.

So it seems to me the integration of mixed-DPI into window rendering APIs was not well handled by the development team behind its implementation in Windows.

The most common "solution" I see is lowering the resolution of the high-DPI display, but that's not a solution, that's actually not even a workaround, it is literally removing the problem by pretending my screen is not as good as it is.

4K support seems to vary a bit from distro to distro. Some are good, some are lagging.

I'm using Linux with 3x 4k monitors at work. I set the scaling to 150% and it just works. I'm using Awesome WM.

If all your monitors are 4k it works, but if you have a mix of high dpi and standard dpi monitors it does not work. And I'm betting you can't share just one of those monitors with any screen sharing software. Something I need to do frequently.

Sharing a window may work and amount to the same thing. Depends on the software perhaps.

Two 4k monitors here on Ubuntu Mate, works great. Shared my screen last week.

External monitor support on macOS is terrible. When it does work, you can't turn on HiDPI resulting in a tiny UI. And the latest 16" macbooks simply kernel panic: https://discussions.apple.com/thread/250876794

It sucks that you are having issues with your setup, but in general macOS is the king of external monitor support.

Compare the experience with Windows for example, where disconnecting from your external monitors pushes all applications and windows to the remaining monitors, and doesn't restore them when the external monitor is reconnected.

macOS also handles mixed-DPI really well, no other vendor even comes close, Windows simply scales according to the monitor most of the application window is on, resulting in ugly resizing of applications when moving from one monitor to another.

I don't know what you're talking about with regards to "turning on HiDPI", can you elaborate?

By "turning on HiDPI", I mean having access to a menu such as this https://miro.medium.com/max/3518/1*QXxPDSp60XIZJhz4isSpiw.jp... Without the ability to scale the UI, this is what part of the UI of Xcode looks like on a 4k monitor: https://imgur.com/a/beTxJNG It's unreadable.

> Compare the experience with Windows for example, where disconnecting from your external monitors pushes all applications and windows to the remaining monitors, and doesn't restore them when the external monitor is reconnected.

Huh? I have a dock that I disconnect and reconnect from all the time; windows move onto my laptop screen when I disconnect, and move back onto my docked screen when I reconnect.

Do you have multiple screens active at one time? This is really only a problem when you have multiple screens, applications don't "remember" which screen they are supposed to be on, they just go to the "primary" screen when docked.

Ah, you're right. I do use the dock screen and the laptop screen, but hadn't noticed that everything moves to the dock screen even if it was previously on the laptop screen when docked.

Does System Prefs > Displays > Scaled not work?

HiDPI is working fine on my 3 external displays

I would agree were it not for the hairy yaks. As a startup founder I just don't have time for my computer to not "just work." This is the primary thing that keeps me absolutely glued to Apple.

I do kind of like MacOS, but am concerned about their lack of strong interest in it.

I would pay for a "vertically integrated" open hardware Linux laptop. I've seen some promising projects but none are mature enough.

The second issue is apps, but that can be mitigated by having a Windows VM.

But this entire thread of comments and even the topic of the post is proof that it really just doesn't work.

I would argue that any major Linux distro at this point "just works" just as well as MacOS.

> But this entire thread of comments and even the topic of the post is proof that it really just doesn't work.

Yeah, there may actually be close to a dozen people commenting here!

>I would argue that any major Linux distro at this point "just work" just as well as MacOS

Given my perennial attempts to switch to Linux which are inevitably thwarted by aggravating driver bugs and incompatibility issues with X Windows and Wayland (both), I'm inclined to disagree.

Or do any kind of serious 3D or audio related work.

Is this still an issue with Ubuntu? I haven't had any problems with drivers nor software for... 6 years and 7 laptops?

I've had problems with printer drivers consistently since I switched to (K)ubuntu on the desktop in 2010ish. For the last 2 years, however, they have basically been gone. That's thanks to IPP becoming more commonplace.

Then I'm having issues with PTP from my phone. Windows is fine but Plasma is broken. The phone also offers an MTP mode which thankfully works.

When I bought a Lenovo netbook in 2015, I was unable to set the screen brightness. It took a few years but eventually the issue got fixed with a new version of Kubuntu.

On my brand new ThinkPad T495 I'm having an issue with the graphics drivers, which crash and require me to issue an ACPI reboot when I close the lid and reopen it again. Pretty sure it's this issue as the error messages, symptoms and working workarounds all match. https://gitlab.freedesktop.org/drm/amd/issues/883

KDE connect made plugging my phone into my computer basically obsolete, at least for me.

It might be that I use pretty standard hardware and don't have any fancy requirements, but really, I have evangelized several people and installed mostly Xubuntu in their laptops and I haven't had problems.

My APU is stuck in OpenGL 3.3 without hardware video decoding; I would like to get back the OpenGL 4.4 and hardware video decoding that it had with the AMD proprietary driver.

Support for 4K monitors and multiple screens is still pretty miserable and causes stuttering, freezing, and crashing

Never had any problems with my 4K screen in Manjaro KDE, and only needed to change Xft.dpi in .Xresources in Manjaro i3

I’m not saying it cannot work but I am saying an IT department cannot just install Ubuntu on a laptop, hand it to someone who doesn’t know how to hack at Linux, and have the display aspects “just work” with any monitor.

I have no beef with Linux, but we have to be honest about what it needs to be capable of to compete with MacOS for the general user unable or unwilling to hack at it a bit.

If the solution in any way involves "enter this command", you have lost the vast, vast majority of users. Those users will never have any idea that "Catalina broke SSH".

I think you are wrong. I have seen it happen more than once, even in my current company. Especially when companies use mostly online tools, like our case, it's a no brainer.

Do you mean I am wrong that standard users won't notice ssh broken?

You're right, my statement may have been too strong.

We do know that Catalina isn't broken for everyone though, as alluded to by others in this thread. No one in my company or anyone I personally know with a MacBook has been affected. There must be another interaction happening.

Sorry, no, I mean that you can really give Ubuntu units to people and expect it to work without any issues. If this works in schools it works also for power users :)

I've never had a problem with my 4k in fedora, but I only have a single monitor

Linux had good support for multiple monitors when I started using it in 2003. Obviously something is crashing but it's not apt to be plugging in a monitor.

There are plenty of good laptops and Windows is absolutely fine.

Windows is not "absolutely fine". Even ignoring the garbage heap of bad/inconsistent UI/adverts/nagware, it's just not even capable of running a lot of dev software. The guide for running Ruby on Rails on Windows is basically just to install a Linux VM.

I'm running a lot of dev software and I never had to revert to Linux VM.

https://rubyinstaller.org/ Ruby for Windows.

I don't know why Ruby on Rails requires Linux, but those reasons are not technical.

It runs a lot of developer software perfectly fine, for those of us that are Windows developers first, and something else second.

If you pick your laptop for linux support then you will have literally no driver issues. I'm running fedora on a Dell XPS and it runs flawlessly (Well the fingerprint scanner needs a 3rd party program).

Ubuntu is generally even easier since they bundle in proprietary drivers.

As if. I bought a Linux laptop from Asus with Ubuntu, and my APU has yet to get the OpenGL 4.4 that it had with the proprietary AMD driver; instead I should be happy that the open source version at least offers me OpenGL 3.3.

That's unlucky but it doesn't apply to all laptops. My Dell XPS is currently running on a Vulkan version released in 2020. AMD strangely seems to lag behind Intel in drivers at the moment. Perhaps because until just now AMD laptops were rare.

Well no business end-user or any typical Mac user is going to be bothered about something technical like 'SSH' breaking their system. Only actual devs here would care.

For those business users, it just still works. For developers it's a problem.

Apple's made huge inroads with developers over the last few years, partly coasting off of a social dislike for Microsoft. There's enough Apple fandom out there that they can probably annoy developers a good deal more without affecting the inroads. After all, exactly what can a dev do about it anyway?

Switch to OpenBSD ;-)

Apple developers are perfectly fine.

UNIX developers, well, support OEMs that sell BSD and GNU/Linux laptops.

Macs have a fairly large share of devs, especially in the startup centers like SF and NYC. Most startups end up with Macs as the default computer because of the developer experience as well as the ability to manage them for a consistent user experience using MDM solutions like Jamf or Fleetsmith (both Apple-only).

You seem to be nurturing some stereotype of Mac users. Just check (photos of) any Silicon Valley or MIT Cafeteria to maybe calibrate your worldview.

Catalina I haven’t had many problems with, however I've noticed some odd stuff. In the Apple Menu and System Preferences it reports one update available, but if I go look, nothing. Then I was playing with the new TV app and went to watch one of the Apple TV+ shows, and all I get is a black screen with audio when watching a show.

Then even before Catalina, my AirPods mic seems to act odd; I can hardly hear it and it messes with audio output too when listening to music, sounds like I’m listening to hold music on a telephone unless I disable the mic using a third party app. I think having an old Bluetooth chip might be the reason though, since I have an older MacBook, while it works great on my iPhone.

Almost everyone in my office has issues with Bluetooth headphones mysteriously disconnecting - the sound output drops even though Bluetooth is still connected.

Very annoying and can't find a resolution.

A focus on security produces problems like these.

I can't blame them too much. It's probably worth it.

Probably just trying to make Catalina thinner.

Here's an actual bug report:

* https://openradar.appspot.com/radar?id=4931259776106496

From that and the discussions.apple.com post, hyperlinked elsewhere in this discussion, it appears that the >8192 condition varies according to what the hostname actually is.

The bug report is datelined 2020-04-26, interestingly. There might be a bug in the bug reporting system. (-:

> The bug report is datelined 2020-04-26, interestingly. There might be a bug in the bug reporting system.

No, you can type whatever date you want. The "add a new radar" screen is just a bunch of text input boxes: https://i.imgur.com/nNf457J.png

The ability to type whatever date one wants is often considered to be a bug. The ability to post-date reports a month into the future sometimes is, too. (-:

You can not only type whatever date, but also whatever non-date. The site just assumes good intentions and is working as designed.

OpenRadar is community-maintained, and rather poorly at that these days.

I can't reproduce this. macOS 10.15.4, ssh'ing to a very high (5-digit) port with a hostname, no problems.

Same here, 5 digits and a hostname = no problem. There must be some other factor(s) in play.

Ditto. There's a post a few levels above where they are digging into the source of ssh, I'm following that!

I can't either; in fact all 10+ of the hosts that I routinely access have ports higher than OP's issue.

Off-topic, but why are people using high port numbers? Additional security due to a nonstandard port? If so, does that go together with anything additional like port knocking? Or is it multiple hosts on the same IP, but different ports?

Some people think that it adds to security. Some people want to reduce noise in logs.

A relatively common use case is multiple devices behind a NAT, where each port goes to a different device.

It's to keep my logs cleaner. It doesn't add any security value since the port is still open. I don't allow password auth. I was just always annoyed with how many times port 22 was getting hit every day by attackers.

I had the same problem on a MacBook after upgrading to 10.15.4. However, I wasn't using a port number higher than 8192; the socket was 75 with a hostname. The problem was solved when I replaced the hostname with its IP or plugged in an Ethernet cable. I tried to restart mDNSResponder, flush the DNS cache and switch to a different DNS server. Nothing works so far.

I experienced a similar issue with a git repository hosted on a high port, `brew install openssh` fixed it even though the homebrew `ssh` was not first on my $PATH. Didn't bother to investigate further.

Possibly that overwrote the config file for the system ssh?

I was thinking homebrew's git perhaps had a different $PATH (or was using shared objects?) that used the different openssh. Just guessing, didn't seem worth my effort at the time.

Isn't /usr/local/bin first on $PATH?

Homebrew tends not to install to /usr/local/bin when that would replace a native version.

I suspect this is due to a feature being enabled for canonicalization and that the key part is the presence of the colon rather than the port number. On a 10.15.4 system, I see a line in the debug output which is not present in the screenshot:

> debug1: resolve_canonicalize: hostname example.org:7999 is an unrecognised address

If instead I use `-p` or a config-file option, everything works as expected.

hostname:port is not a valid destination according to ssh syntax. A destination may either be [user@]hostname or a URI of the form ssh://[user@]hostname[:port].
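As an added illustration of the destination syntax described above (not code from the thread), this POSIX sh function splits a destination into user, host and port the way ssh(1) documents it, and rejects a bare `host:port` with a hint instead of handing the whole string to the resolver as ssh does. IPv6 literals and the default-port lookup are simplified assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: classify an ssh destination argument.
# Valid forms per ssh(1): [user@]hostname  or  ssh://[user@]hostname[:port]
# A bare "hostname:port" is neither; ssh treats the entire string as a
# hostname, which is what a line like
#   debug1: resolve_canonicalize: hostname example.org:7999 is an unrecognised address
# is telling you. Assumption: no IPv6 literals, default port 22.

# Print "user host port" ("-" when no user) for a valid destination;
# print a diagnostic on stderr and return 1 for an invalid one.
parse_ssh_destination() {
  dest=$1 user="" host="" port=22
  case $dest in
    ssh://*)
      rest=${dest#ssh://}
      rest=${rest%%/*}                                   # drop any path part
      case $rest in *@*) user=${rest%%@*}; rest=${rest#*@} ;; esac
      case $rest in *:*) port=${rest##*:}; rest=${rest%:*} ;; esac
      host=$rest
      ;;
    *://*)
      echo "unsupported scheme: ${dest%%://*}" >&2; return 1 ;;
    *)
      case $dest in *@*) user=${dest%%@*}; dest=${dest#*@} ;; esac
      case $dest in
        *:*) echo "invalid destination '$1': use 'ssh -p PORT HOST' or ssh://HOST:PORT" >&2
             return 1 ;;
      esac
      host=$dest
      ;;
  esac
  [ -n "$host" ] || { echo "empty hostname in '$1'" >&2; return 1; }
  case $port in
    *[!0-9]*|'') echo "invalid port '$port' in '$1'" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range: $port" >&2; return 1
  fi
  printf '%s %s %s\n' "${user:--}" "$host" "$port"
}

# Constructed sample destinations.
parse_ssh_destination "ssh://deploy@example.org:7999"        # deploy example.org 7999
parse_ssh_destination "deploy@example.org"                   # deploy example.org 22
parse_ssh_destination "example.org:7999" || echo "(rejected with a hint)"
```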

The Apple forum article cited by the OP indicates it's a problem with `-p <PORT>` as well.

That's a fair point. I use either a ssh config file with all the correct options in it, or the -p option if I'm doing it without a config file, perhaps that's why I've never had a problem.

"I don’t want to end up on Hacker News again bitching about Catalina." Pretty sure that guarantees getting to the front page :D

This is truly the darkest timeline for that poor blogger. :-P

Those are the magic words. F*ck SEO, add that and you'll get a couple million page views.

Is macOS /usr/bin/ssh just upstream OpenSSH, or does Apple maintain a fork? If no fork, this would be an upstream OpenSSH problem, no?

Apple includes a customized version of OpenSSH. From what I recall from the last time I looked at it, the changes were mostly integrating the key retrieval mechanisms with the rest of macOS. For example, Apple's ssh-add can store key passphrases in Keychain with the -K option, and then later access those passphrases with the -A flag.

If using the upstream version there is one line to add to a startup script or to your zshrc (et al.) file ...

ssh-add -A > /dev/null

... and one default value to place in your ssh config file...

AddToKeychain Yes

... to get around this issue. It works fine after that.

(On mobile. Sorry for formatting)

Those stored key passphrases are visible with the Keychain Access application, Kind: "application password", name: "SSH: /full/path/to/key", in the login & iCloud keychains.

Looks like that's for macOS 10.15.0 as version.h for that OpenSSH release is for 7.9p1 (macOS 10.15.4 has OpenSSH 8.1p1).

I'm pretty sure they use libressl now.

Maybe a weird ControlMaster/ControlPath config? I have had issues with the ControlPath result being too long with certain hostname/port combinations in the past -- which resulted in ssh to IP working but ssh to hostname not working. As a result, I have since started using %C instead of %l%h%p%r in my ControlPath config.
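To show the failure mode mentioned above, here is an added check (not the commenter's code) that expands a ControlPath template and compares its length with the Unix-socket path limit. It assumes sun_path holds 103 usable bytes on macOS and 107 on Linux, and that %C expands to a 40-character hex SHA-1 of the %l%h%p%r string; the sample hostnames are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: does a ControlPath template still fit
# in sun_path once %l %h %p %r are expanded? Long local + remote hostnames
# blow past the limit, while %C (a fixed-length hash) never does.
# Assumptions: sun_path limit 104 bytes on macOS / 108 on Linux including
# the NUL terminator; %C is a 40-char hex SHA-1 of the expanded %l%h%p%r.

# SHA-1 of stdin as 40 hex chars; works with sha1sum (Linux) or shasum (macOS).
sha1_hex() {
  if command -v sha1sum >/dev/null 2>&1; then sha1sum | cut -c1-40
  else shasum -a 1 | cut -c1-40; fi
}

# expand_controlpath TEMPLATE LOCALHOST REMOTEHOST PORT USER
# Handles only ~, %l, %h, %p, %r and %C (the tokens this check cares about).
expand_controlpath() {
  template=$1 loc=$2 rhost=$3 port=$4 user=$5
  home=${HOME:-/home/user}
  hash=$(printf '%s%s%s%s' "$loc" "$rhost" "$port" "$user" | sha1_hex)
  printf '%s' "$template" | sed \
    -e "s|^~|$home|" \
    -e "s|%l|$loc|g" -e "s|%h|$rhost|g" -e "s|%p|$port|g" -e "s|%r|$user|g" \
    -e "s|%C|$hash|g"
}

# Usable path bytes (sun_path minus the NUL) for the running platform.
sun_path_max() {
  case $(uname -s) in
    Darwin) echo 103 ;;
    *)      echo 107 ;;
  esac
}

# check_controlpath TEMPLATE LOCALHOST REMOTEHOST PORT USER
# Prints "ok LEN PATH" and returns 0, or "TOO LONG LEN PATH" and returns 1.
# Lengths are counted in characters; all sample input is ASCII.
check_controlpath() {
  path=$(expand_controlpath "$@")
  len=${#path}
  if [ "$len" -le "$(sun_path_max)" ]; then
    echo "ok $len $path"; return 0
  fi
  echo "TOO LONG $len $path"; return 1
}

# Constructed sample: a verbose corporate laptop name and a long FQDN.
LOCAL="mbp-of-someone.corp.example.internal"
REMOTE="build-runner-17.infra.region-west.example.com"
check_controlpath "~/.ssh/cm/%l%h%p%r" "$LOCAL" "$REMOTE" 49152 deploybot || true
check_controlpath "~/.ssh/cm/%C"       "$LOCAL" "$REMOTE" 49152 deploybot
```

With a hostname that resolves via a short alias, or when connecting by IP, the %l%h%p%r form may still fit, which is exactly why the symptom shows up only for some hostname/port pairs.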

If you have Homebrew or something similar, I recommend installing openssh through there -- you get a newer version to boot.

It's usually not a full replacement. SSH for macOS has some integration built in that current OpenSSH does not have, like Keychain integration.

I thought Homebrew patched OpenSSH using Apple's keychain patch, but looking at the formula right now I see

  # Please don't resubmit the keychain patch option. It will never be accepted.
  # https://github.com/Homebrew/homebrew-dupes/pull/482#issuecomment-118994372

Sadly the homebrew-dupes repo seems to have been deleted so this comment can't be read anymore.

Archive of the discussion: https://archive.is/hSB6d

> We are uncomfortable continually supporting a 1900+ line patch which upstream hasn't signed off on that has the potential to both compromise OpenSSH security and Keychain security. From 10.11 it will also be impossible to edit plists in /System/* without disabling rootless, which isn't a configuration we'll be intentionally supporting.

> Sadly the homebrew-dupes repo seems to have been deleted so this comment can't be read anymore.

They're kinda bad at that in general :/

Really? I have my ~/.ssh/config file set to “AddToKeychain” on all entries and it doesn’t seem to be a problem.

I prefer ssh-agent anyway, but yeah, I think they did remove the keychain integration patch.

Oh god no. Homebrew managing openssh has been the cause of more command-line instability and forced reinstalls than anything else I’ve encountered in the last few years of OS X (sorry, macOS). I’ve started installing stuff from source again just to prevent a cascade of Homebrew upgrades breaking everything.

Why don't people use MacPorts instead? I've never had any problems with it.

Homebrew wants to screw around in /usr, MacPorts installs itself in /opt and doesn't interfere with things in the MacOS world.

Set your PATH to have /opt/local/{bin,sbin} and everything Just Works.

What is the practical difference between /usr/local and /opt or /opt/local? I don't think macOS puts anything in /usr/local.

I sometimes use NetBSD's pkgsrc on macOS because it installs super cleanly in any prefix you like and never, ever breaks the system. It doesn't have everything, and you will occasionally encounter a package that won't build, but it doesn't even dream of taking over /usr/local or disrupting your system. You could install it into your home directory if you wanted to (which I have done, on systems where I don't have root or enough ownership to just throw things anywhere).

I always build SSH from source myself using my own scripts and meta-makefiles. Both the most recent OpenSSH release, and the latest one supported by HPN-SSH (for use on high-latency links).

OpenSSH 8.2p1 notably has support for using FIDO U2F 2FA keys to secure SSH keys, it works perfectly, as long as your server also runs 8.2p1 (only the client needs to be compiled with libFIDO2).

As for the Catalina train wreck, it's clear both hardware and software quality is on a severe downward trend at Apple, you can either rant and moan about it, or take control back by switching to Linux or BSD, which is what I am doing, very slowly and deliberately.

Never experienced this in a decade or so of using Homebrew's OpenSSH, but you can absolutely use something other than Homebrew to get a more up-to-date and standard OpenSSH install if you prefer.

> I’ve started installing stuff from source again just to prevent a cascade of Homebrew upgrades breaking everything.

Since you crossed that line, do yourself a favour and check out nixpkg.

I always do this.

I'm not sure what's the current state, but there are features on SSH I wasn't able to use due to the version provided being old.

I know that `Include` on `config` is/was one.

    Include "some/path"

This is something I use frequently that wasn't available on previous built-in versions.

> I'm not sure what's the current state, but there are features on SSH I wasn't able to use due to the version provided being old.

> I know that `Include` on `config` is/was one.

That's both terribly out of date info and hardly ever true as far as I can tell.

The Include directive was a new feature of OpenSSH 7.3, released on 2016-08-01.[1] Apple shipped OpenSSH 7.3 in macOS 10.12.2[2][3], released on 2016-12-13. That's a very reasonable four-month gap.

I only use the system ssh because stock OpenSSH didn't integrate well with system keychain many years ago (not sure about the current state). But I've been using the Include directive for a long time.

[1] https://www.openssh.com/txt/release-7.3

[2] https://opensource.apple.com/release/macos-10122.html

[3] https://opensource.apple.com/source/OpenSSH/OpenSSH-209.30.4...

In case it's slow for you too: <removed since they wanted it taken down>

It’s been taken down on purpose: https://news.ycombinator.com/item?id=22738841

I'm surprised nobody noticed this bug at Apple before the release. Is there nobody there that connects by hostname to a ssh server with a port > 8192?

I'm not. Not all 'testers' actually try to test edge cases. The /good/ testers do try edge cases, but for every /good/ tester you have, you'll have hired 100+ testers who do little more than check that the standard happy-path works correctly and sign off as "passes tests".

The good testers all tend to fall into what Bruce Schneier calls the 'Security Mindset' way of thinking: https://www.schneier.com/blog/archives/2008/03/the_security_...

>Not all 'testers' actually try to test edge cases.

Yeah, but surely macOS devs are eating their own dog food.

"I've learned that Apple engineers have internal tools which allow them to delete macl xattr as well as to bypass other Catalina privacy and sandbox protections without rebooting and disabling SIP.

"Inside Apple they don't suffer the same problems as external users and developers."

And a simple shell script to test it would be easy.

Well, I hope for them they put it in their automated regression test suite now.

> Is there nobody there that connects by hostname to a ssh server with a port > 8192?

I use an alternative port but < 1023 since binding to those ports requires root. And I've never seen it being used. I'm not saying it's not, just that I did not see it in 10 years.

So it probably really is not that common.

Probably not. I doubt I’ve used a port that high.

Why not? I regularly use 5-digit ports - 3-digit prefix plus 2-digit 'official' port - for various systems which reside behind a NATting router.

Ports <1024 require root access to bind, so on a multi-user system it would be insecure to run ssh on such a high port.

(Granted, multi-user hosts are very rare nowadays).

I'm pretty sure it's generally not advisable to use ports this high since they are used for other purposes.

All purposes are equally as valid on unallocated port ranges. Unconfigurable port ranges with no fallback when those ports are in use is bad design.

High port numbers, above 30000 usually, are ephemeral ports and get pre-empted by the system. They're not safe to listen to for server applications.

Isn't 8080 used almost everywhere?

8080 is less than 8192. This bug only happens when the port is _higher_ than 8192.

Sorry, my bad, what was I thinking.

Not for SSH. Common alternate SSH ports are 222 or 2222 which are well below.

443 to pass the stupid corporate firewall. I used that once 15 years ago anyway.

For webservers sometimes, never seen that used for ssh.

< 8192, and that’s mostly the alternate HTTP port.

8080 < 8192

I haven't in ten or twenty years, no.

One more data point: just tried to repro with hostname and port 8193 and failed, so the issue is probably more intricate than described.

(Guest in my test: OpenSSH 7.6p1 on ubuntu bionic, stock config other than sshd port.)

Tried with dropbear and sshd on Arch, port 9022 from 10.15.4 Beta (19E258a) - no issues with a variety of hostnames that end up at the same host.

Just updated to 10.15.5 Beta (19F53f) and still no issues with dropbear or sshd.

I've been a Linux user for the last ~15 years, and now I need to do some iOS development so just a few days ago I've ordered a Mac Mini. I guess I'm in for a bumpy ride. Oh well.

I used Linux on all my laptops/work machines for about 7 years, then switched to MacBook Pros 5 years ago. Definitely some things you have to adapt to (I still miss focus-follows-mouse). But for the most part, you'll find it's a smooth ride. When bumps like this happen, they tend to push out a fix quickly - especially when it gets traction on HN like this.

I used a mac for almost 8 years. When things worked, and you shared the same preferences as the designers (or were willing to adapt), things were pretty good.

If you had different preferences, mostly too bad. Maybe if you reboot with system protection turned off, you can edit the config file, and hope it doesn't get reverted.

If things didn't work, like when I was getting static for audio 25% of the time I hit Play in iTunes from a shoutcast server for a whole major release, there wouldn't be any useful help on the internet. Maybe somebody had a similar problem 3 releases ago, but that fix doesn't work anymore. Other problems, or irritants are often the same way.

With Windows, most of the problems you run into are fixable, and easy to find. With an open source OS, at least you can dig in and try to fix your own problems.

For me, focus-follows-mouse is most useful for terminal windows. It is a feature you can enable in iTerm2.

This doesn't help across applications of course, and there's a reasonable argument that the inconsistency is worse than the absence -- but for me, iTerm2's FFM feature helps.

Didn't know iTerm2 did that. Thanks, I'll check it out - might help a lot.

macOS is POSIX UNIX. It definitely has focus follows mouse.

You just mean that hover over a lower window allows scrolling right? MacOS has that.

It's honestly not that bad, but I'd advise to go into it with an open mind. A lot of switchers get angry at macOS when their habits from other systems don't work with it (e.g. wanting to maximize all the windows)

You don't have to have that open of a mind. I was angry at macOS because I didn't have good window management, but it was really easy to install a third party utility to do so.

I use Amethyst which is much easier to setup than my old Linux WMs. There are also tools like Yabai which are more customizable.

Sure, I guess you can also do that. I'd still advise to not go out and "fix" everything the minute you boot up OS X. It's worth learning how and why it works before you hack it.

If you're a Linux user for that long you've probably got experience updating CLI utilities. That's all that's required here, simply installing a new OpenSSH.

I recently made the transition (from ~10 yrs Linux) to Mac and it was really smooth. At the end of the day it's just a Unix system with a really nice looking window manager and lots of supported apps. If you don't like the included version of SSH, just use a different one, same as Linux.
