Half because WordPress really needs to stay upgraded, and half in hopes of fixing the Admin-SSL bug which was blocking posting, I upgraded to WordPress 2.5, a compatible beta of Admin-SSL (now under new management), and a few other plug-ins.

Not knowing how well the upgrade would go, I did the safe thing — I installed WP 2.5 separately from the live Extra Pepperoni site, installed and configured all the plugins I use (with my personal patches), created a new MySQL database, and configured everything, including a couple test comments (not as myself). After I got it working, I brought down the old site, moved the new one in place, reconnected it to the old MySQL DB (with all posts and comments), clicked the button to upgrade, and we’re up.

Unfortunately, there’s still a problem with comments. When I log into a new account to comment, I get a link to https://secure.reppep.com/wp-admin/profile.php, which is bogus; it needs to be https://secure.reppep.com/ep/wp-admin/profile.php. If you have an existing account (Tony), you might be able to login through https://secure.reppep.com/ep/wp-admin/ and comment, but it seems that viewing an actual post (which must be non-SSL) still loses its association with the login session, so you can visit the HTTP site as an anonymous user, or use the HTTPS site as your registered user, but the plaintext side has no access to comment, and the encrypted side doesn’t show the posts you would want to comment on. Hopefully BCG will be able to fix the problem in Admin-SSL. He’s already fixed the Preview function.

Also freaky: When I log into EP as a brand-new user (to comment), I get the Dashboard, telling me I (the brand-new user) have 184 posts. I didn’t think Subscriber users saw the Dashboard, but the post count is definitely bogus.

I did the initial installation as a Subversion checkout, which is very cool. Now, though, I have to create my own private WP hacks repos (easy), and figure out how to set up externals to pick up my additions.

A tip: Don’t try to check out the WordPress source over AFP; the permissions weren’t right, and the checkout couldn’t complete; when I did it locally on the Linux server, there was no problem. I hadn’t even noticed I was running “svn co” on the Mac instead of the server, but it was easy to fix once I noticed the cause.

pctony (congratulations on your Apache httpd PMC membership, Tony!) just informed me that comments here are broken. I knew Preview was broken, and am guessing that it’s a problem with my configuration of Admin-SSL, but hadn’t known it affected anyone other than myself. Admin-SSL in this configuration creates a disruption between the public (reading) side and the SSL-encrypted authenticated side, and preview & user logins for commenting both appear to be falling into that crack.

If I can’t get Admin-SSL working this way, I’ll come up with something else, although at this point I’m hoping Haris can tell me how to sort myself out.

In the meantime, I’m sorry for the inconvenience (especially Tony’s).

His two suggestions were to quote the path in the UltraEdit installer, or to use “dir /x” in CMD.COM to find the DOS-style 8.3 pathname of the destination folder. Unfortunately, I seem to have been wrong about the cause for their installer’s terribly vague “1925″ error message, as I tried another viable path (not containing spaces) today, and UE failed to install there too. Perhaps it’s a registry access issue — I sent email to IDM Software, and hope they have a more useful suggestion than “become an administrator”.

I just got a 1tb Time Capsule — it was a natural accessory for my new MBP, since I finally have a Mac with 802.11n support, and I routinely move large files or folders (500gb-8gb) around our home network; I also like the GE ports.

The Capsule replaced a WRT54G (hacked) and an AirPort Extreme — the APE is now serving as a print server in WDS mode (overkill, but otherwise it would just sit on a shelf, and the print server is handy). It is also providing backup space for all three of our laptops (including Julia’s), and the magic of Time Machine seems like a good security vs. convenience compromise — keeping conventional AFP or SMB shares from reppep.com mounted all the time on all three laptops would be suboptimal. Time Machine seems to handle mounting & unmounting gracefully.

On to the meat of my problem, though: Once I set up the Time Capsule, I noticed my MBP (10.5.2 latest) was getting the TC’s IP as its only DNS server via DHCP. This is annoying, as I configured the TC with 2 upstream DNS servers, and I want it to configure my Macs with at least those two; if the TC inserts itself first that’s fine, but it shouldn’t be my only nameserver.

The problem is aggravated (considerably!) by the fact that the TC is not actually serving names. My dig queries against it all time out.

On a related note, nmap points out that the Capsule is running an FTP server, which I (fortunately) cannot actually log into. I don’t see FTP anywhere in the UI or help (aside from a note about forwarding FTP through NAT). FTP is evil, and I don’t want it on at all! I know why ports 139 & 445 are open — to support SMB/CIFS and WINS, which I could configure but cannot turn off — but why RTSP and RealServer ports, and port 10,000?? I cannot get anything out of 10,000, so it’s not a normal Webmin, but what is Apple doing here??

I filed 3 bugs against Time Capsule, one against AirPort Admin Utility, and one against SP:Network, which I discovered while working around the TC DNS issue.

Meanwhile, I’m not holding my breath for answers & fixes from Apple. Do you all have more information about what’s going on here? Do TC users find a) the TC is the only only nameserver assigned via DHCP, and b) it doesn’t actually work as a nameserver??

After DreamHost’s breach 8 months ago, I was aggravated at their poor handling of the situation, but willing to give them the benefit of the doubt, and still happy with their low prices and flexible services.

With the new bad news and worse confirmation (still with poor incident handling), though, it’s time to get out of dodge.

I have moved Extra Pepperoni back onto my own hardware. I started blogging on Apple’s Blojsom install, but gave up on Tiger Server for Blojsom (and Mailman) because the services kept silently shutting down, leaving me to notice they were disabled days or weeks later (no fault of Blojsom or Mailman — Apple didn’t do a good job porting SpamAssassin either). Bringing up a WordPress blog and mailing lists at DreamHost was easy and cheap, but that’s no good if they are unsafe.

I’ll look at moving a couple very light-duty Mailman lists off DH next, but the lists are so lightly used I’m not too concerned. There just isn’t any confidential information on the mailing lists, aside from their tiny subscriber lists.

Ah, well. I now know much more about WordPress and MySQL than I cared too, but the setup wasn’t too bad. I hadn’t realized how many customizations and tweaks I made to WordPress until it came time to recreate them on my own system:

1. Almost Spring theme (included by DreamHost); with minor hack
2. PHP Markdown Extra; with minor hack
3. MySQL admin UI
4. WP-DB-Backup (DH included one, which I’m no longer using)
5. mod_rewrite for permalinks
6. Admin-SSL, with “Shared SSL” tweak, integrated into my existing SSL site (meaning EP is available through two different “sites”, and I have to keep the Apache configurations reconciled)
7. Twitter
8. WP-Cache (DH standard)
9. Akismet anti-spam registration
10. Technorati pinger (came over automatically with the DB).
11. Fix for widget.php to use legal JavaScript tag.

DreamHost wrote back, and the news isn’t good. Someone sent them a list which is apparently circulating, of username/password pairs for “FTP” accounts; one was mine. I had hoped that if a password leaked it was my old password, which I replaced back in June (on my birthday) when DreamHost told me they got hacked. No joy, though — the password they received was active on Extra Pepperoni (and chrispepper.com) until they sent me mail yesterday; I don’t use it elsewhere and changed it last night, but that means someone had access to EP very recently. It looks like nobody ever used the account, but methinks it’s time to install MySQL and WordPress on www.reppep.com, and probably Mailman too.

Crud on a cracker!

http://www.finjan.com/Pressrelease.aspx?id=1868&PressLan=1819&lan=3

And I still have no idea how they got me.

I got a message from DreamHost tonight which both confused and disturbed me.

Telling me there’s evidence that I have been intruded upon is scary — but what was the evidence?? Without more information, this is upsetting but not helpful.

I only access this account from fully patched Macs under my direct control. None of them were running Windows spyware, and I know there hasn’t been a hardware keylogger in operation on my equipment recently (I don’t believe every, but I’ve been doing lots of work on my equipment lately, so I know not recently). It’s certainly possible I got hacked by some brand-new Mac OS X exploit, but (especially given my understanding of DreamHost’s security model, which entails emailing plaintext passwords at the drop of a hat) I consider it considerably more likely this is a false alarm or miscommunication.

Especially given that, despite “we have reset your password”, the affected account’s password was NOT changed. I logged in normally and changed it myself. This makes me very glad that I created a brand-new password only for DreamHost last time they got hacked. On the other hand, I could have been sniffed logging in over the Internet (most of their access is unprotected); I only set up SSL for administration of Extra Pepperoni a month ago…

We’ll see how they respond to my request for clarification.

In the meantime, I am worried and aggravated.

It’s also somewhat suspicious that the timezone is UTC, considering that DreamHost is in Los Angeles. If it wasn’t the right panel.dreamhost.com hostname, I’d think this was an attempt to get me to submit my DH account information to a spammer, but that information isn’t worth much.

To: “Chris Pepper” <—-> From: DreamHost Support <support@—-> Subject: [reppep ----] Account Concerns… Date: Fri, 7 Mar 2008 02:20:34 +0000 (UTC)

Dear DreamHost customer,

We have found evidence indicating that your ‘reppep’ web server account may have been subject to intrusion by a malicious 3rd party. As a precautionary measure, we have reset your password and ask that you change it, here:

https://panel.dreamhost.com/index.cgi?tab=users&subtab=users& current_step=Index&next_step=Edit&usid=1532237

At this time we have found no evidence to suggest that there has been a breach of our internal security. We believe that the passwords in question were likely obtained through the use of spyware/keyloggers/malware, possibly installed on your personal computer.

In order to secure your account, we ask that you immediately follow the recommendations provided in the DreamHost AbuseCenter - particularly those involving the removal of malware. You may visit the AbuseCenter, here:

http://abuse.dreamhost.com/cracking/#exploits

If you have any questions or concerns, please let us know.

• DreamHost Abuse/Security Team

Apple put a lot of effort into making network sharing (Mac and Windows networking using the AFP & SMB/CIFS protocols) easier in Leopard. One of the things they did was introduce credential caching at the system level, so once you mount another Mac via AppleShare (for instance), you could then connect to it with Screen Sharing too, without authenticating. This is neat, but a bit problematic. I have had cases where:

1. I had to kill NetAuthAgent (the background process that appears to hold username/password pairs on your behalf) to make mounting work
2. I had to rearrange windows around onscreen, because a (stalled) progress window was hiding a username/password window, and never going to get anywhere without some help; other times I have dismissed the progress dialog without realizing it was waiting for a concealed window.
3. I have had to Force Quit and relaunch the Finder before it could (re-)mount some or all network volumes.
4. I have had to reboot the Leopard server before I could (re-)mount its volumes.
5. I have had Leopard systems fail to share out volumes, and had to re-share them manually. Part of this appears to be a different issue, where Leopard systems don’t even mount additional drives until a user logs in (obviously unmounted volumes cannot be mounted over the network). That’s not right!

Tonight’s problem was a bit different — I was connecting to a Windows server running Samba, and not getting the right permissions. When I looked in the server’s /var/log/samba/smbd.log (because I cannot find any way to see the account used for a network mount in in the Finder), I discovered that the share was mounted as the wrong user. I had never gotten the username/password dialog for this mount, as I had (the wrong) user credentials cached in NetAuthAgent.

The Tiger behavior is to default to the client username (the account mounting the share from the server). Leopard instead uses whichever user it has a cached credential for. I have now changed my scripts to always specify the username when mounting shares, e.g., open smb://pepper@inspectore/inspector.

I’ve been thinking about using SSL to protect logins to this blog for a while, but thought it would be too complicated. This weekend, I took the time, and thanks to Haris’ Admin-SSL plug-in, it was very easy. First I used cert.command to create a certificate for www.extrapepperoni.com, then I configured my DreamHost account to provide SSL (https://www.extrapepperoni.com/) in addition to the existing http scheme; this took a while to go through. Then I installed Admin-SSL, and after a few loading errors, all authentication and authenticated access is now SSL only, while reading anonymously is non-SSL.

Note that I’m using a certificate signed by my private certificate authority, ca.reppep.com, so you’ll get a warning from your browser that it’s not trusted; this is normal. You can continue past the warning and get full 128-bit SSL encryption; you just don’t have the assurance of a public CA that I am who I say I am.

Thanks to Rich & Sam for encouraging me to do this.

The Onboard Administrators (we got a pair for redundancy) each ship with a unique password. When you connect them, it appears the active OA resets the standby password to match the active. This was a bit confusing, as OA #2 came up active, and the passwords were not as expected; SSL certificates are created and reloaded in terms of “Active” & “Standby”, so I initially loaded new certs onto the wrong OAs.

ssh Implementation Flawed

The OAs support ssh access and ssh keys, but apparently only for the single Administrator account. This is documented incorrectly — the docs say the last word on the key line is the username the key is for, but actually they’re all linked to Administrator. HP Support doesn’t know much about it. It’s bad when security features don’t work as documented — in this case, it would be easy to follow instructions and upload a key for an unprivileged Operator or User account, unintentionally granting full Administrator access — we had this for a while, until I figured out what was really going on.

The web interface doesn’t allow copy & paste of keys — they must be downloaded by the OA from a web server. Afterwards, though, the public keys (which had to be accessible on through a web server, remember) are not visible to other authorized users of the OAs — only Administrator can see or modify keys. Feh.

Additionally, the web interface shows line breaks as ‘^’, so the keys look corrupt. Despite this they work, and display correctly in the command-line interface.

OA doesn’t automatically configure its accounts onto blade iLO. Instead, it creates an account for OA itself on each blade’s iLO. This is a bit odd, as it means authorized users cannot connect directly to iLO — instead they must connect through an OA, and have the OA login, before using iLO. We will presumably use the Compaq iLO configuration language to deploy our accounts to iLO, but this shouldn’t be necessary.

Good News

On the bright side, the chassis is easier to mount than our (smaller) IBM BladeCenter chassis; it’s also better labeled. The Onboard Administrator interface is better laid out, although it doesn’t work in Safari (seems fine in Firefox/Mac). The command line is a bit less bizarre than IBM’s.

HP makes it easy to dump the configuration to a text file, tweak it, and load it into another chassis, although we haven’t tested yet; they call this “Configuration Scripts”.

After getting burned too many times, I dropped my .Mac subscription. I never trusted my Apple keychains to iDisk anyway, but this means I have different subsets of passwords on different machines, and no good way to keep them in sync. I thought of a solution for manual sync last week: One keychain per Mac. Say I have 3 systems: work, home, and other. Each system has 3 Apple keychains: work.keychain, home.keychain, and other.keychain, with each host using its own as the default. Then I can rsync work.keychain to home.keychain & other.keychain, etc. This is awkward with rsync because it’s inherently unidirectional, but keychains are small so it’s quite feasible to script.

In Tiger, I know the keychain is actually stored in memory once it’s unlocked, so it’s good to lock (unload) all keychains with “security lock-keychain -a” before updating the files — this goes in the same script. I also set mine to lock after 2 hours of inactivity, or (on those systems where I run SSHKeychain) when sleeping or activating the (locking) screen saver.

This afternoon (morning in SF), Steve announced the excellent MacBook Air (which I don’t want), the iPhone 1.1.3 update (which I very much like and have already benefitted from), AppleTV “Take 2″ (which I will order if it can play MPEG2 from the TiVo easily), and iTunes movie rentals (which are useless for parents who watch half a movie at a time).

This afternoon, I went to NYsec, hosted by Ryan Naraine and Matasano Security. An interesting group with several good stories.

For over a year now, I’ve been following the development of Mac OS X Server 10.5 Leopard and testing betas, and anticipating upgrading reppep.com from Tiger Server on a dual 1.25GHz Power Mac G4 to Leopard Server on a dual 2GHz Power Mac G5. Over the weekend I had a change of plans, though.

Although I support Mac OS X Server at Rockefeller, I don’t recommend it for most requirements, as Linux compares favorably for transparency (some of the MOSXS internals are unique and poorly documented), server software compatibility (although Macs are quite good here too), and price/features at the low end. A Core Duo Mac mini has plenty of juice to saturate our 768kbps/3mbps DSL circuit, but adding a couple drives more than doubles its price, and Apple’s software RAID is quite broken; Linux software RAID is apparently quite good; I might eventually switch to hardware RAID. An Xserve is a great piece of hardware, but it’s a bit exotic and I can get a fast generic PC cheaper; I don’t want all the high-end features for a box that sits in our apartment.

Additionally, I’ve read perhaps 600 pages of docs on Leopard Server, and had at another 400-1500 yet to go. This is an investment I was finding hard to justify. The migration process is quite complicated, and Apple doesn’t support migrating accounts from a Tiger system to a Leopard system — I don’t want to do an upgrade. I could clone the G4 to the G5 and upgrade it there, but I prefer to handle upgrades as scratch installations with manual migration of applications, so I know exactly what’s been done. A lot of this is masked by upgrade procedures.

As part of this, I’ve decided to invest a bit more time in learning RHEL5 — we have a couple systems at Rockefeller, but not much in production yet, and now seems like a good time to dig in some more.

Fortunately, all the services I’ve been using on reppep.com are available on Linux (and FreeBSD), so aside from another incredibly inconvenient password change cycle (for which it is arguably time anyway), the switch should be largely transparent to reppep.com users, although I still have plenty of research to do.

A brief timeline of reppep.com

1. 1999: I left the National Audubon Society, and bought the Power Mac 7300 with accelerator card I’d been using there. I set it up with LinuxPPC and Apache, and started offering free web hosting to friends & family. LinuxPPC was eventually discontinued.
2. I upgraded from LinuxPPC to Yellow Dog Linux, which was better than LinuxPPC, but had serious flaws.
3. 2001: I was working on a couple remote FreeBSD machines (as admin of the Info-Mac server, and a user on the Apache Software Foundation userhost), and decided to learn more; I bought a cheap Celeron PC and installed FreeBSD 4.3 (IIRC); I upgraded through about v5.1 and a Pentium 4 (giving the Celeron box to the Info-Mac Archive, where it became the Info-Mac server for a while). I learned a lot about FreeBSD and UNIX in general, but eventually realized I was investing more time learning FreeBSD than I could justify. The best thing about FreeBSD is not a technical feature, but rather that the user community is so rich with knowledge. Reading the FreeBSD-STABLE list was amazing, as there was so much depth, freely shared with the community. While running on FreeBSD, I added mail services to the web services I had been offering. Note: Disruptions to personal email service are much worse than problems with personal web service.
4. 2005: It became clear that I needed anti-spam, so I began researching SpamAssassin. While I was figuring out how to build the SMTP sandwich, with a public untrusted Postfix listener on port 25 & 587, and a filter, and then a listener on a high port like 10025 to accept and deliver mail to actual users, I installed a beta of Mac OS X Server 10.4 “Tiger”, which had the whole thing implemented, plus ClamAV as a bonus. I started testing heavily before the release, and switched to MOSXS 10.4 shortly after it was finalized. It’s been very good, but as time has passed, I’ve had more and more problems. In particular, Apple chose to use Cyrus as an IMAP/POP server, and Cyrus is complicated, but Apple ignores the complexity; this can make troubleshooting impossible. The SpamAssassin installation is slightly broken; it’s a bit too old to offer the newer SpamAssassin self-upgrade mechanism. Server Admin is great, but has a bunch of bugs around SSL certificates, some of which destroy the certificates. Blojsom was nice, but Apple’s installation was very unstable; I eventually moved my blog to WordPress hosted externally.
5. 2008: I intend to switch to CentOS 5.1, which is basically a (legal) no-charge clone of Red Hat Enterprise Linux 5.1. This should make future upgrades a bit more straightforward, as I won’t have to deal with Apple’s Open Directory (OpenLDAP); it will also give me a bit more experience with RHEL5, which is a better investment for my time than Leopard Server.

ARD includes a very handy script called kickstart (/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart), to configure the Remote Desktop agent, which is also what Leopard’s Screen Sharing uses. This is important because Murphy says that you will always first need to connect to a recently installed machine and only then discover the ARD agent is off. With the kickstart agent, you can configure user access to Remote Desktop through an ssh connection, and turn the agent on.

Unfortunately, it never worked for me. I have tried to use kickstart on at least 4 separate occasions (always on Tiger systems), and it never did what I wanted. Tonight, I used it on a 10.5.1 system, and in about 5 minutes I had access (manually tunneled through ssh, no less). It would have been faster if the kickstart command was simple (it’s somewhat involved), or if I wasn’t determined to configure access controls before turning on ARD. It’s easy to configure ARD access via System Preferences:Sharing, but bad practice to enable services without access control configured.

Hoo-rah!

To learn about kickstart, use sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -help. If WordPress won’t let you read that whole line, try copying it into another program. Apple’s Apple Remote Desktop Administrator’s Guide includes some helpful examples.

We also use an UID 0 account, which doesn’t appear in System Preferences:Sharing, so I tend to create the account, set the UID, remember ARD, and curse as I discover I can no longer enable ARD access to that account without restoring the UID — quite a nuisance. Since local accounts are now stored in .plist files, adding our UID 0 account and giving it ARD access should both be much easier now.

Update: After revising more than once, the permanent link to the latest ipfw ruleset is http://securosis.com/publications/ipfw.html.

Over at Securosis, Rich and I posted a piece on using ipfw to increase your security. Leopard’s new ‘firewall’ isn’t a network firewall at all. It restricts applications’ ability to listen on ports, rather than working at the level of the network stack, which means it cannot do things like allow ssh from home but not from the rest of the Internet. If you want classic packet filtering, it makes sense to use ipfw as well. We cooked up a starter ruleset for people to customize, with instructions on installing it using WaterRoof.

The new “firewall” in Leopard is called socketfilterfw, but as far as I can tell it doesn’t actually do any packet filtering, which is how ipfw and classic packet filtering firewalls work. Instead, it restricts the ability of programs to “bind” a port so they can receive all traffic for that port. This discrimination is not novel — UNIX systems (including Mac OS X) will not allow any program to bind ports 0-1023 unless they’re running as root (UID 0). Normal users get an error when they attempt to take over low ports like this.

In recent years, many operating systems have made adjustments to this restriction, in an attempt to make permissions more granular. Apple, however, has added an entirely different (and much more sophisticated) test to the process of binding a port: does socketfilterfw trust it? socketfilterfw can even cryptographically ’seal’ a binary (program), to make sure that if it is changed in the future, it automatically loses its authorization to listen on the network. Unfortunately, Apple seems to have gotten a bit carried away, and signed some tools that are as likely to be used by crackers who have just broken into a system as legitimate Mac users (netcat, I’m looking at you)

If socketfilterfw allows the request, the port is bound and the program receives traffic that reaches the port; if socketfilterfw denies the request, the port is not bound to the requesting program, and it doesn’t get any traffic. Ironically, this is very much more like a Windows firewall (e.g., ZoneAlarm), of restricting and allowing individual applications, rather than working at a network level that has little or nothing to do with individual programs.

Anyway, here’s the help message for socketfilterfw. Note the reference to firewallapp, which does not exist on my system. Presumably it is an unreleased CLI tool to manage the firewall, like the ipfw command manges the kernel firewall, or iptables on Linux. Note that the FreeBSD-derived ipfw is still available in Mac OS X Leopard (user), but not activated or used by the system — it just passes all traffic through unless manually configured. On the other hand, Mac OS X Leopard Server’s Server Admin (used in Advanced mode, but unavailable in favor of Server Preferences in Standard mode) still uses ipfw. Over at Securosis, I’m working on an example ipfw ruleset to get people dissatisfied with socketfilterfw started, but before we post any rules, we need to decide upon a suitable (easy) way for people to use them without delving into writing custom rc boot scripts.

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw -h
usage: /usr/libexec/ApplicationFirewall/socketfilterfw [-c] [-w] [-d] [-l] [-T] [-U] [-B] [-L] [-a listen or accept] [-s file to sign] [-v file to verify] [-p pid to write] 
firewallapp is used to control Application Firewall socket filter.
The command takes the following options that are evaluated in order, 
and several options may be combined:
 -h        display this help and exit
 -t app    set trusted app, e.g. -t app1 app2 app3
 -i        dump socket filter internal data info
 -d        turn on debugging
 -l        do logging and run in daemon mode
 -k        kill daemon
 -a        ask when listen or accept, ask "accept" or ask "listen"
 -s file   sign file
 -v file   verify file
 -c        check file

Note that sudo /usr/libexec/ApplicationFirewall/socketfilterfw -d dumps out a list of allowed programs; there’s some other junk in the output that looks like the signatures checked against the binaries, and a bunch of references to “ALF”, which could stand for “Application Level Firewall”.

System Preferences has a security feature whereby you must “unlock” and authenticate as an admin to change sensitive settings, including Network settings. Ethernet & AirPort both have “Advanced…” buttons behind which Apple hides most of the actual controls — the non-Advanced settings are cut down and simplified (but definitely fine for normal use). Unfortunately, once you click Advanced… to change the settings, there’s no authenticate button. I’ve found myself in the Advanced sheet, unable to make a change, and had to back out of the sheet, unlock, and then click Advanced… again to make a change.

Apple declines to address this issue, so I’m documenting it here for others annoyed by this bug.

Update 2008/2/3: Adam, thanks for the suggestion — I’d forgotten about the vnc:// scheme. But who’s Geoff?? I prefer aliases to functions because they’re simpler, and like to leave an ssh shell open, both for my own use and as a reminder to close the tunnel when done. Here’s a simpler alias — note that you must still supply the hostname on the command line after the alias, e.g., “stss salt“.

alias stss="(sleep 4; open vnc://127.0.0.1:5901) & \
ssh -C -4 -L 5901:127.0.0.1:5900"

Update 2007/12/14: I added a pbcopy command to put ‘127.0.0.1:5901′ on the Clipboard (pasteboard), so now I can just Paste and then delete (pbcopy appends an undesired Return to the Clipboard), which makes the whole thing easier. New alias (note that this is really properly one line, but it doesn’t wrap properly without help):

alias stss='echo 127.0.0.1:5901 | pbcopy; open \
/System/Library/CoreServices/Screen\ Sharing.app; \
ssh -C -4 -L 5901:127.0.0.1:5900'

I have a couple licenses for Apple Remote Desktop at work, for managing our 8+1 Mac cluster (”the orchard”) and for managing other Mac servers on campus. I find ARD very useful because although Remote Desktop uses VNC as the underlying protocol, Apple’s compatibility has been poor, so I had lots of trouble connecting from Chicken of the VNC and other clients. While I like ARD (particularly the automatic ssh tunneling in v3), I only use the remote control feature, never its other management capabilities.

With Mac OS X 10.5 Leopard, Apple has bundled /System/Library/CoreServices/Screen Sharing.app, which provides the VNC capabilities I use from ARD and skips the other features I don’t care about. It’s my favorite Leopard feature, accessible from the Finder Sidebar, iChat, Server Admin, and through Back to My Mac (which seems to have some problems with security).

The only thing I don’t like about Screen Sharing is that Apple apparently built encryption into the VNC protocol. Apple’s encryption is of course incompatible with all the other clients & servers, since it’s Apple proprietary (just like their proprietary compression encodings). It’s confusing because the Preferences options look identical to the ones in ARD3, which actually uses an ssh tunnel to provide encryption. It’s a firewall problem because there are lots of places we a) allow ssh, b) block unencrypted VNC, and c) would allow encrypted VNC. ARD3’s ssh tunneling is usable here but Screen Sharing’s port 5900 connection is blocked. Fortunately the workaround is simple — build the ssh tunnel manually, as is normal for non-ARD3 VNC users. I have this alias:

alias stss='open /System/Library/CoreServices/Screen\ Sharing.app/; ssh -C -4 -L 5901:127.0.0.1:5900'

I use it with a hostname, as in: stss www

That makes an ssh connection to the specified host (www in this case), sets up a tunnel from 5901 on my admin workstation to 5900 on the server (since the admin workstation is likely to be running the Remote Management/Screen Sharing agent on 5900 already), and gives me a shell on www. As a convenience, it also launches Screen Sharing for me. In the Screen Sharing Connect window, I type 127.0.0.1:5901, and connect to the local end of the tunnel on port 5901; it goes through ssh and I get secure remote control via the ssh port (so it works across any firewalls that allow ssh). It’s actually doubly encrypted if I’m going across the Internet, since I always leave Screen Sharing’s encryption on too — if I forget to start the tunnel or connect to a machine that’s not firewalled on port 5900, I want to be sure I’m not transmitting passwords in plaintext.

I have been reading about Mac OS X 10.5 Leopard Server and non-Server lately, and I was surprised to realize how many different authentication & authorization systems are running each with its own timer.

1. Access to the “console” (keyboard/video/mouse): Ends when you log out or the locking screen saver kicks in.
2. Authentication for administrative actions in Carbon/Cocoa programs (such as modifying system directories in the Finder): 5 minutes (I believe).
3. Apple Keychain: Doesn’t lock automatically unless you configure it in Keychain Access.
4. ssh-agent (now linked to the Apple keychain): Clears when you reboot or when the Apple keychain locks.
5. Kerberos V (both client-server and client-client): Apparently TGTs expire after 10 hours by default.
6. sudo: 5 minutes by default.

• Mac OS X 10.5: About Kerberos in Mac OS X 10.5 clients
• Mac OS X Server version 10.5: About Kerberized NFS

Setting up new Leopard (user) and Leopard Server systems, I was shocked to discover that, in System Preferences:Accounts:Guest, “Allow guests to connect to shared folders” is enabled by default. This is lousy security. Fortunately file sharing is off by default, but I turned file sharing on a day or two before I noticed guest access was enabled. I don’t want guest access enabled, and it shouldn’t be on without a conscious decision.