Extra Pepperoni


Tag - BBEdit


Wednesday, January 16 2008

Macworld & NYSec

This afternoon (morning in SF), Steve announced the excellent MacBook Air (which I don't want), the iPhone 1.1.3 update (which I very much like and have already benefitted from), AppleTV "Take 2" (which I will order if it can play MPEG2 from the TiVo easily), and iTunes movie rentals (which are useless for parents who watch half a movie at a time).

This afternoon, I went to NYsec, hosted by Ryan Naraine and Matasano Security. An interesting group with several good stories.

Saturday, January 5 2008

Cyrus IMAPd: only about as complex as a USENET news server

For several years, I've been saying Apple made a bad choice when they picked Cyrus IMAPd as the POP/IMAP server for Mac OS X Server. It's a huge and complicated system, encompassing IMAP, POP, SSL, Sieve filtering, LMTP delivery, USENET news, clustering/proxy (Murder), pluggable authentication (SASL), etc. I cannot think of a single company outside Cupertino where it would make sense to run an enterprise mail system on Mac OS X Server, but Apple continues to add these inexplicable high-end features to its mail server, most recently XSan-based email clustering in Leopard Server.

The statement that convinced me (shortly after I had migrated to Cyrus IMAPd on Mac OS X Server 10.4 "Tiger") that I would never choose to run Cyrus for my personal use, was the following -- which I came across again today:

Installation Overview

This system should be expected to have the same order-of-magnitude installation complexity as a netnews system. Maintenance should have similar complexity, except administrators will have to deal with creation and deletion of users and will have the option of managing quotas and access control lists.

USENET news is infamously demanding and bandwidth intensive. It would be wonderful if Apple had taken Cyrus IMAPd, repackaged it (without too many changes!), and put a powerful and simple interface on top. They did this quite successfully with Apache httpd (although Server Admin breaks down on complicated configurations and has obscure bugs). Lots of people use Mac OS X Server to run websites and think it's easy & simple. Considering the typical reactions of those same people to the httpd .conf files "under the hood", this is a noteworthy triumph. Similarly, Time Machine provides a reasonable approximation of scheduled snapshots on a high-end NAS for do-it-yourself file recovery, with a simple interface that insulates users from the nitty-gritty of copy-on-write and hard links.

Cyrus did not get as much attention, though. Basically, Apple makes it pretty easy to create email accounts, provides a Repair button for the overall Cyrus database, and provides a Reconstruct button for individual accounts. That's about it. Unfortunately, Apple doesn't really document maintenance beyond "press the button and it will fix your problem". I've had several serious database problems which Apple's Repair button did not help with. Those were bad times.

Similarly, I have had problems where users could not log in, but Workgroup Manager claimed their accounts were usable. I eventually discovered that resetting passwords with passwd works sometimes, and re-setting passwords in Workgroup Manager works consistently, but when I asked Apple about it, the eventual response was basically, "Yes, that's bad; you should restore your accounts from your recent Open Directory export." Not a good answer.

It doesn't help that Apple's SpamAssassin and ClamAV installations are broken, as these result in more spam and slower deliveries.

So why am I planning to migrate to Cyrus IMAPd on CentOS 5.1? Well, I'd really like to just copy my 5GB mail directory to the new system and have my clients not notice the difference. Eudora doesn't handle (IMAP) change well -- renaming a single IMAP directory can force it to download all messages again, and various other things can cause Eudora to lose date stamps on sent mail, or message state information (when it gets disassociated from the actual message on the IMAP server). If I can make Cyrus work, I'll be very happy, and if I can't, I'll try Dovecot (Red Hat's default) or Courier (which I hear is also good).

Also, I know it can work, and I have a rough model to work from on my Tiger Server, but if I wasn't using Cyrus already I would stay away from it, as I wish Apple had done.

Wednesday, January 2 2008

PowerBook won't boot from Leopard DVD

Update 2008/01/04: I tried again with a bulk (manufactured/pressed, not burned onto a DVD-R/DVD+R) DVD, and it worked fine. In retrospect, it seems likely to be drive deterioration, as I installed several betas from DL DVD+Rs I burned.

This is odd. I have a 1.5GHz 15" PowerBook G4 (3.5 years old), running Leopard, which I want to reinstall. I have tried booting from two different Leopard DVDs I burned (both DVD+R DL, since I can't find any DVD-R DL media) from legit Apple ISOs. It won't boot from either, and often if I insert one of these DVDs while it's running, the DVD drive chugs a bit and spits the DVD out. Sometimes, however, it reads the DVD -- I can run the "Install Mac OS X" app (which just sets the startup disk and reboots), but not boot from disc.

Nothing in the logs.

Hardware Overview:

Model Name: PowerBook G4 15"
Model Identifier: PowerBook5,4
Processor Name: PowerPC G4 (1.1)
Processor Speed: 1.5 GHz
Number Of CPUs: 1
L2 Cache (per CPU): 512 KB
Memory: 1 GB
Bus Speed: 167 MHz
Boot ROM Version: 4.8.6f0
Serial Number: ****

When the disk was mounted, Apple System Profiler showed:


Firmware Revision: DAM5
Interconnect: ATAPI
Burn Support: Yes (Apple Shipping Drive)
Cache: 2048 KB
Reads DVD: Yes
CD-Write: -R, -RW
DVD-Write: -R, -RW, +R, +RW
Write Strategies: CD-TAO, CD-SAO, DVD-DAO
Blank: No
Erasable: No
Overwritable: No
Appendable: No

Disk Utility on an un-bootable DVD

Wednesday, December 26 2007

Leopard Install Ate Account, Again

Over Christmas, I updated Dad's backup (SuperDuper is great), and upgraded to Leopard. It failed miserably -- in exactly the same way as my own first Leopard upgrade failed, although I didn't know what was going on back then. There wasn't any documentation about the problem then, but now Apple describes a closely related issue:

Mac OS X 10.5: Unable to log in after an upgrade install

Issue or symptom

You may not be able to log in with a user account that has a password of 8 or more characters and was originally created in Mac OS X 10.2.8 or earlier, after performing an upgrade installation of Mac OS X 10.5 Leopard (the default installation type).

I do indeed use a password longer than 8 characters. At least on my own system, the accounts were not created under or before 10.2.8. On my father's system, the accounts may date back that far, but his password was not longer, and Apple's suggested workaround did not work either.

On my own upgrade, I installed Leopard, and was unable to log in with my (known correct) password, or my root password. I booted from DVD and was able to see my home directory, but there was no information on how to fix Leopard accounts (and really not much information on Leopard accounts at all) at that time. Reset Password from DVD didn't work, and neither did passwd. I reinstalled from scratch and restored my home directory.

For Dad, I didn't have time to do that, so I created a new account with a different username and real name, and swapped his old home directory with the new (basically empty) one. This took about 5 minutes, compared to several hours spent unsuccessfully trying to fix his old account. Somehow during the upgrade, his account was disabled, and I was unable to re-enable it. I booted from the Leopard DVD, and the Reset Password tool said it reset his password, but did not. I booted into my own admin account, and used passwd, which gave me a Directory Services account disabled error. The only references Google has to that error code are copies of the manual page, which lists the error code but not a way to enable such an account. I even updated to get the Login & Keychain update, but it didn't help.

In the interim, Apple has documented that Leopard stores accounts as .plist files in /var/db/dslocal/nodes/Default/users/, which is very helpful -- it makes it easy to do things like change UIDs, which I need to do periodically. On the other hand, those files point into other places for some information, such as the Kerberos KDC (Key Distribution Center) for actual passwords. I don't know enough Kerberos to feel comfortable creating an identity for his account, as should have automatically happened during the upgrade (before Leopard, non-Server versions of Mac OS X don't include a KDC, and they store passwords differently). I considered pointing his account to the KDC identity for a new account with the right password, but this seemed fragile, so I went with the new account, which seems to have worked reasonably well.


Tuesday, December 18 2007

Leopard's bash auto-completion vs. symlinked directories

In Leopard, Tab completion in bash doesn't immediately append trailing slashes to symbolic links that point to directories. When I complained about this change to Apple, I was told it was user configurable, and I should just configure the old behavior. It took me a while to actually find the solution -- partially because it isn't within bash itself, and partially because it was quite a nuisance but not a serious problem.

For example, ~/www is a symlink to /Volumes/www, and I cd to directories below it quite frequently. I'm in the habit of typing "cd w[Tab]/pu[Tab]", which should expand to "cd www/public_html". This broke in Leopard -- I needed an extra Tab to get the / -- otherwise I'd end up with the ugly and non-functional "cd wwwpu". Anyway, the fix is:

echo "set mark-symlinked-directories on" >> ~/.inputrc

Now Tab completion works the way I want it to again. Thanks, stylishpants!

Monday, December 10 2007

Struggling with Apple engineering (Power Mac G5)

I put 2 750GB drives in a Power Mac G5 to run Leopard. Now I want to get them out, so they can go in a Linux PC. I've spent at least an hour struggling with the stupid things, and losing.

They were a bit odd to get in, but they're almost(?) impossible to get out. The drives are inside plastic guides, and only the edges stick out. I can't get a good grip on the top & bottom because the PCB (circuit board) is at the bottom and fragile. I can grab the left & right edges, but all I can do is wiggle. I removed a fan screw so I could have some more room to work; I loosened a drive bracket screw, but only a little bit, and stripped my Phillips screwdriver some in the process -- thus also the screw-head, of course. I would take the whole drive cage out, but it has 2 screws at the far (un-removable) side of the case, and I'd need to do quite a bit more disassembly to get at them.

I've been loosening the plastic cage -- basically just wiggling it to soften it up -- with a flat-head screwdriver. It's visibly looser, but the drives are still quite stuck. I've been prying up on the left edge of the drives with a flat-head screwdriver -- there's a lip I can just get a bit of a grip on -- but only moved 1-2mm so far, and I have to hope I don't damage anything by prying at the drive like this. I can see I've already scraped black paint off the drive.


Perhaps this is why they came up with a totally different drive mounting design in the similar-looking Mac Pros.

Saturday, December 8 2007

Upgrading from Tiger Server to Linux

For over a year now, I've been following the development of Mac OS X Server 10.5 Leopard and testing betas, and anticipating upgrading reppep.com from Tiger Server on a dual 1.25GHz Power Mac G4 to Leopard Server on a dual 2GHz Power Mac G5. Over the weekend I had a change of plans, though.

Although I support Mac OS X Server at Rockefeller, I don't recommend it for most requirements, as Linux compares favorably for transparency (some of the MOSXS internals are unique and poorly documented), server software compatibility (although Macs are quite good here too), and price/features at the low end. A Core Duo Mac mini has plenty of juice to saturate our 768kbps/3mbps DSL circuit, but adding a couple drives more than doubles its price, and Apple's software RAID is quite broken; Linux software RAID is apparently quite good; I might eventually switch to hardware RAID. An Xserve is a great piece of hardware, but it's a bit exotic and I can get a fast generic PC cheaper; I don't want all the high-end features for a box that sits in our apartment.

Additionally, I've read perhaps 600 pages of docs on Leopard Server, and had another 400-1500 yet to go. This is an investment I was finding hard to justify. The migration process is quite complicated, and Apple doesn't support migrating accounts from a Tiger system to a Leopard system -- I don't want to do an upgrade. I could clone the G4 to the G5 and upgrade it there, but I prefer to handle upgrades as scratch installations with manual migration of applications, so I know exactly what's been done. A lot of this is masked by upgrade procedures.

As part of this, I've decided to invest a bit more time in learning RHEL5 -- we have a couple systems at Rockefeller, but not much in production yet, and now seems like a good time to dig in some more.

Fortunately, all the services I've been using on reppep.com are available on Linux (and FreeBSD), so aside from another incredibly inconvenient password change cycle (for which it is arguably time anyway), the switch should be largely transparent to reppep.com users, although I still have plenty of research to do.

A brief timeline of reppep.com

  1. 1999: I left the National Audubon Society, and bought the Power Mac 7300 with accelerator card I'd been using there. I set it up with LinuxPPC and Apache, and started offering free web hosting to friends & family. LinuxPPC was eventually discontinued.
  2. I upgraded from LinuxPPC to Yellow Dog Linux, which was better than LinuxPPC, but had serious flaws.
  3. 2001: I was working on a couple remote FreeBSD machines (as admin of the Info-Mac server, and a user on the Apache Software Foundation userhost), and decided to learn more; I bought a cheap Celeron PC and installed FreeBSD 4.3 (IIRC); I upgraded through about v5.1 and a Pentium 4 (giving the Celeron box to the Info-Mac Archive, where it became the Info-Mac server for a while). I learned a lot about FreeBSD and UNIX in general, but eventually realized I was investing more time learning FreeBSD than I could justify. The best thing about FreeBSD is not a technical feature, but rather that the user community is so rich with knowledge. Reading the FreeBSD-STABLE list was amazing, as there was so much depth, freely shared with the community. While running on FreeBSD, I added mail services to the web services I had been offering. Note: Disruptions to personal email service are much worse than problems with personal web service.
  4. 2005: It became clear that I needed anti-spam, so I began researching SpamAssassin. While I was figuring out how to build the SMTP sandwich, with a public untrusted Postfix listener on port 25 & 587, and a filter, and then a listener on a high port like 10025 to accept and deliver mail to actual users, I installed a beta of Mac OS X Server 10.4 "Tiger", which had the whole thing implemented, plus ClamAV as a bonus. I started testing heavily before the release, and switched to MOSXS 10.4 shortly after it was finalized. It's been very good, but as time has passed, I've had more and more problems. In particular, Apple chose to use Cyrus as an IMAP/POP server, and Cyrus is complicated, but Apple ignores the complexity; this can make troubleshooting impossible. The SpamAssassin installation is slightly broken; it's a bit too old to offer the newer SpamAssassin self-upgrade mechanism. Server Admin is great, but has a bunch of bugs around SSL certificates, some of which destroy the certificates. Blojsom was nice, but Apple's installation was very unstable; I eventually moved my blog to WordPress hosted externally.
  5. 2008: I intend to switch to CentOS 5.1, which is basically a (legal) no-charge clone of Red Hat Enterprise Linux 5.1. This should make future upgrades a bit more straightforward, as I won't have to deal with Apple's Open Directory (OpenLDAP); it will also give me a bit more experience with RHEL5, which is a better investment for my time than Leopard Server.

Tuesday, December 4 2007

Holiday Albums

I take a lot of pictures of Julia, and every year we make holiday photo albums (normally from iPhoto); last year we got 6.

I just went through December 2006's photos, picking 5. Now I have 2,400 that made the initial cut from January through November 2007 to review. There are also 47 Julia took this year to check out.

It's a big job! The books tend to be a bit longer than the base 20 pages, but we like them.

Sunday, December 2 2007

iPhoto: Cropping is much improved

I've been complaining about iPhoto's Crop command for years (generally to Apple). Crop worked, then it got erratic, then I complained, and then Apple disimproved it, removing the flaky feature (Keyboard shortcut? Something like that). This removed the bug from their dashboard at a cost in functionality and convenience.

In iPhoto 7 (iLife 08), cropping is much improved. Hit the 'c' key to start a crop. Since grabbing the handles is problematic with top and bottom strips that flash over the photo at the edges of the screen, iPhoto helpfully (in full-screen Edit mode) shrinks the whole photo to not touch the edges. It looks strange, but helps a lot. When done, hit Enter to perform the crop.

There are still several rough edges, though:

  1. Sometimes the un-cropped image appears. This is confusing!
  2. iPhoto 6 always set a consistent proportional default crop area when selecting a new image. I liked this, as it offered a standard (relative) resolution when cropping photos, and I used that suggested size to size some photos the same. This is minor, but I miss it.
  3. The crop constraint (I normally use "4 x 3 (Book)", which can be inverted with the Option key) sometimes gets unset; it should stay the way I set it (ideally, even across launches of iPhoto). Additionally, when the Crop checkbox clears itself, the proportion flips back to "3072 x 2304 (Original)" on images from my Canon PowerShot SD800IS.
  4. The default crop constraint (original) for some reason cannot be inverted with Option, so I have to switch to "4 x 3 (Book)" when I want to crop "crossways".

Saturday, December 1 2007

Yay! Leopard fixed kickstart

ARD includes a very handy script called kickstart (/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart), to configure the Remote Desktop agent, which is also what Leopard's Screen Sharing uses. This is important because Murphy says that you will always first need to connect to a recently installed machine and only then discover the ARD agent is off. With the kickstart agent, you can configure user access to Remote Desktop through an ssh connection, and turn the agent on.

Unfortunately, it never worked for me. I have tried to use kickstart on at least 4 separate occasions (always on Tiger systems), and it never did what I wanted. Tonight, I used it on a 10.5.1 system, and in about 5 minutes I had access (manually tunneled through ssh, no less). It would have been faster if the kickstart command were simple (it's somewhat involved), or if I weren't determined to configure access controls before turning on ARD. It's easy to configure ARD access via System Preferences:Sharing, but bad practice to enable services without access control configured.


To learn about kickstart, use sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -help. If WordPress won't let you read that whole line, try copying it into another program. Apple's Apple Remote Desktop Administrator’s Guide includes some helpful examples.

We also use a UID 0 account, which doesn't appear in System Preferences:Sharing, so I tend to create the account, set the UID, remember ARD, and curse as I discover I can no longer enable ARD access to that account without restoring the UID -- quite a nuisance. Since local accounts are now stored in .plist files, adding our UID 0 account and giving it ARD access should both be much easier now.

Friday, November 30 2007

iPhone Subtleties

Update 2007/12/15: The iPod has two shuffle modes. I'd been going to the list of songs and hitting Shuffle, but this isn't sticky. The trick is to 1) start playing a song, 2) tap on the cover area to get the track position slider, and 3) tap the shuffle icon on the right side. This is sticky, and I now have shuffle play by default! Still no shuffle by album, though...

The iPhone has a few very small features which show a surprising level of thought went into its design before launch.

The do not disturb switch. This has been a signature feature of Treos for years -- completely disabling the speaker. Apple got smarter: the iPhone's side switch mutes incoming calls, SMS notifications, & calendar alerts. But the alarm clock and immediate actions on the phone -- including speakerphone and iPod playback (with earphones disconnected) -- still use the speaker. So Apple has evolved from "mute" to "do not disturb", which is much more useful.

Keyboard key-up. Registering keys on finger lift allows correction without mistyping (if you're paying attention) and provides some really handy tricks, like dragging from shift to I to get a capital I in one (long) tap instead of three -- works for numbers & punctuation too.

iPod stop on earphone removal. When you unplug earphones, the iPhone stops music or video playback. I use this feature at least twice a day, when I get home or to work. If the iPhone is in a holster or bag, this saves the trouble of getting it out to stop playback. Apple could have opted to activate the speaker instead, but people unplug their earphones and stop using the iPod much more often than they switch from earphones to speakers.

Earphone remote behavior. When listening to music, it fades out if the phone rings; I thought this was silly, but it's nice. When I hit the button on the remote, the phone answers; when I hit the button later to hang up, the music resumes. If I'm using the iPhone (in any app) and hit the earphone remote, music starts (or stops) playing; this saves me a few steps on switching into the iPod app and back to what I was doing. When watching video, it pauses and resumes. Between that, the double-click to skip to next track, and the volume controls on the side of the iPod (easily accessible in a belt holster), I don't miss the 6-button iPod remote.

Unfortunately, it's always alphabetical play of everything on the iPhone, so I have to switch to iPod and start Shuffle play the first time; then it stays in Shuffle mode until either a) the iPhone gets confused and stops playing, or b) I plug into a Mac; neither of these should switch me out of Shuffle mode, actually.

And that reminds me: What genius at Apple decided that iPhone users don't want to shuffle by album? So much for "the best iPod ever". Pfeh!

But overall, the iPhone is remarkably sophisticated. Perhaps Ive & Jobs and their 5 closest friends spent a year writing down all the things about cellphones that annoyed them, and brought that into the iPhone design discussions.

Tuesday, November 27 2007

Parallels Oddness: Network mis-configured

I use Parallels Desktop for Mac to run the Action Request System (Remedy) for trouble ticket tracking at work. They have a webapp, but it's not really usable.

A couple weeks ago, about when I upgraded my work desktop to Leopard, Parallels broke. I couldn't connect to the Remedy server, or our voicemail system. I don't really think about Parallels networking, but it's all virtual so normal troubleshooting is unavailable. Basically there's a fake DHCP server (or two) inside Parallels for the VMs, and I had very little visibility into why it was doing the wrong thing. I reinstalled Parallels but hadn't spent much time on it, since I don't use Remedy heavily.

It turns out I needed to re-set Parallels from Bridged to Shared networking mode, whereby it uses the Mac as a NAT server. The NAT alleviates many of my concerns about running Windows. But how & why did that setting get changed in the first place??

Friday, November 16 2007

Securosis: ipfw ruleset

Update: After revising more than once, the permanent link to the latest ipfw ruleset is http://securosis.com/publications/ipfw.html.

Over at Securosis, Rich and I posted a piece on using ipfw to increase your security. Leopard's new 'firewall' isn't a network firewall at all. It restricts applications' ability to listen on ports, rather than working at the level of the network stack, which means it cannot do things like allow ssh from home but not from the rest of the Internet. If you want classic packet filtering, it makes sense to use ipfw as well. We cooked up a starter ruleset for people to customize, with instructions on installing it using WaterRoof.

Saturday, November 10 2007

Leopard's "socket firewall"

The new "firewall" in Leopard is called socketfilterfw, but as far as I can tell it doesn't actually do any packet filtering, which is how ipfw and classic packet filtering firewalls work. Instead, it restricts the ability of programs to "bind" a port so they can receive all traffic for that port. This discrimination is not novel -- UNIX systems (including Mac OS X) will not allow any program to bind ports 0-1023 unless they're running as root (UID 0). Normal users get an error when they attempt to take over low ports like this.

In recent years, many operating systems have made adjustments to this restriction, in an attempt to make permissions more granular. Apple, however, has added an entirely different (and much more sophisticated) test to the process of binding a port: does socketfilterfw trust it? socketfilterfw can even cryptographically 'seal' a binary (program), to make sure that if it is changed in the future, it automatically loses its authorization to listen on the network. Unfortunately, Apple seems to have gotten a bit carried away, and signed some tools that are as likely to be used by crackers who have just broken into a system as by legitimate Mac users (netcat, I'm looking at you).

If socketfilterfw allows the request, the port is bound and the program receives traffic that reaches the port; if socketfilterfw denies the request, the port is not bound to the requesting program, and it doesn't get any traffic. Ironically, this is much more like a Windows firewall (e.g., ZoneAlarm), which restricts and allows individual applications, than like a network-level filter that has little or nothing to do with individual programs.

Anyway, here's the help message for socketfilterfw. Note the reference to firewallapp, which does not exist on my system. Presumably it is an unreleased CLI tool to manage the firewall, like the ipfw command manages the kernel firewall, or iptables on Linux. Note that the FreeBSD-derived ipfw is still available in Mac OS X Leopard (user), but not activated or used by the system -- it just passes all traffic through unless manually configured. On the other hand, Mac OS X Leopard Server's Server Admin (used in Advanced mode, but unavailable in favor of Server Preferences in Standard mode) still uses ipfw. Over at Securosis, I'm working on an example ipfw ruleset to get people dissatisfied with socketfilterfw started, but before we post any rules, we need to decide upon a suitable (easy) way for people to use them without delving into writing custom rc boot scripts.

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw -h
usage: /usr/libexec/ApplicationFirewall/socketfilterfw [-c] [-w] [-d] [-l] [-T] [-U] [-B] [-L] [-a listen or accept] [-s file to sign] [-v file to verify] [-p pid to write] 
firewallapp is used to control Application Firewall socket filter.
The command takes the following options that are evaluated in order, 
and several options may be combined:
 -h        display this help and exit
 -t app    set trusted app, e.g. -t app1 app2 app3
 -i        dump socket filter internal data info
 -d        turn on debugging
 -l        do logging and run in daemon mode
 -k        kill daemon
 -a        ask when listen or accept, ask "accept" or ask "listen"
 -s file   sign file
 -v file   verify file
 -c        check file

Note that sudo /usr/libexec/ApplicationFirewall/socketfilterfw -d dumps out a list of allowed programs; there's some other junk in the output that looks like the signatures checked against the binaries, and a bunch of references to "ALF", which could stand for "Application Level Firewall".

Time Machine: Exclude All System Files

Time Machine has a hidden feature, to "Exclude All System Files". In Leopard Server's Standard mode, Time Machine is a service, and in Server Preferences you can control whether clients back up their system files, or skip them. This is logical -- for personal backups you want everything, but if you have enough users to justify a file server, you might well not want to back up the same Leopard system files for each user.

Today's handy-dandy discovery was that Mac OS X Leopard "user" has this feature too, but there's no visible knob to turn it on. Interestingly, I cannot find such a control in Server Admin either, which could be my oversight or could simply be a bug (I've reported it, anyway).

Instead, if on the client you add /System to Time Machine's list of directories not to back up (I also skip /Developer, /sw, and my music files), Leopard pops up a handy dialog, asking if you really want to "Exclude All System Files". I chose yes, although I'd like to know exactly what (directories) are excluded by this option.

Tuesday, November 6 2007

Leopard Server Bug: Deleting an interface in Server Assistant is broken

10.5.0 Server: I have 3 interfaces. The onboard GE is broken, so I have GE cards in PCI 2 & PCI 3. When I delete Ethernet in Server Assistant (at installation time), it crashes and bounces me back to the Welcome screen at the beginning of the process. I can, however, just not leave it at DHCP (physically disconnected) and get through; I think I could also turn off TCP/IP for that port, but haven't verified in 10.5.0 GM.

Leopard: Minor authorization bug

System Preferences has a security feature whereby you must "unlock" and authenticate as an admin to change sensitive settings, including Network settings. Ethernet & AirPort both have "Advanced..." buttons behind which Apple hides most of the actual controls -- the non-Advanced settings are cut down and simplified (but definitely fine for normal use). Unfortunately, once you click Advanced... to change the settings, there's no authenticate button. I've found myself in the Advanced sheet, unable to make a change, and had to back out of the sheet, unlock, and then click Advanced... again to make a change.

Apple declines to address this issue, so I'm documenting it here for others annoyed by this bug.

Saturday, November 3 2007

Screen Sharing replaces Apple Remote Desktop

Update 2009/01/15: If you connect to a particular machine frequently, you could put a clickable icon into the Dock.

  1. Put these two lines into a plain text file (I'll call it myserver.command). The filename must end with .command to be launchable from the Finder.
  2. Make sure it has UNIX line breaks.
  3. Make it executable (chmod +x myserver.command).
  4. If you use it a lot, drag it into the Dock for quick access.

(sleep 4; open vnc:// & ssh -C -4 -L 5901: myserver

That will ssh to myserver, pop back a tunnel for VNC, and point Screen Sharing to the tunnel. After you close the Screen Sharing connection and log out of the ssh session, the tunnel will be closed automatically.
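The same tunnel-then-open sequence, written out as an added shell script that is not the blog's own command; the local port 5901, the remote VNC port 5900 and the hostname argument are assumptions, and the script additionally validates the port numbers and binds the local end of the tunnel to loopback only.

```shell
#!/bin/sh
# Added example, not the blog's own command. Assumptions (labelled): the remote
# Mac's Screen Sharing/VNC service listens on port 5900 on its own loopback,
# the local tunnel endpoint is 127.0.0.1:5901, and the hostname (e.g. myserver)
# is passed as the first argument.

LOCAL_PORT=5901     # assumed local end of the tunnel (the blog uses 5901)
REMOTE_PORT=5900    # assumed remote VNC port (standard VNC display :0)

# Accept only a plausible TCP port: digits only, 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the ssh command: -C compresses, -4 forces IPv4 (both from the blog's
# alias), -L forwards the local port to the remote host's own VNC port.
# Binding the local end explicitly to 127.0.0.1 keeps other machines on the
# LAN from reaching the tunnel through this Mac.
tunnel_cmd() {
    host=$1
    [ -n "$host" ] || return 1
    valid_port "$LOCAL_PORT" || return 1
    valid_port "$REMOTE_PORT" || return 1
    printf 'ssh -C -4 -L 127.0.0.1:%s:127.0.0.1:%s %s' \
        "$LOCAL_PORT" "$REMOTE_PORT" "$host"
}

# The URL Screen Sharing opens: the local end of the tunnel, not the server.
vnc_url() {
    printf 'vnc://127.0.0.1:%s' "$LOCAL_PORT"
}

# Only act when a host is given; with no argument the functions are just defined.
if [ -n "${1:-}" ]; then
    cmd=$(tunnel_cmd "$1") || { echo "usage: $0 hostname" >&2; exit 1; }
    # Give ssh a few seconds to bring the tunnel up, then open Screen Sharing
    # through it; the ssh session stays in the foreground as a reminder to
    # close the tunnel when done.
    ( sleep 4; open "$(vnc_url)" ) &
    $cmd
fi
```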

Update 2008/2/3: Adam, thanks for the suggestion -- I'd forgotten about the vnc:// scheme. But who's Geoff?? I prefer aliases to functions because they're simpler, and like to leave an ssh shell open, both for my own use and as a reminder to close the tunnel when done. Here's a simpler alias -- note that you must still supply the hostname on the command line after the alias, e.g., "stss salt".

alias stss="(sleep 4; open vnc://localhost:5901) & ssh -C -4 -L 5901:localhost:5900"

Update 2007/12/14: I added a pbcopy command to put 'localhost:5901' on the Clipboard (pasteboard), so now I can just Paste and then delete the trailing Return (echo adds a newline, and pbcopy copies it along with the text), which makes the whole thing easier. New alias (a single line):

alias stss='echo localhost:5901 | pbcopy; open /System/Library/CoreServices/Screen\ Sharing.app; ssh -C -4 -L 5901:localhost:5900'

I have a couple of licenses for Apple Remote Desktop at work, for managing our 8+1 Mac cluster ("the orchard") and for managing other Mac servers on campus. I find ARD very useful because although Remote Desktop uses VNC as the underlying protocol, Apple's compatibility has been poor, so I had lots of trouble connecting from Chicken of the VNC and other clients. While I like ARD (particularly the automatic ssh tunneling in v3), I only use the remote control feature, never its other management capabilities.

With Mac OS X 10.5 Leopard, Apple has bundled /System/Library/CoreServices/Screen Sharing.app, which provides the VNC capabilities I use from ARD and skips the other features I don't care about. It's my favorite Leopard feature, accessible from the Finder Sidebar, iChat, Server Admin, and through Back to My Mac (which seems to have some problems with security).

The only thing I don't like about Screen Sharing is that Apple apparently built encryption into the VNC protocol in an incompatible way. Apple's encryption is of course incompatible with all the other clients & servers, since it's Apple proprietary (just like their proprietary compression encodings). It's confusing because the Preferences options look identical to the ones in ARD3, which actually uses an ssh tunnel to provide encryption. It's a firewall problem because there are lots of places where we a) allow ssh, b) block unencrypted VNC, and c) would allow encrypted VNC. ARD3's ssh tunneling is usable here but Screen Sharing's port 5900 connection is blocked. Fortunately the workaround is simple -- build the ssh tunnel manually, as is normal for non-ARD3 VNC users. I have this alias:

alias stss='open /System/Library/CoreServices/Screen\ Sharing.app/; ssh -C -4 -L 5901:localhost:5900'

I use it with a hostname, as in: stss www

That makes an ssh connection to the specified host (www in this case), sets up a tunnel from port 5901 on my admin workstation to port 5900 on the server (since the admin workstation is likely to be running the Remote Management/Screen Sharing agent on 5900 already), and gives me a shell on www. As a convenience, it also launches Screen Sharing for me. In the Screen Sharing Connect window, I type localhost:5901 and connect to the local end of the tunnel; the session goes through ssh and I get secure remote control via the ssh port (so it works across any firewall that allows ssh). It's actually doubly encrypted if I'm going across the Internet, since I always leave Screen Sharing's encryption on too -- if I forget to start the tunnel or connect to a machine that's not firewalled on port 5900, I want to be sure I'm not transmitting passwords in plaintext.
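Here is a script version of the tunnel recipe above. It is an added example, not code from the original post. It assumes OpenSSH's -L and -o ExitOnForwardFailure options, bash's /dev/tcp redirection for the readiness probe, a server whose Screen Sharing agent listens on port 5900 as described above, and the macOS open command. It goes beyond the alias in three ways: it refuses to start if 5901 is already in use on the workstation (otherwise Screen Sharing would quietly attach to whatever already owns that port, and ssh on its own would only print a warning), it binds the tunnel listener to 127.0.0.1 explicitly so nothing else on the LAN can use it, and it opens Screen Sharing once the tunnel is actually listening instead of guessing with sleep 4.

```shell
#!/bin/bash
# Added example, not code from the original post: the stss alias as a script
# with the checks a hardened tunnel wants. Assumptions: OpenSSH (-L and
# -o ExitOnForwardFailure), bash's /dev/tcp for the port probe, the macOS
# open command, and a Screen Sharing agent on the server's port 5900.

# ssh -L spec: bind the local listener to 127.0.0.1 explicitly so only this
# workstation can reach the tunnel; the far end is the server's own loopback.
forward_spec() {
    printf '127.0.0.1:%s:localhost:%s' "${1:-5901}" "${2:-5900}"
}

# What Screen Sharing should open: the local end of the tunnel, never the server.
vnc_url() {
    printf 'vnc://127.0.0.1:%s' "${1:-5901}"
}

# Succeed if something already accepts connections on 127.0.0.1:$1.
# Uses bash's /dev/tcp so no nc or lsof is needed (assumption: bash).
port_open() {
    (exec 3<>"/dev/tcp/127.0.0.1/$1") 2>/dev/null
}

# Wait for the tunnel to come up: probe once a second, up to $2 tries.
wait_for_port() {
    tries=${2:-15}
    while [ "$tries" -gt 0 ]; do
        port_open "$1" && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

main() {
    if [ -z "$1" ]; then
        echo "usage: $0 host [local_port] [remote_port]" >&2
        return 2
    fi
    host=$1; lp=${2:-5901}; rp=${3:-5900}

    # If the local port is taken, the readiness probe below would see the
    # squatter and point Screen Sharing at it, so bail out first.
    if port_open "$lp"; then
        echo "port $lp is already in use on this machine; pick another" >&2
        return 1
    fi

    # Launch Screen Sharing only once the tunnel is really listening.
    ( wait_for_port "$lp" && open "$(vnc_url "$lp")" ) &

    # ExitOnForwardFailure makes ssh quit instead of merely warning if the
    # forward cannot be set up. Running ssh in the foreground leaves a shell on
    # the server and tears the tunnel down when you log out, like the alias.
    exec ssh -C -4 -o ExitOnForwardFailure=yes -L "$(forward_spec "$lp" "$rp")" "$host"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Save it as stss, make it executable, and run "stss www" (or "stss www 5902" if another tunnel already owns 5901). The ssh session stays in the foreground exactly as with the alias, so logging out of it closes the tunnel.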

Friday, November 2 2007

Mac OS X: Authentication Timers

I have been reading about Mac OS X 10.5 Leopard Server and non-Server lately, and I was surprised to realize how many different authentication & authorization systems are running each with its own timer.

  1. Access to the "console" (keyboard/video/mouse): Ends when you log out or the locking screen saver kicks in.
  2. Authentication for administrative actions in Carbon/Cocoa programs (such as modifying system directories in the Finder): 5 minutes (I believe).
  3. Apple Keychain: Doesn't lock automatically unless you configure it in Keychain Access.
  4. ssh-agent (now linked to the Apple keychain): Clears when you reboot or when the Apple keychain locks.
  5. Kerberos V (both client-server and client-client): Apparently TGTs expire after 10 hours by default.
  6. sudo: 5 minutes by default.

Thursday, November 1 2007

Leopard Server's Server Admin is NOT backwards compatible

Page 155 of Server_Administration_v10.5.pdf says "Mac OS X Server v10.4 servers can be administered using v10.5 server administration tools."

Alas, they cannot; this means there's no way to manage a Leopard and a Tiger system from the same box without screen sharing -- something I and every other Tiger admin would like to do for the upgrade process! More generally, people who have upgraded to Leopard must use screen sharing to manage their Tiger Servers. Let's hope Apple fixes this quickly -- rather than after most of us have slogged through our own upgrades.

This version of Server Admin is not compatible with this server.
