Monthly Archives: October 2007

Mac OS X Server Mac Security

Mac OS X Server 10.5: Introduction to RADIUS

I originally posted this at http://www.318.com/TechJournal

Remote Authentication Dial In User Service (RADIUS) can help take the security of your wireless network beyond standard WPA authentication. Prior to Leopard, RADIUS could be provided on OS X using third-party software such as Elektron or OpenRADIUS; in Leopard, no third-party software is required beyond Leopard Server. So how difficult is it to set up RADIUS on Leopard? You be the judge after reading this quick walkthrough. For the purpose of this walkthrough we are going to assume that you are using the Advanced Mac OS X Server configuration.

Before you begin this walkthrough, make sure that the server is running Open Directory and that the forward and reverse DNS information for the server is correct.

The first step to using RADIUS is to enable it. To do this, open Server Admin, click on the name of the server in the SERVERS list and click on the Services tab. Find RADIUS in the services list and place a checkmark in the box to the left of it. When you click on Save then you should see RADIUS in the SERVERS list.

Now that RADIUS has been enabled, let’s select a certificate. For the use of this walkthrough we’re going to use the default certificate that comes with OS X Server. Click on RADIUS under the SERVERS list and then click on the Settings button. Click on the RADIUS Certificate drop-down menu and select the Default certificate. Click on the Edit Allowed Users… button.

By default, all users of the OS X Server will be able to authenticate to the wireless network we are setting up, so here we are going to click on the For Selected Services Below radio button. Then click on RADIUS in the Service list. Now click on Allow Only Users and Groups Below and then click on the + sign. Drag the users and groups that should have access into the Name list from the Users and Groups window. Once all users who should have access to your new wireless environment have been added, click on the Save button.

From here, click on RADIUS and click on the Start RADIUS button in the bottom left hand corner of the screen. RADIUS is now ready to accept authentication. The next step is to configure an AirPort to work with RADIUS. To do this, click on the Base Stations button in the toolbar at the top of the screen. Now click on Browse and select the first base station of your new wireless environment from the list of found base stations. Enter the password for the AirPort and click on Save. Wait for the AirPort to complete its restart and then you should be able to log in from a client.

To log in from a client, select the name of the wireless network from the wireless networks list and enter the username and password to the environment. The first time you do so you will get a second dialog asking you to enter the 802.1x username and password. Enter the same username and password and click on OK. If you click on the “Use this Password Once” checkbox then this password will not be saved for future use.

That’s it, you’re done. Now this setup may be a little more complicated than WPA personal or WEP 128, but it’s far more secure and should be considered for any AirPort environment that has an OS X Server. While the default certificate will work for clients, things are often easier from a deployment and interoperability perspective if you purchase a certificate from a CA such as Thawte. Also, this has all been tested in a pure Mac OS X Leopard environment, not with an OD structure based on Tiger. More on that as time goes on…

Mac OS X Mac Security

Mac OS X: New Trojan Discovered

I originally posted this at http://www.318.com/TechJournal

Monday, October 29th, 2007 – Intego issued a security alert about a new Trojan Horse called OSX.RSPlug.A targeting the Mac. OSX.RSPlug.A changes the DNS (Domain Name Server) address that infected systems use to reach web sites and installs a new scheduled task on infected systems that changes the DNS server again if the end user changes it back to what it was before. This is similar to many attacks against the Windows Hosts file. However, to get infected, a user has to authenticate as an administrative user on their system.

OSX.RSPlug.A has been found on some pornographic web sites. When a user tries to view a movie, they are told that “Quicktime Player is unable to play movie file. Please click here to download new version of codec.” If the user clicks the link, a disk image (.dmg) is downloaded to the desktop. When the software is installed, the user is actually installing the Trojan as root, giving it access to the full computer. When the malicious DNS server is active, it hijacks some web requests, leading users to phishing web sites or to web pages displaying ads for other pornographic web sites, according to Intego.
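The defensive counterpart to the alert, as an added example that is not part of the original post or of Intego's advisory: a small shell check that compares the resolvers a Mac is actually using against the ones you expect, which is exactly the drift a DNS-changing Trojan like the one described above creates. The expected resolver addresses and the sample input are constructed for the example; on a real system you would feed it the resolver list from `networksetup -getdnsservers <service>` or `scutil --dns` instead.

```shell
#!/bin/sh
# Added example, not from the original post: flag resolvers that are not on the
# expected list. The expected addresses and the sample input are constructed.

# Resolvers this network is supposed to use (assumed values).
EXPECTED_DNS="192.168.1.1 192.168.1.2"

# check_dns_servers: read one resolver address per line on stdin, print every
# address that is not in EXPECTED_DNS, and return 1 if there was at least one.
# Only dotted IPv4 addresses are examined; other lines (blank lines, the
# "There aren't any DNS Servers set" message from networksetup) are skipped.
check_dns_servers() {
    unexpected=0
    while IFS= read -r server; do
        case "$server" in
            ''|*[!0-9.]*) continue ;;
        esac
        found=0
        for ok in $EXPECTED_DNS; do
            if [ "$server" = "$ok" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "unexpected DNS server: $server"
            unexpected=1
        fi
    done
    return "$unexpected"
}

# count_unexpected: same check, printing only the number of unexpected
# resolvers, which is the form a monitoring job usually wants.
count_unexpected() {
    check_dns_servers | wc -l | tr -d ' '
}

# Constructed sample: a resolver list after a DNS changer has replaced the
# second entry. 203.0.113.0/24 is a documentation range, not a real resolver.
SAMPLE_DNS="192.168.1.1
203.0.113.7"

# Stand-alone run over the sample (prints the rogue entry and a summary line).
printf '%s\n' "$SAMPLE_DNS" | check_dns_servers \
    || echo "DNS configuration differs from the expected resolvers"
```

Because the Trojan re-applies its change from a scheduled task, a one-off check is not enough; run it periodically and compare against the list you set, not against whatever the machine currently reports.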

For more information, see the original security alert from Intego at:

http://www.intego.com/news/ism0705.asp

Football

Football: Georgia-Florida

Ah, the memories.  Nights in Jacksonville, getting ready for the “World's Largest Cocktail Party” – heading out to the game, usually too early to be up – but rallying to go – and then losing our shirts to a team in the title race.

It never got any easier.  But today, we went out there, with all their hype, and put up a 12 point win on the University of Florida.  Y'all can have your Heisman – we’ll take one sweet victory at a time.

Till next year…

Mac OS X Server

Mac OS X Server 10.5: Self Updating Directory Entries

I originally posted this at http://www.318.com/TechJournal

If you’re migrating to Leopard and Leopard Server then you’ve likely noticed the welcome addition of a new program in /Applications/Utilities called Directory. Directory allows users bound into an Open Directory environment to update LDAP records provided they have access to do so. Using LDAP ACLs it’s possible to give users access to update their own directory information using an LDAP directory browser such as Directory.

When you open Directory you should see a listing of all of the directory information that has been created. From here you can create Shared Contacts, Groups, Locations and Resources. Each of these can be connected to a calendar. Groups can have multiple members and get a Mailing List, Calendar or Blog connected to them.

Resource types include Automobiles, Conference Phones, Copiers, Digital Cameras, Notebooks, Printers, Projection Screens, Projectors, Scanners and Video Cameras. Resources can be reserved in an iCal Server Calendar and can have a delegate. Delegates are users that are able to manage particular resources.

The fact that there are a lot of objects in the LDAP database that can be managed means that it’s important to have a tool for configuring who can manage them. Workgroup Manager has basic permissioning built in, but it isn’t as granular as a lot of organizations will need. To get more granular you may need to dip into the command line and configure LDAP using the configuration files. To get started with this, see the article from a couple of days ago about LDAP ACLs.

Mac OS X Mac OS X Server Mac Security

Mac OS X 10.5: Advanced Networking Options

I originally posted this at http://www.318.com/TechJournal

There is a slight change from how things were done in Tiger/Tiger Server, but all the old options are there if you look. The first change is that there is now a wizard that you can use to configure your network interface. Since this article covers more advanced topics we’ll skip that, but it’s worth noting.

Another shift is that a network interface is now referred to as a Service. So when you go to add an interface you will associate it with a Service Name. If you remove a Service using the – icon in the list you can always re-add it by clicking on the + in the services list, selecting the interface and assigning it a Service Name. If you check ifconfig you will find that if you remove a service and re-add it then it will come back up with the BSD name that it originally had. For example, remove the FireWire Service, Apply your changes, re-add the FireWire Service and in ifconfig it will still show as fw0 in the list. If you add a second service for fw0 and assign it unique IP stack information then it will show as a second IP address under the same BSD interface, as can be seen below:
inet 192.168.210.110 netmask 0xffffff00 broadcast 192.168.210.255
inet 10.0.0.9 netmask 0xffff0000 broadcast 10.0.255.255

In order to set up a second IP address for one NIC using the GUI for Leopard:
Open System Preferences and go to the Network Preference Pane.
Click on the interface you would like to run a second IP address on.
Click on the cog wheel at the bottom of the list.
Click on Duplicate Service.
Type the name for your new Interface and click OK.
Click on the New Interface and click the Advanced button.
Click on TCP/IP and enter the appropriate IP information.
If needed, enter information for DNS, WINS and Proxies under their respective tabs.
Click on OK.
Click on Apply.

Now, rather than use one NIC you might want to use two NICs as one, or use Link Aggregation. Assuming the switch supports it and you have that side of things configured, here’s where you configure Link Aggregation:
Open System Preferences and go to the Network Preference Pane.
Click on the cog wheel at the bottom of the list.
Click on Manage Virtual Interfaces…
Click on the + icon.
Click on New Link Aggregate.
Enter the name for the new Link Aggregate “bond”.
Check the boxes for the interfaces that support Link Aggregation in the list.
Open Terminal and run ifconfig.
Find bond in the list and verify that the correct MAC addresses for your aggregated NICs are in the list of MAC addresses for bond0 (or whatever BSD name was given to your bond when it was created).

To reorder services, click on a service and use the cog wheel to select the Set Service Order… option. From here you will be able to drag services up or down the list. The first service in the Service Order is still the default service that traffic will reply to. Therefore, if you want to actually use the additional services to respond to traffic you will still need to use the route command as has been used in *nix for a long time.
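To confirm from Terminal that a duplicated service really did land on the same BSD interface (the fw0 case above) rather than on a new one, here is an added shell example that is not part of the original post. It parses ifconfig-style output and lists the IPv4 addresses bound to each interface. The text it reads here is a constructed sample in the same layout as the ifconfig lines shown earlier, so it runs anywhere; on a real Mac you would pipe the output of `ifconfig` into the same functions.

```shell
#!/bin/sh
# Added example, not from the original post: find interfaces that carry more
# than one IPv4 address by parsing ifconfig output. The sample below is
# constructed; on a Mac, pipe `ifconfig` into these functions instead.

# iface_names: print the BSD name of every interface in the output. ifconfig
# starts each interface block at column 0 ("fw0: flags=...") and indents the
# lines that belong to it.
iface_names() {
    awk '/^[A-Za-z0-9]+:/ { sub(/:$/, "", $1); print $1 }'
}

# inet_addrs IFACE: print every "inet" address under the header for IFACE.
inet_addrs() {
    awk -v want="$1" '
        /^[A-Za-z0-9]+:/ { cur = $1; sub(/:$/, "", cur); next }
        cur == want && $1 == "inet" { print $2 }
    '
}

# inet_count IFACE: number of IPv4 addresses on IFACE; 2 or more means a
# duplicated service (an alias) is active on that single NIC.
inet_count() {
    inet_addrs "$1" | wc -l | tr -d ' '
}

# Constructed sample in ifconfig's layout; the two fw0 addresses are the ones
# from the post. Real output indents with a tab rather than spaces, which the
# whitespace-based parsing above handles the same way.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
    lladdr 00:11:22:ff:fe:33:44:55
    inet 192.168.210.110 netmask 0xffffff00 broadcast 192.168.210.255
    inet 10.0.0.9 netmask 0xffff0000 broadcast 10.0.255.255
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:16:cb:00:00:01
    inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255'

# Stand-alone run: report each interface with more than one address.
for ifc in $(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_names); do
    n=$(printf '%s\n' "$SAMPLE_IFCONFIG" | inet_count "$ifc")
    if [ "$n" -gt 1 ]; then
        echo "$ifc has $n IPv4 addresses:"
        printf '%s\n' "$SAMPLE_IFCONFIG" | inet_addrs "$ifc" | sed 's/^/  /'
    fi
done
```

The same parse is a quick way to audit a server after the fact: an interface that unexpectedly reports two addresses is either a leftover duplicated service or a change someone made outside the Network preference pane.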

Uncategorized

Logout via ARD

The following AppleScript (run via osascript) will log out of a system running OS X:

tell application "System Events" to log out

alias maclogout='osascript -e "tell application \"System Events\" to log out"'

Mac OS X

Mac OS X 10.5: Custom Installations

I originally posted this at http://www.318.com/TechJournal

Installing Mac OS X is a fairly simple task to complete and can typically take up to an hour or more depending on the installation options you choose. However, you should review all of your options in the installer as many items are not needed unless you have a specific need for them. Installing any operating system involves choices, which we will reveal throughout this chapter. If you are reinstalling your operating system, just make sure to have a valid backup before you continue on with this chapter.

The Installation Process
Installing Mac OS X requires little of a user other than agreeing to the license agreement, known as an EULA, and being able to click on Continue. Many of the choices available during installation can be left at their default settings. The system will simply guide you in many cases, allowing you to click Continue or Agree at most of the dialog boxes and obtain a default installation.
But the power user knows better and wants to be up and running as quickly as possible. The power user wants to leave out any of the items from the operating system that they’re not going to use and the power user is going to want a level of control over what is on their system that can’t be had by doing a default installation.

Also, until the system starts the Checking Disk process, which it will do in order to verify your installation media, you can stop the installation and go back to the operating system you had before. Of course, if you reformat a drive going back to your operating system will no longer be an option.
Note: You can access Disk Utility while booted to the CD in order to partition your hard drive, but if you plan on using Boot Camp to install Windows onto a partition then you will need to leave your system with one partition.

The installation process takes users through a variety of steps to help choose which parts of the operating system to install. At most of the stages, you will be able to click on the default value and proceed without actually customizing anything. However, you will see a Customize button at many of the screens that can be used to

Note: Each version of OS X will have a slightly different installation process. This article is written for OS X 10.5. However, if you are using a previous version then while some of the screens will be similar do not expect them all to be the same.

Installing an Operating System onto an External Drive
When you install OS X you can choose to install it on any drive that is visible to your computer. This can be a USB jump drive, a FireWire hard drive or an Xserve RAID. There are a variety of reasons why you would use any of these as a boot medium rather than your internal drive. Whether the reason is portability, drive size, redundancy or performance, Apple has given us a lot of options by allowing the installation of the operating system on any medium the computer can access that doesn’t require special drivers.
• USB jump drive: Placing a customized and very trimmed down operating system onto a USB jump drive can provide you with the ability to have a quick and easy way to troubleshoot any computer in your pocket at any time. The size of a USB jump drive makes it a good choice for people just looking to
• FireWire: FireWire hard drives are becoming more and more inexpensive with each passing year. These portable drives can allow you to take your files with you anywhere. But they’re not as good for use as a full time operating system. They are great for carting around installers, using as targets for your backups, and it never hurts to have an operating system on one to use for troubleshooting.
• Internal RAID 0: A RAID is a redundant array of independent disks, or disks that have been combined for a specified outcome. RAID 0 disks are particularly helpful with increasing performance and obtaining a larger drive than what is possible without using a RAID. Computers with an operating system installed on a RAID 0 will receive a slight speed increase, but if either drive fails then you risk losing all of the data on the volume.
• Internal RAID 1: A RAID 1 disk set is also known as a mirror. In a mirrored disk set, if any single drive fails then all of the data is also located on the second drive. There is a slight reduction in speed for RAID 1 volumes.
• Internal RAID 5: Apple recently released a card that allows for using 3 internal drives to create a RAID 5 volume. RAID 5 allows for redundancy as is found with RAID 1 and a larger volume as is found in RAID 0, at the cost of some speed.
• Xserve RAID: The Xserve RAID can be connected to a computer through a fibre cable and allows for a single volume size of up to 10 terabytes.

Once you have your drives ready to install onto you will want to choose whether to do an upgrade or a new installation. If you are coming from a previous version of Mac OS X or having problems with your existing installation then you will likely want to do an Archive and Install. If you are working on Mac OS X Server you will likely need to do a format prior to installation. Once you have chosen which of these you will be doing, click on Next and get ready to customize your installation. At this point you will be able to click on the Custom… icon and choose which parts of the OS to install. Don’t worry, if you leave anything out that you later decide you would like, you can always go to the installation CD and install it as a package manually.

Now, click Install and you’re off to the races.

Mac OS X Mass Deployment

Fun Times with the JAMF Binary

I originally posted this at http://www.318.com/TechJournal

Casper is an incredibly useful tool for package deployment, maintaining records of the systems in your environment and policy management. But for those of you already using Casper (or considering it) you’ll be glad to know that you can use the jamf binary to do all kinds of fun stuff that can help with troubleshooting computers in your environment. For example:

The following command will set up a hidden SSH user and restrict SSH access to only that user:
jamf createAccount -username casperadmin -realname "Casper Admin" -password capseradmin -home /Users/casperadmin -hiddenUser -admin -secureSSH

This command can be used to display a popup on the system it’s run on that says “Hello Minnesota”:
jamf displayMessage -message "Hello Minnesota"

The following command will unmount a mounted server called mainserver:
jamf unmountServer -mountPoint /Volumes/mainserver

The following command can be used to change a user’s home page in all of their web browsers:
jamf setHomePage -homepage www.318.com

The following command can be used to fire up the SSH daemon:
jamf startSSH

The following command can be used to fix the By Host files on the local machine:
jamf fixByHostFiles -target 127.0.0.1

The following command can be used to run a Fix Permissions on the local machine:
jamf fixPermissions /

The following can be used to flush all of the caches on your local system:
jamf flushCaches -flushSystem

The following can be used to bless the drive externaldrive:
jamf bless -target /Volumes/externaldrive

The following can be used to run a software update on the local system:
jamf runSoftwareUpdate

The following can be used to bind to an AD environment (rather than dsconfigad if for some reason you just didn’t like using dsconfigad), but would need all the parameters for your environment put in as flags:
jamf bindAD

The following can be used to enable OpenFirmware passwords on your computer to secretpass:
jamf setOFP -mode full -password secretpass

Most of these options are available inside the Casper suite, but the ability to do some simple tasks very quickly from the terminal is yet another reason to fall in love with Casper.

Mac OS X Server

Mac OS X Server 10.5: Parsing and Formatting for CalDAV

I originally posted this at http://www.318.com/TechJournal

A key aspect of any groupware solution is the ability to share calendars. Leopard Server brings the long-awaited ability to share calendars to the Mac OS X Server platform. Leopard uses CalDAV as the back end protocol for calendar sharing. CalDAV is currently supported by Facebook, Novell Evolution, Zimbra, Drupal, Microsoft Exchange, Kerio and now Mac OS X Server.

CalDAV looks at each event as an HTTP resource, giving users the ability to view events in a web browser. Each event is stored in the iCalendar format.

A typical event in the iCalendar format:
BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Apple Calendar//Calendar1//Charles Edge
BEGIN:VTODO
DTSTAMP:19980130T134500Z
SEQUENCE:2
UID:uid4@host1.com
ORGANIZER:MAILTO:riaa@us.gov
ATTENDEE;PARTSTAT=ACCEPTED:MAILTO:riaa@host.com
DUE:19980415T235959
STATUS:NEEDS-ACTION
SUMMARY:Random Music File
BEGIN:VALARM
ACTION:AUDIO
TRIGGER:19980403T120000
ATTACH;FMTTYPE=audio/basic:http://myhost.com/publish/audio-
 files/file.mp3
REPEAT:3
DURATION:PT1H
END:VALARM
END:VTODO
END:VCALENDAR

Parsing this data can help you to embed data from Leopard Server into your 3rd party web services. One difference between CalDAV events in Mac OS X Server and other types of event handlers is how they are presented over the wire. For example, Kerio, a popular Mac-based groupware solution, presents CalDAV in the form of an ICS file so it can be viewed through iCal on pre-Leopard computers.
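As an added example of the parsing step mentioned above (not code from the original post or from Apple), here is a small POSIX shell/awk parser for iCalendar text. It first unfolds long lines (a continuation line in iCalendar begins with a space or tab, as with the ATTACH line in the sample), then pulls out either a single property or every property directly inside a chosen component. The embedded input is the VTODO example from the post, with its folded ATTACH line; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: parse iCalendar (ICS) text with
# POSIX shell and awk. Input is read from stdin so real CalDAV responses can be
# piped in; the sample below is the event from the post.

# ical_unfold: join folded lines. A line starting with one space or tab is a
# continuation of the previous line (RFC 2445/5545 folding). Also drops CR.
ical_unfold() {
    awk '
        { sub(/\r$/, "") }
        /^[ \t]/ { sub(/^[ \t]/, ""); buf = buf $0; next }
        NR > 1   { print buf }
                 { buf = $0 }
        END      { if (NR) print buf }
    '
}

# ical_prop NAME: print the value of every property called NAME, with any
# parameters (";FMTTYPE=..." etc.) stripped from the name side.
ical_prop() {
    ical_unfold | awk -v name="$1" -F: '
        { n = $1; sub(/;.*/, "", n) }
        n == name { v = $0; sub(/^[^:]*:/, "", v); print v }
    '
}

# ical_props COMPONENT: print NAME=VALUE for each property that belongs
# directly to the first COMPONENT found. Nested components (the VALARM inside
# a VTODO) are tracked by depth and skipped, so a task's own fields stand alone.
ical_props() {
    ical_unfold | awk -v comp="$1" -F: '
        $1 == "BEGIN" { depth++; if ($2 == comp && depth_in == 0) depth_in = depth; next }
        $1 == "END"   { if (depth == depth_in) depth_in = 0; depth--; next }
        depth_in && depth == depth_in {
            n = $1; sub(/;.*/, "", n)
            v = $0; sub(/^[^:]*:/, "", v)
            print n "=" v
        }
    '
}

# The event from the post, with the ATTACH line folded as iCalendar requires.
SAMPLE_ICS='BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Apple Calendar//Calendar1//Charles Edge
BEGIN:VTODO
DTSTAMP:19980130T134500Z
SEQUENCE:2
UID:uid4@host1.com
ORGANIZER:MAILTO:riaa@us.gov
ATTENDEE;PARTSTAT=ACCEPTED:MAILTO:riaa@host.com
DUE:19980415T235959
STATUS:NEEDS-ACTION
SUMMARY:Random Music File
BEGIN:VALARM
ACTION:AUDIO
TRIGGER:19980403T120000
ATTACH;FMTTYPE=audio/basic:http://myhost.com/publish/audio-
 files/file.mp3
REPEAT:3
DURATION:PT1H
END:VALARM
END:VTODO
END:VCALENDAR'

# Stand-alone run: the task's own properties, then the unfolded attachment URL.
printf '%s\n' "$SAMPLE_ICS" | ical_props VTODO
printf '%s\n' "$SAMPLE_ICS" | ical_prop ATTACH
```

Unfolding before anything else is the part most ad hoc scripts get wrong: a grep for `ATTACH` on the raw text would return a URL cut off at `audio-`, and anything built on that value (a link in a web page, a fetch of the attachment) would silently break. Treat property values from a calendar you did not author as untrusted input when you embed them in a web service.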

Consulting Mac OS X Mac OS X Server

Apple's New Certification Track

I originally posted this at http://www.318.com/TechJournal

The Tiger Apple Certified Systems Administrator (ACSA) track allowed certification candidates to accomplish the ACSA by getting an Apple Certified Technical Coordinator (ACTC) and then obtaining 7 points. Points were obtained by taking a variety of exams whose point values were based on the number of days of the corresponding class.

Apple has now posted the ACSA requirements for 10.5. There is no longer a point system, which was a unique approach in the IT industry for achieving certifications. Instead, for the Leopard ACSA, Apple has now trimmed down the number of courses that are provided and require that all exams be completed to accomplish the ACSA. For now, the certificates listed include:
Mac OS X Server Essentials v10.5
Directory Services v10.5
Deployment v10.5
Advanced Administration v10.5

Notice that there are no workstation-oriented exams listed. For Tiger, the Support Essentials exam is all that is required to achieve the Apple Certified Help Desk Specialist (ACHDS). For Leopard, the ACHDS certification has been retired and replaced with the Apple Certified Support Professional, which still requires only the Support Essentials exam.

More information on the new certification program can be found here:

http://training.apple.com/certification/macosx