Monthly Archives: June 2011

Mac OS X Mac OS X Server Mac Security

S/MIME in OS X Isn't Just For Tin Hat Wearing Nerds Anymore

S/MIME, or Secure/Multipurpose Internet Mail Extensions is the de facto standard for encrypting and signing mail. You can encrypt mail to keep prying eyes off of it. Signing though, is much more common as it addresses the issue of non-repudiation in many organizations, or giving people a way to make sure that the email that they think you sent really came from you. It was also available in GPG plug-ins for mail, back in the day.

But S/MIME used to really be for people who thought the government was out to get them, work for government agencies, just liked to be kinda’ nerdy or actually had something to hide. But is email security overkill? After a bunch of people get their Google Apps accounts exposed from phishing attacks I’d argue not. I use it for various situations but not all. That may just change in Lion, because while S/MIME has been built into OS X for some time in the form of the smime command it will be much easier to use in OS X as of Lion and now available in iOS 5.

First, get a certificate from one of these providers (my favorite is Verisign, but Comodo is free):

  • Comodo: http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html
  • CAcert: https://www.cacert.org/index.php?id=1
  • Secorio: http://www.secorio.com/index.php?S_MIME_Email_Certificates
  • Symantec: http://www.trustcenter.de/en/index.htm
  • StartCom: https://cert.startcom.org
  • Verisign: https://www.verisign.com/authentication/digital-id/index.html
  • GlobalSign: http://www.globalsign.com/authentication-secure-email

Once you have downloaded the certificate files from the sites you can easily install them by double-clicking them, which imports them into the login keychain. Many organizations are going to want to script this process. To import the certificates, use the security command. Here we’ll import a Comodo p7 cert:

security import -/Downloads/CollectCCC.p7s -f pkcs7

Once imported, the certs can be escrowed by control-clicking on the cert in Keychain Access and exporting as .pem files. For organizations that want users to import their certs off of a site, the certs can be curl’d down for user-specific entries and intermediaries and certificates imported:

curl -o /tmp/mycert.crt http://username:password@www.krypted.com/username/username.crt

Which brings up a final point. If you give certificates to users, rather than having them download and load up their own, you will have control over whether or not keys get escrowed and if so, how. When just using signing, you may not care. But when messages are being encrypted, many organizations will have regulatory or eDiscovery situations that require the escrowing of keys to be able to unlock the contents of messages that are encrypted. For this reason, the some will need to export the certificate that was imported. Of course, if you escrow private keys for certificates then can the receiver ever know for certain you sent the message? I guess that comes down to process. If you require two people to turn a key at the same time when the sun shines through this one special crystal and makes the tomb glow red, then you may be able to keep people out. But then there are conspiracies and we’re back to preparing our tin foil as head gear…

Anyway, mail has supported smime for some time, as can be seen in this O’Reilly article from 8 years ago. There’s also an smime command line tool that goes pretty far back. Importing certificates into iOS is about as easy as importing them into OS X, but you can also distribute certificates using mobileconfig files, which I wrote an article on awhile ago. One can assume that the Profile Manager feature announced in OS X Server will allow you to deploy these over MDM, but then we might just have to wait until fall to see what that’s all about…

Mac OS X Mac Security Mass Deployment

Where Did My Folder Go?

I know I’ve written up telling OS X to show you invisible files, but what if you don’t want to make all invisible files show up, just make one file or folder go invisible, or for that matter, visible. Well, it’s easier than you might think. Apple has bundled a nice little command called chflags into the OS. To use it to hide a file, simply type chflags followed by hidden and then the folder. For example, let’s say you wanted to hide your ~/Library folder. Just run the following to hide it:

chflags hidden ~/Library

And then let’s say you wanted to unhide it ’cause you realized that it’s one of those folders best left visible:

chflags nohidden ~/Library

You can also use the SetFile command (both are located in /usr/bin, although chflags is included by default whereas SetFile is installed with the OS X Developer Tools). SetFile has a -a option and can set the v or V attribute to make a file shown or hidden respectively. Run the following command to make this same folder invisible:

SetFile -a V ~/Library

Or the following to make it visible:

SetFile -a v ~/Library

Oh, you can always throw a dot in front of a filename to hide it, but that’s not nearly as much fun…

Mac OS X Mac OS X Server Mass Deployment Network Infrastructure

Use ARD to Restart to NetBoot Server

It’s summer! And at many schools that means that the kids are gone and it’s time to start imaging again. And imaging means a lot of rebooting holding down the N key. But wait, you have ARD access into all those computers. And you have automated imaging tools. This means you can image the whole school from the comfort of your cabin out by the lake. Just use ARD and a little automation and you’ll be fishing in no time!

If you haven’t used the bless command to restart a client to NetBoot server then you’re missing out. The bless command is used to set the boot drive that a system will use. It comes with a nifty –netboot option. Define the –server and (assuming you have one nbi) you can reset the boot drive by sending a “Unix command” through ARD:

bless --netboot --server bsdp://192.168.210.9; restart

I added the restart for posterity. This is something everyone with an automated imaging environment really needs to put into their ARD command templates! Now, that all works fantastic in a vanilla environment. But in more complex environments you will need potentially more complex incantations of these commands. Well, Mike Bombich wrote all this up awhile back and so I’ll defer to his article on nvram and bless here to guide you through any custom settings you’ll need. It’s a quick read and really helpful. What else are you gonna’ do while you’re fishing anyway… BTW, if you have more than three beers, please put the MacBook down. And if you don’t, at least close both terminal and ARD. And email. And iChat. Actually, just close the machine now…

Mac OS X Mac OS X Server Ubuntu Unix

Aliasing Commands

I find there are a lot of commands I run routinely. Some of which are pretty long strings that are thrown together in order to find what can, at times, be a small piece of information. Or, I might routinely log into a server and want to trim down the command required to do so. Let’s take an example of this in using the open command to vnc into a server. The command to open a server in this fashion would be (assuming a server name of mail.mygroup.mycompany.com, a username of krypted and a password of mypass):

open vnc://krypted:mypass@mail.mygroup.mycompany.com

For this exercise we’re going to be saving the above command into a file in clear text and so we are not going to actually embed the password. We’re going to use the alias command to create an alias, which can then be called on as a normal command, called vncmail. This way, that’s all we have to type in a terminal window to execute the string from the command above. Do this by using alias then the command you would like to have, followed by an equals sign (assuming bash here, btw) and then a quoted command:

alias vncmail='open vnc://mail.mygroup.mycompany.com'

Once you close your bash shell this alias will disappear. So let’s make it permanent by placing it into the .bash_profile file in your home directory. First, if it’s not there, we’ll create the .bash_profile:

touch ~/.bash_profile

Then add the alias line from above into the ~/.bash_profile file. Then make sure this file roams using a mobile home for your admin account. Then, whichever system you sit at, you can quickly VNC, SSH or even ‘dscl . read /Users/localadmin’ or whatever. Lots of stuff you can do with aliasing commands. One of my favorite is ‘/Applications/Utilities/Network Utility.app/Contents/Resources/stroke ODServer 389 389′ to do a quick port scan of an LDAP server over port 389 (or 636 if you’re using SSL). Anyway, hope this saves you as much time as it’s saved me over the years!

Mac OS X Mac OS X Server Mass Deployment

Managing Mail and Safari RSS Subscriptions from the Command Line

Safari can subscribe to RSS feeds; so can Mail. Podcast Producer is an RSS or XML feed as are the feeds created by blog and wiki services in Mac OS X Server. And then of course, RSS and ATOM come pre-installed with practically every blogging and wiki tool on the market. Those doing mass deployment and scripting work can make use of automatically connecting users to and caching information found in these RSS feeds. If you have 40,000 students, or even 250 employees, it is easier to send a script to those computers than to open the Mail or Safari client on each and subscribe to an RSS feed.

Additionally, pubsub offers what I like to call Yet Another Scripting Interface to RSS (my acronym here is meant to sound a bit like yessir).  Pubsub caches the feeds both within the SQLite database and in the form of XML files. Because pubsub caches data onto the client it can be parsed more quickly than using other tools, allowing a single system to do much more than if a feed were being accessed over the Internet.

Using pubsub

We’ll start by looking at some simple RSS management from the command line to aid in a quest at better understanding of the underpinnings of Mac OS X’s built-in RSS functionalities. The PubSub framework stores feeds and associated content in a SQLite database. Interacting with the database directly can be a bit burdensome. The easiest way to manage RSS from Mac OS X is using a command called pubsub. First off, let’s take a look at all of the RSS feeds that the current user is subscribed to by opening terminal and simply typing pubsub followed by the list verb:

pubsub list

You should then see output of the title and url of each RSS feed that mail and safari are subscribed to. You’ll also see how long each article is kept in the expiry option and the interval with which the applications check for further updates in the refresh option. You can also see each application that can be managed with pubsub by running the same command with clients appended to the end of it (clients are how pubsub refers to applications whose subscriptions it can manage):

pubsub list clients

To then just look at only feeds in Safari:

pubsub list client com.apple.safari

And Mail:

pubsub list client com.apple.mail

Each of the above commands will provide a URL for the feed. This url can be used to show each entry, or article in the feed. Extract the URL and then you can use the list verb to see each feed entry, which Apple consistently calls episodes both within PubSub, in databases and on the Podcast Producer server side of things but yet somehow calls an entry here (consistency people). To see a list of entries for a given URL:

pubsub list http://googleenterprise.blogspot.com/atom.xml

Episodes will be listed in 40 character hex keys, similar to other ID space mechanisms used by Apple. To then see each episode, or entry, use the list verb, followed by entry and then that key:

pubsub list entry 5fcef167d77c8c00d7ff041a869d45445cc4ae42

To subscribe to a pubsub, use the –client option to identify which application to subscribe in along with the subscribe verb, followed by the URL of the feed:

pubsub --client com.apple.mail subscribe http://krypted.com/LameAssFeed.xml

To unsubscribe, simply use pubsub followed by the unsubscribe verb and then the url of the feed:

pubsub unsubscribe http://example.com/UninterestingFeed.xml

Ofline Databases and Imaging

While these can be run against a typical running system, they cannot be run against a sqlite database that is sitting in all of your users home folders nor can they be run against a database in a user template home on a client. Therefore, to facilitate imaging, you can run sqlite3 commands against  database directly. The database, stored in ~/Library/PubSub/Database/Database.sqlite3.

To see the clients (the equivalent of `pubsub list clients`):

sqlite3 /Volumes/Image/Username/Library/PubSub/Database/Database.sqlite3 'SELECT * FROM clients'

To see each feed:

sqlite3 /Volumes/Image/Username/Library/PubSub/Database/Database.sqlite3 'SELECT * FROM feeds'

To see each entry:

sqlite3 /Volumes/Image/Username/Library/PubSub/Database/Database.sqlite3 'SELECT * FROM entries'

To see the column headers for each:

sqlite3 /Volumes/Image/Username/Library/PubSub/Database/Database.sqlite3 'PRAGMA TABLE_INFO(Clients)';

sqlite3 /Volumes/Image/Username/Library/PubSub/Database/Database.sqlite3 'PRAGMA TABLE_INFO(Feeds)';

sqlite3 /Volumes/Image/Username/Library/PubSub/Database/Database.sqlite3 'PRAGMA TABLE_INFO(Subscriptions)';

sqlite3 /Volumes/Image/Username/Library/PubSub/Database/Database.sqlite3 'PRAGMA TABLE_INFO(Entries)';

sqlite3 /Volumes/Image/Username/Library/PubSub/Database/Database.sqlite3 'PRAGMA TABLE_INFO(Enclosures)';

sqlite3 /Volumes/Image/Username/Library/PubSub/Database/Database.sqlite3 'PRAGMA TABLE_INFO(Authors)';

sqlite3 /Volumes/Image/Username/Library/PubSub/Database/Database.sqlite3 'PRAGMA TABLE_INFO(Contents)';

 

 

sqlite3 /Volumes/Image/Username/Library/PubSub/Database/Database.sqlite3 'PRAGMA TABLE_INFO(SyncInfo)';

To narrow an ID down to a specific row within any of these searches add a WHERE followed by the column within the table you’d like to search. For example, if we wanted to only see the article with the identifier of 5b84e609317fb3fb77011c2d26efd26a337d5d7d

sqlite3 --line /Volumes/Image/Username/Library/PubSub/Database/Database.sqlite3 'SELECT * FROM entries WHERE identifier="5b84e609317fb3fb77011c2d26efd26a337d5d7d"'

Note: Sqlite3 can use the –line option to show each entry in an XML feed per line.

Dumping pubsub to be Parsed By Other Tools

Pubsub can also be used as a tool to supply feeds and parse them. You can extract conversations only matching specific patterns and text or email yourself that they occurred without a lot of fanfare. You can also dump the entire feed’s cached data by specifying the dump verb without the entry or identifier but instead the URL:

pubsub dump http://googleenterprise.blogspot.com/atom.xml

Once dumped you can parse the XML into other tools easily. Or to dump specific entries to XML for parsing by another tool using syntax similar to the list entry syntax:

pubsub dump entry 5fcef167d77c8c00d7ff041a869d45445cc4ae42

Because these feeds have already been cached on the local client and because some require authentication and other expensive (in terms of script run-time) processes to aggregate or search, looking at the files is an alternative way of doing so.

Instant refreshes can also be performed using pubsub’s refresh verb followed by a URL:

pubsub refresh

Also, feeds are cached to ~/Library/PubSub/Feeds, where they are nested within a folder with the name of the unique ID of the feed (row 2 represents the unique ID whereas row 1 represents the row). Each episode, or post can then be read by entry ID. Yhose entries are basic xml files.

You can also still programatically interface with RSS using curl. For example:

curl --silent "http://${server}.myschool.org/search/cpg?query=%22random+curse+word%22&catAbbreviation=cpg&addThree=&format=rss" | grep "item rdf:about=" | cut -c 18-100 | sed -e "s/"//g" | sed -e "s/>//g"

Mac OS X Mac OS X Server Mac Security Ubuntu Unix Windows XP

NTP, OS X, Windows, Cisco and You

At this point, most Mac admins know to how to enable ntp on a Mac OS X Server and set clients to the server. Most Mac admins also know how to use managed preferences to set ntp as well. We all know that time is pretty important and most are using ntp at this point.

Network time should, almost by definition, be continuous, which allows ntpd in Mac OS X can update clocks in small denominations. Thus, managing corrections with little overhead or impact to the system enables ntp to be an inexpensive method for managing clocks. But ntp is also built to keep things running smoothly even when there are a lot of corrections. When there are a lot of corrections made by ntp, these are tracked and can be seen using the ntpdc command. The ntpdc is used to view and set the state of the ntp daemon and is interactive. To enter the interactive environment, simply type ntpdc at a terminal prompt:

ntpdc

Once you are in the ntpdc interactive environment you will need to use one of the many verbs provided for ntpdc. One such verb is looping, used to “display loop filter information:”

ntpdc> loopinfo

offset: 0.017866 s
frequency: -499.996 ppm
poll adjust: 13
watchdog timer: 209 s

The above output has four items of interest:

  • Offset: How far off the client is from the server (drift is natural, so all zeros in this category typically represent the server being offline).
  • Frequency: Frequency external signals can offset correction of the kernel clock
  • Poll adjust: Used to Increase or decrease the polling interval. The range is -30 to 30. 13 is an increase of 13 seconds whereas -30 would represent a decrease of 30 seconds.
  • Watchdog timer: The time since the last update to the system.

Note: To make it easier to parse, you can run looping with a online option, placing output into a single comma seperated line.

There are other verbs as well, which allow you to add servers (addserver), show peers (showpeer), set a password to use for password requests (passed), see various statistics (sysstats, sysinfo, stats, instates, ctlstats, clockstat, iostats) and set encryption keys (keyid, trustedkey, untrustedkey, etc). There’s a pretty good bit you can with these verbs; just run help to see a full list of supported verbs (my favorite verb other than looping is fudge).

You can also check ntp information on the fly using the ntpq command. Here, ntpq -p will show you the name, IP address and other information live:

ntpq -p

Returns:

remote refid st t when poll reach delay offset jitter
==============================================================================
*time.apple.com 17.72.133.55 2 u 181m 512 376 32.169 17.084 0.315

Windows clients using Active Directory domains automatically get time from domain controllers. If a client is part of an Open Directory or SMB-based domain, you can add a NTP server by clicking on the time in the system tray (bottom right corner of the Windows screen). Click on Internet Time. Click the check box for Automatically synchronize with an Internet time server. Enter the name or IP of the ntp server. Click the Update Now button.
When finished, you’ll see a note that Your time has been successfully synchronized.

For clients other than Windows, it makes little sense to set ntp settings with a GPO, given that systems not in Active Directory won’t really use them. And most environments that don’t have a directory service are pretty small. But this isn’t to say that you won’t want to deploy these settings en masse. Much as you can use the /etc/ntp.conf file or the systemsetup -setnetworktimeserver command to configure a time server in Mac OS X you can use the registry to do so in Windows. If you can use the registry to configure a setting you can then use regedit or regedit32 to set the keys programatically.

But if you choose to, the keys are in HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeParameters (most notably is the NtpServer key) or you can use w32tm with the /config option. Once configured, reset the time to that of the time server to test. This can be tested with w32tm:

w32tm /resync /rediscover

Mac OS X and Windows can use an ntp-based server, but given that ntp is so widely used, what else? Using ntp with appliances can help with authentication protocols and also assist with triangulating issues from within log files. So, how about a Cisco IOS device. SSH into one and let’s get started. First off, run the enable command and then provide a password:

enable

Then, go into config mode:

config t

Now we’re going to use the ntp command and issue and update calendar to tell IOS to update the hardware clock from the software clock:

ntp update-calendar

Then we’ll specify our ntp server(s):

ntp server 10.0.0.88

Note: Just run the ntp server command twice if you want to specify a second ntp server.

Then exit config mode:

exit

And write your new settings into memory:

wr mem

Mac OS X Mac OS X Server Mac Security Unix

Making Autocomplete a Bit Less Sensitive

I can’t stand it when I open terminal and go to cd into a directory I know to exist only to be confused by why using the tab doesn’t autocomplete my command. For those that don’t know, when you are using any modern command line interface, when you’re indicating a location in a file system, the tab key will autocomplete what you are typing. So let’s say you’re going to /System. I usually just type cd /Sys and then use the tab to autocomplete. In many cases, the first three letters, followed by a tab will get you there and you can therefore traverse deep into a filesystem in a few simple keystrokes.

But then there’s all this case weirdness with a lot of the more Apple-centric stuff in the file system. For example, when it’s FileSystem vs. Filesystem vs. filesystem. This makes sense when using a partitioning scheme that allows for case-based namespace collisions, but not in HFS+ (Journaled), the default format used with Mac OS X. So I find myself frequently editing the .inputrc file. This file can be used to do a number of cool tricks in a terminal session, but the most useful for many is to take the case sensitivity away from tab auto-completes, effectively de-pony-tailing the sensitive pony-tail boy.

To do so, create the hidden .inputrc file in your home folder:

touch ~/.inputrc

Then open it with your favorite text editor and add this line:

set completion-ignore-case on

Then save and close. Open a new terminal window and you should be able to tab auto-complete whether or not you have the case right. Try it with /sys-TAB instead of /Sys-TAB. Best of all, as you sudo the behavior follows your session (including sudo bash). However, if you su the behavior does not follow your session. Enjoy and may the pinky that is ever reaching for that shift key thank you as it gets a bit more rest in the next few days than in the last few…

Oh, to turn it back off either toss your .inputrc file (if you don’t have any other parameters in there) or just set the final word of the line to no

Mac OS X Mac OS X Server Mac Security Mass Deployment

Fast User Switching

Fast User Switching, when enabled, allows users to leave one session open and hop to another user account. Great for training, testing and impressing friends (ok, so maybe it won’t impress your friends, but the thumb trick is getting old). To enable Fast User Switching, open the Accounts System Preference pane and click on Login Options. Then check the box for Show fast user switching menu. By default you’ll then see your user name in the menu bar.

To do this from the command line:

defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool 'YES'

To then disable it from the command line:

defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool 'NO'

What’s really cool though, is once enabled, you can switch users with a script as well, using the command line options available with CGSession, located in the user.menu item at /System/Library/CoreServices/Menu Extras/User.menu/Contents/Resources/CGSession.

/System/Library/CoreServices/Menu Extras/User.menu/Contents/Resources/CGSession -switchToUserID 501

Or to simply go to a login screen:

/System/Library/CoreServices/Menu Extras/User.menu/Contents/Resources/CGSession -suspend

cloud Mac OS X Mac OS X Server Mac Security Mass Deployment MobileMe

iCloud, Lion and iOS5

As most people who are going to read anything I write will already know, Apple released their new cloud service today. The Apple pages are already up, with a splash page on the main site pointing to a dedicated iCloud page. Apple has also anticipated some of the questions that most of us using MobileMe were going to ask in a short Kbase article re: the transition from MobileMe to iCloud:

http://support.apple.com/kb/HT4597

Additionally, an email went out to MobileMe users today that read:

We’d like to share some exciting news with you about iCloud — Apple’s upcoming cloud service, which stores your content and wirelessly pushes it to your devices. iCloud integrates seamlessly with your apps, so everything happens automatically. Available this fall, iCloud is free for iOS 5 and OS X Lion users.

What does this mean for you as a MobileMe member?

When you sign up for iCloud, you’ll be able to keep your MobileMe email address and move your mail, contacts, calendars, and bookmarks to the new service.

Your MobileMe subscription will be automatically extended through June 30, 2012, at no additional charge. After that date, MobileMe will no longer be available.

When iCloud becomes available this fall, we will provide more details and instructions on how to make the move. In the meantime, we encourage you to learn more about iCloud.

Immediately, users of iOS 4.3.3 or higher, can make use of the new music features. I purchased a song in iTunes and received an alert from the iTunes store to enable the feature.

I could then go over to Store -> Settings from within the iPhone and enable Music and Apps automatically downloading when purchased from another device. It’s also possible to enable transfers over cell networks, although I can’t imagine a lot of people using such an option.

Apple also announced a slew of new features for iOS 5 and for Mac OS X 10.7, Lion. To me the most critical things announced today is that iOS 5 will not need to be tethered to a computer to activate and that it can wirelessly run software updates. Those items are extremely important for growing enterprises of iOS-based devices. The most important things that weren’t bothered to be announced is that Xsan is included in Mac OS X now and that Mac OS X Server survives another profitable year at Apple, but now as an App (or as much an App as you can be when you’re an operating system). These were published to the Apple website. Many thought Xsan would be disappearing, but it is obviously here to stay for some time. The most important thing that we haven’t heard jack-diddly-squat about is the future of our friend Final Cut Server given that Mac OS X can now do a subset of the features out of the box (versioning).

Considering that I have more Apple computers than Imelda Marcos had shoes I have a lot of mixed feelings about synchronizing media between devices. Luckily I don’t have to enable the new features on all of them, although I already have on some…