krypted.com

Tiny Deathstars of Foulness

SSH allows administrators to connect to another computer using a secure shell, or command line environment. ARD (Apple Remote Desktop) allows screen sharing, remote scripts and other administrative goodness. SNMP allows for remote monitoring of a server. You can also connect to a server using the Server app running on a client computer. To enable all of these except SNMP, open the Server app (Server 3), click on the name of the server, click the Settings tab and then click on the checkbox for what you’d like to enable.


All of these can be enabled and managed from the command line as well. The traditional way to enable Apple Remote Desktop is using the kickstart command. But there’s a simpler way in OS X Mavericks Server (Server 2.2). To do so, use the serveradmin command. To enable ARD using the serveradmin command, use the settings option, with info:enableARD to set the payload to yes:

sudo serveradmin settings info:enableARD = yes

Once run, open System Preferences and click on Sharing. The Remote Management box is then checked and the local administrative user can connect to the host with ARD.


There are also a few other commands that can be used to control settings. To enable SSH for administrators:

sudo serveradmin settings info:enableSSH = yes

When you enable SSH from the serveradmin command you will not see any additional checkboxes in the Sharing System Preferences; however, you will see the box checked in the Server app. To enable SNMP:

sudo serveradmin settings info:enableSNMP = yes

Once SNMP is enabled, use the /usr/bin/snmpconf interactive command line tool to configure SNMP, including the traps and other objects you need.

Note: You can’t have snmpd running while you configure SNMPv3. Once SNMPv3 is configured snmpd can be run. 

To allow other computers to use the Server app to connect to the server, use the info:enableRemoteAdministration key from serveradmin:

sudo serveradmin settings info:enableRemoteAdministration = yes

To enable the dedication of resources to Server apps (aka Server Performance Mode):

sudo serveradmin settings info:enableServerPerformanceMode = yes

October 17th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security


I had previously been using the gcutil command. But I cheated a little with the one-liner promise to get the new tool, gcloud, installed:

curl https://dl.google.com/dl/cloudsdk/release/install_google_cloud_sdk.bash | bash ; unzip google-cloud-sdk.zip ; ./google-cloud-sdk/install.sh

The installation shell script is interactive and will ask if you want to update your bash profile. Once it has run, quit and relaunch your terminal app; the new shell will then let you log into App Engine using the gcloud command followed by auth and then login:

gcloud auth login

Provided you’re logged into Google using your default browser, you’ll then be prompted to Accept the federation. Click Accept.


The gcloud command can then be used to check your account name:

gcloud config list

To then set a project as active so you can manage it, use the set option (or unset to stop managing it):

gcloud config set project kryptedmuncas

You can then use the components, sql or interactive verbs to connect to and manage instances. Each of these commands interfaces with the API, so if you ever find that you’ve exceeded what this simple command provides, you can always hit the API directly as well. I found that the interactive command was my favorite as I could figure out what limitations I had using interactive and then try and figure out how to accomplish tasks with commands from there.

January 8th, 2014

Posted In: cloud, Mac OS X


Recently I needed to create a bunch of files that had names starting with a dash. If you simply run touch followed by a filename that starts with a dash, touch treats the name as an option and throws an illegal-option error. Therefore, you must escape the dash by passing a double dash in front of it. For example, to create a file named -man, use the following syntax:

touch -- -man

Likewise, to remove that file:

rm -- -man

You can also use the double dash when passing a command to ssh so that ssh doesn’t interpret the command’s arguments as ssh options, which makes it useful for command-and-control scripting. For example, to ssh into a host as a given user (ssh prompts for the password or uses your key; it does not accept a password in the user@host part) and repair a volume:

ssh cedge@krypted.com -- cvfsck goldengirls --nv

The double dash tells the command in front of it that there are no more options: everything after it is treated as an argument, even if it begins with a dash.
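The rule above applies to any command that parses options, not just touch and rm. The following script is an added example, not code from the post: it shows a small getopts-based parser (parse_args, a name chosen here) stopping at “--”, and wraps the post’s touch/rm calls in dash_file_roundtrip, which creates and deletes a dash-prefixed file inside a temporary directory so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the post): how "--" ends option parsing, shown with a
# getopts-based parser and with the touch/rm calls from the post. The names
# parse_args and dash_file_roundtrip are this example's own.

# parse_args: accepts an optional -v flag; everything after "--" (or after the
# first non-option word) is an operand even when it starts with a dash.
# Prints "verbose=<0|1> operands=<words>"; returns 2 on an unknown option.
parse_args() {
    verbose=0
    OPTIND=1                       # reset so the function can be called repeatedly
    while getopts "v" opt; do
        case $opt in
            v) verbose=1 ;;
            *) return 2 ;;         # getopts already reported the illegal option
        esac
    done
    shift $((OPTIND - 1))          # drop the parsed options, including "--"
    printf 'verbose=%s operands=%s\n' "$verbose" "$*"
}

# dash_file_roundtrip NAME: create and delete a file whose name begins with a
# dash inside a throwaway directory, using "--" exactly as the post does.
# Returns 0 when both steps succeed, 1 otherwise.
dash_file_roundtrip() {
    name=$1
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        touch -- "$name" && [ -f "./$name" ] || exit 1   # "./-man" also works
        rm -- "$name" && [ ! -e "./$name" ] || exit 1
    )
    status=$?
    rmdir "$dir" 2>/dev/null
    return $status
}

# Usage with constructed arguments:
parse_args -v -- -man        # verbose=1 operands=-man
parse_args -- -v             # verbose=0 operands=-v
dash_file_roundtrip -man && echo 'created and removed -man'
```

Without the “--”, parse_args -man fails in the same way touch -man does: getopts reads the m as an option it does not know. Prefixing the name with ./ is the other common workaround, and it is the one to use with commands that do not understand “--”.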

January 7th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Ubuntu, Unix


SSH allows administrators to connect to another computer using a secure shell, or command line environment. ARD (Apple Remote Desktop) allows screen sharing, remote scripts and other administrative goodness. SNMP allows for remote monitoring of a server. You can also connect to a server using the Server app running on a client computer. To enable all of these except SNMP, open the Server app (Server 3), click on the name of the server, click the Settings tab and then click on the checkbox for what you’d like to enable.


All of these can be enabled and managed from the command line as well. The traditional way to enable Apple Remote Desktop is using the kickstart command. But there’s a simpler way in OS X Mavericks Server (Server 2.2). To do so, use the serveradmin command.

To enable ARD using the serveradmin command, use the settings option, with info:enableARD to set the payload to yes:

sudo serveradmin settings info:enableARD = yes

Once run, open System Preferences and click on Sharing. The Remote Management box is then checked and the local administrative user can connect to the host with ARD.


There are also a few other commands that can be used to control settings. To enable SSH for administrators:

sudo serveradmin settings info:enableSSH = yes

When you enable SSH from the serveradmin command you will not see any additional checkboxes in the Sharing System Preferences; however, you will see the box checked in the Server app.

To enable SNMP:

sudo serveradmin settings info:enableSNMP = yes

Once SNMP is enabled, use the /usr/bin/snmpconf interactive command line tool to configure SNMP, including the traps and other objects you need.

Note: You can’t have snmpd running while you configure SNMPv3. Once SNMPv3 is configured snmpd can be run. 

To allow other computers to use the Server app to connect to the server, use the info:enableRemoteAdministration key from serveradmin:

sudo serveradmin settings info:enableRemoteAdministration = yes

To enable the dedication of resources to Server apps (aka Server Performance Mode):

sudo serveradmin settings info:enableServerPerformanceMode = yes

October 22nd, 2013

Posted In: Mac OS X Server


Sometimes when we’re doing work, we end up changing a host’s SSH key. You then access the host using something like this:

ssh krypted@10.10.10.10

When accessing the host you then get a warning similar to the following if the key changed:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
aa:bb:cc:dd:ee:ff:00:11:22:33:00:11:22:33:44:55.
Please contact your system administrator.
Add correct host key in /home/remi/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/remi/.ssh/known_hosts:1
In case you know the host identification has changed, you can safely discard this warning.

To fix this, you can edit the ~/.ssh/known_hosts file and remove the offending line (the line number shown in the Offending ECDSA line), or use ssh-keygen with -R, which removes that host’s entries from known_hosts for you. Before doing either, confirm through a channel other than that ssh session (the server’s console, or whoever made the change) that the new fingerprint is the expected one; otherwise the warning may be exactly what it says, a man-in-the-middle:

ssh-keygen -R 10.10.10.10
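The following script is an added example, not part of the post, of the check that should precede ssh-keygen -R: it reads the warning text, pulls out the fingerprint the remote side presented and the offending known_hosts line, and only prints the removal command when that fingerprint equals one you obtained out of band (for instance from ssh-keygen -lf on the host’s own public key file at its console). The warning text, fingerprints and function names below are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post): parse the "REMOTE HOST IDENTIFICATION HAS
# CHANGED" warning and clear the stale known_hosts entry only when the new
# fingerprint matches one obtained out of band. The sample warning, the
# fingerprints and the function names are all constructed for this example.

SAMPLE_WARNING='@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
The fingerprint for the ECDSA key sent by the remote host is
aa:bb:cc:dd:ee:ff:00:11:22:33:00:11:22:33:44:55.
Offending ECDSA key in /home/remi/.ssh/known_hosts:1'

# presented_fingerprint WARNING: the fingerprint the remote side sent, which ssh
# prints on the line after "The fingerprint for the ... key sent by the remote
# host is" (the trailing period is stripped).
presented_fingerprint() {
    printf '%s\n' "$1" | awk '/^The fingerprint for the .* key sent by the remote host is$/ {
        getline; sub(/\.$/, ""); print; exit }'
}

# offending_line WARNING: the known_hosts line number named in the
# "Offending ... key in <file>:<n>" line.
offending_line() {
    printf '%s\n' "$1" | sed -n 's/^Offending .* key in .*:\([0-9][0-9]*\)$/\1/p'
}

# fingerprint_matches WARNING EXPECTED: true only when the presented fingerprint
# is identical to the expected one (an empty expected value never matches).
fingerprint_matches() {
    [ -n "$2" ] && [ "$(presented_fingerprint "$1")" = "$2" ]
}

# plan_known_hosts_fix HOST WARNING EXPECTED: print the ssh-keygen command that
# would remove the stale entry (it is not executed here) when the fingerprint
# was verified; otherwise report the mismatch on stderr and return 1.
plan_known_hosts_fix() {
    host=$1; warning=$2; expected=$3
    if fingerprint_matches "$warning" "$expected"; then
        printf 'ssh-keygen -R %s\n' "$host"
        return 0
    fi
    printf 'fingerprint mismatch for %s (known_hosts line %s): got %s, expected %s\n' \
        "$host" "$(offending_line "$warning")" "$(presented_fingerprint "$warning")" "$expected" >&2
    return 1
}

# Usage with the constructed values: prints "ssh-keygen -R 10.10.10.10".
plan_known_hosts_fix 10.10.10.10 "$SAMPLE_WARNING" aa:bb:cc:dd:ee:ff:00:11:22:33:00:11:22:33:44:55
```

Newer OpenSSH releases print SHA256 fingerprints in base64 rather than the colon-separated hex shown in the post; the comparison is the same, as long as the out-of-band value is in the same format.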

September 12th, 2013

Posted In: Mac OS X, Mac OS X Server, Mac Security, Ubuntu


Updating the firmware on Promise arrays is straightforward enough from the WebPAM. But what happens if a firmware update goes funky and you can’t get into the WebPAM any longer (ah, the joys of beta testing)? Well, you can always download an older firmware and reload it, provided you can ssh or telnet into the host. Download from http://www.promise.com/support/download.aspx?m=93&region=en-global for your given model.

Then, you need the firmware accessible to the Promise chassis via tftp. A simple tftp GUI tool is available at http://ww2.unime.it/flr/tftpserver. Because tftp is unauthenticated, keep that server running only for the duration of the update and reachable only from the array’s network. Once configured, log into the Promise array and then use the ptiflash command to update the firmware. In the following command we’ll use the -s option to identify the IP address of our tftp server and then the -f option to identify the name of the file (note that I’ve shortened the ptif file for this X30 to be just fw.ptif so I don’t fat finger the multiple hyphens in a ridiculously long file name that I can’t autocomplete):

ptiflash -t -s 192.168.69.30 -f fw.ptif

If the array can’t access the file, note that OS X ships a tftp client binary that works much like the ftp binary; use it to test that the server and the file are reachable from the IP address the X30 is using. If the file is accessible, when prompted to update the flash, enter y and press enter.

The update process is going to take about 15 to 20 minutes. If running the latest versions of the X30 firmware I recommend using Firefox.

July 8th, 2013

Posted In: Mac OS X, Mac OS X Server, Mac Security, Xsan


Mobile Home Directory synchronizing in OS X Server environments is used to synchronize the home folder of clients with a copy that lives on the server, so users can roam between computers with their desktop, documents and preferences following them from machine to machine. Server Side File Tracking creates and keeps a copy of the sync database on client machines and servers, comparing the two databases when synchronizing rather than scanning directories for all the synced files each time a synchronization occurs. In environments with synchronizing Mobile Home Directories, Server Side File Tracking (SSFT) can help reduce the amount of time required for syncs. Server Side File Tracking is disabled by default in OS X Mountain Lion Server and cannot be enabled from the Server app. To enable Server Side File Tracking (aka FileSyncAgent), use the following command:

sudo serveradmin settings info:enableFileSyncAgent = yes

To then turn it back off, if you so choose:

sudo serveradmin settings info:enableFileSyncAgent = no

Logs are then stored in ~/Library/Logs/FileSyncAgent/FileSyncAgentVerbose.log if you need further information. Note that TCP port 2336 needs to be open, because the FileSync Agent connects to the server over ssh on port 2336; ssh doesn’t need to be enabled on the standard port 22, but mobile users must be members of the SSH SACL.

August 16th, 2012

Posted In: Mac OS X, Mac OS X Server, Mass Deployment


The traditional way to enable Apple Remote Desktop is using the kickstart command. But there’s a simpler way in OS X Mountain Lion Server. To do so, use the serveradmin command.

To enable ARD using the serveradmin command, use the settings option, with info:enableARD to set the payload to yes:

sudo serveradmin settings info:enableARD = yes

Once run, open System Preferences and click on Sharing. The Remote Management box is then checked and the local administrative user can connect to the host with ARD.

The Server app will also have the “Enable screen sharing and remote management” option checked.

There are also a few other commands that can be used to control settings. To enable SSH for administrators:

sudo serveradmin settings info:enableSSH = yes

To enable SNMP:

sudo serveradmin settings info:enableSNMP = yes

To enable the dedication of resources to Server apps (aka Server Performance Mode):

sudo serveradmin settings info:enableServerPerformanceMode = yes
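Every switch in this post, in the Mavericks posts above and in the FileSyncAgent post is set with the same serveradmin pattern, and serveradmin echoes settings back in the same key = value form. The script below is an added example, not the posts’ own code or Apple’s: it parses output in that format to show which remote-access services are on and to flag drift from a list you expect, which is the check to run after enabling things by hand. The sample output is constructed (on a real server you would pipe in sudo serveradmin settings info), and the function names are this example’s own.

```shell
#!/bin/sh
# Added example (not from the posts): audit the info:<key> switches that the
# posts set with "serveradmin settings info:<key> = yes". The output format
# below is the key = value form serveradmin prints; the values are constructed
# for this example, and the function names are this example's own.

SAMPLE_SETTINGS='info:enableARD = yes
info:enableSSH = yes
info:enableSNMP = no
info:enableRemoteAdministration = yes
info:enableServerPerformanceMode = no
info:enableFileSyncAgent = no'

# setting_value KEY SETTINGS: the value of info:KEY, or nothing if it is absent.
setting_value() {
    key=$1; settings=$2
    printf '%s\n' "$settings" | sed -n "s/^info:${key} = \(.*\)$/\1/p"
}

# enabled_remote_services SETTINGS: one line per remote-access switch that is
# currently "yes" (the services the posts describe, in a fixed order).
enabled_remote_services() {
    settings=$1
    for key in enableARD enableSSH enableSNMP enableRemoteAdministration enableFileSyncAgent; do
        if [ "$(setting_value "$key" "$settings")" = "yes" ]; then
            printf '%s\n' "$key"
        fi
    done
}

# settings_drift SETTINGS EXPECTED: EXPECTED is a space-separated list of
# key=value pairs. Prints each key whose actual value differs (a missing key
# shows as "unset") and returns 1 if any drift was found, 0 otherwise.
settings_drift() {
    settings=$1; expected=$2; drift=0
    for pair in $expected; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(setting_value "$key" "$settings")
        if [ "$have" != "$want" ]; then
            printf '%s: have %s, want %s\n' "$key" "${have:-unset}" "$want"
            drift=1
        fi
    done
    return $drift
}

# Usage with the constructed settings:
enabled_remote_services "$SAMPLE_SETTINGS"
settings_drift "$SAMPLE_SETTINGS" "enableARD=yes enableSSH=yes enableSNMP=no" && echo 'no drift'
```

Running the audit after each change keeps the Server app’s checkboxes, the Sharing preference pane and the command line from quietly disagreeing about what is exposed; the SSH case in particular is easy to miss because, as noted above, enabling it through serveradmin shows nothing in the Sharing pane.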

August 14th, 2012

Posted In: Mac OS X Server, Mac Security, Mass Deployment


When working at scale, and particularly with hosts that need to have the same configuration or you want to perform the same queries on, the issue becomes how do I ‘reach out and touch’ my fleet? Without centralized infrastructure backed by a messaging broker or a heavier process that leaves hooks in systems and/or requires its own domain specific language, sometimes you can get by with… plain ol’ ssh. Apple Remote Desktop can take us a lot of the way there, and one of the announced features of Mountain Lion is that screen sharing gets another piece of ARD’s pie, the ability to drag-and-drop files to transfer them to the remote machine. But when trying to use features other than screen control, ARD has been found to be hit-or-miss (or misreporting the functionality of hosts) in some circumstances.

csshX in action

‘Scripty’ folks look at these issues and craft tools to meet the challenge-slash-obscure use case. Perl has long been relied upon for network-aware utilities, and csshX is a tool for managing a ‘cluster’ of ssh sessions on the Mac. You can download or check out the code from its googlecode site, and it has a man page that can be accessed by calling the binary directly with the -m switch. Options include telling it the login and/or password to use, feeding it a text file of hosts to access, or simply listing hosts by DNS name or IP separated by spaces. Even if user names or passwords differ, fully-functional windows open as it attempts ssh connections to each host, along with a red master window you can use to control them all once you’ve authenticated to the ssh sessions.
From that point on, the world is your proverbial jerry-rigged oyster! To mimic ARD’s file transfers you could scp back to your machine (as kludges go, smileyface). Another random tip: the emacs readline shortcut Ctrl-a to jump to the beginning of a line still works, even though csshX uses Ctrl-a for a special purpose (as does the terminal multiplexer screen); simply hit Ctrl-a again and the program will understand you wanted to send it to the remote sessions. Enjoy!

June 28th, 2012

Posted In: Mass Deployment

