Binding a Service to a specific IP-Address

June 6th, 2011

On one of my Servers I needed access to a Port by different Services.

So, in my Case the Requirement was to use the Apache Webserver on
SSL Port 443 and to use SSH on the same Port.

In an earlier Article I wrote how to create an launchd Deamon to use SSH on Port 443.

The Problem is you can only bind one Port to an Service but you can bind
different Services to different IP-Addresses. Anyway, you need 2 IP-Addresses to work around this.

So, first I selected in Server Admin -> Web Service -> General an specific IP to use for the SSL Website

Next you have to edit the in an previous Article introduced ssh443.plist

You have to add these 2 Lines:

<key>SockNodeName</key>
<string>192.168.0.1</string>

The complete plist looks like this:

<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist version=”1.0″>
<dict>
<key>Label</key>
<string>com.openssh443.sshd</string>
<key>Program</key>
<string>/usr/libexec/sshd-keygen-wrapper</string>
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/sshd</string>
<string>-i</string>
</array>
<key>SHAuthorizationRight</key>
<string>system.preferences</string>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>Bonjour</key>
<array>
<string>ssh</string>
<string>sftp-ssh</string>
</array>
<key>SockNodeName</key>
<string>192.168.0.1</string>
<key>SockServiceName</key>
<string>ssh443</string>
</dict>
</dict>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>inetdCompatibility</key>
<dict>
<key>Wait</key>
<false/>
</dict>
</dict>
</plist>

Use ‘launchctl’ to load the Service:

launchctl load -w /Library/LaunchDaemons/ssh443.plist

Tags:
Posted in Mac OS X, Mac OS X Server, SSH | Remote Desktop | Comments Off

Start a VMware Host Headless via CLI

July 26th, 2010

For Testing i often use VMware Fusion 3 in my Lab. But i don’t use it on my own workstation. I have some Mac’s around that do the Job and connect by ARD. I searched for a way to run VM instances in the Background and found one that work for me in Version 3.1.0.

You can Start a VM via CLI as follows.

sfischer$ /Library/Application\ Support/VMware\ Fusion/vmrun start /Users/ladmin/Documents/Virtual\ Machines.localized/Srv.vmwarevm nogui

Check Activity Monitor. Now you see there “vmware-vmx”is  running. That’s your Virtual Host.

If you want to shutdown the Host use ARD or stop the VM with this Command:

sfischer$ /Library/Application\ Support/VMware\ Fusion/vmrun stop /Users/ladmin/Documents/Virtual\ Machines.localized/Srv.vmwarevm

Check the Help-Page via Terminal to get more Details

sfischer$ /Library/Application\ Support/VMware\ Fusion/vmrun

As positive result i notice a much better ARD Performence. The Feeling is now like you use a real Mac OS Client via a remote connection.

Posted in Command Line, Mac OS X | No Comments »

Support a Corporate-Mac-Server without having VPN Access to this Network by an SSH-Bridgeserver

May 21st, 2010

A short while ago i had to Support a Xsan System in a Company and hadn’t VPN Access to this Corporate-Network .

I consider about the Situation and found for me the best way to get Remote Access by using SSH Reverse Tunneling.

The only Ports you require are 22 (SSH) & 5900 (Screen Sharing).

To get these Ports forwarded you need a Server on that runs SSH with a Public IP. Fortunately i had one that i was able to use for this.

I get in contact with the People at this Company and told them to check that SSH and ARD vs. Screen Sharing are enabled.
As they was sure that the Services are active i told them to forward me the 2 Ports to my Server:

sfischer$ ssh -N -R 5901:localhost:5900 -R 2222:localhost:22 user@remoteip

After i got Feedback from the Guys i checked on the Server if the connections are established.

sfischer$ netstat -an | grep -e 5901 -e 2222

If there is no output on this Commands the Tunnel is not active!

But in my Situation all worked well and i could Connect these Ports with my Computer by this Command:

sfischer$ ssh -g -N -L 5901:localhost:5901 -L 2222:localhost:2222 user@remoteip

So, now the Ports was tunneled to my Computer.

Last i only had to connect by “localhost”.

Access Screen Sharing by:

There is no need to enable VNC Access on the Preference Pane. Screen Sharing speaks easy with the Server only on Port 5900. So you can authorize with the local Username and Password of the Admin.

To get the Remote SSH Shell:

sfischer$ ssh -p 2222 user@localhost


Tags:
Posted in SSH | Remote Desktop | No Comments »

Tunneling SSH-traffic over an HTTPS Proxy to an Internetmachine

May 21st, 2010

Sometimes in bigger Companies there are Security policies that do not permit outgoing SSH & HTTP/S Traffic. There is often used a Proxy like Squid to surfing the Web via HTTP/S. But no capability to use SSH.

I found a great Solution to bypass this by using a Tool named “corkscrew”. With corkscrew you can tunnel SSH traffic over an HTTPS Proxy. You can get it from there.

Its a little bit work to compile it but it is worth for sure.

After the building of your Binary you can place it in /usr/local/bin/

As next you need to add or create some Config information into $HOME/.ssh/config

Host *
ProxyCommand /usr/local/bin/corkscrew http-proxy.example.com 8080 %h %p

If you only have a few Hosts Outside you can replace * with your Connections.

Also replace “http-proxy.example.com 8080” with your Proxy Data.

In my experience often the Firewall restrictions for the Proxy only allow Port 80 & 443.  So, your SSH Counterpart has to listen on that Port to establish a Connection, too.

If you have a Mac OS X Machine on the Web as Counterpart you have to told sshd to listen on Port 443. If you do this, there is no Chance to use the same Computer as a Webserver that provide HTTPS Services!

The following worked for me under Snow Leopard and should work with Leopard as well.

First Add to /etc/services these 2 Lines:

ssh443         443/udp    # SSH 443
ssh443         443/tcp    # SSH 443

As next Copy the ssh.plist that Control sshd.

cp /System/Library/LaunchDaemons/ssh.plist /Library/LaunchDaemons/ssh443.plist

Edit /Library/LaunchDaemons/ssh443.plist like this:

<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist version=”1.0″>
<dict>
<key>Label</key>
<string>com.openssh443.sshd</string>
<key>Program</key>
<string>/usr/libexec/sshd-keygen-wrapper</string>
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/sshd</string>
<string>-i</string>
</array>
<key>SHAuthorizationRight</key>
<string>system.preferences</string>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>Bonjour</key>
<array>
<string>ssh</string>
<string>sftp-ssh</string>
</array>
<key>SockServiceName</key>
<string>ssh443</string>
</dict>
</dict>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>inetdCompatibility</key>
<dict>
<key>Wait</key>
<false/>
</dict>
</dict>
</plist>

You have to Change “Label” & “SocketServiceName” Information.

That’s all, now you can load the plist File with:

launchctl load -w /Library/LaunchDaemons/ssh443.plist

To deactivate you only need to unload the Property List.
launchctl unload -w /Library/LaunchDaemons/ssh443.plist

This Config doesn’t influence the Apple SSH Config at
/System/Library/LaunchDaemons/ssh.plist
and runs independently!

Now you should be able to connect your internal Machine with your external Machine by following Command:

ssh -p 443 user@myexternalmachine.com

Posted in SSH | Remote Desktop | 1 Comment »

Binding your Client to your own Softwareupdate Server

March 1st, 2010

If you have a Mac OS X Server you can use it as your own internal Company Softwareupdate Server to manage the Roll-Out of new Packages. Please note, the SUS only serves Updates for the same OS Version that the Server Build is!

If you doesn’t manage your Clients via OD you can set the SWU-Server by the following Command:

sfischer$ sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://172.16.1.103:8088/index.sucatalog

To go back to the Apple Server only revert it to “swupdate.apple.com”:

sfischer$ sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://swupdate.apple.com:8088/index.sucatalog

Posted in Mac OS X, Mac OS X Server | No Comments »

Kerio WebMail through Mac OS X Server provided Apache

February 15th, 2010

If you hosting on your Server multiple Websites with you Build-In Mac OS X Apache Server than you can not use the same Port with your Kerio Webservice, but it is often required to use the Standard HTTPS Port because of Firewall Rules. In this Case you have the Possibility to use the Reverse Proxy Feature on your Build-In Apache Server.

First Set Up your Kerio HTTP Server Port to 8080. As next create your Website, something like https://webmail.sf809.de in Server Admin. The Web Folder Path you can ignore. Activate on the Security Pane SSL to use an encrypted Connection, set your Web Server Alias as webmail.sf809.de on the Alias Pane and Jump to the Proxy Pane. There it should looks like my Screenshot:

Save your Settings. After this it should be possible to reach your Webmail via the arranged Website. This works for me in 10.6.2 with Kerio Connect 7.

Posted in Kerio Connect | 1 Comment »

Change NSUmask Preferences on a Mac

February 12th, 2010

On my Final Cut SAN Installations it is often needed that the People can edit theirs Files from different Craft-Edit-Stations.

Normally they are not  managed by personalised User Accounts. So each Station has his own User with different UID.

If you create a new File on Mac OS X the Basic Setting only allows the Owner to read/write to the File. If you want to change these to allowing even the POSIX Group and Others to write on the File you have to change the NSUmask Preferences on the Apple Computer.

You can do this by typing the follwing Commands into the Terminal App (First become ROOT than enter Command):

sfischer$sudo -s

bash-3.2#echo umask 000 >>/etc/launchd.conf

After this please Reboot your Mac that the Change is wrapped. This works for 10.5 & 10.6!

Alternative you can use Access Control Lists on the Volume to control this Behavior.

Posted in Command Line, Mac OS X, Mac OS X Server | No Comments »

Disable mounting of a Volume at Boot

February 12th, 2010

Sometimes you don’t want that a Volume of your System is mounted automatically.

You can edit the /etc/fstab with vifs to prohibit this.

First you need the UUID from the Volume. You can get this by typing the following Command:

sfischer$ diskutil info /Volumes/sf809

This Line we need:

Volume UUID:              879BD142-4066-32DE-B1DD-D2D72F5C8762

Now we have to edit the /etc/fstab via vifs. You need for this a little bit Knowledge about the Editor vi.

sfischer$sudo vifs

Insert the following line:

UUID=879BD142-4066-32DE-B1DD-D2D72F5C8762 none hfs rw,noauto

Please use your UUID that you received from the upper Command!

After the next Reboot the Volume should not be mounted. This is testet on a 10.5 System.

Posted in Command Line, Mac OS X, Mac OS X Server | No Comments »

Getting Serial Numbers from Mac OS X Server & Xsan

February 12th, 2010

If you have a new Apple-System installed for a Customer you maybe want to note down the used Serial Numbers in an Documentation.

It’s easy to get them if you have Apple Remote Desktop. Only select the Computers and push the “UNIX Command” Button.

Insert the following Line and execute as Root:

Get Mac OS X Server 10.6 Serial Number

/System/Library/ServerSetup/serverserialnumberutil -get

Get Mac OS X Server 10.5 Serial Number

/System/Library/ServerSetup/serversetup -getServerSerialNumber

Get Xsan Serial Number

cat /etc/systemserialnumbers/xsan

Then export the Output as Text file.

Posted in Command Line, Mac OS X Server, SSH | Remote Desktop, Xsan | StorNext | No Comments »

Hello world!

January 1st, 2010

After a few months searching for the right Wordpress Theme as the perfect Solution i stopped looking for and determine to start with something like the basic Design.

Hope you have fun with my Site and find a few useful Tricks.

Posted in Misc | No Comments »