ssh-agent and Mac OS X

Introduction: I am beefing up security by requiring password protected SSH keys (two factor) for authentication. With this change, the use of ssh-agent is quite important. Because I use ssh frequently, it’s worth making its use as transparent as possible.

The Problem: ssh-agent lacks an easy way to use it across multiple shell/terminal sessions. This is best explained by example. I log onto my Mac OS X/FreeBSD machine at the console. I need to administer a server, so I open a terminal window. Now I must launch ssh-agent followed by ssh-add and then type in my passphrase to set up my ssh key(s). Now my ssh key is authenticated and ready for use during the rest of this session. So far, so good.

While I’m working on that first server, I need to connect to another machine to see how I configured something there. This is where ssh-agent becomes onerous. I open another terminal window and must once again launch ssh-agent, then ssh-add, type in my passphrase, and finally connect. But now I have two instances of ssh-agent running.

Having multiple ssh-agents is the default behavior because ssh-agent has no built-in mechanism for detecting and reusing an existing ssh-agent process. To reuse one, a new shell must learn the path to the existing agent’s socket file and set SSH_AUTH_SOCK to it.

Research: I researched the options available for solving this issue on my Mac. I found Xander Schrijen’s SSH Agent for Mac OS X but had several issues that prevented me from falling in love with it. There is also SSHKeychain, but it didn’t work at all on my Intel Macs (it has since been fixed).

The Solution: After giving up on an easy point-and-click solution, I decided the best solution is one that works equally well on all the UNIX-like systems I use regularly: Mac OS 10.4, 10.5, Linux, and FreeBSD. I wrote a simple shell script, then a more complex one, then a perl script, and finally another shell script that I think is just about perfect. Its only requirement (beyond openssh) is bash.

Documentation is contained in the script. It has been tested on Mac OS X and FreeBSD. It should run without modification on any UNIX-like OS and requires the [ba]sh shell. I attempted a script that worked with both bash and tcsh but it simply wouldn’t work. Tcsh is a perfectly adequate shell but a miserable programming environment.

Demonstration: Opening a new Terminal window:

Last login: Sat Jul 28 20:41:10 on ttys001
cleaning up stale ssh agent
starting ssh-agent -a /Users/matt/.ssh/agent.sock
ssh agent for matt found at pid 30268.
adding ssh key(s) to agent
Identity added: /Users/matt/.ssh/id_rsa (/Users/matt/.ssh/id_rsa)
Identity added: /Users/matt/.ssh/id_dsa (/Users/matt/.ssh/id_dsa)
[matt@IntelliBigMac] ~ %

Opening a second Terminal window:

Last login: Sat Jul 28 20:52:54 on ttys002
ssh agent for matt found at pid 30268.
[matt@IntelliBigMac] ~ %

Enjoy
http://www.tnpi.net/computing/mac/agent.sh.txt
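The approach described above (pin the agent’s socket to a known path with ssh-agent -a, check whether an agent still answers there, clean up a stale socket, and only prompt for the passphrase when the agent holds no keys) as an added example. This is not the agent.sh linked above; the file layout, function names and the ~/.ssh/agent.sock path are my assumptions. It is meant to be sourced from ~/.bash_profile and runs on bash 3.2 (the version Mac OS X ships) as well as POSIX sh.

```shell
#!/usr/bin/env bash
# Added example, not the author's agent.sh: share one ssh-agent across all
# terminal sessions by binding its socket to a fixed path (ssh-agent -a) and
# pointing SSH_AUTH_SOCK at it. Source this file from ~/.bash_profile.
# Assumption: the socket lives under ~/.ssh, which must be mode 0700 so that
# only the owner can connect to the agent through it.

AGENT_SOCK="${AGENT_SOCK:-$HOME/.ssh/agent.sock}"

# agent_state SOCK -> prints one of: missing | stale | running
# "stale" means a socket file exists but no agent answers on it, which is what
# a reboot or a killed agent leaves behind.
agent_state() {
  local sock="$1" rc
  [ -S "$sock" ] || { echo missing; return 0; }
  SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1
  rc=$?
  # ssh-add -l exits 0 (identities listed) or 1 (agent up, no identities)
  # when it reached an agent, and 2 when it could not connect at all.
  if [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]; then echo running; else echo stale; fi
}

# has_identities: succeeds when the agent on SSH_AUTH_SOCK already holds keys.
has_identities() {
  ssh-add -l >/dev/null 2>&1
}

ensure_agent() {
  local state dir
  command -v ssh-agent >/dev/null 2>&1 || { echo "ssh-agent not found" >&2; return 1; }

  # An agent handed to us by the environment (a forwarded agent, or the
  # launchd-provided one on newer Mac OS X) is reused rather than replaced.
  if [ -n "$SSH_AUTH_SOCK" ] && [ "$(agent_state "$SSH_AUTH_SOCK")" = running ]; then
    echo "ssh agent already available at $SSH_AUTH_SOCK"
    has_identities || { echo "adding ssh key(s) to agent"; ssh-add; }
    return 0
  fi

  dir=$(dirname "$AGENT_SOCK")
  mkdir -p "$dir" && chmod 700 "$dir"

  state=$(agent_state "$AGENT_SOCK")
  if [ "$state" = stale ]; then
    echo "cleaning up stale ssh agent"
    rm -f "$AGENT_SOCK"      # ssh-agent -a refuses to bind over an existing file
    state=missing
  fi

  if [ "$state" = missing ]; then
    echo "starting ssh-agent -a $AGENT_SOCK"
    # ssh-agent -s prints Bourne-shell assignments for SSH_AUTH_SOCK and
    # SSH_AGENT_PID; evaluating them exports both into this shell.
    eval "$(ssh-agent -s -a "$AGENT_SOCK")" >/dev/null || return 1
  else
    export SSH_AUTH_SOCK="$AGENT_SOCK"
    echo "ssh agent found at $AGENT_SOCK"
  fi

  # Only prompt for the passphrase when the agent holds no identities yet, so
  # the second and later terminal windows come up silently.
  if ! has_identities; then
    echo "adding ssh key(s) to agent"
    ssh-add
  fi
}

# Run automatically only in interactive shells (where this file is sourced);
# non-interactive invocations just define the functions.
case $- in *i*) ensure_agent ;; esac
```

Because the socket path is fixed, any process running as the same user can talk to the agent; keeping ~/.ssh at mode 0700 is what stops other local users from doing so. If the agent should not hold unlocked keys indefinitely, ssh-add -t accepts a lifetime after which the identity is dropped.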

customer service

It’s all too common that customer service leaves much to be desired. Today I was quite surprised when I received excellent customer service from my telephone provider, VoicePulse. I was able to call out, but people weren’t able to call me.

So I called and inquired. Matt, in Newark, NJ answered my call. I explained the problem. He looked into briefly. Then, wonder of wonders, he explained exactly what the problem was. It turns out it was an issue they already knew about but the extent was greater than they realized. He demonstrated that he actually understood exactly the problem because he asked for another number where he could reach me. No more than an hour later, he actually called back to let me know the problem was fixed!

That’s what I call service. Thank you Matt @ VoicePulse, for surpassing my expectations.

About the iPhone

Hey Jay, this post is for you. 🙂

First, let me be perfectly clear. The iPhone is an extraordinarily wonderful technical achievement. iLust. What was unusual about this year’s Macworld keynote is that my wife started watching the keynote as well. And she was interested.

The truly striking part was watching Jobs actually use the iPhone. There were very different aspects of the phone that wowed her and others that wowed me. The ease of using all the devices is likely the phone’s most endearing feature, but I’m not in love. Yet. First, my list of pros, cons, and questions:

Pros:
Ease of use.
Multi-touch
Wide screen iPod!
Switch between portrait and landscape via accelerometer
Sync contacts from Mac or PC
Fully functional web browser (yes, I have Opera on my mobile)
Text message context bubbles (ala iChat)
WiFi

Cons:
Painfully slow data access (EDGE).
Cingular only
No tethering (with a PDA / laptop)
Expensive.

Concerns:
SSH client (this is a must have)
Does email support multiple IMAP accounts?
Is there support for IMAP SSL/TLS encryption?
The Google Maps did not have traffic info in the demo, but is a claimed feature.

I will not be buying a v1.0 iPhone for two reasons. The first is past bad experiences with Cingular, and the second is the lack of useful data plans. One of the “killer apps” for me and my mobile phone is being able to tether with my laptop and have the ability to manage my internet based business anywhere, anytime. Until Cingular has HSDPA rolled out to the degree that Sprint and Verizon have EVDO available, Cingular is not even a consideration.

When the 2nd generation of iPhones hits the market and includes 3G mobile networking, I will consider the iPhone if Apple adds tethering support. I care little about the visual voice mail (it’s my mobile, I normally answer it) and the push IMAP. I’d much rather have an unlocked 3G phone I can use on the carrier of my choice (Sprint).

For myself, the iPhone is not quite “there” yet. But, that only accounts for me. The iPhone might just be the perfect phone for my wife.

What were they thinking?

Riddle me this; assume that you are the world’s largest Operating System vendor. One of your core markets, and the one generating the profit that keeps your entire operation rolling in cash, is sales to businesses (and governments). You work in marketing and hired a research company to determine the impact if businesses were to upgrade to the latest version of your OS. When the results of the report come back, they reflect a strong negative impact. Do you:

a) Cram the report in a barrel and bury it with nuclear waste in Nevada
b) Forward the results to your boss and let him/her decide
c) Spin the results as a job creation benefit to the US economy

Apparently someone at Microsoft thought c) was a good idea and published a report concluding that Vista would create 100,000 new jobs in the USA and 50,000 more in Europe. Now, if you were in charge of keeping IT costs down in your organization and read this, how excited would you be about upgrading?

That’s almost as embarrassing as two Word exploits that let remote attackers hijack your entire PC, or having your development chief say, “I would buy a Mac if I didn’t work for Microsoft,” or getting caught stealing icons off your competitor’s web site.

Are Apples “picky” about RAM?

Scot Finnie, a “Windows Expert” wrote an article for Computerworld in which he describes his 3 month experiment using only a MacBook Pro. One of the comments he makes is,

I haven’t had a spontaneous reboot since the moment I pulled the [bad] RAM SIMM, the second day I had the machine. It’s been about six weeks. Apple computers are picky about RAM.

What surprised our dear friend Scot is that Apple hardware seems to care about the quality of RAM it is given. He is of course, correct. However, what he fails to note is that EVERY computer is quite finicky about RAM. Bad RAM will cause any Operating System running on any hardware to behave in undesirable ways.

During the legacy Mac OS days, when stability on Mac or Windows was not a thing to be depended upon, I remember joining a mailing list specific to BSD UNIX, which I was getting acquainted with. Another list member described a type of crash his system was experiencing. I thought it a bit presumptuous when others pointed out his problem was almost certainly bad RAM. It was as if they were saying, “the problem is not our OS, it’s your hardware that is junk!” That scenario played out dozens more times over the years, as guys with only PC experience ventured into the land of UNIX, where servers run for years and hardly ever crash.

The difference is one of perspective and requires a paradigm shift. Scot’s experience is one where frequent crashes are still commonplace. Now Scot has tasted a computing environment where six weeks, or six months without a reboot is common. It’s not that Apple computers are more picky about RAM. It is that you tend to notice when your system goes from rock solid dependable to sporadically crashing, which it had never done before. Scot, we welcome you to a brave new world.

PS: NewEgg has great prices, great service, and ample options for buying RAM for any computer.

compressed air is so passe

Every geek worth his salt is bound to get requests to fix aged and ailing computers. A friend of mine, who shall remain nameless, dropped his ancient Dell off in the hopes that I could salvage some of the files off the disk. A few months ago it had crashed so he reinstalled the OS, and got a few more months use before it crashed really hard.

In such cases, I don’t even bother using the ancient computer. I just yank the disk and attach it to my computer using a FireWire ATA bridge. Then I can probe, test, and hopefully extract information from the disk. This is obviously much faster than working with a relic. This evening I pulled the unnamed person’s Dell out from under my desk and removed the lid. The greeting I got was a little unsavory.

[photo: inside of the Dell with the lid removed]

As the inside of computers go, this is not the worst I have seen. Most folks don’t bother to clean their engine before taking their car to a mechanic and they don’t bother to clean their computer before taking it to a technician. My intent in disassembly was simply to remove the drive, which you can see in the lower right hand side of the photo.

To remove the drive, there are two screws beneath the front panel that must be removed. I was thinking I could get the drive out without liberating too much of the dust, but I was wrong. Very wrong. When I partially removed the front cover, my wife, who happened to be watching the dissection, interrupted. With good cause, she insisted I put it back together and take it outside to clean it off.

[photo: the drive bay behind the front panel]

Other than age, can anyone at home guess why the drive failed?

I heeded Jen’s advice and took the computer out into the driveway to clean it out. I keep cans of compressed air in the garage for just this purpose. Then inspiration struck. I had just, in the previous 10 minutes, come down off the roof after blowing all the leaves out of my gutters. If a picture is truly worth a thousand words, I need not explain any further.

[photos: cleaning the case out with the leaf blower]

Backing up a Mac

A friend recently asked a very good question, “What disk tools should be in a person’s disk utility collection for backup/recovery of a Mac?” At the top of my list are two applications: SuperDuper! ($28) and ChronoSync ($30).

SuperDuper is in a class of utilities used to duplicate the contents of your hard drive. There are other options (Synchronize! Pro X – $99, Carbon Copy Cloner – $5, Retrospect), but none that deliver so much for the money.

I owned Synchronize! Pro years ago but gave up on it during the switch to OS X. CCC was the perfect (and only) tool for duplicating OS X drives for quite a while. I used and recommended it for a few years. It’s so good and cheap that I paid the suggested donation for it several times. It “just works.” However, CCC has grown rather long in the tooth. As new versions of OS X arrived, it has been slow to get updated and even the latest version today does not support all of OS X’s file metadata features.

Say hello to SuperDuper.

Like CCC, SuperDuper will duplicate your drive contents from one drive to another, for free. However, with your paid registration, SuperDuper uses a sync engine that copies just the changes from one drive to the other. It works quite well, and you (and I) are much more likely to back up often if it only takes a few minutes (versus hours). I have a few bare ATA disks with sticky notes on them, so I know which computer they are for. I hook them up to my WiebeTech ComboDock and back up periodically. It works well.

The other half of my backup equation is keeping my home directory in sync between all of my computers. With two laptops and two desktops, keeping them all “up to date” is no small challenge. I have tried several solutions, including OS X Server 10.4 and portable home directories. However, the easiest to use and most reliable solution is using ChronoSync. I configure it to sync my entire home directory, minus Library, Movies, and Music. The latter two I exclude because they simply won’t fit on laptop hard drives. I only sync a small subset of my Library folder.

I run ChronoSync on an “as needed” basis, like right before I’m leaving the house, or when something is not on the laptop. Then I sync that laptop to my primary desktop system. ChronoSync has very good conflict resolution tools built in to help you sort out which version of a file you want to keep when both have changed since the last sync. It can also archive changed files and other nifty tricks. It is well worth the modest fee. Between those two apps, I can do everything I ever need to with my drives.

Notes:

Retrospect: the software from OS 9 days that I’m so pleased to no longer need. While Retrospect worked quite well, it was never easy to use, and thus my help was always needed when clients wanted to set up new backups, restore from them, or do anything more complex than inserting new backup media. It is not a good solution for end users.

Another good “Backing up a Mac” article.

Cleaning up our mailbox

There’s nothing like being away from home for most of the summer to make one realize just how much junk mail is arriving. We get at least one credit card offer a day and 3 mortgage protection insurance offers a week on top of local ad mailers (which are at least somewhat relevant). Today I found a Privacy link on the FTC web site that led me over to the OptOutPrescreen web site.

On the OptOutPrescreen site you can tell the “Big 3” credit reporting agencies not to provide your information to credit card and insurance companies that are “prescreening” you to determine if they want to mail you offers. Hopefully I just cleaned up our “postal” mailbox and helped save a few trees.

NOTE: This is different from the Do Not Call registry in that it is per-person, so in our case Jen and I must both opt out.

Parallels Desktop review

I have used Parallels Desktop on my 20″ iMac since well before it was released, including most of the public beta versions. When they offered it for sale, I bought it without hesitation. In short, the software is much better than one would expect for the price.

One thing I must note about Parallels. Do not expect much if your system is RAM starved (i.e., you have less than 768MB). Your poor Mac will be paging to disk almost constantly and you’ll wonder why your blazing fast computer is so slow. That is because you are beating the tar out of your hard drive. Do yourself a favor. Spare your hard drive (and your precious data) by spending $160 for 2GB of RAM. I did this on my 20″ iMac and my MacBook and both scream.

I use Parallels for running three different operating systems, FreeBSD, Linux, and Windows XP. Since I develop software that runs on the first two, I regularly need access to them both so I am often running one of them in the background. I can code, rsync to the virtual server, test, and continue coding. I open SSH sessions to the virtual server just as if it were a real one. For nearly all intents and purposes, running these operating systems under Parallels is every bit as good as running them on a real server.

In some respects, it is quite a bit better. Since Parallels has come out, the dual 3.0GHz Xeon system that I have tucked away in a rack in our guest bedroom (because the fans are so loud) has not been powered up. In many ways, Parallels is much better than having a real server.

1. It uses far less power, dissipates far less heat, and generates almost no noise pollution which is quite nice in my Texas home.

2. Convenience. My dual Xeon is a server, so switching operating systems meant going into the other room, unplugging the active hotswap hard drive, and plugging in another. With Parallels, simply pause the running one, select another and start it up.

3. Portable. The dual Xeon is anchored to the rack in the closet. My virtual machines can be dropped onto my MacBook drive for portable access. I spent two months away from home this year and that feature was significantly better than dragging along another computer for testing.

4. Easy snapshots. I like to test my software on “virgin” boxes. This means reinstalling the OS quite frequently on a “real” server, or as I do on the Xeon, building a FreeBSD jail to test in. While the SATA disks in the iMac cannot keep pace with the Ultra320 SCSI disks in the server, I can generate a new system with a clean install simply by duplicating a Parallels disk image.

5. Leverages existing computing resources. I already have a really fast desktop, more than fast enough for development work and software testing.

6. More accessible. Because my virtual machines are so much faster (than Virtual PC on a dual G5), I use them much more frequently. Things I would seldom have taken the time for, such as “I wonder what this looks like in IE for Windows”, I now check. There is value in that for developers.

7. Stability. My systems never crash. Anything that changes that makes me particularly grumpy. I have had only one crash, while running a very early beta of Parallels. I stopped using it until the next beta came out, and it’s been steady as a rock ever since.

There are a couple of downsides to using Parallels. For example, I could not run Virtual PC 2004 for Windows under XP when XP was running under Parallels.

You need enough RAM for Mac OS X (1GB min on Intel systems) and the operating system you will run. For most people, that will be XP which should have 512MB set aside for it.

Parallels is highly recommended.

Image thieves

Thank you myspace, for providing your users with a simple mechanism for stealing not just my images, but also my bandwidth. After perusing my web server logs to find the root of another problem, I noticed a significant number of my images being served for myspace profile pages.

With a glint in my eye and a small grin, I have just single-handedly caused a rash of 403 Forbidden errors to appear on the pages of many myspace users. I doubt having broken images on a myspace profile is cool nor would having a random sysadmin expose your thievery to your fan base.

I can’t stop them from stealing my images, but I can stop them from stealing my bandwidth.
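The log review that turns up hotlinked images, as an added example (mine, not the author’s; the log lines are constructed and the hostnames are placeholders). It reads a combined-format access log on stdin, keeps only successful image requests whose Referer points at a host other than your own, and totals hits and bytes per referring host, which is the same evidence the post describes pulling out of the server logs.

```shell
#!/bin/sh
# Added example, not from the original post: report image requests whose
# Referer is a foreign site (hotlinking), per referring host, with the
# bytes served to that host. Input is Apache/nginx "combined" log format.

# hotlink_report OWNHOST < access.log
# Output lines: "<hits> <bytes> <referring-host>", most hits first.
hotlink_report() {
  awk -F'"' -v own="$1" '
    {
      # Fields when splitting on double quotes:
      #   $2 = request line, $3 = " status bytes ", $4 = referer
      split($2, req, " "); path = req[2]; sub(/\?.*/, "", path)
      if (path !~ /\.(gif|jpe?g|png)$/) next        # images only
      split($3, st, " "); if (st[1] != "200") next    # served successfully
      ref = $4
      if (ref == "-" || ref == "") next               # direct hits, no referer
      sub(/^https?:\/\//, "", ref); sub(/\/.*/, "", ref); ref = tolower(ref)
      if (ref == own || ref == ("www." own)) next     # our own pages
      hits[ref]++; bytes[ref] += st[2]
    }
    END { for (h in hits) printf "%d %d %s\n", hits[h], bytes[h], h }
  ' | sort -rn
}

# Constructed sample log lines (RFC 5737 addresses, placeholder hosts).
sample_log() {
  cat <<'EOF'
203.0.113.5 - - [28/Jul/2007:20:41:10 -0500] "GET /images/logo.png HTTP/1.1" 200 12000 "http://profile.myspace.com/index.cfm?id=1" "Mozilla/5.0"
203.0.113.6 - - [28/Jul/2007:20:41:12 -0500] "GET /images/banner.jpg HTTP/1.1" 200 18000 "http://profile.myspace.com/index.cfm?id=2" "Mozilla/5.0"
203.0.113.7 - - [28/Jul/2007:20:41:15 -0500] "GET /images/logo.png HTTP/1.1" 200 12000 "http://www.tnpi.net/computing/" "Mozilla/5.0"
203.0.113.8 - - [28/Jul/2007:20:41:20 -0500] "GET /computing/mac/ HTTP/1.1" 200 5000 "http://example.org/" "Mozilla/5.0"
203.0.113.9 - - [28/Jul/2007:20:41:25 -0500] "GET /images/logo.png HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Jul/2007:20:41:30 -0500] "GET /images/photo.gif?x=1 HTTP/1.1" 200 7000 "http://blog.example.net/post" "Mozilla/5.0"
EOF
}

# Usage: sample_log | hotlink_report tnpi.net
```

The 403s the post mentions come from the web server itself (a Referer check on image requests, for example with mod_rewrite on Apache). Keep in mind that the Referer header is supplied by the client, so this is a bandwidth control rather than an access control: it reliably stops browsers rendering someone else’s profile page, not a deliberate copy of the file, which is exactly the distinction the last line draws.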