Archive for September, 2005

5 Tips and Tricks with Apple Remote Desktop

Tuesday, September 27th, 2005

HOW TO…

1. Create a new user on remote machines.
There are several ways to create new users across multiple machines with ARD, including running niutil. But because the Send UNIX Command is not interactive, there is no way to enter a password when prompted unless you know more advanced Unix syntax.

My preferred method is to create an ARD installer package (you can even specify an account with no ARD privileges to just create a generic user without ARD rights), and then use the Install Package command on the client machine(s). If you need that user to have admin rights on his/her machine (the ARD package installer creates a standard, non-admin user by default), you can run the UNIX command after you have installed the package (be sure to run it as root):

niutil -appendprop / /groups/admin users newusername

2. Remove a user from remote machines.
It’s as easy as running two UNIX commands as root from ARD (be careful, these commands are case sensitive):

niutil -destroy . /users/deletedusername
rm -rf /Users/deletedusername

Be careful not to delete the user account that your ARD admin machine is using for ARD access!

3. Figure out who needs which updates.
Let’s say you have a large group of computers that need updating, but you have no idea which machines need which updates. You can send a UNIX command to all selected computers simultaneously to get a look at who needs updating:

10.2 clients:
softwareupdate

10.3 & 10.4 clients:
softwareupdate --list

Software Update will launch as a background process on the selected machines, without requiring any action by the user (and without their even knowing it). Once their systems have checked with the Software Update server for the latest updates, you will see the results of your query in a separate window.

4. Force clients to get current via Software Update.
Tired of pushing patch after patch using the Install Package command? You can force client machines to run their own Software Update locally by sending a UNIX command (this must be run as root to work properly):

10.3 & 10.4 clients:
softwareupdate --install --all

Software Update will launch as a background process on the selected machines, without requiring any action by the user. Mac OS X 10.3 clients will retrieve their updates from Apple, so be mindful of sudden bandwidth constraints for your LAN if you try this during a busy time on a lot of machines simultaneously. But if your 10.4 Server and Clients are configured for Software Update services, the client machines will retrieve their updates from the cached packages on the server, saving you significant bandwidth resources and time.

10.2's version of softwareupdate doesn’t have a man page, so I still haven’t figured out how to tell Jaguar systems to update everything to the current version. My workaround was to first get a list of all eligible updates (see item 3 above), then use the command:

softwareupdate --install [list each update individually]

Be careful to not leave client systems in an unstable state. When the softwareupdate application is done installing an update that requires a restart, it will be indicated on the status window’s output screen.
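
Added example (not from the original post): a small shell filter that reads saved softwareupdate --list output and builds the per-update install command from item 4, keeping updates flagged for restart separate so they can be scheduled. The sample listing and its labels are constructed, and the listing layout the parser expects is an assumption.

```shell
#!/bin/sh
# Added example, not the post's own script.
# Assumed layout of the listing: a "* label" line followed by an indented
# "Title (version), size [recommended] [restart]" line.

# Constructed sample output (labels are made up for illustration).
sample_listing() {
    printf '%s\n' \
        'Software Update Tool' \
        '' \
        'Software Update found the following new or updated software:' \
        '   * ExampleSecUpd-1.0' \
        '        Example Security Update (1.0), 4700K [recommended]' \
        '   * ExamplePlayer-2.0' \
        '        Example Player (2.0), 13700K [recommended]' \
        '   * ExampleOSUpdate-10.0.1' \
        '        Example OS Update (10.0.1), 58000K [recommended] [restart]'
}

# Print "label<TAB>restart|no-restart" for every update in the listing on stdin.
list_updates() {
    awk '
        /^[ \t]*\* / { sub(/^[ \t]*\* /, ""); label = $0; next }
        label != "" {
            print label "\t" (index($0, "[restart]") ? "restart" : "no-restart")
            label = ""
        }'
}

# Build one install command from the labels whose restart flag equals $1.
# Prints nothing when no update matches.
install_command() {
    labels=$(list_updates |
        awk -F '\t' -v want="$1" '$2 == want { printf " %s", $1 }')
    if [ -n "$labels" ]; then
        echo "softwareupdate --install$labels"
    fi
}

# Updates that can go out now, then the ones to hold for a restart window.
sample_listing | install_command no-restart
sample_listing | install_command restart
```
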

5. Export and Import computer lists.
Unfortunately, there is no way to move the entire collection of Computers and Lists from one ARD Admin machine to another (that is, without moving the entire PostgreSQL database, ARD .plist files, and ARD Keychain items). It’s less complicated just to export the list(s) of your choosing and import to the other machine.

Select a list and choose File > Export Window; you can now save the contents of the window to a text file. On the other ARD Admin machine, you can create a new Scanner, choose File Import, and drag-and-drop the text file into the Scanner window. You can then add those items to the Master List (or any other list you are managing).

I didn’t mention the software auditing capabilities of ARD: you can get a full report of all software installed on the remote machine(s), and do a search across multiple machines for a single app (you know, in case you can’t remember which of your 50 Macs you downloaded that special application to).

You can also rename machines, tell groups of Macs to quit all apps and log out and/or restart/shutdown, perform hard drive and network diagnostics, clone a hard drive (local to remote: appears to be a remote ghosting feature)….

Fear and Loathing Hackers in Las Vegas

Wednesday, September 14th, 2005

While attending DefCon, a hacking conference in Las Vegas, Three18 staff members learned of Ciscogate. Ciscogate revolves around the plight of Mike Lynn. He was a researcher for Internet Security Systems Inc (ISS) until he resigned last week after giving a speech at Black Hat, an Information Technology security conference in Las Vegas. Due to the presentation and the speech Lynn gave, a suit was filed against him by ISS and Cisco.

Cisco hired people to go through the CDs given out by Black Hat containing all of the presentations and replace them with CDs absent the presentation. The first appearances of the case in the media were taken down, reportedly by Cisco. Cisco began to cover up the flaws Lynn exposed in their operating system, claiming that they were not as serious as Lynn had reported. In a bold move, Cisco also had Lynn slapped with a gag order and settled the case out of court with the stipulation that Lynn never talk of the vulnerabilities again.

The presentation exposes serious security vulnerabilities in the Cisco operating system. Theoretically it is possible to exploit this flaw in order to bring entire legs of the Internet dark. Due to the scale of the exploit and the anti-trust issues surrounding the case, the FBI and Justice Department are now investigating Lynn for criminal charges. If the flaws in Cisco’s operating system were not as serious as Lynn reported, then why is the federal government involved?

We were amazed at the solidarity of the Hacker community around Lynn. A defense fund was started for him, copies of his speech were plastered across the Internet and shirts were printed overnight that read Ciscogate, the name given for the reported cover-up.

After returning home, Three18 worked hard at ensuring all of our clients’ routers were fully patched, which reportedly fixed the flaw Lynn uncovered. The point of Lynn’s disclosure of the seriousness of the vulnerabilities is to get System Administrators to patch their routers, which many of them might not have done otherwise.

Migrating Mac OS X User Profiles

Friday, September 2nd, 2005

This procedure assumes that you are not using the Migration Assistant that came with systems that shipped after 2004. It also assumes that you are only transferring user data (the home folder) and not Applications, Fonts, or other system data to the new Mac.

What you will need:

Old Mac (source of the profile)
New Mac (target of the profile)
FireWire cable

Before migrating the user it is wise to deauthorize iTunes accounts if possible to prevent the user from being locked out of their account.

1. Boot the old Mac into FireWire Target Disk Mode (hold T key during boot)

2. Connect the two Macs via FireWire cable. If possible, use FireWire 800, although this will not be available for all machines.

3. On the new Mac, create a user account with the same shortname and password as the profile on the old Mac. For the purposes of this demonstration, let’s say that the user is Ahi Kabob, with a shortname ahikabob, and that the boot drives of the old and new Macs are OldMacHD and NewMacHD, respectively.

4. Once the user has been created, it’s time to dive into the command line…

sudo rm -rf /Users/ahikabob/*

This command deletes the contents of the home folder we created in Step 3 above. Don’t worry, the account still exists! Read on…

sudo ditto -rsrc -V /Volumes/[OldMacHD]/Users/ahikabob /Users/ahikabob

This command copies the user’s home folder from the /Users folder on the old Mac into the /Users folder on the new Mac. The -V argument allows you to see the progress of what is being copied. The -rsrc argument (needed only on pre-10.4 systems) ensures that files containing resource forks have their forks preserved.

sudo chown -R ahikabob:ahikabob /Users/ahikabob

This command assigns the proper owner and group permissions to the user’s home folder. The -R argument makes the specified permissions recursive through all of the child folders of the specified folder. The ahikabob:ahikabob argument stipulates that both the owner and the group will be set to ahikabob; the final argument is the folder whose ownership is being changed.

You should now be able to log in as the user. All of the user’s settings will be preserved, especially the all-important keychain.

Remember that some programs will be deauthorized (ARD, Adobe programs, etc.), and you will need to re-enter the serials.
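
Added example (not part of the original post): the three commands above wrapped in a shell function that validates the short name and both folders before the rm -rf step, and only prints the commands unless DRY_RUN=0. The names migrate_home, valid_shortname, run and DRY_RUN are hypothetical; run it as root in place of the sudo prefixes.

```shell
#!/bin/sh
# Added example, not the post's own script. Run as root instead of using sudo.
# valid_shortname, run, migrate_home and DRY_RUN are hypothetical names.

# Accept only a plain short name, so "$dst_root/$name" can never collapse to
# the whole users folder or climb out of it through "..".
valid_shortname() {
    case "$1" in
        ""|.|..|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Echo the command in dry-run mode (the default), execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# migrate_home SHORTNAME SRC_USERS [DST_USERS]
#   SRC_USERS: users folder on the mounted old disk, e.g. /Volumes/OldMacHD/Users
#   DST_USERS: users folder on the new Mac (default /Users)
migrate_home() {
    name=$1; src_root=$2; dst_root=${3:-/Users}
    valid_shortname "$name" || { echo "refusing short name: '$name'" >&2; return 2; }
    src="$src_root/$name"; dst="$dst_root/$name"
    # The old disk must be mounted and actually hold this home folder...
    [ -d "$src" ] || { echo "source missing: $src" >&2; return 3; }
    # ...and the account from step 3 must already exist on the new Mac.
    [ -d "$dst" ] || { echo "target home missing: $dst" >&2; return 4; }
    # A symlinked home would make rm and chown act on some other location.
    [ ! -L "$src" ] && [ ! -L "$dst" ] || { echo "symlinked home" >&2; return 5; }
    run rm -rf "$dst"/* || return 6
    run ditto -rsrc -V "$src" "$dst" || return 7
    run chown -R "$name:$name" "$dst" || return 8
}

# Usage: sh migrate.sh ahikabob /Volumes/OldMacHD/Users   (add DRY_RUN=0 to act)
if [ "$#" -ge 2 ]; then migrate_home "$@"; fi
```
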