Posts Tagged ‘Zack Smith’

MacSysAdmin 2012 Slides and Videos are Live!

Thursday, September 20th, 2012

318 Inc. CTO Charles Edge and Solutions Architect alumnus Zack Smith were back at the MacSysAdmin Conference in Sweden again this year, and the slides and videos are now available! All the 2012 presentations can be found here, and past years are at the bottom of this page.

Visit our booth at Macworld 2010

Thursday, February 11th, 2010

Come visit our booth at Macworld 2010 on the expo floor. We are located in Booth 566C and have a bunch of free schwag to give out.

We also have a number of sessions this year:

Hands-on Snow Leopard Server: Collaboration Services with Charles Edge
2/10 – 1:00PM to 3:00PM

Push: The Next Generation of Collaboration is Snow Leopard Server with Charles Edge
2/11 – 4:30PM to 6:00PM

Advanced Integration with Final Cut Server with Beau Hunter
2/12 – 3:30PM to 5:00PM

iPhone Mass Deployment with Zack Smith
2/13 – 2:30PM to 4:00PM

We hope to see you there!

318 & MacWorld 2010

Thursday, September 24th, 2009

318 is proud to announce that we will have 3 speakers doing a total of 4 sessions at the upcoming MacWorld Conference & Expo in San Francisco in February. Speakers will be Beau Hunter, Zack Smith and Charles Edge.

We will also be announcing some events as the conference gets closer. If you are planning to attend then you can sign up here. We hope to see you there!

[ DNS ] Setting hostnames based on PTR

Friday, August 29th, 2008

Xsan 2 uses the hostname to connect to a client. Normally this is set correctly, but due to some caching issues I had to set it manually via ARD the other day. Enjoy the quick code, which looks up the PTR record for the address on en0 and sets HostName to it:

scutil --set HostName "$(host $(ifconfig en0 | awk '/inet /{ print $2;exit}') | awk '{print $NF;exit}' | sed 's/.$//g')"
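The same lookup, as an added example that is not the post's own one-liner: the parsing is split out so it can be checked, and HostName is only changed when the reverse lookup actually returned a PTR. The original pipeline's sed 's/.$//g' drops the last character of whatever host printed, so a "not found: 3(NXDOMAIN)" answer would have ended up as the hostname. The sample answers and interface name are constructed.

```shell
# Added example (not the original one-liner): PTR lookup with a guard that
# refuses to change HostName when the reverse lookup fails.
ptr_to_hostname() {
    # $1: the first line of `host <ip>` output. Prints the PTR name without
    # its trailing dot and returns 0; returns 1 for anything else.
    case "$1" in
        *" domain name pointer "*)
            name="${1##* }"              # last whitespace-separated field
            printf '%s\n' "${name%.}"    # strip the trailing dot if present
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Constructed sample answers (no real lookups are performed here).
PTR_OK="5.0.168.192.in-addr.arpa domain name pointer xsan-client05.example.com."
PTR_MISSING="Host 6.0.168.192.in-addr.arpa not found: 3(NXDOMAIN)"

set_hostname_from_ptr() {
    # Interface defaults to en0 as in the post; run as root or via ARD.
    iface="${1:-en0}"
    ip=$(ifconfig "$iface" | awk '/inet /{print $2; exit}')
    [ -n "$ip" ] || { echo "no IPv4 address on $iface" >&2; return 1; }
    answer=$(host "$ip" 2>/dev/null | head -n 1)
    name=$(ptr_to_hostname "$answer") || {
        echo "no PTR for $ip; HostName left unchanged" >&2
        return 1
    }
    scutil --set HostName "$name"
}
```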

If you would like to contact me with comments or inaccuracies about this article, feel free.

Using cmpindex4 to Fix Kerio Status and Index Files

Friday, May 9th, 2008

Installation
This is a bash (shell) script deployed on a few select client systems; it is not installed by default. To use it you must upload the script to the server using any method available, such as ARD's copy command, scp/sftp or, as a last resort, cut and paste via ARD (if the ARD UDP ports have not been opened on the host).
If you do cut and paste to recreate the file, make sure to use a command line editor such as nano or vi (or just use TextEdit with Format -> Make Plain Text selected). The script's creator suggests you place it in the mailstore directory (which may need to be done as root), i.e.
sudo cp ~/Desktop/cmpindex* /usr/local/kerio/mailserver/store/mail/
sudo chmod +x /usr/local/kerio/mailserver/store/mail/cmpindex*

Usage
Once installed, the general use is fairly simple: the script does a line count on any index.fld (or status.fld) file passed to it, i.e.:
sudo /usr/local/kerio/mailserver/store/mail/cmpindex4 /path/to/mailserver/store/mail/318.com/anna/INBOX/index.fld

Alternatively, using the preferred method, you can use the find command in conjunction with cmpindex4 to search for all index.fld files in the mailstore. While this takes longer, it yields a more complete fix for all index and status files having issues.
sudo -s
cd /usr/local/kerio/mailserver/store/mail/
find . -name index.fld -exec ./cmpindex4 {} \;

The script's behavior is to compare the line counts in the index.fld and status.fld files and either correct the size mismatch by recreating the file (in the case of the status files) or rename index.fld to index.bad automatically (which is picked up by the built-in Kerio reindex tool). The script outputs the names of the files affected. The script uses the bash shell and thus by default only works on *nix and Mac OS X systems; however, you can use it under Cygwin on Windows with the following commands installed: sed, rm, touch, mv, perl, awk and grep. The script was created by a Kerio engineer and could use some rewriting, but is generally solid.
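Before running cmpindex4 across a whole mailstore it helps to know what it would touch. The following is an added, report-only audit (it is not the Kerio engineer's script and changes nothing) that walks a mailstore and lists every folder whose index.fld and status.fld line counts differ. It assumes, as described above, that the two files are expected to have the same number of lines; the sample mailstore it builds is constructed.

```shell
# Added example (not cmpindex4 itself): report-only audit of a Kerio mailstore.
audit_mailstore() {
    store="$1"        # e.g. /usr/local/kerio/mailserver/store/mail
    find "$store" -name index.fld | while IFS= read -r idx; do
        dir=$(dirname "$idx")
        st="$dir/status.fld"
        [ -f "$st" ] || { printf 'MISSING status.fld: %s\n' "$dir"; continue; }
        ni=$(wc -l < "$idx" | tr -d ' ')
        ns=$(wc -l < "$st" | tr -d ' ')
        # Same line count means cmpindex4 would leave this folder alone.
        [ "$ni" -eq "$ns" ] || printf 'MISMATCH %s (index=%s status=%s)\n' "$dir" "$ni" "$ns"
    done
}

# Build a constructed throwaway mailstore: anna's INBOX is consistent,
# bob's INBOX has one fewer index line than status lines.
make_sample_store() {
    root=$(mktemp -d)
    mkdir -p "$root/example.com/anna/INBOX" "$root/example.com/bob/INBOX"
    printf 'a\nb\nc\n' > "$root/example.com/anna/INBOX/index.fld"
    printf 'a\nb\nc\n' > "$root/example.com/anna/INBOX/status.fld"
    printf 'a\nb\n'    > "$root/example.com/bob/INBOX/index.fld"
    printf 'a\nb\nc\n' > "$root/example.com/bob/INBOX/status.fld"
    printf '%s\n' "$root"
}
```

Run audit_mailstore against the real store path (as root, like the find command above) and only the mismatching folders are printed.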

Create Mobile Accounts From Local Accounts in 10.4 and 10.5

Sunday, March 2nd, 2008

This setup can be performed locally or remotely via Apple Remote Desktop.

1. Have the user change the local password to the network password via System Preferences. If this step is skipped, add the Keychain Minder application as a login item:

http://www.afp548.com/article.php?story=20050306085715981

2. Log in as the 318admin account (create it if necessary). Do not use Fast User Switching!

3. Verify the bind for the system to Open Directory or Active Directory.

4. Survey the existing home directory permissions, viewing them numerically:

ls -lnd /Users/anna

# drwxr-xr-x+ 38 505 505 1292 Feb 29 14:36 anna

In this example 505 is the local user's UID.

5. Obtain the UID of the local user:

id -u anna

# 505

6. Obtain the UID of the network user. In this example the network username and local username are the same; the steps are the same if they are different.

6.1 When using Active Directory (note that "WALLCITY" is the NT-style domain name for wallcity.org):

id -u 'WALLCITY\anna'

# 138809240

6.2 When using Open Directory (note that iduro.wallcity.org is the Open Directory server that the client is bound to):

dscl /LDAPv3/iduro.wallcity.org/ -read /Users/anna uidNumber

# uidNumber: 1035

Note the UIDs discovered for both the local user and the network user.

7. Delete the local user account record. If configuring remotely via ARD, lock the screen before performing this step so that the user cannot accidentally log in during the process.

dscl . -delete /Users/anna

8. Change the ownership recursively and numerically, using the network UID and the "staff" group. In this example 138809240 is the AD network UID discovered in step 6.

chown -R 138809240:staff /Users/anna

9. Create the mobile account.

9.1 For Leopard (10.5) systems (one line):

sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n anna

9.2 For Tiger (10.4) systems:

sudo /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher -U anna

10. Verify that the permissions were changed to the network account, numerically:

ls -lnd /Users/anna

# drwxr-xr-x+ 39 138809240 20 1326 Feb 29 16:04 /Users/anna

10.1 Verify that UID-to-username resolution works (i.e. 138809240 resolves to anna or WALLCITY\anna, and 20 resolves to staff), as shown:

ls -ld /Users/anna

# drwxr-xr-x+ 39 anna staff 1326 Feb 29 16:04 /Users/anna
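Steps 5 through 10 above as one script, added here as an example and not part of the original procedure. It assumes the layout used in the steps (home in /Users/<user>, group staff with gid 20, an AD principal written like 'WALLCITY\anna'), picks the Leopard or Tiger tool from the OS version before deleting anything, and refuses to hand the machine back unless the numeric owner and group of the home directory check out. The user and domain names are placeholders; run it from the 318admin session.

```shell
# Added example (not the post's own script): local-to-mobile account migration.
verify_owner() {
    # $1: one line of `ls -lnd` output; $2: expected uid; $3: expected gid.
    # Returns 0 only when the numeric owner and group both match, so a
    # half-finished chown or a failed dscl delete is caught (step 10).
    got_uid=$(printf '%s\n' "$1" | awk '{print $3}')
    got_gid=$(printf '%s\n' "$1" | awk '{print $4}')
    [ "$got_uid" = "$2" ] && [ "$got_gid" = "$3" ]
}

migrate_to_mobile() {
    user="$1"          # local short name, e.g. anna
    principal="$2"     # network identity, e.g. 'WALLCITY\anna' (AD) or anna (OD)
    home="/Users/$user"

    # Steps 5 and 6: both UIDs must resolve before anything is changed.
    local_uid=$(id -u "$user") || { echo "no local user $user" >&2; return 1; }
    net_uid=$(id -u "$principal") || { echo "cannot resolve $principal; check the bind (step 3)" >&2; return 1; }
    [ "$local_uid" != "$net_uid" ] || { echo "UIDs already match; nothing to do" >&2; return 0; }
    echo "local uid=$local_uid network uid=$net_uid"

    # Step 9 tool chosen up front so an unsupported OS never reaches step 7.
    case "$(sw_vers -productVersion)" in
        10.5*) mca=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount; flag=-n ;;
        10.4*) mca=/System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher; flag=-U ;;
        *) echo "unsupported OS version" >&2; return 1 ;;
    esac

    sudo dscl . -delete "/Users/$user"          # step 7
    sudo chown -R "$net_uid:staff" "$home"      # step 8
    sudo "$mca" "$flag" "$user"                 # step 9

    verify_owner "$(ls -lnd "$home")" "$net_uid" 20 || {
        echo "ownership check failed on $home" >&2
        return 1
    }
    ls -ld "$home"                              # step 10.1: names should now resolve
}
```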

Migrating FileVault Images (10.5)

Thursday, January 24th, 2008

10.5: Boot the clean "new" machine, create the default admin user (318admin) and log in as 318admin.

Run the "id" command in Terminal on the "old" machine to find out what the "old" UID is.

Run the "id" command in Terminal on the "new" machine to find out the 318admin UID (probably 501).

Migrate /Library/Keychains/FileVaultMaster.keychain and FileVaultMaster.cer from the old machine to the new one (same location). This is for good measure, and migrates the master password (the back door) as well.

Create a new account with the same short name and password (the password must match the old account for the FV image to work; this migrates the keychain as well). Check the "Turn on FileVault protection" box when creating the new account.

Right-click on the new "zack" user in System Preferences > Accounts and choose "Advanced Options" (10.5+).

If the old UID is not the same as the current UID, change it to that old value. If, however, that UID conflicts with 318admin (i.e. they are both 501, as discovered above), leave it and you will have an extra step below.

We don't need the fresh FV image on the NEW machine, so we can move it out of the way (or delete it) and clean it up when done:

sudo mv /Users/zack/ /Users/fresh.zack

Copy the old machine's /Users/zack/zack.sparsebundle to the new machine's /Users/zack/zack.sparsebundle (10.5 -> 10.5 only).

Change the ownership on the migrated home directory folder and the FV image inside it:

sudo dscacheutil -flushcache
sudo chown -R zack:zack /Users/zack

If earlier you changed the current zack UID to the old one, you are done.

If, however, you had a UID conflict with 318admin above, you need to mount the disk image (with zack's password), choose Get Info, uncheck "Ignore permissions on this volume", then run:

chown -R zack:zack /Volumes/zack

to change the UIDs within the disk image itself. If you migrated the permissions over from the old machine (i.e. cp -Rp), you won't be able to just double-click the image to mount it, as you don't have access to the parent folder; instead mount it via the command line (you will be prompted for the password):

sudo hdid /Users/zack/zack.sparsebundle

then run the chown -R zack:zack /Volumes/zack as mentioned above. For good measure, set the permissions to user=rwx, group=none, other=none:

sudo chmod -R 700 /Users/zack

Finally, you can clean up the "fresh" home directory with "rm -r /Users/fresh.zack", or drag it to the Trash in the UI, as "rm -r" can be bad when used under /Users/ if you make a mistake.

A Brief History of Cryptography

Tuesday, October 23rd, 2007

Cryptology is derived from the Greek words kryptos, meaning "hidden", and graphein, meaning "to write". Through history, cryptography has meant the process of concealing the contents of a message from all except those who know the key. Cryptography is used to protect e-mail messages, credit card information, and corporate data. It has been used for centuries to hide messages when they are sent over channels where they might be intercepted, such as, today, the Internet.

But encrypting email messages as they traverse the Internet is not the only reason to understand or use various cryptographic methods. Every time you check your email, your password is being sent over the wire. Many ISPs or corporate environments use no encryption on their mail servers, and the passwords used to check mail are submitted to the network in clear text (with no encryption). When a password is put onto a wire in clear text it can easily be intercepted. This is especially dangerous when you are on the road, at hotels, on wireless hotspots, or at an internet café. However, it is often just as simple to obtain another user's password for email, payroll systems and file servers while at work and on the same network. Applications such as Wireshark, Ethereal and many others have existed for a long time and are now fairly advanced, allowing the user to possibly replay the password, or a stream of packets that resemble credentials, to a server in order to gain entry.

To aid in protecting communications between computers, there are a wide variety of cryptographic implementations in use. They are typically provided for one of two reasons: to protect data on the computer or to protect data as it is being transferred. Most cryptographic techniques rely heavily on the exchange of cryptographic keys.

Symmetric-key cryptography refers to encryption methods where both senders and receivers of data share the same key, and data is encrypted and decrypted with algorithms based on those keys. The modern study of symmetric-key ciphers revolves around block ciphers and stream ciphers and how these ciphers are applied. Block ciphers take a block of plaintext and a key, then output a block of ciphertext of the same size. DES and AES are block ciphers. AES, also called Rijndael, is a designated cryptographic standard of the US government. AES uses a key size of 128, 192 or 256 bits. DES is no longer an approved method of encryption, but triple-DES, its variant, remains popular. Triple-DES uses three 56-bit DES keys and is used across a wide range of applications from ATM encryption to e-mail privacy and secure remote access. Many other block ciphers have been designed and released, with considerable variation in quality.

Stream ciphers create an arbitrarily long stream of key material, which is combined with a plaintext bit by bit or character by character, somewhat like the one-time pad encryption technique. In a stream cipher, the output stream is based on an internal state, which changes as the cipher operates. That state’s change is controlled by the key, and, in some stream ciphers, by the plaintext stream as well. RC4 is an example of a well-known stream cipher.

Cryptographic hash functions do not use keys but take data and output a short, fixed length hash in a one-way function. For good hashing algorithms, collisions (two plaintexts which produce the same hash) are extremely difficult to find, although they do happen.

Symmetric-key cryptosystems typically use the same key for encryption and decryption. A disadvantage of symmetric ciphers is that a complicated key management system is necessary to use them securely. Each distinct pair of communicating parties must share a different key. The number of keys required increases with the number of network members. This requires very complex key management schemes in large networks. It is also difficult to establish a secret key exchange between two communicating parties when a secure channel doesn’t already exist between them.

Whitfield Diffie and Martin Hellman are considered the inventors of public-key cryptography. They proposed the notion of public-key (also called asymmetric key) cryptography in which two different but mathematically related keys are used: a public key and a private key. A public key system is constructed so that calculation of the private key is computationally infeasible from knowledge of the public key, even though they are necessarily related. Instead, both keys are generated secretly, as an interrelated pair.

In public-key cryptosystems, the public key may be freely distributed, while its paired private key must remain secret. The public key is typically used for encryption, while the private or secret key is used for decryption. Diffie and Hellman showed that public-key cryptography was possible by presenting the Diffie-Hellman key exchange protocol. Ronald Rivest, Adi Shamir, and Len Adleman invented RSA, another public-key system. Later, it became publicly known that asymmetric cryptography had been invented by James H. Ellis at GCHQ, a British intelligence organization and that both the Diffie-Hellman and RSA algorithms had been previously developed. Diffie-Hellman and RSA, in addition to being the first public examples of high quality public-key cryptosystems are among the most widely used.

In addition to encryption, public-key cryptography can be used to implement digital signature schemes. A digital signature is somewhat like an ordinary signature; they have the characteristic that they are easy for a user to produce, but difficult for anyone else to forge. Digital signatures can also be permanently tied to the content of the message being signed as they cannot be ‘moved’ from one document to another as any attempt will be detectable. In digital signature schemes, there are two algorithms: one for signing, in which a secret key is used to process the message (or a hash of the message or both), and one for verification, in which the matching public key is used with the message to check the validity of the signature. RSA and DSA are two of the most popular digital signature schemes. Digital signatures are central to the operation of public key infrastructures and to many network security schemes (SSL/TLS, many VPNs, etc). Digital signatures provide users with the ability to verify the integrity of the message, thus allowing for non-repudiation of the communication.

Public-key algorithms are most often based on the computational complexity of “hard” problems, often from number theory. The hardness of RSA is related to the integer factorization problem, while Diffie-Hellman and DSA are related to the discrete logarithm problem. More recently, elliptic curve cryptography has developed in which security is based on number theoretic problems involving elliptic curves. Because of the complexity of the underlying problems, most public-key algorithms involve operations such as modular multiplication and exponentiation, which are much more computationally expensive than the techniques used in most block ciphers, especially with typical key sizes. As a result, public-key cryptosystems are commonly “hybrid” systems, in which a fast symmetric-key encryption algorithm is used for the message itself, while the relevant symmetric key is sent with the message, but encrypted using a public-key algorithm. Hybrid signature schemes are often used, in which a cryptographic hash function is computed, and only the resulting hash is digitally signed.

OpenSSL is one of the main applications used in Linux and Mac OS X to access the various encryption mechanisms supported by the operating systems. OpenSSL supports Diffie-Hellman and various versions of RSA, MD5, AES, Base64, SHA, DES, CAST and RC ciphers. OpenSSL allows you to apply ciphers, decrypt information and set the various parameters required to encrypt and decrypt data.
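The hybrid construction described above, carried out with the openssl command line as an added example (it is not from the book excerpt): a fresh AES-256 key encrypts the message, the recipient's RSA public key wraps that small key, and the sender signs a SHA-256 hash of the message rather than the message itself. The key names and the sample message are constructed for the demo; the IV travels in the clear, as it would in practice.

```shell
# Added example (not from the book): hybrid encryption plus hash-then-sign with openssl.
hybrid_demo() (
    work=$(mktemp -d) || exit 1
    cd "$work" || exit 1
    printf 'Constructed sample message: quarterly payroll export\n' > msg.txt

    # Two key pairs: the recipient's (for key wrapping) and the sender's (for signing).
    for who in recipient sender; do
        openssl genrsa -out "$who.pem" 2048 2>/dev/null
        openssl rsa -in "$who.pem" -pubout -out "$who.pub" 2>/dev/null
    done

    # Sender: symmetric encryption of the bulk data with a one-off key and IV.
    aes_key=$(openssl rand -hex 32)     # 256-bit key, hex encoded
    iv=$(openssl rand -hex 16)          # 128-bit CBC IV
    openssl enc -aes-256-cbc -K "$aes_key" -iv "$iv" -in msg.txt -out msg.enc
    # The expensive public-key operation touches only the small AES key.
    printf '%s' "$aes_key" > aes.key
    openssl pkeyutl -encrypt -pubin -inkey recipient.pub -in aes.key -out aes.key.enc
    # Hash-then-sign: RSA signs the SHA-256 digest, not the whole message.
    openssl dgst -sha256 -sign sender.pem -out msg.sig msg.txt

    # Recipient: unwrap the key, check the signature, then decrypt.
    recovered=$(openssl pkeyutl -decrypt -inkey recipient.pem -in aes.key.enc)
    [ "$recovered" = "$aes_key" ] || exit 1
    openssl dgst -sha256 -verify sender.pub -signature msg.sig msg.txt >/dev/null || exit 1
    openssl enc -d -aes-256-cbc -K "$recovered" -iv "$iv" -in msg.enc -out msg.dec
    cmp -s msg.txt msg.dec || exit 1

    # The signature is bound to msg.txt: it must not verify against an altered copy.
    printf 'Constructed sample message: quarterly payroll export (edited)\n' > other.txt
    if openssl dgst -sha256 -verify sender.pub -signature msg.sig other.txt >/dev/null 2>&1; then
        exit 1
    fi
    cd / && rm -rf "$work"
)
```

hybrid_demo returns 0 only when the key unwraps, the signature verifies on the original and fails on the altered copy, and the decrypted file matches the plaintext.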

This article is a reprint from Foundations of Mac OS X Security (Apress), written by Charles Edge, William Barker and Zack Smith of 318.