Sunday, June 28, 2009

Parallels Desktop - upgrade from version 3 to 4 never finishes

If you have upgraded Parallels Desktop from version 3 to 4, there is a mandatory upgrade of your virtual machines.

If your VM is Windows XP and you have Zone Alarm installed, it will never finish.

You need to click the 'lock' icon to go into manual mode, make your Zone Alarm selections, and the upgrade will finish.

Wednesday, June 24, 2009

OSX SSH / Remote Login - prevent brute force password attacks with a Key and Passphrase

If you have a machine on the internet that you can connect to via SSH, then you should consider disabling password access and allowing only a key with a passphrase.

First you need to create a key on the client machine:

$ ssh-keygen -t dsa -f ~/.ssh/id_dsa -C username@domain.com
(Enter passphrase)

The username@domain.com is only a comment stored with the key; it can be of the form fred@google.com, or just fred. For example, to get to my machine at home from the Internet I log in as

$ ssh name@server.domain.com

so that's what I put in for the key. However, when I am at home, I don't need the FQDN or a different account name, so

$ ssh server

will do. Either is good.

Next you need to copy the public key to the remote server:
$ scp ~/.ssh/id_dsa.pub remoteserver:
user@server's password:

Then you need to login to the remote server:

$ ssh user@remoteserver
user@server's password:

Then you need to append the key to the authorized keys file:
$ cat id_dsa.pub >> .ssh/authorized_keys2
$ chmod 600 .ssh/authorized_keys2

If you get an error about "authorized_keys2" not being available, it's likely because the account on the remote machine has never SSH'd to anywhere else, so its .ssh directory does not exist yet. SSH to somewhere from that account and try again.

now, when you do

$ ssh remoteserver

you should get the SSH-AGENT dialog box


When this is working, you can then turn off password authentication. On the remote machine open the sshd_config file

$ sudo nano /private/etc/sshd_config

and locate the lines below, removing the leading # so that they read

PasswordAuthentication no
ChallengeResponseAuthentication no

restart SSH and you are good to go
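
A quick way to confirm the edit took effect, as an added example that is not part of the original post: this script reads an sshd_config and reports whether password logins are really off. The function names and sample configs are constructed for illustration, and it assumes the upstream OpenSSH default of yes when a keyword is left commented out.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two settings changed above.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and a commented-out line leaves the default in force.

# effective_value FILE KEYWORD -> first global value, else the default "yes"
# (assumption: upstream OpenSSH default for both keywords checked here).
effective_value() {
    awk -F '[ \t=]+' -v key="$2" '
        BEGIN { key = tolower(key); val = "yes" }
        { sub(/^[ \t]+/, "") }                  # drop leading indentation
        /^#/ || NF == 0 { next }                # skip comments and blank lines
        tolower($1) == "match" { exit }         # stop at first conditional block
        tolower($1) == key { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# password_login_disabled FILE -> exit status 0 only if both settings are "no"
password_login_disabled() {
    rc=0
    for key in PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(effective_value "$1" "$key")
        printf '  %-32s %s\n' "$key" "$val"
        [ "$val" = "no" ] || rc=1
    done
    return "$rc"
}

# Constructed sample configs (not taken from a real host).
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    printf '%s\n' '#PasswordAuthentication no' \
        '#ChallengeResponseAuthentication no' > "$SAMPLE_DIR/before"
    printf '%s\n' 'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' > "$SAMPLE_DIR/after"
    # An earlier "yes" wins over the later "no".
    printf '%s\n' 'PasswordAuthentication yes' 'passwordauthentication no' \
        'ChallengeResponseAuthentication=no' > "$SAMPLE_DIR/shadowed"
}

make_samples
for name in before after shadowed; do
    echo "$name:"
    if password_login_disabled "$SAMPLE_DIR/$name"; then
        echo "  => password logins disabled"
    else
        echo "  => password logins still possible"
    fi
done
```

Point `password_login_disabled` at `/private/etc/sshd_config` to check the real file; `sudo sshd -T` prints the configuration that sshd itself computes.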

On the client you can manage your SSH identities, for example:

to list the identities
$ ssh-add -l

to delete all identities, which you might want to do if you are doing a key refresh

$ ssh-add -D
All identities removed.

more at the man page developer.apple.com/documentation/Darwin/Reference/ManPages/man1/ssh-add.1.html

Monday, June 22, 2009

OSX Server and AFP "No matching key:"

After a restart of the server, no users could log in. They got authenticated, but then after a loooong delay their Finder said 'disconnected'.

Checking the AFP log on the server I see lots and lots of

    IP 192.168.1.21 - - [21/Jun/2009:18:50:00 0000] "Login bob" 0 0 0
    **** - - [21/Jun/2009:18:50:02 0000] "Mounted Volume XServer" 0 0 0
    **** - - [21/Jun/2009:18:50:02 0000] "Mounted Volume Data" 1 0 0
    **** - - [21/Jun/2009:18:50:02 0000] "Mounted Volume Disk1" 2 0 0
    **** - - [21/Jun/2009:18:50:02 0000] "DiskArbStart -" 0 6403 0
    IP 192.168.1.21 - - [21/Jun/2009:18:50:11 0000] "Login bob" 0 0 0
    IP 192.168.1.21 - - [21/Jun/2009:18:50:11 0000] "Login bob" 0 0 0
    IP 192.168.1.21 - - [21/Jun/2009:18:50:11 0000] "No matching key: bob" 1247645341 1243892782 92
    **** - - [21/Jun/2009:18:50:12 0000] "Mounted Volume XServer" 0 0 0
    **** - - [21/Jun/2009:18:50:12 0000] "Mounted Volume Disk2" 1 0 0
    **** - - [21/Jun/2009:18:50:12 0000] "Mounted Volume Disk1" 2 0 0
    **** - - [21/Jun/2009:18:50:12 0000] "DiskArbStart -" 0 6403 0
    IP 192.168.1.21 - - [21/Jun/2009:18:50:21 0000] "Login bob" 0 0 0
    IP 192.168.1.21 - - [21/Jun/2009:18:50:21 0000] "Login bob" 0 0 0
    IP 192.168.1.21 - - [21/Jun/2009:18:50:21 0000] "No matching key: bob" 1247645341 1243892782 92

A restart didn't fix it, so I decided to re-install the latest patch from the combo, in this case 10.4.11. Now everything is back to normal.