enable SSH for new non-admin on OSX

Pick a suitable UID and GID :

$ sudo dscl . -list /Groups PrimaryGroupID | sort -n -k2
$ sudo dscl . -list /Users UniqueID |sort -n -k2


Add the user :

$ sudo dscl . -create /Users/newuser
$ sudo dscl . -create /Users/newuser UserShell /bin/bash
$ sudo dscl . -create /Users/newuser RealName "New User"
$ sudo dscl . -create /Users/newuser UniqueID "503"
$ sudo dscl . -create /Users/newuser PrimaryGroupID "20"
$ sudo dscl . -create /Users/newuser NFSHomeDirectory /Users/newuser


Create the users home directory :

$ sudo mkdir /Users/newuser
$ sudo chown newuser:staff /Users/newuser
$ sudo chmod 700 /Users/newuser


View the users details :

$ sudo dscl . -read /Users/newuser


Set the users password

$ sudo dscl . -passwd /Users/newuser PASSWORD


Add them to the allowed SSH users list :

$ sudo dseditgroup -o edit -a newuser -t user com.apple.access_ssh
$ sudo dseditgroup com.apple.access_ssh


DD-WRT, DNSmasq, fight!

I half completed this mini project, including getting a GPS driven ntp time source working, but haven’t felt it necessary to finish the write-up…

Aim

1. DHCP addresses for all connected hosts (some statically allocated)
2. DNS caching on the router
3. DHCP hostnames available through DNS (DNSmasq [Local DNS])
4. (optional) Blackhole certain DNS queries for ad blocking (add-hosts/pixelserv?)
5. (optional) DHCP options (4|42) – Time Server (Clients to sync time to router) (DNSmasq “dhcp-option = 42,192.168.0.4″)
6. (optional) DHCP options (7) – Log Server (Central syslog server)
7. (optional) DHCP options (123) – GeoConf

Method

…

Debian Squeeze – Openswan

During installation, the /var/lib/dpkg/info/openswan.postinst post installation script fails to check whether a CA cert exists before trying to copy it.

This throws the mysterious error : "cp: cannot stat `': No such file or directory"

Wrap the offending line (around line 176) with a quick check :

if [ "$cafile" ]; then
cp "$cafile" /etc/ipsec.d/cacerts
fi

OSX dialog boxes

Ever since OSX ran on X86 hardware, it has been my primary OS – exclusively on MacBook Pro’s – and whilst learning it’s idiosyncrasies didn’t take long, as a heavy user of keyboard shortcuts I’d always been frustrated by dialog box choices.

 

The Tab key wouldn’t switch between the buttons, holding Alt or Cmd doesn’t hint at any shortcut letters available, but what does work is pressing the first letter of each buttons text whilst holding Cmd.

So in the example dialog box above, Cmd-C would cancel the choice, Cmd-K would keep the file and lastly Cmd-M would move the file to the trash. Simple, but not as obvious as you might think!

Debian squeeze, distcc-pump and kernel builds

Compiling a new kernel on an Intel N270 Atom-based Linux system can be awfully slow, so setting up distcc or ccache begins to really make sense.

However, there’s something about ccache and the Linux build process that don’t play nicely, using it’s masquerade setup I didn’t get a single hit from its cache.

Distcc on the other hand, especially when distributed pre-processing too with the distcc-pump invocation has a dramatic effect on the time taken to produce a new kernel (it’s very easy to fire up a stripped down Debian virtual machine to use as an extra distcc node), and here’s how I setup this Debian Squeeze 6.0.1 installation :

 

Firstly, install the kernel source of your choice and distcc using apt :

# apt-get install distcc-pump linux-source-2.6.32


 
Secondly, fix the distcc-pump script as it looks for python modules in the version 2.5 path, whereas Debian Squeeze comes with 2.6 out of the box :

# vi +43 /usr/bin/distcc-pump
include_server='/usr/lib/pymodules/python2.6/include_server/include_server.py'


 
Thirdly, setup some hosts to distribute the compiling to, here I choose to limit my faster ‘compute’ node to eight simultaneous jobs, and just one job at a time for the slower Atom system (the cpp,lzo options tell distcc to push pre-processing jobs to this host also and compress the source files across the wire) :

# cat /etc/distcc/hosts
compute/8,cpp,lzo localhost/1


 
Finally, as we can’t pass a ‘-j8′ option to the make command to request eight threads of compiling at once, we set the environment variable CONCURRENCY_LEVEL accordingly, the distcc-pump startup creates a socket which distcc can then talk to, though it borks the PATH, so we change that back to put /usr/lib/distcc at the beginning for its masquerading as a compiler to work correctly, and thats all you need to do before compiling and installing your kernel the Debian way.

# export DISTCC_VERBOSE=0
# export CONCURRENCY_LEVEL=8
# eval `distcc-pump --startup`
# echo $PATH
/usr/bin:/usr/lib/distcc:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# export PATH=/usr/lib/distcc:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# cd /usr/src/linux-source-2.6.32
# make menuconfig
# fakeroot make-kpkg --initrd --append-to-version=testbuild --revision=0.1 kernel_image
# distcc-pump --shutdown
# dpkg -i ../linux-image-2.6.32.testbuild_0.1_i386.deb


root password exposure on Ops Center provisioned hosts?

# ls -l /var/opt/sun/jet/config/jumpstart.conf
-rwxr-xr-x 1 root other 1551 Apr 13 2010 /var/opt/sun/jet/config/jumpstart.conf

Contains the DES encrypted root password on line prefixed “JS_Default_Root_PW=” set during installation and is world-readable.

PingChat! EULA

License from You for Your Content

Clause 9 : “By submitting, transmitting, making available or posting Your Content through PingChat!, You grant Us a world-wide, royalty free, perpetual, irrevocable and non-exclusive right and license to use, sublicense, reproduce, modify, adapt, publish, translate, distribute, perform and display Your Content worldwide and/or to incorporate it in other works in any form, media, or technology now known or later developed for the purposes of operating and providing PingChat!“

Err, no thanks.