- Jan 29, 2012 12:34 AM (in response to tagme10k)
Thanks for the SSL instructions and Kerberos fix!
Here are a few more useful items on Lion Server working with iOS:
Encrypted and Signed Email
OS X support of S/MIME signed and encrypted emails works well once you discover the (undocumented) method of creating your own PKI certificate with Keychain Access.
- Quit Mail.app
- Open Keychain Access and make sure you don't have any old certificates in your keychain with your email address. Look in "My Certificates" and use the search bar in the upper RHS. Delete any old S/MIME certs that use your email address, as these will prevent OS X's secure email functions from working without any error messages.
- Create your certificate using Keychain Access>Certificate Assistant>Create A Certificate… with these non-default details. See the Apple Discussions comment "OSX Mail - Encryption Won't Work" for the correct way to create a cert that will work with OS X Mail.
  - Self-signed root, check override defaults
  - Key Usage Extension: Check ALL boxes, not just the default "Signature" box. Certainly overkill, but it works. Perhaps someone can post the minimally necessary setting for this cert to work with OS X Mail encryption and signing.
- Find your new certificate in Keychain Access, open it, and trust it. I trusted it for everything, but I believe that just the S/MIME and X.509 settings are adequate.
- Relaunch Mail.app. You'll get a little encryption and signing toggle in the upper RHS of every email composition window. Once you send yourself or anyone else a signed email message, this will also work on iOS 5 devices. See this Ars article for details and screenshots. YOUR CONTACTS MUST TRUST YOUR CERT WITHIN THEIR OWN KEYCHAIN TO BE ABLE TO VERIFY AND ENCRYPT MESSAGES TO YOU.
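The same "self-signed root" certificate can be produced outside the Keychain Access GUI with openssl, which also makes it easy to see exactly which key usage bits ended up in the cert. The script below is an added example (it is not the poster's code and the thread does not describe it); the name Alice Example, the address alice@example.com and all file paths are constructed for the example. It uses the standard S/MIME extension set from RFC 8550 (keyUsage digitalSignature for signing, keyEncipherment for RSA key transport when others encrypt to you, extendedKeyUsage emailProtection) plus basicConstraints CA:TRUE and keyCertSign, because OpenSSL only treats a self-issued certificate as its own trust anchor when its key usage includes keyCertSign. Whether Mail.app accepts exactly this set, rather than the "check ALL boxes" setting above, is an assumption the thread does not confirm. The script goes beyond the thread by decoding the extensions and doing a sign-and-verify round trip, which is what a recipient who has trusted your cert in their keychain effectively performs.

```shell
#!/bin/sh
# Added example: openssl equivalent of the Keychain Access "self-signed root"
# recipe. Builds a self-signed certificate that is both trust anchor and S/MIME
# end-entity cert, decodes its extensions, and verifies a signature with it.
# Names, paths and alice@example.com are constructed for this example.

# Write the extension profile. CA:TRUE + keyCertSign make the cert its own
# trust anchor; digitalSignature/keyEncipherment + EKU emailProtection are the
# S/MIME sign/encrypt bits (RFC 8550 profile; whether Mail.app needs exactly
# this set is an assumption).
write_smime_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = Alice Example
emailAddress = alice@example.com

[ v3_smime ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = emailProtection
subjectAltName = email:copy
subjectKeyIdentifier = hash
EOF
}

# make_smime_cert DIR: writes DIR/key.pem and DIR/cert.pem, valid one year
# (the same lifetime the thread mentions).
make_smime_cert() {
    write_smime_config "$1/smime.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/smime.cnf" -extensions v3_smime \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# cert_has TEXT CERT: succeeds if the decoded certificate mentions TEXT,
# e.g. "E-mail Protection" or "Key Encipherment".
cert_has() {
    openssl x509 -in "$2" -noout -text | grep -q "$1"
}

# sign_and_verify DIR: sign a constructed message with the cert, then verify
# it with that same cert as the only trust anchor (what a contact who has
# trusted your cert does). Exit status 0 means the signature checks out.
sign_and_verify() {
    printf 'Subject: test\n\nconstructed S/MIME test body\n' > "$1/msg.txt"
    openssl smime -sign -in "$1/msg.txt" -signer "$1/cert.pem" \
        -inkey "$1/key.pem" -out "$1/signed.eml" \
    && openssl smime -verify -in "$1/signed.eml" -CAfile "$1/cert.pem" \
        -out /dev/null 2>/dev/null
}

# Demo run in a scratch directory.
DEMO_DIR=$(mktemp -d)
make_smime_cert "$DEMO_DIR"
for ext in "CA:TRUE" "Digital Signature" "Key Encipherment" "Certificate Sign" "E-mail Protection"; do
    cert_has "$ext" "$DEMO_DIR/cert.pem" && echo "ok: $ext"
done
sign_and_verify "$DEMO_DIR" && echo "ok: signature verifies against the self-signed cert"
openssl x509 -in "$DEMO_DIR/cert.pem" -noout -enddate    # shows the one-year expiry
```

To get the result into Keychain Access, bundle key and cert as PKCS#12 (`openssl pkcs12 -export -inkey key.pem -in cert.pem -out smime.p12`) and import the .p12; the trust step from the list above still applies, since a self-signed cert is untrusted until you (and each contact) mark it so.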
If someone knows an easy/convenient way to upgrade these certs after they expire after one year (and they've been shared with others in your contact list), please post.
AirPrint
iOS AirPrint works great with older printers that do not support AirPrint using AirPrint Activator. To install a working version on Lion Server:
- Copy AirPrint Activator to the Applications folder
- System Preferences>Print and Scan>+ to add your printer, which may be connected over the WiFi LAN.
- Reboot.
- Server Admin>Firewall>Add service "AirPrint Activator" with open ports 19631-19639, TCP AND UDP. Restart the firewall.
- Reboot. And add AirPrint Activator to your account's Login Items so it launches automatically.
You should now be able to print from your iOS devices through Lion Server to your printer.
Mac mini, Mac OS X (10.7.2), Lion Server, 8 GB
- Jan 29, 2012 1:07 AM (in response to S.T.Smith)
Fax
Faxing is quite a stupid (ok, antiquated) technology -- digitize paper, send the bits, print them on more paper and forget them -- but sometimes you need to send one, especially if you're interacting with the health care industry. Following this discussion, you can get a working ~$12 faxer on your server. I've confirmed that this USB modem works with a Mac mini. I'd also highly recommend an RJ12 surge protector to isolate your box from the phone lines -- I personally had a lightning strike fry the modem on an older box. After you attach the USB modem, go to System Preferences>Print & Scan and add your USB modem as a faxing device. OS X will now offer the option of faxing whenever you print something.
This can also be done from the command line, allowing scripting, with the built-in /usr/bin/fax command. First, save your document as a PostScript .ps file. Then:
    $ sudo fax FROM='"123-456-7890"' NAME='"My Name"' make file.ps
    $ sudo fax FROM='"123-456-7890"' NAME='"My Name"' send "*70-1-098-765-4321" file.ps.001
Though faxing works fine with OS X print commands, this second command failed to send anything over my phone line. If anyone knows of a command line faxing fix, please post:
    efax v 0.9a-001114 Copyright 1999 Ed Casas. Compiled Jun 13 2011 16:41:35
    efax: Sat Jan 28 09:03:30 2012 Warning: local ID (123-456-7890) has non-standard characters
    efax: 03:30 opened /dev/cu.usbmodem24680241
    efax: 03:31 initializing modem
    efax: 03:32 using CX93001-EIS_V0.2002-V92 in class 1
Mac mini, Mac OS X (10.7.2), Lion Server, 8 GB
- Feb 9, 2012 2:47 AM (in response to S.T.Smith)
Privacy Enhancing Filtering Proxy and SSH Tunnel
Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler, flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
    $ ./ssht 8080:user@domain.com:3128
    $ ./ssht 8080:alice@:
    $ ./ssht 8080:
    $ ./ssht 8018::8123
    $ ./ssht 5901::5900
[Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
    $ vi ./ssht
    #!/bin/bash
    # SSH tunnel to squid/whatever proxy:
    #   ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
    # (bash rather than plain sh: the parsing below relies on the extglob +(pattern) syntax)
    USERNAME_DEFAULT=username
    HOSTNAME_DEFAULT=domain.com
    SSHPORT_DEFAULT=22
    # SSH port forwarding specs, e.g. 8080:localhost:3128
    LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
    REMOTEHOST_DEFAULT=localhost    # Default is localhost (as seen from the ssh server)
    REMOTEPORT_DEFAULT=3128         # Default is Squid port

    # Parse ssh port and tunnel details if specified
    SSHPORT=$SSHPORT_DEFAULT
    TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOTEHOST_DEFAULT:$REMOTEPORT_DEFAULT
    while [ "$1" != "" ]
    do
        case $1 in
            -p) shift                   # -p option: alternate ssh port
                SSHPORT=$1
                shift;;
            *)  TUNNEL_DETAILS=$1       # 1st argument option: the tunnel spec
                shift;;
        esac
    done

    # Get local and remote ports, username, and hostname from the command line argument:
    #   localhost_port:user_name@ip_address:remote_host:remote_port
    # Each step peels one field off the spec (CAR) and keeps the remainder (CDR).
    # The CDR is quoted where it is used as a pattern so that dots and other
    # glob characters in a hostname are taken literally.
    shopt -s extglob                    # needed for +(pattern) syntax; man bash
    LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
    USERNAME=$USERNAME_DEFAULT
    HOSTNAME=$HOSTNAME_DEFAULT
    REMOTEHOST=$REMOTEHOST_DEFAULT
    REMOTEPORT=$REMOTEPORT_DEFAULT

    # LOCALHOSTPORT
    CDR=${TUNNEL_DETAILS#+([0-9]):}     # delete shortest leading +([0-9]):
    CAR=${TUNNEL_DETAILS%%"$CDR"}       # cut this string from TUNNEL_DETAILS
    CAR=${CAR%:}                        # delete :
    if [ "$CAR" != "" ]                 # local port specified
    then
        LOCALHOSTPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR

    # REMOTEPORT
    CDR=${TUNNEL_DETAILS%:+([0-9])}     # delete shortest trailing :+([0-9])
    CAR=${TUNNEL_DETAILS##"$CDR"}       # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                        # delete :
    if [ "$CAR" != "" ]                 # remote port specified
    then
        REMOTEPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR

    # REMOTEHOST
    CDR=${TUNNEL_DETAILS%:*}            # delete shortest trailing :*
    CAR=${TUNNEL_DETAILS##"$CDR"}       # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                        # delete :
    if [ "$CAR" != "" ]                 # remote host specified
    then
        REMOTEHOST=$CAR
    fi
    TUNNEL_DETAILS=$CDR

    # USERNAME
    CDR=${TUNNEL_DETAILS#*@}            # delete shortest leading *@
    CAR=${TUNNEL_DETAILS%%"$CDR"}       # cut this string from TUNNEL_DETAILS
    CAR=${CAR%@}                        # delete @
    if [ "$CAR" != "" ]                 # user name specified
    then
        USERNAME=$CAR
    fi
    TUNNEL_DETAILS=$CDR

    # HOSTNAME
    HOSTNAME=$TUNNEL_DETAILS
    if [ "$HOSTNAME" = "" ]             # no hostname given
    then
        HOSTNAME=$HOSTNAME_DEFAULT
    fi

    # -f: go to background after authenticating; -N: no remote command; -C: compress; -q: quiet
    ssh -p "$SSHPORT" -L "$LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT" -l "$USERNAME" "$HOSTNAME" -f -C -q -N \
    && printf 'SSH tunnel established via %s:%s:%s\n\tto %s@%s:%s.\n' \
        "$LOCALHOSTPORT" "$REMOTEHOST" "$REMOTEPORT" "$USERNAME" "$HOSTNAME" "$SSHPORT" \
    || echo "SSH tunnel FAIL."