Using an SSH2 Client in Mac OS
The SSH2 client we will use is F-Secure SSH 2.1. Although there is at least one freely available SSH2 client for the Macintosh, we choose to demonstrate the basic concepts with a product developed by one of the companies originally involved in creating the SSH protocol.
Install F-Secure SSH 2.1 as you would any other Macintosh software. It installs in a folder called F-Secure SSH in whatever location you specify.
The client can be used to make terminal connections and to forward arbitrary TCP connections. Because FTP and e-mail are the most popular kinds of TCP connections to tunnel, we will demonstrate setting up those tunnels. F-Secure SSH also has a Connection Manager feature to manage your connections. We will finish by taking a brief look at the Connection Manager.
Setting Up a Terminal
To set up a terminal, do the following:
- Start F-Secure SSH 2.1. The Connection Manager will probably appear.
- Click on the terminal window icon in the Connection Manager (the second icon) or choose New Terminal from the File menu. A Properties dialog box appears with Connect highlighted. Note that in the top left of the window the term Terminal appears.
- Enter the remote machine as the SSH server. The default server port is 22. There is no need to change this unless you have been informed that the SSH2 server is running on a different port.
- Enter your username and password, as shown in Figure 26.2; then click Connect.
Figure 26.2 Fill in the connection parameters in the Connect section of the Properties dialog box.
- The first time you connect to an unknown host, you are asked whether to accept its host key. Before you do, compare the key's fingerprint with one obtained out of band (for example, from the server's administrator or from the host key file on the server itself): if you accept an attacker's key here, every later session to this host can be intercepted without warning. If the fingerprint checks out and you plan to connect regularly, click Accept & Store in the message box shown in Figure 26.3, so that a changed key is detected the next time you connect.
Figure 26.3 Click Accept & Store to store the remote host's host key.
Assuming that you have entered your username and password correctly, you should be logged in to the remote host.
Note that the connection status of the terminal appears in the bottom left of the terminal window. In Figure 26.4, the status is SSH Shell Connected. When you have logged out, the status changes to Disconnected.
Figure 26.4 Connected terminal window.
If you plan to connect to the remote host regularly, you might want to choose Save under the File menu and then save the connection as an alias to your desktop.
There are various ways to end your terminal connection. You can type exit at the command line, or select the terminal connection in the Connection Manager and click the Disconnect button. You will likely find that an idle connection to the remote host times out after some period. You can also quit the F-Secure program; if a connection is in progress, it asks whether you really want to close the connection.
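The Accept & Store step above is the one place in this procedure where a wrong click defeats the whole point of SSH. The following is an added example, not code from the original text or from F-Secure: it decodes an OpenSSH-format public host key line (the kind found in the server's host key file, which you can print on the server with ssh-keygen -l -f <host key file>), computes the two common fingerprint forms, and compares a fingerprint in either form so you can check what the client dialog shows against what the server's administrator gives you. The key it builds uses a tiny 64-bit modulus purely to keep the example short; it is constructed here and is not a real key.

```python
"""
Checking an SSH host key fingerprint before accepting the key.

Accepting an unknown host key is trust-on-first-use: if someone is between
you and the server at that moment, you store the attacker's key and later
sessions are silently decrypted. The defence is to compare the fingerprint
shown in the dialog with one obtained out of band.

Added example; the sample key below is constructed and far too small to be
real. Only the Python standard library is used.
"""
import base64
import hashlib
import re
import struct
from typing import Dict, Tuple


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint' for a non-negative integer (leading 0x00 if the top bit is set)."""
    if n == 0:
        return _ssh_string(b"")
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_rsa_key_line(e: int, n: int, comment: str = "constructed-host-key") -> str:
    """Encode (e, n) as an 'ssh-rsa AAAA... comment' line, the format of ssh_host_rsa_key.pub."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    return blob[offset:offset + length], offset + length


def parse_rsa_key_line(line: str) -> Dict[str, object]:
    """Decode the base64 blob of an ssh-rsa public key line into algorithm, e, n and raw blob."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64> [comment]' line")
    blob = base64.b64decode(fields[1])
    alg, off = _read_string(blob, 0)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if alg != b"ssh-rsa" or off != len(blob):
        raise ValueError("malformed ssh-rsa blob")
    return {"alg": alg.decode(), "e": int.from_bytes(e_bytes, "big"),
            "n": int.from_bytes(n_bytes, "big"), "blob": blob}


def fingerprints(line: str) -> Dict[str, str]:
    """Both fingerprint forms of the key blob.

    'md5'    colon-separated hex, the form older SSH clients and ssh-keygen -l of this period print.
    'sha256' base64 without padding, prefixed SHA256:, the form current ssh-keygen -l prints.
    """
    blob = parse_rsa_key_line(line)["blob"]
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}


def _norm(fp: str) -> str:
    """Strip an MD5:/SHA256: label, colons and base64 padding so either form can be compared."""
    fp = re.sub(r"^(MD5|SHA256):", "", fp.strip(), flags=re.IGNORECASE)
    return fp.replace(":", "").rstrip("=")


def host_key_matches(line: str, expected: str) -> bool:
    """True if 'expected' (in either form, any case for hex) is a fingerprint of the key in 'line'."""
    fps = fingerprints(line)
    want = _norm(expected)
    return want.lower() == _norm(fps["md5"]).lower() or want == _norm(fps["sha256"])


# Constructed sample: e = 65537 and a 64-bit modulus chosen for brevity, not a real key.
SAMPLE_KEY_LINE = build_rsa_key_line(65537, 0xD6B1E5F3A9C2B7E1)

if __name__ == "__main__":
    fp = fingerprints(SAMPLE_KEY_LINE)
    print("dialog should show:", fp["md5"], "or", fp["sha256"])
    print("matches out-of-band value:", host_key_matches(SAMPLE_KEY_LINE, fp["md5"].upper()))
```

The comparison is deliberately tolerant of labels, case and separators because the fingerprint you receive by phone or e-mail rarely arrives in exactly the form the dialog displays; it is not tolerant of a single differing digit, which is the whole point.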
Setting Up an FTP Tunnel
As shown in the section detailing the use of SSH from the command line in Chapter 13, the SSH tools can also be used to secure other network protocols, such as FTP, by tunneling their connections through an SSH-encrypted network connection.
To set up an FTP tunnel, perform the following steps:
- Click on the FTP icon in the Connection Manager, or select FTP Tunnel in the Tunnel list under the File menu. A Properties box appears, with Connect highlighted. Note that in the top left of the window, the description FTP Tunnel appears.
- Name your tunnel by first clicking Document in the FTP Tunnel menu, and then add a tunnel name in the Name box. Next, check the Auto-Connect on Open box. Note that there is an Auto-launch on Connect feature, as shown in Figure 26.5. With this feature enabled, you can set F-Secure to automatically open another application upon connection.
Figure 26.5 You can set a name for your FTP tunnel in the Document section of the Properties box. You can also do this for a terminal connection.
- Next, select FTP Server in the FTP Tunnel menu, as shown in Figure 26.6. It is all right to click in the FTP Server Port boxes, even if you are using the default port 21. SSH Server comes selected as the default item. If you do not do anything with this section, the client assumes port 21 for the local and remote ports and that the SSH server is the remote FTP server.
If you will be accessing a machine that runs its FTP server on an alternate port, be sure to change the port number appropriately. If you ever have to do that, the tunnel loses its FTP description in the client, but it still works.
Figure 26.6 FTP server settings are set in the FTP Server section of the Properties box.
- Select Connect in the left menu, and enter the remote machine as the SSH server.
- Next, enter your username and password; then click Connect. Note that the Properties window now says Connected at the bottom left, and that the Connection Manager shows an FTP connection.
- Under the File menu, choose Save. For your convenience, also save this alias directly to your desktop.
Setting Up the FTP Client
After your FTP tunnel is set up, you are ready to set up the FTP client. Although we have only done our testing with Anarchie and Fetch, the basic concepts shown here should prepare you to use other FTP clients, too.
- If you are using Anarchie as your FTP client, you need to set it to use Passive Transfer (PASV) mode for connections. The tunnel forwards only the FTP control connection; in active mode the server would try to connect back to your machine for each directory listing or file transfer, which cannot work through the tunnel, so the client must ask the server to accept the data connections instead. Although simply stated, this can sometimes be the most complicated step in the setup.
This setting can be found in various places in various versions of Anarchie, most notably in the Internet or Internet Config control panel. Some menu paths to follow to get Anarchie to launch Internet/Internet Config include:
- Settings - Preferences—Automatically launches Internet/Internet Config
- Settings - Preferences—Edits Internet Config
- Edit - Firewalls—Automatically launches Internet/Internet Config
- Edit - Preferences—Launches Internet Config
- The Internet control panel will bring up a set of tabs. If Advanced is not one of them, select User Mode under the Edit menu, and set it to Advanced. An Advanced tab should appear directly. Click on File Transfer, if it is not already selected, and then check the Use FTP Passive (PASV) box. Figure 26.7 shows the advanced settings.
Figure 26.7 Set PASV mode in the Internet control panel by checking the Use FTP Passive Mode (PASV) box on the Advanced tab.
- Alternatively, your system might be using the Internet Config control panel, instead of the Internet control panel. To configure PASV mode with this control panel, select the Firewalls option in the Internet Config control panel, as shown in Figure 26.8, and then check the Use FTP Passive (PASV) box.
Figure 26.8 The Internet Config control panel has a Firewalls option, where PASV mode can be set.
In older versions, PASV is an option in Firewalls, under the Edit menu.
- If you are using Fetch as your FTP client, you can set Fetch to FTP using PASV mode, by selecting Preferences in the Customize menu.
- Click the Firewall tab in the Preferences dialog box, as shown in Figure 26.9. Check the Use Passive Mode Transfers (PASV) box and then click OK.
Figure 26.9 Set PASV mode in Fetch at the Firewall tab in Preferences under the Customize menu.
- After you have your FTP client configured, which should need to be done only once for each client, you are ready to initiate a connection. In Anarchie, either select FTP under the FTP menu or select Get via FTP under the File menu. In older versions of Anarchie, select Get under the FTP menu. In Fetch, select New Connection under the File menu.
- A connection dialog will appear, allowing you to enter parameters for the connection. If you are using Fetch, the dialog will be similar to that shown in Figure 26.10—other FTP clients will require similar information. Enter localhost or 127.0.0.1 as Server/Host; then enter a path/directory, if you know what directory you are looking for. Entering 127.0.0.1 should always work, but whether localhost is acceptable will vary with the setup of your machine and network.
Figure 26.10 Initiating a connection in Fetch to a remote host via an FTP tunnel in the SSH client.
- Enter your username and password; then click OK or List, as appropriate.
You should see a listing of your home directory. If you encounter a host error, try the alternative host suggested in the previous step. If you were watching the FTP tunnel in the Connection Manager before the connection was made, you saw that the data in/out transfer indicator was 0/0, indicating that the tunnel was not being used. Now that you have a connection, the data in/out indicator has changed. In Figure 26.11, that number changed from 0/0 to 52/1905.
Figure 26.11 A connection to a remote host using Fetch via an FTP tunnel in the SSH client.
- Choose File, Save Bookmark. If Anarchie asks about your password, select Ask Later. Save the alias to the desktop for your convenience.
To summarize the FTP process: whenever you want to use FTP, first open the FTP tunnel connection to the FTP server in the F-Secure SSH client, then connect to localhost in the FTP client. The SSH client carries that connection from your Mac OS machine to the remote FTP server you specified in the F-Secure client.
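PASV mode keeps the tunnel working, but it also moves the danger: in passive mode the server's 227 reply names an address and port on the server's side, and a client that connects there directly sends its file data outside the tunnel, in the clear. That is the work a dedicated FTP tunnel type, as opposed to a plain TCP forward, exists to do: watch the control channel for 227 replies, open a forwarded local port for each, and rewrite the reply so the client's data connection also goes to localhost. The following is an added example, not code from the original text or from F-Secure, that shows this control-channel handling on constructed replies; the server address 192.0.2.10 and the local port range starting at 40000 are assumptions for the example, and nothing is connected to a network.

```python
"""
What an FTP-aware SSH tunnel must do with the server's PASV reply.

A local port forward (localhost:21 -> ftp-server:21) carries only the FTP
control connection. In PASV mode the server answers with an address and
port of its own; the tunnel must rewrite that reply so the client connects
to a forwarded local port instead of straight to the server.

Added example on constructed input; RFC 959 reply syntax:
  227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   port = p1*256 + p2
"""
import re
from typing import Dict, Optional, Tuple

PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode a 227 reply into (host, port)."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(v > 255 for v in nums):
        raise ValueError(f"octet out of range: {reply!r}")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_pasv(host: str, port: int) -> str:
    """Encode (host, port) back into 227 syntax."""
    return f"227 Entering Passive Mode ({host.replace('.', ',')},{port // 256},{port % 256})"


class FtpAwareTunnel:
    """Control-channel filter for a local FTP tunnel.

    Each rewritten reply records local_port -> (remote_host, remote_port) in
    self.forwards, which is what the SSH side needs in order to connect on
    the server when the client opens the local port.
    """

    def __init__(self, ftp_server_ip: str, first_local_port: int = 40000) -> None:
        self.ftp_server_ip = ftp_server_ip          # the host the tunnel already reaches over SSH
        self.next_local_port = first_local_port     # assumed free local port range
        self.forwards: Dict[int, Tuple[str, int]] = {}

    def handle_server_reply(self, reply: str) -> str:
        """Pass non-PASV replies through unchanged; rewrite 227 to point at localhost."""
        if not PASV_RE.match(reply):
            return reply
        host, port = parse_pasv(reply)
        # A server behind NAT may advertise a private address in the reply;
        # the data connection must go to the host we actually tunnel to.
        if host != self.ftp_server_ip:
            host = self.ftp_server_ip
        local_port = self.next_local_port
        self.next_local_port += 1
        self.forwards[local_port] = (host, port)
        line_end = reply[len(reply.rstrip("\r\n")):]   # preserve the CRLF as sent
        return format_pasv("127.0.0.1", local_port) + line_end


def data_connection_target(reply: str, tunnel: Optional[FtpAwareTunnel]) -> Tuple[str, int]:
    """Where the FTP client will open its data connection.

    tunnel=None models a plain port forward: the client goes to the address
    in the server's reply, i.e. outside the tunnel. With an FTP-aware tunnel
    it goes to the rewritten localhost port.
    """
    if tunnel is None:
        return parse_pasv(reply)
    return parse_pasv(tunnel.handle_server_reply(reply))


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"   # constructed server reply
    print("plain forward, data goes to:", data_connection_target(reply, None))
    t = FtpAwareTunnel("192.0.2.10")
    print("FTP-aware tunnel, data goes to:", data_connection_target(reply, t))
    print("forwards the SSH side must honour:", t.forwards)
```

The same reasoning explains why the FTP client must be pointed at localhost and why a generic TCP tunnel on port 21 alone is not enough for FTP even though it is enough for single-connection protocols such as POP and IMAP.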
Setting Up an E-Mail Tunnel
Another type of tunnel that you might want to make is a tunnel for your POP/IMAP account. Making a mail tunnel is much like making an FTP tunnel. Follow these steps:
- In the F-Secure Connection Manager, click the e-mail icon (fourth icon) or select E-Mail Tunnel from the Tunnel list under the File menu. A Properties box appears with Connect highlighted. Note that in the top left of the window the description E-Mail Tunnel appears.
- To name your tunnel, click Document in the menu at the left of the dialog box, and then provide a tunnel name in the Name text box. Check the Auto-connect on Open box. As with the FTP tunnel, the e-mail tunnel also has an Auto-launch on Connect feature, if you are interested in using it.
- Click Services in the left-side menu to display the services dialog shown in Figure 26.12. If you will be accessing a POP account, deselect the IMAP tunnel service. If you will be accessing an IMAP account, deselect the POP tunnel service.
The Services section of the Properties box also includes a section to enter server names. These need to be filled out only if the e-mail services are on a host other than the server to which you are connecting. When in doubt, provide the complete information, even if the e-mail services are on the host to which you are connecting.
Figure 26.12 The Services section of the Properties box is where you specify what e-mail services are to be tunneled.
- Select Connect in the left menu and then enter the remote machine as the SSH server.
- Enter your username and password; then click Connect. Note that the Properties window now says Connected at the bottom left, and that the Connection Manager shows an e-mail connection.
- Choose File, Save to save the connection properties for your e-mail tunnel. For your convenience, you might also want to make an alias from the saved file directly to your desktop.
Setting Up an E-mail Client
You will have to experiment with e-mail clients and settings to see what ultimately works for you. Claris Emailer works for reading POP mail through an e-mail tunnel in SSH; however, Claris Emailer is no longer supported, so we cannot recommend it. The setting most likely to vary is the e-mail account itself. What account you list for your e-mail client to check can depend on the sendmail settings of the mail server: expect either <username>@localhost or <username>@<your-local-Mac's-fully-qualified-domain-name>. You might have to talk with the mail server's administrator to get that setting right. The following figures show the most likely ways to enter your account information so that you can read your e-mail through an e-mail tunnel. In Figure 26.13, the e-mail account to be checked is of the form <username>@localhost; sendmail on the mail server is likely configured to accept mail from machines without a fully qualified domain name (FQDN).
Figure 26.13 The e-mail connection dialog for Claris Emailer, with representative tunnel settings for a mail server configured to accept mail from machines not using an FQDN.
In Figure 26.14, the e-mail account to be checked is of the form <username>@<Mac's FQDN>; sendmail on the mail server is likely configured to accept mail only from machines with an FQDN.
Figure 26.14 The e-mail connection dialog for Claris Emailer, with representative tunnel settings for a mail server configured to require an FQDN.
Setting Up Other Tunnels
F-Secure SSH 2.1 also allows you to forward arbitrary TCP services for which prelabeled entries are not already listed in the TCP Tunnel Properties box. If you need to tunnel other TCP services, use the TCP Tunnel type, which is the third icon in the Connection Manager, or TCP Tunnel in the Tunnels section under the File menu.
For example, if you typically access a program on a remote host with a specialized telnet client (one that does more than show you a command-line prompt; otherwise, the SSH terminal is a perfectly sufficient alternative), you could forward the telnet connection through an arbitrary TCP Tunnel in the SSH client. As with FTP clients, the host you list in the telnet client would be localhost.
In addition to arbitrary TCP tunnels, you can also tunnel X11 connections. Even though OS X does not come with an X11 package, you have seen in Chapter 19 how to install one. After you have been using your X11 package for a while, you might find some applications that run on it that you want to access from your older Mac. The ability to tunnel X11 connections can also be of particular use with applications on other Unix machines.
If you discover a need for X11 tunneling, simply check the Tunnel X11 Connections box in the X11 section of the Properties box for a terminal connection, as shown in Figure 26.15. You can even specify eXodus (a commercial X Window System server for Mac OS and Windows) as the local X server. Keep in mind that X11 forwarding gives programs on the remote host access to your local X display, so enable it only toward hosts you trust.
Figure 26.15 Enable X11 tunneling in the X11 section of the Properties box for terminal connection in the SSH client.
If you are tunneling an X11 connection to your remote OS X machine, edit the X11Forwarding line in /etc/sshd_config so that it reads as follows. Edit the existing line rather than adding a second one at the end of the file: sshd uses the first X11Forwarding directive it reads and ignores any later one.
X11Forwarding yes
Because this would be making a change to the default configuration of sshd, you need to have sshd reread its configuration file, as was demonstrated in the earlier section on enabling the sftp server.
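Because sshd honours only the first occurrence of a keyword, the safe way to script this change is to locate the effective directive and rewrite it, not to append. The following is an added example, not code from the original text or from OpenSSH: it reads an sshd_config the way sshd does (first match wins, keywords case-insensitive, `#` starts a comment), reports the effective X11Forwarding value, and rewrites the first effective directive in place. The sample configuration text is constructed for the example, modelled on the sshd_config of the period; the file path and the default of `no` for X11Forwarding are the real ones.

```python
"""
Reading and fixing X11Forwarding in sshd_config with sshd's own semantics.

sshd_config(5): "For each keyword, the first obtained value will be used."
Keywords are case-insensitive and '#' begins a comment. Appending
'X11Forwarding yes' to a file that already says 'X11Forwarding no'
therefore changes nothing, which is the mistake this example guards against.

Added example; SAMPLE_SSHD_CONFIG below is constructed, not copied from any system.
"""
from typing import Optional, Tuple

SAMPLE_SSHD_CONFIG = """\
# This is the sshd server system-wide configuration file.   (constructed sample)
Port 22
#Protocol 2,1
X11Forwarding no
X11DisplayOffset 10
#Subsystem sftp /usr/libexec/sftp-server
"""

SSHD_CONFIG_PATH = "/etc/sshd_config"   # location on Mac OS X of this period


def _split_directive(line: str) -> Optional[Tuple[str, str]]:
    """Return (keyword_lowercase, value) for an active directive; None for blank/comment lines."""
    body = line.split("#", 1)[0].strip()    # everything after '#' is a comment
    if not body:
        return None
    parts = body.split(None, 1)
    return parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def effective_value(config: str, keyword: str, default: str) -> str:
    """The value sshd will use: the first active directive for keyword, else the default."""
    for line in config.splitlines():
        d = _split_directive(line)
        if d and d[0] == keyword.lower():
            return d[1]
    return default


def set_directive(config: str, keyword: str, value: str) -> str:
    """Rewrite the first active directive for keyword in place, or append one if none exists."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        d = _split_directive(line)
        if d and d[0] == keyword.lower():
            lines[i] = f"{keyword} {value}"
            return "\n".join(lines) + "\n"
    lines.append(f"{keyword} {value}")
    return "\n".join(lines) + "\n"


def x11_forwarding_enabled(config: str) -> bool:
    """sshd's compiled-in default for X11Forwarding is 'no'."""
    return effective_value(config, "X11Forwarding", "no").lower() == "yes"


if __name__ == "__main__":
    print("before:", x11_forwarding_enabled(SAMPLE_SSHD_CONFIG))
    fixed = set_directive(SAMPLE_SSHD_CONFIG, "X11Forwarding", "yes")
    print("after in-place edit:", x11_forwarding_enabled(fixed))
    appended = SAMPLE_SSHD_CONFIG + "X11Forwarding yes\n"
    print("after merely appending:", x11_forwarding_enabled(appended))
    # To apply for real: read SSHD_CONFIG_PATH, write set_directive(...) back as root,
    # then make sshd reread its configuration as described in the text.
```

Run against the sample, the in-place edit enables forwarding while the appended line is silently ignored, which is exactly what you would see on a server where someone "enabled" X11 forwarding and then wondered why it still failed.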
Managing Your Connections
So far in this section, we have been creating independent tunnels in F-Secure 2.1. Because our tunnels are independent, we can choose, for example, to use only the FTP tunnel without having to log in to the remote host. We have been saving our independent tunnels as separate aliases on the desktop. If you made at least a terminal alias and an FTP alias, you now have two aliases on your desktop. This might be precisely what you need, especially if you regularly plan to access the remote host with only one type of connection. However, if you expect to regularly use both types of connections to the host, you might be interested in grouping your independent tunnels together.
When you group a set of independent tunnels that you have already made, the group alias you save on the desktop replaces the aliases for the independent tunnels. When you use the group alias, you automatically make all the desired connections at once. If you decide to terminate all the connections at once, you can select the appropriate folder in the Connection Manager, and then select Disconnect. You still have the freedom to terminate any given connection without terminating the other connections in your group by selecting the appropriate connection in the Connection Manager, and then selecting Disconnect.
Although we tend to group our connections by host, you can also group connections to different hosts, if that is more suitable to your needs. For example, you might regularly use a terminal connection to one host, but the FTP server might be on another host. You can set up your individual connection types, group them together, and save that group as an alias on the desktop. When you connect using that alias, you are asked for both passwords right away.
If you are interested in organizing your connections into groups, do the following:
- Click on the group icon (the first icon) in the Connection Manager, or select New Group under the File menu.
- Double-click the folder that appears in the Connection Manager to display the Properties dialog box.
- Fill in the Document section.
- Click the Override Connection Parameters box in the Connect section, shown in Figure 26.16, to cause any connect and security parameters specified for the group to override specifications in the individual connections that belong to the group. This might be particularly useful if all the connections in the group are to the same host. If you select the override option, fill in the appropriate host, username, and password information.
Figure 26.16 The Connect section of the Properties box for a new group.
- In the Connection Manager, shown in Figure 26.17, drag whichever connections you want to include into the group.
Figure 26.17 The Connection Manager with a set of independent connections as well as a set of grouped connections.
- Save the group alias to your desktop. After you have quit the program, the desktop no longer has the independent aliases, but it does have the group alias.
Whether you make the tunnels first or the group first does not matter. In either case, you drag the appropriate connections to the appropriate group.