Kerberos, vnc, and ssh

Hi, I was wondering if anyone had seen these problems trying to enable vnc and ssh support on a Mavericks server (latest OS and Server versions).
In particular, I get errors when I attempt to use sso_util:
sso_util configure -R MYSERVER.MYDOMAIN.COM -a diradmin ssh
/Local/Default
/LDAPv3/127.0.0.1
Creating the service list
Creating the service principals
OSStatus CreateKerberosPrincipals(CFStringRef, CFStringRef, const char *, CFMutableDictionaryRef, Boolean): Error adding principal to keytab:  kadmin: ext vnc/[email protected]: Principal does not exist
Creating the keytab file
Configuring services
WriteSetupFile: setup file path = /temp.NOKc/setup
$ sso_util configure -r MYSERVER.MYDOMAIN.COM -a diradmin ssh
Password:
/Local/Default
/LDAPv3/127.0.0.1
Creating the service list
Creating the service principals
OSStatus CreateKerberosPrincipals(CFStringRef, CFStringRef, const char *, CFMutableDictionaryRef, Boolean): Error adding principal to keytab:  kadmin: ext host/[email protected]: Principal does not exist
Creating the keytab file
Configuring services
WriteSetupFile: setup file path = /temp.KZUY/setup
I get the same errors if I use "kadmin -l" and attempt to create the principals using "add -r host/myserver.mydomain.com" and "add -r vnc/myserver.mydomain.com".  The principals don't exist if I try to list them.
Kerberos is working fine for some other services, like imap and smtp.  The principals exist.
Does anyone know why I can't create these?  Thanks!


Similar Messages

  • Trouble with Kerberos and SSH

    I'm working in a test environment to configure Solaris 10 hosts to authenticate against an Active Directory environment using LDAP and Kerberos. I have all of the hard parts done - I can login locally, ssh, telnet, ftp, etc to the Solaris 10 device using a username/password within the Active Directory.
    I am having trouble, however, getting SSH to forward Kerberos tickets for passwordless authentication. I can login locally to a Solaris box, run a klist to verify that I have a Kerberos ticket, and the ssh to another Solaris 10/Kerberos box, but I am still prompted for my password. Below is a snippet of SSH debug traffic:
    debug1: GSS-API error while calling GSS_Init_sec_context(): An invalid name was supplied
    service not available
    debug1: Skipping GSS-API mechanism kerberos_v5 (An invalid name was supplied
    service not available
    No amount of googling has been able to help me thus far. Perhaps you can.

    Apparently my initial problem was related to hostname resolution; I initially was accessing everything by IP address because it was easier than setting up a DNS server in my testing environment. I have resolved those issues within my testing environment, but I still can't seem to get SSH to pass the Kerberos ticket along, or maybe SSHD isn't accepting it. This is what I see now, after getting a Kerberos ticket with kinit and attempting to ssh to another host:
    debug1: Next authentication method: gssapi-with-mic
    debug1: ssh_gssapi_init_ctx(<xxxxxxxxxxxxxxxxxxxx>)
    debug3: ssh_gssapi_import_name: snprintf() returned 41, expected 42
    debug2: we sent a gssapi-with-mic packet, wait for reply
    But it moves on to the next method, never receiving a reply. What's up?

  • Are "Back to My Mac" FTP and SSH services visible to "everyone"?

    With the MobileMe "Back to my Mac" service, I can establish SSH terminal and SFTP connections from my Mac Mini at home to my Mac Pro at my work.  The SSH (Remote Login) and SFTP (File Sharing) services are enabled under System Preferences -->  Sharing.
    Does this make the SFTP and SSH services on my Mac visible/accessible to anyone else?  I like using "Back to my Mac" because it is simple and it uses key exchange for authentication when connecting.  However, I'm concerned that by enabling the SFTP and SSH services under Sharing, I'm also opening these services up to anyone who can see them.  Is this true, and if so, how can I maintain the security of my computers?
    Thanks in advance,
    jjw

    OK, besides putting me to sleep, the BTMM description seems to indicate that it is your MobileMe password that is important when making BTMM connections through a home NAT router.
    BTMM does open a port through the router, but if I understand correctly, it does not listen for ssh, or vnc, or afp protocols, but rather for the BTMM IPsec secure tunnel to be established, and then all the BTMM supported servers travel over the IPsec secure tunnel.  NOTE: the paper was putting me to sleep, so I could have this wrong.
    Kerberos is used for authentication of the IPsec tunnel.
    What I'm thinking is that if your Mac stays behind a home NAT router, or corporate firewall (that allows BTMM to work), then the important password is your MobileMe password.   If the Mac goes out in public, then all your Mac OS X user account (and guest) passwords need to be strong (where longer is better).
    A GRC Shields-UP probe will not check all possible ports.  If BTMM is running and all the standard ports are marked as stealth, then BTMM is using a non-standard port (as in one GRC does not check by default).  That makes it more difficult for someone to find your NAT router and then your Mac.  While this is NOT security, it does add some difficulty to the intruder's attempts at finding you.
    AGAIN, I did not fully understand the BTMM paper, so "Your Mileage May Vary" with respect to my analysis acccuracy.

  • Cli connection to masterserver: ssl and ssh

    It is possible to use SSL connection from one CLI-host and SSH from an other CLI-host to the same masterserver or can I only use one of them methods?
    If yes, how I have to configure the masterserver config.properties: hostdb.ms.connectiontype

    First off, you DON'T need a vnc SERVER. Do not launch that application, and eventually, I think you will agree that you can remove that application from your server.
    Instead of using vnc server, go into System Preferences > Sharing > Services on that machine and enable Apple Remote Desktop.
    With Apple Remote Desktop selected, click on Access Privileges...
    Configure as desired in there, making sure that you have the VNC viewers may control screen checkbox checked.
    Get out of there, then click on the Firewall tab and click on New...
    One of the choices in the pull-down menu will be VNC. Select it.
    Save and close System Preferences.
    Now go to the other computer.
    Create a connection in CotVNC to connect to 127.0.0.1:5901 (note: do not use localhost:5901; use 127.0.0.1:5901).
    Launch Terminal.
    Your ssh login command should look something like this:
    ssh -l {yourShortUserNameOnServer} -L 5901:127.0.0.1:5900 {ServerHostNameOrIPaddress}
    Once the ssh connection is established, any traffic to/from port 5901 on localhost of your local machine is tunneled over secure shell to port 5900 on the server.
    Launch CotVNC, select and activate the connection 127.0.0.1:5901. You now have a VNC session up and running, tunneled inside an encrypted secure shell tunnel.
    If you already have an alias command set up in your .bash_login (or whatever) to ssh into this server computer, essentially, all you need to do is add the additional port tunneling option -L 5901:127.0.0.1:5900 to it.
    (if this solves your problem, or is actually helpful towards arriving at a solution to your problem, please consider clicking on either the gold or green star in order to mark this reply as "helpful" or "solved")

  • Chicken of the VNC and connecting to multiple computers on a single LAN

    I've successfully got Chicken of the VNC operating so that I can reach my iMac (running Leopard) from outside my LAN using my iBooks (running Tiger). And I can also connect to all computers inside my LAN by using Bonjour in chicken of the VNC.
    What I cannot figure out is how to setup Chicken of the VNC and port forwarding to access my other three computers from outside of my LAN.
    I suppose it is simply configuring the port forwarding correctly and apparently I'm not doing that.
    I've got each Mac configured with a fixed IP as follows...
    iMac is at 192.168.0.100
    iBook is at 192.168.0.102
    iBook2 is at 192.168.0.103
    Acer is at 192.168.0.120
    Right now the port forwarding on my Linksys WRT54G looks like this...
    VNC1 5500 to 5500 Both 192.168.0.100 enable
    VNC2 5800 to 5800 Both 192.168.0.100 enable
    VNC3 5900 to 5900 Both 192.168.0.100 enable
    VNC-iBook 5502 to 5502 Both 192.168.0.102 enable
    VNC-iBook2 5503 to 5503 Both 192.168.0.103 enable
    VNC-Acer 5504 to 5504 Both 192.168.0.120 enable
    Enabling Bonjour in Chicken of the VNC lets me connect to all computers on my LAN. And I can connect to my iMac outside of my LAN using the WAN-IP:5900
    But I cannot connect to any of the others except the iMac (at internal IP address 192.168.0.100 or outside IP of xx.xx.xxx.xx:5900) outside of my LAN.
    Any quick tips?

    If you have all of your Macs inside the LAN operating okay with remote access by CotVNC, then 3/4 of the battle is done. But first thing I would do is tunnel your VNC through an encrypted ssh tunnel, unless you don't mind the possibility of a sniffer outside your home network being able to intercept every one of your vnc packets in plain text and monitor your every vnc move.
    The easy way to do it would be to connect via ssh to one of the computers inside the LAN with a bunch of ports tunneled through the encrypted ssh connection. I've got several posts that talk about tunneling vnc through ssh. Do a search on posts by me (j.v.) since last year with search terms "vnc ssh 5901". Port forward port 22 through your home router to, for example, your imac, and turn on remote login (ssh login) on your imac. You do not need 5900 port forwarded through the router, only port 22.
    To access multiple computers, modify your ssh login command, that you type in Terminal on the computer outside your LAN, to add additional "-L" port forward switches, for example, "ssh -L 15900:127.0.0.1:5900 -L 15901:192.168.0.102:5900 -L 15902:192.168.0.103:5900 -L 15903:192.168.0.120:5900 [email protected]". Then in CotVNC, you connect to 127.0.0.1:15900, 127.0.0.1:15901, 127.0.0.1:15902, or 127.0.0.1:15903, in order to connect to imac, ibook, ibook2, or acer. All the VNC traffic is encrypted and tunneled inside the ssh connection. All traffic to all computers is delivered to the imac's localhost interface, and depending on which port you specified in CotVNC, it goes to the computer specified in the "-L" switches for that port.
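    The multi-host tunnel described above, as an added Python example that is not from the post: it generates the ssh command (binding each forwarded port explicitly to 127.0.0.1, an addition to the post's form, so the forwarded VNC ports are not reachable from the client's other interfaces) and audits a Linksys-style forwarding table for entries that become unnecessary once only port 22 is forwarded. The gateway name home.example.org and the user name jv are placeholders.

```python
import shlex

# Constructed sample data: the LAN layout described in the question above.
LAN_HOSTS = {
    "imac": "192.168.0.100",
    "ibook": "192.168.0.102",
    "ibook2": "192.168.0.103",
    "acer": "192.168.0.120",
}
VNC_PORT = 5900
BASE_LOCAL_PORT = 15900

# Constructed copy of the router's port-forwarding table from the question.
ROUTER_FORWARDS = """\
VNC1 5500 to 5500 Both 192.168.0.100 enable
VNC2 5800 to 5800 Both 192.168.0.100 enable
VNC3 5900 to 5900 Both 192.168.0.100 enable
VNC-iBook 5502 to 5502 Both 192.168.0.102 enable
VNC-iBook2 5503 to 5503 Both 192.168.0.103 enable
VNC-Acer 5504 to 5504 Both 192.168.0.120 enable
"""


def build_tunnel(hosts, ssh_host, user, gateway, base_port=BASE_LOCAL_PORT):
    """Build the ssh command that tunnels every LAN host's VNC port.

    hosts:    name -> LAN IP
    ssh_host: the LAN host that receives the router's port-22 forward
    gateway:  public name/IP of the home router (hypothetical placeholder)
    Returns (argv, mapping) where mapping is local "ip:port" -> host name.
    """
    argv = ["ssh"]
    mapping = {}
    for offset, (name, ip) in enumerate(hosts.items()):
        local_port = base_port + offset
        # The ssh host reaches its own VNC server via loopback; the others
        # are reached over the LAN from the ssh host.
        target = "127.0.0.1" if name == ssh_host else ip
        # Binding explicitly to 127.0.0.1 keeps the forwarded port off the
        # client's other interfaces (no -g / GatewayPorts exposure).
        argv += ["-L", f"127.0.0.1:{local_port}:{target}:{VNC_PORT}"]
        mapping[f"127.0.0.1:{local_port}"] = name
    argv.append(f"{user}@{gateway}")
    return argv, mapping


def tunnel_command(hosts, ssh_host, user, gateway):
    """The same command as one shell string for pasting into Terminal."""
    argv, _ = build_tunnel(hosts, ssh_host, user, gateway)
    return shlex.join(argv)


def audit_forwards(table, ssh_host_ip, ssh_port=22):
    """Parse a Linksys-style forwarding table and return the enabled entries
    that expose anything other than the single ssh forward to the WAN."""
    exposed = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[2] != "to":
            continue  # not a forwarding row
        name, start, _, end, _proto, ip, state = parts
        start, end = int(start), int(end)
        if state.lower() != "enable":
            continue
        is_ssh_rule = start <= ssh_port <= end and ip == ssh_host_ip
        if not is_ssh_rule:
            exposed.append((name, start, end, ip))
    return exposed


if __name__ == "__main__":
    print(tunnel_command(LAN_HOSTS, "imac", "jv", "home.example.org"))
    for entry in audit_forwards(ROUTER_FORWARDS, LAN_HOSTS["imac"]):
        print("no longer needed once ssh-only:", entry)
```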

  • VNC and WebDAV:  Now what?

    Hi all,
    First, thanks to those that responded to my previous post!
    A recap of my dilemma: I want to be able to access my home computer (imac G5) from anywhere. I want to be able to transfer files from my imac to my ibook when I'm on the road so I don't have to keep everything on my ibook (I don't want to have to lug around an external HD). I want to be able to run iTunes on my ibook from anywhere in the country using the songs that are on my imac at home. I want to access my iPhoto libraries in my imac so I can burn CD's of the pictures when I'm out of town using my ibook. I have work-related videos on my imac (this is what's really taking up all of my HD space) that I want access to on the road for when I go to meetings.
    My parents always told me I wanted everything!
    So I loaded OSXvnc on my imac and Chicken of the VNC on my ibook. This is really neat in that I can control my imac from afar (I also have a dyndns account), but it doesn't really help with the iTunes, iPhoto, or video stuff. So then I set up a webdav folder on my imac (using the terminal was a big step for me). Now I can access this folder from anywhere with my ibook, but that doesn't really help me either.
    What do I need to do to accomplish my goals above?
    Thanks,
    Darren

    In order to share your iphoto library, itunes library and videos over the internet you would first of all need a connection at your home that has a big fat upload pipe.
    For example a standard 128k or 256k upload speed would not cut it.
    The next thing you would be best doing is setting up SSH. SSH can create secure tunnels between your ibook and your mac. You can run a number of different services over ssh and you only need to open up port 22 on your router.
    how to setup ssh
    Once you have ssh setup using public key authentication then to run VNC over ssh fire up your terminal and the command.
    ssh -L 5901:127.0.0.1:5900 your.dyndns.org
    Setup your vnc server to run on port 5900 and then on your ibook connect your vnc client to
    127.0.0.1:5901
    Now your vnc server is running over a secure encrypted tunnel.
    OK so what next?
    you can run afp shares over ssh so you could mount your imac's hard drive on your ibook.
    ssh -L 5480:127.0.0.1:548 your.dyndns.org
    Then you can mount the sharepoint on your ibook using
    afp://127.0.0.1:5480
    Then you have access to your tunes, photos and movies.

  • Not able to HTTP to SUB and SSH is not allowing any command to execute

    Hi All,
    I came across an issue, where CUCM SUB is not accessible by HTTP/S and SSH is giving following output while trying to re-start or executing any command :
    admin:utils service list
    /usr/java/jdk1.6.0_24/jre/lib/rt.jar: error reading zip file
    Exception in thread "main" java.lang.NoClassDefFoundError: java/net/ConnectException
            at com.cisco.iptplatform.cli.CliClassLauncher.<init>(CliClassLauncher.java:86)
            at sdMain.main(sdMain.java:1824)
    Caused by: java.lang.ClassNotFoundException: java.net.ConnectException
            at java.net.URLClassLoader$1.run(URLClassLoader.java:199)
            at java.security.AccessController.doPrivileged(Native Method)
            at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
            at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
            at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
            at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
            ... 2 more
    Caused by: java.util.zip.ZipException: error reading zip file
            at java.util.zip.ZipFile.read(Native Method)
            at java.util.zip.ZipFile.access$1200(ZipFile.java:31)
            at java.util.zip.ZipFile$ZipFileInputStream.read(ZipFile.java:460)
            at sun.misc.Resource.getBytes(Resource.java:108)
            at java.net.URLClassLoader.defineClass(URLClassLoader.java:257)
            at java.net.URLClassLoader.access$000(URLClassLoader.java:58)
            at java.net.URLClassLoader$1.run(URLClassLoader.java:197)
            ... 7 more
    Any inputs please ??  Waiting for a hard re-boot to the device but not sure if that would resolve the issue, Also when I first logged into SUB using SSH , I got the following :
    Command Line Interface is starting up, please wait ...
    java.io.FileNotFoundException: /var/log/active/platform/log/cli.bin (Read-only file system)
            at java.io.RandomAccessFile.open(Native Method)
            at java.io.RandomAccessFile.<init>(RandomAccessFile.java:212)
            at com.cisco.iptplatform.fappend.ciscoRollingFileAppender.restoreIndex(ciscoRollingFileAppender.java:100)
            at com.cisco.iptplatform.fappend.ciscoRollingFileAppender.setFile(ciscoRollingFileAppender.java:43)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at org.apache.log4j.config.PropertySetter.setProperty(PropertySetter.java:196)
            at org.apache.log4j.config.PropertySetter.setProperty(PropertySetter.java:155)
            at org.apache.log4j.xml.DOMConfigurator.setParameter(DOMConfigurator.java:530)
            at org.apache.log4j.xml.DOMConfigurator.parseAppender(DOMConfigurator.java:182)
            at org.apache.log4j.xml.DOMConfigurator.findAppenderByName(DOMConfigurator.java:140)
            at org.apache.log4j.xml.DOMConfigurator.findAppenderByReference(DOMConfigurator.java:153)
            at org.apache.log4j.xml.DOMConfigurator.parseChildrenOfLoggerElement(DOMConfigurator.java:415)
            at org.apache.log4j.xml.DOMConfigurator.parseRoot(DOMConfigurator.java:384)
            at org.apache.log4j.xml.DOMConfigurator.parse(DOMConfigurator.java:783)
            at org.apache.log4j.xml.DOMConfigurator.doConfigure(DOMConfigurator.java:666)
            at org.apache.log4j.xml.DOMConfigurator.doConfigure(DOMConfigurator.java:616)
            at org.apache.log4j.xml.DOMConfigurator.doConfigure(DOMConfigurator.java:584)
            at org.apache.log4j.xml.DOMConfigurator.configure(DOMConfigurator.java:687)
            at sdMain.initialize(sdMain.java:479)
            at sdMain.main(sdMain.java:646)
    java.lang.NullPointerException
            at com.cisco.iptplatform.fappend.ciscoRollingFileAppender.updateIndex(ciscoRollingFileAppender.java:117)
            at com.cisco.iptplatform.fappend.ciscoRollingFileAppender.nextFileName(ciscoRollingFileAppender.java:92)
            at com.cisco.iptplatform.fappend.ciscoRollingFileAppender.append(ciscoRollingFileAppender.java:74)
            at org.apache.log4j.AppenderSkeleton.doAppend(AppenderSkeleton.java:221)
            at org.apache.log4j.helpers.AppenderAttachableImpl.appendLoopOnAppenders(AppenderAttachableImpl.java:57)
            at org.apache.log4j.Category.callAppenders(Category.java:187)
            at org.apache.log4j.Category.forcedLog(Category.java:372)
            at org.apache.log4j.Category.debug(Category.java:241)
            at com.cisco.iptplatform.cli.CliSettings.getInstance(CliSettings.java:106)
            at sdMain.initialize(sdMain.java:491)
            at sdMain.main(sdMain.java:646)
    log4j:ERROR No output stream or file set for the appender named [CLI_LOG].
    /usr/java/jdk1.6.0_24/jre/lib/rt.jar: error reading zip file
    Exception in thread "Thread-9" java.lang.NoClassDefFoundError: java/net/URI$Parser
            at java.net.URI.<init>(URI.java:578)
            at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:350)
            at java.net.Socket.connect(Socket.java:529)
            at java.net.Socket.connect(Socket.java:478)
            at java.net.Socket.<init>(Socket.java:375)
            at java.net.Socket.<init>(Socket.java:189)
            at com.cisco.ccm.util.ncs.NcsClient.connect(NcsClient.java:342)
            at com.cisco.ccm.util.ncs.NcsClient$ReceiveThread.run(NcsClient.java:447)
       Welcome to the Platform Command Line Interface
        WARNING:
            The /common file system is mounted read only.
            Please use Recovery Disk to check the file system using fsck.
    Cheers
    Anjali

    Check this Bug: CSCti52867 - https://supportforums.cisco.com/docs/DOC-12955
    I have a customer with this same problem, we used to use the Callmanager Recovery DVD, as Amine said, to recover the HD. But sometimes resetting the server resolved the problem.
    Mártin

  • Screen Sharing and SSH sessions freeze occasionally on multiple mac minis

    I have 28 Mac Minis at work. With such a large number of minis, I obviously can't have a monitor attached to each of them so I've got them plugged into a network switch and access them via Screen Sharing (both via regular Screen Sharing and ARD) and SSH sessions.
    A few of them seem to suffer from intermittent problems however. I'll be using Screen Sharing when the session freezes. It may unfreeze eventually, but I can also usually just quit out and re-connect and it will be unfrozen. The same thing happens when I'm connected via SSH, it will freeze and I won't be able to type in any more commands.
    I need help troubleshooting (or if anyone knows what could be causing this, that'd be cool too).
    I've tried connecting from both a Mac Pro on the wired network and a MacBook Pro on the wireless network. The freezing seems to only happen on certain Mac Minis as well.
    I've tried switching network cables from a Mac Mini that doesn't suffer from this problem with one that does and nothing changed.
    I also thought it might be a bandwidth issue at first, despite being a gigabit switch connected via cat6 to the rest of our gigabit network, but even when no significant bandwidth is being used, the freezing still occurs.
    One more thing I want to test is the connection between the switch all these Mac Minis is plugged into and one of the other switches that all our other network traffic goes through. I didn't set it up myself so I fear that it might be an old, damaged cable or something. Failing that, I have no idea what the problem could be, which is why I'm posting here.
    So, does anyone have any idea what the problem could be? Or any other ideas for troubleshooting the problem? Thanks.
    (They're all running 10.6.8, and range from Mid-2007 to 2009 models).

    It would be in the system log. However, the next step would be to safe-boot in order to eliminate third-party system modifications. That goes for both client and server. If you can reproduce the problem in safe mode, then you probably have a network issue. Take everything offline except one client and one server, and test.

  • Trouble w/VNC and Bonjour

    Having trouble using vnc on my home (AExpress) network. I've tried chicken of the vnc and vine viewer, but both give me the same problem. I have two macs running 10.4, and I set up one of them as a vnc server using ARD, but when I try to connect to it from the other one, it can't connect. Chicken of the vnc says "can't connect:()", and Vine viewer just spins for a while and then reports a timeout.
    Again, this is from one machine into the other inside my home network. I'm not trying to access anything from the internet. Both machines have internet access via airport cards through the AE, they both show up in each other's networks, etc.
    What's strange to me is that when I try to open a connection, the target computer does show up via Bonjour. So why doesn't the connection occur? The vnc client seems to 'know' it's there, right??
    From doing some so-far fruitless research on this it looks like assigning static ip addresses is something I'll have to (reluctantly) try. Reluctantly because I fear I'll mess up their internet connections or something. Any ideas on why I can't connect?

    Bump.

  • Kerberos/Keychain and PHD: Am I trying to do something silly?

    Howdy-
    I'm new to Mac OS server; and I've run into a slight issue - I've set up a Network Account with a roaming profile on OD, and that works fine - Kerberos/SSO all works, and the keychain shows my normal keychains.
    However, I'm forever transferring gigs of temporary data into and out of my user account - Which means that I'm constantly waiting for data to move onto and off of my server. I'm only on 100mbit lan, so this can take a while.
    So I thought if I switch my user to a Mobile account, I can work like a local user; and simply sync data at the beginning and end of session to keep my roaming profile up to date. This works beautifully albeit one caveat:
    Both kerberos/sso and my keychain don't work. So whenever I try to connect to a server, either for screen sharing or AFP, I get prompted for a username and password every time I connect.
    I've tried repairing the keychain; adding a new one, etc to no avail - So I'm wondering, am I being silly and I'm trying to do something which the system isn't designed to do?
    Many thanks for any advice!
    - Kogen

    You've not provided a lot of detail so I am going to suggest that you look at a common point of trouble. But before I do, I will ask, is your DNS working properly (forward and reverse resolution), and if so, when you open /System/Library/CoreServices/Kerberos, do you have a valid TGT after login (this is a Kerberos ticket granting ticket)?
    Ok, if the answers to those questions are yes and yes, then try this:
    1: On the server, open Terminal
    2: Type the following command:
    sudo serveradmin settings afp:kerberosPrincipal
    3: You should get a result that looks something like:
    afp:kerberosPrincipal = "afpserver/[email protected]"
    4: If you do not get this, then your AFP service is not configured to properly use Kerberos.
    5: Correct the value by using the serveradmin command line tool and determining your proper hostname (hostname) and realm name.
    Hope this helps. Oh, if the answers to either of the first two questions is no, then either fix DNS or resolve the issue of why you are not getting a TGT. Remember that time is critical. Your client and server must be within 5 minutes delta for basic authentication. Less than that for many services. Time and DNS is the mantra.
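    The checks in steps 1 to 5 and the DNS/TGT/time prerequisites above, as an added Python example that is not from the post: it validates an afp:kerberosPrincipal value against the expected afpserver/<fqdn>@<REALM> form, scans klist-style output for an unexpired TGT, and applies the 5-minute skew limit. The host od.example.com, the realm EXAMPLE.COM and the klist layout are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Kerberos rejects tickets when clocks differ by more than this (default).
MAX_CLOCK_SKEW = timedelta(minutes=5)
TIME_FORMAT = "%b %d %H:%M:%S %Y"  # constructed klist timestamp layout
TS = r"([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"


def parse_time(text):
    """Parse the 'Apr 10 09:00:00 2014' timestamps used in the sample below."""
    return datetime.strptime(text, TIME_FORMAT)


def check_afp_principal(serveradmin_output, hostname, realm):
    """Validate the `serveradmin settings afp:kerberosPrincipal` line against
    the expected form afpserver/<fqdn>@<REALM>. Returns a list of problems
    (empty list means the AFP service is set up to use Kerberos properly)."""
    m = re.fullmatch(r'\s*afp:kerberosPrincipal\s*=\s*"([^"]*)"\s*', serveradmin_output)
    if not m:
        return ["unexpected serveradmin output: %r" % serveradmin_output]
    value = m.group(1)
    m = re.fullmatch(r"([^/@]+)/([^/@]+)@([^/@]+)", value)
    if not m:
        return ["not a service principal: %r" % value]
    service, host, got_realm = m.groups()
    problems = []
    if service != "afpserver":
        problems.append("service part is %r, expected 'afpserver'" % service)
    if host.lower() != hostname.lower():
        problems.append("host part %r does not match hostname %r" % (host, hostname))
    if got_realm != realm.upper():
        problems.append("realm %r does not match %r" % (got_realm, realm.upper()))
    return problems


def has_valid_tgt(klist_output, realm, now):
    """Scan klist-style output for an unexpired krbtgt/REALM@REALM entry."""
    want = "krbtgt/%s@%s" % (realm.upper(), realm.upper())
    row = re.compile(r"\s*" + TS + r"\s+" + TS + r"\s+(\S+)")
    for line in klist_output.splitlines():
        m = row.match(line)
        if not m or m.group(3) != want:
            continue
        if parse_time(m.group(2)) > now:
            return True
    return False


def clock_skew_ok(client_time, server_time, max_skew=MAX_CLOCK_SKEW):
    """Client and server clocks must agree within the Kerberos skew limit."""
    return abs(client_time - server_time) <= max_skew


# Constructed sample inputs (placeholder host and realm, not from the post).
GOOD_OUTPUT = 'afp:kerberosPrincipal = "afpserver/od.example.com@EXAMPLE.COM"'
BAD_OUTPUT = 'afp:kerberosPrincipal = "afpserver/od.local@EXAMPLE.COM"'
KLIST_OUTPUT = """\
Credentials cache: API:1234
        Principal: kogen@EXAMPLE.COM

  Issued                Expires               Principal
Apr 10 09:00:00 2014  Apr 10 19:00:00 2014  krbtgt/EXAMPLE.COM@EXAMPLE.COM
Apr 10 09:01:00 2014  Apr 10 19:00:00 2014  afpserver/od.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    print(check_afp_principal(GOOD_OUTPUT, "od.example.com", "example.com"))
    print(check_afp_principal(BAD_OUTPUT, "od.example.com", "example.com"))
    print(has_valid_tgt(KLIST_OUTPUT, "example.com", parse_time("Apr 10 12:00:00 2014")))
```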

  • VNC and RDP problems with 1800W

    I have two 1800W routers, one in the main office the other at the secondary office. If I VNC or RDP from a PC in the main office to a PC in the secondary through the GRE tunnel I do not see the other screen, the mouse moves okay but no picture. If however, I do the same from the secondary office to the main office it works fine. I have tried changing the access-list, the NAT, everything, but nothing seems to work.
    I have the original network still going. It consists of (main) a 2600 and secondary a 1700. To setup the 1800 routers I copied the conf from the originals. The original network works fine both ways with both VNC and RDP.
    Any help would be greatly appreciated.

    Check your TCP segment size. To find out what it should be you can try the following.
    From a PC at site A, ping a PC at Site B. You need to set some ICMP switches though.
    C:\>ping 10.10.2.100 -f -l 1500
    The -f is set the Do Not Fragment flag, the -l is the send buffer size. Continue to do this each time decreasing the packet size until you have a successful ping. When you find that number, that is your maximum TCP segment size. You can then set that on the router. Any packet that is too big, the router will respond to the sending device saying it is too big, send a smaller size. It will do that until the packet is less than or equal to the number you set. In most routers the largest size you can set is 1460, so that might save you some time. To set it in the router, go to the tunnel interface and enter "ip tcp adjust-mss
    HTH and please rate.
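    The DF-ping search described above, as an added Python example that is not from the post: it runs the search as a binary search over a constructed stand-in for `ping -f -l N`, then applies the header arithmetic that turns the largest passing ping payload into a path MTU and a TCP MSS (20-byte IPv4 plus 8-byte ICMP headers on the probe, 20-byte IPv4 plus 20-byte TCP on a segment). The 24-byte GRE overhead (outer IPv4 plus a 4-byte GRE header, no options) is an assumption for a plain GRE tunnel.

```python
# Header sizes used to convert between ping payload, path MTU and TCP MSS.
IPV4_HEADER = 20
ICMP_HEADER = 8
TCP_HEADER = 20
GRE_OVERHEAD = 24  # assumption: outer IPv4 (20) + basic GRE header (4)


def largest_df_payload(probe, lo=0, hi=1500):
    """Binary search for the largest ping payload that still passes with the
    Do Not Fragment flag set. probe(n) must return True when a DF ping with n
    data bytes gets a reply; it is assumed monotonic (if n passes, n-1 passes).
    Returns None when even the smallest probe fails."""
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_payload(payload):
    """A ping of `payload` data bytes travels in an IP packet this large."""
    return payload + IPV4_HEADER + ICMP_HEADER


def mss_from_payload(payload):
    """The MSS to set with `ip tcp adjust-mss` for the same path."""
    return path_mtu_from_payload(payload) - IPV4_HEADER - TCP_HEADER


def simulated_probe(path_mtu):
    """Constructed stand-in for `ping -f -l N`: a DF probe is answered only
    when the whole IP packet fits the smallest link on the path."""
    def probe(n):
        return path_mtu_from_payload(n) <= path_mtu
    return probe


def gre_tunnel_mss(link_mtu=1500, gre_overhead=GRE_OVERHEAD):
    """Work the procedure through for a GRE tunnel over 1500-byte links."""
    path_mtu = link_mtu - gre_overhead
    payload = largest_df_payload(simulated_probe(path_mtu))
    return {
        "max_ping_payload": payload,
        "path_mtu": path_mtu_from_payload(payload),
        "mss": mss_from_payload(payload),
    }


if __name__ == "__main__":
    # Plain 1500-byte Ethernet gives the 1460 the reply mentions; the GRE
    # path is 24 bytes tighter.
    print(mss_from_payload(1472))  # 1460
    print(gre_tunnel_mss())  # {'max_ping_payload': 1448, 'path_mtu': 1476, 'mss': 1436}
```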

  • Ping and ssh don't work after waking from sleep

    Hi!
    I have been running Arch on my 2010 Macbook since May and there's always been this one annoyance which I can't figure out: after it is woken from sleep, the wireless (using netctl) happily reconnects and I can browse, check email, run pacman, do dns lookups---everything, it seems, apart from ssh or ping.  Both ping and ssh seem to hang.  If I reboot or restart [email protected], then they both work.
    Running :
    $ ssh XXX.XXX.XXX.XXX
    connect(3, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("XXX.XXX.XXX.XXX")}, 16
    where XXX.XXX.XXX.XXX is my work computer. (Full strace: http://pastie.org/private/xhmee0oltrnx3qmblnzq)
    Running strace ping google.com (as root) gives the repeated lines:
    $ strace ping google.com
    sendmsg(3, {msg_name(16)={sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("173.194.34.102")}, msg_iov(1)=[{"\10\0\270\345b\325\0\2\336\36QR\0\0\0\0\353\376\2\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 64}], msg_controllen=0, msg_flags=0}, 0) = 64
    recvmsg(3, 0x7fff2f6d6f90, 0) = -1 EAGAIN (Resource temporarily unavailable)
    (Full strace: http://pastie.org/private/bfygaqtccz0ms2w8hqea4g)
    I can, however, successfully ping my router and other devices connected to it.  I have not been able to find out anything relevant that might fix this. I've checked the MTU settings match those on the router and my other laptop running Arch does not have this problem.
    Any suggestions on how to debug this further?
    Thanks!

    I have several mid-2009 8-core Mac Pro's, all running Snow Leopard, and all have been having this problem as well.
    I will not guarantee this is going to work for anyone else....but we have found a (slightly inelegant) workaround for it that has been working for several weeks now without fail.
    Prior to putting your MacPro to sleep, run the volume all the way up and leave it there. Afterwards, put it to sleep as usual. We use the keyboard to do this, but I would imagine any method should have the same effect. However, I've not experimented.
    Anyway...this has worked 100% of the time for us. The only downside of it is that you have to remember to run it up before....and then back down after waking (else that first alert sound or music file you play will really wake YOU up!)
    If this works for anyone else, let me know.
    Apple should never have let this one out the door with this bug. Especially, as Apple Support is....wanting, at best.
    ...sT

  • CW LMS IPSec and SSH or... SNMPv3 for security?

    Two questions?? IPSec and SSH, and SCP? or SNMPv3? to protect my SNMP etc. traffic? If the answer is IPSec then how do you set up the LMS/Windows 2003 server side of the tunnel?
    Will the LMS SSH run inside of the tunnel? SCP? How big of a hit will I take on the CPU? How slow? Is DES56 being used for encryption on both? (Sorry, that's more than 2 questions) thx

    I would go for SNMPv3, it would be the easier to setup and manage. For the RME portion go for SSH, just make sure that SNMPv3 is supported on all desired applications (RME,DFM,HUM,CM etc.)
    I don't think they all support V3 yet.
    Regards
    Farrukh

  • OD, Kerberos, SPNEGO and Single Sign-On

    I have been asked to identify ways to improve a company intranet, the entire network is Mac OS X for both clients and servers. The first thing I thought of was using Kerberos for Single Sign-on functionality. Is anyone familiar with any issues surrounding setting this up in an all OS X environment. The Intranet hosts a number of web applications that would need to be converted to use Kerberos authentication and I just wanted to know if anyone is aware of any issues with the Apache mod_spnego or Safari 2.x's support for SPNEGO that could make things difficult. Also, I'm coming up blank for all my searches for any implementation instructions that might be out there so if anyone knows of any implementation descriptions that could be really helpful.
    Thanks,
    James

    Hi,
    the best thing would be the mapping, I thought it would work either the SSO was activated or not. I thought that once the system can't match the user with SSO it would try with the mapped user.
    The problem if I am not wrong is that the index_service user can't be created in R/3 side, the name is too long. I guess you'll have to find another workaround.
    Gregori Coll Ingles.

  • HT200259 Configuring adaptive firewall for VNC and RDP connections

    Hello, I'm using Yosemite with OSX Server.  Is there a way of configuring adaptive firewall for VNC and RDP connections?

    Apple has never documented what the adaptive firewall really does, as far as I know. It seems that the built-in network services send it some kind of notification whenever there is a connection attempt. The Screen Sharing service is one of those, so it should be protected. There is no built-in RDP service, so if you somehow added one, it would not be protected.
