XDMCP and a tale of a firewall

Recently we acquired a new firewall to place in between our datacenter and the rest of our network.  This is a fairly standard security procedure used to isolate the servers from the rest of a network that can be loaded with all kinds of nasty spyware, malware and viruses, not to mention really nifty people that want to violate the security of the data.

Security is a two-edged sword for many systems folk. Firewalls are really great security tools, yet they can also get in the way of nice tools that provide access into the servers for remote administration.

Prior to the placement of the new firewall, I often used XDMCP sessions to access my unix servers from the comfort of my office, rather than traipsing to the data center to use the console.  While these servers do have iLOM ports, there are some interface issues that make their use less elegant than I would wish.

After the new firewall entered the equation, I found that my normal XDMCP setup using Xephyr on my iMac no longer worked for some reason.  It appeared that some of the rulesets were blocking either the particular TCP or UDP traffic necessary for the communication to work.  Rather than worry our firewall administrator with troubleshooting the issue, I decided to find another way in via ssh.

It turns out that I could easily tunnel an X11 login session through an ssh session.  Given that I have sshd configured to allow for TCP forwarding I was able to use an Xnest session that was initiated after logging in via ssh.  Here’s the process I used:

First you need to initiate the ssh session while enabling X11 TCP forwarding.  Depending on your particulars this can be done by one of the following commands:

bash-3.2$ ssh -X server.example.com
bash-3.2$ ssh -Y server.example.com

The next command is executed on the server, but the X11 session is actually displayed by the X11 installation on the local workstation, over the forwarded connection:

Xnest :1 -geometry 1280x1024 -query localhost -terminate

Here’s a breakdown of the command parameters:

:1

selects the display number for the nested X11 session; display 0 is the default, normally taken by the existing X11 server

-geometry

sets the screen resolution (width x height) of the X11 window on the local workstation

-query localhost

names the host whose display manager Xnest queries over XDMCP; since the command runs on the server, localhost is the server itself

-terminate

closes the XDMCP session (and exits Xnest) once the user logs out

All of this can actually be accomplished with a single step, by chaining the ssh login command with the Xnest command:

ssh -X REMOTESERVERNAME Xnest :1 -geometry 1280x1024 -query localhost -terminate
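As an added example (not code from the original post), here is the one-liner above wrapped in a small script that checks its inputs before running it. It assumes, hypothetically, a host server.example.com that accepts ssh with X11Forwarding enabled in sshd_config and has Xnest installed, and a local workstation that is already running an X server. The security point it makes explicit: with -query localhost, XDMCP (UDP 177) stays on the server's own loopback and only TCP 22 has to cross the firewall, and untrusted forwarding (-X) is the default unless trusted (-Y) is asked for by name.

```shell
#!/bin/sh
# Added example (not code from the original post): wraps the post's
# "ssh -X host Xnest ..." one-liner with input checks. Assumptions, not from
# the page: server.example.com accepts ssh with X11Forwarding enabled in
# sshd_config and has Xnest installed; the local workstation runs an X server.

# Display number for the nested server: a positive integer. :0 is refused
# because that is the display the real X server on the box already owns.
valid_display() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ]
}

# Geometry must look like WIDTHxHEIGHT, e.g. 1280x1024.
valid_geometry() {
  w=${1%%x*}
  h=${1#*x}
  [ "$w" != "$1" ] || return 1            # no 'x' separator at all
  [ -n "$w" ] && [ -n "$h" ] || return 1  # both halves present
  case "$w$h" in *[!0-9]*) return 1 ;; esac
}

# The host name is passed to eval below, so allow only hostname characters.
valid_host() {
  [ -n "$1" ] || return 1
  case "$1" in *[!A-Za-z0-9._-]*) return 1 ;; esac
}

# Print the command line: ssh carries the X11 connection, Xnest runs on the
# server and queries the display manager on the server's own loopback, so
# XDMCP (UDP 177) never has to cross the firewall; only port 22 does.
build_cmd() {
  host=$1; disp=${2:-1}; geom=${3:-1280x1024}; mode=${4:-untrusted}
  valid_host "$host"     || { echo "bad host name: $host" >&2; return 1; }
  valid_display "$disp"  || { echo "bad display number: $disp" >&2; return 1; }
  valid_geometry "$geom" || { echo "bad geometry: $geom" >&2; return 1; }
  # -X asks for untrusted forwarding (subject to ForwardX11Trusted in
  # ssh_config); -Y gives the remote side full access to the local display
  # and is only used when the caller explicitly asks for it.
  if [ "$mode" = trusted ]; then flag=-Y; else flag=-X; fi
  printf 'ssh %s %s Xnest :%s -geometry %s -query localhost -terminate\n' \
    "$flag" "$host" "$disp" "$geom"
}

main() {
  [ $# -ge 1 ] || { echo "usage: $0 host [display] [geometry] [trusted]" >&2; return 2; }
  # ssh -X cannot forward anything without a local X server to forward to.
  [ -n "$DISPLAY" ] || { echo "DISPLAY is not set; start X11 first" >&2; return 1; }
  cmd=$(build_cmd "$@") || return 1
  echo "running: $cmd"
  eval "$cmd"
}

# Only act when called with arguments, so the file can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Run it as `sh xnest-tunnel.sh server.example.com 1 1280x1024`; add a fourth argument `trusted` only when an application genuinely needs the SECURITY-extension restrictions lifted, since -Y lets the remote session read and inject input on the local display.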

iPad for the sysadmin

A few weekends ago I had the privilege of being assigned to evaluate an iPad for use as a support tool by my boss. (thanks Ike!)

The first order of business was to figure out some basic tasks that we would need to accomplish as sysadmins that we could realistically use the iPad for.

Remote control via ssh for a unix server

For ssh I already had the iSSH application by Zinger-Soft [iTunes]. Fortunately they updated the application to be a universal application for both the iPhone and the iPad. I had used it with a fair amount of success on my iPhone in the past to reboot several servers over both WiFi and 3G data, most notably when I needed to reboot a MySQL server while on the way to Atlanta on I-75.

I was pleased with the changes that they made for the expanded screen real estate of the iPad. The split screen function when in portrait mode is quite useful when you need to juggle two connections at the same time, even if it can be a bit confusing at first.

The ability to handle X11 forwarding is also a nice touch, because there are some administration activities that require the GUI even on a unix system (think that favorite Oracle installer that we all know and love).

Remote access via RDP to Windows servers and desktops

Generally this is actually an easier task to sort out, due to the number of RDP clients that exist for the iPad. There are more clients out there to handle this than you can shake a stick at, however they don’t all have the same features. The fly in the ointment with RDP support is the ability to work with the widest variety of server and desktop OS installations, with encryption, etc. The large majority of them did state that they supported Server 2003 and 2008 as well as Windows XP, Vista and 7.

What took some doing was to find a client that would work in our security environment. Currently we require that all off-site RDP connections be tunneled through SSH. It turns out that none of the RDP clients out there support this yet. One of the most promising from this standpoint looks like iTap RDP by Honeder Lacher Wallner Softwareentwicklung OEG [iTunes]. This client supports FIPS and NLA. They have a nice compression algorithm that makes the connection work well even on a 3G network. While they don’t currently support RDP over SSH tunnels, this is a planned feature in a future release.

Another possibility, depending on where we go with our VDI initiative, is Wyse PocketCloud by Wyse Technology [iTunes]. PocketCloud for iPad supports both VMware View connections and standard RDP connections. This is the application I ended up testing, and I must say, I was pretty happy with it. The manner in which it handles the mouse functionality is superb. The support for the application seems a little subpar, but there is a fairly active forum.

Currently the only solution that I was able to find was to use iSSH for a tunneled VNC connection, since iSSH supports this. Of course, this means that you will need to install a VNC server on your desktop or server, but in my testing it did seem to work fairly well, if a little sluggishly. One advantage to this is the fact that Mac OS X includes a VNC server by default, making connections to Mac servers and clients a fairly easy thing to accomplish. With Windows 2008, it was a little more challenging due to the changes in security that were added by the UAC system from MS. I was unsuccessful in getting the RealVNC Enterprise trial to work properly, however the beta of TightVNC worked nicely. The latest version of iSSH does support ssh tunnels. When you combine this with multitasking support on iOS 4 you then have the ability to access a remote machine through a perimeter firewall without the need for a VNC server. Unfortunately, this support is useless on the iPad until we get iOS 4, but it is nice to know that it is there.
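The "RDP or VNC tunneled through SSH" rule described in this section, as an added example written for a desktop shell rather than any of the iPad apps reviewed above (this is not code from the post or from those apps). The host names are placeholders: gateway.example.com stands for the ssh host that the perimeter firewall admits, and the targets sit behind it. The script pins the tunnel listener to 127.0.0.1 so that only the workstation itself can use the forwarded port, and makes ssh exit if the forward cannot be established.

```shell
#!/bin/sh
# Added example, not from the post or from any of the apps it reviews: the
# desktop equivalent of the "RDP/VNC tunneled through SSH" rule the post
# describes. Assumed names (placeholders, not from the page): gateway.example.com
# is the ssh host that is allowed through the perimeter firewall, and the
# target hosts sit behind it.

# Well-known port for the service being tunnelled. VNC display N is 5900+N.
service_port() {
  svc=$1; disp=${2:-0}
  case "$disp" in ''|*[!0-9]*) return 1 ;; esac
  case "$svc" in
    rdp) echo 3389 ;;
    vnc) echo $((5900 + disp)) ;;
    *)   return 1 ;;
  esac
}

valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_host() {
  [ -n "$1" ] || return 1
  case "$1" in *[!A-Za-z0-9._-]*) return 1 ;; esac
}

# Build the port-forward. The listener is pinned to 127.0.0.1 on purpose: a
# bind of 0.0.0.0 (or ssh -g) would let every host on the local network use the
# tunnel into the datacenter. -N opens no shell, and ExitOnForwardFailure makes
# ssh exit instead of quietly leaving a session with no forward in place.
tunnel_cmd() {
  svc=$1; target=$2; lport=$3; gw=$4; disp=$5
  rport=$(service_port "$svc" "$disp") || { echo "unknown service/display: $svc $disp" >&2; return 1; }
  valid_port "$lport" || { echo "bad local port: $lport" >&2; return 1; }
  valid_host "$target" && valid_host "$gw" || { echo "bad host name" >&2; return 1; }
  printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
    "$lport" "$target" "$rport" "$gw"
}

# The client command to run once the tunnel is up; it talks only to loopback.
# For vncviewer the double colon selects a port rather than a display number.
client_cmd() {
  case "$1" in
    rdp) echo "rdesktop 127.0.0.1:$2" ;;
    vnc) echo "vncviewer 127.0.0.1::$2" ;;
    *)   return 1 ;;
  esac
}

main() {
  [ $# -ge 4 ] || { echo "usage: $0 rdp|vnc target localport gateway [vnc-display]" >&2; return 2; }
  cmd=$(tunnel_cmd "$@") || return 1
  echo "tunnel: $cmd"
  echo "then:   $(client_cmd "$1" "$3")"
  eval "$cmd"
}

# Only act when called with arguments, so the file can also be sourced.
[ $# -eq 0 ] || main "$@"
```

`sh tunnel.sh vnc macserver.example.com 5901 gateway.example.com 0` brings up the tunnel in the foreground; the VNC or RDP client then connects to 127.0.0.1 on the chosen local port and never sees the datacenter address directly.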

Access to various web-based support services

This is not really much of a challenge, however it is worth mentioning that there are a number of web-based systems that don’t cooperate easily with Mobile Safari for various reasons. Some of them are Flash-based, which obviously won’t work, others are just not designed to work properly on a touchscreen device. Your mileage may vary.

Password storage

As is the case with most system admins, I have far more passwords to keep up with than I can easily remember. When you combine that with the necessity of locking accounts after a certain number of failed attempts, it rapidly becomes necessary that I have a secure method of carrying passwords with me.

On my iPhone I have been using Lockbox Pro by GEE! Technologies [iTunes] for a while now, however in investigating an app for the iPad I spent a fair amount of time playing around with SplashID by SplashData [iTunes]. (Also, it looks like GEE! Technologies is having issues, since the company website link for their app in the AppStore doesn’t work and the support website looks fairly similar to the myriad of web-squatter websites that are out there.) Now if you use password managers, you most likely have run into SplashID before. One of the major points in its favor is the use of 256-bit Blowfish encryption. New for the iPad version is the ability to use a swipe pattern to unlock the application, similar to the process that you can use to unlock some Android-based devices. It also supports numeric and alpha passwords for unlocking the database.

One of my favorite features of Lockbox Pro is the ability to have a large number of additional fields for an entry, not just a username and password. SplashID also has this feature. Also, another great advantage to SplashID is the ability to have a desktop application (both Mac and Windows) that you can sync your mobile device to. Not only does SplashID support the iPhone, iPad and iPod Touch, they also have clients for Android, WebOS, PalmOS, Blackberry and Series 60. The simple fact that I can sync my password data between multiple devices as well as my desktop makes this an ideal application. SplashID also supports auto-fill for websites, if that is your thing. Of course, if you want it all on the iPhone, iPad and the desktop you are going to have to fork out a lot of money, since each application is a separate charge.

Access to notes, procedures and documentation

As an admin, one of the most useful applications is one that allows me to have notes, procedures and documentation available when I need it. It can be difficult to juggle a keyboard, serial cable and a big fat, dead-tree manual when in a datacenter, so having the essential docs on hand in a mobile environment is a must.

I think there are actually more possibilities in this particular category than any other I researched for this post. I have been a big fan of Evernote by Evernote Corp [iTunes] since it was released. It syncs to both the iPhone and iPad, as well as to the client on my desktop. Combine those abilities with web-clipping functionality in both Safari and Firefox on the desktop and you have a great tool for support.

Of course, sometimes you will need to store large documents, and unless you feel like paying for storage with Evernote, it might not work to upload the entire Solaris 10 reference, or the latest edition of the PHP function reference. To begin with I started searching for the perfect sysadmin application in the App Store, then I realized that I already had it, iBooks [iTunes]. With iBooks 1.1, Apple made PDF storage easy. Just drag the PDF into your Books section in iTunes and sync. Voila! Of course to make the docs more useful, they need to be converted into eBook format so that you can use the highlighting and search features, but in a pinch a raw PDF is quite handy.

I wish I could do that

There are still some things that I wish I could do with the iPad, however I doubt I will get them.  One item on my wishlist would be a mechanism to allow me to use the iPad as a serial terminal.  Frequently I have to use a laptop with a serial port (or USB-to-serial adapter) to connect to a server in order to access the console.  It would be really nice to be able to do this from the iPad.  Another feature that would be nice would be something along the lines of the certificate management that you have in the Keychain Access application on the Mac.  I can see where it could come in handy to be able to import and export SSL certs from the device.

Xephyr, RHEL5 and Mac OS X 10.5

When doing system administration it is often more convenient to connect to a server through some sort of remote connection setup rather than having to sit at a console in a datacenter.  The comfort of one’s office (or living-room) is often far superior in terms of noise and temperature than the environs of the datacenter itself.

When setting up the RHEL5 server this week here at VSU, I was forced to use the Sun iLOM connection to do the initial install of the server.  While I generally use command-line only tools, the ease of use one gains from the GUI tools can often make some tasks much simpler.  Towards this end I decided to set up the server and my client to allow XDMCP sessions so that I could have full access to the GUI when necessary.

On the server there are a couple of things that you need to configure in order to make this work:

  1. Firewall ports
  2. GDM configuration options

On the client you will need to configure the OS X firewall, as well as use the correct Xephyr connection syntax.
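As an added example (not code from the original post, whose details continue on its own page), the following script produces the server-side pieces the list above names, for GDM on RHEL5, together with the client-side Xephyr line and the return port the client firewall has to admit. Assumptions that are not from the page: 10.0.5.0/24 is the admin network the Mac sits on, server.example.com is the RHEL5 box, and the config directory is passed in as an argument so the function can be exercised against a scratch directory instead of /etc/gdm.

```shell
#!/bin/sh
# Added example, not from the original post: the server-side pieces listed
# above (firewall port, GDM option) for GDM on RHEL5, plus the matching
# Xephyr line for the client. Assumptions, not from the page: 10.0.5.0/24 is
# the admin network, server.example.com is the RHEL5 host.

# GDM on RHEL5 reads /etc/gdm/custom.conf; the [xdmcp] section turns the
# XDMCP listener on. The directory is a parameter so the function can be
# tested against a scratch directory; pass /etc/gdm for real use, then
# restart gdm.
write_gdm_conf() {
  dir=$1
  mkdir -p "$dir" || return 1
  printf '[xdmcp]\nEnable=true\n' > "$dir/custom.conf"
}

# Require a dotted address with an explicit prefix length, e.g. 10.0.5.0/24.
valid_cidr() {
  case "$1" in ''|*[!0-9./]*) return 1 ;; esac
  [ "${1#*/}" != "$1" ]
}

# XDMCP is a cleartext UDP protocol on port 177 that does not authenticate
# the client, so the rule admits only the admin subnet rather than any source.
# -I puts the rule ahead of RHEL5's default REJECT at the end of the chain.
xdmcp_rule() {
  valid_cidr "$1" || { echo "bad CIDR: $1" >&2; return 1; }
  echo "iptables -I INPUT -p udp --dport 177 -s $1 -j ACCEPT"
}

# The display manager connects BACK to the client's X server: Xephyr display
# :N listens on TCP 6000+N, and that is the port the OS X firewall must allow.
xephyr_return_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  echo $((6000 + $1))
}

# Client side: Xephyr takes -screen WxH (Xnest uses -geometry instead).
xephyr_cmd() {
  disp=$1; geom=${2:-1280x1024}; server=$3
  [ -n "$server" ] || { echo "server name required" >&2; return 1; }
  echo "Xephyr :$disp -screen $geom -query $server"
}

main() {
  [ $# -ge 2 ] || { echo "usage: $0 gdm-conf-dir admin-cidr [server] [display]" >&2; return 2; }
  write_gdm_conf "$1" || return 1
  echo "wrote $1/custom.conf"
  echo "server firewall: $(xdmcp_rule "$2")" || return 1
  srv=${3:-server.example.com}; d=${4:-1}
  echo "client firewall: allow inbound TCP $(xephyr_return_port "$d") to Xephyr"
  echo "client command:  $(xephyr_cmd "$d" 1280x1024 "$srv")"
}

# Only act when called with arguments, so the file can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Because XDMCP and the X traffic it sets up are unencrypted, this arrangement belongs on a trusted admin network only; across a firewall or any untrusted segment the ssh-tunnelled variant described in the first post above is the better fit.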

Adding an Active Directory group to local admin on Mac OS X 10.5

One of the standard methods of configuring Mac OS X in the enterprise has become known as the magic triangle or golden triangle. This is generally described as a setup involving Active Directory (AD) for authentication of the clients and services and Open Directory (OD) for managing the client preferences.  The triangle comes from the fact that you have the Mac clients talking to AD, the clients also talking to OD, and the Mac server talking to AD. (Apple officially calls this the magic triangle setup in the Snow Leopard Server Open Directory Administration documentation.)

One of the issues I ran into was granting a non-admin in AD the ability to perform administrative functions on the clients bound to AD.  The way this is handled with the Windows clients is for the particular AD user to be a member of a group that grants local administrator privileges.

Unfortunately there is no simple equivalent on the OD side of the equation to allow this for the technicians working on the Mac OS X clients.  If you add an AD user to the system level group Open Directory Administrators using Workgroup Manager (WGM) this has no effect on whether a user is granted local administrator privileges to a connected client machine.

The solution to this involves:

  1. creating a group in OD to hold the members of AD that should have local administrative privileges,
  2. adding this OD group to the requisite local workstation groups to mimic the standard administrative privileges, and
  3. adding the OD group to the sudoers file.
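The client-side half of the three steps above (steps 2 and 3, run on each bound Mac OS X 10.5 workstation), as an added example that is not code from the original post. It assumes, hypothetically, that the OD group created in step 1 is called odadmins, that the OD node is already in the workstation's directory search path so the name resolves, and that the local groups an admin account normally belongs to on 10.5 are admin, _lpadmin, _appserveradm and _appserverusr. The group name is validated before it reaches sudoers or a shell command, and the sudoers edit goes through visudo -c so a syntax error cannot lock everyone out of sudo.

```shell
#!/bin/sh
# Added example, not from the original post: steps 2 and 3 above on a bound
# Mac OS X 10.5 client. Assumptions, not from the page: the OD group is
# "odadmins", the local groups an admin normally belongs to are admin,
# _lpadmin, _appserveradm and _appserverusr. Run as root; DRY_RUN=1 prints the
# commands instead of executing them.

# A group name ends up in sudoers and in shell commands, so restrict it to
# plain name characters; a name with spaces would need escaping in sudoers
# and is refused here rather than mangled.
valid_group() {
  [ -n "$1" ] || return 1
  case "$1" in *[!A-Za-z0-9._-]*) return 1 ;; esac
}

# Nest the OD group inside each local group with dseditgroup; "-t group"
# marks the member being added as a group rather than a user.
nest_commands() {
  valid_group "$1" || { echo "bad group name: $1" >&2; return 1; }
  for g in admin _lpadmin _appserveradm _appserverusr; do
    echo "dseditgroup -o edit -n /Local/Default -a $1 -t group $g"
  done
}

# The sudoers rule is group-scoped (%group): members of the OD group get
# sudo, and no other account's rights change.
sudoers_line() {
  valid_group "$1" || { echo "bad group name: $1" >&2; return 1; }
  echo "%$1 ALL=(ALL) ALL"
}

main() {
  [ $# -eq 1 ] || { echo "usage: $0 od-group-name" >&2; return 2; }
  cmds=$(nest_commands "$1") || return 1
  line=$(sudoers_line "$1") || return 1
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$cmds"
    echo "append to /etc/sudoers: $line"
    return 0
  fi
  echo "$cmds" | while read -r c; do $c || exit 1; done || return 1
  # Edit a copy and let visudo -c validate it before it replaces the live
  # file: a syntax error in sudoers locks everyone out of sudo.
  tmp=$(mktemp /tmp/sudoers.XXXXXX) || return 1
  { cat /etc/sudoers && echo "$line"; } > "$tmp" || return 1
  if visudo -c -f "$tmp"; then
    cp "$tmp" /etc/sudoers
  else
    echo "sudoers check failed; live file left untouched" >&2
    rm -f "$tmp"; return 1
  fi
  rm -f "$tmp"
}

# Only act when called with an argument, so the file can also be sourced.
[ $# -eq 0 ] || main "$@"
```

`DRY_RUN=1 sh od-local-admin.sh odadmins` shows the four dseditgroup invocations and the sudoers line without changing anything, which is the form to keep alongside the procedure for review before it is pushed to the workstations.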
