Category Archives: Apple

Remotely disabling Firewall of Mac OS X

I just happened to be unable to log in to my Mac using ScreenSharing (VNC). It is enabled, but probably the firewall is asking if ScreenSharing should be allowed to receive incoming connections… Bummer!

If at least SSH is working, it is possible to disable the firewall completely from the command line. Please be sure to only do this in a secured environment:

sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 0

After this you will have to restart the firewall agent:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist

You should now be able to use ScreenSharing.

Do not forget to re-enable the firewall after you have finished your work: same procedure, but with 1 instead of 0, of course 🙂

To enable ScreenSharing in general, please read this older post: Activate screen sharing on Mac OS X when you only have SSH enabled

FhGFS glitches

Installing FhGFS leads to a few small glitches. I am installing on Debian 7.0 and running the GUI through XQuartz on Mac OS X.

  • to avoid the XTEST error message when starting the Java GUI, follow the instructions on http://xquartz.macosforge.org/trac/ticket/414 and enter defaults write org.macosforge.xquartz.X11 enable_test_extensions -bool yes in a terminal window before starting the GUI
  • if you are using a proxy, be sure to define it in /etc/environment before starting the admon process or else the automatic wget downloads will fail

IPSEC using Strongswan for iPhones and Mac computers

If you want to use the built-in IPSEC VPN clients of iPhones and Mac computers, there is very good documentation on the Strongswan site itself.

Two things are most important. First, you have to make sure your binaries have been built using the --enable-cisco-quirks option. Then Strongswan behaves like a Cisco router and you can make an IPSEC-only tunnel. [This is not necessary anymore.]

The second issue (which is important for the Mac computers; iPhones seem to ignore this) is the server certificate. You must add the server’s fully qualified domain name, as it is seen by the clients, to the certificate’s common name (which is normal) and also as the “X509v3 Subject Alternative Name” entry “DNS:your.domain.tld”. Otherwise you will get the message that your server’s certificate is not correct.

Since my ipsec binaries were unable to add the “Subject Alternative Name”, I went back to good old openssl to create my CA and certificates. It is all standard, but you have to add the option “subjectAltName = DNS:copy:commonName” to openssl.cnf (server_cert section).

If you follow the documentation mentioned above and the two issues explained here you will be able to use the tunnel for both iPhones and Macs!

Temporary IPv6 address not MAC based

If you want to get a temporary IPv6 address which is not MAC based (so that you do not always surf with the same address, which would allow you to be tracked), you should enter

sudo sysctl -w net.inet6.ip6.use_tempaddr=1

on your Mac’s command line. You will then get an additional temporary IPv6 address which does not reveal your network card’s MAC address as part of it. This gives a bit more privacy!

Should also work on iPhone/iPad in case of a JB!
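To see what the sysctl above protects against, here is an added Python example (mine, not from the original post) that builds the EUI-64 address a host derives from its MAC when use_tempaddr is off, and recovers the MAC from any address that carries such an identifier. The MAC, prefix and addresses are constructed sample values, not taken from a real interface.

```python
import ipaddress

# Constructed sample values for this example: the MAC and the addresses below
# are made up, not read from a real network card.
SAMPLE_MAC = "00:16:94:09:aa:aa"


def mac_from_eui64(addr: str):
    """Return the MAC address embedded in an IPv6 address, or None.

    A modified EUI-64 interface identifier is built from the 48-bit MAC by
    inserting 0xFFFE between the OUI and the device part and flipping the
    universal/local bit (bit 1 of the first octet). Reversing those two steps
    recovers the MAC. A randomised (temporary) identifier can contain 0xFFFE at
    that position by chance (1 in 65536), so treat a hit as strong evidence,
    not proof.
    """
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]          # low 64 bits: the interface identifier
    if iid[3:5] != b"\xff\xfe":  # no 0xFFFE marker -> not EUI-64 derived
        return None
    first = iid[0] ^ 0x02        # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def is_mac_based(addr: str) -> bool:
    """True if the address would reveal a MAC address (EUI-64 interface ID)."""
    return mac_from_eui64(addr) is not None


def eui64_address(prefix: str, mac: str) -> str:
    """Build the SLAAC address a host forms from `prefix` without use_tempaddr."""
    octets = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


if __name__ == "__main__":
    stable = eui64_address("2001:db8:1::/64", SAMPLE_MAC)       # what SLAAC gives you
    temp = "2001:db8:1::a1b2:c3d4:e5f6:7890"                    # a temporary-style address
    for a in (stable, temp):
        print(a, "->", mac_from_eui64(a) or "no MAC embedded")
```

Feed the function the addresses `ifconfig` shows for your interface: the one with `94ff:fe09`-style bytes in the middle is the stable address, and the additional one that appears after setting use_tempaddr should report no MAC.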

iPhone Certificates

Today I was wondering how to get my own CA’s root certificate AND a certificate signed by my own CA onto my iPhone.

After reading lots of stuff I finally made it:

First, send an email containing your CA’s root certificate (the .crt file) to an address which you will receive on your iPhone. Open this mail, click on the attachment – and voilà, you will be asked to install that certificate. Do it 🙂

Your “Identity” – which consists of your client’s .crt and .key files – needs to be converted into a single PKCS12 .p12 file to be understood by the iPhone.

This conversion can be done by the following command (taken from http://shib.kuleuven.be/docs/ssl_commands.shtml):

openssl pkcs12 -export -in your_iphone_s.crt -inkey your_iphone_s.key -out your_iphone_s.p12 -name "name_of_your_iphone" -CAfile your_ca_s.crt -caname "your_ca_s_name" -chain

You will be asked for an export password which will protect your identity during transmission via email later. If your_iphone_s.key is protected with a password you will probably be asked for that one, too – but this was not the case with my file, so I cannot tell you.

Again, mail the resulting your_iphone_s.p12 to an address which you will receive on your iPhone. Open this mail, click on the attachment – and voilà, you will be asked to install that PKCS12 identity. Do it 🙂

You will be asked for the export password which you entered when creating the .p12 file.

How to compile the client of Bacula 5.0.2 on Mac OS X Snow Leopard 64bit

After fiddling around for quite a while I finally managed to compile a working 64-bit client of Bacula 5.0.2 for Mac OS X Snow Leopard (10.6.4).

After downloading the source tar.gz from http://www.bacula.org you would untar the file, enter the directory – and there is a special make command, make -C platforms/osx, to compile the client. This does not work on 10.6.4, and not for 64-bit.

My patch (bacula-5.0.2-snowleopard-64bit.patch.gz) can be applied as follows:

  • Download bacula-5.0.2.tar.gz from http://www.bacula.org
  • tar xvzf bacula-5.0.2.tar.gz
  • cd bacula-5.0.2/platforms/osx
  • zcat ../../../wherever_you_saved_the_patch/bacula-5.0.2-snowleopard-64bit.patch.gz | patch -p1
  • make dmg

You will then find a mountable DMG within the products directory.

My patch changes the following:

  • Runs the file daemon as root after startup of the system
  • Creates the config file with a director name of bacula-dir – to change this, edit the file resources/postflight.in AFTER patching and replace bacula-dir with your_director_host-dir. This way all your clients already know the director host!
  • Compiles a native 64-bit executable under 10.6.4 with the current SDKs

Hope this will help others!

iPhone refusing to re-pair with headset

For whatever reason today my iPhone and my Sennheiser MM 450 did not want to communicate with each other anymore via Bluetooth. I managed to factory reset my headset, but of course wanted to avoid this on my iPhone. But no chance, no new pairing happened and I could not get rid of the old entry of the headset in my iPhone list.

After a lot of searching and playing around I found two files on the iPhone you have to edit:

Convert the first file into editable XML format:

plutil -convert xml1 /private/var/mobile/Library/Preferences/com.apple.MobileBluetooth.devices.plist

Here you will find your device’s MAC address (00:16:94:09:AA:AA) which you will need for the second file:

sqlite3 /Library/Keychains/keychain-2.db

Look for your MAC address in the output of the command

select * from genp;

It will look like this:

54||||||||||||||00:16:94:09:AA:AA|MobileBluetooth||h######a;#########9Hx###fd######a####zo####

To remove that line, which has 54 in the first column (the rowid), enter

delete from genp where rowid=54;

and your iPhone will not know how to talk to your headset anymore and ask for re-pairing.

Of course you will need to have a JB iPhone and the packages com.ericasadun.utilities and sqlite3 available via Cydia!

I hope this saves you a reset of your networking settings as it did for me!
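The same lookup and deletion done as an added Python example rather than by hand in the sqlite3 shell (my example, not from the original post). It runs against a constructed in-memory stand-in for genp with only three of the real table's columns (the actual keychain-2.db has many more), filters on svce = 'MobileBluetooth' as well as the MAC so a mistyped rowid cannot remove an unrelated keychain item, and reports how many rows went away. Point it at a copy of the database first.

```python
import sqlite3

# Constructed, simplified stand-in for the iPhone keychain-2.db: the real genp
# table has many more columns; only the ones this example touches are modelled.
# The MAC is the sample value from the post, the other rows are invented.
SAMPLE_ROWS = [
    ("wifi-password", "AirPort", b"secret"),
    ("00:16:94:09:AA:AA", "MobileBluetooth", b"\x68\x00\xfd\x00link-key"),  # the stale pairing
    ("user@example.invalid", "mail", b"pw"),
]


def open_sample_db() -> sqlite3.Connection:
    """Create an in-memory database shaped like genp for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE genp (acct TEXT, svce TEXT, data BLOB)")
    conn.executemany("INSERT INTO genp (acct, svce, data) VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_pairings(conn: sqlite3.Connection, mac: str):
    """Return (rowid, acct, svce) for every MobileBluetooth item matching the MAC."""
    cur = conn.execute(
        "SELECT rowid, acct, svce FROM genp "
        "WHERE svce = 'MobileBluetooth' AND upper(acct) = upper(?)",
        (mac,),
    )
    return cur.fetchall()


def delete_pairing(conn: sqlite3.Connection, mac: str) -> int:
    """Delete the link-key rows for one headset; returns how many rows were removed.

    A parameterised DELETE restricted to svce = 'MobileBluetooth' avoids the two
    classic mistakes of hand-typed SQL: a typo in the rowid that removes an
    unrelated keychain item, and an unfiltered DELETE that empties the table.
    """
    rows = find_pairings(conn, mac)
    if not rows:
        return 0
    with conn:  # transaction: all rows go, or none do
        cur = conn.execute(
            "DELETE FROM genp WHERE rowid IN (%s)" % ",".join("?" * len(rows)),
            [r[0] for r in rows],
        )
    return cur.rowcount


if __name__ == "__main__":
    db = open_sample_db()
    print("before:", find_pairings(db, "00:16:94:09:AA:AA"))
    print("deleted:", delete_pairing(db, "00:16:94:09:AA:AA"))
    print("after:", find_pairings(db, "00:16:94:09:AA:AA"))
```

To use it on the phone, replace open_sample_db() with sqlite3.connect("/path/to/copy/of/keychain-2.db") and check the output of find_pairings before calling delete_pairing.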

How to compile Bacula FD 2.2.8 on Mac OS X 10.6 Snow Leopard

First patch the original source code with this:

--- ./src/filed/restore.c-orig 2009-11-06 10:20:57.000000000 +0100
+++ ./src/filed/restore.c 2009-11-06 10:22:43.000000000 +0100
@@ -153,7 +153,7 @@
uint32_t buf_size; /* client buffer size */
int stat;
ATTR *attr;
- intmax_t rsrc_len = 0; /* Original length of resource fork */
+ int64_t rsrc_len = 0; /* Original length of resource fork */
r_ctx rctx;
/* ***FIXME*** make configurable */
crypto_digest_t signing_algorithm = have_sha2 ?
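Review bot: rsrc_len becomes int64_t here while the assignment in the second hunk casts it back to intmax_t, so rctx.fork_size evidently keeps its intmax_t type; on 64-bit Darwin both are 64 bits wide and nothing is lost, but a one-line comment next to the declaration saying why the local deliberately differs from the field type would save the next reader from "fixing" it back.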
@@ -547,7 +547,7 @@
continue;
}

- rctx.fork_size = rsrc_len;
+ rctx.fork_size = (intmax_t)rsrc_len;
Dmsg0(30, "Restoring resource fork\n");
}

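Review bot: the explicit cast in `rctx.fork_size = (intmax_t)rsrc_len;` is redundant, since an int64_t converts to intmax_t implicitly and without loss; keeping it is harmless, but if the intent is to document the width mismatch introduced in the first hunk, a comment says that more clearly than a cast the compiler does not need.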
--- ./src/findlib/find.c-orig 2009-11-06 10:23:34.000000000 +0100
+++ ./src/findlib/find.c 2009-11-06 10:24:18.000000000 +0100
@@ -67,13 +67,13 @@

/* Get system path and filename maximum lengths */
path_max = pathconf(".", _PC_PATH_MAX);
- if (path_max < 1024) { - path_max = 1024; + if (path_max < 2048) { + path_max = 2048; } name_max = pathconf(".", _PC_NAME_MAX); - if (name_max < 1024) { - name_max = 1024; + if (name_max < 2048) { + name_max = 2048; } path_max++; /* add for EOS */ name_max++; /* add for EOS */ --- ./src/lib/base64.c-orig 2009-11-06 10:17:36.000000000 +0100 +++ ./src/lib/base64.c 2009-11-06 10:19:12.000000000 +0100 @@ -74,9 +74,9 @@ * stored (not including the EOS). */ int -to_base64(intmax_t value, char *where) +to_base64(int64_t value, char *where) { - uintmax_t val; + uint64_t val; int i = 0; int n; @@ -98,7 +98,7 @@ val = value; where[i] = 0; do { - where[--i] = base64_digits[val & (uintmax_t)0x3F]; + where[--i] = base64_digits[val & (uint64_t)0x3F]; val >>= 6;
} while (val);
return n;
@@ -112,9 +112,9 @@
* Returns the value.
*/
int
-from_base64(intmax_t *value, char *where)
+from_base64(int64_t *value, char *where)
{
- uintmax_t val = 0;
+ uint64_t val = 0;
int i, neg;

if (!base64_inited)
@@ -131,7 +131,7 @@
val += base64_map[(uint8_t)where[i++]];
}

- *value = neg ? -(intmax_t)val : (intmax_t)val;
+ *value = neg ? -(int64_t)val : (int64_t)val;
return i;
}

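Review bot: `*value = neg ? -(int64_t)val : (int64_t)val;` negates after the conversion to signed, which is undefined behaviour when val equals 2^63 (the one magnitude that fits in uint64_t but not in int64_t); the pre-patch intmax_t version had the same edge, so this is not a regression, but since the types are being touched anyway, either reject values above INT64_MAX before this line or compute the negative as `-(int64_t)(val - 1) - 1` (guarding val == 0 separately) so the result stays in range.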
--- ./src/lib/protos.h-orig 2009-11-06 10:19:28.000000000 +0100
+++ ./src/lib/protos.h 2009-11-06 10:28:46.000000000 +0100
@@ -42,8 +42,8 @@

/* base64.c */
void base64_init (void);
-int to_base64 (intmax_t value, char *where);
-int from_base64 (intmax_t *value, char *where);
+int to_base64 (int64_t value, char *where);
+int from_base64 (int64_t *value, char *where);
int bin_to_base64 (char *buf, int buflen, char *bin, int binlen,
int compatible);
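Review bot: in the find.c hunk the floor for path_max and name_max is raised from 1024 to 2048, but the literal 2048 is now written four times; pathconf() returns -1 when the limit is indeterminate and these `if (... < 2048)` checks silently clamp that case to the floor, so a single named constant (with a comment that -1 is being absorbed here) would make the intent visible and keep the two limits from drifting apart in a later edit, especially since the `path_max++` / `name_max++` lines that follow size the buffers from these values.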
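Review bot: the base64.c hunk at -74 changes to_base64()'s parameter from intmax_t to int64_t and the matching protos.h hunk keeps the declarations consistent, but `val = value;` in the -98 hunk then stores a possibly negative int64_t into a uint64_t; that conversion is well defined (modular), so the result is only correct if the sign is handled before the masking loop, and since only from_base64()'s `neg` branch is visible in this patch it is worth confirming that to_base64() still emits the sign the way from_base64() expects, and that no caller outside the files touched here still passes an intmax_t.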

Then configure using

./configure --prefix=/usr/local --enable-client-only --with-openssl --with-working-dir=/var/db/bacula --with-pid-dir=/var/run

Run make && sudo make install

Configuration and the like can be found here

Enjoy!

Disable “Call forwarding”/”Call forwarded” message on iPhones

If you are using an unlocked iPhone, you might be getting messages telling you that this call is being forwarded in either direction. You always have to press the OK button to get rid of them – annoying.

To switch this off, you need a JB phone. Then you can log in to the phone using SSH and either edit the file

/System/Library/Carrier Bundles/Unknown.bundle/carrier.plist

so that these two keys get the value 0:

[code lang="xml"]ShowCallForwarded

ShowCallForwarding
[/code]

A final reboot is needed.

You can do this by converting the binary file into XML using plutil before editing – or, if you already have that tool installed, you can use the easier method (the path contains a space, so it must be quoted):

[code]cd "/System/Library/Carrier Bundles/Unknown.bundle/"
plutil -key ShowCallForwarding -setvalue 0 carrier.plist
plutil -key ShowCallForwarded -setvalue 0 carrier.plist
reboot[/code]
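For readers who prefer to script the edit, here is an added Python example (mine, not from the original post) that performs the same two-key change with the standard-library plistlib, which reads both the binary form iOS stores on disk and the XML form plutil -convert xml1 produces. The sample carrier dictionary is constructed; only the two key names come from the post, and patch_file writes a .bak copy before touching the file.

```python
import plistlib

# Constructed sample carrier bundle: the keys and values below are invented for
# this example, not copied from a real Unknown.bundle/carrier.plist; only the
# two names in KEYS_TO_SILENCE are the real keys the post talks about.
SAMPLE_CARRIER = {
    "CarrierName": "Example Carrier",
    "ShowCallForwarded": 1,
    "ShowCallForwarding": 1,
    "SupportsSMS": True,
}
KEYS_TO_SILENCE = ("ShowCallForwarded", "ShowCallForwarding")


def make_binary_plist(data: dict) -> bytes:
    """Serialise in the binary form iOS keeps on disk (what plutil -convert xml1 unpacks)."""
    return plistlib.dumps(data, fmt=plistlib.FMT_BINARY)


def make_xml_plist(data: dict) -> bytes:
    """Serialise in the XML form you get after plutil -convert xml1."""
    return plistlib.dumps(data, fmt=plistlib.FMT_XML)


def read_plist(blob: bytes) -> dict:
    """Parse either format; plistlib auto-detects binary vs XML."""
    return plistlib.loads(blob)


def silence_forwarding(blob: bytes, keys=KEYS_TO_SILENCE) -> bytes:
    """Set each key to 0 and return the plist re-encoded in its original format."""
    fmt = plistlib.FMT_BINARY if blob.startswith(b"bplist") else plistlib.FMT_XML
    data = read_plist(blob)
    for k in keys:
        data[k] = 0  # same effect as 'plutil -key <k> -setvalue 0'
    return plistlib.dumps(data, fmt=fmt)


def changed_keys(before: bytes, after: bytes) -> list:
    """Diff two plists so you can confirm nothing but the intended keys changed."""
    a, b = read_plist(before), read_plist(after)
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


def patch_file(path: str, keys=KEYS_TO_SILENCE) -> list:
    """Edit a plist on disk in place, writing a .bak copy first; returns the changed keys."""
    with open(path, "rb") as fh:
        before = fh.read()
    with open(path + ".bak", "wb") as fh:
        fh.write(before)
    after = silence_forwarding(before, keys)
    with open(path, "wb") as fh:
        fh.write(after)
    return changed_keys(before, after)


if __name__ == "__main__":
    original = make_binary_plist(SAMPLE_CARRIER)
    fixed = silence_forwarding(original)
    print("changed:", changed_keys(original, fixed))
    print("now:", read_plist(fixed))
```

On the phone you would call patch_file("/System/Library/Carrier Bundles/Unknown.bundle/carrier.plist") and reboot afterwards, exactly as with the plutil commands above; the returned list should contain nothing but the two keys.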

HTH!
Kic