Macintosh-Admin

Previous to my switching over to a Mac Mini for my Apple servers I used Xserves which had dual Ethernet ports. This allowed for a external public IP and an internal private IP address. This of course if the optimal setup for creating a VPN when using Mac OS X Server.

Initially I had thought I had setup my VPN correctly, as I was able to connect to it, although after looking at some websites and AFP shares from the server, I wasn’t getting the results I had wanted.

Unfortunately after checking my IP when I was on the web, I noticed it was still using my non-VPN IP which meant all my web traffic was not going through the VPN. I then tried to connect to some AFP shares, and they worked, but after looking in Server Admin, I was still connecting with my Verizon IP address, and not the IP from the VPN.

Speaking with my good friend we figured out that the IP blocks couldn’t be the same. I was dishing out 192.168.1.x from the VPN and my local network was also dishing out that same block. I also had to make sure I had “Send all traffic through VPN” was switched on. This parameter can be found in System Preferences >> Network >> VPN Connection’s Advanced button >> and under the Session section. It’s turned off by default but make sure it’s turned on.

Now for the IP block that the VPN dishes out, I changed that to something a bit more secure, something that normal home routers don’t dish out. I chose 192.168.10.x, which I’ve yet to see a DHCP/home router dish out. I would think you might find that block in a bigger organization, but it should be safe to use. Saved that setting and then I tried to connect. Unfortunately, it didn’t work right just yet.

Then I added a virtual interface to the single Ethernet port and assigned it an IP address within the range that the VPN server was handing out. I gave it the router address of my public IP and then tried to connect again.

It worked! So in summary, when you’ve got a server with a single Ethernet port and an external IP address, it’s a good idea to:

1. Give it a virtual interface
2. Change the block range of IPs your VPN hands out
3. Give your virtual interface an IP from that range
4. Make sure your client(s) have the “Send all traffic through VPN” turned on. Security is good
5. Verify that it’s working correctly by visiting FindMyIP.com and looking in Server Admin

I’ve also allowed people to connect to the AFP service ONLY if they’re coming from the VPN IP range, which is much more secure then letting everyone connect to it.

I really enjoy how easy Tiger and Leopard makes setting up RAIDs. A RAID is essentially a collection of hard drives connected together. There are multiple RAID types but I generally stick with the mirror RAID type as it works well for my purposes.

To the point, one of the two drives in my mirror RAID failed. It made those tell tale clicking noises and wouldn’t mount at all. I opened up Disk Utility and sure enough it reported that my RAID was degraded. A day or two later I had bought a new hard drive to replace the failed one. I connected it up to my system and opened up Disk Utility again. I added the new drive (a simple drag and drop) into my degraded RAID and clicked on ‘rebuild’. Within a few seconds I was told that the ‘filesystem was unrecognized’ and the RAID could not be rebuilt. After trying again multiple times, I was prompted with that lovely message each time.

Being that I had about 450GBs of data on that RAID set I wasn’t about to give up so easily. I search Google for the exact error message that I was getting. I came across 2 good sources.

First was this thread in the Apple mailing lists. Apparently it’s a known bug. Great. Unfortunately the site didn’t seem to provide any solution for fixing the degraded RAID set.

The second link was to the Apple discussion boards. A few posts down a user posted a solution that worked and was confirmed working by following posts by other users. With only 450GBs of data to loose I thought I’d just give it a shot!

So a few days later I came back with my Leopard install disk and booted the machine off that. I opened up a terminal window and used the following commands (taken right from the post):

• diskutil list (to find the partition that is going to be added)
• diskutil checkRAID (to get the RAID UUID)
• diskutil addToRAID
• diskutil checkRAID (to watch the rebuild)
• diskutil removefromRAID (to remove the “Failed” drive once the rebuild is done)

12-13 hours later my RAID had been rebuilt and worked just great! It’s too bad that Disk Utility isn’t working the way it should, although I could have sworn that I read something about 10.5.1 including a fix so that it works the way it should, and doesn’t return the ‘unrecognized filesystem’ error. Either way, if you have a degraded RAID system and are receiving that error when trying to rebuild it, the previous steps should get you back on track.

Of course if you’ve got some really important data and aren’t too daring, and use a mirror RAID, I recommend copying all the data to another drive, purchase a new drive for the RAID set, destroying the current set and then creating it again with the new drive. Then copy the data back over.

This is an article aimed at mostly system administrators and people that use SSH on a daily basis to connect to remote clients and servers. I myself have been wanting to set this up for quite some time and now I’ve found the time and need too! I currently have multiple servers each running several various services. I plan on setting it up so that when one server makes a backup of a few databases it can automatically connect to another server and upload the backups there for safe keeping. While it sounds semi-complicated, especially when trying to get the servers talk to each other without any user interaction, it’s not all that bad!

In order to get the servers to talk to each other without having me type in usernames and passwords I’ll be creating special “keys” that allow them to talk without user intervention!

In our example I have Server1 which makes the actual backups of my databases, on Server2 I have a nice RAID setup so I can keep my backups safe and secure! Server2 is where I want to put Server1’s backup files. Also the user I am using for an example on Server1 is jimmy and on Server2 it is jimmy2. Hopefully it’s not too confusing!

On Server1 I will open up a Terminal and type in:

ssh-keygen -t rsa

It will ask you where you want to save the key (usually something like /Users/your-username/.ssh/) - just hit enter here. It will then ask you to input a passphrase, just hit here and again when it asks you to ‘enter in the same passphrase’. It will then spit out something like:

Your identification has been saved in /Users/jimmy/.ssh/id_rsa.
Your public key has been saved in /Users/jimmy/.ssh/id_rsa.pub.
The key fingerprint is:
88:99:60:ee:eb:e5:ac:1f:fb:fe:ae:83:5c:3c:c4:0b jimmy@mycomputer

Perfect!

Now we need to put this special key onto the machine you want to remotely connect too, in this case Server2.

What I did was use rsync:

rsync -avz /Users/jimmy/.ssh/id_rsa.pub jimmy@ip-address-of-Server2:/Users/jimmy2/.ssh/

This bit:

rsync -avz /Users/jimmy/.ssh/id_rsa.pub

Will sync the file — id_rsa.pub from Server1 to the user account of ‘jimmy2′ on Server2. It will put that file into:

/Users/jimmy2/.ssh/

So now you can SSH into Server2, you will still be prompted for a password. Go into the .ssh directory for the user you synced the id_rsa.pub file too, in this example the user is jimmy2:

cd ~/.ssh/

Now type:

mv id_rsa.pub authorized_keys

You can even copy and paste that command. That command will just rename the id_rsa.pub file to ‘authorized_keys’.

Now if all went well you can SSH from Server1 to Server2 and not be prompted for a password! This is a really excellent technique for moving files such as backups or when making mirror(s) of a website and not needing to input the password to the server(s) each time!

A note of warning though! If you remember when we were making our special key it prompted to input a passphrase, the passphrase makes your key more secure, but it will prompt you for that passphrase every time you want to connect defeating the purpose of this exercise. You should also keep track of which servers/clients can connect to each other without a password.

It’s also possible to get Server2 to go into Server1 without requiring a password. Follow the same steps to create the key, I renamed it to id_rsa2.pub and then used rsync to move it to Server1. Then I just renamed it authorized_keys using the above ‘mv’ command.

Good luck!

I used this website to help me:
http://ammonlauritzen.com/blog/index.php/2006/04/16/shared_key_ssh_authentication