Some Mac Admin

As admins, we often have to SSH into computers and/or servers. The default way of doing this is by typing user@servername into Terminal, and then entering the user’s password. Simple enough.

Now, what if I told you there was a way to SSH into a server without entering passwords? This is done by generating RSA keys, which are much more secure than simple passwords. If you’re interested in how RSA works, read this article by Jeronimo Garcia.

Excited? Follow along.

Note: Everything below was done on macOS. If you’re looking at doing this on non-macOS computers, the instructions will mostly work, but you’ll need to change a few things like directory paths, etc…

Step one: Generate a keypair

In Terminal on your local computer, type ssh-keygen -t rsa -b 4096. This will generate a 4096 bit RSA key as opposed to the smaller, less secure 2048 bit RSA key. Because security!

I strongly recommend giving your keys unique names (the default names are “id_rsa” and “id_rsa.pub”), especially if you’ll be generating keypairs for multiple servers. So for “Enter file in which to save the key”, type /Users/your_username/.ssh/id_rsa_servername. This will save a public and private key named “id_rsa_servername” and “id_rsa_servername.pub” in the ~/your_username/.ssh directory. Before we continue, let’s talk about these two keys. “id_rsa_servername.pub” is your public key. This is the key that you’ll be putting on the server. “id_rsa_servername” is your private key. It’s extremely important that you never copy/share it. This key will remain on your local computer.

Step two: Copy the public key to the server

SSH into your server and navigate to ~/.ssh. Now we’ll need to create a file named “authorized_keys” (if it doesn’t already exist). This is where we’ll put the contents of our “id_rsa_servername.pub” key. To create the file, type touch authorized_keys && chmod 700 authorized_keys. touch authorized_keys will create a file named “authorized_keys”, and chmod 700 authorized_keys will change the file’s permissions so that it can only be read, modified, and executed by the user.

Back on your local computer and in the ~/.ssh directory, type cat id_rsa_servername.pub | pbcopy to copy the contents of “id_rsa_servername.pub” to your clipboard.

On the server, type nano authorized_keys to edit the file, hit command + v to paste your clipboard, and finally save the file by hitting control + x and then y to confirm.

Step three: Modify the config file

The last step is to edit the SSH config file on your local computer. In the ~/.ssh directory, type nano config, and then enter the following: Host servername User user IdentityFile "~/.ssh/id_rsa_servername” Make sure you change “servername”, “user”, and “~/.ssh/id_rsa_servername”.

Save the file by hitting control + x and then y to confirm.

Step four: Enjoy!

In Terminal, typing ssh servername should automatically get you into your server without prompting you for a password.

Yet another non-Mac related post! Maybe I should rename this blog? Anyway… Microsoft released their April 2018 update of Windows 10 a few weeks ago, and in it they now enable the OpenSSH client by default. There isn’t as much of a need to install third-party apps like PuTTY or install Windows Subsystem for Linux anymore to do something like SSH-ing into another machine.

One thing that isn’t enabled by default though is the OpenSSH server. Here’s how to do just that:

Open PowerShell as admin, and type Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

If that fails for whatever reason (e.g.: your computer points to a WSUS server), download the following OpenSSH server package .cab file here

Type dism /Online /Add-Package /PackagePath:C:\path\to\file.cab

Set the sshd and ssh-agent services to start automatically, and then start them both with:

Get-Service -Name *ssh* | Set-Service -StartupType Automatic

Get-Service -Name *ssh* | Start-Service

While this post isn’t related to Macs, it’s something I think the people reading this blog would enjoy. So here goes!

I’m a big fan of Aaron Nagler’s PackersNews Facebook live recordings, but I don’t always have the time to watch the ~30 minute videos. Instead, I would much rather listen to them on my way to and from work in Overcast, which is my podcast player of choice.

USA TODAY NETWORK-Wisconsin uploads the recordings to YouTube shortly after they’re over, so it’s easy to extract the audio from the video using tools like youtube-dl. But I want to be able to do this from my phone. This is where Apple’s Workflow comes in.

Here’s what I wanted the workflow to do: YouTube URL > extract the video’s audio > save it to iCloud Drive > open Overcast’s upload page in Safari > upload file

A quick Google search later, I came across this post on the Workflow subreddit, which really helped me get started. I looked through the workflow’s actions, and quickly figured out what I had to change to get it work.

Here’s the result:

As you can see in the video, the whole process took 40 seconds for a 1:30 minute video. A 30 minute video takes about 3-4 minutes to complete.

Yes, doing this on my laptop would be faster, but I like that I have the freedom to do this from just about anywhere.

Here’s the Workflow for those of you who are interested: YouTube to Overcast

For multiple reasons, we haven’t upgraded our Macs to High Sierra (10.13) just yet. This creates a problem for new machines we purchase from Apple as they come preinstalled with it. Here’s how I deal with downgrading to Sierra (10.12):

Boot up from a bootable macOS installer USB

In the menu bar, click on Utilities and then Terminal

Type diskutil apfs list to list the APFS Container(s)

More information on APFS Containers can be found here.

Type diskutil apfs deleteContainer disk1

Note: Your container might not be named "disk1”

[...]

Office for Mac 2011

Word, Excel, PowerPoint, Outlook and Lync have not been tested on macOS 10.13 High Sierra, and no formal support for this configuration will be provided.

All applications in the Office for Mac 2011 suite are reaching end of support on October 10th, 2017. As a reminder, after that date there will be no new security updates, non-security updates, free or paid assisted support options or technical content updates. Refer to the Microsoft Support Lifecycle for more information.

If you haven't already upgraded your fleet of Macs to Office 2016, now's the time.

Updates! Updates are great until they, well, break something…

Apple released version 3.9 of their Apple Remote Desktop (ARD) client and admin app earlier this week.

As I do too often, I installed all updates on our macOS Server without thinking twice, and ended up with a list full of “Needs Upgrade” in the Current Status column in the ARD admin app. All our client machines had ARD Client 3.8.5 installed, so the ARD admin app was no longer able to communicate with our client machines. Thankfully fixing this wasn’t too difficult!

I had two options:

SSH onto the client machines and run softwareupdate -l;sudo softwareupdate -i 'RemoteDesktopClient-3.9.0'

Host the update .pkg on our server, SSH onto the client machine, and run curl -o ~/Desktop/RemoteDesktopClient.pkg -O http://servername/RemoteDesktopClient.pkg;sudo installer -pkg ~/Desktop/RemoteDesktopClient.pkg -target /

I ended up going with option 2 because searching for updates with softwareupdate -l would take longer than downloading the .pkg from our server. A half hour or so later, all our client machines had ARD Client 3.9 installed!

But wait…

Not long after, I received an email from a colleague of mine saying the following pop-up appeared on her screen:

A quick restart of the ARD Agent using the kickstart utility fixed that issue.

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent

I haven’t tested it, but restarting the computer should also fix the pop-up window.

One more thing: if for some reason you can’t update the ARD client on your fleet of Macs, launch the Apple Remote Desktop admin app Preferences, go to the Security tab, and check the “Allow communication with older clients (less secure)” option. Doing that should allow you to do your thang until you update their client to 3.9. Thanks for the tip, Randy!

Munki’s Managed Software Center wouldn’t look nearly as good without Product Icons. Getting these icons can be tedious, but it doesn’t have to be!

The majority of app icons come in the Apple Icon Image format (.icns). Converting them to a .png can be done by opening the .icns file in Apple’s built-in Preview.app and going to File > Export > choosing “PNG” from the format list > clicking Save. From there you can resize the image to Munki’s preferred resolution of 350x350px directly in Preview.app, or in another image editor such as Photoshop. OR you can use icns2png!

If you haven’t already, install Homebrew. Once that’s done, launch Terminal and type brew install libicns to install icns2png.

With that out of the way, let’s convert Spotify’s icon from an .icns to a .png image. Launch Terminal and enter:

icns2png -x /Applications/Spotify.app/Contents/Resources/Icon.icns -o ~/Desktop/

The command above will extract the Spotify icon in different sizes to your Desktop. Now resize it, copy it over to your repo’s icons directory, and give yourself a high-five and you’re all set!

One more thing: Here’s how to extract a .png from an .icns file, and resize the image to 350x350px in one line:

icns2png -x -s 512x512 /Applications/Spotify.app/Contents/Resources/Icon.icns -o ~/Desktop/;sips -Z 350 *.png

Have you ever wanted to replace Homebrew’s 🍺 emoji with something else? Well, it turns out it’s possible!

@Heliomass sent out a quick tweet to the Homebrew’s Twitter account, and they got back to him with a way to do just that.

Yes! You can even enjoy some pumpkin spice Homebrew: `export HOMEBREW_INSTALL_BADGE=🎃` ^tim https://t.co/EO5KJRM0VT

The underlying problem is that by default HFS+ (the file system of OS X) is “case preserving, but case-insensitive.” That means the file system will remember wether you named a file or directory “README.TXT” “ReadMe.txt” or “readme.TXT” and preserve that case, but using either of these will point to the same file.

This might come in handy for some of you, so I thought I would dig it back up and post it here on my blog.

I learned something new today:

man -t killall | open -f -a Preview

The above command will open killall’s man page in Preview, which you’ll be able to save as a PDF.

It looks like Transmission has been compromised once again. Thankfully, it appears you’re only affected if you downloaded the app between 28 and 29 August.

Regardless, don’t take a chance and run John Kitzmiller's script below:

It might be time to start looking for another BitTorrent client...