MEFTGG: Networking with MacOSX

This page is maintained by James Wookey ( ).

This page provides instructions for various networking tasks on Apple MacOSX machines.

This information is provided in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Any views represented here are entirely personal; they do not reflect the views of the School of Earth Sciences, or the University of Bristol.

Remote logins

• By default remote login to your Mac is disabled. To enable it, go to System Preferences -> Sharing and check Remote Login.

SSH logins without passwords

• If there are machines you regularly log into / remote copy to it is very handy to be able to do so without a password. This is helpful for example if you want to set up a backup script or similar which copies files to a remote server when you are not present. The simplest way to do this is with a Public-Private key pair with an empty passphrase.

  Example: Suppose you want to login/copy from your desktop machine (called 'larry' with an IP of 194.168.1.100) to another machine (called 'barry' with an IP of 194.168.1.200).

  Firstly, on larry type:
  

        larry$ ssh-keygen -t dsa
        

  And hit return to save the file in the default place. (Note that it may take a few moments to generate the key). It will then prompt you for a passphrase. Just hit return for an empty passphrase (and again to confirm). This will generate two files in the directory ~/.ssh: id_dsa (your private key) and id_dsa.pub (your public key). You need to put the public part of the key on any machine you wish to login to without a password:

        larry$ scp ~/.ssh/id_dsa.pub user@194.168.1.200:
        larry$ ssh user@194.168.1.200
        password: xxxxx
        barry$ cat id_dsa.pub >> ~/.ssh/authorized_keys2
        barry$ logout
        

  You should now be able to log onto barry without being prompted for a password. Note that this will not enable passwordless login in the other direction (i.e., from barry to larry). In order to do this, repeat the process in reverse. Remember that you should take steps to protect your private key (the file id_dsa). Don't copy it anywhere where it is publically accessible, for example. It is all that someone needs to log into your computer!

  If having an empty passphrase bothers you, it is possible to set up a Mac utility that will remember it for you. For step by step instructions for how to set this up on your Mac see here.

  Troubleshooting: Passwordless login can fail for quite a variety of reasons, and it can be a pain to try and find out why it is going wrong. If it doesn't work, try typing ssh -vvv user@host and look at the output for clues in that. If that doesn't work it is possible to increase the level of logging on the server (in Mac OSX 10.4, by default authorisations are not logged in the system log). For instructions on how to do this, see this hint at macosxhints.com. One thing to check which SSH is very fussy about is the file permissions set on your home directory and the .ssh directory and config files therein (both on the local and remote host). For reference the permissions on my system (which work!) are:

        /Users/me                       = drwxr-xr-x
        /Users/me/.ssh                  = drwx------
        /Users/me/.ssh/authorized_keys2 = -rw-------
        /Users/me/.ssh/id_dsa           = -rw-------
        /Users/me/.ssh/id_dsa.pub       = -rw-r--r--
        /Users/me/.ssh/known_hosts      = -rw-r--r--  
  	

SSH segmentation fault / AFP connection errors (Intel only, I think)

If, after an update from Apple, you find that you are getting a segmentation fault trying to run ssh (or scp etc); or that you can no longer connect to remote servers using AFP in Finder, you may have a corrupted Kerberos framework. The solution is as follows (thanks to Eric Salathe for this, see his post here).
• First, install the utility Pacifist. Then download the 10.4.10 Combo updater file. Mount the DMG and drag the .pkg file into the Pacifist window. Find the and highlight the directory /System/Library/Frameworks/Kerberos.framework, and click install. Authenticate, and replace all files. When this is finished, ssh and afp should be working again. You may have to repeat this after subsequent Apple updates.
• Others have reported that SSH can also be fixed by downloading the full update file of the offending version from Apple and re-applying it, though this doesn't seem to work universally.

SSH X11 forwarding

• X11 commands can be tunnelled over an ssh connection. You will have to enable this in /etc/sshd_config on the remote host. Just change the line:

         #X11Forwarding no
         

  to

         X11Forwarding yes
         

  Then type:

  ssh -X user@whatever_host.domain.com 
  

  If you are getting BadAtom errors with certain applications (such as NEdit), try ssh -Y instead of -X.

Using Wake-on-LAN

• Wake-on-LAN is a nifty feature built into (at least newer) Macs. It enables someone who knows the hardware MAC address and IP address for a machine to wake up the machine remotely from sleep mode. To enable this go to System Preferences->Energy Saver->Options and check the "Wake for Ethernet network administrator access" box.
• Once this is enabled, you can use a simple Python script to wake it up from a remote machine:

  #!/usr/bin/env python
  import socket
  s=socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  s.sendto('\xff'*6+'\x??\x??\x??\x??\x??\x??'*16, ('??.??.??.??', 80))
  

  replacing the pairs of question marks with the MAC address (first 6 pairs; to find out your ethernet MAC address type ifconfig and look for the ether entry under en0) and IP address (last four pairs) of the machine you want to wake up. Don't forget to keep the \x's between the MAC address pairs.
• There are more sophisticated utilities available to do this (for example from a Windows platform). A good place to start is: gsd.di.uminho.pt/jpo/software/wakeonlan/mini-howto/.