Firewall strangeness
Oct 17th, 2012 by Ken Hagler

My Mac Pro’s fire­wall sud­den­ly start­ed block­ing ssh con­nec­tions for no appar­ent rea­son. I even­tu­al­ly fig­ured out that I had to set sshd-keygen-wrapper to “Allow incom­ing con­nec­tions” before it would start work­ing again. I’m guess­ing a recent sys­tem update suf­fered from overzeal­ous secu­ri­ty.

New MacBook Pro
Jul 2nd, 2012 by Ken Hagler

My new Reti­na screen Mac­Book Pro arrived today. I’d been plan­ning to buy one even before they were announced, on the assump­tion they would come out some­time this year, and my old Mac­Book Pro (an ear­ly 2008 mod­el) died just as they were being announced.

Although the improved screen is notice­able, the biggest improve­ment to me is how much lighter it is than the old mod­el it replaces. On the oth­er hand, all was not perfect–for some rea­son, it came with­out a recov­ery par­ti­tion. Since this mod­el doesn’t have a DVD dri­ve and didn’t come with a sys­tem disc, this would be pret­ty bad for any­one who got it as their only Mac and then had a prob­lem. It also kept me from turn­ing on Fil­e­vault, which requires the pres­ence of a recov­ery par­ti­tion. For­tu­nate­ly, some search­ing turned up instruc­tions on how to cre­ate a recov­ery par­ti­tion on a sys­tem that didn’t have it.

Setting up iChat Server
Feb 11th, 2012 by Ken Hagler

I’ve final­ly got the iChat por­tion of my Mac Mini Serv­er up and run­ning. It turned out that some fair­ly impor­tant parts of the process were poor­ly doc­u­ment­ed (or not at all), so I decid­ed to write down the process in the hope that some­one set­ting it up in the future will have bet­ter luck with their search results than I did.

Initial DNS Setup

The very first thing I did, before I even took the Mac Mini out of the box, was get its domain name set up. I’m on a cable modem, which means that all of my com­put­ers have local IPs (192.168.x.x) and share the same exter­nal IP address, which is sub­ject to change at any time. That’s obvi­ous­ly a prob­lem for any kind of serv­er, but for­tu­nate­ly it was solved long ago by dynam­ic DNS ser­vices. These work by giv­ing you a sub­do­main such as, which resolves to your cur­rent IP, and auto­mat­i­cal­ly updat­ing the DNS record when­ev­er your IP changes. I signed up for an account with FreeDNS, which is sup­port­ed by my router’s firmware, so it will auto­mat­i­cal­ly keep my sub­do­main on their ser­vice updat­ed.

Next I logged into the admin­is­tra­tive inter­face for the domain, which has been host­ed for many years by the excel­lent Mac-centric host­ing ser­vice MacHigh­way. I then cre­at­ed a CNAME record point­ing to the ful­ly qual­i­fied domain name from Free DNS. There were some oth­er DNS changes need­ed lat­er, but to avoid con­fu­sion I’ll cov­er them lat­er, where they fit into the process.

Final­ly, when I start­ed up Fron­tier for the first time I told it that its name was The actu­al serv­er has no knowl­edge of the Free DNS FQDN. I assigned it a sta­t­ic IP address in my local sub­net, and then logged into the router to for­ward all the ports I’d need (there were quite a few) to that sta­t­ic local IP. With all this done, an out­side request for will (so long as it’s for one of the for­ward­ed ports) end up at the Mac Mini Serv­er.

Getting a Signed SSL Certificate

When I set the server’s name, it auto­mat­i­cal­ly cre­at­ed a self-signed SSL cer­tifi­cate. In order to avoid poten­tial prob­lems from poor­ly designed soft­ware putting up scary warn­ings or pos­si­bly refus­ing con­nec­tions via XMPP, I want­ed to get this signed by a cer­ti­fi­ca­tion author­i­ty. A few days before I’d read an arti­cle which men­tioned StartSSL, which issues free cer­tifi­cates.

On the serv­er side, the soft­ware makes it very easy to export a spe­cial file called a Cer­tifi­cate Sign­ing Request, and then import the signed cer­tifi­cate once it’s received from the CA. The process of actu­al­ly get­ting cer­tifi­cate signed proved tricky, but thanks to StartSSL’s very help­ful Eddy Nigg I was even­tu­al­ly able to man­age it. The trick is that when you first go to their web site it seems like you’re request­ing a signed cer­tifi­cate, but what you’re real­ly doing is cre­at­ing an entire­ly new cer­tifi­cate which iden­ti­fies you for log­ging in to their sys­tem. Once that’s done, it’s sim­ple to paste the con­tents of the CSR file export­ed by the Serv­er app into a form and then down­load the signed cer­tifi­cate. The trick is to know ahead of time that it’s a two-stage process.

Setting up SRV Records

At this point my iChat ser­vice was up and run­ning and I could use the XMPP address How­ev­er, I want­ed to make it just, so that my IM address would be the same as the email address that I’ve had since 1996. To do this, I need­ed to cre­ate DNS SRV records to send XMPP traf­fic for along to (the actu­al machine is a web serv­er in Col­orado which would just ignore XMPP traf­fic).

The sys­tem my host­ing provider uses to admin­is­ter the domain, cPan­el, doesn’t have a way to cre­ate SRV records so I wasn’t able to do this all myself as I did with the CNAME record ear­li­er. I new that MacHigh­way wouldn’t be able to offer any sup­port for this, so I care­ful­ly checked and re-checked and then sub­mit­ted a sup­port request ask­ing them to man­u­al­ly enter the fol­low­ing lines into the record for the domain: 14400 IN SRV	0 1 5222 14400 IN SRV	0 1 5269

Once I got a reply from MacHigh­way sup­port that the change had been made, I checked with dig and con­firmed that every­thing was work­ing per­fect­ly on the DNS side. Note that if I had used the Free DNS FQDN it would have worked, but that would also have made it impos­si­ble for me to move to anoth­er dynam­ic DNS ser­vice should the need arise with­out bug­ging some­one at MacHigh­way to make anoth­er man­u­al change for me.

Fixing the Server’s Identity Crisis

At this point I dis­cov­ered that as far as the iChat ser­vice was con­cerned it was still, and it was cer­tain­ly not going to allow users of to con­nect! I need­ed to change the name that just the iChat ser­vice had for itself, with­out affect­ing any­thing else on the serv­er, and this turned out to be the biggest headache of the whole process, most­ly due to the gen­er­al lack of doc­u­men­ta­tion. After a great deal of search­ing and a few red her­rings, I final­ly came up with the answer: sudo serveradmin settings jabber:hostsCommaDelimitedString = "" (the iChat ser­vice is actu­al­ly a vari­a­tion of jabbered2).

Chat Room DNS Setup

The last thing I need­ed to do was cre­ate a DNS record for the multi-user chat part of the iChat ser­vice. This has its own sub­do­main, “rooms.” fol­lowed by what­ev­er the host name is–in this case, To get it work­ing, I cre­at­ed anoth­er CNAME record which point­ed to that Free DNS FQDN. That com­plet­ed the set­up, and if I ever need to change dynam­ic DNS ser­vices, or if I get a sta­t­ic IP at home, I can make all the nec­es­sary changes with­out have to involve any­one else.

New Server
Feb 2nd, 2012 by Ken Hagler


Ear­li­er this week I added this Mac Mini Serv­er, which I named Fron­tier, to my home net­work. It’s a bit strange after so many years of work­ing with Macs, and help­ing to admin­is­ter Win­dows and Lin­ux servers, but this is actu­al­ly my first Mac serv­er!

I got it pri­mar­i­ly as a file serv­er for scanned pho­tos, but I’ve also enabled the iChat Serv­er, which is Apple’s front end for the pop­u­lar XMPP serv­er jab­berd. The idea is that once I’ve got some DNS stuff straight­ened out I’ll final­ly have the same address for instant mes­sages that I do for email.

Good Lion article
Jul 31st, 2011 by Ken Hagler

Man­ag­ing Mac OS X Lion’s appli­ca­tion resume fea­ture. [Mac­Fix­It]

This arti­cle has some very use­ful infor­ma­tion on how to con­trol Lion’s resume fea­ture, includ­ing how to dis­able it on a per-application basis and how to cre­ate a spe­cif­ic unchang­ing resume state.

IT actually concerned about security
May 31st, 2010 by Ken Hagler

Microsoft We Don’t Feel So Good About’.

David Gelles and Richard Waters, in a piece titled “Google Ditch­es Win­dows on Secu­ri­ty Con­cerns” in the Finan­cial Times:

New hires are now giv­en the option of using Apple’s Mac
com­put­ers or PCs run­ning the Lin­ux oper­at­ing sys­tem. “Lin­ux is
open source and we feel good about it,” said one employ­ee.
“Microsoft we don’t feel so good about.”

[Dar­ing Fire­ball]

I wish the “secu­ri­ty” com­pa­ny I worked for had that much sense. Unfor­tu­nate­ly, they make it as hard to get Mac (or Lin­ux) machines as Google has made it to get Win­dows. And since the Pow­ers That Be decid­ed to “out­source” our entire IT depart­ment to a com­pa­ny that man­u­fac­tures Win­dows PCs, I don’t expect that to change any time soon.

Non-Apple Mac
Jul 27th, 2009 by Ken Hagler

The fol­low­ing was post­ed to an inter­nal Mac users’ mail­ing list at work. Since it doesn’t men­tion any com­pa­ny busi­ness, I thought it was inter­est­ing enough to post here:

Fig­ured I would let peo­ple know I was able to get a rather nice
hack­in­tosh up and run­ning w/out any sort of mod­i­fied OS install soft­ware
using the EFi-X “don­gle”. I build I quad core with 8 GB of RAM with a
Giga­byte moth­er­board for about 13 the cost of equiv­a­lent Apple hard­ware
(even bet­ter if you assume the mon­i­tor I bought is com­pa­ra­ble to the
apple 23 inch — like­ly it’s not the same qual­i­ty). After 4 days of
run­ning it still seems sta­ble. I’ve been suc­cess­ful in updat­ing all the
OS and soft­ware patch­es for my legal­ly owned copies of apple soft­ware
(yah fam­i­ly license!) with no prob­lems what so ever. Basi­cal­ly you plug
a usb don­gle direct­ly into the usb pins on the moth­er board and use it
as a boot loader that mim­ics the EFI code from the Apple bios. Pop in
your nor­mal install disk and away things go. About time I replaced my
2k1 Sun­flower Imac! If any­one else wants to hear more about it shoot me
a ques­tion.

It depends on the meaning of “use”
Jan 7th, 2009 by Ken Hagler

How Many Mac Users Use Microsoft Office?.

Todd Bish­op:

About 77 per­cent of Mac users in the U.S. are run­ning Microsoft’s Office for Mac, the Red­mond com­pa­ny said today.

I know Office for Mac is a huge sell­er, but 77 per­cent sounds crazy high to me.

[Dar­ing Fire­ball]

I won­der how they define “run­ning” in this case? I have Office on my Mac, in case I need it for work, but since I switched from Entourage to Mail last spring I’ve hard­ly ever even launched any of it. When I need a word proces­sor, I use Pages.

City of Heroes on Mac
Oct 30th, 2008 by Ken Hagler

City of Heroes super­hero MMO comes to Mac. NCsoft is open­ing one of its mas­sive­ly mul­ti­play­er online (MMO) game fran­chis­es, City of Heroes, to the Mac. The com­pa­ny has used TransGaming’s Cider engine, which enables the subscription-based game to oper­ate on Intel-based Macs. Beta test­ing is expect­ed to get under­way this week.… [The Mac­in­tosh News Net­work]

I’ve been play­ing this game on the PC since about a month after it came out. It still has the ubiq­ui­tous class-and-level sys­tem, but between the wide vari­ety of pow­er com­bi­na­tions and the excel­lent cos­tume cre­ator (which is almost worth the price all by itself) the prob­lem of cook­ie cut­ter char­ac­ters com­mon to such sys­tems is not present.

»  Substance:WordPress   »  Style:Ahren Ahimsa
© Ken Hagler. All rights reserved.