Firewall strangeness
Oct 17th, 2012 by Ken Hagler

My Mac Pro’s firewall suddenly started blocking ssh connections for no apparent reason. I eventually figured out that I had to set sshd-keygen-wrapper to “Allow incoming connections” before it would start working again. I’m guessing a recent system update suffered from overzealous security.

New MacBook Pro
Jul 2nd, 2012 by Ken Hagler

My new Retina screen MacBook Pro arrived today. I’d been planning to buy one even before they were announced, on the assumption they would come out sometime this year, and my old MacBook Pro (an early 2008 model) died just as they were being announced.

Although the improved screen is noticeable, the biggest improvement to me is how much lighter it is than the old model it replaces. On the other hand, all was not perfect–for some reason, it came without a recovery partition. Since this model doesn’t have a DVD drive and didn’t come with a system disc, this would be pretty bad for anyone who got it as their only Mac and then had a problem. It also kept me from turning on Filevault, which requires the presence of a recovery partition. Fortunately, some searching turned up instructions on how to create a recovery partition on a system that didn’t have it.

Setting up iChat Server
Feb 11th, 2012 by Ken Hagler

I’ve finally got the iChat portion of my Mac Mini Server up and running. It turned out that some fairly important parts of the process were poorly documented (or not at all), so I decided to write down the process in the hope that someone setting it up in the future will have better luck with their search results than I did.

Initial DNS Setup

The very first thing I did, before I even took the Mac Mini out of the box, was get its domain name set up. I’m on a cable modem, which means that all of my computers have local IPs (192.168.x.x) and share the same external IP address, which is subject to change at any time. That’s obviously a problem for any kind of server, but fortunately it was solved long ago by dynamic DNS services. These work by giving you a subdomain such as, which resolves to your current IP, and automatically updating the DNS record whenever your IP changes. I signed up for an account with FreeDNS, which is supported by my router’s firmware, so it will automatically keep my subdomain on their service updated.

Next I logged into the administrative interface for the domain, which has been hosted for many years by the excellent Mac-centric hosting service MacHighway. I then created a CNAME record pointing to the fully qualified domain name from Free DNS. There were some other DNS changes needed later, but to avoid confusion I’ll cover them later, where they fit into the process.

Finally, when I started up Frontier for the first time I told it that its name was The actual server has no knowledge of the Free DNS FQDN. I assigned it a static IP address in my local subnet, and then logged into the router to forward all the ports I’d need (there were quite a few) to that static local IP. With all this done, an outside request for will (so long as it’s for one of the forwarded ports) end up at the Mac Mini Server.

Getting a Signed SSL Certificate

When I set the server’s name, it automatically created a self-signed SSL certificate. In order to avoid potential problems from poorly designed software putting up scary warnings or possibly refusing connections via XMPP, I wanted to get this signed by a certification authority. A few days before I’d read an article which mentioned StartSSL, which issues free certificates.

On the server side, the software makes it very easy to export a special file called a Certificate Signing Request, and then import the signed certificate once it’s received from the CA. The process of actually getting certificate signed proved tricky, but thanks to StartSSL’s very helpful Eddy Nigg I was eventually able to manage it. The trick is that when you first go to their web site it seems like you’re requesting a signed certificate, but what you’re really doing is creating an entirely new certificate which identifies you for logging in to their system. Once that’s done, it’s simple to paste the contents of the CSR file exported by the Server app into a form and then download the signed certificate. The trick is to know ahead of time that it’s a two-stage process.

Setting up SRV Records

At this point my iChat service was up and running and I could use the XMPP address However, I wanted to make it just, so that my IM address would be the same as the email address that I’ve had since 1996. To do this, I needed to create DNS SRV records to send XMPP traffic for along to (the actual machine is a web server in Colorado which would just ignore XMPP traffic).

The system my hosting provider uses to administer the domain, cPanel, doesn’t have a way to create SRV records so I wasn’t able to do this all myself as I did with the CNAME record earlier. I new that MacHighway wouldn’t be able to offer any support for this, so I carefully checked and re-checked and then submitted a support request asking them to manually enter the following lines into the record for the domain: 14400 IN SRV	0 1 5222 14400 IN SRV	0 1 5269

Once I got a reply from MacHighway support that the change had been made, I checked with dig and confirmed that everything was working perfectly on the DNS side. Note that if I had used the Free DNS FQDN it would have worked, but that would also have made it impossible for me to move to another dynamic DNS service should the need arise without bugging someone at MacHighway to make another manual change for me.

Fixing the Server’s Identity Crisis

At this point I discovered that as far as the iChat service was concerned it was still, and it was certainly not going to allow users of to connect! I needed to change the name that just the iChat service had for itself, without affecting anything else on the server, and this turned out to be the biggest headache of the whole process, mostly due to the general lack of documentation. After a great deal of searching and a few red herrings, I finally came up with the answer: sudo serveradmin settings jabber:hostsCommaDelimitedString = "" (the iChat service is actually a variation of jabbered2).

Chat Room DNS Setup

The last thing I needed to do was create a DNS record for the multi-user chat part of the iChat service. This has its own subdomain, “rooms.” followed by whatever the host name is–in this case, To get it working, I created another CNAME record which pointed to that Free DNS FQDN. That completed the setup, and if I ever need to change dynamic DNS services, or if I get a static IP at home, I can make all the necessary changes without have to involve anyone else.

New Server
Feb 2nd, 2012 by Ken Hagler


Earlier this week I added this Mac Mini Server, which I named Frontier, to my home network. It’s a bit strange after so many years of working with Macs, and helping to administer Windows and Linux servers, but this is actually my first Mac server!

I got it primarily as a file server for scanned photos, but I’ve also enabled the iChat Server, which is Apple’s front end for the popular XMPP server jabberd. The idea is that once I’ve got some DNS stuff straightened out I’ll finally have the same address for instant messages that I do for email.

Good Lion article
Jul 31st, 2011 by Ken Hagler

Managing Mac OS X Lion’s application resume feature. [MacFixIt]

This article has some very useful information on how to control Lion’s resume feature, including how to disable it on a per-application basis and how to create a specific unchanging resume state.

IT actually concerned about security
May 31st, 2010 by Ken Hagler

‘Microsoft We Don’t Feel So Good About’.

David Gelles and Richard Waters, in a piece titled “Google Ditches Windows on Security Concerns” in the Financial Times:

New hires are now given the option of using Apple’s Mac
computers or PCs running the Linux operating system. “Linux is
open source and we feel good about it,” said one employee.
“Microsoft we don’t feel so good about.”

[Daring Fireball]

I wish the “security” company I worked for had that much sense. Unfortunately, they make it as hard to get Mac (or Linux) machines as Google has made it to get Windows. And since the Powers That Be decided to “outsource” our entire IT department to a company that manufactures Windows PCs, I don’t expect that to change any time soon.

Non-Apple Mac
Jul 27th, 2009 by Ken Hagler

The following was posted to an internal Mac users’ mailing list at work. Since it doesn’t mention any company business, I thought it was interesting enough to post here:

Figured I would let people know I was able to get a rather nice
hackintosh up and running w/out any sort of modified OS install software
using the EFi-X “dongle”. I build I quad core with 8 GB of RAM with a
Gigabyte motherboard for about 1/3 the cost of equivalent Apple hardware
(even better if you assume the monitor I bought is comparable to the
apple 23 inch – likely it’s not the same quality). After 4 days of
running it still seems stable. I’ve been successful in updating all the
OS and software patches for my legally owned copies of apple software
(yah family license!) with no problems what so ever. Basically you plug
a usb dongle directly into the usb pins on the mother board and use it
as a boot loader that mimics the EFI code from the Apple bios. Pop in
your normal install disk and away things go. About time I replaced my
2k1 Sunflower Imac! If anyone else wants to hear more about it shoot me
a question.

It depends on the meaning of “use”
Jan 7th, 2009 by Ken Hagler

How Many Mac Users Use Microsoft Office?.

Todd Bishop:

About 77 percent of Mac users in the U.S. are running Microsoft’s Office for Mac, the Redmond company said today.

I know Office for Mac is a huge seller, but 77 percent sounds crazy high to me.

[Daring Fireball]

I wonder how they define “running” in this case? I have Office on my Mac, in case I need it for work, but since I switched from Entourage to Mail last spring I’ve hardly ever even launched any of it. When I need a word processor, I use Pages.

City of Heroes on Mac
Oct 30th, 2008 by Ken Hagler

City of Heroes superhero MMO comes to Mac. NCsoft is opening one of its massively multiplayer online (MMO) game franchises, City of Heroes, to the Mac. The company has used TransGaming’s Cider engine, which enables the subscription-based game to operate on Intel-based Macs. Beta testing is expected to get underway this week…. [The Macintosh News Network]

I’ve been playing this game on the PC since about a month after it came out. It still has the ubiquitous class-and-level system, but between the wide variety of power combinations and the excellent costume creator (which is almost worth the price all by itself) the problem of cookie cutter characters common to such systems is not present.

»  Substance:WordPress   »  Style:Ahren Ahimsa
© Ken Hagler. All rights reserved.