Been a while….
Wow, it’s been almost a year since I’ve posted. I knew I’d been slacking, but didn’t realize it was that much. I’m going to start posting again soon. Stay tuned.

Leopard Active Directory Integration Headaches

Ever since Leopard came out, we have been having a heck of a time trying to get Leopard to bind and/or authenticate to Active Directory reliably. We use Active Directory sites and our Leopard Macs were trying to authenticate to Domain Controllers in the wrong site. I’m reminded of something Joel Rennich said in a Troubleshooting Directory Services webcast (I can’t find the link at the moment); I’m paraphrasing here: “adding Macs to AD can reveal problems with your AD you didn’t know about”.
Disabling Automatic Updates for Office 2008, Apple Software Updates and Adobe CS4
Over at the Make Mac Work blog, Ellis has a very informative article about how to disable automatic update notifications for Apple Software Update, Microsoft Office 2008 and Adobe CS4.
Allow Non-Admin users to Manage Printers
Apple added a "feature" to Leopard which restricts non-administrator users from managing printers on their Macs. While this is desired behavior on a public machine such as a classroom, it is a problem for single-user machines such as faculty, staff and 1:1 deployments.
Securing SSH on Mac OS X by limiting who can log in
This post will describe two different methods for securing SSH that work on both Tiger and Leopard (client or server). These tips can be applied as needed on machines that will have SSH enabled, or as part of your deployment image(s). Personally, I make these changes to our images because if a machine is bound to a directory service such as Open Directory, Active Directory or LDAP and the user is an admin of their own machine, then all users within your domain can remotely log in to that machine. This would greatly increase the chances of your machines being compromised by an SSH dictionary attack. Also, I find that some of our users will enable services such as SSH and never use them, and I know this because they never came to us when they found they weren’t able to ssh into their own machine. In that case, I periodically send out a command to disable SSH on those machines without them even noticing (because they’re not using it!).
The methods I will describe here are:
- Modify the /etc/sshd_config file
- Service access control lists (SACL)


