Technology
From the Trenches

Archive for the 'System Administration' Category

Speeding up Slow SSH Between Solaris & Mac OS X

Thursday, February 18th, 2010

For the past few years I’ve suffered this seemingly random problem when connecting to a Solaris or Mac OS X server via SSH: the connection would take forever to negotiate. It would connect, exchange keys, but then pause for up to a minute, plus or minus eternity, before proceeding with authentication. I finally took some time to figure out how to make it go away. Here’s what I did.

The problem seems to be related to forward and/or reverse DNS lookups. A large number of IP addresses given out on the networks that I connect from do not have proper name entries in the network owner’s DNS. By default, both Solaris and Mac OS X Server try to look up DNS names before proceeding with authentication. Luckily, that behavior is easy to turn off.

On Solaris

Sun’s /etc/ssh/sshd_config file can have these options for disabling the time-wasting DNS lookup behavior:


LookupClientHostnames no
VerifyReverseMapping no

On Mac OS X Server

Apple deploys OpenSSH, and its /etc/sshd_config file can include this option:

UseDNS no

Update your sshd_config files with these options, or ask your sysadmin to do it for you, and you’ll be connecting instantly.
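
An added check, not part of the original post: the script below reports the value sshd would actually use for these keywords, assuming OpenSSH's parsing rules (case-insensitive keywords, first value wins, lines after a `Match` line are conditional) and assuming SunSSH follows them too. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes OpenSSH sshd_config
# parsing: keywords are case-insensitive, the first value found wins, and
# everything after a "Match" line is conditional rather than global.

# effective_value FILE KEYWORD -> prints the value sshd would use, if any
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0  { next }            # comment or blank line
        tolower($1) == "match" { exit }            # end of global section
        tolower($1) == want    { print $2; exit }  # first value wins
    ' "$1"
}

# audit_dns_lookups FILE KEYWORD... -> non-zero if any keyword is not "no"
audit_dns_lookups() {
    file=$1; shift; status=0
    for kw in "$@"; do
        val=$(effective_value "$file" "$kw")
        case "$val" in
            no) echo "ok     $kw $val" ;;
            "") echo "unset  $kw (built-in default applies)"; status=1 ;;
            *)  echo "lookup $kw $val"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample: "UseDNS no" was appended, but an earlier line wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config for the example
Port 22
usedns yes
PasswordAuthentication no
UseDNS no
EOF
audit_dns_lookups "$sample" UseDNS || echo "fix the first UseDNS line"
rm -f "$sample"
```

With `UseDNS no`, OpenSSH matches `from=` patterns in `authorized_keys` and `Match Host` rules against addresses only, so any hostname-based restrictions need converting to IP addresses before the change.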

Snow Leopard Server Adds User-Managed Vacation Messages

Monday, August 31st, 2009

Finally! One of the banes of running Mac OS X Server has been that there is no easy way for users to manage their own vacation messages, which creates a support request every time someone takes a day off. Until now. Mac OS X Server 10.6, “Snow Leopard Server”, includes a web-based interface for users to manage their own vacation messages.

The new feature is implemented via the wiki/blog server. Wiki Server 2 has many new features. One of them is a user-customized home page called “My Page” that displays updated wiki content that the user has access to. My Page is also where the user can enable, schedule, and edit their vacation messages.

This excerpt is from the Mail Service Administration Guide, page 61:

Vacation Notices

If you enable server-side mail rules and the Wiki Server, mail users can add vacation notices through a web interface. How a user modifies their vacation notices:

  1. Log into any wiki page they have access to.
  2. Select My Page.
  3. Select “settings.”
  4. Select Vacation Notice.
  5. To enable vacation notices, for Enabled, select On; to disable vacation notices, select Off.
  6. Click the date next to Vacation Begins and then select the date when notifications will start being sent.
  7. Click the date next to Returning On and then select the date when notifications will stop being sent.
  8. In the Email Subject field, enter the subject line of the mail that will be sent.
  9. In the Vacation Message area, enter the body of the mail that will be sent.
  10. Click Save.

This feature alone provides a big incentive for sysadmins to upgrade to Snow Leopard Server. I look forward to never using sieveshell to set user vacation messages again!

Using Screen Sharing (VNC) Over SSH on OSX

Monday, July 6th, 2009

Tunneling VNC over SSH has several benefits. For one, if you are using a non-Mac version of VNC, your traffic is probably going over the network unencrypted. By default, the Mac VNC client encrypts keystrokes, including the login.

Another benefit of using VNC over SSH is that your client Mac may be behind a firewall, which you cannot reach directly. If there is some other host, like maybe the firewall itself, which you can SSH to, then you can use SSH port forwarding to “bounce” your VNC session off of that host and connect from there to your client Mac.

This procedure assumes that the remote Mac has SSH (“Remote Login” in Sharing Preferences) enabled, and that you can log in with it. Suppose that you want to connect to remote.host.com with VNC and your user account on that machine is remoteuser. Open Terminal, and issue the command:

$ ssh -L 5901:remote.host.com:5900 remoteuser@remote.host.com

Log in at the prompt. Once you’ve logged in, your SSH tunnel is set up. Now simply connect to vnc://localhost:5901 (via Finder -> Go -> Connect to Server), and your VNC traffic will be automagically transported over a secure SSH tunnel to the remote host, and you should get a VNC login prompt.

If remote.host.com is behind a firewall that is preventing access via SSH, but you can access another host via SSH, and that host can access remote.host.com via SSH, then you can forward your traffic through the accessible host. Suppose that host is called dmz.host.com. Run:

$ ssh -L 5901:remote.host.com:5900 remoteuser@dmz.host.com

Log in to dmz.host.com, and now when you connect to vnc://localhost:5901, your network traffic will go through an SSH tunnel to dmz.host.com, and will be forwarded from there to remote.host.com. Isn’t SSH wonderful?
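
A variant of the two commands above, added here and not from the original post, that keeps every hop inside SSH: in the `dmz.host.com` command the leg from `dmz.host.com` to `remote.host.com:5900` is plain VNC, whereas `-J` tunnels through the jump host to the target's own sshd. It assumes OpenSSH 7.3 or later on the client and that Screen Sharing accepts connections on the remote Mac's loopback address; `vnc_tunnel` and `DRY_RUN` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the original post). Host and user names are the
# post's placeholders; DRY_RUN is a switch of this script, not an ssh option.

# vnc_tunnel USER TARGET [JUMP_USER@JUMP_HOST]
vnc_tunnel() {
    user=$1; target=$2; jump=${3:-}
    # -N                    forwarding only, no remote shell
    # ExitOnForwardFailure  abort if local port 5901 cannot be bound
    # 127.0.0.1:5901        listener reachable only from the local Mac
    # 127.0.0.1:5900        resolved on TARGET, so VNC never leaves that host
    set -- -N -o ExitOnForwardFailure=yes -L 127.0.0.1:5901:127.0.0.1:5900
    if [ -n "$jump" ]; then
        # -J reaches TARGET's sshd through the jump host, which then only
        # relays an encrypted SSH session instead of opening port 5900.
        set -- "$@" -J "$jump"
    fi
    set -- "$@" "$user@$target"
    if [ -n "${DRY_RUN:-}" ]; then
        echo "ssh $*"          # show the command without connecting
    else
        ssh "$@"
    fi
}

# Dry run with the post's host names; then connect to vnc://localhost:5901.
( DRY_RUN=1; vnc_tunnel remoteuser remote.host.com remoteuser@dmz.host.com )
```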

Spam-proofing Leopard Server

Monday, April 13th, 2009

This article will show you how to dramatically improve the effectiveness of the anti-spam system that is built into Mac OS X Server 10.5. After the upgrade, at least 99.9% of spam should be prevented from reaching your users’ e-mail inboxes.

This process requires that the Developer Tools are installed on the system. As always, back up your server before making any changes.
