Fix broken SSH key based authentication on OS X El Capitan

A fresh OS X El Capitan 10.11.3 install on my new Hackintosh broke my well-working SSH key based authentication (passwordless). I wasn’t able to connect from a remote system to my OS X system without getting asked for the password. Before this I created a key based login to the OS X system without any negative feedback. So what the hell is wrong?

To figure out the problem I debugged SSH with the -v option on the remote where I tried to connect to my Hackintosh.

ssh -v USERNAME@example.com

Between all the debug messages I found a very useful piece of information:

debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /Users/USERNAME

Well, this line says enough. I had to fix the permissions of the /Users/USERNAME folder.

chmod 700 /Users/USERNAME

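chmod 700 grants full permissions to the owner, while group and others get no access at all. That’s fine: sshd (with StrictModes enabled, the default) ignores authorized_keys when the home directory is writable by group or others.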
Problem solved for me :-)
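
The check behind that debug message, as an added example (not part of the original post): with StrictModes, sshd rejects authorized_keys when the home directory, ~/.ssh or the key file has the wrong owner or is writable by group or others. The function names check_path and audit_ssh_perms are made up for this illustration.

```shell
#!/bin/sh
# Added example: flag paths that make sshd (StrictModes yes) ignore
# authorized_keys: wrong owner, or writable by group/others.

# check_path PATH UID -> prints a verdict; returns 1 if sshd would reject it.
# Parses `ls -ldLn` because stat(1) flags differ between OS X and Linux.
check_path() {
    [ -e "$1" ] || { echo "missing   $1"; return 0; }
    line=$(ls -ldLn "$1")
    mode=$(printf '%s' "$line" | cut -c1-10)
    owner=$(printf '%s' "$line" | awk '{print $3}')
    # Characters 6 and 9 of the mode string are the group/other write bits.
    case "$mode" in
        ?????w????|????????w?) echo "bad mode  $1 ($mode)"; return 1 ;;
    esac
    if [ "$owner" != "$2" ] && [ "$owner" != "0" ]; then
        echo "bad owner $1 (uid $owner)"; return 1
    fi
    echo "ok        $1 ($mode)"
}

# audit_ssh_perms HOME_DIR [UID] -> exit status = number of offending paths.
audit_ssh_perms() {
    uid=${2:-$(id -u)}
    bad=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        check_path "$p" "$uid" || bad=$((bad + 1))
    done
    return "$bad"
}

# Audit the given home directory (default: the current user's).
audit_ssh_perms "${1:-$HOME}" || echo "$? path(s) need chown or chmod go-w"
```

Run it on the machine you log in to, as the account that owns the keys.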

Fix fonts displayed as squares in Cordova and iOS

I’m currently developing a new Cordova app and I found out that some TTF fonts won’t get displayed with Cordova and PhoneGap – it’s all about iOS. My project uses Google Fonts, they work very well, but the Font Awesome package shows a square instead of the correct glyph on iOS.

iOS is blocking some fonts, but it’s easy to allow your app to use the fonts you want!

Navigate to the info tab of your app target and add a new row inside the iOS target properties:


Write or paste the raw key name UIAppFonts (shown in readable form as Fonts provided by application) in the input field:


Now you have to add the full path to your fonts. Each file gets its own key, just add a new row if you are using multiple fonts.
For example: /www/fonts/fontawesome-webfont.ttf


Disable PHP notice logging

The default PHP configuration reports all errors, including notices, which can blow up the logs very fast. If you want to log only errors instead of everything, you have to edit the php.ini.

Where is the php.ini configuration file located? PHP delivers all configuration details with the phpinfo(); function, and you’ll find the path to your php.ini in its output.

You could also look it up from your console, but beware: if you are using PHP-FPM, your php.ini is stored in a different location.
To find the php.ini with PHP-FPM run this command:

/usr/sbin/php5-fpm -i | grep php.ini

This will give you:

Configuration File (php.ini) Path => /etc/php5/fpm
Loaded Configuration File => /etc/php5/fpm/php.ini

With a default PHP setup:

php -r "phpinfo(INFO_GENERAL);" | grep php.ini

Are you using PHP only with your webserver? Simply create a new php file with this content:

<?php phpinfo(INFO_GENERAL); ?>

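… and request it in your browser. Search for php.ini and you’ll find the correct path. Delete the file afterwards, because the phpinfo() output exposes your server configuration to anyone who requests it.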

Now it’s time to edit the php.ini, in my case the configuration is inside /etc/php5/fpm/php.ini.

nano /etc/php5/fpm/php.ini

Default PHP configuration (try CTRL + W to search with nano for error_reporting, it’s a big config!):

error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

New configuration (only fatal run-time, core and compile errors are reported; warnings are dropped as well):

error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR

Finally restart your webserver or only the php5-fpm process, depending on what you are using:

  • Apache 2: /etc/init.d/apache2 restart
  • nginx: /etc/init.d/nginx restart
  • PHP-FPM: /etc/init.d/php5-fpm restart

Fix Mail IMAP and SMTP problems on Mac OS X Yosemite

Mac OS X is sometimes a pain. The system delivers a lot of awesome features, but more features will bring more problems. OS X Yosemite Mail problems are well known by many users.

My own mail server is based on Courier, Dovecot and some other services and I never have had any problems with this setup.

But from time to time my outgoing and incoming mail traffic was broken with Mail on OS X Yosemite. I never changed the configuration – why would I, when it’s working very well? So why does it stop working?

But as Apple always says: There are no problems with their software. So what can we do? Apple says: Create a backup and reinstall your system. Funny joke by Apple? No. But I have found a solution that works very well for me – without editing the raw config files, reinstalling the complete system or any other crazy and time-wasting methods.


And now disable the automatic detection of the account settings inside the mailbox settings – for both: IMAP/POP and SMTP!

Be sure to use the right configuration for your mailbox account (port, SSL option, authentication type, …), otherwise it won’t work.


The Mail application has reconfigured my mailbox account settings from time to time and I don’t know why. But disabling the automatic detection option did the trick! OS X Mail runs fine and has stopped messing things up.

nginx/Apache: force the browser to show a file instead of downloading

Linking to a text file can cause the browser to download the file instead of displaying the file’s content in the browser window.

With nginx and Apache it’s easy to force the browser to show the content directly, this could be very useful. The trick is to add the text/plain content-type.

The examples below send Content-Type: text/plain for .js, .sh and .txt files.

nginx configuration inside the server { } configuration block:

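location ~* ^.+\.(js|sh|txt)$ {
	# add_header would send a second Content-Type header; clear the
	# extension map instead so that default_type applies
	types { }
	default_type text/plain;
}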

Apache requires mod_mime (should be installed/activated by default!). You could add this line to your .htaccess or in the httpd.conf:

AddType text/plain .js .sh .txt

Reset Spotlight to fix broken Finder search on OS X Yosemite

OS X Yosemite looks great but has some strange bugs (See «How to fix the Notification Center on OS X Yosemite»). Another bug is the broken Finder search. I found this after I tried to search for files in an unpacked folder of some downloaded files. They were inside the folder, but Finder just didn’t find them. Looks like Spotlight is broken on OS X Yosemite.

Finally I tried to reset Spotlight.

Open the Terminal application (Terminal @Spotlight – this should work!) and run these commands to reset Spotlight:

sudo rm -rf /.Spotlight-V100
sudo rm -rf /.Spotlight-V200
sudo mdutil -i off /
sudo mdutil -i on /
sudo mdutil -E /

The Finder search should work fine right now, but it could break again – just run the commands above again.

Alternatively you could download (or just create your own) the commands bundled to a bash script and run it directly:

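wget http://marcel.zurreck.com/files/os_x_spotlight_reset.sh
less os_x_spotlight_reset.sh   # read the script before running it, it calls sudo
chmod +x os_x_spotlight_reset.sh
./os_x_spotlight_reset.sh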

How to enable Cross-Origin Requests (CORS) on nginx

Requesting files from a different host could cause problems because of Cross-Origin Resource Sharing (CORS) policies:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://cdn.example.com/fonts/fontawesome-webfont.woff. This can be fixed by moving the resource to the same domain or enabling CORS.

Cross-domain requests would otherwise be forbidden by a lot of web browsers, because of the same-origin security policy.
Because some browsers ignore the same-origin security policy while others enforce it, you should enable CORS on nginx if you host content on a different domain or subdomain. Otherwise the client can’t load the requested files.

In my case Safari ignores the same-origin security policy if the file is on the same domain, but on a different subdomain – Firefox takes care of the policy and blocks the request – and the client isn’t able to load the file. This could change from version to version. So it’s recommended to enable cross-origin requests!

To enable CORS you have to modify the nginx config file with your server block configuration which serves the external files.

Just place an add_header directive inside a location of your server block:

location / {
	add_header 'Access-Control-Allow-Origin' *;
}

In my example I use a wildcard to allow every request. We could restrict the access instead of using a wildcard by changing it to http://www.example.com.

To enable CORS only for *.example.com you should use this:

location / {
	# ^ and $ anchor the match so that only *.example.com origins are accepted
	if ($http_origin ~* ^(https?://[^/]*\.example\.com(:[0-9]+)?)$) {
		add_header 'Access-Control-Allow-Origin' "$http_origin";
	}
}

Cross-origin requests can also be enabled for multiple domains:

location / {
	# ^ and $ anchor the match so that nothing may follow the allowed domain
	if ($http_origin ~* ^(https?://[^/]*\.example\.com(:[0-9]+)?|https?://[^/]*\.otherdomain\.com(:[0-9]+)?)$) {
		add_header 'Access-Control-Allow-Origin' "$http_origin";
	}
}
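
Why the Origin pattern has to be anchored with ^ and $, shown with grep -Ei standing in for nginx's case-insensitive ~* match (added example, not part of the original post). The sample Origin values and the helper origin_allowed are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare an unanchored and an anchored Origin pattern.
# A reflected Access-Control-Allow-Origin is only as strict as this regex.

UNANCHORED='https?://[^/]*\.example\.com(:[0-9]+)?'
ANCHORED='^https?://[^/]*\.example\.com(:[0-9]+)?$'

# origin_allowed PATTERN ORIGIN -> exit 0 if the origin would be reflected
origin_allowed() {
    printf '%s\n' "$2" | grep -Eiq -- "$1"
}

# Constructed sample Origin header values.
for o in \
    'https://cdn.example.com' \
    'http://www.example.com:8080' \
    'https://www.example.com.attacker.test' \
    'https://attacker.test'
do
    u=no; a=no
    origin_allowed "$UNANCHORED" "$o" && u=yes
    origin_allowed "$ANCHORED" "$o" && a=yes
    printf '%-40s unanchored=%-3s anchored=%s\n' "$o" "$u" "$a"
done
```

The third origin only contains .example.com in the middle of its host name; the unanchored pattern accepts it, the anchored one does not.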

Finally reload nginx (Debian: /etc/init.d/nginx reload) and test it. Have a look at the response headers – Firebug helps – (maybe you have to clear your browser cache!). You should see something like this:

HTTP/1.1 200 OK
...
Access-Control-Allow-Origin: *
...

How to fix the Notification Center on OS X Yosemite

A lot of users have problems on OS X Yosemite 10.10 with the Notification Center: it doesn’t store the settings correctly. All custom settings are gone after a restart and you have to configure it again and again… Because I don’t want to lose my precious time I found an easy solution.

Just a few commands to fix it

Just open the Terminal application (you could start the application with Spotlight -> Terminal) and move the NotificationCenter folder (located in your current user’s ~/Library/Application Support/) to your Desktop, just to keep it as a backup (I never needed it!)

mv ~/Library/Application\ Support/NotificationCenter ~/Desktop/

Now go to the DARWIN_USER_DIR folder, delete the settings for the Notification Center and kill the Notification Center processes.

cd `getconf DARWIN_USER_DIR`
rm -rf com.apple.notificationcenter
killall usernoted; killall NotificationCenter

I had to restart my Mac twice to finally get this to work, so just do that as well.

Let me know if this could fix your problem too!

OS X El Capitan change SSH port

This tutorial works also with Mavericks and Yosemite.

OS X is based on UNIX, but there are some big differences. On a Linux or UNIX system you could easily edit the sshd_config to change the default port. On OS X you have to go a longer way – but it’s still easy. I change the default sshd port after a fresh system installation, or a system upgrade (a major upgrade, like from Yosemite to El Capitan, will change the port to 22 again…), because of security.

Modify the /etc/services file and add two new entries (in this example I use port 60225):

sudo nano /etc/services
ssh2             60225/udp     # SSH Remote Login Protocol
ssh2             60225/tcp     # SSH Remote Login Protocol

Now you can add a secondary ssh port on OS X. Both values should be the same! Save and exit (CTRL+O and CTRL+X).

Create a copy of your ssh.plist configuration and modify the new file:

sudo cp /System/Library/LaunchDaemons/ssh.plist /System/Library/LaunchDaemons/ssh2.plist
sudo nano /System/Library/LaunchDaemons/ssh2.plist

Rename sshd to sshd2 and ssh to ssh2:

<key>Label</key>
<string>com.openssh.sshd2</string>
...
<key>SockServiceName</key>
<string>ssh2</string>

Reload the ssh2.plist to activate the new port:

sudo launchctl unload /System/Library/LaunchDaemons/ssh2.plist
sudo launchctl load -w /System/Library/LaunchDaemons/ssh2.plist

Test the login:

ssh -l USERNAME localhost -p YOUR_NEW_PORT

For more security you could just change the port 22 inside /etc/services, without adding a second one. Skip the ssh2.plist copy & reload part, just reload the ssh.plist instead.
