Archive for the ‘Apple’ Category

Secure FTP and SSL/TLS

Wednesday, February 11th, 2004

OK, I've become a little more educated today about yet another way for ftp to be transported. It turns out that sftp uses OpenSSH as the transport mechanism whereas ftp on SSL/TLS simply uses OpenSSL. Interesting, but a pain in the rear as I'm trying to find a way to upload changes to my Comcast web pages without using clear-text passwords. In its infinite wisdom, Comcast has decided to use the SSL/TLS form of securing FTP, and for Windows users, that's probably just fine. But I'm on Mac OS X, and there aren't a lot of SSL/TLS clients out there.

In fact, a Google search said that several clients for Mac OS X were capable of dealing with SSL/TLS, but when I tried them I was unable to get any of them to work with the Comcast upload site. Now there's certainly a possibility that the port number I'm using is wrong. In one client it allowed me to set the port number but defaulted to 990. Interestingly, there's no mention of a port number on the Comcast web site for SSL/TLS. Why should there be?

So I'm left with the email I sent to Panic.com - makers of Transmit, the ftp client that I like to use (and have purchased) for Mac OS X, and we'll see if they come back with anything helpful to try. One source listed Transmit as an ftp client that did SSL/TLS, but I've yet to be able to prove that with the program in hand.

Fun with BBEdit

Thursday, July 31st, 2003

One of the things I really like is getting surprised by really well written software. It doesn't happen every day, so it's really nice to be really shocked by a chunk of code.

Thankfully, today is one of those days.

I was working with a few of my web sites and one of them happened to be on an NT box. I have the NT box for several reasons, but they all seem to be less important the more I try to do something on that box and find out that because it's NT, I can't. No good telnet server... no really solid ftp server... no OpenSSH server for security... it's so unlike all my other systems (all Unix of one sort or another), it's difficult to get some things done.

So I was trying to figure a way to get the web site fixed and I thought about BBEdit's "Open from FTP Server..." functionality. It's nothing short of amazing. I was able to look at the directory structure and load in the file as clean as you please. Then edit it a bit, save it and reload the page. Everything was working perfectly. I was stunned that it was as easy as it was.

In the end, it didn't matter that my NT FTP server wasn't really 'good', it was good enough for BBEdit. I got everything I wanted done.

Changes… Lots of Changes

Wednesday, May 21st, 2003

I should write in this journal more often. Hard to believe that I'd have enough stuff to put into it each day to fill a few pages. Now work and such is slower and there seems less and less to write about. But I'll try to bring things up to date.

I got a windfall and purchased a 17-inch Powerbook. It's everything that all the reviewers are saying: awesome display, excellent keyboard, fast and a lot of fun. I ended up moving everything from my iBook to the new Powerbook so I didn't lose anything and it took a lot less time than I had thought. The Transfer Mode in OS X is exceptionally nice and makes the one machine look like a firewire drive to the other. I slaved my iBook to my Powerbook and simply copied things over. Very nice.

I've added several things to BKit, most notably is the inclusion of the VantagePoint graphing from Visualize Inc. to enable quick and easy graphing of data sets that I run into from time to time. The licensing for VantagePoint is excessively expensive (starts at $25,000), but for large corporations, I can see it being a reasonable payoff.

I've started work on a new version of the potential/electric field simulator for OS X - nothing fancy, but it's nice to be working on something like that again. I'm taking a new approach on the class structure as well as the simulation/solver code. I already like the way the changes have made things easier and cleaner, I hope they also make things quite a bit faster. I'm also banking on the AltiVec and the math libraries compiled into OS X to help on the speed issue.

Work has been somewhat interesting in that recently the powers that be have decided to thin things out a little more. This round of cuts comes to a group that's consistently been the most arrogant, unlikable group of people that I've ever met in one place. Led, of course, by the two singularly most unlikable folks I've ever met. Now, to put a little bit of perspective on this, I haven't met any serial killers, or national politicians - yet. But up to now, these two are at the top of the list and by a wide margin. So now they get theirs. Karma... excellent.

It's getting close to Summer and that's nice, but it's still Spring, and that means school, activities, and work around the house. Lots of work around the house.

I'm guessing that's what's kept me from writing more in this journal than I have lately - not a lot of fun things I felt like sharing. Sure, life is generally good for me and I shouldn't complain. But there's a big difference between "not bad" and "good". I guess it takes more "good" things to happen for me to take the time to write them down.

Too Many Changes

Wednesday, February 19th, 2003

I've been working on a few changes to the code for these projects at work and I've gotten myself to a point today where I've tested everything, but there is so much to release that it's going to be a pain in the morning. I've changed more than I probably should have for one day, and while I'm not worried about the changes working (I have tested them), there are still so many things to do when rolling out new versions of the apps that it's going to be a very busy morning tomorrow to get everything done in time for the first traders.

Thankfully, I stopped changing things when I realized that I'd pushed the limits, and so I've had time to write everything up, update the docs, and make a good To Do list for tomorrow morning. I'm pretty sure I've got everything covered, but it's going to take a bit of final testing to make sure that everything's OK in the morning.

Yikes!

On a lighter note, it's interesting to see how interdependent everything is when you build a large number of large systems and each feeds data into the other. Yup, it's circular data time, and it just makes keeping things straight that much more important. However, it is interesting to see that all these systems work together to get the complete job done. Of course, no user is really interested in the least, but they aren't really supposed to either.

From here on out, I'll be planning my daily changes a little more carefully so as not to get into this spot again. Just a little bit uncomfortable this afternoon keeping everything straight.

Excellent Software on Mac OS X

Tuesday, February 11th, 2003

I know I've said it before, but here's another reason to switch to Mac OS X - the Mail client that comes with Mac OS X is the next generation of the mail client that was in OPENSTEP/NeXTSTEP. The advantage is that in these earlier versions, there was the capability for developers to add plug-ins into the Mail application simply by placing their plug-in bundle into the proper directory and restarting the application.

The developer of the httpmail plugin has used this capability to add to OS X's Mail the capability to download mail sitting at Hotmail. This means that email sent to a properly configured Hotmail account appears as though it was sent to your normal email account - be it IMAP, POP, whatever. Since I have a Hotmail account for MSN Messenger (really Fire, which does a lot more than just Hotmail) I end up getting a bit of spam to the Hotmail account. Normally, I'd have to pull up the web page, login, and then delete the emails. Now with this plug-in, I can let OS X's Mail application get the spam and let its spam filtering take care of it.

While this isn't like getting a new machine for free, it's a very nice little functional addition to an already excellent application. I don't have to hassle with the problems of getting to Hotmail, and yet I don't have to worry about having hundreds of junk emails there that need to be cleaned out every month or so.

It's really an incredible platform - OS X... I haven't found something that I wished it could do that it can't. And then there are these wonderful little surprises like the httpmail plugin that makes something good really extraordinary.

Let's not forget that in the past few days Apple has released the second version of X11 for OS X in an elegant little package. I'm really not able to think of something that I might want to do that I can't do with this machine. Wow... that's nice.

Not Going Crazy

Friday, January 24th, 2003

I got into ARPAnet while in college at Purdue. There was no such thing as the web or the http: protocol - it was telnet, ftp, and a few new things like gopher, archie, etc. And there were newsgroups. I loved the newsgroups. They have since really been replaced by web logs and news sites, but in my day they were the place to find all your questions answered, you could buy and sell anything and know that it was a decent, honest person on the other end because they had figured out newsreaders, after all. Yes, back in the day, it was an entirely different place.

Still, I'm not ready to let go of newsgroups - so I have always tried to keep a newsreader up and going on at least one platform I was near. For the time I was working out of my home office it was RadicalNews on NeXTSTEP which is an incredible newsreader given when it was written and the hardware it runs on. Really impressive. Then I changed jobs and started carrying my Linux notebook and started using Pan. Not bad at all. Multi-threading meant that this guy could do things that RadicalNews just could not. It could load all the articles on the subscribed newsgroups so that I could read them on the train. This was nice since I didn't have the time to read it in my office anymore.

Then I got my iBook and started carrying it. So I needed a new newsreader on Mac OS X - none of this Classic for me. I looked at newsreaders.com for all the OS X readers and went through them one by one. I had to be able to run in OS X natively, and needed to be able to do online as well as offline reading. While I don't mind paying for some software, a newsreader is not one of the things I was willing to pay for. It's just a little quirk about all the news reading on terminals with rn and the other Unix readers. I don't mind working on freeware/open source, so if I had to help build one I was ready to do that.

After my search and playing with what passed for demos, I settled on Halime as it did all I wanted to do and had a nice icon to boot. I have been using it ever since. But when I downloaded the 1.0b1 version I noticed that it no longer seemed to be reading the articles from my newsserver. I pulled out one of the other readers I'd tried and sure enough, it looks like the server has the articles, so am I crazy or what?

I spent a day and a half recreating the subscriptions from the massive group listing, trying to fiddle with resetting the article numbers, but in the end nothing I did seemed to matter and I was beginning to think that I was crazy.

So I wrote the author and mentioned my problems. He suggested I crank up the debug level and see what it was saying. I did it and BINGO! I saw a ton of error messages - looked like one for each article header it was trying to read. Ah... I could relax. I wasn't going crazy.

Now I'm waiting for a message from the author who's been a really nice guy about other questions/issues I've had in the past. I'm guessing it's something with the newsserver that I'm using. Probably changed the length of some field or something and that's causing the problems. So I hope that soon I'll get an email about an update to fix the problem and I'll be back to reading news.

Gotta Love Apple

Tuesday, January 7th, 2003

OK, there's no doubt that their systems are more expensive than the Wintel ones, but after today's MacWorld Expo keynote, you still just have to love Apple for what it's doing for their platform. Sure, I wish .Mac was still iTools - and free, but it's not, and I can appreciate Steve's point that it was costing too much to keep it free, and they still wanted to invest in it. They certainly could have handled it better, but they could have charged less for Jaguar too... matters of degree certainly, but their steps are in the right direction.

So today we see that they have a new browser, and sure, it's not perfect, but it's a lot nicer than IE and the other browsers I've tried for Mac OS X. I need a browser that just plain works, and was forced to use IE simply because many of the sites I need to get to are really best viewed in IE. Now that Apple has a browser of their own I see this as a terribly good thing for me. I acknowledge a good job in IE for OS X, but I don't like the idea of supporting Microsoft, the company. Now I don't have to. That's a big win for me.

Also, adding X11R6 to their list of supported apps is excellent. I have used XDarwin (XFree86 on OS X) and while it's OK and works, it wasn't ever what I wanted to do as it seemed like too much of a hack - I mean there's already the display system, and X11 is just a protocol... anyway, with Apple giving us X11 I'm about as happy as I've been in a while. It's fast, nice, and completely integrated into the OS X environment. Clearly, both Safari and X11 are only going to get better.

Of course, I'd love to have one of the new 17-inch PowerBooks, but I can wait on that for a while. I'm not ready to be the early adopter for that but if I had to get a machine right now, I'd work awfully hard to make a case for getting that laptop. It's got to be exceptionally nice.

One thing that I'm a little disappointed in with OS X is the JVM. Specifically, loading a Swing-based app is terribly long. I'm sure there's a cost to the JIT, and another to the loading of the JVM, but on a 600MHz G3 with 640MB of RAM it shouldn't take 15 sec. to load a simple app. Once it's loaded, it runs fine, and that's the trade-off I'm sure they made - speed during runtime over speed of loading. But still, it makes quick debugging and running something that you just really can't do.

Hopefully in the future, there will be an update that will make this less of an issue. Certainly every problem I've had with OS X to date has been addressed by an update in the not-too-distant future. Like I said - you gotta love Apple. It almost makes me want to pay $99/yr for .Mac.

Almost.

Fix for OS X sshAgent

Friday, January 3rd, 2003

OK, I didn't check enough things and now I have it much better in hand. When you start a new terminal session on OS X, the code I had for starting ssh-agent would restart a new copy each time a new terminal session was started. This is not what I wanted, so I needed to be a little bit more careful on what was being done.

I needed to clean up the initial test on the existence of the running ssh-agent and I also needed to clean up the .tcshrc and .login files to make them work better when starting new terminal sessions.

My ${HOME}/bin/sshAgent script now looks like this:

#!/bin/tcsh
##
# Start SSH Key Agent
##
if (`where ssh-agent` != "") then
	#
	# See if there's already a running copy of ssh-agent
	#
	set proc=`ps -aux | grep 'ssh-agent' | grep -v grep`
	if ($%proc >= 10) then
		set pid=`echo "${proc}" | awk '{ print $2 }'`
		kill ${pid}
	endif
	#
	# ...and make sure to unset the variable for the PID of the agent
	#
	if ($?SSH_AGENT_PID) then
		unsetenv SSH_AGENT_PID
	endif
	#
	# Now see if we have the socket connection already defined as well
	#
	if ($?SSH_AUTH_SOCK) then
		if (! -S "${SSH_AUTH_SOCK}") then
			unsetenv SSH_AUTH_SOCK
		endif
	endif
	#
	# This is the file location that will hold the environment-setting
	# commands for all subsequent shells based on the results of running
	# ssh-agent for the first time.
	#
	setenv SSH_AGENT_STATE "/tmp/.ssh-agent-state.${user}"
	#
	# If it's still there, it's got old data and needs to be wiped out
	#
	if (-f "${SSH_AGENT_STATE}") then
		rm -f "${SSH_AGENT_STATE}"
	endif
	#
	# If we're all clean, then we need to start up a new instance, and
	# save the environment settings in the proper file for later
	# invocation by other shells.
	#
	if (! $?SSH_AGENT_PID && ! $?SSH_AUTH_SOCK && ! -f "${SSH_AGENT_STATE}") then
		ssh-agent | grep -v '^echo ' >"${SSH_AGENT_STATE}"
		source "${SSH_AGENT_STATE}"
	endif
endif

And my .tcshrc starts off with:

#!/bin/tcsh
if (-f /tmp/.ssh-agent-state.${user}) then
        source /tmp/.ssh-agent-state.${user}
endif

And finally, my .login has the following at the end:

#
# Now get the SSH-Agent up and working on this box so I can get into
# the machines at home where the keys are set up to match.
#
if ( $?SSH_AUTH_SOCK == "0" ) then
        ${HOME}/bin/sshAgent
        source /tmp/.ssh-agent-state.${user}
endif

The important points are these:

  • the sshAgent script gets the process info once so that it's not as much of a drain on the system. Also, it now does it correctly so that we don't get errors on the if statement.
  • the .login doesn't start the sshAgent unless it hasn't already been started. This is important as it keeps the number of instances to 1 for all terminal windows under OS X.
  • the .tcshrc now doesn't fail if there is no ssh-agent running. Previously, if there was none, you'd get an error trying to source a non-existent file.
  • one caveat worth knowing: the state file is sourced by every new shell, and it lives in the world-writable /tmp under a name anyone on the box can predict. On a multi-user machine another local user can create that file (or a symlink in its place) before you log in, and whatever they put in it runs with your privileges. Keeping the file under ${HOME}/.ssh with mode 600, or at least checking its owner and mode before sourcing it, closes that hole; on a single-user laptop it matters less.

These changes make it a lot nicer and though I thought I had tested it before, I've beaten the crud out of it now, and I'm happy with the results. There are probably some improvements to be made, but for now, this is a lot better than it was - because it works right.
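For comparison, here is the same one-agent-per-login idea written for a POSIX shell (bash became the default login shell on later OS X releases). This is an added example, not the sshAgent script from the post or any code of the author's. Two things differ from the tcsh version: the state file is kept under ~/.ssh with mode 600 and checked for owner and permissions before it is sourced, since a predictably named file in the world-writable /tmp can be planted by any local user and sourcing it runs whatever it contains; and the "is an agent already running?" question is put to the agent itself with ssh-add -l rather than answered by grepping ps. The path ~/.ssh/agent.env, the assumption that ~/.ssh already exists and is private, and the sample ssh-agent output are mine.

```shell
#!/bin/sh
# Added example (not the page's sshAgent script): one ssh-agent per login,
# later shells pick it up from a state file. Differences from the tcsh
# version: the state file lives in ~/.ssh (mode 600) instead of /tmp and is
# checked before it is sourced; agent liveness is tested with ssh-add -l.
# ASSUMPTION: ~/.ssh already exists and is private to the user.

# Where the agent's environment settings are kept (assumed path).
agent_state_file() {
    printf '%s/.ssh/agent.env\n' "${HOME}"
}

# ssh-agent -s prints sh-style settings plus a trailing "echo Agent pid N;".
# Drop the echo so that sourcing the saved file is silent (same purpose as
# the page's grep -v '^echo ' on the csh-style output). Reads stdin.
filter_agent_output() {
    grep -v '^echo '
}

# Constructed sample of what `ssh-agent -s` prints, for offline use only.
sample_agent_output() {
    printf '%s\n' \
        'SSH_AUTH_SOCK=/tmp/ssh-XXXXabc123/agent.4242; export SSH_AUTH_SOCK;' \
        'SSH_AGENT_PID=4243; export SSH_AGENT_PID;' \
        'echo Agent pid 4243;'
}

# Succeed only if $1 is a regular file, owned by us, with no group/other
# permission bits. Sourcing a file that fails this check would run whatever
# another local user managed to write into it.
# (test -O is supported by bash, dash and ksh, though not strictly POSIX.)
state_file_is_safe() {
    f="$1"
    [ -f "$f" ] || return 1
    [ -O "$f" ] || return 1
    # Characters 5-10 of `ls -l` output are the group and other bits.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || return 1
    return 0
}

# Succeed if an agent answers on SSH_AUTH_SOCK. ssh-add -l exits 0 (keys
# loaded) or 1 (no keys) when it reaches the agent, and 2 when it cannot.
agent_is_live() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "${SSH_AUTH_SOCK}" ] || return 1
    ssh-add -l >/dev/null 2>&1
    [ "$?" -ne 2 ]
}

# Start at most one agent per login. Source this file and call ensure_agent
# from .profile or .bashrc; a second shell finds the live agent through the
# state file and starts nothing.
ensure_agent() {
    state=$(agent_state_file)
    if ! agent_is_live && state_file_is_safe "$state"; then
        . "$state"
    fi
    if ! agent_is_live; then
        # Subshell keeps the restrictive umask from leaking into the login shell.
        ( umask 077; ssh-agent -s | filter_agent_output > "$state" )
        . "$state"
    fi
}
```

If the agent from an earlier login has died, the saved SSH_AUTH_SOCK no longer points at a socket, agent_is_live fails, and a fresh agent overwrites the state file; nothing is killed by name, so another user's agent on a shared box is never touched.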

SSH Authentication on Mac OS X

Tuesday, December 31st, 2002

One of the nicest things about SSH is ssh-agent, which holds your decrypted private keys and answers the authentication challenges for SSH sessions so that you don't have to keep typing the key's pass-phrase to establish secure connections to all the different machines.

On most Linux distributions, the ssh-agent is invoked at login and all you really need to do is to establish your private keys and then do an ssh-add to load up those keys. On Mac OS X it's a little different and I have to say that I'm a little surprised that there's not a preferences setting that starts this at login. But it's not that hard to do if you get a reasonably nice script written that restarts ssh-agent for you.

Here's what I came up with to restart ssh-agent and update the file that holds the environment variables for subsequent shells:

#!/bin/tcsh
##
# Start SSH Key Agent
##
if (`where ssh-agent` != "") then
	#
	# See if there's already a running copy of ssh-agent
	#
	if (`ps -aux | grep 'ssh-agent' | grep -v grep | wc -l` -eq 1) then
		kill `ps -aux | grep 'ssh-agent' | grep -v grep | awk { print $2 }`
	endif
	#
	# ...and make sure to unset the variable for the PID of the agent
	#
	if ($?SSH_AGENT_PID) then
		unsetenv SSH_AGENT_PID
	endif
	#
	# Now see if we have the socket connection already defined as well
	#
	if ($?SSH_AUTH_SOCK) then
		if (! -S "${SSH_AUTH_SOCK}") then
			unsetenv SSH_AUTH_SOCK
		endif
	endif
	#
	# This is the file location that will hold the environment-setting
	# commands for all subsequent shells based on the results of running
	# ssh-agent for the first time.
	#
	setenv SSH_AGENT_STATE "/tmp/.ssh-agent-state.${user}"
	#
	# If it's still there, it's got old data and needs to be wiped out
	#
	if (-f "${SSH_AGENT_STATE}") then
		rm -f "${SSH_AGENT_STATE}"
	endif
	#
	# If we're all clean, then we need to start up a new instance, and
	# save the environment settings in the proper file for later
	# invocation by other shells.
	#
	if (! $?SSH_AGENT_PID && ! $?SSH_AUTH_SOCK && ! -f "${SSH_AGENT_STATE}") then
		ssh-agent | grep -v '^echo ' >"${SSH_AGENT_STATE}"
		source "${SSH_AGENT_STATE}"
	endif
endif

I call it sshAgent and then in my .login file I have the following lines:

#
# Now get the SSH-Agent up and working on this box so I can get into
# the machines at home where the keys are set up to match.
#
${HOME}/bin/sshAgent
source /tmp/.ssh-agent-state.${user}

Then it's just a matter of generating the keys and getting the public halves to the right hosts for authentication purposes. To generate keys for both SSH v1 and v2 you can simply do this (protocol 1 and its rsa1 keys are obsolete and were removed from OpenSSH in 7.6, and ssh-dss keys have been disabled by default since 7.0, so on a current system generate just the rsa key, or an ed25519 one with -t ed25519, and skip the other two):

ssh-keygen -t rsa1
ssh-keygen -t rsa
ssh-keygen -t dsa

And when each command is executed enter the same pass-phrase so that one pass-phrase activates all key sets. You should now have several files in ${HOME}/.ssh. Only the public halves need to travel to the hosts you want to make SSH connections to; the private keys stay on the machine that runs ssh-agent (if you need to hop onward from one of those hosts, forward the agent with ssh -A instead of copying private keys around). Specifically, copy:

id_dsa.pub
id_rsa.pub
identity.pub

The non-.pub files (id_dsa, id_rsa, identity) must be readable and writable only by you (chmod 600), and ${HOME}/.ssh itself should be mode 700; ssh ignores a private key whose permissions are any looser than that.

You're almost done. Now, on these other machines, append the public keys to the authorized key lists. Append with >> rather than >, because > would throw away any keys that were already authorized there:

cd ${HOME}/.ssh
cat id_dsa.pub id_rsa.pub >> authorized_keys2
cat identity.pub id_dsa.pub id_rsa.pub >> authorized_keys
chmod 600 authorized_keys authorized_keys2

(Older OpenSSH releases kept protocol-2 keys in the separate authorized_keys2 file; since OpenSSH 3.0 both kinds are read from authorized_keys and authorized_keys2 is only a deprecated fallback, so on a current server the second line alone is enough. sshd's StrictModes check, which is on by default, rejects the keys if ${HOME}/.ssh or authorized_keys is writable by group or other.)

Then, on your Mac OS X box, run the sshAgent script and then run ssh-add and enter your pass-phrase - you should see it adding the three keys - DSA, RSA, and RSA1. Now you can simply ssh to the machines that have those copied keys. It's all done.
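The install step on the remote hosts, as an added example written in POSIX sh (not the page's own commands): only public keys are handled, each key is appended rather than overwriting authorized_keys, keys already present are skipped so the function can be re-run, and the directory and file permissions that sshd's StrictModes checks are set. The sample key lines are constructed placeholders, not real key material, and the function and file names are mine.

```shell
#!/bin/sh
# Added example (not the page's commands): install public keys into a remote
# account's authorized_keys the way sshd wants them. Private keys are never
# involved; they stay on the machine that runs ssh-agent.

# Constructed sample public-key lines (placeholder material, not real keys).
sample_pubkeys() {
    printf '%s\n' \
        '# constructed sample keys, not real key material' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedRSA tester@sherman' \
        '' \
        'ssh-dss AAAAB3NzaC1kc3MAAACBAconstructedDSA tester@sherman'
}

# install_pubkeys PUBFILE SSHDIR
#   PUBFILE holds one OpenSSH public-key line per key ("type base64 comment").
#   SSHDIR is the target ~/.ssh. Keys already present are skipped, and the
#   file is appended to, unlike `cat ... > authorized_keys`, which silently
#   drops every key that was already authorized.
install_pubkeys() {
    pubfile="$1"
    sshdir="$2"
    auth="$sshdir/authorized_keys"

    # StrictModes (on by default) rejects keys if ~/.ssh or authorized_keys
    # is writable by group or other.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"

    # `|| [ -n "$line" ]` keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        # Compare on key type and key material only, so the same key with a
        # different comment is still recognised as a duplicate.
        keyid=$(printf '%s\n' "$line" | awk '{ print $1, $2 }')
        if ! awk -v k="$keyid" \
                '(($1 " " $2) == k) { found = 1 } END { exit !found }' "$auth"; then
            printf '%s\n' "$line" >> "$auth"
        fi
    done < "$pubfile"
}

# Number of key lines in an authorized_keys file (blank and comment lines
# ignored), used to check what install_pubkeys did.
count_keys() {
    grep -c '^[^#]' "$1"
}
```

Usage on a remote host would be `install_pubkeys /path/to/keys.pub "$HOME/.ssh"`, with keys.pub holding the .pub lines copied over from the Mac; running it twice leaves authorized_keys unchanged the second time.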

Excellent!

Almost Vacation Time

Friday, December 20th, 2002

Well... today's been a good day so far, and I'm going to work hard to keep it that way. I upgraded sherman to Mac OS X 10.2.3 and was very happy to see that Apple had fixed the SMTP over SSL so that I can send emails from anywhere my iBook is connected to the net. This is a very nice addition as I now don't really need to get the .Mac account to be able to send email from work. Not a major problem, but very nice to have.

I also upgraded to 0.32a of Fire, the ICQ/MSN/AOL/Yahoo IM client that I run on sherman to chat with friends and family, and got a few nice things there, but wasn't really needing any of them. Still, nice to see that it's still actively being developed.

Finally, today is the last day before I take off a week and a half for Christmas Vacation. I won't be back in the office until Jan 2, 2003. I really need this week and a half (with two holiday days in there). Today is, after all, the last day for all those that were given the news on Red Tuesday. I'm going to miss the Team a whole lot. It's going to be a big change not to see them daily. Sad times.

But I'm going to try and stay up-beat today because I physically feel bad enough with a bad chest cold coming on strong and feeling very very tired. I don't need to let this all get to me mentally too.