Fixing macOS Sierra/OpenSSH 7.x Compatibility

I’ve seen this question come up several times from users of macOS Sierra who use SSH after upgrading. It usually goes something like, “Has anyone seen this since upgrading to Sierra?”

Unable to negotiate with 192.0.2.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Another issue you might come across is your public key ceasing to work. If you connect with the verbose option (ssh -v hostname), you might catch a bit like this in the output:

Skipping ssh-dss key /Users/scottm/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes

These aren’t a Sierra issue per se; they are more specifically related to the upgrade from OpenSSH 6.9 in El Capitan to OpenSSH 7.2 in Sierra. OpenSSH deprecated a number of methods and algorithms in 7.0. They are still supported, but are disabled by default. For more information, check out OpenSSH: Legacy Options.

That’s all fine and dandy, but what you really want is a solution. You probably have some security appliance, router, or similar that doesn’t support any other methods and you just need it to work. Perhaps like me, you have an older private key that isn’t up to the new requirements, but you still need to use it. The options to fix these issues are KexAlgorithms +diffie-hellman-group1-sha1 and PubkeyAcceptedKeyTypes=+ssh-dss. You can add these at the command line (ssh -o PubkeyAcceptedKeyTypes=+ssh-dss hostname), but that’s kind of a pain.

A more convenient way to use them is to add these options to your ~/.ssh/config file. If you don’t already have this config file, it’s a plain text file you can create with your text editor of choice. At the top of the file, add:

# Settings for all hosts
PubkeyAcceptedKeyTypes=+ssh-dss
KexAlgorithms +diffie-hellman-group1-sha1

Now your public key and the key exchange algorithm will work anywhere you connect. Perhaps you’d like a bit more granularity?

# Settings for all hosts
PubkeyAcceptedKeyTypes=+ssh-dss

# Host specific settings
Host *.net.mydomain.net
 KexAlgorithms +diffie-hellman-group1-sha1
 User username

This allows the public key for all hosts, but only allows the diffie-hellman-group1-sha1 algorithm to be used with hosts matching the wildcard. Additionally, this example shows using a different username than your login on your local machine. There are a lot of options available, but these are the ones I use most. You might also find Compression yes to be useful if you connect to hosts with low bandwidth links.
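To see exactly which hosts the options above apply to, the following added example (not code from the original post) models the two rules that matter here: OpenSSH uses the first value it obtains for an option, so global settings at the top of the file take precedence over anything in a later Host block, and a value beginning with “+” is appended to the default list rather than replacing it. The default algorithm lists and the sample config are constructed for illustration; the real OpenSSH 7.2 defaults are longer, and negated (!) patterns and Match blocks are not modelled.

```python
import fnmatch

# Constructed sample ~/.ssh/config mirroring the host-scoped example in the post.
SAMPLE_CONFIG = """\
# Settings for all hosts
PubkeyAcceptedKeyTypes=+ssh-dss

# Host specific settings
Host *.net.mydomain.net
 KexAlgorithms +diffie-hellman-group1-sha1
 User username
"""

# Assumed, abbreviated default lists; they exist only so that the '+' prefix
# (append to defaults instead of replacing them) can be demonstrated.
DEFAULTS = {
    "kexalgorithms": ["curve25519-sha256@libssh.org", "diffie-hellman-group14-sha1"],
    "pubkeyacceptedkeytypes": ["ssh-ed25519", "ssh-rsa"],
}


def parse_config(text):
    """Return a list of (host_patterns, {option: value}) blocks in file order.
    Options that appear before the first Host line form a block matching '*'."""
    blocks = []
    patterns, opts = ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both 'Key value' and 'Key=value' spellings.
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
        else:
            key, value = line.split(None, 1)
        key, value = key.strip().lower(), value.strip()
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)  # first occurrence within a block wins
    blocks.append((patterns, opts))
    return blocks


def resolve(text, hostname):
    """Collect options from every block whose Host pattern matches hostname,
    keeping the first value obtained for each option (OpenSSH semantics)."""
    resolved = {}
    for patterns, opts in parse_config(text):
        if any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            for key, value in opts.items():
                resolved.setdefault(key, value)
    return resolved


def effective_list(resolved, option):
    """Expand a comma-separated algorithm option against the assumed defaults,
    honouring the leading '+' that appends rather than replaces."""
    value = resolved.get(option)
    defaults = list(DEFAULTS[option])
    if value is None:
        return defaults
    if value.startswith("+"):
        return defaults + value[1:].split(",")
    return value.split(",")


if __name__ == "__main__":
    for host in ("sw1.net.mydomain.net", "bastion.example.com"):
        r = resolve(SAMPLE_CONFIG, host)
        print(host)
        print("  kex:", ", ".join(effective_list(r, "kexalgorithms")))
        print("  key types:", ", ".join(effective_list(r, "pubkeyacceptedkeytypes")))
        print("  user:", r.get("user", "(local login)"))
```

Running it shows diffie-hellman-group1-sha1 only in the list for the host under *.net.mydomain.net, while ssh-dss is appended for every host, which is the scoping the post describes. The same first-value-wins rule is why a legacy KexAlgorithms line placed at the top of the file would apply everywhere, regardless of any Host block below it.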

As an aside, if you are a macOS user using Terminal, I highly recommend checking out iTerm2. It’s far superior to Terminal and has many features to improve the experience of using the shell.

FIN

Fixing the Prolific Driver on OS X

Prolific USB to Serial Adapter

There are a couple different USB to serial adapters that you might use as a network engineer. The one pictured in the article is manufactured by Prolific, but sold by multiple different vendors. There’s also another manufactured by FTDI, which I’ve heard good things about, and of course the one built into recent Cisco hardware. The driver for the chip used by Cisco is conveniently included in OS X, but the FTDI and Prolific chips require their own drivers. Myself, I have used the Prolific cables for years and have been generally happy with them.

The best drivers for the Prolific come directly from the manufacturer, not the vendors that resell them. This is because the vendor provided drivers always seem to be out of date. However, the drivers from Prolific don’t work with all cables out of the box. I’m going to show you how to fix that.

1. Get the Driver

If you haven’t already, hop over to the Prolific site to download the driver and install it. Here’s the URL at the time of this writing:

http://www.prolific.com.tw/us/showproduct.aspx?p_id=229&pcid=41

If you are running OS X Yosemite, you may need to read this article to get the driver working: OS X Yosemite and Prolific USB Drivers.

2. Discover Magic Numbers

OK, the numbers aren’t really magic, but the driver will need them so that it can be associated with your USB device. Head to Apple -> About This Mac and choose System Report. Select USB and scroll until you find your Prolific USB device. It should look something like this:

Watch for the Manufacturer (circled in blue). Then note the Product ID and Vendor ID (circled in red). We will be adding these to the driver.

3. Hex to Decimal Conversion

Calculator in hex mode

We need to convert the hex numbers to decimal. An easy way to do that is to run Calculator and hit Command-3. Click the “16” above the clear button to switch to hex and enter the number you want to convert (like 0x2008 from the example). Now click the 10 and you have the hex to decimal conversion. If you used 0x2008, you should get 8200. You need to convert both the product and vendor IDs.

4. Edit the Driver

Fire up your favorite terminal emulator and head here:

cd /System/Library/Extensions/ProlificUsbSerial.kext/Contents

At this point, you will need to either fire off a root shell or sudo everything.[1]

Safety First! Backup your Info.plist so you can fix the driver if you break it.

Edit Info.plist with your editor of choice. Scroll down and you will find a section that looks like this:

<key>0557_2008</key>
<dict>
        <key>CFBundleIdentifier</key>
        <string>com.prolific.driver.PL2303</string>
        <key>IOClass</key>
        <string>com_prolific_driver_PL2303</string>
        <key>IOProviderClass</key>
        <string>IOUSBInterface</string>
        <key>bConfigurationValue</key>
        <integer>1</integer>
        <key>bInterfaceNumber</key>
        <integer>0</integer>
        <key>idProduct</key>
        <integer>8200</integer>
        <key>idVendor</key>
        <integer>1367</integer>
</dict>

What you want to do is copy and paste that section. I don’t think the <key> actually matters, but you can change it to match the hex version of the vendor and product ID. So if your vendor ID was 0x2478 for Tripplite with a product ID of 0x2008, you can change the key for your new section to:

<key>2478_2008</key>

Then you will want to put the decimal versions you converted earlier into the idProduct and idVendor entries. So for the Tripplite example you only need to change the idVendor, and it would look like this:

        <key>idVendor</key>
        <integer>9336</integer>

So the final product for my Tripplite version of the Prolific adapter works when I have this section added:

<key>2478_2008</key>
<dict>
        <key>CFBundleIdentifier</key>
        <string>com.prolific.driver.PL2303</string>
        <key>IOClass</key>
        <string>com_prolific_driver_PL2303</string>
        <key>IOProviderClass</key>
        <string>IOUSBInterface</string>
        <key>bConfigurationValue</key>
        <integer>1</integer>
        <key>bInterfaceNumber</key>
        <integer>0</integer>
        <key>idProduct</key>
        <integer>8200</integer>
        <key>idVendor</key>
        <integer>9336</integer>
</dict>
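Steps 3 and 4 can be done in one go with Python’s standard plistlib, which also sidesteps hand-editing XML as root. The following is an added example, not part of the post or the Prolific driver: it assumes the per-device dicts shown above live under the standard IOKitPersonalities key (as they do in kext Info.plist files), takes the hex Vendor ID and Product ID exactly as System Report shows them, converts them to the decimal integers the plist needs, clones the existing 0557_2008 entry, and backs up Info.plist before writing. The embedded sample plist is constructed for illustration.

```python
import pathlib
import plistlib
import sys

# Constructed stand-in for the relevant part of the driver's Info.plist.
# Assumption: the per-device dicts sit under IOKitPersonalities, the standard key
# macOS uses for kext matching dictionaries.
SAMPLE_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.prolific.driver.PL2303",
    "IOKitPersonalities": {
        "0557_2008": {
            "CFBundleIdentifier": "com.prolific.driver.PL2303",
            "IOClass": "com_prolific_driver_PL2303",
            "IOProviderClass": "IOUSBInterface",
            "bConfigurationValue": 1,
            "bInterfaceNumber": 0,
            "idProduct": 0x2008,  # 8200 decimal, as in the post
            "idVendor": 0x0557,   # 1367 decimal
        }
    },
})


def add_personality(plist_bytes, template_key, vendor_hex, product_hex):
    """Clone the personality named template_key for a new vendor/product pair.

    vendor_hex and product_hex are the strings System Report shows ('0x2478');
    int(..., 16) performs the hex-to-decimal conversion the post does in
    Calculator. Returns (updated plist bytes, key of the new entry)."""
    data = plistlib.loads(plist_bytes)
    personalities = data["IOKitPersonalities"]
    vendor, product = int(vendor_hex, 16), int(product_hex, 16)
    new_key = f"{vendor:04X}_{product:04X}"  # same naming style as 0557_2008
    if new_key in personalities:
        raise ValueError(f"{new_key} is already present in the driver")
    entry = dict(personalities[template_key])  # copy, so the original stays intact
    entry["idVendor"] = vendor
    entry["idProduct"] = product
    personalities[new_key] = entry
    return plistlib.dumps(data), new_key


def personality(plist_bytes, key):
    """Return one matching dict from a plist, for inspection and checks."""
    return plistlib.loads(plist_bytes)["IOKitPersonalities"][key]


def patch_file(path, vendor_hex, product_hex, template_key="0557_2008"):
    """Back up Info.plist next to itself, then write the updated version.
    Returns the new key. Needs root when run against /System/Library/Extensions."""
    path = pathlib.Path(path)
    original = path.read_bytes()
    backup = path.with_name(path.name + ".bak")
    backup.write_bytes(original)  # Safety first: keep a copy to restore from
    updated, key = add_personality(original, template_key, vendor_hex, product_hex)
    path.write_bytes(updated)
    return key


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: sudo python3 fix_plist.py <Info.plist path> 0x2478 0x2008
        print("added", patch_file(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:
        # Dry run against the constructed sample: print the result to stdout.
        out, key = add_personality(SAMPLE_PLIST, "0557_2008", "0x2478", "0x2008")
        print(f"new entry {key}:", personality(out, key))
```

Run without arguments it only prints the patched sample; with a path and the two hex IDs it edits the real file, leaving Info.plist.bak beside it so the driver can be restored if matching breaks.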

5. Kick the Driver

Now you need to unload and reload the driver to load the new settings:

$ sudo kextunload /System/Library/Extensions/ProlificUsbSerial.kext   # unload the old copy first
$ sudo kextload /System/Library/Extensions/ProlificUsbSerial.kext     # then load it with the edited Info.plist

You should now have a working USB device! This is a bit of a hassle. I recently found another way to solve this problem, but it’s not free and it’s another blog post.

FIN

OS X Yosemite and Prolific USB Drivers

Prolific USB to Serial Adapter

[Note from November of 2015: This stopped working for me. I have not tried to make this work in El Capitan. I am now using the app Serial. It’s not cheap at $29.99 (£22.99), but it works. I’ve not had any problems with any USB serial adapter (including USB consoles of Cisco devices) since I started using it. Highly recommended!]

[Note from December 2015: You might try the driver from Aten. Go there, select Resources, then Software & Driver. It has been reported that this driver works on El Capitan.]

If you are an OS X user, you know that a new OS has come out. New OS upgrades are always shiny, but also come with some level of risk. I have an old MacBook that had been running the Yosemite beta, so I wasn’t too worried about upgrading my primary laptop when the Yosemite final was released. All was fine and dandy until I was onsite and couldn’t console into a router because my ATEN USB to serial adapter wasn’t working…

I’ve been using this particular model of adapter for a long time. They have had the occasional driver issue, but they’ve been good and reliable overall, so I was surprised when I tried to open the device it wasn’t present. This was odd, but I immediately realized it probably had to do with the OS upgrade. No problem, I’ll just reinstall the driver, problem solved!

Not so much. The device still wasn’t loading. At this point, I’m becoming concerned. I ran Console and saw this error when I plugged in my USB adapter:

10/30/14 14:32:09.553 com.apple.kextd[19]: ERROR: invalid signature for
com.prolific.driver.PL2303, will not load

Well, that’s not good. After a bit of searching, I discover that it’s Windows Vista all over again. Well, it’s not actually that bad, but it did remind me of a behavior change in Vista that required all drivers to be signed with a trusted signature. Apparently, Mavericks has been helpfully logging warnings about this, but since nothing had stopped working, I guess no one did anything to fix it. Now with Yosemite, all kernel extensions must be signed or they won’t load. No problem, I’ll just install the updated driver!

Not so much. The device driver is the same as the one I already have. Fortunately, I’d already found the workaround. With Windows Vista, you could hit F8 at boot and boot in a dev mode that allowed any driver to load. You had to do that every time you booted. Fortunately, with Mac you only need to run this command once and reboot, after which it’s set (note that kext-dev-mode=1 relaxes signature enforcement for every kext on the system, not just this driver):

sudo nvram boot-args="kext-dev-mode=1"

After rebooting, I found that I had to manually load the kext the first time, but it seems to have been auto-loading ever since. To manually load the kext:

sudo kextload /System/Library/Extensions/ProlificUsbSerial.kext

If you check your logs, you’ll see it’s back to a warning when the kext is loaded:

11/12/14 19:12:41.747 com.apple.kextd[19]: kext-dev-mode allowing invalid
signature -67062 0xFFFFFFFFFFFEFA0A for kext
"/System/Library/Extensions/ProlificUsbSerial.kext"

More importantly, you’ll have your device working and can finally fix that router you’re supposed to be fixing…

FIN

NetScanTools Pro

We all like tools (sometimes read “toys”). Especially nifty ones. One of the tools I’ve used for years is NetScanTools Pro from NorthWest Performance Software. Kirk Thomas is the founder of the company and you can find him on twitter as @NetScanTools. I’ve talked to him many times on Twitter and he is extremely helpful and very open to input from his customers.

NetScanTools Pro

I was first introduced to NetScanTools Pro by Laura Chappell of Chappell University, where she teaches about protocol analysis and Wireshark. It’s something of a network discovery tool and then some. It has a collection of active and passive discovery tools, various DNS tools, and some packet level tools. The value in most of this is that all the tools are in one place and it has automation to grab lots of information very quickly, though there are a few unique tools. The only downside to this tool is that it’s only on Windows.

Discovery Tools

You can find out a lot about a network by digging through its DNS entries, scanning hosts, doing whois lookups, etc. That generally takes time. NST can really speed this up with several automated reports. In just a few minutes it can give you a report for a domain that includes whois records, DNS details, MX records, blacklists, traceroute with geolocation, port scans, and more.

NetScanTools Scanning

NetScanTools running a scan. You can see most of the options here.

This can save a lot of time in discovering information about a network. You don’t have to do everything as an automated scan. You can also run the tools individually.

There are also a number of tools that give you information about the computer and local network that NST is running upon. If it has something to do with the network, NST has a tool to tell you about it.

Testing Tools

NST also includes what I would call testing tools. SMTP testing, which is nice because you can set just about any set of options. You can test authentication, specific encryption settings, whether messages relay, and much more. It’s all the power of directly connecting to port 25 with telnet, but with checkboxes. You can perform SNMP walks and scans, including SNMPv3 support. A TCP terminal, which essentially allows you to telnet to any port, but with the added ability to choose the source port, is also included. Also, a TimeSync tool which is useful for checking NTP servers. How about this set of options for the enhanced ping tool:

More ping options than you know what to do with.

Packet Tools

There is a nice little collection of packet tools that let you generate arbitrary packets, send Wake on LAN packets, capture packets, and play back a capture. The capture app isn’t Wireshark, but it’s convenient and you can always save the capture and open it in Wireshark.

The options for the NetScanTools Pro packet generator

SSL Certificate Scanner

I like this one. Give it a list or range of IPs, and it’ll tell you about the SSL certs. This could be useful to scan a network and check for soon to be expired certificates, for example.
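The same expiry check can be scripted for your own hosts with nothing but the Python standard library. This is an added example and not part of NetScanTools or the post: the connection uses a verifying default TLS context (an untrusted or mismatched certificate is reported as an error rather than silently inspected), the date maths is done on the notAfter string that ssl.getpeercert() returns, and the target list below is a constructed placeholder.

```python
import socket
import ssl
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400


def expiry_seconds(not_after):
    """Convert the 'notAfter' string from ssl.getpeercert()
    (e.g. 'Mar 18 06:43:00 2024 GMT') to Unix epoch seconds."""
    return ssl.cert_time_to_seconds(not_after)


def days_until_expiry(not_after, now=None):
    """Whole days left before the certificate expires; negative once expired.
    'now' is epoch seconds and defaults to the current UTC time."""
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return int((expiry_seconds(not_after) - now) // SECONDS_PER_DAY)


def classify(not_after, warn_days=30, now=None):
    """'expired', 'expiring' (within warn_days) or 'ok'."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "expiring"
    return "ok"


def fetch_not_after(host, port=443, timeout=5.0):
    """Open a verified TLS session to host:port and return its notAfter string.
    create_default_context() validates the chain and the hostname, so a bad
    certificate raises ssl.SSLError instead of being reported as 'ok'."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def scan(targets, warn_days=30):
    """Check each (host, port); unreachable or failing hosts are recorded as
    'error' so one bad host does not abort the whole sweep."""
    results = []
    for host, port in targets:
        try:
            not_after = fetch_not_after(host, port)
            results.append((host, port, classify(not_after, warn_days), not_after))
        except (OSError, ssl.SSLError, KeyError) as exc:
            results.append((host, port, "error", str(exc)))
    return results


if __name__ == "__main__":
    # Constructed placeholder targets; replace with hosts you are responsible for.
    TARGETS = [("www.example.com", 443), ("mail.example.com", 465)]
    for host, port, status, detail in scan(TARGETS):
        print(f"{host}:{port:<5} {status:<9} {detail}")
```

Because classify() takes an explicit reference time, it can be unit-tested without any network access, while scan() does the live sweep the tool's GUI performs.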

Yep, my SSL cert is still valid

Graphical Traceroute

If you like mtr, you should also like the new Graphical Traceroute tool. Since a picture is worth 1000 words and since it is Graphical Traceroute, I think the best way to describe this tool is with a screenshot.

The new Graphical Traceroute tool is nifty.

Closing Thoughts

I’ve had this toolset for years. It’s not one I use every day, but it’s nice to have when I need it. It just has so many tools bundled into one place and most of them support IPv6. It has a free 30 day demo, so give it a shot and explore this toolset.

Disclosure

I use this software and have paid for this software, however, I did receive a nice discount on my last maintenance renewal when I planned to write a blog post about the software.

FIN

Making a Bootable ESXi USB Drive

The Quick and The Not So Quick

Today, I set out to do what I thought would be a simple and relatively quick task.

VMware USB Drive

As an aside, have you ever noticed that the “quick and easy” tasks seem to take the most time?

Anyway, I have an old Dell workstation with dual Intel Xeon E5520’s and 36GB of RAM that runs VMware. I use it for testing and labbing. It’s currently running VMware 5.1 and my evaluation has expired. For a long time… It’s always bugging me about that and I can’t switch it to the free ESXi because it has more than 32GB of RAM. That limitation was removed with VMware 5.5, so I’m finally getting around to upgrading this machine.

I really wanted to install off USB and skip the optical drive, so I grabbed a 1GB USB drive that VMware gave me years ago (conveniently already labelled “VMware”) and copied the files from the ISO to it.

Yeah, not good enough. So I formatted the USB and tried to write an MBR to it. On my Mac. Running Mavericks (OSX 10.9).

Did you know that Mavericks appears to have removed the MBR? This is the error I received from fdisk:

$ fdisk -e /dev/disk3
fdisk: could not open MBR file /usr/standalone/i386/boot0: No such file or directory
Enter 'help' for information

Well, that’s inconvenient. Then I went on to try UNetbootin, which normally has been reliable, but not this time. Still no booting.

Rebooting this machine repeatedly to see if this USB boots is starting to get annoying.

Enter Rufus

While Googling for what I was missing, I found Rufus. Rufus worked great the first time and I was able to do my upgrade and move on. The only drawback is it’s for Windows, but I ran it in a Windows VM and it was fine. Rufus is a single .exe file and when you run it you get this screen:

Rufus

Listen to this dude Rufus, he knows what he’s talking about.

Click the little disc icon near “Create a bootable disk using”, choose your VMware ISO image, and you’re off and running.

You might get a prompt regarding your “menu.c32” being out of date. Let it update it and then it will create your bootable USB.

Next time, I’ll start with Rufus!

FIN

Solarwinds, HTTPS, and FQDN

When you first configure a Solarwinds Orion-based server the default website it configures is on port 80 only. You might want to go into IIS and add server bindings for port 443. I prefer to ensure all traffic is encrypted and disable remote access to port 80, but that is subject to your local policy. Don’t disable port 80 completely because sometimes you need to access it from the server console.

Adding HTTPS Support

To add HTTPS support, open IIS Manager on your Solarwinds host, right click on the SolarWinds site and select Edit Bindings.

Edit Bindings

To add HTTPS support, right click on the SolarWinds site in IIS Manager and select Edit Bindings…

Now click the Add… button. Change the type dropdown to https, make sure your port changes to 443, and select the appropriate SSL certificate for your server. I usually use the certificate that the machine already has from Active Directory, but your needs may vary. SSL certificate details are outside the scope of this article. :)

Adding an https binding

Choose Add, select https from the type dropdown, and select the appropriate SSL certificate.

Click OK and you should now have https available.

I Like FQDN, I Cannot Lie

Something that bugs me about Solarwinds is that out of the box it only uses the hostname for the URL. This isn’t the hostname configured in IIS (which normally doesn’t matter, since most Solarwinds installations won’t be using virtual hosts) but it is the hostname used internally for notifications. If you add the URL to a notification, it’ll only include the hostname. Something like this:

From: [email protected]
To: [email protected]
Subject: router.example.com rebooted at 3/18/2014 6:43 AM

Lastboot: Tuesday, March 18, 2014 6:38 AM
Device:   Catalyst 37xx Stack
IOS:      15.0(1)SE3, RELEASE SOFTWARE (fc1)
Image:    C3750E-UNIVERSALK9-M
Acknowledge: http://solarwinds:80/Orion/Netperfmon/AckAlert.aspx

Note the URL at the end there with “solarwinds” as the hostname. Now, that might be acceptable if you are in your office. However, that can cause problems for VPN users and for people who it just plain bugs when they don’t see an FQDN. Fortunately, we can correct this URL problem pretty easily. This is also important if you want to use https, because it allows you to change the URL used in notifications to a secure one.

Change to FQDN

WARNING! Beware that you are editing the database live. You should know what you are doing here and be careful. If you break stuff, it’s not my fault. You have been warned.

To change this behavior you need to launch Database Manager and switch to the Websites table. To edit the fields, you’ll need to click Enable table editing. Now you can change the ServerName field to the FQDN. You also need to set the Port to “443” and SSLEnabled to “1” if you want the system to create proper https URLs. Here’s what mine looks like:

Solarwinds Database Manager

My opinion of a properly configured Solarwinds installation.


Enjoy your secure FQDN URLs in your notifications!

FIN

GNS3 1.0 CrowdFunding

I suspect everyone reading my blog uses GNS3. If you don’t, go check it out. From their website:

GNS3 is an open source software that simulates complex networks while being as close as possible to the way real networks perform. All of this without having dedicated network hardware such as routers and switches.

They are working towards 1.0 and are getting close. They are currently offering early access a year before the public release if you support the GNS3 1.0 Early Access CrowdFunding campaign.

Unlike products such as Juniper’s Junosphere and Cisco’s VIRL/CML, GNS3 is multi-vendor and multi-platform. This is key for learning and for validating real-world networks, since very few networks don’t have at least some mix of vendors.

Most of us use GNS3 and find it valuable for labbing, whether for certification study, validating configuration changes at the office, or just to test network behavior. It’s worthwhile to give these guys a few bucks to improve and enhance this free product that has been invaluable to the network community. I did and recommend you consider it, yourself.

FIN