apache is memory and resource heavy - would be great to replace with nginx.

we could also maybe build in lets encrypt? (wishful thinking)

For example, .technology TLDs are not accepted. I see that there is an email validation filter in php that would work for this case:

filter_var($email, FILTER_VALIDATE_EMAIL)

but it won't recognize the default case of root@localhost.

need to look into having our scripts check permissions on .ssh folders etc better.

This is not a bug - just feedback how I use BlueSky.

Since I add the admin-Mac's id_rsa.pub to the clients authorized_keys via Munky, I do not want that dialog to appear before ScreenSharing opens:

so I added a repeat loop, that checks if the vnc port is already available via nc - and then proceed without dialog

on screen_share(blueSkyID, sshPort, vncPort, serverAddr, userName)
	set vncCheck to do shell script "ps -ax | grep ssh | grep " & vncPort & " | grep -v grep;exit 0"
	if vncCheck is "" then
		tell application "Terminal"
			activate
			do script "ssh-keygen -R \\[localhost\\]:" & sshPort & "; ssh -t -o \"ProxyCommand ssh -p 3122 -i ~/.ssh/bluesky_admin admin@" & serverAddr & " /bin/nc %h %p\" -o \"LocalForward " & vncPort & " localhost:5900\" -o \"StrictHostKeyChecking=no\" -p " & sshPort & " " & userName & "@localhost"
			set current settings of selected tab of window 1 to settings set "Bluesky"
		end tell
		repeat 20 times
			do shell script "sleep 1"
			try
				set vncCheck2 to do shell script "nc -zv 127.0.0.1 " & vncPort & " 2>&1 | grep refused"
			on error
				exit repeat
			end try
		end repeat
	end if
	do shell script "open vnc://" & userName & "@localhost:" & vncPort
end screen_share

(I have a Terminal.app Preset called "Bluesky" to quickly identify all open tunnels beside my other terminal windows)
(ssh-keygen -R \[localhost\]:" & sshPort & "; is just there, because I am transitioning to new blueSkyID's .. see below)

And then I have 2 instances of BlueSky - my own & one at a customer.
So I changed the URL bluesky://com.solarwindsmsp.bluesky.admin to bluesky://INSTANCE-NAME.admin
That enables to set the server name based on the site I use
The blueSkyID + 1500 enables to have different VNC passwords stored in keachain

	--set_server()
	if this_URL begins with "bluesky://INSTANCE-NAME.admin" then
		set serverAddr to "<First Server's DNS>"
		set blueSkyID to blueSkyID + 1500
	else
		set serverAddr to "<Second Server's DNS>"
	end if

Thx - BlueSky is a gret project!!
Maybe these ideas fit for someone else too

To reproduce:

1. Login as the admin user.
2. Navigate to the Admin Area > Utilities > Admin Settings
3. Change the sender email.
4. Logout and try logging in again.

This is what appears in the apache error.log:

PHP Fatal error: Uncaught Error: Call to undefined function simplexml_load_string() in /usr/local/bin/BlueSky/Server/html/admin/pageHome.php:116\nStack trace:\n#0 {main}\n thrown in /usr/local/bin/BlueSky/Server/html/admin/pageHome.php on line 116

Early tests show a good tunnel established on Mojave beta 7

emailHelper always fetches the "To:" address from global. Processor looks up the individual notification email address from each computer record (because it used to do the email in 1.5) but doesn't pass it on to the emailHelper.

i have been testing a build in which the above lines have -o ConnectTimeout=10 added to the command. this should allow for the processor to exit out quicker than it does right now. i had been noticing that the number of processes running on my bluesky server is very high because it is trying to check dead connections. any thoughts on this? dont want to submit a PR until it is discussed.

Line 162 has:

cp /var/bluesky/com.solarwindsmsp.bluesky.plist /Library/LaunchDaemons/com.solarwindsmsp.bluesky.helper.plist

Should the cp not have com.solarwindsmsp.bluesky.helper.plist ?

Installing the agent on a virgin install that doesn't have SSH enabled, helper.sh is trying to use systemsetup to enable ssh but Apple has nerfed it:

root@users-Mac ~ # systemsetup -setremotelogin on
setremotelogin: Turning Remote Login on or off requires Full Disk Access privileges.

🖕 🍎

Sooooo a couple ways to address that I can think of:

1. Do it the Apple way and change nothing, hope that there's some manual config to enable SSH and/or MDM has given systemsetup FDA rights. Since this kinda the only way to get ScreenSharing enabled, it wouldn't be unheard but it would be nice to at least get SSH always.

2. Add a provision to helper.sh around line 129 that if we're running on 10.15, try this instead:
   /bin/launchctl load -w /System/Library/LaunchDaemons/ssh.plist
   Still seems to work.

I'd vote option 2 as something is better than nothing and it's a pretty easy workaround to code. I wanted to take public temperature before take the time to send up a PR if anyone can think of a better route.

Im not familiar with appgini - although i suppose i could take a look... was wondering if we could set a timezone to use for the display of dates within the dashboard. currently last check in date etc is in UTC.

On line 34, the end quote of the echo'd warning is a funky double quote, causing an unexpected EOF while looking for matching `"'

admin-wrapper.sh is reading /var/log/auth.log to collect info for recording admin activity in the connections mySQL table. There is a column to capture which key is being used (i.e. which admin is doing the connecting) but first we need to use the SHA2 fingerprint from auth.log to lookup which key from /home/admin/.ssh/authorized_keys is being used, and then put the key comment (which is the description made by the user via Admin Setup) in the column.

When I am notified of a machine coming back online - I get a link like this is the email. It doesnt work :/

https://bluesky.XXXXXXX.com/blu=144

link domain sanitized.

For the purposes of diagnostics and 3rd party integrations:

Storing the agent's current version number on disk would be useful.

Perhaps in key within /var/bluesky/settings.plist

client-config.sh needs to be updated to look like this:

create server.plist

    hostKey=`ssh-keyscan -p 3122 -t ed25519 localhost | awk '{ print $2,$3 }'`
    hostKeyRSA=`ssh-keyscan -p 3122 -t rsa localhost | awk '{ print $2,$3 }'`

There's additional whitespace and possibly a carriage return/newline in

do shell script "echo 'Host " & serverAddr & " UseKeychain yes' >> ~/.ssh/config"

that renders ~/.ssh/config file unusable, causing ensuing ssh (outgoing) connections to fail.
The resulting config file shows the following which should of course all be on one line:

Host XX.ip.address
   Use Keychain yes

The problem might only occur if said file already has an entry.

Consider this an enhancement request…

In reading the man page for ssh-copy-id, I found this tidbit:

N.B. the modern approach is to use the -W option, rather than nc

I don't know if this has any other benefits (or drawbacks), but it does eliminate a dependency on nc.

To implement this, the connect.applescript would need to replace all instances of /bin/nc %h %p with -W %h:%p.
admin-wrapper.sh also references /bin/nc, but I'm less sure how best to change that. Maybe that testCmd could be eliminated altogether.

Just something to think about.

Line 188 currently has:

cp /usr/local/bin/sendmail-whois-lines.conf /etc/fail2ban/action.d/sendEmail-whois-lines.conf

The "sendmail-whois-lines.conf" should be "sendEmail-whois-lines.conf"

If you don't change that value, you will get this error in the script output:

cp: cannot stat '/usr/local/bin/sendmail-whois-lines.conf': No such file or directory

could you elaborate on the function of the file at:
/usr/local/bin/BlueSky/Server/defaultLogin.txt

it is referenced in code yet not in docs or normal setup. thx!

One some 10.13 clients it seems the tunnel is established from the client to the server, but the server fails the PKI stage when trying to get back through the tunnel to the client. Some theories are that this affects fresh installed 10.13 clients (non-upgrades) and perhaps Apple has added some level of security to not allow this hidden bluesky user that has no password to only auth via PKI.

Hard to track down.

Not sure how to do PR's to wiki pages :) the getting started page has 2 typos:

https://github.com/logicnow/BlueSky/wiki/Getting-Started

The 2 paths that reference the /usr/local/Bluesky/Server directory do not have "Server" with the initial cap.

• run BlueSky server-config sudo /usr/local/bin/BlueSky/server/server-config.sh
• run BlueSky server-config sudo /usr/local/bin/BlueSky/Server/server-config.sh

Also, you may want to configure /usr/local/bin/BlueSky/server/emailHelper.sh with your preferred SMTP setup so that the server can email you notifications, alerts, and Fail2ban alerts.
Also, you may want to configure /usr/local/bin/BlueSky/Server/emailHelper.sh with your preferred SMTP setup so that the server can email you notifications, alerts, and Fail2ban alerts.

VMWare sometimes creates some odd serials with slashes and pluses in it. We should account for that when we pass data from the client to the server etc.

Since Ubuntu 18.04 uses PHP 7.2, php-crypt has been removed. See:

http://php.net/manual/en/intro.mcrypt.php

dont seem to be working for me anymore :/

BlueSky 2.0 changed the SSH keys from rsa to ecdsa-sha2-nistp256. This means that only 10.11 and higher can run it.
10.6 - 10.10 will error on reKey sequence when trying to generate keys and do so every time launchd fires it.
The additional enforcement of certain ciphers and MACs may also break compatibility with OS X's earlier OpenSSH builds. Need to evaluate the security implications of bringing back rsa on older versions.

I'm running the docker build and if I pass in an SSL cert/key for Apache (SSL_CERT/SSL_KEY), then the certs needed for Bluesky admin and client are not created.

The problem occurs in client-config.sh lines 40–52:

if [ "$(find /certs -maxdepth 1 -type f -not -path '*/\.*')" ]; then
	# fixup files
	echo "Putting the provided ssh keys in place..."
	ln -fs /certs/blueskyclient.key /usr/local/bin/BlueSky/Server/
	ln -fs /certs/blueskyclient.pub /usr/local/bin/BlueSky/Client/
	ln -fs /certs/blueskyadmin.key /usr/local/bin/BlueSky/Server/
	ln -fs /certs/blueskyadmin.pub /usr/local/bin/BlueSky/Admin\ Tools/
	ln -fs /certs/blueskyd.pub /usr/local/bin/BlueSky/Server/
	ln -fs /certs/blueskyd /usr/local/bin/BlueSky/Server/
else
	echo "fresh docker container - lets rebuild keys..."
	IN_DOCKER_FRESH=true
fi

Basically, any file in the certs directory satisfies this find, so IN_DOCKER_FRESH is never set to true.

One possible solution would be to add -name 'bluesky*' to that find, but that doesn't take into account that my apache cert might be named "bluesky_ssl.pem". Another would be to add variables to explicitly specify the existing bluesky keys. Or maybe there's another, better solution.