I’m a huge fan of Bare Bones Software’s Yojimbo, an extremely useful tool for keeping information organised. It has been one of my most important applications since around 2008. I rely on Yojimbo as my ‘Anything Bucket‘ to save scraps of information, from code snippets and troubleshooting notes to project logs and research sources. A downside is that it’s only available for Apple Mac OS X and therefore was a factor in tying me to the Mac OS X platform.
When I started moving back to Linux for day-to-day development work, finding a Yojimbo replacement was a top priority. A colleague pointed me towards the GNOME project’s Tomboy application which runs on Linux, Unix, Windows, and Mac. Tomboy is a basic though perfectly usable cross-platform alternative but of course, I still needed to find a way of migrating my old Yojimbo notes.
Fortunately, Yojimbo has a sharing feature called Sidekick that exports your data to a set of web pages. Digging in to the Tomboy Note XML format showed me that Sidekick together with a bit of Python and some BeautifulSoup magic would provide a quick solution. I threw together pyYojimbo2Tomboy which I’m releasing under the The MIT License on GitHub in case anyone else needs it.
Keep in mind that Sidekick does not export the Yojimbo note metadata, like tags and modification times, but you can to migrate the title and note body over to Tomboy. Time permitting, I would like to find a way to save the extra metadata in a future version.
Though Bare Bones Software hasn’t released any updates and new features in a while, I still highly recommend Yojimbo for anyone on Mac OS X who needs an information organiser. It’s a little dated and doesn’t offer modern features you’d expect like an easy way to sync to the cloud and across devices. Personally, I find this one of Yojimbo’s strengths. An app in 2016 that doesn’t keep pestering you to push your information to some remote data centre with questionable privacy policies is somewhat refreshing.
Hopefully having a way to export data to a multi-platform open source alternative will reassure anyone worried about getting locked-in.
When mounting an encrypted disk in OS X for the first time, you’ll be presented with a dialog box that doesn’t allow you to paste in the password. This can be troublesome, especially if you’ve used a long, high-quality random password. Here’s how to get around having to manually enter your password into OS X’s password dialog box.
A. Get the logical volume UUID
First get the universally unique identifier (UUID) for the drive using diskutil. Open a terminal window and enter the following command:
$ diskutil corestorage list
Look for the Logical Volume for the disk. Ensure that you copy the Logical Volume UUID, not the Logical Volume Group or Logical Volume Family UUID.
B. Save a Keychain Access password item
Now we need to save a Keychain Access password item for the disk. Open Keychain Access and create a new password item:
Keychain Item Name: Name for your disk
Account Name: Name for your disk
Password: Password to unlock the disk
We’ll need to save more information into the item so once it has been created, search for it in Keychain Access and open.
Edit the password item to make sure it contains the details for your encrypted drive:
Name: Name for your disk
Kind: encrypted volume password
Account: Name for your disk
Where: UUID for the volume copied found using diskutil
Show password: checked
The important part for this step is to make sure you enter the UUID for the volume in the Where field.
Save the password item and OS X will no longer ask you to enter a password when you mount your drive.
This is a guide for setting up an Apple Mac OS X workstation with SSH key-based authentication to a remote FreeBSD server. I won’t go into any detail about these protocols or try to make a case for using them. If you’re reading this, you probably already have a basic grounding on SSH, SFTP and the implications of SSH key-based authentication. My goal is to outline the steps needed so you can start using key-based authentication on your Mac.
I. Intended audience
The instructions here are aimed at Mac OS X based web developers with at least a moderate level of systems administration knowledge. Most likely you host websites for your clients or employer on *nix servers controlled through a command line interface. You generally work on multiple servers per project. Repeatedly entering secure long random passwords is becoming a hassle. If this sounds familiar, this guide is for you.
I’m on a Mac OS X workstation, currently Yosemite, using the Mac Terminal App to connect via SSH and Panic’s Transmit FTP client to transfer files. The server instructions here are for FreeBSD but you should still find the information useful if you run a Linux-based web server. I expect that you’re familiar with your own environment and have a preferred way of doing things so won’t list every command needed.
The prerequisites for this guide are that you:
already have your server set up to SSH and SFTP with password authentication;
have an account on the server that you use for day-to-day web development;
also have root access to the server.
II. Setting up your Mac workstation and server for SSH Key-Based Authentication
We’ll need to do two main things to get everything working:
Set up your server to accept the key files instead of a password.
Configure your Mac OS X workstation to use SSH key files.
We’ll be moving back-and-forth between the them so for clarity, open up two terminal windows: one will be used for configuring the server, which I’ll refer to as your server terminal and another for configuring your Mac workstation, which I’ll call the Mac terminal.
A. Configure the server
First make sure your server is configured to accept key-based authentication. On the server terminal, open a secure shell to the server as you normally would. Edit the configuration file for your OpenSSH Daemon at /etc/ssh/sshd_config.
Look for the following lines and uncomment or add them:
You may need to return to this file later but for now, save it and restart sshd. On FreeBSD, it’s the command:
# /etc/rc.d/sshd reload
B. Generate the key files on your Mac
Now you need to generate your private and public SSH key files. The private key file will remain on your Mac and you’ll place a copy of the public key file on the server. To generate the key files, switch to your Mac terminal and run:
$ ssh-keygen -t rsa
The -t flag specifies that you’re creating an RSA key.
You’ll be asked to enter a file name for the key. The default for key files on Mac OS X is /Users/username/.ssh/id_rsa.pub. While you can simply select the default, it might be a good idea to create a key file specifically for each project. That way, if your Mac workstation is ever compromised, you minimise the risk of access to servers used for past projects where your account has been inadvertently left active.
ssh-keygen will also ask if you want to set a password for the key. If you set a password, you’ll have to enter it every time you try to authenticate with the key file. 1
The result should be two new key files in your .ssh directory:
The public key: /Users/username/.ssh/yourkeyfile_rsa.pub
The private key: /Users/username/.ssh/yourkeyfile_rsa
If you use a service like GitHub you may also see your GitHub key files already in that directory.
C. Copy the public key to the server
Transfer your public key to the .ssh directory of the server account you use to do your day-to-day web development. There are two ways to do this on a standard-install Mac OS X workstation. You can follow these steps:
Go to the server terminal and cd into the account’s home directory.
Create a .ssh directory (~/.ssh/).
Switch back to the Mac’s terminal and copy the public key text using the command:
$ pbcopy < ~/.ssh/yourkeyfile_rsa.pub
Move back to the server terminal and create an authorized_keys file within the .ssh directory.
Paste the public key text into your authorized_keys file. (Remember that the pbpaste command won’t work on a non-Mac operating system.)
Alternatively, you can run the following command on your Mac’s terminal:
However it’s done, you should end up with a file ~/.ssh/authorized_keys for the developer account on the server.
It’s worth making this clear so there’s no confusion: you are giving the public key, yourkeyfile_rsa.pub, to the developer account that you’d previously been using to connect using a password. You should not be giving it to the root account. Make sure you put the authorized_keys file in the developer account’s home folder. Also make sure you don’t accidentally copy and paste the private key, yourkeyfile_rsa.
D. Test authentication to the remote server over SSH
Make sure everything worked by checking if you can connect to the server without having to supply a password. Log out of your existing connection on the server terminal and try connecting again:
The -i flag should be the path to the private key file we generated in step B. Also, if you set a key password, you will be asked to supply it before you can access the key.
You should see your server motd and terminal prompt after pressing enter.
E. Optional: disable password authentication
Since you’ve gone to the trouble of setting up SSH key-based authentication, you may want to disable password authentication after you’ve successfully testing the connection. Uncomment or add the following lines in /etc/ssh/sshd_config:
Finally, restart sshd:
# /etc/rc.d/sshd reload
Make absolutely sure that everything works before disabling password authentication, otherwise you may find yourself without any way to remotely connect to your server.2 Unscheduled trips to the data centre are no fun. (Can you tell I’m writing from experience?)
F. Optional: use a ssh config file
An option to save yourself some typing is to put the server and key details into an ssh config file. On your Mac terminal, create a config file at /Users/username/.ssh/config with the following:
This will let you login just by typing:
III. Setting up the Transmit FTP client for SSH Key-Based Authentication
After configuring SSH key-based authentication on your server, the SFTP service will start rejecting your login attempts unless you supply your key. Setting up Panic’s Transmit FTP client with key-based authentication is simple but it can be a little buggy.
In Transmit, delete your old connection details and add new connection settings 3
Leave the password blank
From the menu, select Favourites > Import SSH Key File
Or click the key picker, which is the key icon to the right of the password box
Import your private key file yourkeyfile_rsa
Connect with these new settings and the SFTP server will grant you access.
If you try this process with a password-encrypted key, Transmit will give you the error: “The file is not in a supported format.” This is a bug and you’ll have to apply a workaround. Panic’s customer support sent me the following instructions:
If the private key is passphrase encrypted (as yours is), or if it lives in a directory other than ~/.ssh/, there are a few extra steps needed to get up and running.
Instead of using the key picker, edit your ~/.ssh/config file and add the following:
Then set the site’s Password field to your key’s passphrase and try connecting.
Alternatively, you can try this method:
First, add the keyfile and password to your keychain:
ssh-add -K path/to/.ssh/yourkeyfile_rsa
Now add the connection details to Transmit but do not enter the password or set a key file.
Transmit will connect using the credentials in you keychain
In addition to being able to conveniently log in to your various servers, you will now also be able to use Transmit for your regular web development file transfers.
It’s tempting to think that setting a password for your key negates the whole point of this exercise. After all, if you have to enter a password to authenticate with the key file, you might as well keep the existing model of password authentication to the server, right? Not quite and here’s why: the ssh key is a cryptographically secure way of authenticating to your server and is exactly what you want for something accessible to the open internet. While manually typing in the key itself every time you want to open a connection isn’t practical, SSH key-based authentication handles key exchange automatically.
The key password protects against a different threat. It prevents unauthorised use of the key itself. This has a lower threat profile because it’s stored on your own private workstation. It therefore can be something that’s easier to remember and type.
Remember to backup your keys and store the backups in a secure location. If you lose your keys and have also disabled password authentication, you won’t be able to access the server without physical access or help from your hosting technical support.
I’ve found that editing a saved connection sometimes doesn’t work. This might be a bug in Transmit. Deleting the old connection and creating a new one seems to always work.