Remote Management
Power Manager supports remote management over the network. Remote management allows users on distant computers to monitor and alter Power Manager. This ability is particularly useful for system administrators and for those managing computers that are difficult to physically reach.
Remote management can be enabled and disabled using the Power Manager System Preference pane. The Allow remote management checkbox controls the default connection settings.
Procedure 1.6. Enabling Remote Management using the System Preferences
- Launch the System Preferences and navigate to the Power Manager pane.
- Enable (check) the Allow remote management checkbox.
Procedure 1.7. Disabling Remote Management using the System Preferences
- Launch the System Preferences and navigate to the Power Manager pane.
- Disable (uncheck) the Allow remote management checkbox.
Customising Remote Management
By default, the user interface sets up a single network socket listening on all interfaces on a system-provided port. The default network socket is advertised via Bonjour.
The default socket's unique identifier is uk.co.dssw.powermanager.systempreference.remote-management. You should avoid altering sockets whose name begins with uk.co.dssw.powermanager. This namespace is reserved for use by Power Manager's graphical and command line tools.
Power Manager can be set up to listen to more than one network socket.
You can add additional sockets for remote management using the command line pmctl tool, or with an AppleScript script.
To create a remote management socket with a fixed port number (1234) listening on all network interfaces, see Example 1.13, “Creating a fixed port socket”.
Example 1.13. Creating a fixed port socket
bash% cd '/Library/Application Support/Power Manager/Tools'
bash% ./pmctl listen.applysocket 'unique ID=Fixed' 'port=1234'
Remote management is provided by the Listen API object. The Listen object provides an interface for creating (listen.applysocket), listing (listen.sockets), and removing (listen.removesocket) network sockets.
The listen.applysocket command accepts a range of parameters. The parameters are all optional. Power Manager will choose a suitable default for each missing parameter.
The command above creates a listening socket on port 1234 with the unique identifier 1234.
To check the socket has been created and is listening, issue the commands in Example 1.14, “Listing the fixed port socket details”.
Example 1.14. Listing the fixed port socket details
bash% ./pmctl listen.sockets
[{"port"=>1234.000000,"protocol family"=>"IPv4","state"=>"listening","unique ID"=>"Fixed","URLs"=>["pm://Mac-Pro.local:1234"]}]
The command's response lists every listening socket, along with information such as the name, port number, and URL.
You can immediately start using your new socket.
To remove a remote management socket, issue the commands in Example 1.15, “Remove the fixed port socket”.
The listen.removesocket command removes the socket with the provided unique identifier.
Procedure 1.8. Creating a new remote management socket using pmctl
- Issue the command:
bash% ./pmctl listen.applysocket port=1234 'protocol family=IPv6'
This command creates a new Internet Protocol version 6 (IPv6) remote management socket listening on all network interfaces on port 1234.
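An added example, not part of the original documentation: a shell function that reads the output of pmctl listen.sockets and labels each socket as reserved (an identifier in Power Manager's own namespace) or custom, which is useful when reviewing what has been opened for remote management. Only the first sample record appears on this page; the second record and the comma-separated layout for several records are assumptions.

```shell
#!/bin/sh
# Namespace reserved for Power Manager's own tools (stated on this page).
RESERVED_PREFIX='uk.co.dssw.powermanager'

# First record is the listing shown in Example 1.14. The second record and
# the comma-separated multi-record layout are constructed for illustration.
SAMPLE_LISTING='[{"port"=>1234.000000,"protocol family"=>"IPv4","state"=>"listening","unique ID"=>"Fixed","URLs"=>["pm://Mac-Pro.local:1234"]},{"port"=>49200.000000,"protocol family"=>"IPv4","state"=>"listening","unique ID"=>"uk.co.dssw.powermanager.systempreference.remote-management","URLs"=>["pm://Mac-Pro.local:49200"]}]'

# str_field RECORD KEY: print the quoted string value stored under KEY.
str_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\"=>\"\([^\"]*\)\".*/\1/p"
}

# audit_sockets: read a listing on stdin and print one tab-separated line
# per socket: kind (reserved|custom), unique ID, protocol family, port.
audit_sockets() {
    { tr -d '\n'; echo; } |
    sed 's/},{/}\
{/g' |
    while IFS= read -r rec; do
        id=$(str_field "$rec" 'unique ID')
        fam=$(str_field "$rec" 'protocol family')
        # Ports are printed as floats (1234.000000); keep the integer part.
        port=$(printf '%s\n' "$rec" | sed -n 's/.*"port"=>\([0-9]*\).*/\1/p')
        [ -n "$id" ] || continue
        case $id in
            "$RESERVED_PREFIX"*) kind=reserved ;;
            *) kind=custom ;;
        esac
        printf '%s\t%s\t%s\t%s\n' "$kind" "$id" "$fam" "$port"
    done
}

printf '%s\n' "$SAMPLE_LISTING" | audit_sockets
```

On a managed Mac, pipe the real listing in place of the sample: ./pmctl listen.sockets | audit_sockets.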
How Remote Management is Secured
Remote management connections are secure. All connections are encrypted using SSL/TLS industry standard encryption. Authentication and authorisation are provided by Pluggable Authentication Modules (PAM), in addition to a secondary group membership check within Power Manager.
Pluggable Authentication Modules (PAM) Support
Power Manager's PAM configuration is controlled by the PAM configuration file /etc/pam.d/uk.co.dssw.powermanager.
You may alter the PAM configuration file to match your needs. We generally advise against making alterations. The default configuration will be ideal for the great majority of environments, and should be left untouched.
If you are familiar with PAM configuration files, and wish to use alternative modules or configuration settings, this is possible. Changes to the PAM configuration take effect immediately for new remote management connections.
Apple changed to OpenPAM for Mac OS X 10.6, aka Snow Leopard. Previously Linux-PAM had been used. This change in PAM implementation means Power Manager's PAM configuration file is different depending on your edition of Mac OS X.
OpenPAM Configuration
Power Manager's OpenPAM configuration file restricts remote management to users who are members of either group admin or group wheel.
OpenPAM was introduced to Mac OS X 10.6, aka Snow Leopard.
Figure 1.1. uk.co.dssw.powermanager.openpam:1
# Power Manager remote management configuration for OpenPAM
auth       required       pam_opendirectory.so
account    required       pam_permit.so
account    required       pam_group.so no_warn group=admin,wheel fail_safe
password   required       pam_deny.so
session    required       pam_permit.so
# Restrict remote management to members of group admin and wheel.
# DssW Power Manager / http://www.dssw.co.uk/powermanager/
Linux-PAM Configuration
Power Manager's Linux-PAM configuration file restricts remote management to any valid user.
Linux-PAM is used on Mac OS X 10.4, aka Tiger, and Mac OS X 10.5, aka Leopard.
Figure 1.2. uk.co.dssw.powermanager.pam:1
# Power Manager remote management configuration for Linux-PAM
auth       sufficient     pam_securityserver.so
auth       sufficient     pam_unix.so
auth       required       pam_deny.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
# Restrict remote management to known users (including non-admin users)
# Power Manager implements an additional check for specific group membership.
# DssW Power Manager / http://www.dssw.co.uk/powermanager/
Authorised Group Check
Apple's change in PAM implementation prompted us to include a second layer of authorisation checks. Mac OS X 10.6's OpenPAM includes a module capable of checking the user's group memberships, but Linux-PAM did not include this capability.
Once PAM has authenticated and authorised the remote user according to the PAM configuration file, Power Manager confirms the user is a member of at least one authorised group.
Power Manager will deny access to remote users, unless they are a member of either the wheel group or the admin group.
You can alter the groups Power Manager checks against using the defaults tool. See Example 1.16, “Authorising two groups for remote management”.
Table 1.4. Available Defaults
| Key | Purpose | Type | Default |
|---|---|---|---|
| remotemanagement.groups | Restrict remote management access to users of these groups. | array | wheel, admin |
Example 1.16. Authorising two groups for remote management
bash% defaults write /Library/Preferences/uk.co.dssw.powermanager remotemanagement.groups -array admin wheel
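An added example, not part of the original documentation: a review script for an altered PAM service file that reports whether the group restriction is enforced by PAM itself (as in Figure 1.1) or only by Power Manager's remotemanagement.groups check (as in Figure 1.2), and that rejects an auth stack using pam_permit.so, which succeeds without checking any credential. The function names are hypothetical; the sample rules are copied from the two figures.

```shell
#!/bin/sh
# Sample rules copied from Figures 1.1 and 1.2 on this page (comments omitted).
OPENPAM_SAMPLE='auth       required   pam_opendirectory.so
account    required   pam_permit.so
account    required   pam_group.so no_warn group=admin,wheel fail_safe
password   required   pam_deny.so
session    required   pam_permit.so'
LINUXPAM_SAMPLE='auth       sufficient pam_securityserver.so
auth       sufficient pam_unix.so
auth       required   pam_deny.so
account    required   pam_permit.so
password   required   pam_deny.so
session    required   pam_permit.so'

# pam_groups: read a PAM service file on stdin and print the group list of
# any required/requisite pam_group.so rule in the account stack (if any).
pam_groups() {
    awk '$1 == "account" && ($2 == "required" || $2 == "requisite") &&
         $3 ~ /pam_group\.so$/ {
             for (i = 4; i <= NF; i++)
                 if ($i ~ /^group=/) print substr($i, 7)
         }'
}

# auth_accepts_anyone: exit 0 if the auth stack uses pam_permit.so, which
# returns success without checking any credential.
auth_accepts_anyone() {
    awk '$1 == "auth" && $3 ~ /pam_permit\.so$/ { found = 1 }
         END { exit found ? 0 : 1 }'
}

# review: read a service file on stdin and report where the group
# restriction is enforced; return 1 if authentication is bypassed.
review() {
    cfg=$(cat)
    if printf '%s\n' "$cfg" | auth_accepts_anyone; then
        echo "FAIL auth stack contains pam_permit.so"
        return 1
    fi
    gate=$(printf '%s\n' "$cfg" | pam_groups)
    if [ -n "$gate" ]; then
        echo "OK group check in PAM: $gate"
    else
        echo "NOTE no PAM group rule; access depends on remotemanagement.groups"
    fi
}

printf '%s\n' "$OPENPAM_SAMPLE" | review
printf '%s\n' "$LINUXPAM_SAMPLE" | review
```

To check the installed file, run review < /etc/pam.d/uk.co.dssw.powermanager.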