First I check for the user and create it if it doesn’t exist

#!bash
user_exists=`dscl . -read /Users/remote GeneratedUID | grep -c GeneratedUID`
if [ $user_exists -ne 1 ]; then
    echo "creating remote user"
    sudo dscl . -create /Users/remote
    dscl . -create /Users/remote UserShell /bin/bash
    sudo dscl . -create /Users/remote RealName "remote"
    dscl . -create /Users/remote UniqueID 509
    dscl . -create /Users/remote PrimaryGroupID 1000
    dscl . -create /Users/remote NFSHomeDirectory /Local/Users/remote
    dscl . -passwd /Users/remote remote
fi

because these are fully managed machines, I know what UIDs are available. (For a method that checks for available UID I’ve posted a script from Andrew Mortensen below)

The next part of the script will check if the user is logged in as “remote” and on campus using a regular expression (our two subnets are 10.5.5.X and 10.6.6.X). You could also check a router, DHCP server, or internal DNS as other approaches. If they are on campus I use a display utility called BigHonkingText to throw up a message and then kill the loginwindow.

#!bash
user="$1"

if [ "$user" == "remote" ]; then
    IP=`ifconfig | grep "inet " | grep -v 127.0.0.1 | awk 'NR>1{exit};{ print $2 }'`
    echo $IP
    if [[ "$IP" =~ 10.[5,6].[5,6].[0-9]* ]]; then
        echo "on campus"
    /usr/local/bin/BigHonkingText "account not allowed on campus"
    killall loginwindow
        # reboot
    fi
fi

Here is the script from Andrew Mortensen:

#!bash
#! /bin/sh

# create a template user

export PATH=/bin:/usr/bin:/sbin:/usr/sbin

# arbitrary uid
N_UID=501

# arbitrary gid
N_GID=501

# user name
N_USERNAME="$1"

# home
N_HOME="/var/${N_USERNAME}"

# system default user home template
SYSHOMETEMPLATE="/System/Library/User Template/English.lproj"

# make sure the uid and gid are available
while [ true ]; do
    user="`dscl . -search /users UniqueID ${N_UID} 2>/dev/null`"

    if [ -z "${user}" ]; then
    break
    fi

    N_UID=$((${N_UID} + 1));
done

while [ true ]; do
    group=`dscl . -search /groups PrimaryGroupID ${N_GID} 2>/dev/null`

    if [ -z "${group}" ]; then
    break
    fi

    N_GID=$((${N_GID} + 1));
done

# create user
dscl . <<EOF
create "/users/${N_USERNAME}"
create "/users/${N_USERNAME}" AppleMetaNodeLocation /Local/Default
create "/users/${N_USERNAME}" GeneratedUID `uuidgen`
create "/users/${N_USERNAME}" UniqueID ${N_UID}
create "/users/${N_USERNAME}" PrimaryGroupID ${N_GID}
create "/users/${N_USERNAME}" Password "*"
create "/users/${N_USERNAME}" RecordName ${N_USERNAME}
create "/users/${N_USERNAME}" RecordType dsRecTypeNative:users
create "/users/${N_USERNAME}" NFSHomeDirectory ${N_HOME}
create "/users/${N_USERNAME}" RealName "Template User"
create "/users/${N_USERNAME}" UserShell /bin/bash
EOF
if [ $? -ne 0 ]; then
    logger -is Creation of ${N_USERNAME} failed.

    # destroy account
    dscl . -delete "/users/${N_USERNAME}" 2>/dev/null
    exit 2
fi

# create group
dscl . <<EOF
create "/groups/${N_USERNAME}"
create "/groups/${N_USERNAME}" AppleMetaNodeLocation /Local/Default
create "/groups/${N_USERNAME}" GeneratedUID `uuidgen`
create "/groups/${N_USERNAME}" PrimaryGroupID ${N_GID}
create "/groups/${N_USERNAME}" RecordName ${N_USERNAME}
create "/groups/${N_USERNAME}" RecordType dsRecTypeNative:groups
create "/groups/${N_USERNAME}" Password "*"
create "/groups/${N_USERNAME}" GroupMembership ${N_USERNAME}
EOF
if [ $? -ne 0 ]; then
    logger -is Creation of ${N_USERNAME} failed.

    # destroy account
    dscl . -delete "/users/${N_USERNAME}" 2>/dev/null
    dscl . -delete "/groups/${N_USERNAME}" 2>/dev/null
    exit 2
fi

# make home directory
mkdir -m 0700 -p ${N_HOME}
ditto --rsrc "${SYSHOMETEMPLATE}" "${N_HOME}"

if [ $? -ne 0 ]; then
    logger -is Creation of ${N_USERNAME} failed.

    # destroy account
    dscl . -delete "/users/${N_USERNAME}" 2>/dev/null
    dscl . -delete "/groups/${N_USERNAME}" 2>/dev/null
    exit 2
fi

chown -R ${N_USERNAME}:${N_USERNAME} ${N_HOME}

logger -i Creation of template user ${N_USERNAME} succeeded.

exit 0

So OE-Cake now has a beta for windows – but not OS X.

We still have the binary from their old version that expired some time ago – we were launching it with ARD with the below trick, but now I’ve moved it into a read-only applescript application that the students can launch themselves:

try
    do shell script "sudo date 1103100008" user name "admin" password "*****" with administrator privileges
end try

do shell script "open /Applications/OE-CAKE\\!.app"
delay 10
do shell script "launchctl stop org.ntp.ntpd" user name "admin" password "*****" with administrator privileges
do shell script "launchctl start org.ntp.ntpd" user name "admin" password "*****" with administrator privileges

First off we have a student web proxy that works based on a whitelist concept. So we have to allow any web traffic explicitly. With the help of little snitch and one incomplete help page from google, here is what I’ve added to our global whitelist and seems to be allowing all the features:

• kh.google.com
• www.keyhole.com
• mw2.google.com
• earth.google.com
• auth.keyhole.com
• maps.google.com
• khmdb.google.com

It also want access to www.google.com – but we don’t allow students to full google access – but Google Earth still seems to run fine.

The next annoyance was Google’s softwareupdate which wants to run for all users and update Google Earth on launch.

Adding the following to our loginhook fixed that:

mkdir -P $nethomedir/Library/Google/
touch $nethomedir/Library/Google/GoogleSoftwareUpdate
chown root $nethomedir/Library/Google/GoogleSoftwareUpdate
chmod 644 $nethomedir/Library/Google/GoogleSoftwareUpdate

the $nethomedir var is fetched from dscl earlier in the script

Students need to have stored the proxy password in their keychain – but most have already done that when visiting a web page earlier. They then just need to allow Google Earth to access their keychain.

First for me their was the discovery of cntl-a which jumps one back to the beginning of a line, but just as often I wanted to delete a long path as an opt to a long command.

The first thing is to set your default Editor in your environment variables. I use TextMate – but you could use textwrangler, VI, Emacs.

add a line like this to your ~/.bash_profile

export EDITOR=”mate -w”

then close your terminal session or “source ~/.bash_profile”

Now when you are in the middle of typing a long command, or after hitting the up arrow, press cntl-x and hold it, then hit “e”

boom – your current command opens up in your editor, you can use all the features of that editor, and when you save and close that file – the command will be executed back in your shell.

Since I’ve integrated this tip into my workflow – I find I use it all the time.

Only downside is GUI editors won’t work for SSH since you are in the remote hosts env – there is probably a tricky way to reverse-ssh the editor command back to you, but I haven’t explored that.