Weird keychain related problems

[My ramblings. I was soooo pissed off at Apple for these obscure problems, and the total lack of error messages]

For a while I had problems related to password prompts, for example MS RDP which would no longer store any passwords. I blamed MS RDP at first, but it seems that was just a tip of the iceberg. It became worse after changing the password for my iCloud account. I needed to use various passwords on the lock, login and other prompts.

No remedy worked, like disabling and enabling all of iCloud or only keychain related settings on all the devices in the account. Nor would changing the password help.

In the end I concluded the problem must be in the keychain and I reset my keychain. Scary, right? Because all the passwords are in there. Apple Keychain Access however makes a backup. You can find it in:

ls -lotra ~/Library/Keychains/login*.keychain-db

This is useful to know because you can safely reset your keychain and then re-add the old keychain file again, by using open.

open ~/Library/Keychains/login-backup-2.keychain-db

Or… [drum roll] recover the file from a time machine backup without replacing the current version!

Probably it would have been possible to reset the password on the keychain somehow (although I think that option was greyed out), but this gave me a workable solution. Once it is available in Keychain Access, you can drag all or some passwords across to the login keychain. Or use the file as is, because any keychain request searches through all the available keychains.

My MS RDP passwords work again, and it looks like the passwords are being saved there again as well.

Recursive ssh config files and bash hostname completion

I use ssh a lot, so hostname completion in bash is a must. Lately I’ve introduced Include statements in the ssh configuration files. Below the adapted bash completion code to handle this:

_ssh_completions () {
        local cur=${COMP_WORDS[COMP_CWORD]}
        local prev=${COMP_WORDS[COMP_CWORD-1]}

        COMPREPLY=( $(
                set -- $HOME/.ssh/config;
                while [ $# -gt 0 ]; do
                        f=$(eval echo $1)
                        set -- $@ $(awk '/^Include /{print $2}' $f)
                        awk '/^Host [a-zA-Z0-9._ -]+$/ {sub("^Host ", ""); gsub(" ", "\n"); print $0;}' $f
                done | sort -u | grep "^$cur"
                ) )
complete -o default -o nospace -F _ssh_completions scp sftp ssh mosh rsync ssh-copy-id

Add it to your .bashrc and you should be good to go.

Apple Software Update Server Notes

I installed the software update service (or short: SUS; ‘Content Caching’ in High Sierra) on a box. But does it work?! Well, took some time investigate this feature. Below a brain dump of things I found out while looking into it. I need to remotely managed the thing so my focus is on the command line.

Previously this service was part of, but this has been moved into the base macOS High Sierra install.

Enable Content Caching through System Preferences -> Sharing -> Content Caching. If you press Alt while in that screen you will notice the ‘Options’ button change to ‘Advanced options’ for things like multi-WAN link support, etc.

It goes by several names:

  • Content Caching
  • Software Update Server, or SUS
  • Update Cache
  • AssetCache

SUS Server


This tool allows controlling and checking the Asset Cache. It provides you information on the amount of data for example:


which will produce output like:

... Built-in caching server status: {
 Activated = 1;
 Active = 1;
 CacheDetails = {
  iCloud = 17514000;
  "iOS Software" = 4376897000;
 CacheFree = 1092067810304;
 CacheLimit = 0;
 CacheStatus = OK;
 CacheUsed = 4394411000;
 Parents = (
 Peers = (
 PersonalCacheFree = 1092067810304;
 PersonalCacheLimit = 0;
 PersonalCacheUsed = 17514000;
 Port = 49304;
 PrivateAddresses = (
 PublicAddress = "";
 RegistrationStatus = 1;
 RestrictedMedia = 0;
 ServerGUID = "043694F8-BCB8-4F4A-81EF-6DBA9CAA5DAF";
 StartupStatus = OK;
 TotalBytesDropped = 0;
 TotalBytesImported = 17514000;
 TotalBytesReturnedToChildren = 0;
 TotalBytesReturnedToClients = 3537583328;
 TotalBytesReturnedToPeers = 0;
 TotalBytesStoredFromOrigin = 2927451538;
 TotalBytesStoredFromParents = 0;
 TotalBytesStoredFromPeers = 0;


To show logging for this service:

log show --predicate 'subsystem == ""' | less

If you replace show with stream it will report the logging live. It contains the much needed information on wether it actually works, for example lines like these (prefix replaced with ‘…’):

... Registering with local address: (150 Mbit/sec wireless); port 49
304; local subnet range only:; version: 196; on AC power: yes; cache size: ~1 TB; capabilities: im,ns,pc,qp,sc,ur; portable: no
... Cleanup succeeded.
... Request for registration from
... Got back public IP
... This server knows about 0 other caching servers.
... Since server start: 0 bytes returned to clients, 0 bytes to peers, 0 bytes to children; 0 bytes stored from Internet, 0 bytes from peers, 0 bytes from parents; 7.6 MB imported.
... #pOi5EbtX2lWK Received PUT request by "cloudd/719" to store /abcdefghijklmnopqrst [icloud:abcdefghijklmnopqrst]

To see the effectiveness of the cache you check out these lines:

... Since server start: 2.89 GB returned to clients, 0 bytes to peers, 0 bytes to children; 2.28 GB stored from Internet, 0 bytes from peers, 0 bytes from parents; 17.5 MB imported.

Cached content

To see the cached content check out the sqlite database with commands on this page:

## Log onto SQL-Lite DB
# For High Sierra:
sudo sqlite3 '/Library/Application Support/Apple/AssetCache/Data/AssetInfo.db'
# For earlier versions:
sudo sqlite3 /Library/Server/Caching/Data/AssetInfo.db
## Then paste the following commands to see updates
.mode column
.headers on
select ZTOTALBYTES, datetime(ZCREATIONDATE+978307200,'unixepoch','localtime') as ZCREATIONDATE, datetime(ZLASTACCESSED+978307200,'unixepoch','localtime') as ZLASTACCESSED, ZLASTMODIFIEDSTRING, ZURI from ZASSET order by ZCREATIONDATE;

Other stuff

AssetCache configuration information can be found in:

 less /Library/Preferences/

Information on these settings can be found in this Apple support page.

To see the actual space used by the cache (the directory can be found in the .plist file mentioned above, or in the output of AssetCacheManagerUtil settings):

 sudo du -sh '/Library/Application Support/Apple/AssetCache/Data'

You can change the location of the cache, but this is restricted. See the AssetCacheManagerUtil man page.

Configuring WAN IP address(es)

If you use a setup with multiple WAN links you need to provide discovery information for these WAN IP addresses through DNS. You need to add an entry like (example for bind):

_aaplcache._tcp 259200 IN TXT "prs=,"

This specifies that the name _aaplcache._tcp, in the domain this entry is added to, provides a TXT record in class IN Internet with an expiry of 259200s (3 days) with the value prs=, That’s it. You can find this info after setting My local networks to use custom IP addresses in Sharing -> Content Caching -> Advanced Options -> Clients -> DNS Configuration.

Now, the domain this should be in: This should be the local domain the clients use for resolving. So, say your client requests an IP address through DHCP and is returned a DNS search domain of, then the _aaplcache._tcp needs to be in that domain. ` . The trailing dot is important, as it indicates that that’s it, no more adding of search domains. On your MacBook you can find this search domain in System Preferences -> Network -> Wi-Fi -> Advanced… -> DNS -> Search Domains. In Windows you can for retrieve that search domain from the ipconfig command in a cmd window. On any UNIX you can find it in /etc/resolv.conf .


In unbound you can add this DNS record through a local-data statement in the server section of the unbound.conf file:

  local-data: ' 14400 TXT "prs=,"'

Note that I left out the IN class as it is the default. I also changed the expiry to 4h.

With unbound this can even be submitted into a running DNS service using the following commands (you need to remove any old data first to avoid duplicate entries; it doesn’t overwrite):

unbound-control local_data_remove
unbound-control local_data \ 14400 TXT prs=,

If you change it frequently, use an even lower expiry, like 1800s (30 min.) (the second line is split over two lines, and can be either cut&pasted as is with the \ at the end, or combined into one line).


To test whether the cache is actually working, start off with running


on the content cache itself to see whether the cache machine can use itself as a cache. Then try the same command on a client. Check in both to see whether it can reach (at least one of) the content cache(s).

SUS clients

To see whether or  not a host sees the content cache, for example on the SUS itself, run:


It will for example show you a line like

2017-11-06 12:54:51.814 AssetCacheLocatorUtil[44819:911557] localhost:49304, rank 0, guid 043694F8-BCB8-4F4A-81EF-6DBA9CAA5DAF, valid until 2017-11-06 13:14:51; supports personal caching: yes, and import: yes, shared caching: yes

showing you for example the IP address and port the asset cache is running on. It will write out a file diskcache.plist which you should be able to dump with plutil (as root):

ls -l /var/folders/*/*/C/

sudo plutil -p /var/folders/*/*/C/com.appleAssetCacheLocatorService/diskCache.plist

See the man page for more information on how to use this utility:

man AssetCacheLocatorUtil


ownCloud update to 10.0.2 fails for webdav

During an upgrade ownCloud from 9.x to 10.x on my FreeBSD 11 system it failed with an error related to webdav: ‘archives of type are not supported‘.

After some investigation it ended up being a conflict between webdav installed by subversion and the ownCloud specific webdav. Adding

 <IfModule mod_dav.c>
 Dav off

to the owncloud section and restarting Apache, as suggested in some posts and the documentation, did not suffice. I disabled svn (by renaming modules.d/220_subversion.conf to *.conf.unused) and then restarted Apache again.

After resetting the ‘maintenance‘ flag in owncloud/config/config.php to false again, I was able to run the update procedure. I enabled subversion again, but left the ‘Dav off’ in there for good measure, and it seems to sync my files just fine.

It then failed with an index being too big but that can be resolved by editing owncloud/core/Migrations/Version20170516100103.php and replacing ‘256’ with ‘255’ in line 53:

 $table->addColumn('term', Type::STRING, [
    'notnull' => true,
    'length' => 256

See for an explanation. Don’t forget to change it back after the upgrade to prevent owncloud from warning you about a code inconsistency.

tunefs -L labels don’t show up in /dev/ufs

I’ve had cases where

    tunefs -L IPKHIMGroot1 /dev/ada0p2

didn’t work. The label did not show up in /dev/ada0p3. After a reboot / could not be mounted from /dev/ufs/IPKHIMGroot1 because the label was still not there.

It dawned on me that I had written an image file into the partition file, but one that was shorter than the partition (which works fine). I remember reading somewhere that the label is stored at the beginning and at the end, or just at the end of the filesystem. That’s also the place where gpart looks for it (which is no coincidence). If the filesystem does not cover the whole partition the label is not found during boot. The following commands made that work:

gpart resize /dev/ada0p2
growfs /dev/ada0p2
tunefs -L IPKHIMGroot1 /dev/ada0p2

Do remember kids: if it breaks your system, you get to keep the pieces.

Bluetooth keyboard battery check

Every once in a while the rechargeable batteries of my keyboard or trackpad would be drained in the morning, right the moment when I needed them most. Of course there is the warning from the OS that I should check the battery, but that doesn’t fit my workflow: I keep forgetting the warning, or act on it when I should be doing more important stuff. I am a procrastinator: I would instantly hunt around the house for new batteries whenever Mac OS X warned me about battery levels. Continue reading Bluetooth keyboard battery check

Transparent DNS proxy

We would like to optimise our DNS traffic. For that to work we need a transparent DNS proxy, as we cannot force the end-users to use our DNS server. There are quite a few articles to be found on setting up a transparent Squid proxy. And there is also mention of setting up a transparent DNS proxy using unbound on Linux. Reading those articles this seems to be rather straightforward. Continue reading Transparent DNS proxy

Convert (lat,lon) to city close-by

Using the GeoNames database we can create a tool that provides the city closest to a given latitude, longitude. geonamesHere you find a script including documentation to create and query a mysql table. It also includes the cities15000.txt file downloaded from GeoNames (it is licenses under the Creative Commons License 3.0). Continue reading Convert (lat,lon) to city close-by

Tunnelling rdesktop through SOCKS

Case: I’d like to connect via RDP to a Windows host behind a closed network. But I don’t want to route all traffic through the SOCKS proxy, so configuring the SOCKS proxy in the Mac OS X network settings is a no-go for me. I need to proxy rdesktop through the SOCKS proxy on localhost in a different way. Unfortunately rdesktop does not support SOCKS itself (CoRD does, but only via the Mac OS X network settings). Continue reading Tunnelling rdesktop through SOCKS

Upgrading SPA504G pre-7.5.2.b firmware

I’ve had some trouble upgrading my Cisco SPA504G phone. I first tried to update to the latest and greatest (7.6.1) and that failed. It would download, flash red, and then return to normal. It stayed at 7.5.2. After browsing I found out that I had to upgrade to 7.5.2b first for firmwares before that. Tried that, but that didn’t take either. I tried several different versions, like downgrades but none of it worked. Continue reading Upgrading SPA504G pre-7.5.2.b firmware