Cover V11, I05

Figure 1


Questions and Answers

Amy Rich

I'd like to open this column with thanks to Kevin Taylor for the following hints for anyone using OpenSSH's internal pseudo-random number generator. Kevin writes:

We were experiencing some issues with OpenSSH on our larger servers, where we would receive a message saying "Not enough entropy in RNG". These were IRIX machines, which do not come with a /dev/random device, so we were concerned with users' ability to use ssh as more and more connections were being made.

After some poking around, I noticed a file called "ssh_prng_cmds", which is installed in the "etc" directory of the OpenSSH installation (wherever you put it). Inside this file, are listings of several UNIX commands that OpenSSH will execute to gather more entropy for its RNG.

For example:

# entropy gathering commands
# Format is: "program-name args" path rate
# The "rate" represents the number of bits of usable entropy per
# byte of command output. Be conservative.
# $Id:,v 1.6 2001/02/09 01:55:36 djm Exp $

"ls -alni /var/spool/lpd" undef 0.04
"ls -alni /var/adm" /sbin/ls 0.04
"ls -alni /var/mail" /sbin/ls 0.04
"ls -alni /var/adm/SYSLOG" undef 0.04
"ls -alni /var/mail" undef 0.04
"ls -alni /proc" /sbin/ls 0.04
The only problem is that this file is not thoroughly documented. There's some, but not lots.

Basically the stuff inside the quotes is the command that's executed, and the last field of the line is the weight this command is given to the total entropy gathered. What the difference between "undef" and the actual command name is I'm not sure.

What we observed, in looking through this file on an IRIX system, was that most of the commands were incorrect. Some had bad options on the commands, which caused the command to never execute. Some had bad paths to commands, etc.

After fixing this up, we haven't come across those entropy errors... and I'd swear connections are faster, but don't have any quantitative benchmarks to prove it. So, I would recommend that anyone configuring OpenSSH take a look in that file (regardless of the OS) and just make sure that these commands/paths are functional. It could save a lot of trouble later.

Q I've been charged with writing some Web pages for our internal Web site. One of the features that's been requested is that I create "mailto" links with arguments for the Subject header and the Body of the message. Is this possible, and is it within spec?

A Adding extra information is certainly possible, yes, but not all of your clients may support it. Take a look at RFC 2368 ( for detailed information. The Body, Subject, and Keywords headers are believed to be both safe and useful according to the RFC, but the clients have no obligation to honor them.

If you were to create such a link, you need to be aware that RFC 1738 ( requires that many of the characters in the URL must be encoded. The two most common problematic characters that you'll run into are the space ("%20") and line breaks ("%0D%0A"). A good example of a "mailto" link that uses both the Subject and Body tags would be an automated mailer subscription: \
  %20me&body=subscribe%0D%0Aend%0D%0A--%20click \
The "mailto" URL scheme does not allow you to substitute variables. A message body that must include a user's email address cannot be encoded using the "mailto" URL. In this case, you're better off using a script to generate your mail.

Q I acquired a Sun Enterprise 220R that I'm trying to install the OS on. I'm trying to boot from CD-ROM (I don't have a jumpstart server yet), but the system just seems to hang during the boot and never come up. I have a VT terminal attached to it, but I don't see any out of the ordinary messages. Do I have bad media, or a bad CD-ROM drive, or what?

A Of course, start by verifying that you can boot another machine off your media. If you have bad media, you can always download and burn your own Solaris 8 CD-ROMs from Sun's Web site. Once you know that the media is good, make sure that the diagnostics are set to full. From the "ok" prompt, do the following:

setenv diag-level max
setenv diag-switch? true
setenv auto-boot? false
This should set the diag level to the maximum and stop the machine from attempting to actually boot. You can also try testing components individually (if they are completely failed, they won't show up in POST). Test the SCSI bus with the following:

If you don't see your CD-ROM device, there's an issue with the CD-ROM drive. Make sure all of the cables are seated correctly and try again.

I've also seen the system fail to boot in this manner because of bad memory. Make sure that you have all four slots in a bank full with either 32, 64, or 128M DIMMs (you can't use 256M or 512M in the 220Rs). If POST indicates an error with one of the memory modules, it should be listed with a U number. Figure 1 shows an example identifying which slot has the bad DIMM:

If POST isn't showing you any errors at all, and you've tried various things from the Sun 220R diagnostics page at:
you can swap out parts to try and identify the problem, or place a service call to Sun. If you don't have a Sun contract and don't want to pay the per-incident fee, start by replacing the CD-ROM drive with a known working one (or put the suspect CD-ROM drive into another machine to verify that it works). After that, strip the memory in the machine to the bare minimum (4 DIMMs in one bank) and use known good DIMMs.

Q I'm writing a shell script, and I want to be able to update the current line so I can compact what would be several screens of output into one screen. The output is supposed to look something like the following:

connecting to node 1
connecting to node 2
connecting to node X
Instead of printing out all of the "connecting to..." statements on a line-by-line basis, I just want to update the current line. I've seen this done in other software, but I'm not sure how I would go about coding this myself. Any suggestions? Will I be forced to write the program in C?

A There are a couple ways to accomplish this visual without resorting to C and the curses routines. You don't mention what OS or what shell you're working with, so I'll suggest a couple of quick ideas, and you can work from there:

This example uses tput to clear the line:

el=$(tput el)  # our "clear line" variable

for i in 1 2 3
  # use print -n to avoid linefeed,
  # carriage return (\r) to go to beginning of line, clear line (tput),
  # print message
  print -n "\r${el}Connecting to node ${i}"  
  sleep 5      # put your actual code to do things here

# send a linefeed so the shell prompt returns on its own line
echo ""        
This example uses the backspace character to back up one space. It has the added side effect of keeping the cursor on the last character instead of after it (á la tput):

print -n "connecting to node "

for i in 1 2 3
  print -n "${i}\b\c"
  sleep 5      # put your actual code to do things here
Q Using AIX 4.3.3, I'm trying to create a filesystem that spans an entire drive (no other filesystems on the drive) and will then be mirrored. When trying to allocate a filesystem, it comes back with an error advising that I don't have enough resources or drives to keep integrity. I've verified that the drives aren't assigned to another VG and the drives are empty. I must be missing something obvious here.

A Try getting some information on your volume groups and disks. First, get a listing of volume groups:

Then (substituting your actual volume group name for <vgname>) do:

lsvg <vgname>
You should get an entry that looks like:

FREE PPs:       200 (1600 megabytes)
This indicates how much unused space you actually have. The rest of the space is allocated in some way, but it may be to raw logical volumes or swap and not "visible" to you.

To verify that you're actually working with the expected disks, do:

lsvg -p <vgname>
It may also be helpful to list the sizes of the logical volumes in the specified volume group:

lsvg -l <vgname>
If all these numbers match up, then perhaps you're trying to mirror the logical volume onto a disk that's too small. Also, if this is the first filesystem you've created on this volume group, remember that you must leave free space for the jfslog logical volume (at least one PP). As a test, you can create your logical volume with just one PP and then mirror it onto the other disk. Create your filesystem, mount it, and then try to grow it to its maximum size.

Q I've compiled mod_perl into my Apache installation, and it shows it as being successfully installed when I run httpd -l. When I run the suggested test script, however, I get an internal server error.

Here's the script:

use strict;
my $r = shift;
$r->print("It worked!!!\n");
A You may have mod_perl compiled in but not enabled on whatever directory you're running your test script from. If you're putting all of your mod_perl scripts in a directory called /usr/local/www/perl, your httpd.conf file should have something that looks like:

ScriptAlias /perl /usr/local/www/perl
<Location /perl>
  SetHandler      perl-script
  PerlHandler     Apache::Registry
There should be a printenv script that's distributed with Apache that you can use to test your perl directory. If mod_perl is not enabled on the directory you run the printenv script from, it should say GATEWAY_INTERFACE="CGI/1.1". If you test a mod_perl-enabled directory, it should say GATEWAY_INTERFACE="CGI-Perl/1.1".

Q I have an HP 8550MFP printer connected to our network. I was using telnet to connect the printer to configure some parameters, and I noticed that there was an option called "allow". According to the brief help notes, this was to allow printing only from certain machines or subnets. I thought this was great, since we want to limit our printer to those people on our class C-sized network. The syntax of the command is:

allow: <IP> <MASK>
Unfortunately, instead of using netmask, I typed in:

To save the changes, you have to type in "quit", which I did. Now no one can print to the printer and I can't log back in via telnet to undo my screwup. I tried disabling and re-enabling TCP/IP from the printer menus themselves, and I tried actually resetting the printer from the RESETS menu on the printer, but nothing seems to work. How the heck do I get back in to fix this?

A As far as I know, there's no way to fix the printer from its own menus. You can, however, set up a BOOTP/TFTP server and reset the access list from there. You don't mention what OSs you're using, so I'll give an example for a UNIX box on the same network. It's easiest to install and configure the BOOTP server if you install the jetdirect package from HP and use its menu-driven system, but that may not be an option if you don't have a UNIX variant that they support.

Instead, I'll demonstrate a step-by-step hand setup of the BOOTP/TFTP server on Solaris 8 (though HP does support this OS with its jetdirect setup software).

First, make sure that in.tftpd and rpc.bootparamd (found in SUNWcsu) are installed, along with any supporting packages that might be needed.

Enable TFTP by making sure inetd is running and that the following line is not commented out in /etc/inetd.conf:

tftp   dgram  udp6   wait  root  /usr/sbin/in.tftpd  in.tftpd -s  /tftpboot
If you had to add this line or uncomment it, make sure to restart inetd:

kill -HUP '/bin/ps -ef | grep /usr/sbin/inetd | awk '{print $2'}'
Create an entry for the printer in /etc/bootptab that looks something like the following, substituting the correct values for your printer:

hpmfp:\                                # printer name
 :hn:ht=ether:vm=rfc1048:\             # you shouldn't need to change
 :ha=000000000000:\                    # printer's MAC address
 :ip=\                        # printer's IP
 :sm=\                   # printer's subnet mask
 :T144="hpnp/mfp.cfg":                 # name of configuration file
Now, in /tftpboot/, create the configuration file that's listed in the last line above. To get you started, add in the following basic keywords:

mkdir /tftpboot/hpnp/
touch /tftpboot/hpnp/mfp.cfg
echo "name: hpmfp" >> /tftpboot/hpnp/mfp.cfg
echo "allow:" >> /tftpboot/hpnp/mfp.cfg
Start up in.rarpd and rpc.bootparamd:

/usr/sbin/in.rarpd -a
Use the printer's console menu to enable BOOTP, and power-cycle the printer. If you use snoop on your Solaris box (or tcpdump on other UNIX variants), you should see the BOOTP and TFTP transactions between the printer and the BOOTP/TFTP server. You should now be able to print and telnet in from 10.5.5.*.

For more useful information that can go into the TFTP configuration file for the printer, take a look at the LPRng HOW-TO, section 11.7.3:
Amy Rich, president of the Boston-based Oceanwave Consulting, Inc. (, has been a UNIX systems administrator for more than five years. She received a BSCS at Worcester Polytechnic Institute, and can be reached at: