Questions and Answers
Amy Rich
I'd like to open this column with thanks to Kevin Taylor for the
following hints for anyone using OpenSSH's internal pseudo-random
number generator. Kevin writes:
We were experiencing some issues with OpenSSH on our larger servers,
where we would receive a message saying "Not enough entropy
in RNG". These were IRIX machines, which do not come with a
/dev/random device, so we were concerned with users' ability
to use ssh as more and more connections were being made.
After some poking around, I noticed a file called "ssh_prng_cmds",
which is installed in the "etc" directory of the OpenSSH
installation (wherever you put it). Inside this file are listings
of several UNIX commands that OpenSSH will execute to gather more
entropy for its RNG.
For example:
# entropy gathering commands
# Format is: "program-name args" path rate
# The "rate" represents the number of bits of usable entropy per
# byte of command output. Be conservative.
#
# $Id: ssh_prng_cmds.in,v 1.6 2001/02/09 01:55:36 djm Exp $
"ls -alni /var/spool/lpd" undef 0.04
"ls -alni /var/adm" /sbin/ls 0.04
"ls -alni /var/mail" /sbin/ls 0.04
"ls -alni /var/adm/SYSLOG" undef 0.04
"ls -alni /var/mail" undef 0.04
"ls -alni /proc" /sbin/ls 0.04
The only problem is that this file is not thoroughly documented. There's
some, but not lots.
Basically the stuff inside the quotes is the command that's
executed, and the last field of the line is the weight this command
is given to the total entropy gathered. What the difference between
"undef" and the actual command name is I'm not sure.
What we observed, in looking through this file on an IRIX system,
was that most of the commands were incorrect. Some had bad options
on the commands, which caused the command to never execute. Some
had bad paths to commands, etc.
After fixing this up, we haven't come across those entropy
errors... and I'd swear connections are faster, but don't
have any quantitative benchmarks to prove it. So, I would recommend
that anyone configuring OpenSSH take a look in that file (regardless
of the OS) and just make sure that these commands/paths are functional.
It could save a lot of trouble later.
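Here is an added example, not part of Kevin's letter or of this column, that automates the check he recommends. It parses the ssh_prng_cmds format shown above ("program args" path rate), flags entries whose path field is "undef" (the configure script found no such program, and OpenSSH skips those lines entirely), and flags entries whose path does not point at an executable on this host. The sample file contents are constructed from the excerpt above; the is_executable parameter exists so the check can be run against a fake filesystem.

```python
"""Audit an OpenSSH ssh_prng_cmds file.

Added example, not code from OpenSSH or from the column.
Each non-comment line is:  "program args" path rate
  path  - absolute path configure found for the program, or "undef"
          when it was not found (OpenSSH skips such lines)
  rate  - estimated bits of usable entropy per byte of output
"""
import os
import shlex

# Constructed sample, copied from the ssh_prng_cmds excerpt above.
SAMPLE = """\
# entropy gathering commands
# Format is: "program-name args" path rate
"ls -alni /var/spool/lpd" undef 0.04
"ls -alni /var/adm" /sbin/ls 0.04
"ls -alni /var/mail" /sbin/ls 0.04
"ls -alni /var/adm/SYSLOG" undef 0.04
"ls -alni /var/mail" undef 0.04
"ls -alni /proc" /sbin/ls 0.04
"""


def parse_prng_cmds(text):
    """Return a list of (command, path, rate) tuples, skipping comments."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # honours the quoted command field
        if len(fields) != 3:
            raise ValueError("line %d: expected 3 fields, got %r" % (lineno, fields))
        cmd, path, rate = fields
        entries.append((cmd, path, float(rate)))
    return entries


def audit_prng_cmds(entries, is_executable=None):
    """Tag each entry with 'ok', 'undef' or 'missing'.

    'undef'   - disabled at configure time; contributes no entropy.
    'missing' - path is not an executable file here; the command will
                fail every time it is run and contribute nothing.
    """
    if is_executable is None:
        is_executable = lambda p: os.path.isfile(p) and os.access(p, os.X_OK)
    report = []
    for cmd, path, rate in entries:
        if path == "undef":
            status = "undef"
        elif not is_executable(path):
            status = "missing"
        else:
            status = "ok"
        report.append((cmd, path, rate, status))
    return report


def summarize(report):
    """Count entries per status, e.g. {'ok': 3, 'undef': 3, 'missing': 0}."""
    counts = {"ok": 0, "undef": 0, "missing": 0}
    for _, _, _, status in report:
        counts[status] += 1
    return counts


if __name__ == "__main__":
    # Audit the sample against the real filesystem of this host.
    for cmd, path, rate, status in audit_prng_cmds(parse_prng_cmds(SAMPLE)):
        print("%-8s %-40s %-10s %.2f" % (status, cmd, path, rate))
    print(summarize(audit_prng_cmds(parse_prng_cmds(SAMPLE))))
```

Run it against the installed file (read it in place of SAMPLE) after every OpenSSH upgrade or OS patch; a shuffled /sbin/ls or a removed /proc silently turns an "ok" line into a "missing" one.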
Q I've been charged with writing
some Web pages for our internal Web site. One of the features that's
been requested is that I create "mailto" links with arguments
for the Subject header and the Body of the message. Is this possible,
and is it within spec?
A Adding extra information is certainly
possible, yes, but not all of your clients may support it. Take
a look at RFC 2368 (http://www.faqs.org/rfcs/rfc2368.html)
for detailed information. The Body, Subject, and Keywords headers
are believed to be both safe and useful according to the RFC, but
the clients have no obligation to honor them.
If you were to create such a link, you need to be aware that RFC
1738 (http://www.faqs.org/rfcs/rfc1738.html) requires that
many of the characters in the URL be percent-encoded. The two most
common problematic characters that you'll run into are the
space ("%20") and the line break ("%0D%0A"). An "&" or "=" inside
a header value must also be encoded ("%26" and "%3D"), or the mail
client will read it as the start of another header. A
good example of a "mailto" link that uses both the Subject
and Body headers would be an automated mailer subscription (shown
on three lines here; it is one URL with no breaks in it):
mailto:majordomo@host.domain.com?subject=Please%20subscribe%20me
&body=subscribe%0D%0Aend%0D%0A--%20click%20%60Send%27
%20now%20to%20subscribe.%0D%0A
When the URL goes into an HTML href attribute, write each "&"
that separates the headers as "&amp;".
The "mailto" URL scheme does not allow you to substitute
variables. A message body that must include a user's email address
cannot be encoded using the "mailto" URL. In this case,
you're better off using a script to generate your mail.
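As an added example (not from the column), here is a small Python builder for such links. It percent-encodes every reserved character in a header value, normalises line breaks to CRLF as in the example above, and accepts only the Subject, Body and Keywords headers that RFC 2368 calls safe, so a value taken from user input cannot append a header of its own (for instance an "&cc=..." smuggled into the body). The function names and the HTML wrapper are my own.

```python
"""Build RFC 2368 mailto: URLs safely. Added example, not from the column."""
from html import escape
from urllib.parse import quote

# Header names RFC 2368 describes as both safe and useful. Anything
# else (From, Bcc, ...) is rejected rather than passed through.
SAFE_HEADERS = ("subject", "body", "keywords")


def encode_value(value):
    """Percent-encode one header value.

    safe="" means every reserved character ('&', '=', '?', '%', '/',
    '@', space, ...) is encoded, so data can never terminate the value
    early. Bare LF or CR is normalised to CRLF first, giving %0D%0A.
    """
    value = value.replace("\r\n", "\n").replace("\r", "\n").replace("\n", "\r\n")
    return quote(value, safe="")


def build_mailto(addr, **headers):
    """Return 'mailto:addr?name=value&name=value' for the given headers."""
    parts = []
    for name, value in headers.items():
        name = name.lower()
        if name not in SAFE_HEADERS:
            raise ValueError("header not permitted in a mailto URL: %s" % name)
        parts.append("%s=%s" % (name, encode_value(value)))
    url = "mailto:" + quote(addr, safe="@")
    if parts:
        url += "?" + "&".join(parts)
    return url


def mailto_href(addr, link_text, **headers):
    """Wrap the URL in an anchor; '&' between headers becomes '&amp;'."""
    return '<a href="%s">%s</a>' % (
        escape(build_mailto(addr, **headers), quote=True),
        escape(link_text),
    )


if __name__ == "__main__":
    print(build_mailto("majordomo@host.domain.com",
                       subject="Please subscribe me",
                       body="subscribe\nend\n-- click `Send' now to subscribe.\n"))
    print(mailto_href("majordomo@host.domain.com", "Subscribe",
                      subject="Please subscribe me", body="subscribe\nend\n"))
```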
Q I acquired a Sun Enterprise 220R
that I'm trying to install the OS on. I'm trying to boot
from CD-ROM (I don't have a jumpstart server yet), but the
system just seems to hang during the boot and never come up. I have
a VT terminal attached to it, but I don't see any out of the
ordinary messages. Do I have bad media, or a bad CD-ROM drive, or
what?
A Of course, start by verifying
that you can boot another machine off your media. If you have bad
media, you can always download and burn your own Solaris 8 CD-ROMs
from Sun's Web site. Once you know that the media is good,
make sure that the diagnostics are set to full. From the "ok"
prompt, do the following:
setenv diag-level max
setenv diag-switch? true
setenv auto-boot? false
This should set the diag level to the maximum and stop the machine
from attempting to actually boot, so that you can read the POST output
on your terminal. (While diag-switch? is true, OpenBoot boots from
diag-device rather than boot-device, so set it back to false, and
auto-boot? back to true, once you're done.) You can also try testing
components individually (if they are completely failed, they won't show
up in POST). Test the SCSI bus with the following:
probe-scsi-all
If you don't see your CD-ROM device, there's an issue with
the CD-ROM drive. Make sure all of the cables are seated correctly
and try again.
I've also seen the system fail to boot in this manner because
of bad memory. Make sure that you have all four slots in a bank
full with either 32, 64, or 128M DIMMs (you can't use 256M
or 512M in the 220Rs). If POST indicates an error with one of the
memory modules, it should be listed with a U number. Figure 1 shows
an example identifying which slot has the bad DIMM:
If POST isn't showing you any errors at all, and you've
tried various things from the Sun 220R diagnostics page at:
http://docs.sun.com/ab2/coll.583.2/RAZORSVC/%40Ab2PageView/6016
you can swap out parts to try and identify the problem, or place a
service call to Sun. If you don't have a Sun contract and don't
want to pay the per-incident fee, start by replacing the CD-ROM drive
with a known working one (or put the suspect CD-ROM drive into another
machine to verify that it works). After that, strip the memory in
the machine to the bare minimum (4 DIMMs in one bank) and use known
good DIMMs.
Q I'm writing a shell script,
and I want to be able to update the current line so I can compact
what would be several screens of output into one screen. The output
is supposed to look something like the following:
connecting to node 1
connecting to node 2
...
connecting to node X
Instead of printing out all of the "connecting to..." statements
on a line-by-line basis, I just want to update the current line. I've
seen this done in other software, but I'm not sure how I would
go about coding this myself. Any suggestions? Will I be forced to
write the program in C?
A There are a couple of ways to achieve
this effect without resorting to C and the curses routines. You
don't mention what OS or what shell you're working with,
so I'll suggest a couple of quick ideas, and you can work from
there:
This example uses tput to clear the line:
#!/bin/ksh
el=$(tput el) # our "clear line" variable
for i in 1 2 3
do
# use print -n to avoid linefeed,
# carriage return (\r) to go to beginning of line, clear line (tput),
# print message
print -n "\r${el}Connecting to node ${i}"
sleep 5 # put your actual code to do things here
done
# send a linefeed so the shell prompt returns on its own line
echo ""
This example uses the backspace character to back up one space. It
has the added side effect of keeping the cursor on the last character
instead of after it (à la tput). Because it backs up exactly one
column, it only works while the counter is a single character; once
you reach node 10 you need one backspace per digit (or use the
carriage-return approach above):
#!/bin/ksh
print -n "connecting to node "
for i in 1 2 3
do
# \b backs up one column so the next number overwrites this one;
# \c suppresses the trailing newline
print -n "${i}\b\c"
sleep 5 # put your actual code to do things here
done
# send a linefeed so the shell prompt returns on its own line
echo ""
Q Using AIX 4.3.3, I'm trying to
create a filesystem that spans an entire drive (no other filesystems
on the drive) and will then be mirrored. When trying to allocate a
filesystem, it comes back with an error advising that I don't
have enough resources or drives to keep integrity. I've verified
that the drives aren't assigned to another VG and the drives
are empty. I must be missing something obvious here.
A Try getting some information
on your volume groups and disks. First, get a listing of volume
groups:
lsvg
Then (substituting your actual volume group name for <vgname>)
do:
lsvg <vgname>
You should get an entry that looks like:
FREE PPs: 200 (1600 megabytes)
This indicates how much unused space you actually have. The rest of
the space is allocated in some way, but it may be to raw logical volumes
or swap and not "visible" to you.
To verify that you're actually working with the expected
disks, do:
lsvg -p <vgname>
It may also be helpful to list the sizes of the logical volumes in
the specified volume group:
lsvg -l <vgname>
If all these numbers match up, then perhaps you're trying to
mirror the logical volume onto a disk that's too small. Also,
if this is the first filesystem you've created on this volume
group, remember that you must leave free space for the jfslog logical
volume (at least one PP). As a test, you can create your logical volume
with just one PP and then mirror it onto the other disk. Create your
filesystem, mount it, and then try to grow it to its maximum size.
Q I've compiled mod_perl into
my Apache installation, and it shows it as being successfully installed
when I run httpd -l. When I run the suggested test script,
however, I get an internal server error.
Here's the script:
use strict;
my $r = shift;
$r->send_http_header('text/html');
$r->print("It worked!!!\n");
A You may have mod_perl compiled in
but not enabled on whatever directory you're running your test
script from. If you're putting all of your mod_perl scripts in
a directory called /usr/local/www/perl, your httpd.conf
file should have something that looks like:
Alias /perl/ /usr/local/www/perl/
<Location /perl>
SetHandler perl-script
PerlHandler Apache::Registry
Options ExecCGI
</Location>
Options ExecCGI matters: Apache::Registry refuses to run a script from
a directory where it is off. (ScriptAlias also works in place of Alias,
since SetHandler overrides the cgi-script handler it implies, but Alias
is what the mod_perl documentation uses.) Also look in Apache's
error_log; a 500 from a Registry script is normally accompanied by the
Perl compile or runtime error that caused it.
There should be a printenv script that's distributed with Apache
that you can use to test your perl directory. If mod_perl is not enabled
on the directory you run the printenv script from, it should say GATEWAY_INTERFACE="CGI/1.1".
If you test a mod_perl-enabled directory, it should say GATEWAY_INTERFACE="CGI-Perl/1.1".
Since printenv dumps the server's whole environment to anyone who
requests it, remove it again once you've finished testing.
Q I have an HP 8550MFP printer connected
to our network. I was using telnet to connect the printer
to configure some parameters, and I noticed that there was an option
called "allow". According to the brief help notes, this
was to allow printing only from certain machines or subnets. I thought
this was great, since we want to limit our printer to those people
on our 10.5.5.0 class C-sized network. The syntax of the command
is:
allow: <IP> <MASK>
Unfortunately, instead of using netmask, I typed in:
allow: 10.5.5.0 0.0.0.255
To save the changes, you have to type in "quit", which I
did. Now no one can print to the printer and I can't log back
in via telnet to undo my screwup. I tried disabling and re-enabling
TCP/IP from the printer menus themselves, and I tried actually resetting
the printer from the RESETS menu on the printer, but nothing seems
to work. How the heck do I get back in to fix this?
A As far as I know, there's
no way to fix the printer from its own menus. You can, however,
set up a BOOTP/TFTP server and reset the access list from there.
You don't mention what OSs you're using, so I'll
give an example for a UNIX box on the same network. It's easiest
to install and configure the BOOTP server if you install the jetdirect
package from HP and use its menu-driven system, but that may not
be an option if you don't have a UNIX variant that they support.
Instead, I'll demonstrate a step-by-step hand setup of the
BOOTP/TFTP server on Solaris 8 (though HP does support this OS with
its jetdirect setup software).
First, make sure that in.tftpd (found in SUNWcsu) is installed, along
with any supporting packages that might be needed, and that you have
a bootpd that reads /etc/bootptab. Solaris doesn't ship one: the one
in HP's JetDirect package will do, as will a CMU-derived bootpd built
from source. (Solaris's rpc.bootparamd serves the Sun bootparams RPC
protocol from /etc/bootparams, and in.rarpd answers RARP from
/etc/ethers; neither answers a BOOTP request, so starting them alone
won't reconfigure the printer.)
Enable TFTP by making sure inetd is running and that the
following line is not commented out in /etc/inetd.conf:
tftp dgram udp6 wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
Keep the -s /tftpboot: it makes in.tftpd chroot to that directory, so
nothing outside it can be fetched.
If you had to add this line or uncomment it, make sure to restart
inetd:
kill -HUP `/bin/ps -ef | grep '[i]netd' | awk '{print $2}'`
(pkill -HUP inetd does the same on Solaris.)
Create an entry for the printer in /etc/bootptab that looks
something like the following, substituting the correct values for
your printer. Note that bootptab comments must go on their own lines,
and the backslash has to be the last character on each continued line:
# hpmfp: the printer's name
# ha: the printer's MAC address; ip: its IP; sm: its subnet mask
# T144: name of the configuration file, relative to the TFTP root
# hn, ht, vm: you shouldn't need to change these
hpmfp:\
:hn:ht=ether:vm=rfc1048:\
:ha=000000000000:\
:ip=10.5.5.5:\
:sm=255.255.255.0:\
:T144="hpnp/mfp.cfg":
Now, in /tftpboot/, create the configuration file that's
listed in the last line above. To get you started, add in the following
basic keywords:
mkdir /tftpboot/hpnp/
touch /tftpboot/hpnp/mfp.cfg
echo "name: hpmfp" >> /tftpboot/hpnp/mfp.cfg
echo "allow: 10.5.5.0 255.255.255.0" >> /tftpboot/hpnp/mfp.cfg
Start your bootpd so that it listens for BOOTP requests (a CMU-derived
bootpd runs standalone with bootpd -s; HP's JetDirect package starts
its own):
bootpd -s
Use the printer's console menu to enable BOOTP, and power-cycle
the printer. If you use snoop on your Solaris box (or tcpdump on other
UNIX variants), you should see the BOOTP and TFTP transactions between
the printer and the BOOTP/TFTP server. You should now be able to print
and telnet in from 10.5.5.*.
For the record, the reason nobody could print is that the mask is
applied to both the entry and the client's address (the usual
network/mask comparison): with 0.0.0.255 only the last octet is
compared, so only a host whose address ends in .0 could have matched.
When you write the allow list, make sure the host you administer the
printer from is covered by it as well.
Once the printer has picked up the new configuration, comment the
tftp line back out of inetd.conf, restart inetd, and stop bootpd:
anyone on the network can fetch the printer's configuration file
from a TFTP server, and there's no reason to leave either service
listening.
For more useful information that can go into the TFTP configuration
file for the printer, take a look at the LPRng HOW-TO, section 11.7.3:
http://www.lprng.com/LPRng-HOWTO-Multipart/x5102.htm#AEN5119
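To make the lockout above concrete, here is an added Python check, not part of the column or of HP's software, that evaluates an "allow: IP MASK" line against candidate client addresses. It assumes the entry is matched the standard way for an address/mask pair, (client AND mask) == (entry AND mask); the function names and the CIDR helper are mine. Run against the original typo it shows which hosts would have been admitted, and the helper produces the correct line from a CIDR prefix so the mask is never typed by hand.

```python
"""Evaluate HP JetDirect 'allow: IP MASK' entries.

Added example, not from the column. Assumes the usual address/mask
match: a client is admitted when (client & mask) == (entry & mask).
"""
import ipaddress


def _as_int(dotted):
    """'10.5.5.37' -> 0x0A050525 (raises ValueError on garbage)."""
    return int(ipaddress.IPv4Address(dotted))


def parse_allow(line):
    """'allow: 10.5.5.0 255.255.255.0' -> (entry_int, mask_int)."""
    key, sep, rest = line.partition(":")
    if not sep or key.strip().lower() != "allow":
        raise ValueError("not an allow line: %r" % line)
    fields = rest.split()
    if len(fields) != 2:
        raise ValueError("expected 'allow: <IP> <MASK>', got %r" % line)
    entry, mask = fields
    return _as_int(entry), _as_int(mask)


def is_allowed(client, allow_lines):
    """True if any allow line admits the client address."""
    c = _as_int(client)
    for line in allow_lines:
        entry, mask = parse_allow(line)
        if c & mask == entry & mask:
            return True
    return False


def admitted_hosts(allow_line, candidates):
    """Subset of candidates admitted by a single allow line, in order."""
    return [c for c in candidates if is_allowed(c, [allow_line])]


def allow_line_for(cidr):
    """'10.5.5.0/24' -> 'allow: 10.5.5.0 255.255.255.0' (avoids hand-typed masks)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return "allow: %s %s" % (net.network_address, net.netmask)


if __name__ == "__main__":
    # Constructed sample clients: three on the intended class C,
    # one on another network ending in .0, one somewhere else entirely.
    clients = ["10.5.5.1", "10.5.5.37", "10.5.5.0", "10.9.9.0", "192.168.1.20"]
    for line in ("allow: 10.5.5.0 0.0.0.255", allow_line_for("10.5.5.0/24")):
        print("%-32s admits %s" % (line, admitted_hosts(line, clients)))
```

Note what the wrong mask does: it does not merely fail to admit the local network, it admits any address ending in .0 from anywhere, which is a worse outcome than "nobody can print" if the printer were reachable from outside.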
Amy Rich, president of the Boston-based Oceanwave Consulting, Inc.
(http://www.oceanwave.com), has been a UNIX systems administrator
for more than five years. She received a BSCS at Worcester Polytechnic
Institute, and can be reached at: qna@oceanwave.com.