Category Archives: Tool of the Week

Changing Putty’s right-click behaviour

Anyone who uses Putty a lot will inevitably accidentally paste something into their putty window due to Putty’s right-click to paste default behaviour, often resulting in pasting relatively embarassing content like SQL that should never be seen in daylight, or at least a customer’s root password.
However, I found this putty enhancement request today. Note at the bottom:

Update: as of 2003-11-21, there is a new mouse-handling option whereby the right button brings up a context menu containing a Paste option, rather than pasting directly.

And sure enough, putty supports this. It also supports “xterm mode”, which is a more standard middle-click to paste mode. Solved!

Why I love dmidecode

I was asked to provide more ram for a server today, specified only by name. I have login details, but it’s in a datacentre in Auckland, and I’m in Hamilton, so I can’t wander over to check details.

Enter dmidecode:

System Information
Manufacturer: Dell Computer Corporation
Product Name: PowerEdge 860

That’s basically all I need right there. Having a namebrand machine helps, of course – getting the same sort of information from a generic motherboard isn’t as easy or useful. However, while checking which ram banks are populated I can also (typically) get the type of ram as well:

Handle 0x1100, DMI type 17, 27 bytes
Memory Device
Array Handle: 0x1000
Error Information Handle: Not Provided
Total Width: 72 bits
Data Width: 64 bits
Size: 1024 MB
Form Factor: DIMM
Set: 1
Locator: DIMM1_A
Bank Locator: Not Specified
Type: DDR2
Type Detail: Synchronous
Speed: 533 MHz (1.9 ns)
Manufacturer: 7F7F7F0B00000000
Serial Number: 7A947291
Asset Tag: 0D0718
Part Number: NT1GT72U8PB0BY-37B

In this case, the other “Memory Device” entries had “No module installed” in the Size: section, so I know that this machine has one (1) 1GB DDR2-533 DIMM installed.

Of course, that output doesn’t seem to tell me that the Dell PowerEdge 860 wants ECC ram (although I know that anyway). And the output from dmidecode on a newer machine:

Handle 0x1100, DMI type 17, 23 bytes.
Memory Device
Array Handle: 0x1000
Error Information Handle: Not Provided
Total Width: 72 bits
Data Width: 64 bits
Size: 2048 MB
Form Factor:
Set: 1
Locator: DIMM 1A
Bank Locator: Not Specified

Type Detail: Synchronous
Speed: 667 MHz (1.5 ns)

That’s from a brand new HP DL360 with FB-DIMMs, so I guess my version of dmidecode on this machine isn’t new enough to handle that.

In general though, it’s more than good enough :)

OSS Network Imaging / Install services

I’m very interested in the topic of network deployments of operating systems, specifically the various Microsoft OSs, as I can already install linux via PXEboot. There’s two main groups of software in this field – unattended or scripted installs, and imaged installs.

A while ago I found a tool called Unattended, which is a network based unattended installation tool for Windows. If it works, it looks very promising. It’s basically a DOS boot disk which mounts a network share and executes the windows installer. Simplicity. The basic install seems to require you to enter a number of responses to questions (such as administrator password, timezone and Microsoft product key), but the documentation explains how to customise the script to meet your business needs, including examples. Once the OS install is done, Unattended can be configured to install third party packages, as long as the packages (eg, MSI bundles) also support some level of unattended installation procedure.

Today I discovered Free Online Ghost, or FOG. FOG is network based computer imaging tool, designed to both read images from, and write images to hosts on your network. I’ve used tools like partimage in the past for exactly this purpose – creating a golden image of a lab machine and then reimaging the entire lab every couple of months to keep everything clean. FOG seems to be more polished than partimage does, as it claims to support things like creating AD accounts for the machine and so on.

The Unattended documentation includes a concise explanation of why the approach adopted by FOG, partimage, and commercial tools like Acronis and Ghost is bad, however I think this is really a case of using the right tool for the job. I can see a system like FOG being used with great success in a lab environment, or for periodic backup of individual host OSes to near-line storage, providing bare-metal restore functionality without requiring major investment in tape backup expansion. And Unattended makes a lot more sense for initial deployments, especially for my workplace, as we use such a wide range of hardware that an imaged install would be fairly problematic.

There are other commercial systems for doing these deployments of course – IBM Director, HP ICE, Citrix Provisioning Server are just a few of them, but these systems invariably make more sense for in-house deployment control.

Using monit for system and process monitoring

One of the servers I maintain is the jabber server at This is a free public service, anyone can use it, and it does get quite a wide range of use – for a long time we seemed to be very popular for south american users, possibly because of the web based clients and the range of transports to other protocols we support. We typically see between 50 and 100 concurrent users, depending on time of day and week, but the active account base is normally in the low thousands.

The transports themselves cause me a lot of problems. In the past they’ve been downright buggy, crashing all the time, but with the current codebase for all four protocols in use (AIM, ICQ, MSN and Yahoo) all being in python, we don’t seem to have as many outright crashes. We do have slow memory leaks however, which prompted me to move the services to a new server a while back. Part of me was hoping that the memory leaks were caused by the gentoo system I was using initially, but this doesn’t seem to be the case.

So, I needed to either fix these memory leaks, or to work around them. Enter monit. I’ve heard about monit quite a bit, but never really looked into it other than thinking it might be interesting. I really wish I’d looked further ages ago. It’s easy to set up, is designed specifically to monitor and restart services, and it solved my memory leak problem in about 5 minutes.

Here’s a snippet from the config file:

check process aim-transport with pidfile /var/jabberd/pid/
start program = “/etc/init.d/aim-transport start”
stop program = “/etc/init.d/aim-transport stop”
if cpu > 60% for 2 cycles then alert
if cpu > 80% for 5 cycles then restart
if totalmem > 300.0 MB for 5 cycles then restart
group transport

This is pretty self explanatory really. If CPU usage of this process gets too high, alert, then restart if it stays high for 5 cycles. And if the ram usage is over 300 MB for 5 cycles (a cycle is 2 minutes by default), restart the process. Problem solved. Or rather, the symptoms are solved, but that’s good enough for me at this stage

NoteThis is old, but somehow didn’t get posted

NUT: Network UPS Tools

I was tweaking the UPS rules at a client’s site, when I noticed that the base NUT configuration that we use didn’t really do a hell of a lot. The example config files had some hints as to what were needed, but unless I missed something fundamental, didn’t have the full picture.

After a bit of searching, my laptop battery ran out so I couldn’t carry on working onsite. I did get far enough to make some notes, but I have since lost the site I referred to, so can’t put proper attribution. It looked something like this one though, and was also dedicated to setting up NUT on a Mac, so I figure that will do.

I’ve since returned to this issue, and after fighting with serial and USB cables, have finally completed and tested it all. My configuration is on the WLUG wiki at the NutNotes page.

“Useful” command line tools

A coworker was doing some work on a server we’re building up, and wanted to kill a bunch of processes. The killall binary wasn’t installed for some reason (default etch install, probably just missing the package), but he found a killall5 binary instead.

For those of you who don’t know, killall5 is the SysV version of killall. It’s quite a bit more literal about it’s functionality than the killall most of us are used to – it will, without taking any command line arguments, prompting if you are sure, or any indication of what is about to happen, send a kill signal to all processes.

I was in the middle of saying “Don’t run that” when my coworker did. Oops. Good thing we were still building the server and it was on the build desk next to him.

This got me thinking though. Are there any other command line tools that are similarly dangerous as killall5? That is, they will do something terminal to your system, without prompting for help or confirmation?

Miro – Internet TV

Miro, formerly known as Democracy TV, made its first public release a few days ago.  It’s available at Miro is like a blog aggregator for video sources such as YouTube and Google Video, as well as provider content such as various news  and science tv channels, The Onion.

Installing it was trivial under Ubuntu, although it conflicts with the blackdown JRE. You can install the sun jre instead to get around this.

Restricting ssh password auth by group or shell

Matt Brown asked if I could think of any way to allow a certain group of users to scp into a host and use a password, while requiring a valid key pair for most other users. Perry suggested a solution to this a while ago, so I sat down and had a quick look at it, and got it working.

I configured sshd such that:

PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

This bypasses direct /etc/passwd auth, but allows standard PAM based auth via the ChallengeResponseAuthentication mechanism. This will allow everyone to login with a password if possible, so we need to configure pam. For this, I used the pam_listfile module, checking that the user had a particular shell, /usr/bin/scponly, as their shell:

cat “/usr/bin/scponly” > /etc/scpshells

I then edited /etc/pam.d/sshd:

auth required
auth required item=shell sense=allow file=/etc/scpshells onerr=fail
auth sufficient likeauth nullok
auth required
auth required

session required
session required

account required

password required difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient nullok md5 shadow use_authtok
password required

I probably don’t need all of that in the sshd pam snippet, but I just dumped the contents of the included files into to to make editing it easier.

To test this I added /bin/bash to /etc/scpshells, and verified that I could ssh in by using a pasword. I then removed it, and verified that I could no longer ssh in with a password. Combine this with a suitable shell (/usr/bin/scponly), and I can create users that can scp in with a password – or with a key if they care – but cannot get a local shell; all other users cannot authenticate via PAM, and so must provide a valid key.

Building Debian packages with YADA

I have recently had to build some debian packages for software we distribute to our clients. I’ve built debian packages in the past, but I was a bit rusty so was looking at a similar package to the one I was working on at the time, a collection of php scripts for a web based tool. As it happened, the debian package I chose to inspect, phpmyadmin, used a program called YADA as an aid for building the deb.
YADA stands for Yet Another Debianisation Aid. I can’t find a decent definitive website for it (it’s not, btw!), but it’s in sarge and ubuntu. YADA takes two input files – debian/changelog and debian/packages, and generates a suitable set of files inside the debian/ subdir so that you can create your .deb package. The format of the debian/packages file is quite simple and gives, as far as I can tell, full control over the resulting configuration.

There is good documentation in the yada-doc package, including example packages files take from a range of debian packages that make use of YADA already.


If you have computer on a public-facing IP address, and it runs an SSH server on port 22, chances are pretty good you’ll be subjected to a number of dictionary attacks. Compromised hosts will try to login with a list of common user names and passwords.

Now, this isn’t a problem for most of us, right? We have secure passwords after all, and these attacks are just trying dictionary lists of words – username root, password of ‘password’ or ‘root’, for example. However, they are still annoying – if only because they fill up the logfiles. Also, it’d be better to just not have the connections, just in case they manage to get through.
I recently came across a tool called denyhosts. Denyhosts monitors your ssh log file and modifies /etc/hosts.deny to disallow SSH (or all access to tcpwrapped services) from hosts that have a significant number of failed login attempts. It also has a synchronised mode in which hosts running denyhosts on the internet share their list of denied IP addresses.

I set it up a week or so ago and get an email every couple of hours with a new IP address that has been blacklisted. I also managed to blacklist one of my own IP addresses while testing, which proved hard to remove – denyhosts kept adding the block back in. Fortunately I set it to purge entries after 3 days, so I can now ssh in again :)