boltblog

bash time limit on commands

Posted on September 1, 2011

Several programs, like "timelimit" and "timeout", exist to prevent a process from running for too long.
However, if you want to do this on a box where neither is installed, there's a way to do so with bash alone.

Based on the original script I found at pixelbeat.org...
#!/bin/sh

# Execute a command with a timeout

# Author:
# http://www.pixelbeat.org/
# Notes:
# If the timeout occurs the exit status is 128.
# There is an asynchronous (and buggy) equivalent of this
# script packaged with bash (under /usr/share/doc/ in my distro),
# which I only noticed after writing this.
# I noticed later again that there is a C equivalent of this packaged
# with satan by Wietse Venema, and copied to forensics by Dan Farmer.
# Changes:
# V1.0, Nov 3 2006, Initial release
# V1.1, Nov 20 2007, Brad Greenlee
# Make more portable by using the 'CHLD'
# signal spec rather than 17.

if [ "$#" -lt "2" ]; then
echo "Usage: `basename $0` timeout_in_seconds command" >&2
echo "Example: `basename $0` 2 sleep 3 || echo timeout" >&2
exit 1
fi

cleanup() {
{ kill %1 2>/dev/null; }& # kill sleep $timeout if running
kill %2 2>/dev/null && exit 128 # kill monitored job if running
}

set -m # enable job control
trap "cleanup" CHLD # cleanup after timeout or command
timeout=$1 && shift # first param is timeout in seconds
sleep $timeout& # start the timeout
"$@" # start the job

I made a new script in bash, which also returns the correct exit status if the command completed before the timeout:
http://www.dhampir.no/stuff/bash/timeout.bash

Works well for me, at least :)

Debian and Ubuntu auto-login and Xorg without a display manager

Posted on July 15, 2011

If you have a harddrive password (most laptops do this) or full disk encryption, you might not feel the need for an additional login after your system boots.

On most Debian-based systems, TTY's 1 through 6 are available after boot, while TTY 7 is used for Xorg. Therefore, I like to put my auto-login TTY on TTY 8, so it's out of the way and leaves TTY 1 available for troubleshooting and similar.

Auto-login to Xorg requires two things: The actual auto-login and a script which loads Xorg.

First things first. The autologin.
In the olden days on a Debian system, this was done by adding a line similar to this one in /etc/inittab:
8:23:respawn:/bin/login -f bolt tty8 /dev/tty8 2>&1
This spawns a TTY 8 and logs in as "bolt" (change to suit your needs). It will do so on runlevels 2 and 3.

Now, however, the tool "rungetty" is generally used for this, as it's more flexible and performs the same functions with a cleaner syntax. First, "apt-get install rungetty" to make sure it's there, then add a line similar to the following:
8:3:respawn:/sbin/rungetty tty8 --autologin bolt
Note that on Debian Lenny and older, the version of rungetty has a specific check in code which only allows --autologin to work on tty1. If asked to autologin on another tty, rungetty would silently fail and spawn a normal login tty. This restriction has been removed from Squeeze and onwards.

On Ubuntu 10.10, the tty configuration is not in /etc/inittab. There, you have to add a file called "/etc/init.d/tty8.conf" with the following contents:
# tty8 - getty
#
# This service maintains a getty on tty8 from the point the system is
# started until it is shut down again.

start on runlevel [23]
stop on runlevel [!23]

respawn
exec /sbin/rungetty tty8 --autologin bolt

I basically copied tty6.conf and modified it to make that.

Autostarting Xorg
So by default when you login, both Debian and Ubuntu will leave you with a bash prompt, and very little graphical goodness. Thus, you want your login script to start Xorg, but only if Xorg is not already running, and we're on tty8. Otherwise, switching from Xorg to a console with, for example, ctrl+alt+f1, would cause another attempt to launch Xorg.

Thus I made this script, named ".bash_login", and put it in my home directory.
# ~/.bash_login: executed by bash(1) for login shells.

# include .profile if it exists
if [ -f "${HOME}/.profile" ] && [ -r "${HOME}/.profile" ]; then
source "${HOME}/.profile"
fi

# if we're not root and we're logged in on tty8, we assume a rungetty autologin and start xorg
if [ ! -z "${UID:-}" ] && [ "$UID" != "0" ] && [ -z "${DISPLAY}" ] && [ ! -z "${SHLVL:-}" ] && [ "$SHLVL" == "1" ]; then
if [ "$(tty)" == "/dev/tty8" ]; then
trap "chvt 1; logout" INT TERM EXIT
chvt 8
while true; do
echo "starting xorg"
startx
echo "sleeping 2 seconds"
sleep 2
done
fi
fi

This script will do a few sanity checks, then run Xorg. If Xorg exits, it will sleep 2 seconds and run it again. If the script is told to stop, it will change to tty1, then logout of tty8.

Filed under: Howto's, Linux No Comments

Remote desktop does not support colour depth 24; falling back to 16

Posted on May 18, 2011

rdesktop on Linux will give this warning message when connecting to a Windows machine which has not been configured for 24-bit color RDP connections. This has, amongst other things, the effect of showing some horrible, jaggy desktop icons. See the pictures on the right for reference.

On Vista, Windows 7 and later (?), the solution is simple: Use 32-bit colors (-a 32)

On XP, which doesn't support 32-bit colors, it gets a little more complicated. XP does support 24-bit connections, but this mode is disabled by default because of bandwidth concerns and bad choices.

To fix this problem on XP (nothing needs changing on the Linux or Windows client) you need to access the Local Machine Group Policy editor.

If you're lucky, going to Start -> Run -> "gpedit.msc" will work for you. Type "gpedit.msc" without the quotes (and click "Run").

If that does not open the group policy editor, this is the long way around:

  • Start -> Run and type in "mmc"
  • Add the Group Policy snap-in by going to File -> Add/Remove Snap-in -> Add -> Group Policy Object Editor -> Add -> Finish (Local Machine) -> Close -> Ok

In the Group Policy Editor, navigate to Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services, and double-click on the 'Limit maximum Color Depth' object.

Set the item to "Enabled" and set "Color Depth" to "24 bit"

Click OK, then log in with the remote client. If the changes haven't been applied, reboot the server.

Rejoice with your new, shiny desktop icons and full 24-bit desktop.

OTP (one-time passwords) on Debian Squeeze SSH logins

Posted on October 21, 2010

So, you're out of your secret lair and now you need to log in from a computer you don't trust. After all, every computer you don't administer is most likely full of viruses, malware and probably even a hardware keylogger somewhere along the keyboard cord, right?

So you want to use a one-time password, so that even if someone snatches it, it has already been used and can never be used again.

Fortunately, one-time passwords on Debian is a breeze to set up.

apt-get install opie-server

This will install opie-server, which will drag along opie-client and libpam-opie as dependencies, unless you have them already.

Now you have to choose if you want one-time passwords for every single login, or only the ones happening over SSH

I wanted it only for SSH logins, so I edit /etc/pam.d/sshd (might be named just "ssh" in other distros)

At the bottom of the file, I appended:

auth sufficient pam_opie.so
auth required pam_deny.so

This will make your server first ask for your password, then ask for the one-time password if the password is correct. If you want it to not ask for your normal password, comment out the last line of the file, saying "@include common-auth"

"common-auth", in /etc/pam.d, is also the file you have to edit if you want one-time passwords for all logins, not just for SSH. Don't have sshd ask for your normal password if you also use that for FTP connections or other stuff which doesn't also require a one-time password. Your normal password should be unique.

Then you need to enable challenge response authentication in SSH, which is disabled by default in Debian Squeeze. Edit /etc/ssh/sshd_config and locate the line "ChallengeResponseAuthentication no" change this to "yes" and restart sshd

/etc/init.d/ssh restart

Next, all you have to do is set a passphrase for your one-time passwords:

opiepasswd -cf

-c is for console mode, -f is only needed if you're currently logged in remotely, to force opiepasswd to assume the connection is secure.

Enter the passphrase it asks for. This should be some sentence you can easily remember, preferably with upper and lower case and punctuation.

Now you're ready to try it. Connect, enter your password, watch the one-time password challenge appear:

ssh myserver.dhampir.no
Password:
otp-md5 498 sl8229 ext, Response:

You can generate the one-time passwords using any suitable tool. I use VeJOTP to generate the passwords on my Java phone, which is really neat, but you can also just use "opiekey" to generate passwords and print them out:

$ opiekey -n 10 498 sl8229
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Sorry, but you don't seem to be on the console or a secure terminal.
Warning: Continuing could disclose your secret pass phrase to an attacker!
Enter secret pass phrase:
489: BABY NAN GALL MONA WEST LUG
490: FEND DES WOO RACE BED AQUA
491: GET FAST HECK BELA NONE RAY
492: NINE SUCH CUNY ARID JUNO SOUR
493: DOTE DUG BRED WARN AWRY SAID
494: FAWN ABUT SAY KILL WAVE WATS
495: RASH AMES BLUE SAP DEE GAB
496: JACK DIRE LUCY ROOM JACK RENA
497: FLUE LOAM TICK LAMB ROWS BEST
498: GLIB ELBA POE OUCH ROW LEN

This command generates the 10 next passphrases, counting down from the requested one (498) based on challenge sl8229.

One-time passwords count downwards, because every key is based on the previous ones, and starting at the end of the list, you then can't calculate the "next" (previous) key.

Filed under: Howto's, Linux 1 Comment

Windows XP activation doesn’t pop up after repair or ghost

Posted on August 15, 2010

Also, how to log on without activating Windows :)

------------------------------------------------------------

Ghosted a machine to a new harddrive today, as the old one was failing.

Windows activation pops up on the first boot, as is to be expected, but when I clicked "Activate", nothing happened. The activation wizard simply wouldn't continue. And of course I couldn't get in and activate the system normally, because Windows didn't let me log on without activating. Gah!

The solution, it turns out, is the following:

  • Start the machine, while repeatedly hitting F8 from just after the initial BIOS image disappears
  • Choose "Safe-mode with command prompt"
  • When the command prompt appears, type "explorer" and press <enter>

You're in!

Now you need to (re-)install a hotfix, and Internet Explorer 8. Download them on another machine, and put them on a CD, a USB-stick, or whatever you have available. Install the hotfix first.

Hotfix KB946501: http://support.microsoft.com/default.aspx/kb/946501
Internet Explorer 8: http://www.microsoft.com/windows/internet-explorer/default.aspx

The files you need are called (for English Windows XP):
WindowsXP-KB946501-v2-x86-ENU (hotfix)
IE8-WindowsXP-x86-ENU (Internet Explorer 8)

Anyway, after they're installed, reboot and activate as usual.

Worked for me :)

Avoiding invalid commands in Bash history

Posted on June 24, 2010

To avoid having stuff like "ls" in my bash history, I added "ls" to the "HISTIGNORE" environment variable.
However, on late nights, the result of this, and my left and right hand becoming out of sync with each other when I'm tired, is that the entry "sl", which really doesn't do anything, started showing up in my history instead.

Now, invalid commands in bash result in two things. A message saying "command not found" and exit status 127.
The latter is interesting. We can use that to avoid having the invalid entries showing up in the history.

If you don't already have a bash PROMPT_COMMAND set, add this to .bashrc:

PROMPT_COMMAND="mypromptcommand"
function mypromptcommand {
}

That function will now be run every time your prompt is about to appear. Within it, we put this:

local exit_status=$?
# If the exit status was 127, the command was not found. Let's remove it from history
local number=$(history | tail -n 1 | awk '{print $1}')
if [ -n "$number" ]; then
    if [ $exit_status -eq 127 ] && ([ -z $HISTLASTENTRY ] || [ $HISTLASTENTRY -lt $number ]); then
        history -d $number
    else
        HISTLASTENTRY=$number
    fi
fi

What this does:

  • Gets the exit status of the last command
  • Gets the number for the latest entry in your history, if there is one
  • Checks if that entry was set to anything
  • If it was, we check if the exit status and see if it's 127. We also require the HISTLASTENTRY variable to be either unset or less than the number of the latest history entry. This means the command in question was either added to the history, increasing the number of entries already there, or it was the first command ever (empty history)
  • If the above is true, we delete the last history entry
  • Otherwise, we set the last history entry to the amount of entries we found, so we can check if it is increased next time.
Filed under: Howto's, Linux No Comments

Improve the mouse response and acceleration in Debian

Posted on March 4, 2009

Note: This information is now slightly outdated, as the patch is already in Debian Squeeze.

One of my biggest issues with moving from Windows to Linux as my desktop is how the mouse is handled in xorg. In xorg, the mouse had (and still has, in Debian Lenny) two settings for mouse speed: acceleration and threshold. Simply put, what these do is that whenever the mouse is moving faster than the threshold, it gets accelerated by the acceleration value, and otherwise it's unaccelerated.

While this may work for some people, I found it horribly annoying. Before anyone jumps up and bites me, I do know that I can set the threshold to 0 and get some sort of normal acceleration, but I hate that one too. Luckily, Simon Thum has come up with a solution.

His solution has been patched into the newer versions of xorg. The bug is available at freedesktop.org, and the latest patch is here. However, while this patch goes into version 1.4 or xorg without a hitch, the Debian (and probably Ubuntu) build system requires an additional change in the Makefile.in file.

In short, here's a howto for Debian Lenny on getting the new and much improved mouse handling in:

Become root

su (type root password)

First, make sure you've installed everything required to build stuff in the first place:

apt-get update && apt-get install build-essential fakeroot

Become a normal user again

exit

Make a temporary directory, cd to it, then get the sources for xserver-xorg-core

mkdir mousepatch
cd mousepatch
apt-get source xserver-xorg-core

apt-get will download the sources, extract them and apply the Debian-specific patches.
Next, we need all the build-dependencies. These are the libraries used in xserver-xorg-core, which we'll need to compile the source code.

apt-get build-dep xserver-xorg-core

Now make a backup of the source code (This is not strictly necessary, but I like to do so anyway before messing around with it. Saves doing another apt-get download.)

cp -r xorg-server-1.4.2 xorg-server-1.4.2-orig

Now we want to apply the mouse patch. You can either use Simon's original patch from the link above, or you can download a Debian-specific version of it here. This is the exact same patch as the one above, except it only fits into this specific source code, and it contains the changes to the Makefile.in file, which allows dpkg-buildpackage to successfully compile it.

LINK TO DEBIAN-SPECIFIC PATCH

cd xorg-server-1.4.2
patch -p1 <path to mouse patch>

Now build the package.

dpkg-buildpackage -rfakeroot

This will generate quite a few .deb files in the parent directory, and will probably also exit with a return value of 1, complaining it is unable to find Julien Christau's private key. You are most likely not Julien Christau, so you will not be able to sign the package as him. This is irrelevant, as we're not going to distribute this package anyway.

The only .deb you have actually changed is the one named xserver-xorg-core_1.4.2-10_i386.deb, so this is the one we want to install:

cd ..
su   (root password again)
dpkg -i xserver-xorg-core_1.4.2-10_i386.deb

Now, assuming all went well, you may restart X or reboot, whatever your preference, and enjoy your newfound mouse bliss. I actually prefer my new Linux mouse-setup to my dualbooted WinXP IntelliMouse drivers now.

To learn how to set up your new mouse acceleration, please refer to the developer documentation. For the record, these are the relevant lines from xorg.conf for my current setup:

Section "InputDevice"
    Identifier	"Configured Mouse"
    Driver		"mouse"
    Option		"Device"	"/dev/input/mice"
    Option		"Protocol"	"auto"
    Option		"Buttons"	"7"
    Option		"ButtonMapping"	"1 2 3 6 7"
    Option		"ZAxisMapping"	"4 5"
    Option		"AccelerationProfile" "1"
    Option		"VelocityScale" "10"
EndSection

Only the AccelerationProfile and VelocityScale is specific to this patch. Also, I use "xset m 18/10 0" to set my mouse speed.

Filed under: Howto's, Linux 3 Comments

Enlightened XFCE4

Posted on February 27, 2009

A howto stolen from http://ubuntuforums.org/showthread.php?t=101066 for later use. All credit to its writer, Iandefor.

ssh: how to permit root login only from local network / ip

Posted on October 22, 2008

From version 4.3p2, sshd supports an interesting option called Match. At the time of writing, this is the version supplied with Debian Etch (stable).

Filed under: Howto's Continue reading

Encrypted swap in Debian

Posted on October 18, 2008

So, you got your home directory encryopted, but you're not sure what sensitive material could end up in swap? After a long day of running a whole lot of applications and processes, many interesting things could potentially wind up there. So here's how to make sure that data is completely garbled after a reboot.

Filed under: Howto's Continue reading