From the Ports Tree

Copyright © 1998 Ian Darwin


In the first installment of this column, we described "ports" as a good way of getting third-party software off the Internet and onto your *BSD system. This installment describes two ported programs that I use a lot.

SSH

rlogin and telnet have long been the mainstay of "remote access" for UNIX and the Internet. But as we move to an ever-larger Internet, the chance of somebody eavesdropping on your conversation increases. And the consequences could be severe: the standard rlogin and telnet transmit everything, including your password, "in the clear", that is, unencrypted. The SSH (secure shell) protocol, created by Tatu Ylonen of Espoo, Finland, is a popular answer. SSH encrypts the entire conversation using one of several well-known ciphers, and it also checks the server's host key so that you notice if some other machine starts answering as "host2"; but its user interface is similar to that of rlogin. So on "host1" I can say ssh host2 and be logged in on host2. Somebody snooping packets can still see that host1 is talking to host2, but the contents, password included, are just a bunch of gibberish.

One of the neater features of ssh is its ability to "piggyback" additional connections over the single TCP connection. For example, once I've ssh'd into host2 from host1, I may find that my X11 DISPLAY variable has been set to host2:10. Now, no PC has that many physical displays. It looks like a valid display to X programs, but in fact display :10 maps to TCP port 6010 (6000 is the base port for X11, so display :N is port 6000+N). The ssh daemon on host2 is simply listening on port 6010; any X11 traffic that arrives there is piggybacked over the login connection back to the ssh client on host1, which hands it to the real X display on host1. Mostly, it works automagically, and you can create X windows where you really are.

Note that this is not limited to the X11 protocol; in principle it can be used with almost any TCP-based protocol. Here is a screendump; you'll have to translate "host1" as daroad, "Darwin's Road machine" (my notebook computer), and "host2" as darian, my server.

[screenshot: ssh session from daroad to darian, running xterm on darian; the new xterm appears in the foreground on daroad]

I ssh from daroad to darian and, when I'm logged in there, my DISPLAY has been set to "darian:10", which is a placeholder for the piggybacked X connection. As you can see by my prompt, the xterm I start up is running on darian - the machine I logged into - but is displaying on the machine I started on.
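To make the plumbing concrete, here is a small Python example written for this column; it is not code from the ssh distribution or from the original article, and its host names, ports and function names are assumptions. It does two things: maps a DISPLAY string such as "darian:10" to the TCP port the forwarder listens on, and runs a minimal TCP relay of the kind that sits at each end of an ssh port forward, accepting on one port and copying bytes both ways to the real service. The relay runs in plaintext inside one process, with a constructed echo server standing in for the X server; real ssh carries those bytes between the two hosts inside the encrypted session, so this shows only the forwarding step, not the encryption.

```python
"""Forwarding plumbing, as an added example for this column.

Not code from ssh or from the original article.  Two pieces:
  1. x11_port(): the DISPLAY string -> TCP port rule ("darian:10" -> 6010).
  2. start_relay(): a tiny TCP relay like the one at each end of an ssh
     forward: accept on one port, connect to the real service, copy bytes
     both ways until each side closes.
The relay here is plaintext inside one process; in real ssh the two halves
live on different hosts and the bytes between them ride the encrypted
session.  Hosts, ports and names below are assumptions for the example.
"""
import socket
import threading

X11_BASE_PORT = 6000  # display :0 listens on TCP 6000, :1 on 6001, and so on


def x11_port(display):
    """Return the TCP port for a DISPLAY such as "darian:10", ":0" or "daroad:0.1".

    The number after the colon is the display number; a ".screen" suffix
    selects a screen on that display and does not change the port.
    """
    _host, sep, rest = display.rpartition(":")
    if not sep or not rest:
        raise ValueError("DISPLAY has no display number: %r" % display)
    display_num = int(rest.split(".", 1)[0])
    if display_num < 0:
        raise ValueError("negative display number in %r" % display)
    return X11_BASE_PORT + display_num


def _pump(src, dst):
    """Copy bytes src -> dst until src sends EOF, then pass the EOF on to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # half-close so the other direction can drain
        except OSError:
            pass


def start_relay(listen_port, target_host, target_port, max_conns=None):
    """Accept on 127.0.0.1:listen_port and relay each connection to the target.

    Returns (port, thread); pass listen_port=0 to let the kernel pick a free port.
    max_conns limits how many connections are served (None = serve forever).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", listen_port))
    listener.listen(5)
    port = listener.getsockname()[1]

    def serve():
        served = 0
        while max_conns is None or served < max_conns:
            client, _ = listener.accept()
            served += 1
            try:
                upstream = socket.create_connection((target_host, target_port))
            except OSError:
                client.close()  # real service not there: drop this client, keep serving
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
        listener.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def start_echo_server():
    """Constructed stand-in for the X server: echoes one connection, then exits."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)

    def run():
        conn, _ = server.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
        server.close()

    threading.Thread(target=run, daemon=True).start()
    return server.getsockname()[1]


def demo(payload=b"hello from darian"):
    """Send payload through relay -> echo server and return what comes back."""
    echo_port = start_echo_server()
    relay_port, _ = start_relay(0, "127.0.0.1", echo_port, max_conns=1)
    with socket.create_connection(("127.0.0.1", relay_port), timeout=10) as conn:
        conn.sendall(payload)
        conn.shutdown(socket.SHUT_WR)  # done sending; now wait for the echo and EOF
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    print("darian:10 ->", x11_port("darian:10"))
    print(demo())
```

The half-close in _pump is the detail worth noticing: when one side finishes sending, the relay passes only the EOF along and keeps the other direction open, so a protocol that sends a request and then waits for the reply still works through the forward.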

There is now a commercial version but, as a credit to its UNIX background, there's a free version for UNIX. The SSH2 protocol has also been submitted to the IETF as a series of Internet-Drafts. Good software, free in source: that's your cue. Look for it in the Ports tree. In OpenBSD, it's in /usr/ports/security/ssh. In other operating systems, it'll be in a similar place. To install it, cd to the appropriate ports directory and run make install; for more information, check out the SSH Home Page.

Zap

Here's a smaller program to wind down with. A common operation on UNIX is to find a process by name, look up its process id number or PID, and send the process a signal such as TERM to terminate it. Many little programs have been written to combine these steps. Among the oldest is the zap program, from the 1984 book by Kernighan & Pike, The UNIX Programming Environment. This book, BTW, predates dirent and belittles screen editors, but most of its advice is still current.

K&P zap just runs "ps" for you with the right options and looks through the output for the string you gave. For each line where it's found, the ps output line is printed as a prompt and, if you type y, the process is sent a TERM signal. For example, if you have a berserk xterm, you can type zap xterm and might see something like

      PID TT  STAT    TIME COMMAND
    15240 ??  S     0:04.12 xterm ? n
    22827 ??  I     0:58.50 xterm -e /usr/local/libexec/watchlog ? y
    25160 ??  I     0:01.17 xterm ? n

(the "?" is zap's prompt, and the n or y after it is what you typed). And immediately the xterm that is watching your system logfiles disappears.

Options could be added by the C programmer. I once had a version with '-s' to provide different signal numbers and '-y' (for yes, like fsck) to automatically send the signal without the prompt. I'll try to get these changes in by the time this DaemonNews article hits the streets.
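As an illustration of what zap does, here is a Python re-implementation written for this column; it is not the K&P program nor the version in the OpenBSD port, and its option and function names are my own. It follows the same steps (run ps, match each line, prompt with that line, send the signal on y), adds the -s and -y options described above, and handles two things a naive ps | grep | kill pipeline gets wrong: it never signals its own process, which also appears in the ps listing because its argument contains the pattern, and it treats the pattern as a regular expression so you can anchor the match instead of killing every command that merely contains "xterm". The sample ps output embedded in it is constructed after the listing above.

```python
"""zap in Python: an added example for this column, not the K&P program
nor the version in the OpenBSD port.  Same idea: run ps, look for the
pattern in each line, prompt with that line, and signal the process if
you answer y.  Adds -s SIGNAL and -y, skips its own process (ps lists
zap itself, whose argument contains the pattern), and treats the
pattern as a regular expression so it can be anchored.
"""
import argparse
import os
import re
import signal
import subprocess
import sys

# Constructed sample, modelled on the listing above (without the "? n" prompts).
SAMPLE_PS = """\
  PID TT  STAT    TIME COMMAND
15240 ??  S     0:04.12 xterm
22827 ??  I     0:58.50 xterm -e /usr/local/libexec/watchlog
25160 ??  I     0:01.17 xterm
"""


def parse_ps(ps_output):
    """Turn ps output into (pid, line) pairs; the header and odd lines are skipped."""
    procs = []
    for line in ps_output.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0].isdigit():
            procs.append((int(fields[0]), line))
    return procs


def signal_number(name):
    """Accept "TERM", "SIGTERM" or "15" and return the signal number."""
    if name.isdigit():
        return int(name)
    key = name.upper()
    if not key.startswith("SIG"):
        key = "SIG" + key
    try:
        return int(getattr(signal, key))
    except AttributeError:
        raise ValueError("unknown signal: %s" % name)


def zap(pattern, sig="TERM", assume_yes=False,
        ps_output=None, ask=input, kill=os.kill):
    """Signal every process whose ps line matches pattern; return the PIDs signalled.

    ps_output, ask and kill can be injected so the logic can be exercised
    on a canned listing without killing anything.
    """
    if ps_output is None:
        ps_output = subprocess.run(["ps", "-ax"], capture_output=True,
                                   text=True, check=True).stdout
    signum = signal_number(sig)
    regex = re.compile(pattern)
    me = os.getpid()
    signalled = []
    for pid, line in parse_ps(ps_output):
        if pid == me or not regex.search(line):
            continue  # never zap ourselves; skip non-matching lines
        if not assume_yes and ask(line + " ? ").strip().lower() != "y":
            continue
        try:
            kill(pid, signum)
            signalled.append(pid)
        except ProcessLookupError:
            pass  # gone already, e.g. the ps child that listed itself
        except PermissionError:
            print("zap: not permitted to signal %d" % pid, file=sys.stderr)
    return signalled


def main(argv=None):
    p = argparse.ArgumentParser(description="kill processes by name, with confirmation")
    p.add_argument("-s", dest="sig", default="TERM", help="signal name or number")
    p.add_argument("-y", dest="assume_yes", action="store_true", help="do not prompt")
    p.add_argument("pattern", help="regular expression matched against each ps line")
    a = p.parse_args(argv)
    return 0 if zap(a.pattern, a.sig, a.assume_yes) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as zap xterm to get the prompting behaviour shown in the listing, zap -y -s HUP watchlog to signal without asking, or zap 'xterm$' to hit only the bare xterms and leave the one running watchlog alone. The default signal stays TERM rather than KILL so the process gets a chance to clean up; reach for -s KILL only when TERM is ignored.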

In the OpenBSD ports tree, look in /usr/ports/sysutils/zap. On the other BSD systems, to which I presume it will get migrated, look in the corresponding ports or pkgsrc tree. If you want to look at a port's source without building it, you can type "make patch", which will download, checksum, extract, and patch, but not build. The original K&P version of zap is in there (with permission of Bell Laboratories), along with some of my changes. There's also a version that reads /proc instead of running ps to find the process(es). It's very fast, but it's for Solaris 2 and hasn't been adapted to *BSD. This is left as an exercise for the reader, if you're a BSD developer.

These are two programs that I use very often. They're free, they're useful, and they're easy to install. That's the beauty of The Ports Tree.

Ian Darwin, ian@darwinsys.com