Archive for the ‘Networking’ Category

Speeding up the Web: a new protocol

14 November 2009 ddouthitt

Google has revealed a new protocol, SPDY, that has come out of a research project to speed up HTTP, the protocol that carries the Web. The speed increase is amazing, and sorely needed.

There is already a development version of Google’s Chrome browser available that supports SPDY; the branch is code-named Flip.

This new protocol requires a modified web server; this will be forthcoming from Google in the future. This is an exciting development that bears watching.

Categories: Networking

OpenVMS and Network Information

21 June 2009 ddouthitt

If you don’t know where to look, OpenVMS networking information can seem to be confined inside a mysterious black box. It doesn’t have to be.

The ANALYZE command can provide a lot of good information. Be sure to have a large enough scroll-back buffer on your terminal when you do this:


$ ANALYZE /SYSTEM
SDA> SHOW LAN /FULL

You can also find out a lot of good information in a hurry with the LANCP command:


$ RUN SYS$SYSTEM:LANCP
LANCP> SHOW CONFIGURATION

You can also look up information using the TCPIP command:


$ TCPIP
TCPIP> ifconfig -a

However, while this information is all good, it isn't complete without marking the back of the computer in some way so that you know which port is which. If you have to, you can hook up a laptop with a network cable and watch the traffic: the DECnet clustering traffic is such that you'll see it on every active interface, which provides you with the MAC address for that port.

Business Card Ideas

You don’t need a business to have a business card; if you have a card, you can hand it out to colleagues and to friends and family as necessary. You can use a card to give your personal details out, or to keep your network updated with your information, or as a “note card” if you miss someone.

The Freelance Switch blog had a nice article on business cards, and on some fantastic designs they’ve found. These designs come from a site that is like Flickr for designers: Creattica. Specifically, Creattica has a gorgeous section for business cards.

What a tremendous congregation of creativity! Your imagination will be sparked: I guarantee it.

Categories: Career, Networking

Enabling NFS Services on HP-UX

13 December 2008 ddouthitt 2 comments

This article is a very concise description not only of enabling the HP-UX NFS server, but also configuring it and testing it.

However, it is for HP-UX 11.23 (11i v2); the current version is 11.31 (or 11i v3). Things may be slightly different with 11i v3.

Categories: HP-UX, Networking

BarCamp Chicago 2008: Afterword

18 August 2008 ddouthitt 2 comments

BarCamp Chicago wrapped up nicely yesterday with a number of talks. There was a talk about Python (I still don’t get why folks aren’t using Ruby, but that’s just me), an open source hardware project demo, a talk on wikis, a talk on CouchDB – very nice indeed.

The open source hardware project is called Arduino and is available prebuilt for a minimal price (about US$30 to US$40) – though you could build it yourself if you like (the diagrams are online and available to all). An accelerometer was attached to the Arduino device (which was attached to the computer via USB) and the outputs printed out on the console.

The wiki talk covered what it took to install a wiki and the speaker’s experience with wikis (and MediaWiki in particular).

The CouchDB talk discussed CouchDB (which was particularly pertinent, because it runs using Erlang, discussed earlier). CouchDB is a database which is based on documents and uses RDF for everything, and which can be spread out among a set of computers quite easily. Note that it is not relational, and it is not object-oriented either.

And of course, what is BarCamp Chicago without Ron May?

BarCamp Chicago

15 August 2008 ddouthitt

I’ll be at BarCamp Chicago this weekend; why not join us there? I’ll be speaking about GNU Screen on Saturday.

I plan to post entries directly from BarCamp; we’ll see how it goes. Of course, my laptop is a tad more advanced than last time – now it’s a Pentium III Compaq Armada E500 with FreeBSD 6.3 loaded (and a complete graphical KDE environment).

Looking forward to seeing you there!

Do you need a reminder? Send a message to HitMeLater at the address hours@hitmelater.com (such as 24@hitmelater.com) and they’ll send your message back to you. The address dayofweek@hitmelater.com also works: wednesday@hitmelater.com will resend on the next Wednesday after today.

Getting a network interface to function

13 June 2008 ddouthitt

When bringing up a machine, and having to debug network connectivity, there is no substitute for being able to look at network traffic on the wire. Be aware that sniffing traffic can be fatal to your employment and perhaps your career if you do not follow the approved practices in your environment. If you do have the permission to perform network sniffing, it is an invaluable asset for debugging network problems.

One thing to be aware of, especially when not using UNIX or Linux, is that TCP/IP is an add-on protocol for other environments such as Windows and OpenVMS.

What can you determine from sniffing the network traffic?

  • Is the system sending out traffic at all?
  • What is the actual MAC address of the interface?
  • Are ARP requests going out?
  • Is DHCP being used? Is it failing or succeeding?
  • Is DNS being used? Is it failing or succeeding?
  • Is ping working? Are replies being received?

There are many other things that can be answered through looking at the network traffic. At its most basic (if network connectivity is the problem), the server can be disconnected and traffic looked at from the switch (with the normal cable) and from the server (using a cross-over cable).

With this information, it may be possible to clear up many network connectivity problems.
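The checklist above can be answered mechanically once frames have been captured. The following is an added example, not code from the original post: it classifies raw Ethernet II frames and reports which of the post's questions a capture answers for one host. The function names, the MAC addresses and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

def classify(frame: bytes):
    """Return (source MAC, label) for one Ethernet II frame."""
    if len(frame) < 14: return None, "truncated"
    src, ethertype = frame[6:12].hex(":"), struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806 and len(frame) >= 22:             # ARP opcode
        op = struct.unpack("!H", frame[20:22])[0]
        return src, {1: "arp-request", 2: "arp-reply"}.get(op, "arp-other")
    if ethertype != 0x0800 or len(frame) < 34: return src, "other"
    ihl = (frame[14] & 0x0F) * 4                             # IPv4 header length
    proto, l4 = frame[23], frame[14 + ihl:]
    if proto == 1 and l4:                                    # ICMP type byte
        return src, {8: "ping-request", 0: "ping-reply"}.get(l4[0], "icmp-other")
    if proto == 17 and len(l4) >= 4:                         # UDP ports
        sport, dport = struct.unpack("!HH", l4[:4])
        if {sport, dport} == {67, 68}:
            return src, "dhcp-client" if sport == 68 else "dhcp-server"
        if 53 in (sport, dport):
            return src, "dns-query" if dport == 53 else "dns-response"
    return src, "ip-other"

def checklist(frames, host_mac):
    """Answer the post's questions for the host whose MAC is host_mac."""
    sent, seen = Counter(), Counter()
    for f in frames:
        src, kind = classify(f)
        (sent if src == host_mac else seen)[kind] += 1
    return {
        "host is sending": sum(sent.values()) > 0,
        "ARP requests going out": sent["arp-request"] > 0,
        "DHCP answered": sent["dhcp-client"] > 0 and seen["dhcp-server"] > 0,
        "DNS answered": sent["dns-query"] > 0 and seen["dns-response"] > 0,
        "ping answered": sent["ping-request"] > 0 and seen["ping-reply"] > 0,
    }

# Constructed sample frames (not a real capture): one host, one gateway.
HOST, GW = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
def _eth(dst, src, etype, payload): return dst + src + struct.pack("!H", etype) + payload
def _ip(proto, l4): return bytes([0x45, 0]) + bytes(7) + bytes([proto]) + bytes(10) + l4
def _udp(sp, dp): return struct.pack("!HHHH", sp, dp, 8, 0)
SAMPLE = [
    _eth(b"\xff" * 6, HOST, 0x0806, bytes(6) + struct.pack("!H", 1) + bytes(20)),
    _eth(b"\xff" * 6, HOST, 0x0800, _ip(17, _udp(68, 67))),     # DHCP from host
    _eth(HOST, GW, 0x0800, _ip(17, _udp(67, 68))),              # DHCP reply
    _eth(GW, HOST, 0x0800, _ip(17, _udp(40000, 53))),           # DNS query, no answer
    _eth(GW, HOST, 0x0800, _ip(1, bytes([8, 0, 0, 0]) + bytes(4))),  # ping, no reply
]
```

Calling `checklist(SAMPLE, HOST.hex(":"))` shows a host that transmits and gets a DHCP answer but never sees a DNS response or a ping reply. VLAN-tagged (802.1Q) frames are labelled "other" by this sketch.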

Securing your network traffic

1 April 2008 ddouthitt

If you want to start some exciting discussion in a security forum, just say you use telnet: you’ll find that every admin knows that telnet is insecure, that one should use OpenSSH or similar to encrypt the traffic, and that telnet should be banned from the server environment entirely.

However, telnet is not the only service that transmits its passwords in the clear. There are a lot of others. Here’s a list I came up with:

  • FTP
  • HTTP
  • IMAP
  • IPP
  • LDAP
  • LPD
  • NFS
  • POP3
  • rsync
  • SMTP
  • SNMP
  • syslog
  • VNC
  • X11
  • XDMCP

I won’t cover all of these here (more about these items can be found in my book) but I do want to cover just a few.

Consider, for example, the mail protocols: SMTP, POP3, and IMAP. SSL encryption is available with all three – but do you use it? And what about your logins to your mailbox at your ISP? Every time you log in, your password to your mailbox goes across the wire in the clear.

What about NFS – particularly NFS home directories? If you have unencrypted secrets in your home directory, then these items will be transmitted across the network in the clear as well. What about private SSH keys? Unfortunately, there is no way to encrypt NFS traffic.

VNC is another one to watch for: if you type passwords for your root logins over VNC – even if you are using SSH in your VNC session – the passwords are in the clear. The only way to secure VNC entirely is to use an SSH tunnel to encrypt it.

X11 is insecure in the same way, but presents special problems. However, OpenSSH handles X transparently through the use of special tunnels just for X.

syslog is another unencrypted service; do you have passwords put into the system logs? What about secret doings of your servers? How much information leakage can you handle? Unfortunately, syslog is another service that cannot be secured unless you use something such as syslog-ng which permits you to use TCP (and thus, an OpenSSH tunnel).
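A quick way to see which of the services listed above a Linux host is actually offering, and whether each is reachable from the network or only through a local tunnel endpoint. This is an added example, not code from the original post: it assumes the column layout of `ss -H -ltnu`, uses the standard port assignments for these services (the post gives none), and runs on constructed sample output.

```python
import ipaddress

# Standard ports for the cleartext services named in the post (assumed, not from the post).
CLEARTEXT = {("tcp", 21): "FTP", ("tcp", 23): "telnet", ("tcp", 25): "SMTP",
             ("tcp", 80): "HTTP", ("tcp", 110): "POP3", ("tcp", 143): "IMAP",
             ("tcp", 389): "LDAP", ("tcp", 515): "LPD", ("tcp", 631): "IPP",
             ("tcp", 873): "rsync", ("tcp", 2049): "NFS", ("udp", 161): "SNMP",
             ("udp", 177): "XDMCP", ("udp", 514): "syslog"}

def service(proto, port):
    """Map a listener to one of the post's cleartext services, or None."""
    if proto == "tcp" and 5900 <= port <= 5999: return "VNC"   # 5900 + display
    if proto == "tcp" and 6000 <= port <= 6063: return "X11"   # 6000 + display
    return CLEARTEXT.get((proto, port))

def is_loopback(addr):
    """True only for 127.0.0.0/8 or ::1; wildcards count as exposed."""
    addr = addr.strip("[]").split("%")[0]
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:                 # "*" or anything unparseable
        return False

def audit(ss_output):
    """Return (service, local address, exposure) for each cleartext listener."""
    findings = []
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp"): continue
        addr, _, port = f[4].rpartition(":")
        if not port.isdigit(): continue
        name = service(f[0], int(port))
        if name:
            scope = "loopback-only" if is_loopback(addr) else "exposed"
            findings.append((name, f[4], scope))
    return findings

# Constructed sample of `ss -H -ltnu` output (not from a real host).
SAMPLE = """\
tcp   LISTEN 0 128 0.0.0.0:21      0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:5901  0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:514     0.0.0.0:*
tcp   LISTEN 0 128 [::]:143        [::]:*
tcp   LISTEN 0 128 [::1]:6010      [::]:*
"""
```

A "loopback-only" VNC or X11 listener is what an SSH-tunnelled setup looks like from the host; an "exposed" one is carrying its traffic over the wire as the post describes. The port number alone cannot tell whether an SMTP, IMAP or HTTP listener also offers SSL, so treat those findings as items to check rather than confirmed problems.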

Adjusting TCP for high performance

1 February 2008 ddouthitt 2 comments

The Pittsburgh Supercomputing Center (PSC) has a nice writeup on their research into adjusting TCP parameters in order to maintain a high throughput on a system.

The article is constantly being updated, and in addition to general principles, provides specific instructions on adjusting the network stack parameters on FreeBSD, Linux, MacOS X, Solaris, Windows XP, and even more! However, despite the breadth of coverage (including Netware 5 and HP-UX 9 and up) there is no coverage of OpenVMS. This can perhaps be forgiven considering the newness of TCP/IP on OpenVMS.

I’ll be implementing this in FreeBSD on my laptop shortly and I’ll let you know how this goes. HP-UX details and Linux details will follow as I experience them.

Categories: Networking

Using Linux with OpenVMS (and DECnet)

28 November 2007 ddouthitt 1 comment

Recently, I had the chance to get a book that described how to make OpenVMS work with Linux.  Unfortunately, the entire book was 1) a list of screen-shots, and 2) about how to get OpenVMS 7 to act like (or interact with) Red Hat 7.

I was hoping for more details, and so on.  I was also hoping for documentation on how to get Linux to support OpenVMS networking and data and so forth.  The biggest project in this area is the Linux DECnet project, which wasn’t mentioned even once.

Well… I went looking. I’m not an OpenVMS wizard (yet!) but there are many tools that seem to be quite nice, though many of them aren’t maintained any longer:

Support for DECnet is now included in the kernel, though the Linux DECnet Project still has some excellent documentation like this DECnet FAQ.  There is a nice (though old) article about DECnet from Linux Journal.

Remember: I can’t vouch for any of these – it just seemed to me that projects like these are not likely to be known, and I wanted to get them out there.

One aside: it turns out there is a shop that provides VAX emulators, PDP-11 emulators, and Alpha emulators for running OpenVMS on Windows: Salem Automation Incorporated is probably best known for CHARON-VAX, though they have all of the others as well. There is a personal version of the CHARON Alpha Emulator.  Again, I can’t vouch for them, but I do know that CHARON-VAX in the past seems to have been quite popular and well respected – but your experience may vary.