Letters to the Editor

Various

Issue #85, May 2001

Readers sound off.

Tech Tipsy

The Tech Tip on page 16 [Linux Journal, March 2001] is great! Unfortunately, your tech ignored least common multiples and lowest common denominators. With the numbers given in paragraph five, you will fsck all four filesystems every 15th reboot, making the problem worse than the default scenario.

A better approach is to use prime numbers like 13, 17, 19 and 23. This way, you won't fsck two filesystems until the 221st reboot (13*17), and you won't fsck all four filesystems until the 96,577th reboot. Assuming an average uptime of 90 days (bad hardware, security updates), this is in the year 25,814.

—George Toft

Awkward Solution

I found Mick Bauer's proposed solution on page 33 [“Paranoid Penguin”, March 2001] a bit awkward at best. Renaming a start script this way will result in a failure if you upgrade. (For example, ude to a security fix in the package.)

The preferred way for Red Hat Linux is to use chkconfig. So the sample should be:

chkconfig named off

For other distributions, you should move it to K70named (that is 100-n) or use whatever system that distribution uses.

—Hugo van der Kooij

Bauer replies: You are of course correct, chkconfig is the preferred way to manage startup-scripts in Red Hat. I didn't know this, having only recently switched from SuSE to Red Hat. But “awkward”? My way is common practice on most of the SysVInit implementations I deal with, including SuSE (unless SuSE 7.1 is different—haven't tried it yet). Regardless, I consider this a minor point: any upgrade “failure” caused by my method would be easy to fix. The only such weirdness I've experienced myself has been the occasional creation of redundant symbolic links, which I'd hardly categorize as a failure.

Mandrake 7.2 Review

I am greatly concerned about the review of Mandrake 7.2 found in the March 2001 issue. To cut to the chase, Mandrake works almost flawlessly out of the box, and many of the problems were as a result of the reviewer trying to install Helix GNOME on top of the Distribution (Helix GNOME has known errors and does not support Mandrake7.2). Taking screen shots in the GIMP does work out of the box, just not with the Helix version, which was obviously tacked on after the fact. The lack of a back button is absolutely false because the installer does not need a back button. (The installer screen has icons on the side which allow you to jump to any point in the install and shows you where you are in the installation.)

The sidebar says that Mandrake includes Helix GNOME; this is false. It does include GNOME, but not Helix. In fact, Helix does not even support Mandrake 7.2 (but it does support earlier versions).

I personally run Mandrake 7.2 both at work and at home, out of the box, and it runs almost flawlessly (though there are a few minor issues, but updates are available). I have also tried the GNOME formerly known as Helix on one of my 7.2 machines and found that it did break many things. The point is, Mandrake 7.2 worked fine out of the box and only started breaking after adding Helix GNOME!

—Chris Hendrickson

Black replies: As clearly stated in the article, the review I did was, evidently and provably, not of the final released version. I twice inquired of Mandrakesoft regarding this and they would not answer my e-mail. None of the Helix/Ximian problems evaporated with a clean, Helix/Ximian-free installation, and while the stars on the left side of the screen do work as back buttons, this sure isn't obvious to the Mandrake newbie. I have heard some wonderful things about the actual release version of Mandrake. I'm thinking about downloading it and putting it on a server, as it seems to work especially well in that capacity. Its security is well-noted. But as a reviewer, I can only work with what is sent. I can do the research, ask the questions (or try to), etc., but I can't say “well, gee, this is marvelous” if I can't run the software in a normal fashion. I have a rule for developing software: if I can break software with my innocuous little system, then that software probably needs fixing anyway.

OpenSSH and DSA Keys

Mick Bauer's “The 101 Uses of OpenSSH: Part 2” [February 2001] is an excellent article with a small flaw. He writes: “To specify a particular key to use in either an ssh or scp session, use the -i [flag].” He also provides an example that suggests the use of DSA keys.

However, OpenSSH did not support the use of DSA keys with the -i flag until the very latest version (2.5.1, released just four days ago). Earlier versions silently ignored the DSA key indicated (RSA keys work just fine). Hence, anyone trying that example will see ssh mysteriously default to password authentication every time.

This limitation is actually documented in the ssh man page. Versions prior to 2.5.1 said:

-i identity_file<\n>
  Selects the file from which the identity
  (private key) for RSA authentication is read. [...]

Version 2.5.1, of course, says “...RSA or DSA...”. However, it's easy for even experienced users to miss the distinction—I certainly did the first few times.

—Adrian Ho

Missed the Tripwire

In the article “Designing and Using DMZ Networks ...” [March 2001] Mick Bauer covered ways of securing DMZ hosts. In my opinion he missed a simple but very efficient tool to detect intruders at DMZ hosts or firewalls: Tripwire. It calculates checksums for all files on the system and stores these fingerprints in a database. Doing a compare run against this database in regular intervals (cron), it is easy to detect changes. If somebody modified /bin/login, /etc/passwd or installed other back doors, you will realize it at least after the next compare run. The key is to store Tripwire itself and the initial database on read-only media (e.g., CD-ROM) to prevent modifications. There is no way in doing the same with diff, as mentioned in the article.

Tripwire is commercial software now, but there is a GNU GPL edition for Linux available at www.tripwire.org and www.tripwire.com/. There is another GPL'd software dealing with the same subject, but I never tried it. It is at www.cs.tut.fi/~rammer/aide.html.

Another issue is the design of the DMZ shown in Figure 2. I wouldn't recommend having all hosts in a single DMZ. If you are using three different boxes for doing the job, you should use three DMZs as well . If one of the machines is compromised by an intruder, he has to cross the firewall again to attack the others. So fill up your firewall with additional NICs and use crossed cables—you won't need a switch either.

Regards

—Markus Hogger

FAT Problems

I enjoyed Robin Rowes' article, “Debian Multiboot Installation” LJ, March 2001, but have a couple of points to make about it. In the part about running rawrite2.exe, it is implied that you can't run this program from a FAT32 partition. This is wrong; the versions of DOS that come with Win98 (and Win95 OSR2) know about FAT32 (but not long filenames); otherwise, they wouldn't be able to boot Windows from a FAT32 partition either. Perhaps the author had FIPS (the DOS repartitioning tool) in mind at the time, the original versions of which cannot handle FAT32.

A discussion of the problems with WindowsME would have been useful. This is basically Windows98 with a flashier GUI and other useless features, except Microsoft tried as hard as possible to stop you from running its DOS in “real” (16-bit) mode, mainly by nobbling the FORMAT and SYS commands and removing the options for starting or restarting in DOS mode.

To boot to DOS in WindowsME, create a startup floppy from Control Panel --> Add/Remove Programs --> Startup Disk. If you reboot the PC from this floppy and select the Minimal Boot option, you will end up at a DOS prompt from which you can change to drive C: and run the rawrite2.exe program as instructed in the article. Alternatively, you could get your own back on Microsoft by nobbling the startup floppy to get CD support and a DOS prompt without any of that Windows recovery malarkey. (The easiest way is just to rename the AUTOEXEC.BAT file.)

Also, a lot of the pathnames in the article use forwardslashes instead of backslashes.

—Ian Abbott

Rowe replies: You are correct that covering WinME would have been nice. The only reason I didn't was I don't have a copy and didn't want to buy one. Thanks for the nice notes on how to use it. Another interesting approach that I haven't tried is using WinImage to create the Debian floppies. I think you are right about being able to see a FAT32 partition when booting from a newer DOS. I haven't tried that in a long time, since I generally prefer FAT16 or NTFS partitions. I should have created a FAT32 partition to test that, but was in a rush to complete the article and didn't. Thanks for the correction. I've never used FIPS. Forwardslashes are correct in UNIX or Windows, although Windows persists in defaulting to backslashes. Using forwardslashes everywhere is a habit I picked up in writing portable code. Unfortunately, that only works with UNIX and Windows. The Mac doesn't like slashes (forward or back). Darwin will, I hope, change that. If you go to the file search box in Win2k, for instance, and use forwardslashes, that works fine. The one place it won't accept forwardslashes is at the DOS command prompt.