With the introduction of OpenSSH 4.3p2, Darren Tucker introduced the “Match” keyword. This super nifty keyword can be used to limit features to specific users, hosts and groups, and allows administrators to enforce granular feature access (e.g., key-based authentication can only be used from specific hosts or subnets). To use the Match feature, the Match directive needs to be added to the sshd_config configuration file with a criterion to enforce, and a set of directives to allow or deny. The criterion can be either “User,” “Group,” “Address,” or “Host,” and wildcards are supported when the Host criterion is used. The following example shows how the Match keyword can be used to limit TCP port forwarding and X11 port forwarding to the user stew:
AllowTcpForwarding no
X11Forwarding no

Match User stew
    AllowTcpForwarding yes
    X11Forwarding yes
The full list of directives that are supported inside a Match block is listed in OpenSSH bug #1180. This is an incredible feature, and something I have wanted for years. Thanks Darren for adding this!
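To check which settings a given connection ends up with once Match blocks are applied, the resolution order can be modelled in a few lines. This is an added example, not code from OpenSSH or from the original post: it is a simplified model (no negated patterns, no Include), and the Address block, the 192.0.2.0/24 subnet and the user alice are constructed for illustration.

```python
import fnmatch
import ipaddress

# Constructed sample: the post's config plus one Address block (an assumption).
SAMPLE_CONFIG = """\
AllowTcpForwarding no
X11Forwarding no

Match User stew
    AllowTcpForwarding yes
    X11Forwarding yes

Match Address 192.0.2.0/24
    X11Forwarding no
    PasswordAuthentication no
"""

def _criterion_ok(kind, patterns, conn):
    """True if any comma-separated pattern matches the connection attribute."""
    kind = kind.lower()
    for pat in patterns.split(","):
        if kind == "address" and "/" in pat:
            if ipaddress.ip_address(conn["address"]) in ipaddress.ip_network(pat):
                return True
        elif kind == "group":
            if any(fnmatch.fnmatchcase(g, pat) for g in conn.get("groups", [])):
                return True
        elif fnmatch.fnmatchcase(conn.get(kind, ""), pat):
            return True
    return False

def effective_settings(config_text, conn):
    """Return {keyword: value} in force for one connection (keys lowercased)."""
    global_opts, match_opts = {}, {}
    target, active = global_opts, True
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, _, args = line.partition(" ")
        if keyword.lower() == "match":
            words = args.split()
            # Every criterion on the Match line must be satisfied.
            active = all(_criterion_ok(k, p, conn)
                         for k, p in zip(words[0::2], words[1::2]))
            target = match_opts
        elif active:
            # The first value obtained for a keyword wins, so an earlier
            # matching block is not overridden by a later one.
            target.setdefault(keyword.lower(), args.strip())
    # Values from satisfied Match blocks override the global section.
    return {**global_opts, **match_opts}
```

On a real server, `sshd -T -C user=stew,host=client.example.com,addr=192.0.2.10` prints the settings sshd itself resolves for that connection, which is the authoritative check.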
OpenBSD has a number of nifty utilities, and I happened to come across the systat(1) utility this weekend while looking for an executable in /usr/bin. Systat prints out performance data in an ncurses display, and can be used to view CPU saturation, I/O statistics, swap utilization, netstat data, and MBUF and network interface utilization. The utility takes the metric to display as an argument, and allows an interval to be used to control how often data is displayed:
$ systat iostat 5
/0 /1 /2 /3 /4 /5 /6 /7 /8 /9 /10
Load Average >
/0 /10 /20 /30 /40 /50 /60 /70 /80 /90 /100
cpu user|
nice|
system|
interrupt|X
idle|XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
/0 /10 /20 /30 /40 /50 /60 /70 /80 /90 /100
wd0 Kps|
tps|
I absolutely love UNIX, BSD and Linux systems. There are so many nifty tools available for these operating systems, and it’s a h00t when you come across a new utility that you didn’t previously know about. Shibby!
On Linux and Solaris systems, the confstr() function and the sysconf() and pathconf() system calls can be used to programmatically retrieve system, file and path limits. Periodically I need to view the value of a variable returned by sysconf(), pathconf() or confstr() from the command line. When these situations arise, I turn to the getconf utility. Getconf accepts a system variable name as an argument, and returns the value assigned to that variable:
$ getconf LONG_BIT
32
Getconf can also be invoked with the “-a” option to display all system and path variables along with their values:
$ getconf -a | more
AIO_LISTIO_MAX: 4096
AIO_MAX: undefined
AIO_PRIO_DELTA_MAX: 0
ARG_MAX: 1048320
ATEXIT_MAX: undefined
BC_BASE_MAX: 99
BC_DIM_MAX: 2048
BC_SCALE_MAX: 99
BC_STRING_MAX: 1000
CHARCLASS_NAME_MAX: 14
CHAR_BIT: 8
CHAR_MAX: 127
CHAR_MIN: -128
[ ..... ]
This is a useful utility, and is installed in /usr/bin on all the Linux and Solaris hosts I tested.
The watchdog daemon (watchdogd) was introduced in OpenBSD 3.8, and can be used to help machines automatically recover from system hangs. If the OpenBSD hardware watchdog daemon is enabled, it will periodically update the hardware watchdog timer built into the system. If this timer is not reset for a period of time, the hardware will reset itself. The watchdog daemon is not enabled by default, and can be enabled (assuming OpenBSD can find a watchdog timer in your system) by adding a pair of empty quotes to the watchdogd_flags variable in /etc/rc.conf:
$ grep watchdog /etc/rc.conf
watchdogd_flags="" # for normal use: ""
The update interval is controlled through the kern.watchdog.period variable, which can be set in /etc/sysctl.conf, and viewed with the sysctl(8) command:
$ sysctl -a | grep watchdog
kern.watchdog.period=30
kern.watchdog.auto=0
Using the hardware watchdog can be useful when you are running routers and access points in remote locations, and don’t want to spend time driving to a remote location to reboot a hung system. I always add an rc script to the servers I support to E-mail me when the system boots. If I get an E-mail while I am performing planned maintenance, I can toss it in the trash can. If I get an E-mail because the machine reboots due to faulty hardware or a kernel bug, I will know that the system reset, and can begin investigating the source of the problem. There are definitely times (e.g., clustered nodes) when it’s better to leave the hardware watchdog disabled, and have a monitoring station alert you to a hung system.
On the last Metallica tour I got to see Godsmack open for James Hetfield and company. Prior to the concert, I had only heard a few Godsmack songs, and those were the tunes that got played excessively on the radio. Since I was there to see Metallica, I said what the heck, and decided to give Godsmack a shot at making my musical circle. The band did just that, and when they played the song “Voodoo,” I knew immediately that I liked them. So when Ticketmaster pinged me a month or two ago to let me know that Godsmack was going on tour with Rob Zombie, I decided to get tickets and wander out to see them again.
The show started with Rob Zombie taking center stage after a band called Shinedown performed. Rob is quite an eccentric person, so I had no idea what to expect. It didn’t take much time until I was scared (he had a list of serial murders scrolling behind him at one point during the show) and amazed (the band had energy like no other band I have seen) with Rob Zombie’s performance. Rob and his band mates were bouncing around the stage like kids who had too much sugar, and they belted out numerous hits, including “Foxy Foxy,” “Never Gonna Stop,” “More Human Than Human,” “Thunder Kiss,” “Dragula,” “Living Dead Girl,” “Feel So Numb,” “American Witch” and a few others I didn’t recognize. Rob Zombie definitely knows how to put on a good show, and it looked like they were loving every minute they spent on stage.
Rob eventually finished his set, and the roadies wandered to the stage to set up Godsmack’s equipment. While I was down grabbing some water, I heard firecrackers go off, and as I walked back to my seat, I got to watch a tribute to rock and roll on the overhead monitors. Once the tribute finished, Godsmack’s lead guitarist started jamming, and Sully belted out the opening tune. The band sounded good, and they were definitely there to rock out with some hard edgy tunes. Their new album is pretty good, but I definitely prefer the material on “Awake,” “Faceless,” “Godsmack” and “The Other Side” to the new stuff. Luckily for me, they played a ton of their old stuff, including “Serenity,” “Awake,” “Re-Align,” “Straight Out Of Line,” “Keep Away,” “Changes,” “Faceless,” “I Stand Alone,” and the classic hit “Voodoo.” While the guys in Godsmack were nowhere near as energetic as Rob Zombie, their music sounded awesome, and I had a blast at the show!