Category Archives: Unix

The Art of Writing Linux Utilities

I’m midway through a small project to migrate some old utilities I originally wrote many, many years ago for FreeBSD and that I’ve migrated from system to system over the years with small tweaks and various cross-platform improvements. It’s been a while since I’ve done any real programming, so I’ve been reading some refreshers on things like documentation best practices, and I stumbled across a good article that’s aged quite well, which I thought was worth sharing.

It appears to be an IBM document from back in the day when they were making a big effort to enterprise-ify Linux and improve the level of documentation and tools for developers, but somebody at Harvard saw fit to host a mirror.

Peter Seebach: The art of writing Linux utilities

Modifying the login text on Debian (or Ubuntu)

I’m getting back into the Debian world after years of being pretty much a RHEL guy and I’ve been dealing with an annoying “feature” which I was at a loss to resolve. Every time I log into the EC2 instance that this server runs on, I get a “No mail.” message which clutters up my login scripts and shouldn’t be there since I’m not receiving mail on this instance in the first place.

Today I finally decided I’d get to the bottom of it since it clearly wasn’t coming from a login script and even though it’s a minor thing it bugs me and I find it somewhat distracting!

It turns out that Debian and its derivatives have a rather elegant, if initially opaque, way of setting up the login info: it’s managed in the PAM configuration for sshd, which can be found at /etc/pam.d/sshd.

Not only does PAM load a module that checks mail by default, it also does a couple of cool things with the MOTD info (this is where the kernel version info comes from when you log in).

Here’s the relevant section:

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
#session    optional     pam_mail.so standard noenv # [1]

As you can see, I’ve commented out the mail check. I’ve decided to leave the MOTD piece; I think I’m going to play around with it. It’s the first time I’ve ever encountered the pam_motd module and I’m curious what I can do with it.

Hopefully somebody else finds this helpful; there seemed to be little information about this available when I did a quick Google search.
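To check which of these login-output modules are actually active before and after an edit like the one above, here is a small shell sketch. It is an added example, not part of the original post: the function names are hypothetical, the sample is constructed from the excerpt with the pam_mail line still enabled, and the demo works on a temporary copy rather than the live /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical;
# /etc/pam.d/sshd is the path given in the post.

# Constructed sample: the post's excerpt with the pam_mail line still active.
sample_sshd_pam() {
    cat <<'EOF'
# Print the message of the day upon successful login.
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]
EOF
}

# List active session lines that load pam_motd or pam_mail. Comments,
# including trailing ones such as "# [1]", are stripped first so that a
# commented-out module is never reported as active.
active_login_modules() {
    sed -e 's/#.*$//' "${1:-/etc/pam.d/sshd}" |
        awk '$1 ~ /^-?session$/ && /pam_(motd|mail)\.so/ { $1 = $1; print }'
}

# Print FILE with every active pam_mail session line commented out. Lines that
# are already comments pass through unchanged, so running it twice is safe.
comment_out_pam_mail() {
    sed -E 's/^([[:space:]]*-?session[[:space:]][^#]*pam_mail\.so.*)$/#\1/' \
        "${1:-/etc/pam.d/sshd}"
}

# Demo on the constructed sample only; the live file is not touched.
demo() {
    tmp=$(mktemp) || return 1
    sample_sshd_pam > "$tmp"
    echo "active before:"; active_login_modules "$tmp"
    comment_out_pam_mail "$tmp" > "$tmp.new"
    echo "active after:";  active_login_modules "$tmp.new"
    rm -f "$tmp" "$tmp.new"
}
demo
```

On a real host, write the output of comment_out_pam_mail to a separate file and diff it against /etc/pam.d/sshd before installing it, keeping an existing root session open while you test a fresh login.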

Let’s Encrypt!

I started to write a draft of an article about Let’s Encrypt back in November, but never quite finished it to my satisfaction. In any case, I would like to draw attention to the project as it gets closer to going live. They just posted the draft of their certificate management policy, so things are starting to heat up a bit, which is kind of exciting!

If you’re not familiar with the project, here’s an overview of how it works.  But basically it’s an automated tool that web server administrators can install and use to generate, sign, manage, and revoke TLS certificates for sites they host.  It takes most of the human factor out of things and also helps implement some of the more esoteric features of modern TLS for HTTP.

In light of the news over the past couple of years and the complete ubiquity of the Internet and WWW at this point, it’s fairly obvious that proper encryption of All The Things is long overdue. There are a number of steps in that direction taking place right now (the HTTP/2 standard is more or less final, 1024-bit roots have been widely superseded, OCSP stapling and HSTS are becoming much more widely deployed), but the biggest challenge I see is that, particularly for small website owners and businesses, properly implementing X.509 certificates for TLS is still enough of a pain that it’s largely avoided unless you’re somewhat savvy or paranoid.

I’ve read a few good blog posts and articles on the Let’s Encrypt project, but for some reason it doesn’t seem to be getting that much mainstream coverage. At first I was a bit leery of the idea that I hand certificate management over to a third-party system, but the more I’ve looked at it the more the idea seems solid. Basically their assumption is that their tooling can handle certificate management better than the average web administrator can. Combined with the fact that the project has major backing from folks like Cisco, Akamai, the EFF, and Mozilla, I’m hoping that it gets major traction. I know that I’m planning on adopting it early even though I have a couple of years left on the RapidSSL certs I’m currently using.

Oh and did I mention that it will be entirely free?