Peter's Blog

Redefining the Impossible

Items filed under ssh


Xming is an X server for Windows. With it one can run Linux applications on a remote Linux box with the X user interface windows appearing on one's Windows desktop:

xming demo


Internet Explorer, xeyes and xterm in perfect harmony.

How to do this wondrous thing?

  • install xming
  • run xlaunch to fire up xming as your windows X server (should be added to quick launch), selecting the following options:
    • Multiple Windows (each app gets its own windows window)
    • Display Number 0
    • Start no Client (client is the program that runs)
    • No Access Control (I'm a trusting soul)
  • you now have an X server on your windows box as display :0. An X server is something that displays the user interface for X client programs (X keeps you on your toes by using counter-intuitive terminology).
  • open putty at the configuration of your favourite linux box.
  • enable the X forwarding option:
    X forwarding in Putty


    the 127.0.0.1:0 means remote X clients will display on your new windows X server (:0) running on your pc (127.0.0.1)
  • open the ssh connection in putty and enter a command such as xterm. Amazingly, an xterm window should open on your local pc! It's wondrous: xterm is running on the remote pc but the user interface is on your windows box.

Interestingly, the ssh session you open has a DISPLAY environment variable set that tells the X clients you launch from it where to send their displays.

peter@server:~$ echo $DISPLAY
localhost:10.0
peter@server:~$

Through the miracle of ssh this is routed back to xming on the Windows box.

Now, how about if beyond your gateway ssh server is another ssh server and you want to run your X client applications on that? The answer is amazingly simple. Open the session on the gateway server as described above and then use the command:

ssh -X name-of-other-server

you now have a command prompt on the second remote server and if you now run

xterm

then again you get an xterm display coming up on your local windows pc but this time from the remote^2 box.

UPDATE: troubleshooting

  • may need this in /etc/ssh/sshd_config
    X11UseLocalhost yes
    
  • may need to
    sudo apt-get install xauth
    
    I needed this on a previously x-less box where I had installed gitk to do some git study on a headless server box

Filed under: putty ssh x xming


Somebody at work was fiddling with the fuse box and took out all the servers in the IT room. I rebooted them all but our main file server wouldn't boot, the hard disk partition was fried.

I used a knoppix CD (excellent tool for any pc that won't boot from its hard disk) to delete the corrupt partition and then reinstalled Windows 2k server on it. Experience has taught me that there is little point in trying to repair windows installations. Fortunately this file server is set up with two disks, one for the OS and another for the data. This is a nice arrangement as if either disk dies, that's approximately half the work required to get the thing back up. I only had to reinstall Windows.

Things were back online by lunchtime, the only problem being that one of the computers in the building was unable to access the new shared file system: mine! Vista strikes again (this is one reason why I am using Vista, to iron out these sillies). It wouldn't connect to the file share without prompting for user name and password and it wouldn't accept any that I gave (apart from those for a local account on the PC, it wouldn't accept domain account details).

I decided the problem may be that in my haste to get the files online and people working, I omitted to install the latest service packs on the server. I ran the setup for service pack 4 and then remotely rebooted the server from home early this morning while nobody was using it. I connected to it using an ssh tunnel and ultravnc. For reference, the ssh tunnel command was:

ssh -L 5900:192.168.0.54:5900 me@work.com

This is saying, 'connect port 5900 on the pc 192.168.0.54 on the remote network to port 5900 on my local pc'. I connected to a linux server and used this as a relay to connect to the file server. I was able to open ultravnc at 127.0.0.1:5900 and see the windows desktop of the file server. Secure, magical, free. Yes, I could do all this with VPNs, Windows Remote Desktop, Terminal Services or whatever but ssh/vnc is much easier to set up and is immune to random weird Active Directory problems.

I opened 'Computer Management' and 'Shared Folders' and 'Open Files' which gives a nice list of who is using the file server. One user had 'desktop.ini' opened, nothing important so ZAP.

Anyway, the service pack did the trick and when I got to work Vista connected instantly.

Lessons learnt:

  • Know where the Windows Install disks are
  • Have the licence numbers printed and hung on the wall (not in a file on the server that just died, in an Access 2003 database, in a room full of servers with no copies of Access).
  • Buy a UPS, although it runs the risk that nothing ever fails and everyone thinks administration is easy. With the right tools it is, but don't let the world know.

4 Comments

Just got X going over ssh again, so a reminder to self on how I did it:

  • make sure
    X11Forwarding yes
    
    is in /etc/ssh/sshd_config at the server end
  • then, in client:
    ssh -X -2 user@server
    
    • -X means X forwarding
    • -2 forces SSH protocol version 2
  • this should give you a remote terminal. In it start whatever application, e.g.
    xclock &
    
    this will be running on the remote system but will display locally.
  • if you get the error "cannot connect to X server localhost:10.0" then you need to do
    xhost +
    
    in a local terminal: the error means the remote app cannot open a window on your local X server, and xhost + removes that access restriction.

Filed under: linux ssh x

3 Comments

I tried a suggestion Breezer left in a comment. It allows you to create shortcuts to your ssh logins. Here is the recipe:

  • Create a symbolic link from your hostname to something called ssh-argv0. You might have to find it first:
    $ which ssh-argv0
    /usr/bin/ssh-argv0
    $ ln -s /usr/bin/ssh-argv0 ~/mysshserver.org
    
  • Now you can connect to mysshserver.org by typing:
    $ ~/mysshserver.org
    

That's it. If your username is different on the ssh server then you should use:

$ ln -s /usr/bin/ssh-argv0 ~/username@mysshserver.org

Combined with bash tab completion this is a handy little tip.


Filed under: ssh


For my ssh server I have disabled root login and I have chosen a slightly less common username and reasonably tough password but still I get people testing the locks. In the log files it is typically shown as a burst of login failures due to unknown name/incorrect password. This is no more than an annoyance, log files full of rubbish, but I'd like to prevent it and who knows, some day someone may hit the jackpot.

Linux iptables has a neat trick to limit the rate of connection attempts: three new connection attempts in quick succession and you can ban whatever is trying to connect for a couple of minutes (the firewall counts new TCP connections, not failed logins, so sshd never sees the third one). This is cool as it will still allow you yourself in as long as you get the password right in the first attempt or two.

I use the firewall module in webmin to manage iptables and I figured out how to implement this feature. It can be edited through webmin but I found it easier to edit the /etc/webmin/firewall/iptables.save file directly and to use webmin to apply it. This is the important bit:

# Allow connections to our SSH server from my IP address
-A INPUT -p tcp -m tcp -s 12.34.56.78 --dport ssh -j ACCEPT
# Allow connections to our SSH server from my other IP address
-A INPUT -p tcp -m tcp -s 65.66.67.68 --dport ssh -j ACCEPT
# Allow connections to our SSH server from localhost
-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport ssh -j ACCEPT
# Anyone else: drop the third and later new connections seen within 60 seconds
-A INPUT -p tcp -m tcp --dport ssh -m state --state NEW -m recent --set
-A INPUT -p tcp -m tcp --dport ssh -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP

One objection I have read to this technique is that it can allow someone to lock you out of your own server by continually hitting it with spoofed packets that carry your own source address. For this reason I added rules to let connections from my normal haunts straight in: if someone bothers to spoof these addresses then they are talking directly to sshd and cannot do much more than a DoS attack, no different from having no firewall at all. This also means I can get the password wrong or open and close connections as often as I like from the computers I normally use.

I could simply deny access from any alien IP except that the IP address of my home PC is not technically static (although it doesn't change very often) and I don't want to lock myself out if it suddenly changes. Besides, who knows, I may be out and about and want to log in (putty and a USB memory key, the world is mine).

This appears to work in both ubuntu and debian.
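To see what those two recent-module rules do over time, here is a small Python model of the chain (an added example, not from the post or from iptables itself): it reproduces the --set and --update --seconds 60 --hitcount 3 semantics of the kernel's recent match, uses the allow-listed addresses from the rules above as placeholders, and runs a constructed sequence of new connections through it.

```python
from collections import defaultdict

WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 3          # --hitcount 3

# The addresses the post lets straight through to sshd. These are the
# placeholder values from the rules above, not real hosts.
ALLOWLIST = {"12.34.56.78", "65.66.67.68", "127.0.0.1"}


class RecentList:
    """Minimal model of one xt_recent list: source address -> hit timestamps."""

    def __init__(self):
        self._stamps = defaultdict(list)

    def set(self, src, now):
        # --set: record a hit for this address; the rule always matches,
        # and with no -j target the packet just carries on down the chain.
        self._stamps[src].append(now)

    def update(self, src, now):
        """--update --seconds N --hitcount M.

        Matches when the address has at least M recorded hits within the last
        N seconds. On a match the entry is refreshed with another timestamp,
        so an address that keeps trying stays matched for as long as it keeps
        trying and only ages out after N quiet seconds.
        """
        recent = [t for t in self._stamps.get(src, ()) if now - t <= WINDOW_SECONDS]
        if len(recent) >= HITCOUNT:
            self._stamps[src].append(now)
            return True
        return False


def run_chain(packets):
    """Run (time_in_seconds, source_address) NEW-connection packets through
    the chain and return one verdict per packet: 'ACCEPT' means the packet
    reached sshd, 'DROP' means the recent rule discarded it."""
    recent = RecentList()
    verdicts = []
    for now, src in packets:
        if src in ALLOWLIST:
            verdicts.append("ACCEPT")        # the explicit -s ... -j ACCEPT rules
            continue
        recent.set(src, now)                 # -m recent --set
        if recent.update(src, now):          # -m recent --update ... -j DROP
            verdicts.append("DROP")
        else:
            verdicts.append("ACCEPT")        # fell through to the normal ssh accept
    return verdicts


if __name__ == "__main__":
    # Constructed sample: a scanner hammering the port, then the admin from home.
    scanner = [(t, "203.0.113.5") for t in (0, 2, 4, 6, 30, 120)]
    admin = [(t, "12.34.56.78") for t in (1, 3, 5, 7)]
    for (t, src), verdict in zip(scanner + admin, run_chain(scanner + admin)):
        print(f"t={t:>3}s {src:<14} {verdict}")
```

Note that the scanner's attempt at t=30 is still dropped even though its first two hits are old, because every matched attempt refreshes the entry; only after 60 quiet seconds does the address get through again.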


Filed under: debian linux ssh ubuntu webmin

2 Comments

This is the script I am using to back up my debian dedicated server to my ubuntu desktop. It uses ssh and rsync. It uses the cool rsync link-dest trick so that instead of creating multiple copies of the same file, it creates only one copy of the file with multiple hard links to it. I have my ssh keys set up so I don't need to give a password to log in via ssh.

This uses a 'pull' technique: the desktop reads the files from the server using this script.

This is not entirely efficient in that it will create a new set of backup files even if nothing changes: if you run the script ten times in a row then you will end up with ten identical sets of files. However, it backs up a web site that changes every day so running it once a day is valid.

Next job is to put selected files within the backup set into subversion. I decided against using subversion for everything, I can't see a way to automatically delete files, but I'd like to put the main sql dump into subversion.

#!/bin/bash

#
# Rotate old backups:
#   $1 = remote directory to backup
#   $2 = local backup directory
#
function rotate {
    # Ripple old backups: Backup9 is discarded, every other set moves up
    # one, and the previous 'latest' becomes Backup1. Sets that do not
    # exist yet (the first few runs) are simply skipped.
    rm -rf "$2/Backup9"
    for i in 8 7 6 5 4 3 2 1; do
        [ -d "$2/Backup$i" ] && mv "$2/Backup$i" "$2/Backup$((i + 1))"
    done
    [ -d "$2/latest" ] && mv "$2/latest" "$2/Backup1"

    # Copy current version to latest, creating hard links where files have
    # not changed: rsync compares against Backup1 (the previous latest) and
    # hard-links any file that is identical there instead of copying it.
    rsync -avz --delete --exclude=.svn --link-dest="$2/Backup1" -e ssh "$1/" "$2/latest/"

    #
    # Put a date stamp in the backup directory.
    #
    echo "Hello Peter" > "$2/latest/Backup-$(date +%Y-%m-%d)"
}

rotate sshusername@ssh.server.address:/var/www/petersblog.org /home/peter/Backup/petersblog.org

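A check worth running after a few rotations, as an added example that is not part of the post's script: it walks the backup directory, counts each inode once, and reports how much space the --link-dest hard links are actually saving. The demo() helper builds a small constructed two-generation tree in a temporary directory so it runs stand-alone.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class LinkReport:
    files: int           # regular files seen across all backup sets
    unique_inodes: int   # distinct inodes, i.e. actual copies on disk
    apparent_bytes: int  # total size as the directory trees present it
    disk_bytes: int      # size counting each inode only once


def link_dest_report(backup_root):
    """Walk every backup set under backup_root and account for hard links.

    Files that --link-dest shared between sets have the same (device, inode)
    and are counted once in disk_bytes. If disk_bytes is close to
    apparent_bytes, the link-dest path was wrong (rsync silently falls back
    to copying) or every file really did change.
    """
    sizes_by_inode = {}
    files = apparent = 0
    for dirpath, _dirs, names in os.walk(backup_root):
        for name in names:
            st = os.lstat(os.path.join(dirpath, name))
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and anything odd
            files += 1
            apparent += st.st_size
            sizes_by_inode.setdefault((st.st_dev, st.st_ino), st.st_size)
    return LinkReport(files, len(sizes_by_inode), apparent, sum(sizes_by_inode.values()))


def same_file(path_a, path_b):
    """True when two paths are hard links to one inode (what link-dest produces)."""
    a, b = os.stat(path_a), os.stat(path_b)
    return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)


def make_demo_tree(root):
    """Constructed two-generation backup simulating one run of rotate():
    Backup1 is the previous 'latest'; in latest, style.css is unchanged and
    hard-linked, index.html changed and is a fresh copy."""
    os.makedirs(os.path.join(root, "Backup1"))
    os.makedirs(os.path.join(root, "latest"))
    with open(os.path.join(root, "Backup1", "index.html"), "wb") as f:
        f.write(b"<html>old</html>")          # 16 bytes
    with open(os.path.join(root, "Backup1", "style.css"), "wb") as f:
        f.write(b"body{}")                    # 6 bytes
    os.link(os.path.join(root, "Backup1", "style.css"),
            os.path.join(root, "latest", "style.css"))
    with open(os.path.join(root, "latest", "index.html"), "wb") as f:
        f.write(b"<html>new!</html>")         # 17 bytes


def demo():
    """Build the sample tree in a temporary directory and report on it."""
    root = tempfile.mkdtemp(prefix="linkdest-demo-")
    make_demo_tree(root)
    shared = same_file(os.path.join(root, "Backup1", "style.css"),
                       os.path.join(root, "latest", "style.css"))
    return link_dest_report(root), shared


if __name__ == "__main__":
    report, shared = demo()
    print(report, "style.css shared:", shared)
```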

Filed under: backup debian rsync ssh ubuntu

2 Comments

I have implemented a daily backup from my oneandone dedicated server to my home desktop pc. I used rsync over ssh using the notes I wrote myself which work with ubuntu as well as windows. It is only backing up the websites; I'm not backing up the configuration yet. I could add a backup of /etc, only that has to run as root. The PC is set up to turn itself on every day via the BIOS; it will run the backup, do any other daily stuff I can think of, then switch itself off.

At the server end, just before the backup schedule, the mysql databases for the websites are all dumped. The sql for this site is now 9M although a lot of that appears to be server logs.

Once the backup has reached the desktop pc I'd like to create some form of historical backup and I am deciding whether to create incremental differences or chuck everything into subversion. I am leaning towards the latter.

One option for the servers daily activities could be to download podcasts and dump them onto my phone...


Filed under: backup mysql rsync ssh ubuntu


I found one advantage of using ssh (e.g. putty) over vnc: no error bells. I was using a terminal under vnc and the bells were driving me mad. I disabled them in vim with:

:set visualbell t_vb=

but still got them on the bash command line. Tried various things from google to disable them at the linux end but nothing worked. Tried disabling the sounds in vnc (Control Panel/Sounds, VNC = None) but no joy.

Don't especially want to unplug the speaker so I went with the flow and used ssh.

Sudden thought: maybe I WAS going mad?


Filed under: putty ssh ubuntu vnc

5 Comments

Looking through the Linode control panel options I discovered that it is possible to request a 2.6 kernel instead of the standard 2.4. I tried this and it indeed booted up but ssh fails to work. I can still log in through the linode console, which appears to emulate a tty console so you can watch the system boot and log in that way, but if I try to ssh the connection gets suddenly closed with no clues as to why, not even in the sshd log with full debugging enabled.

There is mention of some odd devpts thing in kernel 2.6 being to blame for these ssh problems but I haven't pinned it down yet.

I resized the disk space on my Linode to free up 400M for a debian linux install, to use to rescue the main ubuntu install if I ever break it. You can change the size of your partitions without losing all your data if you are using ext2 or ext3. Cool.

Linode is looking good.


Filed under: linode linux ssh ubuntu


Got a Linode and I've installed ubuntu on it. So far it seems really quick: ssh login is fast and responsive, better than site5. This may be because the server does not have many users yet or maybe because it's 8:30 on a sunday morning.

It is just like my Ubuntu box at work but 10x faster.

I'm paying monthly for the linode, just trying it for now. If I'm still using it in August I may ditch site5 as linode is far cooler.

Damn, have to go out.


5 Comments

I decided to put a new backup strategy in place at work. I have my desktop PC running windows and an Ubuntu server. I wanted to back up my day-to-day work under windows to the server. I wanted incremental backup so I have the option to backtrack through file history if necessary.

rsync is a nice utility to copy a set of files from one pc to another and works under windows (via Cygwin) and Linux. It can copy over ssh and hence I can use my ssh keys to avoid having to log into the server or put my password in scripts. However it does not do incremental backups, it just duplicates.

rdiff-backup is a nice backup tool that can do cross-network incremental backups. It uses the rsync protocol so it is very efficient. It is also easy to use, no weird command line switches, just give it the name of the source and target directories. However, support for this on windows is not straightforward and it relies on using a cygwin version of python rather than the standard distribution.

So, a compromise solution, use both. I have set things up so that this is done every night when I go home:

cd c:\Projects
rsync -avz --exclude-from="rsync.cnf" -e ssh ./ pcw@rd-pcw2:Projects/ > backup.log
blat backup.log -to pcw@itl.co.uk

this copies files from my 'Projects' directory to the server. The "rsync.cnf" file is a set of things to exclude from the copy, e.g.:

#
# Doxygen output files
#
- Doxygen/

#
# Anything downloaded
#
- Download/
- lstfiles/
- ofiles/
- *.bak
- *.Bak

#
# Anything generated by py2exe
#
- build/
- dist/

#
# Anything in a folder called Old
#
- Old/

#
# VC build directories
#
- Debug/
- Release/
- debug/
- release/

#
# Miscellaneous.
#
- *.obj
- *.tmp
- *.pyc
- setup/*.exe
- Output/setup.exe

After running this I use blat to email me what happened so I know it succeeded.

On the server I have crontab set up to run rdiff-backup every night after the files have been uploaded:

0 18 * * * rdiff-backup /home/pcw/Projects /home/pcw/Backup

This system gives me two full copies of my project files and incremental backups to boot.

Todo: rdiff-backup to a different disk, giving three copies.


9 Comments

Uploading images to this blog can be kinda fiddly. Say I have an image in the windows clipboard (e.g. a screen clip from OneNote) and I want it on the blog: I have to fire up a graphics program, paste it in, save it to a file, fire up filezilla, upload it, delete the image file.

This little script does all this for me. It asks for a file name, writes the image in the clipboard to the file, uploads it and deletes the image. Job Done.

The uploading is done using pscp, a version of scp from the putty camp. It uses my putty private key so I don't have to give a password for access to the server (I didn't use the cygwin version of ssh as it didn't like having 'c:\' in file names). The script uses the Python Imaging Library to do the grabbing and wxPython to ask for the file name.

#
# Upload image in clipboard to server
#
# Originally written for Python 2 with the old PIL module layout
# ("import Image"); the imports below are the Pillow equivalents.
import os
import subprocess
import tempfile

import wx
from PIL import Image, ImageGrab


class MyApp(wx.App):
    def OnInit(self):
        # grabclipboard() returns an Image on Windows/macOS, a list of file
        # names if files are in the clipboard, or None if there is nothing.
        oImage = ImageGrab.grabclipboard()

        if not isinstance(oImage, Image.Image):
            #
            # In no way is wxPython an easy to use library.
            #
            dlg = wx.MessageDialog(None, 'No image in clipboard', 'Error', wx.OK)
            dlg.ShowModal()
            dlg.Destroy()
            return True

        dlg = wx.TextEntryDialog(None, 'Enter a file name', 'Upload Clipboard', '')
        if dlg.ShowModal() != wx.ID_OK:
            dlg.Destroy()
            return True

        strName = dlg.GetValue()
        dlg.Destroy()

        # Write the image to a private temporary directory under the chosen
        # name so PIL picks the format from the extension. The original used
        # tempfile.mktemp(), which races on the temporary name.
        strTempDir = tempfile.mkdtemp()
        strTempFile = os.path.join(strTempDir, os.path.basename(strName))
        oImage.save(strTempFile)

        # Run pscp with an argument list rather than a shell string: the name
        # typed into the dialog is passed as data and never parsed by cmd.exe.
        subprocess.call([
            'pscp', '-q', '-i', r'c:\my documents\puttykey.ppk',
            strTempFile, 'me@myserver.com:www/images/%s' % strName,
        ])

        os.unlink(strTempFile)
        os.rmdir(strTempDir)

        return True


app = MyApp(0)
app.MainLoop()

This is the result of alt-print screen and running this script:


The script itself inside VIM

ToDo:

  • handle file names in clipboard
  • detect upload errors
  • allow resizing images

4 Comments

Putty is a simply great ssh client and works nicely with open-ssh, which is found in Ubuntu Linux, Site5 and just about everywhere.

A nice feature of ssh is the ability to generate a public key that can be used to log into a server without having to give a password, or as extra security in addition to the password.

Here is a procedure for creating ssh keys that can be used in both open-ssh and putty:

  • On windows, install the open-ssh package with Cygwin
  • execute the command
    ssh-keygen -t dsa
    
    to generate the dss key. You may need to create the directory ~/.ssh in Cygwin bash for this to work. This will create a file in this directory called id_dsa.pub
  • use sftp/ssh to copy the id_dsa.pub file to your ssh server box. Put the contents of this file (which is one big long line) at the end of a file called ~/.ssh/authorized_keys2, adding it to any other keys that are already there.
  • back on windows, execute the command 'puttygen', from the putty site.
  • In putty gen, use file/load private key to load in the file ~/.ssh/id_dsa
  • Choose 'save private key' and store it somewhere handy where putty can find it. You may be prompted to enter a passphrase. This is a password used in addition to the key when connecting to the server. If the passphrase is blank then you don't have to enter it, the connection will be automatic.
  • Open putty and enter the details of the server you want to connect to (address etc)
  • In the 'connection' settings, enter your login name in 'Auto-login username'.
  • In Connection/SSH/Auth, in the box 'Private key file for authentication' load the putty private key file.
  • Save this configuration so you don't have to do it again.
  • Click 'open'

Your life won't be the same again.
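Since sshd silently ignores a malformed line, here is a check on the merged authorized_keys2 file (an added example, not part of the post): it parses each line, base64-decodes the key blob and confirms that the type string inside the blob matches the declared type, which catches a key that got wrapped onto two lines in transit. The key material in DEMO_TEXT is constructed and is not a usable key.

```python
import base64
import struct

# Key types that may appear in the file (assumption: only these are checked;
# add any others you use).
KEY_TYPES = {"ssh-dss", "ssh-rsa", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _embedded_type(blob):
    """Return the key type string stored at the front of a public key blob
    (RFC 4253 wire format: a big-endian uint32 length followed by the bytes)."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        raise ValueError("blob truncated before the end of the type string")
    return blob[4:4 + n].decode("ascii", "replace")


def check_authorized_keys(text):
    """Check each line of an authorized_keys(2) file.

    Returns a list of (line_number, status) where status is 'ok', 'comment'
    or a string starting with 'error:'. A key that an editor or mail client
    wrapped shows up as two errors: a truncated blob on the first line and
    no key type on the second.
    """
    results = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            results.append((lineno, "comment"))
            continue
        fields = line.split()
        # Options such as no-pty or from="..." may precede the key type.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or len(fields) < idx + 2:
            results.append((lineno, "error: no key type followed by a key blob"))
            continue
        declared, encoded = fields[idx], fields[idx + 1]
        try:
            embedded = _embedded_type(base64.b64decode(encoded, validate=True))
        except ValueError as exc:  # binascii.Error is a subclass of ValueError
            results.append((lineno, f"error: undecodable key blob ({exc})"))
            continue
        if embedded != declared:
            results.append((lineno, f"error: declared {declared} but blob is {embedded}"))
            continue
        results.append((lineno, "ok"))
    return results


def make_demo_line(ktype, comment="peter@desktop"):
    """Constructed key line: real type string, dummy key material."""
    blob = struct.pack(">I", len(ktype)) + ktype.encode() + b"\x00" * 12
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"


_GOOD = make_demo_line("ssh-dss")
# Constructed sample file: a comment, a good key, the same key wrapped after
# 20 characters, and a key whose declared type does not match its blob.
DEMO_TEXT = "\n".join([
    "# keys merged from id_dsa.pub",
    _GOOD,
    _GOOD[:20] + "\n" + _GOOD[20:],
    _GOOD.replace("ssh-dss ", "ssh-rsa ", 1),
])


if __name__ == "__main__":
    for lineno, status in check_authorized_keys(DEMO_TEXT):
        print(f"{lineno}: {status}")
```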


2 Comments

This is the ssh command line to connect to a squid proxy server via ssh:

ssh -L 3128:127.0.0.1:3128 user@remoteaddress

using cygwin open-ssh.

What is this doing? Well ssh starts running on the local pc and creates a socket on port 3128 (this is given by the first 3128 on the command line). Firefox is then configured to use localhost:3128 as the http proxy. ssh then takes connections to that port and forwards them to the ssh server running remotely. It will go through any firewalls in between provided that port 22 (the ssh port) is open. It encrypts whatever is going through it. The ssh server connects to port 3128 on the remote pc which is the squid server port. The squid server acts as a nice caching proxy server and fetches whatever web pages you are looking for.

This works with Ubuntu after installing the standard open-ssh package and the squid proxy.

It must work or you wouldn't be reading this.

Even more cool: using VNC over SSH. This gives you a remote desktop.

  • install tightvnc package on remote server
  • on local pc run the command:
    ssh -L 5900:127.0.0.1:5901 user@remoteaddress
    
  • on server, run the command
    vncserver :1
    
    The first time you do this you will be asked for the login password.
  • On local pc, run a vnc viewer such as ultravnc. Connect to 127.0.0.1:0 and enter the password

This gives you remote access to the server desktop. Easy really and better, in my humble opinion, than using remote X, especially with a local PC running cygwin as X on that is a bit buggy.

Note: for me, vncserver :1 worked as X was already running on the box. The 5901 in the ssh command caters for display 1 being on a port number 1 higher than the default of 5900.


Filed under: cygwin firefox squid ssh ubuntu vnc

1 Comment

Was using dselect under Ubuntu linux to install some stuff over an ssh connection. While the install was underway the network connection died. When the network came up again I could not continue using dselect without getting the following error:

dselect: the access method area is already locked

After much fiddling, I found the lock file and deleting it fixed the problem:

sudo rm /var/lib/dpkg/methlock

While I was messing around I found out how to disable the annoying help messages that dselect keeps popping up. Just edit the file /etc/dpkg/dselect.cfg and add the line:

expert

Filed under: dselect linux ssh ubuntu


UPDATE: see this post, which describes a more modern approach using xming, a far better X server than cygwin's.

Retracing earlier steps I find Ubuntu works as a headless X box, running programs while displaying remotely on a windows 2000 pc (X windows has the definitions of 'client' and 'server' randomised).

Here are the steps it takes to do this, rationalised from what I wrote before:

  • Install Cygwin on the windows box. In particular, install the openssh and X11 base packages.
  • Edit the sshd_config file on the remote server and make sure this is set:
    X11Forwarding yes
    
    and restart sshd. On my Ubuntu this was how it was already set up.
  • on the local pc run the cygwin command startxwin.bat. It is buried in:
    <cygwin base dir>\usr\X11R6\bin\startxwin.bat
    
    where <cygwin base dir> is wherever you installed cygwin. This should bring up a window with an X desktop in it.
  • from a terminal window on the X desktop, run an ssh command of the form:
    ssh -X -l <username> <host address>
    
    the -X tells ssh to do magic X port forwarding.
  • in the new ssh session run an X program, e.g.:
    xterm &
    
  • and away you go

I tried running Synaptic Package Manager from this, i.e.

sudo synaptic &

and it worked, a bit sluggishly, until it got to the point where I tried to accept changes and install packages, where it died with an X error. It did this twice so it is probably a deep X problem. I will have to stick with dselect.


27 Comments

If you have a file on an ssh enabled server that you want to edit with VIM and you don't want to mess around with ftp you can use VIM's ftp support.

However, I find the support for scp to be more useful. Having installed Cygwin and open ssh I have also acquired the scp command. VIM knows about this and can use it to edit files.

Suppose I want to edit the file 'interesting.txt' on the server 'stuff.com'? I use the VIM command:

:e scp://peter@stuff.com/interesting.txt

and start editing. When I am finished I just write the file normally:

:w

Because I have already created an ssh key on stuff.com (as shown here) I am not hassled for passwords.

Very nice for quick .css tweaks, editing drupal modules etc. I can edit the file locally in a windows GUI and upload it to a nice secure linux server. Best of both worlds.

Downsides?

  1. Win32 vim leaves a silly dos box with a 'Hit any key to close this window...' message on it when reading the file.
  2. Have to know the exact path to the file.

7 Comments

Mission: to get rsync going over ssh. This will allow me to synchronise files on local client and remote server. Rsync is a nice fast incremental copy program designed for synchronising file sets between a client and server. The result is that both computers share identical versions of a set of files.

Steps:

  • install openssh on client and server
  • install rsync on client and server
  • to avoid typing in passwords, create ssh key using:
    ssh-keygen -t dsa
    
  • Log into server using sftp
  • copy /home//.ssh/id_dsa.pub to the server
  • on the server, merge contents of id_dsa.pub with ~/.ssh/authorized_keys2
  • From client, try logging in using ssh or sftp. Key should be accepted.
  • Start rsyncing.

Note: using a blank passphrase for ssh means you will not be prompted for a passphrase when you log in but this is a security risk: if anyone gets their hands on the key file they can get in.

Examples: Copy files in the directory 'logs' to the directory 'blah' on server ad-pc (files will be in blah/*).

rsync -avz logs/ -e ssh ad-pc:blah/

Copy the files back.

rsync -avz -e ssh ad-pc:blah/ logs/

Copy the directory 'logs' and files in it to the directory 'blah' on server ad-pc (files will be in blah/logs/*).

rsync -avz logs -e ssh ad-pc:blah/

Copy the directory 'logs' and files in it to the directory 'blah' on server ad-pc. Copy recursively and delete files on the receiver that do not exist on the sender (i.e. replicate deletion of files).

rsync -avzr --delete logs -e ssh ad-pc:blah/

Copy while logging in as a different user.

rsync -avz -e ssh <user>@ad-pc:www/modules/ modules/

Note the subtle use of the trailing /.

  • blah/ : copy the files to/from the directory
  • blah : copy the directory itself

Using cygwin on Windows 2000 I had a problem copying from the server to the local pc: the shell would hang real hard at the end of the transfer. I tried reinstalling the cygwin stuff from a different server (mirror.ac.uk) and found a much more recent version (2.6.2 as opposed to 2.5.5). This fixed the problem, which may have been this.


Filed under: cygwin rsync samba ssh windows


Decided upon Bloglines for my news aggregating needs. It has lots of features and is fast enough. It even allows me to add a blog roll box here.

It is comprehensive, almost overwhelming in the options that are available. My tip: subscribe to a blog just to get a username. That way you don't have to use your email address as an identifier that can be scraped by spambots.

Previously I was using the Python Desktop Server news aggregator that works very nicely but has two disadvantages:

  1. it needs a server to run on and now I am shutting down my home server I won't have one.
  2. I can access Bloglines from work without setting up an ssh tunnel.

Filed under: blog bloglines pyds python ssh


I have managed to get remote X windows working via SSH. From a Windows 2000 desktop I can run X applications on my server at home. The steps involved are approximately as follows (i.e. I frigged around a bit but I think this will work):

  • Install Cygwin. In particular, install the openssh and X11 base packages.

  • Edit the sshd_config file on the remote server and make sure this is set:

     X11Forwarding yes 

    and restart sshd. This is important for avoiding the need for xauth

  • start X on the remote computer.

  • on the remote computer run:

     xhost + 

    This turns off strict access control. I am not entirely sure this command is needed when using ssh X port forwarding but I don't think it will hurt. Both local and remote systems are behind firewalls with an encrypted ssh link between them and I am not paranoid enough to worry about extra security.

  • on the local pc run the cygwin command startxwin.bat. This should bring up a window with a X desktop in it.

  • from a terminal window on the X desktop, run an ssh command of the form:

     ssh -X -l <username> <host address> 

    the -X tells ssh to do magic X port forwarding [1].

  • again in the terminal window, do this to check things are ok:

     export | grep DISPLAY 

    you should see that the DISPLAY variable has been set to something like 127.0.0.1:10.0. Setting this up is the job of the sshd server. If it is not there then the X port forwarding is broken.

  • run an X program, e.g.:

     xterm & 

You should get a new term on your desktop running from the remote computer. I got as far as running mozilla across this but it was too slow to be of any use (12kbytes/sec upload speed achieved by Bit Torrent yesterday).

Cygwin defaults to twm which is a little primitive. I tried WindowMaker but that crashed. fvwm2 works, looks a little prettier than twm but is not much more sophisticated.

It's cool, but an awful lot can be done with just a straight ssh console.


[1] the howto on the Cygwin site says '-Y' which is rejected by ssh.


Filed under: cygwin ssh windows


Building Gentoo packages does take a while, even for something simple you have to wait for ./configure to run which takes a couple of minutes. To live with this I have learnt a couple of things.

First was the nohup command which works like this:

 nohup emerge huge-package & 

which will build the huge package and dump all the output to a file called nohup.out. This is useful for me if I build using an ssh shell which is likely to disconnect and cause the build to halt. With nohup I don't need to worry about that, the build is disconnected from the login shell.

Next is the at command:

 at 03:00
 at> emerge huge-package
 at> <CTRL-D>

This will emerge the huge package at 3am so it should be ready the next day. When the command finishes I get emailed the results. I tried using this last night to build a kernel but I typed:

 make bZImage 

instead of:

 make bzImage 

and it failed, so it'll have to wait for another night.
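The nohup idiom above, as an added example that is not the author's commands: a small wrapper that sends the build's output to a log file you choose (rather than nohup.out in whatever directory you happened to be in), takes stdin from /dev/null so the job can never block on the vanished terminal, and records the PID so the build can be checked from a later ssh session. The demonstration job is a constructed sleep/echo standing in for emerge.

```shell
#!/bin/sh
# Added example, not the author's commands: the nohup idiom with an explicit
# log file and a recorded PID, so a build started over ssh can be checked after
# the session has gone.

# run_detached LOGFILE PIDFILE CMD...: start CMD immune to the SIGHUP that a
# dropped ssh session sends, with stdout and stderr appended to LOGFILE and
# stdin from /dev/null.  Records the PID in PIDFILE.
run_detached() {
  log=$1; pidfile=$2; shift 2
  nohup "$@" >>"$log" 2>&1 </dev/null &
  echo $! >"$pidfile"
}

# still_running PIDFILE: 0 while the recorded process exists.
still_running() {
  pid=$(cat "$1" 2>/dev/null) || return 1
  kill -0 "$pid" 2>/dev/null && return 0
  return 1
}

# The non-interactive form of the at command used above; at mails you the
# job's output when it finishes:
#   echo 'emerge huge-package' | at 03:00

# Constructed demonstration job (stands in for emerge):
run_detached build.log build.pid sh -c 'sleep 1; echo "build finished"'
still_running build.pid && echo "build is running, log in build.log"
wait                                  # only here so the demo shows the result
cat build.log
rm -f build.log build.pid
```

For a real build drop the `wait` and log out; `still_running build.pid` and `tail -f build.log` from the next session tell you where it got to.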


Filed under: gentoo linux ssh


I am in the process of installing Gentoo linux on a PC at work and also an old pc at home (the joys of ssh). Over the years I have installed Slackware, Redhat, Suse and Debian but none of those was as complex as installing Gentoo. The handbook is absolutely essential and it is probably best to read it through before starting (tip: install stage 3).

Installation is not just running a setup program, it is down to the basics of mounting file systems, chrooting, untarring, building kernels etc. I have learnt a lot from it and I now think I am competent enough to fix a broken linux system from a boot floppy. I had to install Gentoo this way as the Gentoo CD would not boot and I had to find some linux boot floppies to get things rolling.

Setting it up takes ages as it is building most things from source. The USE preferences variable allowed me to tell it I want perl and python but not ruby. I ran an emerge vim to get vim installed and, to my surprise, I got VIM 6.3 (which I didn't know was out) with python and perl support built in!

I haven't set up X yet. I may do it at home as an exercise but I dread to think how long it will take. You are supposed to be able to install precompiled packages but at my one attempt (lilo) it still spent 20 minutes compiling it from source.

Gentoo in a nutshell:

  • Don't think about it unless you have broadband
  • Don't think about it unless you are happy at a command prompt
  • Don't think about it unless you are patient

Gentoo: something to do in the background while reading RSS feeds.


Filed under: gentoo linux python rss ssh vim


I feel the need for a status report on various stuff I've mentioned in this blog.

Palm Tungsten T2

I haven't used this so much recently, I only use it as a diary. This is partly because it is summer and I don't wear a coat with pockets to carry it around. It's too big for trouser pockets. I do my blogging with Python Desktop Server, I don't use DayNotez any more.

Dell Inspiron 500m

I love my notebook, I'm using it now, I'd say it was my primary PC. I sit on the sofa in front of the TV and go through RSS feeds. My main gripe with it is that sometimes when it comes out of hibernate it does not see the wireless network and I have to hibernate it and unhibernate it again to kick it into life. Oh, also the SVideo output is only black and white. The laptop is just nice, no noisy fans and it doesn't make my lap overheat. About 2 hours of battery life.

Desktop PC

Hasn't crashed recently but that may be because I don't use it very often. The only time I used it this week was as a print server. The drivers with the PC TV card might have fixed the PCI latency issues. There are a number of PCs at work, including the firewall PC, that use VIA chipsets and they randomly hang as well. I have no love for VIA.

Python Desktop Server

Use it most days. I use it at work for my engineering logs which are behind a firewall. I haven't got around to adding tools or anything, I mainly use it for RSS aggregation. Having the aggregation in the web browser makes it so convenient for following links: in firefox I middle-click and read in a new tab. As a blogging tool my main gripe is the lack of a preview facility: checking links and formatting before uploading. I have to set it to offline mode before I start composing.

Debian

My debian server is still whirring away (noisy fans this summer but it's in a room I don't go in much). It handles email and Python Desktop Server and is also useful as a squid proxy that I can access from work through an SSH tunnel. I can use this to check the work firewall, to make sure it is possible to get in through the firewall. I might change server to a desktop pc as the laptop is a bit slow (166MHz pentium). That would allow me to make it a headless X server.

Object Desktop

I got fed up with animated fish using my CPU time in DesktopX. I use WindowBlinds on the laptop to make it a bit more interesting but I don't think it was worth buying.

Intellimail

Still using it at home but I am tempted to move to IMAP + thunderbird like I use at work. Awaiting a home server decision.

Thunderbird

It's ok if a bit utilitarian when compared to Intellimail. However it handles IMAP, if a little flakily (it sometimes displays Inbox(3) but doesn't show the new messages).

Firefox

Love it. I only use IE for broken websites.

iTunes

May register for it today. If I can buy just the tracks I want and blow them to an audio CD then I see no need to buy CDs that are 75% filler material.

Furl

I'm beginning to see Furl as a place to look for websites that other people find interesting. When I run out of RSS articles I now try, e.g. this.

Motorbike

Sold for the asking price to a dealer who was advertising for CBR600's.



At work I was inspired to find a way to get in from home through the firewall. Tunnelling out using ssh through the https port is tried and tested but I wanted a way in.

I've set things up so I can email myself at work with a certain subject line which triggers an exim .forward rule. This rule starts up ssh making a connection OUT to my home debian server. The outward connection includes a remote forwarded port so from my home debian box I can ssh back into the work box. I'm kinda pleased with this as it's secure so I won't get into trouble. The tunnel can only go to my home pc at my command. Even if someone else sent the magic email they would not get the ssh connection.

It took a couple of tricks to get this working:

  • I had to edit sshd_config to add a new port at 8022 for forwarding to the home box as this is not a privileged port.

  • The .forward file does not run ssh directly (it cannot block and wait for the ssh session to finish) so it runs an 'at' command to launch ssh independently in a totally separate process.

  • ssh is fired up with the -n and -N options to stop it screwing up the console.

Getting this going prompted me to load samba so I can copy stuff from the windows workhorse to the debian box and access it anytime from home without the risk of exposing my windows box through the firewall. Now that would get me into trouble...
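The three pieces of the arrangement described above, as an added example (not the author's actual configuration): the ssh command that opens the reverse tunnel, the .forward rule that fires it, and the authorized_keys line on the home box. Host name, user name, IP address and the trigger subject are assumptions. In this version -R binds port 8022 on the home box (unprivileged, so no sshd change is needed there) and relays connections to it back to the work box's own sshd on port 22, so from home `ssh -p 8022 peter@localhost` lands on the work machine. The subject line works as a shared secret, but mail subjects travel in clear, so anyone who can see the mail can replay it; as the post says, the damage is limited because the tunnel only ever goes to the fixed home host. The key restriction keeps a compromised work box from using that key for anything but the port forward.

```shell
#!/bin/sh
# Added example, not the author's actual configuration: the three pieces of an
# email-triggered reverse ssh tunnel.  Host name, user, IP and trigger phrase
# are assumptions.

HOME_HOST=peter@home.example.org      # assumed home server
TUNNEL_PORT=8022                      # unprivileged, so sshd on the home box needs no change
TRIGGER='open-tunnel-7f3a'            # assumed subject line; treat it like a password

# The tunnel command.  -n takes stdin from /dev/null and -N runs no remote
# command, so it can sit in the background with no terminal.  -R binds
# TUNNEL_PORT on the home box and relays connections to it back to this
# machine's own sshd on port 22.  ExitOnForwardFailure makes ssh exit, rather
# than hang uselessly, if the port is already taken on the far side.
tunnel_cmd() {
  printf 'ssh -n -N -o ExitOnForwardFailure=yes -R %s:localhost:22 %s\n' \
    "$TUNNEL_PORT" "$HOME_HOST"
}

# subject_is_trigger SUBJECT: 0 only for the exact phrase.  A "contains" style
# match would let any reply or forward of the mail re-open the tunnel.
subject_is_trigger() {
  [ "$1" = "$TRIGGER" ] && return 0
  return 1
}

# open_tunnel: hand the command to atd so mail delivery returns immediately.
# This is what the .forward pipe below calls.
open_tunnel() {
  tunnel_cmd | at now
}

# 1. ~/.forward on the work box, in Exim filter syntax (assumed; the redirect
#    router that handles .forward must permit pipe commands):
#      # Exim filter
#      if $h_subject: is "open-tunnel-7f3a" then
#        pipe "/home/peter/bin/open-tunnel open"
#      endif
#    where /home/peter/bin/open-tunnel is this script.
#
# 2. ~/.ssh/authorized_keys on the home box, limiting what the work box's key
#    may do (restrict needs OpenSSH 7.2 or later):
#      restrict,port-forwarding,from="203.0.113.10" ssh-rsa AAAA... work-tunnel
#
# 3. From the home box, once the tunnel is up:  ssh -p 8022 peter@localhost

case ${1:-} in
  open) open_tunnel ;;
  *)    tunnel_cmd ;;                 # default: just show the command
esac
```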


Filed under: email samba ssh windows


Did background update of home server using dselect via ssh. Something like 63 packages were upgraded, things like nfs and openoffice dictionary that I don't need. SSL update said a restart was advised so I rebooted the box. It hasn't rebooted, it's offline. What can be wrong?


Filed under: dselect ssh


My god, it works and its speed is ok. Hum, have to see how I can speed things up. The ssh tunnel is compressed which may be making a difference.


Filed under: ssh


Been looking at the ISA firewall/proxy thing at work and studying the logs. It's amazing what people get up to when they are supposed to be working. This has filled me with paranoia (not that I look at naked ladies while I am supposed to be working).

I installed squid on my server at home. I can connect to that through ssh. I don't know how fast it will be because of the uplink speed but it does mean I can do banking and stuff from work.


Filed under: isa squid ssh


Got the key-based login to ssh working. The steps to do this are:

  • use puttygen to generate SSH 2 RSA keys.

  • Copy the public key to a text file and append it to the ~/.ssh/authorized_keys file on the server

  • Save the private key file

  • Configure putty to read the private key file when it connects

Login asks for a user name but then goes smoothly in.
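Installing the PuTTYgen key on the server, as an added example in POSIX shell (not the author's steps). The "file formats are different" problem mentioned further down the page comes from PuTTYgen's "Save public key" button, which writes the SSH2 (RFC 4716) container with BEGIN/END markers and a Comment: header, whereas authorized_keys wants one line of `<type> <base64> <comment>`; the one-liner in PuTTYgen's "Public key for pasting into OpenSSH authorized_keys file" box is already in that form. `ssh-keygen -i -f FILE` converts the saved file; the function below does the same in plain sh and then appends the result with the permissions sshd's default StrictModes insists on (otherwise sshd silently ignores the file and you are back to password prompts). The sample key is a constructed blob with the right framing, not a real key.

```shell
#!/bin/sh
# Added example, not from the original post: install a PuTTYgen public key
# into a server's authorized_keys with the permissions sshd insists on.

# ssh2_to_openssh: SSH2 (RFC 4716) public key file on stdin -> one OpenSSH
# line on stdout.  The key type is not in the headers; it is the first
# length-prefixed string inside the base64 blob, so decode and pull it out.
ssh2_to_openssh() (
  b64=''; comment=''
  while IFS= read -r line; do
    case $line in
      '---- '*'----')  ;;                                   # BEGIN / END markers
      Comment:*)   comment=${line#Comment:}; comment=${comment# }
                   comment=${comment#\"}; comment=${comment%\"} ;;
      *:*)         ;;                                       # other headers
      *)           b64="$b64$line" ;;                       # wrapped key data
    esac
  done
  [ -n "$b64" ] || return 1
  type=$(printf '%s' "$b64" | base64 -d | tr -c 'a-z0-9.@-' '\n' | sed -n '/./{p;q;}')
  [ -n "$type" ] || return 1
  printf '%s %s %s\n' "$type" "$b64" "$comment"
)

# install_pubkey HOMEDIR: public key on stdin in either format, appended to
# HOMEDIR/.ssh/authorized_keys.  With StrictModes yes (the default) sshd
# ignores the file if ~/.ssh or authorized_keys are writable by others.
install_pubkey() {
  dir=$1/.ssh
  IFS= read -r first || return 1
  case $first in
    '---- BEGIN SSH2 PUBLIC KEY ----') key=$(ssh2_to_openssh) || return 1 ;;
    ssh-*|ecdsa-*)                    key=$first ;;          # already OpenSSH format
    *) echo "unrecognised public key format" >&2; return 1 ;;
  esac
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  printf '%s\n' "$key" >>"$dir/authorized_keys" && chmod 600 "$dir/authorized_keys"
}

# Constructed sample in PuTTYgen's saved layout.  The key data is a made-up
# blob (00000007 "ssh-rsa" 00000003 010001 00000005 00deadbeef), not a real key.
SAMPLE_SSH2_KEY='---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20040801"
AAAAB3NzaC1yc2EAAAADAQAB
AAAABQDerb7v
---- END SSH2 PUBLIC KEY ----'

printf '%s\n' "$SAMPLE_SSH2_KEY" | ssh2_to_openssh
# -> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAABQDerb7v rsa-key-20040801
```

On the server, `install_pubkey "$HOME" < putty-key.pub` does the whole job; if PuTTY still prompts for a password afterwards, `ssh -v` from a command-line client or the sshd log will usually name the permission problem.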


Filed under: putty ssh


Discovered FileZilla (http://filezilla.sourceforge.net/) a nice FTP and SFTP client. GPL so I can use it at work. I will disable FTP on my home server, I want to use SSH as much as possible.


Filed under: ssh


Experimented with using RSA keys with ssh to avoid logging in. Didn't work: file formats are different. Have to try again later.

I found out why the print spooler was stopping my pc from hibernating: there was an unfinished print job waiting for paper.


Filed under: ssh