Linux Travel Kit (2020)

Last updated on 08/01/2020

Refer to local files with href as summary.




Use "uname -m" to discover "x86_64" is the Ubuntu architecture installed.



Package management

Linux versions

To find out Linux version: Hence: Documentation: Legacy: 'Lucid Lynx' (Ubuntu 10.04), 'Karmic Koala' (Ubuntu 9.10). BlackBetty is running 'Hardy Heron' april 2008 or Ubuntu 8.04. As Ubuntu relies on Debian, the following is worth reading:

Debian dpkg / apt-*

Basics: dpkg

Debian package manager dpkg is foundation for installing '.deb' packages. It is used by

APT etc

Info: The most used apt-get commands are apt-get install package name (frequently the package name is simply the name of the desired executable application), apt-get update, upgrade and apt-get dist-upgrade. You can use apt-file to find out where a file resides.

Which packages are currently installed/available?


What's installed:

Package information

Use 'apt show packagename'.


What is available in the wild can be found e.g. at Debian or What is available for installation on your platform is function of the repositories you connect to (your /etc/apt/sources.list). Simplest way seems to be via utils as above.

How to install/remove a package?


File '/etc/apt/sources.list' is used to locate the desired packages and retrieve them, and also obtain information about available (but uninstalled) packages. Use:


Do 'apt-get --purge remove foo'



Hardware recognition via lshw (if supported). Command "lshw -C " e.g. "lshw -C -network". Command "iwconfig" will show you wireless interface but not IP info. Command "ipconfig" will show less wireless info but also the IP info. E.g. lshw:

You can see which kernel modules are loaded via "lsmod". You can see iwlagn, iwlcore and rfkill.

To find out which wireless devices are in range you can do "iwlist wlan0 scan". This will report eg the C4 <-?-> network. As this network uses channel 6, you can configure: "iwconfig wlan0 channel 6". Or "iwconfig wan0 essid PwCGuestw ap any". Then try dhclient.

Default Ubuntu tool is "network-admin" if it's present.

Help & documentation


'man' information is stored inside files, residing in /usr/man.
Examples include man1, ... , mann and X.
As the Red Hat tips suggest to run /usr/sbin/makewhatis /usr/man /usr/X11R6/man to create 'the database' (whatever that is), did so. As a result, you can do 'man -k xyz'. This will inform you whether man information is available inside the various man sections like man1, man2, ... . For example 'man -k password' comes up with more than 10 suggestions. Changing a user's password ON A NETWARE SERVER is done by 'nwpasswd'. (And how on a simple Linux? Well, by using the Control Panel/user and group management.) Xman, with his 'search' function is also nice to use. I

II.102 whatis and id

'whatis' another kind of basic help system. 'id' is useful as it displays who you are.

II.103 file

Try e.g. 'file /etc/resolv.conf'. This will tell you it's an ASCII text file.

II.104 info / xinfo

The 'info' system is the old non-graphical hypertext documention tool. Try "xinfo" now.

II.105 find / locate

Try e.g. "find / -name xyz". This starts the search from / for any file called xyz. Try also "locate". This requires you build an index via 'updatedb'. This is supposed to run automatically via crontab.

II.106 Ubuntu documentation

II.107 The Linux Documentation Project

Found in /usr/doc/html.

Basic sysadmin & security


Is disabled by default. First account created i.e. marcsel has administrator rights, can do 'sudo'. Precede any command you would need to execute as root by sudo.

Ubuntu rootsudo To have administrator access, one must use one of two special commands, either "sudo" or "gksudo". The first is issued from a command-line. To use either command, your login must be registered in the "sudoers" file. This file is so called because it lists all users who can use the "sudo" command. To add a user to the "sudoers" file, the system administrator (the person with the login that was registered during the installation of Ubuntu) must login, and add the user with the "Users and Groups" administration utility. To access that program, select System ⇒ Administration ⇒ Users and Groups from the top toolbar. [Note: the system administrator cannot launch this application from within someone else's login session] To use a graphical tool such as Dolphin or Kate, do a "gksu dolphin" from the command line. You can simulate a root login with 'sudo -i'. If you really want you can enable root with 'sudo passwd root'. Or you can just do a 'su' without specifying anything, and then provide the root password.

Adding new users and changing permissions

Ubuntu Angkor

Root is created but only accessible for login if you force a boot in safe mode. You can open a terminal in Dolphin. User marc was created by PC Tronics but erroneously disabled by me by renaming his homedirectory. Naming it back did not help. So I created marc3:

Changing permissions:

Generating a new password - Red Hat

You can use mkpasswd to generate passwords. And to force them on a user. However, 'mkpasswd -l 6 patti' fails, stating there is no /etc/passwd file. Does Red Hat use some kind of shadow password file? No, since a 'less /etc/passwd' reveals the contents and all the userids. Patti has been created, apparently without a password. Still, she can't login, and only get the message 'login incorrect'.

So what, Red Hat? ===> Use GUI (control panel) for user management, and you're OK.

Mounting devices

Your kernel needs to support the device type you want to mount. Good place to find out is via the systemlog viewer (e.g. KSystemLog) or in /var/log/messages. To access a device you need to be able to 'see' the device, and then you need to specify a mount point that applications can reach.

The commands:

Mounting CD

Question : Is kernel supporting this?
Answer : Yes, e.g. on Toshiba laptop: look in /var/log/messages : kernel : hdc: TOSHIBA CDROM XM1402B ATAPI CDROM Drive.

Question : How to mount?
Answer : look in /usr/doc/howto/cdrom : mount -t iso9660 -r /dev/cdrom /mnt
WRONG - you have to replace /dev/cdrom by /dev/hdc. Then it works. So : mount -t iso9660 -r /dev/hdc /mnt Do a cd /mnt, and you'll see the CD.

Question : How to unmount?
Answer : umount /mnt

Question : What if you get the message /dev/hdx device is busy?
Answer : that means a process is still accessing the CD. If you're working under X, your previous non-X terminal might still hold the CD. Try fuser -v /mnt... to identify the holder of the lock.

Mounting a floppy

First, do a 'mkdir /floppy'. Then 'mount -t msdos /dev/fd0 /floppy'.

Mounting a USB device

USB is a bus, with a single host, controlling all connected devices. Devices can't directly talk to one-another. Ways to find info:

Removable harddisks are mostly simulating SCSCI, so prereq is to have SCSI in the kernel (ref Device can be formatted as FAT32, NTFS, etc.

Find info via

First create mountpoint directory e.g. /usbntfs (since formatted as ntfs). Mount with mount -t usbntfs /dev/sda5 /usbntfs and you're in.

Used USB's include:

Question: how does this automounting with eg Dolphin work? /etc/fstab, /etc/mtab ...stuff.

Creation and removal of directory

Command rmdir will only remove empty dirs. Otherwise use rm -r dir. You will be prompted to confirm. To avoid the prompt, use rm -rf dir.

Packaging a directory with tar, gzip and pgp



VERSION 1.b TAR and GZIP in two steps

VERSION 1.c TAR, GZIP and PGPE -C (Conventional, i.e. symmetrical)

VERSION 2.a TARZIP (tar including compress)

VERSION 2.b TARZIP and PGPE -R (Asymmetrical)

VERSION 3 TARZIP and PGP -C (Conventional, i.e. symmetrical)

VERSION 4 TARZIP and Geheimnis/gpg - SuSE 7.2

RH: via the 'time machine' on the control panel.

Process/service starting, stopping, monitoring

There seem to be now


Logging comes in two types:

(1) from executing processes, calling the log function, whose calls are served by a logging daemon such as klog and syslogd (the daemon then writes the entries into the logfile). Typical logfiles include /usr/adm/lastlog (each user's most recent login time), /etc/utmp (a record per login) and /usr/adm/wtmp (a record per login/logout). You can use last to view such a file.

(2) from the accounting, started via the accton command, the /usr/adm/acct contains a log of every command run by the users.

The syslog facility allows any program to generate a log message by writing to /dev/log, /dev/klog and 514/udp. Grouping of the sources generating the log entries is done in syslog's facilities such as kern, user, mail, lpr, auth, daemons, ... .

In addition to facilities, there are priorities as well: emerg, alert, crit, err, warning, ... .

Incoming log entries are parsed against a table in /etc/syslog.conf, defining for each facility & priority where to forward or log the message.

An example: *.err;kern.debug;auth.notice /dev/console auth.* root

On previous Slackware Linux, standard logfiles include:
- /var/adm/syslog, messages (bootmessages), lastlog, utmp (binary logfile about current users), wtmp (binary logfile about login/logout)
- /etc/utmp (binary logfile about current users)

Under RedHat, have a look in /var/log. I modified /etc/syslog.conf to log everything into /var/log/syslog.kassandra. For this purpose, I saved the original syslog.conf into .original, and I did 'touch /var/log/syslog.kassandra'. I then stopped/restarted syslogging through the control panel/runlevel manager.

'Tail /var/log/syslog.kassandra' tells me the restart worked out fine.

To make sure I log the absolute maximum and know where, I modified /etc/syslog.conf, now everything goes to /var/log/avina001.log ---- key line in /etc/syslog.conf--------------- # enable this, if you want to keep all messages # in one file *.* -/var/log/avina001.log ---- end of /etc/syslog.conf ------------------- Remember: the "dmesg" command is also useful to display kernel boot time messages.


Basics are documented in On Angkor I installed "BUM" to manage what gets started at boottime.

Some more detailed information can also be found in the files in the /usr/share/doc/sysv-rc directory. Linux run levels are based on System V init:

Each defined run level should have an rcX.d directory where X is the run level number. The contents of the rcX.d directory determines what happens at that run level.

Use 'runlevel' to find out current runlevel (typically 2).

When changing runlevels, init looks in the directory /etc/rcn.d for the scripts it should execute, where n is the runlevel that is being changed to, or S for the boot-up scripts.


Use SystemV init GUI editor. On malekh, unfortunately, this utility has gone... Checked it out on boy, 'sysvinit-2... is another package. Apparently, the package gets installed by default by YaST, but this excludes the GUI I used on boy, ksysvinit. Check out the package kdeadmin contains ksysvinit. I downloaded it into /Kassandra_Data/AdditionalRPM, but it is in .bz2 format, which gzip does not recognize. Alternative: get kdeadmin package from a CD. SuSE 6.1 only comes with a kdeadmin-1-1.dif file on CD1, this seems to be some kind of patch file, not the real thing. Now what, ksysvinit?

Default solution suggested by SuSE is

Source of information : RedHat's 'Boot-Process-Tips'. Linux now uses SysV-style initialization.

(1) Start kernel, LILO starts a kernel image (e.g. vmlinuz...)
(2) Start 'init' The kernel searches /etc, /sbin (and maybe some other places) for 'init', and runs the first one it finds. (
3) 'init' opens /etc/inittab By opening '/etc/inittab', 'init' finds out the sysinit script ('/etc/rc.d/rc.sysinit') and the runlevel ('id:3:initdefault' => runlevel 3 is default). I'm not sure whether the rc.sysinit script runs before the rest of the scripts is kicked off, but lets assume it is.
(4) the /etc/rc.d/rc.sysinit script executes Here, a lot of things happen, including starting rc.serial (if it exists).

-*- On default RedHat, rc.serial does NOT seem to exist. However, under the Control Panel/Network Configurator, you can define and activate interfaces, including e.g. a ppp0 on /dev/cua0. So would it not be possible to define another ppp interface, on /dev/ttyS0? Whow would deal with the 'setserial' aspects? -*-

(5) the scripts for the desired runlevel are executed

The default runlevel (defined in 'id:3:initdefault') is 3, which (I assume) requires the running of all the scripts in the '/etc/rc.d/rc3.d' directory. In this directory, there are only links to scripts. The scripts are actually residing in '/etc/rc.d/init.d'. For runlevel 3, this includes :

Now each of these scripts can be executed manually as well, e.g. '/etc/rc.d/init.d/httpd.init stop[or start] '

Link with the control panel/runlevel editor? Well, if you add/remove a script from a runlevel, this is automatically reflected in the links in the /etc/rc.d/rc3.d directory.


Use 'shutdown now', 'shutdown -h now' (halt), 'shutdown -r now' (reboot).

Getting back that color ls

On Kassandra:
Try 'man color-ls' and 'man dircolors'. The .bash-profile needs to be updated with 'eval 'dircolors' and an alias for 'ls=color-ls --color=yes'. Check this out in the mini-HOWTO.

On Toothbrush
Automatically provided by SuSE.

Creating a new kernel

Getting the sourcetree in place. Start from InfoMagicGreen9612, CD 1, directory /SRPMS, which contains a file called kernel-2.0.18-5.src.rpm. Unfortunately, glint refuses to read it, while a manual browse shows all the rpms. Have a look in the Kernel-HOWTO (however, assumes you have to ftp the kernel in tar format over the Internet).

So let's go for manual install. If you peek in /usr/src/redhat and /linux, you find that the sources are apparently expected here. So let's try 'rpm -i /mnt/SRPMS/kernel-2.0.18-5.src.rpm'.

No message comes back whatever. Let's do 'rpm -qa | less': this only shows kernel 2.0.18-5, which is the executable format. Glint does not show me any source, and running 'rpm -V kernel-2.0.18-5.src.rpm' says it's not installed.

So what? Well:

You now have sources in /usr/src/redhat/SOURCES/linux/kernel.

Lesson learnt: glint does not show you this tar.gz file anywhere, you have to manually work your way through the rpm -ivv / gunzip / tar command...
  Running make according to the RedHat 4.0 Manual. Position yourself at /usr/src/linux, go. 'make mrproper' results in error ARCH2 'make config' results in the familiar question and answer game... New kernel will be written to .................

Making your new kernel bootable via LILO

Edit /etc/lilo.conf, provide a label and a pointer to your new kernel. Run lilo.

Step 1 - Fact gathering:

'/usr/src/linux-2.2.14.SuSE/Documentation/kernel-parameters.txt' contains an overview of kernel parameters. CHECK OUT '/usr/src/linux-2.2.14.SuSE/Documentation/kbuild/commands.txt' Step 2 - Carry it out: Make sure the new kernel does not overwrite the original one....

Description: p. 233 of the SuSE 7.2 reference manual.

Kernels on imagine2: SuSE72001 and SuSE72002 (try outs, network OK). SuSE72003 created for SCSI-PCMCIA support.

Video hardware and display

Intro on Angkor

GigaByte Angkor comes with Nvidia 'GT200- Geforce G 210'. You can get details via 'lspci -vv'. After upgrade to Lucid Lynx v10.4, lots of problems with installing the nvidia driver. Apparently this is a kernel module. Problems you have to solve:

Finally got it working with instructions from

Website: ''. This reads QUOTE: Installation instructions: Once you have downloaded the driver, change to the directory containing the driver package and install the driver by running, as root, "sh ./". You may need to cd to "/marc4/downloads". UNQUOTE

One of the last installation steps will offer to update your X configuration file. Either accept that offer, edit your X configuration file manually so that the NVIDIA X driver will be used, or run nvidia-xconfig.

What gets installed

If your X configuration disappears for a userid e.g. marc3, then boot in recovery mode, do a login marc3, and then a "sudo /usr/bin/nvidia-xconfig". This writes a new xconfig.

NVIDIA troubleshooting

When you get strange behaviour in X, you can boot in recovery mode, login as root, and then execute "/usr/bin/nvidia-installer --update". This will download latest driver from You get guided through n-curses-based installer, that rebuilds kernel modules and re-configures. Legacy: VGA compatible controller: nVidia Corporation GT200 [GeForce 210] (rev a2) Subsystem: XFX Pine Group Inc. Device 2941 Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- SERR- Kernel modules: nvidiafb Ref above: kernelmod is nvidiafb. Also: ''xrandr' shows all possible resolutions.

What does this mean 'kernelmod nvidiafb'? Executing 'lsmod' does not list this module. Modules are found in '/lib/modules': you can find '/modules/2.6.31-14-generic/kernel/drivers/video/nvidia/nvidiafb.ko'. What's that? Use systemlogview to peek inside log. This shows a device section with driver "nv". Furtherdown it's specified what "nv" supports... a long list but not the GEFORCE G 210. And a little bit further down you see that X probes and does indeed find a GEFORCE G210.

So the mediocre quality is probably due to using just the "standard" driver "nv". What would be better?

Libraries: libc, libXm, ..

Introduction: format of executables

First of all, be aware that Linux supports 2 formats for executables: - a.out (assembler output) and - ELF (Executable and Linking Format). The a.out is discontinued. ELF is standard now. Full details in "The Linux Kernel Book".


Libraries are essentially a means of gathering several object fields together. This can be done in two ways:

Note that the name of dynamic libraries is conform to:

These libraries are defined as:

1. /lib (a so-called "trusted" library)
2. /usr/lib (=)
3. Libraries specified in "/etc/"


For shared libraries:

III.115.2 Kassandra RH 4.0
The libc package contains the basic shared libraries that are necessary for Linux to function. RH 4.0 came with libc 5.3.12-8 . Prior to ELF, Linux used a.out format. The library aout provides backward compatibility with this format.

III.115.3 Borsalino RH 5.0
For example: JDK library requirements: Before downloading the jdk, I checked my libs and found in glint: libc: 5.3.12-24 1.9.5-3 Xfree86: 3.3.1-14 Should be alright. Try ldconfig -D for obtaining an overview.

III.115.4 Suse53 problem Programs such as kpackage, man and xman suddenly started complaining they can't load Why not, how did I delete it(man used to work)? On Suse53-CD5 there is a /usr/lib/, and a /usr/i486-linuxaout/ (which is the older aout format I suppose...). Oddly enough, if I run a find on, the file is locally found in /usr/i486-linuxaout/ --- so why are they complaining? How are libs specified on my machine: in the three locations specified supra. Runnng ldconfig -D reveals a lot of info, including that apparently libdb.so1. get loaded ok from (the version found on Suse53 CD5). Now what?

Hard disk partitioning

With Ubuntu try 'gparted'. History: Using fdisk 'print' option on Kassandra reveals:
Disk /dev/hda: 64 heads, 63 sectors, 786 cylinders
Units = cylinders of 4032 * 512
Device Boot Begin Start End Blocks ID System
/dev/hda1 * 5 5 385 768096 7 OS/2 HPFS
/dev/hda2 386 386 776 788256 83 Linux native
/dev/hda3 1 1 4 8032+ 12 Unknown
/dev/hda4 777 777 786 20160 5 Extended
/dev/hda5 777 777 782 12064+ 82 Linux swap
/dev/hda6 783 783 786 8032+ 4 DOS 16-bit <32M


Use Alt-Gr key to access ~.

Red Hat 5.0

Red Hat 5.0 User Guide: use /usr/sbin/kbdconfig. Use e.g. "be-latin1". Note that this does not define your keyboard under X.

SuSE 5.3

Console: use YaST to configure an azerty keyboard. This definition goes into "/etc/rc.config".

Under X: use SaX to configure an international keyboard, with "Belgian" keys.   Use keymap to finetune if required.

SuSE 6.4

Use Sax to define 800x600 SVGA, with a Belgian keyboard.



Start with the security HOWTO in /usr/doc/howto/en/html/Security-HOWTO.html. On the web, check-out the Linux Security homepage (url in /LinuxWeb1000ITLinux.html). How about LASG, PAM, /etc/security entries, hardening SuSE ...?


Check out man page. Linux uses either a single large /etc/pam.conf file, or a number of files in /etc/pam.d (if the latter is present, the former is ignored). SuSE 6.4 came with /etc/pam.d provided. Documentation is found in e.g. /usr/doc/packages/pam/text. Apparently the /etc/security entries also seem related to PAM in some way.

Mini audit

Use e.g.:



Original source: As per man rsync, there are 4 basic scenarios to use rsync:

On Linux, rsync can be used as a client, or can be started as a daemon ("rsync --daemon"). On Windows, likewise, with "service" rather than daemon. Backing up Angkor2 to USB with rsync: "rsync -vvvrt /home/marc/Documents ""/media/Samson Two/201306/Backup Angkor2".

Using rsync from laptop to usbdisk

Mount e.g. "Samson One" so it's visible in Dolphin. Then do an rsync -vvrt /home/marc/Documents "/media/Samson One" This results in the contents of /home/marc/Documents be replicated into /media/Samson One.

Using rsync from laptop to usbstick

What's the usbstick called? Issue “mount”, results in: /dev/sdb1 on /media/KINGSTON type vfat (rw,nosuid,nodev,uid=1000,gid=1000,shortname=mixed,dmask=0077,utf8=1,showexec,flush,uhelper=udisks) So the usbstick is formatted as vfat. VFAT is an extension of the FAT file system and was introduced with Windows 95. The command “rsync -vvvrt /home/marc/Documents /media/KINGSTON” creates /Documents on the usbstick and syncs the files. Options: -v verbose -r recursive (into directories) -t preserver modification times “--modify-window=2” is recommended if the target file system is different from ext2 or ext3, because the time management of VFAT/FAT32 etc less accurate than that of ext2 or 3.


Legacy: try scenario 4, push from Windows to rsync daemon on Angkor2. Needs /etc/rsyncd.config and /etc/rsyncd.secrets to be created. Done, daemon starts, but authentication continues to fail. Tried various users and passwords. Legacy: try scenario 2:

  1. on Windows, install cygwin from, including ssh-openssh and rsync

  2. on Linux, install ssh, sshd and rsync

  3. on Windows, execute keygen (remember passphrase on private keyfile), mail pubkey to Linux, store in /home/marc/.ssh/authorized_keys, try 'ssh marc@'

  4. on Windows, open cygwin terminal, perform rsync -avvvr --rsh=/usr/bin/ssh /cygdrive/c/Users/selm/Desktop marc@


bash and tracing the execution of a script or program

For login and scripting, Linux typically relies on bash.Bash is a sh-compatible command interpreter. Info via 'man bash' and in /usr/share/doc/packages/bash. Personalisation:

When bash is invoked as sh, it tries to mimic the behaviour of older versions of sh, and it will not consider any tailoring from start-up files. You can see the value of the environment variables by using 'env'. If you want to see the value of one particular variable, do e.g. 'echo $CLASSPATH'. Rember it is good practice to set values via /root/.bash_profile.

Tracing: use "sh -x /foo/script parm1". Program: try "strace".

Sound and Audio


Angkor: ALC888 (apparently digital and analogue) ALSA ? alsactl?

Secure delete and privacy


Linux manual removal of trash is done by e.g. rm -rf ~/.local/share/Trash/*

Source: Ubuntu comes with the “shred” command. The basic format of the shred command is this: shred [OPTIONS] filename Common options you’ll want to use when you shred a file are: -n [N] Overwrite a file N times. For example, -n 20 will perform twenty passes over the file’s contents. -u Remove the file after you’ve shredded it. You’ll probably want to use this option in most cases. -z After shredding a file with random bits (ones and zeros), overwrite the file with only zeros. This is used to try and hide the fact that the file was shredded. So, for example, to shred a file “topsecret.txt” with twenty-six iterations (I want to make sure it’s really, really gone!), and delete it afterwards, and hide the fact that it was shredded, I would run: shred -u -z -n 26 topsecret.txt

secure-delete tools (also directories)

Installation: apt-get install secure-delete

Commands: srm, smem, sfill, sswap srm – secure remove This tool is basically a more advanced version of the “shred” command. Instead of just overwriting your files with random data, it uses a special process – a combination of random data, zeros, and special values developed by cryptographer Peter Gutmann – to really, really make sure your files are irrecoverable. It will assign a random value for the filename, hiding that key piece of evidence. srm is used like this: srm myfile.txt Or, for directories: srm -r myfiles/ with the “-r” for recursive mode. smem – secure memory wipe While it’s true that your computer’s RAM is emptied when you power-off your computer, you probably didn’t know that residual traces of data remain in memory, like hard drives, until they are overwritten many times. This means that it’s relatively easy for someone with the right tools to figure out what you had stored in RAM, which may be the contents of important files, internet activity, or whatever else it is you do with your computer. The basic use of smem is the same as srm, although it is a good deal slower. There are options to speed things up, but they increase the risk by performing fewer overwrite passes. For a complete list of options, read the manual on smem (the man smem command), but its basic use is just running the “smem” command sfill – secure free space wipe sfill follows the same general method as srm. It is used to wipe all the free space on your disk, where past files have existed. This is particularly useful if you are getting rid of a hard disk for good; you can boot a LiveCD, delete everything on the disk, and then use sfill to make sure that nothing is recoverable. You may have to be root in order to use this tool effectively, since regular users might not have write access to certain filesystems, and you might have a quota enabled. sfill usage is: sfill mountpoint/ If you specify a directory that isn’t a mountpoint itself (for example, if you have /home/ on a separate partition, but you select /home/me/fun), sfill will wipe the freespace on which the directory resides (in the above example, the /home partition). sswap – secure swap wipe The sswap program is used to wipe your swap partitions, which store the data of running programs when your RAM is filled up. Therefore, feel a need to run smem, it’s probably a good idea to run sswap, too. However, before you use it you must disable your swap partition. You can determine your mounted swap devices by running: cat /proc/swaps Or looking in your /etc/fstab file for filesystems of the type “swap”. In my case, my swap partition is /dev/sda5, so to disable it I run: sudo swapoff /dev/sda5 Once your swap device is disabled, you can wipe it with sswipe. In my case, I run: sudo sswap /dev/sda5 If you aren’t running this as root (sudo), you’re likely to get a permission denied error. As with any of the above commands, you can get more information while it’s running by adding the “-v” option for verbose mode. Also, don’t forget to re-enable swap when you’re finished! Use the swapon command: sudo swapon /dev/sda5 Advertisement: Trying to recover deleted data? Try the most powerful PC/Mac data recovery tool – Wondershare Data Recovery A word on passes and filesystems Passes A commonly asked question is, “how many passes does it take before a file can’t possibly be recovered by advanced tools, such as those used by law-enforcement? The answers here vary, and you can get a lot of extra information via google, but the basics are that the US Government’s standard is 7 passes, while data has been known to be recovered from as many as 14 passes. The “shred” tool allows you to specify the number of passes you wish to make, Secure-Delete tools use a default of 38 passes (enabling the “fast” and “lessen” options on the secure-delete tools significantly decreases the number of passes, however). Of course, more passes means more time, so there’s a trade-off here; depending on how private the data is, and how much time you have available, you may want to use a fewer or greater of passes. Filesystems Another thing to note is that RAID configurations and networked filesystems may affect the performance and effectiveness of these tools. Using a networked filesystem, for example, unless you can SSH into the remote computer, you can’t wipe the machine’s memory and swap. With RAID striping, there are more disks to consider, hence more redundant data traces, so you may want to consider doing a few extra passes. especially using the shred tool.


Remember stuff will reside in /home/.cache/tumbnails directories.

Basic programming (vi, emacs, gcc, ... )

vi and beav

Remember it's
esc - : - w to write the file,
esc - : q to quit.


Seems to be a hex editor. Check this out.


OK. Works nicely. Question : how do I enter shell commands from within Emacs?
Answer : esc - x - 'shell'. Then enter your shell commands.

Question: how do I create special characters like the at-sign?
Answer: this seems to be depend whether you run under X or not...

Question: how do I display line numbers?
Answer: esc - x - 'line-number-mode'

Question: how do I modify the size of the split windows?
Answer: Note that there is also a more sophisticated "xemacs".

gcc and gpc

The GNU C and Pascal compilers. Use "man gcc / man gdb / man gpc". Check-out . Note that "gcc -v" gives you your gcc basics. SuSE 7.2 comes with gcc 2.95.3 .


ALTERNATIVE 1 Plain gcc compilation. For example "gcc -v -o testy showenv.c" where:

Execution is by cd-ing into the directory and specifying the full path of the executable. PROBLEM - Number Theory A Programmer's Guide. Copied source code to /CH1 and numtype.h to /usr/include. Had to change NUMTYPE.H into numtype.h . Then run into cc1plus problem (signalled as a 'gcc installation problem'). The gcc manual explains that cc1plus is the name of the compiler for C++. So what? PROBLEM - Cryptography in C and C++ - gcc complains about missing flint.h and assert.h - copied them to /usr/include - OK but now whole list of "undefined references". SOLUTION - "gcc -v -o testrand testrand.c /flint/src/flint.c" i.e. statically link with flint.c itself. Other interesting gcc options include:

ALTERNATIVE 2 MAKE For compiling, you can use a 'makefile', residing in the same directory as the sources and called 'make'. See inside for usage.

In case of problems with make, you can try "make programname -d" (d for debug) - quid this a.out ---? It makes a lot of sense to use make with a prefix

ALTERNATIVE 3 Automake, autoconf, libtool Can be downloaded and installed from .

ALTERNATIVE 4 ANT The Java way...


Execution of the program: "/Kassandra..../full-path/showenv"


JDK1.1.3 on toothbrush (SuSE 5.3)

Be aware that there are many alternatives to run Java on Linux. This includes the jdk port from, guavac, kaffe, tya etc.

I went for jdk113, included with SuSE 5.3. This brings along:

Key troubleshooting to get jdk113 running:

  1. You need the right PATH statement. ">which java" results in ">/usr/lib/java/bin/java". Mind you, "java" is just a wrapper script, locating and starting the right binaries. Apparently, PATH gets set in /etc/profile.

  2. You need the right CLASSPATH statement. What is your current CLASSPATH's value? ">echo $CLASSPATH". If nothing comes back, the variable is not set.

Compile with

Check that you indeed have a brandnew compilation e.g. with "ls -l"

Run with ">java nsm1" (note the lack of the .class extension).

JDK1.1.3 - a word about Applets

Running the appletviewer:

Set the classpath (refer to above). Then ">appletviewer HelloWorldApplet.html"

Adding an applet to your webpage: Which applets does Sun provide to play with? Demos go (discovered through YaST) in /usr/doc/packages/javadoc/demo. Just open the html files there.

JDK1.1.3 - a word about Security

Security settings are defined in /usr/lib/jdk1.1.3/lib/security/

JDK1.1.7 on malekh (SuSE 6.1)

Documentation in:

Installation done as part of the overall YaST installation, and:

On CLASSPATH: Java(c) on Linux runs via a 'wrapper' script, located in e.g. "/usr/lib/java/bin/javac ---> .java_wrapper". The wrapper checks (if [-z "$CLASSPATH ...)" whether the CLASSPATH had been set already, and always appends his stuff to what was already set. So if you want to add your own classfiles for IMPORT statements: set CLASSPATH and export it.

Problem-1: I set my classpath, but it seems to go unnoticed to javac. Solution-1: Careful: if /JavaSamples/CoreJavaVol1+2/corejava is a directory containing useful classes such as CloseableFrame, then set the classpath just above it:

  1. "CLASSPATH=/JavaSamples/CoreJavaVol1+2" (setting the classpath too deep results in not finding your imports...)

  2. alternatively, you can also append more: "CLASSPATH=/JavaNSMsec:/JavaSamples/CoreJavaVol1+2"

  3. "export CLASSPATH"

  4. "env" shows you the value of your environment variables, include CLASSPATH

  5. "sh -x javac" will show the wrapper's substitution of CLASSPATH

Problem-2: I set my classpath, but classes in my current working directory are no longer accessible now. Solution-2: explicitly include ".:" when setting the classpath:

  1. "CLASSPATH=/JavaSamples/CoreJavaVol1+2:/JavaNSMsec" (no leading ".")

  2. "export CLASSPATH" - you can use "env" to check...

  3. "javac" or "sh -x javac"

  4. now again explicitly set CLASSPATH, with a leading ".": "CLASSPATH=.:/JavaSamples/CoreJavaVol1+2:/JavaNSMsec"

  5. "java myprogram" or "sh -x java myprogram"

You can also modify "/usr/lib/java/bin/.java_wrapper" to obtain some more feedback.

For NSM:

  1. "cd /JavaNSM"

  2. "javac" or

  3. "sh -x [/usr/lib/java/bin/]javac" to see substitutions in the wrapper

  4. "ls -l" will show the timestamp of the .class file

  5. "java master09" (or "sh -x java master09")

CRYPTIX ---> ref to the crypto software (including how to compile a package).

APPLETS: for O'Reilly's "Java in a nutshell": chapter 6. The resides in "/JavaSamples/SampeNutshell/ch06/". I created the necesarry html as: ""

This runs smoothly, and you can check out the Java console of Navigator to see what happens. Here you see that Navigator 4.51 runs Java 1.1.5 (only).

JDK1.1.7v3 on avina

Basic documentation in '/usr/doc/packages/java'. Blackdown 1.1.7v3. Oddly enough, there are both:

Which is in use? Running 'env' shows I have /usr/lib/java/bin' in my PATH. Running 'java -version' shows I use '1.1.8'. YaST shows that 1.1.8 comes from package ibmjdk & ibmjre. More info on As you can see in /usr/lib/jdk1.1.8, there are goodies added such as javap (disassembly). Further down the tree you'll find property files and the file.

Checkout: java support in the Linux kernel: "/usr/src/linux.../documentation/java.txt"

Java2 on malekh- direct download from Sun

Given up, rather migrate to Java2 as part of SuSE 7.0.

Java2 on tux (SuSE 7.0)

Installation of various Java components done as part of the overall YaST2 installation. xrpm tells me we now have:

What do we have:

Which version is this? Sun/Blackdown? IBM? Most likely Sun/Blackdown. Some investigation: Java2 demo's:

  1. Java2D demo's:

  2. SwingSet demo's:

  3. "appletviewer /usr/share/doc/packages/IBMJava2-SDK/jfc/demo/SwingSet2/SwingSet2.html"

  4. Others: Metalworks, SwingApplet, ...

* Remark * Netscape 4.74 supplied with SuSE 7.0 still only runs jdk115. However, a plug-in allows to run Java2 programs. The plug-is is provided by Sun for Win32, Linux is under development.

Java2 on imagine2 (SuSE 7.2)

FIRST TRY Installation of basic JDK and JRE done as part of the overall YaST2 installation. Running "java -version" tells me I have "java 1.3.0". xrpm tells me "java2 1.3-46" resides in "/usr/lib/jdk1.3". Doc and demos in "/usr/share/doc/packages/java2". SECOND TRY Yast2 installation of Java does not result in a working "javac" or "which java". So I did: "PATH=$PATH:/usr/lib/jdk1.3/bin" and "export PATH". Then OK.

Prerequisites for J2EE: J2SE 1.3.1 (not included in SuSE 7.2)


See JTK1.html .


From the "LDAP programming in Java" book. The actual SDK classes reside in /packages/ldapjdk.jar and /packages/ldapfilt.jar. These must be included in the CLASSPATH. Useful programs include /src/netscape/ldap/tools/ etc. Usage e.g. "java LDAPSearch -h -b" "ou=member_directory," "cn=tony d*"

JBuilder V3.5

Note that having Java2 installed is a prerequisite.


Move javacomp... file from CD to /. Run "tar xvfz ....", which results in /javacomp-1.2.15. Now you have to copy to the jre directory. Use xrpm to find this jre directory: probably /usr/lib/jdk1.2.2/jre/lib/i386. From now on, you can use the JIT by specifying flags on javac / java: Quote from README.TXT: To use the JBuilder JIT for Linux you can either set the environment variable JAVA_COMPILER to javacomp (e.g export JAVA_COMPILER=javacomp if you are running bash) or you can set the JDK system property when you invoke the java runtime: java -Djava.compiler=javacomp HelloWorld to run HelloWorld using the JBuilder JIT for Linux or javac -J-Djava.compiler=javacomp to use the JBuilder JIT for Linux with javac Unquote.

JBuilder - install

Follow instructions. Into /usr/local/jbuilder35. Also installed JDatastore, a DBMS, the JBuilder documentation, the samples. Installated the OpenTools documentation into /usr/local/jbuilder35/opentoolsdoc as well. Running: unclear how to start from CLI, but an entry was added in KDE's personal settings. First start-up required to enter licensekey. Running JBuilder and JDataStore goes fine.

JBuilder - components

There is:

  1. JBuilder

  2. JDatastore

  3. Documentation

  4. Samples

  5. OpenTools

Where does it live:

Further details can be found in jBuilderToolKit.html


IV.109.1 What have we got..

The manual is found here

Following directories are used:

IV.109.2 Completing the installation

Execute "mysql_install_db", which results in creation of 6 tables: db, host, user, func, tables_priv, columns_priv in /var/mysql.

Provided a password (vwp91) via "mysqladmin -u root -h localhost -password vwp91 -p". Apparently this failed since the server was not yet running.

Start the server via "safe_mysqld &". You can now e.g.

IV.109.3 Creating databases and tables

Creating a database means creating a directory under the "mySLQ data directory" to hold the tables. Various ways exist:

IV.109.4 Batch mode (scripts)

Via "mysql -h localhost -u root < script". You can also "... | more" or "... > output.txt".

IV.109.5 Via JDBC

MM.MySQL driver(apparently version 1.2c) downloaded via (an alternative seems to be via GNU). Downloaded and unpacked in /Java55mysqldriver. Sample programs downloaded in /Java90Samples/JDBC2. Results in "no suitable driver".

MM.MySQL 2.04 states: requirements: any JVM supporting JDBC-1.2 or JDBC-2.0. What am I using??? and also: MySQL protocol 9 or 10. What am I using???


Installing Ant

Downloaded from Untar installs Ant in e.g. "/jakarta-ant-1.4.1". Ant requires a JAXP-compliant XML parser. The binary version of Ant includes the Apache Crimson parser. Ant (binary version) consists of /bin, /lib and /docs.

Preparing to run Ant

To run Ant, you need to:

Ant basics

Each build.xml file contains one project. Each project has three attributes:

Each project has one or more targets, for which tasks are executed.

Running Ant

Just "ant". By default Ant will look for a "build.xml" file. If not found at the level of the working directory, Ant will search in higher directories. You can also specify "-find". And "-verbose", which is very helpful.

Poseidon UML

Installing Poseidon

Download from . Install in /poseidon1.3 (no good under Kassandra's subdirs). Tinker a bit with /poseidon1.3/bin/ . Hardcode the classpath, make sure the right ".:/" is there (. for current, : to concat, and / to start the classpath dirs with). I used the following classpath def: CLASSPATH=.:/poseidon1.3/lib/poseidon.jar CLASSPATH=$CLASSPATH:/poseidon1.3/lib/docs.jar CLASSPATH=$CLASSPATH:$HOME/temp


Tried Forte/Sun One Studio - but this only works on Sun Linux or Red Hat. Gave up and switched to - download executable. Unpack. Start with '/netbeans/bin/ -jdkhome /usr/lib/java' .


Install on Kali

Run apt-get install nodejs. Msgs: installs libnode64 and nodejs-doc. Suggests to install npm.

Run apt-get install npm. Msgs: installs 250 packages, whose name is starting with node-. Tries to get them from kali-rolling/main 'node-name'. Sometimes fails. Fixed following the apt feedback.

What and where

In /usr/lib/nodejs you find all modules plus npm. Use apt show nodejs informs you ca-certificates and nodejs-doc are recommended to be installed. Use apt show nodejs-doc informs you this contains documentation - but WHERE is this stored?


See ''. Rather complicated, drop.

Visual Studio Code


See, where you can find a .deb file. On Kali, download .deb file into /Downloads. Then apt install ./code_1.41_etc. Software in /Sierra/VSCode.

Getting started

Start as code but will request a dedicated data directory if you're working as root. So create /root/Sierra/VSCode, start as code --user-data-dir /root/Sierra/VSCode

Refer to Steps:



Version control system created by Linus Torvald in 2005. As with most other distributed version control systems, every Git directory on every computer is a full-fledged repository with complete history and full version tracking abilities, independent of network access or a central server.

See also summary.

Bring something existing under git control


Clone an existing git repository from another server

EBSI try 1: All EBSI repos are on internal bitbucket:

EBSI try 2: ok:



Just remember :

What does rpm tell me about X? Go into glint (the package manager), and query under X11. You'll find some packages like fvwm, and the query will show you all the files (executables, definitions of resources, man pages, ...).

Customization of XF86, the X-server

What have we got to start with in case of Red Hat?

Obviously, in case of SuSE, use SaX.

Well, you run with a XF86Config file that you defined when first installing X.

Run 'SuperProbe' to find out the very basics, even before X is willing to start.

Run 'X -probeonly' and 'X -showconfig' to find out the basic parameters of my current set-up.

X -probeonly : 'SVGA, chipset clgd5436, videoram 1024K, clocks 25.23 .. 135.00, mode : 640x480, no mode def named 800x600'

X -showconfig : 'XFree86 3.1.2 / X Windows System V.11, revision 0, vendor release 6000, configured drivers : SVGA for 8 bit colour SVGA ...clgd5436...generic... Now how do I tailor my resolution? Via XF86Config, read on.

V.102.2 Initial customization via .Xclients

Created a .Xclients in my home directory of root (/root/.Xclients). If there is already an existing .Xclients file, save this as .Xclients.original. I'm sure you know you can verify the existence of . files via 'ls -a'. In my customized .Xclients file, I specified a minimal set-up of clients, and I start fvwm (rather than fvwm5).

V.102.3 Desktop customization via system.fvwmrc

Further desktop customization is carried out via /etc/X11/fvwm/system.fvwmrc . Here you set-up the pager, the colors, the menu items... .

Summary of configarable items

Part 1 : X - the display & keyboard server

CI 1 : the X server program
In fact 'X' (or rather /usr/X11R6/bin/X) is a symbolic link to the actual server program, e.g. /usr/X11R6/XF86_SVGA. This link is build via a 'ln' command. You can run SuperProbe to determine the setting of this link.

CI 2 : the X server configuration file
In pre-SAX systems, basic X configuration information went into /usr/X11R6/lib/X11/XF86Config. Now it seems to go into /etc/X11/XF86Config. Here you find the various sections :

Section "Files"
Section "ServerFlags"
Section "Keyboard"
Section "Pointer"
Section "Monitor" ... identifier - modes - modelines (documented in /usr/X11R6/lib/X11/doc) Section "Device" (linked to the chipset) Section "Screen" ... here we define Driver (the X server, e.g. SVGA), Device (cfr supra), Monitor (cfr supra), and a SubSection "Display", including the resolutions "1024x768"...

===> The easiest way to define this XF86Config file is by running the xf86config program.
Manually adjusting the contents of this file is, euh, very hard.

===> Your keyboard can be redefined through the XF86Config file. This might lead to problems with AZERTY keyboards etc. In case of doubt, disable these keyboad extensions in the Section "Keyboard".

===> Once you have e.g. three resolutions defined, you can toggle between them using cntl-alt-numkeypad minus/plus.

===> If your Xserver hangs, you can use Cntl-Alt-Backspace to kill it.

Part 2 : fvwm - the window manager

CI 3 : /etc/X11/fvwm/system.fvwmrc
Overall window manager & desktop settings. Here you call the executable program from the menu option.

CI 4 /root/.Xclients :
--- use the xsetroot command to set the root window ---

Part 3 : individual application settings

... to be further elaborated ...

X programming

cfr HP Xlib programming manual
cfr Xtoolkit

SuSe and SaX

SuSe's SaX will write your XF86Config into /etc/X11/XF86Config. So if you want to reuse the pre-toothbrush XF86Config, I guess you'll have to write it there... For some odd reason, the old XF86Config file does not seem to work. Fortunately SaX is pretty good. Running "startx" will create server logfiles in "/root/Serverlog".

You can use commands such as "xset q" to find out about settings.


Reinstall via 'sudo apt-get install kubuntu-desktop'


X goodies

Try: xinfo, xkill, xosview, xnetload, xgrab(sc), xwd, ...

Remote desktop - VNC and Krdc


Virtual Network Computing (VNC) mirrors the desktop of a remote ("server") computer on your local ("client") computer (it is not a separate remote login, as is XDMCP). A user on the remote desktop must be logged in and running a VNC server (such as X11VNC, Vino, or Krfb). Keyboard and mouse events are transmitted between the two computers. VNC is platform-independent —- a VNC viewer on one operating system can usually connect to a VNC server on any other operating system. (Windows users can use one of several clients such as UltraVNC Viewer.) Krdc is the default VNC client in Kubuntu/KDE. It can be used for both VNC and RDP connections.


Krdc is the default VNC client in Kubuntu/KDE. It can be used for both VNC and RDP connections.


VI.101 NET-3

VI.101.1 Intro

According to the NET-2/3-HOWTO, since kernel 1.1.5 you have NET-3. Programs like ifconfig, route and netstat are called the NET-3 'utility suite'. Programs like telnet(d) etc. are called the 'network applications'.

VI.101.2 Basic choices to be made

IP address : is defined per interface (ifconfig command) :
- for the loopback interface
- if Kassandra acts as a ppp server via nullmodem, this Class A address automatically uses as netmask. And the IP address of your host is also stored in /etc/hosts.

Network address : is the AND of your IP address and your netmask :
- AND = Broadcast address : is the network address OR the inverted netmask (cfr NET-2/3 HOWTO if you need this)

Router (gateway) : not necessary for loopback of PPP usage (but for PPP you may have to issue a "route add default gw" command).

Nameserver address : use the ISP's (or run named yourself)

rc files : to automate your configuration commands. Linux supports both BSD and SYS-V style rc commands.

/etc/rc.d/init.d/network : initial script that verifies the existence of /etc/sysconfig/network, which contains definitions like e.g. HOSTNAME=Kassandra. If it finds it, it cd's to /etc/sysconfig/network-scripts, where the configuration scripts (e.g. ifup-routes etc...) reside.

VI.102 Traceroute - tracepath

The old traceroute may still be available but there is also the newer "tracepath". And there is also "lft" layer four trace. Great.

VI.103 DNS - nslookup - ksoa

VI.103.1 DNS on Kassandra (RH 5.0):

In /etc/host.conf I have 'order hosts, bind multi on'. This means: first check the host file (/etc/host), then use the nameservers (aka bind). Multi means that you accept multiple resolutions. This looks OK. However,there is no /etc/resolv.conf. Well, the 'resolv.conf' file gets automatically created via the control panel.

VI.103.2 On Toothbrush (SuSE 5.3):

Use e.g. INnet's DNS on "". Configure this via YaST, System Admin/Network config. This results in an "/etc/resolv.conf" file with the remark "don't edit, created via SuSE configuration editor". Not bad.

VI.103.2 On boy (SuSE 6.0):

Similar to SuSE 5.3, use YaST to rely on INnet's DNS on "". Careful when using DHCP, this simply overwrites your "/etc/resolv.conf"

VI.103.3 nslookup - ksoa

Don't forget nslookup gives you plenty of info. And KDE comes with KSOA.

VI.103.4 DNS on malekh

Apparently the INnet DNS server ( went down at a certain point in time, so try:

Trying this yields no successful name resolution, maybe these are internal name servers? Tried again later with the INnet DNS server, ok again.

VI.104 Serial communication/nullmodem

VI.104.1 Com ports

The serial ports COM1..COM4 have specific names under Linux, depending whether you use them for input or output:

So outgoing Netscape traffic will talk to /dev/cua0, and incoming nullmodem traffic will be listened to via /dev/ttyS0 or ttyS2 (pcmcia card)

Note the subtle different with VCs (Virtual Consoles), which are called tty1 etc, WITHOUT the 's' (tty1 versus ttyS0).

Remember 'setserial' sets up the serial ports at boot time. Try 'statserial' to find out the status of your 'pins'.

VI.104.2 Incoming traffic : getty -mingetty-

For incoming communications, a getty program watches the port. This getty is started via INIT, with the definitions found in /etc/inittab. There you'll find lines stating : '1:12345:respawn:/sbin/mingetty tty1'.

--- I note a small inconsistency here: do ttys0 and tty1 match? Or not? CAREFULL : ttys0 is COM1, a serial port, tty1 is the first Virtual Console. So there is no inconsistency at all. ---

Also, 'man mingetty' informs me that this is 'minimal get tty' which does not support serial lines. So I first have to change the listening getty program. 'mingetty' suggests 'mgetty', but there's no manpage for that. -getty_ps & uugetty -

So let's look in the Serial-HOWTO, '/usr/doc/HOWTO/Serial-HOWTO.gz'. This explains how to set-up getty_ps and uugetty, but now where to get them from.

So let's look into Red Hat package manager etc. How to install getty_ps and uugetty? Well, do this via glint. Now how do we get getty_ps to listen to an incoming serial port? Right now, the /etc/inittab contains a definition like '1:12345:respawn/sbin/mingetty tty1' However, this only deals with the Virtual Consoles, hence the reference to tty1 rather than /dev/ttyS1. So add a line to /etc/inittab, making an executable out of the getty_ps package watch over ttyS0.

Question: what is the name of the loadmodule of 'getty_ps'?
Answer: Glint tells me that getty_ps is a package under 'utilities/system', the executables are /sbin/getty (for consoles) or uugetty (for modems). So I've added a line to let uugett watch over ttyS0, the incoming COM1 port.

In order to be able to let root login, I also added ttyS0 in /etc/securetty.

Question: how does setserial initialize my serials at boot time?
Answer: ...

VI.104.3 securetty

The file /etc/securetty can be used to restrict the login of root to a particular tty port. Refer to 'man securetty' and 'man login' for interesting details.

VI.105 Minicom

VI.105.1 Basics Documentation:

Can be found in /usr/doc/minicom - man minicom - minicom -h The executable is typically /usr/bin/minicom.

Configuration goes e.g. /var/lib/minicom/minicom.users and minirc.dfl (defaults). On SuSE, I also noticed an "/etc/minicom.users". Check out the contents of the package via glint or rpm if in doubt. Minicom can talk to the modem via:

This is defined in the Minicom-configuration.

VI.105.2 Minicom configuration

Minicom can be configured in at least two ways:

  1. by running it with the -s switch: minicom -s

  2. once within minicom, use Alt-O or Cntl-A O (cOnfigure?)

You typically create an entry for your ISP via Cntl-A D.
Remember help is provided via Cntl-A Z, quitting is via Cntl-A Q.

VI.105.3 Minicom trouble shooting

Make very sure dhcp-client is stopped (/sbin/init.d/dhclient stop - or /etc/init.d/...). If you get the message '/dev/modem is locked', you can at least try 2 solutions:

  1. identify the locking PID in the logfile and kill it: one way is to peek inside "/var/lock/LCK..cua1" - here you'll find a PID. Kill it with e.g. "kill -n 9 PID".

  2. reboot the machine.

Minicom via serial interface apparantly won't run together with pcmcia services. So stop these, e.g. via Sys V init editor.

After using pcmcia & dhcp, DNS seems to be screwed up as well. You need to manually adjust "/etc/resolv.conf" again. That's why I created a "resolv.conf.original". Anf finally, if you want to surf, remember that Netscape might have been configured to go via a proxy (edit preferences - direct connection).

VI.106 ppp

VI.106.1 PPP basics

Ultimately, pppd lives as /usr/sbin/pppd. Options go in /etc/ppp.

  1. Ensure dhcp-client has been stopped, e.g. /sbin/init.d/dhclient stop - or /etc/init.d/...

  2. Via minicom, dial out

  3. Logon to your ISP machine using your uid/psw

  4. [Optionally, you may need to start the pppd server on the ISP side (but this is rare)]

  5. Quit minicom without resetting the modem (Cntl-A Q or Alt-Q)

  6. Start pppd as a client, e.g.:

    1. cd /usr/lib/ppp

    2. pppd -d -detach/dev/____ &

  7. Optionally, you may need to define the ppp link as the default outgoing route. Do this in three steps:

    1. ifconfig will show you the other side of the ppp link, e.g. P-t-P:

    2. now do: route add default gw 193.....

    3. ping, e.g. your name server (cfr /etc/resolv.conf)

  8. check again with ifconfig, netstat, pppstats

  9. start your browser

  10. terminate with ppp-off.


VI.106.2 PPP : info via control panel/package manager

Basic directories include : /etc/ppp (options) /usr/doc/ppp-2.2.0f-2 (readme's, scripts directory with lots of ppp scrip ts , ...)

===> README.linux is helpful, as well as : /usr/sbin/pppd /usr/sbin/pppstats

VI.106.3 PPP via RH control panel & modem

RH's PPP can be basically defined and activated via the control panel/networking. I can dial out and start the ppp0 automatically from here, and since I've hardcoded my password, apparently he does the login for me as well. If I then run ifconfig, I can see that I have a ppp0 running, and I can ping the other side.

For example the 'other side' of the ifconfig output, or, the INnet name server. However, where are the oldfashioned PPP commands??? Have a look in the rpm : for example in usr/sbin/pppd - pppstats ...

VI.106.4 PPP server via nullmodem

No change required to /etc/inittab, you don't need a getty to watch over the port.

Starting the ppp daemons:
=> Server (Kassandra): pppd -d -detach crtscts lock /dev/ttyS0 38400 &
=> Client (Bugis): pppd -d -detach crtscts lock /dev/cua0 38400 &

Verify via 'ifconfig' command.

VI.106.5 PPP on malekh

You have to:

VI.106.6 PPP on avina

What string to use in order to let the modem sound appear?

VI.107 tcpdump

VI.107.1 tcpdump introduction

Remember the basic structure of the protocol stack:

Appl: _________________________| appl hdr / data |_______

TCP: _________________| TCP hdr | appl hdr / data |_______

IP:_____________| IP hdr | TCP hdr | appl hdr / data |_______

Eth:_____| Eth hdr | IP hdr | TCP hdr | appl hdr / data | Eth trl |_______

Also, consider:

Basic documentation can be found in /usr/doc/packages/tcpdump.

Tcpdump operates by putting the NIC in promiscuous mode (which must be allowed by the OS). Note that alternatives to tcpdump include Solaris' snoop and Aix iptrace.

Tcpdump relies on the kernel to capture and filter the packets for it. BSD-derived kernels provide BPF (BSD Packet Filter), Sun provides the NIT (Network Interface Tap). Linux provides LSF (Linux Socket Filtering), derived from the BPF. Check this out on /usr/src/linux... /Documentation/Networking/filter.txt

Filtering: BPF is instructed by the tcpdump process to put the interface into promiscuous mode, and to pass all packets to tcpdump or to filter some out. The filter is specified on the command line. By default, all packets should be captured. If the network outruns the box, packets are 'dropped'.

Timeout: since the data rate of the network can easily outrun the processing power of the CPU, and since it's costly for a userprocess to read from the kernel, BPF packs multiple frames into a single read buffer and returns only when the buffer is full, OR after a user-specified time-out (default 1 s).

On SuSE 6.1, there was no man page for bpf. The kernel feature is probably Linux-specif.

VI.107.2 tcpdump on malekh

Basic fact-finding: try running 'tcpdump -i eth0'.

According to the man page, tcpdump should by default capture all traffic. But how do we get it visualised? Flags include

Question 1: where do we see/save the output?
Answer 1.1: use 'tcpdump' and the output goes to your screen.
Answer 1.2: use 'tcpdump -l > /root/tcpdumpdata1 & tail -f /root/tcpdumpdata1. The output goes to the file.

Question 2: what do we see?
Answer 2.1: Output is 'raw'. First the name of the itf, then a timestamp. Next sending host, then destination host.
Answer 2.2: I ran some tests and dumped them into /root/tcpdump123. Tcpdump's manpage states it was created to dump HEADERS of packets. Default lenght is 68 bytes, this can be changed with -s. Also, remember, it's called 'tcpdump', so we should be watching at the level of tcp (however...). How do we interprete?

Interesting add-on: tcpslice (checkout man tcpslice).

Also: checkout ITA: - the Internet Traffic Archive.

If you run 'ifconfig', you'll see the IP address of your eth0, and the PROMISC flag.

VI.108 iptraf

A basic traffic monitor, monitors load, indicates types of traffic, etc. Apparently no real sniffer capability. Check out /usr/doc/packages/iptraf.

VI.109 cmu-snmp

Great tools from Carnegie Mellon University. Includes snmpget/set/trap, and also snmpwalk... Installed by default via the package manager. Check out /usr/bin/snmp* for various commands.

VI.110 fwtk

Copied over from previous Linux, zipped tarfile plus my descriptive logfile of actions undertaken. Stuffed this all in RMS_Programs.

VI.111 dhcp - proxy servers - Brussels/KL -

VI.111.1 General information on dhcp

The DHCP protocol is defined in RFC 2131 (obsoletes 1541). For Linux:

No "howto". No "man dhcp"- however, there's a "man dhcpd". No info in /howto/Net3 manual. However, found a "mini-howto" (at the end of the "howto" directory => mini). Covers both client & server set-up, however seems outdated. Rather:


Quite easy to use Yast2 for configuration.

VI.111.2 malekh - dhclient at PwC Brussels/KL

Yast: System Administration/Network/DHCP client. First install dhclient (series "n"). Then use Yast to activate it.

On start-up, dhclient reads "/etc/dhclient.conf". This:

Note that also "/etc/resolv.conf" is typically overwritten, since you receive a dns server.

Within PwC Brussels, a W95 client tells me that:

I've safeguarded working (at least @ PwC Brussels) versions /etc/dhclient.conf and dhcpd.conf in *.original files. In the Kuala Lumpur office, use the dhcp and the Sydney gateway ( to surf out. Within DigiCert, use their internal (port 8080) to surf out.

VI.111.3 malekh - dhclient & server - 'portable'


Configuration comes from '/etc/dhcpd.conf'. This contains essentially two types of statements:

Some core decisions for, taking into account the IPv4 address is 32 bits long, composed of network number and host number. Let's select a class B network address. This means: '10''--14-bits-network''---16-bits-host---', which makes 32 bits altogether. Class B ranges from 128.* to 191.* .

According to the rules for private networks (RFC1918), for class B, we can select between '' and ''. The standard subnetmask for class B is ''.

So let it be: network '', addresses ranging '', with a subnetmask of ''. Save this in '/etc/dhcpd.config'.

Two alternatives to start dhcpd:

  1. by updating '/etc/rc.config' (start dhcpd) and running '/sbin/SuSEconfig', or

  2. by '/sbin/init.d/dhcpd start'.

The second alternative is preferred. HOWEVER this runs into problems. The dhcpd parameters conflict with what's already defined in /etc/rc.config as IP address. SOLUTION:

  1. Manually stop your dhcp client'/sbin/init.d/dhclient stop';

  2. Manually 'ifconfig/ eth0'

Starting & stopping the dhcp server:

Starting & stopping the dhcp client:

VI.111.4 avina - dhclient

DHCP client is by default not installed, instead the DHCP server was automatically installed. Used YaST to remove the server and install the client. Then use Yast1 to configure and activate it.

VI.111.5 Overview of proxy servers

VI.112 diald

Configuration via "/etc/diald.conf".

VI.113 PCMCIA support

VI.113.1 Intro - PCMCIA on boy - SuSE 6.0

Howto in "/usr/doc/howto/en/PCMCIA-HOW.gz". SuSE uses a Sys V init editor's "initscript". However, I don't find a script to start pcmcia. Script should be "/sbin/init.d/pcmcia". I don't have the script, I assume pcmcia is not installed.

VI.113.2 PCMCIA installation on boy - SuSE 6.0

OK, pcmcia is a package of the "a" series, manually installed through YaST now. Card services is essentially a set of loadable modules. Use Sys V init editor. Remember: use "lsmod" to see what's loaded, however this reports no pcmcia is loaded. This seems to be a common problem according to the pcmcia howto. Some fact-finding on boy:

So I included a "PCMCIA=i82365" statement in "/etc/rc.config". And I invoked "sbin/SuSEconfig". Reboot, works OK. However, seems to be incompatible with running Minicom.

VI.113.3 PCMCIA on malekh SuSE 6.1

QUESTION: How to install PCMCIA services?

Remember that pcmcia is a package of the 'a' series. Some fact finding:

Conclusion: no pcmcia package installed.


Tried YaST, but is not really elegant to install a single package. Used kpackage instead. After the installation of the pcmcia package, I ran SuSEconfig. As a result, /etc/rc.config got updated and now includes the PCMCIA=i82365 statement. Also, lsmod shows that pcmciacore and i82365 modules are loaded. Cardinfo works fine now.

Using the 3COM 3C589C card as eth0 works fine on the PwC Brussels LAN.

Using the Xircom CEM-56-100 as modem is not that smoothly.

Further info:

Using the WISEcom at MBS: cardinfo registers this as ttyS2, pointing minicom to /dev/ttyS2 gets me a reply of ATZ / OK - ATDT / NO CARRIER.

VI.113.4 PCMCIA on avina SuSE 6.4

By default, PCMCIA does not work, cardmgr reports "no pcmcia driver in /proc/devices". PCMCIA How-To: your base kernel modules do not load. The SuSE website indicates this is a bug. Downloaded new pcmcia.rpm into /Avina/pcmcia.rpm, performed rpm -U /Avina/pcmcia.rpm . Now seems to discover the Toshiba chipset... Then download and install pcmcia_m.rpm . Reboot. Cardinfo now works and recognizes the 3COM Ethernet card. Then install dhcp client, and configure eth0 with dhcp addressing.

VI.113.5 PCMCIA on imagine SuSE 7.2

Package needs to be installed. Configuration via Yast1 or Yast2 does not work (at least not easily). Use 'cardctl status' to see if the card is found. Manually adjust /etc/rc.config, by making 'NETCONFIG_PCMCIA="_0" (i.e. the first device). Hey, apparently Yast2 decided (at an unknown point in time) to remove the dhclient software and to install dhcpd instead. This had to be manually adjusted again via Yast2. Also, in /etc/rc.config you may have to remake the adjustment to NETCONFIG_PCMCIA=_0. This seems to vanish occasionally too. Run SuSEconfig. NETCONFIG_PCMCIA="_0". Occasionally some other dhcp settings vanish. Apparently Yast2 is not so good in redefining them - Yast1 seems to do a better job.

VI.114 xnetload - ntop

Try 'xnetload ppp0'. Try 'ntop'.

VI.115 SAMBA - smbclient

Samba is a LanManager-like file manager for Unix, implementing SMB. Try "man samba". Key components include:

So it must be possible to:

  1. use smbclient to work on a windows share (e.g. Win2000-Kassandros)

  2. use smbd to let a windows client access an avina 'share'

HISTORY PART 1/2 Using smbclient

Playing ...

Uploading files to kassandros (win2000):

OK BASICS WORK BUT RECURSION ON SERVER SIDE DOES NOT. CAN ONLY UPLOAD WITHIN 1 LEVEL OF THE DIRECTORY, OR MUST MANUALLY BUILD THE ENTIRE TREE. Try C$ share: "smbclient //kassandros/C$ -U administrator": does not work either. HISTORY PART 2/2 Using smbd Objective: establish the Linux box as a Samba server, offering shares to Win2000. Major problem: Win2000 only allows you to go out if the server you're connecting to supports encrypted passwords. Therefor: create initial smbpasswd entries via "cat /etc/passwd | /usr/lib/samba/scripts/ > /etc/smbpasswd". Encrypted passwords obviously go in "/etc/smbpasswd". As root, you can execute "smbpasswd -d marcsel" and "smbpasswd -a marcsel" to reset the password on this smb userid (password set to "samba").

VI.116 sniffit

Downloaded sniffit, basic and patch file. Safeguarded into /Kassandra_Data/AdditionalRPM. Moved to '/' and unpacked. Also untarred the patch tar file, and moved the path to the source dir. Then 'patch Running 'configure' for a second time, the msg looked OK, what's in this 'config.status' file? Looks OK, also in 'configure.log'. Running 'make' for a second time: 'sniffit is up to date'. Thank you. But where is it??? OK, in /sniffit.0.3.5 there is an executable 'sniffit'. However, it comes back with 'cannot execute binary file'. So?

Alternatively, reviewing the index file of SuSE61, sniffit seems to be distributed on CD3. Let's have a look. Unfortunately, it does not seem to be there. Back to the Internet. Mailed the author. HOWEVER: try '/sniffit.0.3.5/sniffit'. This works, but does not recognize the device, even if I try '-F eth0'.

VI.117 ngrep

From . Configure script bumps out on 'can't find complete set of pcap headers'. Too bad.

Alternative: downloaded the binary executable, but I get a 'cannot execute binary file' on this one. Now what???

TO DO: Starting point: RFC 1470. a bit old (1993), but a good start. Other points of interest include the Linux Software Map and Trinux.

VI.118 Networking source code

Check out /usr/src/linux..., particularly the make files and:

Documentation can e.g. be found in "/usr/src/linux.../Documentation/networking/tcp.txt"

Quid firewalling code?


VI.119.1 Native ISDN connection

Here we deal with native (direct) ISDN connections, e.g. straight onto the S-bus.Check out:

Command: isdnctrl.

VI.119.2 ISDN via 3COM 3C891 ISDN LAN modem


VI.120 Fax

Check out /usr/doc/packages/hylafax. Here's a README.SuSE, providing installation instructions (start via faxsetup, which configures items such as your modem). There's also an html section, with lots of info. Apparently hylafax is the server, susefax is a client. Starting the client results in a nice GUI, but no server to talk to.

VI.121 NFS

NFS basics

NFS components:

Of course, there is an NFS-HowTO. The "tar" seems to be the fastest way to pass files over. Debugging: on the server-side, running "rpcinfo -p" should show at least portmapper, mountd and nfsd running. You can also check /var/log/messages for daemon output. Easy way: make a tar file, export it to the client. On the client, move the tar file into "/" and untar it there.

History - NFS with tintin (compaq Philippe Dhainaut)

SAVING to tintin

Connect both tintin (NFS server) and malekh (client issuing 'mount') to a hub, then:

  1. on tintin: mkdir ttmalekh, and include a line "/ttmalekh (rw)" in /etc/exports

  2. on tintin: restart the nfs server

  3. on malekh: mkdir tintin

  4. on malekh: mount /tintin (use "-v" for verbose output, and "-o timeo=n" with default n starting at 7 increased to e.g. 21)

You can also use KDE to copy files (but it's slow).

RESTORING from tintin

Mounting on tintin from avina fails with the msg: RPC timed out. Try the other way round: On avina:

On tintin:

NFS with tux (HP 4150)

SAVING to tux

Connect both tux (NFS server) and avina (client issuing 'mount') to a hub, then:

  1. on tux: mkdir TuxAvina, and include a line "/TuxAvina (rw)" in /etc/exports

  2. on tux: restart the nfs server ("/sbin/init.d/nfsserver stop" "start")

  3. on avina: mkdir tux

  4. on avina: mount /tintin

Then you can use e.g. the cp command to copy files.

VI.122 Wireless

In general: use iwconfig, iwlist, iwspy, iwevent, iwpriv, wireless.... You may have to do e.g. "sudo iwlist scanning". On BlackBetty (Dell mini): connect to <-?-> by entering the password. When editing the connection you get request: 'nm-connection-editor' wants to access the password for 'Network secret for Auto <-?-> / 802-11-wireless-security/psk' in the default keyring.

VI.201 NetworkManager Kubuntu 12.10

On Angkor2, Kubuntu 12.10 comes with "NetworkManager". Good intro in Wikipedia. Documentation seems hard to find on the running Angkor2, but there is

Files & database storage

VII.101 Berkeley db files

This database format is used e.g. by Netscape Communicator. Refer to

VII.102 Oracle

Oracle be provided.

Applications - WWW

VIII.101 Netscape client

VIII.101.1 Netscape 4.03 on bugis etc (manual install)

Ftp to '', cd to /pub/communicator/4.03/shipping/english/unix/... . Carry out a get into /RMS_Programs/Netscape/navi.... . Gunzip, tar -xvf. Then run ns-install.

First time : fails, even logs me out. Browsing ns-install. Run it a second time. OK. Executable goes into /usr/local/netscape/netscape. Added an entry in system.fvwmrc to call it.

VIII.101.2 Netscape 4.05 (part of SuSE 5.3)

Installation and configuration

As Navigator 4.05 is part of SuSE, it gets (almost) automatically installed. Basic files go into /opt/netscape. Plugins reside in /opt/netscape/plugins. Caching goes into /root/.netscape/cache etc. Don't forget to clean-up every now and then.

Resetting your visited links: edit/preferences/navigator/clear history. Alternatively, go to /root/.netscape and clean out manually.

LDAP client included now (edit/search directory)

Good info can be found at Netscape's developer's site. Configuration can be done via:

Don't forget that firewalls and proxy servers can also influence the behaviour of your browser (e.g. locking out https).

VIII.101.3 Netscape 4.72 (part of SuSE 6.4)


Surfing in the PwC office: needs PwC DNS ( and proxy (proxy-be, port 8080 for http, https and ftp). Also needs to accept the certificate from the firewall (, which is signed by PWC_TREE. The PWC_TREE certificate is not a root-signer and hence is not visible through the Netscape GUI-view on the certificate db. Nevertheless, you can view it (e.g. with mc), and then you'll notice there is a Novell certificate attribute embedded, including url.

Security configuration

All certificates go in /root/.netscape/cert7.db . This includes own personal certificate. You can use e.g. 'mc' to browse the contents of this cert7.db file. Alternatively, goo Communicator/Security Info/Cryptographic Modules and select e.g. Netscape internal PKCS #11 module. Here you find 'slots', one for crypto services and another one for certificate db. Here you can configure, change password, login/logout, etc.

HOWEVER, how good is my private key? Netscape says its servers and clients contain a piece of software called 'Security Module 1', which is FIPS-140 compliant. For example browsers version 4.02 and above include Security Module 1. HOWEVER, my Linux Navigator says my security module is Netscape Internal PKCS#11 Module. This sounds different... Email sent to ...

Netscape's FIPS-FAQ states they also obtained FIPS certificates for their DES, 3DES, SHA1 and DSA implementations. Do I have this?

Go to HELP - About Communicator - RSA product embedded: RSA public key support, MD2, MD5, RC2-CBC, RC4.

HOWEVER how good is my private key protected? Your key is stored in '/root/.netscape/key3.db'. Your certificates go in '/root/.netscape/cert7.db'. I assume they are protected under the relevant PKCS mechanisms such as PKCS #5 PBE etc.

What if your Netscape seems to hang ("Java starting...")? "ps -a" "kill -s 9 123".

VIII.101.3 Netscape 4.74 (part of SuSE 7.0)

Basic crypto support of the Communicator provided by SuSE (from the "about" screen): "This version supports U.S. security with RSA Public Key Cryptography, MD2,MD5, RC2-CBC, RC4, DES-CBC, DES-EDE3-CBC". Ciphers for SSL v3 include RC4 with 128 bit and 3DES. Ciphers for S/MIME include RC2 with 128 bit and 3DES.

Hence there does not seem to be any need to apply Fortify. Anyway, just for the record, Fortify is provided by SuSE, package fortify-1.4.6-10, from Info in /opt/fortify.

VIII.102 Ftpd

On Angkor3, installed pure-ftpd. Verify security settings... Documentation in /usr/share/doc/pure-ftpd. Executables in /usr/sbin. (pending question: how about the sftp which comes inside ssh?)

Status: 'ps auxw|grep pure-ftpd' should show you the SERVER process and optionally some connected clients. To connect you can eg use 'ipconfig' on the server to list the server's IP-address. Then use eg Filezilla on the client.

Legacy on Angkor2: installed vsftpd via sudo apt-get etc. See There is a config file in /etc/vsftpd.conf. You start/restart with 'sudo /etc/init.d/vsftpd restart'. Only worked once, apparently then hung. On Angkor2, installed ftpd. No instructions to be found on how to start it, manually starting it as daemon fails, removed again. Tried pure-ftpd - seems OK.

So (O'Reilly's 'Managing Internet information services - p. 54 ) :

(1) inetd.conf must fire up a daemon contains the following line: 'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a' to listen for incoming ftp. So inetd gives the hand to tcpd, which gives the hand to in.ftpd (which is actually /usr/sbin/in.ftpd, cfr glint).

(2) user ftp must exist
User ftp exists in /etc/passwd (this allows 'anonymous' to connect to your ftpd)

(3) wu-ftpd config files need to be adjusted
(31) /etc/ftpaccess (by default, definitions in here are active)
(32) /etc/ftpconversions
(33) /etc/ftphosts (can deny particular hosts)
(34) /etc/ftpusers ('inverse logic', denies users like root access)

(4) directories on the server side According to 'man ftpd', the server performs a chroot to '/home/ftp'. Here you find bin, dev, etc, pub, directories... . OK, I can 'get' from Bugis. However, to upload, I need an 'upload' statement in my /etc/ftpaccess file.

And I need to allow write access on the /home/ftp/pub directory: I've used a coarse way: chown ftp /home/ftp/pub; chmod a+w /home/ftp/pub. Verify the results with ls -al. You can now ftp to '0' or Kassandra, login as anonymous, cd /pub. If you want to upload, remember:

On Bugis:
- lcd: shows you the local directory, i.e. on Bugis, e.g. /root
- pwd: shows you the remote directory, i.e. on Kassandra.
- cd: changes the remote directory, i.e. on Kassandra.
- ls: lists the remote directory, i.e. on Kassandra.
- put: will write into the remote directory, and you need to have the access rights for that. So typically, you need to cd to it.

VIII.103 Httpd - Apache

Apache - basics

Apache is part of most distributions, you can also checkout "". The main configuration file is called the "ServerConfig" file, e.g. "/etc/httpd/httpd.conf". This is based on the NCSA server and its config file, full details on "".

SuSE 6.0 Apache - starting/stopping - configuration

Use "httpd -?" to find out all the options for starting Apache.

Use the manual command line or the System V Init editor to start/stop Apache. The editor's entry is linked to /etc/rc.d/init.d/apache. This currently starts "/usr/sbin/httpd -f /etc/httpd/httpd.conf -D SSL...". This -f flag specifies the full path to the "ServerConfig (=httpd.conf)" file. After processing ServerConfig, the settings of ResourceConfig and AccessConfig directives determine what happens next. Both directives are included in the ServerConfig file, and are by default commented out. This default results in processing "srm.conf" and "access.conf". Both are by default empty - it is suggested to leave them empty.

Note the role of the ServerRoot directive: if you specify a filename starting with a /, this is absolute. If there's no /, the value of ServerRoot (e.g. /usr/local/httpd) is prepended.

The SuSE 6.0 installation includes Apache 1.3: start it via System V Init editor, and point your browser simply to "localhost". There you are. ServerRoot points to "/usr/local/httpd", so the demo website is served from "/usr/local/httpd/index.html".

Directive DocumentRoot (default "/usr/local/httpd/htdocs") defines where you serve documents from. Further directives will specify authorizations on your documents.

SuSE 6.0 Apache - logging

As specified by directives in ServerRoot, logging goes by default into:

SuSE 6.0 Apache - status

Point your browser to "http://localhost:80/server-status". Setting directive ExtendedStatus on (in ServerConfig, i.e. httpd.conf) gives more info.

SuSE 6.1 Apache on malekh

Some facts:

Oddly enought, I get a "sqlinit: DBROOT must be set" when starting. Now "/etc/rc.d/rc3.d/K20apache" starts with "DBROOT=/dev/null". So when should this be set? WHAT IS THE NORMAL WAY TO START APACHE??? WHY DO I NEED sql???

OK, cool:

Now "rcapache start" works, but "sh -x rcapache start" shows it uses the standard /etc/httpd/httpd.conf file (rather than my own one). How to fix this? Save a copy of the original, and write my conf file over it. OK, now Netscape can talk to my Apache, and gets a "forbidden". Since the ServerRoot points to /Kassandra_Control, you should surf to e.g. "http://localhost/LinuxWeb.html". Indexes does not seem to be generated automatically.

HISTORY - Manual install of Apache 1.3.6 - SSL

Check out /usr/doc/howto/en/html/mini/Apache+SSL... Also, have a look at I decided to download SSL from the OpenSSL website. Resulted in /openssl-0.9.2b, with README and INSTALL files. The site explains you need:

Hence I now have three directories straight under "/":

Also, "Kassandra_Data/AdditionalRPM" still stores the .tar.gz originals.

Let's start with Apache itself, and its various README's etc. From within "/apache_1.3.6" I've executed "./configure --prefix=/usr/local/apache136". Next is "make" and "make install". Then I can start my newly created httpd with "/usr/local/apache136/apachectl start". Use "http://localhost" to see the newly created server. Use "/usr/local/apache136/bin/httpd -v" to see that you've effectively build it.

Now configuration can take place via a.o.:

I created "/Kassandra_Control/conf/*.*". Now issuing "/usr/local/apache136/bin/httpd -d /Kassandra_Control" hopefully starts Apache with LinuxWeb. Careful, under "/Kassandra_Control" you need to create the three subdirectories that Apache expects: conf, logs and htdocs. The "Kassandra_Control/conf/httpd.conf" needs some customisation to point to "/Kassandra_Control/..." files rather than the defaults. OK, basics seem to work.

Apache 1.3.12 on imagine - SuSE 7.0

Documentation in "/usr/share/doc/packages/apache". SuSE manual points to:

I saved the .conf into .original, and created a LinuxWeb specific .conf file. Useful:

Access via Netscape, "http://localhost" or "http://imagine".

VIII.104 Squid - wwwofle

Squid is a cache server/www-proxy. Documentation in /usr/doc/packages/squid. Configuration via "/etc/squid.conf".

WWWoffle is a www offline explorer, another proxy server, capable of interacting with e.g. diald. Configuration via "/etc/wwwofle/wwwofle.conf".

VIII.105 htdig

Builds an index over a document-base which is served from a webserver. No manpage for htdig. However, there is a full package and corresponding documentation: "/usr/doc/packages/htdig/htdoc/index.html".

htdig's files: "/opt/www/".

How it works:

Script "rundig (or rundig -vvv to see debug output)" executes both htdig and htmerge. Search via ... TODO: narrow search for htdig via config file.

VIII.108 Email clients - Angelfire/Netscape/Belgacom - pine - mail


There are accounts on


A simple but efficient email client. Ref man pine.


Ref man mail. Use q to quit, p to print a mail message.

VIII.109 Ecommerce - minivend

An electronic catalog system (shopping cart). Refer to the article in LJ June 1999. Check-out

VIII.110 Corba - mico

Check out mico.


Getting started: via xrpm.

Xrpm: /etc/openldap. Info in /usr/share/doc/packages/openldap. Start via "/sbin/init.d/ldap start" or "start -v". "Man ldap" comes with suggestions. Query via ldapsearch.

Config in /etc/openldap. Major configfile"/etc/openldap/slapd.conf".

You get some feedback in "/var/log/messages". Configuration:


VIII.112 Jboss/Tomcat

Included in EJBCA installation.



Refer to jtk1.html .


Refer to jtk1.html .

VIII.114 Xerces

XML parser - version 2.2.1 . Installed from into /xerces.... Unpack with jar xvf xerces....jar into /xerces-2_2_1 and into /tools . I also extracted the xercesSamples.jar . Usage see jtk1.html.

Applications - cryptography

Key formats PEM etc

In a nutshell

Four different ways to present certificates and their components:

Some detail

Different ways to present certificates and their components:

Standard Linux goodies


Crypt is DES based, with a salt added and slower encryption.


This utility factors:

According to man factor, you can also generate primes, but that does not seem to work. Way forward: use Cryptix Prime class etc.


Calculates the md5 hash over a file: "md5sum filename".


Kassandra - Red Hat - PGP 5.0i

Installation on Kassandra. Downloaded in RPM format from "". Mind you, this is the "international" website and correspondig PGPi version. Strength?

Installed the rpm via glint, "utilities/text". Executables go in /usr/bin. Doc goes into /usr/doc. There's also a short man page for pgp, pgp.cfg (configuration), pgpk, etc...

Just running pgpk gives you an overview of key management. For details, refer to the user manual.

Running "man pgp.cfg" describes all the entries in the config file. An example would be nice. A quick peek in the rpm reveals that no default config file is provided. Where's this user manual? O'Reilly has an excellent book! Or there is a user manual in pdf on Win95.

Toothbrush - SuSE 5.3

Installation on Tootbrush. Run "rpm -ivv /Kassandra_Data/AdditionalRPM/pgp____.rpm". This installs binaries into /usr/bin (pgp and pgpk).

Starting pgpk results in the message: cannot open configuration file "/root/.pgp/pgp.cfg". Indeed, there's no such file.

O'Reilly nicely describes all the fields of this file on p. 271. I created a minimal "pgp.cfg" file.

Question: Can I transfer my existing Win95 keyrings and continue to use them here?
Answer: Yes, I copied my pub/secrings into /Kassandra_Data/AdditionalCONFIG. From there, copy pgp.cfg, the pubring.pkr and secring.skr into "/root/.pgp". Now "pgpk -l" lists the content of my keyring, both public and private (PGP: secret) keys.

Question: How do I wipe without a GUI?
Answer: Use the -w flag, e.g. "pgpe -cw ...".

Boy - SuSE 6.0

Reinstalled as described for Toothbrush.

Encrypting with a passphrase and "conventional cryptography (what's that, Phil? IDEA? Yes Marc, IDEA)": "pgpe -c foo"results in being asked a passphrase to encrypt with IDEA. Use "pgpv foo" to decrypt. You'll be challenged for the passphrase.

Encrypting with a public key: "pgpe -r foo"

Decrypting again: "pgpv foo" and you'll be challenged for the passphrase.

IX.102.4 Malekh - SuSE 6.1

Reinstalled from /Kassandra_Data/AdditionalRPM/... Also copied pgp.cfg and keyrings from /Kassandra_Data/AdditionalCONFIG into /root/.pgp . Now wouldn't it be nice to have a GUI interface? Check out the 'Geheimniss' thing from SuSE.

IX.102.5 Avina - SuSE 6.4

SuSE 6.4 now comes with PGP 2.6.3i. According to the doc, the expects configuration information in your homedirectory, in "/.pgp". Trying to use the old keyring from Malekh - no success. OK, Malekh used PGP 5.Oi, from an additionally downloaded rpm. So I have to remove the "standard" PGP that came with SuSE, and reinstall PGP 5.0i from /Kassandra_Data/Additional_RPM. Hence I removed packages pgp and gpg via YaST. Then installed pgp 5.0i through YaST. This did not work (no pgp executable to be found) but did not return an error msg. Do a manual install "rpm -ivv etc...": failed dependencies:

  1. is needed by pgp-5.0i-1

  2. is needed by pgp-5.0i-1

Libaries are found in various places:

Hence need to install these two libs. Help from SuSE: install package shlibs5 from series a. This resolved the dependence, rpm still complains for However, 'ldconfig -p' shows there is '/usr/i486-linux-libc5/lib/', which is a symlink to '....5.0.9'. So what? Alternative: downloaded PGP 6.5.1i. Installed it in /pgp6 and below. Created /root/.pgp containing config & keyfiles. OK. Lot's of documentation, as well as the sources are available now...

IX.102.6 imagine - PGP

Might be provided by SuSE, but is a commercial product with license etc.

IX.102.7 imagine - GPG

GPG (Gnu Privacy Guard) is compliant with the OpenPGP implementation proposed in RFC 2440. It does not use any patented algorithms (IDEA, ex-RSA, ...).

Symmetric algorithms are: 3DES, Blowfish, CAST5 and Twofish (GnuPG does not yet create Twofish encrypted messages because there is no agreement in the OpenPGP WG on how to use it together with a MDC algorithm)

Digest algorithms available are MD5, RIPEMD160 and SHA1. GPG 1.0 is included in SuSE 7.0 together with "GPGaddons". Documentation is /usr/share/doc/packages/gpg. All files are mentioned at the end of "man gpg".

GPG. User-specific files: /root/.gnupg/... . Remember, previous versions of PGP keyring went in /Kassandra_Data/AdditionalConfig. Import via "gpg --import" (ref below). As a result, the trustdb is created, and those keys for which a "user id" is found (internal PGP/GPG user id I assume) are imported alright. Others are processed but not imported. Use:

GPGaddons. Check /usr/share/doc/packages/gpgaddon.

Package and encrypt:


The OpenSSL toolkit essentially includes: Documentation: See also the cookbook.

You can test an SSL server with the ssltest.

Displaying certs and keys

Use openssl x509 -in filename.

RSA key generation

Change to "/usr/local/ssl/bin". Run "./openssl" puts you in commandline mode.

You find source in "/openssl-0.9.2b/crypto/rsa/rsa_gen.c". Here p and q are generated as large primes. Next n is calculated (p*q), then d. Sounds reasonable.

Now look in "/openssl-0.9.2b/doc/ssleay.txt", search for "=== rsa.doc ===". Here you read that the RSA structure used internally can contain both private & public keys. A public key is determined by the fact that RSA-> d value is null. It is explained that rsa_generate_key should only be used to generate initial private keys.

Note that you can find a source: "/openssl-0.9.2b/crypto/rsa/rsa_gen.c". Have a look...

Be your own mini-CA

Use "req" to create key pairs and certificates. Check out the configuration in "usr/local/ssl/lib/openssl.cnf".

SSL clients & servers

Have a look in "/openssl-9.2b/apps". Here you find the source code of e.g. an SSL client (s_client.c) and server (s_server.c). Source code contains lots of explanation.


SSH basics

There is a set of specifications. There are various implementations, OpenSSH is the de facto standard implementation. Essential components:

SSH client

By default client 'ssh-agent' is installed, which holds private keys for authentication of eg logins or X-session.

SSH client config

Explained at man page and man page.

ssh obtains configuration data from the following sources in the following order: For each parameter, the first obtained value will be used. The configuration files contain sections separated by Host specifications, and that section is only applied for hosts that match one of the patterns given in the specification. The matched host name is usually the one given on the command line (see the CanonicalizeHostname option for exceptions).

Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end.

SSH normally does print out error messages. There are two ways to disable it:

SSH client keygen

Explained at keygen page. The key type is indicated with -t. If invoked without any arguments, ssh-keygen will generate an RSA key.

Normally each user wishing to use SSH with public key authentication runs this once to create the authentication key in ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, ~/.ssh/id_ed25519_sk or ~/.ssh/id_rsa. Additionally, the system administrator may use this to generate host keys, as seen in /etc/rc.

Ed25519: Source: Uses an elliptic curve signature scheme which offers better security than RSA, ECDSA and DSA.

ecdsa-sk (secret key): Source: Hardware backed keys can be generated using "ssh-keygen -t ecdsa-sk" (or "ed25519-sk" if your token supports it). Many tokens require to be touched/tapped to confirm this step. You'll get a public/private keypair back as usual, but the private key file does not contain a highly-sensitive private key but instead holds a "key handle" that is used by the security key to derive the real private key at signing time. So, stealing a copy of the private key file without also stealing your security key (or access to it) should not give the attacker anything. Once you have generated a key, you can use it normally - i.e. add it to an agent, copy it to your destination's authorized_keys files (assuming they are running -current too), etc. At authentication time, you will be prompted to tap your security key to confirm the signature operation - this makes theft-of-access attacks against security keys more difficult too.

ssh-keygen will by default write keys in an OpenSSH-specific format. This format is preferred as it offers better protection for keys at rest as well as allowing storage of key comments within the private key file itself. In the past the PEM format was used for private keys. This can still be specified using the -m flag.

SSH client usage

To start it, just enter ssh in a terminal. To get feedback about what's happening, make sure error messages are not supressed in the config (ref above). And specify -vvv.


PuTTY uses a different key file format. It comes with tools to convert between its own .ppk format and the format of OpenSSH. Info at earthli's putty doc and at Converter guide:

SSH server

You can install sshd manually. With it comes: How to configure this? The sshd reads configuration data from /etc/ssh/sshd_config.

How to start/stop? After installation, the sshd is started automatically.

How to generate keys? Use ssh-keygen....on client or server side.

Windows PC Install cygwin from From Windows to Angkor2Start ssh client on Windows. Test ssh with "ssh marc@". If you supply marc's password on Angkor2, you are in. Now to get the ssh challenge/response to work, you need to copy the file (containing the public key) into the file /marc/.ssh/authorized_keys (for info see man sshd).
Legacy SCP client and server seems commonly installed. Copy from iMacky to Angkor via "scp marc@".

SSH client seems commonly installed, but server may need manual install eg via Synaptic. Then you have:

Cross platform, on Mac, on Windows

I installed the server, then ran ssh-keygen in the homedir of marc3. This saved RSA keypair in marc3sshrsakeypair1. On the Apple, then do a 'ssh marc3@'. Give the logonpsw and you're in. Alternatively do 'sftp marc3@' and you can ftp. Use So a simpe solutions is


Downloaded .tar.gz file from Anderson's Serpent page. The original file is kept in /Kassandra_Data/AdditionalRPM. Unpacked in / and moved all resulting files into /serpent. What do we have:


What is it - see

Apparently comes in at least two flavours:

Very interesting are the source code examples, the tests and the utils such as SCAR - a crypto-secure archive tool.

IX.105.2 HISTORY - Cryptix installation on Malekh

1) Installing the class files (starting from the source code): follow the README:

  1. download zipfile with sources into /Kassandra_Data/AdditionalNonRPM/Cryptix3JCE1.1-src/Cryptix-src...

  2. extract into /Cryptix3

  3. 1.1 install provider in three steps: "cd /Cryptix3/src/cryptix/provider", then "javac", finally execute it:

  4. 1.2 compile: from the top directory, run the make_snap or build shellscripts residing in "/Cryptix3/util" What do we already have: "src", "util(shell scripts)", "doc", "guide (quite nice on crypto & security)", "images", "license", i.e. preparatory stuff. What will be added by compiling: "/build" and the class files below. So I ran "cd /Cryptix3", "sh util/". This resulted in 1 warning (deprecated APIs).

  5. 1.3 test: sources in /Cryptix3/src/cryptix/test, and they include a statement "package cryptix.test", class files in /Cryptix3/build/classes, hence:

2) Installing the documentation:

IX.105.3 HISTORY - Cryptix installation on Avina - SuSE 6.4

/Cryptix3 directory copied over from Malekh. Running 'ExamineSecurity' obviously responds that the cryptix provider is not (yet) installed. Hence:

You can see what Install does by peeking into /Cryptix3/src/cryptix/provider/ it installs Cryptix in the / file (actually '/usr/lib/java/lib/security/').

Feedback from Install: ---Examining the Java installation at /usr/lib/java The following lines were added to /usr/lib/java/lib/security/ # Added by Cryptix V3 installation program: security.provider.2=cryptix.provider.Cryptix To uninstall Cryptix, remove these lines manually----

Try to run my old programs in /Cryptix3/build/classes such as modinverse1: OK. I assume this works since the executables were copied over and the provider is re-installed... Demos are discussed in JTK1.

IX.105.4 HISTORY - Cryptix32 installation on tux

Downloaded Cryptix32. You get:

How to proceed: check out the website: 1) "Add the JARs to your classpath...": First "CLASSPATH=/Cryptix32/cryptix32.jar:/CryptixSources", then "export CLASSPATH". Check with "echo $CLASSPATH". You can read out the jar with "jar tvf cryptix32.jar". 2) Install provider:

  1. cd Cryptix32/src/cryptix/provider

  2. javac

  3. cd /Cryptix32/src

  4. java cryptix.provider.Install =>

Compile (in the previous version /util contained the compilation scripts ... what happened here?) => WRONG ASSUMPTION. Since you can specify the classfiles in jar format through the CLASSPATH (refer to point "1)" above) there is no need to compile. You can execute right away.

Next steps: start working with certificates (part of Java2 - at least for the basic stuff, without the extensions), and try Rijndael (ref below).

IX.106 Cryptix ASN1


Software that allows you to:


STEP-1. Installed in CryptixASN1. Test/demo sources in /CryptixASN1/jar/src/cryptix/asn1/test. Execute tests via:

TRY AGAIN. Move to /Java02Security, and removed the "package" statement inside. Copied cryptix.asn there too. Now fails since parser is not found... CLASSPATH=/CryptixASN1/jar/cryptix-asn1-19991128-a6.jar:/CryptixASN1/jar/cryptix/asn1/lang:/CryptixASN1/jar/cryptix/asn1/encoding:/Java02Security: STEP-2. Wait a moment - prerequisite: needs javacc and jmk. Install those first... into /Java53MetaCC (javaCC_0.class,, jmk.jar ...) .


IX.107 Rijndael

Rijndael java code is included in Cryptix, use the cryptix32 provider. Start by using "":

Next step is to use Rijndael in a program. This is done via the Cryptix provider. Check out the test and util programs.

IX.108 Baltimore KeyTools

Downloaded them into /Baltimore. Also downloaded the Sun xml parser and api into /Java52XML/....

  1. safeguarded a copy of /usr/lib/jdk1.2.2/jre/lib/security/ (because it currently contains the Cryptix provider)

  2. "CLASSPATH=/Baltimore/libs/jpkiplus.jar:/Baltimore/libs/jcrypto_1.1.jar:/Baltimore/libs/jce.jar:/Java52XML/jaxp1.0.1/jaxp.jar:/Java52XML/jaxp1.0.1/parser.jar"

  3. "export CLASSPATH" "echo $CLASSPATH"

  4. "javac"

  5. xxx

IX.109 Mathematica

IX.109.1 Initial installation

Installed from Berkeley's CD. After installation comes with following error message:

xset: bad font path element (#38), possible causes are: Directory does not exist or has wrong permissions Directory missing fonts.dir Incorrect font server address or syntax

Solution: X server's font path may need updating. Probably via "xset fp+ ....". OK problem was that the X server's path referred to /cdrom/.... . Restarting the X server seems to resolve the problem already.

IX.109.2 Reinstall after upgrade

Modifications to your platform result in a new MathID, which requires a new password. Even insertion/removal of PCMCIA card leads to "missing password".

IX.109.3 Use

Create new notebook. Use shift-enter to calculate.

Factoring integers: FactorInteger[n]. There is also Lenstra's FactorIntegerECM. This extends Mathematica's factoring up to approximately 40 digits. Prime digits are approximately 18 digits long then. Very nice help available.

Modular: Mod[k, n].

Modular inverse: you can use PowerMod (a, b, n). This returns a^b mod n. E.g. 25 mod 6 can be done as PowerMod[5, 2, 6]. This can then be used to find modinv by taking b=-1. To find the modinv of 3 mod 7: PowerMod [3, -1, 7]. You can also calculate beyond the simple modinv -1. You can do -2 etc. also.

IX.110 FLINT - Michael Welschenbach

Copied from CD in /flint (rijndael not copied yet). Software is the FLINT/C function library (functions for large integers in number theory and cryptograph). The library contains a number of modules for arithmetic, number theory, tests, RSA and Rijndael.

For testrand.c: try make:

For testrand.c: try manual gcc.

If you get msgs that libflint is not found, you can compile with the following flags: "gcc ... -lflint -L/flint/lib" For rsademo.cpp (C++ Nice overview of C++ at

Suse packages such as libgpp contain C++ libraries such as libg++ and libstdc++, both the header files and the actual libraries. Doing a "locate libstd" finds a list of /usr/lib/libstdc++... libraries. They seem to be shared and static libs. They include:

Remember you can do "ldconfig -p" for an overview of existing libraries. You can do "ldd" to find out what a program needs. Problem on imagine/tecra780DVD: compiling results in "gcc installation problem - cannot execute cc1plus" However, on the Satellite2060CDS compile goes OK. Guess I should reinstall the tecra from scratch (Yast2 doesn't work either).

IX.111 EJBCA Beta2

Requires Ant and Jboss/Tomcat as prerequisites. Then deploy into Jboss.

EJBCA builds on EJB 1.1, and relies on:

Building EJBCA

Building EJBCA #1: start-up:

Building EJBCA #2: JBoss:

Downloaded jboss 2.4.3, the "current stable version", extracted into /JBoss-2.4.3_Tomcat-3.2.3, with a jboss and a tomcat subdirectory. Jboss provides a basic EJB container. Furthermore:

Building EJBCA #3: Tomcat:

TOMCAT is the servlet container with a JSP environment. A servlet container is a runtime shell that manages and invokes servlets on behalf of users. It is used in the official reference implementation for the Java Servlet and the JavaServer Pages. Tomcat is Servlet API 2.2 and JSP 1.1 compliant container (remember JServ was only Servlet API 2.0 compliant). It was originally intended to be deployed under Apache, IIS, Enterprise Server or the like. Howeverm it can be used stand-alone also. Tomcat is part of Tomcat documentation is available in /JBoss-2.4.3_Tomcat-3.2.3/tomcat/doc. The two main config files are server.xml and web.xml (defining your servlets and other components) .
Web applications live in "web application archives" which exist in two formats:

The top-level directory is the application root, where html and JSP pages are located. At the moment of deployment, a context indication will be added. If tomcat is started, you can access its default homepage on There is an admin page at (but what's the password?) So for EJBCA:

Building EJBCA #4: starting JBoss:

Starting jboss: "/JBoss-2.4.3_Tomcat-3.2.3/jboss/bin/"

Restarting jboss: "/JBoss-2.4.3_Tomcat-3.2.3/jboss/bin/" or "" now calls JDK 1.3. Better. Jboss started 46 services.... How do you stop it? Cntl-C works of course. Then:

In /ejbca/dist you find both the .jar and .war files. It's the .war files which provide the html/servlets/JSP's.

Building EJBCA #5: user/manager views:


  1. 1 Applying for a certificate

    Cert types: from CA to end user, ref source (ejbca.admin) Requesting a cert via the browser fails if Tomcat does not find the javac. That's why you must set JAVA_HOME.

  2. 2 Checking out other certs via If you download a cert into e.g. /root/john.cer, you can check it with Sun's keytool: "keytool -printcert -file /root/john.cer"

  3. 3 You can use /Java03dmf/cmf002list to get a more detailed view.

  4. 4 Sampleauth via Authentication is performed against database: /ejbca/src/sampleauth/database/dbUsers.txt


You use the ca / ra shellscripts. Find a user:

Add a user: ". adduser theo oeht "CN=theo,O=AnaTom,C=SE" 1" - carefull with the syntax here, no space in CN=etc...

Certificate type

Can be obtained via ". adduser". The possible values are:


Can be obtained via ". setuserstatus". The possible values are:

IX.112 OpenSC smartcards

IX.112.a Prereq: openssl and pcsc-lite

Since PCSC Lite won't install without openssl in place, first installed that in / . Then install pcsc-lite.

IX.112.b OpenSC - libopensc

libopensc is a library for accessing SmartCard devices using PC/SC Lite middleware package. It is also the core library of the OpenSC project. Basic functionality (e.g. SELECT FILE, READ BINARY) should work on any ISO 7816-4 compatible SmartCard. Encryption and decryption using private keys on the SmartCard is at the moment possible only with PKCS#15 compatible cards, such as the FINEID (Finnish Electronic IDentity) card manufactured by Setec. First attempt to install failed due to lack of library lpcsclite - hence first install this. Second attempt goes better but make fails on lacking OpenSSL. Downloaded and installed OpenSSL under /OpenSC. Still fails. Reinstall OpenSSL and OpenSC both straight under "/". OK. Now fails on lack of "-lfl" I guess that is a library. Resolved by installing package flex. We have:

Does not work with Towitoko reader. According to godot, have to download latest version from CVS, then run the bootstrap script. Which fails due to lack of tools: autoconf, automake and libtool. Downloaded autoconf and automake, apparently libtool is already installed with SuSE 7.2. Make sure to install in / rather than in /root. Each of them has to be installed via ./configure /make etc... check the INSTALL. Autoconf has a make check possibility, quite some checks did fail (but aclocal passed). I did not install libtool since that was already present. Tried /opensc/bootstrap which failed. Installed libtool from Then back to /opensc. Tried bootstrap again - OK. Tried configure again OK. But the make install fails. Next round after re-installing pcsc-lite (now the older version 1.0.1). Do a bootstrap....a make....still fails....back to godot. Tried again to download latest version 070,,,, configure/make/make install goes ok. Now how to configure the readers....

IX.112.c PCSC Lite

APPARENTLY have to get PCSC Lite from first. This provides (use kpackage):

Since the configure of opensc fails - ref effort together with Godot - he suggested to downgrade to pcsc-lite-1.0.1. Downloaded from pcsc-lite-1.0.1,tar.gz . Unpacked into /pcsc-lite-1.0.1 . Then do a configure, make, make install . OK, you can start the daemon via "pcscd".

IX.112.d Towitoko driver

This library provides a driver for using Towitoko smartcard readers under UNIX environment, serial and USB interfaces. It requires PCSC Lite, a smartcard and a reader. Smartcard API's provided: * CT-API 1.1 and CT-BCS 0.9. * PCSC Lite. See for download and documentation (pretty unclear ... is it provided or is it a prerequisite?) Installation:

First round apparently went smooth, but the doc states the files go into /usr/local/bin and there is nothing there.... Ooops this is a mistake in the doc. You find it all in /usr/local/towitoko. The main thing seems to be a shared library. There are man pages but they do not seem to work. There are:

Mind you, there also useful info in /towitoko-2.0.7/doc ... even on design... Using the "tester", you learn the I2C cards are memorycards, 256 bytes. Their ATR (Answer To Reset) is A2 13 10 91. However, the card also contains 2 KBit EEPROM. How to write there? /etc/reader.conf Config: /usr/local/towitoko/lib COM1 = CHANNELID 0x0103F8

IX.112.e PCSC-tools

Via Danny De Cock.

IX.112.f Musclecard PKCS11 framework - DROP FOR TIME BEING

Requires: pcsc-lite-1.1.1 or higher This framework works on nearly all platforms and provides a pluggable architecture for smartcards and cryptographic tokens. Send and receive signed and encrypted email, authenticate to SSL sites all using your smartcard. With tools like XCardII and MuscleTool, manage your card, and personalize it to suite your needs. To install, first make sure pcsc-lite-1.1.1 is installed. Then install each of the plugins for MuscleCard and Cryptoflex. Then install the PKCS11. Once this is installed you will have a /usr/local/lib/ In Netscape or Mozilla simply use this path and the name "Muscle PKCS#11" and you are ready to begin.

IX.113 XML signing - XMLSIG

TRY1 - FAILED - Download binary into Java62MXLSEC

Start with Apache's software, downloaded into /. Extract with Karchiveur, put it in /Java62XMLSEC. According to the INSTALL, it includes implementations of W3C recommendations "Canonical XML" and "XML Signature Syntax and Processing". Basically, this means that you can create and verify digital signatures expressed in XML and sign both XML and/or arbitrary contents. Whether you choose the binary or the source version it seems you need to run ANT - hence first fix the path statement for ANT. -1- I started with downloading the binary version and running ANT. Then you get an error since the classfile for ant.md5task is not found. Original statement in BUILD.XML: Wrongly updated statement in BUILD.XML: Rightly updated statement in BUILD.XML: this results in successful built. From now on you can run 'ant' and you get an explanation of what you can do. However, you seem to need the sources to run e.g. the examples. -2- Now download sources but be carefull not to overwrite existing stuff - download in other dir.

TRY2 - FAILED - Download sources into Java62MXLSEC2

Specify the classpath as described above for /Java62XML2. Do a full ant compile. Problem with the import statements. Need a way to specify the prefix /Java62XMLSEC2

TRY3 - FAILED - Download sources into /

Fails with 'cannot resolve symbol' for sources which are indeed not yet present such as XpathAPI. Looked into the INSTALL file:

TRY4 - OK - Download sources and binaries into /

Run ant compile. OK. Run ant doc - problem (why?). Run ant javadoc - OK but warnings. Full API doc in /build. Main info found in / at:

Using it: see jtk1.html.

IX.114 Encryption file system encfs

IX.114.1 Installation of encfs

as per marcsel@marcsel:~$ sudo apt-get install encfs [sudo] password for marcsel: Reading package lists... Done Building dependency tree Reading state information... Done The following extra packages will be installed: librlog1c2a The following NEW packages will be installed: encfs librlog1c2a 0 upgraded, 2 newly installed, 0 to remove and 15 not upgraded. Need to get 297kB of archives. After this operation, 1274kB of additional disk space will be used. Do you want to continue [Y/n]? y Get:1 hardy/universe librlog1c2a 1.3.7-1 [26.3kB] Get:2 hardy/universe encfs 1.3.2-1-1 [270kB] Fetched 297kB in 0s (350kB/s) Selecting previously deselected package librlog1c2a. (Reading database ... 100262 files and directories currently installed.) Unpacking librlog1c2a (from .../librlog1c2a_1.3.7-1_lpia.deb) ... Selecting previously deselected package encfs. Unpacking encfs (from .../encfs_1.3.2-1-1_lpia.deb) ... Setting up librlog1c2a (1.3.7-1) ... Setting up encfs (1.3.2-1-1) ... Processing triggers for libc6 ... ldconfig deferred processing now taking place marcsel@marcsel:~$ THEN: add the module fuse in etc/modules (ok, was already there) sudo adduser fuse (ok, same) sudo chmod +x /usr/bin/fusermount (fails, no such file or directory)

IX.114.2 Use of encfs

Create encrypted directory: 'encfs ~/securestorage ~/visible' (AES 192 selected) Work in /visible. When finished 'cd ..' Then remove /visible by 'fusermount -u ~/visible' Later to reaccess: 'encfs ~/securestorage ~/visible' You can use 'encfsctl' later to change your password. DOES NOT SEEM TO WORK - go for alternative.

IX.115 GPG and Seahorse

IX.115.1 GPG-GPA or Seahorse

GPG and GPA (GnuPrivacyAssistant) installed manually - later found Seahorse is similar. GPG CLI via terminal. Basics >marcsel@BlackBetty:~$ gpg --version >gpg (GnuPG) 1.4.6 >Supported algorithms: >Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA >Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH >Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 >Compression: Uncompressed, ZIP, ZLIB, BZIP2 So: AES is supported. There's also 'gpg -h', 'man gpg' and 'gpg --dump-options'. Using GPG Consider: --cipher-algo AES192 --encrypt-files to allow multiple files -c for encrypt -d for decrypt -w for wipe Syntax: gpg [options] [files] GPA via GUI marcsel@marcsel:~$ sudo apt-get install gpa [sudo] password for marcsel: Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: gpa 0 upgraded, 1 newly installed, 0 to remove and 15 not upgraded. Need to get 203kB of archives. After this operation, 840kB of additional disk space will be used. Get:1 hardy/universe gpa 0.7.0-1.1ubuntu1 [203kB] Fetched 203kB in 0s (328kB/s) Selecting previously deselected package gpa. (Reading database ... 100327 files and directories currently installed.) Unpacking gpa (from .../gpa_0.7.0-1.1ubuntu1_lpia.deb) ... Setting up gpa (0.7.0-1.1ubuntu1) ... USE GPA via Dell Launcher. Seahorse / Passwords and encryption settings Via GUI: 'System / Preferences / Encryp‭tion and key‌rings'. This allows you to define eg keyring settings and caching. Seahorse is a Gnome front end for GnuPG. Data encryption and digital signature creation can easily be performed through a GUI and Key Management operations can easily be carried out through an intuitive interface. In addition it includes a Gedit plugin, can handle files using Nautilus, an applet for manging stuff put in the clipboard and an agent for storing private passphrases, as well as a GnuPG and OpenSSH key manager.

IX.116 Truecrypt

Seems to work fine, cross-platform.

IX.117 Erase, shred, wipe

No erase. Linux shred and wipe commands ... what does danny use? Shred and wipe. According to man page of shred: it does not work on file systems such as ext3 ... so no use? Installed 'wipe' via 'sudo apt-get install wipe'. So: options 1 edit - encrypt - decrypt - reencrypt to new file - 'wipe' plaintext 2: simply reencrypt the decrypted file so it becomes unusuable...this will not work since it does leave the plaintext intact. Ref email danny

IX.118 Opencryptoki - PKCS#11

Ref to '/usr/share/doc/opencryptoki'. OpenCryptoki version 2.2 implements the PKCS#11 specification version 2.11. This package includes several cryptographic tokens, including the IBM ICA token (requires libICA, which supports zSeries CPACF and LeedsLite hardware) and an OpenSSL-based software token. For execution refer to Further: openCryptoki defaults to be usable by anyone who is in the group ``pkcs11''. In this version of openCrypoki, the default SO PIN is 87654321, and the default user PIN is 12345678. These should both be changed to different PIN values before use. You can change the SO PIN by running pkcsconf: % pkcsconf -I You can change the user PIN by typing: % pkcsconf -u You can select the token with the -c command line option; refer to the documentation linked to above for further instructions.

IX.119 ACR 38 and middleware for BeID

At a glance

You'll need:

There is

BeID on Angkor (after update to Lucid)

With Lucid came beid-tools and beidgui. You see this under Synaptic. The ACR38 reader is recognized, the beidgui tool starts, but reading a card fails with "wrong root certificate". According to "", this is because the Ubuntu reposiroty for Lucid contains beid software that is too old, version is "2.6.0-7ubunt1" for both. The solution: download deb package from "". I stored it in "/home/marc4/Downloads", it's called "eid-mw_4.0.0r925_amd64_tcm147-132618.deb". This raises the question: what is inside this deb package? Do: "dpkg -c packagename". This displays all the files, but nothing comparable to "2.6.0-7ubunt1". How will it interact with the old beid-tools and beidgui? Let's try. RUN1 "sudo dpkg -i eid-mw_4.0.0r925_amd64_tcm147-132618.deb" results in Selecting previously deselected package eid-mw. dpkg: considering removing libbeidlibopensc2 in favour of eid-mw ... dpkg: no, cannot proceed with removal of libbeidlibopensc2 (--auto-deconfigure will help): libbeid2 depends on libbeidlibopensc2 (>= 2.6.0) libbeidlibopensc2 is to be removed. dpkg: regarding eid-mw_4.0.0r925_amd64_tcm147-132618.deb containing eid-mw: eid-mw conflicts with libbeidlibopensc2 libbeidlibopensc2 (version 2.6.0-7ubuntu1) is present and installed. dpkg: error processing eid-mw_4.0.0r925_amd64_tcm147-132618.deb (--install): conflicting packages - not installing eid-mw Errors were encountered while processing: eid-mw_4.0.0r925_amd64_tcm147-132618.deb RUN2 "sudo dpkg -i eid-mw_4.0.0r925_amd64_tcm147-132618.deb --auto-deconfigure" Problem persists. Now did a manual remove via Synaptics of all installed beidlibs and related. RUN3 same as RUN2 but now with OK ending. Check in Synaptics: beidstuff in "old" repositories is visible but not installed. Manually installed deb package is apparently not visible. However, as I uninstalled beidgui and beid-tools - these were not included in the .deb package. So they are no longer present. TRY sudo apt-get install beidgui, which results in terrifying messages: The following extra packages will be installed: beid-tools libbeid2 libbeidlibopensc2 The following packages will be REMOVED eid-mw The following NEW packages will be installed beid-tools beidgui libbeid2 libbeidlibopensc2 So this would reinstall what I just removed etc etc. Not a good plan. TRY Info from Download "eid-viewer_4.0.0r52_amd64.deb" from Then "sudo dpkg -i eid-viewer_4.0.0r52_amd64.deb". Goes ok. To run "eid-viewer". Documentation in /usr./share/eid-viewer. Viewer works fine. TaxOnWeb fails with "SSL peer was unable to negotiate an acceptable set of security parameters.(Error code: ssl_error_handshake_failure_alert)" What do I need to do more to register the PKCS11 device? From /usr/share/doc/eid-mw's README: To use the Belgian eID in Firefox, we recommend the Firefox extension to handle configuration automatically. The extension will be installed on Linux and OSX. The default install locations: - Linux: DATADIR/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384} (DATADIR is by default PREFIXDIR/lib - PREFIXDIR is by default /usr/local) Google points to: "". Install and restart firefox.

BeID on Angkor (legacy info from Karmic Koala)


After installation of these two packages, 'lsusb' results in 'Bus 007 Device 003: ID 072f:9000 Advanced Card Systems, Ltd ACR38 AC1038-based Smart Card Reader'. The 'beidgui' is callable from from the KDE launcher but fails with 'unknown errorcode'. But: 'Please read the README.Debian file in the 'libbeidlibopensc2' package for information on setting up your system so that it can read from smartcards.' This points to installing libacr38u and pcscd.


Originally, most utilities result in 'cannot connect to X server'... so try to natively login as root and startx. However, reboot system, and the CLI-tools works under marc3.

Tried to register '/usr/lib/' under 'preferences/advanced/security device'. PROBLEM: still not possible to register my own certs.

The beidgui (accessible via KDE launcher) still gives 'wrong root certificate'. This according to is due to using too old middleware.


Installing smart card support on BlackBetty

On BlackBetty - pcscd and pcsc-tools installation

On BlackBetty, only libpcsclite1 (essentially '/usr/lib/') was already installed wrt pcsc. So I added pcscd and pcsc-tools (which depended up libpcsc-perl).

Installation ok. sr/lib/pcsc/drivers/ACR38UDriver.bundle

Let's check: pcscd is normally started at boot time from /usr/etc/init.d/pcscd. But even without rebooting, 'ps -ef' shows me there is a pcscd up and running.

Debian has the 'start-stop-daemon' tool, so you can:

Use the GUI tool system / administration / logviewer to see that indeed the daemon was killed/started.

The toolset pcsc-tools contains:

Ref to

reader driver for ACR38

Installed package libacr38u. This is reflected in a driver under pcsc ('usr/lib/pcsc/drivers/ACR38UDriver.bundle').

You can now plug in the reader, insert a card, and run pcsc_scan. OK.


Doc in '/usr/share/doc/opensc/index.html'.

Depending upon its libopensc2 libraries ...


Quick diagnostic: insert reader and eid. Then 'pkcs15-tool -D' to dump PKCS15 objects visible. Then

So 'openssl pkcs12 ....' might help. Do 'man pkcs12'. for example 'openssl pkcs12 -export -in file.pem -out file.p12 -name MyCertificate in practices: 'openssl pkcs12 -export -in 001-belgianroot.pem -out file.p12 -name 001-belgianroot': 'unable to load private key'. Sure, I don't have that in a pem cert....

Oddly enought: openssl doc states quote -in filename The filename to read certificates and private keys from, standard input by default. They must all be in PEM format. The order doesn't matter but one private key and its corresponding certificate should be present. If additional certificates are present they will also be included in the PKCS#12 file. unquote

So BUT ONE PRIVATE KEY AND ITS CORRESPONDING CERT SHOULD BE PRESENT. Seems odd to me, so you can't simply convert a root cert in pem to a root cert in pkcs12. Does this mean the content is changing too much to maintain the structure/signature?

Peek inside .pem cert: 'openssl x509 -in 001-belgianroot.pem -noout -text' You can also convert from pem to der with openssl x509....

So the final wayforward may be:

IX.120 SageMath


On Angkor, simple use Synaptic. On BlackBetty, it seems to be not available (may have to do either with the processor type or with the Ubuntu repository...). Password for administrator: fdjk123



IX.121 JonDo


On Angkor, use the manual instructions from etc.... You have to add the repository to your /etc/apt/sources.list, then download and check the pubkey, and do an aptitude install. There are two components:

After the install, you need to "sudo jondo" to complete the installation. You can find all files and docpointers in Synaptics.

IX.122 TOR


On Angkor2, in /home/downloads/tor-browser_en_US subdir. To start: dolphin, cd to that directory, cd to subdir tor-browser_en-US, doubleclick. Apparently manually executing "./start-tor-browser" does not always work.

When you select a magnet from piratebay, Firefox has by default no protocol handler for magnets. In Firefox, you can enter "about:config" as url, and then you can add "network.protocol-handler.expose.magnet" ... but it does not work for me. So: just open the magnet in another tab, copy it, paste it in Ktorrent.

On Windows: from torproject website. TOR browser available from the menu.

Where to go - onion sites

List with onion sites: separate file.

IX.123 I2P


On Angkor, use the manual instructions from You have to add the repository to your /etc/apt/sources.list, etc. On Windows ... Then

Locate torrent as magnet in Postman or Welterde, copy it over to I2PSnark and start the torrent there. Downloads are shown in the applicationwindow, rightmouseclick to save them.

Finding eepsites: installation is in var/lib/i2p, where you find i2p-config, eg an addressbook and doc.

Applications - graphics

X.101 Xv

In order to display e.g. PowerPoint slides:
- save them as JPEG
- transfer them to Linux
- start Xv & load the JPEG
- use shift-space to move to the next slide
- use shift-backspace to move back to the previous one
- use < and > to increase/decrease screen size.

Remember the Visual Schnauzer (cntl-v) gives you the 'thumbnails'.

Documentation can be found in /usr/doc. This is in PostScript format, so you can use GhostView to read it.

X.102 Gimp

Automatically installed with SuSE 5.3 or later.

X.103 GhostView

GhostView can be used to view PostScript, Microsoft Documents, ...

X.104 xpdf / Acrobat Reader

Prior to SuSE 6.4, xpdf needed to be installed to view files in Acrobat reader format (*.pdf). If xpdf does not come up with a menu use the right mouse button, or run it "xpdf /filename.pdf".

SuSE 6.4's KDE's browser allows you to read pdf files (but less than perfect). Acrobat Reader is enclosed as commercial software and it runs nicely.

X.105 POVray

POVray and x-povray (provided in /usr/X11R6/bin/... - /usr/lib/povray ... )

X.106 Blender

Refer to BTK1.html

X.107 thumbnail

Simple command to create tiff thumbnails.

Applications - security


Refer to history log. xxx


Cfr CD or Key prerequisites include:

Key ISS files include:


From Check out /usr/doc/packages/nmap/docs. Usage includes:

Nice demo: 'nmap -sT localhost' - crosscheck output with /etc/inetd.conf, modify the inetd.conf, rerun the 'nmap'. Allows 4 stealth modes: SYN (SYN flag set), FIN (FIN flag set), XMAS (FIN, URG, PUSH flags set and NULL (all flags off). Allows "decoy" mode: e.g. "nmap -s5 -P0,ME,,".

nc netcat

Apparently originally written by (remember CACA...). Documentation in /usr/doc/packages/netcat/README or /usr/share... See Simplest use is 'netcat host port'. Unlike e.g. telnet, netcat will not interfere with or interpret the data stream in any way. Also:


From "". Identifies about 100 OS's.


4g8 for traffic capturing in a switched environment

Linux as a packet filter

Various elements evolved over time:

The Linux kernel can be instructed to do packet filtering, if you compile in the right options. Forwarding and logging will then be managed via ipfw and ipfwadm. Refer to the man pages. Later, IPchains was a rewrite of the firewalling code, and of ipfwadm.

You can also run a proxy server on Linux, using e.g. SOCKS (a single utility to cover all protocols, one daemon and one config file) or the TIS fwtk (one utility per protocol).

IPchains on malekh

Check out: As the IPchains HOWTO explains, you have ipchains if you find /proc/net/ip_fwchains. I do have this on malekh, and the content reads: How does this work? Read: Issuing "ipchains -L" (for list) reveals the current set-up.

Kismet - DROPPED

On BlackBetty

From Ubuntu hardware tests determine network hardware:

Broadcom Corporation BCM4312 802.11b/g (rev 01) Realtek Semiconductor Co., Ltd. RTL8101E PCI Express Fast Ethernet controller (rev 02)

So /etc/kismet/kismet.conf should have 'bcm43xx' or 'b43' or 'b43legacy' as capture source. But then: marcsel@BlackBetty:~$ sudo kismet_server Suid priv-dropping disabled. This may not be secure. No specific sources given to be enabled, all will be enabled. Non-RFMon VAPs will be destroyed on multi-vap interfaces (ie, madwifi-ng) Enabling channel hopping. Enabling channel splitting. Source 0 (mlsbbitf): Enabling monitor mode for bcm43xx source interface eth1 channel 6... FATAL: Failed to set monitor mode: Invalid argument. This usually means your drivers either do not support monitor mode, or use a different mechanism for getting to it. Make sure you have a version of your drivers that support monitor mode, and consult the troubleshooting section of the README. marcsel@BlackBetty:~$

Tried via 'system' 'administration' 'hardware drivers' to activate a proprietary broadcom driver.... Does not solve the problem....


To find out which interfaces you can capture: ifconfig, or 'sudo wireshark -D'. Results eg in 1. sms 2. eth0 3. eth1 4. any (Pseudo-device that captures on all interfaces) 5. lo Ifconfig will show that eth1 is active. Start-up: can only be run by root, hence "sudo wireshark -D" to display available itfs. And "sudo wireshark" to start. Documentation Doc and FAQ in "/usr/share/wireshark/wireshark/help". Man pages in "/usr/share/wireshark/wireshark/wireshark.html" Working with wireshark Wireshark's native capture file format is libpcap format, which is also the format used by tcpdump and various other tools. Use "capture - options" or control-K to capture in promiscuous mode. Run "ifconfig" to identify your own IP address. My MAC is according to ifconfig for eth1: 90:4c:e5:1a:ad:85. Sample captures saved on BlackBetty in MLS-wireshark.


Nessus 2.2.9 (current is 4.2) - client/server Executables: in /usr/bin Documentation: /usr/share/doc/nessus - mainly about installing and starting /usr/share/doc/nessusd Plugins: /usr/share/doc/nessus-plugins - some contents on plugin structure Downloadable pdf usermanual on website How to start using Nessus? * Set up the server certificate with `nessus-mkcert': OK * Set up a user with `nessus-adduser' : ok "nexus", psw = * Set up the client certificate with `nessus-mkcert-client': ok msg: >>>Your client certificates are in /tmp/nessus-mkcert.5883 >>> You will have to copy them by hand >>>mls: to where?>>>mls: ok seems not necessary. * Run `nessusd -D' in order to start the daemon. * Change back from root to normal user, run X and start `nessus' (or select it from the menu, it's in Apps/System submenu). Tell the client to connect to localhost. It will ask you for a username and password. Enter the user/password you set up with nessus-adduser, and off you go. Registering Nessus: Registered as Got activationcode back via email. Registration OK. Updating plugins is manually, via "nessus-update-plugins" command. Using Nessus Website provides documentation for version 4.2, but what installs on BlackBetty is an old 2.2.9.


Pristine sources: Installed as per instructions. Bootable copies on USB and CD. Wireless interface works on old PwC Compaq, and not on Dell Inspiron Mini BlackBetty. Reason is documented on website: the Broadcom wireless chipset of the Dell is not supported.

Network is not started automatically (stealth). This does not stop the capturing radiotools etc to work. Use "lshw" to learn HP EliteBook 8440p has a wireless Centrino Advanced-N 6200, called wlan0. Supports IEEE 802.11abgn, promiscuous, driver is iwlagn. Try also "nm-tool" on Ubuntu. Further:


Radiotools include:

LEGACY If you want explicit networking, start it with: "/etc/init.d/networking start". This results in DHCPrequests on eth0 i.e. the ethernet LAN itf. How about starting the wireless? Try iwconfig.

First kill LAN using "ifdown eth0" etc. Then "ifup eth1" which is wireless. Running "iwconfig" will then illustrate that if there are no DHCP offers, the inteface will go from "radio off" to "unassociated". Which I interprete as "on" but "no IP address". If you do "iwlist wlan0 scan" you can see the ESSID and the RF quality info.

If you see the ESSID but cannot get an IP address, that may be due to protection such as WPA.



On Kali. See also burp basics.

Getting started


Confirm your proxy listener is active

Configure your browser to use the proxy listener

Installing Burp's CA Certificate in your browser

By default, when you browse an HTTPS website via Burp, the Proxy generates an SSL certificate for each host, signed by its own CA certificate. This CA certificate is generated the first time Burp is run, and stored locally.

To use Burp Proxy most effectively with HTTPS websites, you will need to install Burp's CA certificate as a trusted root in your browser.

If you have not already done so, configure your browser to use Burp as its proxy, and configure Burp's Proxy listener to generate CA-signed per-host certificates (this is the default setting). Then use the links below for help on installing Burp's CA certificate in different browsers: .

With Burp running, visit http://burp in your browser and click the "CA Certificate" link to download and save your Burp CA certificate. Import in Firefox CA certs. It will appear as PortSwigger, not as Burp.

QUOTE Also: Note: If you install a trusted root certificate in your browser, then an attacker who has the private key for that certificate may be able to man-in-the-middle your SSL connections without obvious detection, even when you are not using an intercepting proxy. To protect against this, Burp generates a unique CA certificate for each installation, and the private key for this certificate is stored on your computer, in a user-specific location. UNQUOTE

Trying to read this cert with openssl fails. OK imported in Firefox as trusted CA. Since DER may contain a chain and a private key - anything is possible now!


Firefox now talks to the burp proxy. When i visit (or nothing happens. Is the browser hanging? Is the proxy stopping the request from going out? Start/stop burp...OK.

The tab proxy / intercept has a button: 'intercept is on/off'.


From owasp. Download from Sourceforge 'webscarab-installer-....jar'. Then "exec java -jar webscarab-installer ...". Goes into /home/marc4/WebScarab, start via "java -jar webscarab---.jar".


Will not install on windows unless you deactivate the antivirus. Downloaded the community edition on Angkor and registered it. Then made the installer executable by "chmod +x", and sudo'd it. Create account, ref KTB. To start metasploit: cd /opt/metasploit, "sh start" (or stop). Point your browser to localhost, port 3790.

Applications - Office & Multimedia

XII.101 iPod

XII.101.1 iPod Classic/GTKPOD

You need to format the Classic under Windows. They you can plug it in. Use Rhythmbox to transfer the whole music library via "synchronise" function. Mount the ipod.

Select it in the Rythmbox application, you will see buttons appear for "sync". You can also ask the properties of the ipod.

Legacy: Under Ubuntu 12.04, use Amarok to transfer music. Ubuntu 10.04 LTS (Lucid Lynx): use gtkpod ipod manager to create "repositories", one for the Linux based file system with the mp3's, another one for the iPod. Import files from filesystem to "MusicLibrary". Select files and rightclick to create playlist (NO smart playlist). You can then transfer playlists from the filesystem repository"MusicLibrary" to the iPod repository. However, you can only transfer mp3's, formats such as wma are not transferred. Unmount the iPod with filemanager (Dolphin), or with "umount /dev/sdh1".

XII.101.2 File conversion towards mp3

Should work with Audacity or ffmpeg, but in some cases this fails due to "wma proprietary" format.

XII.101.9 legacy

Legacy: Lucid Lynx: physically connect iPod via USB, and then issue "mount" and you get:

Start gtkpod in terminal window. Gtkpod can read the iPod's music but cannot write, since it's mounted read-only. According to various sources mounting in rw is only possible if your iPod is formatted in FAT32 (which mine is not).

XII.102 Amarok

On Ubunt 12.10, or 'Quantal', Amarok performs great. You can also use it to copy music to iPods. Mount the iPod, then in Amarok select the music you want, rightclick and then "copy collection" to iPod. Occasionally hangs but in general it does the job.

Legacy---Seems to have lost MP3 support after upgrade to Lucid Lynx. Installing package "kubuntu-restricted-extras" should do the job. Does not seem logical at first sight since it does not contain any files that make me think about mp3... It seems that "Libxine1-ffmpeg contains MPEG-related plugins used by libxine1, the media player library used by Xine engine, which Amarok and other xine-based players use." Indeed, Amarok uses the Phonon Xine backend. But installing package "kubuntu-restricted-extras" did not solve the problem, Amarok still does not play. Other helpfiles state you need to install "libxine1-ffmpeg". It can be found in Synaptic, but when you install the message is that there are unresolved dependencies that cannot be solved. This includes eg "libavcodec52". You can find this via Synaptics too, but then installing it will remove what looks like a lot of useful other libraries and programs. So what? Synaptics/Settings/Repositories/Ubuntu: here you should select "software selected by copyright (multiverse)".

XII.102 Rythmbox

Rhytmbox is a Gnome media player. Info at It uses the Music directory as default location for its music.

Bottom left there is a + sign that creates new playlists.

Configuration seems to be done automatically, I can't find any preferences or similar. To remove all customisation, remove these folders:

XII.103 Firefox

Flash and video download

Use add-on "Flash and video download" to download videos from YouTube. Download from "". Click in Firefox's status area bottom right to start the download.


Addblock liveheaders Hackbar beid extension

XII.104 xanim

Plays a.o. avi and quick time files. Tried on imagine:

  1. which movie files do we have: "locate *.mov"

  2. try "xanim /Kassandra_Data/Images/Hubble/....."

  3. "XAnim rev 2.80.0"

  4. fails with "video present but not yet supported - video codec Radius Cinepak not supported"

Way forward:

XII.105 KDE applications -kaddress

XII.106 Latex

XII.106.1 Core Latex - TexLive

Install "Tex Live" basic packages via Muom package manager. Files go in /usr/bin, /usr/share and many other locations and subdirs.

XII.106.2 Texworks

Install "Texworks" packages via Muom package manager. Files go in /usr/bin/texworks etc.

Configuration in /home/marc/.config/TUG/TeXworks.conf

Resources in /home/marc/.TeXworks.

XII.106.99 Legacy - Texlipse - Latex on Eclips

Then install Eclipse, and add Texlipse. Configure as per

XII.107 Philips TV

Linking to Philips TV 9604: "". TV is the "MediaRenderer", supporting according to the Philips Website: MP3, WMA versie 2 tot versie 9.2, Diapresentatiebestanden (.alb), JPEG-afbeeldingen, MPEG1, MPEG2, MPEG4, AVI, H.264/MPEG-4 AVC, MPEG-progammastream PAL, WMV9/VC1. Connectivity is Ethernet-UTP5, USB, WiFi 802.11g (ingebouwd). DLNA 1.0-gecertificeerd.

Check it on On this site you can view the DLNA Certificate for every product. For example the 37PFL9604 Certificate can be found here : It supports DLNA 1.0.

Useful discussion on Conclusion IMHO: it should be possible to stream lots of different video formats to the TV via DLNA, even through the network interfaces (wireless/ethernet). Best approach may be to find some formats that are realiably supported on the TV and then convert whatever you have to such format by transcoding on the fly.

XII.108 Mediatomb

XII.108.1 Basics

Angkor2, installed Mediatomb version 0.12.1 (via "sudo aptitude install mediatomb") in July 2013. Mediatomb implements the UPnP MediaServer v1.0 specification according to Should work with any UPnP MediaRenderer. Url: with documentation. After installing you get:

Main config is in .mediatomb/config.xml.


With regard to CLI:

Good basic info in: "".

XII.108.2 Usage

Adding music. Apparently you can add entries via the GUI, or via CLI:

GUI Starting Mediatomb from userterminal results in informationlisting, with pointer to GUI, eg: "2009-12-20 17:34:58 INFO:". In the GUI, use the righthalf screen to navigate the filesystem and add your libraries to the database.


Accessing the music over the network. According to the documentation:"MediaTomb should work with any UPnP compliant MediaRenderer". How do you identify the status of the Mediatomb server? When running MediaServer on Sanne's HP laptop, I can navigate the entire Angkor filesystem.... scary. According to the documentation, this is because MediaTomb is to be used in a friendly home setting. For better security: run under a more restricted user account, or simply disable the GUI entirely (I assume you can then still work locally via the CLI).

XII.109 ING Homebanking


Op onze download website kunt u bovenaan kiezen of u de Windiws, Mac of Linux versie wilt downloaden. Armin Basiri ING Helpdesk Home'Bank tel. 02 464 60 01


As suggested for Ubuntu, downloaded 'HomeBank333.deb' from ''. Then used KpackageKit on it which said 'installation successful'. ING website says it should go in /opt, and indeed there are a lot of files there.


XII.110 brasero cd burning

As K3b often returns errors on Angkor, installed "brasero". Seems to work better, also on Angkor2. To write mp4 movies, use a data format.

XII.111 legacy

XII.111.1 legacy installation

XII.112 Audacity

XII.112.1 installation

On BlackBetty, via Synaptics. Usage eg via USB Turntable. Help via You need to start and connect the USB Turntable before starting Audacity or it will not be recognized. You can see the USB TT being connected at usb level in /var/log/syslog, with a (rather long) device name. You need to configure the USB TT as an input device for Audacity, via /edit/preference, select it as "ALSA USB Audio CODEC". MP3 support? Under /edit/preferences/audiofiles you will also see "MP3 exporting plugin not found". This seems to be the file "". However: downloading with Audacity's download button fails, and finding it under Synaptics fails too.You can find it via but it is only available for am64 and i386 architecture.But BlackBetty has an Atom processor. No luck. So either get source and compile, or try to export in eg OggVorbis, and convert that on Angkor.

XII.113 mp3 encoding with abcde and lame

XII.113.1 installation

MLS short summary:

The program abcde is actually a long script that manipulates a handful of programs, which I have conveniently added into the Terminal command above. It can actually do a great deal more than simply produce reasonable mp3 files but I will leave you to explore its many other possibilities. The programs that will be used to produce mp3s in this example are:


"A Better CD Encoder" = abcde! Ordinarily, the process of grabbing the data off a CD and encoding it, then tagging or commenting it, is very involved. The abcde script is designed to automate this.


In order to do CDDB (Compact Disc Database) queries over the Internet, you must know the DiscID of the CD you are querying. cd-discid provides you with that information. It outputs the discid, the number of tracks, the frame offset of all of the tracks, and the total length of the CD in seconds, on one line in a space-delimited format.


cdparanoia retrieves audio tracks from CDROM drives. The data can be saved to a file or directed to standard output in WAV, AIFF, AIFF-C or raw format. For the purposes of conversion to mp3 abcde directs cdparanoia to produce WAV files.


LAME is a program which can be used to create MPEG Audio Layer III (MP3) files.


id3 is an ID3 v1.1 tag editor. ID3 tags are traditionally put at the end of compressed streamed audio files to denote information about the audio contents.


id3v2 is an ID3 v2 tag editor. ID3 tags are traditionally put at the end of compressed streamed audio files to denote information about the audio contents. Using this command line software you can add/modifiy/delete id3v2 tags and optionally convert id3v1 tags to id3v2.abcde looks for two files on startup: /etc/abcde.conf and ~/.abcde.conf. The file abcde.conf is a fully commented configuration file that is well worth looking at, if only to copy to your home directory as ~/.abcde.conf (as is most usually done). Or if you are only interested in creating mp3s my gift to you,

Sample 'abcde.conf' Gentle Reader, is my own ~/.abcde.conf file: ---START OF abcde.conf example file--- # -----------------$HOME/.abcde.conf----------------- # # # A sample configuration file to convert music cds to # MP3 format using abcde version # # # -------------------------------------------------- # # Specify the encoder to use for MP3. In this case # the alternatives are gogo, bladeenc, l3enc, xingmp3enc, mp3enc. MP3ENCODERSYNTAX=lame # Specify the path to the selected encoder. In most cases the encoder # should be in your $PATH as I illustrate below, otherwise you will # need to specify the full path. For example: /usr/bin/lame LAME=lame # Specify your required encoding options here. Multiple options can # be selected as '--preset standard --another-option' etc. LAMEOPTS='--preset extreme' # Output type for MP3. OUTPUTTYPE="mp3" # The cd ripping program to use. There are a few choices here: cdda2wav, # dagrab, cddafs (Mac OS X only) and flac. CDROMREADERSYNTAX=cdparanoia # Give the location of the ripping program and pass any extra options: CDPARANOIA=cdparanoia CDPARANOIAOPTS="--never-skip=40" # Give the location of the CD identification program: CDDISCID=cd-discid # Give the base location here for the encoded music files. OUTPUTDIR="$HOME/music/" # Decide here how you want the tracks labelled for a standard 'single-artist', # multi-track encode and also for a multi-track, 'various-artist' encode: OUTPUTFORMAT='${OUTPUT}/${ARTISTFILE}-${ALBUMFILE}/${TRACKNUM}.${TRACKFILE}' VAOUTPUTFORMAT='${OUTPUT}/Various-${ALBUMFILE}/${TRACKNUM}.${ARTISTFILE}-${TRACKFILE}' # Decide here how you want the tracks labelled for a standard 'single-artist', # single-track encode and also for a single-track 'various-artist' encode. # (Create a single-track encode with 'abcde -1' from the commandline.) ONETRACKOUTPUTFORMAT='${OUTPUT}/${ARTISTFILE}-${ALBUMFILE}/${ALBUMFILE}' VAONETRACKOUTPUTFORMAT='${OUTPUT}/Various-${ALBUMFILE}/${ALBUMFILE}' # Put spaces in the filenames instead of the more correct underscores: mungefilename () { echo "$@" | sed s,:,-,g | tr / _ | tr -d \'\"\?\[:cntrl:\] } # What extra options? MAXPROCS=2 # Run a few encoders simultaneously PADTRACKS=y # Makes tracks 01 02 not 1 2 EXTRAVERBOSE=y # Useful for debugging EJECTCD=y # Please eject cd when finished :-) ---END OF abcde.conf example file---

XII.114 ffmpeg/avconv

XII.114.1 installation

On Angkor, via Synaptics. Run "ffmpeg" to find out it is an "FFmpeg video convertor". Run "ffmpeg -formats" to see supported formats. Both ogg and mp3 seem to be present.

XII.114.2 Usage

"man ffmpeg" has sample commands at the end. For ogg to mp3: "ffmpeg -i file.ogg file.mp3". For ape to mp3: "ffmpeg -i file.ape file.mp3". Using in on 29 Aug 2013 resulted in: “This program is deprecated, please use avconv instead. This was already installed, but failed to do the conversion, complaining about codec missing. Although running “avconv -formats” indicates it does support mp3. So what is wrong then? Some form of encryption?

XII.115 xournal - pdf

Pdf annotator.

XII.116 pdftk

The Swiss armyknife for pdfs. Sample command to create a pdf that prevents text copying:

MP3 Sansa player (Sandisk)


Problem: resetting

PROBLEM/SOLUTION from "": if the player is not turning on or charging there may be a fix. there was a know issue where the battery can become overly discharged. the fix is to hold the power button down for 30 seconds (this resets the player) then plug it in and let it charge. the LCD should turn on and it will start charging with in an hour of being plugged in. typically 15 to 20 mins depending on how much power the charging source gives. Oncethe LCD turn on and the device starts charging let it charge for about 3 hours for a full charge.

This issue is suppose to be fixed with the latest version of firmware. After it gets done charging make sure you update to the latest firmware. there is a frimware thread at the top of this board with the download links and installation instructions.

MLS: other posters on the forum report problems updating firmware... so beware.