linux magazine uk 25

Fireworks

COMMENT Welcome

3 www.linux-magazine.com November 2002

Dear Linux Magazine Reader,

November is here and fireworks abound not just in organized displays but in the world of Linux and computing.

The Fritz chip is causing one of the biggest bangs. Named after the US senator Fritz Hollings of South Carolina. It is already on sale in the form of Atmel’s secure processor, the AT90SP0801. This is the Palladium in action. This is still one to watch as the dominant market players try to lock out all free and open source technologies.

The Indian Times reports that the Indian Department of Information Technology is in talks with IBM and HCL over setting Linux as the standard within all of the sub-continent’s educational institutions. While this may just be a ploy to gain a better Microsoft licencing deal for the Department of Education, if true and they follow through Linux could become as dominant as in China. Having the majority of Asia’s software and hardware engineers developing Linux could only lead to more innovation and better products for the community as a whole. Development in China is now so advanced that they can aim for other markets. RedFlag Linux of China is now aiming at partnering multimedia providers to produce set top boxes and car voice systems. Soon – Linux in an appliance near you.

On a lighter side Transgaming has not made much noise about its ongoing achievements. As you may remember, Transgaming is developing a version of Wine and aims at getting all MS Windows games running on Linux. By subscribing you get to vote each month on the next improvements that the team will work on. Certainly this caters for their paying users. Now at version 2.2 the number of games working is advancing at a rapid pace. It is quickly turning one of my Linux boxes into a dedicated games console, which is very embarrassing when it is supposed to be for serious development.

Knoppix 3.1 is certainly a bright light. A single CD Debian based distribution is available either by download if you have the bandwidth or from one of the usual vendors. Put the CD in the machine and reboot. Running from the CD it detects all of your hardware and leaves you running a KDE desktop so quickly and without any intervention that you will wonder why all Operating Systems cannot do this.

Once you get over the shock of the easy setup you can start to explore all the software supplied on the single disk. My favourite use is as a check for hardware. Throw in the disk and if it works you know it is your own configuration files that are wrong. If it does not work then the chances are it is the hardware and not the setup. It is great for copying configuration files for your own systems.

Happy Hacking,

John Southern
Editor

We pride ourselves on the origins of our publication, which come from the early days of the Linux revolution. Our sister publication in Germany, founded in 1994, was the first Linux magazine in Europe. Since then, our network and expertise has grown and expanded with the Linux community around the world. As a reader of Linux Magazine, you are joining an information network that is dedicated to distributing knowledge and technical expertise. We’re not simply reporting on the Linux and Open Source movement, we’re part of it.

Linux New Media Awards 2002

An international jury has recently chosen the winners of the Linux New Media Awards 2002.

The winners are:
Mobile Devices – Sharp Zaurus
Network Hardware – Axiom AX 6113
Hardware – Pioneer DVR-104
Distributions – Debian
Development Software – GCC
Office Packages – Open Office
Internet Applications – Mozilla
Databases – PostgreSQL
Newcomer of the Year Linux – Gentoo
Linux Companies – IBM

For the full story, see page 88.

Software News

The Chameleon strikes back

Geeko, the green SuSE mascot, starts its World conquest tour with the new 8.1 release. The latest distribution comes with KDE 3.0.3 and the new GNOME 2.0 desktop. OpenOffice 1.0.1 offers TrueType support and improved import filters – the right way to convince people that an office suite can provide access to all functionality and data without having to cost a fortune. In the multimedia section you’ll find the new GPhoto 1.2 and the Ogg Vorbis 1.0 encoder and player.

It is YaST2 (“Yet another Setup Tool”) that really makes SuSE. This core administration component includes many functions that help with installing and configuring the OS. SuSE claim that even first-time Linux users should be able to “complete the installation in less than 30 minutes”. Its updated hardware detection handles USB 2.0 and Firewire devices. Using a new service called YOU (“YaST Online Update”), you can install updates from FTP, HTTP and other sources. ■

http://www.suse.com

See also p32 for our review of SuSE 8.1.

GIMP 1.3.9 released

The GIMP (“GNU Image Manipulation Program”) project has announced another release in their development tree, GIMP 1.3.9. It introduces mostly minor bugfixes and some new functions. But be warned: The GIMP 1.3 series is for developers only and is not intended for end users. The development team say that all work on GIMP 1.4 (the future stable version) is done on the 1.3 series and that it’s therefore mainly made for developers who want to work on the software. If you want to install a working version of GIMP, you should stay with the latest stable release, 1.2.3.

The latest release is available via anonymous CVS. ■

http://www.gimp.org/devel_cvs.html

Listen to the Music!

Version 1.3 of the GTK+ based FM Radio tuner is out. It works with every radio card that is supported by video4linux (http://www.exploits.org/v4l/). You can use remote controls via (optional) LIRC (Linux Infrared Remote Control, http://www.lirc.org/) and record radio as wav or mp3. The user interface is available in several languages including English, Danish, German, French, Spanish, and Italian. The main changes to the new version are the use of GConf instead of a gnome1-style configuration file and additional translations into Belarussian, Czech, and Brazilian Portuguese. ■

http://mfcn.ilo.de/gnomeradio

KDevelop – Picture perfect

The KDevelop Project was founded in 1998 to build an Integrated Development Environment. Available under the GPL, it supports KDE/Qt, GNOME and C++ projects. Now the team have released the first Alpha Release of the 3.0 version, codenamed “Gideon”. “This version features a rewritten code base utilizing plug-ins”, claim the people behind the scenes. New in this release is support for other languages such as Java and C. Other highlights are an application wizard for easy creation of KDE 2&3, Qt 2&3, GNOME, and terminal C/C++ projects. An internal debugger, an HTML-based help system and CVS support complete the picture.

KDE’s own news site http://dot.kde.org writes: “Gideon brings out the best in what an Integrated Development Environment should be”. The new KDevelop requires KDE greater than 3.0.2 (or 3.1) and Qt greater than 3.0.3 (or 3.1) and can be downloaded from the project’s homepage. ■

http://www.kdevelop.org

Like a Phoenix from the Flames

The Mozilla-based stripped down browser, Phoenix, has reached release version 0.3, “Lucia”. The idea is to have a reduced browser without the mail, news, composer and IRC functions. On their website the developers state in the FAQ that they “want to have fun and build an excellent, user-friendly browser without the constraints.” Phoenix uses less memory than Mozilla and is therefore a lot faster, especially on startup.

To try it out, the project provide binaries for Windows and Linux. In addition you can download the latest nightly builds, which are intended for testing purposes and may have bugs. For upcoming features, take a look at http://www.mozilla.org/projects/phoenix/phoenix-roadmap.html. There is help with the installation at http://www.mozilla.org/projects/phoenix/phoenix-release-notes.html#install. As the website says: “Use at your own risk”, to explore strange new websites, to seek out new bugs and new features, to boldly go where no one has gone before… ■

http://www.mozilla.org/projects/phoenix/

SpamAssassin 2.42 set loose

This mail filter consists of a set of Perl modules and uses a wide range of tests to identify spam, including header and text analysis. In addition, some well-known blacklists like http://www.mail-abuse.org/ and http://www.ordb.org/ are supported.

The spam detection works like this: Typical advertising expressions like “Try it out for FREE!” or “To be removed from our list please reply with…” are recognised and there is a big set of more sophisticated patterns. After identifying the mail as spam it is tagged for later filtering. SpamAssassin works perfectly with Procmail. Using a Procmail rule, incoming mail is piped through the SpamAssassin program, and then all tagged messages can be filtered into a separate folder. Even if you use a graphical mail client like KMail you don’t have to do without the spam killer. The web site http://kmail.kde.org/tools.html provides help with the configuration.

If you upgrade from a version previous to 2.40 you should read the release notes carefully, since SpamAssassin no longer comes with code to handle local mail delivery. Other changes include some bugfixes, some updates to the spamd daemon and new documentation. SpamAssassin’s website offers useful tips & tricks, documentation, FAQs and HOWTOs for setting up SpamAssassin under various environments. ■

http://spamassassin.org

Privacy for the Masses

The GnuPG team proudly presents Version 1.2.0 of the GNU Privacy Guard, a new stable release of GNU’s tool for secure communication and data storage. This complete and free replacement of PGP can be used for encrypting data and for creating digital signatures. GnuPG comes with an advanced key management facility and is said to implement “most of OpenPGP’s optional features, has somewhat better interoperability with non-conforming OpenPGP implementations and improved keyserver support.”

You can download GnuPG 1.2.0 or a patch to upgrade from version 1.0.7 from one of the mirror sites http://www.gnupg.org/mirrors.html#ftp. To check the integrity of the version, the team recommend either verifying the supplied signature (if you already have a trusted version of GnuPG installed), or checking the MD5 checksum. ■

http://www.gnupg.org/gnupg.html

Happy Birthday, OpenOffice

Just in time for the second birthday of the project, a new release sees the light of the world – OpenOffice 1.0.1 is out. The OpenOffice team claim that only minor bugfixes made their way into the release. If you have had problems using OpenOffice.org 1.0 or if your problems are not mentioned as fixed in the release notes, there is no need to upgrade. The new documentation now contains a detailed guide in pdf format which helps with the single user or network installation. French, German and Italian translations are available and other languages are in preparation. ■

http://www.openoffice.org

Business News

Huge Benefits through Open Source

By replacing its back-end IT infrastructure with open source software, a London-based construction firm has gained huge benefits in reliability, scalability and performance, plus more than halved its annual Microsoft licensing fees – saving over £200,000 this year and about £100,000 each year from now on.

Sirius IT, who implemented the solution, states that by running Open Source Software on Linux, yet keeping Microsoft Office on each desktop, its client, Killby & Gayford Group, has not only radically increased its business competitiveness but has also drastically lowered its operational costs. Killby & Gayford Group now use an entirely open source solution to run their complex network, spread over two sites.

Sirius IT claims Killby & Gayford is one of the very few examples of a fully integrated open source server/Microsoft desktop infrastructure anywhere in the world. Measured benefits Killby & Gayford have gained are:

Massive reduction in software licensing costs due to the replacement of Microsoft server software with open source alternatives.
Zero user retraining costs – end users continue to use the familiar Microsoft Office suite on their desktop.
Simple, powerful, secure, single sign-on – staff can now logon to the network, from any desktop, using any operating system, and use any service.
Vastly increased security, plus total back-end immunity to viruses.
Radical improvements in file access and print serving speeds, across the network.
Rock solid network stability – uptimes now measured in years, rather than weeks. ■

http://www.siriusit.co.uk/technical/casestudies/kg.html

Linux Minicluster by Sandia National Labs

Parvus Corporation has helped Sandia National Laboratories to develop a portable Linux cluster computer system based on commercial-off-the-shelf (COTS) PC/104 technology.

While cluster computers typically combine multiple desktop-sized PCs to work in parallel on problems too large for a single computer, Sandia’s Minicluster makes use of embedded PC components to achieve a high-performance, low-cost parallel processing system.

Computers such as the Minicluster could potentially be used to demonstrate a wide variety of scientific and business applications, including weather prediction, human genome analysis, pharmaceutical design, aircraft and automobile design, seismic exploration, artificial intelligence, data mining, and financial analysis, among others.

“By utilizing Parvus Corporation’s components, packaging, and systems integration services, Sandia was able to quickly complete the Minicluster project,” said Mitch Williams, engineer at Sandia’s Embedded Reasoning Institute (ERI). “Our design successfully integrates all standard features of normal-sized rack-mounted clusters, including individual keyboard, video and mouse access to every node, while minimizing size to barely over a foot tall and five inches wide.”

The unit incorporates a Linux OS, four PC/104 processor nodes, a 10BaseT private network, power supply, KVM switch, and an external PCMCIA wireless connection. ■

http://www.parvus.com/parvemp/LinuxC.htm
http://eri.ca.sandia.gov

Virtual Servers aid Travellers

Mobil Travel Guide has picked IBM. They will provide the Mobil Travel Guide with large-scale mainframe computing and storage infrastructure on-demand over the Internet.

Under a 5-year agreement, IBM will provide the travel guide service with on-demand access to Linux-based server processing, storage and networking capacity from IBM e-business hosting centers in the United States. Instead of the physical Web, database and application servers they currently rely on, the guide will tap into “virtual servers” on IBM zSeries mainframes and Enterprise Storage Servers running SuSE Linux, paying only for the computing power and capacity that they require and so match costs with revenues as seasonal demand changes.

The guide will utilize the IBM computing resources to support the expansion of a new Web-based service – Mobil Companion – which offers customized service for travelers. The Mobil Companion travel program targets upscale leisure travelers with benefits that include state of the art Web-based travel planning, 24-hour enroute travel support services, preferred rates from hotels, restaurants and other travel service providers. ■

http://www.ibm.com/news/us/2002/10/042.html

UK Free Software Network

UKFSN is an ISP with a difference – all of the profits from the operation will be donated to fund Free Software projects in the UK. Profits from the service will be paid to the Association of Free software who has agreed to distribute all the money raised. ■

http://www.ukfsn.org/


Instant Offices chooses Rackspace

Rackspace Managed Hosting has been chosen by Instant Offices to host its on-line business community for the serviced office space marketplace. Instant Offices is an on-line network of serviced office operators providing a comprehensive directory and database of serviced office space throughout Europe.

This allows users to view properties from their desks, make comparisons between office space and negotiate better deals. The service is free because the serviced office operators, in partnership with Instant Offices, pay a commission for the successful introduction of new business through the network.

Growth in demand for Instant Office’s offering and the introduction of new services like virtual tours, 360 degree on-line tours of available office space and facilities, meant that Instant Offices needed to ensure it had high levels of Internet connectivity to support its growing business community.

Instant Offices’ server is managed by Rackspace at its Data Centre in West Drayton, near Heathrow. The Data Centre offers customers burstable bandwidth to address rapid or continuing increases in the demand for data from their housed server. Rackspace provides round-the-clock monitoring, security and technical support, backup power supply and high-speed and redundant network connectivity to ensure uninterrupted high performance and data integrity. ■

http://www.instantoffices.co.uk/

HP set the Benchmark

HP announced that HP ProLiant servers have delivered the first Linux TPC-C benchmark results running Oracle 9i Real Application Clusters using Red Hat Linux Advanced Server.

Demonstrating the cost and maintenance benefits of running Linux based hardware and software in enterprise operating environments, an 8-node cluster of HP ProLiant DL580 servers using Intel Pentium III Xeon processors and HP StorageWorks MSA1000 storage system achieved 138,362.03 tpmC (transactions per minute) at a cost of just $17.21/tpmC with Red Hat Linux Advanced Server.

TPC is a non-profit corporation founded to define transaction processing and database benchmarks and to disseminate objective, verifiable TPC performance data to the industry. The complete benchmark results and test details are available to read at http://www.tpc.org.

Information about additional HP ProLiant servers certified for Red Hat Linux Advanced Server is available at http://hardware.redhat.com/hcl/.

Opera first

Following on from last month’s news item about Mozilla and the Optimoz project, we have been contacted by Opera who point out that they have had mouse gestures in their web browser for a long time, both on Windows and most importantly, in the Linux version. ■

http://www.opera.com/whyopera/

SuSE plays in the SAP League

SuSE Linux has become a SAP AG technology partner. This allows SuSE’s large enterprise customers like Siemens Business Services who run several mySAP Web Application Servers to benefit from this partnership with SAP.

This partnership enables companies all over the world to use mySAP.com on SuSE Linux Enterprise Server while taking advantage of services and support from SAP. Since May 2002, mySAP.com has been available on SuSE Linux Enterprise Server for IBM eServer zSeries. This is the first certified offer of a scalable and reliable e-business collaborative 64-bit solution that can run in an LPAR (logical partition) or on z/VM (virtual machine). Additionally, engineers of both companies are working together to integrate mySAP.com into the new 64-bit Itanium Processor Family (IPF). ■

http://www.suse.de/us/company/press/press_releases/archive02/suse_sap.html

MontaVista increase Protocol Support

MontaVista Software has formed a partnership with Hughes Software Systems in which the SS7 protocol stack and wireless GPRS/3G will be ported to their Carrier Grade Edition. This will give MontaVista support for more network equipment providers including the 3G and 2.5G mobile phone network markets. The range of supported protocols is broad and should help MontaVista in dominating the market. All the HSS protocol stacks are available both in portable source code or binary form on a variety of hardware platforms, along with API documents and user manuals. ■

http://www.hssworld.com

Qtopia Upgrade

Trolltech have announced the release of Qtopia 1.6 Beta. Qtopia is based on the embedded port of Qt. Version 1.6 had better integration for Microsoft Outlook synchronisation and an improved media player allowing skinning and better song control. The development environment has upgrade support for Asian character input and backup facilities using TCP. The product is still free to Open Source developers and can be found on Sharp Zaurus SL-5500 and SL-A300 PDAs. ■

http://www.trolltech.com/products/qtopia/index.html

Insecurity News

Dvips

dvips contains a flaw allowing print users to execute arbitrary commands. The dvips utility converts DVI format into PostScript(TM), and is used in Red Hat Linux as a print filter for printing DVI files. A vulnerability has been found in dvips which uses the system() function insecurely when managing fonts. Since dvips is used in a print filter, this allows local or remote attackers who have print access to craft carefully a print job that would allow them to execute arbitrary code as the user ‘lp’. A work around for this vulnerability is to remove the print filter for DVI files. The following commands, run as root, will accomplish this:

rm -f /usr/share/printconf/mf_rules/mf40-tetex_filters
rm -f /usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi

However, to fix the problem in the dvips utility as well as removing the print filter we recommend that all users upgrade to these errata packages. This vulnerability was discovered by Olaf Kirch of SuSE. Additionally, the file /var/lib/texmf/ls-R had world-writable permissions. ■

Red Hat reference RHSA-2002-192-18

Security Posture of Major Distributions

Distributor: Debian
Security Sources: Info: www.debian.org/security/, List: debian-security-announce, Reference: DSA-… 1)
Comment: Debian have integrated current security advisories on their web site. The advisories take the form of HTML pages with links to patches. The security page also contains a note on the mailing list.

Distributor: Mandrake
Security Sources: Info: www.mandrakesecure.net, List: security-announce, Reference: MDKSA-… 1)
Comment: MandrakeSoft run a web site dedicated to security topics. Amongst other things the site contains security advisories and references to mailing lists. The advisories are HTML pages, but there are no links to the patches.

Distributor: Red Hat
Security Sources: Info: www.redhat.com/errata/, List: www.redhat.com/mailing-lists/ (linux-security and redhat-announce-list), Reference: RHSA-… 1)
Comment: Red Hat categorizes security advisories as Errata: Under the Errata headline any and all issues for individual Red Hat Linux versions are grouped and discussed. The security advisories take the form of HTML pages with links to patches.

Distributor: SCO
Security Sources: Info: www.sco.com/support/security/, List: www.sco.com/support/forums/announce.html, Reference: CSSA-… 1)
Comment: You can access the SCO security page via the support area. The advisories are provided in clear text format.

Distributor: Slackware
Security Sources: List: www.slackware.com/lists/ (slackware-security), Reference: slackware-security … 1)
Comment: Slackware do not have their own security page, but do offer an archive of the Security mailing List.

Distributor: SuSE
Security Sources: Info: www.suse.de/uk/private/support/security/, Patches: www.suse.de/uk/private/download/updates/, List: suse-security-announce, Reference: suse-security-announce … 1)
Comment: There is a link to the security page on the homepage. The security page contains information on the mailing list and advisories in text format. Security patches for individual SuSE Linux versions are marked red on the general update page and comprise a short description of the patched vulnerability.

1) Security mails are available from all the above-mentioned distributions via the reference provided.

Mozilla

Updated Mozilla packages are now available for Red Hat Linux. These new packages fix vulnerabilities in previous versions of Mozilla. Mozilla is an open source web browser. Versions of Mozilla previous to version 1.0.1 contain various security vulnerabilities. These security flaws could be used by an attacker to read data off the local hard drive, to gain information that should normally be kept private, and in some cases to execute arbitrary code. All users of Mozilla should update to packages containing Mozilla version 1.0.1 which is not vulnerable to these issues. ■

Red Hat reference RHSA-2002-192-13

Heartbeat

Heartbeat is a monitoring service that is used to implement failover in high-availability environments. It can be configured to monitor other systems via serial connections, or via UDP/IP.

Several format string bugs have been discovered in the Heartbeat package. One of these format string bugs is in the normal path of execution, all the remaining ones can only be triggered if Heartbeat is running in debug mode.

tkmail

It has been discovered that tkmail creates temporary files insecurely. Exploiting this an attacker with local access can create and overwrite files as another user. This has been fixed in version 4.0beta9-8.1 for the current stable distribution (woody), in version 4.0beta9-4.1 for the old stable distribution (potato) and in version 4.0beta9-9 for the unstable distribution (sid) of Debian. ■

Debian reference DSA-172-1

bugzilla

The developers of Bugzilla, a web-based bug tracking system, discovered a problem in the handling of more than 47 groups. When a new product is added to an installation with 47 groups or more and “usebuggroups” is enabled, the new group will be assigned a groupset bit using Perl math that is not exact beyond 2^48. This results in the new group being defined with a “bit” that has several bits set.

As users are given access to the new group, those users will also gain access to spurious lower group privileges. Also, group bits were not always reused when groups were deleted.

This problem has been fixed in version 2.14.2-0woody2 for the current stable distribution (woody) and will soon be fixed in the unstable distribution (sid). ■

Debian reference DSA-173-1

pam

Paul Aurich and Samuele Giovanni Tonon discovered a serious security violation in PAM. Disabled passwords (i.e. those with ‘*’ in the password file) were classified as empty passwords and access to such accounts is granted through the regular login procedure (getty, telnet, ssh). This works for all such accounts whose shell field in the password file does not refer to /bin/false. Only version 0.76 of PAM seems to be affected by this problem.

This problem has been fixed in version 0.76-6 for the current unstable distribution (sid). The stable distribution (woody), the old stable distribution (potato) and the testing distribution (sarge) are not affected by this problem. ■

Debian reference DSA-177-1
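An audit for the condition described in the pam item (DSA-177-1): accounts whose password field is ‘*’ and whose shell is not /bin/false. This is an added example, not code from the magazine or from the PAM project; the sample passwd and shadow lines are constructed, and reading the shadow entry when the passwd field is ‘x’ is an assumption beyond the advisory's wording.

```python
"""List accounts that the PAM 0.76 bug described above would leave open."""

DISABLED_MARKER = "*"        # the marker the advisory names for disabled passwords
EXEMPT_SHELL = "/bin/false"  # the advisory says these accounts are not reachable

# Constructed sample data, not taken from any real system.
SAMPLE_PASSWD = """\
# constructed passwd sample
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
broken:line
"""

SAMPLE_SHADOW = """\
root:$1$constructed$notarealhash:11900:0:99999:7:::
daemon:*:11900:0:99999:7:::
nobody:*:11900:0:99999:7:::
alice:$1$constructed$notarealhash:11900:0:99999:7:::
"""


def parse_colon_file(text, min_fields):
    """Yield field lists from passwd- or shadow-style text, skipping junk lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields


def exposed_accounts(passwd_text, shadow_text=""):
    """Return (user, shell, source) for '*' accounts with a shell other than /bin/false.

    Assumption: a passwd password field of 'x' means the real field lives in
    the shadow file, so the shadow entry is consulted for that user.
    """
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text, 2)}
    findings = []
    for fields in parse_colon_file(passwd_text, 7):
        user, pw_field, shell = fields[0], fields[1], fields[6]
        source = "passwd"
        if pw_field == "x" and user in shadow:
            pw_field, source = shadow[user], "shadow"
        if pw_field == DISABLED_MARKER and shell != EXEMPT_SHELL:
            findings.append((user, shell, source))
    return findings


if __name__ == "__main__":
    for user, shell, source in exposed_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("%-8s shell=%-10s disabled marker found in %s" % (user, shell, source))
```

On a host still running the affected PAM version, every account this reports is worth giving /bin/false as its shell until the fixed package is installed.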


apache

A number of vulnerabilities were discovered in Apache versions prior to 1.3.27. The first is regarding the use of shared memory (SHM) in Apache. An attacker who is able to execute code as the UID of the webserver (typically “apache”) is able to send arbitrary processes a USR1 signal as root.

Using this vulnerability, the attacker can also cause the Apache process to continuously spawn more child processes, thus causing a local DoS. Another vulnerability was discovered by Matthew Murphy regarding a cross site scripting vulnerability in the standard 404 error page. Finally, some buffer overflows were found in the “ab” benchmark program that is included with Apache. All of these vulnerabilities were fixed in Apache 1.3.27. ■

Mandrake reference MDKSA-2002:068

HylaFAX

HylaFAX is a client-server architecture for receiving and sending facsimiles. The logging function of faxgetty prior to version 4.1.3 was vulnerable to a format string bug when handling the TSI value of a received facsimile. This bug could be used to trigger a denial-of-service attack or to execute arbitrary code remotely.

Another bug in faxgetty, a buffer overflow, can be abused by a remote attacker by sending a large line of image data to execute arbitrary commands too. Several format string bugs in local helper applications were fixed too. These bugs cannot be exploited to gain higher privileges on a system running SuSE Linux because of the absence of setuid bits. The hylafax package is not installed by default. A temporary fix is not known. Please download the update package for your distribution. Then, install the package using the usual rpm command “rpm -Fhv file.rpm” to apply the update. ■

SuSE reference SuSE-SA:2002:035

drakconf

Errors were discovered in the Mandrake Control Center that prevent any users using the nl_NL, sl, and zh_CN locales from starting the program. The error generated would be shown as “cannot call set_active on undefined values” on line 423. ■

Mandrake reference MDKA-2002:012

Since Heartbeat is running with root privilege, this problem can possibly be exploited by remote attackers, provided they are able to send packets to the UDP port Heartbeat is listening on (port 694 by default).

Vulnerable versions of Heartbeat are included in SuSE Linux 8.0 and SuSE Linux 8.1. As a workaround, make sure that your firewall blocks all traffic to the Heartbeat UDP port. ■

SuSE reference SuSE-SA:2002:037

tar

A directory traversal vulnerability was discovered in GNU tar version 1.13.25 and earlier that allows attackers to overwrite arbitrary files during extraction of the archive by using a “..” (dot dot) in an extracted filename. ■

Mandrake reference MDKSA-2002:066
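The GNU tar directory traversal described above (MDKSA-2002:066) can be caught by inspecting member names before anything is extracted. The following is an added example, not code from the advisory or from GNU tar: it audits an archive for names containing a “..” component and, going one step beyond the advisory, for absolute paths. The function names and the in-memory sample archive are constructed for illustration.

```python
"""Pre-extraction check for '..' components and absolute member names in a
tar archive. The archive is built in memory from constructed names and
nothing is ever extracted."""
import io
import tarfile
from typing import List, Optional, Sequence, Tuple

# Constructed member names: two benign, three that would leave the target dir.
SAMPLE_NAMES = [
    "docs/readme.txt",
    "../../etc/cron.d/job",
    "/tmp/abs.txt",
    "docs/../../escape.txt",
    "notes..txt",            # dots inside a filename are harmless
]


def build_sample_archive(names: Sequence[str] = SAMPLE_NAMES) -> bytes:
    """Create an uncompressed tar archive holding one small file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_problem(name: str) -> Optional[str]:
    """Return why a member name is unsafe to extract, or None if it is fine."""
    if name.startswith("/"):
        return "absolute path"
    # Compare whole path components so that 'notes..txt' is not flagged.
    if ".." in name.split("/"):
        return "'..' path component"
    return None


def audit_archive(archive: bytes) -> List[Tuple[str, str]]:
    """List (member name, reason) for every member that should not be extracted."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar:
            reason = member_problem(member.name)
            if reason:
                findings.append((member.name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit_archive(build_sample_archive()):
        print(f"refuse to extract {name!r}: {reason}")
```

An archive with any finding is best rejected as a whole rather than extracted with the flagged members skipped.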

NEWS Kernel


Zack’s Kernel News

INFO

The Kernel Mailing List comprises the core of Linux development activities. Traffic volumes are immense and keeping up to date with the entire scope of development is a virtually impossible task for one person. One of the few brave souls that take on this impossible task is Zack Brown. Our regular monthly column keeps you up to date on the latest decisions and discussions, selected and summarized by Zack. Zack has been publishing a weekly digest, the Kernel Traffic Mailing List, for several years now; reading just the digest is a time consuming task. Linux Magazine now provides you with the quintessence of Linux Kernel activities straight from the horse’s mouth.

Hyperthreading

Recently, there has been a big push to support hyperthreading in 2.4 and 2.5 kernels. Hyperthreading is a bit like the opposite of Symmetric Multiprocessing. Instead of using multiple CPUs as one, hyperthreading treats a single CPU as many, with some interesting performance boosts.

Currently the only processor that officially supports hyperthreading is the Pentium 4 XEON, but it is rumored that other P4s can turn on hyperthreading in their BIOS.

Hyperthreading made its first appearance in the Linux kernel in November of 2001 in kernel 2.4.14, under the name SMT (Symmetric Multithreading). At the time, very few developers knew what to make of it, and there was much speculation. Intel claimed a 30% performance boost under their unreleased, proprietary benchmarks, but this was taken generally with a pinch of salt.

At the time, no available hardware supported hyperthreading. Only when the P4 XEON came out was there a possibility of wide-scale testing and development of this feature.

In recent weeks, many large patches have appeared, and seem to be making their way into the main kernel tree. Ingo Molnar made a big splash with his patch to integrate hyperthreading with his new scheduler code.

One problem with SMP systems is that if more than one OOPS occurs simultaneously, they could overwrite each other, destroying the evidence needed to debug them. David Howells has been working on a patch to force all OOPS output to wait its turn before dumping to the screen. There is still some question as to whether his implementation is quite right; but it seems clear that he is on the right track, and that this code will be a welcome addition to the main tree.

OOPS reports contain essential information about what the system was doing just before a crash. When decoded by the ksymoops program, an OOPS can provide developers with a valuable clue in the hunting down and fixing of an elusive bug.

There are a number of problems with trying to capture OOPSes, and developers are always trying to expand their possible options. The main problem is that the system has crashed, and so there are only a limited number of behaviors that can be counted on. The OOPS code must do its best to generate a useful OOPS report in an environment in which much of the system may not be operational. There have previously been patches to dump OOPS output to a file, to send it over a serial port or even across the network; now there are patches to deal with multiple simultaneous OOPSes. ■

User mode Linux in kernels

Jeff Dike’s User-Mode Linux has finally made it into the official 2.5 kernel tree. UML is a patch to allow the Linux kernel to run as a user process, creating one or more virtual computers running simultaneously on a given system. UML recently became self-hosting, meaning that users may run UML from within a running UML process. Kernel version 2.5.35 is the first to contain the fully incorporated UML patch.

There are many uses for this feature. Because UML is a user process, it now becomes possible to test each new kernel version as a UML invocation, without the risk of crashing the whole system. This saves the developers time that would otherwise be wasted by having to reboot the computer system after each failed test.

Another use for UML is in clustering. It has long been recognized by top developers that extending SMP to more than a few processors will result in tremendous complexity of the kernel’s locking mechanisms. To avoid this, a number of alternatives have been actively pursued for some time.

One is the idea of SMP clusters, widely promoted by Larry McVoy; another is that UML may be a natural way to bridge multiple systems. Jeff has reported some success with his initial experiments, but the final direction of Linux clustering beyond SMP remains to be seen. ■

Replacement for TCP

Linux 2.5 will soon support SCTP (Stream Control Transmission Protocol), a general purpose networking protocol that attempts to solve some problems encountered with standard TCP (Transmission Control Protocol). David S. Miller recently promised to merge the existing SCTP patch into the main kernel source tree.

There are several reasons why users have been looking for a replacement for TCP. While TCP controls the order of data transmission, some applications that do not require strict data ordering must suffer unnecessary delays as TCP blocks to ensure proper ordering. In addition, TCP is more vulnerable to denial-of-service (DoS) style attacks. SCTP attempts to answer these and some other drawbacks.

SCTP was originally developed by the IETF (Internet Engineering Task Force) SIGTRAN (signal transport) working group to transport SS7 (Signalling System 7) over IP, but it may also be used as a general purpose protocol. ■

XFS journaling filesystem

The journaled filesystem XFS has finally made it into the official 2.5 kernel tree. This has been a controversial project, with many folks arguing for XFS inclusion for a long time, and others saying the code was not ready yet. Kernel 2.5.36 is the first to contain XFS. SGI has been the main developer of XFS, and has been pushing for inclusion in the main tree for some time. Linux distributions such as Mandrake, SuSE and Slackware have come bundled with the XFS patch for some time as well.

Linus Torvalds had refused to do the merge in the official tree because he felt there were certain implementation details that would have a negative impact on the rest of the system, and he wanted SGI to fix those details before he’d accept their patch. Ext3, ReiserFS, and JFS (from IBM) are examples of other journaling filesystems that have previously been accepted into the main kernel tree.

Journaling filesystems track all disk writes, and make sure that the filesystem is never in an inconsistent state. This means that a system crash will not require running fsck to bring the filesystem back into a usable state. Assuming all user data has been synchronized to disk, it is possible, with a journaling filesystem, to turn off the power without fear of losing data.

While the ext2 filesystem remains the default on most Linux systems, it is only a matter of time before a journaling filesystem supplants it. ■

khttpd webserver is out

The controversial khttpd web server has been removed from the 2.5 kernel tree. Khttpd was written in response to the 1999 Mindcraft benchmarks that showed MS Windows serving web pages faster than Linux under certain conditions.

Although most Linux developers dismissed the benchmark as highly slanted, they were forced to admit that under the conditions of the test, MS Windows did out-perform Linux. To counter this, Linus Torvalds accepted the khttpd web server into the main kernel tree. This caused much violent protest, as a web server does not properly belong in kernel space.

Linus felt that it was important to beat the Mindcraft benchmark, however, and so the patch stayed. In recent months, however, a new user-space web server, Tux2, has consistently out-performed khttpd, making khttpd’s presence in the kernel superfluous. Khttpd has also been unmaintained for some time, making the decision to eventually remove it somewhat easier.

Unfortunately, Tux2 is plagued by intellectual property disputes that no one seems inclined to fight over. Among other things, these disputes prevent the Tux2 web server from replacing khttpd in the kernel.

Some may argue that this is not a bad thing, but the fact remains that there are still many open questions surrounding a viable Linux webserver. One thing is certain: khttpd is gone. ■

Netware filesystem sold to the Canopy Group

Timpanogas, a long-time contributor to the Linux kernel, has sold its intellectual property, including the Netware Filesystem, to the Canopy Group. Jeff V. Merkey, head of Timpanogas, would not specify which Timpanogas Linux project, if any, would continue under the new management.

Jeff and his company have been fairly controversial since they first became involved in Linux kernel development years ago. For a long time Jeff was regarded by many as something of a crackpot, but he managed to gain some measure of recognition for his technical skill and his ability to gain useful information from recalcitrant companies.

Andre Hedrick, the Linux kernel IDE maintainer, worked for him briefly at Timpanogas, but left after an apparent falling out between them.

The Canopy Group appears to be some sort of incubator of open source and Internet infrastructure companies. Their list of companies includes Linux Networx and Trolltech. It remains unclear how the Canopy Group intends to make use of the Timpanogas intellectual property. ■


Focus on Wireless Networking

Wireless LANs

There is an alternative to drilling holes in walls, fitting hundreds of yards of cable duct and crimping network cables: Wireless networks can be set up to connect desktops and laptops throughout the whole house to the internet without all that expensive building work. BY DANIEL COOPER AND BENEDIKT HEINZ

Hannes Keller, visipix.com

If you are looking for stress and drill free networking, wireless LAN is the magic word. Insert a few cards, set up a couple of access points and your network is up and running – no need to ask the landlord or the owners’ committee. Whether you need to cover just your own flat or the whole floor, bridge the network to the house next door, or even to the corner of the street, the range will depend on your location, aerial, the data rate, and frequency – page 19 and the following pages will give you an overview of the current standards, interoperability issues, and potential gains.

Setting up a wireless LAN for Linux is not as easy as one might wish. Manufacturers fail to provide driver support, and there are no Linux based administration tools for access points or access routers. It is a familiar scenario – the community once again has to produce drivers with little help from the industry. Refer to the article starting on page 25 for details on the driver requirements for your cards and tips on the installation procedures.

Page 21 provides details on a few select WLAN components for which we were able to locate Linux drivers, or that provide browser based configuration facilities. This section also features a global first, a combination of network storage, 4 port switch, wireless access point and DSL router.

The main problem with wireless networks is the fact that they are so easy to sniff. An experienced hacker may need only a few minutes to crack the hardware based encryption facilities. This prompted us to include a step-by-step guide to secure communications in wireless LANs (page 28) with tips on protecting yourself against attacks. ■

Cover Story

Technology Review (page 19): Read all about the wireless protocols and technologies involved.

Wireless LAN Hardware (page 21): If you want to know what the requirements for a wireless LAN are, then read on.

Wireless Drivers (page 25): A guide to the configuration work you need to get a wireless LAN card up and running.

OpenVPN (page 28): Use an encrypted tunnel to protect your data and provide a secure solution.

Wireless Networking

The Wireless Jungle

Wireless data communication comes in all shapes and sizes – some of the technologies are over a hundred years old. Read on to learn all about the protocols and technologies involved. BY HOLGER LUBITZ

Wireless data transmission is certainly nothing new. The first morse code was exchanged between two stations at the end of the 18th century, and morse code is generally regarded as the oldest known data encoding technique. Although at the time usage was restricted by fragile technology and immense running costs, which meant that the technological potential was exploited mainly for military purposes, today’s inexpensive equipment makes wireless communications a real prospect for home use.

Although a few years have passed since wireless LANs were introduced to the consumer market, the race for an exclusive standard is still on, with various technologies competing for custom and bandwidth. While Bluetooth has more or less established its position as a kind of wireless USB, with low transmitting power, range, and bandwidth, with some careful planning “real” WLAN solutions can be used to cover greater distances and are approaching the bandwidths normally expected in wired environments.

Wireless – but how?

The advantages of wireless solutions are self-evident – no need to install wiring, laptops can access the network directly, wherever they are. The disadvantages are not quite as obvious: Wiring allows exclusive communication between the nodes on a network, but wireless solutions need to take other users of the same frequency into consideration. That means not only unintentional WLAN disruptions due to other users in the same waveband, but also intentional misuse of the WLAN by outsiders. The current encryption services are easily exploited, and if you do not enable encryption at all, the network is available to anyone within range.

License-free radio transmissions are only possible within the so-called ISM wavebands (Industrial, Scientific, Medical). The ISM frequencies 900 MHz, 2.4 GHz and 5 GHz are relevant to our discussion. The 900 MHz waveband would provide the best range due to its comparatively low frequency, however, it is not commonly available for use, having already been assigned to mobile radio communications in Europe. There are very few products available, as mobile telephones dominate this frequency range in the USA.

The higher the frequency, the worse the propagation characteristics of an electromagnetic wave. Although you do not explicitly need visibility between two nodes at WLAN frequencies, even thin internal walls can subject the GHz frequencies to noticeable attenuation. Theoretical ranges of several hundred meters thus tend to drop to 20 or 30 meters if walls or other obstacles are in the way. However, distances of up to 50 km can be bridged using directive antennas and avoiding obstructions.

You will need to pay attention to the physical environment when positioning your access points – an access point in the cellar will not be much use to you if you are on the second or third floor, especially if reinforced concrete was used for flooring. Instead, you might prefer to look for a position in the center of your house or apartment, even if this means some additional wiring to reach this point. If you intend to use the wireless LAN in the open, you should position your access point on the roof or in a window to provide maximum range. Access points are normally configured to be omnidirectional – that is they transmit in every direction. However, you can use special antennas to provide a directive element, although you might prefer to have this work done by a specialist who has access to the measuring equipment required to achieve maximum performance. If you are the do-it-yourself type, you should at least make sure that the cable used to attach the antenna is as short as possible.

Standards

The 802.11 protocol family has been standardized by the IEEE, the Institute of Electrical and Electronics Engineers (say: “i triple e”). The original 802.11 standard that dates back to 1997 can be regarded as a predecessor to today’s WLANs. It envisaged data transfer rates of 1 or 2 Mbit/s in the 2.4 GHz frequency range, and replaced many of the older proprietary technologies.

However, as wired networks were still a lot quicker, the market demanded higher data transfer rates and got them – although this meant a return to proprietary solutions. To avoid uncontrolled developments, two new standards, 802.11a and 802.11b, were introduced in September 1999.

Products based on 802.11b work in the same waveband as 802.11, but use a different modulation technique to achieve data transfer rates between 5.5 and 11 Mbit/s. But where the USA allows a maximum transmitter power of 1 watt, a restriction of 100 milliwatts applies in Europe – that is enough for LANs, but fairly ineffective if you need to bridge greater distances.

There was some delay before the first products for 802.11a were introduced. This standard means an excursion to the 5 GHz frequency range (5.15-5.35 and 5.725-5.825 GHz). But again, only the USA allowed the use of this range for wireless LANs. ETSI, the standards body responsible for Europe, had instead reserved this range for the HiperLan and HiperLan/2 (High Performance LAN) technologies. These frequencies had already been assigned in many national frequency usage plans and had to be reassigned. Market restrictions and low demand meant that the first 802.11a products did not have any noticeable impact on the market until this year.

Bandwidth for the Masses

Some European countries have started to liberalize the market for 802.11a products. In Germany, the Regulating Authority for Telecommunications and Post (RegTP – similar to the RA in the UK) now permits use of the 5150-5350 and 5470-5725 MHz frequency ranges, without explicitly restricting these wavebands to a specific technical standard. However, transmitter power is restricted to 200 milliwatts at the lower end of the scale (indoors) and to 1 watt at the higher end of the scale (including outdoor use). Although HiperLan/2 does offer lower latency as a wireless ATM, and has superior facilities for guaranteed bandwidth, the protocol overheads are too high for use in pure IP environments. Also, it is cheaper to produce hardware for 802.11a than for HiperLan/2.

The bandwidth available in the 5 GHz waveband allows for a larger number of independent channels, and OFDM modulation permits higher data transfer rates. 802.11a provides eight different data rates between 6 and 54 Mbit/s depending on reception quality. The disadvantage is that the higher frequency means a shorter range and consequently a higher concentration of access points. This concentration increases if you intend to use all the available channels, as you will need to resort to lower powered antennae in this case. However, research indicates an approximately 300% improvement in bandwidth for 802.11a installations compared to 802.11b.

The 802.11g standard is new and has not yet been ratified. It envisages a combination of the old 2.4 GHz waveband with OFDM (which was not permissible in the original standard), and is thus capable of achieving up to 54 Mbit/s, although the restriction to three independent channels still applies. If multiple users require improved data transfer rates, 802.11a still seems to be the better solution. But 802.11g comes into its own when individual nodes in an existing 802.11b installation require increased performance. It might make sense to combine both technologies – look out for dual band access points that support both standards.

One further advantage of 802.11a is the fact that the 5 GHz waveband has not noticeably been occupied by other products, so far. 2.4 GHz standards can expect interference from Bluetooth, and even microwave ovens, that transmissions in the 5 GHz waveband are not currently subject to.

The proprietary protocols of the early days continue to lose ground. One notable example is OpenAir by Proxim that goes back to pre-802.11 days. OpenAir uses a frequency hopping protocol and simple modulation techniques to achieve data transfer rates between 0.8 and 1.6 Mbit/s. Cheap to implement, but the performance could hardly be described as earth shattering.

HomeRF by Diamond is also aimed at providing low-cost hardware, but has lost out to 802.11b with far inferior performance at only slightly lower prices in the States with virtually no impact on the European market.

Interference

As previously mentioned, the frequency ranges are available for public use, and interference due to microwaves is commonplace in the 2.4 GHz waveband. WLAN cards thus implement various error avoidance and correction techniques to guarantee error free transmission despite interference.

A WLAN card does not transmit at a fixed frequency, instead using multiple wavelengths or continually changing frequency within a waveband. This technique, referred to as spread spectrum, allows the transmitter to avoid frequency ranges suffering from interference, or at least mitigate the effect. There are two variants: Direct sequence modulates the data with a high frequency code. This requires more bandwidth but makes it easier to filter out interference in individual ranges when the same code is used to demodulate the transmission. Frequency hopping divides a waveband into multiple narrow channels and switches channels continually. If there is interference on one channel, you would not normally expect similar interference when hopping to the next channel.

Error correction takes care of any remaining mistakes. Although there are numerous error correcting encoding procedures, they are inefficient within the context of wireless transmissions. Instead error recognition is the key, and defective packets are simply re-transmitted. Of course this will have a noticeable effect on the available bandwidth if a large number of errors occurs. The bandwidths quoted for WLAN products should thus be understood as referring to the maximum gross bandwidth in perfect conditions – practical experience shows that these values are almost impossible to achieve.

The Future

IEEE 802.11b is the de facto standard for today’s wireless networks, although the next few years may see it being replaced by 802.11a at 54 Mbit/s – the equipment is already on the manufacturers’ shelves. However, the introduction of 802.11x should prove to be a more significant innovation for home users. This means devices that adhere to the 11 Mbit/s 802.11b standard but provide far superior encryption than WEP-128. Expect the first generation of equipment at the end of this year. ■

Stepping Up to a Wireless LAN

A LAN Solution for Major Tom

It is so practical to be able to use laptops all over the house without a tangle of cables, or simply not needing to wire up your children’s bedroom to get them on the net. If you want to know what the requirements for a wireless LAN are, read on. BY DANIEL COOPER

NASA

There are two basic methods of implementing wireless networks based on IEEE 802.11: Ad hoc mode means that the computers will communicate directly, but they must be able to talk to each other constantly to avoid disruptions. You can connect a maximum of 16 computers in this way. The hardware requirements are also quite simple – in fact you only need a WLAN card in each computer.

In access point mode (AP mode), also referred to as a managed infrastructure, one or more access points are used as hubs: The wireless computers transmit data to the access point which in turn will relay the data to the intended recipient. This means that the computers only need to connect to the next access point to log on to the wireless LAN. The access point assumes a role similar to that of an Ethernet switch. Only a couple of years ago access points really could not do anything more fancy than moving data from one WLAN card to another, but now there are devices with integrated network ports, Ethernet switches, or even DSL routers.

Attenuation

You will need to invest a lot more money in hardware to implement an AP network in comparison to an ad hoc network. Of course, each wireless host will still need a WLAN card, but you have the added expense of an access point or access router. For large houses, or houses that are well screened, you may even require multiple access points.

The farther two WLAN computers are apart and the more walls or buildings there are in the way, the poorer and slower the connection will be – until it finally collapses. Even the temperature, humidity, and the weather can affect the connection quality. And so any statement on possible distances would be inconclusive, and this led to our decision to avoid this area. As a basic guideline, access points should be mounted in a high and unobstructed position in the middle of the area you intend them to service.

Illusions of Security

Basically anybody in the proximity of your premises can sniff your wireless LAN, and even log on to your network.

The WEP (Wireless Equivalent Privacy) encryption standard was thus introduced to prevent misuse. Originally, a 40 bit key (WEP-40) was used, although today’s devices nearly all use 128 bit (WEP-128) keys. However, WEP-128 uses 24 bits for the so-called initialization vector (IV), which is simply incremented for each packet, and that leaves only 104 bits for the secret key.

That does not mean you should disable WEP-128 – at least it will keep the script kiddies at bay. Choose your key carefully – the sequence should be randomly generated, if possible. You will need 13 bytes (104 bits) for WEP-128. You will definitely want to avoid using a password for a Windows client as your WEP key. The password is not used directly but truncated to 24 bits in the case of WEP-40, which corresponds to a mere 16.8 million combinations. Considering the fact that a laptop with a 1 GHz CPU can try out about 170,000 keys per second, you do not need to be a genius to work out that your network will be compromised in a matter of minutes. It is preferable to generate the 40 or 104 bits randomly. The following call will provide you with 14 bytes in hexadecimal notation. Now all you need to do is choose 13 of them and use them as your WEP-128 key:

dd if=/dev/urandom bs=14 count=1 | hexdump | cut -c 9-
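The key advice above can be turned into a small generator and checker. The following is an added example, not code from the article: it draws exactly 5 or 13 random bytes for the secret part of the key, flags keys that look like typed passwords, and works through the article's own figures of 24 bits and 170,000 keys per second. The function names and the sample keys are constructed for illustration.

```python
"""Generate and sanity-check the secret part of a WEP key. The rate of
170,000 keys per second and the 24-bit keyspace are the article's numbers;
everything else here is constructed for illustration."""
import secrets
from typing import List

SECRET_BYTES = {"WEP-40": 5, "WEP-128": 13}   # 40 and 104 secret bits
KEYS_PER_SECOND = 170_000                     # article's figure for a 1 GHz laptop


def generate_key(standard: str = "WEP-128") -> str:
    """Return a random secret key as hex digits, exactly the length required."""
    if standard not in SECRET_BYTES:
        raise ValueError(f"unknown standard: {standard}")
    return secrets.token_bytes(SECRET_BYTES[standard]).hex()


def audit_key(key_hex: str) -> List[str]:
    """Return reasons a key is a poor choice; an empty list means none found."""
    digits = key_hex.replace(":", "").replace("-", "").lower()
    try:
        raw = bytes.fromhex(digits)
    except ValueError:
        return ["not a hexadecimal string"]
    findings = []
    if len(raw) not in SECRET_BYTES.values():
        findings.append("length is not 5 or 13 bytes")
    # A key typed as text only ever uses the printable ASCII range.
    if raw and all(0x20 <= b <= 0x7E for b in raw):
        findings.append("all bytes are printable ASCII (looks like a password)")
    if raw and len(set(raw)) == 1:
        findings.append("a single byte value repeated")
    return findings


def seconds_to_exhaust(bits: int, rate: int = KEYS_PER_SECOND) -> float:
    """Time to try every key in a keyspace of the given size at the given rate."""
    return (2 ** bits) / rate


if __name__ == "__main__":
    print("WEP-128 secret key:", generate_key("WEP-128"))
    print("WEP-40 secret key: ", generate_key("WEP-40"))
    # Constructed example of a password typed in as the key ("secretpasswor").
    typed = "73:65:63:72:65:74:70:61:73:73:77:6f:72"
    print("typed key findings:", audit_key(typed))
    print("24-bit keyspace at 170,000 keys/s: %.0f seconds" % seconds_to_exhaust(24))
```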

Control Mechanisms

If you want to set up another hurdle for the attacker to take, you can implement an access control list (ACL) on your access point – in our test, the only box offering this feature was the Tellus TWL-R410. This would mean that instead of any card being allowed access, only the hardware addresses (MAC addresses) in the list are allowed to log on to the access point.

Unfortunately, this mechanism is also relatively simple to sidestep, as some card drivers (albeit only via patches in some cases) allow you to edit the MAC address of the card. The attacker only needs to sniff the address of a card with access privileges and spoof that card’s MAC address.

We tested a selection of today’s wireless LAN products. You can refer to the article “Driver Safari” on page 19 for a description of installing the drivers and details on the configuration of the cards in our test.

Actiontec Wireless USBAdapter 802UI3The Wireless USB Adapter by Actiontecis particularly useful for desktops orservers. It saves you sacrificing a valuable PCI slot for the adapter youwould otherwise require to run laptopcards on your desktop, and even thenthe position of the wireless LAN card –i.e. under your desk or somewhere in thecorner – would not be ideal.

You can use a USB extension lead toattach Actiontec’s USB adapter at a distance of up to six meters from the lastUSB hub and even wall-mount theadapter using the brackets supplied. Ifyou do not feel like drilling holes in thewall, you can always use the sticky padsthat complete the package.

The USB adapter is the same size as astandard PC extension card, about onecentimeter high and is attached to theUSB port by means of a special lead. Thedevice speaks IEEE 802.11b, uses 128 bitencryption and requires the prism2_usbmodule from the “Next-Generation” driver package (see page 19).

There is one issue with the USB adapter: If you remove the prism2_usb module without removing usbcore, and then detach the USB adapter, you can expect your kernel to crash. You should also avoid unloading the prism2_usb module and reloading it without reloading usbcore. Practically speaking this means first detaching the device itself, and then removing the drivers – although this is the opposite of what you would normally do.

This driver quirk is no big deal in a static environment as you will not be detaching the USB adapter regularly. The “Driver Safari” on page 19 describes how to add the Actiontec Wireless Adapter to your boot scripts without risking any kernel lockups.

At around £71 the Actiontec wireless USB adapter is cheaper than the price of most other laptop WLAN cards with a PCI adapter, but it is far more flexible for both desktop or server use, because of the USB connectivity. That is why this product gets the Editor’s choice award.

D-Link DWL-500 PCI Adapter (Elito-Epox EWL-PCA)

If you want to use a WLAN laptop card in a normal PC, you need a PC card adapter for the PCI bus. The answer is to add a typical laptop CardBus controller – in the case of the DWL-500 by D-Link (around £115) that means the Ricoh RL5c475. Running this device on Linux is simple, as the PCMCIA Card Services support almost all the known chipsets of the WLAN cards.

If you have not already installed the pcmcia package, you will need to do so. There are no further configuration steps, as any cards inserted (wireless LAN, or a compact flash module on an adapter card) are recognized and configured by your laptop.

However, do not be surprised when you install your next Linux distribution – Linux will assume that your computer is a notebook, if a CardBus controller is detected, and this can cause SuSE to install a modified KDE desktop with a battery display.


3Com X-Jack Wireless LAN Card

The 3Com 3CRWE62092A Wireless LAN Card with X-Jack antenna is the smallest competitor in our test. The retractable antenna is this card’s strong point. This makes the 3Com X-Jack, as the card is normally referred to despite the complex model code, just the same size as a standard Type II card.

The X-Jack supports IEEE 802.11b with 128 bit encryption, just like the other candidates in our test.

The advantage is self-evident: You do not need to remove the card while transporting your laptop in a bag or case – on the contrary, the card will still work with the antenna retracted, although reception may be poor in this position.

Take care not to bend the antenna when retracting it – only the outside edges of the card lid have been smoothed, the inside edges are razor-sharp and shave the plastic coating off the antenna. You can plainly see the plastic shavings and cuts in Figure 1.

Figure 1: Cigar cutter included: The upper and lower halves of the lid are so sharp that they strip the plastic coating off the antenna – you can plainly see the plastic shavings and cuts

The 3Com card uses the Poldhu chipset – the driver installation is detailed on page 19. The WLAN card costs somewhere in the region of £100, depending on your dealer, so do your homework before you buy – but that still makes it 20 percent more expensive than its competitors. The extremely practical (and patented) antenna makes this card stand out from the field and is a must for notebooks in daily use. And that’s why the 3Com product also gets the Editor’s choice award.

Linksys WPC11

The Linksys WPC11 card is based on the Prism 3 chipset, which requires the “Next Generation” driver package. Installing the card was no problem. The Linksys was also the only card in the test with two LEDs on top, one for the transmit and a second LED for the link status. If you are working in access point mode, the LED flashes on and off to indicate that the access point is out of range. The Linksys is a solid workhorse and the price, £70, is reasonable.

ZcoMax AirRunner XL325H

The AirRunner from ZcoMax is based on the Intersil Prism 2.5 chipset and as such requires the use of “Next-Generation” drivers, with the option for an additional antenna. We found this a good quality build product. The transmit power was a respectable 100mW although the XL325HP is reported to be 200mW. The external antenna connected via one of the reverse MMCX sockets. Again there are two LEDs, for power and transmit. Cost: £90.

Tellus TWL-R410 Wireless AP SOHO Router (Elito-Epox EWL-R410)

The TWL-R410 by Tellus is a combined DSL router, 4 port switch, wireless access point and modem interface. The device, which costs over £200, allows you to attach a laptop with a wireless card to the Internet via DSL and/or external modem. The TWL-R410’s network ports allow you to attach up to four computers or network printers, and depending on the configuration, the access router can be used for seamless access from the wireless to the wired LAN – or it can be used to masquerade easily between the two environments.

The TWL-R410 is easy to configure via the Web frontend provided (Figure 2). One interesting feature is the fact that you can attach a serial modem, besides DSL or network access, thus permitting Internet access if the DSL link fails.

The access router can be secured via a list of permitted or denied hardware addresses and by means of 128 bit encryption.

Of course hardware addresses can always be spoofed, but at least it is an additional hurdle for the attacker to take.

The Tellus TWL-R410 seems to be an extremely well-engineered product. We particularly liked the idea of using an external modem as a backup line for a DSL connection – without the administrator needing to get involved, of course.


INFO

Howtos and drivers: http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux
Actiontec cards: http://www.actiontec.com/UK/
D-Link PCI Adapter: http://www.mobtech.co.uk/ecbmob/itm00959.htm
3Com XJack card: http://www.dabs.com/3com/3com.asp?s=404
Linksys card: http://www.dabs.com/linksys/linksys.asp
ZcoMax card: http://www.zcomax.co.uk
Tellus Router: http://www.uk2.21store.com
NAS router: http://www.iei.com.tw and http://www.nasgenie.com

Figure 2: The Web frontend for Tellus’ TWL-R410 provides access to a wide range of settings, without being too cluttered

Figure 3: The Web frontend for the NAS-101RW is well-structured. If configured correctly, this allrounder can completely replace a server

IEI NAS-101RW Wireless NAS Access Router

Shortly before this issue went to print, a brand-new product arrived at our offices, IEI Electronics’ NAS-101RW. This device can do more or less everything apart from making the coffee and sandwiches: It is at the same time a 4 port switch, a wireless access point, a DSL router, a network bridge, and a network storage device, and has a small footprint to boot. In other words, the NAS-101RW can assume the role of a server in a small network.

A Web frontend (Figure 3) is supplied for configuration tasks, just like the Elito-Epox EWL-R410. You can either answer ten questions, or take a more modular approach via a complex menu. The front panel contains a display and various buttons that allow you to query the device’s status and perform simple network configuration tasks.

The network drive can be assigned to various user groups, Windows clients, Macs, Novell and of course Linux clients via NFS, HTTP, and FTP.

The NAS-101RW even provides a complete user management module – by the way, a look inside the router revealed an Embedded Linux system.

Unfortunately, the NAS-101RW’s only protection against attackers is 128 bit encryption – a list of permitted hardware addresses is sadly lacking. However, access to the Web frontend is not as permissive as the R410 router by Elito-Epox – you need a password for more or less everything.

We appreciated the ease of configuration and the intuitive frontend provided by the NAS-101RW. The price (over £650) and the two fans were less to our liking. But still, the NAS-101RW is a viable alternative to providing support for a traditional server in small network environments.

Conclusion

Today’s wireless LANs come in all shapes and sizes. Purchasing prices range from £150, for two simple WLAN cards, to £1000 for an access point with network drives and a handful of WLAN cards. You can take an easy entry approach to wireless networking – start off with two WLAN cards, one in your desktop and the other in your notebook, and then add access points or access routers as your budget allows, until all your computers are on the wireless LAN. Standardizing on the IEEE 802.11b protocol should ensure that wireless LAN devices will have no problem talking to one another now or in the future. ■


It would seem that the major Linux distributors have never heard of wireless networks. Nobody is currently offering configuration or setup programs, not to mention actually recognizing wireless LAN cards during the installation procedure.

Driver support is in a sorry state, too, with SuSE restricted to the PCMCIA Card Services ([1]) and the PCMCIA and PC cards included in the 2.4.18 kernel. Unfortunately, the drivers do not support common chipsets such as Prism 2.5 or 3, and even 3Com cards normally require updated drivers. Enter the driver safari across your system and back, if you want to use a current card.

Drivers for the 3Com X-Jack

The Poldhu chipset, which is used for the 3Com X-Jack card (amongst others) requires a separate driver, which is available from [2], although it only runs on the new 2.4 version of the Linux kernel. As is the case for Next-Generation modules, you will need the sources for the current kernel, although you can do without the sources for the PCMCIA Card Services.

After expanding the package, launch the ./Configure program (with a capital C for a change). You are then prompted for the kernel and module directories, as well as the configuration directory for the PCMCIA Card Services.

You can use the default options in most cases. You can then type make all and make install to compile the sources. Finally, store the finished modules at the designated locations and copy the newly created configuration file poldhu.conf to /etc/pcmcia.

3Com Configuration

The /etc/pcmcia/wireless.opts file is used to configure the cards – as it is for PCMCIA Card Services drivers. The file assigns values to variables, as in variable=val or variable=“val” and is loaded when the card is inserted.

If you want to use multiple cards, you can restrict a configuration block by referring to the hardware address (MAC address) of a wireless LAN card or series (or part of it). The hardware address (which you can display in hex or other formats by typing ifconfig) is an ID with a length of 6 bytes. The first three or four bytes are usually sufficient to specify the manufacturer and series.


The distributors still have not discovered wireless LAN – most distribution CDs include tried and trusted PCMCIA Card Services. So that means a lot of manual configuration work to get modern wireless LAN cards up and running.

BY DANIEL COOPER

Drivers for Wireless LAN Cards

Driver Safari

COVER STORY: Wireless Drivers


thus providing an actual key length of only 104 bytes.

Next Generation Wireless

You will normally need the “Next Generation” driver package (linux-wlan-ng, [3]) from [4] to operate more recent wireless LAN cards. As most major distributions do not automatically include this package at present, you will probably need to perform a time-consuming manual installation.

We used the current stable version 0.1.14 ([5]) for our test. You will also require the sources for your kernel which will at least need to be set up using make xconfig or make menuconfig.

In SuSE’s case the kernel sources are not the same as the distribution kernel, so that will mean recompiling the kernel in most cases – but don’t expect that to work if you use /boot/vmlinuz.config, the configuration file for the default kernel.

For SuSE 8.0 you will need to enable support for WAN devices (Wide Area Network is located under “Network device support”, “Wan interfaces”), and disable the emulation of other processor architectures (under “Binary emulation of other systems”).

If you have the time and skill, you might like to take this opportunity to modify the kernel to suit your requirements. Type the following to start re-compiling the kernel:

make dep modules modules_install bzlilo

The finished kernel is then automatically installed and launches LILO.

In the case of PC Card (PCMCIA) wireless cards you will definitely require the sources for the PCMCIA Card Services from [6] or the source code package provided by your distributor. Type make config to configure the Card Services and preferably make all to recompile, followed by make install to perform the installation.

After completing these preliminary steps, you can set up the linux-wlan-ng package using make config. You can select drivers for the PCMCIA Card Services, PCI adapters, PCI cards, and USB adapters. The cards discussed in this article require either Card Services drivers or USB adapter drivers. You can accept the defaults for the remaining prompts in the configuration dialog.

Now launch the compiler by typing make all. Unfortunately, there is no single solution if something happens to go wrong. We performed tests with the 2.2.20, 2.4.18 and 2.4.19 kernels, and version 3.1.33 of the Card Services, with PCMCIA support disabled at kernel level. Providing no errors occur on compilation, you can install the modules and configuration files by typing make install. You will then want to call depmod -a.

Card Configuration

Card Services drivers are configured via the /etc/pcmcia/wlan-ng.opts file, any other drivers via /etc/wlan.conf. The format of both files is similar, and both contain variable assignments, just like /etc/pcmcia/wireless.opts. To assign various blocks for different hardware addresses, follow the procedure detailed for the 3Com card. The files are adequately documented, so let’s concentrate on other points.

The configuration files are loaded immediately on inserting or attaching a wireless LAN card. Ensure that the variable WLAN_ENABLE is set to “y” to allow the card to be set up.

The “WEP” section contains the encryption settings. To enable encryption, you will need to set dot11PrivacyInvoked=true, and dot11ExcludeUnencrypted=true, which ensures that your WLAN card will always use encryption.

To enable the 128 bit encryption, and this is strongly recommended even if just in SOHO environments, you need to set PRIV_KEY128=true and enter the key in hexadecimal notation for the dot11WEPDefaultKey0 variable. The key must comprise exactly 13 bytes in hexadecimal notation, as in 01:02:03:04:05:06:07:08:09:0a:0b:0c:0d, for example.

The last three sections allow you to choose the type of network. If you set IS_ADHOC=n, you will need an access point (AP) to connect the wireless computers. To use an access point you will need to enter the name of your SOHO network as the variable DesiredSSID in the “Infrastructure Station Start” section.

Let’s take a look at the hardware address 00:04:DB:A5:72:E0 as an example, where the first three bytes (i.e. 00:04:DB) provide sufficient ID. The configuration block for a card in /etc/pcmcia/wireless.opts starts with the entry “*,*,*,*)”, where the end of the block is terminated by a double semicolon “;;”.

You can copy this block to a position directly below the line with the double semicolon and then edit the upper block: The four comma-separated asterisks match any hardware address of any card, so this block will be executed for any card – unless another block has been processed previously. So let’s change the beginning of the upper block to “*,*,*,00:04:DB*)”, taking care to use capital letters for all of the hexadecimal characters where necessary.

The upper block is now processed for any card whose hardware address starts with 00:04:DB. As a maximum of one block can be processed, the second block will only be used for hardware addresses outside of this range, as a kind of standard configuration. We can now set variables within the blocks.

ESSID contains the name of your wireless LAN – put some careful thought into choosing this name as wireless devices with the same (E)SSID automatically belong to the same network. You might want to use your own phone number or part of your name.

Use MODE to select the operating mode: “Ad hoc” refers to a network without access points that provides a direct connection, “Managed” means that the nodes in the wireless LAN connect to an access point and use the AP as a kind of wireless hub (or switch).

You can use the FREQ variable to set the channel frequency, although – as this is somewhat complex – you will probably prefer to use the CHANNEL variable and simply choose a channel between 1 and 14.
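The block matching described above, as an added example that is not part of the original article: a shell function reproduces the two case blocks, and a helper counts the bytes of a WEP key in either of the two notations the article shows. The ESSIDs, channel choices, function names and the address fields in front of the MAC are assumptions; the MAC prefix and the sample key are the article's.

```shell
#!/bin/sh
# Added example: the block logic of /etc/pcmcia/wireless.opts, wrapped in a
# function so it can be exercised without a card. All values are constructed,
# except the MAC prefix and the sample key, which are the ones from the text.
# The address argument has four comma-separated fields (scheme, socket,
# instance and hardware address in pcmcia-cs); the first matching pattern wins.

wlan_settings() {
    case "$1" in
    *,*,*,00:04:DB*)
        # Upper block: only cards whose MAC starts with 00:04:DB (capitals!)
        ESSID="soho-example"
        MODE="Managed"
        CHANNEL="7"
        KEY="0102-0304-0506-0708-090a-0b0c-0d"
        ;;
    *,*,*,*)
        # Lower block: standard configuration for every other card
        ESSID="fallback-net"
        MODE="Ad hoc"
        CHANNEL="1"
        KEY=""
        ;;
    esac
    printf '%s|%s|%s\n' "$ESSID" "$MODE" "$CHANNEL"
}

# Count the bytes in a WEP key written as hex with ':' or '-' separators.
# Prints the byte count; prints 0 and fails for non-hex or odd-length input.
wep_key_bytes() {
    hex=$(printf '%s' "$1" | tr -d ':-')
    case "$hex" in
        ''|*[!0-9A-Fa-f]*) echo 0; return 1 ;;
    esac
    if [ $(( ${#hex} % 2 )) -ne 0 ]; then
        echo 0
        return 1
    fi
    echo $(( ${#hex} / 2 ))
}

# A "128 bit" WEP key must supply exactly 13 bytes.
is_wep128_key() {
    [ "$(wep_key_bytes "$1")" = "13" ]
}

# Demo with constructed addresses
wlan_settings "default,0,0,00:04:DB:A5:72:E0"   # matches the upper block
wlan_settings "default,0,0,00:04:db:a5:72:e0"   # lowercase MAC: default block
wlan_settings "default,0,0,00:60:1D:00:00:01"   # other card: default block
if is_wep128_key "0102-0304-0506-0708-090a-0b0c-0d"; then
    echo "key has 13 bytes"
else
    echo "key rejected"
fi
```

The lowercase case is the one worth noticing: a MAC written in lowercase silently receives the standard configuration instead of the card-specific block.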

The KEY variable contains the encryption key for WEP as a hexadecimal sequence, such as “0102-0304-0506-0708-090a-0b0c-0d”. If you are implementing 128 bit encryption, you will need to enter 13 bytes of this type – the three “missing” bytes are used for the “Initialization Vector” (IV), which is then used for every packet transmitted,

Ad hoc mode (IS_ADHOC=y) is normally the cheaper variant and allows you to connect up to 16 computers directly without an access point. The disadvantage is that all of these computers need to “talk” to each other, i.e. the two computers furthest apart will still need a direct wireless connection. The network name (SSID) is also used to identify the network in ad hoc mode. You can also use the CHANNEL variable to select one of the 14 available channels. Since the upper channels may be partially occupied by Bluetooth devices, you will want to select channel 7 or lower.

You may need to reduce the data transfer rate (from the maximum 11 Mbit/s) for computers working in ad hoc mode that are some distance apart – the lower the data transfer rate, the greater the maximum transmission distance. You can use the OPRATES variable to define the various transfer rates in units of 500 kbits/s – i.e. 22 means 11 Mbit/s, whereas 2 means a rate of 1 Mbit/s.

Troubleshooting Driver Conflict Issues

The driver packages store a list of all supported PC Card and Wireless chipsets in a separate configuration file under /etc/pcmcia/*.conf. Unfortunately, some contradictory entries may lead to obsolete drivers being loaded on occasions. You can type

grep -e manfid -e version /etc/pcmcia/config /etc/pcmcia/*.conf | sort -k 3,3 -d | less

to sort the entries in the configuration file by manufacturer ID, displaying the filename at the start of each line. If a card does not work properly with the loaded driver, despite it having been correctly recognized and despite apparent support, you should look for duplicates. Just comment out the offending line to quickly find the right entry, but note that the PCMCIA Card Services will need to be relaunched after every change by typing /etc/init.d/pcmcia restart.

Network Configuration

So far, we have concentrated on configuring WLAN cards themselves, and not looked at the network settings, which are defined for all network PC Cards in the centrally held /etc/ppp/network.opts file. As we have seen in the context of /etc/pcmcia/wireless.opts, you can also create blocks for individual cards or models in network.opts by assigning values to variables – follow the same scheme here.

You can leave the INFO variable blank, although a sensible value will not do any harm. If there is a DHCP server on your network, you can set DHCP=“y” to have the card set the required network environment automatically – depending on your server, you may need to set DHCP_HOSTNAME to the domain name for your network.

In case of static IPs, set DHCP=“n”, type an IP address for the card for the IPADDR variable (“192.168.2.2”, for example), then enter the subnet mask NETMASK, and the base address of the network NETWORK (“255.255.255.0” and “192.168.2.0” in our case), finally enter the broadcast address (“192.168.2.255”), and, if required, the IP address of your DSL router or Internet gateway as GATEWAY.

You may not have access to the same name server on your wireless LAN as on a wired Ethernet; in this case you can use the variables DNS_1 through DNS_3 to specify the addresses of the name servers responsible for your wireless network. These variables are set immediately on inserting the wireless LAN card. Any other variables are not of interest for normal network operations.

USB Adapters – a Special Case

In the case of USB adapters, such as the Actiontec Wireless 802UI3 for example, the configuration file /etc/wlan.conf is used for basic device configuration, however, the applicable script, /etc/init.d/wlan, is not automatically launched when you attach or enable the wireless device.

There is an easy workaround for this issue, if you change the order of the boot scripts in /etc/init.d. For SuSE 7.3 this means renaming the symbolic links S06hotplug to S05hotplug and K17hotplug to K18hotplug, and also renaming S05network to S06network and K18network to K17network – all of which can be found in the /etc/init.d/rc3.d and /etc/init.d/rc5.d directories. You will also need to create two new links by typing ln -s ../wlan S05wlan and ln -s ../wlan K17wlan in both directories. This ensures that the network configuration is launched after loading the USB Hotplug Manager and the WLAN setup – i.e. the wireless adapter is configured just like any other network device via the distribution tools, the only difference being that the wireless adapter is called “wlan0” instead of “eth0”. The order is reversed when you shut down the system; first switch off the network, and then unload USB. You also need to add the line alias wlan0 prism2_usb to the file /etc/modules.conf. We would also recommend adding the sleep 1 command to line 2 of the /etc/init.d/wlan file.

The USB Hotplug Manager had not completely initialized on our test system, and so this led to the driver setup for the WLAN failing. We found that this issue was successfully resolved by adding the sleep command.

Future

Setting up wireless LAN is a task that involves a lot of manual steps at present, as none of the major distributors provides the required modules or even configuration tools for the job in hand – and that can be a big issue for newbies. We can only hope that future distributions will be better equipped, and not simply continue to ignore wireless LANs. ■


INFO

[1] PCMCIA Card Services Homepage: http://pcmcia-cs.sourceforge.net
[2] Poldhu Driver 0.1.12 for 3Com X-Jack: http://www.xs4all.net/~bvermeul/swallow/poldhu-0.2.12.tar.gz
[3] Linux WLAN Project: http://www.linux-wlan.org
[4] “Next Generation” Driver Packages: ftp://ftp.linux-wlan.org/pub/linux-wlan-ng
[5] linux-wlan-ng-0.1.14 Driver Package: ftp://ftp.linux-wlan.org/pub/linux-wlan-ng/linux-wlan-ng-0.1.14.tar.gz
[6] PCMCIA Card Services 3.1.33: http://pcmcia-cs.sourceforge.net/ftp/pcmcia-cs-3.1.33.tar.gz
[7] Homepage for Swallow/Poldhu Drivers: http://www.xs4all.net/~bvermeul/swallow/
[8] Howtos and Drivers: http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux

WLAN, but looks like an additional network – a virtual one – from the client’s point of view. Figure 1 demonstrates this principle using the OpenVPN [1] VPN package. The laptop and the desktop are connected via a WLAN and can reach each other’s true IP addresses on the wireless LAN.

The VPN assigns an additional IP address to both the laptop and the desktop. The VPN encapsulates any data sent to the virtual addresses and transmits it to the real address of the host at the other end of the connection. The host on the receiving end will then decapsulate this traffic and treat it as though it had arrived via its virtual IP, thus creating a tunnel between the laptop and the desktop.

Additional firewall rules allow both computers to receive any data arriving through the tunnel. So, any packets an attacker inserts into the WLAN have no chance of getting through.


Wireless LANs allow attackers to war drive their victims’ premises and grab all the data packets travelling across the network with a little help from the WLAN cards installed in their laptops. You can compare this with a victim installing a network socket at the nearest bus stop and hoping nobody will bother plugging in to it.

In urban areas the risk is extremely high even for private users. Wardrivers constantly search for WLANs that allow them to gatecrash internet accounts, snarf data or hack into large enterprise file servers possibly causing denial of service conditions.

Whereas an attacker would need access to a network socket or the wire to hack a wired LAN, a WLAN pays little attention to walls and fences. To provide a modicum of protection even the earliest wireless LANs used the “Wireless Equivalent Privacy” approach.

WEP aims to provide a level of security equivalent to that available in wired environments and uses its own encryption algorithms to do so. Key lengths of 40 bits were originally envisaged, but today’s devices use 128 bits. Unfortunately, the algorithm used here is quite weak: 40 bit keys can be cracked in a matter of minutes, and even 128 bit keys will tumble within a few days. In other words WEP provides very little protection.

Encryption

A Virtual Private Network (VPN) that receives the traffic, encrypts it, transmits it across the wireless LAN, and decrypts it on the other side is normally the best solution. A VPN uses the traditional

Wireless networks may be practical but they are also quite dangerous. Integrated WEP encryption is no real problem for attackers who can snarf and manipulate data or even inject packets. An encrypted tunnel that uses OpenVPN to protect your data provides a secure solution.

BY ACHIM LEITNER, DANIEL COOPER, OLIVER KLUGE

Secure WLAN Networks via Encrypted OpenVPN Tunnels

Secure Tunnels

COVER STORY: OpenVPN

The VPN uses cryptographic techniques to protect the tunnel. In contrast to the insecure WEP technology, tried and tested algorithms are used to provide a high level of security here. The tunnel thus protects any data sent through it from uninvited guests, at the same time ensuring that nobody can spoof a legitimate laptop and transmit data through the tunnel – the tunnel walls are solid.

OpenVPN

The VPN principle has been implemented in various protocols, products, and projects. OpenVPN is a stable and simple implementation that does without manipulating the kernel or the IP stack.

At both ends of the tunnel it collects traffic destined for the other end, encrypts this data using a locally stored key, and transmits the packets secured in this way through to the other end of the tunnel.

The receiving end decapsulates the transmission and checks its origin. Only data secured with the correct key (i.e. the secret common to both ends) will be decapsulated and forwarded – any other data is rejected. This allows you to tunnel data packed in secure containers through a maze of insecurity.

The following example assumes that the wireless network is attached to wlan0. The desktop is also equipped with a traditional, wired network interface card, referred to as eth0. This network provides access to other computers in the local network and to the Internet.

First Steps

If you have not already installed it, you will need to install the OpenVPN package first (see the “Installation” box). The simple procedure described below assumes a static IP address – so your computers will need fixed addresses that do not change after every reboot.

The procedure is more complex if you use a DHCP server to assign dynamic addresses. OpenVPN does not modify the kernel, instead using the TUN/TAP driver [2] to ensure the forwarding of data packets.

This step is quite simple as the required kernel module has been part of the major distributions’ kernel trees for some while now. The next step is to load the module. Ensure that you have superuser (root) privileges and type the following command:

modprobe tun

In order to provide secure functionality OpenVPN will need keys. The simplest case assumes that both computers will be working with a shared secret. The command

openvpn --genkey --secret secret.key

will create a key and store it in the secret.key file. Only the two computers involved should know this key, which should be readable for root only – anyone who knows the key can easily crack the tunnel.

The key also needs to be copied to the second computer – make sure that this step is secure. Somebody might already be listening in on your wireless network, so why not use a floppy, which you would then reformat. If you have already installed a program such as OpenSSH, PGP, GnuPG, or similar, you can also use this program.

Digging the Tunnel

Now let’s get that tunnel up and running. For this step OpenVPN will need the (static) IP address of the target computer, the name of the tunnel device (tun0 by default), and both virtual IP addresses for the VPN.


Figure 1: The Virtual Private Network is tunneled along a path that starts and ends at the real IP addresses of the laptop and desktop computers (diagram labels: Notebook and Desktop, each with a real address on the WLAN and a virtual address on the Virtual Private Network)

Installation

To install OpenVPN you will probably want to download the source package, openvpn-1.3.1.tar.gz, from [1], and then unzip and install it (you need root privileges).

tar -xvzf openvpn-1.3.1.tar.gz
cd openvpn-1.3.1
./configure --disable-lzo
make
make install

Note that we used the --disable-lzo flag with configure in order to disable compression. However, you can optionally install the LZO library [3]. You will definitely need the OpenSSL library and developer files. SuSE users require two separate packages, for example: openssl and openssl-devel.

Installation is easier for Debian users – just type the following to install OpenVPN:

apt-get install openvpn

The OpenVPN developers also provide RPM packages for Red Hat 7.2 and 7.3.

TUN Device

The tunnel device is available in the current kernel, and from [2] for older versions. If you want to compile the current kernel yourself, you will find the TUN module under “Universal TUN/TAP device driver support” in the “Network device support” section of make xconfig.

You can compile and install this module individually at any time without needing to replace the entire kernel. After configuring the kernel simply type:

make modules
make modules_install

You will now need to create the device file, /dev/net/tun. If the /dev/net/ directory does not exist, type mkdir /dev/net/ before creating the device:

mknod /dev/net/tun c 10 200

And for the desktop:

openvpn --dev tun0 --remote 172.16.0.1 --ifconfig 10.0.0.2 10.0.0.1 --secret secret.key

You can then use ping to test the connection. On the laptop ping 10.0.0.2 should do the job, and demonstrate that the virtual IP address of the desktop is then reachable.

If everything turned out ok, you can now launch the OpenVPN daemon, allowing OpenVPN to run in the background and use Syslog for logging. Use the --daemon flag when you launch OpenVPN to do so, but make sure that you supply the absolute pathname for the file containing the secret key.
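A pre-flight check for the daemon start described above, as an added example that is not part of the original article: it refuses to build the openvpn command line unless the key path is absolute, the key file grants nothing to group or others, and the virtual addresses lie in a private range different from that of the real address. The function names are hypothetical, and reading “different block” as “different reserved private range” is an assumption.

```shell
#!/bin/sh
# Added example: checks to run before starting the static-key tunnel as a daemon.
# Assumption: "different block" is read as "different reserved private range".

# Succeeds if $1 is a dotted quad with four octets in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots; positional params are function-local
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Prints the reserved private range $1 belongs to; fails for public addresses.
private_block() {
    valid_ipv4 "$1" || return 1
    case "$1" in
        10.*)                                  echo "10.x.x.x" ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo "172.16-31.y.y" ;;
        192.168.*)                             echo "192.168.z.z" ;;
        *) return 1 ;;
    esac
}

# Succeeds only if the key file exists and grants nothing to group or others.
# (Ownership by root is not checked so that the check also runs unprivileged.)
key_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# $1 real IP of the peer, $2 own virtual IP, $3 peer's virtual IP, $4 key file.
# Prints the command line, or fails without output if a check does not pass.
tunnel_cmd() {
    valid_ipv4 "$1" || return 1
    local_block=$(private_block "$2") || return 1
    private_block "$3" >/dev/null || return 1
    [ "$local_block" != "$(private_block "$1")" ] || return 1
    case "$4" in /*) ;; *) return 1 ;; esac   # --daemon needs an absolute path
    key_is_private "$4" || return 1
    echo "openvpn --daemon --dev tun0 --remote $1 --ifconfig $2 $3 --secret $4"
}

# Demo with the article's laptop addresses; pass the key file path as $1.
if [ -n "${1:-}" ]; then
    tunnel_cmd 172.16.0.2 10.0.0.1 10.0.0.2 "$1" ||
        echo "refused: check key path, key permissions and addresses" >&2
fi
```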

On the Right Track

The tunnel is up and running, and traffic is travelling happily back and forth – but your laptop and desktop still need to know what types of packets you want to allow through the tunnel. If you use the virtual IP address of the other end of the tunnel for the commands involved, this should be no problem. The OpenVPN call will define the route to use exactly this address. Any other addresses will be routed past the tunnel, just like they were previously.

The route from the desktop to the laptop will work perfectly, provided you use the new virtual address when you want to talk to the laptop. The real addresses assigned to the WLAN adapters in the laptop and the desktop only serve one useful purpose now: they are the endpoints of the tunnel. However, they will no longer be accessed by normal connections.

You will need to put a few finishing touches to the route from the laptop to the desktop and thence to the other computers on your local network and the Internet, as the default route needs to be redefined. The following commands allow the laptop to direct all of its traffic through the tunnel:

route del default
route add default gw 10.0.0.2

Of course, the default route does notapply to packets destined for the realWLAN IP address of the desktop(172.16.0.2). And this is a good thing, asthe tunnel is bound to this address. Sonow the desktop just needs to know thatit may need to forward some of thepackets that it decapsulates. Use thefollowing command:

echo "1" > /proc/sys/net/ipv4/ip_forward

Fireproof

That nearly completes the job at both ends. Both the laptop and the desktop are using the tunnel, your traffic is


And don’t forget the file with the key, of course. The commands on the laptop are as follows:

openvpn --dev tun0 --remote [Real_DesktopIP] --ifconfig [Virtual_LaptopIP] [Virtual_DesktopIP] --secret secret.key

You need to be superuser (root) to run this and any following commands. The commands for the desktop are as follows (the IP addresses just need to be rearranged, of course):

openvpn --dev tun0 --remote [Real_LaptopIP] --ifconfig [Virtual_DesktopIP] [Virtual_LaptopIP] --secret secret.key

You can use more or less any IPs for the virtual addresses, however, they will need to be private addresses. Your virtual addresses should be in a different block from your real addresses to allow simpler routing – the real network should be easy to distinguish from the virtual network.

Address Assignments

As a practical example, let’s assume that the real IP address 172.16.0.1 has been assigned to the WLAN adapter in the laptop, and that the desktop answers to 172.16.0.2. The VPN will need to use addresses in the private address space, for example 10.0.0.1, as the virtual IP address for the laptop, and 10.0.0.2 for the desktop. In this case, the command for the laptop is as follows:

openvpn --dev tun0 --remote 172.16.0.2 --ifconfig 10.0.0.1 10.0.0.2 --secret secret.key

COVER STORY: OpenVPN

GLOSSARY

Private address: Normal, public IP addresses are globally unique, and need to be so, for packets to find their way to a target. In contrast, private IP addresses are valid only on local networks and are not routed on the public Internet. This allows multiple networks to use the same private addresses. Various IP address blocks have been reserved for this purpose: 10.x.x.x and 192.168.z.z, and 172.16.y.y through 172.31.y.y.

Routing: Path selection for IP packets. Linux uses a routing table to select an interface that will permit a packet to get closer to its final target. Stand alone computers do not have many options: 127.0.0.1 uses the loopback device, lo, and everything is transmitted via the default route, eth0, or similar. Routers with multiple network adapters need to make more complex decisions.

Figure 2: Firewall rules can prevent outsiders entering your WLAN. Only the OpenVPN tunnel is allowed to transmit on the WLAN interface. [Diagram: Notebook and Desktop, each with a wlan0 and a tun0 interface and UDP port 5000; label: public IP address]

secure and nobody can listen in. However, it is still possible to inject packets, and this would allow an attacker to hijack your desktop’s Internet connection.

Even if you have a flat rate, you will probably want to avoid giving bandwidth away. Network services provided by clients and servers (such as Web, SSH or FTP servers), are vulnerable from within the WLAN. And if you run an internal network there is another danger to consider: Any packets injected into your WLAN will sidestep a firewall positioned between the Internet and your internal network. However, you can modify your firewall configuration [4] to remedy this situation.

The OpenVPN distribution also contains a sample script for your firewall. However, you will need to add a few additional rules for your WLAN tunnel combination. Figure 2 shows where you should apply these rules.

OpenVPN uses UDP to transmit encrypted packets to port 5000 at the other end of the tunnel, and uses the WLAN to do so. This means you will need to allow UDP port 5000 on your wlan0 interface. The following commands allow you to receive data:

iptables -A INPUT -i wlan0 -p udp --dport 5000 -j ACCEPT
iptables -A INPUT -i wlan0 -j DROP

The last line prevents the computer from receiving any other data via the WLAN. The first ingress rule could be even stricter and use -s real_IP to define the IP addresses from which traffic is allowed to originate. This would be the real IP address of the other end of the connection in this case, that is -s 172.16.0.2 on the laptop.

You will also need to restrict transmitting and forwarding of traffic:

iptables -A OUTPUT -o wlan0 -p udp --dport 5000 -j ACCEPT
iptables -A OUTPUT -o wlan0 -j DROP
iptables -A FORWARD -i wlan0 -j DROP

The endpoints of the tunnel only forward packets that originate from known partners who have access to the correct (secret) key.

This means you can trust packets that originate from a tun device, and will want to accept and handle them. You will also want to enable traffic through the tunnel. Use the following commands to enable incoming and outgoing traffic:

iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT

This completes the configuration for your laptop. The laptop is not attached to any other networks, and thus does not need to forward any traffic. The desktop will still need a forwarding rule and should also use masquerading to allow the laptop to send its data onward to the outside world:

iptables -A FORWARD -i tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
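The firewall rules from this section, gathered into one script per tunnel endpoint, as an added example that is not part of the original article or of the OpenVPN distribution. It applies the stricter -s real_IP variant suggested above; the matching -d restriction on outgoing packets, the function names and the dry-run approach (rules are printed, not applied) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): print the article's iptables rules for
# one tunnel endpoint, with the optional "-s real_IP" restriction applied.
# Nothing is executed here; pipe the output to "sh" as root to load the rules.

VPN_PORT=5000      # UDP port OpenVPN uses in the article
WLAN_IF=wlan0      # untrusted wireless interface
TUN_IF=tun0        # tunnel interface, trusted because of the shared key
LAN_IF=eth0        # desktop's interface towards the LAN and the Internet

# is_ipv4 ADDRESS: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# wlan_vpn_rules ROLE PEER_REAL_IP
#   ROLE is "laptop" or "desktop"; PEER_REAL_IP is the real WLAN address of the
#   other tunnel endpoint (172.16.0.2 when called on the article's laptop).
wlan_vpn_rules() {
    role=$1 peer=$2
    case "$role" in
        laptop|desktop) ;;
        *) echo "role must be laptop or desktop" >&2; return 2 ;;
    esac
    is_ipv4 "$peer" || { echo "bad peer address: $peer" >&2; return 2; }

    # WLAN: only tunnel datagrams from/to the known peer. Order matters,
    # because iptables stops at the first matching rule in a chain.
    echo "iptables -A INPUT -i $WLAN_IF -p udp -s $peer --dport $VPN_PORT -j ACCEPT"
    echo "iptables -A INPUT -i $WLAN_IF -j DROP"
    # Assumption of this example: outgoing tunnel packets are limited with -d.
    echo "iptables -A OUTPUT -o $WLAN_IF -p udp -d $peer --dport $VPN_PORT -j ACCEPT"
    echo "iptables -A OUTPUT -o $WLAN_IF -j DROP"
    # Nothing that arrives unencrypted on the WLAN is ever routed onward.
    echo "iptables -A FORWARD -i $WLAN_IF -j DROP"
    # Tunnel traffic comes from a partner that holds the secret key.
    echo "iptables -A INPUT -i $TUN_IF -j ACCEPT"
    echo "iptables -A OUTPUT -o $TUN_IF -j ACCEPT"

    if [ "$role" = desktop ]; then
        # Only the desktop forwards and masquerades the laptop's traffic.
        echo "iptables -A FORWARD -i $TUN_IF -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -o $LAN_IF -j MASQUERADE"
    fi
}

# accept_before_drop: read "iptables -A" lines on stdin and fail if, for any
# chain and interface, the catch-all DROP (7 fields, no protocol or port match)
# is appended before the port ACCEPT, which would then never be reached.
accept_before_drop() {
    awk -v port="$VPN_PORT" '
        $1 == "iptables" && $2 == "-A" {
            chain = $3; iface = $5
            if ($0 ~ ("--dport " port " ") && $NF == "ACCEPT") {
                if (dropped[chain, iface]) bad = 1
            } else if ($NF == "DROP" && NF == 7) {
                dropped[chain, iface] = 1
            }
        }
        END { exit bad + 0 }'
}

# Stand-alone use: sh SCRIPT laptop 172.16.0.2
if [ "$#" -eq 2 ]; then
    rules=$(wlan_vpn_rules "$1" "$2") || exit 2
    printf '%s\n' "$rules"
    printf '%s\n' "$rules" | accept_before_drop ||
        echo "warning: a DROP rule precedes its ACCEPT rule" >&2
fi
```

Called with laptop 172.16.0.2 on the laptop and desktop 172.16.0.1 on the desktop, the script prints the rule set for that end of the tunnel.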

Limitations

One hitch with the method described in this article is the fact that you can only use it to secure PCs and laptops. It will not work for a network printer with a WLAN interface.

WLAN aware printers only provide WEP encryption, and often only WEP-40. At first sight, it might seem fairly useless to misuse a printer, as attackers would have no way of collecting their printed output. But it is still a chink in your security armour.

The network is only as secure as the computers attached to it. If an unauthorized person can access the OpenVPN laptop, she automatically has access to the key, and thus to your LAN.

Wireless devices are thus particularly prone to theft.

The passwords you select for the services on offer in your WLAN are also important. You might find it annoying having to type those passwords, but having an intruder is definitely a lot more troublesome. ■


INFO

[1] OpenVPN: http://openvpn.sourceforge.net
[2] TUN/TAP drivers: http://vtun.sourceforge.net/tun/
[3] LZO library: http://www.oberhumer.com/opensource/lzo
[4] Marc André Selig: Paketfilter-Firewall, LinuxUser 05/2002, p. 30.

General Terms

Access Control List (ACL): (in this context) A list containing the non-editable hardware addresses (MAC addresses) of the cards allowed to log onto the network – normally stored on access points and access routers. However, there are some techniques that allow you to spoof other hardware addresses, and this prevents the ACL from providing any real protection for your network – although it certainly is another hurdle the attacker will need to take.

Station (STA): Any WLAN device, i.e. cards, access points or access routers.

Wired Equivalent Privacy (WEP): Using encryption technologies to achieve a security standard equivalent to the standard achievable in “wired” networks for data transferred via wireless LAN that can otherwise be sniffed by anybody interested in doing so. The WEP-40 (40 bit key length), and WEP-128 (104 bit key length) algorithms are somewhat trivial, however, and can be cracked within minutes. This means paying particular attention to security measures in wireless networks, such as ACLs, for example.

Access Point (AP): A central node in a wireless network. A participating node will transfer data to the AP which relays it to the receiver. Today’s APs normally have an Ethernet port allowing them to be connected to a wired network.

Basic Service Set (BSS): A group of stations (STA) with the same identification (BSSID).

Independent Basic Service Set (IBSS): Also referred to as an ad hoc network where the participating hosts transmit data directly to each other without accessing a central node. There is no easy way of connecting a wireless ad hoc network to a wired network.

Distribution System: Connects multiple wireless (BSS) and/or wired networks to form an ESS.

Extended Service Set (ESS): A group comprising multiple wireless networks (BSS) with the same (E)SSID that together comprise a larger, logical network (BSS).

(Extended) Service Set ID ((E)SSID): The ID or name of a network.

Basic Service Set ID (BSSID): The hardware address (MAC address) of the central node in a network. In the case of ad hoc networks, this is the address of any given participant, in networks with access points (APs) the address of the AP.

Windows 95, 98 or Me you will find nothing complicated to do. Users of XP, or anything else that has left them with an NT file system will have slightly more work to do.

In an ideal world, XP will not have been installed on your machine. You now have the chance to reserve some, maybe lots, of space for your SuSE install, using tools like fdisk or Partition Magic. If this is not the case, the easiest option would be to add a new hard drive to your machine. Some of the latest partitioning applications, like Partition Magic 7 will allow you to resize NTFS partitions, but since this is not included with the SuSE package, the extra cost in software would have nearly bought you the new hard drive in any case.

Once you have selected your language, the installation procedure takes a look at your hardware and creates a proposal, listing section headings like Timezone, Partitioning and Software. Selecting one of these section headings now allows you to amend some of the proposals made for that part. So, if you were to select the Partition label, you would now have the chance to change from SuSE’s default configuration, of having just some swap space and a single Linux ReiserFS partition for ‘/’, ‘/home’, ‘/var’ and everything else! I very much like to keep a separate ‘/home’ partition, but then I get to play with lots of different distributions, so it makes my life much easier to tinker with the settings. Should you still be finding your Linux feet, sticking with the defaults should get you a running system, but, at some point, you must give in and have a tinker too!

Installation of SuSE 8.1 can be very quick, maybe no more than 30 minutes on a modern machine, but you really should put aside 2-3 hours to do this for the first time. This is not because it is complex to do, you will want the extra time just to go through the thousands of software packages that you might want installed on your system, which are not included by default!

By selecting the Software heading from the proposal screen you will get the chance to control the amount and type of software installed. The default system will give you a graphical desktop courtesy of Xfree86 version 4.2 and KDE version 3.0.3, which will leave you with a fine, workable system, but how will you know what you are missing if you don’t go looking?

Hidden treasure

The Software Selection screen allows you to view the numerous applications by ‘Selection’ groups like Games and Multimedia or by ‘Package’ groups like Documentation and Productivity. The most important ‘Package’ group must be all where you will be able to see all of the packages included with the distribution.

Not all of these packages can be installed at the same time, some will conflict with others. To help you through this there is the ‘Automatic Dependency’ checking utility, which is switched on by default.

This does add 2-3 seconds to the selection of a package, as each time you select a package the utility will consult its dependency database. This is fine for the odd package that you might want to add, but a real pain if you are adding lots, or nearly all. Luckily this function can be turned off and you are given another button with which to check for problems when you want. Should there be problems you can resolve them through a series of check boxes.


Whole version number releases are often frowned upon, because they will usually contain new technology still trying to bed itself in comfortably to a distribution, which is why it is always a relief to find version x.1 released.

SuSE 8.1 is everyone’s chance to see how their technological developments have managed to settle in.

So, what do you get?

A boxed set of SuSE Linux will give you a complete, easy to use desktop system. The professional package will also give you access to a wide range of server side applications like Apache.

SuSE take delight in holding the user’s hand throughout the installation process, which, in the simplest of cases means that you only have to touch the keyboard two or three times throughout the whole of the install procedure.

Walkthrough of an install

SuSE will automatically shrink the size of a FAT 32 file system, so, for anyone doing their first Linux install from

Making its break for stability, SuSE have released their Linux version 8.1. Read on to see what goodies await, for both new and seasoned hands.

BY COLIN MURPHY

The latest from SuSE

SuSE Linux 8.1

REVIEWS: SuSE 8.1 review

SuSE Linux 8.1

Personal Box set £39.99: 3 CDROMs, 1 quickinstall poster, 1 manual (User Guide), 60 days of installation support

Professional Box Set £59.00: 7 CDROMs, 1 DVD, 2 manuals (Administration Guide, User Guide), 1 quickinstall poster, 90 days of installation support

Professional Upgrade £39.00

Once you are happy with the proposed install, you are just a couple of mouse clicks away from making it happen. The only thing left now is to swap the CDs in the drive, and the installation screen gives you an approximate countdown for both the entire install and for when the next CD will be called for. Now you know if you will only have time to make some tea or make an entire lunch before the next CD is required. Of course, if you are using the DVD that comes with the Professional boxed set then you will be saved even from this.

You are now prompted for a root password for your system and then given the chance to create some less godly users for everyday use.

The ‘graphical interface’ section of the YaST installation tool now kicks in, allowing you to set up your monitor and graphics card to the resolution you prefer to run at. You also get the chance to configure the keyboard and mouse, as you would expect, but more of a surprise is the opportunity to set up graphics tablets and touch screen monitors, should you have them. You can now configure your LCD monitor to run in portrait mode if you so wish, see Figure 1.

The rest of the hardware now gets a going over, like sound cards, printers, modems and other network devices, scanners and digital cameras. Hardware was once a big burden with Linux installs, but, so long as your equipment is neither too old nor bang up to date bleeding edge then you shouldn’t have a problem. Once this is out of the way you can consider yourself installed. This new version now supports USB 2.0 and firewire devices.

SuSE have decided to move to grub as their boot loader, which should not cause anyone any problems. Grub is a modern boot loader, and if you have ever compiled your own kernel but forgotten to update your lilo configuration (lilo being the older boot loader system), then you might very well appreciate grub, which won’t let you down in this way.

Some of the other changes

The SuSE Professional box set comes with 7 CDs and 1 DVD, two books, the ‘User Guide’ and the ‘Administrators Guide’ and 90 days of installation support by e-mail/fax and phone.

The Personal box set has just 3 CDs, the ‘User Guide’ and 60 days of installation support. If you chose the Personal box set you will also miss out on the features such as Project Management, Scientific Software and the integrated IP video telephony.

Apart from now using Grub, SuSE have moved over to CUPS, moving away from LPRng for its default printer spooler. You can easily opt out of using CUPS via the YaST2 installation tool, which is the recommended way of changing the system configuration and for keeping your system up to date, with YOU, the Yast Online Update.

The other important change to the distribution is SuSE’s decision to drop StarOffice 5.2 in favour of OpenOffice 1.0.1, now a mature product which has just celebrated its 2nd birthday, as shown in Figure 2.

The value of having some documentation on paper can not be highlighted enough for the new user, which is why I always advise someone trying Linux for the first time to go for a boxed set, even if it is not the most up to date version. The books act as a shield as you journey into the unknown.

The ‘User Guide’ runs to 360 pages with a third of that devoted to the installation and configuration of your Linux system. The remainder of the guide goes on to introduce the user to the KDE and Gnome desktops and some of the other applications that come on the disk, like Kmail, Evolution, Galeon and the Gimp. Without some form of introduction the user might never get to learn about what is available, unless they spend ages playing. The ‘Administration Guide’ runs to nearly 500 printed pages and goes into much greater detail explaining how to administer the vital services that keep a Linux system ticking over. While this manual is only available in printed form with the professional boxed set, it is included in electronic form on the CD with the Personal set.

SuSE 8.1 is built on Kernel 2.4.19 and uses glibc 2.2.5 and gcc 3.2 in the compilation of its software. Apart from the default choice of ReiserFS, you can also select from Ext3, JFS and XFS for your choice of journalised file systems.

SuSE is now optimised for Intel Pentium and AMD Duron and Athlon processors, so 8.1 is no longer going to be of help to you to build a firewall on that old x486 in the loft. Memory is always a crunch point with Linux, the more the merrier, and SuSE recommend having 128MB available.

You could get a minimal system onto a 400MB drive, but this would be a shame, because you have as much as 6GB of software to choose from. You can spend ages just going through the games.

If you are a regular SuSE Linux user, you will know of this, what you may not know is that you also have the option of upgrading your SuSE 8.0 Professional boxed set with the SuSE upgrade package. With this, you get all of the disks from the 8.1 Professional boxed set but no manual.

SuSE makes for an excellent all encompassing Linux system, giving you all of the server applications needed to handle email and other internet tasks, if you take the Professional boxed set. If your needs are not quite so high, then the Personal set will give you a desktop system with a very capable office suite. ■


Figure 2: OpenOffice 1.0.1 now takes the place of StarOffice 5.2

Figure 1: Now you can configure graphics tablets within the YaST configuration tool

Calculations with an Arbitrary Degree of Precision

Numeric languages will tend to truncate the results radically after every processing step to achieve a specific or the maximum available level of precision. Rounding or truncation errors can add up to produce completely misleading results, although it must be said that this will hardly affect problems with an average level of complexity. The Maple worksheet in Figure 1 provides an example showing the kind of processing steps that will lead to issues with floating point numbers.

The ability to perform calculations on the basis of symbols is another important feature: The results of a calculation can be symbols (user-definable parameters, for example) and need not necessarily contain only numbers. Symbols are often critical to interpreting the results. They provide us with deeper insight into fundamental theories than a purely numeric program ever could. Over the years a number of CA systems have emerged to form two distinct groups.

Large and Small

Small-scale CA systems are often designed for special areas and will work quickly and efficiently within these areas. Additionally, they are mostly freeware or shareware by-products of university research – or at least not too expensive. This group includes MuPAD [1], Fermat, Cocoa, Singular, Form, and Reduce, although MuPAD is a borderline case, as regards its functionality and marketing.

Large, universal CA systems often provide useful numeric functions and professional graphics as well as symbolic (algebraic) processing features. They are also capable of creating quality documentation, and can make best use of web technologies. Developers will commonly refer to these products as systems


Computer algebra systems (CAS) are amongst the most interesting and sophisticated programs around – and not only in the eyes of the mathematician. CAS are completely different from numerical programming languages, such as Fortran, C/C++, or Pascal/Delphi. The latter are designed to work with numbers as solutions to equations or relationships, and use exact calculated procedures or approximations to this end.

The precision of the results will depend both on the procedure and the type of number you are working with (an integer, or a floating point). Thus, the results of a procedure involving floating point numbers will commonly be an approximation, with speed being the main advantage of this kind of computational processing.

CA systems use both symbols and numbers and are capable of representing numbers to any given degree of accuracy. 1/3 is not simply 0.333333333… to a CAS, but the fraction 1/3. This has far-reaching consequences for solving algebraic problems, and an equally dramatic effect on processing times. Fractions of this type prove a headache in the case of algorithms where numerators and denominators can reach considerable dimensions. But at least the results will be accurate.

Whether you need to perform calculations to a specific degree of accuracy, or without numbers based purely on symbols, computer algebra systems are capable of both tasks. They display the results in numeric formats, as formulae or 3D graphics. Modern programs, such as Maple 8, which we will be discussing in this article, are well-suited for technical computing tasks.

BY HOLGER PERLT

Computer Algebra and Technical Computing with Maple 8

The Mathematician’s Apprentice

REVIEWS: Maple 8

for technical computing, rather than Computer Algebra Systems.

Products of this kind are normally beyond the scope of university groups. At some stage in product development a business enterprise is formed to take care of development and coordination. Maple, Mathematica, Macsyma, or Axiom are examples of large-scale CAS. Maple (Waterloo Maple) in particular, and also Mathematica (Wolfram Research) have achieved a high level of market penetration thanks to their well organized marketing and sales structures.

The target groups for these software systems are universities, colleges and technological enterprises, with a large range of applications. Prices at the top end of the scale tend to prevent use in schools, although this is where systems of this type could be most useful. The user base figures for Maple in Germany and Austria show this situation clearly (see Table 1).

Maple 8 Feature Overview

Universal CA systems have been moving towards more complete solutions in recent years, with development work concentrating on numeric operations and graphics, in addition to symbolic operations. The aim is to allow the user to solve a complex problem using the following steps, and without needing to switch to another program:
• Draft an algorithm
• Test the algorithm
• Apply the algorithm to a problem
• Document the solution professionally
The requirements for these steps differ. The first two depend on a high level of flexibility and transparency, since sophisticated algorithms and functions are involved. The user will probably want to test the draft algorithm in every imaginable scenario possible – and this is often impossible with purely numerical procedures.

The third step requires enormous processing power, and is often the Achilles heel of the CAS. Since a CAS is not a compiler language its numeric processing speed will be slower than that of C/C++ or Fortran. The last point requires the features of a top-notch word processor – and a lot of work has gone into this area over the last few years.

This concept becomes evident when you consider the fact that a user can spend a whole session within a sheet or notebook, using these formal pages to author program code and documents, and perform calculations.

This is also where the symbolic, numeric, and graphic results will be available. You could write whole books with this user interface. Purists may tend to stick to the command-line version – especially if they only need to compute some results.

Central Features

Maple’s central features include the symbolic (algebraic), numeric, and graphic modes. However, assessments should be based on the symbolic mode, as this is the primary benchmark for a CAS. Symbolic mode can be further broken down into the following:
• Basic operations, substitutions and simplifications
• Analysis (Calculus)
Maple 8 offers the standard you would expect from other CA systems in this area. Let’s look at the simplification of expressions as an example: The function has a set of algorithms that have been enhanced over the years. Using efficient routines for simplification is critical to solving complex problems.

Maple is specifically capable of taking assumptions concerning value ranges and other conditions into consideration when performing the simplification tasks.

Calculus is concerned with solving equations and (partial) differential equations (DE), integrating and solving problems involving limiting values. This is the core issue for a large number of scientific and technical users. Almost any problem you look at within these fields will produce a differential equation. If you have access to a generic symbolic solution, you can investigate the problem at hand from various viewpoints – and this is ideal for technicians, scientists, or students.

Numeric Mode

Providing a numeric mode cannot be considered a traditional task of symbolic calculation. The idea of developing a system for universal use in various areas of science and technology certainly provided ample incentive for the development of this mode. Maple entered into a strategic alliance with NAG to avoid losing out to tried and tested numeric routines. All the most important routines providing numeric solutions for problems in the area of linear algebra derive from the well-known NAG program library. This allows the CA system to solve standard problems involving vectors or matrices at an acceptable speed.

Maple differentiates between two types of decimals: Software floating point numbers refers to the standard representation of decimals, and allows an arbitrary level of precision for numerical tasks, independently of the


Figure 1: This Maple worksheet demonstrates the difference between exact and approximate representation of numbers. Rounding of preliminary results often impacts the final result

Maple Users

Target Groups               Per cent
Universities and Colleges   60%
Industry                    20%
Research Institutes         10%
Schools                     10%

Source: Scientific Computers, Aachen, Germany

The counterpart for hardware floating point calculations is evalhf. However, this command has several restrictions in comparison to evalf. A numerical solver for partial differential equations was introduced to Version 8. This involved considerably enhancing the functionality of the pdsolve function.

Graphics

Maple 8 offers a variety of graphic display features to suit all needs. However, if a feature you really need does happen to be missing, you can add your own Maple code to customize the program. The graphic routines include:
• Basic library routines, such as plot or plot3d
• Special graphic routines in the plots and plottools packages, including animated graphics
• The DEtools package for solutions to differential equations
• stats for statistical data
The last two packages are particularly valuable if you are required to complete complex tasks. If you have ever had to program variable graphic objects, you will appreciate the ease with which Maple can display high quality results: Figure 2 shows a Mandelbrot set, constructed using one of Maple’s basic graphic routines.

Version 8 includes a new package that demonstrates the concept of a unified approach to problem solving with Maple in the context of a large documentation base: Student Calculus1 is aimed at first year students. The package includes a wealth of problems and solutions based on the analysis of the functions of a variable, prepared and presented to suit


computer involved. Precision is defined by the Digits variable. In contrast, hardware floating point numbers depend on the machine’s internal facilities. Calculations with this type of notation are often quicker, however, their accuracy depends on the processor used.

Floating point calculations are invoked by the evalf instruction, which causes Maple to perform the operation in software floating point mode. Additionally, Maple uses different keywords for some symbolic and numeric functions that basically solve the same problem. As different routines need to be accessed, it often does not make sense to run a symbolic calculation for a purely numeric problem, and to then substitute numbers when the result is known. It is a lot quicker to use equally efficient, numeric algorithms.


Figure 2: Maple 8 can display complex 3D graphics: plot3d shows a Mandelbrot set for a given set of values

Technical Computing in Action

Pictures 3a to 3c demonstrate Maple’s uniform approach. Each picture shows a worksheet, where the user can enter texts, and define the problem to be solved. Sheets are extremely informative, interactive documents that can be exchanged across platform boundaries. Other users can repeat calculations at any time, and add their own modifications. This is useful for engineers wanting to exchange ideas, and of course for teachers and lecturers wanting to map out complete maths or physics courses.

Figure 3a shows how a basic differential equation is defined and solved algebraically. The code that needs to be run is shown in red, and Maple’s answer in blue. Entries are made just like a user would make them on paper – the only exceptions being the cases where statements are terminated or the values substituted.

This display principle makes using the program a lot easier – and Maple always attempts to display the results in a fashion that allows for the maximum in readability.

Figure 3b shows two manipulations intended to characterise the behavior of the symbolic solution, one for smaller periods and the other for larger time values. Complex results will often prohibit a simple evaluation of their outcome.

Finally, Figure 3c shows a numerical solution to the differential equation in Figure 3a. Here, Maple allows the user to display the results as a graph, which is extremely useful. To do so, you simply add the routine from the DEtools package and let Maple take care of the rest.

Figure 3a: A mass attached to a spring is pushed. How will the mass react? Maple finds the general, symbolic solution

the requirements of a student entering higher education.

Maple’s Structure

Maple comprises three components: the kernel, the program library and the user interface. The kernel was programmed in C and is responsible for low-level operations. These include arithmetic, file input and output, executing the Maple programming language, and the efficient execution of basic mathematical operations (for example, the derivation of polynomials).

The program library comprises almost every mathematical function. It is written in the Maple language and parts of it are loaded by the kernel, when needed. The user interface comprises both a GUI and a command-line version.

Third-party programs can also use the Maple routines and provide their own user interfaces. The technological program, Matlab, is a good example of this. A recent addition, Maplets, even allows you to program a GUI of your own.

Maple distinguishes five internal functional groups:
• Evaluators
• Algebraic functions
• Algebraic auxiliary functions
• Data structure manipulators
• General auxiliary functions
Evaluators are responsible for various kinds of calculations. These include statements, algebraic expressions, boolean expressions, naming conventions, floating point calculations with arbitrary precision or hardware floating point arithmetic.

The algebraic functions include basic functions, such as diff (derivations), divide (division of polynomials) and coeff (which calculates the coefficients of polynomials).

The algebraic auxiliary functions can not usually be called directly, but are instead referenced by functions of the two preceding groups. They include simplifications of expressions and arithmetic packages.

Data structure manipulators can be applied both to mathematical objects and to data structures.

They include op (selects the operands for an expression), and length (which ascertains the length of an expression). The final group – general auxiliary expressions – is at the base of the hierarchy. It takes care of storage, internal input/output management, and program exceptions.

The Maple user has access to more than 3000 commands, from Maple routines, through auxiliary functions, to evaluators. This makes Maple’s feature


Figure 3b: The generic solution for an oscillating spring is quite clear. However, Maple can reduce the formula even further

Figure 3c: The spring’s behavior becomes more apparent when Maple displays the motion as a graph. This requires a numeric solution

One area of application for CAS is the theory of elementary particles. The complex rules of perturbation theory can be described in the programming language of a CAS. This allows physicists fundamental insight into the complex world of subatomic interaction. This field provided considerable impulses toward the development of CAS in the 70s.

The Dutch physicist, J. Vermaseren, has made considerable contributions towards the development of an efficient CAS geared to the requirements of investigations into the perturbation theory. This program is FORM. Stephen Wolfram and Mathematica are also prominent examples for the symbiosis between physics and CAS.

At the same time mathematicians have been working on developments to allow the use of computer algebra for applied research in the fields of Group Theory and differential equations.

Physics and Computer Algebra

Adept Scientific plc
Stand Alone Commercial Version: approx £1,300
Student Version: approx £125
Special licenses for research, universities, and schools are available; individual pricing on request
http://www.adeptscience.co.uk

Maple 8

for beginners. Procedures, modules and packages are some of the central aspects of the Maple language. This kind of structuring is essential to more complex applications. But Maple leaves virtually nothing to be desired. Modules and procedures are even platform independent. Packages are sets of procedures and data that permit calculations in specific fields. Figure 2 shows a simple example of a procedure in the Maple programming language.

Open for Other Languages

It often makes sense to combine Maple with other programming languages – and this is possible in both directions. You can use the CodeGeneration function to translate native Maple code to its counterpart in the numeric compiler languages C, Fortran, or Java.

Maple can also process code compiled in other languages, provided it is accessible as a library. You will need a Shared Library for Linux: libXYZ.so. You can then use the Maple define_external function to call the external routine just like you would call a native Maple procedure. This may allow quicker processing or permit the use of special numeric algorithms. Maple 8 sees the introduction of a new feature – the Maplet.

Maplets are graphic user interfaces that run within a Maple session. They allow the user to combine packages and procedures with interactive windows and dialogs, thus producing a tailor-made desktop. Unfortunately, this feature is only available within a Maple session. As the name suggests, the Maplet package is based on the Java Runtime Environment. Version 8 introduces enhancements for processing XML files with more flexible functions. Users must bear in mind that Maple uses its own conventions.

User Community

As Maple has been around for several years now, a large user community has grown. Also, a large number of books dealing with special interest topics in science and technology have been published – not to forget the numerous procedures and packages that users can download on the Internet free of charge.

Waterloo Maple provides a lot of support here (of course, it is in their own interest to do so): The company has set up a so-called Application Center. The website at [7] provides users with hundreds of sample solutions, Maple worksheets, and program code for dozens of fields. You will also find links to innumerable books, reports, and articles that refer directly, or indirectly, to Maple. This makes life easier for newcomers, but even experienced users continually discover new applications. ■


list one of the fullest among programming systems of this kind.

Programming with Maple

Maple’s own programming language allows the user to write complex programs, with a clear structure. If you are familiar with C, Fortran, or Pascal/Delphi, you should have no difficulty in mastering Maple. The Maple language is even educative for beginners: If you are familiar with Maple, you will soon come to terms with numeric programming languages. As Maple is not a compiler language, you can test your program code immediately after writing it. This is particularly useful


It is not easy to evaluate the capability of a CA system, and the reviewer’s subjective viewpoint is often apparent. But experts from various universities have put some thought into this matter and come up with three major benchmarking areas:

• Solution of algebraic and transcendental equations

• Solution of differential equations

• Calculation of integrals

Nearly every research task will boil down to one of these areas sooner or later. Current versions are occasionally benchmarked along these guidelines and the results are available on the Web. CAS developers do take this seriously. Michael Wester [2], Laurent Bernardin [3], Hans-Gert Graebe [4], and Stefan Steinhaus [5] are probably the most highly regarded benchmarkers.

Without looking at each of the test results individually, one can still say that Maple performs extremely well in all tests. This is true of the major problem areas. Maple users have access to a state-of-the-art tool that will allow them to solve the most complex of problems in a majority of cases.

Kamke’s Manual of Ordinary Differential Equations provides an almost classic test suite for ordinary differential equations. It comprises nearly every kind of standard DEQ occurring in applied mathematics. As E. S. Cheb-Terrab [6] reported, Maple 7 was capable of solving 1273 of the 1316 examples – that is, a grand total of 96.7 per cent.

Maple has always played a leading role as regards solutions for standard and partial differential equations and this also applies to algorithms for solving equations.

Tests and Benchmarks

[1] MuPAD 2.0: http://www.mupad.de

[2] Michael Wester, “A Critique of the Mathematical Abilities of CA Systems”: http://math.unm.edu/~wester/cas_review.html

[3] Laurent Bernardin, “A Review of Symbolic Solvers”: http://www.inf.ethz.ch/personal/bernardi/solve/

[4] Hans-Gert Graebe, “About the Polynomial System Solve Facility of Axiom, Macsyma, Maple, Mathematica, MuPAD and Reduce”: http://dol.uni-leipzig.de/pub/1998-11/en

[5] Stefan Steinhaus, “Comparison of mathematical programs for data analysis”: http://www.scientificweb.de/ncrunch/

[6] E. S. Cheb-Terrab, “Comparison of Performances in solving ODEs using Maple 7 and Mathematica 4.1”: http://lie.uwaterloo.ca/odetools/comparison.html

[7] Maple Application Center: http://www.mapleapps.com

INFO

Dr. Holger Perlt is a physicist who has worked in the field of theoretical, elementary particle physics. Dr. Perlt started using computer algebra in the late 70s. He has spent the past few years working on the implementation of modern approaches to self-learning optimization in software for complex technological processes.

THE AUTHOR

configure script familiar to anyone installing software directly from source. As mentioned earlier, m4 allows us to easily define our own macros, and this is the feature we will focus on. We will learn how to hide layout specifics, long-winded code or arcane syntax behind our own simple macros.

How m4 can help you write HTML

There are no (to the author’s knowledge) ready-made macros for writing HTML, so we will have to write them ourselves.

At this point you may ask “What’s the point then? I may as well be writing the HTML code in the usual way, instead of using this m4 mumbo-jumbo!” The astute reader would, of course, be 100% correct in this observation. However, read on as the benefits will be explained in the next couple of paragraphs. Consider a snip of HTML you write a lot; a simple example is the code for creating links. Chances are it will be like this:

<a href="http://www.w3.org">www.w3.org</a>


We will cover the basics of m4 by separating out content and layout of HTML web pages.

The techniques shown are not by any means restricted to HTML, but are applicable elsewhere as well.

Before we begin…

Very basic knowledge of HTML would be beneficial, but should not be necessary to read and comprehend the material covered in this article. It is m4’s capabilities as a macro processor language the author wishes to communicate; HTML was chosen because it is something most people should be at least vaguely familiar with.

What is m4?

m4 is a macro processor used by Sendmail and GNU Autoconf, etc. Sendmail relies on m4 for creating its (in)famous sendmail.cf configuration file while Autoconf uses m4 to create the

m4 is a macro language used for text processing. It simply copies its input to its output, while expanding built-in or user-defined macros. It can also capture output from standard Linux commands.

BY STIG BRAUTASET

GNU m4

Creating HTML pages

GNU m4 KNOW HOW

When splitting the content from the layout of web pages, the author prefers to call the common macro file html.m4. The content of each page goes in a file with the ending “.mac”, e.g. index.mac and so on. When explaining this, however, we develop our macro and .mac files bit by bit, so we need to refer to several different files. Thus it is convenient to name them first.m4, first.mac and so on.

See the sidebar “Joining the content and layout” for how to create the resulting HTML file from the macros and the content.

Naming conventions

Now, what if we instead define a simple macro that will allow us to write

__link(www.w3.org)

and let m4 do the tedious job of filling in the necessary bits? That’s less than half the number of characters already. Additionally, observe that we only had to write the link name once, so there is less chance of us spelling it wrong.

Another example is if we have a note on our page telling visitors the date of the last update. It is tedious work searching through all the files you have changed, searching for and updating date stamps. Instead we can simply define a macro named, say, __today that will expand into today’s date. The search-and-replace business will then be taken care of for us automatically. How to do this will be shown later; we need to take care of the basics first.

Getting your hands dirty

As mentioned earlier, m4 allows us to define our own macros with ease. The command to let us do this is cunningly named define. Here’s how to define a macro to let us use the link shorthand above:

define(__link, <a href="http://$*">$*</a>)

The part before the comma (but inside the parentheses) is the macro name, and the part after the comma is the macro body. We will refer to the whole line as the macro definition. The definition line above in English: “Define a new macro named __link. Everywhere this macro occurs, replace the macro name with the body of the macro, and replace “$*”, wherever it occurs in the macro body, with the macro’s arguments (whatever is inside the parentheses following the macro name).”

We will store the macros we write ourselves, such as the above, in a file called html.m4. See the sidebar “Comments: documenting our macros” for details about how we can mix comments and macros in this file.

It’s worth noting that macro names do not have to start with two underscores. It is just a convention, because we need to make sure that we do not pick a string that naturally occurs in the text. Otherwise we may get spurious replacements of the macro.

Multiple arguments and quoting

The define command we used above expects two arguments: the new macro name, and what to replace the macro name with. Considering again the example with the __link macro above, what should we do if we don’t want to use the URL as the visible, “clickable” link? We could simply create a new macro that takes several arguments, and invoke it thus (in context this time, just to show that it is possible): “Here is __link2(www.w3.org, a link to w3.org). It is an informative website.” Here’s how to define such a beast:

define(__link2, <a href="http://$1">$2</a>)

The only change is that we now have “$1” and “$2” instead of “$*”. “$1” and “$2” refer to the first and the second argument of our macro. The arguments are separated by the comma character.

So, Sherlock, what now if we want to create a macro that can take an argument with a comma in it? That, my good Watson, is simple. We just have to quote the argument. When you quote something, everything between the quote characters will be treated as a single argument, even if it consists entirely of a string of, say, 90 commas. The default opening quote is a “`” (back-tick) and the default closing quote is a “'” (single quote). We can now invoke __link2 with a comma in the second argument thus:

__link2(www.gnu.org, `www.GNU.org, the home of much software')

The second comma is now quoted, so the macro is indeed invoked with only two arguments. Note that only one layer


Here’s how you create the resulting index.html from the macro definitions in html.m4 and the content in index.mac:

$ m4 html.m4 index.mac >index.html

This invokes the m4 processor with two arguments. The m4 command will take the macro definitions it finds, do the necessary substitutions and output the result on its standard output. However, we make use of the shell’s redirection facilities to make the output go to a file instead of the screen (if this makes no sense to you, just tag along and follow the directions, but you should consider reading up on shell basics). Now open first.html in a browser, and voilà! We have a web page!

Joining the content and layout

If a macro is not self-explanatory, we would like to put an explanatory comment alongside the macro definition. m4 naturally allows us to do this; it provides the built-in dnl which reads and discards all characters, up to and including the first newline.

dnl I am an example comment.
dnl I am highly unhelpful,
dnl but 100% correct.

Using dnl as part of a string does not exhibit this behaviour.

Comments: documenting our macros

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="Sample HTML page">
<meta name="keywords" content="gnu m4 html">
<meta name="author" content="Stig Brautaset">
<title>sample html page</title>
</head>
<body>
<p>Hello, World</p>
</body>
</html>

Listing 1: sample.html

__title({Hello World, HTML version})
<h1>Hello World</h1>
<p>Look at this link: __link(www.w3.org)</p>
<p>Last updated: __today</p>
</body>
</html>

Listing 2: first.mac

and can even be called several times from the same file. The effect is immediate, but only for this invocation of m4. The author strongly advocates that you stick to one set of quotes, as it quickly becomes rather hairy having to remember which quotes go where.

The quoting “characters”, by the way, need not be single characters; you may use “{([whoopee->” as your opening quote if you wish. Neither is there any need for the closing quote to correspond logically to the opening quote. It is just a convention, and makes the macros easier to read 3 months hence.

changequote({,}) dnl change quote character
dnl create a link with the link name specified specifically
define(__link2, <a href="http://$1">$2</a>)

With a html.m4 containing the definitions shown above we can invoke our __link2 macro thus:

__link2(www.w3.org, {w3.org, a site well worth reading})

Enough basics, let’s do some real work

With HTML, there’s always a lot of stuff that needs to be set up at the top of each page. If you have more than, say, 2-3 pages that have a similar layout (but with optionally different <title> tags etc.) then you will probably want to create a macro for all this stuff. We will consider the sample HTML page shown in listing 1, and see how we can get a similar result using our newfound macro-skills.

After creating the necessary macros, listing 2 shows the content of the file first.mac. This is the mixture of HTML and macro calls that together with our macro definitions enables us to produce the resulting HTML in listing 1. We already know how to create the __title and the __link macros; the only new addition is the macro __today mentioned above. This macro uses m4’s


of quotes (the outermost) is stripped by m4, so the apostrophe in the following invocation will not yield an error:

__link2(www.gnu.org, `GNU, RMS's pet hobby-horse')

The author usually changes the default quote characters into “{” and “}” for readability and ease of typing. The command for changing the quote characters, with an appropriate comment attached (see the “Comments: documenting our macros” sidebar), is:

changequote({,}) dnl change the quote characters

changequote takes two arguments, the new opening and closing quotes respectively. It can be called at any time,


changequote({,}) dnl change quote character
dnl two macros for link-creation.
define(__link, <a href="http://$*">$*</a>)
define(__link2, <a href="http://$1">$2</a>)
dnl abstract away all the layout cruft at the beginning.
define(__title, {<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="Sample HTML page">
<meta name="keywords" content="gnu m4 html">
<meta name="author" content="Stig Brautaset">
<title>$1</title>
</head>
<body>
}) dnl the __title macro ends here
dnl use built-in 'esyscmd' to call the standard Linux 'date'
dnl utility and have its output replaced with the '__today'
dnl macro name. The date will be on the form "Sun 16 Jun 2002"
define(__today, esyscmd(date '+%a %d %b %Y'))

Listing 3: first.m4

__title2({Hello World, HTML version}, {<h1>Hello World</h1>
<p>Look at this link: __link(www.w3.org)</p>
<p>Last updated: __today</p>
})

Listing 4: second.mac

changequote({,}) dnl change quote character
dnl two macros for link-creation.
define(__link, <a href="http://$*">$*</a>)
define(__link2, <a href="http://$1">$2</a>)
dnl abstract away all the layout cruft at the beginning
dnl and the closing tags at the end; $1 is the title, $2 the page body.
define(__title2, {<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="Sample HTML page">
<meta name="keywords" content="gnu m4 html">
<meta name="author" content="Stig Brautaset">
<title>$1</title>
</head>
<body>
$2
</body>
</html>
}) dnl the __title2 macro ends here
dnl use built-in 'esyscmd' to call the standard Linux 'date'
dnl utility and have its output replaced with the '__today'
dnl macro name. The date will be on the form "Sun 16 Jun 2002"
define(__today, esyscmd(date '+%a %d %b %Y'))

Listing 5: second.m4

define(__index) dnl allows conditional processing of the page
__title2({Hello World, HTML version}, {<h1>Hello World</h1>
__menu
<p>Look at this link: __link(www.w3.org)</p>
<p>Last updated: __today</p>
})

Listing 6: third.mac

capability to call standard Linux tools, and puts the output of the said command (“date” in this case) into the text. Listing 3 shows the full content of first.m4. This contains all the macro definitions required by first.mac, which is found in listing 2.

More abstraction

Looking at the code in listing 2, you may not want to write the closing </body> and </html> tags either, and indeed you don’t have to. m4 allows macros to be nested, thus we can use a macro within another macro. The result is shown in listing 4. Witness that the __title2 macro takes two arguments, the first being the page title and the second being the full page body. Be careful when you go to these lengths of abstraction though, as it is easy to miss out the closing “})” at the end of the file if you do extensive updates.

The change to listing 3 to facilitate this is shown in listing 5.

More advanced macros

Up till now, we have only looked at fairly simple search-and-replace macros. These work fine, but consider if we have a collection of pages with a common menu. We could put the whole menu in a macro of the type we have used before, but then each page would include a link to itself as well as to all the others, and this is not very elegant. A solution, of course, is to just cut-and-paste the menu into the individual files and change each file to not make a link to itself. This, however, is very tedious. The solution? Use m4’s built-in conditionals.

In each source file we define a macro that identifies that file. In index.mac we define, say, __index. The built-in conditional “ifdef” can then use these macro definitions to decide whether to take special actions on this file. The menu could then be something like this:

define(__menu, {<p>MENU<br>
ifdef({__index}, index, __rlink(index.html, index)) <br>
ifdef({__pics}, pictures, __rlink(pics.html, pictures))</p>
})

The two ifdef lines are new to us. They first check whether a certain macro name is defined (observe that the first argument of ifdef has to be quoted). If the macro name is defined, the second argument is inserted into the text. If the macro name is undefined, the third argument will be inserted into the text, and the second argument will be ignored. The use of the __menu macro is shown in listing 6.

The __rlink macro is also new. Its name stands for relative link, in that it does not prepend http:// to the link. It is shown in listing 7, which is the final macro listing file.

Summary

We have seen how to use m4 to create macros to help us maintain HTML pages. We went from very simple one-line substitution macros, like __link and __link2, to bigger but still very simple macros of the same type, like __title. From there, we went on to using m4’s built-in ability to capture the output of system commands when we created the __today macro. Lastly we used m4’s built-in conditionals to create a __menu macro that expands into a different menu on each page. ■


changequote({,}) dnl change quote character
define(__link, <a href="http://$*">$*</a>)
define(__link2, <a href="http://$1">$2</a>)
define(__rlink, <a href="$1">$2</a>)
dnl abstract away all the layout cruft at the beginning.
define(__title2, {<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="Sample HTML page">
<meta name="keywords" content="gnu m4 html">
<meta name="author" content="Stig Brautaset">
<title>$1</title>
</head>
<body>
$2
</body>
</html>
})
dnl use built-in 'esyscmd' to call the standard Linux 'date'
dnl utility and have its output replaced with the '__today'
dnl macro name. The date will be on the form "Sun 16 Jun 2002"
define(__today, esyscmd(date '+%a %d %b %Y'))
define(__menu, {<p>
ifdef({__index}, index, __rlink(index.html, index)) <br>
ifdef({__pics}, pictures, __rlink(pics.html, pictures))</p>
})

Listing 7: third.m4

If you’ve opened any of the HTML files you’ve created from the macro and content files, you’ve probably found that there’s a lot of unnecessary white-space in them. This is OK, since excessive white-space is simply ignored by web browsers. If you’re a pedantic zealot like the author, you’ll want your source to be beautiful on its own as well.

Enter “tidy”, an HTML validating, correcting and pretty-printing program. Simply invoke tidy on your HTML files thus: tidy -im first.html and the file will be audited and printed prettily. See the sidebar “Links and resources” for where to get tidy.

Using tidy to clean up the mess

[1] GNU m4: more information about the m4 macro processor can be found at http://www.gnu.org/software/m4/m4.html

[2] HTML tidy: get your HTML cleaned up and validated: http://www.w3.org/People/Raggett/tidy/

INFO

Stig Brautaset, born in Norway, is the founder of the Linux Society at the University of Westminster. He is currently in his last year of a BSc Artificial Intelligence degree. His interests largely revolve around computer programming – from e-mail spam filters to games. Regularly spending much time on IRC, he can be found there under the nick “Skuggan” or “Skugg”.

THE AUTHOR

Pixel based graphic formats have been around for some years. Consequently, there has been a similar demand for suitable conversion programs. If you want to tackle this problem Unix style, that is using individual filter programs for the command line, you will need to write exactly (n-1)*n filters for n graphic formats. If you decide to use an interim format instead, you will only need n filters to convert various graphic formats into the interim format and another n to convert the interim format back to an original graphic format.

Jef Poskanzer started working on pbmtools in 1989 with this in mind. Up until 1994 new formats and effect filters for the interim format were added step by step to the collection now known as netpbm. Since 2000 the Netpbm project has seen a return to more active development and this is now hosted by the Sourceforge project.

Bit, Grey or Pix?

To be more exact, Netpbm does not offer a single interim format but three: “Portable Bitmap” (PBM), “Portable Greymap” (PGM) and “Portable Pixmap” (PPM). The PBM format recognizes only occupied (black) and vacant (white) pixels and thus requires one bit per pixel. The PGM format can store only greyscales and will normally require eight bits per pixel (256 greyscales). The PPM format requires 24 bits per pixel (eight bits each for the base colors red, green, and blue), allowing 16.7 million colors (“true color”). “Portable Anymap” (PNM) refers to any interim format.

tgatoppm, giftopnm, or g3topbm are examples of the filters used to convert external formats to the interim format. ppmtogif, pnmtotiff, or pnmtops are examples of filters for the opposite direction. Additionally, there are some filters that are applied only to the interim formats. ppmtopgm converts images to greyscales, pnmsmooth applies a soft focus effect and pgmnorm is used for normalizing greyscales.

Source Material

Of course, raw material is required for command-line based image processing. But your computer can also take care of this task using the freeware raytracer, Povray. The scene description file glass.pov from Listing 1 causes the program to trace an image with five glass balls on a checkered background. You can use the clock variable to move the background and in turn produce a simple animation.

Now let’s feed this to Povray version 3.0 or 3.1. We want the program to create a 320 by 240 pixel image using anti-aliasing, and creating output in PPM format:

povray +i glass.pov +w320 +h240 +a0.1 +fp +v

Figure 1 shows the results as stored in the glass.ppm file.

Filters in Chains

The following steps show how to use filter commands to modify an image. The following command converts the image to greyscale:

ppmtopgm glass.ppm > glass.pgm

Just like the filters in the Netpbm

Editing images does not mean you will automatically need a mouse. The filters included in the Netpbm package and similar tools can be used in shell scripts to automate various steps.

BY CHRISTIAN PERLE

Netpbm Tools and Shell Scripts

Animation on Demand

Graphic Scripting KNOW HOW

Sourceforge: A Web service for Open Source projects including developer forums, version control, download areas, and various other resources at http://sourceforge.net/.

Povray: A freeware raytracing (3D graphics) program that runs on various operating systems – such as Linux. The Povray homepage is available at http://www.povray.org/; the subscription CD includes a tutorial in HTML format.

Anti-aliasing: Automatic smoothing of lines in high contrast images. Prevents an image from appearing “over-pixeled” and simulates a higher resolution.

GLOSSARY

Figure 1: Glass balls as a test image

apply the oil effect to fields measuring 5 by 5 pixels.

To bring back some color to the image, we now add another filter to the chain. pgmtoppm converts the greyscales to blue and white, as is shown in figure 3.

Learning to Run

Of course, there is nothing wrong with calling individual filters in the command-line, but you will probably need a shell script to make use of the power of most command-line tools. Shell scripts allow you to send a whole collection of image files through the same chain of filters, or simply convert them to a different format.

So now all we need is a whole bunch of images to experiment on. Let’s ask our old friend Povray to help us out with that animation feature we just talked about.

You can use the following command:

povray +i glass.pov +w240 +h180 +fp +a0.1 +kfi00 +kff49 +kc

to have the raytracer produce an animation sequence with 50 images. The images are stored as glass00.ppm, glass01.ppm, through glass49.ppm. Correspondingly, the options +kfi and +kff refer to the numbers of the first and last images. The option +kc shows that this is a cyclical animation.

The next task is to create an animated GIF image from the individual images

package, ppmtopgm sends the results to your standard output, which can be redirected to a new file called glass.pgm using a greater than sign “>”. Figure 2 shows the results.

In order to avoid creating additional temporary files for the following filtering steps, we now make use of the fact that the Netpbm tools can read from standard input. This allows us to link a series of filters using pipes in the shell:

ppmtopgm glass.ppm | pgmoil -n 5 | pgmtoppm Blue-White > oil.pgm

The output from ppmtopgm is sent directly to pgmoil. This filter adds an effect to the image, making the contours appear to melt just like in an oil painting. The pgmoil option -n 5 tells the filter to


Listing 1: glass.pov

// Glass ball animation
// (C) 11/2002 Christian Perle (POVaddict) / Linux Magazine

// Camera
camera {
  location <0, 0, -10>
  direction <0, 0, 4>
  look_at <0, 0, 0>
}

// Lighting
light_source { <10, 10, -10> color rgb<1, 1, 1> }

// Declaration of glass ball
#declare GBall = sphere {
  <0, 0, 0>, 0.5
  scale <1, 1, 0.5>
  finish { phong 0.7 reflection 0.1 refraction 1 ior 1.33 }
}

// Five colored glass balls
object {
  GBall
  translate <-1, -0.6, 0>
  pigment { rgbf<1, 0.7, 0.7, 0.7> }
}
object {
  GBall
  translate <0, 0, 0>
  pigment { rgbf<.7, 1, .7, .7> }
}
object {
  GBall
  translate <1, 0.6, 0>
  pigment { rgbf<0.7, 0.7, 1, 0.7> }
}
object {
  GBall
  translate <1, -0.6, 0>
  pigment { rgbf<1, 0.7, 1, 0.7> }
}
object {
  GBall
  translate <-1, 0.6, 0>
  pigment { rgbf<0.7, 1, 1, 0.7> }
}

// Checkered pattern in background
plane {
  <0, 0, -1>, -4
  pigment {
    checker color rgb<0.5, 0.5, 0.5>, rgb<1, 1, 1>
    translate <-clock, -clock, 0>
    scale 0.4
  }
  finish { ambient 0.4 }
}

GLOSSARY

Standard input, standard output: Many command-line programs allow you to omit the name of the input file. In this case the program reads from standard input, which will normally mean the keyboard. If you omit the name of the output file, most programs will use standard output, that is, display the results on your terminal.

Pipe: The pipe character “|” (representing a stylized pipeline) connects the standard output of a program to the standard output of another program. This allows you to use multiple programs in a single processing step.

Shell script: A file containing shell commands that are processed automatically. Repetitive tasks are often best accomplished using automated shell scripts.

Figure 2: Everything turned grey all of a sudden

Figure 3: Blue and white colouring with oil effect

and incorporate the GIF in a website. To prevent the GIF image from becoming too large you might decide to scale down the image to 100 by 75 pixels. The shell script mkgifanim (Listing 2) takes care of this task and goes on to call the whirlgif tool that assembles the individual GIF images to an animated GIF.

In the for loop, the variable f takes each file name that matches the shell expression (see box below) glass??.ppm in turn. Within the filter chain pnmscale is used to scale down the individual images to a width of 100 pixels. The height is calculated automatically to retain the original proportions. In the next step ppmquant reduces the number of colors in the GIF to a maximum of 256. Finally, ppmtogif writes the GIF image itself. The script uses the current value of the variable f to construct a file name, removing the .ppm suffix and adding .gif as the new suffix.

The following whirlgif call will run the animation, g_anim.gif, in an infinite loop (using the -loop option), with an interval of 8 milliseconds between the images (-time 8). Figure 4 shows the animation – of course you can only run the animation if you purchased the flip-book plug-in for this issue. But seriously folks, check out the subscription CD for the file, which you can view in your web browser or xanim.

Animated Effects

In addition to GIF there are a few patented animation formats, such as MPEG and FLI. You can use xanim to view the latter. The mkedge animation in Listing 3 requires ppm2fli, which is not a Netpbm tool.

This script also processes all the individual images in the glass ball sequence, converting them to greyscale (ppmtopgm), creating lines for the edges in the image (pgmedge) and normalizing the brightness (pgmnorm).

The resulting images are named glass00.pgm through glass49.pgm. Since ppm2fli expects a list of the individual images in a file, you will need to run ls to create this list before you launch ppm2fli. You will also need to use the option -g to tell the tool the image formats in use.

You can use the ffmpeg tool to create a further animation – as the name would suggest, an MPEG. You can apply the filter chain used for mkedge first, however, you will need an additional step (pnmarith) to add the original image glass00.ppm pixel by pixel. This creates an interesting overlay effect. When ffmpeg is called in mkedge (Listing 4), the expression for the input file (glass%02d.overlay.ppm) is expanded by ffmpeg itself.

You might like to perform some experiments of your own, and read the man pages, to familiarize yourself with the range of filters provided by the Netpbm tools. The man pages for pbm, pgm, ppm, and pnm contain an overview. ■


Shell Patterns

The shell recognizes various expressions for file and directory names, and expands them before running the current command. The most important examples are

• the question mark ?, which represents exactly one character.

• the asterisk *, which is a wildcard for any number of random characters (even zero).

• character sets in square brackets []. Exactly one character of the type in the brackets must occur at this position. There are various notations, as is evidenced by the following examples:

The expression lx[acE].txt matches the names lxa.txt, lxc.txt, and lxE.txt.

graph[a-z][0-9][0-9].jp? matches the names graphi50.jpg, grapho01.jpg, and graphx55.jpe (amongst others). The dash within the brackets indicates that a complete character set is to be matched, for example lower case letters a through z, or numbers between 0 and 9.

The expression [^abc][xyz].b* matches both wy.b and 3x.ball (amongst others), but does not match cz.bmg or rx.img. The ^ character after the opening bracket indicates a negation, meaning any characters apart from those listed.

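Listing 2: mkgifanim

#!/bin/bash
# Scale each frame to a width of 100 pixels, reduce it to 256 colors, write a GIF
for f in glass??.ppm
do
  pnmscale -w 100 "$f" | ppmquant 256 | ppmtogif > "${f%.ppm}.gif"
done
# Assemble the individual GIFs into an endlessly looping animation
whirlgif -o g_anim.gif -loop -time 8 glass??.gif

Listing 3: mkedge

#!/bin/bash
# Greyscale, edge detection and brightness normalization for each frame
for f in glass??.ppm
do
  ppmtopgm "$f" | pgmedge | pgmnorm > "${f%.ppm}.pgm"
done
# ppm2fli expects the list of frames in a file
ls glass??.pgm > frames.list
ppm2fli -g240x180 frames.list edge_anim.fli

Listing 4: mkoverlay

#!/bin/sh
# Same filter chain as mkedge, then add glass00.ppm pixel by pixel
for i in glass??.ppm
do
  ppmtopgm "$i" | pgmedge | pgmnorm > temp.ppm
  pnmarith -add temp.ppm glass00.ppm > "${i%.ppm}.overlay.ppm"
done
# ffmpeg expands the %02d pattern itself
ffmpeg -an -i glass%02d.overlay.ppm -b 768 g_overlay.mpg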

Figure 4: Animation


LyX Workshop, Part 1

Taking it Easy

LyX provides comfortable word processing features for the LaTeX typesetting system allowing even beginners to create high-quality documents. BY ANDREAS KNEIB

LyX’s roots reach way back through the years of computer history. In March 1978 Donald E. Knuth [1] wrote the first lines of a typesetting program called TeX. This program was actually designed to improve the layout of his book “The Art of Programming”, as the layout was a source of concern to the esthete, Knuth.

The name of the layout system itself indicates the author’s desire for perfection and art within a program. TeX represents the Greek letters Tau Epsilon Chi, and is thus pronounced tech and not the expected tecks [2].

The ancient Greeks, and Aristotle in particular, understood “techne” as artistry and applied knowledge, and this was exactly what Knuth was aiming for. The typesetting package provided the author with the potential to add commands to the text to produce an attractive appearance.

Unfortunately, the commands involved are complex, and can prove to be too much of a challenge to the average writer [3]. This motivated Leslie Lamport to create the TeX add-on LaTeX in 1985. Like HTML, LaTeX instructions comprise a markup language – that is, a descriptive language that shows the interpreter how to portray a document.

In contrast to HTML, the interpreter is not a browser in this case, but Donald Knuth’s layout system, which formats the text on the guidelines of LaTeX macros and creates a DVI file as a result. If you have installed the LaTeX package, you will normally find an introductory file on this subject, called l2kurz.dvi, on your hard disk.

The macro command set developed by Leslie Lamport may have simplified working on the text itself, but the user still needed to be familiar with LaTeX syntax. In 1995, ten years after Lamport created his add-on, Matthias Ettrich produced a frontend that enhanced the user-friendliness of the layout program, and LyX was born.

Matthias Ettrich originally designed this program within the context of a student project. At first sight, LyX looks like yet another editor with its menu bar,


but on closer inspection you will see that Ettrich has managed to combine the ease of use of a modern word processor with the perfection of TeX layouts – and that is no mean feat. In 1997, working with Matthias Kalle Dalheimer [4], Ettrich ported his program to the KDE environment, and decided to name this branch Klyx. Ever since then work on the program code for LyX has been the responsibility of Lars Gullik Bjønnes.

The primary difference between LyX and Klyx is the user interface. While LyX is based on the GUI toolkit Xforms, Klyx uses the QT library. Both versions are widely compatible with one another. If you are interested in downloading the latest version of LyX, try http://www.lyx.org.

LyX the Editor

You will discover all the options a traditional text editor offers you in LyX. For example, you can search and replace words, insert tables, perform spell checking or cut and paste with your mouse. But there are many features of programs, such as Microsoft Word & Co, that you will not need when working with the LaTeX frontend.

For example, the program does not use tabs or additional newlines to increase the whitespace between words and paragraphs respectively. The editor does not show line or page wrapping and will not try to influence you with regard to hyphenation.

LyX is a visual word processor that uses LaTeX as a print system, and is thus restricted to the limitations of the macro package. This is one of the reasons why you should not expect the WYSIWYG behavior of other editors. For example, if you want to know what your document will look like in the finished version, you will have to view the DVI.

These limitations are at the same time the program’s greatest advantages: While you are writing you can concentrate entirely on the content of your document, leaving the typographic niceties of paragraphs, headlines or footnotes to your computer system. You only need to tell the editor what paragraphs to indent, or format as footnotes or lists. So there are no headaches as regards the layout.

If you tell the frontend what part of the text you would like to format as a numbered headline, it will then choose the correct font, typeface, and number. Complicated manual text formatting procedures, such as “bold, 16 point, centered”, are a thing of the past.

And this is why Matthias Ettrich refers to his program as a WYSIWYM editor. WYSIWYM is the acronym for “What you see is what you mean”. That is, you will not see an exact representation of your text as the printer will output it. What you will see is the logical structure of the document as you intended it, with highlighting, headings, or lists.

LyX also includes a whole range of additional features, allowing you not only to view the current document in DVI format, but also to convert it to either ASCII or HTML. The program also allows you to create tables of content as well as glossaries.

For authors who use mathematical expressions, LyX offers a WYSIWYM style formula editor that you will not need a mouse to use. Additional features worthy of note include allowing you to incorporate and scale postscript graphics in your documents, and providing the author with almost unlimited Undo/Redo functionality.

Documentation and Help

Before we take our first look at the user interface, let’s first take a moment to investigate the Help button at the end of the menu bar. The Help option provides access to a wide range of LyX documents. The help texts start with an introduction, include a tutorial with exercises, and culminate with a reference manual.

Life is made easier by the Content menu, which allows you to perform searches in the documentation. If you would prefer to start with an introduction, you might like to try the Introduction, Tutorial and FAQ section.

The Interface

When you launch the program for the first time, a menu with the items File, Edit and Help appears – not many items so far. But after creating a document by choosing File/New, additional menu items are added to the list, such as

Insert, Layout, Display, Navigate and Documents.

The File menu provides exactly what you would expect: various items that allow you to create, open and save files. The Version control item is new, and allows you to identify and select several versions of the same document. The Import and Export items are used to convert ASCII, LaTeX, or PDF documents to and from LyX format. LyX documents are easily identified by the .lyx file suffix. However, the editor will not convert documents itself, preferring to delegate that task to external programs.

The Edit menu also provides most of the functionality you would expect from a normal text editor. One exception is the Table item that allows you to edit tables. The Math Panel popup contains the whole gamut of non-standard characters from Greek letters to root signs; just click on a symbol to easily insert it into your new document.

You can select Spellchecker to let the Ispell program loose on your document, and use Floats & Insets to open and close footnotes, margin notes, and tables. The last two items in this menu, Preferences and Reconfigure, are used to define settings in the editor’s preferences file, which is normally stored in ~/.lyx/lyxrc.

The Inset button provides access to a list of text markers that you can add to your document, allowing you to insert margin notes, images, and whole files.

The Layout menu is somewhat more advanced. You can use Fonts to specify the typeface and emphasis of the selected text. The Paragraph Layout popup is used to select the alignment of the text or specify page breaks. You can use the Document option to define the appearance of the whole document. Five registers are available for use in this section, allowing you to specify the document class (various classes are available, ranging from letter to book), the language for automatic hyphenation or the paper size.

Figure 3: The Layout/Document Window

View opens a menu that allows you to view your text as a PDF document, in Postscript or HTML format. This menu also allows you to launch the DVI viewer, which will show you what the printed version of your document will look like. The Update function does what you would expect from a WWW browser. If a document has been modified, it is reloaded by the viewer. The Table of Contents menu is also quite useful, and provides you with an overview of the images, content, algorithms, or tables in your document.

The next option in the menu bar allows you to navigate your document. You can navigate the body of your text, the notes it contains or the errors. As we have already paid a visit to the LyX help menu, our last port of call is the Document menu. This provides quick access to the documents that you currently have opened, allowing you to toggle the current document.

The toolbar underneath the menu bar allows you to call commonly used functions with just a single click. A small bubble help window shows you the title of the button when you move the mouse over it. Several key functions, such as Print, Select or the Math Editor can be found here.

The pull-down box at the left end of the toolbar allows you to select paragraph environment types. The environment list depends on the document class defined in Layout/Document. For example, if you choose the article class, you have access to paragraph formats for the title, headings, and author that are not available in the letter class. Instead the letter comprises entries for the address, telephone number, and references, that are not available for articles. We will be taking an in-depth look at paragraph environments in the next part of our workshop.

Templates

The /usr/share/lyx/templates directory contains a range of LyX files that you can use as templates. The quickest way to access a template is to choose File/New from template. This is your opportunity to test what you have learnt about word processing with LyX so far. Start by selecting the dinletter.lyx template from the templates directory.

A sample letter appears in the editing area of the program. Use data of your own to replace the default text, including the angled brackets. The arrows at the end of the first lines in the Letterhead and Address environments indicate two paragraphs without any vertical whitespace between them. Press [Ctrl+Return] to use this format.

If your letterhead contains more than the three lines allotted in the template, you can adapt it to suit your needs. After completing the letter you can now preview the finished item. To do so, use the View menu, as previously described. If you are satisfied with the results, and would like to keep this document as a template for future letter writing, the right place to save templates of your own making is in the ~/.lyx/templates directory. Make sure that you use a descriptive name that will allow you to find the template easily in the future.

Quo vadis?

In part two of this workshop we will be taking a closer look at the configuration file, ~/.lyx/lyxrc, getting to grips with paragraph environments and text classes, and looking into command shortcuts. Additionally, we will be answering a few questions, such as “How do I create a table of contents?”, and “What are margin notes, references, or footnotes?” ■

GLOSSARY

DVI: Device Independent. The content of this file is composed in a device independent language. You will need a program like xdvi or kdvi to display the file.

WYSIWYG: What You See Is What You Get – i.e. the printer will output what you see in the program window.

Figure 1: A document in the DVI preview

Figure 2: The document from Figure 1 in the WYSIWYM view of the editor

INFO

[1] http://www-cs-faculty.stanford.edu/~knuth/index.htm

[2] Donald E. Knuth. Tau Epsilon Chi, a system for technical text

[3] http://www.ibiblio.org/pub/packages/TeX/info/german/texbuch/

[4] http://www.linux-magazin.de/ausgabe/1998/06/KLyx/klyx.html

[5] http://www.linux-user.de/ausgabe/2000/10/085-klyx/klyx.html


The man in the middle of a network will normally be a proxy. Proxies elevate traffic to the application level where they verify, cache and manipulate it. If you do not need this extended functionality, you might consider using a simple redirector, such as rinetd [1]: Rinetd accepts connections on a specified port and relays them to a pre-defined port on another host. Since there is no need to elevate the traffic to application level, this method is quick and easy on your resources.

Rinetd is available for Linux and Windows; the Linux version is a tarball that weighs in at a mere 35 Kbytes, and is easily extracted and installed using the typical »make; make install« procedure. The redirection rules are stored in the »/etc/rinetd.conf« file, which is not installed automatically – you will have to take care of that yourself.

To provide a simple example, let’s construct a redirector for a web server. We want to redirect the server with the IP 10.0.0.1 to the server at IP 10.0.0.2. The web server is listening on port 80 on both systems. The line in »rinetd.conf« will read:

10.0.0.1 80 10.0.0.2 80

Of course, you can use names instead of IP addresses. If the server at 10.0.0.1 has more than one IP address, and I want the redirection to apply to port 80 for any of the other IPs, there is no need to add a redirection rule for each IP. Instead you can simply type

0.0.0.0 80 10.0.0.2 80

This redirects port 80 for every IP address the server owns to 10.0.0.2.

Allow and Deny Rules

To prevent every connection being redirected, I can use the »allow« and »deny« rules to specify the clients that are allowed or not allowed to use the redirector. The rules preceding the first redirection rule in »rinetd.conf« are global, that is, they apply to all the redirections defined in the file. For example:

allow 192.168.0.*
10.0.0.1 80 10.0.0.2 80
10.0.0.1 22 10.0.0.2 22
1.1.1.1 3128 1.1.1.2 8080

This configuration allows redirection of connections that originate in the 192.168.0.* network. However, if you want to apply this restriction to the first rule only, you must insert the »allow« rule after the redirection rule:

10.0.0.1 80 10.0.0.2 80
allow 192.168.0.*
10.0.0.1 22 10.0.0.2 22
1.1.1.1 3128 1.1.1.2 8080

In this case the last two rules apply to connections from everywhere, but the first rule rejects any connection attempts that do not originate in the 192.168.0.* network.
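The scoping difference between the two configurations above is easy to get wrong, so here is an added example (not part of the original column, and not rinetd's own code) that parses both files and reports which forwards end up open to any source address. It assumes that a matching »deny« always rejects, that a scope with at least one »allow« rejects every non-matching client, and that ports are numeric; the function names and the client address 203.0.113.5 are made up for the illustration.

```python
from fnmatch import fnmatchcase

# The two configurations from the article, verbatim.
GLOBAL_ALLOW = """\
allow 192.168.0.*
10.0.0.1 80 10.0.0.2 80
10.0.0.1 22 10.0.0.2 22
1.1.1.1 3128 1.1.1.2 8080
"""

PER_RULE_ALLOW = """\
10.0.0.1 80 10.0.0.2 80
allow 192.168.0.*
10.0.0.1 22 10.0.0.2 22
1.1.1.1 3128 1.1.1.2 8080
"""


def parse(conf):
    """Return (global_acl, rules); an ACL is a list of (verb, pattern)."""
    global_acl, rules = [], []
    for raw in conf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] in ("logfile", "logcommon"):
            continue
        if fields[0] in ("allow", "deny"):
            if len(fields) != 2:
                raise ValueError("bad access rule: %r" % raw)
            # Before the first forwarding rule the line is global; afterwards
            # it belongs to the most recent forwarding rule only.
            scope = rules[-1]["acl"] if rules else global_acl
            scope.append((fields[0], fields[1]))
        elif len(fields) == 4:
            bind, port, dst, dst_port = fields
            rules.append({"bind": bind, "port": int(port),
                          "target": (dst, int(dst_port)), "acl": []})
        else:
            raise ValueError("unrecognised line: %r" % raw)
    return global_acl, rules


def permits(acl, client_ip):
    """Assumed semantics: deny match rejects; allow list, if any, must match."""
    allows = [p for verb, p in acl if verb == "allow"]
    denies = [p for verb, p in acl if verb == "deny"]
    if any(fnmatchcase(client_ip, p) for p in denies):
        return False
    return not allows or any(fnmatchcase(client_ip, p) for p in allows)


def decide(conf, client_ip, local_ip, local_port):
    """What happens to a connection from client_ip to local_ip:local_port."""
    global_acl, rules = parse(conf)
    for rule in rules:
        # 0.0.0.0 binds every address the host owns, as the article explains.
        if rule["port"] != local_port or rule["bind"] not in (local_ip, "0.0.0.0"):
            continue
        if permits(global_acl, client_ip) and permits(rule["acl"], client_ip):
            return "forward to %s:%d" % rule["target"]
        return "reject"
    return "no matching rule"


def unrestricted(conf):
    """Forwards that no allow rule (global or per rule) restricts."""
    global_acl, rules = parse(conf)

    def has_allow(acl):
        return any(verb == "allow" for verb, _ in acl)

    return [(r["bind"], r["port"]) for r in rules
            if not (has_allow(global_acl) or has_allow(r["acl"]))]


if __name__ == "__main__":
    for name, conf in (("global allow", GLOBAL_ALLOW),
                       ("per-rule allow", PER_RULE_ALLOW)):
        print(name, "-> open to any source:", unrestricted(conf))
        print("  203.0.113.5 -> 10.0.0.1:22:",
              decide(conf, "203.0.113.5", "10.0.0.1", 22))
```

Moving the single »allow« line down by one position leaves the SSH and proxy forwards reachable from any address, which is exactly what `unrestricted()` lists for the second file.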

If you want to know what »rinetd« is up to, you will have to convince the program to write to a logfile by adding another entry to »rinetd.conf«. The entry will be as follows:

logfile /var/log/rinetd.log

The additional »logcommon« line makes »rinetd« write its logs in Common Logfile Format (CLF), which is also used by Apache and Squid (if so configured). This has the added advantage that many programs designed for evaluating logfiles can be used here, since practically any reporting tool can handle CLF files.

While the first report is being generated, you could always watch a mediocre spy film. Who knows – you might learn something. ■

The Sysadmin’s Daily Grind: Rinetd

Man in the Middle

No matter if you’re talking about the protagonist in a mediocre spy movie or a server, you will probably prefer to use a man in the middle, rather than look danger in the eye. BY CHARLY KÜHNAST

THE AUTHOR

Charly Kühnast is a Unix System Manager at a public datacenter in Moers, near Germany’s famous River Rhine. His tasks include ensuring firewall security and availability and taking care of the DMZ (demilitarized zone). Although Charly started out on IBM mainframes, he has been working predominantly with Linux since 1995.

INFO

[1] Rinetd home page: http://www.boutell.com/rinetd


OpenSSH from the Administrator’s Perspective – Part II

Tunnel Vision

The Secure Shell protocol is not only used to provide secure shells, but also to forward other types of TCP connection through a safe tunnel. But you need to get the key length and software version right, to ensure that SSH is really safe – and there are quite a few pitfalls to watch out for when using SSH across firewalls. BY ANDREW JONES

The Secure Shell, SSH – the name promises safety, and has every right to do so. We introduced you to several secure services in the first part of this series [1]. One of the most interesting features is the facility to provide secure tunneling for any TCP protocol. We will be concentrating on that aspect of SSH in this part of the series.

First a word of warning to underline our statement in the intro: The SSH package is only secure if you use an up to date software version – vulnerabilities have been discovered time and again in OpenSSH. The developers have always resolved them in a timely fashion (see http://www.openssh.com/security.html), but obsolete SSH servers are still a security risk.

You can use the scanssh [2] tool to search for obsolete SSH servers. The tool will scan individual hosts or complete subnets for SSH servers, and output the version number. Just pass the IP address and the corresponding subnet mask as arguments when launching the tool. The syntax for a single host is as follows:

scanssh 192.168.10.3/32

Figure 1 shows an example for a complete subnet, where the output contains the version number of the installed servers.

Figure 2 shows scanssh investigating individual hosts and shows that OpenSSH and Ssh.com both use their own software on their webservers. Scanssh does not require root privileges – our only quibble is the fact that the tool does not use host or domain names, and can only locate SSH servers listening on port 22.

Figure 1: The scanssh tool searches for SSH servers, here in the 129.168.10.0/24 subnet, and outputs the exact version

Figure 2: Scanssh investigating the SSH versions installed by the OpenSSH Project and SSH Communications Security on their own web servers

How long does an RSA key need to be?

There was a big scare with respect to the security of SSH and other crypto-programs in the middle of March this year. Surprisingly enough, it was not caused by a software vulnerability. It is claimed that 1024 bit RSA keys can be broken within a reasonable period and using affordable resources. To be more precise, the target was a PGP key, but the problem also affects SSH. Dan Bernstein, the author of the Qmail mail server, published his research into highly specialized parallel computers, designed for factoring integers, in the autumn of 2001 [3]. Afterwards, a discussion on the possible requirement to withdraw 1024 bit PGP keys ensued in the Bugtraq mailing list. Crypto guru Bruce Schneier added a few clarifying statements to settle this issue ([4], [5]). According to Bruce, the following key lengths can be considered as secure until the year 2005:

• Private persons: 1280 bit

• Corporate: 1536 bit

• Government: 2048 bit

Longer RSA keys are just a waste of time, according to Schneier. If you want to take Schneier’s advice, but have been using a default 1024 bit RSA key for SSH so far, you will need to update your key. The following command creates a new RSA key for Version 2 of the protocol:

ssh-keygen -b 1280 -t rsa \
  -f ~/keynew/id_rsa \
  -C "1280 bit key for webmaster"

The RSA keypair (id_rsa and id_rsa.pub) with a key length of 1280 bits is written to the ~/keynew/ directory. You can use the -f flag to specify a target directory, if you want to avoid overwriting the existing keys under ~/.ssh/. The -C option adds a comment to the Public Key; however, this is used only to distinguish the key more easily, and has no influence on functionality.
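To find out which existing keys fall short of the lengths quoted above, the modulus size can be read straight from the public key line. The following added example (not from the original article or from OpenSSH) decodes the ssh-rsa blob of an id_rsa.pub style line and compares it with those thresholds; the two sample keys are constructed inline and are cryptographically meaningless, and the function names are made up for the illustration.

```python
import base64
import struct

# Minimum RSA key lengths quoted in the article ("secure until the year 2005").
MIN_BITS = {"private": 1280, "corporate": 1536, "government": 2048}


def _read_string(blob, offset):
    """Read one length-prefixed SSH field; return (data, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end


def rsa_bits(pubkey_line):
    """Return the modulus size in bits of one ssh-rsa public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, offset = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside the blob does not match")
    # The blob holds the public exponent first, then the modulus.
    _exponent, offset = _read_string(blob, offset)
    modulus, offset = _read_string(blob, offset)
    # A leading zero byte keeps the number positive; bit_length() ignores it.
    return int.from_bytes(modulus, "big").bit_length()


def audit(pubkey_lines, audience):
    """Return (comment, bits, ok) per key, judged against MIN_BITS[audience]."""
    required = MIN_BITS[audience]
    report = []
    for line in pubkey_lines:
        bits = rsa_bits(line)
        comment = " ".join(line.split()[2:])
        report.append((comment, bits, bits >= required))
    return report


def _field(data):
    return struct.pack(">I", len(data)) + data


def make_sample_key(bits, comment):
    """Constructed sample: valid encoding, but the modulus is not a real key."""
    modulus = (1 << (bits - 1)) | 1
    parts = [b"ssh-rsa"]
    for value in (65537, modulus):
        # One extra byte guarantees the top bit of the encoding is clear.
        parts.append(value.to_bytes(value.bit_length() // 8 + 1, "big"))
    blob = b"".join(_field(p) for p in parts)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


# Constructed sample input standing in for the contents of two .pub files.
SAMPLE_KEYS = [
    make_sample_key(1024, "old default key"),
    make_sample_key(1280, "1280 bit key for webmaster"),
]

if __name__ == "__main__":
    for comment, bits, ok in audit(SAMPLE_KEYS, "private"):
        print("%-28s %5d bit  %s" % (comment, bits, "ok" if ok else "too short"))
```

Feeding it the lines of real .pub files instead of SAMPLE_KEYS gives a quick inventory of keys that still need to be regenerated.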

Tunneling: Forwarding TCP Ports

In addition to its original task of allowing secure remote logins, SSH can be used to secure almost any other protocol. Port forwarding allows you to relay TCP ports through the secure SSH connection. In this scenario SSH plays a similar role to a proxy, receiving connections at one end of the SSH channel and relaying them to the servers at the opposite end.

SSH can perform two port forwarding variants: Local port forwarding and remote port forwarding. Local port forwarding is what you will need in most typical circumstances.

In this case, a connection that reaches a local (client-side) port is forwarded across the secure SSH channel to a port on a remote server. You could also describe this technique as an egress tunnel. The syntax for this command is quite simple:

ssh login@remote_host -L local_port:remote_host:remote_port

You can use forwarding to open up a secure POP3 connection to your mailbox, for example – in Part 1 of our series on OpenSSH [1] we already mentioned the potential vulnerability of POP3. After all, the POP client transmits the POP password to the server in the clear, which makes it easy to steal the password off the wire. To avoid this, you can of course tunnel the POP3 connection through SSH, even if your provider does not offer POP SSL:

ssh [email protected] -C -L 25025:pop.remote.com:110

Now, if we are so bold as to telnet localhost 25025, we can view the banner issued by the remote POP3 server. It works – and you don’t need to be root. All you need to do now is to set the POP client to localhost and port 25025, to allow it to poll mail as usual.

Figure 4 illustrates this procedure: The SSH command opens a normal SSH connection to the server, pop.remote.com, and also opens the tunnel. This forward will then remain active while you are logged on.

If a POP3 client (or a telnet command) now requests port 25025 on the client (i.e. on localhost), the SSH client will answer the connection request. SSH opens port 110 server-side and forwards any data.

You can also use a similar forward to secure the connection to a Webmin server (see the Boxout “Webmin Configures SSH Server”):

ssh [email protected] -C -L 33337:admin.remote.com:10000

Now the browser can talk to the Webmin server via the tunnel on https://localhost:33337/.

Lots of TCP based services can be forwarded and tunneled in this way – SMTP, IMAP, LDAP, or NNTP, but not FTP. FTP uses both a control channel and a data channel, whose ports are negotiated within the control channel. So, although it is trivial to secure the control channel, the data channel will still be in the clear. SSH provides scp and sftp as replacements.

Forwarding for Arbitrary Hosts

The kind of forwarding we have looked at so far relied on the hosts at both ends of the SSH connection having the application client and server software installed. But all of the programs involved, the application client, the SSH client, the SSH server and the application server, could equally run on a host of their own. So forwarding can involve up to four hosts for a single instance.

This kind of off host forwarding can be used to create unusual network connections and SSH tunnels; however, keep security in mind when you are planning practical implementations. For one thing, only the connection between the SSH client and the SSH server is secured, and an attacker with access to the local port, but not to the target port on the server, can always use the tunnel to access a service that would normally be inaccessible.

To mitigate this danger, OpenSSH by default only allows connections from the local host to the forwarded port, although you can use the -g switch to change the default behavior. A sensible, practical application for off host forwarding would be a connection to a server where the user does not have an SSH account. In this case the user will need

53www.linux-magazine.com November 2002

SYSADMINOpenSSH: Part II

Figure 3: The Web-based administration program, Webmin, provides a module for configuring SSHserver. However, you will need to put some thought into this (see boxout)

scenario from the viewpoint of the TCPclient application. If the TCP clientapplication is local to the SSH clientmachine, local forwarding is the rightoption. If it is running on the remote SSHserver machine, you should opt forremote port forwarding.

Not Always All PortsOpenSSH permits TCP forwarding bydefault, and allows any free local andremote ports above 1024. Root isadditionally permitted to forward localprivileged ports below 1024.

A user with a genuine SSH login canalso achieve the same goal without anysupport from SSH, using Netcat, (nc), forexample. To do so, the user would needto connect a Netcat server and a Netcatclient via an SSH shell pipe. TheAllowTcpForwarding no directive in theserver configuration file, sshd_config, isthus only partially effective.

Through the FirewallOne of the more interesting tasks for TCPforwarding involves transparently tun-neling protocols through a firewall whichpermits SSH. A homeworker might needaccess to data stored on an Intranet webserver, for example, although the serveris only accessible on the company’sinternal LAN. A firewall prevents accessfrom outside, but permits SSH logins onthe gateway. Let us assume that thefollowing computers are involved:• Home desktop hd• Office desktop od• Gateway gw• Internal web server wsThe user runs the following commandon his home desktop:

ssh gw_login@gw -L 2001:ws:80

This opens an SSH session to gw, and atthe same time forwards the local port2001 to TCP port 80 (HTTP) on theinternal web server ws via the SSHchannel. This assumes that port 2001 onthe local machine has not already beenassigned to another service. Now theLAN web server can be accessed fromthe home desktop using the followingURL: http://localhost:2001.

This variant is risky. Any user loggedon to hd can use the open port, providedthe tunneled session to gw is active. Ifthe user also used the -g flag, port 2001on hd will also be accessible to otherhosts. If you cannot trust your users, youshould be careful here, otherwise youmight find them poking holes in yourfirewall. But it would be wrong to blameSSH for this: Any connection that goesthrough your firewall can be misused totunnel other protocols.

SSH on SSHKeeping to our home office example,let’s assume that an employee would liketo be able to log on to her office desktop

54 November 2002 www.linux-magazine.com

an SSH server with a secure connection to the POP3 server in the vicinity of the target server. This might be the case if both servers are in the demilitarized zone behind a firewall, but the user requires remote access to the network:

ssh [email protected] -C -L 25025:pop.remote.com:110

The forward is illustrated in Figure 5: An SSH tunnel is established between the client and ssh.remote.com. The mail client connects to its local port 25025. This connection is accepted by the SSH client, and the SSH server then provides the counterpart on port 110 between ssh.remote.com and pop.remote.com. Only the connection between the client and the SSH server is encrypted; a standard TCP connection is established between the SSH server and the POP3 server. From the viewpoint of the POP3 server, the connection originates from ssh.remote.com and not the client.

Reverse Forwarding

Remote port forwarding is the exact opposite of local port forwarding: The connection request is for a port on the host running the SSH server. Data is forwarded via the SSH channel to the client, where it is sent to an arbitrary port. You could also regard this as an ingress tunnel. The syntax is as follows:

ssh login@remote -R remote_port:local_host:local_port

To determine what kind of port forward you need, you need to look at the


Figure 4: Local forwarding means that SSH will forward a connection that enters the client on port 25025 through the tunnel to the server, where it reaches its target, port 110. [Diagram: the mail client on the client machine connects to port 25025; the SSH tunnel carries the connection to port 110 of the POP3 server pop.remote.com; command shown: ssh -C -L 25025:pop.remote.com:110 [email protected]]

Listing 1: Allowing SSH to the Firewall

# SSH port
export SSH="22"
[...]
# Drop policy
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
[...]
# Rules for SSH access to the gateway
$IPTABLES -N ssh_gate
$IPTABLES -A INPUT -p tcp -m state --state NEW -d $EXT_IP --dport $SSH -j ssh_gate
# Gate should permit outgoing and ingoing SSH (to the LAN)
$IPTABLES -A OUTPUT -p tcp -m state --state NEW --dport $SSH -j ssh_gate
$IPTABLES -A ssh_gate -j ACCEPT
[...]
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

using her home office desktop. An SSH connection in an SSH tunnel provides an elegant and secure solution:

ssh gw_login@gw -L 2002:od:22
ssh od_login@localhost -p 2002

The first command opens up a tunnel from the local port 2002 to the gateway gw, which forwards this connection to the SSH port, 22, on od. The second command uses this tunnel to connect to port 2002 on localhost (option -p), thus creating an SSH on SSH connection.

Alternatively, the homeworker could log on to gw and move on to od from there. This solution would mean the user storing her SSH key on the gateway, enabling a forwarding agent, or using a normal password. The SSH on SSH method avoids this. The gateway has no access to the data being forwarded: hd is directly connected to od via the tunnel, and this means that the user will be working with her account on od.

From the viewpoint of the tunneled connection it does not matter whether NAT (Network Address Translation) is involved; even multiple NAT will not cause any problems.

A Backdoor to Your Own Network

Let’s look at another example that seems to be more complex at first: The user does not have a login on the gateway, and the firewall prevents her from connecting to the internal network. In this case remote port forwarding can provide a backdoor to the corporate network. The home desktop will need access to the Internet, and must be able to accept external SSH logins. The user must know the external IP address of her home desktop, but this should not be too difficult to determine, even for a dynamic IP address, in the light of services such as DynDNS. The user then enters the following command on her office desktop:

ssh hd_login@hd -R 2003:od:22

Instead of terminating this login, the user then leaves the tunnel open (see Figure 6). When home, she can use the tunnel to log on to her office desktop:

ssh od_login@localhost -p 2003

If the corporate gateway does not permit outgoing SSH connections for some reason, the user can simply have her SSH server on hd listen to a permitted port; port 80 looks promising in this case. This just goes to show how easy it is for users to poke holes in your firewall, if they really want to, of course. As soon as you open any port, users can tunnel through it. Of course, this normally means contravening corporate regulations, so if you want to keep your job, you should be very careful about tunneling, and seek prior authorization from your admin.

In the context of port forwarding the options -N and -f can be quite useful: -N prevents SSH from running commands server-side, and allows only the specified ports to be forwarded. -f sends the SSH client into the background, after authentication has been completed, i.e. after the user has entered her password or passphrase.
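An audit of running SSH clients for the forwards discussed above, as an added example that is not part of the original article: it parses `ps -eo user,pid,args` output and classifies each -L/-R forward by who can reach the listener. The sample process lines, the user names and the risk labels are constructed for illustration.

```python
import shlex

# ssh(1) options that take an argument (assumed list for a current OpenSSH
# client; extend it if your version has more).
OPTS_WITH_ARG = set("BbcDEeFIiJLlmOopQRSWw")
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}


def split_spec(spec):
    """Split [bind_address:]port:host:hostport on ':' outside [IPv6] brackets."""
    parts, buf, depth = [], "", 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    if len(parts) == 3:
        return (None, *parts)
    if len(parts) == 4:
        return tuple(parts)
    return None  # socket paths and port-only forms are out of scope here


def parse_ssh_args(argv):
    """Return (flags, forwards) for one ssh client command line."""
    flags, forwards, seen_dest, i = set(), [], False, 1
    while i < len(argv):
        tok = argv[i]
        i += 1
        if not tok.startswith("-") or tok == "-":
            if seen_dest:
                break  # everything from here on is the remote command
            seen_dest = True  # options may still follow the destination
            continue
        j = 1
        while j < len(tok):  # walk bundled flags such as -fN
            opt = tok[j]
            j += 1
            if opt not in OPTS_WITH_ARG:
                flags.add(opt)
                continue
            arg = tok[j:]  # "-L2001:ws:80" form
            if not arg and i < len(argv):  # "-L 2001:ws:80" form
                arg = argv[i]
                i += 1
            if opt in "LR":
                forwards.append((opt, arg))
            break
    return flags, forwards


def audit(ps_lines):
    """Classify every -L/-R forward found in `ps -eo user,pid,args` output."""
    findings = []
    for line in ps_lines:
        user, pid, args = line.split(None, 2)
        argv = shlex.split(args)
        if argv[0].rsplit("/", 1)[-1] != "ssh":
            continue  # sshd and unrelated processes are not clients
        flags, forwards = parse_ssh_args(argv)
        for kind, spec in forwards:
            parsed = split_spec(spec)
            if parsed is None:
                continue
            bind, port, host, hostport = parsed
            if kind == "R":
                # Listener lives on the SSH server; its reach depends on the
                # server's GatewayPorts setting, which is not visible here.
                risk = "inbound-tunnel"
            elif bind is None:
                risk = "open-to-network" if "g" in flags else "loopback-only"
            else:
                risk = "loopback-only" if bind in LOOPBACK else "open-to-network"
            findings.append({"user": user, "pid": int(pid), "kind": kind,
                             "listen_port": int(port),
                             "target": f"{host}:{hostport}", "risk": risk})
    return findings


# Constructed sample input; the forwards are the ones used in the article.
SAMPLE_PS = [
    "anna 4021 ssh gw_login@gw -L 2002:od:22",
    "bob  4188 ssh -g -N -f gw_login@gw -L 2001:ws:80",
    "anna 5230 ssh hd_login@hd -R 2003:od:22",
    "carl 7001 ssh -N -L 0.0.0.0:8080:ws:80 gw_login@gw",
    "anna 5300 ssh od_login@localhost -p 2002",
    "root  611 /usr/sbin/sshd -D",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PS):
        print(finding)
```

Forwards configured in ~/.ssh/config do not appear on the command line, so a process audit like this one complements, but does not replace, a check of listening sockets. Even a "loopback-only" listener is reachable by every user logged on to that machine, as the article points out.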

Special Cases: X11

X11 forwarding involves a special kind of SSH port forwarding. X11 always uses a network protocol. Even if the graphic output of a program running on the local machine is displayed on a local monitor, data have to be transferred between the client and the server.

The X11 server is responsible for the screen display in this case, and it also


Figure 5: SSH can also relay TCP connections to a server running on a machine without the SSH daemon. The connection between ssh.remote.com and pop.remote.com is not secure in this case. [Diagram: the mail client on the client machine connects to port 25025; the SSH tunnel ends at ssh.remote.com, which connects to port 110 of the POP3 server pop.remote.com; command shown: ssh -C -L 25025:pop.remote.com:110 [email protected]]

Configuring SSH Servers via Webmin

The first article on OpenSSH [1] discussed the configuration of sshd amongst other things. If you prefer GUI based admin tools, you can use the corresponding Webmin module [6]. Webmin writes modified settings directly to the server configuration file /etc/ssh/sshd_config. Figure 3 shows you what Webmin’s SSH module looks like.

If you intend to use Webmin, you should be aware that this tool consists of a large number of Perl CGI scripts that are accessible on port 10000 (TCP and UDP) of the Webmin server. To achieve a modicum of security, you will need to enable SSL encryption in your Webmin configuration; this will ensure that your login, password, and the changes you make in Webmin are not transmitted in the clear.

Also be aware that the Webmin distribution uses a 512 bit RSA key and a self-signed certificate for SSL. Of course, the certificate is not assigned to your own server. But the fact that anybody downloading the package will be aware of the purportedly secret key is probably worse. In other words, it does not really matter that the key length is insufficient. You would need your own SSL key and your own server certificate, or an SSH tunnel, to provide genuine security.

~/.bashrc can prove to be another pitfall. Some of these scripts attempt to set the $DISPLAY variable, without being aware of SSH. They may even overwrite the correct settings and this could cause some surprises if the X11 client talks directly to the X11 server, and simply ignores the tunnel, although SSH and X11 forwarding have been enabled.

After fulfilling the conditions for X11 forwarding, you can run any X11 program on the remote computer. The SSH tunnel forwards the display to the local display and encrypts the data transmission. When dealing with SuSE servers with Yast 2, or Mandrake hosts with DrakConf, admins can use this method for secure remote administration via an SSH tunnel.

Configuring a Firewall for SSH

We have already mentioned how a user can undermine a firewall using a tunnel. But no security conscious admin would want to attach her computer to the Internet without a firewall. The firewall is often the Internet gateway for an internal LAN configured with private IP numbers (RFC 1918).

Our task is to configure the firewall to allow an SSH login on the firewall host, and to provide access to the servers in a DMZ or on the LAN from that point. Listing 1 shows how you can use the firewall subsystem of the Linux 2.4 kernel to do so; it illustrates only the relevant sections of the iptables rules.

This set of rules uses a DROP policy for INPUT, OUTPUT and FORWARD. By default, the kernel will not permit any IP packets to enter or leave the computer, and will not forward any either. Interfaces, IPs and ports must be specified explicitly – i.e. the basic principle, “anything not explicitly permitted is denied”, applies. This policy will not even allow connections to a host loopback device without explicit permission.

An INPUT rule allows SSH connections to the gateway via the external interface. An OUTPUT rule allows SSH logins via the gateway to computers on the LAN or in the DMZ. These rules do not permit you to log on directly to any internal computer. The last line in Listing 1 allows the kernel to recognize the packets belonging to a permitted connection and also permit them. This kind of statefulness became available with the network stack of the 2.4 kernel.

For more detailed information you might like to refer to the commented iptables scripts produced by Bob Sully [7], or to man iptables, and the iptables HOWTOs [8]. ■


reads keyboard and mouse input. X11 clients are programs that use X11 for their input and output. X11 servers normally listen on port 6000. If a computer has more than one screen, keyboard, and mouse, additional X11 servers will use ports 6001 upward. The client program reads the environment variable $DISPLAY to discover what server it should display on.

If you can access an X11 server, you can display an X11 client on that server; however, you can also grab screenshots or sniff keyboard events. So without additional security measures X11 would be a security nightmare.

But rest assured, X11 uses an authentication system of its own. MIT Magic Cookies are the most common implementation in this area. Since you need authentication, a port forward alone is not sufficient for X11. So SSH provides a mechanism that allows you to relay the graphic output of a remote computer to your local display. This mechanism handles X11 authentication, sets the $DISPLAY variable when you log on, and forwards the connection through the tunnel.

Several conditions must be met. The configuration file for the remote SSH server, sshd_config, must contain the lines X11Forwarding yes and a directive of the type X11DisplayOffset 10.

On the SSH client side, you will need to run an X11 server and enable X11 forwarding, for example, by using the SSH option -X or ForwardX11 yes in /etc/ssh/ssh_config or ~/.ssh/config.

The profile files on the remote computer, for example, ~/.profile or


Figure 6: SSH tunnel: od first connects to hd and then opens a tunnel via reverse port forwarding, allowing hd to open a second SSH connection in the opposite direction to od. [Diagram: od (SSH client) behind the firewall connects to port 22 of hd (SSH server); the SSH tunnel provides port 2003; command shown: ssh hd_login@hd -R 2003:od:22]

INFO

[1] “Out of Sight: OpenSSH from the Administrator’s Perspective”, Linux Magazine Issue 24
[2] Scanssh: http://www.monkey.org/~provos/scanssh/
[3] Daniel J. Bernstein: “Circuits for Integer Factorization: A Proposal”: http://cr.yp.to/papers/nfscircuit.ps
[4] http://www.counterpane.com/crypto-gram-0204.html#3
[5] http://www.counterpane.com/crypto-gram-0203.html#6
[6] Webmin SSH module: http://www.webmin.com/download/modules/sshd.wbm
[7] IPtables scripts by Bob Sully: http://www.malibyte.net/iptables/scripts/fwscripts.html
[8] HOWTOs for IPtables: http://www.digitaltoad.net/docs/iptables-HOWTO-1.html

THE AUTHOR

Andrew Jones is a contractor to the Linux Information Systems AG (http://www.linux-ag.com) in Berlin. He has been using Open Source Software for many years. Andrew spends most of his scarce leisure resources looking into Linux and related Open Source projects.


You will also need to decide who will manage what records in the LDAP directory. One possibility would be to allow the users to keep their own records up to date. However, the administrator could just as easily assign this task to trained staff, possibly from the personnel department. Whatever approach you take, you will need to ensure that the procedures you implement allow you to maintain consistency for new and existing data.

A toolkit is no improvement if it allows users to let the LDAP directory go haywire, preventing even the administrator from keeping track of the status of the records. And this is why the introduction of an LDAP toolkit should be modelled on your administrative processes. If not, the introduction of an interface for data maintenance is doomed to failure. It should be obvious that models of this kind do not lend themselves to quick and dirty implementations.

After setting up an LDAP directory in a production environment one of the first questions that arises will probably concern options for effective management. As a system administrator you may soon find yourself demoted to the personnel department’s gopher when user phone extensions or addresses need to be modified. That is definitely not what you had in mind when you applied for the admin job – and probably not what your employer had in mind either.

You will often find admins purchasing expensive toolkits in order to cope with the administration of a directory service, but why buy tools if you are working with an Open Source directory service such as OpenLDAP [1]? This is the question we will be attempting to answer in this article using several Open Source solutions as examples.

Toolkits must be able to provide several fundamental capabilities:

• Delegation: The tools will need the ability to delegate management of the directory service, and any tasks this involves, to administrative roles.

• Usability: The toolkit must be useable by inexperienced users. You should not need to be an expert to change a record.

• Management: The solution must be easily maintainable for the sysad and provide understandable core functions.

Without a well planned management concept and suitable administration tools any LDAP directory is surely heading for chaos. This article investigates the options for optimizing administrative approaches using only freeware tools. VOLKER SCHWABEROW

Comparison of LDAP Clients under Practical Conditions

Admin’s Little Helpers

SYSADMIN LDAP-Clients


Web Interfaces

The Web interface is a typical method for administration, the advantage being that users can access their own records, no matter what platform they use. Web interfaces provide a similar level of functionality to native applications, since the functionality of a fat client can be implemented almost entirely using Web programming languages.

Gonicus – a company that rose like a tiny phoenix from the ashes of ID-Pro – recently placed a tool called Gosa on their website [3]. Gosa is a Web application based on the PHP [2] programming language.

Although you can transfer the administration of multiple network services to a directory service, you may not be able to use a common interface. This is the gap that Gosa attempts to fill.

Gosa was developed as an add-on to Gonicus’ own thin client project, Goto. Gosa’s strength is user and group management for Posix accounts, Samba, Squid and Qmail. If you are not using Samba or Qmail in a given network, it does not make much sense to install and run Gosa. Additionally, an nss_ldap server link should be in place.

Installation and Configuration of Gosa

After downloading the current Gosa package from the FTP server, you will probably want to use the /opt directory to expand the package. You will find a tar-gzip file containing schema for Gonicus’ own applications in /opt/gosa/contrib. You will also need to expand the schema and copy the Gonicus directory that this action creates to /etc/openldap/schema.

The qmail.schema file contains the schema for the Qmail-LDAP interface that also needs to be moved to the /etc/openldap/schema directory. At this point the *.schema files need to be imported into your OpenLDAP server’s schema. To do so, use an include statement in the slapd.conf file. Listing 1 shows you the order in which to add the schemas. If you are adding additional schemas to your LDAP server, you will probably want to change this order.

The next step is to define the Access Control Lists recommended for Gosa (see Listing 2) in the slapd.conf file. Pay attention to the comments in the lines starting with hash signs. The ACLs must reference the distinguished name of the LDAP admin account.

Finally, you will need to set up a Posix account for the administrator of your directory. If you have already set up some Posix accounts on your directory server, you can simply point to the distinguished name of an existing account. If not, use a short LDIF file to set up the Posix account on your directory server, as follows:

dn: uid=myadmin,dc=myname,dc=com
objectClass: top
objectClass: posixAccount
homeDirectory: /root
userPassword: secret
loginShell: /bin/false
# uid must carry the value used in the RDN (uid=myadmin)
uid: myadmin
cn: admin
uidNumber: 501
gidNumber: 501

Use ldapadd -x -D "cn=Manager,dc=domain,dc=com" -W -f filename.ldif to add this to the directory and complete the configuration steps for your directory server.

Our last step is to install the PHP scripts that will install Gosa on the web

Figure 1: Gonicus’ freeware tool, Gosa, immediately following installation

Listing 1: Schema File Order

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/qmail.schema
include /etc/openldap/schema/gonicus/gohard.schema
include /etc/openldap/schema/gonicus/goto.schema
include /etc/openldap/schema/gonicus/goaccount.schema
include /etc/openldap/schema/gonicus/gofirewall.schema
include /etc/openldap/schema/gonicus/gofax.schema

Figure 2: The Gosa user interface from the viewpoint of the administrator


procedure which we were only able to resolve by modifying the PHP scripts.

Work is still in progress on improving the universal appeal of the project. According to Linux Magazine sources, a new version is due to be released shortly and the folks at Gonicus claim that it will be easier to adapt to third-party tasks than the current version.

Using Webmin Plugins to organize LDAP

The well-known Webmin [4] tool offers a variety of administrative functions for Linux servers. Several third-party modules are available to enhance the functionality of Webmin and one of them is the LDAP Users Admin Module [5]. The ldap-users module is easy to install

server. You can either create a relative link in the Apache configuration file, httpd.conf, or copy your Gosa root to the root directory of your web server. Now, Gosa should really be ready to go at this point – if it wasn’t for those pesky bugs and issues.

First Impressions Spoilt by Weaknesses

For example, when you modify a user, the corresponding LDAP record is first deleted, and then reinstated. This is by no means a perfect solution, because an error could mean losing the account entirely. The PHP programming language actually includes a statement for just such a task, ldap_modify, but Gosa does not use it.

The Gosa developers’ solution for checking privileges is also slightly cumbersome. To check the role assigned to a user, the program attempts to add a user account called admincheck to the directory when the user logs on. If this works, the user is an administrator from Gosa’s point of view. If it does not work, possibly because the account already exists, you may find your admin account being degraded to a normal user – this is an unnecessarily complicated and dangerous system. Conclusion: Gosa is headed in the right direction, but the project itself is tied to other projects under development by Gonicus.

Users who prefer modular software may be disappointed by this product, as it can hardly be classified as a stand-alone toolkit. There are several issues involving the Gosa installation

Figure 3: It is easy to install an additional Webmin module

Figure 4: A sample ldap-users configuration

Listing 2: ACLs for Gosa

# DN must reference the DN of the Directory Management
# Account.
access to attribute=deliveryMode
    by dn="cn=Manager,dc=myname,dc=com" write
    by self write
    by * read

# DN must reference the DN of the Directory Management
# Account.
access to attribute=mailForwardingAddress
    by dn="cn=Manager,dc=myname,dc=com" write
    by self write
    by * read

# DN must reference the DN of the Directory Management
# Account
access to attribute=mailReplyText
    by dn="cn=Manager,dc=myname,dc=com" write
    by self write
    by * read

# The DN can point to an existing
# POSIX object in this case, Admin for example.
# This DN is used to manage the Gosa solution itself.
access to *
    by dn="uid=myadmin,dc=myname,dc=com" write
    by * read


Traditional: Native LDAP Client Programs

Besides the Web browser based administration you can also opt for the traditional method and try a native graphic interface. Native tools may be quicker in comparison to generic solutions, but you will have the disadvantage of having to select a single operating system. (Neither of these statements applies to Java programs, of course.) There are several Linux applications of this type that permit more or less professional administration of your LDAP directories.

Figure 6: The LDAP Browser/Editor by Jarek Gawor provides a range of features comparable to commercial LDAP-Clients

via the active Webmin interface. To do so, just run Webmin Configuration in the main menu and then call Webmin Modules (see Figure 3). After selecting Install Module from File you can then configure the module – configuration normally takes place immediately after selecting the new module.

You can start using the user interface immediately after these steps (see Figure 4). The interface provides quick and easy access to the attributes of any Posix object, and also allows you to create new users, although these features are unfortunately not available for groups.

In addition to the LDAP user administration you can also use Webmin to administer the OpenLDAP server. The plug-in is called OpenLDAP, for want of a better name, and is available from [6]. The module is also available for older OpenLDAP versions. The module for version 2 is called openldap2-X_X.wbm. The installation procedure is similar to the one used for the LDAP Users Admin Module, and can be accessed via Webmin’s Servers menu. In addition to configuring Access Control Lists you will hopefully be able to modify and create object classes in future versions. An option for maintaining server attributes is now available.

Conclusion: It is easy to configure an OpenLDAP server using Webmin and LDAP modules. You can also delegate daily administrative tasks. If you already use Webmin, you will immediately feel at ease with the LDAP modules, as the look and feel of other modules is apparent.

One important pre-condition for all the programs described in this article is the ability to delegate administrative functions via Access Control Lists on the directory server itself. In the case of OpenLDAP the access rule is recommended for this purpose, as it can be defined for any user attribute. The following listing provides an example based on OpenLDAP:

# All users are allowed to
# maintain their own records
# Other users have read-only
# access.
access to *
    by self write
    by * read
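The rule above, run through a small model of how slapd picks an access level, as an added example that is not from the article or from OpenLDAP: it shows that the rule lets anyone read userPassword and lets users rewrite their own uidNumber, and how more specific clauses placed first change that. The evaluator, the sample DNs and the hardened rule set are assumptions made for illustration.

```python
# Minimal model of slapd access evaluation (added example, not OpenLDAP code).
# Assumed semantics: the first "access to" clause whose attribute list matches
# is used; inside it the first matching "by" wins; every clause ends with an
# implicit "by * none".
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def norm(dn):
    """Compare DNs case-insensitively and ignore spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def who_matches(who, requester, entry):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if requester is None:
        return False
    if who == "self":
        return norm(requester) == norm(entry)
    return norm(requester) == norm(who)  # by dn="..."


def granted(acl, requester, entry, attr):
    """Return the access level the requester gets on entry/attr."""
    for attrs, by_clauses in acl:
        if attrs != "*" and attr.lower() not in [a.lower() for a in attrs]:
            continue
        for who, level in by_clauses:
            if who_matches(who, requester, entry):
                return level
        return "none"  # implicit trailing "by * none"
    return "none"


def allowed(acl, requester, entry, attr, wanted):
    return LEVELS.index(granted(acl, requester, entry, attr)) >= LEVELS.index(wanted)


# The article's delegation rule: access to * by self write by * read
PAGE_ACL = [("*", [("self", "write"), ("*", "read")])]

# Hardened variant (assumption). slapd.conf equivalent in current syntax:
#   access to attrs=userPassword by self write by anonymous auth by * none
#   access to attrs=uidNumber,gidNumber,homeDirectory,loginShell
#          by dn="cn=Manager,dc=myname,dc=com" write by * read
#   access to * by self write by * read
MANAGER = "cn=Manager,dc=myname,dc=com"
HARDENED_ACL = [
    (["userPassword"], [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (["uidNumber", "gidNumber", "homeDirectory", "loginShell"],
     [(MANAGER, "write"), ("*", "read")]),
    ("*", [("self", "write"), ("*", "read")]),
]

ALICE = "uid=alice,dc=myname,dc=com"  # constructed sample entries
BOB = "uid=bob,dc=myname,dc=com"


def report(acl):
    """Answer four questions an admin should ask of a delegation rule."""
    return {
        "anonymous_reads_password": allowed(acl, None, ALICE, "userPassword", "read"),
        "other_user_reads_password": allowed(acl, BOB, ALICE, "userPassword", "read"),
        "user_changes_own_uidNumber": allowed(acl, ALICE, ALICE, "uidNumber", "write"),
        "user_changes_own_phone": allowed(acl, ALICE, ALICE, "telephoneNumber", "write"),
    }


if __name__ == "__main__":
    for name, acl in (("article rule", PAGE_ACL), ("hardened", HARDENED_ACL)):
        print(name, report(acl))
```

With Posix accounts resolved through nss_ldap, a user who can write her own uidNumber can give herself another user's identity, which is why the hardened variant takes the account attributes out of self-service.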

LDAP Browsers/Editors

If users in large companies are to be allowed to maintain their own data, an interface that depends on the user's client platform can cause you headaches. Java based GUIs are one solution. Although the language is not exactly famous for its graphic output speed, it will at least run on most platforms. The LDAP Browser/Editor [8] by Jarek Gawor, who works for Chicago University, is just one example of a Java program. The current version of the tool, 2.8.1, requires the Java Runtime Environment 1.2.2 or newer, and is fairly stable on systems with at least 128 Mbytes of RAM. The flexibility of the Java GUI is comparable to that of commercial LDAP clients – which makes this tool a must for people who normally use native LDAP client software (see Figure 6).

Figure 5: OpenLDAP Webmin modules for administering OpenLDAP servers

Figure 7: The Gnome Directory Administrator Tool includes wizards


on initially launching the program (Figure 7) and can be used to create a connection profile. If everything works out okay, you will be able to view the users and groups stored in your directory (Figure 7). The interface can also perform tasks such as assigning users to groups, and it is extremely flexible with respect to storing user accounts and groups in OU hierarchies.

Conclusion: If you are managing the users and groups of a department in an organizational structure, the Directory Administrator is a good choice. The tool will perform tasks such as creating users, or defining a user’s Samba shares, quickly and easily.

GQ and KdirAdm

There are numerous alternatives to the tools already discussed. GQ [9], for example, is an LDAP client for the Gtk environment that is comparable to the LDAP browsers already discussed in most respects, as it allows you to manage the objects in your directory. Another lookalike is KdirAdm [10].

Conclusion: useful for simple cases

Depending on their quality and the individual application you have in mind, the Open Source directory management tools that we have introduced in this article may (or may not) be useful to an administrator. Many of the tools tend to introduce too many levels to what are in effect simple administrative concepts.

The interface allows easy moving, manipulation and copying of directory objects. In addition to standard functionality, the LDAP Browser/Editor can also export data to the LDAP Data Interchange Format, LDIF. This allows you to export a complete LDAP tree in a matter of seconds.

This approach is useful for creating backups and equally so for migration tasks. The interface uses templates to create new entries. The administrator can use a simple template to define the required attributes, and that can be a big help if you are defining custom objects.

Conclusion: A universal and OS independent interface, such as the browser programmed by Jarek Gawor, is a good thing to have around for those daily maintenance tasks, although performance could be better. Most administrators will appreciate a quality tool such as this – especially as it comes for free.

Directory Administrator

A number of LDAP GUIs are available for the Gnome desktop. One of them is the Directory Administrator, which is mainly suitable for user administration. The website [9] offers RPM binary archives for Mandrake 8.2 and Red Hat Linux 7.3, so you will need the source archives for any other OS. After expanding the archive you can follow standard procedure to compile and install the sources: ./configure; make; make install.

A wizard is available to the admin user

Figure 8: Making the Administrator’s life simple: All the groups and users are visible at a single glance with Directory Administrator

THE AUTHOR

Volker Schwaberow is a technology consultant for RAG INFORMATIK GmbH in Gelsenkirchen, Germany, and started looking into Linux and associated topics in 1995. The author’s hobbies are reading, listening to music and programming in C/C++, Java, Perl, and PHP.

It is also vital that you restrict access to the directory via ACLs. As an administrator you can base your choice of tool on the task in hand, although this may make life difficult for you when you first attempt to draw up an implementation plan.

Statistical evaluation is probably the best way to handle this. Statistics will help you determine whether you can safely delegate a wide range of administrative tasks.

As in many other cases the approach, and the results, will only be as good as your advanced planning. Your only option at this stage will normally be to create a list of mandatory administrative tasks and check whether one of the tools we discussed is suited to them.

A combination of tools may even prove to be your best option for simplifying your daily workload. You might consider using a Web interface that allows your users to modify their own personal data and passwords, but provide a native graphic frontend for the administrator. ■

INFO

[1] OpenLDAP: http://www.openldap.org
[2] PHP: http://www.php.net
[3] Gonicus: http://www.gonicus.de
[4] Webmin: http://www.webmin.com
[5] LDAP Users Admin: http://ldap-users.sourceforge.net
[6] OpenLDAP Webmin Module: http://gaia.anet.fr/webmin/openldap
[7] Directory Administrator: http://diradmin.open-it.org/index.php
[8] LDAP Browser/Editor: http://www.iit.edu/~gawojar/ldap
[9] GQ for Gtk: http://biot.com/gq/
[10] KDE Directory Administrator: http://www.carillonis.com/kdiradm
[11] RFC1779 – A String Representation of Distinguished Names: ftp://ftp.isi.edu/in-notes/rfc1779.txt
[12] RFC1778 – The String Representation of Standard Attribute Syntaxes: ftp://ftp.isi.edu/in-notes/rfc1778.txt
[13] RFC1777 – Lightweight Directory Access Protocol: ftp://ftp.isi.edu/in-notes/rfc1777.txt

you would want to rebuild those source files to reflect the changes. A makefile (by default called Makefile – the capital M is important!) describes each component of the project, how they should be built, and what constitutes them being ‘out of date’. The watchword here is dependency.

If we have a two file project where converter.c includes converter.h, then we can say converter.c is dependent on converter.h. If converter.h changes, it stands to reason that converter.c must also have changed in some way, and so needs to be re-built. We can build a makefile to describe this. We can then build this program by typing:

make

If you had not named your file ‘Makefile’ but listing1make, for example, then you will need to use the -f flag.

make -f listing1make

Line 1 describes a target. The text to the left of the colon dictates what we want to produce (an executable file called convunit in this case), whilst the right hand side lists the dependent files we have to use in order to build it. Our makefile is effectively saying that should converter.c or converter.h change, then ‘convunit’ will be out of date and needs to be rebuilt.

Each subsequent line after a target that begins with a tab (and only a tab!) holds the command, or commands, that we must execute in order to produce the target file. It stands to reason, therefore, that those commands must produce the target file in some manner. You can include as many commands as you need;


In preparing this section, I asked twelve different programmers for the best way to write a make file. I got twelve different answers! Writing makefiles, like code, novels or music, is a uniquely individual experience. There is no right or wrong way – whatever works (and is readable!) can be considered a ‘good makefile’! The method we’re using here is fairly ‘traditional’ and shall be developed from first principles, so you can see each step in the process.

Make

So first off; what is a makefile? And what is make? Well, make is a utility that helps reduce development time by allowing us to only rebuild parts of the project (using gcc) that need it; if you have not changed ‘converter.c’ or included header files, why would you want to spend time compiling it when the result will be the same as it was last week?! Conversely, if you’ve changed a header file that is used in four places,

Following on from last month’s article, Steven Goodwin looks at how the make utility can be used to improve the development process. BY STEVEN GOODWIN

C: Part 12

Language of the ‘C’

C Tutorial: Part 12 PROGRAMMING

Listing 1: Makefile

1 convunit: converter.c converter.h
2 	gcc converter.c -o convunit

semi-colons let you put two or more commands on a line, while the backslash is available for line continuation if required. This is sometimes necessary, since each line executes in its own shell, and you might need to include several commands. The following would fail if each instruction was placed on a different line.

main: source/converter.c
	cd source; gcc converter.c

make will execute each command in sequence until none is found (i.e. the line does not begin with a tab) or an error occurs. At this point it will stop trying to build that target and exit. To suppress these errors, start each command with a minus sign and it will continue with the next instruction (we’ll see where that is used later). Also, as each command is echoed to the screen you may wish to stop this by using the @ prefix.

convunit: converter.c converter.h
	@echo "Now compiling converter.c ..."
	gcc converter.c -o convunit

Temporary Like Achilles

This makefile can be improved however by building object files, and not executables. Object files are compiled versions of source code (it can consist of one or more ‘C’ files), which lack the essential ingredients that make them executable (like access to glibc, and a place to start, for instance!). This not only makes them smaller, but also does not tie them in to any particular executable.

They can be built individually, and then linked together with other object modules to make one executable. For projects with several source files, this also means that updates can be built with just one compile and one link, which is much more efficient than several compiles, and one link. Object files (by convention) use the .o extension, which is usually pronounced “dot oh!”.

Here, we are nesting targets. In this example, convunit is dependent on converter.o (an object file), which in turn is dependent on the two files converter.c and converter.h.

Should any of these files change, convunit will be re-built. We can place the targets in any order we choose, however, the first target given (convunit) is the one built by default and so should be the main executable.

Looking to the bigger picture, we have already split our project into modules (see last month’s Linux Magazine issue 24) and have five ready-made targets (core, config, process, output and debug) that map nicely onto five object files. From this we can build a complete makefile for the project.

These last two examples make use of the ‘-c’ option of GCC, which indicates we want to only build an object file, and not a complete executable.

Our first invocation of make will build five object files (the .o files from lines 4, 7, 10, 13 and 16) and one executable (line 1); our second will build none! It will spot that the file convunit is newer than all its dependencies (converter.o and config.o process.o output.o debug.o) and report that it is “up to date”. Whenever a file changes, only the necessary dependencies will be rebuilt. This is determined by looking at the date stamp of the files in question. You can test this by typing:

touch output.h
make

This will then build core.o and output.o (since they are the only targets that depend on output.h) and re-link a new executable with the 3 old, and 2 new, object files. It is very rare to include header files like stdio.h and stdlib.h in the dependencies list.

This is because they are standard headers, and changing the function prototypes or macros here would require a change in the glibc libraries also. That last happened many years ago with the switch from version 5 to 6, and required a complete recompile of all system and user software.

Showroom Dummies

To ease the task of maintenance, make supports macro substitutions which you can use to save re-typing repetitive command line switches. This is especially useful for changing compiler and linker options as one macro can replace everything in one go.

Macros are, by convention, always upper case and defined as a ‘name=


convunit: converter.o
	gcc converter.o -o convunit

converter.o: converter.c converter.h
	gcc -c converter.c -o converter.o

Listing 2: Makefile

1 convunit: converter.o config.o process.o output.o debug.o
2     gcc converter.o config.o process.o output.o debug.o -o convunit
3
4 converter.o: converter.c converter.h config.h output.h process.h debug.h
5     gcc -c converter.c -o converter.o
6
7 config.o: config.c converter.h config.h process.h
8     gcc -c config.c -o config.o
9
10 process.o: process.c converter.h process.h
11     gcc -c process.c -o process.o
12
13 output.o: output.c converter.h output.h process.h
14     gcc -c output.c -o output.o
15
16 debug.o: debug.c converter.h debug.h process.h
17     gcc -c debug.c -o debug.o

Listing 3: Makefile

Notice that the equals sign is used without spaces as it helps distinguish between a macro definition and target name. For other examples of CFLAGS, see the BOXOUT: Useful compiler flags.

College Girls Are Easy

Another one of make’s many features to improve the quality of life is implied dependencies. Make knows that a C file generates a .o object file, and that it must use gcc to do so; the dependency of the .o on the .c is implied and so make can perform the compile operation automatically! This allows you to reduce a typical line to:

config.o: config.c converter.h config.h process.h

On the surface, it might appear that we have lost the means to use macros and apply special compile flags to gcc. Not so! By using the CFLAGS macro (which is common) we can add warnings, compiler optimisations, or any number of switches we want, and they will get used within the implied dependency.

Notice, however, that line 3 provides an explicit build instruction because make doesn’t understand that a collection of .o files need to be built into an executable. This is because it can not make the connection between the executable (convunit) and the object files. By changing line 2 and calling our ELF ‘converter’ instead, we can do without line 3.

2 converter: converter.o config.o process.o output.o debug.o

The implied dependencies of an executable (converter, in the case above) are its equivalent .o file, and anything else given on the right hand side of the colon. That is – its usual dependencies.

For advanced work, it is possible to create your own implied dependencies; they are called suffix rules.

Time After Time

In addition to macros, there are a number of special variables with a similar appearance to macros, as both start with a ‘$’ symbol. When building makefiles they can be used to enhance error messages, or to provide parameters to other programs. They also work inside quoted strings.

converter.o: converter.c $$converter.h


substitution’ pair. They are used with the $(NAME) syntax and are substituted automatically before executing any build command. This way, any errors are explained with real commands and parameters, instead of macro names that may be quite complex and obtuse.

CC = gcc
CFLAGS = -Wall

converter.o: converter.c converter.h
	$(CC) $(CFLAGS) converter.c

A number of macros exist by default (type “make -p” in a shell to find out which) but these can still be changed if necessary. There are also a number of standard macros that you will see, so you should become at least comfortable with them (see tables 1 & 2).

Macros can also be set from the shell, by giving the ‘name=substitution’ pair as an argument to make.

make CFLAGS=-Wall


Macro   Description                               Example
CC      Name of the C compiler                    GCC
MAKE    The make utility                          make
AS      Assembler                                 as
LD      Linker                                    ld
FC      Name of the Fortran compiler (really!)    f77

Table 1: Conventional Macros

Macro     Description
TARGETS   The names of the targets being compiled
SOURCES   Those files to be compiled
LIBS      Directories for other libraries
INC       Directories for other header files
CFLAGS    Compiler flags
LFLAGS    Linker flags

Table 2: Common Macros

$@    Name of the current target
$$@   As $@, but only available on dependency line
$?    Files that are newer than the target, and so need building
$%    ?Member files of library files?
$<    $? for suffix rules
$*    $@ for suffix rules. The file’s suffix is omitted, however.

Table 3: Special Variables

.SILENT: Does not echo any command executed. Equivalent to prefixing each command with an @.

.IGNORE: Ignore any errors from the commands. Equivalent to - on each command.

.PRECIOUS: Does not remove the target file after an error.

.DEFAULT: Tries to build this if the given target doesn’t exist.

.PHONY: Indicates that these targets do not really compile into programs. Used for cases like ‘clean’ and ‘install’, in case there’s a file called (say) ‘clean’ in the current directory that could confuse the situation.

Box 1: Targets

-D_DEBUG_FLAGS: Automatically defines the macro ‘_DEBUG_FLAGS’ to the source code.

-g: Include GNU debugging information into the executable. This allows you to use gdb to step through the program one line at a time.

-c: Compile and assemble, but don’t link, i.e. create the object file.

-o converter: Specify the output file.

-Wall: Specifies the warning level. ‘All’ is best.

-O3: Specify the optimisation level. 0 is off (debug), 3 is the highest. Using -Os will optimize for space, instead of speed.

-fPIC: Switch specific flag options. Here, PIC tells gcc to produce position independent code (if possible). The option name is case insensitive. Used to produce libraries that would work in more than one place.

-I /usr/local/apache2/include: Also search the named directory for header files. Same as the INC common macro.

Note: There is no space between the flags switch and the parameter, except with ‘I’.

Box 2: Useful compiler flags

	@echo "Trying to build $@ (because $? are too new!)"
	$(CC) $(CFLAGS) converter.c

For a list of these special variables, please refer to table 3.

Shoot That Poison Arrow

When make is run without arguments it will look for the first target in the makefile and try to build it. If the makefile contains more than one project, you should create an extra target named all, which is dependent on each of the other targets. This way, every project will get built with a single call to make. You can also build a specific target by including it as an argument.

make testbed
make config.o

Now, most Linux users who build from sources are familiar with the trio of ./configure, make, make install. If both the above sentences are true, then ‘install’ must be the name of a target. Funnily enough, it is! The ‘install’ target often includes commands to copy configuration and executable files to the appropriate place. These targets, however, are phony – they don’t really produce a file – and as such need to be indicated by adding a .PHONY line to the makefile (see listing 3 and BOXOUT: Targets).

We can use this knowledge to enhance our makefile by adding clean and install. Notice that in the case of clean we ignore all errors, and with install we suppress the echoing of the echo command; install will also require superuser privileges. In these cases no dependencies are given, meaning the instructions are executed every time that particular target is called. This produces a complete makefile, ready for use!

There’s a guy works down the chip shop?

As time goes on, and projects change, the makefile will become outdated. We’ll need to add more targets, change dependencies, or remove old files. Doing this manually can become a bind, so there are a number of tools to help you, such as mkdepend, mkmkf and makedepend. We shall look at the latter.

As the name suggests, makedepend will build a list of dependencies for the files specified on its command line. So, assuming all our source files are in the same directory (and it contains no rogue files from other projects), we can type:

makedepend *.c

And a complete list of dependencies (including things like stdio.h, and stdlib.h) will be built, stored in the makefile. And in the correct format!

Makedepend does a couple of clever things here. First off, it makes a back-up of your original makefile and calls it ‘Makefile.bak’. Then it appends the dependency information to Makefile. What is clever here is that a second call to makedepend will not re-append the same data. Even in a small project such as ours, makedepend can add 50 or more lines to the makefile. How does it know? Well, it adds a comment marked ‘DO NOT DELETE’ before the appended text. If this already exists, makedepend removes the text below it, and adds the new information.

Naturally, calling makedepend without arguments will not find any dependencies and thus produce an empty block at the bottom of the file. This is still useful, as it makes the makefiles small enough to fit in a magazine! And as long as we add the dependencies back to the makefile before trying to compile, all is well!

With the exception of .DEFAULT, each can affect specific targets by including its name as a dependency. If no target is specified, then it will affect all targets within the makefile.


1 # We're now using implied dependencies!
2 convunit: converter.o config.o process.o output.o debug.o
3     gcc converter.o config.o process.o output.o debug.o -o convunit
4 converter.o: converter.c converter.h config.h output.h process.h debug.h
5 config.o: config.c converter.h config.h process.h
6 process.o: process.c converter.h process.h
7 output.o: output.c converter.h output.h process.h
8 debug.o: debug.c converter.h debug.h process.h

Listing 4: Makefile

CFLAGS=-Wall

converter: converter.o config.o process.o output.o debug.o
converter.o: converter.c converter.h config.h output.h process.h debug.h
config.o: config.c converter.h config.h process.h
process.o: process.c converter.h process.h
output.o: output.c converter.h output.h process.h
debug.o: debug.c converter.h debug.h process.h

# errors from rm are ignored (leading minus)
clean:
	-rm *.o converter

# the echo command itself is not echoed (leading @)
install:
	@echo "Copying conf file to /etc"
	cp convert.conf /etc

.PHONY: clean install

Listing 5: Makefile

THE AUTHOR

The language of ‘C’ has been brought to you today by Steven Goodwin and the pages 62–65. Steven is a lead programmer, currently finishing off a game for the Nintendo GameCube console. When not working, he can often be found relaxing at London LONIX meetings.

Within the code sample above, the only unfamiliar symbol should be the square brackets; these are used to denote anonymous lists. Anonymous lists are arrays without a name. A clue to this is the square brackets ‘[]’, usually seen when accessing elements of an array:

print "$some_array[4]\n";

So it’s not really counter-intuitive that square brackets be used elsewhere for arrays. Using this philosophy can you guess what sigils we use to create an anonymous hash? We use ‘{}’ curly braces, as we use curly braces to retrieve a value from a hash:

print "$some_hash{four}\n";

Or if you prefer:

print $some_hash{'four'} . "\n";

Returning to our list of users’ favourite commands again, when we need to reference the data inside our nested structures, we need a means of specifying the element inside the parent data structure we want. We can access ‘%commands’, in the normal fashion:

#returns a string akin to 'ARRAY(0x1ab54d0)'
print "$commands{'Billy'}\n";

But this returns a string that looks like “ARRAY(0x1ab54d0)” which actually tells us a lot but not what we wanted. The uppercase ‘ARRAY’ tells us that the returned value is of an array reference type and the characters within the parentheses tell us where Perl stores the reference. To access the data from the list within the hash, we use the arrow operator ‘->’, this enables us to access the list within the hash:

$commands{Billy}->[0];

This will return the first item from Billy’s list of shell commands. For the purposes of this exercise, we’ll say that the list places favourite items first.

We can now make a hash of lists using anonymous lists, and we can make an array of hashes too. You may by now be asking yourself if there are any other things that can be made anonymously.

Anonymous Subroutines

It’s the Perl way: if you’ve got anonymous hashes and anonymous lists, then what about the functions and the scalars? Perl provides them too. An anonymous function seems like an odd thing to have, until you get sufficiently lazy, then you find yourself using them.

my %func = (
    stdout => sub { print @_ },
    log => sub { print LOG @_ },
    stderr => sub { print STDERR @_ },
    not_stderr => sub {
        print @_;
        print LOG @_;
    },
    not_stdout => sub {
        print STDERR @_;
        print LOG @_;
    },
    all => sub {
        print STDERR @_;
        print LOG @_;
        print @_;
    }
);
# Print to all bar stdout:
&{ $func{not_stdout} }( 'hello',


While the aspects of Perl that have been covered in this series so far are enough to start you upon your way to becoming yet another Perl hacker, they’ve been the basics of the language and offer nothing other languages do not, albeit in a lot fewer lines of code.

Nested Data structures

Perl facilitates complex data structures in several ways, by far the most readily understood are the “hash of hashes” and “list of lists”; these are nested data structures. It is also possible to have “lists of hashes” and “hashes of lists”.

What we mean when we say a “list of hashes” is that the data structure is a list that contains hashes as its elements. One example might be a list of people and for each person a list of their top five favourite shell commands:

Terry: rm -rf*, chmod 777, kill -9, ln -s, reboot
Billy: vim, df -h, ls -lah, ps -eaf, mutt

We could write that very quickly in Perl, using nested data structures. In this instance a hash of lists appears to be the most sensible as the users’ names will be unique identifiers and the top five commands have no other significance but the order in which they occur. Using a hash structure for the names and a list for the commands for each user we can access the information in an intuitive fashion and pull out details such as the favourite command used by Billy. We’ll show ways of obtaining this data later. First we’d better store the data. One way of writing this in Perl would be:

my %commands = (
    Terry => [ 'rm -rf*', 'chmod 777', 'kill -9', 'ln -s', 'reboot' ],
    Billy => [ 'vim', 'df -h', 'ls -lah', 'ps -eaf', 'mutt' ]
);

This month we introduce some of the more powerful idioms and features of Perl and show why it’s still one of the hacker’s languages of choice.

BY DEAN WILSON AND FRANK BOOTH

Perl: Part 6

Thinking in Line Noise

Perl Tutorial: Part 6 PROGRAMMING

'world' );
# Print lots of times to each:
&{ $func{$_} } for keys %func;

The last command seems completely nonsensical: as it’s a hash data structure, there is no telling what order the elements will emerge in when using the keys command, which could cause problems. If you require order, use an array. The following example will produce a set of error levels, increasing in urgency.

my @warn = (
    sub { print STDERR @_ },
    sub { print LOG @_ },
    sub { print @_ },
    sub { die "I can't function under these conditions: ", @_, "\n" }
);
sub notify {
    my $error_level = shift || -1;
    # call each handler in @warn up to the requested level
    &{ $warn[$_] }(@_) for ( 0..$error_level );
    -1
}

This example will report messages back according to the error level. If the error level was 1, it would write to ‘STDERR’ and the log file. At level 3, it would write to ‘STDERR’, ‘LOG’, ‘STDOUT’ and then finally stop the program with a final message. It does this by looping through the array of anonymous subroutines. There are a few things that happen implicitly, that we’ll examine now:

my $error_level = shift || -1;

When variables are passed into a function they’re passed in as an array ( @_ ). The ‘shift’ operator removes the first item from an array, its default is ‘@_’, so if no array is specified, it defaults to using @_. If the ‘@_’ array is false ( it has no contents ) the value -1 is placed in the variable instead; why will become clear soon.

&{ $warn[$_] }(@_) for 0..$error_level;

This line uses Perl’s ‘for’ looping construct to iterate over the first part of the line. In this instance it will repeat for every number from 0 to $error_level, the value for the current iteration will be put into the default variable ‘$_’. Since the ‘for’ loop occurs at the end of the line the loop condition doesn’t need braces. It is worth noting that the range operator ( ‘..’ ) will not work backwards, it won’t count from 10 to 1 using 10..1, it will merely skip the entire loop as having failed on the first attempt.

The first part of the line calls the function from the array ‘@warn’, the element it references is the value of ‘$_’, and the parameters the function is passed are the remainder of the parameters passed to the notify function. The ampersand ‘&’ denotes that the thing in the hash is a function. It is necessary to explain that the contents are a


    $_ = ref( $reference );
    /SCALAR/ and return $$reference;
    /ARRAY/ and return join(', ', @$reference );
    /HASH/ and return join(', ', keys %$reference );
    # not a reference: hand the value itself back
    $reference
}

This program uses the ‘ref’ function to determine the data type of a reference. ‘ref’ returns one of a number of possible values including the more common: SCALAR, ARRAY, HASH or ‘’. The last value indicates that the parameter sent was in fact not a reference at all.

What the code does is define the response taken when passed different data types: Here is a list of the input type and result output. ‘ref’ is extremely useful when using generic data structures that can nest any type of data and have no defined limit of depth to which it is nested, as it allows fully automatic determination of the reference’s type. You may want to create a reference to an existing structure, to enable access from a function, or to link to a dynamically structured list. We use the ‘\’ backslash operator to create a reference to a value:

# Makes a reference to a scalar
my $foo_ref = \$foo;
# Makes a reference to @foo called $foo_arrref
my $foo_arrref = \@foo;
# Make an array of references.
my @list_of_arrays = ( \@foo, \@bar, \@baz );
# this can also be written:
@list_of_arrays = \( @foo, @bar, @baz );
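The point above about using ‘ref’ on structures of unknown depth, as an added example that is not part of the original article. The describe() function and the sample data are made up here; the %seen guard covers a structure that contains a reference to itself.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Render any nested structure as one line of text by recursing on what
# ref() reports. $seen records every reference already visited, so a
# structure that points back at itself does not recurse forever.
sub describe {
    my ($item, $seen) = @_;
    $seen ||= {};

    my $type = ref $item;
    if ($type eq '') {                      # not a reference at all
        return defined $item ? "'$item'" : 'undef';
    }

    # A reference stringifies to e.g. HASH(0x1ab54d0); that string is
    # unique per structure, so it works as an identity key.
    return "<already seen $type>" if $seen->{"$item"}++;

    if ($type eq 'SCALAR') {
        return '\\' . describe($$item, $seen);
    }
    if ($type eq 'ARRAY') {
        return '[' . join(', ', map { describe($_, $seen) } @$item) . ']';
    }
    if ($type eq 'HASH') {
        return '{' . join(', ',
            map { "$_ => " . describe($item->{$_}, $seen) }
            sort keys %$item) . '}';
    }
    if ($type eq 'CODE') {
        return 'sub { ... }';
    }
    return "<$type>";                       # REF, GLOB, objects and so on
}

# Constructed sample data, reusing the article's %commands layout.
my %commands = (
    Terry => [ 'rm -rf*', 'chmod 777' ],
    Billy => [ 'vim', 'df -h' ],
);
my $pi = 3.14;
my %everything = (
    commands => \%commands,
    pi       => \$pi,
    logger   => sub { print @_ },
);
# Deliberate cycle: the hash now holds a reference to itself.
$everything{self} = \%everything;

print describe(\%everything), "\n";
```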

Here be Dragons

Closures are one of the more complex features of Perl in that they build upon previous knowledge and require a grasp of a number of the language basics such as scope and pass by reference before they become readily comprehensible. However like most magic, you don’t need to understand it to wield it.

A closure is a function that exploits both the lexical scope it is declared in and Perl’s garbage collection algorithm to preserve a variable beyond its expected lifetime.

We’ve not yet discussed Perl’s garbage disposal routine in any depth as it is unobtrusive and it rarely falls to the programmer to know or care what it does and how it works. It tidies up after us and ensures that the memory no longer used in our programs is released.

The garbage collector in Perl works on a very simple (in theory) principle known as reference counting. Whenever a new variable is created it starts off with a reference count of 1 and each time a reference to that variable is taken the count increases by one.

Each time a reference to the variable falls out of scope the reference count decreases by one and when no more references point to it (i.e. the reference count is zero) the variable is ‘reaped’ by Perl’s garbage collection and the memory it used is released automatically, no explicit ‘malloc’ and ‘free’ for us! To clarify how closures work let’s look at what we know. We know that a variable declared in the scope of a block only exists for that block…

{
    my $count;
    print "$count\n";
}
# this line fails compilation
# as $count is not visible
print "$count\n";

We also know that a function is global regardless of where it is defined:

{
    sub phrase {
        return ' I can be called anywhere ';
    }
}
print phrase(); # this works.

So what happens when we mix the two?

{
    my $count = 0;
    sub set($) { $count = shift }
    sub incr() { $count++ }
    sub getcnt() { $count }
}
set(5); # sets the count to 5
incr; # adds 1 to count.
#this prints 6
print getcnt(), "\n";


function, otherwise Perl would expect a normal scalar value and would interpret the function as such.

References

References are scalar variables used to point to anonymous data types and functions. In all the above examples we’ve relied on the containing data structure to ensure we look at the data we meant to or call the function we intended. We can just as easily use a scalar variable to do the same task.

my $array_reference = [ 1, 2, 3, 4, 5 ];
my $hash_reference = {
    beef => 'corned',
    cabbage => 'over-cooked'
};

We refer to the elements within the reference using the arrow operator ‘->’:

$array_reference->[0];
$$array_reference[0];    # the same element, written with a sigil
$hash_reference->{beef};
$$hash_reference{beef};  # the same value, written with a sigil

We can refer to anonymous functions:

$func = sub { print "foo\n" };
&$func;

We can refer to scalar values too:

$func = \'3.14';
print $$func;

Here we’ve prefixed the variable we’re applying with a data type constraint. Putting the wrong type in a data type constraint will result in the program concluding rather sooner than you’d hoped; if you don’t know what type of data to expect try something like this:

sub handleref ($) {
    my $reference = shift or return;

Type        Action
SCALAR      Return the value.
HASH        Return a joined list of keys.
ARRAY       Return a joined list of values.
NOT A REF   Return the value itself.

DATA TYPES

We get a variable named ‘$count’ that exists only for the functions ‘set’, ‘incr’ and ‘getcnt’; any other attempt to reference the variable will fail. This gives us a “tamed” global variable that has limited ways of being altered while also providing some data encapsulation; a global variable we can manage.

There are instances when global variables need to be used and there are instances when you can use a closure instead to make the code a little safer and avoid another global. If you think this looks a little like very primitive Object Orientation (OO) then you may not be surprised to know that these principles will hold you in good stead when we get to Perl’s OO facilities.

While the above is a useful application of a closure, it is not the most common use of closures. In the example below we use an anonymous subroutine to create a bespoke function. This is probably the most popular and often seen use of closures within Perl.

sub hello($) {
    my $message = shift;
    # the returned sub keeps its own copy of $message alive
    return sub { print "Hello $message\n"; }
}

This is a customisable function. A closure can be created by calling the function like so:

my $std = hello('world');
my $song = hello('dolly');
my $phrase = hello('nurse!');

We can call all the separate closures using the ampersand symbol to signify it’s a function and the variable that holds the reference to the anonymous subroutine. So:

&$std;    # will print: Hello world.
&$song;   # will print: Hello dolly.
&$phrase; # will print: Hello nurse!

These rather trite examples serve only to illustrate the basics of how closures work but hopefully they will whet your appetite for the advanced potential uses they provide once you have made it past the initial hurdle and understand how they work.

Data::Dumper

Once you’ve started to use more complex references you’ll inevitably want to view the contents of a complex data structure.

While your first instinct may be to ‘unroll’ the structure with a number of loops, a better approach would be to use a module from the Perl core (it’s installed by default) called ‘Data::Dumper’. We’ll show uses of Data::Dumper here without explaining all the details behind using modules as a gentle introduction.

A full explanation will be covered in a future column. ‘Data::Dumper’ is a module that is capable of serializing Perl data structures so they can be printed to screen or even written to a file while remaining valid Perl code.

The last point is an important one that warrants a deeper explanation: the stringified version of the data structure is still valid Perl code, this allows it to be used in an ‘eval’ to recreate the structures in the current application and even to be read in from a file and used as a simple persistence layer.

The example ‘simple_dump.pl’ below shows a rudimentary use of ‘Data::Dumper’ to print a hash containing hash references. Although the example may look slightly contrived the principles can still be applied to larger code such as a function passing back a complex hash ref of configuration settings such as, for example, an ‘ini’ file style configuration.

#Example: simple_dump.pl
use Data::Dumper;
my (%config, $config_ref);
%config = (
    email => {
        workdir => '/home/dwilson/work',
        logdir => '/var/log/perlapps/examples/email'
    },
    news => {
        workdir => '/home/dwilson/work',
        logdir => '/var/log/perlapps/examples/news'
    }
);
$config_ref = \%config;
print Dumper($config_ref);

This example shows a simple use of Data::Dumper’s procedural interface to print the representation to the console. The first line imports the ‘Data::Dumper’ module and allows any of its exported functions to be called. We then create both a hash and a scalar and immediately put some sample data in the hash. It’s useful to note how the hash of hashes is built up manually as the ‘Data::Dumper’ representation is remarkably similar.

The row following should now be familiar as we take a reference to the hash. Finally we make use of Data::Dumper with the exported ‘Dumper’ function. If you run the code you’ll see how closely the output resembles the original code.
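The file round trip mentioned earlier, as an added example that is not part of the original article. Because the saved text is Perl code, anyone who can edit the file can run code in your program, so this version rebuilds the structure inside a compartment from the core Safe module instead of a bare ‘eval’. The freeze() and thaw() helpers and the tampered string are constructed for illustration, and Safe's default operator mask is assumed to be strict enough for plain configuration data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;
use File::Temp qw(tempfile);
use Safe;

# Serialise a structure to Perl source text of the form "$VAR1 = { ... };".
sub freeze {
    my ($data) = @_;
    local $Data::Dumper::Indent   = 1;   # compact but still readable
    local $Data::Dumper::Sortkeys = 1;   # stable key order, easier to diff
    return Dumper($data);
}

# Rebuild the structure by evaluating the text inside a Safe compartment.
# The default operator mask refuses system(), backticks, file opens and
# similar, so text that is more than a data literal fails to compile
# instead of running.
sub thaw {
    my ($text) = @_;
    my $compartment = Safe->new;
    my $data = $compartment->reval($text);
    die "refusing to load: $@" if $@;
    die "not a hash reference\n" unless ref($data) eq 'HASH';
    return $data;
}

# The article's sample configuration.
my %config = (
    email => {
        workdir => '/home/dwilson/work',
        logdir  => '/var/log/perlapps/examples/email',
    },
    news => {
        workdir => '/home/dwilson/work',
        logdir  => '/var/log/perlapps/examples/news',
    },
);

# Write the dump to a temporary file, then read it back as text.
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} freeze(\%config);
close $fh or die "close $path: $!";

open my $in, '<', $path or die "open $path: $!";
my $text = do { local $/; <$in> };
close $in;

my $restored = thaw($text);
print "email logdir: $restored->{email}{logdir}\n";

# Constructed example of a file that has been edited to carry code.
my $tampered = q{$VAR1 = { 'workdir' => system('echo tampered') };};
my $loaded = eval { thaw($tampered); 1 };
print "tampered file rejected: $@" unless $loaded;
```

A compartment narrows what the loaded text can do but is not a substitute for file permissions; for data that crosses a trust boundary a pure data format is the safer choice.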

The ‘Data::Dumper’ module itself can be used in either a procedural or object orientated (OO) fashion allowing it to fit inconspicuously in to the surrounding code as all good third party modules should. The example below uses the OO interfaces and requires only minimal changes:

#Example: simple_dump_oo.pl
#above here we would create the hash
my $dumper = Data::Dumper->new([$config_ref]);
print $dumper->Dump($config_ref);

We start the ‘simple_dump_oo.pl’ example with the same set up code used in the ‘simple_dump.pl’ example. The code changes begin in the last few lines as we create an instance of the Data::Dumper class and pass in the reference we would like to have it work on; notice the use of braces to force list context, Data::Dumper’s constructor expects its first argument (a second optional argument is allowed) to be an array ref.

Once we have a variable holding the object we then call the ‘Dump’ method and get the same on screen information we did with the procedural version.

Now that the basic use of Data::Dumper has been shown we move on to some useful options that can be configured to customize how Data::Dumper represents its output. These options are


While the default settings are often enough you may occasionally need to tweak the settings to suit the use the module is put to. Two modified settings are $Data::Dumper::Indent and $Data::Dumper::Useqq or in OO parlance $OBJ->Indent and $OBJ->Useqq.

The first of these two, ‘$Data::Dumper::Indent’, controls the general human readability of the output structure. From the minimum value of ‘0’ which strips out all but the essential white space leaving the output as valid perl code but not easily human readable through to a maximum value of ‘3’. The default value is ‘2’ and this causes the output to have newlines, nicely lined up entries in hashes and similar and sensible indentation.

While a value of ‘2’ is often enough, if you are dealing with a large number of complex arrays then it is worth at least considering a value of ‘3’ as its main benefit is to put out the array index along with the data allowing quick visual look-ups at the cost of doubling the output size. In practical terms it is often enough to leave the setting at its default value but if you are using Data::Dumper to serialize the structures to disk then you can get away with a lower level as it only needs to be machine readable.

The second of the more useful options is the ‘$Data::Dumper::Useqq’ option which causes the data to be put out in a more normalized form which includes white space represented as meta-characters ([\n\t\r] instead of literal white space), characters that are considered unsafe (such as the ‘$’) will be escaped and non-printable characters will be printed as quoted octal integers.

#Example: multi_oo_escape.pl
use Data::Dumper;
my %chars;
%chars = (
    #one tab and one space
    whitespace => "\t ",
    unsafe => '$',
    #carriage return (a literal ^M in the printed listing)
    unprintable => "\r"
);
my $dumper = Data::Dumper->new([\%chars]);
$dumper->Useqq(1);
print $dumper->Dump(%chars);

In the ‘multi_oo_escape.pl’ exampleabove we have a one of each type ofcharacter used as values in a hash thatwe then pass as a reference to theData::Dumper constructor. We then setthe ‘Useqq’ to a positive value to turn iton and then call the Dump getting anoutput like this:

$VAR1 = {
          "unsafe" => "\$",
          "unprintable" => "\r",
          "whitespace" => "\t "
        };

Notice that the unprintable carriage return (generated in vi using CTRL-V and then return) is printed as ‘\r’, the tab is printed as ‘\t’ and the single dollar is escaped to prevent it from having any special meaning. The downside to the additional functionality of ‘Useqq’ is that it incurs a performance penalty: most of Data::Dumper is implemented in C (using XSUB), whereas this function is implemented in pure Perl.

Now we have covered the basic and more useful of the features Data::Dumper provides, if you want to carry on experimenting with it you should look at perldoc Data::Dumper.
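The Indent and Useqq settings described above, applied to one structure and set both per object and through 'local', as an added example that is not part of the original article. The sample hash, the variable name 'config' and the helpers dump_with and restore are assumptions; the example also goes one step further and reads the Indent 0 dump back in with eval, the round trip implied when the text mentions serializing structures to disk.

```perl
#!/usr/bin/perl
# Added example (not from the article): Indent and Useqq on one structure.
use strict;
use warnings;
use Data::Dumper;

# Constructed sample data: a tab, a dollar sign, a carriage return
# and a nested array, so every escaping rule has something to act on.
my %config = (
    banner => "tab\there",
    price  => '$5',
    eol    => "\r",
    hosts  => [ 'alpha', 'beta' ],
);

# Dump a reference at the given Indent level. Useqq escapes control
# characters and '$'; Sortkeys makes the key order repeatable.
# The settings live on this one object, so nothing global changes.
sub dump_with {
    my ($ref, $indent) = @_;
    my $d = Data::Dumper->new([$ref], ['config']);
    $d->Indent($indent)->Useqq(1)->Sortkeys(1);
    return $d->Dump;
}

# Turn a dump produced by dump_with() back into a data structure.
# eval runs the text as Perl code, so only feed it dumps that this
# program wrote itself, never a file someone else could have edited.
sub restore {
    my ($text) = @_;
    my $config;             # the name given to new() in dump_with()
    eval $text;
    die "restore failed: $@" if $@;
    return $config;
}

my $compact = dump_with(\%config, 0);   # single line, machine readable
my $verbose = dump_with(\%config, 3);   # adds the array index to each element

print "Indent 0 (", length($compact), " bytes):\n$compact\n\n";
print "Indent 3 (", length($verbose), " bytes):\n$verbose\n";

my $copy = restore($compact);
print "round trip ok\n"
    if $copy->{eol} eq "\r" && $copy->{hosts}[1] eq 'beta';

# Procedural interface: the variables are global, so 'local' confines
# the change to this block.
{
    local $Data::Dumper::Indent = 0;
    local $Data::Dumper::Useqq  = 1;
    print Dumper($config{price}), "\n";
}

# Outside the block the defaults apply again.
print Dumper($config{price});
```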

They think it’s all over…

The use of references is often the difference between an easy to follow and maintainable piece of code and a tangled mess of line noise, and remains one of the more important areas of Perl 5 syntax to understand. Fortunately the best documentation on references (although the examples are quite terse) is included in the Perl distribution itself:

A good place to start is with ‘perlreftut’; it’s a lighter read than the others and has a number of easy to follow examples: perldoc perlreftut

Once you have the basics down you can either go for the in-depth details with perldoc perlref or go for more example code and explanations in perldoc perllol, which focuses on arrays of arrays. There are more varied examples in the data structure cookbook in perldoc perldsc.

A good final note is the reference page for Data::Dumper itself, possibly the best way of viewing or debugging references: perldoc Data::Dumper. ■


set differently depending upon the way in which you are using the module; for the moment don’t worry about their purpose but rather how they are set. For the procedural version:

$Data::Dumper::Useqq = 1;
$Data::Dumper::Varname = 'foo';

These configuration settings are global, so it is prudent to limit the scope the changes affect by using them within a separate, often anonymous, block; this is best done using ‘local’:

{ # start anonymous block
    local $Data::Dumper::Useqq = 1;
    local $Data::Dumper::Varname = 'foo';
} # changes are lost when the code reaches here.

The options are set using methods in the OO style of use and look like this:

$dumper->Useqq('1');
$dumper->Varname('foo');

When the settings are changed via methods, there is no need to jump through hoops to limit the scope of the change, as any change applies only to the one object:

my $dumper_cust = Data::Dumper->new([$config_ref]);
$dumper_cust->Varname('foo');
# Dump takes no arguments when called on an object
print $dumper_cust->Dump;
my $dumper_raw = Data::Dumper->new([$config_ref]);
print $dumper_raw->Dump;

When the second Data::Dumper instance (‘$dumper_raw’) prints its output it will use ‘VAR’ instead of ‘foo’. Now we have covered setting the values, it is useful to know that the methods also act as accessors: if you call one with no parameters it returns the current value:

# $dumper_raw still has the default; $dumper_cust was changed to 'foo'
my $prefix = $dumper_raw->Varname();
#prints 'default prefix is VAR'
print "default prefix is $prefix\n";

Perl Tutorial: Part 6 PROGRAMMING

shows the current time and date on the left, the coordinates in the middle and the current geographic location on the right. KStars additionally uses the status bar at the bottom of the screen to display the name of the object you have just selected, and the coordinates of the current mouse cursor position.

Where am I?

The standard home position is Greenwich in England, the site of the Royal Observatory, which is well-known as the prime meridian. If you want to look at the night sky above your home town, select Location / Geographic… in the menu to open a configuration window just like the one in Figure 2.

The developers provide a list with the longitude and latitude of over 2000 towns in the top right corner. If your home town happens not to be on the list, you can always try a city close by. Every city is represented by a dot on the world map, and immediately marked by a red crosshair when you select a list entry.

Instead of spending time scrolling through the list, you can type the first letter of your home town in the filter box, reducing the search scope.

If your home site is missing from the list, you can always add the coordinates in the lower area of the coordinate window. All the fields in this window, except State/Province, are mandatory, and must be filled in before you can click on Add to List.

Late for an important date?

When you launch the program, it synchronizes its internal clock with your system clock in order to display your chosen constellation in real time. However, you can select Stop Clock under the Time item to stop the program clock or make it run more quickly or slowly. You can use Time / Set Time… or click on the timer in the toolbar to change the date and time.

Wandering Stars

So, who needs Star Trek to explore the final frontiers, when you can boldly click, or press the arrow keys? If you also


Twinkle, twinkle little star… Of course everyone knows this lullaby, but do you know the exact positions of Mars, Saturn, or Jupiter? No? In that case, you are either a candidate for your neighborhood observatory, or you might like to try KStars, KDE’s desktop planetarium.

KStars is included in the kdeedu package. To launch the program, just click on Educational / KStars (the Desktop Planetarium) in the K menu of KDE 3. You will be rewarded with a top notch astronomy program that identifies over 40,000 stars and 13,000 other objects, and is capable of displaying the night sky as visible at any point on the globe. This may take a while to load, but KStars does at least let you know what progress it is making.

The program design and content are quite intuitive. Figure 1 shows the night sky in the Cassiopeia constellation. KStars displays the stars in realistic colors and with their true relative luminosity. The developers have also labeled the brightest stars. Deep sky objects (that is, objects more distant than the nearest stars, such as galaxies, nebulae and star clusters) are indicated by colored symbols.

The info-bar at the top of the screen

No need for a trip into hyperspace, when the KDE planetarium brings the stars to your living room. Take your computer on a trip through the night skies of the Indian summer with KStars! BY STEFANIE TEUFEL

KStars

The Sun, the Moon and the Stars

KTools LINUX USER

In this column we present tools, month by month, which have proven to be especially useful when working under KDE, solve a problem which otherwise is deliberately ignored, or are just some of the nicer things in life, which – once discovered – you wouldn’t want to do without.

KTOOLS

Figure 1: Visiting Cassiopeia

hold down the [Shift] key, you can double your warp…, oops, your scrolling speed. Should you happen to stumble across an interesting bit of the heavens, you can use the plus and minus keys to zoom in or out. As an alternative, you can also click on the “Zoom In” and “Zoom Out” buttons in the View menu.

You can use [-] to zoom out until you see a green arc like the one shown in Figure 3. This represents your local earth horizon.

The curved white line in Figure 3 represents the celestial equator, an imaginary line that divides the skies into the northern and southern hemispheres. The brown line, which is almost invisible in Figure 4, represents the ecliptic, that is, the path the sun appears to follow in the course of the year.

KStars shows you the whole spectrum of celestial objects – stars, planets, planetary nebulae, and galaxies. You can click on a specific object to identify it – the name immediately appears in the status bar. If you then right click with your mouse, you can use the menu that then appears (Figure 4) to query the object type, and download a razor sharp image of the object from the celestial atlas, The Digitized Sky Survey, by clicking on Show 1st/2nd Gen DSS Image. You can see an image of the star, Ras Alhague of the constellation Alpha Ophiuchus, in the opener.

You can use the Add Link… option to add websites with more information or insert additional images. KStars even allows you to verify links by clicking on the Check URL button. The program automatically loads your additions when launched; they are saved in the myimage_url.dat and myinfo_url.dat files in the ~/.kde/share/apps/kstars directory.

If you become tired of just aimlessly roaming around the virtual heavens, you can use the Location / Find Object… menu item to search for a specific object. The “Find Object” window (Figure 5) includes a list of all the named objects in the KStars database. Many of them are listed by their catalog entry only, such as NGC 3077, but you will also find some well-known names, such as Cassiopeia.

On Board Information Sources

Of course, not everybody is a natural born astronomer. So do not panic if the terms used in this article are a mystery to you. The makers of KStars have also given this issue some thought. “The AstroInfo Project”, a useful feature of the KStars manual, provides you with a series of short articles that explain the most important concepts and terms in the field of astronomy. Some articles even include exercises that can be completed using KStars. The developers are keen on expanding this section and actively encourage interested users to contribute to the scientific database. ■


Figure 2: The Night Sky above Cologne

Figure 3: Somewhere Beyond the Horizon

Figure 5: Seek and You Will Find

[1] KStars: http://kstars.sourceforge.net

[2] Fixed Stars: http://www.winshop.com.au/annew

[3] AstroInfo Project: http://astroinfo.sourceforge.net

INFO

Figure 4: Identifying Celestial Objects

tar -xzvf GWhere-0.0.25.tar.gz
cd GWhere-0.0.25
./configure
make
checkinstall

If checkinstall [1] is not available, you can use make install instead. If you want to define the root directory for the installation yourself, you can call configure with the --prefix=directory flag.

First Things First…

Type GWhere & (paying attention to the case) in an X terminal session, and then wonder what to do about the more or less empty window that you are confronted with at this point. Neither the Help nor the File menu give you any clues as to what to do with the heap of CDs that you wanted to index.

Users who require menus in any language apart from English will need to set the Locale correspondingly:

export LANG=fr_CA; GWhere &

will use French Canadian, for example. If you want to define French Canadian as the target language for GWhere, but not for the shell, you can put this command in parentheses:

(export LANG=fr_CA; GWhere &)

The main indexing function turns out to be accessible via a tab labelled Management (Figure 1). You can use the drop-down menu Choose Volume to locate the mount point for the CD, insert the CD, and then click on the Browse Volume button at the bottom of the window. If the medium is not mounted at this point, GWhere will return an error message. To avoid this, you can check the Automount checkbox under Options before clicking on the browse button.

GWhere prompts you for a Catalog Name at first. This name has nothing to do with the CD and is simply a general heading for all the CD indices stored in a single file.

As GWhere can only display and manipulate a single index file in the current version, this heading is not really important – just enter mycds, or cdindex or something similar.

However, you will want to put some thought into answering the next prompt, which refers to the Volume Name (Figure 1). This should ideally provoke a reaction such as “Oh yes, that’s the CD with…” from the user. All that fancy search functionality is useless if you are unable to physically locate the CD that the GWhere search results refer to.

GWhere zooms through the indexing process in next to no time, and if you have additionally selected Eject Volume if

Twenty subscription CDs, a heap of MP3 disks, and a backup of your second computer – that’s quite an impressive collection of CDs, but if you do not remember what disk the file xyz is stored on, you have a problem: Insert the CD, launch find, remove the CD if you draw a blank, and start again… You would not want to have to repeat all those steps, unless you are looking for a really important file.

“Where there’s a will, there’s a way”, Sébastien Lecacheur thought and so he wrote GWhere (http://www.gwhere.org/), a little GUI tool that indexes data CDs, floppies, or Zip disks, allowing you to search the file tree without needing to sign up for a degree in diskjockeying. If you know what medium the required file is stored on, you merely need to locate that particular medium.

The current version of GWhere 0.0.25 is available as a binary for RPM based distributions, but you might prefer to compile the source code stored in GWhere-0.0.25.tar.gz. Version 1.2.0 or better of GTK, and the matching gtk-dev(el) package must be pre-installed to do so:

The GWhere CD Indexer is just what the doctor ordered for those of you suffering from the “can’t quite remember what Linux Magazine subscription CD the xyz tool was on” syndrome. BY PATRICIA JUNG

GWhere

A Break for the Disk-Jockey

Out of the box LINUX USER

There are thousands of tools and utilities for Linux. “Out of the box” takes a pick of the bunch and each month suggests a little program, which we feel is either absolutely indispensable or unduly ignored.

OUT OF THE BOX

Figure 1: The Volume Name is important to the success or failure of a search operation

possible, will automagically open your CD-ROM tray after finishing the index.

Categorized and Described

If you have had more than your fair share of CD diskjockeying, you will probably want to save the index using File/Save in the main menu. While you are waiting, you might like to define some keywords for your CD collection under Action / Edit Categories (Figure 2). Type the keyword in Category Name, and add a few explanatory comments in Description, before clicking on Add to add the entry to the Category List. Editing categories you entered previously can be more challenging.

To do so, you first select the list entry and then click on the Update button.

This toggles the Add button in Figure 2 to Update. Click on this button when you have finished editing the keyword file.

Clicking on the Catalog tab not only reveals the current collection of indexed CDs, allowing you to navigate them, but you can also add metadata. Right click with the mouse to open a menu, allowing you to add a keyword and a description for every directory and file via the Properties dialog box (Figure 3).

The Joy (and Pain) of Search Ops

Don’t forget the program’s current state of development before you get too enthusiastic about entering metadata. Although the Search tab (Figure 4) theoretically allows you to search by description only, this feature does not seem to be available at present – neither are the functions for searching by media name (Disk), or by keyword (Category).

If you prefer not to search by full name, you can activate the Regular Expression feature. This allows GWhere to find any files containing the png string, such as libpng.so.2 or top-bg.png.

If you are only interested in PNG images with the png or PNG suffix, you can use a dollar sign to indicate the end of the string and search for png$. If you also select Upper/Lower Case, GWhere will respect the case of your search string: In this case a capital letter will find only those files that have a capital letter at the appropriate position in their names.

The program has an annoying habit if a search op fails to find a result: it has no progress indicator, no status message and no way of knowing whether the search op is still in progress or has failed.

This kind of inconsistency in the user interface certainly keeps you on your toes, but in our opinion GWhere is indispensable for anyone just starting to lose track of their CD collection. It is a pity that GWhere can only maintain a single index file, as you really do need two catalog files to avoid mixing up your MP3 collection and your Linux Magazine CDs. But on the upside, you can always run multiple parallel GWhere processes if you require. ■


[1] Christian Perle: “Say Hello Wave Goodbye”, Linux Magazine Issue 22, p78.

INFO

Figure 3: If required, you can add a description and a keyword to every file

Figure 2: The dialog for adding keyword categories is not exactly intuitive

Figure 4: Searching for PNG files

; (Semicolon): A semicolon between two commands in the command line has the same effect as pressing [Enter]: After processing the first command, the second is processed. This allows you to enter a series of short commands in quick succession.

Parentheses: Commands in parentheses are not processed by the current shell, but call a new subshell (which is automatically closed after processing). This allows you to use environment variables to provide a command with its own environment. In our example, the value for LANG only affects the subshell in which GWhere was launched, but not the current working shell. So, in this case, only GWhere would be expected to speak French; other programs called in the current shell (and the shell itself) will continue to use the default setting for LANG.

GLOSSARY

incapable of imagining that they could operate the system.

However, there are still some users who are open to change, and since you would seem to be one of them – after all you are a Linux geek who reads deskTOPia – I would like to introduce you to a radically different concept from the one you are used to the major players providing. I’m talking about UWM, the slightly different Window-Manager of the “Unix Desktop Environment” UDE. The documentation starts with the words: “Starting UWM for the first time you might recognize that it doesn’t only look different from other window managers but also behaves not quite the way most of you would first expect such a system to do. This fact alone might be a reason for some people to throw UWM away and go back to a conventional windowing user interface. Others might start thinking – Some of them might get used to it.”

Mice for Power Users

UWM was not developed with the aim of attracting users on account of its ease of use, but aims to provide more power to the user after you have mastered the first few steps. After all, you do not stay a newbie for ever, and as a power user will soon be looking for ways of making your life simpler.

In contrast to other Window Managers also designed with this clientele in mind, UDE is clearly mouse oriented. If you are looking for a keyboard driven GUI, the current version of UDE is not where you want to be.

From the Archives

Installation should be fairly painless on any Linux distribution. The developers provide both RPMs and Debian packages, as well as the normal source archives, at http://udeproject.sourceforge.net/. The packages available from this site are also on this issue’s subscription CD.

You will definitely need to resort to the sources if the pre-compiled packages do not work for you. This should not prove too much of an obstacle: UDE merely uses your X server’s functionality and

Once upon a time the world was full of competing computer systems. Some of them lived in the land of Atari, others were friends of the Commodore, and another little group kept a big Apple company. All of them were convinced they were doing the right thing – and you know what? They were right.

But one fine day, Bill, the demagogue, took a journey. He visited numerous countries, on his way collecting a few subjects who had made life worth living in their old homelands, from each country. He invited them to perfect his own country. And finally in 1995, the gates to the country of “Windows 95” were opened. The lure of this country was heard in countries far afield, and thus more and more users rushed in to see this country’s promise for themselves. And the applause was so loud that they stayed.

Strange Lands

Of course, there were consequences: The inhabitants of this country have been conditioned ever since. If a system does not offer known elements, such as a taskbar or start menu, window buttons or desktop icons, these poor users are

And the last will be first – as we learned from the Bible. With this in mind a new desktop environment has wended its way to Linux land, and its patron saint, the “Ultimate Window Manager”, is now ready for a test run on your desktop. BY JOACHIM MOSKALEWSKI

Jo’s alternative Desktop: UDE

All together

Only you can decide how your desktop looks. With deskTOPia we regularly take you with us on a journey into the land of window managers and desktop environments, presenting the useful and the colorful viewers and pretty toys.

DESKTOPIA

Friedrich Keller, visipix.com

deskTOPia LINUX USER

thus does not require any specialized packages. Users of older distributions may need to install a separate package to support XPM images. You will need the make tool, the gcc compiler, and the developer package for the X Window System (but you will probably already have installed these items, if you occasionally need to install graphics software off the Internet).

Starting Blocks

Before you can really profit from the UDE that you install, you will first need to take another hurdle: launching your X Window System with uwm instead of your original Window Manager. Unfortunately, the way to do that differs from distribution to distribution.

As a rule of thumb: If you launch the graphic interface manually, by typing the startx command, the ~/.xinitrc file is parsed. If you log on in graphic mode, this will be the ~/.xsession file. If you can’t find these files, you can simply create them. The contents of both files are identical. Since the Window Manager, UWM, is a core component of the UDE environment, you simply need a single call to uwm – the program will take care of everything else itself.

The Listing (p78) shows an example of an X start file.

Don’t forget to set the access privileges with chmod 700 .xinitrc or chmod 700 .xsession. Otherwise, the script will not run on some distributions. The next time you start your X Window System, you can expect to see the Unix Desktop Environment.

Clean

UDE displays a completely empty desktop at first. No buttons, no menus, and no icons saying “Click me!”. The UDE developers insist that this is intentional, as your desktop should normally be filled with applications and not with a Window Manager.

UDE’s control elements are hidden behind your mouse buttons, so look forward to some finger fuddling exercises. You simply press the right mouse button to open the start menu (Figure 1) and release the button when you have found the application you want to launch.

The option for launching multiple applications with a single mouse action is neat: Keeping the middle button on your mouse held down, click on an application you want to launch. Then move to the next entry and again left click to run it.

Windows are not surrounded by frames – there is merely a heading inside (!) the program window (Figure 2). If you move the mouse to the area with the heading, the heading will simply disappear, reappearing only when the window drops out of the mouse focus.

In Focus or in the Foreground?

When multiple applications begin to fill up your available desktop, you will notice that the interface provides for only “sloppy focus” behavior.

This is where the window you last moved the mouse across will automatically react to any keypresses (focus), but the window will remain in the background – hidden by other applications – until you raise it into the foreground. Focus and raising are two separate concepts in UWM.

A window is raised if you left click its frame, and the focus automatically switches to that window. If you use the middle mouse button instead, the window disappears behind all the other windows – without losing the focus.

The following approach is slightly more complex, but more comfortable in the long run. Click on the window you want to modify with the center key and hold the key down. Now click on the left key to raise the selected window above the others.

If you simply press the center or right mouse key, the window drops down the order. It often makes more sense to “lower” the current, and undesired, window than to raise the desired window. (If your mouse does not have a center button, you will not be able to use this function – and many others; UDE definitely requires a three-key mouse).

Push!

While you hold down the middle mouse button and change the order of your windows,

Window Manager: This program is responsible for window dressing and window functionality – in short for anything that needs to be drawn around an application. Window Managers often include a Start menu or allow you to set the desktop background. In contrast, a Desktop Environment not only contains a Window Manager but also influences your applications.

X Window System: Provides Linux systems with a graphical user interface. Even desktop environments such as KDE or GNOME run as applications on this interface.

GLOSSARY

It is not as if the creators of UDE think that mouseless operations are entirely irrelevant. There is even supposed to be a rudimentary – albeit non user definable – keyboard layout. But the author’s attempts to get this running on his own system were a miserable failure. But still, if you want to try your luck, you can refer to doc/ude-0.2.8/html/node11.html for the theoretical keyboard layout.

Keyboard Shortcuts

Figure 1: A Start menu, but not a bar

Figure 2: The Title Inside

visible and minimized applications the workspace contains. Besides the virtual desktops the Windows menu also contains an entry for Sticky Windows. This submenu contains the applications that you have designated as sticky windows via the Honeycomb. If you switch to an application on another virtual desktop, the sticky window simply stays with you. In other words these windows are omnipresent in all your workspaces.

UDE à la Carte

If you want to configure your desktop, you should copy the files under /usr/local/share/ude/config/* to ~/.ude/config/*:

mkdir -p $HOME/.ude/config
cp /usr/local/share/ude/config/* $HOME/.ude/config/

(The path refers to a standard installation of the source code). UWM will first try to locate its configuration files in ~/.ude/config/uwmrc. If it cannot locate them, the Window Manager then queries the global settings in /usr/local/share/ude/config/uwmrc. You can edit the copies in your own home directory to suit your needs.

However, an error in the configuration file can lead to UWM refusing to launch. To remedy that situation, (temporarily) change to another Window Manager, or repair the configuration file on the character based console. If you don’t have a lot of modifications to lose, you can simply remove the damaged file and/or copy it again.

The copies represent a complete and documented basic configuration: The developers have added a helpful comment for each entry in these files.

The supplied uwmrc consists only of links to other configuration files. If you prefer to do so, you can type the content of the external configuration files here; however, it does make sense to sort the configuration parameters by topic and store them in separate files, when you consider the sheer number of available options.

Virtuality

The default configuration first calls the uwmrc-ws.hook file, which configures the virtual desktops – three are defined by default. Each workspace is then processed individually. By the way, the workspace numbers start at 0 and not at 1. The last valid workspace is always the default workspace, that is number 2 in the original configuration.

Workspace specific colors are somewhat daunting at first glance. They normally take the form 113;140;118, that is, numeric RGB values between 0 and 255 for the colors red, green, and blue. However, instead of this notation, you can also use the hexadecimal values you may recognize from HTML (such as #667788), or even choose self-explanatory colors such as black or plum4 using the xcolorsel tool.

Background

If you want to prevent UDE installing a monochrome desktop background, you can comment out the ScreenColor line by placing a % at the start of the line, to make UWM ignore this entry. If you change your mind later, all you need to do is remove the comment character.

To place an image on your desktop you

78 November 2002 www.linux-magazine.com

you can simultaneously rearrange them. You automatically drag the window as long as you hold the mouse key down. All this functionality certainly takes some getting used to …

When you are placing applications on the desktop, it is quite useful to dock windows by moving one window so close to another that it snaps to the window frame pixel for pixel. UWM positions new windows wherever there is enough room for them: If there is not enough room on the desktop, you are asked where to place the new window.

Sweet

If you left click a window frame, the Honeycomb, which comprises a range of functions, becomes available (Figure 3). Your mouse pointer is surrounded by six icons that replace the normal window buttons. The table on the right provides you with details on their assignments. So to close a window, you just left click a window frame, move the mouse up a bit, and then let go.

So that just leaves the function of the right mouse key when you click a window frame: You can change the window size by right clicking.

Variety of Features

After using the Honeycomb to shrink an application window, you will certainly miss the program icon to restore the window. Well.., there really are no icons! But, you will be okay, if you remember to use the left and center mouse keys on the desktop. Press the center key to open the so-called Windows menu (yes, they really do spell it with an s…).

At this point it is fairly obvious that UWM can handle virtual desktops, like the majority of X11 Window Managers: Each workspace provides a submenu that allows you to view and activate the

Figure 3: Window buttons in the honeycomb

Honeycomb Assignments

Comb         Function
Up           Close Window (regular)
Upper right  Kill window (kill including safety prompt)
Lower right  Sticky Window, also opens the Workspace menu
Down         Maximize window or reset to original size
Lower left   Lower window – hide it behind other windows
Upper left   Shrink window

Virtual Desktop: If your desktop is full of applications, you may have to resort to a virtual desktop, or workspace. Only one workspace is visible on the desktop at any time. If you switch to another desktop, the applications in the original desktop are kept and reappear when you switch back.

Xresources: The traditional method of configuring an application’s appearance. This only works if the toolkit the application is based on respects this method (which Qt and GTK+ do not); multi-application configurations are also possible.

GLOSSARY

#!/bin/sh
LANG=en_US; export LANG
exec uwm

.xinitrc/.xsession

can simply use one of the innumerable Linux tools for this purpose. One example is display, which belongs to the ubiquitous ImageMagick package. The command

display -geometry 1280x1024! -window root image file &

will zoom your image to 1280x1024 pixels and place it on the desktop background. However, this will not permit you to display different backgrounds for your individual workspaces.

You can add this command to StartScript, the autostart file for your Unix Desktop Environment. Make sure you terminate every command in this file with an &, as UWM will otherwise wait for the command to complete… By default the file contains a call to xterm with an informational text. If this starts to get on your nerves, you might like to delete the offending line. The counterpart of the StartScript is the StopScript, which is run when you quit the desktop and unmounts a number of standard devices in the default configuration.

Frames

The next configuration file, uwmrc-layout.hook, is responsible for the appearance of the windows and menus: You can adjust frame widths, 3D effects, and fonts. This area also includes the appearance of your applications, and for this reason you will find a reference to urdb in this file. This “UDE Resource Database” contains workspace specific Xresources (and thus the first clear indication that UDE is intended to be an Environment). If you have defined X resources of your own, or prefer to use your system’s settings, you can disable this line by prepending a % sign.

appmenu is also called in uwmrc-layout.hook. This file describes the start menu available via the right mouse button. Entries take the form

ITEM "Name";"Command";

You can use uwmrc-behaviour.hook to influence your desktop’s behavior. For example, if you set TransientMenus to 0, your start menu will not simply disappear if you forget to hold down the mouse button. You can additionally adjust automatic window positioning in this file.

Cancelled

uwmrc finally refers to uwmrc-user.hook – a non-existent file, as it is reserved for the (few) variant settings required by individual users. But, as you have already stored a whole set of configuration files in your home directory, you will not need this entry.

After saving the changes you made to the configuration files or the start menu, you can restart UDE – without needing to terminate any applications – using the Restart UDE entry in the context menu for the left mouse button.

UDE respects some forgotten Unix concepts. It utilizes the three mouse buttons, supports and uses Xresources, and allows use of a text editor for configuration tasks. The developers are still capable of developing an innovative concept. The mouse jockeying involved is definitely revolutionary. ■


Figure 4a--c: Workspace specific themes by courtesy of urdb

Jo Moskalewski missed out on the purported debauchery of student life and is now a master craftsman. He spends most of his free time trying to save the world, or just meeting up with friends and sun worshiping. On those rare occasions when he takes time out to relax, you will normally find him basking in the euphonic experience of a loudspeaker system that he built himself.

THE AUTHOR

100% guarantee that the file is error free, only that you have a working copy of what was available.

So-called loop devices can be used by the superuser, root, to insert files into the directory tree as if they were hard disks or floppies. You can use mount with the -o loop option to do so. Make sure that you change the syntax in the following example to reflect your own directory structure names!

perle@linux:~/iso> su root
Password: Your_Root_Password
linux:/home/perle/iso # mount -o loop -t iso9660 /this/is/my.iso /mnt/

SuSE users tend to mount in /media or a subdirectory below this level:

mount -o loop -t iso9660 /path/to/my.iso /media/

The complete content of the ISO image is now available below the directory supplied in the last argument, the mount point, exactly like it would be if you burned and mounted a CD with this content later. After verifying the files you can remove the image from the directory tree by typing umount mountpoint and then drop your superuser status by typing exit.

If you want to ensure that an ISO file you downloaded to your home PC is error free, you can compare the checksum of the original file with the

Before burning the ISOs I just downloaded off the Internet to CD, I would like to check whether the files are 100% error free. What Linux program can I use to do so?

Dr. Linux: One possible way of verifying an ISO image is to mount the file. If this works, you can assume that the data was transferred correctly during download, but this does not give you a

Is your CD image file or floppy in good working order? Doctor Linux can help you find out.

BY MARIANNE WACHHOLZ

Dr. Linux

Safe and Sound


Complicated organisms, which is just what Linux systems are, have some little complaints all of their own. Dr. Linux observes the patients in the Linux newsgroups, issues prescriptions here for the latest problems and proposes alternative healing methods.

Doctor Linux


checksum of the file you downloaded. The checksum is a numerical value calculated by an algorithm with reference to the total sum of the bits that the file contains.

There are various programs for calculating checksums, such as sum or cksum. As they all use different algorithms, the checksums created by them are not compatible, so you will need to use the same tool to create your checksum as was used to create the checksum for the original file.

At present you will almost always discover that the MD5 algorithm [1] has been used to checksum a downloadable file. The md5sum program is included as a standard component of all known Linux distributions. md5sum creates a 128 bit value for any file.

Checksums are typically stored in files ending in .md5 or .md5sum on FTP or web servers (Figure 1):

ddee9456051785ebdd92f3d28a033e61  gentoo-ix86-1.2.iso

MD5 checksum files thus contain only a few bytes – in contrast to ISO images – and it makes sense to save them in the same directory as the file used to create them. Sometimes administrators will collate several checksums to a single file or add them to files, such as Readme.txt or the like.

It is more or less impossible to generate the same checksum for two different files with md5sum. Even the slightest change to a file – and this could be caused by a transmission error – will immediately lead to a different checksum as the sum of the bits will now be different.

The uniqueness of checksums, which are often referred to as fingerprints, is used by administrators to discover system manipulations caused by files that have been injected or exchanged.

How can you verify a checksum that you have just downloaded? To see how this works let us look at this process using an ISO file from Gentoo Linux [2] as an example:

perle@linux:~/iso> ls -l
insgesamt 16540
-rw-r--r-- 1 perle users 16908288 Jun 23 13:48 gentoo-ix86-1.2.iso
-rw-r--r-- 1 perle users 54 Jun 23 13:49 gentoo-ix86-1.2.iso.md5

The ISO image and the corresponding MD5 file are both stored in the current working directory (in this case, /iso). We now want to pass the checksum file to the /usr/bin/md5sum program with the -c (“check”) flag set. If everything turns out okay, the answer will be a single ok:

perle@linux:~/iso> md5sum -c gentoo-ix86-1.2.iso.md5
gentoo-ix86-1.2.iso: Ok

If the file, however, fails the test, md5sum issues a warning:

perle@linux:~/iso> md5sum -c gentoo-ix86-1.2.iso.md5
gentoo-ix86-1.2.iso: Error
md5sum: Warning: 1 of 1 calculated checksums did NOT match


ISOs: Popular expression for files whose file system reflects the system independent ISO 9660 standard, which is used for burning CD-ROMs.

Mount: Storage media are inserted into the Linux file system tree by means of the mount command, which requires root access. Before removing a mounted CD or floppy from the drive, you will need to issue the umount command. Access to hard disk partitions can also be disabled in this way on Linux. The sysadmin can use the /etc/fstab file to allow unprivileged users to insert or remove certain media, such as CD-ROMs for example.

su: You can use the “su username” command to assume the identity and rights of the selected user in the shell. After entering the correct password, you are returned to the current directory, but with the privileges of a superuser, for example, and can carry on working with root privileges.

e2fsck: This command-line tool verifies, and if needed (and possible), repairs Extended 2 file systems. This was the standard file system type for most Linux hard disk partitions, although many distributors have now switched to more modern file systems, such as the successor Ext3 or ReiserFS.

GLOSSARY

Figure 1: Knoppix ISO files [3] and their md5sum files

If your distribution happens not to include md5sum, you can download it from [4]; type md5sum as a search key. The program is part of the Text utilities package. Additional information is available from the GNU project at [5].

Error Free?

I have a few older floppies that I would like to use as “single floppy Linux” versions or boot disks. How can I ensure that there are no bad blocks hiding on these disks?

Dr. Linux: You would normally want to use the /sbin/badblocks tool to ensure that there are no bad blocks on the disk. This tool is part of a collection designed for verifying, maintaining and creating file systems on (almost) any Linux system. Maintenance programs, such as e2fsck, can process the output from badblocks. As you would normally only want to use floppies that are free from errors (although there might be some strange reason for using a damaged disk), we are not going to look into possible repair procedures in this article.

If you want to test a floppy with badblocks, it must not be mounted in the Linux directory tree. As superuser privileges are required to access the floppy, you may need to prefix the badblocks call with a call to su using the -c flag. This ensures that only the ensuing command, which must be enclosed in quotes, will be executed with root privileges.

You can use the badblocks option -s (“show”) to show which block the program is currently processing. The -v flag (“verbose”) will keep you up to date on the program’s activity. But you are still on the safe side if you leave out these options as a message is given when a bad block is found.

According to the man page, you need to specify the number of blocks to check, but since floppies are verified by reference to the corresponding device file, you can leave this parameter out:

perle@linux:~> su -c "/sbin/badblocks -s -v /dev/fd0"
Password: Your_Root_Password
Checking for bad blocks in read-only mode
From block 0 to 1440
Checking for bad blocks (read-only test): 16/ 1440

In our example the program is currently testing blocks 16 through 1440. If the result is negative, that is, when there are no bad blocks, the program will report back to us with

Pass completed, 0 bad blocks found.

If the MD5 value is included in a readme file, you need to create a checksum yourself before you can compare it: pass the name of the ISO file to md5sum and verify the results visually:

perle@linux:~/iso> md5sum gentoo-ix86-1.2.iso
ddee9456051785ebdd92f3d28a033e61  gentoo-ix86-1.2.iso
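The two checks described in this column (md5sum -c against a .md5 file, and the manual comparison with a value quoted in a readme) combined into one helper, as an added example that is not part of the original article. The function names and the sample file and readme are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a download against a published MD5 value, whether it
# sits in a .md5 file or inside a readme. Function names are hypothetical.
# MD5 catches transmission errors, the use described in this column; it does
# not resist deliberate collisions, so it is no proof against tampering.

# extract_md5 CHECKSUM_FILE NAME
# Print the first 32-hex-digit value on a line that also mentions NAME.
# Handles "hash  name", "hash *name" and free text such as
# "MD5 (name) = HASH."; a hash on a different line than NAME is not found.
extract_md5() {
    awk -v name="$2" '
        index($0, name) {
            for (i = 1; i <= NF; i++) {
                f = $i
                sub(/[.,;:)]+$/, "", f)     # drop trailing punctuation
                if (length(f) == 32 && f ~ /^[0-9A-Fa-f]+$/) {
                    print tolower(f)        # compare case-insensitively
                    exit
                }
            }
        }' "$1"
}

# verify_md5 DATA_FILE CHECKSUM_FILE
# Returns 0 on match, 1 on mismatch, 2 if no checksum for the file was found.
verify_md5() {
    expected=$(extract_md5 "$2" "$(basename "$1")")
    [ -n "$expected" ] || return 2
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

demo_md5() {
    tmp=$(mktemp -d) || return 1
    printf 'hello\n' > "$tmp/sample.iso"    # constructed stand-in for an ISO
    # constructed readme: hash in upper case, followed by a full stop
    echo "MD5 for sample.iso: B1946AC92492D2347C6235B8B2696A59." > "$tmp/Readme.txt"
    verify_md5 "$tmp/sample.iso" "$tmp/Readme.txt" && echo "sample.iso: OK"
    printf 'x' >> "$tmp/sample.iso"         # simulate a transmission error
    verify_md5 "$tmp/sample.iso" "$tmp/Readme.txt" || echo "sample.iso: MISMATCH"
    rm -rf "$tmp"
}
demo_md5
```

The return code 2 keeps "no checksum found" apart from "checksum wrong", so a readme that does not mention the file is not mistaken for a damaged download.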


perle@linux:~> su -c "/sbin/badblocks -s -v /dev/fd0 1722"
Password: Your_Root_Password
Checking for bad blocks in read-only mode
From block 0 to 1722
Checking for bad blocks (read-only test): 1440 1408/ 1722
1441
1442
[...]
1720
1721
done
Pass completed, 282 bad blocks found.

Listing 3: Ostensible bad blocks due to an incorrect floppy device

perle@linux:~> su -c "/sbin/badblocks -s -v /dev/fd0"
Password: Your_Root_Password
Checking for bad blocks in read-only mode
From block 0 to 1440
Checking for bad blocks (read-only test): 12 0/ 1440
13 13/ 1440
14
15 15/ 1440
done
Pass completed, 4 bad blocks found.

Listing 1: 1.44 MB Floppy with Bad Blocks

perle@maxi:~> ls -al /dev | less
[...]
brw-rw---- 1 root disk 2, 0 Jun 6 17:13 fd0
brw-rw---- 1 root disk 2, 36 Sep 24 2001 fd0CompaQ
brw-r--r-- 1 root root 2, 60 Jun 28 14:28 fd0H1722
brw-rw---- 1 root disk 2, 4 Sep 24 2001 fd0d360
brw-rw---- 1 root disk 2, 8 Sep 24 2001 fd0h1200
[...]

Listing 2: Major and Minor Numbers for Floppy Devices

perle@linux:~> su -c "/sbin/badblocks -v /dev/fd0H1722"
Password: Your_Root_Password
Checking for bad blocks in read-only mode
From block 0 to 1722
Pass completed, 0 bad blocks found.

Listing 4: Checking a 1722 kb floppy with badblocks


(provided you specified the -v option). In case of positive results, the bad blocks will be listed – refer to Listing 1, where blocks 12-15 are reported. In this case the program will report: Pass completed, 4 bad blocks found.

The Floppy Format Odyssey

My floppies have been through it all – all those attempts to increase their capacity by using different formats. But badblocks always shows an incredible number of bad blocks in this case, although they are not displayed if I stick to the standard 1440 kb format.

Dr. Linux: If the device file you supply does not match the low level format of the disk, badblocks will return with gibberish. Additionally, assigning the wrong device file can endanger your hardware. Avoid using device files that are inappropriate for your hardware type!

Various floppy drives can be accessed via the device files in the /dev directory. They all have the major device number 2. The minor device number represents a floppy format for this type of hardware (see Box 1). If you list the directory /dev, you are shown the major and minor numbers of the devices instead of file sizes. Listing 2 shows an example; you should not assume that it will be similar to the device files on your own system.

The kernel relies on this information to recognize the format when a floppy is opened and passes this information on to the relevant programs.

Let’s look at an example to see how badly a verification with badblocks can go wrong if you supply the wrong device file: A floppy has been low level formatted using the fdformat program, and now has a capacity of 1722 kB:

perle@linux:~> su -c "fdformat /dev/fd0H1722"
Password: Your_Root_Password
Double sided, 82 tracks, 21 sectors/track, total capacity: 1722kB.
Formating ... done
Checking ... done

Now you take the floppy out of the drive and insert it again to suggest to the kernel that a new medium has been inserted. When verifying the disk with badblocks, you mistakenly refer to the device as /dev/fd0, although you supply the correct number of blocks to be processed.

As a result 282 bad blocks are shown – blocks 1440 through 1721. That is, the blocks that exceed the capacity of /dev/fd0 (1440 blocks in the case of high density floppies) (Listing 3).

If you now choose the right device file, the floppy passes the test, as you would expect – refer to Listing 4 for details. ■
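The misdiagnosis from Listing 3 can be recognised mechanically, shown here as an added example that is not part of the original column: given the bad-block list that badblocks writes with its -o option and the capacity of the device file that was tested, the helper reports whether every reported block lies beyond that capacity. The function names and the two sample lists are constructed; the geometry values are taken from Box 1.

```shell
#!/bin/sh
# Added example: tell real media defects from the "wrong device file"
# result shown in Listing 3. Function names are hypothetical.

# capacity_blocks CYL SECT HEADS
# Capacity in 1 KB blocks (the default badblocks block size), from the
# geometry columns of Box 1: 512-byte sectors, two sectors per block.
capacity_blocks() {
    echo $(( $1 * $2 * $3 * 512 / 1024 ))
}

# classify_badblocks LIST CAPACITY
# LIST holds one bad block number per line, as written by "badblocks -o".
# CAPACITY is the block count of the device file that was tested.
classify_badblocks() {
    awk -v cap="$2" '
        /^[0-9]+$/ {
            total++
            if ($1 + 0 >= cap) beyond++; else inside++
        }
        END {
            if (total == 0)        print "clean"
            else if (inside == 0)  print "beyond-capacity"  # wrong device file likely
            else if (beyond == 0)  print "media-defect"     # genuine bad blocks
            else                   print "mixed"
        }' "$1"
}

demo_badblocks() {
    tmp=$(mktemp -d) || return 1
    # constructed list: blocks 1440..1721, the range reported in Listing 3
    awk 'BEGIN { for (b = 1440; b <= 1721; b++) print b }' > "$tmp/listing3.txt"
    # constructed list: blocks 12..15, the range reported in Listing 1
    printf '12\n13\n14\n15\n' > "$tmp/listing1.txt"
    fd0=$(capacity_blocks 80 18 2)          # geometry of fdnH1440 in Box 1
    echo "fd0 capacity:   $fd0 blocks"
    echo "Listing 3 case: $(classify_badblocks "$tmp/listing3.txt" "$fd0")"
    echo "Listing 1 case: $(classify_badblocks "$tmp/listing1.txt" "$fd0")"
    rm -rf "$tmp"
}
demo_badblocks
```

A "beyond-capacity" result means the list says nothing about the medium itself; the test has to be repeated with the device file that matches the low level format.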


[1] RFC 1321: http://www.fourmilab.ch/md5/rfc1321.html

[2] Gentoo Linux: http://gentoo.org/

[3] Knoppix Download: http://download.linuxtag.org/knoppix/

[4] GNU Software: http://www.gnu.org/directory/

[5] Text Utilities: http://www.gnu.org/software/textutils/textutils.html

INFO

The manpage for fd (“floppy disk”) devices specifies over 30 different device files that can be used to access floppy drives, including some fairly obscure 5.25 inch drives. The following short excerpt shows just a few of the various possibilities:

In the following list n refers to the drive number: 0 for the first drive, 1 for the second, and so on:

3.5 Inch High Density Devices:

Name      Capac   Cyl  Sect  Heads  Minor Base #
fdnH360    360K    40     9      2    12
fdnH720    720K    80     9      2    16
fdnH820    820K    82    10      2    52
fdnH830    830K    83    10      2    68
fdnH1440  1440K    80    18      2    28
fdnH1600  1600K    80    20      2   124
fdnH1680  1680K    80    21      2    44
fdnH1722  1722K    82    21      2    60
fdnH1743  1743K    83    21      2    76
fdnH1760  1760K    80    22      2    96
fdnH1840  1840K    80    23      2   116
fdnH1920  1920K    80    24      2   100

Box 1: Floppy Disk Device Types

Figure 2: Gentoo Linux desktop

Low level format: This does not mean writing a file system (minix, msdos) to the disk, but defining tracks and sectors. Disks with “raw” formats of this type can be written to using tar or dd.

Major and Minor Numbers: When a program accesses a device file, two numbers are passed to the kernel to indicate the request. The major number typically refers to a particular kernel driver and the minor number to the device for which access is required. This is why all the device files for the serial port have the same major number, but different minor numbers. In short, the kernel uses the major number to pass the request to the appropriate driver, and the driver uses the minor number to determine the device that needs servicing. There are a few exceptions but normal Linux users will normally not come across them.

GLOSSARY

lifeforms, no less. To this end, the SETI@Home client analyzes a 100 second recording with a bandwidth of 10 kHz from a radio-telescope in Puerto Rico seeking signs of intergalactic radio transmissions. As the telescope rotates in relation to possible extra-terrestrial radio sources, the client searches for a signal that matches a Gaussian beam pattern. Additionally, the software has to consider doppler effects, recognize pulsed signals, and come to terms with the increasing number of terrestrial transmissions. Due to the enormous number of volunteers, SETI@Home can evaluate each package more than once, and thus eliminate errors or attempted manipulation. And thanks to the sheer bulk of data evaluated, it is also possible to filter out radio signals that occupy constant positions in the sky – unfortunately most of these permanent signals turn out to be terrestrial. The SETI software normally runs in character-based mode on Linux, but you can stipulate the -graphics option to relay your results to the GUI version, xsetiathome. If you want to run SETI@Home permanently as a background task, you might like to try the -nice 19 option, which reduces the client program’s priority. Why “nice”? Well the program gets out of the way if other programs need more CPU cycles. Apart


Even though the daily blurb from various computer and chip manufacturers might suggest that your computer needs even more power, you will in fact very rarely need to tax your CPU to the limit. The average PC has only a moderate load most of the time. In addition to CPU cycles most PCs have some bandwidth to spare, allowing them to coordinate processing tasks with other PCs. In this way, millions of PCs can be linked up to work in parallel on jobs that would normally require a supercomputer at an exorbitant asking price.

Nearly all of the distributed computing projects discussed in this article are available for Linux in the form of tar.gz archives and can be unpacked in the usual way.

tar -zxvf archive.tar.gz

Since the client source code is typically not included, there is no need to compile it – just launch the client instead. But you could even leave that task to another program called cron – refer to the Cron Setup inset for more information.

Cylon Radio

Probably the most famous distributed computing project with over 3.9 million users is SETI@Home [1]. SETI@Home has set itself the daunting task of searching for intelligent, extraterrestrial

A variety of projects with completely different goals are currently competing for the use of the latent processing power of home PCs. This article provides an overview of the more interesting efforts.

BY BJÖRN GANSLANDT

Distributed Computing on Linux

Hertz Donors


from xsetiathome there are a variety of other programs that convert the results to graphics, allowing you to insert them into the KDE panel. Try Freshmeat, if you are interested in finding a few [2].

Crack the Code

Distributed.net [3] are currently working in parallel on several mathematical tasks, and in contrast to SETI@Home they can point to a number of problems they have solved in the past. The project was able to crack DES and/or CSC encrypted messages in a record time. Currently Distributed.net are taking part in the RC5-64 competition – in contrast to other competitions, the participants are required to test a maximum of 2^64 keys, compared to 2^56 previously, and that certainly requires an enormous amount of processing power. You are more likely to be struck by lightning while winning the national lottery than find the right key with your first guess. However, you do get to keep US $2,000 of the prize money, if you are the lucky finder. The rest of the prize money – which was sponsored by RSA – will go to Distributed.net, which is a non-profit organization, and if you are a member, to your local Distributed.net group.

The second active project at Distributed.net is the search for an Optimal Golomb Ruler with 24 or 25 integers, where the integers must be non-negative such that no two distinct pairs of numbers from the set have the same difference. An Optimal Golomb Ruler is the shortest Golomb Ruler possible for a given number of marks. OGRs have many applications, including combinatorial functions, and in the field of interference phenomena.

Distributed.net also offers a console based client that does not impact your bandwidth or CPU cycles as heavily as SETI@Home. You can either configure the program after first launch or use the manual -config option. The configuration options allow you to set the priority for various projects and change the size of the work packages. You can also use the -install option to automatically add the program to /etc/init.d/ and assign the appropriate runlevel, allowing it to be launched whenever you start your computer – until you remove it, with the -uninstall option, that is.

More Maths: Prime Numbers

GIMPS [4] is another mathematical project, and they are looking for prime numbers this time – prime numbers of the form 2^p-1, where p is also a prime number, to be more precise. This type of prime number is referred to as a Mersenne prime number, named after the French monk and mathematician. The Electronic Frontier Foundation has put up a prize for the first prime number with at least 10 million digits, but GIMPS is not the only project seeking large prime numbers, and you need a lot of CPU cycles to find, or verify one.

The ECCp-109 project [5] has entered yet another cryptography competition with slim chances of prize money. In contrast to RC5-64 this competition is not about symmetrical algorithms but an asymmetrical (Public Key) algorithm based on elliptic curves, where both a Public and a Private key exist. Encryption algorithms based on elliptic curves have the advantage of shorter keys and higher speeds when compared with traditional techniques like RSA or Elgamal, as used by PGP or GPG; however, more research is required on this subject.

Power Chess with Clusters

The success of computers such as Deep Blue or Deep Fritz (who has been battling it out with the reigning (BGN)


Figure 1: Xsetiathome visualizes the search for extraterrestrial radio signals

Figure 2: Any possible distances between two numbers on a Golomb Ruler must be of a different length

Cron can be used to launch and terminate other programs at pre-defined times. You can use crontab -e to define tasks for the daemon. This command will load the editor defined in your $VISUAL or $EDITOR environment variable – use export EDITOR=editor, if you want to change this setting. The following entry launches a program at 8.00 pm every day and terminates the program at 9.00 am. The >/dev/null 2>&1 string sends the program’s output to the null device; cron would otherwise want to email this output to the user. The order matters: with 2>&1 placed in front of >/dev/null, error messages would still reach cron and be mailed. If you use the “@reboot” parameter instead of specifying a schedule, cron will launch the designated program when you reboot your system – you can type man 5 crontab for additional information on the crontab format.

00 20 * * * cd mydirectory; ./CLIENT >/dev/null 2>&1
00 9 * * * killall CLIENT

Cron Setup

of genetic research, such as the quest to decrypt the human genome. Research into proteins and corresponding genetic sequences is the aim of two partner projects: Folding@Home [7] and Genome@Home [8], which recently united to form a single client. Folding@Home is specifically concerned with the folding process of proteins, whose deciphering could mean a breakthrough both in medicine and in nanotechnology. Genome@Home works with known protein structures and attempts to calculate appropriate, synthetic genetic sequences that allow genetic researchers to gain a better understanding of natural genetic sequences. Although Genome@Home has been integrated in the Folding@Home client, you can specify a Genome@Home team number (over 100,000) to work exclusively on the former project. Additionally, the original client is still available as Genome@Home Classic. However, before you can run the integrated client, you will need to make it executable by typing:

chmod +x FAH3Console-v312-Linux.exe

Another project working on proteins is Distributed Folding [9]. The procedure here is different to that followed by Folding@Home – the focus of Distributed Folding is on predicting protein structures, rather than folding. The folding process is particularly relevant to diseases such as Alzheimer’s or Creutzfeldt-Jakob, that may occur in the context of proteins whose folding characteristics deviate from the norm.

Although most of the projects discussed so far are available as (more or less attractive) Windows screensavers, Linux users normally have to be content with boring text based interfaces that only occasionally issue a cryptic comment on the progress they are making. The Electric Sheep screensaver [10], which was inspired by Philip K. Dick’s book “Do Androids Dream of Electric Sheep” – as was the movie “Blade Runner” – is a notable exception. Of course computers don’t count normal sheep, but instead use their processing power to create animated, fractal flames. In contrast to the other projects discussed, Electric Sheep provides both the source code and RPMs, allowing you to install the screensaver directly to your GNOME control center. If you do not use GNOME, you can type the following line to add Electric Sheep to the “programs:” section of “~/.xscreensaver”:

"ElectricSheep" electricsheep \n\

The animations are sent to a central server that then returns the animation as an MPEG video to Electric Sheep screensavers all over the globe. Unfortunately, the volume of traffic involved restricts usage to those fortunate enough to have a DSL flat rate or similar Internet link. ■


Chess world champion Wladimir Kramnik in October, assisted only by a team of eight professors) has shown that computers with a certain amount of processing power are extremely difficult to beat. The Chessbrain project, which is quite recent, is looking into the prospect of a powerful chess computer (see [6]) and has recently reached the first of four designated development stages. Chessbrain will not become a really powerful competitor until it reaches phase 3 – the work currently in progress primarily concerns the distributed infrastructure. One of the most fascinating aspects of this project is the use of the SOAP protocol to transfer data to the clients, or so-called PeerNodes. As SOAP can now be processed by FlashMX, Chessbrain not only offers the PeerNode software, but also various viewers based on Flash or PHP, for example, that allow you to view the current game. However, you will need a flat rate if you intend to sign up for this project, as the PeerNode continually accesses the server.

Proteins

Super computers are also important to medicine and play a vital role in the field


Figure 4: Electric Sheep calculates fractal flames

[1] http://setiathome.ssl.berkeley.edu

[2] http://freshmeat.net

[3] http://distributed.net

[4] http://www.mersenne.org/prime.htm

[5] http://www.nd.edu/~cmonico/eccp109/

[6] http://chessbrain.net

[7] http://folding.stanford.edu

[8] http://gah.stanford.edu

[9] http://www.distributedfolding.org

[10] http://www.electricsheep.org

INFO

Figure 3: Predicting protein structures from distributedfolding.org

BY ANNETTE MERISTE

timers” like IETF’s Harald Alvestrand, Stig S. Bakken of The PHP Group or GNUS-guru Lars Magne Ingebrigtsen as well as young DeCSS-hacker Jon Lech Johansen and Qt-company Trolltech AS. Exemplarily, coding was not the only reputation that counted: three of the 34 nominees, namely Gaute Hvoslef Kvalnes (who is also a member of Skolelinuxprosjektet), Kjartan Maraas and Roy-Magne Mo, have been translating KDE and GNOME, respectively, into either Bokmål or Nynorsk.

Last but not least, the Norwegian Secretary of Labor, Victor D. Norman, was nominated due to his decision to no longer extend the state’s purchasing deal with Microsoft. ■

http://www.nuug.no/prisen
http://skolelinux.no


Scandinavia’s Open Source scene has a new prize to celebrate: For the first time, the Norwegian Unix Users Group (NUUG) and Oslo University College “Høgskolen i Oslo” awarded the Norwegian Free Software Prize. After a ceremony held in Norway’s capital Oslo on October 7th, the lucky winner “Skolelinuxprosjektet” took home a cheque for NOK 30,000 (approximately EUR 4,115).

The winning project brings together contributors from all over Norway and develops a Linux distribution for Norwegian schools aiming at easy installation and maintenance as well as availability in the two Norwegian literary languages (Bokmål and Nynorsk) and the Saami language. Amongst the nominees were well-known Unix “old-

Norwegian Award for Linux in schools BY PATRICIA JUNG

Second Luxembourg LinuxDays


The second Luxembourg LinuxDays took place at the beginning of October, this year’s venue being the IST (Institute Superiéur de Technologié). The conference was organized by a group of scientists from the Henry Tudor Institute in cooperation with the Linux User Group for Luxembourg and sponsored, among others, by the Ministry of Economy and Linux Magazine.

Luxembourg’s Minister of the Economy, Mr. Henri Grethen, opened the series of lectures comprising a total of six topics. The Cluster Track included a number of interesting talks with Hubert Feyrer from NetBSD giving a lecture on a cluster project for rendering video material, and the sight of a cluster comprising 45 computers was quite impressive.

As usual, the Debian booth attracted quite a lot of attention. Andreas Tille from Debian also held two talks on the Project Track, one of them on Debian-Med, which was initiated to promote the use of Open Source Software in the area of medicine. But the highlight of the first day had to be the social event that took place subsequently in Luxembourg city center.

The second day saw the focus switch to security, embedded Linux and projects. The Security Track provided a platform for topics such as penetration testing, kernel security as well as high speed packet filtering.

The LinuxDays culminated in a footnote by Jon ‘Maddog’ Hall, the President of Linux International. In addition to a look back at the annals of history, Jon also presented a number of projects that relied on Open Source Software to guarantee cost-efficiency and discussed the potential for integrating free software into business models. He placed particular emphasis on the distribution of Open Source Software in government and provided some useful insights on putting the advantages of it across to a government audience.

One thing is for certain, the organizers definitely achieved their goal of promoting Linux amongst Luxembourg’s enterprises while simultaneously keeping track of the latest Open Source projects. ■

http://www.linuxday.lu

The 9 and 10 October saw London’sOlympia exhibition hall once againplaying host to Linux Expo UK,

sponsored in part by Linux Magazine.The Linux market is still in a state of

flux, the same state it was to be found inlast year. But last year Linux had muchhype to live up to and the Linux Expoevent failed to draw the crowds most hadhoped for.

This years event was smaller, takingthe 1st floor of Olympia hall 2, and wasrun in conjuction with WebSolutionsExpo taking the ground floor. This wasan interesting combination because itwent on to highlight the growing numberof Web Application providers that arestarting to use Linux for their day to daybusiness, with some even consideringthemselves to be on the wrong flooronce the expo had started.

One such company was Jool Ltd,whose MD, Anjula Perera, took time totell me about his range of Linux poweredservers and the success they had usingtheir smallest server to power a majorapplication, running the networkservices of the Labour Party conferencein Blackpool. Their Kwartz servers,which stand out from the crowd becauseof their unusual 270x190x160mm formfactor and brushed Aluminium andPerspex finish, was able tocope with over 2,500 trans-actions through the Oracleapplication it was handling.

While the event was smaller, there was a definite buzz of excitement for the two days. As was the case last year, space was set aside for the Open Source and community element that Linux relies on so heavily. The Debian team must have given away lots of Knoppix 3.1 disks, which will prove to be an excellent introduction to those who wanted to see some of the power that a Linux distribution can put forward with the minimum of fuss, as it is able to boot and run completely from the CD-ROM, no installation to a hard disk is necessary.

Sharp had pitched in with the Greater London Linux User Group to help pass on their new Linux PDA, the SL-5500 at a considerable discount, while the guys on the Lonix stand showed off their true colours by spending most of the two days playing Unreal Tournament 2003 and inviting passers by to join them for drinks after the show.

The developers from the Rosegarden project were on hand, showing how Linux was capable of making it in the music studio with their composition and sequencing applications.

Helping friends

The show had attracted some of the biggest players in the IT industry, with Sun and HP both showing off their ranges of Linux servers and applications. Their large stands helped to accommodate some of the other vendors. Sun had given over room for people like SuSE and SCO. Some people may find it hard to imagine why competing companies, at least for the moment, are prepared to share stand space together. I see it in an opposite light and find it refreshing that partnerships and strategic alliances can stand together.

Enterprise Management Consulting told us about their new development of ‘The Linux Centre’, a purpose built call centre to house up to 40 technical support staff. Technical support is one of the major issues that seem to hold back prospective migration. Initiatives like ‘The Linux Centre’ must add weight to the total solutions that corporate business demand from their systems, proving that Linux really can be considered as an alternative.

Business case

The Expo organisers had a fiendish plan for rolling conference talks, which fell into three tracks. The first of these tracks took place in the ‘Enterprise Linux Case Study Theatre’, which allowed the senior IT decision makers, those with the cheque books, to evaluate the possibilities Linux might offer their business operations.

The ‘Product Education Theatre’, the second of these tracks, gave vendors the chance to speak to groups of interested punters, pitching their products. Practical, hands on advice and help was available from the third track, made up of the user groups and developer community. This seemed to work well, but many of the big name vendors also had set up facilities for their close partners to do the same, as part of their own stands. This made it difficult to catch all of the presentations one might have wanted to, but it did alleviate the desperate crushes experienced last year in the all too small theatre.

No one seemed disappointed to have attended the event, there was a real buzz and people thought they were on the crest of something big. I’m looking forward to the next expo. ■


BY COLIN MURPHY

UK’s largest Linux Exhibition and Conference

A chance to meet

COMMUNITY Linux Expo UK

Given that development on GpsDrive only began in August 2001, making the project just one year old, the list of features is quite amazing. One of the most unusual ones is clearly the “friendsd” server, which allows friends to share their positions, so that each can also display the positions of the others.

GpsDrive was written in C with the GTK+ toolkit and even though it is already quite stable, it is still under development. Points of interest for future development are a real street navigation and also speech input.

It works with all Garmin GPS receivers which allow for serial output, as well as GPS receivers supporting the NMEA protocol, and is usually used on laptops, where it has been tested under GNU/Linux and FreeBSD.

But of course PDAs in particular would be interesting platforms for such applications, and owners of the Compaq iPAQ and the Yopy may be happy, because GpsDrive has been used successfully on those. Although GpsDrive has already been localized for 10 languages, translation into other languages is an area in which Fritz especially seeks help to make his project accessible to as many people as possible.

GNU SpaceChart

GNU SpaceChart [3] by Miguel Coca, a relatively new package of the GNU Project, also helps with keeping one’s orientation, although its practical application would be planning of intergalactic by-pass roads. In fact it was the interest in science fiction stories and their “original locations” that made Miguel work on SpaceChart. GNU SpaceChart is a program for star cartography that is not restricted to displaying two-dimensional images of the nightly sky or some constellations; rather, it visualizes the position of stars in the sky, as can be seen in the screenshot to the right. The user can look at the sun or another star from a large distance and, through tunable filters, determine which kinds of stars are displayed. To increase the 3-D impression, stars can be connected with lines and rotated.

For Miguel, this is one of the major advantages of SpaceChart compared to other Free Software programs, because they do not give him the same three dimensional feeling.

The programming language used for SpaceChart is C with the GNOME libraries, and it is published under the terms of the GNU General Public License. This choice makes it fast, and makes it, for instance, possible to display all stars within 50 light years of the sun and rotate them smoothly in real time.

Other components of GNU SpaceChart are data files created automatically from astronomical catalogs by a Perl script, and documentation, most of which has been contributed by Robert Chassell, who is also the most active beta tester and who (according to Miguel) has a never-ending supply of new ideas for further improvement.

The main audience for this project would be readers and authors of science fiction stories, who would like to have a better idea of how stars are distributed relative to each other. But he would also like feedback from “real” astronomers to tell him how GNU SpaceChart might become more useful to them. Help is welcome in the form of code, testing and documentation, of course.

In this monthly column we bring you the news from within the GNU project. In this issue we will look at mapping both on earth and in space along with on-line archiving.

GpsDrive

As the name suggests, GpsDrive [1] by Fritz Ganter is a Free Software navigation system under the GNU General Public License, which uses the satellites of the “Global Positioning System” (GPS).

Through a GPS receiver, GpsDrive gets the current position and displays it on an automatically chosen map in a user-selected scaling. Loading the maps can either be done directly off the internet or through a proxy; even from map servers like Expedia or Mapblast.

GpsDrive supports route planning through way points, which can be read from a file or entered dynamically with the mouse. Routes can also be recorded and played back, so it is possible to record ways you have taken and pass them on to friends, which is already being used for bicycle tours, for instance.

To avoid having to stare at the screen all the time, GpsDrive also supports spoken output in English, German and Spanish through the Festival [2] speech synthesis software.

Welcome to another issue of Georg’s Brave GNU World. Although earth may be mostly harmless, sometimes it is quite easy to get lost on it. But fortunately there is GpsDrive.

BY GEORG C. F. GREVE

The monthly GNU Column

Brave GNU World


Brave GNU World COMMUNITY

Figure 1: GPSDrive running on an iPAQ

GNU EPrints

Christopher Gutteridge of the University of Southampton is working on GNU EPrints [4], a project to create online-archives, with support by Mike Jewell.

Especially in the scientific field, literature research is an incredibly important part of the work and publications are only useful if they can be found. Making this easier is the goal of GNU EPrints, although it can theoretically be deployed in any situation where articles or documents of a research area, project or institution are to be archived.

Professor Stevan Harnad, who is the political force behind GNU EPrints, drew his motivation for the project from the idea to reestablish unencumbered access of science to its results and also to give financially weaker institutes and countries the chance to participate in the scientific exchange.

Despite being Free Software under the GNU General Public License (GPL), GNU EPrints also offers the advantage of being geared towards supporting different languages from the start. Web pages can be provided in different languages and it is also possible to select languages per field. This has already found practical application when some French archives were required to have abstracts in English and French simultaneously. EPrints isn’t restricted to European languages; thanks to Unicode, almost anything should be possible.

EPrints was written with an object-oriented approach in Perl, keeping it as understandable as possible, because the design philosophy assumes that it can never be perfect, so it will require changes to adapt it to the local situation. To do this, EPrints employs the concept of “Hooks,” which call custom scripts that do useful things.

This makes for a highly customizable system, which sometimes creates the problem of finding the right option or understanding the different functions. In order to help new users on the right way with this, HOWTOs are provided for frequently arising questions and needs.

In real-life practical deployment, the technical side is the minor problem, as far as the experience of the author is concerned. Getting to a solution for archive policy or agreeing on the structure is much more difficult.

There are places where it took several months and committees to determine the structure of an archive that now contains 20 entries. This once more demonstrates that social problems cannot be solved with technology. In these cases, Christopher Gutteridge uses “carrots and sticks” as the adequate tools.

But once there is agreement on the structure and once users have been educated to provide sufficient amounts of metadata, GNU EPrints can provide an extremely valuable tool.

Since it fulfils the Open Archives Initiative (OAI) [5] standard version 1.1 and 2.0, it is even possible to share archive metadata with other archives, so entries can be searched over multiple online archives simultaneously.

According to Christopher Gutteridge, he doesn’t really need help at the moment. The code base seems to be sufficiently stable and thanks to external funding, good documentation is currently under development.

GCron

GCron [6] will replace the currently used Vixie Cron within the GNU System, because the Vixie Cron has not been maintained since the early nineties and has developed several security problems, which the different GNU/Linux distros try to address with their own house patches. Thanks to gcron, this will hopefully soon become unnecessary. Even though cron is clearly one of the “classics” of any Unix system, some readers may not have heard about it yet – a brief introduction might be useful:

Cron is a program which allows the execution of programs, i.e. scripts, at specific times (week days, times, dates, and so on). This allows automating periodically necessary tasks, for instance. Cron is used for system maintenance tasks on almost all installations of Unix-like systems.

Ryan Goldbeck now works on gcron, a security-aware new implementation, which will then be used on all GNU/Linux distributions.

The first goal is to complete support of the POSIX standard and make the files backwards-compatible with Vixie Cron to allow for a painless migration.

Afterwards GNU/Hurd specific extensions and additions for better information about the executed programs such as the running time or resource usage are planned. It would also be possible to include a better means for controlling system resource usage by the executed programs.

It is not very surprising that gcron is published as Free Software under the GNU General Public License; C is being used as the programming language.

Goodbye, and thanks for all the fish!

That’s it with the “A Tribute to Douglas Adams” issue, who died too young, little more than a year ago.

And as usual, I’m asking everyone to not be shy in providing ideas, comments, questions, inspiration, opinions and information about interesting projects to the usual address. [7] ■


[1] GpsDrive home page http://gpsdrive.kraftvoll.at

[2] Festival home page http://www.cstr.ed.ac.uk/projects/festival/

[3] GNU SpaceChart home page http://www.gnu.org/software/spacechart/

[4] GNU EPrints home page http://www.eprints.org/

[5] Open Archives Initiative (OAI) home page http://www.openarchives.org

[6] GCron home page http://www.gnu.org/software/gcron/

[7] Home page of Georg’s Brave GNU World http://www.brave-gnu-world.org

Send ideas, comments and questions to Brave GNU [email protected]

INFO


Figure 2: SpaceChart showing constellations

UDE

The UDE-Project is creating a new WM which will be a complete GUI in future. The project does not use any special GUI-Libraries such as QT or GTK+. It just uses the standard Xlibs (which also make UDE faster).

GWhere

GWhere allows you to manage a database of your CDs and other removable media. With GWhere it’s easy to browse your CDs or to make a quick search without needing to insert all of your CDs in the drive.

Rinetd

Rinetd redirects TCP connections from one IP address and port to another. This makes it practical to run TCP services on machines inside an IP masquerading firewall.

LyX

LyX is an advanced open source document processor that encourages an approach to writing based on the structure of your documents, not their appearance.

Graphic Scripting

From our article starting on page 44 we have included the test graphic so you can work through the examples along with the utility to make the FLI/FLC animation files.

Distributed Computing

From the article starting on page 84 we have included the files for the Distributed folding project as well as the Mersenne prime and ECCP projects. Last but by no means least is the Electric Sheep project which can produce stunning fractal animations and still images.

Subscribe & Save

Save yourself hours of download time in the future with the Linux Magazine subscription CD! Each subscription copy of the magazine includes a CD like the one described here free of charge.

In addition, a subscription will save you over 16% compared to the cover price, and it ensures that you’ll get advanced Linux Know-How delivered to your door every month.

Subscribe to Linux Magazine today!

Order Online: www.linux-magazine.com/Subs

Or use the order form between p66 and p67 in this magazine.


KDE 3.0.4

KDE 3.0.4 is the third generation of KDE’s free, powerful desktop for Linux. KDE 3.0.4 is available in 51 languages – including the addition of Basque for the first time. KDE 3 ships with the core KDE libraries, the base desktop environment, and hundreds of applications and other desktop enhancements from the other KDE base packages (PIM, administration, network, edutainment, development, utilities, multimedia, games, artwork, and others).

KDE 3.0.4 provides various service enhancements over KDE 3.0.3, which shipped in mid-August 2002, as well as two security corrections (the personal web server (KPF) may permit a remote user to retrieve any file readable by the local KPF user, and the PostScript / PDF viewer (KGhostview) may execute arbitrary code placed in a PS or PDF file).

KDE, including all its libraries and applications, is available for free under Open Source licenses. Features included:

• Konqueror is KDE’s next-generation web browser, file manager and document viewer. Widely heralded as a technological break-through for the Linux desktop, the standards-compliant Konqueror has a component-based architecture which combines the features and functionality of Internet Explorer/Netscape Communicator and Windows Explorer.

• Konqueror supports the full gamut of current Internet technologies, including JavaScript, Java, HTML 4.0, CSS-1 and -2 (Cascading Style Sheets), SSL (Secure Socket Layer for secure communications) and Netscape Communicator plug-ins (for playing Flash, RealAudio, RealVideo and similar technologies).

• In addition, KIO’s network transparency offers seamless support for accessing or browsing files on Linux, NFS shares, MS Windows SMB shares, HTTP pages, FTP directories and LDAP directories. The modular, plug-in nature of KDE’s file architecture makes it simple to add additional protocols (such as IPX or WebDAV) to KDE, which would then automatically be available to all KDE applications.

• Besides the exceptional compliance with Internet and file-sharing standards, KDE achieves exceptional compliance with the available Linux desktop standards. KWin, KDE’s new re-engineered window manager, complies with the new Window Manager Specification. Konqueror and KDE comply with the Desktop Entry Standard. KDE generally complies with the X Drag-and-Drop (XDND) protocol as well as with the X11R6 session management protocol (XSMP).

Subscription CD

LINUX MAGAZINE Subscription CD

On this month’s subscription CD we start with the latest distribution to hit the servers. Included along side the full distribution we have all the files that we mention in the magazine, in convenient formats.

1999) won the award for the best development software. As in 2000, OpenOffice won an award. In the “Office Packages” category, the office suite prevailed against the other competitors with a sensational vote of 47.8%.

Mozilla conquers all

Mozilla triumphed over the email client Mutt and Konqueror browser in the group “Internet Applications”. In the “Databases” category, PostgreSQL overtook MySQL for the first time. The swap may have come around due to MySQL lacking some features.

The “Special Award” for “Newcomer of the Year” goes to Gentoo Linux, followed by Ogg Vorbis. Gentoo Linux is a BSD-style ports-based distribution that allows you to build all packages specifically for your machine. Ogg Vorbis is a completely patent unencumbered lossy audio codec, with an excellent psycho-acoustic model.

In the “Linux Companies” category, no specific product was nominated. Instead, the achievements (financial or conceptual) of a particular product or company, were open to selection. IBM won the first prize as the company who has done the most to promote Linux during the last year. ■


For the first time the Awards weren’t a “Reader’s Choice” selection, but rather an “Editor’s Choice”. In addition to the editors of the German LinuxUser, the German Linux-Magazin and Linux Magazine, a jury of widely known and respected people participated in the voting.

Everything was handled by email: First, the jury collected the nominations for several categories, such as “Network Hardware”, “Distributions”, “Office Packages”, “Development Software”, “Internet Applications” etc. A few days later the jury members selected their personal top three choices from each of the groups. After collation and calculations it is now time to congratulate and award the winners.

The Winner takes it all

In the hardware section the Sharp Zaurus, Axiom AX 6113 and Pioneer DVR-104 hit the top spot. For the distributions, it is no surprise that Debian won the race. The jury honoured the work of several key developers who have worked so hard on the free operating system over the past number of years.

The GCC (“GNU Compiler Collection”, renamed from “GNU C Compiler” in

During the last year there has been lots of movement in the Linux Community. Linux New Media AG invited several editors, a jury of authors, developers and leading members of the Open Source Community to choose the most significant Linux products and projects of the year 2002.

Linux New Media Awards 2002

Simply the Best

Linux New Media Awards 2002 COMMUNITY

2002 Winners

Hardware

Mobile Devices
1. Sharp Zaurus 44%
2. Compaq iPAQ 31%
3. Gmate Yopy 25%

Network Hardware
1. Axiom AX 6113 34.9%
2. Itranator 30.9%
3. Equiinet 23.3%

Hardware
1. Pioneer DVR-104 23.9%
2. ATI FireGL 4 23.1%
3. Fujitsu Siemens Memorybird 14.6%

Software

Distributions
1. Debian 28.8%
2. Knoppix 25.7%
3. SuSE 13.1%

Development Software
1. GCC 25.5%
2. KDevelop 15.2%
3. Eclipse 13.6%

Office Packages
1. Open Office 47.8%
2. KOffice 11.3%
3. Star Office 10.1%

Internet Applications
1. Mozilla 29.4%
2. Mutt 17.2%
3. Konqueror 16.7%

Databases
1. PostgreSQL 39.6%
2. MySQL 33.7%
3. DB2 9.5%

Special

Newcomer of the Year Linux
1. Gentoo 24.4%
1. Ogg Vorbis 24.4%
2. Video Disk Recorder 17.2%

Linux Companies
1. IBM 33.5%
2. O’Reilly 15.6%
3. Red Hat 11.0%

The 2002 Jury


Bernhard Bablok, Java expert, has been writing for Linux-Magazin for several years. He’s a software developer at the Allianz Insurance Company.

Fionn Behrens is a true game junkie, and writes about his experiences with the Linux gaming arena for Linux Magazine and LinuxUser.

Frank Bernhard is a security expert. He was one of the first people who dealt with dedicated firewall systems using Linux.

Simon Budig is one of the people behind the GIMP (GNU Image Manipulation Program). He is a passionate supporter of Open Source.

You may not be able to understand 90% of what he says, or even his kernel code, but you’ll definitely recognize Alan Cox as one of the first and most active hackers in the community.

Matthias Kalle Dalheimer, founding member of the KDE project, now lives in his favourite country Sweden and works at his own company Klarälvdalens Datakonsult AB.

Mirko Dölle dismantles every computer he can get his hands on, and publishes his confessions as the hardware expert for Linux Magazine and LinuxUser.

Michael Engel is a Power PC expert, in particular on running Linux on that platform.

Hans-Georg Eßer, as the editor-in-chief, has been responsible for LinuxUser since its first days. He also is the author of several Linux books.

Nils Färber writes articles for Linux-Magazin from time to time, and likes dealing with Linux on non-X86-platforms.

Björn Ganslandt is a fan of GNOME and takes an active interest in the software available for it. He regularly publishes articles about his experiences in LinuxUser.

Bdale Garbee works for Hewlett Packard, where he is developing a Linux distribution for them. Also, he holds the position of Debian Project Leader.

Johnny Graber helps run http://www.linux-community.de, and moderates articles on that site.

Georg C. F. Greve is the president of the Free Software Foundation Europe (FSFE), and writes our monthly column “Brave GNU World”.

Andreas Grytz works as a news researcher for Linux-Magazin. Also, he writes articles for LinuxUser and the community forum http://www.linux-community.de.

The “Linux Evangelist” Jon “maddog” Hall preaches for the free OS all over the world. He’s the Executive Director of Linux International and one of the community’s most outspoken voices.

Andreas Huchler works as a freelancer for Linux-Magazin and LinuxUser. He writes mostly about new software.

Patricia Jung is the deputy editor-in-chief of LinuxUser. In her free time she runs a Linux mailing list for women ([email protected]).

Jan Kleinert is the editor-in-chief of Linux-Magazin.

Harald König is one of the XFree86 developers and likes to work miracles on exotic hardware, preferably split over multiple displays.

Michael Kleinhenz helps organize LinuxTag, one of Europe’s largest Linux events.

Michael Kofler works as a full-time writer for Addison Wesley and has published several books about Linux, MySQL and Maple. Some of his works have been translated into several languages. He’s the author of one of the standard Linux books: “Linux – Installation, Configuration, Use”.

Charly Kühnast takes care of the servers at the KRZN computer centre and publishes his useful sysadmin tips & tricks in Linux Magazine.

Achim Leitner, head of Linux New Media’s competence center “Network & Security”, oversees all articles in this field.

Sebastian Raible just finished school. He helps run the http://www.linux-community.de/ website.

Christian Reiser enjoys testing the Linux compatibility of various hardware and publishes articles to share his experiences.

Daniel Riek is a board member of the LIVE (“Linux-Verband e.V.”) organisation and speaks out against the dangers of software patents.

Michael Schilli is a Perl guru and regular contributor to Linux-Magazin, with columns on Perl programming. He currently lives in America.

Tom Schwaller, now Linux IT architect & Linux evangelist at IBM, was editor-in-chief of Linux-Magazin for several years.

Tim Schürmann, office software expert, frequently writes reviews for LinuxUser of the latest Office suites for Linux.

John Southern is editor-in-chief of Linux Magazine and one of the organizers of the Greater London Linux User Group (GLLUG).

Marianne Wachholz is a real free software enthusiast and writes articles on that topic for LinuxUser.

Max J. Werner moderates threads on the forum http://www.linux-community.de/.

Ulrich Wolf is deputy editor-in-chief of Linux-Magazin and a regular contributor of Linux Magazine.

Oliver Zendel is chairman of LinuxTag, one of the first large Linux events organized by the community.
