This chapter is from the book
This chapter is from the book
This chapter is from the book
Network Utilities
To make use of a networked environment, it made sense to extend certain tools, some of which have already been described. Networks also created a need for new utilities to control and monitor them; this led to ideas for new tools that took advantage of network speed and connectivity. This section describes concepts and utilities for systems attached to a network; without a network connection, they are of little use.
Trusted Hosts
Some commands, including rcp and rsh, work only if the remote system trusts your local computer (that is, the remote system knows your local computer and believes that it is not pretending to be a system that it is not). The /etc/hosts.equiv file lists trusted systems. For reasons of security, Superuser account does not rely on this file to identify trusted Superusers from other systems.
Host-based trust is largely obsolete. The rcp, rlogin, and rsh commands15 are deprecated in favor of ssh (page 374) and scp (page 376). Because there are many ways to subvert trusted host security, including subverting DNS systems and IP spoofing (page 1474), authentication based on IP address is widely regarded as insecure and obsolete. In a small homogeneous network of machines with local DNS control, it can be "good enough." The ease of use in these situations may outweigh the security concerns.
SECURITY: Do Not Share Your Login Account
You can use a .rhosts file to allow another user to log in as you from a remote system without knowing your password. This setup is not recommended. Do not compromise the security of your files or the entire system by sharing your login account. Use ssh and scp instead of rsh and rcp whenever possible.
ssh: Logs in or Runs a Command on a Remote Computer
You can use the secure ssh utility to log in on a remote system over the network. You might choose to use a remote system to access a special-purpose application, use a device that is available only on that system, or because you know that the remote system is faster or not as busy as your local computer. While traveling, many people use ssh on a laptop to log in on a system at headquarters. From a GUI you are able to use many systems simultaneously by logging in on each, using a different terminal emulator window.
You can log in on a remote machine that is running the sshd daemon and that you have an account on. For information on configuring ssh, see page 1029. All communication under ssh, including your name and password, is encrypted. When your login name is the same on the local and remote machines, give the command ssh hostname, where hostname is the name of the machine that you want to log in on:
[bravo]$ ssh kudos alex@kudos's password: Last login: Sat Sep 14 06:51:59 from bravo Have a lot of fun... You have new mail. [kudos]$ ... [kudos]$ logout Connection to kudos closed. [bravo]$
After you supply your password, you are running a shell on the remote machine. When you log out, the connection is broken, and you resume using your local computer. To log in with a user name different from the one you are using on the local machine, give the command ssh user@hostname, where user is your login name on the remote machine named hostname:16
[bravo]$ ssh watson@kudos watson@kudos's password: ... [kudos]$
The ssh utility also allows you to run a command on a remote system without logging in on that system. When you need to run more than one command, it is usually easier to log in and run the commands on the remote machine. The next example runs ls on the memos directory on the remote system kudos. The example assumes that the user running the command has a login on kudos and that memos is in the user's home directory on kudos:
[bravo]$ ssh kudos ls memos alex@kudos's password: memo.0921 memo.draft [bravo]$
Suppose that a file named memo.new is on your local machine and that you cannot remember whether it contains certain changes or whether you made these changes to the file named memo.draft on the system named kudos. You could copy memo.draft to your local system and run diff (page 67) on the two files, but then you would have three similar copies of the file spread across two systems. If you are not careful about removing the old copies when you are done, you may be confused again in a few days. Instead of copying the file, you can use ssh:
[bravo]$ ssh kudos cat memos/memo.draft | diff memos.new –
When you run ssh, standard output of the command run on the remote machine is passed to the local shell as though the command had been run in place on the local machine. Unless you quote characters that have special meaning to the shell, they are interpreted by the local machine. In the preceding example the output of the cat command on kudos is sent through a pipe on bravo to diff (running on bravo), which compares the local file memos.new to standard input (–). The following command line has the same effect but causes diff to run on the remote system:
[bravo]$ cat memos.new | ssh kudos diff – memos/memo.draft
Standard output from diff on the remote system is sent to the local shell, which displays it on the screen (because it is not redirected). Refer to page 1321 in Part III for more information on ssh.
Optional
The ssh utility can tunnel other protocols. You can secure protocols including POP, X, IMAP, and WWW using ssh as a virtual private network (VPN) between the two systems. Assume that you have a POP client on your local machine, the POP server is on a remote network that is protected by a firewall, and that you can access the remote network only using ssh. You can tunnel the POP protocol, which uses port 110, through an ssh tunnel. In this example, kudos is the firewall gateway machine, pophost is the POP server, and 1550 is a local port that you selected to use on your end of the tunnel.
$ ssh -N -L 1550:pophost:110 kudos
The –N option causes ssh not to execute any remote commands: ssh works only as a private network to forward ports. You can forward ports in either direction and in combination by using the –L and –R flags. See the ssh man page for details.
Once you are authenticated, you can set your POP client so that the POP server is localhost and the POP port is 1550. Then, when the client fetches e-mail, it makes a connection to port 1550 on the local machine which is forwarded through the ssh tunnel to kudos and then to pophost port 110 where the real daemon is running.
scp: Copies a file from/to a Remote Computer
The scp (secure copy) utility copies a file from one computer to another on a network. Using ssh to transfer files, scp uses the same authentication mechanism as ssh and therefore provides the same security. The scp utility asks you for a password when it is needed for security. The format of an scp command is
scp [fromhost:]source-file [tohost:][destination-file]
You can copy from or to your local machine or between two remote machines. When you specify a simple, or relative, filename, it is assumed to be relative to your home directory on a remote machine and relative to your working directory on your local machine. An absolute pathname describes a path from the root directory on any machine. Make sure that you have read permission to the file you are copying and write permission for the directory you are copying it into. In the following example, Alex uses scp to copy rain.jpg from his working directory on bravo (which happens to be his home directory) to his home directory on kudos:
[alex@bravo alex]$ scp rain.jpg kudos: alex@kudos's password: rain.jpg 100% |***********************| 30161 00:00
As the transfer progresses, the percent and number of bytes transferred increase and the time remaining decreases. The asterisks provide a visual representation of the progress of the transfer.
Use the –r option to copy a directory recursively. See the scp man page for more information.
telnet: Logs in on a Remote Computer
You can use the TELNET protocol to interact with a remote computer. The telnet utility, a user interface to this protocol, is older than ssh and is not secure but may work where ssh is not available (there is more non-UNIX support for TELNET access than there is for ssh access). In addition, many legacy devices, such as terminal servers and network devices, do not support ssh.
[bravo]$ telnet kudos Trying 130.128.52.2... Connected to kudos.tcorp.com Escape character is '^]'. Welcome to SuSE Linux 7.3 (i386) - Kernel 2.4.10-4GB (2). kudos login: watson Password: You have old mail in /var/mail/watson. Last login: Mon Feb 25 14:46:55 from bravo.tcorp.com watson@kudos:~> . . . watson@kudos:~> logout Connection closed by foreign host. [bravo]$
When you connect to a remote UNIX or GNU/Linux system through telnet, you are presented with a regular login: prompt. Unless you specify differently, the ssh utility assumes that your login name on the remote system matches that on the local system. Because telnet is designed to work with non-UNIX/Linux systems, it makes no such assumptions.
SECURITY: telnet Is Not Secure
Whenever you enter sensitive information, such as your password, while you are using telnet, it is transmitted in cleartext and can be read by someone who is listening in on the session.
Another difference between these two utilities is that telnet allows you to configure many special parameters, such as how RETURNs or interrupts are processed. When using telnet between two UNIX/Linux systems, you rarely need to change any parameters.
When you do not specify the name of a remote host on the command line, telnet runs in an interactive mode. The following example is equivalent to the previous telnet example:
[bravo]$ telnet telnet> open kudos Trying 130.128.52.2... Connected to kudos.tcorp.com Escape character is '^]'. ...
Before connecting you to a remote system, telnet tells you what your escape character is; in most cases it is ^] (the ^ represents the CONTROL key on your keyboard). When you press CONTROL-], you escape to telnet's interactive mode. Continuing the preceding example:
[kudos]$ CONTROL-] telnet> ?
(displays help information)
telnet> close Connection closed. [bravo]$
When you enter a question mark in response to the telnet> prompt, telnet displays a list of its commands. The close command ends the current telnet session, returning you to your local system. To get out of telnet's interactive mode and resume communication with the remote system, press RETURN in response to a prompt.
It has been possible to use telnet to access special remote services at sites that have chosen to make such services available. However, many of these services, such as the U.S. Library of Congress Information System (LOCIS), have moved to the Web, so you can now obtain the same information by using a Web browser.
ftp: Transfers Files over a Network
You can use the ftp17 (file transfer protocol) utility to transfer files between systems on a network. This interactive utility allows you to browse through a directory on the remote system to identify files you may want to transfer:
[kudos]$ ftp bravo Connected to bravo.tcorp.com. 220 bravo.tcorp.com FTP server (Version wu-2.6.1-20) ready. Name (bravo:alex): watson 331 Password required for watson. Password: 230 User watson logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> bin 200 Type set to I. ftp> cd memos 250 CWD command successful. ftp> put memo.921 local: memo.921 remote: memo.921 200 PORT command successful. 227 Entering Passive Mode (192,168,0,1,225,45) 150 Opening BINARY mode data connection for memo.921. (8401 bytes) 100% |***************************| 8401 3.38 KB/s 00:00 ETA 226 Transfer complete. 8401 bytes received in 00:02 (3.38 KB/s) ftp> quit 221-You have transferred 56064 bytes in 1 files. 221-Total traffic for this session was 56485 bytes in 1 transfers. 221-Thank you for using the FTP service on bravo.tcorp.com. 221 Goodbye. [kudos]$
The remote system prompts you for a login name and password. By default the system expects that your login name is the same on both systems; just press RETURN if it is. In this case it is not, so Alex enters watson before pressing RETURN. Then he enters his password.
Although it is not necessary in this case, Alex gives a bin (binary) command as a matter of habit; he always establishes binary transfer mode as soon as he logs in.18 With ftp in binary mode, you can transfer ASCII and binary files. ASCII mode can guarantee the successful transfer of ASCII files only.
Binary mode transfers an exact, byte-for-byte image of a file. ASCII mode performs end-of-line conversions between different systems and is consequently slower than binary mode. DOS/MS Windows, Macintosh, and UNIX/Linux each use different characters to indicate the end of a line of text. For example, Microsoft operating systems use a RETURN (CONTROL-M) followed by a NEWLINE (CONTROL-J) to mark the end of a line, whereas UNIX/Linux uses a NEWLINE by itself. Use ASCII mode to transfer plain text files (sometimes indicated by a .txt filename extension) only. Transfer Microsoft Word and other word processing documents in binary mode, as they are not plain text files. Unless you specifically need to convert the end-of-line characters, use binary mode.
Before transferring the file, Alex uses ftp's cd command to change directories on the remote system (use lcd to change directories on the local system). Then the put command, followed by the filename, transfers the file to the remote system in the remote working directory (memos).
The ftp utility makes no assumptions about filesystem structure, because you can use ftp to exchange files with non-UNIX/Linux systems (whose filenaming conventions may be different).
Anonymous FTP
Systems often provide ftp access to anyone on a network by providing a special login: anonymous (you can usually use the login name ftp in place of anonymous). The anonymous FTP user is usually restricted to a portion of a filesystem that has been set aside to hold files that are to be shared with remote users. Traditionally any password is acceptable for anonymous FTP; by convention you are expected to give your e-mail address. Some sites reject your connection if they cannot identify the name of your computer or if you supply a password that doesn't match the name of your site. Alex can enter alex@tcorp.com in response to the password prompt.
While using ftp, you can type help at any ftp> prompt to see a list of commands. For using Mozilla to perform an anonymous FTP transfer, see "Downloading a File" on page 408. Refer to page 1180 in Part III for more information on ftp.
ping: Tests a Network Connection
The ping19 utility (http://ftp.arl.mil/~mike/ping.html) sends an ECHO_REQUEST packet to a remote computer. This packet causes the remote system to send back a reply. This is a quick way to verify that a remote system is available, as well as to check how well the network is operating, such as how fast it is or whether it is dropping data packets. The protocol ping uses is ICMP (Internet Control Message Protocol). Without any options ping tests the connection once per second until you abort the execution with CONTROL-C.
[kudos]$ ping tsx-11.mit.edu PING tsx-11.mit.edu (18.86.0.44) from 10.0.1.5 : 56(84) bytes of data. 64 bytes from TSX-11.MIT.EDU (18.86.0.44): icmp_seq=0 ttl=48 time=500.199 msec 64 bytes from TSX-11.MIT.EDU (18.86.0.44): icmp_seq=1 ttl=48 time=518.703 msec 64 bytes from TSX-11.MIT.EDU (18.86.0.44): icmp_seq=2 ttl=48 time=516.304 msec 64 bytes from TSX-11.MIT.EDU (18.86.0.44): icmp_seq=3 ttl=48 time=95.807 msec CONTROL-C --- tsx-11.mit.edu ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max/mdev = 95.807/407.753/518.703/180.243 ms
In this example the remote system named tsx-11.mit.edu is up and available to you over the network.
By default ping sends packets containing 64 bytes (56 data bytes and 8 bytes of protocol header information). In the preceding example four packets were sent to the system tsx-11.mit.edu before the user interrupted ping by pressing CONTROL-C. The four-part number in parentheses on each line is the remote system's IP address. A packet sequence number (called icmp_seq) is also given. If a packet is dropped, a gap occurs in the sequence numbers. The round-trip time is listed last, in microseconds; this represents the time that elapsed from when the packet was sent from the local system to the remote system until the reply from the remote system was received by the local system. This time is affected by the distance between the two systems, as well as by network traffic and the load on both computers. Before it terminates, ping summarizes the results, indicating how many packets were sent and received, as well as the minimum, average, maximum, and mean deviation round-trip times it measured.
TIP: When ping Cannot Connect
If unable to contact the remote system, ping continues trying until you interrupt it with CONTROL-C. There may be several reasons why a system does not answer: The remote computer may be down, the network interface or some part of the network between the systems may be broken, there may be a software failure, or the remote machine may be set up, for reasons of security, not to return pings (try pinging www.microsoft.com or www.ibm.com).
traceroute: Traces a Route over the Internet
The traceroute utility, supplied with Red Hat Linux, traces the route an IP packet follows, including all the intermediary points traversed (called network hops), to its destination (the argument to traceroute—an Internet host). It displays a numbered list of host names, if available, and IP addresses, together with the round-trip time it took for a packet to get to each router along the way and an acknowledgment to get back. You can put this information to good use when you are trying to determine where a network bottleneck is.
The traceroute utility has no concept of the path from one host to the next; it simply sends out packets with increasing TTL values. TTL is an IP header field that indicates how many more hops the packet should be allowed to make before being discarded or returned. In the case of a traceroute packet, the packet is returned by the host that has the packet when the TTL value is zero. The result is a list of hosts that the packet travels through to get to its destination.
The traceroute utility can help you solve routing configuration problems and routing path failures. When you cannot reach a host, use traceroute to see what path the packet follows, how far it gets, and what the delay is.
The next example is the output of traceroute following a route from a local computer to www.linux.org. The first line tells you the IP address of the target, the maximum number of hops that will be traced, and the size of the packets that will be used. Each numbered line contains the name and IP address of the intermediate destination, followed by the time it takes a packet to make a round-trip to that destination and back. The traceroute utility sends three packets to each destination; thus there are three times on each line. Line 1 shows the statistics when a packet is sent to the local gateway (under 3 ms). Lines 4–6 show it bouncing around Mountain View (California) before it goes to San Jose. Between hops 13 and 14 the packet travels across the United States (San Francisco to somewhere in the East). By hop 18 the packet has found www.linux.org. The traceroute utility displays asterisks when it does not receive a response. Each asterisk indicates that traceroute has waited three seconds.
$ /usr/sbin/traceroute www.linux.org
traceroute to www.linux.org (198.182.196.56), 30 hops max, 38 byte packets
1 gw.localco.com. (204.94.139.65) 2.904 ms 2.425 ms 2.783 ms
2 covad-gw2.meer.net (209.157.140.1) 19.727 ms 23.287 ms 24.783 ms
3 gw-mv1.meer.net (140.174.164.1) 18.795 ms 24.973 ms 19.207 ms
4 d1-4-2.a02.mtvwca01.us.ra.verio.net (206.184.210.241) 59.091 ms d1-10-0-0-200.a03.
mtvwca01.us.ra.verio.net (206.86.28.5) 54.948 ms 39.485 ms
5 fa-11-0-0.a01.mtvwca01.us.ra.verio.net (206.184.188.1) 40.182 ms 44.405 ms 49.362 ms
6 p1-1-0-0.a09.mtvwca01.us.ra.verio.net (205.149.170.66) 78.688 ms 66.266 ms 28.003 ms
7 p1-12-0-0.a01.snjsca01.us.ra.verio.net (209.157.181.166) 32.424 ms 94.337 ms 54.946 ms
8 f4-1-0.sjc0.verio.net (129.250.31.81) 38.952 ms 63.111 ms 49.083 ms
9 sjc0.nuq0.verio.net (129.250.3.98) 45.031 ms 43.496 ms 44.925 ms
10 mae-west1.US.CRL.NET (198.32.136.10) 48.525 ms 66.296 ms 38.996 ms
11 t3-ames.3.sfo.us.crl.net (165.113.0.249) 138.808 ms 78.579 ms 68.699 ms
12 E0-CRL-SFO-02-E0X0.US.CRL.NET (165.113.55.2) 43.023 ms 51.910 ms 42.967 ms
13 sfo2-vva1.ATM.us.crl.net (165.113.0.254) 135.551 ms 154.606 ms 178.632 ms
14 mae-east-02.ix.ai.net (192.41.177.202) 158.351 ms 201.811 ms 204.560 ms
15 oc12-3-0-0.mae-east.ix.ai.net (205.134.161.2) 202.851 ms 155.667 ms 219.116 ms
16 border-ai.invlogic.com (205.134.175.254) 214.622 ms * 190.423 ms
17 router.invlogic.com (198.182.196.1) 224.378 ms 235.427 ms 228.856 ms
18 www.linux.org (198.182.196.56) 207.964 ms 178.683 ms 179.483 ms
host and dig: Queries Internet Name Servers
The host utility looks up an IP address given a name or vice versa. This utility is easy to use and replaces nslookup in its simplest case. The following example shows how to use host to look up the domain name of a machine, given an IP address:
$ host 140.174.164.2 2.164.174.140.in-addr.arpa. domain name pointer ns.meer.net.
You can also use host to determine the IP address of a domain name:
$ host ns.meer.net ns.meer.net. has address 140.174.164.2
The dig (domain information groper) utility queries DNS servers and individual machines for information about a domain. A powerful utility, dig has many features that you may never use. It is more involved than host and replaces nslookup in its complex cases. The following dig command uses the keyword any to get any available information about the upstate.edu domain.
# dig any upstate.edu ; <<>> DiG 9.1.3 <<>> any upstate.edu ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30224;; flags: qr rd ra; QUERY: 1,ANSWER: 11, AUTHORITY: 5, ADDITIONAL: 7 ;; QUESTION SECTION: ;upstate.edu. IN ANY ;; ANSWER SECTION: upstate.edu. 74567 IN NS dns.duc.upstate.edu. upstate.edu. 74567 IN NS dns.eng.upstate.edu. upstate.edu. 74567 IN NS dns.acesag.upstate.edu. upstate.edu. 74567 IN NS dns.upstate.edu. upstate.edu. 74567 IN NS nr01.netmgt.upstate.edu. upstate.edu. 83413 IN SOA dns.upstate.edu. bailebn.noc.upstate.edu.
The dig utility displays a lot of information.
The Authority Section specifies the primary name servers, and the Additional Section specifies the IP addresses that correspond to the names in the Authority Section.
The SERVER line (toward the end) specifies the name and IP address of the DNS server that the local system uses: This is where dig gets its information.
The second column specifies the TTL (page 1499) in seconds.
IN in the third column is the query class and indicates that this is an Internet class query.
NS, SOA, MX, NS, or A in the fourth column specifies the type of information (DNS query type) that the row holds:
The NS (name server) record(s) specify name servers that upstate.edu uses. An NS record is meaningful only when you query a domain.
The MX (mail exchanger) record(s) specify a mail server for the domain you are querying. The upstate.edu domain has several mail servers. The lower the preference value (the number before the mail server domain in the right column), the higher the priority (ducserv6b is always tried before ducserv3).
There is one SOA (start or zone of authority) for a given domain. The SOA
Is the authoritative primary DNS for the domain.
Defines who the point of contact is for the domain.
Controls the TTL for records from the DNS.
Controls how often another name server will retry the domain's name server.
Controls when another name server will timeout when trying to contact the domain's name server.
The A (network Address) record specifies in the last column the IP address that corresponds to the domain name in the first column.
The dig utility has many query types. The any type is used in the preceding example. You can also use mx, ns, soa, and others. Refer to the dig man page for more details.
whois: Looks Up Information about an Internet Site
The whois utility queries a whois server for information about an Internet site. This utility returns site contact and InterNIC or other registry information that can help you track down the person responsible for a site: Perhaps that person is sending you or your company spam (page 1493). Many sites on the Internet are easier to use and faster than whois. Use a browser to search on whois or go to www.netsol.com/cgi-bin/whois/whois or www.ripe.net/perl/whois to get started.
When you search by name, whois may return more than one entry. In the following example, whois returns SOBELL.NET and SOBELL.COM when queried for sobell:
$ whois sobell [whois.crsnic.net] Whois Server Version 1.3 Domain names in the .com, .net, and .org domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. SOBELL.NET SOBELL.COM To single out one record, look it up with "xxx", where xxx is one of the of the records displayed above. If the records are the same, look them up with "=xxx" to receive a full display for each record. >>> Last update of whois database: Tue, 26 Feb 2002 05:22:08 EST <<< The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and Registrars.
When you do not specify a whois server, whois defaults to whois.crsnic.net. Set the NICNAMESERVER or WHOISSERVER shell variables, or use the –h option to whois to specify a different whois server.
To obtain information on a domain name, specify the complete domain name as in the following example:
$ whois sobell.com
[whois.crsnic.net]
Whois Server Version 1.3
Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: SOBELL.COM
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: NS.MEER.NET
Name Server: NS2.MEER.NET
Updated Date: 05-nov-2001
>>> Last update of whois database: Tue, 26 Feb 2002 05:22:08 EST <<<
The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.
Registrant:
Sobell Associates Inc (SOBELL-DOM)
PO Box 1089
Menlo Park, CA 94026
US
Domain Name: SOBELL.COM
Administrative Contact, Billing Contact:
Sobell, Mark (MS989) sobell@MEER.NET
Sobell Associates Inc
PO Box 1089
Menlo Park, CA 94026
[No phone]
Technical Contact:
meer.net hostmaster (MN85-ORG) hostmaster@MEER.NET
meer.net
po box 390804
Mountain View, CA 94039
US
+1.888.844.6337
Fax- +1.888.844.6337
Record last updated on 09-Apr-2000.
Record expires on 08-Apr-2004.
Record created on 07-Apr-1995.
Database last updated on 26-Feb-2002 01:57:00 EST.
Domain servers in listed order:
NS.MEER.NET 140.174.164.2
NS2.MEER.NET 216.206.136.2
Several top-level registries serve various regions of the world. The ones you are most likely to use are
North American Registry: whois.arin.net
European Registry: www.ripe.net
Asia-Pacific Registry: www.apnic.net
American Military: whois.nic.mil
American Government: www.nic.gov