Dynamically change title of FreeBSD terminal windows in SSH sessions

For a while I have been working on a FreeBSD 10 desktop, and one thing I missed from my Mac OS X Terminal was the ability to have the title bar of my terminal window change when I connect via SSH to a remote host. With a lot of SSH sessions in different windows open at the same time, it becomes difficult to know which server you are sending commands to. So I solved this little annoyance by creating this alias in the .cshrc script:

alias remote 'printf \\033]0\;\%s\\007 "\!^" && ssh "\!*"'

I’m using the urxvt terminal, but I guess the solution can work just as well on any other UNIX terminal emulator for X11 out there.

At the same time, I found it useful to replicate in the title bar the same info I have in the prompt, so I added the following lines to the same configuration file, under the section that (in the default FreeBSD setup) checks whether this is an interactive shell:

if ($?prompt) then
  ...
  if ( $?TERM ) then
    set prompt="%{\033]0;%N@%m:%~\007%}%N@%m:%c3 %# "
  endif
endif

(In bold the code I added).

Dynamically change title of Mac OS X Terminal in SSH sessions

I have been using Terminal.app since I started using Mac OS X several years ago. In general I feel pretty comfortable using it and I haven’t needed to look for alternatives. Obviously, the command I run most often on the command line is the ssh(1) client, which I think is among the most used tools by Unix server administrators.

This terminal emulator offers a wide range of customizations, including the possibility to assign a custom title to each tab or window you open, but I’d like the name of the host I connect to to appear automatically as the custom title as soon as I connect, and then change back to whatever it was before once I disconnect.

I thought it was a pretty trivial task to accomplish, but it turned out not to be as easy as I supposed. The best method I found is to create a simple shell script to manage this tricky operation. So I’m now posting the solution for anyone who might find it useful or could suggest a simpler approach… here it is:

#!/bin/sh
#
# This script changes the current Terminal window title and starts
# an ssh session with the host indicated in the argument
#
if [ -n "$1" ] ; then
  # remember the current custom title so it can be restored afterwards
  oldtitle=$(arch -i386 osascript -e 'tell application "Terminal" \
            to get custom title of front window')
  # keep only the host part of user@host
  newtitle=$(echo "$1" | sed -e 's/.*@\(.*\)/\1/')
  # OSC 0 escape sequence: set the window/tab title (printf is portable, echo -e is not)
  printf '\033]0;%s\007' "$newtitle"
  ssh "$1"
  printf '\033]0;%s\007' "$oldtitle"
else
  echo "ERROR: you must enter a valid host name as argument."
  printf '\033]0;Terminal\007'
fi

If you save these lines in a file called ~/bin/remote and chmod it to 755, you can use the following command to connect to your SSH server:

% remote user@server.domain

The custom title of the current window will be set from the hostname part of the command argument before you connect, and will be set back to whatever it was after you disconnect from the SSH session. If, for some reason, the script exits before setting the title back, you only need to launch it without arguments, and it will set the name to the default “Terminal” title.
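As an added example (not one of the scripts from these two posts), here is a portable /bin/sh version of the same idea that serves both the FreeBSD/urxvt and the Terminal.app setup: it derives the host from the ssh target, sets the title with the xterm OSC 0 sequence that both terminals understand, and installs a trap so the title is reset even when the script is interrupted, which covers the case where the script exits before putting the title back. Since there is no portable way to read the current title, it restores the local hostname rather than the previous title. The ssh_target_host helper and the assumption that the target is the last argument are mine.

```shell
#!/bin/sh
# Added example, not the original posts' code: set the terminal title for the
# duration of an ssh session and restore a neutral title afterwards.

# OSC 0: set both window and tab title on xterm-compatible terminals.
set_title() {
    printf '\033]0;%s\007' "$1"
}

# Extract the host from a target written as host, user@host or ssh://user@host:port
# (assumption: targets are written in one of these three forms).
ssh_target_host() {
    printf '%s' "$1" | sed -e 's|^ssh://||' -e 's/^.*@//' -e 's/:[0-9]*$//'
}

main() {
    if [ "$#" -eq 0 ]; then
        echo "usage: $0 [ssh options] [user@]host" >&2
        return 2
    fi
    # Assumption: the target is the last argument (no trailing remote command).
    for _last in "$@"; do :; done
    _host="$(ssh_target_host "$_last")"

    # Reset the title on every exit path (normal end, Ctrl-C, hangup, kill).
    trap 'set_title "$(hostname)"' EXIT HUP INT TERM

    set_title "ssh: $_host"
    ssh "$@"
}

# Run only when invoked with arguments, so the file can also be sourced for testing.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Saved as ~/bin/remote, it is used exactly like the script above (remote user@server.domain); the trap is the part that matters when ssh is killed or the window is closed mid-session.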

Broken board on HP LaserJet P2015

Several weeks ago our network printer started to show an odd behavior: a couple of minutes after each reboot the firmware crashed, simply putting the printer offline. Any attempt to upgrade the firmware or reinstall it was useless, since the printer became unresponsive before the procedure was able to complete. A couple of days ago, I found this post: “HP Laserjet P2015 Error Lights (LED’s) Stuck On“.
It seems unbelievable, but putting the formatter board in an oven at about 180 degrees Celsius for 8-10 minutes solved the problem. This is because of poor assembly by the manufacturer: the chip was not correctly soldered to the board!! Thanks to this simple procedure we saved the roughly 220 Euros that HP customer service would have charged us, since the warranty period was over.

We have experienced a long sequence of troubles with poor quality server products from HP, but after this last minor issue, I think this has actually been the last item we’ll ever buy from HP.

Upgrade pfSense cluster to 2.0-RELEASE

During the weekend we have migrated our main firewall system to the latest release of pfSense. Although we had spent some hours testing in a pilot environment, a couple of minor issues were encountered in the process, as outlined below.

We upgraded the main node first (as suggested by the “Redundant Firewalls Upgrade Guide“). Then the secondary node was not syncing immediately after its upgrade, because the old webConfigurator SSL certificate was not selected by default. Selecting the right certificate and rebooting the 2nd node solved the problem.

Some bits of the OpenVPN configuration (we have been running a couple of site-to-site VPNs) were not retained correctly: the tun(4) interfaces disappeared in favour of the new “ovpns” interfaces, so a reassignment was needed. After a couple of clicks everything was working again flawlessly.

A little more work is planned to polish the configuration (for example, the FTP proxy is now implemented in a different way, and there is no longer any need to allow TCP port 21 to external WAN addresses), but all the main functions are there, and the performance of the webConfigurator interface seems to be drastically improved.
In conclusion, we are very satisfied with this new version, which we have been running in production on some customers’ new firewalls since it was released a few weeks ago.

High availability of services with ZABBIX and DNS failover

This blog was born some years ago only for testing WordPress, so there is no real reason to maintain it, but from time to time I like to post here about some change I make to our infrastructure, or about some product or technology I find interesting, more to remind myself of what I did or read than to actually inform someone out there, so please excuse the fuzzy style of the contents!

Today I put in production a procedure to make inbound Internet traffic automatically fail over to a secondary ISP link, by using the well-tested ZABBIX monitoring platform.

Our primary NOC uses two independent and fully redundant links (two-node firewall, two routers, etc.) to access the Internet, and all production-grade services (DNS, mail, IM, web, etc.) are continuously reachable on the public IP addresses of both links.

Until today, when a connection failure occurred, all clients in our internal networks were immediately able to continue browsing through the failover link, thanks to a simple source-based routing rule applied by our pfSense cluster, whereas clients on the Internet couldn’t reach the services through the secondary path until the RRs in our DNS zones were manually changed to answer resolvers with the public IP address in our secondary ISP’s range.

I evaluated a couple of good external DNS failover services: Dynect Active Failover and DNS Made Easy’s service. The first was too expensive for our needs and the second was missing the ICMP ping check we wanted to use.
Then I gave the failover host support of the TinyDNS package for pfSense a try. It works pretty well, but it would need two public IPs (one from each ISP range) to publish the djbdns service for the dynamically updated zone, and at this time the range from our secondary provider is exhausted.

So I had the idea of running the dynamic zone on the same DNS servers we use for our public zones, but what could update the RRs in a reliable way? I was pretty confident in the link failure detection of pfSense, which I still use to redirect outbound Internet traffic, but I didn’t like the idea of trusting any other link failure detection script or daemon running inside my network… until I had a flash: ZABBIX has been reliably notifying me of link failures and recoveries for several months now. Maybe I could configure it to run the nsupdate(1) command against our primary DNS server each time such an event is triggered!

In fact it has been pretty trivial to configure a new custom media type of type “script” (named “nsupdate_HA”) and execute it as an “operation” of the action performed when the “link failure” trigger fires, as shown in this screenshot.

From now on, the hostname of each server publishing a “mission-critical” service can be stored as a CNAME pointing to an A record in the ha.valsania.it zone, which is automatically set to the currently available public IP address. I measured the reaction time to a link state change at around 40 seconds: this will definitely make me sleep better at night!


UPDATE:
Maybe it can be useful for someone to take a look at the simple shell script I wrote to accept input from ZABBIX, or maybe someone can suggest some improvements!
Three arguments are expected (the recipient, the subject and the body of the message), but we only read the 2nd to know what’s happening, in order to execute the proper failover and failback actions.
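The author’s script is not on this page, so here is an added example of my own that follows the description above: a ZABBIX alert script receiving the three standard arguments (recipient, subject, body), looking only at the subject to tell a failure (subject starting with “PROBLEM”) from a recovery (subject starting with “OK”), and feeding an nsupdate batch to the primary DNS server. The zone name ha.valsania.it comes from the post; the record name, the DNS server, the two addresses (taken from the documentation ranges) and the TSIG key path are assumptions. The update is authenticated with a TSIG key rather than relying on the source address alone, since anything able to send updates to the zone controls where “mission-critical” hosts resolve to.

```shell
#!/bin/sh
# Added example, not the author's script: ZABBIX "script" media handler that
# repoints an A record in ha.valsania.it at whichever ISP link is up.
# Invoked by ZABBIX as: nsupdate_HA <send-to> <subject> <message>

DNS_SERVER="ns1.example.net"          # assumption: primary (master) server accepting dynamic updates
ZONE="ha.valsania.it"                 # zone name from the post
RECORD="www.${ZONE}."                 # assumption: the A record the service CNAMEs point at
PRIMARY_IP="192.0.2.10"               # assumption: address on the primary ISP (documentation range)
SECONDARY_IP="198.51.100.10"          # assumption: address on the secondary ISP (documentation range)
TSIG_KEY="/usr/local/etc/zabbix/Kha-update.private"   # assumption: key authorised in the zone's update-policy
TTL=30                                # short TTL so resolvers pick up the change quickly

# Map a ZABBIX subject to the address that should be published.
# ZABBIX default subjects are "PROBLEM: <trigger>" and "OK: <trigger>", so only the
# prefix is tested; the trigger name itself (e.g. "link failure") is deliberately ignored.
# Returns 1 for any other subject so unrelated notifications never touch DNS.
target_ip_for_subject() {
    case "$1" in
        PROBLEM*) printf '%s\n' "$SECONDARY_IP" ;;   # failover
        OK*)      printf '%s\n' "$PRIMARY_IP" ;;     # failback
        *)        return 1 ;;
    esac
}

# Print the nsupdate batch that replaces the record with the given address.
nsupdate_batch() {
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$DNS_SERVER" "$ZONE" "$RECORD" "$RECORD" "$TTL" "$1"
}

main() {
    if [ "$#" -ne 3 ]; then
        echo "usage: $0 <send-to> <subject> <message>" >&2
        exit 2
    fi
    subject="$2"
    ip="$(target_ip_for_subject "$subject")" || { echo "ignored: $subject" >&2; exit 0; }
    # -k: sign the update with the TSIG key so the server can reject unauthorised updates
    nsupdate_batch "$ip" | nsupdate -k "$TSIG_KEY" || { echo "nsupdate failed" >&2; exit 1; }
    echo "$RECORD now points to $ip" >&2
}

# Only act when called with ZABBIX's three arguments (the file can be sourced otherwise).
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

The script is deliberately idempotent: it deletes and re-adds the record on every event, so a repeated PROBLEM or OK notification leaves DNS in the same state rather than accumulating stale addresses.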

Corporate Subversion server

After a couple of days spent studying and testing, today the first SVN server was put into the development stage. A test repository is available for anonymous checkout and ViewVC browsing at http://svn.valsania.it. Commit privilege is granted only to selected accounts, defined both in Active Directory and in an htpasswd file.

This first deployment still has some rough corners, but the main goals have been met:

  • simple anywhere access to the repository both for read and write access (via WebDAV and ViewVC);
  • secure transmission of credentials and data (enforced SSL offloading was activated);
  • integrated authentication with corporate directory service (thanks to the auth_ldap Apache module).

During the next days I’ll be committed to putting this service in the hands of all the developers who might be involved in any sort of collaboration with our company in the future!
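As an added illustration (not the site’s actual configuration), this is one way to obtain the three goals listed above with mod_dav_svn, mod_ssl and mod_authnz_ldap on Apache: anonymous read access, credentials only over TLS, and commit rights for users found either in the directory or in a local htpasswd file. All paths, the LDAP URL and the lookup account are assumptions.

```apache
# Added example, not the original server's configuration.
<VirtualHost *:443>
    ServerName svn.valsania.it
    SSLEngine on
    # assumed certificate paths
    SSLCertificateFile    /usr/local/etc/apache/ssl/svn.crt
    SSLCertificateKeyFile /usr/local/etc/apache/ssl/svn.key

    <Location /repos>
        DAV svn
        # assumed repository root
        SVNParentPath /var/svn
        # refuse the location entirely over plain HTTP, so credentials never travel in clear
        SSLRequireSSL

        AuthType Basic
        AuthName "Subversion repository"
        # try the directory first, then the local htpasswd file
        AuthBasicProvider ldap file
        # assumed directory settings; bind with a low-privilege lookup account
        AuthLDAPURL "ldap://dc1.example.local/DC=example,DC=local?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN "CN=svn-lookup,OU=Service Accounts,DC=example,DC=local"
        AuthLDAPBindPassword "PLACEHOLDER-change-me"
        # assumed path for the external collaborators' accounts
        AuthUserFile /usr/local/etc/apache/svn.htpasswd

        # read-only methods stay anonymous; everything else (commit) needs a valid login
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            Require valid-user
        </LimitExcept>
    </Location>
</VirtualHost>
```

The LimitExcept block is what separates "anyone can check out" from "only known accounts can commit"; the lookup account in AuthLDAPBindDN only needs search rights, never the ability to modify directory objects.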

Blogging on the road

This is the first post I can write without being in front of a computer: I’m using my new iPhone to write these lines while I’m “on the go”! 🙂
I must admit that I never thought I would blog this way, but this mobile device seems a very powerful platform, not only because of its built-in functions, but mainly because of the possibilities it can offer from a development point of view. This post is a little example of what I mean: I wrote it using a third-party application developed by the WordPress team, who made it available on the Apple online App Store.

First WPMU upgrade

Today I found the time to upgrade the WordPress MU platform which is running the Valsania Corporate Blogs collection from version 1.5.1 to release 2.6 (which is based on WordPress 2.6). It was the first time I upgraded a WPMU instance in a production environment. The upgrade procedure was extremely straightforward, and I must say I’m quite impressed by that, since my WPMU configuration is very complex (many plugins and customizations were made, but all of them should have been made consistently with the architecture). At the same time I got all the other WP-based blogs I manage upgraded to the 2.6.1 release.

wpDirAuth 1.4 patch

Today I had to log into one of my WP powered weblogs, running the wpDirAuth 1.3 plugin which I wrote about in a previous post. Surprisingly, it returned the error message “No directory server available for authentication”. No change had been made to my infrastructure in the last few days, and I soon discovered that all user accounts in my Active Directory were able to successfully authenticate, with the only exception of mine!

A few minutes were necessary to understand that the problem lay in the password I had changed the day before, which included an apostrophe (‘). It seems that the function parsing this variable in WordPress automatically puts a backslash (\) escape character before the apostrophe, in order to pass it correctly to the built-in authentication function. The problem was the way the ldap_bind() PHP function was sending the password to my domain controllers, including the (in this case unnecessary) escape character.

I’m not a developer, but I think I resolved this issue simply by adding the strtr() line to the wpDirAuth_bindTest() function in the file wpDirAuth.php:

function wpDirAuth_bindTest(&$connection, &$username, &$password)
{
    // WordPress escapes the apostrophe in the submitted password with a backslash;
    // the directory must receive the raw password, so map \' back to a plain '
    $password = strtr($password, array("\\'" => "'"));
    if ( ($isBound = @ldap_bind($connection, $username, $password)) === false ) {
        // @see wpLDAP comment at http://ashay.org/?page_id=133#comment-558
        $isBound = @ldap_bind($connection, "uid=$username,$baseDn", $password);
    }
    return $isBound;
}

Since the returned error message was also incorrect (it should have been a “check credentials” warning, not a “server unreachable” error), I’ve also included the change suggested by Clint in the last part of his message “I have a bug fix for 1.3…“.

I’ve also successfully tested this modified wpDirAuth plugin against different Active Directory instances on WordPress 2.6 and I’ve generated two patches to upgrade from both the 1.2 and 1.3 versions. Here are the links:

If you prefer to use the 1.4 release directly, I’ve also prepared a pre-patched copy that you can download here.

Since that’s not my job, I’m not sure I’ve done a good thing by defining this as the new 1.4 release, and I’ll be glad to receive any suggestions about it.

wpDirAuth

I finally got the time to make the wpDirAuth plugin work both on WordPress 2.5.1 and WordPress µ 1.5.1. My need is to migrate to the WPMU platform from Telligent’s Community Server as soon as possible, since I’m planning to port my entire corporate infrastructure from MSFT to the more dependable BSD Unix technology.

Unfortunately the 1.2 version of this plugin simply didn’t work on the latest versions of WP, so I had to apply the Patch for WordPress 2.5 compatibility kindly published by Adam Yearout. As of now, I’ve only had the time to test it against Microsoft Active Directory LDAP servers, but I plan to try it in an Apple Open Directory environment before putting it into production. The pilot blog collection can be accessed at the well-known Valsania Corporate Blogs WPMU instance.

UPDATE:
I’ve just tried to bind against an Apple Open Directory LDAP service, and the process is quite straightforward: the only real difference is the user object’s attribute to search for to identify the user who is logging in (sAMAccountName for AD, uid for OD), as shown in the following image.


As you can see, in this example we have an OD domain named mydomain.local, and we are using the unprivileged user named dsquery to bind to the LDAP service.

NOTE: remember to populate the EMailAddress attribute of your users in Open Directory, if you wish the required E-mail field in the WordPress user profile to be automatically filled in upon first logon.
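Before pointing the plugin at a directory, it is worth checking from the command line that the unprivileged bind account works and that the chosen attribute (sAMAccountName for AD, uid for OD) resolves a login name to exactly one user. The added script below, which is not part of the original post, does that with OpenLDAP’s ldapsearch; because the login name typed by the user ends up inside an LDAP search filter, it is escaped according to RFC 4515 first, which is the same care a plugin building the filter should take. The OD domain mydomain.local and the dsquery account come from the post; the server name, the bind DN layout, the base DN and the password file path are assumptions.

```shell
#!/bin/sh
# Added example, not the plugin's or the post's code: verify the directory lookup
# that wpDirAuth relies on, with proper escaping of the login name.

# Escape characters that are special inside an LDAP filter value (RFC 4515).
# The backslash is handled first, otherwise the escapes it introduces would be re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the filter that locates the user who is logging in.
# $1 = directory type (ad|od), $2 = login name exactly as typed.
ldap_user_filter() {
    _name="$(ldap_filter_escape "$2")"
    case "$1" in
        ad) printf '(sAMAccountName=%s)\n' "$_name" ;;
        od) printf '(uid=%s)\n' "$_name" ;;
        *)  echo "unknown directory type: $1" >&2; return 2 ;;
    esac
}

# Run the lookup, binding as the unprivileged search account.
# The bind password is read from a file (-y) so it never shows up in process listings.
# $1 = directory type (ad|od), $2 = login name
ldap_lookup_user() {
    _filter="$(ldap_user_filter "$1" "$2")" || return 2
    ldapsearch -LLL -x \
        -H "ldap://od.mydomain.local" \
        -D "uid=dsquery,cn=users,dc=mydomain,dc=local" \
        -y /usr/local/etc/wpdirauth/bind.pw \
        -b "dc=mydomain,dc=local" \
        "$_filter" mail
}

# Usage: ./ldapcheck.sh od j.doe   (prints the user's entry and mail attribute, or nothing)
if [ "$#" -eq 2 ]; then
    ldap_lookup_user "$1" "$2"
fi
```

Exactly one entry should come back for a valid login name; zero entries means the attribute or base DN is wrong for this directory, and more than one means the attribute is not unique and should not be used for authentication. The escaping step is what keeps characters such as parentheses or asterisks in a typed name from changing the meaning of the filter.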