Thursday, November 25, 2010

Server is Baremetal or VMWare?

Usually you can run one of the following commands to see whether the server you are on is a VMware VM.

[root@VM001 ~]# /sbin/lspci | grep -i vmware
00:0f.0 VGA compatible controller: VMware SVGA II Adapter
[root@qypprdestws03 ~]# grep -i vmware /proc/scsi/scsi
Vendor: VMware Model: Virtual disk Rev: 1.0
Vendor: VMware Model: Virtual disk Rev: 1.0
[root@VM001 ~]# dmidecode | grep -A4 "System Information"
System Information
Manufacturer: VMware, Inc.
Product Name: VMware Virtual Platform
Version: None
Serial Number: VMware-50 00 6e c3 df 0c 97 f1-3e 99 9d 8b 66 a0 8e 24
[root@VM001 ~]#


Thursday, October 28, 2010

Forgot to use sudo?

Has it ever happened to you that you run a command, forget to prefix it with 'sudo', and so the command fails and you have to retype it all over again? Well, in that case this is how you can save some time. Note that '!!' is bash history expansion for the previous command, so glance at what it expands to before you confirm.

[debu@DebaTestBox ~]$ sudo !!

Forgot 'sudo' before editing a file:

Believe me, this is the most frustrating one, and it happens to me a lot. You have edited quite a bit of the file and when you try to save and exit (:wq!) you see an error like the one below

E212: Can't open file for writing
Press ENTER or type command to continue

Well, the command below is a savior in this kind of scenario

:w !sudo tee %

This will ask for your password, and you are done. All your edits are now written to the file. Vim may then warn that the file has changed on disk; reload it with :e! if you want to keep editing.


Hope it helps!


Monday, October 25, 2010

ssh client for BlackBerry!

I have been using a BlackBerry for quite some time now, and recently someone asked whether I can have any ssh client on it.

Yes! We can. I use MidpSSH, which is an ssh client for MIDP 1.0 / 2.0 (J2ME) devices such as Java-capable cellphones and other mobile devices, released and distributed under the GPL.

So far no issues, and it's cool. Here is the link to download -

You will need to convert .jar/.jad to .alx files


Sunday, October 24, 2010

\'el\ dot

$l. (To be read as \'el\dot )

This is a little-known but handy and quick command (an alias for ls -d .* on Red Hat systems) which lists all the hidden files and folders in your current directory. Works with both RHEL4 and RHEL5.

[Debu@DebuTestBox ~]# l.
. .bash_history .bash_profile .cshrc .redhat .swp .Trash .bash_logout .bashrc .ssh .viminfo

Now you probably don't have to use both your hands to press keystrokes for this task :P


telnet UDP port

Wondering how to 'telnet' a UDP port? telnet speaks TCP only, so use netcat in UDP mode instead -

[deba@prodWeb100 ~]$ nc -vvzu 1434

Connection to 1434 port [udp/ms-sql-m] succeeded!

Keep in mind that UDP is connectionless: nc reports "succeeded" unless it gets an ICMP port-unreachable reply, so this result means the port is not provably closed, not that a service actually answered.


Saturday, October 23, 2010

Start a new shell from Vi editor in emergency !!

Have you ever faced a situation where you unfortunately edited a read-only file and later realized that you either need to start a duplicate PuTTY session to chmod +w that file, or leave the vi editor without saving your work?

If you know this trick you can handle that situation much faster and more efficiently!


While still inside Vim, go to command mode and type -

:sh

:sh looks up the user's default shell (e.g. the Bourne shell or the C shell) and starts a new shell. In that shell change the permission of the file, then type exit (or Ctrl+D); you will be back in the same vi session; now save your file.


Reading passwords in shell script

Today a BE final-year student asked me this one on IM. For his benefit, and for anyone who might want a password wrapper (if at all!!), here is how to do it in a shell script,

#!/bin/bash
### This is a simple bash script to read a password ###
###### without echoing it on the console #####

actual="secret"   # expected password; placeholder only, a real script should not hard-code it
failed=0
while [ $failed -le 3 ]
do
    read -s -p "Password: " userpasswd   # -s suppresses echo of the typed characters
    echo ""
    if [ "$userpasswd" == "$actual" ]
    then
        echo "Password accepted"
        exit 0
    fi
    echo "Sorry! Wrong password, Try again..!!"
    failed=$(( failed + 1 ))
done
exit 1

Please remember - 'stty' can also do the trick, as below:

stty -echo
read password
stty echo


'Script' utility to record your terminal session

Today I was installing something, and the ask from my friend at the other end was to let him know how I was doing it. First I thought I would share my screen with him, but wait! wouldn't a recording of my bash session suffice?

Yes, let's not forget that we have this cool, freaking awesome UNIX tool which records and makes a typescript of everything printed on your terminal. It's very popular amongst project students as a proof of what they ran and how they tested various scenarios, and really helpful for anyone who needs a hard-copy record of an interactive session.

It's very easy to use; you could call it a no-brainer. When you are ready to record an I/O session, just type 'script'.

[root@DebuTestBox ~]# script
[root@DebuTestBox ~]# script -a MyInstallSession_23Oct2010

Now that the recording has started, everything you type, as well as everything that comes back as output, will be saved into the filename you chose. If a name is not given, it will store all the I/O of that bash session in a default file, viz. typescript, in the current folder.

Once done, type Ctrl+D or 'exit' to end your recording session.

[root@DebuTestBox ~]# exit
Script done, file is typescript

And you are done with the recording of the session!! Pass on the typescript to whoever is interested in what you did in that bash session, or rather how you installed that complicated software!! :P Remember that it captures everything shown on the terminal, so scrub any secrets before you share it.


Friday, October 22, 2010


Very catchy name, ain't it? :P Hold on, don't raise high expectations of this post; it's just a handy Linux command. Read on....

Linux man page says: 'namei' - follow a path name until a terminal point is found.

This is a very useful command I came across recently, which can definitely be a great help if you have a very complex environment with "too many levels of symbolic links".
It has two switches:

namei -x : show mount points with 'D' and directories with 'd'
namei -m : show the mode bits

For ex:

[root@DebuTestBox ~]# namei -x python
f: python/

l python -> /usr/local/Python-2.5
d /
D usr
d local
d Python-2.5

[root@DebuTestBox ~]# namei -m python
f: python/
lrwxrwxrwx python -> /usr/local/Python-2.5
drwxr-xr-x /
drwxr-xr-x usr
drwxr-xr-x local
drwxr-xr-x Python-2.5


Wednesday, October 20, 2010

'ls' command alternatives

Keep this aside as a handy option: if your system has gone so bad that the ls command itself is not working, here is a crude way of displaying directory contents using echo, which is a shell built-in and not an executable:

[root@DebaTestBox /]# echo *
bin boot dev etc home lib lost+found media misc
mnt net opt proc root sbin selinux srv sys tmp usr var
cd, too, is a shell built-in; with tab completion it can be used to display the same.

All the best -


Tuesday, October 12, 2010

Solaris: How to get global zone information from non-global zone

For a variety of reasons, like integration with monitoring or asset management, some notion that knowing the real box name will make things better :-), or a need to do something from the global zone like run dtrace, adjust resource allocations etc., you might sometimes want to know which global zone a container resides in, or the IP address of the physical server hosting that virtual container.

Just see if you can run 'prtdiag'; if so you are on a physical server, else you are in a non-global zone.

Step 1: Log into the virtual container or non-global zone in question

Step 2 : NonGZ02# arp -a | grep NonGZ02 (grep for the hostname / IP address)
e1000g0 NonGZ02 SPLA 00:14:4f:0e:9f:b8

step 3 : NonGZ02## arp -a | grep 00:14:4f:0e:9f:b8

It will list a set of arp entries matching that MAC address.

After this, either the naming convention or experience with the environment usually helps save time.

If it is under Veritas, I also run -

cat /etc/VRTSvcs/.vcshost , to get somewhat closer.

step 4: I logged in to

And I find it in that list :

GlobalZone01# zoneadm list -iv | grep running
0 global running / native shared
1 NonGZ02 running /zones/NonGZ02 native shared
2 Proxy02 running /zones/Proxy02 native shared

And I see my non-global host running from there.

Hope it helps!!


Tuesday, October 5, 2010

My First Wedding Anniversary !!

Today, October 5th 2010, is my very first wedding anniversary. I still can't quite believe it's been a whole year! Probably a sign of a healthy and successful marriage! Ah! someone rightly said in the office, probably it is too early for such a bold declaration!

So, today's blog post will be short and sweet, and off topic, but I just want to take this opportunity to greet my lovely wife 'Nandita'. This is true in my case - she has been so caring and supportive all the way, even at times when I had no time to put my wet towel out to dry, and I see those pleasing, confident eyes of hers which say "keep doing what you are doing, I am there beside you, and everything will be just fine!". So my wife deserves all this recognition for being such a wonderful wife; she is my best buddy now. I am very blessed to have you as my wife and couldn't ask for more. I thank GOD for you again.

Yeah, during this period I could learn some tricks as well. I felt wives need a lot of your attention (at all times?!). As someone rightly said - 'you should be taller, older, heavier, uglier, hoarser than your wife'! Yes, I am paying proper attention to her. And I must say, every husband should.

She is also very sweet. I thought that after marriage (ours was an arranged marriage!) she wouldn't allow me to drink at all. But one day, around my 3rd month of marriage, I somehow accumulated so much courage that I told her very clearly that I need to drink at least 1 bottle of beer every week :-) and yeah, she agreed. I was very confused though, whether she actually wanted me to do so or was testing me, but nay! she actually meant it. From that day to today, I have never actually dared or felt like asking for any more permission, as the show must go on. Be your own mentor! The same will happen at tonight's dinner party as well, which begins in a short while from now; no more permission ;-)

Anyway, thanks to everyone who has been wishing me throughout the day. Love you all. It really means a lot to me...


Sunday, October 3, 2010

Trouble Uninstalling IE9?

Just a couple of days back I wrote a post on the IE9 beta release. I found it buggy and was wondering whether some of you have had problems uninstalling this buggy piece from your PC. Let me tell you that you can't simply go to Add/Remove Programs and uninstall it as you would for other software. Well, here is how to do it -

  1. Start -> Run -> appwiz.cpl
  2. Here you won't see any entry for IE9 in the main program list. Click on the 'View installed updates link' in the sidebar to see the installed updates.
  3. Scroll down till you see a section for Microsoft Windows and find "Windows Internet Explorer 9" in it.
  4. Right click on the entry and click on the 'Uninstall' button.
  5. After the update is removed you will be reverted to the last installed version of Internet Explorer on your PC.

The above steps are what I tested on Windows 7.

Enjoy your earlier favorite(!) version of IE browser!!


Saturday, October 2, 2010

Script written in Win is not working in *nix environment?

Have you ever copied a bash or any other script written in your favorite Windows editor to a UNIX environment and seen that it does not work?

Yeah? Well, it's a line-terminator issue between Windows and Linux. The Enter key in Windows appends a CR and an LF at the end of the line, whereas in *nix only an LF is appended.

Check the script with cat -v: if it displays ^M at the end of each line, that text file was created under Windows, and the CR LF is causing the execution of the bash script to fail.

$cat -v

Once identified, this issue can easily be fixed with the dos2unix command.

$chmod +x

That's it !!
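As an added example (not from the original post), the two functions below do the same job as cat -v and dos2unix with tools present on every box: the first tells you whether a file carries CR LF line endings (the usual symptom is a "bad interpreter" error on the #! line, because the kernel sees "/bin/bash^M"), the second rewrites it with LF only while keeping a .bak copy. The sample file in the test is constructed.

```shell
#!/bin/sh
# Added example: detect and strip Windows CR LF line endings with grep/sed only.

# has_crlf FILE -> exit 0 if any line of FILE ends in a carriage return
# (the character cat -v shows as ^M), exit 1 otherwise.
has_crlf() {
    cr=$(printf '\r')             # a literal CR character for the pattern
    grep -q "$cr\$" "$1"
}

# strip_crlf FILE -> rewrite FILE in place with LF-only line endings.
# Only a CR immediately before the newline is removed, so a CR that is part
# of the script's own data (e.g. inside a printf string) is left alone.
# The original is kept as FILE.bak so nothing is lost if the result is wrong.
strip_crlf() {
    cr=$(printf '\r')
    cp "$1" "$1.bak"
    sed "s/$cr\$//" "$1.bak" > "$1"
}
```

After stripping, set the execute bit as in the post (chmod +x) and the script runs under bash as intended.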


Friday, October 1, 2010

du and df -h confusing stats?

I just explained this to someone with an example; thought I would put it on my blog as well -


If someone is running an application with a file open in a directory and the open file is removed, the du output reflects a reduced size for this directory. However, df does not show a reduced size.

..and the confusion begins because 'df' and 'du' are showing contradictory stats.

We must know that du reports the space used by files and folders (even this can differ from the file size), while df reports the space used by the file system, which includes the overhead for journals, inode tables and such. The difference is that whenever an application has a file open but the file has already been deleted, it is counted in the df output (because the space is certainly not free) but not in du (because it is no longer reachable by name). All its blocks remain allocated until the application that holds the file open closes it, and only after that closure does df show the reduced usage for the file system.

Below is the exercise to reproduce and understand it better -

[root@DebuTestBox ~]# dd if=/dev/zero of=/tmp/duTest.txt bs=1024 count=500000

While this is going on, from another terminal remove the file duTest.txt

[root@DebuTestBox ~]# rm /tmp/duTest.txt
rm: remove regular file `/tmp/duTest.txt'? y

Now check -

[root@DebaTestBox ~]# lsof | grep "deleted"
java 4579 root 285u REG 253,0 0 3670130 /tmp/ (deleted)
dd 16516 root 1w REG 253,0 106242048 3670125 /tmp/dutest.txt (deleted)

Hope it helps.

Now, to resolve this issue, we need to figure out what those files are and how important and relevant they are to your work, and only if they are found fit to delete, go ahead and fire the following command -

#lsof | grep "deleted" | awk '{print $2}' | xargs kill -9
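As an added example (not from the original post), here is an lsof-free way to list deleted-but-open files straight from /proc, together with a gentler fix than kill -9: truncating the file through /proc/PID/fd/N releases the blocks immediately while the process keeps running and simply continues writing into a now-empty file. It assumes Linux with /proc mounted; the temp file used in the test is constructed.

```shell
#!/bin/sh
# Added example: find unlinked-but-open files via /proc and reclaim their space.

# deleted_open_files -> prints "PID FD PATH" for every open descriptor whose
# target has been unlinked. Descriptors of other users' processes cannot be
# read without privilege and are skipped silently.
deleted_open_files() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                pid=${fd#/proc/}; pid=${pid%%/*}        # /proc/<pid>/fd/<n> -> <pid>
                printf '%s %s %s\n' "$pid" "${fd##*/}" "${target% (deleted)}"
                ;;
        esac
    done
}

# truncate_open_file PID FD -> empties the unlinked file through the holder's
# descriptor. df drops at once; the process is not killed and keeps its fd.
truncate_open_file() {
    : > "/proc/$1/fd/$2"
}
```

Run deleted_open_files first and decide per entry: truncating a log a daemon is still writing is usually safe, truncating a database's data file is not.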


Sunday, September 26, 2010

IE9 Beta Release

People are more familiar with the concept of a beta release from the open-source world. The idea was that it can be tested by scores of real-world users, each with their own computer systems and varieties of hardware and software, so conflicts with various programs or hardware get reported really fast. I am not sure when exactly Microsoft started doing that; anyway, Microsoft did an open(!) beta release of IE9 last Wednesday.

I was actually very excited to see this release, as it was much hyped for the 'Chakra' JavaScript engine (uses multiple cores and hence is faster than other JavaScript engines), faster browsing, more web surface and some other features, along with HTML5 and CSS3 support. Another interesting development is that IE9 will now support SVG, which it has shunned for years. This is a really huge leap forward. Does it mean that Microsoft wants to move forward with the web standards rather than its own?

I was always eager to see when Microsoft would get their browser right, so that web developers can create better sites!! I downloaded and installed it on my Windows 7 PC, and it installed fine. But whenever I tried to open it, it displayed the message "Internet Explorer has stopped working, Windows is checking for a solution to the problem" and went into an infinite loop because of the tab recovery feature. I couldn't even give it a spin because it kept stopping on its own. And if my stats are right, it crashed 5 times in that span of 10-15 mins.

I still have one desktop which runs XP, but unfortunately IE9 is not available for Windows XP (and I guess it won't be), probably because of the security model and XP now being nearly 10 years old! Another reason is that the graphics core on Windows XP works differently, so IE9 hardware acceleration just cannot work there.

Late review; sheer disappointment!! But yeah, I look forward to seeing these catchy features when Microsoft finally releases it to the public as a stable product.

Ah! Happily back to my favorite Mozilla browser again!!


Friday, September 24, 2010

SSL cert on windows IIS

I was taken aback yesterday when I got this request. Good-to-know stuff for *nix guys; you never know when you might get a similar request. :-)

1) Download the new trusted root cert.

2) Move the new certificate mynew.crt to the server that needs the update


You can NOT simply double-click on the cert once it is on the server, as that will install the cert only into the currently logged-in user's Trusted Root Authorities store, not the machine's. Use the instructions below to install the cert for the entire server

  • Log into the server
  • Start run, type mmc on run line and hit enter
  • In the MMC Console click on File -> Add/Remove Snap-In
  • In Add/Remove Snap in window click on Add
  • In Add Standalone Snap-in window select Certificates and click on Add
  • In the Certificates snap-in window make sure Computer Account is selected and click on Next
  • In the select Computer window verify Local computer is selected and click on Finish, that window will close
  • Back in the Add Standalone Snap-in window click on Close, that window will close
  • Back in the Add/Remove Snap-in window click on Ok
  • In the MMC console left pane, expand Certificates
  • Expand Trusted Root Certification Authorities
  • Right click on Certificates and select All Tasks -> Import…
  • In the Certificate Import Wizard click on Next
  • At the next screen click on browse and browse to the location of mynew.crt and click on Next
  • Verify that it will be installing the cert to Trusted Root Certification Authorities and click on Next
  • Verify info on screen and click on Finish
  • From a command prompt, recycle IIS by running “iisreset /restart”
  • After IIS has been cycled test the web site

Wednesday, September 22, 2010

Simple File Sharing with Python SimpleHTTPServer

Have you ever come across a situation where you quickly need to share a file and lack the time or expertise to set up FTP, Apache or WebSphere? Python has the built-in SimpleHTTPServer module, which can solve this and help you share any file in seconds.

For ex. you want to share some files in /appsData.

[root@DebaTestBox debu]# cd /appsData
[root@DebaTestBox appsData]# python -m SimpleHTTPServer 18000 &

Now you can see that your SimpleHTTPServer is running on port 18000

[root@DebaTestBox appsData]# netstat -lntp | grep 18000
Active Internet connections (only servers)
tcp 0 0* LISTEN 16889/python

[root@DebaTestBox appsData]# ps -ef | grep HTTP
root 16889 16861 0 05:48 pts/0 00:00:00 python -m SimpleHTTPServer 18000

Now go to any web browser and try to see the files as below:


Yay!! That's it!!!! You are now sharing your files without setting up a dedicated WebLogic, Apache or FTP server, and it did not really require any prior hardcore system-administration knowledge. Keep in mind that everything under that directory is served, without any authentication, to anyone who can reach the port, so share a directory containing only what you mean to share and stop the server (kill the background job) once the transfer is done.

Network ACL check, whether a port is open or not:

This can even be used to test whether a port is open between two servers when the respective services on them have NOT yet been started. Run this server on the port you want to check on the first server and telnet to it from the other box. This is one way to test whether a network ACL allows a port through, probably in less than 10 sec! Yeah? Enjoy!


Tuesday, September 21, 2010

Best Free Online Scanner

You can bookmark the free online scanners below -

McAfee’s Freescan,
Trendmicro’s HouseCall, and
Symantec’s Security Check.

I have also come across Eset's scanners. Eset is a trusted name; their antivirus solutions have been a gold standard in security for many years now.


Sunday, September 19, 2010

See last modified File in UNIX

I strongly suggest installing a file integrity checker like Tripwire on your server. Even if you don't have that, we can always use the UNIX 'stat' command to see these stats on a suspected file or the file in question.

But there is a less popular form of the find command which can quickly list the set of files ordered by last-modified time, in a matter of seconds. Not "what got changed" though! Just try it out :-)

find /etc -type f -printf "%T+ %p \n" | sort -n
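As an added example (not from the original post), here is the smallest useful version of what Tripwire does: take a sha256 baseline of a directory such as /etc and later report exactly which files changed or vanished, answering the "what got changed" that find -printf alone cannot. The directory contents in the test are constructed; keep the real baseline file somewhere the server cannot modify (read-only media or another host), or an intruder can simply update it.

```shell
#!/bin/sh
# Added example: a minimal file-integrity baseline built from find + sha256sum.

# make_baseline DIR OUT -> records "sha256  path" for every regular file under
# DIR, sorted so two baselines of the same tree are directly comparable.
make_baseline() {
    find "$1" -type f -print0 | sort -z | xargs -0 -r sha256sum > "$2"
}

# check_baseline DIR BASELINE -> recomputes the hashes and prints the diff:
# "<" lines are the recorded state of files that changed or disappeared,
# ">" lines are their current state or files that are new. Returns 0 when
# the tree matches the baseline exactly, 1 otherwise.
check_baseline() {
    now=$(mktemp)
    make_baseline "$1" "$now"
    changed=$(diff "$2" "$now" | grep '^[<>]' || true)
    rm -f "$now"
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed"
        return 1
    fi
    return 0
}
```

Pair it with the find command above: the timestamp listing tells you when, the baseline diff tells you what.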


Check a bash script without executing

This is really essential sometimes: we want to check the syntax and validate our script rather than running it straight away.

Available Options:

set -o option    Command-line option    Action
noexec           -n                     Don't run commands; check for syntax errors only
verbose          -v                     Echo commands before running them
xtrace           -x                     Echo commands after command-line processing


$bash -n
$/bin/sh -nv


Skip Linux History

Have you ever felt you want to quit your bash session without saving your history? I am not sure for what good reason, but yes, there are ways -

$ kill -9 $$

Here, $$ is the pid of the current bash instance.


This way you can skip having your session recorded in the bash history!!

PS. But I have usually seen this behavior especially amongst freshers, trying to hide their mistakes out of panic, which is wrong. You should NOT hide them; rather report them actively. Error is inevitable in every sphere of human activity. We just need to be sure about what we do and a bit careful while doing it, that's it!!


Wednesday, September 15, 2010

My Favorite netcat(nc) combinations

Netcat (nc) has always been referred to as the legendary Swiss Army Knife of networking. It is a single binary which takes up only a few KB of space on your disk, yet it is so handy!! Below are some of my netcat favorites that I use from time to time.

See which ports are open on a particular server.

#nc -v -w 2 -z 1-65535

Check the disk status of a set of servers listed in a text file wslist.txt (the percentage sign is stripped before comparing, so 100% full is reported correctly too)

#for i in `cat wslist.txt`; do echo $i; ssh -q $i df -h|grep /data$|awk '{ u=$5; sub(/%/,"",u); if (u+0>=90) {print $5 "->Disk Danger"} else { print "Disk OK"}}' ; done

Check if port 22 is open on a list of servers listed in wslist.txt

#for i in `cat wslist.txt`; do nc -v -w 1 -z $i 22 ; done

Transfer a file from Server A to Server B on a specified port.

Server B
nc -l 1337 > dk.txt

Server A
nc 1337 <>

[rick@TestBox ~]# nc -l 1337
Hey Debu,did you know we can chat on the console like this?
@Rick, yeah! It's so cool man..

[debu@c00000005221 ~]$ nc 1337

Hey Debu,did you know we can chat on the console like this?
@Rick, yeah! It's so cool man..


Network Scan:

range="172.16.80."; port=80; for host in $(seq 1 255); do multi_task=$(result=$(nc -zv $range$host $port 2>&1 | grep succeeded); if [ -n "$result" ]; then echo $range$host":"$port >> "/tmp/pscan"; fi;) & done



Sunday, September 12, 2010

How To Copy Windows CMD Output!!

Pipe the command output to the Windows clipboard with ( | clip) and then paste it (Ctrl+V) anywhere you want. Yes! This is something your network admin asks for the most. They need proof... always!!

Anyway - who says tricks in *nix only make the geeks rock!! After all, Bill is still my trusted gateway to reach Torvalds!!! :-)

Saturday, August 28, 2010

e For eject

One of the ideas behind starting this blog was to have my own space to rant 'n' rave. Just to make things clear - none of the things I say here represent the views of any company that is my ex or current employer!! But sometimes things come along that really make me smile, and of course give an opportunity to work on them as part of process improvement.

Once we suffered the mismanaged server-tagging blues in one of the data centers. A reboot request sometimes rebooted the wrong server. Now imagine if that server was serving live, business-critical traffic! Well, I prefer NOT to explain the post-episode here. Now, any guess how we make sure that the DC engineer is actually standing in front of the right server when he has a reboot request to address a server hang or server shifting etc.? :-)

Yes! You are right - 'e' for eject was the savior that time. If he is close by somewhere in the grid or rack, one eject should be enough, and if it is NOT visible to him - get some scripting in place!

while [ true ]
do
    # eject CDROM
    eject
    sleep 2      # give the tray a moment to open (pause added for readability of the blink)
    # pull CDROM tray back in
    eject -t
    sleep 2
done

He will definitely locate your server, believe me!

Knock knock!! Now who says disabling/removing the CD-ROM from my server should be part of the DC physical security checklist!!?


Thursday, August 26, 2010

URL response time via curl

These stats are easily visible in any integrated HTTP sniffer available in the market, like HttpWatch/Fiddler etc., for popular web browsers like Mozilla/IE. But if you need to get them quickly from the command line, we can use cURL to do the same -

Determine response times of a URL with cURL:

# echo "`curl -s -o /dev/null -w '%{time_starttransfer}-%{time_pretransfer}'`"|bc

A bit deeper:

$curl -w '\nLookup time:\t%{time_namelookup}\nConnect time:\t%{time_connect}\nPreXfer time:\t%{time_pretransfer}\nStartXfer time:\t%{time_starttransfer}\n\nTotal time:\t%{time_total}\n' -o /dev/null -s

Lookup time: 2.221
Connect time: 2.541
PreXfer time: 2.589
StartXfer time: 2.862

Total time: 3.587

To get the amount of time between when a connection is established and when the data actually begins to be transferred:

$echo "`curl -s -o /dev/null -w '%{time_starttransfer}-%{time_pretransfer}'`"|bc

Hope it helps!


Wednesday, August 25, 2010


Just heard someone discussing this 'Fork Bomb'. Folks from a core SA background, who spend much of their time hardening their servers, making them fit and strong enough to withstand live raw traffic and (D)DoS, probably already know why pranks like this exist. When I discuss topics like the fork bomb I say - "It's NOT there because it's needed - that's just why it exists!" Even though I don't know whether it was an intentional or accidental discovery, computer pranks and viruses like this (wabbit) help make us aware of our current strengths and weaknesses - but definitely only in the right spirit and following all safety measures. A fork bomb can be lethal sometimes and may lose unsaved data too. But at the same time, on a newly built server it can be one of the points on the checklist for the kernel 'ulimit' parameters.

Just to touch upon the subject a bit: a fork bomb is considered to be the smallest (and deadliest) writable virus code in the batch language, and it is capable of being very annoying; if launched on a computer or server it will probably result in a crash.

This is how this forkBomb piece of code looks:

:(){:|: &};:

- looks like a smiley puking? Probably whoever wrote this first was a humorous-cum-creative guy who wanted to make it look funny and then attack. Funny earthlings!!!! But don't you dare underestimate it, even though it looks like a set of smileys. The below will work fine too, and can prove equally lethal.

nix|nix &

Now to complete this story I must also tell you how to defend against this. For that you need to read and understand all the parameters in /etc/security/limits.conf, a bit of PAM, and some ulimit parameters, and you are done!! I am sure in doing this you will also discover many new dimensions to your server-hardening mission.
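As an added example (not from the original post), the check below reads a limits.conf-style file and reports the per-user process cap (nproc) that pam_limits would apply for a given domain and limit type, so a hardening checklist can verify the cap is actually set rather than assume it. It assumes pam_limits is enabled for the login path (otherwise the file is never consulted), and that within one domain a later line overrides an earlier one; the file contents in the test are constructed.

```shell
#!/bin/sh
# Added example: verify the nproc limit that blunts a fork bomb is configured.

# nproc_limit FILE DOMAIN TYPE -> prints the nproc value configured for DOMAIN
# ("*" for the default entry, a user name, or @group) and TYPE ("hard" or
# "soft"); a line whose type is "-" sets both. Comments and blank lines are
# ignored. Returns 1 when no matching nproc line exists, which is the finding
# a hardening review should flag: without a cap, a fork bomb can exhaust the
# process table for everyone on the box.
nproc_limit() {
    awk -v dom="$2" -v type="$3" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and empty lines
        $1 == dom && ($2 == type || $2 == "-") && $3 == "nproc" { val = $4 }
        END { if (val == "") exit 1; print val }
    ' "$1"
}
```

The value the running shell actually got is shown by ulimit -u; if it prints "unlimited" while limits.conf has a cap, the PAM session stack is not applying the file.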

Jai Ho!!

Tuesday, August 24, 2010


Below are some of my favorite lsof combinations which I find so handy and which have proven to be saviors in critical moments. Just an effort to put them on this single page.

lsof -d mem                    Programs loaded in memory and executing
lsof -i :25                    Who is using this port
lsof -i                        List all processes with open Internet sockets (TCP and UDP)
lsof -c httpd                  List files for processes whose name begins with httpd (apache)
lsof -N                        List NFS-mounted files
lsof -u ^root | grep debu      List all open files by a user, excluding root
lsof -p 3030                   List by PID; you can supply more than one as a comma-separated list
lsof /tmp/funky.lock           Find the processes that have the /tmp/funky.lock file open
lsof -u                        Only for the specified uid
lsof -t `which httpd`          List the PIDs of running httpd processes
lsof -i@                       See connections to a specific host
lsof -i | grep LISTEN          What ports are listening for connections
lsof -i | grep ESTABLISHED     Current active connections
lsof /var/log/messages         Which processes are interacting with this file
lsof +L1                       Files with a link count below 1, i.e. open but already deleted. Often something fishy. Read the man page/google
lsof -i -P | grep -i "listen"  List all open ports and their owning executables

There are also some good resources on how to recover deleted files with the help of lsof.
Post a comment below if you have some more interesting lsof combinations.


Sunday, August 22, 2010

man page inside VIM editor

I am NOT sure how much it will help you, but yes, a very handy one. From inside Vim we can open the man page of any command we want: in normal mode, put the cursor over the keyword you want to look up and press Shift+K.

BTW, did you all get a chance to check what's new with new VIM release?


Sunday, August 15, 2010

Happy Independence Day

“Long years ago, we made a tryst with destiny and now the time comes when we shall redeem our pledge... At the stroke of the midnight hour, when the world sleeps, India will awake to life and freedom.” -Jawaharlal Nehru.

Today India is celebrating its 64th Independence Day - Yes! It's really a very auspicious moment for all of us. Each and every corner of India is under the magic of the "Tiranga" - the Tricolour. Everywhere you can see saffron, white and green. I was passing by on the road and, as expected, I saw the same extra excitement in the air and the exquisite decorations everywhere.

Yes, it was on this fateful morning of 15th August 1947 that India was declared independent from 200 years of "British Raj", and the reins of control were finally handed over to the leaders of the nation. India's gaining of independence was a tryst with destiny, as the struggle for freedom was a long and tiresome one, which witnessed the sacrifices of many brave freedom fighters who laid their lives on the line.

Congratulations to all my friends and followers, and I wish you all a very Happy Independence Day!!

Jai Hind.

Debajit Kataki

Saturday, August 14, 2010

Restricted SSH key access

I am NOT going to discuss here how we generate an SSH key pair and set up passphrase-less access between two computer systems, but rather a little-known yet very strong access-restriction facility that is available in the authorized_keys file.

Simple distribution of a public key allows any remote host where the private key is known to make any kind of ssh connection (login, remote command execution, port forwarding, etc.) to the computer. But there are a number of restrictions that can be put in authorized_keys to further limit that access. The $HOME/.ssh/authorized_keys file on the server being logged in to not only provides a means for public key authentication, but can also impose certain restrictions. The syntax or format of the file is:

It has four fields -

options - keytype - encoded-key - comment

Host Access Restriction:

from="pattern list"


from="*," ssh-rsa ...


- This will allow access only from the mentioned host or domain; other clients will still be unable to access this host even though they possess a valid private key.

Forced command:

This makes sshd execute the given "command" whenever this key authenticates, ignoring whatever command the remote user supplied. This is one of the most powerful uses of SSH public key authentication, and is usually used to create task-specific key pairs.

from=" ",command="/usr/local/bin/command", no-port-forwarding ssh-rsa AAAA

Other options:

There exist some other ssh facilities too, which can be suppressed by adding any of the following options to the options field -


In an environment where passphrase-less access is a must and where entirely automated remote connections keep flowing, it is generally a good idea to apply these options unless the connection actually needs one of these facilities.
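As an added example (not from the original post), here is a small audit script that reports, for each key in an authorized_keys file, whether it carries a from= or command= restriction and whether forwarding has been switched off, so the keys that grant an unrestricted login to anyone holding the private key stand out. Besides from= and command=, OpenSSH understands the options no-port-forwarding, no-X11-forwarding, no-agent-forwarding, no-pty and, in newer releases, restrict; the script treats restrict or no-port-forwarding as "forwarding off". The sample file in the test is constructed and its key blobs are fake.

```shell
#!/bin/sh
# Added example: audit authorized_keys for keys without from=/command= restrictions.

# audit_authorized_keys FILE -> prints one line per key:
#   "<line-no> <verdict> <keytype> <comment> forwarding=<on|off>"
# verdict is "restricted" when both from= and command= are present,
# "partial" when only one is, and "UNRESTRICTED" when neither.
# Returns 1 if at least one key is UNRESTRICTED, so it can gate a deploy.
audit_authorized_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
        {
            # the options field, if any, is everything before the key-type token
            for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
            keytype = (i <= NF) ? $i : "unknown"
            comment = (i + 2 <= NF) ? $(i + 2) : "-"
            # option values are quoted, so match the option name up to its quote;
            # the leading separator keeps "xfrom=" style comment text from matching
            has_from = ($0 ~ /(^|[ \t,])from="/)
            has_cmd  = ($0 ~ /(^|[ \t,])command="/)
            no_fwd   = ($0 ~ /(^|[ \t,])(restrict|no-port-forwarding)([ \t,]|$)/)
            if (has_from && has_cmd)      verdict = "restricted"
            else if (has_from || has_cmd) verdict = "partial"
            else { verdict = "UNRESTRICTED"; bad++ }
            printf "%d %s %s %s forwarding=%s\n", NR, verdict, keytype, comment, (no_fwd ? "off" : "on")
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}
```

Run it against ~/.ssh/authorized_keys of every automation account; a "partial" key with command= but no from= still lets a stolen private key run that command from anywhere.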
