I use these notes to remember various Linux commands and procedures. When I learn something new, a section gets appended to the document. Maybe you will find something useful. I appreciate hearing about errors.

~~Making a Linux cheat sheet is a popular activity. The following link will give you an up-to-date list:~~

If you know where you want to go, you can enter the section name as part of the browser URL. The browser will adjust the view to show the proper part of the document. Example:

If you want to display, print, or link to a section as a stand-alone document (no other sections will be shown) you can use:
ServerName myHost.myDomain.com DocumentRoot /var/www/html/myDirectory You must have a CNAME entry for myHost in your zone file or a definition for myHost.myDomain.com in your /etc/hosts file. ]]> ]]> AuthType Basic AuthUserFile /etc/httpd/users.htpasswd AuthName "Access to private stuff is restricted" require valid-user The AuthName message gets displayed by the client's browser when it pops up a dialog window requesting the username and password. The directive "Require valid-user" allows access to anyone who appears in the htpasswd file. Alternatively, you can allow access for selected users: require user bevis mary Creating a password file: htpasswd -c /etc/httpd/users.htpasswd aUserName The program will prompt for the password. The password file SHOULD NOT be located under any Directory section controlled by the server. Adding a user to the password file: htpasswd /etc/httpd/users.htpasswd aUserName The program will prompt for the password. Deleting a user from the password file: htpasswd -D /etc/httpd/users.htpasswd aUserName ]]> AuthType Digest AuthName Administrators AuthUserFile /etc/httpd/users.htdigest AuthDigestDomain /thisLocation /someOtherLocation ... require valid-user The AuthName has a specialized meaning here: it names a "realm". Realms are an abstraction used to group one or more locations on the server you want to protect as a unit. Each line in the AuthUserFile contains a username, password, and realm name. This allows the administrator to have one AuthUserFile for all the authentication rules. Realms control access to the path named in the Location directive and all "sub paths" relative to that location: In the example above, a path such as "/thisLocation/here" is also part of the realm. Most browsers allow users to "Remember my password" when they are prompted to enter credentials. The AuthDigestDomain directive lists other paths protected by the same credientials so the user won't have to enter them again. The browser quietly submits the previously used credentials when any of the other paths are used. To construct the parameter list for AuthDigestDomain, simply list all the path expressions used in Location and Directory sections names that have the same realm. Creating an digest password file: htdigest -c /etc/httpd/users.htdigest aRealm aUserName Adding a user to the password file: htdigest /etc/httpd/users.htpasswd aRealm aUserName The program will prompt for the password. Deleting a user: The htdigest command doesn't have a delete option. Just edit the file and delete the line with the username you want to remove. ]]> ! Let anyone read Satisfy Any ! All other requests need authentication Satisfy All ]]> ServerName www.yourPlace.com DocumentRoot /var/www/html DAV on AuthType Digest AuthName "yourRealm" AuthUserFile /etc/httpd/davusers.digest Require valid-user Create the digest authentication file: htdigest -c /etc/httpd/davusers.digest "yourRealm" yourUserName You will get a prompt for a password and the file will be created. Adding more users to the realm is similar, but leave out the -c switch, which creates a new file erasing the old one. As the syntax suggests, htdigest can store many users with multiple realms all in the same file. On the Windows XP side, open "My Network Places" and double-click "Add Network Place". Hit "Next", then select "Choose another network location" and hit "Next" again. Enter a url for the virtual host in this form: http://www.yourPlace.com:80 The wizard will grind away and then prompt for the username, password, and a name for the shortcut. The new shortcut will be added to the "My Network Places" folder. Note the appended port number: It is important. It somehow short-circuits Microsoft's attempt to discourage the use of the WebDAV protocol.]]> DAV on Satisfy all Order deny,allow Allow from all AuthType Digest AuthName "webdav" AuthDigestDomain /webdav AuthUserFile davusers.digest Require valid-user SSLRequireSSL Configure the digest file as described in the previous section. When you specify the url on the Windows side, you don't need the port number mumbo-jumbo: https://www.yourPlace.com/webdav Clearly, the SSL certificate must be created to exactly match the server name. You can also use this method inside a virtual host if the name matches the certificate. A word about AuthDigestDomain: the list of parameters consists of path expressions used in all Location directives that are protected by the same realm. For example if you used the "webdav" realm to protect the location /webdav as shown above and another location /website, the two locations should look like this: DAV on ... AuthName "webdav" AuthDigestDomain /webdav /website ... DAV on ... AuthName "webdav" AuthDigestDomain /webdav /website ... Windows XP and Vista clients need a patch to fix webdav bugs. (This is still true for XP SP3 and Vista SP1.) ]]>

~~archive.cpio ]]>~~ yourfile.raw The above command will display the sample rate and the number of channels. (Mono or Stereo) The output is 16 bit, signed pcm, little endian. No header. sox -c 2 -w -s -r xxx yourfile.raw yourfile.wav The xxx value must be the sample rate displayed by mpg123. You can pipeline mpg123 into sox. Use a - for the sox input. An easier way to do both steps: lame --decode yourfile.mp3 yourfile.wav ]]> myPath/myFile <<- 'EOF' line1 line2 ... lineN EOF ]]> 0 -w Is writable -x Is executable Example: if [ -e ] ; then # Do this if file exists fi if [ ! -d ] ; then # Do this if it's not a directory fi ]]> # Length of string is zero -n # Length of string is non-zero ]]> -nt ] ; then Do this if file1 is newer than file2 (or file2 does not exist) fi ]]> ]]> stdout 2> stderr &> both stdout and stderr Add stderr to stdout for subsequent redirection 2>&1 combines stderr with stdout Examples: Assume the current directory contains a file: exists And assume that this file does not exist: nosuch A command that partly succeeds: ls -l exists nosuch Console will show the exists listing and an error about nosuch. Send stdout to a file: ls -l exists nosuch > Demo Console shows exists listing and error about nosuch. Demo contains only the exists listing. Send stderr to a file: ls -l exists nosuch 2> Demo Console shows only the exists listing. Demo contains only the error message about nosuch. Add stderr to stdout and redirect to a file: ls -l exists nosuch 2>&1 1> Demo Console shows the error about nosuch. Demo contains only the exists listing. Note the precidence: First stdout goes to Demo. Then stderr replaces stdout and goes to the console. Add stderr to stdout and pipeline result to another program: ls exists nosuch 2>&1 | grep exists Add stderr to stdout and ignore stdout: ls -l exists nosuch 2>&1 1> /dev/null Console will still show stderr. This form is often used to discard information about normal command execution from a script. Combine all outputs and send to null: ls -l exists.txt nosuch.txt &> /dev/null The last example is often used to quiet down scripts. ]]> 0 echo "scale=3; 7/2" | bc echo "scale=0; 7/2" | bc Show how long a bc calculation takes (p to 1000 places) time echo "scale=1000; 4*a(1)" | bc -l -q ]]> ~~$file # Erase the contents of a file ]]> ]]> ]]> > ]]> ]]> ]]> ]]> ]]> ]]>~~ password /etc/dhcp/dhcpd.conf # Configure dhcp server /etc/dhcp/dhclient.conf # Configure dhcp client /etc/xinetd # Configure sub-servers (telnet, tftp, etc) /etc/bashrc # Global functions and aliases /etc/localtime # Link into a /usr/share/zoneinfo file /etc/named.conf # Configuation for named DNS (bind) /etc/resolv.conf # IP names and config for DNS /etc/securetty # Terminals that are allowed to be root /etc/DIR_COLORS # Colors used by color ls /etc/modprobe.conf # Configure module loader /etc/printcap # One entry per printer /etc/profile # Global environment and startup /etc/profile.d/*.sh # Modular global environ additions /etc/ppp/options # Contains lock for ppp (Remove lock!) /etc/ppp/ip-up.local # Things to do after connecting /etc/ppp/pap-secrets # Username-password entries /etc/ppp/resolv.conf # Created by ppp with usepeerdns option /etc/pcmcia/config.opts # Used to exclude IRQ 12 for PS/2 mouse /etc/pcmcia/network.opts # Configure and start pcmcia ethernet /etc/securetty # List terminals allowed to login as root /etc/sysconfig/pcmcia # Use this to turn on pcmcia /etc/sysconfig/network # Start networking, set def gateway /etc/sysconfig/network-scripts # ifcfg-xxx files for each interface /etc/sysconfig/clock # Vars used in rc.sysinit to set the clock /etc/sysctl.conf # Kernel settings for /proc/sys boot /etc/rc.d/init.d # Start/stop scripts for system services /etc/rc.d/rc.sysinit # Boot time configuration script /dev/null 2>&1 || : pre-remove sound-slot-0 /bin/aumix-minimal \ -f /etc/.aumixrc -S >/dev/null 2>&1 || : alias usb-controller usb-uhci alias char-major-180 usbcore alias cdrom sr_mod alias cdram sr_mod above sr_mod ide-scsi alias char-major-195 NVdriver alias net-pf-1 unix alias net-pf-17 af_packet ]]> ~~/dev/input/mice modem -> /dev/ttyS0 cdrom -> /dev/hdc cdrom1 -> /dev/hdd ]]>~~ d ]]> 25 ehlo mail from: rcpt to: data Type your message here and end with a dot: . quit ]]> 110 USER PASS STAT RETR n DELE n QUIT ]]> 143 a login a select inbox a fetch full a fetch body[header] a fetch body[text] a logout ]]> password Both pop & imap will use this file to avoid transmitting clear-text passwords. After editing, the file permissions should be changed: chmod a-rwx,o+r /etc/cram-md5.pwd ]]>
To really see what's going on, you need to study this

The flags are used to match various parts of the IP and/or TCP header. To really see what's going on, you need to study this
/proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -o $inetDev -j SNAT --to-source $inetIP iptables -A FORWARD -i $lanDev -j ACCEPT ]]> /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_dynaddr iptables -t nat -A POSTROUTING -o $inetDev -j MASQUERADE ]]>

/etc/sysconfig/iptables Enable the script at boot time using chkconfig --add iptables Other init script operations: service iptables start # Apply /etc/sysconfig/iptables service iptables stop # Admit all packets (remove firewall) service iptables panic # Stop all incomming packets service iptables restart # Reload the tables service iptables save # Does iptables-save for you service iptables status # Display the tables ]]> /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects Alternatively, the /proc settings may be configured in the file /etc/sysctl.conf: net.ipv4.ip_forward = 1 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 At boot time, sysctl.conf is loaded by /etc/rc.d/rc.sysinit ]]> ~~" myfile.jpg]]>~~ ~~You can disable core dumps by putting "ulimit -c 0" in /etc/profile ]]> /proc/sys/kernel/file_max ]]>~~ ~~]]>~~ ~~]]> from where a list of columns or * for all columns select * from pet ]]> backupFile.sql ]]>~~ ifdown These commands are scripts that automatically set up all the ip parameters and take care of special cases such as PPP, PPPoE, DHCP, firewalls and others. In Redhat-like systems, extra implicit parameters go in: /etc/sysconfig/network /etc/sysconfig/network-scripts/ifcfg- ]]> # Show params for a specific interface ifconfig \ # Set params and start the interface address \ netmask \ broadcast

\ metric The ifconfig command directly configures and starts the interface. It is up to you to take care of routing and other issues. ]]> # Add a default route route delete # Remove a route ]]> Only input from the host: tcpdump src When using src or dst, you may also specify a port: tcpdump src port 80 Only ouput to the host tcpdump dst The first parameter to tcpdump can be the name of a protocol: tcpdump icmp host The protocol may be: tcp, udp, or icmp If you run this from a remote session, you will want to ignore your own session: tcpdump -i eth0 not $myAddress You can send output to a file: tcpdump ... -w aFile.txt Youu can play the file back into tcpdump: tcpdump -r aFile.txt The interface will expose more information if it operates in promiscuous mode: ipconfig eth0 promisc You will want to turn this off after debugging: ipconfig eth0 -promisc ]]>
See the section for details.
ping hostName ping ipAddress ]]> and are floating decimal numbers. When creating adjacent partitions, the of the last partition should match the of the next. Use df to see how much space is used if you intend to shrink a working partition. You must take care of shrinking the file system before you attempt to shrink the partition itself. ]]> ~~patchFile -r Perform diff recursively -N Support creating new files ]]>~~ ~~V O ]]>~~ # List source starting at line list l1,ln # List source from l1 to ln list # No continues listing break # Set breakpoint clear # Clear breakpoint run p1 p2 ... # Start program with parameters start # Start program and break at main() step # Step into next # Step over quit # Exit debugger continue # Continue from break print expr # Show value of expression display expr # Print value at each break backtrace # Show the calling stack edit # Edit a file at the location Examples of locations: 234 # A line number myfun # A function myFile.c:234 # A line in a source file myFile.c:myfun # A function in a file ]]> ]]> ]]> ARRAY /dev/md1 level=raid1 num-devices=2 UUID= The MAILADDR specifies where email will be sent when raid problems are detected. To get your own raid arrays mounted at boot time, you have to add entries to mdadm.conf yourself. You can see the right expressions by first mounting the array and then running this command: mdadm --detail --scan --verbose Just pick out the line for your new array and add it to the end of the configuration file: /etc/mdadm.conf ]]> /sys/block/md1/md/sync_action watch cat /proc/mdstat Recheck: echo check >/sys/block/md1/md/sync_action watch cat /proc/mdstat Verify: cat /sys/block/md1/md/mismatch_cnt (Should be zero now...) ]]> ~~Right word boundary ]]>~~ ~~archive.cpio ]]>~~ ]]> ]]> ]]> Sometimes different repositories contain packages with conflicting names or build attributes. It is necessary to resolve this to avoid installing or updating with the wrong package. Repositories can be enabled or disabled by editing their yum.repos.d files. Otherwise, these settings can be overridden on the command line: --enablerepo= --disablerepo= ]]>
Most of the search command use patterns that are described in the section
This is equivalent to "grep -r pattern path" ]]> When using xargs, the file name always appears after the command, so this form is less general than using -exec. Example: Change the permissions on all mp3 files at or below the current directory: find -name *.mp3 | xargs chmod 644 The example above will fail if the file names contains spaces. (Which music files often do.) To deal with that, we pipeline the file names though a sed expression that puts quotation marks around each name: find -name *.mp3 | sed 's/^.*$/"&"/' | xargs chmod 644 ]]> ~~outfile sed 'expression' outfile echo "some text" | sed 'expression' ]]>~~ Typical selectors are: start, stop, restart, status. If you run the command without a selector, it will display a list of possible selectors. ]]> ../init.d/network Networking gets turned off in runlevel 1, so we find this link: /etc/rc.d/rc1.d/K90network -> ../init.d/network When a service is installed, a start or stop link should should be created in every run level directory. Here's a complete example for the web server httpd: Starting: /etc/rc.d/rc3.d/S85httpd -> ../init.d/httpd /etc/rc.d/rc4.d/S85httpd -> ../init.d/httpd /etc/rc.d/rc5.d/S85httpd -> ../init.d/httpd Stopping: /etc/rc.d/rc0.d/S15httpd -> ../init.d/httpd /etc/rc.d/rc1.d/S15httpd -> ../init.d/httpd /etc/rc.d/rc2.d/S15httpd -> ../init.d/httpd /etc/rc.d/rc6.d/S15httpd -> ../init.d/httpd It is important idea to keep the links complimentary: If you create start links on levels 2 and 5, you should create kill links on levels 0,1,3,4, and 6. It is clearly a pain to do all this correctly by hand. ]]> ~~enabled 1 => disabled ]]> multi-user.target runlevel5.target -> graphical.target ]]>~~
Secure Shell (ssh) lets you connect to a remote host and start a shell session just like Telnet. Unlike Telnet, ssh uses cryptography to log in and protect the data flow between you and the remote host.

Setting up ssh access is conceptually involved, but once this is done, ssh is very easy to use. For example: To start a shell session on a remote host you simply type:

SSH can perform many other marvels such as port forwarding: This lets you channel tcp/ip traffic between any selected client and server port through the secure connection. A common use of this feature is to run remote X-Windows programs and have them display on the client automatically.

The following sections deal with understanding and configuring basic ssh access.

SSH supports several encryption mechanisms, but one of the best is based on the RSA public key system.

To use RSA, you need a pair of numerical keys. One key is public: You can pass it out to your friends or publish it in a public directory. The other key is private and must be keep secret.

RSA is a Good Thing™ because it works without ever exchanging private keys over an insecure communication channel, e.g. the internet. It also supports signatures: A person who recieves a message can verify that only you could have sent the message.

First, you need to create a hidden directory in your home directory and set restricted permissions:

Next, run ssh-keygen to create your public and private key files.

The program will propose default filenames for your, public and private key files, which you should accept:

You will also be asked for a passphrase. If you specify a passphrase, you will need to enter it whenever ssh or other programs want to use your private key.

The comment parameter is optional. If you don't supply a comment using "-C", the default is a string derived from your login name and the name of your host formatted like an email address:

The comment appears as plain text in your public key string. When examining an authorization file on a remote server, this text helps you remember who is authorized.

Once you have a key set, you can freely distribute copies of your id_rsa.pub file to anyone who wants to send you secure messages.

The file permissions for private key files must be set correctly or the ssh program will not work. The ssh-keygen program will do this properly, but to set them by hand you would use these expressions:

You must setup your client ssh keys as decribed above. They will be in the hidden .ssh directory in your home directory on the client machine.

Email, ftp or otherwise copy your id_rsa.pub file to your home directory on the remote machine. To avoid confusion, we rename the file "client_rsa.pub". You must append the contents of this file to the authorized_keys file in the .ssh directory at the top-level of your remote home directory.

To do this, you need to log into your remote account by some other means or ask someone who has access to do this for you. This command will append your key to the authorized_keys file:
> .ssh/authorized_keys ]]>
If you're creating a new .ssh/authorized_keys file, you must set the permissions or remote access will be denied:

If some other user such as "root" does this for you, they also need to make sure that you own the file:

Similarly, the remote .ssh directory must have the correct permissions and owner:

Here's a quick check on how the .ssh directory should look:

The above listing shows the known_hosts file, which is automatically created and/or updated whenever remote clients connect to this account.

By adding a "config" file to your .ssh directory, different configuation options and defaults can be set for each host you commonly use. Here is an example .ssh/config file:

By specifying a username as shown above, the command line for remote login becomes very simple:

Most of the options you can specify system-wide for the ssh client in /etc/ssh/ssh_config may alternatively go in your local .ssh/config file, elminating the need to modify the system defaults.

Permissions for the config file should be 644.

An entire host machine may have a key set. The public part of this key is kept on remote servers to authorize access by the entire machine. Many services can be configured to use host-level authorization.

Host keys should be located in:

The automatic installers for many Linux distributions create the host key files in /etc/ssh automatically.

To create them by hand, run ssh-keygen and specify the path names shown above. Passphrases are not normally used with host keys.

The ssh client package is usually bundled with the scp (secure copy) program. This allows you to copy files between hosts using the secure ssh protocol. To use scp, you must have the keys properly configured as described in the previous sections.

The syntax is similar to the regular cp (copy) command, but the source and destination path may have an optional prefix to denote the host and username associated with the access keys.

To copy a local file to a remote host where you have an account with the same username as your local session:

To copy the file to some other user's account:

The general syntax is:

If the path names are not absolute, they are relative to the login directories for the designated users.
~~]]> myBackup.svndump ]]>~~ # Read system time from cmos The may be --localtime or --utc. For localtime, you need to have an /etc/localtime file which can be a copy or link to zoneinfo file. (These are in /usr/share/zoneinfo) ]]> Send a reminder to your cellphone at 6am Mar 17 mail -s "Meeting at 10am in Room 101" 1234567890@attnet.com Don't forget to bring the rats! ^D ]]> /root/listing.txt ]]>
~~Update: This method is obsolete and dangerous. Please see the section for a safe alternative.~~
myXDebug.txt 2>&1 ]]> -display :0 ]]> Put this command in your .xinitrc to make it permanent ]]> :0 -e ]]> fonts.scale mkfontdir chkfontpath --add `pwd` service xfs reload Note: Redhat runs ttmkfdir and mkfontdir on every directory known to xfs in the xfs startup script. These fonts become known when you run chkfontpath. ]]> ]]>
Newer linux distributions are configured to require SSH authorization for remote X clients. In this document, see "SSH access with RSA keys" for details about creating and using keys.

When using RSA, you still need the ip name or number of each client machine in the server's Xaccess file.

The X server has a file that contains the SSH public keys of each user and/or entire client machines that are allowed to connect:

If you create this file, you must set the permissions:

You don't need to authorize the whole client if you only want to allow selected users on that client.

Public keys are copied or mailed from the client machines. A special public and private key set may be created for the whole host. It is kept in:

You append the contents of this file to the server's kdmkeys file to authorized everybody on the whole client.

Public key files for individual users are found in:

Simply append the contents of this file to the server's kdmkeys file to authorize this user.

With all the setup completed, you can login to the remote machine using ssh and run X-Windows programs. The display will be automagically sent back to your machine!

UPDATE: Newer Redhat/Fedora systems need some additional setup on the client side: In the file /etc/ssh/ssh_config you must add these directives:

Without these changes, you would have to login to the server using ssh with the "-Y" switch to enable access by a trusted host.
Cursor right. Cursor left. d Down one page. u Up one page. ]]> Leave insert mode. P Insert last thing deleted. ]]> Delete previous char. J Delete line break. (Join current line with next line) ]]> 'a Indent right from mark "a" to cursor. <'a Indent left from mark "a" to cursor. It's easier to use visual mode followed by < or >. ]]> Read in a file at current location. :w Write everything to current file. :w Write everything to selected file. :w! Overwrite existing file. ]]> Show result of Bash command. :r ! Insert result of Bash command. ]]> s/old/new Inside visual mode selection (V). :*s/old/new Abbreviated visual mode selection. :%s/old/new/g Throughout the whole file Add /g to substitute all instances instead of just the first. Other line number designations: . Current line. $ Last line. /pattern/ Next line that contains pattern. \? Next line with previously used pattern. ]]>