How to reset a terminal service connection for Windows server

Jephe Wu -

Objective: reset Windows terminal service connection for remote Windows servers
Environment: Windows 2003 servers

1. Run qwinsta to query the login sessions on the remote Windows server
From a Windows command prompt, run:
qwinsta /server:
rdp-tcp#471 Jephe 2 Active rdpwd

2. Reset the session on the remote Windows server by its ID
rwinsta /server: 2

Note: rwinsta resets the session, which kills every process in it and discards unsaved work; if you only want to detach the user and leave the session running, use tsdiscon (section 3) instead. Both commands need administrative rights on the target server.

a. What do qwinsta and rwinsta stand for?
qwinsta = Query WINdows STAtion
rwinsta = Reset WINdows STAtion

3. How to disconnect a session in Windows 2000
The following information is from the Microsoft website - How to Disconnect a Terminal Services Session

This is an example of how to use the tsdiscon command to disconnect a session on the current Terminal Services server:

  1. In a Terminal Services session, click Start, and then click Run.
  2. Type cmd, and then click OK.
  3. Determine the name or ID of the session that you want to disconnect. To do so, type query session, and then press ENTER. You see a list of information about the sessions on the current Terminal Services server. The list may be similar to:
     console      administrator       0   active   wdcon   
     rdp-tcp                      65536   listen   rdpwd
    >rdp-tcp#1    user1               1   active   rdpwd
     rdp-tcp#2    user1               2   active   rdpwd
     rdp-tcp#3    user2               3   active   rdpwd
     rdp-tcp#4    user3               4   disc     rdpwd  
     rdp-tcp#5    user1               5   disc     rdpwd
                                      6   idle
                                      7  idle
    Note that in this example, the name of the current session is rdp-tcp#1, the session ID is 1, and it is owned by user1.
  4. To disconnect the current session, type the following line at the command prompt, and then press ENTER:
  5. To disconnect session 2 by using the session ID, and to display information about the disconnect operation, type the following line at the command prompt, and then press ENTER:
    tsdiscon 2 /v
    You see the following line and session 2 is disconnected:
    Disconnecting sessionID 2 from sessionname rdp-tcp#2
  6. To disconnect session 5 by using the session name, type the following line at the command prompt, and then press ENTER:
    tsdiscon rdp-tcp#5

X Windows port forwarding with sudo and ssh

Jephe Wu -

Objective: use X Windows forwarding over ssh together with sudo
Background: user jephe needs to sudo to an application user through the sudosh shell and, after switching, run an X application as that user. CentOS 5.5, sudosh, WebSphere Application Server running as user was1.

Concept: jephe first logs in with 'ssh -X' to the WebSphere application server, then runs 'sudo -u was1 sudosh' to switch to was1 under sudosh. The forwarded X11 channel and the MIT-MAGIC-COOKIE-1 that protects it belong to jephe's login, so was1 only gets a working DISPLAY once it holds a copy of that cookie. After that jephe starts WebSphere Application Server as was1, which pops up its username and password dialog on jephe's client.


1. Refer to to install sudosh

2. ssh into the WebSphere application server with -X from a Linux client running X

To turn on X forwarding over ssh, use the command line switch -X or put the following in your local ssh configuration file (~/.ssh/config):

    ForwardX11 yes
$ ssh -X jephe@appserver
$ env | grep DISPLAY
On the server side sshd must have X11Forwarding enabled and xauth installed, otherwise DISPLAY will not be set in the session.

3. Use sudosh and configure the DISPLAY variable for the was1 user

$ sudo -u was1 sudosh
$ export DISPLAY=localhost:10.0
$ scp jephe@localhost:.Xauthority /home/was1/

Use the same DISPLAY value that 'env | grep DISPLAY' showed in jephe's session; the number after the colon changes from login to login. Note that scp copies jephe's whole .Xauthority, i.e. every cookie jephe holds, and asks for jephe's password again; the xauth method below transfers only the one cookie that is needed.

Note: if you need to run 'sudo application' as root, copy /home/jephe/.Xauthority to /root first and check the DISPLAY environment variable in the root shell.

Or this way, moving just the cookie for the forwarded display:

$ ssh -X jephe@appserver
$ env | grep DISPLAY
$ xauth list $DISPLAY
<displayname>  MIT-MAGIC-COOKIE-1  32characterstring

$ sudo -u was1 sudosh
$ export DISPLAY=localhost:10.0
$ xauth
xauth> add <displayname> . 32characterstring
xauth> exit
Writing authority file /home/was1/.Xauthority
$ xterm (test it first)

The add command takes three fields: the display name exactly as printed by 'xauth list', the protocol name ('.' is xauth's abbreviation for MIT-MAGIC-COOKIE-1) and the hex cookie. Without the display name xauth cannot parse the line and was1's X clients keep failing with an authorization error. The cookie is what authorizes a client to jephe's forwarded display, so /home/was1/.Xauthority should stay mode 600, and the entry can be dropped with 'xauth remove <displayname>' once the application is running.
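The same hand-over done non-interactively, as an added example that is not part of the original article or the Remote X Apps HOWTO: it exports exactly one cookie from the ssh user's authority file and merges it into the application user's, so neither the whole file nor xhost is involved. It is meant to be run as root (for instance through sudo); the user names, paths and the display value are assumptions that match the setup above.

```sh
#!/bin/sh
# Added example, not from the original article or the Remote X Apps
# HOWTO: hand over exactly one MIT-MAGIC-COOKIE-1 entry from the ssh
# user's .Xauthority to the application user's, instead of copying the
# whole file or opening the display with xhost. Run as root (via sudo);
# user names and paths are assumptions matching the article's setup.
set -eu

# display_number DISPLAY: "localhost:10.0" -> "10". sshd keys the cookie
# it writes on the local display number (hostname/unix:10), so that is
# the part needed to select the right entry.
display_number() {
    n=${1#*:}      # drop "host:"
    n=${n%%.*}     # drop ".screen"
    printf '%s\n' "$n"
}

# copy_x_cookie SRC_AUTHFILE DST_AUTHFILE DISPLAY
# Export only the entry for the given display from SRC and merge it into
# DST; the other cookies in SRC are never written to the destination.
copy_x_cookie() {
    src=$1; dst=$2; disp=":$(display_number "$3")"
    xauth -f "$src" nextract - "$disp" | xauth -f "$dst" nmerge -
}

# On the application server, as root, after jephe's 'ssh -X' login:
#   copy_x_cookie /home/jephe/.Xauthority /home/was1/.Xauthority localhost:10.0
#   chown was1:was1 /home/was1/.Xauthority; chmod 600 /home/was1/.Xauthority
# Then in the was1 shell:  export DISPLAY=localhost:10.0; xterm
# Remove the entry again when done:
#   xauth -f /home/was1/.Xauthority remove :10
```

Using the ":10" form rather than "localhost:10.0" makes xauth select the local-family entry (hostname/unix:10) that sshd wrote, which is the one X clients on the same host look up.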

4. Start up WebSphere Application Server

$ cd websphere_directory
$ ./ server1
It will prompt for the username and password in a window on jephe's Linux PC, i.e. the ssh client running X.

5. Useful commands and references:

xhost +   (disables X access control completely: any client that can reach the X server may connect, read keystrokes and grab the screen; use 'xhost +hostname' at most, and prefer cookies)
xhost -   (re-enables access control)
xauth -v

Remote X Apps mini howto -

How to configure timezone for Linux server

Jephe Wu -

Objective: configure the timezone of a Linux server for all the usual situations.
Environment: RHEL 5, CentOS 5; ssh users come from different time zones

1. Configure the BIOS time and /etc/sysconfig/clock to set the timezone of the system (most important)
The /etc/sysconfig/clock file controls how the value read from the hardware (BIOS) clock is interpreted.
Set the BIOS time correctly first. If the BIOS clock is kept in local time, set UTC=false in /etc/sysconfig/clock.

Keep the BIOS clock in GMT and set UTC=true (and ARC=true) in the following situations:
a. the server's zone observes daylight saving time (a local-time BIOS clock would have to be shifted twice a year)
b. the users of the server are in different timezones

You can use the following command to configure the timezone for the system:
setup (choose timezone configuration)

UTC stands for Coordinated Universal Time; for timezone configuration it is the same as Greenwich Mean Time (GMT).
The ARC line has no effect on Linux on x86 hardware (it is for Alpha systems); leave it and ignore it.

2. For the server itself to display the correct timezone when running 'date', /etc/localtime has to be the compiled timezone file for your zone from /usr/share/zoneinfo/, either as a symlink or as a copy:

ln -sf /usr/share/zoneinfo/Asia/Singapore /etc/localtime
cp /usr/share/zoneinfo/Asia/Singapore /etc/localtime

A copy is what Red Hat's own tools create and is safer when /usr is a separate filesystem that is not mounted early in boot; a symlink makes it obvious which zone is in use. Also set ZONE="Asia/Singapore" in /etc/sysconfig/clock so that both places agree.

3. For users in a different timezone from the server, set the TZ environment variable for the user's shell session:

To configure a different time zone from the system-wide default for an individual user, add the following line to the .bashrc in that user's home directory:

export TZ="/usr/share/zoneinfo/<timezone_directory>/<timezone_file>"
The short form export TZ="Australia/Sydney" works as well, since the C library looks the name up under /usr/share/zoneinfo. This only changes how that user's processes display time; the kernel clock and the system zone are unaffected.
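Because the zone is recorded in two places (ZONE= in /etc/sysconfig/clock and the contents of /etc/localtime) they silently drift apart when only one is edited. The following check, added here and not part of the original article, compares the two; the file and directory names are parameters so that it can be run against the real files or a constructed tree.

```sh
#!/bin/sh
# Added example, not from the original article: check that /etc/localtime
# really is the zone named in /etc/sysconfig/clock. Paths are parameters;
# on a real server they are /etc/sysconfig/clock, /usr/share/zoneinfo and
# /etc/localtime.
set -eu

# Print the value of ZONE= from a sysconfig/clock style file, quotes stripped.
clock_zone() {
    sed -n 's/^ZONE=//p' "$1" | tr -d '"'
}

# Return 0 when the localtime file is byte-identical to the compiled zone
# file (a symlink or a copy both pass; a stale copy of another zone fails).
localtime_matches() {
    zoneinfo=$1; zone=$2; localtime=$3
    cmp -s "$zoneinfo/$zone" "$localtime"
}

# check_tz_config CLOCKFILE ZONEINFO_DIR LOCALTIME
# Exit 0 = consistent, 1 = mismatch, 2 = cannot check.
check_tz_config() {
    zone=$(clock_zone "$1")
    [ -n "$zone" ] || { echo "no ZONE= line in $1" >&2; return 2; }
    [ -f "$2/$zone" ] || { echo "zone file $2/$zone not found" >&2; return 2; }
    if localtime_matches "$2" "$zone" "$3"; then
        echo "ok: $3 is $zone"
    else
        echo "MISMATCH: $3 is not $2/$zone" >&2
        return 1
    fi
}

# Real use:
#   check_tz_config /etc/sysconfig/clock /usr/share/zoneinfo /etc/localtime
# A user in another zone sees the same instant in their own zone with:
#   TZ=Australia/Sydney date
```

Run it after every tzdata update as well: the package replaces the files under /usr/share/zoneinfo but leaves a copied /etc/localtime untouched, which is exactly the mismatch this catches.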

4. Which RPM package owns the timezone data, and how to dump the transitions of a zone under /usr/share/zoneinfo/
# rpm -qf /usr/share/zoneinfo/Asia/Singapore
(the files belong to the tzdata package; keep it updated, since daylight saving rules change)

[root@oracle ~]# zdump -v -c 2010,2012 Australia/Sydney  | more
Australia/Sydney  Fri Dec 13 20:45:52 1901 UTC = Sat Dec 14 06:45:52 1901 EST isdst=0 gmtoff=36000
Australia/Sydney  Sat Dec 14 20:45:52 1901 UTC = Sun Dec 15 06:45:52 1901 EST isdst=0 gmtoff=36000
Australia/Sydney  Sat Apr  3 15:59:59 2010 UTC = Sun Apr  4 02:59:59 2010 EST isdst=1 gmtoff=39600
Australia/Sydney  Sat Apr  3 16:00:00 2010 UTC = Sun Apr  4 02:00:00 2010 EST isdst=0 gmtoff=36000
Australia/Sydney  Sat Oct  2 15:59:59 2010 UTC = Sun Oct  3 01:59:59 2010 EST isdst=0 gmtoff=36000
Australia/Sydney  Sat Oct  2 16:00:00 2010 UTC = Sun Oct  3 03:00:00 2010 EST isdst=1 gmtoff=39600
Australia/Sydney  Sat Apr  2 15:59:59 2011 UTC = Sun Apr  3 02:59:59 2011 EST isdst=1 gmtoff=39600
Australia/Sydney  Sat Apr  2 16:00:00 2011 UTC = Sun Apr  3 02:00:00 2011 EST isdst=0 gmtoff=36000
Australia/Sydney  Sat Oct  1 15:59:59 2011 UTC = Sun Oct  2 01:59:59 2011 EST isdst=0 gmtoff=36000
Australia/Sydney  Sat Oct  1 16:00:00 2011 UTC = Sun Oct  2 03:00:00 2011 EST isdst=1 gmtoff=39600
Australia/Sydney  Mon Jan 18 03:14:07 2038 UTC = Mon Jan 18 14:14:07 2038 EST isdst=1 gmtoff=39600
Australia/Sydney  Tue Jan 19 03:14:07 2038 UTC = Tue Jan 19 14:14:07 2038 EST isdst=1 gmtoff=39600

5. Useful commands and references:
hwclock --systohc   (write the system time to the BIOS clock; 'clock' is a link to hwclock on RHEL 5. Add --utc or --localtime to match the UTC= setting in /etc/sysconfig/clock)

How to configure Squid proxy to access both Internet and internal websites

Jephe Wu -

Environment: the company LAN is connected to the Internet through a leased line; the proxy server, which is also the firewall, runs Squid 2.6 so LAN users can reach the Internet. A second proxy on the LAN, also a firewall, is connected to company headquarters through another leased line so that users can reach some internal websites.

Objective: users configure only the Internet proxy in their browsers and reach both external and internal websites through it; for the internal websites it uses the headquarters proxy as its parent.

company external websites: * except for and
company internal websites: *, and

1. Configure Squid on the Internet proxy as follows (the parent's hostname goes after cache_peer and the internal domains after dstdomain):


cache_peer parent 8080 3130 no-query
acl internal  dstdomain
never_direct allow internal 

Now users only need the Internet proxy configured to reach both the Internet and all internal websites. Caveat: by default Squid prefers a parent over going direct for every request (prefer_direct is off), so add cache_peer_access rules for this parent that allow the internal acl and deny everything else; otherwise ordinary Internet traffic may also be routed through the headquarters proxy whenever it is up.

1. According to the Squid documentation:
One important concept that must be understood is that of parents and siblings. A sibling is a cache that your proxy, when it receives a request for a URL, queries to see if it has a copy of it. The sibling then answers either "Yes, I have it" or "No, I don't have it". The proxy then decides whether it should retrieve this object from a sibling, or go and get it from the source directly. A parent is a proxy that, if none of the siblings have a copy of the object you want, your proxy opens a request to and asks to fetch a copy, rather than fetching it directly.

2. The never_direct directive means that requests for the internal domains always go through the parent proxy, for both http and https. Without it, when an http request to an internal website is redirected to https, Squid would try to serve the https URL (a CONNECT tunnel) directly instead of going through the parent again. With 'never_direct' configured, the redirected https request goes through the parent proxy as well, so the parent must accept CONNECT requests for those hosts.

3. no-query is a cache_peer ICP option that disables ICP queries to this peer; together with 'parent' it simply forwards the request, which is what you want for a single upstream proxy. The 3130 in the cache_peer line is the ICP port and stays unused once no-query is set.

Cloning a physical RHEL 5 server to vmware virtual server

Jephe Wu -

Objective: clone a physical RHEL 5 server to a VMware virtual server from scratch
Environment: RHEL 5.1 (physical server HP ProLiant DL360), CentOS 5.5 (VMware host server)


1. Setup the vmware server 2.0 under CentOS 5.5
Please refer to another article at

2. Clone the physical RHEL 5.1 server to the VMware virtual server

a. Create a VMware virtual machine, use sda as its hard disk and boot it from a system rescue CD iso image
You can download the iso file from

b. Make a tarball of the original RHEL 5.1 physical server
login as root
cd /
tar --exclude=./root --exclude=./sys --exclude=./proc -cvpzf - . | ssh intermediate_server 'cat > rhel.tar.gz'

Note: the exclude patterns are written as ./root, ./sys and ./proc so they only match the top-level trees; a bare '--exclude root' also drops every file named root anywhere, such as /var/spool/cron/root. The tarball contains /etc/shadow, the ssh host keys and every other secret on the server, so keep the copy on intermediate_server readable by root only and delete it once the clone is finished. The clone also comes up with the same host keys, hostname and IP configuration as the original; adjust them (step e) before it shares a network with the physical server.

c. In the rescue environment, configure the IP address, make the partitions and set the root password
ifconfig eth0 netmask up
passwd root
fdisk /dev/sda (make sda1 /boot (100M), sda2 swap (2x RAM size), sda3 /)
mkfs -t ext3 /dev/sda1
mkfs -t ext3 /dev/sda3
mkswap /dev/sda2

Set the root password (the rescue CD boots with an empty one) before relying on sshd on the rescue system, since it is reachable from the whole LAN.

d. Start to clone the whole OS

cd /mnt
mkdir sda
mount /dev/sda3 sda
cd sda
mkdir boot
mount /dev/sda1 boot

scp root@original_server:/etc/passwd /etc/

scp root@original_server:/etc/group /etc/

Note: the scp commands above copy the original server's /etc/passwd and /etc/group into the rescue CD environment so that untarring rhel.tar.gz later keeps the correct owner and group on all files. GNU tar stores both the name and the numeric id of each owner and, when extracting as root, resolves the name through the local passwd file; if the rescue system lacks a user such as smmsp, or maps it to a different uid, the result is wrong. That is why /var/spool/clientmqueue would otherwise not be owned by smmsp, and why the group on /usr/sbin/sendmail.sendmail would be off. The alternative is to extract with 'tar --numeric-owner', which uses the stored ids, ignores the names entirely and needs no copying of passwd files.

Log out and log in again so the new passwd and group files take effect, then:

cd /mnt/sda
ssh root@intermediate_server 'cat rhel.tar.gz' | tar xvpzf - 

If both machines are on the same LAN, skip the intermediate file and pipe straight across, running this on the original server as root from / (here intermediate_server is the booted rescue VM, where /mnt/sda is mounted):
tar --exclude=./root --exclude=./sys --exclude=./proc -cvpf - . | ssh intermediate_server 'cd /mnt/sda; tar xpf -'

Note: if you use the RIP 12.3 non-X version as rescue CD, edit /etc/hosts.deny to comment out the last line, which only permits localhost to ssh into the RIP system; you might also need to edit /etc/ssh/sshd_config to allow root login with a password. Both settings are gone when the rescue CD is rebooted, which is what you want once the copy is done.
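The tar side of steps b to d, as an added example that is not part of the original article: it builds the archive with the top-level excludes and then lists the members so the result can be checked before it leaves the server. The demo tree and all paths are constructed; on the real server the root is / and the output file is "-" piped into ssh as shown above.

```sh
#!/bin/sh
# Added example, not from the original article: build the clone archive
# with top-level excludes and audit the member list before shipping it.
# The article's original `--exclude root` was a bare pattern that also
# drops every file *named* root anywhere in the tree (e.g.
# /var/spool/cron/root). The demo tree and paths are constructed.
set -eu

# Exclude arguments. Member names produced by "tar -C ROOT ... ." start
# with "./", so "./proc" only matches the top-level directory.
clone_excludes() {
    printf '%s\n' --exclude=./proc --exclude=./sys --exclude=./root
}

# make_clone_tar ROOT OUT: archive ROOT into the gzip'd tar file OUT,
# preserving permissions. Numeric ids are stored alongside the names, so
# the rescue side can extract with --numeric-owner instead of copying
# passwd and group first.
make_clone_tar() {
    root=$1; out=$2
    # shellcheck disable=SC2046  # word-splitting the exclude list is intended
    tar $(clone_excludes) -C "$root" -cpzf "$out" .
}

# List the archive members, one per line, so the result can be audited.
list_members() {
    tar -tzf "$1"
}

# A small constructed tree containing the paths that matter.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/1" "$d/sys/block" "$d/root/.ssh" "$d/var/spool/cron" "$d/etc"
    : > "$d/proc/1/status"
    : > "$d/root/.ssh/authorized_keys"
    : > "$d/var/spool/cron/root"
    : > "$d/etc/shadow"
    printf '%s\n' "$d"
}
```

On the real server replace the file output with "-cvpzf -" and the ssh pipe from step b; the member list is what you would compare against the original with 'tar -tzf rhel.tar.gz | grep' when something is missing after the restore.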

e. Modify the configuration after cloning the OS

cd /mnt/sda
chroot .
modify /etc/sysconfig/network-scripts/ifcfg-eth0 and ifcfg-eth1 if necessary (the HWADDR lines of the physical NICs will not match the virtual ones, and the IP addresses must not clash with the original server while both are up)
modify /etc/sysconfig/network
modify /etc/fstab (the new partitions, by device name or label)
modify /etc/grub.conf (root= and the initrd line, see section f)
cp -a /etc/blkid /etc/blkid.bak
rm -f /etc/blkid/*
cp /etc/mtab /etc/mtab.bak
vi /etc/mtab (correct the / and /boot lines to the new partition names)
vi the device map file under /boot/grub/ so that it reads something like '(hd0)  /dev/sda'
cd /dev

After that, leave the chroot with 'exit' and create the root, sys and proc directories that were excluded from the tarball:
cd /mnt/sda
mkdir proc sys root
(/root is mode 750 on the original; set it the same so that other users cannot list it)

f. Generate a new initrd image and install grub

Modify /etc/modprobe.conf to load the correct SCSI driver. For a VMware guest using sda as hard disk, change the file to the following:

root@jephe # more /etc/modprobe.conf
alias eth0 pcnet32
#alias scsi_hostadapter mptspi
#alias scsi_hostadapter1 mptfc
#alias scsi_hostadapter2 mptsas
alias scsi_hostadapter3 mptbase
alias scsi_hostadapter4 mptscsih
alias scsi_hostadapter5 ata_piix
alias scsi_hostadapter6 usb-storage

Then generate a new initrd image based on the above SCSI drivers (no need for the --preload option to load the SCSI modules; mkinitrd reads modprobe.conf). Inside the chroot /sys is empty, which causes the warnings below:
root@jephe # mkinitrd -f /boot/initvm.img kernelnumber
error opening /sys/block: No such file or directory
error opening /sys/block: No such file or directory
Note: ignore the above errors. kernelnumber is the version string of the kernel in /boot (see 'ls /lib/modules'), and the new image has to be referenced by an initrd line in /etc/grub.conf.

Note: you can use the commands below to check the content of the new initrd:
mkdir /tmp/initrd
cd /tmp/initrd;gzip -dc /boot/initrd- | cpio -id

Lastly, install grub (re-run this whenever the device map or the partition layout changes; /etc/grub.conf itself is read at boot time and does not need a reinstall):
# grub-install hd0

Or, after a reboot, at the grub prompt:

root (hd0,0)
setup (hd0)

g. Reboot
# rm -f /etc/mtab  (already backed up as /etc/mtab.bak in section e; the init scripts recreate it at boot)
# reboot

Note: if you get only a grub> prompt after the reboot and there is a Windows partition on the disk, you can still boot Windows with 'chainloader (hd0,0)+1'; the matching grub.conf entry looks like this:

# more /etc/grub.conf

title windows
   chainloader (hd0,0)+1

How to setup VMware server 2.0.2 under CentOS 5.5 and CentOS 5.6

Jephe Wu -

Update: also tested on CentOS 5.6 64bit on 20th May 2011

Objective: use VMware Server 2.0.2 under CentOS 5.5 for installing virtual servers
Environment: CentOS 5.5 64bit, VMware Server 2.0.2 for Linux 64bit


1. Installation of VMware Server
Register and download VMware Server; the free license key arrives by email after registration.
After installation there is a vmware service; use 'service vmware stop/start' to stop/start it.

2. Configuration of VMware Server
Run the configuration script under /usr/bin/ and answer yes all the way to the end. It sets up vmnet0 (bridged), vmnet8 (NAT) and vmnet1 (host only).

3. Connect to VMware Server through IE
I used IE 6.0 to test; Firefox seemed to have some issues. The web console listens on https://ipaddress:8333 (see Problem 2), so restrict access to that port with the host firewall.

Problem 1: vmware-hostd fails because of the newer glibc since CentOS 5.4
Solution: let vmware-hostd use the older glibc as follows:

According to the linked reference, follow the steps below:
login as root on the vmware host server
# mkdir /usr/lib/vmware/lib/
# wget
# wget (for 32bit CentOS 5.5)
# rpm -Uvh --root=/tmp/ --nodeps glibc-2.5-34.x86_64.rpm
# cd /usr/lib/vmware/lib/
# mv /tmp/lib64/
# vi /usr/sbin/vmware-hostd
and add the following line before the last line:
export LD_LIBRARY_PATH=/usr/lib/vmware/lib/$LD_LIBRARY_PATH
# service vmware restart

Caveat: this pins a root-privileged daemon to an old glibc that yum will never update; make sure /usr/lib/vmware/lib/ and the copied library are writable by root only, since anything that can replace a library on that LD_LIBRARY_PATH runs as vmware-hostd.

Update: in my tests CentOS 5.6 64bit has no problem here; you don't have to do the above for VMware Server 2.0.2 to work with CentOS 5.6 64bit.

Problem 2: a newly created virtual machine fails to power on; the error message on the 'event' tab in the IE browser (https://ipaddress:8333) is:
The virtualization capability of your processor is already in use. Disable any other running hypervisors before running VMware Server.
Failed to initialize monitor device.
Failed to power on: A general system error occurred:

Solution: unload the kvm kernel modules, which are loaded automatically when the kvm packages are installed and which hold the CPU's virtualization extensions

[root@jephe ~]# lsmod | grep kvm
kvm_intel              86920  0
kvm                   226336  2 ksm,kvm_intel
[root@jephe ~]# rmmod ksm
[root@jephe ~]# rmmod kvm_intel
[root@jephe ~]# rmmod kvm
[root@jephe ~]# lsmod | grep kvm
[root@jephe ~]#

To make this stick across reboots:
[root@jephe ~]# echo "rmmod ksm;rmmod kvm_intel;rmmod kvm" >> /etc/rc.local
A cleaner way is to blacklist the modules in a file under /etc/modprobe.d/ (one 'blacklist kvm_intel' style line per module) so that they are never loaded in the first place.

4. FAQ
a. Applications running in a Windows guest experience screen drawing issues

5. References:

Change oracle default passwords for sys, system, dbsnmp and sysman

Jephe Wu -

Objective: change the Oracle default passwords for users such as sys, system, sysman and dbsnmp for auditing purposes
Environment: Oracle 64bit, RHEL 5.4 or Windows server

1. Make sure dbconsole is stopped
login as oracle
emctl stop dbconsole
emctl status dbconsole

2. Change the passwords for the above users from the sqlplus prompt

alter user sys identified by "passwordstring";
alter user system identified by "passwordstring";
Note: changing the sys and system passwords is straightforward; nothing else needs to be done for them. Pick passwords that satisfy the profile's password verify function, and never pass them on the sqlplus command line, where they would show up in the process list and the shell history.

sysman and dbsnmp are a bit more complicated, because Database Control stores their passwords in its own configuration files, which have to be updated afterwards (steps 4 and 6):
alter user sysman identified by "passwordstring";
alter user dbsnmp identified by "passwordstring";

3. Confirm the passwords have been changed by logging in interactively (sqlplus prompts for the password, so it stays off the command line):

sqlplus sys
sqlplus system
sqlplus dbsnmp
sqlplus sysman

If the sysman or dbsnmp account is locked, unlock it:
alter user sysman account unlock;

For the sysman user the approach differs for database versions below and at or above

4. Set the new repository password after changing the sysman password

4.1 Since Oracle, use the 'setpasswd' method (the prompt does not echo the password, so nothing lands in the shell history):
[oracle@jephe]$ emctl setpasswd dbconsole
Oracle Enterprise Manager 11g Database Control Release
Copyright (c) 1996, 2007 Oracle Corporation.  All rights reserved.
Please enter new repository password:
Repository password successfully updated.

4.2 If the database version is lower than
  • Go to $ORACLE_HOME/host_sid/sysman/config
    1. Save the file to
    2. Edit the file
      1. Search for the line beginning with:
        Replace the encrypted value by the new password value
      2. Search for the line:
        Replace TRUE by FALSE
    The file now holds the sysman password in clear text until dbconsole has restarted and re-encrypted it (step 5.1), so keep it readable by the oracle user only.

5. Start dbconsole and log in as sys or system to check that it can connect to the database instance

emctl start dbconsole

5.1 After 'emctl start dbconsole', check that the password has been re-encrypted if the version is lower than
  • Edit the file $ORACLE_HOME/host_sid/sysman/config/
    1. Search for the line beginning with:
      Check that the password is encrypted
    2. Search for the line beginning with:
      Check that the value is TRUE

6. For the dbsnmp password change, the approach is the same for 10g and 11g databases.

On Unix - DB Control Release 11.2.x and higher

$ export ORACLE_SID=<database_sid>
$ export ORACLE_UNQNAME=<value of the DB_UNIQUE_NAME database parameter>
$ emctl stop dbconsole

SQL> alter user dbsnmp identified by <new dbsnmp password> ;
sqlplus dbsnmp  # double check that you can log in

  1. Go to $ORACLE_HOME/host_sid/sysman/emd
    1. Save the file targets.xml to targets.xml.orig
    2. Edit the file targets.xml with your favorite text editor
      1. Search for the line:
        <property name="password" value="<encrypted_string>" encrypted="TRUE">
      2. Replace the encrypted value by the new password value
      3. Replace TRUE by FALSE
    3. Restart the standalone dbconsole
On Unix - DB Control Release 11.2.x and higher

$ export ORACLE_SID=<database_sid>
$ export ORACLE_UNQNAME=<value of the DB_UNIQUE_NAME database parameter>
$ emctl start dbconsole

Check that the password has been encrypted:
Edit the file targets.xml
Search for the line: <property name="password" value="<encrypted_string>" encrypted="TRUE">
Check that the password VALUE is encrypted
Check that the value of ENCRYPTED is TRUE
If a password property is still marked encrypted="FALSE", dbconsole did not pick the file up and the plaintext password is sitting on disk; fix that and restart before leaving it.

Note: for a RAC database the dbsnmp password should be changed in targets.xml not only for the instances (oracle_database) but also for the rac_database target, and targets.xml needs to be updated on all RAC cluster nodes.
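The "check that the password has been encrypted" step as a script, added here and not taken from Oracle's notes or the original article: it reports every password property in a targets.xml that is still flagged FALSE and checks that the file (and the .orig backup you made) is private to the oracle user. The file names in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example, not from Oracle's notes or the original article: after
# dbconsole has restarted, verify that no password property in
# targets.xml is still marked encrypted="FALSE" (the plaintext you typed
# in would still be on disk) and that the file is private. File names
# in the usage comment are assumptions.
set -eu

# Print "line: text" for every password property still flagged FALSE
# (attribute names are matched case-insensitively, as Oracle writes
# them in upper case in some releases).
plaintext_password_lines() {
    grep -in 'name="password".*encrypted="false"' "$1" || true
}

# check_targets_encrypted FILE: 0 when every password is encrypted,
# 1 when plaintext remains (the offending lines go to stderr).
check_targets_encrypted() {
    hits=$(plaintext_password_lines "$1")
    if [ -n "$hits" ]; then
        printf 'plaintext password left in %s:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# file_is_private FILE: 0 when group and other have no permission bits,
# which is what targets.xml and targets.xml.orig should both have.
file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = '------' ]
}

# Real use, as the oracle user:
#   f=$ORACLE_HOME/host_sid/sysman/emd/targets.xml
#   check_targets_encrypted "$f" && file_is_private "$f" && echo "targets.xml ok"
```

On a RAC system loop over every node's targets.xml, since each copy is edited separately.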

a. Use the OEM interface to change a user's password.
If, when you access Enterprise Manager, it warns that the sysman, mgmt_view and dbsnmp passwords are about to expire and asks you to change them, you can change them through the OEM interface. After that a blank screen appears with 'Done' at the bottom of the page; close it, log in to the database server as oracle, stop dbconsole (emctl stop dbconsole) and then run 'emctl setpasswd dbconsole' to change the repository password. The repository password must be the same as the new sysman password.

References:
a. How To Change the Password of the Database User Sysman (DB Control Repository Schema) [ID 259379.1]
b. How to Change DBSNMP Password in Database 10g and 11g Monitored by DB Control [ID 259387.1]

Disable the excessive logging of snmpd for RHEL 5

Jephe Wu -

Problem: on a RHEL 5 server, /var/log/messages fills up with lines such as the following:

snmpd[1901]: Received SNMP packet(s) from UDP: []:50736
snmpd[1901]: Connection from UDP: []:50736

Objective: suppress the above logs.
Environment: RHEL 5.1

Concept: to suppress the above logs you need to remove -a from the snmpd options in /etc/sysconfig/snmpd.options (this stops the 'Received SNMP packet(s)' line) and use the dontLogTCPWrappersConnects option (only available since the net-snmp release that shipped with the RHEL 5.3 update) in /etc/snmp/snmpd.conf (this stops the 'Connection from UDP' line).

Caveat: afterwards the log no longer records which hosts query the agent. Only do this if access to UDP 161 is already restricted to your monitoring hosts by the firewall and by the community/com2sec source settings in snmpd.conf; otherwise you are discarding the only evidence of SNMP probing.

You can run 'man snmpd.conf' and search for dontLogTCPWrappersConnects; it only appears in the newer net-snmp version.

1. First, upgrade the net-snmp rpm to the version included in RHEL 5.3. The RHEL 5.3 release notes (search for 'snmp trap' or 'dontLogTCPWrappersConnects') say:

Net-SNMP has been re-based to upstream version This update adds Stream Control Transmission Protocol (SCTP) support and introduces two new configuration options (to be used in /etc/snmpd.conf)

  • dontLogTCPWrappersConnects - suppresses logging of connection attempts
  • v1trapaddress - enables administrators to set an agent's IP address inside outgoing SNMP traps
To upgrade to the RHEL 5.3 version of net-snmp:
yum update net-snmp   (assuming the server is registered for yum updates; this updates 3 packages: net-snmp, net-snmp-utils, net-snmp-libs)

2. After upgrading net-snmp, make sure /etc/sysconfig/snmpd.options contains the following options (no -a):

OPTIONS="-Lsd -Lf /dev/null -p /var/run/"

-a means "Log the source addresses of incoming requests" according to the snmpd man page; -Lsd sends the remaining log output to syslog with the daemon facility.

3. Edit /etc/snmp/snmpd.conf to include this line (see the snmpd.conf man page for the meaning):
dontLogTCPWrappersConnects 1

4. restart snmpd daemon
service snmpd restart

5. Check again
ps ax | grep snmpd

You should see something like this:
/usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/

6. Check /var/log/messages to confirm the reduced log output


References:
a. Red Hat knowledge base, search for 'DOC-3466' and 'DOC-25144':
How to disable the excessive logging of snmpd in Red Hat Enterprise Linux System?
How do I reduce the verbosity of SNMP logging?

setting bash shell limits for oracle user

Jephe Wu -

Objective: understand the ulimit nofile and nproc settings for the oracle user when it logs in over ssh
Environment: RHEL 5, CentOS 5, Oracle 11g

The shell's ulimit sets, among other things, the maximum number of open file descriptors (handles) per process and the maximum number of processes available to a user; the limits are inherited by every process started from that shell.

To see all limit settings for the current user under bash, log in to CentOS 5 and run 'ulimit -a'.

1. Setting the file handle limit for the entire Linux operating system
The maximum number of file handles is the maximum number of open files across the whole Linux system.
To see the setting, run
cat /proc/sys/fs/file-max

To check the current usage, run
cat /proc/sys/fs/file-nr
1154 133 65536

It shows the number of allocated file handles, the number of allocated but currently unused handles, and the maximum number of handles that can be allocated (the same value as /proc/sys/fs/file-max).

To configure it at run time (either command):
# echo 65536 > /proc/sys/fs/file-max
# sysctl -w fs.file-max=65536

To make it permanent:
echo "fs.file-max=65536" >> /etc/sysctl.conf

2. Set the maximum number of open file descriptors for the oracle user:
Beyond fs.file-max there is still a per-process limit (nofile), applied to each process of the user, and a per-user limit on the number of processes (nproc). Do not set the hard nofile limit for the oracle user equal to /proc/sys/fs/file-max: a single oracle process could then use up every handle in the system, and the kernel would have none left for anything else, including the login process you would need to fix it.

Modify /etc/security/limits.conf as root so that it contains the following (63536 rather than 65536, leaving headroom below file-max):

oracle soft nofile 63536
oracle hard nofile 63536

For this to take effect, pam_limits has to be configured in /etc/pam.d/system-auth as follows (or in /etc/pam.d/sshd for ssh, /etc/pam.d/su for su, /etc/pam.d/login for local access and telnet):

session required
session required

The same works for the number of processes:
oracle soft nproc 16384
oracle hard nproc 16384

A process can raise its own soft limit up to the hard limit ('ulimit -n' in Oracle's startup scripts), but only root can raise the hard limit; setting soft and hard to the same value avoids depending on the startup scripts.

3. How many file descriptors are in use on your Linux system

File descriptors

File handles are allocated dynamically by the kernel for performance reasons. Use
sysctl fs.file-nr 
to check all 3 values.

Open files
lsof | wc -l
If this prints 8124, lsof reported 8124 open-file entries on the system. The same file opened by two applications is counted twice, and entries that are not file descriptors are included, so this number is normally much larger than the allocated-handles value in fs.file-nr and is not comparable with fs.file-max.

lsof lists all open files, including ones that do not use a file descriptor, such as current working directories, memory-mapped library files and executable text files.

How to check the file descriptors and open files of pid 1234:
file descriptors (compare the count with the 'Max open files' line of /proc/1234/limits):
ls -l /proc/1234/fd/

open files:
lsof -p 1234
('lsof | grep 1234' would also match any line that merely contains 1234, such as a port number or an inode)
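The per-process view from /proc, as an added example that is not part of the original article: it counts a process's real descriptors, reads the soft limit that process is actually running with (which is what matters when limits.conf did not take effect), and flags processes close to the limit. It is Linux-specific; the user name in the usage comment is an assumption.

```sh
#!/bin/sh
# Added example, not from the original article: read a process's
# descriptor usage and its own soft nofile limit straight from /proc,
# which needs no lsof and counts only real descriptors. Linux only.
set -eu

# Number of open file descriptors of PID $1.
fd_used() {
    ls /proc/"$1"/fd | wc -l | tr -d ' '
}

# Soft "Max open files" limit of PID $1 (what 'ulimit -Sn' would print
# inside that process), or the word "unlimited".
fd_soft_limit() {
    awk '/^Max open files/ { print $4 }' /proc/"$1"/limits
}

# System-wide view: allocated, free, maximum (fs.file-nr).
file_nr() {
    cat /proc/sys/fs/file-nr
}

# fd_headroom_ok PID [PERCENT]: succeed while PID uses less than PERCENT
# (default 80) of its soft limit. A process at the limit fails its next
# open() with EMFILE, which is how an exhausted nofile shows up.
fd_headroom_ok() {
    pid=$1; pct=${2:-80}
    used=$(fd_used "$pid"); limit=$(fd_soft_limit "$pid")
    [ "$limit" = unlimited ] && return 0
    [ $((used * 100)) -lt $((limit * pct)) ]
}

# Report every process of a user, e.g.  report_user oracle
report_user() {
    for pid in $(pgrep -u "$1"); do
        printf '%s\t%s/%s\n' "$pid" "$(fd_used "$pid")" "$(fd_soft_limit "$pid")"
    done
}
```

Reading /proc/PID/limits is the reliable way to verify section 4 below: it shows the limit the running process got, regardless of what limits.conf says.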

4. FAQ:
a. I tried to set the soft and hard nofile limits for root, but when I ssh in as root the limits do not take effect. Why?
According to the Red Hat knowledge base you can put the ulimit values directly into the /etc/init.d/sshd init script, e.g. 'ulimit -n 4096', so that sshd itself, and therefore every session it forks, starts with the higher limit.

For other similar issues you might need to disable
Why does it happen? Some OpenSSH versions have the following problem:
It is due to the manner in which SSH logins are implemented. When a user logs in via SSH, the SSH daemon forks a separate process to handle that specific connection, and that forked process runs in the context of the user who logged in. Since regular users are not allowed to raise their hard limits, the higher value specified in /etc/security/limits.conf fails to take effect: the calling program, i.e. the forked sshd process, lacks the permission to perform the upward modification. Check with 'ulimit -Hn' and 'ulimit -Sn' in the new ssh session, and make sure /etc/pam.d/sshd actually includes pam_limits and that sshd_config has UsePAM yes.

Enable password age and complexity for production Linux servers for auditing

Jephe Wu -

Objective: enable password ageing and complexity on production Linux servers for auditing
Environment: CentOS 5

1. Modify /etc/login.defs (these defaults only apply to accounts created afterwards; existing users are changed with chage in step 3)

PASS_MIN_DAYS    7 (minimum days between password changes)

2. Make sure the following appears in /etc/default/useradd

Note: this disables the password inactivity setting. INACTIVE sets the number of days of inactivity after a password has expired before the account is locked. Normally we don't set it through useradd or chage.

3. Change the password age of existing users (minimum 7 days between changes, maximum 60 days, warn 28 days before expiry)
chage -m 7 -M 60 -W 28 jephe
chage -m 7 -M 60 -W 28 user1

Note: some other useful commands:
chage -l jephe   (show the current settings)
chage -d 0 jephe
(sets the last-change date to 0, which expires the password immediately so that the user must change it at the next login)
chage -d -1 jephe (clears the last-change date, which disables the ageing check for that user so the password no longer counts as expired)

If you encounter the following issue after password expiry, you might need to change the ssh configuration
UsePrivilegeSeparation from yes to no; OpenSSH 3.8 and above seem to have fixed this issue. Privilege separation is an important hardening feature of sshd, so only turn it off on the old versions that actually need it.

$ ssh jephe@servername
jephe@servername's password:
You are required to change your password immediately (password aged)
Your password has expired, the session cannot proceed.
Connection to localhost closed.

passwd -l jephe (lock user)
passwd -u jephe (unlock user)
usermod -L jephe
usermod -U jephe

Note: how do I force users to change their passwords upon first login?

1.) First lock the account so that the user cannot log in until the change has been made, expire the password, then unlock:
# usermod -L jephe
# chage -d 0 jephe  (expire the password immediately)
# usermod -U jephe   (unlock the user account)

According to the Red Hat knowledge base, you can also push an encrypted password string straight into /etc/shadow.

Run 'python'. With a 2-character salt (any two of upper or lower case letters, digits, dot or slash, such as cd or 34) crypt() produces a traditional DES hash:
  • import crypt; print crypt.crypt("password","salt")
    The output is the encrypted password, similar to 
  • ctrl-d to exit python
  • usermod -p "15CsBd8FAc9DN" jephe

Caveat: a 13-character DES hash uses only the first 8 characters of the password and is quick to brute-force. Since the PAM configuration below uses md5, give crypt() a salt of the form "$1$" followed by up to 8 salt characters and "$" so that it produces an MD5 hash instead, and keep the initial password out of the shell history. Avoid setting an empty password:

usermod -p "" jephe 

With the nullok option on the pam_unix line in /etc/pam.d/system-auth (step 4), an empty password field lets the account in without any password at all; if you really do this, combine it with 'chage -d 0' so that the very first login has to set one.
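A small wrapper for the "push a hash into /etc/shadow" method, added here and not from the Red Hat knowledge base or the original article: it refuses the two weak inputs the method can produce (a 13-character DES hash and an empty string), generates an MD5-crypt hash with openssl from stdin so the password never appears on a command line, and expires the password immediately after setting it. It assumes a CentOS 5 style system and must run as root.

```sh
#!/bin/sh
# Added example, not from the original article or the Red Hat knowledge
# base: set an initial password from a pre-computed hash and expire it at
# once, refusing the weak inputs the article's method can produce (a
# 13-character DES hash or an empty string). Assumes a CentOS 5 style
# system with usermod/chage; run as root.
set -eu

# Accept salted MD5 ($1$), SHA-256 ($5$) or SHA-512 ($6$) crypt strings
# only. Traditional DES (13 chars, no "$") keeps just 8 characters of the
# password and is trivial to brute-force; "" would give a passwordless
# account under pam_unix nullok.
hash_is_acceptable() {
    case $1 in
        '$1$'*'$'?*|'$5$'*'$'?*|'$6$'*'$'?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Produce an MD5-crypt hash with openssl, reading the password from stdin
# so that it never shows up in the process list or the shell history.
#   make_md5_hash SALT < password_file      (SALT: up to 8 of [a-zA-Z0-9./])
make_md5_hash() {
    openssl passwd -1 -salt "$1" -stdin
}

# set_initial_password USER HASH: write the hash to /etc/shadow and force
# a change at the next login (chage -d 0), as the article does by hand.
set_initial_password() {
    hash_is_acceptable "$2" || { echo "refusing weak or empty hash for $1" >&2; return 1; }
    usermod -p "$2" "$1" && chage -d 0 "$1"
}

# Typical use:
#   h=$(printf '%s\n' 'Initial-Passw0rd!' | make_md5_hash ab12cd34)
#   set_initial_password jephe "$h"
```

The format check is deliberately strict about the trailing "$": "$1$salt" without a hash part is what you get when a copy-and-paste truncates the string, and usermod would happily store it.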

4. Enable password complexity

Make sure /etc/security/opasswd exists; otherwise create it:

touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 600 /etc/security/opasswd

Note: opasswd maintains a list of old password hashes for every user so that old passwords cannot be reused. The list is kept in /etc/security/opasswd; it is not plain text, but it must be protected the same as /etc/shadow, because the hashes in it can be cracked offline just as well. This is normally referred to as password history.

vi /etc/pam.d/system-auth to make it look like this:
password    requisite try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3
password    sufficient md5 shadow nullok try_first_pass use_authtok remember=6

Note: minimum 8 characters, at least 1 lowercase, 1 upper case, 1 digit and 1 special character; the new password must differ from the old one in at least 3 characters; the last 6 passwords are remembered and cannot be reused. Consider dropping nullok from the pam_unix line: the complexity rules only apply when a password is being set, so an account with an empty password field can still log in without one.

In my tests you have to use lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1, not lcredit=1 ucredit=1 dcredit=1 ocredit=1: a positive value is a credit (a character of that class may shorten the required length by one), whereas a negative value means at least that many characters of the class are required, which is what enforces the rules above.

5. References

a. Securing and Hardening Red Hat Linux Production Systems -
b. Linux Password Policy -
c. Red Hat knowledge base - doc7382

connect to server or router serial console port under Linux or Windows

Jephe Wu -

See also this more comprehensive article about logging in over a serial console - How to login from Linux serial console -

Objective: connect to the serial console port of a server or router from Linux or Windows
Environment: CentOS 5, Windows


1. minicom under Linux
When you run minicom on CentOS 5 it first looks for /etc/minirc.dfl; if that does not exist it prints the following warning:
minicom: WARNING: configuration file not found, using defaults
Device /dev/modem access failed: No such file or directory.

Then configure the serial port with 'minicom -s' and save the settings as dfl; a typical minicom configuration file looks like this:

$ more /etc/minirc.dfl
# Machine-generated file - use "minicom -s" to change parameters.
pr port        /dev/ttyS0
pu baudrate    9600
pu bits        8
pu parity     N
pu stopbits    1

If you are not using a modem, you can blank out A, B and K in the 'Modem and dialing' menu, so that it becomes:

# Machine-generated file - use "minicom -s" to change parameters.
pr port             /dev/ttyS0
pu baudrate         9600
pu minit          
pu mreset         
pu mhangup       

a. Make sure the serial port settings are correct; you can check /etc/minirc.dfl with vi. A wrong speed or parity shows up as corrupted characters on the screen.
b. If the connection hangs or reports errors, set hardware flow control to No (most console ports do not drive the RTS/CTS lines).
c. A non-root user needs read/write access to /dev/ttyS0; check the owning group with 'ls -l /dev/ttyS0' (uucp on CentOS 5) and add the user to it rather than running minicom as root.

2. HyperTerminal or PuTTY under Windows

The easiest way is PuTTY: choose the Serial connection type, set the COM port and baud rate, then connect.

3. hardware such as Raritan KVM over IP Switch

4. HP ILO VSP(virtual serial port)

5. References

6. FAQ
a. For Sun machines, if both ends have a DB25-to-RJ45 or DB9-to-RJ45 adapter, you might need a standard network cable between the two adapters. Otherwise the ok prompt will not come up.

b. Sometimes, if you expect a menu in the minicom console and see nothing, press Ctrl+L to redraw the screen so that the menu appears.

How to effectively shutdown the servers

Jephe Wu -

Objective: shut down all servers in the office for building power maintenance.
Environment: Linux (CentOS, Red Hat, Fedora), Solaris 8, OpenBSD and FreeBSD

1. If the server is running Tomcat, WebSphere, Oracle or DB2 databases, log in as the application user or database user and shut them down cleanly first; a database killed by the OS shutdown may need recovery at the next start.

2. Become root and halt the system. For Solaris, OpenBSD and FreeBSD:
shutdown -h now
For Linux you might want to power it off directly:
halt -p 
shutdown -p now 

Note: on Solaris you can also use 'init 5' to power off. Some OpenBSD and FreeBSD versions reboot instead of powering off or halting with the commands above; there 'shutdown -p now' is the power-off form. Whatever the OS, wait for the halted or power-down message on the console before cutting power.


If you only want to reboot the server, use one of:
reboot, shutdown -r now