Monday, October 25, 2010

Increase the maximum number of windows in Windows!

I tend to keep a lot of windows open on my main desktop (Windows XP). Right now I have 21 windows -- that's a low number for me actually, because I had to reboot recently after a software install.

As time goes by, I accumulate more and more windows. Eventually, when I try to open a new window, I find that either 1) nothing happens or 2) the window opens, but it's missing vital elements (menu bar, icons, etc.).

It turns out that this is due to Windows running out of space in the "desktop heap" (if I understand correctly; see this MSDN article). The heap sizes live in the registry under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems, in the "Windows" value, as a SharedSection=a,b,c triple of KB figures; the second number is the heap size for each interactive desktop, and it defaults to 3072 KB in XP (the default is larger in Vista and Windows 7). Obviously this is not enough for me, so I edited the registry as described in the MSDN article (here's another article with more explicit instructions) and changed 3072 to 8096. Two cautions: export the key before touching it, since that value is also the Win32 subsystem's startup command line and a typo there can leave the system unable to boot; and you must reboot for the new heap size to take effect, because logging out and back in is not sufficient.

Now I can open more windows without any of the interface issues I was seeing before. At least, I haven't run into any issues again since I made the registry edit.

For the intensely curious, you can see the current size (and usage) of each desktop heap with a debugging tool from Microsoft called "Desktop Heap Monitor" (dheapmon).

After you unzip the download, you have to install it manually from the CMD prompt:
C:\dheapmon8.1\x86>dheapinst.exe -y %SYSTEMROOT%\Symbols
  dheapinst - Desktop Heap Monitor installed successfully

(The installer copies the necessary files to %SYSTEMROOT%\system32\kktools.)

Then, load the monitor's kernel driver with "dheapmon -l" (this needs an administrator account, since it loads a driver).

Now you can see your heap:
C:\WINDOWS\system32\kktools>dheapmon
Desktop Heap Information Monitor Tool (Version 8.1.2925.0)
Copyright (c) Microsoft Corporation.  All rights reserved.
-------------------------------------------------------------
  Session ID:    0 Total Desktop: ( 10848 KB -    8 desktops)

  WinStation\Desktop            Heap Size(KB)    Used Rate(%)
-------------------------------------------------------------
  WinSta0\Default                    8096             29.1
  WinSta0\Disconnect                   64              4.5
  WinSta0\Winlogon                    128             17.8
  Service-0x0-3e7$\Default            512             29.6
  Service-0x0-3e4$\Default            512              6.3
  Service-0x0-3e5$\Default            512             10.8
  SAWinSta\SADesktop                  512              0.5
  Service-0x0-2a22a$\Default          512              2.5
-------------------------------------------------------------

Tuesday, September 21, 2010

using pam_tally2 with dovecot

I recently configured some RHEL4 systems to use pam_tally2 to lock an account temporarily after several unsuccessful logins. This seems to work fine just by adding it to the "auth" section:
auth        required      /lib/security/$ISA/pam_tally2.so deny=5 unlock_time=900
However, I later found that if you're running dovecot (version 0.99.11-9 -- maybe it's been fixed since then), it doesn't reset the tally on a successful login; i.e. it never calls pam_setcred (or pam_acct_mgmt), which is where pam_tally2 clears the counter. pam_tally2 bumps the counter in the "auth" step of every login attempt, successful or not, and relies on one of those two later calls to zero it. So, if the user only logs in via dovecot, and checks mail more often than your unlock_time, the counter never decays and eventually the account gets locked out!

To fix this, you have to call pam_tally2 in the "account" section as well, which resets the tally when the account check runs. You can do this in either the "system-auth" file or the "dovecot" file (put it before any "sufficient" account module, or it may never be reached):
account    required     /lib/security/$ISA/pam_tally2.so
You can inspect a user's counter with "pam_tally2 --user USER" and clear a lockout by hand with "pam_tally2 --user USER --reset".

Monday, June 28, 2010

openssl s_client with POP3 connections

Troubleshooting an email checking issue, I decided to connect to the mail server from the command line and try it manually to see what was going on. I connected with openssl's s_client, and tried to read one of the messages:
openssl s_client -connect mailserver.domain.com:995
...
+OK DBMAIL pop3 server ready to rock
USER username
+OK Password required for username
PASS password
+OK username has 45 messages (103973 octets)
RETR 1
RENEGOTIATING
...
A quick search revealed the cause: when s_client is used interactively, it treats certain first letters of an input line as commands -- a line beginning with "R" triggers a TLS renegotiation and a line beginning with "Q" closes the connection -- so RETR, RSET and even QUIT never reach the server. (For POP3 the QUIT case matters: if the server never sees QUIT it never enters the UPDATE state, and any DELE you issued is not committed.) To turn this off, simply add the -ign_eof switch (-quiet implies it, and OpenSSL 1.1.0 and later also accept -nocommands):
openssl s_client -connect mailserver.domain.com:995 -ign_eof

Monday, March 8, 2010

Apache Tomcat - changing password stored in a MySQL database


One of the websites at work runs an Apache Tomcat server for a data trending application. I have been using a DataSourceRealm for authentication, with a MySQL database set up the way Tomcat requires it; i.e. a "users" table with two columns -- username and password -- where the stored password is the MD5 digest of the user's password (the realm's "digest" attribute is what selects MD5).

The docs for setting up authentication weren't great, but that's another story... In any case, they don't describe any way to change a user's stored password, so until recently I've had to change passwords by "manually" updating the database.

I just spent the better part of two days figuring out how to allow the users to change their own passwords, through a webpage served by Tomcat. This basically consisted of a few pieces I had to string together:
  • Configuring MySQL
  • Accessing MySQL via JSP
  • Generating MD5 hashes in JSP
  • Configuring the Tomcat application

Configuring MySQL
For security reasons, we don't want everyone in the world being able to read the whole user database, nor do we want them writing to entries that don't belong to them. I already had a read-only user set up for Tomcat so that it could do authentication. Granting additional privileges to that user would be a mistake: the authentication path should stay read-only, and only an already authenticated user should be able to write to the database, and then only to their own row.

Therefore, I created a separate MySQL user with SELECT and UPDATE privileges (grant them on the users table only; the page needs nothing else). Tomcat of course must be configured appropriately, with a separate JDBC resource for this user (see the "Accessing MySQL via JSP" section).

Accessing MySQL via JSP
There are a ton of web pages showing you how to embed Java code that accesses MySQL in your JSP. But it is actually much simpler if you use the JSTL tag library -- specifically, the sql tags. Basically, you do two things: 1) configure the JDBC Resource in the "context.xml" file for your Tomcat application (alternatively, create a new XML file in conf/Catalina/localhost/), and 2) use "sql" tags to query or update the database.

This is actually demonstrated nicely on the Tomcat Wiki for using DataSources, specifically in the war file attached to that topic. Of great importance are two files included in the datasourcedemo.war -- jstl.jar and standard.jar. Supposedly you can get these directly from Sun, but I wasn't able to find them on Sun's web site. If you know where to get them, please comment!

Of course, getting a demo of MySQL access working is a far cry from having an application that changes a password. First, the simple stuff -- an HTML form to allow the user to input the old and new password (plus a confirm field for the password). There's no SQL code in this first page.

Note that I'm not asking the user for their username -- I'm using request.getRemoteUser() to get user's login name from the server.

Download password.jsp

And below, the code which the above page calls when submitting the form. This is the code for actually changing the user's password. Note again that I'm using request.getRemoteUser() for the user's login name: the container fills this in from the principal it authenticated, so we do NOT trust the form submission to tell us the username. Even if some malicious person submits their own username in the form data, the server ignores it. Along similar lines, note the use of parameterized SQL queries (sql:param), to prevent SQL injection attacks.

Also note the code at the top for including the JSTL tag library, and for importing the java security and io libraries.

The code for generating the MD5 hash I got from this page. Whatever digest you use, it has to match the realm byte for byte: the same algorithm as the realm's "digest" attribute, lowercase hex encoding, and the same character encoding of the password. Note also that unsalted MD5 is quick to brute-force; the realm accepts any java.security.MessageDigest algorithm name, so switching both the realm and this page to "SHA-256" is straightforward, although every existing user then has to set a new password.

The code first runs an SQL query for the row matching the user and the hashed old password. If the query returns a row, the c:forEach structure (from the JSTL core) executes the sql:update code to change the password.

I use a counter variable to decide whether to display a success or error message. The counter only increments if it enters the forEach loop, which it only does if the SQL query returned a row (i.e. the user entered the right old password). A tighter variant is to skip the SELECT and put the old hash in the UPDATE's WHERE clause as well: sql:update then reports how many rows changed, zero meaning the old password was wrong, and there is no window between the check and the write.

Download change_password.jsp
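What the description above boils down to, written out as an added example (this is not the author's downloadable change_password.jsp, just an illustration of the same design): the username comes from request.getRemoteUser(), every value reaches the database through sql:param, and the old password's hash is part of the UPDATE's WHERE clause, so a wrong old password simply updates zero rows. The JNDI name "jdbc/changepass", the form field names oldpass/newpass/confirm and the 8-character minimum are assumptions; the users table, its username/password columns and the MD5 digest are as described on this page. It relies on the web.xml security-constraint from the next section, so that getRemoteUser() is never null for a legitimate request.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ page import="java.security.MessageDigest" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/sql" prefix="sql" %>
<%!
    // Must be the same algorithm the realm's "digest" attribute names
    // (MD5 on this page); change both sides together, e.g. to "SHA-256".
    private static final String DIGEST = "MD5";

    // Lowercase hex digest, the format Tomcat's digest realms store.
    // For ASCII passwords the charset is irrelevant; otherwise it has to
    // match whatever the realm uses when it hashes the submitted password.
    private static String digestHex(String s) {
        try {
            MessageDigest md = MessageDigest.getInstance(DIGEST);
            StringBuilder hex = new StringBuilder();
            for (byte b : md.digest(s.getBytes("UTF-8"))) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (Exception e) {   // unknown algorithm or charset: a config error
            throw new IllegalStateException(e);
        }
    }
%>
<%
    // The container filled this in during authentication; the form is never
    // consulted for the username, so a forged "username" field is ignored.
    String user = request.getRemoteUser();
    if (user == null || !"POST".equals(request.getMethod())) {
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return;
    }
    // Field names are assumed; use whatever password.jsp's form posts.
    String oldPw   = request.getParameter("oldpass");
    String newPw   = request.getParameter("newpass");
    String confirm = request.getParameter("confirm");

    String problem = null;
    if (oldPw == null || newPw == null || confirm == null) {
        problem = "All three fields are required.";
    } else if (!newPw.equals(confirm)) {
        problem = "The new passwords do not match.";
    } else if (newPw.length() < 8) {          // length policy is an assumption
        problem = "The new password must be at least 8 characters.";
    }
    if (problem != null) {
        pageContext.setAttribute("problem", problem);
    } else {
        pageContext.setAttribute("user", user);
        pageContext.setAttribute("oldHash", digestHex(oldPw));
        pageContext.setAttribute("newHash", digestHex(newPw));
    }
%>
<c:if test="${empty problem}">
  <%-- Check and change in one statement: a wrong old password updates zero
       rows, and nothing can slip in between a separate SELECT and the write.
       Every value is bound with sql:param, never pasted into the SQL text.
       "jdbc/changepass" is the assumed name of the SELECT+UPDATE resource
       from META-INF/context.xml, distinct from the realm's read-only one. --%>
  <sql:update var="changed" dataSource="jdbc/changepass">
    UPDATE users SET password = ? WHERE username = ? AND password = ?
    <sql:param value="${newHash}"/>
    <sql:param value="${user}"/>
    <sql:param value="${oldHash}"/>
  </sql:update>
</c:if>
<html><body>
<c:choose>
  <c:when test="${not empty problem}">
    <p><c:out value="${problem}"/></p>
  </c:when>
  <c:when test="${changed == 1}">
    <p>Password changed for <c:out value="${user}"/>.</p>
  </c:when>
  <c:otherwise>
    <p>The old password was incorrect; nothing was changed.</p>
  </c:otherwise>
</c:choose>
</body></html>
```

Nothing on this page can read another user's row, since its only statement is an UPDATE keyed on the authenticated username, and if the realm ever moves to a different digest only DIGEST changes here. It does still accept any POST that carries the user's session, so a CSRF token in the form is the obvious next hardening step.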

Configuring the Tomcat application
I basically took the datasourcedemo.war, added my two JSP pages, and deployed the application on my Tomcat server at /changepass. I had to add a security-constraint (plus the matching login-config) to the WEB-INF/web.xml file, so that the changepass application was protected by the authentication already defined on my site. Of course, I also had to edit META-INF/context.xml so that the MySQL resource was defined correctly for my system.

I think the most interesting/frustrating thing here was that I originally had the url-pattern in the security-constraint section wrong. Instead of just "/*", I had the name of the application: "/changepass/*". This turned out to be a Bad Thing! A url-pattern is relative to the application's own context path, so "/changepass/*" would only have matched /changepass/changepass/..., and nothing at all was protected. That most likely also explains why the SQL code "somehow" stopped working: with no authentication, request.getRemoteUser() returns null, the SELECT matched no row, and the update never ran.

Download web.xml

All in all, two full days of work for me. Most of that was figuring out JSP syntax (which I had never done), and braving the horrible tangled mess that is Tomcat.

Wednesday, March 3, 2010

UNIX sort by multiple columns

Sometimes the "obvious" stuff isn't so obvious (at least to me...)

I had a text file with multiple columns of numbers. I wanted to sort it by the first column, then the second, then the third. It wasn't immediately obvious to me how to do it. The man page for 'sort' of course does not mention that you can specify the '-k' option multiple times, and I didn't have the GNU 'info' utility installed:
sort -k1n -k2n -k3n file
One subtlety: a key such as -k2n runs from the start of field 2 to the end of the line, not just field 2. With -n that does no harm, because the numeric conversion stops at the first character that isn't part of the number, but for text keys you need to close each one off (-k1,1 -k2,2 -k3,3) or later fields bleed into earlier comparisons. Recent GNU sort has a --debug option that underlines exactly which part of each line a key covers.

Monday, January 11, 2010

Windows File and Settings Transfer (FAST) Wizard

So, despite being a system administrator for Windows systems for many years, I had never used the Windows File and Settings Transfer (FAST) Wizard to transfer files from one computer to another. I've always done it manually. Manual transfer takes more time and thought, but I believed it to be less error-prone.

My first experience with it has both good and bad points.

The Good
  • I didn't have to babysit the thing
  • You can use a folder on an external hard drive instead of a painfully slow serial cable
  • The wizard compresses the data

The Bad
  • The total amount of time was probably the same. Perhaps because the user had 70 GB of data
  • All that compression takes time. I'd prefer a performance-increasing option to copy the data without compression. I had plenty of space on the HD.
  • There's no option to turn off copying of applications. I didn't want to clutter up the new system with applications the user didn't actually need anymore. The user was in the Administrators group on the old system, but not on the new one. So, the wizard failed on copying a bunch of items to Program Files.
The Ugly
  • Instead of just restoring the data from the folder I specified, it copied everything from the external hard drive onto the target system! I know I selected the folder containing the old system's image. So it ended up copying about 300 GB of data that had nothing to do with the user's original system (software installers, backups from other systems, etc.)
I'll probably use it again next time. Or perhaps I'll try the much more complicated User State Migration Tool (USMT).

Friday, January 8, 2010

Word and Excel 2007 slow to open documents

One of my users had this apparently common problem -- opening either Word or Excel documents in Office 2007 was taking a long time (about 1 minute). Opening the document from within the application was fine.

This was the solution:
http://excel2007-slow-open-file.blogspot.com/

Basically, installing the "Analysis ToolPak" add-in "fixed" the Excel problem, but Word was still slow. So I installed "Lookup Wizard" (in Excel) and the Word problem was also fixed. Awesome, yes? I LOVE MICROSOFT!!!11!

Tuesday, January 5, 2010

Replace Cygwin command prompt with Puttycyg

I install Cygwin on every Windows machine that I have to use regularly. By default, Cygwin uses the Windows Command Prompt for its terminal. Gross!

I much prefer putty -- to the point that I would open putty and SSH to localhost, just so that I can use a real terminal!

With puttycyg, there's no need to SSH in. Download puttycyg and extract the ZIP. Then copy the two executables (putty.exe and cthelper.exe) into C:\cygwin (or wherever you have it installed).

Then, modify your cygwin.bat shortcut to run this target instead:
C:\cygwin\putty.exe -cygterm -

(yes that is a dash at the end!)