Chapter 6. Network applications

Table of Contents

6.1. Web browsers
6.1.1. Browser configuration
6.2. The mail system
6.2.1. Modern mail service basics
6.2.2. The mail configuration strategy for workstation
6.3. Mail transport agent (MTA)
6.3.1. The configuration of exim4
6.3.2. The configuration of postfix with SASL
6.3.3. The mail address configuration
6.3.4. Basic MTA operations
6.4. Mail user agent (MUA)
6.4.1. Basic MUA — Mutt
6.5. The remote mail retrieval and forward utility
6.5.1. getmail configuration
6.5.2. fetchmail configuration
6.6. Mail delivery agent (MDA) with filter
6.6.1. maildrop configuration
6.6.2. procmail configuration
6.6.3. Redeliver mbox contents
6.7. POP3/IMAP4 server
6.8. The print server and utility
6.9. The remote access server and utility (SSH)
6.9.1. Basics of SSH
6.9.2. Port forwarding for SMTP/POP3 tunneling
6.9.3. Connecting without remote passwords
6.9.4. Dealing with alien SSH clients
6.9.5. Setting up ssh-agent
6.9.6. Troubleshooting SSH
6.10. Other network application servers
6.11. Other network application clients
6.12. The diagnosis of the system daemons

After establishing network connectivity (see Chapter 5, Network setup), you can run various network applications.

6.1. Web browsers

There are many web browser packages to access remote contents with Hypertext Transfer Protocol (HTTP).

Table 6.1. List of web browsers.

package popcon size description
iceweasel V:33, I:54 3736 Web browser (X) (unbranded Mozilla Firefox, )
iceape-browser V:2, I:3 35288 Web browser (X) (unbranded Mozilla browser, removed due to security concerns bug#505565)
epiphany-browser V:7, I:40 32 Web browser (X) (GNOME HIG compliant browser, Epiphany)
galeon V:1.2, I:1.9 1748 Web browser (X) (GNOME browser, Galeon was superseded by Epiphany)
konqueror V:10, I:19 3652 Web browser (X) (KDE browser, Konqueror)
w3m V:21, I:84 1964 Web browser (text) (w3m)
lynx V:2, I:25 48 , ,
elinks V:2, I:6 1444 , ,
links V:3, I:9 1372 , ,
links2 V:0.9, I:4 3280 , ,

6.1.1. Browser configuration

You may be able to use following special URL strings for some browsers to confirm their settings.

  • "about:"
  • "about:config"
  • "about:plugins"

Debian offers many free browser plugin packages in the main component which can handle not only Java (software platform) and Flash but also MPEG, MPEG2, MPEG4, DivX, Windows Media Video (.wmv), QuickTime (.mov), MP3 (.mp3), Ogg/Vorbis files, DVDs, VCDs, etc. Debian also offers helper programs to install non-free browser plugin packages as contrib or non-free components.

Table 6.2. List of browser plugin packages.

package popcon size component description
icedtea-gcjwebplugin V:0.6, I:0.8 204 main Java plugin using Hotspot JIT
sun-java6-plugin I:9 52 non-free Java plugin for Sun's Java SE 6 (i386 only)
swfdec-mozilla V:11, I:24 244 main Flash plugin based on libswfdec
mozilla-plugin-gnash V:0.5, I:1.8 108 main Flash plugin based on Gnash
flashplugin-nonfree V:1.3, I:10 128 contrib Flash plugin helper to install Adobe Flash Player (i386, amd64 only)
mozilla-bonobo V:0.18, I:0.4 168 main Mozilla plugin support for GNOME Bonobo components
mozilla-plugin-vlc V:3, I:5 140 main Multimedia plugin based on VLC media player
totem-mozilla V:22, I:39 268 main Multimedia plugin based on GNOME's Totem media player
gecko-mediaplayer V:0.2, I:0.3 680 main Multimedia plugin based on (GNOME) MPlayer
nspluginwrapper V:1.6, I:2 472 contrib A wrapper to run i386 Netscape plugins on amd64 architecture

[Tip] Tip

Although use of above Debian packages are much easier, browser plugins can be still manually enabled by installing "*.so" into plugin directories (e.g., "/usr/lib/iceweasel/plugins/") and restarting browsers.

Some web sites refuse to be connected based on the user-agent string of your browser. You can work around this situation by spoofing the user-agent string. For example, you can do this by adding following line into user configuration files such as "~/.gnome2/epiphany/mozilla/epiphany/user.js" or "~/.mozilla/firefox/*.default/user.js":

user_pref{"general.useragent.override","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"};

Alternatively, you can add and reset this variable by typing "about:config" into URL and right clicking its display contents.

[Caution] Caution

Spoofed user-agent string may cause bad side effects with Java.

6.2. The mail system

[Caution] Caution

If you are to set up the mail server to exchange mail directly with the Internet, you should be better than reading this elementary document.

6.2.1. Modern mail service basics

In order to contain spam (unwanted and unsolicited e-mail) problems, many ISPs which provide consumer grade Internet connection are implementing counter measures:

  • The smarthost service for their customers to send message uses the message submission port (587) specified in rfc4409 with the password (SMTP AUTH service) specified in rfc4954.
  • The SMTP port (25) connection from their internal network hosts (except ISP's own outgoing mail server) to the Internet are blocked.
  • The SMTP port (25) connection to the ISP's incoming mail server from some suspicious external network hosts are blocked. (The connection from hosts on the dynamic IP address range used by the dial-up and other consumer grade Internet connections are the first ones to be blocked.)

When configuring your mail system or resolving mail delivery problems, you must consider these new limitations.

In light of these hostile Internet situation and limitations, some independent Internet mail ISPs such as and offer the secure mail service which can be connected from anywhere on the Internet using Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) :

  • The smarthost service for their customers to send message uses the SMTP/SSL port (465) or the message submission port (587) with the password (SMTP AUTH service).
  • The incoming mail is accessible at the TLS/POP3 port (995) with POP3.
[Caution] Caution

It is not realistic to run SMTP server on consumer grade network to send mail directly to the remote host reliably. They are very likely to be rejected. You must use some smarthost services offered by your connection ISP or independent mail ISPs. For the simplicity, I will assume that the smarthost is located at "smtp.hostname.dom", requires SMTP AUTH, and uses the message submission port (587) in the following text.

6.2.2. The mail configuration strategy for workstation

The most simple mail configuration is that the mail is sent to the ISP's smarthost and received from ISP's POP3 server by the MUA (see Section 6.4, “Mail user agent (MUA)”) itself. This type of configuration is popular with full featured GUI based MUA such as icedove(1), evolution(1), etc.. If you need to filter mail by their types, you use MUA's filtering function. For this case, the local MTA (see Section 6.3, “Mail transport agent (MTA)”) need to do local delivery only.

The alternative mail configuration is that the mail is sent via local MTA to the ISP's smarthost and received from ISP's POP3 by the mail retriever (see Section 6.5, “The remote mail retrieval and forward utility”) to the local mailbox. If you need to filter mail by their types, you use MDA with filter (see Section 6.6, “Mail delivery agent (MDA) with filter”) to filter mail into separate mailboxes. This type of configuration is popular with simple console based MUA such as mutt(1), gnus(1), etc., although this is possible with any MUAs (see Section 6.4, “Mail user agent (MUA)”). For this case, the local MTA (see Section 6.3, “Mail transport agent (MTA)”) need to do both smarthost delivery and local delivery.

6.3. Mail transport agent (MTA)

For normal workstation, the popular choice for Mail transport agent (MTA) is either exim4-* or postfix packages. It is really up to you.

Table 6.3. List of basic mail transport agent related packages for workstation.

package popcon size description
exim4-daemon-light V:60, I:66 928 Exim4 mail transport agent (MTA: Debian default)
exim4-base V:62, I:68 1660 Exim4 documentation (text) and common files
exim4-doc-html I:0.8 5756 Exim4 documentation (html)
exim4-doc-info I:0.4 596 Exim4 documentation (info)
postfix V:16, I:19 3436 Postfix mail transport agent (MTA: alternative)
postfix-doc I:2 3332 Postfix documentation (html+text)
sasl2-bin V:2, I:6 448 Cyrus SASL API implementation (supplement postfix for SMTP AUTH)
cyrus-sasl2-doc I:3 284 Cyrus SASL - documentation

Although the popcon vote count of exim4-* looks several times popular than that of postfix, this does not mean postfix is not popular with Debian developers. The Debian server system uses both exim4 and postfix. The mail header analysis of mailing list postings from prominent Debian developers also indicate both of these MTAs are as popular.

The exim4-* packages are known to have very small memory consumption and very flexible for its configuration. The postfix package is known to be compact, fast, simple, and secure. Both come with ample documentation and are as good in quality and license.

There are many choices for mail trasport agent (MTA) packages with different capability and focus in Debian archive.

Table 6.4. List of choices for mail transport agent (MTA) packages in Debian archive.

package popcon size capability and focus
exim4-daemon-light V:60, I:66 928 full
postfix V:16, I:19 3436 full (security)
exim4-daemon-heavy V:1.8, I:2 1040 full (flexible)
sendmail-bin V:2, I:2 2080 full (only if you are already familiar)
nullmailer V:0.6, I:0.8 452 strip down, no local mail
ssmtp V:0.9, I:1.4 0 strip down, no local mail
nbsmtp V:0.19, I:0.2 120 ?
courier-mta V:0.2, I:0.2 4000 very full (web interface etc.)
xmail V:0.18, I:0.2 824 light
masqmail V:0.04, I:0.06 556 light
esmtp V:0.11, I:0.2 156 light
esmtp-run V:0.08, I:0.13 8 light (sendmail compatibility extension to esmtp)
msmtp V:0.2, I:0.6 324 light
msmtp-mta V:0.08, I:0.11 32 light (sendmail compatibility extension to msmtp)

6.3.1. The configuration of exim4

For the Internet mail via smarthost, you (re)configure exim4-* packages as follows:

$ sudo /etc/init.d/exim4 stop
$ sudo dpkg-reconfigure exim4-conf
  • Chose "mail sent by smarthost; received via SMTP or fetchmail".
  • Set "IP address or host name of the outgoing smarthost:" to "smtp.hostname.dom:587".
  • Reply to "Keep number of DNS-queries minimal (Dial-on-Demand)?" as:

    • "No" if the system is connected to the Internet while booting, or
    • "Yes" if the system is not connected to the Internet while booting.
$ sudo vim /etc/exim4/passwd.client
  • Create password entries for the smarthost.
$ cat /etc/exim4/passwd.client
$ sudo /etc/init.d/exim4 start

The host name in "/etc/exim4/passwd.client" should not be the alias. You check the real host name with:

$ host smtp.hostname.dom
smtp.hostname.dom is an alias for smtp99.hostname.dom.
smtp99.hostname.dom has address

I use regex in "/etc/exim4/passwd.client" to work around the alias issue so even if the ISP moves host pointed by the alias, SMTP AUTH will likely be working.

[Caution] Caution

You must execute update-exim4.conf(8) after manually updating exim4 configuration files in "/etc/exim4/".

[Caution] Caution

Starting exim4 will take long time if "No" (default value) was chosen for the debconf query of "Keep number of DNS-queries minimal (Dial-on-Demand)?" and the system is not connected to the Internet while booting.

[Note] Note

Please read the official guide at: "/usr/share/doc/exim4-base/README.Debian.gz" and update-exim4.conf(8).

[Tip] Tip

Local customization file "/etc/exim4/exim4.conf.localmacros" may be created to set MACROs. For example, Yahoo's mail service is said to require "MAIN_TLS_ENABLE = true" and "AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = yes" in it.

6.3.2. The configuration of postfix with SASL

For the Internet mail via smarthost, you should first read postfix documentation and key manual pages:

Table 6.5. List of important postfix manual pages

command function
postfix(1) Postfix control program
postconf(1) Postfix configuration utility
postconf(5) Postfix configuration parameters
postmap(1) Postfix lookup table maintenance
postalias(1) Postfix alias database maintenance

You (re)configure postfix and sasl2-bin packages as follows:

$ sudo /etc/init.d/postfix stop
$ sudo dpkg-reconfigure postfix
  • Chose "Internet with smarthost"
  • Set "SMTP relay host (blank for none):" to "[smtp.hostname.dom]:587"
$ sudo postconf -e 'smtp_sender_dependent_authentication = yes'
$ sudo postconf -e 'smtp_sasl_auth_enable = yes'
$ sudo postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'
$ sudo postconf -e 'smtp_sasl_type = cyrus'
$ sudo vim /etc/postfix/sasl_passwd
  • Create password entries for the smarthost.
$ cat /etc/postfix/sasl_passwd
[smtp.hostname.dom]:587     username:password
$ sudo postmap hush:/etc/postfix/sasl_passwd
$ sudo /etc/init.d/postfix start

Here the use of "[" and "]" in the dpkg-reconfigure dialogue and "/etc/postfix/sasl_passwd" ensures not to check MX record but directly use exact hostname specified. See "Enabling SASL authentication in the Postfix SMTP client" in "usr/share/doc/postfix/html/SASL_README.html".

6.3.3. The mail address configuration

There are a few mail address configuration files for mail transport, delivery and user agents.

Table 6.6. List of mail address related configuration files.

file function application
/etc/mailname default host name for (outgoing) mail Debian specific, mailname(5)
/etc/email-addresses host name spoofing for outgoing mail exim(8) specific, exim4-config_files(5)
/etc/postfix/generic host name spoofing for outgoing mail postfix(1) specific, activated after postmap(1) command execution.
/etc/aliases account name alias for incoming mail general, activated after newaliases(1) command execution.

The mailname in the "/etc/mailname" file is usually a fully qualified domain name (FQDN) that resolves to one of the host's IP addresses. For the mobile workstation which does not have a hostname with resolvable IP address, set this mailname to the value of "hostname -f". (This is safe choice and works for both exim4-* and postfix.)

[Tip] Tip

The contents of "/etc/mailname" is used by many non-MTA programs for their default behavior. For mutt, set "hostname" and "from" variables in ~/muttrc file to override the mailname value. For programs in the devscripts package, such as bts(1) and dch(1), export environment variables "$DEBFULLNAME" and "$DEBEMAIL" to override it.

When setting the mailname to "hostname -f", the spoofing of the source mail address via MTA can be realized by:

  • "/etc/email-addresses" file for exim4(8) as explained in the exim4-config_files(5), and
  • "/etc/postfix/generic" file for postfix(1) as explained in the generic(5).

For postfix, the following extra steps are needed:

# postmap hash:/etc/postfix/generic
# postconf -e 'smtp_generic_maps = hash:/etc/postfix/generic'
# postfix reload

You check filters using:

  • exim(8) with -brw, -bf, -bF, -bV, … options.
  • postmap(1) with -q option.
[Tip] Tip

Exim comes with several utility programs such as exiqgrep(8) and exipick(8). See "dpkg -L exim4-base|grep man8/" for available commands.

6.3.4. Basic MTA operations

There are several basic MTA operations. Some may be performed via sendmail(1) compatibility interface.

Table 6.7. List of basic MTA operation.

exim command postfix command description
sendmail sendmail Read mails from standard input and arrange for delivery. (-bm)
mailq mailq List the mail queue with status and queue ID. (-bp)
newaliases newaliases Initialize alias database. (-I)
exim4 -q postqueue -f Flush waiting mails. (-q)
exim4 -qf postsuper -r ALL deferred; postqueue -f Flush all mails.
exim4 -qff postsuper -r ALL; postqueue -f Flush even frozen mails.
exim4 -Mg queue_id postsuper -h queue_id Freeze one message by its queue ID.
exim4 -Mrm queue_id postsuper -d queue_id Remove one message by its queue ID.
--- postsuper -d ALL Remove all messages.

[Tip] Tip

It may be a good idea to flush all mails by a script in "/etc/ppp/ip-up.d/*".

6.4. Mail user agent (MUA)

If you subscribe to Debian related mailing list, it may be a good idea to use such MUA as mutt and gnus which are the de facto standard for the participant and known to behave as expected.

Table 6.8. List of mail user agent (MUA).

package popcon size type
iceweasel V:33, I:54 3736 X GUI program (unbranded Mozilla Firefox)
evolution V:22, I:40 10260 X GUI program (part of a groupware suite)
icedove V:10, I:14 38040 X GUI program (unbranded Mozilla Thunderbird)
mutt V:21, I:83 5996 character terminal program probably used with vim
gnus V:0.09, I:0.5 6272 character terminal program under (x)emacs

6.4.1. Basic MUA — Mutt

Use mutt as the mail user agent (MUA) in combination with vim. Customize it with "~/.muttrc". For example:

# use visual mode and "gq" to reformat quotes
set editor="vim -c 'set tw=72 et ft=mail'"
# header weeding taken from the manual (Sven's Draconian header weeding)
ignore *
unignore from: date subject to cc
unignore user-agent x-mailer
hdr_order from subject to cc date user-agent x-mailer
set from="First Last <>"

Add the following to "/etc/mailcap" or "~/.mailcap" to display HTML mail and MS Word attachments inline:

text/html; lynx -force_html %s; needsterminal;
application/msword; /usr/bin/antiword '%s'; copiousoutput; description="Microsoft Word Text"; nametemplate=%s.doc

6.5. The remote mail retrieval and forward utility

Although fetchmail(1) has been de facto standard for the remote mail retrieval on GNU/Linux, the authour likes getmail(1) now. If you want to reject mail before downloading to save bandwidth, mailfilter or mpop may be useful. Whichever mail retriever utilities are used, it is good idea to configure system to deliver retrieved mails to MDA, such as maildrop, via pipe.

Table 6.9. List of remote mail retrieval and forward utilities.

package popcon size description
fetchmail V:2, I:6 1812 mail retriever (POP3, APOP, IMAP) (old)
getmail4 V:0.3, I:0.7 632 mail retriever (POP3, IMAP4, and SDPS) (simple, secure, and reliable)
mailfilter V:0.01, I:0.07 332 mail retriever (POP3) with with regex filtering capability
mpop V:0.01, I:0.06 364 mail retriever (POP3) and MDA with filtering capability

6.5.1. getmail configuration

getmail(1) configuration is described in getmail documentation. Here is my set up to access multiple POP3 accounts as user:

  • Create "/usr/local/bin/getmails" as:
set -e
for file in $HOME/.getmail/config/* ; do
  rcfiles="$rcfiles --rcfile $file"
exec $rcfiles $@
  • Execute as follows:
$ sudo chmod 755 /usr/local/bin/getmails
$ mkdir -m 0700 $HOME/.getmail
$ mkdir -m 0700 $HOME/.getmail/config
$ mkdir -m 0700 $HOME/.getmail/log
  • Create configuration files "$HOME/.getmail/config/pop3_name" for each POP3 acconts as:
type = SimplePOP3SSLRetriever
server =
username =
password = secret

type = MDA_external
path = /usr/bin/maildrop
unixfrom = True

verbose = 0
delete = True
delivered_to = False
message_log = ~/.getmail/log/pop3_name.log
  • Execute as follows:
$ chmod 0600 $HOME/.getmail/config/*
  • schedule "/usr/local/bin/getmails" to run every 15 minutes with cron(8) by executing "sudo crontab -e -u <user_name>" and adding following to user's cron entry:
5,20,35,50 * * * * /usr/local/bin/getmails --quiet
[Tip] Tip

Problems of POP3 access may not come from getmail. Some popular free POP3 services may be violating the POP3 protocol and their SPAM filter may not be perfect. For example, they may delete messages just after receiving RETR command before receiving DELE command and may quarantined messages into Spam mailbox. You should minimize damages by configuring them to archive accessed messages and not to delete them. See also "Some mail was not downloaded".

6.5.2. fetchmail configuration

fetchmail(1) configuration is set by "/etc/default/fetchmail", "/etc/fetchmailrc" and "$HOME/.fetchmailrc". See its example in "/usr/share/doc/fetchmail/examples/fetchmailrc.example".

6.6. Mail delivery agent (MDA) with filter

Most MTA programs, such as postfix and exim4, function as MDA (mail delivery agent). There are specialized MDA with filtering capabilities.

Although procmail(1) has been de facto standard for MDA with filter on GNU/Linux, author likes maildrop(1) now. Whichever filtering utilities are used, it is good idea to configure system to deliver filtered mails to a qmail-style Maildir.

Table 6.10. List of MDA with filter.

package popcon size description
procmail V:18, I:86 360 MDA with filter (old)
mailagent V:0.5, I:6 1688 MDA with Perl filter
maildrop V:0.4, I:0.8 1040 MDA with structured filtering language

6.6.1. maildrop configuration

maildrop(1) configuration is described in maildropfilter documentation. Here is a configuration example for "$HOME/.mailfilter":

logfile $HOME/.maildroplog
# clearly bad looking mails: drop them into X-trash and exit
if (    /^X-Advertisement/ ||\
        /^Subject:.*BUSINESS PROPOSAL/ ||\
        /^Subject:.*URGENT.*ASISSTANCE/ ||\
        /^Subject: *I NEED YOUR ASSISTANCE/ )
    to "$HOME/Maildir/X-trash/"

# Delivering mailinglist messages
if (    /^Precedence:.*list/ ||\
        /^Precedence:.*bulk/ ||\
        /^List-/ ||\
        /^X-Distribution:.*bulk/ )
    if (    /^Resent-Sender.*
        to "$HOME/Maildir/debian-user/"
    if (    /^Resent-Sender.*
        to "$HOME/Maildir/debian-devel/"
    if (    /^Resent-Sender.*
        to "$HOME/Maildir/debian-announce/"
    to "$HOME/Maildir/mailing-list/"
to "$HOME/Maildir/Inbox/"
[Warning] Warning

Unlike procmail, maildrop does not create missing maildir directories automatically. You must create them manually using maildirmake(1) in advance.

6.6.2. procmail configuration

Equivalent configurartion can be done with procmail(1) with "$HOME/.procmailrc" as:

# clearly bad looking mails: drop them into X-trash and exit
* 1^0 ^X-Advertisement
* 1^0 ^Subject:.*BUSINESS PROPOSAL
* 1^0 ^Subject:.*URGENT.*ASISSTANCE

# Delivering mailinglist messages
* 1^0 ^Precedence:.*list
* 1^0 ^Precedence:.*bulk
* 1^0 ^List-
* 1^0 ^X-Distribution:.*bulk
* 1^0 ^Return-path:.*

* ^Resent-Sender.*

* ^Resent-Sender.*

* ^Resent-Sender.*



6.6.3. Redeliver mbox contents

You need to manually deliver mails to the sorted mailboxes in your home directory from "/var/mail/<username>" if your home directory became full and procmail(1) failed. After making disk space in the home directory, run:

# /etc/init.d/${MAILDAEMON} stop
# formail -s procmail </var/mail/<username>
# /etc/init.d/${MAILDAEMON} start

6.7. POP3/IMAP4 server

If you are to run a private server on LAN, you may consider to run POP3 / IMAP4 server for delivering mail to LAN clients.

Table 6.11. List of POP3/IMAP4 servers.

package popcon size type description
qpopper V:1.2, I:5 644 POP3 Qualcomm enhanced BSD POP3 server
courier-pop V:1.5, I:2 232 POP3 Courier mail server - POP3 server (maildir format only)
ipopd V:0.12, I:0.2 204 POP3 The University of Washington POP2 and POP3 server
cyrus-pop3d-2.2 V:0.17, I:0.3 856 POP3 Cyrus mail system (POP3 support)
xmail V:0.18, I:0.2 824 POP3 ESMTP/POP3 mail server
courier-imap V:3, I:4 1604 IMAP Courier mail server - IMAP server (maildir format only)
uw-imapd V:0.9, I:5 272 IMAP The University of Washington IMAP server
cyrus-imapd-2.2 V:0.5, I:0.7 2636 IMAP Cyrus mail system (IMAP support)

6.8. The print server and utility

In the old Unix-like system, the BSD Line printer daemon was the standard. Since the standard print out format of the free software is PostScript on the Unix like system, some filter system was used along with Ghostscript to enable printing to the non-PostScript printer.

Recently, Common UNIX Printing System (CUPS) is the new de facto standard. The CUPS uses Internet Printing Protocol (IPP). The IPP is now supported by other OSs such as Windows XP and Mac OS X and has became new cross-platform de facto standard for remote printing with bi-directional communication capability.

The standard printable data format for the application on the Debian system is the PostScript (PS) which is a page description language. The data in PS format is fed into the Ghostscript PostScript interpreter to produce the printable data specific to the printer. See Section 11.3.1, “Ghostscript”.

Thanks to the file format dependent auto-conversion feature of the CUPS system, simply feeding any data to the lpr command should generate the expected print output. (In CUPS, lpr can be enabled by installing the cups-bsd package.)

The Debian system has some notable packages for the print servers and utilities:

Table 6.12. List of print servers and utilities.

package popcon size port description
lpr V:3, I:3 440 printer (515) BSD lpr/lpd (Line printer daemon)
lprng V:0.9, I:1.2 3020 , , , , (Enhanced)
cups V:30, I:40 11156 IPP (631) Internet Printing CUPS server
cups-client V:10, I:42 440 , , System V printer commands for CUPS: lp(1), lpstat(1), lpoptions(1), cancel(1), lpmove(8), lpinfo(8), lpadmin(8), …
cups-bsd V:7, I:38 180 , , BSD printer commands for CUPS: lpr(1), lpq(1), lprm(1), lpc(8)
cups-driver-gutenprint V:8, I:33 1264 Not applicable printer drivers for CUPS

[Tip] Tip

You can configure CUPS system by pointing your web browser to "http://localhost:631/" .

6.9. The remote access server and utility (SSH)

The Secure SHell (SSH) is the secure way to connect over the Internet. A free version of SSH called OpenSSH is available as openssh-client and openssh-server packages in Debian.

Table 6.13. List of remote access server and utilities.

package popcon size tool description
openssh-client V:53, I:98 2084 ssh(1) Secure shell client
openssh-server V:66, I:78 812 sshd(8) Secure shell server
ssh-askpass-fullscreen V:0.12, I:0.5 92 ssh-askpass-fullscreen(1) asks user for a pass phrase for ssh-add (GNOME2)
ssh-askpass V:0.6, I:4 156 ssh-askpass(1) asks user for a pass phrase for ssh-add (plain X)

[Caution] Caution

See Section 4.7.3, “Extra security measures for the Internet” if your SSH is accessible from the Internet.

[Tip] Tip

Please use the screen(1) program to enable remote shell process to survive the interrupted connection (see Section 9.1, “The screen program”).

6.9.1. Basics of SSH

[Warning] Warning

"/etc/ssh/sshd_not_to_be_run" must not be present if one wishes to run the OpenSSH server.

SSH has two authentication protocols:

Table 6.14. List of SSH authentication protocols and methods.

SSH protocol SSH method description
SSH-1 "RSAAuthentication" RSA identity key based user authentication
, , "RhostsAuthentication" ".rhosts" based host authentication (insecure, disabled)
, , "RhostsRSAAuthentication" ".rhosts" based host authentication combined with RSA host key (disabled)
, , "ChallengeResponseAuthentication" RSA challenge-response authentication
, , "PasswordAuthentication" password based authentication
SSH-2 "PubkeyAuthentication" public key based user authentication
, , "HostbasedAuthentication" "~/.rhosts" or "/etc/hosts.equiv" based host authentication combined with public key client host authentication (disabled)
, , "ChallengeResponseAuthentication" challenge-response authentication
, , "PasswordAuthentication" password based authentication

[Caution] Caution

Be careful about these differences if you are using a non-Debian system.

See "/usr/share/doc/ssh/README.Debian.gz", ssh(1), sshd(8), ssh-agent(1), and ssh-keygen(1) for details.

Following are the key configuration files:

Table 6.15. List of SSH configuration files.

configuration file function
/etc/ssh/ssh_config SSH client defaults. See ssh_config(5).
/etc/ssh/sshd_config SSH server defaults. See sshd_config(5).
~/.ssh/authorized_keys the lists of the default public SSH keys that clients use to connect to this account on this host.
~/.ssh/identity secret SSH-1 RSA key of the user.
~/.ssh/id_rsa secret SSH-2 RSA key of the user.
~/.ssh/id_dsa secret SSH-2 DSA key of the user.

[Tip] Tip

See ssh-keygen(1), ssh-add(1) and ssh-agent(1) for how to use public and secret SSH keys.

[Tip] Tip

Make sure to verify settings by testing the connection. In case of any problem, use "ssh -v".

[Tip] Tip

You can change the pass phrase to encrypt local secret SSH keys later with "ssh-keygen -p".

[Tip] Tip

You can add options to the entries in "~/.ssh/authorized_keys" to limit hosts and to run specific commands. See sshd(8) for details.

The following will start an ssh(1) connection from a client.

Table 6.16. List of SSH client startup examples.

command description
ssh username@hostname.domain.ext connect with default mode
ssh -v username@hostname.domain.ext connect with default mode with debugging messages
ssh -1 username@hostname.domain.ext force to connect with SSH version 1
ssh -1 -o RSAAuthentication=no -l username hostname.domain.ext force to use password with SSH version 1
ssh -o PreferredAuthentications=password -l username hostname.domain.ext force to use password with SSH version 2

If you use the same user name on the local and the remote host, you can eliminate typing "username@". Even if you use different user name on the local and the remote host, you can eliminate it using "~/.ssh/config". For Debian Alioth service with account name "foo-guest", you set "~/.ssh/config" to contain:

    User foo-guest

For the user, ssh(1) functions as a smarter and more secure telnet(1). Unlike telnet command, ssh command does not bomb on the telnet escape character (initial default CTRL-]).

6.9.2. Port forwarding for SMTP/POP3 tunneling

To establish a pipe to connect to port 25 of remote-server from port 4025 of localhost, and to port 110 of remote-server from port 4110 of localhost through ssh, execute on the local host:

# ssh -q -L 4025:remote-server:25 4110:remote-server:110 username@remote-server

This is a secure way to make connections to SMTP/POP3 servers over the Internet. Set the "AllowTcpForwarding" entry to "yes" in "/etc/ssh/sshd_config" of the remote host.

6.9.3. Connecting without remote passwords

One can avoid having to remember passwords for remote systems by using "RSAAuthentication" (SSH-1 protocol) or "PubkeyAuthentication" (SSH-2 protocol).

On the remote system, set the respective entries, "RSAAuthentication yes" or "PubkeyAuthentication yes", in "/etc/ssh/sshd_config".

Then generate authentication keys locally and install the public key on the remote system:

  • "RSAAuthentication": RSA key for SSH-1 (deprecated because it is superseded.)
$ ssh-keygen
$ cat .ssh/ | ssh user1@remote "cat - >>.ssh/authorized_keys"
  • "PubkeyAuthentication": RSA key for SSH-2
$ ssh-keygen -t rsa
$ cat .ssh/ | ssh user1@remote "cat - >>.ssh/authorized_keys"
  • "PubkeyAuthentication": DSA key for SSH-2 (deprecated because it is slow.)
$ ssh-keygen -t dsa
$ cat .ssh/ | ssh user1@remote "cat - >>.ssh/authorized_keys"
[Tip] Tip

Use of DSA key for SSH-2 is deprecated because key is smaller and slow. There are no more reasons to work around RSA patent using DSA since it has been expired. DSA stands for Digital Signature Algorithm and slow. Also see DSA-1571-1.

[Note] Note

For "HostbasedAuthentication" to work in SSH-2, you must adjust the settings of "HostbasedAuthentication" to "yes" in both "/etc/ssh/sshd_config" on the server host and "/etc/ssh/ssh_config" or "~/.ssh/config" on the client host.

6.9.4. Dealing with alien SSH clients

There are some free SSH clients available for other platforms.

Table 6.17. List of free SSH clients for other platforms.

environment free SSH program
Windows puTTY ( (GPL)
Windows (cygwin) SSH in cygwin ( (GPL)
Macintosh Classic macSSH ( (GPL)
Mac OS X OpenSSH; use ssh in the Terminal application (GPL)

6.9.5. Setting up ssh-agent

It is safer to protect your SSH authentication secret keys with a pass phrase. If a pass phrase was not set, use "ssh-keygen -p" to set it.

Place your public SSH key (e.g. "~/.ssh/") into "~/.ssh/authorized_keys" on a remote host using a password-based connection to the remote host as described above.

$ ssh-agent bash
$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/<username>/.ssh/id_rsa:
Identity added: /home/<username>/.ssh/id_rsa (/home/<username>/.ssh/id_rsa)
  • No remote password needed from here on, e.g.:
$ scp foo <username>
  • No password requested.
  • Press ^D to terminating ssh-agent session.

For the X server, the normal Debian startup script executes ssh-agent as the parent process. So you only need to execute ssh-add once. For more, read ssh-agent(1)and ssh-add(1).

6.9.6. Troubleshooting SSH

If you have problems, check the permissions of configuration files and run ssh with the "-v" option.

Use the "-P" option if you are root and have trouble with a firewall; this avoids the use of server ports 1 — 1023.

If ssh connections to a remote site suddenly stop working, it may be the result of tinkering by the sysadmin, most likely a change in "host_key" during system maintenance. After making sure this is the case and nobody is trying to fake the remote host by some clever hack, one can regain a connection by removing the "host_key" entry from "~/.ssh/known_hosts" on the local host.

6.10. Other network application servers

Table 6.18. List of other network application servers.

package popcon size protocol description
telnetd V:0.5, I:1.3 156 TELNET TELNET server
telnetd-ssl V:0.15, I:0.4 152 , , , , (SSL support)
nfs-kernel-server V:14, I:23 324 NFS Unix file sharing
samba V:21, I:34 16876 SMB Windows file and printer sharing
netatalk V:6, I:10 2448 ATP Apple/Mac file and printer sharing (AppleTalk)
proftpd-basic V:3, I:5 2148 FTP General file download
wu-ftpd V:0.3, I:0.7 820 , , , ,
apache2-mpm-prefork V:36, I:42 72 HTTP General web server
apache2-mpm-worker V:5, I:7 72 , , , ,
squid V:6, I:7 1812 , , General web proxy server
squid3 V:1.1, I:1.4 2440 , , , ,
slpd V:0.2, I:0.4 228 SLP OpenSLP Server as LDAP server
bind9 V:10, I:18 856 DNS IP address for other hosts
dhcp3-server V:4, I:9 800 DHCP IP address of client itself

Common Internet File System Protocol (CIFS) is the same protocol as Server Message Block (SMB) and is used widely by Microsoft Windows.

[Tip] Tip

Use of proxy server such as squid is much more efficient for saving bandwidth than use of local mirror server with the full Debian archive contents.

6.11. Other network application clients

Table 6.19. List of network application clients.

package popcon size protocol description
netcat V:2, I:54 36 TCP/IP TCP/IP swiss army knife
stunnel4 V:0.5, I:1.7 508 SSL Universal SSL Wrapper
telnet V:15, I:90 200 TELNET TELNET client
telnet-ssl V:0.3, I:1.2 208 , , , , (SSL support)
nfs-common V:52, I:81 504 NFS Unix file sharing
smbclient V:7, I:41 33604 SMB MS Windows file and printer sharing client
smbfs V:5, I:26 5336 , , Mount and umount commands for remote MS Windows file
ftp V:10, I:86 160 FTP FTP client
lftp V:1.3, I:6 1716 , , , ,
ncftp V:1.6, I:8 1212 , , Full screen FTP client
wget V:29, I:99 1968 HTTP and FTP Web downloader
curl V:5, I:20 304 , , , ,
dog V:0.07, I:0.3 NOT_FOUND HTTP Web uploader (cat with URL support)
bind9-host V:46, I:90 176 DNS The host command from bind9. Priority: standard
dnsutils V:13, I:91 392 , , The dig command from bind. Priority: standard
host V:1.5, I:3 NOT_FOUND , , The host command from dnsutils. Priority: extra
dhcp3-client V:46, I:93 604 DHCP Obtain IP address
ldap-utils V:1.6, I:7 696 LDAP Obtain data from LDAP server

6.12. The diagnosis of the system daemons

The telnet program enables manual connection to the system daemons and its diagnosis. E.g.:

$ telnet pop3

The following RFCs provide required knowledge to each system daemon.

Table 6.20. List of popular RFCs.

RFC description
rfc1939 and rfc2449 POP3 service
rfc3501 IMAP4 service
rfc2821 (rfc821) SMTP service
rfc2822 (rfc822) Mail file format
rfc2045 Multipurpose Internet Mail Extensions (MIME)
rfc819 DNS service
rfc2616 HTTP service
rfc2396 URI definition

The port usage is described in "/etc/services".

[Note] Note

For testing TLS/SSL services such as HTTPS, you need TLS/SSL enabled telnet program.