In 2006, SIPB completed a new Debian-Athena project, which offers almost all Athena services as Debian packages, so that one does not have to do the configuration work described below. That should make most of this page obsolete. This page is intended to document to process of integrating an Ubuntu or Debian GNU/Linux machine into the Athena environment. This will NOT make a true Athena workstation. However, most of the critical Athena services (Kerberos, AFS, Zephyr) have been ported to Debian. This document assumes a basic familiarity with Ubuntu or Debian, the GNU Toolchain, and Athena. Also, dependencies are not listed. The original Docbook XML for this document can be found here. Text like this contains instructions, explanations and comments. Text like this is meant to be executed. It generally can be copied as a block and pasted into a command prompt. Some times you may want to copy them into a text editor and edit them first. Text like this is meant to be inserted into a file. Use your favorite text editor. In Ubuntu, you may need to add the universe repository to your /etc/apt/sources.list file by uncommenting the appropriate lines. The Kerberos 4 protocol has several well documented cryptographic vulerabilites. apt-get install ssh-krb5 krb5-user krb4-config On Ubuntu: dpkg-reconfigure krb5-config krb4-config Use ATHENA.MIT.EDU as your Kerberos realm. To enable passwordless SSH using Kerberos tickets, add the following lines to your /etc/ssh/ssh_config file: GSSAPIAuthentication yes GSSAPIDelegateCredentials yes For users who have local accounts, it's possible to set up your system to get Kerberos tickets and AFS tokens on login. apt-get install libpam-krb5 libpam-openafs-session Edit /etc/pam.d/common-auth so that it contains: auth sufficient pam_unix.so nullok_secure auth sufficient pam_krb5.so use_first_pass forwardable Edit /etc/pam.d/common-session to: session required pam_unix.so session optional pam_krb5.so session optional pam_openafs_session.so After making these changes, restart ssh-krb5 by running /etc/init.d/ssh-krb5 restart You can now login with either your Kerberos password or your local password. If you use your Kerberos password, you will get both Kerberos tickets and AFS tokens automatically. If you want to be able to login to your machine using Kerberos ticket forwarding, then you should request a keytab from Athena Accounts and put it at /etc/krb5.keytab You will not get Kerberos 4 tickets on login, since there is no PAM module to get them. There are a few ways to deal with this, depending on your situation. One is to add krb524init to your login dotfiles (~/.profile or ~/.login, or the corresponding system-wide files /etc/profile or /etc/csh.login). AFS installation requires building kernel modules. If you wish to use a Debian stock kernel (recommended), run the following commands, and then proceed to the section on the AFS client. apt-get install module-assistant build-essential gcc-3.4 openafs-modules-source module-assistant prepare module-assistant auto-install openafs-modules depmod -a If you instead wish to compile your own kernel, run the following commands. Substitute in the version of the kernel source you wish to use. apt-get install kernel-package build-essential \ linux-source-2.6.12 openafs-modules-source cd /usr/src ; tar -xzf openafs.tar.gz tar -xjf linux-source-2.6.12.tar.bz2 ln -s linux-source-2.6.12 linux cd linux ; make menuconfig Configure the kernel as you like, and then run following commands. Feel free to change foo1 to any other valid revision name. make-kpkg --rev foo1 kernel_image make-kpkg modules_image cd .. ; dpkg -i *foo1*.deb Reboot and make sure your kernel works and the openafs modules are installed correctly. In order to use AFS, you will also need ot install and configure the client packages. apt-get install openafs-client openafs-krb5 On Ubuntu: dpkg-reconfigure openafs-client Use athena.mit.edu as your cell. Dynroot, encrypted traffic, fakestat and DNS lookups are all recommended. apt-get install ntp-simple ntpdate Edit /etc/ntp.conf and add the following line before any other timeserver listings. server time.mit.edu apt-get install libzephyr3-krb zephyr-clients Enter neskaya.mit.edu arilinn.mit.edu as your zephyr servers. If you are behind a firewall or router using Network Address Translation (NAT), Zephyr will not work. The Zephyr protocol is known to be incompatible with NAT. apt-get install hesiod Edit the line in /etc/hesiod.conf that starts with rhs= to: rhs=.athena.mit.edu apt-get install lprng Copy Athena's /usr/athena/libexec/get_hesiod_pcap to /usr/local/bin. Edit get_hesiod_pcap so the path line reads as follows. PATH=/usr/bin:/bin If possible, paste the following commands as a block into the command prompt. mv /etc/lprng/lpd.conf /etc/lprng/lpd.conf.orig cat > /etc/lprng/lpd.conf << "EOF" force_localhost@ kerberos_service=daemon printcap_path=/etc/printcap:|/usr/local/bin/get_hesiod_pcap reuse_addr use_date@ retry_econnrefused@ EOF touch /etc/printcap /etc/init.d/lprng restart apt-get install autofs autofs-hesiod Add the following line to /etc/auto.master. /mit hesiod /etc/init.d/autofs restart If you plan on traveling outside of MIT with this computer, you will need to make changes in order to have web, student, and other abbreviations of MIT domains still resolve to the MIT sites. If you are using DHCP, add the following line to /etc/dhclient.conf. supersede domain-name "mit.edu"; If you are using a static IP while away from MIT, add the following line to /etc/resolv.conf. search mit.edu In order to run several programs kept in AFS lockers you must have the script afslocker in /usr/bin. . Because of the way the automounter works, /usr/bin/afslocker does not need to do anything, and could also be a dummy script that does nothing. Questions, comments, or suggestions? Contact sipb-debian@mit.edu.