In 2006, SIPB completed a new Debian-Athena project, which offers almost all Athena services as Debian packages, so that one does not have to do the configuration work described below. That should make most of this page obsolete.
This page is intended to document the process of integrating an Ubuntu or Debian GNU/Linux machine into the Athena environment. This will NOT make a true Athena workstation. However, most of the critical Athena services (Kerberos, AFS, Zephyr) have been ported to Debian.
This document assumes a basic familiarity with Ubuntu or Debian, the GNU Toolchain, and Athena. Also, dependencies are not listed.
The original Docbook XML for this document can be found here.
Text like this contains instructions, explanations and comments.
Text like this is meant to be executed. It generally can be copied as a block and pasted into a command prompt. Sometimes you may want to copy the commands into a text editor and edit them first.
Text like this is meant to be inserted into a file. Use your favorite text editor.
Add the universe repository to your /etc/apt/sources.list file by uncommenting the appropriate lines.
The Kerberos 4 protocol has several well-documented cryptographic vulnerabilities.
apt-get install ssh-krb5 krb5-user krb4-config
On Ubuntu:
dpkg-reconfigure krb5-config krb4-config
Use ATHENA.MIT.EDU as your Kerberos realm.
Add the following lines to your /etc/ssh/ssh_config file:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
apt-get install libpam-krb5 libpam-openafs-session
Edit /etc/pam.d/common-auth so that it contains:
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so use_first_pass forwardable
Edit /etc/pam.d/common-session to:
session required pam_unix.so
session optional pam_krb5.so
session optional pam_openafs_session.so
After making these changes, restart ssh-krb5 by running
/etc/init.d/ssh-krb5 restart
You can now log in with either your Kerberos password or your local
password. If you use your Kerberos password, you will get both
Kerberos tickets and AFS tokens automatically. If you want to be able
to log in to your machine using Kerberos ticket forwarding, then you
should request a keytab from Athena Accounts and put it at /etc/krb5.keytab.
You will not get Kerberos 4 tickets on login, since there is no PAM
module to get them. There are a few ways to deal with this, depending
on your situation. One is to add krb524init to your login dotfiles
(~/.profile or ~/.login, or the corresponding system-wide files
/etc/profile or /etc/csh.login).
AFS installation requires building kernel modules.
If you wish to use a Debian stock kernel (recommended), run the following commands, and then proceed to the section on the AFS client.
apt-get install module-assistant build-essential gcc-3.4 openafs-modules-source
module-assistant prepare
module-assistant auto-install openafs-modules
depmod -a
If you instead wish to compile your own kernel, run the following commands. Substitute in the version of the kernel source you wish to use.
apt-get install kernel-package build-essential \
    linux-source-2.6.12 openafs-modules-source
cd /usr/src ; tar -xzf openafs.tar.gz
tar -xjf linux-source-2.6.12.tar.bz2
ln -s linux-source-2.6.12 linux
cd linux ; make menuconfig
Configure the kernel as you like, and then run the following commands. Feel free to change foo1 to any other valid revision name.
make-kpkg --rev foo1 kernel_image
make-kpkg modules_image
cd .. ; dpkg -i *foo1*.deb
Reboot and make sure your kernel works and the openafs modules are installed correctly.
apt-get install ntp-simple ntpdate
Edit /etc/ntp.conf and add the following line before any other timeserver listings.
server time.mit.edu
apt-get install libzephyr3-krb zephyr-clients
Enter neskaya.mit.edu arilinn.mit.edu as your zephyr servers.
If you are behind a firewall or router using Network Address Translation (NAT), Zephyr will not work. The Zephyr protocol is known to be incompatible with NAT.
apt-get install hesiod
Edit the line in /etc/hesiod.conf that starts with rhs= to:
rhs=.athena.mit.edu
apt-get install lprng
Copy Athena's /usr/athena/libexec/get_hesiod_pcap to /usr/local/bin.
Edit get_hesiod_pcap so the path line reads as follows.
PATH=/usr/bin:/bin
If possible, paste the following commands as a block into the command prompt.
mv /etc/lprng/lpd.conf /etc/lprng/lpd.conf.orig
cat > /etc/lprng/lpd.conf << "EOF"
force_localhost@
kerberos_service=daemon
printcap_path=/etc/printcap:|/usr/local/bin/get_hesiod_pcap
reuse_addr
use_date@
retry_econnrefused@
EOF
touch /etc/printcap
/etc/init.d/lprng restart
apt-get install autofs autofs-hesiod
Add the following line to /etc/auto.master.
/mit hesiod
For autofs5, use the following line instead.
/mit hesiod:
/etc/init.d/autofs restart
If you plan on traveling outside of MIT with this computer, you will need to make changes in order to have web, student, and other abbreviations of MIT domains still resolve to the MIT sites.
If you are using DHCP, add the following line to /etc/dhclient.conf.
supersede domain-name "mit.edu";
If you are using a static IP while away from MIT, add the following line to /etc/resolv.conf.
search mit.edu
In order to run several programs kept in AFS lockers you must have the script afslocker in /usr/bin. Because of the way the automounter works, /usr/bin/afslocker does not need to do anything, and could also be a dummy script that does nothing.
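The following script is an added example, not part of the original page or of Debian-Athena: it re-checks the ssh, PAM, Hesiod and NTP settings described above under a given root prefix. The function names and the ROOT argument are hypothetical, and the keytab permission check is an assumption added here that the page does not state.

```shell
#!/bin/sh
# Added example (not from the original page): re-check the settings the
# steps above put in place. ROOT is a path prefix, "/" on a live system.

# has_line FILE ERE: true if a non-comment line in FILE starts with ERE.
has_line() {
    [ -f "$1" ] && grep -Eq "^[[:space:]]*$2" "$1"
}

# Prints one "FAIL: ..." line per problem; returns 0 only if all pass.
check_athena_config() {
    root=${1%/}
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    for opt in GSSAPIAuthentication GSSAPIDelegateCredentials; do
        has_line "$root/etc/ssh/ssh_config" "${opt}[[:space:]]+yes" ||
            fail "ssh_config: $opt yes is missing"
    done
    # pam_krb5 must reuse the password pam_unix.so already prompted for.
    has_line "$root/etc/pam.d/common-auth" \
        'auth[[:space:]]+sufficient[[:space:]]+pam_krb5\.so.*use_first_pass' ||
        fail "common-auth: pam_krb5.so use_first_pass is missing"
    # Without this session module a Kerberos login gets no AFS tokens.
    has_line "$root/etc/pam.d/common-session" \
        'session[[:space:]]+optional[[:space:]]+pam_openafs_session\.so' ||
        fail "common-session: pam_openafs_session.so is missing"
    has_line "$root/etc/hesiod.conf" 'rhs=\.athena\.mit\.edu[[:space:]]*$' ||
        fail "hesiod.conf: rhs is not .athena.mit.edu"
    # time.mit.edu has to come before any other timeserver listing.
    first=$(awk '$1 == "server" { print $2; exit }' \
        "$root/etc/ntp.conf" 2>/dev/null) || first=
    [ "$first" = "time.mit.edu" ] ||
        fail "ntp.conf: time.mit.edu is not the first server line"
    # Assumption added here, not stated on the page: the keytab holds the
    # host's long-term key, so group and other must not be able to read it.
    kt=$root/etc/krb5.keytab
    if [ -f "$kt" ] && [ -n "$(find "$kt" \( -perm -040 -o -perm -004 \))" ]; then
        fail "krb5.keytab: readable by group or other"
    fi
    [ "$fails" -eq 0 ]
}
```

Source the file and run check_athena_config / as root once the steps are done; a commented-out option counts as missing.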
Questions, comments, or suggestions? Contact sipb-debian@mit.edu.