Making your Ubuntu or Debian box Athena-ish

Table of Contents

About this document
How to use this document
Making your Ubuntu or Debian box Athena-ish
Ubuntu Repositories
Kerberos Login
/mit Automounter
A Few Suggestions


In 2006, SIPB completed a new Debian-Athena project, which offers almost all Athena services as Debian packages, so that one does not have to do the configuration work described below. That should make most of this page obsolete.

About this document

This page is intended to document to process of integrating an Ubuntu or Debian GNU/Linux machine into the Athena environment. This will NOT make a true Athena workstation. However, most of the critical Athena services (Kerberos, AFS, Zephyr) have been ported to Debian.

This document assumes a basic familiarity with Ubuntu or Debian, the GNU Toolchain, and Athena. Also, dependencies are not listed.

The original Docbook XML for this document can be found here.

How to use this document

Text like this contains instructions, explanations and comments.

Text like this is meant to be executed. It generally can
be copied as a block and pasted into a command prompt.
Some times you may want to copy them into a text editor
and edit them first.
Text like this is meant to be inserted into a file. Use
your favorite text editor.

Making your Ubuntu or Debian box Athena-ish

Ubuntu Repositories

In Ubuntu, you may need to add the universe repository to your /etc/apt/sources.list file by uncommenting the appropriate lines.



The Kerberos 4 protocol has several well documented cryptographic vulerabilites.

apt-get install ssh-krb5 krb5-user krb4-config
On Ubuntu:
dpkg-reconfigure krb5-config krb4-config

Use ATHENA.MIT.EDU as your Kerberos realm.

To enable passwordless SSH using Kerberos tickets, add the following lines to your /etc/ssh/ssh_config file:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Kerberos Login

For users who have local accounts, it's possible to set up your system to get Kerberos tickets and AFS tokens on login.
apt-get install libpam-krb5 libpam-openafs-session
Edit /etc/pam.d/common-auth so that it contains:
auth    sufficient nullok_secure
auth    sufficient use_first_pass forwardable
Edit /etc/pam.d/common-session to:
session         required
session         optional
session         optional
After making these changes, restart ssh-krb5 by running
/etc/init.d/ssh-krb5 restart
You can now login with either your Kerberos password or your local password. If you use your Kerberos password, you will get both Kerberos tickets and AFS tokens automatically. If you want to be able to login to your machine using Kerberos ticket forwarding, then you should request a keytab from Athena Accounts and put it at /etc/krb5.keytab You will not get Kerberos 4 tickets on login, since there is no PAM module to get them. There are a few ways to deal with this, depending on your situation. One is to add
to your login dotfiles (~/.profile or ~/.login, or the corresponding system-wide files /etc/profile or /etc/csh.login).


AFS Kernel Module

AFS installation requires building kernel modules.

If you wish to use a Debian stock kernel (recommended), run the following commands, and then proceed to the section on the AFS client.

apt-get install module-assistant build-essential gcc-3.4 openafs-modules-source
module-assistant prepare
module-assistant auto-install openafs-modules
depmod -a

If you instead wish to compile your own kernel, run the following commands. Substitute in the version of the kernel source you wish to use.

apt-get install kernel-package build-essential \
linux-source-2.6.12 openafs-modules-source
cd /usr/src ; tar -xzf openafs.tar.gz
tar -xjf linux-source-2.6.12.tar.bz2
ln -s linux-source-2.6.12 linux
cd linux ; make menuconfig

Configure the kernel as you like, and then run following commands. Feel free to change foo1 to any other valid revision name.

make-kpkg --rev foo1 kernel_image
make-kpkg modules_image
cd .. ; dpkg -i *foo1*.deb

Reboot and make sure your kernel works and the openafs modules are installed correctly.

AFS Client

In order to use AFS, you will also need ot install and configure the client packages.
apt-get install openafs-client openafs-krb5
On Ubuntu:
dpkg-reconfigure openafs-client

Use as your cell. Dynroot, encrypted traffic, fakestat and DNS lookups are all recommended.


apt-get install ntp-simple ntpdate

Edit /etc/ntp.conf and add the following line before any other timeserver listings.



apt-get install libzephyr3-krb zephyr-clients

Enter as your zephyr servers.

If you are behind a firewall or router using Network Address Translation (NAT), Zephyr will not work. The Zephyr protocol is known to be incompatible with NAT.


apt-get install hesiod
Edit the line in /etc/hesiod.conf that starts with rhs= to:


apt-get install lprng

Copy Athena's /usr/athena/libexec/get_hesiod_pcap to /usr/local/bin.

Edit get_hesiod_pcap so the path line reads as follows.


If possible, paste the following commands as a block into the command prompt.

mv /etc/lprng/lpd.conf /etc/lprng/lpd.conf.orig

cat > /etc/lprng/lpd.conf << "EOF"

touch /etc/printcap
/etc/init.d/lprng restart

/mit Automounter

apt-get install autofs autofs-hesiod

Add the following line to /etc/auto.master.

/mit     hesiod

For autofs5, use the following line instead.

/mit     hesiod:
/etc/init.d/autofs restart

A Few Suggestions

If you plan on traveling outside of MIT with this computer, you will need to make changes in order to have web, student, and other abbreviations of MIT domains still resolve to the MIT sites.

If you are using DHCP, add the following line to /etc/dhclient.conf.

supersede domain-name "";

If you are using a static IP while away from MIT, add the following line to /etc/resolv.conf.


In order to run several programs kept in AFS lockers you must have the script afslocker in /usr/bin. . Because of the way the automounter works, /usr/bin/afslocker does not need to do anything, and could also be a dummy script that does nothing.


Questions, comments, or suggestions? Contact