Here is how you clubify a machine.
```sh
## Enable CClub packages
echo "deb http://debian.club.cc.cmu.edu/debian/ wheezy-cclub contrib" >> /etc/apt/sources.list
apt-get update
# Trust the CClub signing key for packages (as well as the CClub CA)
# this is mildly insecure, but this package is from the local network, and we trust the local network
apt-get install cclub-keyring && apt-get update

## Preseed debconf with club-specific settings for several packages, which take effect when those packages are installed
apt-get install cclub-debconf-settings

## Install LDAP so the machine knows about club users, and Kerberos for authentication of those users
## also sudo, to run things as root
apt-get install libnss-ldapd heimdal-clients libpam-heimdal sudo
echo "GSSAPIAuthentication yes" >> /etc/ssh/sshd_config

## Install sudoers.d snippet to allow wheel group to sudo
## TODO make this a Debian package
echo "%wheel ALL=(ALL:ALL) ALL" > /etc/sudoers.d/wheel

## [OPTIONAL] Enable SSH login with Kerberos tickets
# if the machine's time is off then ticket authentication will mysteriously fail
apt-get install ntp
# get kadmin tickets (requires manually typing in /admin password)
kinit -S kadmin/admin $CCLUB_USER/admin
# create a Kerberos principal for this machine (accept all defaults)
kadmin ank -r host/$HOSTNAME.club.cc.cmu.edu
# add the secret key for that Kerberos principal to this machine's keytab
kadmin ext_keytab host/$HOSTNAME.club.cc.cmu.edu
# restart ssh
service ssh restart
# if it doesn't work, compare /etc/ssh/sshd_config to a working machine

## [OPTIONAL] Install AFS and get AFS homedirs for users
apt-get install openafs-client libpam-afs-session
```
You can now log in with your club credentials.
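
One reason the "compare /etc/ssh/sshd_config to a working machine" step can be needed: sshd uses the first value it obtains for each keyword, and a Match block runs to the end of the file, so the appended `GSSAPIAuthentication yes` has no global effect if an earlier line says `no` or if the file ends in a Match block. The script below is an added example, not part of the original procedure; the function names are hypothetical and the sample config is constructed. It reports the effective global value and sets it idempotently.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.

# Print the value sshd uses for a global KEYWORD: its first uncommented
# occurrence before any Match block. Keywords are case-insensitive.
sshd_global_value() {  # usage: sshd_global_value FILE KEYWORD
    awk -v key="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        {
            n = match(line, /[ \t=]/); if (n == 0) next
            k = tolower(substr(line, 1, n - 1)); v = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (k == "match") exit
            if (k == tolower(key)) { print v; exit }
        }' "$1"
}

# Idempotent replacement for `echo "KEYWORD VALUE" >> FILE`: rewrite the first
# global occurrence, or insert before the first Match block, or append.
sshd_ensure_global() {  # usage: sshd_ensure_global FILE KEYWORD VALUE
    cur=$(sshd_global_value "$1" "$2")
    if [ "$cur" = "$3" ]; then return 0; fi
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v val="$3" '
        function kw(s,   n) {
            sub(/^[ \t]+/, "", s); n = match(s, /[ \t=]/)
            return tolower(n ? substr(s, 1, n - 1) : s)
        }
        !done && kw($0) == tolower(key) { print key " " val; done = 1; next }
        !done && kw($0) == "match"      { print key " " val; print ""; done = 1 }
        { print }
        END { if (!done) print key " " val }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return $rc
}

# Constructed sample config: an earlier "no" plus a trailing Match block.
demo=$(mktemp)
printf '%s\n' 'Port 22' 'GSSAPIAuthentication no' \
    'Match User backup' '    X11Forwarding no' > "$demo"
echo "GSSAPIAuthentication yes" >> "$demo"     # the append used on this page
echo "after append: $(sshd_global_value "$demo" GSSAPIAuthentication)"
sshd_ensure_global "$demo" GSSAPIAuthentication yes
echo "after ensure: $(sshd_global_value "$demo" GSSAPIAuthentication)"
rm -f "$demo"
```

On a live machine, `sshd -T` prints the configuration sshd actually resolved, which is a quick cross-check before restarting the service.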