Here is how you clubify a machine.
newmachine script method
Step 1
## Enable CClub packages
echo "deb http://debian.club.cc.cmu.edu/debian/ wheezy-cclub contrib" >> /etc/apt/sources.list
apt-get update
# Trust the CClub signing key for packages (as well as the CClub CA)
# this is mildly insecure, but this package is from the local network, and we trust the local network
apt-get install cclub-keyring && apt-get update

## Preseed debconf with club-specific settings for several packages, which take effect when those packages are installed
apt-get install cclub-debconf-settings

## Install the standard Cclub packages
scp $USER@unix.club.cc.cmu.edu:/afs/club/service/etc/skel/wheezy/packages.wheezy.domU .
apt-get install `cat packages.wheezy.domU`

## Install LDAP so the machine knows about club users
apt-get install libnss-ldapd
Step 2a: Real AFS
*If you want fake AFS, skip to Step 2b.*
It is highly advisable to create a dedicated afscache volume. Hopefully you did this when you installed the guest.
## Install the AFS client
aptitude install openafs-modules-3.2.0-4-amd64
aptitude install openafs-client libpam-afs-session
kinit -S kadmin/admin $USER/admin
Step 2b: Fake AFS
Only if you want fake AFS, follow the next steps.
sed -i "s/.*\(GSSAPIDelegateCredentials\).*/\\1 yes/" /etc/ssh/ssh_config
scp $USER@unix.club.cc.cmu.edu:/afs/club/system/scripts/sh/newrsync-wheezy.sh .
kinit -S kadmin/admin $USER/admin
./newrsync-wheezy.sh
Step 3: Final Clubification
## Create a Kerberos principal for this machine (accept all defaults)
ktutil get host/$HOSTNAME.club.cc.cmu.edu
/afs/club/system/scripts/sh/newmachine-wheezy.sh --use-ldap
You can now log in with your club credentials, and ksu -l to get root, or ssh directly to root with a /root principal.
No script method
## Enable CClub packages
echo "deb http://debian.club.cc.cmu.edu/debian/ wheezy-cclub contrib" >> /etc/apt/sources.list
apt-get update
# Trust the CClub signing key for packages (as well as the CClub CA)
# this is mildly insecure, but this package is from the local network, and we trust the local network
apt-get install cclub-keyring && apt-get update

## Preseed debconf with club-specific settings for several packages, which take effect when those packages are installed
apt-get install cclub-debconf-settings

## Install LDAP so the machine knows about club users, and Kerberos for authentication of those users
apt-get install libnss-ldapd heimdal-clients libpam-heimdal

## Enable SSH login with Kerberos tickets (by creating a host key)
# Get Kerberos admin tickets (requires manually typing in /admin password)
kinit -S kadmin/admin $CCLUB_USER/admin
# Create a Kerberos principal for this machine (accept all defaults)
ktutil get host/$HOSTNAME.club.cc.cmu.edu

## Actually enable Kerberos authentication
# if the machine's time is off then ticket authentication will mysteriously fail
apt-get install ntp
# modify ssh configuration to accept Kerberos tickets
echo 'GSSAPIAuthentication yes' >> /etc/ssh/sshd_config
echo 'GSSAPIKeyExchange yes' >> /etc/ssh/sshd_config
echo 'GSSAPIDelegateCredentials yes' >> /etc/ssh/ssh_config
service ssh restart
# if it doesn't work, compare /etc/ssh/sshd_config to a working machine

## Autopopulate .k5login based on membership of wheel group
# This allows people to log in as root via ssh or ksu using their $USER/root principals
# note the quotes
echo -e '#!/bin/bash\n'"getent group wheel | cut -d : -f 4 | tr , '\\\\n' | sed 's/$/\/root@CLUB.CC.CMU.EDU/' > /root/.k5login" > /etc/cron.hourly/update-root-k5login
chmod 755 /etc/cron.hourly/update-root-k5login
# Make ksu setuid root, so it can be used like sudo -i to get root privileges
dpkg-statoverride --update --add root root 4755 /usr/bin/ksu
# TODO make the two sections above into a Debian package

## [OPTIONAL] Install AFS and get AFS homedirs for users
apt-get install openafs-client libpam-afs-session openafs-krb5
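
The update-root-k5login cron job above redirects straight into /root/.k5login, so the file is truncated before the LDAP lookup has returned anything. A hardened variant follows as an added example (not part of the original page or the club's scripts): it keeps the old file when the wheel lookup yields no members, drops entries that are not plain account names, and replaces the file atomically. The function names and the username pattern are assumptions.

```shell
#!/bin/bash
# Added example: hardened variant of /etc/cron.hourly/update-root-k5login.
REALM="CLUB.CC.CMU.EDU"   # realm as used on this page

# Turn one getent-style line ("group:x:gid:user1,user2") into one
# "user/root@REALM" principal per line. Entries that are not plain
# account names (assumed pattern) are dropped, so directory data cannot
# smuggle an arbitrary principal into root's .k5login.
k5login_from_group_line() {
    printf '%s\n' "$1" | cut -d : -f 4 | tr , '\n' |
        grep -E '^[a-z_][a-z0-9_-]*$' |
        sed "s/\$/\/root@${REALM}/"
}

# Write the principal list to $2. If the list is empty (LDAP unreachable,
# group missing), leave the existing file untouched and report failure.
update_k5login() {
    local group_line="$1" target="$2" principals tmp
    principals=$(k5login_from_group_line "$group_line")
    if [ -z "$principals" ]; then
        echo "no valid wheel members; leaving $target unchanged" >&2
        return 1
    fi
    # Temp file in the same directory so mv is an atomic rename.
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    printf '%s\n' "$principals" > "$tmp"
    chmod 600 "$tmp"
    mv -f "$tmp" "$target"
}

# Use from cron (commented out so the example runs offline):
# update_k5login "$(getent group wheel)" /root/.k5login
```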