We provide club members with access to shell servers. Many folks enjoy the fact they do not reboot every night, unlike the Andrew Linux shells. This is useful for folks that, e.g., want to maintain a long-lived connection to an IRC channel.
General Notes
User home directories are located in the club's AFS cell. A user must have valid AFS tokens (obtained via Kerberos tickets) in order for AFS to authenticate their accesses to the file system. Typically AFS tokens are automatically obtained on login. However, they have a limited lifetime. To obtain new tokens (and Kerberos tickets), use the kinit command.
Passwords and authentication are handled by club Kerberos. If you would like to change your password, use the kpasswd command.
Current Shells
Our current general purpose user shells are:
- oyster.club.cc.cmu.edu
- whelk.club.cc.cmu.edu
At this point they are fairly outdated. They were both originally built with Debian 7, and have since been upgraded to Debian 8.
We also provide shells that can only be used by Cclub administrators:
- bromine.club.cc.cmu.edu
- conch.club.cc.cmu.edu
Bromine runs Debian 8 and has a relatively large /scratch partition containing artifacts important to certain club members.
Conch runs Debian 11.
Preview Shells
We are working to provide new shells running the current stable release of Debian (13 at this time).
Currently there are two preview shells that can only be used by Cclub administrators:
- gold.club.cc.cmu.edu
- platinum.club.cc.cmu.edu
Features
Newer Software
- Barnowl 1.10
- Bash 5.2.37
- GNU Emacs 30.1
- Finch 2.14.14
- Git 2.47.3
- GPG 2.4.7
- Irssi 1.4.5
- Jekyll 4.3.4
- Perl 5.40.1
- Python 3.13.5
- Ruby 3.3
- Subversion 1.14.5
- Vim 9.1.1230
- Weechat 4.6.3
Better Support for Club Mail
Alpine, GNU Mailutils, and Mutt have been configured to work with qmail delivery to ~/Maildir/ by default, with no user configuration or customization required.
Known Issues
Alpine
If you've used Alpine previously, the changes we've made to the global configuration might interfere with your personal configuration. You can see our global configuration settings in /etc/pine.conf. You should be able to override anything that is problematic by overriding/clearing those settings in your ~/.pinerc.
If you access Club Mail via IMAP and set IMAP keywords (e.g., user-defined tags or labels) on messages, you may want to avoid using Alpine. Changing message attributes in Alpine can strip the messages of all their IMAP keywords.
GNU Mailutils
If you access Club Mail via IMAP and set IMAP keywords (e.g., user-defined tags or labels) on messages, you may want to avoid using GNU Mailutils for any operations that modify the state of non-new messages. Changing message attributes with GNU Mailutils can strip the messages of all their IMAP keywords.
MariaDB/MySQL
The MariaDB Connector/C library by default disables authentication of passwords that are using the old MySQL password hash. Unfortunately, most, if not all, MySQL users on club-db.club.cc.cmu.edu and contrib-db.club.cc.cmu.edu are still using the old hash. There does not appear to be any easy way to re-enable this authentication mechanism for all library users.
We will continue investigating to see if we can come up with a general solution.
But for now it can be re-enabled in the following application-specific ways:
Client Tools (mysql, mysqldump, etc.)
Provide a connection string in place of a hostname, and within the connection string include a restricted_auth key that includes mysql_old_password as an allowed authentication plug-in.
E.g., if I'd normally connect to my database as follows:
mysql -D contrib_kbare -h contrib-db.club.cc.cmu.edu -u kbare -p
I can work around the compatibility issues with the old password hash, as follows:
mysql -D contrib_kbare -h 'host=contrib-db.club.cc.cmu.edu;restricted_auth=mysql_native_password,mysql_old_password' -u kbare -p
Perl DBD::MariaDB
The Perl MariaDB driver for DBI can be made to read a file with library options, which can then set a restricted_auth option including all of the authentication plugins.
use DBI;
# The DSN must start with "DBI:"; the options file supplies restricted_auth.
my $dbh = DBI->connect("DBI:MariaDB:database=$db;host=$host;" .
                       "mariadb_read_default_file=/etc/mysql/compat.cnf",
                       $user, $password);
Perl DBD::mysql
The Perl mysql driver works similarly, but uses a different option in its connection string.
use DBI;
# Same approach; DBD::mysql names the option mysql_read_default_file.
my $dbh = DBI->connect("DBI:mysql:database=$db;host=$host;" .
                       "mysql_read_default_file=/etc/mysql/compat.cnf",
                       $user, $password);
Mutt
If you've used Mutt previously, the changes we've made to the global configuration might interfere with your personal configuration. You can see our global configuration settings in /etc/Muttrc.d/cclub.inc. If they are not to your liking, you can prevent them all from being applied by exporting MUTT_DISABLE_CCLUB_RC=1 as an environment variable. Alternatively, you can override/clear things on a setting-by-setting basis in your personal ~/.muttrc.
OpenSSH
Newer versions of the ssh client have started disabling support for algorithms that are no longer considered secure. This can cause an issue when connecting to other hosts running older versions of sshd. This problem manifests as follows:
kbare@gold:~$ ssh something-old
Unable to negotiate with 128.237.157.42 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
To work around this, you can enable a supported older algorithm. This can be handled by adding an option to your command line:
kbare@gold:~$ ssh -o HostKeyAlgorithms=+ssh-rsa something-old
Linux something-old 2.6.32-5-xen-amd64 #1 SMP Mon Feb 29 01:05:38 UTC 2016 x86_64
...
kbare@something-old:~$
Alternately, you can include the relevant directive in your ~/.ssh/config file; in this case, you can utilize Host or Match sections to limit enablement of the algorithm(s) to hosts that require them.
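One way to produce the Host-scoped directive described above, as an added example that is not part of the original page: the function turns the negotiation error into a ~/.ssh/config stanza that enables ssh-rsa for that one host only. The function name legacy_hostkey_stanza is hypothetical, and refusing hosts that offer only ssh-dss is a choice made for this example; the sample error line is the one shown above.

```shell
#!/bin/sh
# Added example (not from the original page): build a Host-scoped
# ~/.ssh/config stanza from ssh's "no matching host key type" error, so the
# legacy algorithm is enabled only for the host that needs it.

# legacy_hostkey_stanza ALIAS ERROR_LINE   (hypothetical helper name)
# Prints the stanza on stdout. Returns 1 if the error is not the host-key
# case, the alias is unsafe, or the server does not offer ssh-rsa.
legacy_hostkey_stanza() {
    alias_name=$1
    err=$2

    # Only handle the host key negotiation failure shown on this page.
    case $err in
        *"no matching host key type found. Their offer: "*) ;;
        *) return 1 ;;
    esac

    # Refuse empty aliases and anything with whitespace or pattern
    # characters, so the stanza cannot match more hosts than intended.
    case $alias_name in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
    esac

    # Keep only the comma-separated list after "Their offer: ".
    offer=${err##*Their offer: }

    # Enable ssh-rsa only if the server actually offers it.
    case ",$offer," in
        *,ssh-rsa,*) ;;
        *) return 1 ;;
    esac

    printf 'Host %s\n    HostKeyAlgorithms +ssh-rsa\n' "$alias_name"
}

# Error line as shown in the failing session above.
SAMPLE_ERR='Unable to negotiate with 128.237.157.42 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss'

# Prints the stanza; append it to ~/.ssh/config after reviewing it.
legacy_hostkey_stanza something-old "$SAMPLE_ERR"
```

With that stanza in place, a plain `ssh something-old` negotiates ssh-rsa, while connections to every other host keep the client's default algorithm list.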
OpenSSL
Newer OpenSSL libraries default to a security level of 2, which prohibits the use of parameter sizes, key sizes, algorithms, and protocols that are no longer considered secure by default. This results in failures similar to the following:
kbare@gold:~$ curl --head https://something-old/
curl: (35) TLS connect error: error:0A000102:SSL routines::unsupported protocol
The specific details of the limitations, taken from the OpenSSL 3.3 documentation, are:
Level 1
The security level corresponds to a minimum of 80 bits of security. Any parameters offering below 80 bits of security are excluded. As a result RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited. Any cipher suite using MD5 for the MAC is also prohibited. Any cipher suites using CCM with a 64 bit authentication tag are prohibited. Note that signatures using SHA1 and MD5 are also forbidden at this level as they have less than 80 security bits. Additionally, SSLv3, TLS 1.0, TLS 1.1 and DTLS 1.0 are all disabled at this level.
Level 2
Security level set to 112 bits of security. As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. In addition to the level 1 exclusions any cipher suite using RC4 is also prohibited. Compression is disabled.
Applications utilizing OpenSSL often provide some means for specifying a cipher preference/priority list. Adding an @SECLEVEL=N entry within the preference list will change the security level to N.
E.g., for the curl tool, we can connect to the host above by adding a --ciphers option that includes @SECLEVEL=0:
kbare@gold:~$ curl --ciphers 'DEFAULT:!eNULL:@SECLEVEL=0' --head https://something-old/
HTTP/1.1 200 OK
...
Perl
A change was made starting from Perl 5.26.0 removing . (the current working directory) from the @INC module search path. This is most commonly a problem if you have a script that assumes it can simply require or use a module located in the same directory as the script. In this case, you can use FindBin to identify the script's parent directory and add it to @INC from a BEGIN block.
Python
The /usr/bin/python executable is now a Python 3 interpreter (on the Debian 8 shells it was Python 2). Typical Python 3 vs Python 2 compatibility issues will apply.
Currently there is not a Python 2 interpreter available on the preview shells. We might eventually end up providing one for the user shells only.