- What are the various Authentication options?
- Why is NFS disabled?
- Why is autofs disabled?
- How do I re-enable NFS?
- How do I re-enable autofs?
- What is AFS?
- How do I enable AFS?
- How do I disable AFS?
- What is Kerberos?
- What is SSH?
- Who do I email for support?
- Is there a sulinux-help list archive?
- Why does libsafe make program (insert name here) coredump?
- What is libsafe?
- How can I retrieve my mail from the leland servers?
- How do I install Zephyr?
- Why did /usr/pubsw disappear when I updated via apt-get?
- How do I upgrade a SULinux 1.x-7.1 or RedHat 6.x-7.1 system to SULinux 7.2?
- How do I upgrade to SULinux 7.3 from a previous release of SULinux or RedHat Linux?
- I get an RPM dependency error when I try to install apt. How do I fix it?
- Why is NFS slow?
- What are the various authentication methods?
There are two main authentication methods:
a) local passwords only (do not use AFS passwords)
b) AFS (Kerberos) passwords
Both are controlled via PAM. When installing SULinux, you'll be asked
if you want to use AFS passwords. If you say yes, a line is inserted in
/etc/pam.d/system-auth that gives the following logic for login:
- Does the account name exist locally? If not, you cannot log in.
- Is the login name "root"? If so, prompt only for the local password.
- Otherwise prompt for "AFS Password", which is the Kerberos password for
the SUNet ID of the same name. Note that if you create a local account
whose name matches someone's SUNet ID, the holder of that SUNet ID will be
able to log into your system with their AFS password. The AFS module is
"sufficient" in the PAM sense, so if this password is correct the person
is logged in.
- If the AFS password is wrong, prompt for the local password.
This may not be what you want. If you only want to use local
passwords, do not use the AFS auth mechanism. Suppose instead you want to
allow all SUNet IDs to log in. You again use the PAM module, but
also run "authconfig" and enable hesiod support (just check it; the
values should be filled in automatically). Hesiod then acts as an
addition to your /etc/passwd, mapping user names to home directories
(AFS directories, mind you). See RedHat's hesiod documentation
for more information on how hesiod works.
Another possibility is that you want local users to authenticate with *both*
their local password and their SUNet ID password. To do this, you must edit
the PAM configuration. I personally have not done this, but all you should
have to do is change the control flag on the PAM AFS module's line from
"sufficient" to "required" (PAM's control flags are required, requisite,
sufficient and optional; with "required", a wrong AFS password makes the
whole stack fail even if the local password is right). If you can confirm
this, please email sulinux-help and let me know.
The last possibility is that you want Leland system cluster Solaris-style
auth, i.e. AFS passwords but reading .klogin to map user names to
SUNet IDs. Notice the subtle difference. In the default scheme, the
username in /etc/passwd maps directly and automatically to the SUNet ID
of the same name for normal users. In this scheme, the username in
/etc/passwd need not correspond to a SUNet ID; instead, any principal
(SUNet ID) listed in the .klogin file in that account's home directory can
log in as that user. To enable this, replace /bin/login with
/etc/leland/login.krb. NOTE: login.krb doesn't work with MD5 shadow
passwords, so make sure you use the old-style crypt() passwords. Please make
sure you know what you are doing: a mistake here can leave you able to log
in only in single-user mode until you fix it.
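As an added example (not part of this FAQ or of the SULinux packages), the shell script below prints the auth section of /etc/pam.d/system-auth for the two policies just described and simulates how Linux-PAM combines "required" and "sufficient" module results, so the effect of the flag change can be checked before you risk locking yourself out. The module path /lib/security/pam_afs.so and the pam_unix arguments are assumptions; check the module names actually installed under /lib/security on your machine.

```shell
#!/bin/sh
# Added example for the SULinux authentication FAQ (not from the FAQ or the
# SULinux packages).  Module path /lib/security/pam_afs.so is an assumption.

# pam_auth_stack either|both: print the auth section of /etc/pam.d/system-auth
#   either - SULinux default: a correct AFS password OR local password logs you in
#   both   - AFS password AND local password must both be correct
pam_auth_stack() {
    case "$1" in
    either)
        cat <<'EOF'
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_afs.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so
EOF
        ;;
    both)
        cat <<'EOF'
auth       required     /lib/security/pam_env.so
auth       required     /lib/security/pam_afs.so
auth       required     /lib/security/pam_unix.so likeauth nullok
EOF
        ;;
    *)
        echo "usage: pam_auth_stack either|both" >&2
        return 2
        ;;
    esac
}

# pam_eval FLAG:RESULT ...: simulate Linux-PAM's handling of one auth stack.
# Each argument is one module line, top to bottom: its control flag
# (required|requisite|sufficient|optional) and what that module would return
# for the password typed (ok|fail).  Prints "ok" or "fail"; exit status 0/1.
# Rules (Linux-PAM):
#   required   fail -> remember the failure but keep running later modules
#   requisite  fail -> fail immediately
#   sufficient ok   -> succeed immediately, unless a required module already failed
#   sufficient fail, optional anything -> no effect on the result
pam_eval() {
    failed=no
    for m in "$@"; do
        flag=${m%%:*}
        res=${m#*:}
        case "$flag:$res" in
        required:fail)  failed=yes ;;
        requisite:fail) echo fail; return 1 ;;
        sufficient:ok)  [ "$failed" = no ] && { echo ok; return 0; } ;;
        esac
    done
    if [ "$failed" = yes ]; then
        echo fail
        return 1
    fi
    echo ok
    return 0
}

# Worked cases, in the order of the stacks above: pam_env, AFS, pam_unix[, pam_deny].
echo "either policy, AFS wrong, local right: $(pam_eval required:ok sufficient:fail sufficient:ok required:fail)"
echo "either policy, both wrong:             $(pam_eval required:ok sufficient:fail sufficient:fail required:fail)"
echo "both policy,   AFS wrong, local right: $(pam_eval required:ok required:fail required:ok)"
echo "both policy,   both right:             $(pam_eval required:ok required:ok required:ok)"
```

The simulator is deliberately simple: it models only the four classic control flags, not the bracketed [value=action] syntax, and it assumes every module returns either success or an ordinary failure. That is enough to see why "sufficient" lets either password through and "required" demands both.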
- Why is NFS/NIS disabled?
NFS and other RPC-based services are a big security risk for several
reasons. First, they have a less than admirable track record: most Linux
compromises on campus come from users who enabled NFS or other
RPC services and forgot to patch them. Second, NFS and other RPC
services have horrendous logging, which makes it difficult to track
what is going on. Third, NFS has traditionally been hard to set up
properly, though Linux is making strong inroads in this department.
Last, NFS simply isn't needed by most people. You do not need to run
the server to mount other hosts' filesystems; you only need to run it
if you absolutely must export one of your own filesystems. RedHat (not
us) disables NFS by default, and its Medium and High firewall settings
block all RPC services, including NFS and NIS.
- Why is autofs disabled?
See the NFS answer above, substituting "autofs" for "NFS".
- How do I re-enable NFS?
The most important step to re-enable NFS is to apply all
updates to your system as detailed in the Installation/Update section.
After installing the updates, run as root:
# /sbin/chkconfig portmap on
# /sbin/chkconfig nfs on
# /etc/rc.d/init.d/portmap start
# /etc/rc.d/init.d/nfs start
You'll also need to make sure you are using the Stanford Default
firewall setting in the /usr/sbin/sulinux configuration program.
RedHat's settings disable inbound RPC packets by default and you must override
this in /etc/sysconfig/ipchains or use the sulinux program to do
this for you.
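Since the answer above blames most NFS compromises on careless setup rather than on the daemon alone, here is an added example (not from this FAQ or the SULinux packages) of a quick audit to run over /etc/exports before turning NFS back on. It flags exports open to every host, exports that grant remote root local-root privileges, and the classic "space before the options" typo that silently turns a restricted export into a world export. The exports file it builds for demonstration is constructed for this example.

```shell
#!/bin/sh
# Added example for the SULinux NFS FAQ (not from the FAQ or the SULinux
# packages): audit /etc/exports before re-enabling NFS.  The sample exports
# file built by sample_exports is constructed for this example.
#
# /etc/exports format (Linux knfsd):   /path  host1(opt,opt)  host2(opt)
#   - a client of "*" (or no client list at all) lets every host mount
#   - "/path (ro)" with a space before "(" is parsed as "any host, option ro",
#     not as a host called "(ro)"; this typo quietly creates a world export
#   - no_root_squash lets root on the client act as root on your files

# audit_exports FILE: print one line per finding; return the number of RISK
# findings (0 = nothing serious).
audit_exports() {
    file=$1
    bad=0
    set -f                                   # "*" in a client list must not glob
    while read -r path clients; do
        case "$path" in ''|'#'*) continue ;; esac   # blank or comment line
        clients=${clients%%#*}               # drop a trailing comment
        if [ -z "$clients" ]; then
            echo "RISK $path: no client list, exported to every host"
            bad=$((bad + 1))
            continue
        fi
        for c in $clients; do
            host=${c%%\(*}                   # text before "("
            opts=${c#*\(}; opts=${opts%\)}   # text inside "(...)"
            [ "$opts" = "$c" ] && opts=""    # no "(...)" at all: default options
            case "$host" in
            ''|'*')
                echo "RISK $path: wildcard client '$host' (any host may mount)"
                bad=$((bad + 1)) ;;
            esac
            case ",$opts," in
            *,no_root_squash,*)
                echo "RISK $path: no_root_squash for '$host' (remote root is local root)"
                bad=$((bad + 1)) ;;
            esac
            case ",$opts," in
            *,insecure,*)
                echo "WARN $path: insecure for '$host' (unprivileged source ports allowed)" ;;
            esac
        done
    done < "$file"
    set +f
    return $bad
}

# sample_exports: write a constructed /etc/exports to a temp file, print its path.
sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real Stanford configuration
/home            *(rw)
/pub             (ro)
/export/data     192.168.1.0/255.255.255.0(rw,root_squash)
/export/build    build1.example.edu(rw,no_root_squash)
/export/scratch
/usr/local       node1.example.edu(ro) node2.example.edu(ro,insecure)
EOF
    echo "$f"
}

# Usage on a real system:  audit_exports /etc/exports; echo "risky exports: $?"
```

On the constructed sample the audit reports four RISK lines (/home, /pub, /export/build and /export/scratch) and one WARN for /usr/local; the properly restricted /export/data is silent. Fix the findings, then run "exportfs -r" and re-check before starting the daemon.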
- How do I re-enable AutoFS?
Again, the most important step to re-enable AutoFS is to apply all
updates to the system.
After installing the updates, run as root:
# /sbin/chkconfig portmap on
# /sbin/chkconfig autofs on
# /etc/rc.d/init.d/portmap start
# /etc/rc.d/init.d/autofs start
The same firewall issues as for NFS apply to autofs.
- What is AFS?
AFS is a distributed filesystem that enables co-operating hosts
(clients and servers) to efficiently share filesystem resources
across both local and wide area networks. AFS is provided and supported by
Transarc Corporation.
At Stanford, Leland Systems uses AFS to provide and maintain a
campus-wide distributed filesystem -- the ir.stanford.edu AFS
cell. This cell currently consists of twenty AFS servers,
geographically distributed across campus, and one terabyte of
available disk space, which is backed up nightly.
Leland Systems uses this AFS cell to provide home directories for
all Leland Accounts, many Stanford classes, and many Stanford
University departments and campus organizations. Our AFS cell is
also the home for our /usr/pubsw campus software service, which
allows AFS client machines (for a variety of supported
architectures) to access and use software compiled and maintained
by Leland Systems personnel.
Over a thousand machines on the Stanford campus run AFS client
software, giving their users local access to their Leland Account
home directory, all the software available in /usr/pubsw, and hundreds
of other AFS cells worldwide.
- How do I enable AFS?
First, verify that afs is installed. If the file /etc/rc.d/init.d/afs
exists, it is installed on your system. If not, install it from
the download page.
To enable AFS, run as root:
# /sbin/chkconfig afs on
# /etc/rc.d/init.d/afs start
- How do I disable AFS?
Disabling AFS is tricky: once started, the AFS client (cache manager) is
loaded into the kernel and cannot be cleanly removed from a running system.
Therefore, you must:
- touch /etc/noafs
- reboot
- run /sbin/chkconfig afs off
- What is Kerberos?
Kerberos is the basis of Stanford's Campus Security Infrastructure. It
provides user and machine authentication and the session keys used for
encrypted communication channels. The Kerberos authentication servers managed
by Leland Systems keep track of all campus SUNet ID passwords.
- What is SSH?
SSH (Secure Shell) is a secure replacement for telnet and rlogin. It
encrypts the whole session, including your password, so eavesdroppers on
the network cannot steal it. More information on SSH is available at
http://www.openssh.org
- Who do I email for support?
If you have questions regarding the installation or use of RedHat
Linux, please consult the RedHat website at http://www.redhat.com
If you have questions about the Kerberos, AFS, Security, or
LibSafe packages, or any other SULinux-specific question, email sulinux-help@stanford.edu
- Is there a sulinux-help list archive?
There sure is! It is available in our mail archive section.
- Why does libsafe make program (insert name here) coredump?
Libsafe protects against buffer overflow attacks. A buffer overflow is a
programming error in which a program writes past the end of a buffer; an
exploit uses it to overwrite the stack and run attacker-supplied code,
usually giving the intruder full access to your machine.
When one of the C library functions it intercepts is called, libsafe checks
that the copy cannot run past the end of the current stack frame. A program
that isn't coded correctly can fail that check with no attacker present, much
as a sloppy program can hit a "segmentation violation". Libsafe then forces
the program to exit, which produces the core dump. Examples are old versions
of Netscape and Adobe Acrobat Reader. Quite likely, if you simply upgrade the
package that is core dumping, the problem will go away.
- What is libsafe?
Libsafe protects against buffer overflow attacks by using the dynamic
loader's preload mechanism to interpose its own versions of dangerous C
library functions such as strcpy and sprintf. Each replacement checks that
the copy cannot run past the end of the current stack frame, and makes the
program exit instead of allowing it to be exploited.
More information is available at http://www.avayalabs.com/project/libsafe/index.html
- How can I retrieve my mail from the leland servers?
First, realize that only mail that is kept on one of the mail
servers can be retrieved. Mail that you previously downloaded
by running programs such as Eudora and pine will not be
available.
To get your mail, run:
$ /usr/bin/fetchmail -u (your sunet id) --ssl .pobox.stanford.edu
The first command gives you the mail server to type in for the
second command.
- How do I install Zephyr?
You can use apt-get as usual to install the Zephyr packages.
Simply run as root:
# apt-get install zephyr-X11
All packages associated with zephyr will now be installed. This can be used for any package in the SULinux-specific and RedHat base repositories.
- Why did /usr/pubsw disappear?
Under certain conditions, the links /usr/pubsw, /usr/newsw, etc are accidentally removed during an upgrade. To restore them, reinstall the package sulinux-afsconfig. The easiest way to do this is to run the following as root:
# apt-get remove sulinux-afsconfig
# apt-get install sulinux-afsconfig
- How do I upgrade a SULinux 1.x-7.1 or RedHat 6.x-7.1 system to SULinux 7.2?
An article covering upgrades from SULinux 1.2, 2.0, and 7.1, as well as equivalent RedHat releases, was posted on island.stanford.edu. This was put together by one of the SULinux maintainers on his security site.
- How do I upgrade to SULinux 7.3 from a previous release of SULinux or RedHat Linux?
An article covering upgrades from SULinux 7.2 / RedHat 7.2 was posted on island.stanford.edu. This was put together by one of the SULinux maintainers on his security site. If you have an older release of SULinux or RedHat, see the previous question (above).
- I get an RPM dependency error when I try to install apt. How do I fix it?
There are some problems with an updated version of RPM provided by RedHat that break dependencies in apt-get. When trying to install apt, you might see this error:
rpm -ivh apt-0.3.19cnc55-1sp_su7x
error: failed dependencies:
librpm-4.0.3.so is needed by apt-0.3.19cnc55-1sp_su7x
librpmdb-4.0.3.so is needed by apt-0.3.19cnc55-1sp_su7x
librpmio-4.0.3.so is needed by apt-0.3.19cnc55-1sp_su7x
To fix this, you will need to install the latest version of apt instead of the default one provided by us. You can ftp it from linux.stanford.edu or run
rpm -ivh ftp://linux.stanford.edu/pub/sulinux-7.2/stanford/apt-0.3.19cnc55-2sp_su7x.i386.rpm
- Why is NFS slow?
This past weekend, the Graphics lab stumbled onto an apparent NFS bug in
RedHat 7.3's new 2.4.18 kernel, which is standard on all RedHat (and thus
SULinux) 7.3 systems. Apparently, an experimental patch (for 2.4.17) was
applied providing NFS v3 over TCP. In that mode, the maximum block size is
32K; the default for UDP or TCP should be 4096 bytes. Regardless, the kernel
is attempting 32K packets over UDP (not TCP). The resulting flood of
fragments drives the client to 100% of its network utilization, and the
NetApp becomes unresponsive to other hosts.
Workarounds to date are to force NFS v2 (option "v2" on mounts) *and* to
mount affected file servers with "rsize=8192,wsize=8192"; just specifying
"v2" is not enough.
Another solution that also seems to work wonders (I've tested it with
compiles, etc.) is to specify "tcp" as the only necessary option. Even at 32K
packets, the NetApps work fine without performance issues when v3/tcp/32K is
the applied combination.
I'd advise all users to use tcp or enforce rsize/wsize limits for NFS
connections from RH 7.3 clients until a patch is posted. The fragment flood
is effectively a denial-of-service attack on the file server.
Update: SULinux 7.3 now provides a new kernel (2.4.18-5) that addresses this problem. Please upgrade to at least that version.
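As an added example (not from this FAQ or the SULinux packages), the script below reads mount lines in /proc/mounts format, flags NFS mounts that use the combination described above (UDP with read or write sizes above 8192), and prints the remount options that avoid it. The option spellings follow the 2.4 kernel; the sample mount lines are constructed, not copied from a real host, and the defaults assumed for absent options are marked as assumptions in the code.

```shell
#!/bin/sh
# Added example for the "Why is NFS slow?" FAQ entry (not from the FAQ or the
# SULinux packages): flag NFS mounts that use the combination described above,
# UDP with 32K read/write sizes, and say how to remount them.  Input is in
# /proc/mounts form:  server:/export  /mountpoint  nfs  opt,opt,...  0 0
# Option spellings (v2/v3, udp/tcp, rsize=/wsize=) follow the 2.4 kernel; the
# sample lines in sample_mounts are constructed, not copied from a real host.

# nfs_mount_risk SOURCE MOUNTPOINT OPTIONS: print a verdict; exit 1 if risky.
nfs_mount_risk() {
    src=$1 mnt=$2 opts=$3
    vers='?' proto=udp rsize=4096 wsize=4096    # assumed defaults when an option is absent
    set -f
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case "$o" in
        v2|vers=2|nfsvers=2) vers=2 ;;
        v3|vers=3|nfsvers=3) vers=3 ;;
        tcp|proto=tcp)       proto=tcp ;;
        udp|proto=udp)       proto=udp ;;
        rsize=*)             rsize=${o#rsize=} ;;
        wsize=*)             wsize=${o#wsize=} ;;
        esac
    done
    IFS=$old_ifs
    set +f
    if [ "$proto" = udp ] && { [ "$rsize" -gt 8192 ] || [ "$wsize" -gt 8192 ]; }; then
        echo "RISK $mnt ($src): NFS v$vers over UDP with rsize=$rsize,wsize=$wsize;" \
             "remount with -o tcp, or -o v2,rsize=8192,wsize=8192"
        return 1
    fi
    echo "SAFE $mnt ($src): NFS v$vers over $proto, rsize=$rsize,wsize=$wsize"
    return 0
}

# nfs_audit_mounts < /proc/mounts: check every nfs mount; return the risky count.
nfs_audit_mounts() {
    bad=0
    while read -r src mnt fstype opts rest; do
        [ "$fstype" = nfs ] || continue
        nfs_mount_risk "$src" "$mnt" "$opts" || bad=$((bad + 1))
    done
    return $bad
}

# sample_mounts: constructed /proc/mounts lines from a hypothetical RH 7.3 client.
sample_mounts() {
    cat <<'EOF'
/dev/hda1 / ext3 rw 0 0
none /proc proc rw 0 0
netapp1:/vol/home /home nfs rw,v3,rsize=32768,wsize=32768,hard,udp,addr=netapp1 0 0
netapp1:/vol/proj /proj nfs rw,v3,rsize=32768,wsize=32768,hard,tcp,addr=netapp1 0 0
oldsrv:/export /mnt/old nfs rw,v2,rsize=8192,wsize=8192,hard,udp,addr=oldsrv 0 0
oldsrv:/scratch /mnt/scratch nfs rw,v2,rsize=32768,wsize=8192,hard,udp,addr=oldsrv 0 0
EOF
}

# On a real client:  nfs_audit_mounts < /proc/mounts
n=0
sample_mounts | nfs_audit_mounts || n=$?
echo "risky mounts: $n"
```

Note that /mnt/scratch is flagged even though it is already v2: as the text says, "v2" alone does not help, because the 32K read size over UDP is what produces the fragment flood. The tcp mount /proj passes, matching the v3/tcp/32K combination reported to work.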