This FAQ has been retired and replaced by the PUG FAQ Wiki, which should have all of the same information, except updated regularly to match current reality.
Current Maintainer: Jamie Faris (and the Princeton Unix Group)
Version $Id: index.html,v 1.11 2009/04/19 14:49:29 pug Exp $
Do NOT run a DHCP SERVER: This makes it impossible for anyone in your building to log onto the network, and will get CIT very angry. They will then shut off network access to your computer and it will be a pain to get it back. The best thing to do is to make sure that it isn't installed - if it is, make sure it doesn't start automatically (try the ntsysv program for controlling which services get started at boot time).
Are you tired of DOS? Bored with Windows? Looking for something more exciting than OS/2? Then try Linux! Linux is a copy-lefted 32-bit version of Unix for the Intel x86 architecture (IBM PC's and compatibles). It is completely free, and released under the GNU License.
Developed from scratch by Linus Torvalds, with the assistance of a loosely-knit team of hackers from across the 'Net, it aims towards POSIX compliance. Linux is a "full-fledged" implementation of Unix, with all the expected features, including true multitasking, virtual memory, shared libraries, demand loading, shared copy-on-write executables, proper memory management, and TCP/IP networking. For more information on Linux, read the FAQ.
The purpose of this HOWTO is to help anyone at Princeton to configure their Linux system to take advantage of Dormnet. This assumes (a) you have a Dormnet compatible machine, and (b) you already have Linux installed, or are going to do so.
If you're looking for information on installing Linux, check out the Installation HOWTO and Matt Welsh's Linux Installation and Getting Started. There are other sources on installing Linux available on the 'net, but these are the big two.
For more info on all things Linux, check Linuxdoc.org. They are the authoritative source of all the (mainstream) HOWTOs and guides.
This Howto was originally compiled by Mark Woon, and has been maintained by David Menestrina (1998-2000) and Victor Shnayder (2000-2003). The current maintainer is Jamie Faris (firstname.lastname@example.org). PUG would like to thank all those who have contributed to the howto, including:
Everybody is more than welcome to contribute to the faq. Suggestions, ideas, error reports, anything at all, just send them in to me! And before I forget, I'd like to thank all those that have already helped out.
This document is not gospel. Nobody is responsible for what happens to your machine but yourself. If doing anything suggested in this faq causes your computer to go up in flames, destroy all your hard won data, or otherwise do something unpleasant, I'm not responsible. But do mail me about it so I can warn others...
The first step is easy enough: make sure you're registered with CIT. You must have a Dormnet account if you intend to access the net with your Linux box. There are two ways to accomplish this. The easiest is through the World Wide Web; just follow the links from http://www.princeton.edu/Dormnet. You can also do it in person by showing up at CIT headquarters at 171 Broadmead.
Next, you'll have to register your ethernet address. You can do this through the World Wide Web at http://heymon.princeton.edu/hostmaster/ or by e-mailing email@example.com with your name, userid, and your ethernet address.
The easiest way to get your ethernet address is to run 'ifconfig -a' (you have to be root) and look for the HWaddr field of your network card - it will most likely be device eth0.
You might also want to register your alias while you're at it (see section 2.4 below).
It seems that most of this is no longer needed: you should be able to use DHCP to set up everything automatically. In RedHat, run linuxconf, go to the Networking/Client tasks/Basic host info/Adaptor 1 tab, and just set the Config mode to DHCP. You will still have to specify the correct Net device (almost always eth0) and the correct kernel module for the card (which you need to know; it should be in /etc/conf.modules). If you get an alias, then enter it in the hostname field in the host name tab in the same dialog.
If you have a different distribution, look at the docs that came with it for info on setting up DHCP. (Most current install programs should have an option to automatically set up DHCP - all you have to do is input your hostname)
I've left the rest of this section in for now in case the above doesn't work for some reason (it should, and before you give up, triple check everything - do you have the correct module/device, does the card actually work, etc...)
There are several important bits of information that you must know before your Linux box can connect to the network: your IP address, your netmask, your gateway address, and your name server address.
Once you have all these handy-dandy numbers, you're all ready to roll. All distributions I'm familiar with have a script to automatically configure all necessary files. For Red Hat, it's the "Network Configuration" module in control-panel (an X Windows program). For Slackware, it's netconfig. This will start up a program that prompts you for the numbers above. (It will also ask you for some other names - see below.)
Depending on which distribution you use, the configuration script may or may not ask you for the broadcast address. If it doesn't ask you for one, it may have automatically calculated it for you. Check your rc.inet1 file in /etc/rc.d to see that the broadcast address value is set correctly.
You can use more than one name server in the resolv.conf file located in /etc. I would suggest using gambit as the main one and any of the others as backups. This way, machines on Dormnet can resolve their addresses (allowing name lookup, printing, news reading, etc.) even when dormgate, the gateway for dormnet, goes down. UPDATE (01/08/2001): It seems that this machine no longer exists, and that 184.108.40.206 is now printserve.princeton.edu
Note that netconfig only asks for one name server, but you can add additional ones later by editing /etc/resolv.conf .
Here's an example resolv.conf:
domain Princeton.EDU
search Princeton.EDU student.Princeton.EDU
nameserver 220.127.116.11   # a dormnet nameserver (not anymore it seems)
nameserver 18.104.22.168    # a princeton nameserver
nameserver 22.214.171.124   # an outside nameserver
You can add multiple nameservers directly in Red Hat's "Network Configuration" module in control-panel without messing with resolv.conf.
Now for the fun part - naming your computer! While the name for your computer on Dormnet is always userid.student, you're allowed to have it aliased to something else. For example, if you decide to name your computer Zorro, both userid.student and Zorro now refer to your computer.
The easy part is teaching your computer what its name is. When running the aforementioned netconfig, it will prompt you for a name. Enter it. When it prompts you for a domain, use princeton.edu. Your computer's full name is now zorro.princeton.edu. For Red Hat's "Network Configuration" module in control-panel, it will ask for both your computer's real name (userid.student.princeton.edu) and any aliases (alias.princeton.edu). You can also use the command /bin/hostname to set the hostname - check the manpage for details.
And what's the hard part, you ask? Well, not so much hard as slow. You'll have to tell the PU hostmaster the name you've given to your computer. This used to take days, but I hear the turn around time is pretty quick now (a day or so - sometimes even less). You can do this through the World Wide Web at http://heymon.princeton.edu/hostmaster/, or by e-mailing firstname.lastname@example.org with your name, userid, the alias you want for your computer.
Here is the basic information needed to configure an email client. Detailed instructions follow for some common email clients, but if yours isn't listed you should be able to figure it out from this.
This section has some specific instructions with screenshots for some popular email programs.
These instructions are for KMail version 1.5.4, but they should work for other versions.
First, open the settings dialog by choosing Configure KMail from the Settings menu. Select the Network button on the left. In the Sending tab, click on Add... and when asked, choose SMTP as the transport. Fill in the dialog box as shown in figures 3.1 and 3.2.
In the Receiving tab, click on Add... and choose IMAP as the account type. Fill in the settings as shown in figure 3.3. For the security settings you want Encryption: Use SSL and Authentication Method: Clear Text.
This needs to be filled in.
This needs to be filled in.
This needs to be filled in. KDE Address Book, others?
I'm not sure how up to date this info is, because I just use netscape when I need to use news - the server is news.princeton.edu.
The news server at Princeton is news.princeton.edu (an alias for cnn.princeton.edu).
One of the most important things as far as news reading is concerned is making sure you're posting correctly. Check the headers in your posts, especially the "FROM:" line. If it doesn't say userid@machine_name.princeton.edu, you have something misconfigured somewhere. Here are some likely culprits:
If you run into trouble, I recommend reading the Linux Printing HOWTO and the Printing Usage HOWTO. The former is much more useful for actually setting up printing services on your Linux box, while the latter mainly deals with how to print (programs, etc.).
First go to www.princeton.edu/clusters/printers.shtml and find the printer you want to add. You need to know the Printer Model and the Unix Queue. To print single-sided, replace the last 'd' with 's', for example 'xe_pyne_d' becomes 'xe_pyne_s'. You can add these as two separate printers.
Install the packages cupsys, cupsys-bsd, and cupsys-client (as root, apt-get install cupsys cupsys-client cupsys-bsd). Go to http://localhost:631. Click "Do Administration Tasks". Click "Add Printer". Enter a short, memorable name into "Name" (it's the one you'll use on the command line, as in lpr -Pprintername foo.ps, so you don't want any spaces in it). Enter whatever you want into "Location" and "Description". Hit continue. From "Device", pick "LPD/LPR Host or Printer". In "Device URI", enter lpd://
Open the Control Center and go to the Printers section under the Peripherals category. Right click on the background of the printers list and select "Add Printer/Class". This will start the Add Printer Wizard. Click next to start.
In order to be able to clear your print jobs through the Pharos print stations, you must print from a user account on your computer with the same name as your netid.
ADSM is a backup program that allows you to backup your hard drive through the 'Net onto the OIT servers. To start backing up your Linux partitions, follow this link to the TSM website, which provides installation instructions.
[From the man page:]
NFS (Network File System) allows a client to perform transparent file access over the network. Using it, a client can operate on files that reside on a variety of servers, server architectures, and across a variety of operating systems.
[suggested by Hui-Hui Hu]
[from Leszek Mazur]
Good options to specify are:
This will give you 8kB reads and writes and a timeout value of 15 seconds, so if you're hard mounting cnn and it goes down, your machine won't freeze on boot.
There have been a few problems of late with people trying to run routed. Why they would need to, I have no idea, but they try, and inadvertently screw up their local network by sending out bogus routing information.
There is a simple solution for this: don't run routed. According to OIT, if you really want to run it, please use the -q option. Slackware's commented-out call to routed in /etc/rc.d/rc.inet2 uses the -s flag (which causes the problem), so please delete the flag if you uncomment the line!
While OIT has said that they have changed the system such that a crazy routed will not bring down an entire subnet, let's not tempt fate, ok?
The easiest way to do this is if you have SMBFS (samba file system) support in the kernel (either as a module or compiled in). As far as I know, most distributions have it included by default. If it is, create the directory where you want your UNIX files. (Ex: mkdir /home/user/netID)
mount -t smbfs -o username=netID,password=foobar //smbserve/netID /home/user/netID
If you don't want to put the password on the command line, omit it and you should be prompted for it.
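A password given on the command line also ends up in your shell history and is visible to other users in ps output while the mount runs. The following is an added example (not from the original HOWTO) that keeps the password in an owner-only credentials file instead; it assumes that smbmount, and therefore mount -t smbfs, accepts the credentials= option as documented in the Samba 2.2-era smbmount man page. The netID, password and paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: keep the SMB password out
# of the command line (and so out of `ps` output and shell history) by
# writing an smbmount credentials file that only the owner can read.
# Assumes smbmount / mount -t smbfs accept the credentials= option.

# Write "username = ..." / "password = ..." to $1 with mode 0600.
# The file is created under a restrictive umask so it is never readable
# by anyone else, even for an instant before chmod runs.
write_smb_credentials() {
    credfile=$1 user=$2 pass=$3
    old_umask=$(umask)
    umask 077
    printf 'username = %s\npassword = %s\n' "$user" "$pass" > "$credfile"
    umask "$old_umask"
    chmod 600 "$credfile"
}

# Return the octal permission bits of a file (e.g. 600), for checking
# that the credentials file really is owner-only.
file_mode() {
    stat -c '%a' "$1"
}

# Build the mount command; the password never appears in it.
smb_mount_command() {
    credfile=$1 share=$2 mountpoint=$3
    printf 'mount -t smbfs -o credentials=%s %s %s\n' \
        "$credfile" "$share" "$mountpoint"
}

# Demonstration with constructed placeholder values (netID / foobar).
DEMO_CRED=$(mktemp)
write_smb_credentials "$DEMO_CRED" "netID" "foobar"
DEMO_CMD=$(smb_mount_command "$DEMO_CRED" "//smbserve/netID" "/home/user/netID")
echo "Credentials file mode: $(file_mode "$DEMO_CRED")"
echo "Run as root: $DEMO_CMD"
```

Delete the credentials file if you stop using it; a forgotten copy in your home directory is the same secret, just somewhere you are not looking.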
Note: Al Hammell sent me the following instructions for some newer distributions:
I hadn't been able to mount my unix directory according to the howto with newer Linux distributions (Red Hat 7.1,7.2 and Mandrake 8.1,8.2). I was finally able to do it by first editing smb.conf according to this page, http://helpdesk.princeton.edu/kb/display.plx?id=8986, and then mount it with regular user by.
$ chmod a+s smbmount
then as regular user,
$ smbmount //smbserve/userid /home/directory/smb -o username=userid
This worked on Mandrake 8.2, samba 2.2.4 and I assume it would work on other newer distributions as well.
If the above doesn't work for you, try these older instructions. They have been known to work on various older distributions.
To mount your UNIX directory under Linux, you need the SAMBA package, which is universally available. There are many HOWTOs and other documents available which describe how to do this. On a Red Hat system it is as easy as installing the samba RPM. Once this package is properly installed, set the suid bit for the programs smbmount and smbumount, which are probably located in /usr/bin. This is accomplished with the following commands (run as root).
$ chmod a+s /usr/bin/smbmount
$ chmod a+s /usr/bin/smbumount
Now, as a normal user, create the directory where you want to mount your UNIX directory (say /home/user/userid). Now, to mount your directory there, logged in as user, run the following command:
smbmount //smbserve/userid -c 'mount /home/user/userid' -U userid
Type in your NT password when it asks, and your home directory will be mounted at /home/user/userid. You can simply add the above command to your .login file and it will automatically mount your UNIX directory every time you log into your computer.
Note: Some distributions hack the smbmount command to make its command line slightly easier to type. If the above command doesn't work for you, try the following command instead:
smbmount //smbserve/userid /home/user/userid -U userid
Yet Another Note: If that still doesn't work, get the latest version of Samba (2.2.5 as of 06/19/2002), and read the documentation. (not the manpage though - it was hopelessly out of date last time I checked. Your best bet is to just run the program with no options, which makes it spit out usage info (or of course check the website)) If you get a different version to work, please send me mail and tell me what you did. Also, newer kernels have smbfs as a supported filesystem, so support for that needs to be compiled in (Mine doesn't for some reason - I guess I screwed up my config when I last recompiled, which is why I can't give better info here)
> Error returning browse list: NT_STATUS_ACCESS_DENIED
when trying to list shares?
smbclient -L dormprint -U netid -W PRINCETON
smbclient //dormprint/Forbes -U netid -W PRINCETON
First of all, there isn't anywhere near enough info here - I will just give some general suggestions and provide some links to (much) more detailed info.
As a matter of fact, if you're at all serious about securing your machine , you might as well just start reading some of these right away, so I'll put the links first (these are in no particular order):
Here are the general ideas for making your machine secure:
I'll now cover each point in a bit more detail:
The first point is one which a lot of people seem to completely forget while worrying about hackers on the net - your computer can be unplugged from the network completely, but if someone can walk into your room and walk out with it, it won't help you any if your machine is "hackerproof" (and there's no such thing :). Not much more can be said for this than "use common sense".
Don't run unnecessary services: This is the general principle of getting security - most current distributions have a very insecure default install. To see what you have running, run ps -aux and look for things like inetd, httpd, nfsd, smbd, nmbd, and other things that end with d :). Most services (but not all) are run from inetd. So basically, what you want to do is comment out everything in /etc/inetd.conf unless you have a good reason to keep it running. Then run killall -HUP inetd. Even better, just don't run inetd at all if you don't need anything from it. Note: As far as I know, Red Hat 7 doesn't use inetd anymore, but something called xinetd instead. Read the docs for info on how to disable services.
Other things to watch for - apache (it will show up as httpd), ftp (this may or may not be run out of inetd), samba (smbd, nmbd), and anything else you don't recognize (Be careful about just killing random processes though - for example, xfs is the X font server, and is needed for X to run). To change whether these servers start up, you can use linuxconf, run ntsysv (at least on redhat), or just change the symlinks in /etc/rc.* by hand.
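The "comment out everything in /etc/inetd.conf unless you have a good reason" step, as an added example that is not part of the original HOWTO: it lists which inetd services are currently enabled, then writes a copy of the file with everything outside an allowlist commented out and marked, so you can diff it against the original before copying it into place and sending inetd a HUP. The sample inetd.conf and the #DISABLED-BY-AUDIT# marker are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): audit an inetd.conf and
# disable every service that is not on an allowlist.

# Constructed sample inetd.conf; a real audit would use /etc/inetd.conf.
SAMPLE_INETD_CONF=$(mktemp)
cat > "$SAMPLE_INETD_CONF" <<'EOF'
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
ident   stream  tcp     nowait  nobody  /usr/sbin/identd identd -i
EOF

# Print the service name (first field) of every enabled line, i.e.
# every line that is neither blank nor commented out.
inetd_enabled_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{print $1}'
}

# Write a copy of $1 to $3 in which each enabled service not listed in
# the space-separated allowlist $2 is commented out with a marker, so the
# change is easy to review and to revert.
inetd_disable_except() {
    conf=$1 allow=$2 out=$3
    awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments and blanks: keep
        ($1 in keep)             { print; next }   # allowlisted: keep
        { print "#DISABLED-BY-AUDIT# " $0 }        # everything else: disable
    ' "$conf" > "$out"
}

# Count the lines the audit disabled in a rewritten config.
inetd_count_disabled() {
    grep -c '^#DISABLED-BY-AUDIT#' "$1"
}

# Demonstration: show what is on, then keep only ident.
echo "Enabled before audit:"
inetd_enabled_services "$SAMPLE_INETD_CONF"
AUDITED_CONF=$(mktemp)
inetd_disable_except "$SAMPLE_INETD_CONF" "ident" "$AUDITED_CONF"
echo "Enabled after audit:"
inetd_enabled_services "$AUDITED_CONF"
echo "Disabled $(inetd_count_disabled "$AUDITED_CONF") services; review $AUDITED_CONF"
```

After reviewing the rewritten file, copy it over /etc/inetd.conf and run killall -HUP inetd as the text describes; the marker lines make it obvious later which entries were turned off by the audit rather than by hand.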
Don't use telnet/rcp/rlogin... - this is a particular case of the above: all these programs send everything in the session (including the password) over the network in plain text, where it can be sniffed very easily (I've seen it done - the programs out there make it completely trivial). Use SSH instead (see below).
Use SSH - get a free implementation at www.openssh.com. They provide a server as well as a client, and also have scp, which is a replacement for rcp. SSH is very easy to use - it is basically identical to telnet: just use ssh [-l username] hostname to connect to other machines (of course, see the docs for more info :). If you need access to your machine from remote computers, use sshd. It is also very easy to set up, and provides secure connections to your machines. There are also a bunch of free windows clients for ssh, so you can connect to your machine even if you're stuck with a windows machine at home. You can find a list of free ssh programs at www.freessh.org (if I can't install any of these for some reason, and have to connect to a machine that only allows ssh (as it should), I can telnet to phoenix or some other OIT machine, and then use ssh from there - this does of course defeat the point somewhat, but it does give you a way to get to your machine in emergencies without running telnet.)
So to summarize on services... here are the services that I think
constitute a secure system (for a personal workstation):
httpd (If you have a good reason why the web page space on phoenix isn't good enough for you)
And nothing else unless you really need it.
Keep up to date on patches - there are security holes found in different packages all the time - keep a lookout on your distribution's site and keep your machine up to date. An easy way on redhat is to download all the files in the updates directory for your version, and use rpm -Fvh - this will "freshen" everything, so it will only install updated versions of programs that you already have.
Don't give accounts to people you can't trust - getting shell access is the first step to getting root on a machine, and usually the hardest step. Don't give out accounts, and don't do things like giving all your friends a single account with a single password - it will be very likely that soon that info will be given to others (for some reason, people think that if 10 people already know the password, giving it to someone else isn't a big deal).
Firewall - I haven't had time to set one up myself, so I can't say much about it besides the fact that running one is a pretty good idea, especially if you are running services beyond those mentioned above, and it isn't too hard. Read the Firewall HOWTO for more info.
Intrusion detection - these can be useful, though they may be a bit of overkill for a personal system. I've personally used Tripwire. It's one of the best ones out there, and is free for linux.
The most important thing however, is to scroll back up and click on a couple of those security links (and then read the pages that come up :) - this is just a brief overview from someone who isn't an expert on security, and shouldn't be taken as being anywhere near all you need to know.
If you have more questions, address them to the mailing list Unix Users' Group of Princeton University. To join, send a blank email containing just the words subscribe unix-list to email@example.com. To post, write to firstname.lastname@example.org.
Comments? Suggestions? Questions?
I really do want suggestions, so please do send email if you have suggestions or comments :)
Mail them to email@example.com.