Cosmos Journal
Made some changes to /etc/inetd.conf so that at next boot in.talkd, in.fingerd and in.uucpd will be blocked at the service/inetd level (in addition to the IP Filter level and the router level).
For details see Security Journal.
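As an added illustration (not from the journal or the Security Journal it links to), the following script comments out inetd.conf entries by daemon name and then verifies that they are gone. It assumes the classic Solaris inetd.conf layout (service, socket type, protocol, wait flag, user, server program, arguments) with the server program in the sixth field, and it runs here against a constructed copy rather than the live /etc/inetd.conf.

```shell
#!/bin/sh
# Added example: disable inetd services by daemon name in a copy of inetd.conf.
# Assumed layout (Solaris): svc  type  proto  wait  user  /path/in.foo  args
# The server program is field 6, which holds for the in.talkd/in.fingerd/in.uucpd lines.

# Comment out every active line whose server-program basename is one of the daemons given.
disable_inetd_daemons() {
    conf=$1; shift
    for d in "$@"; do
        awk -v d="$d" '
            /^[ \t]*#/ { print; next }                  # already disabled, or a comment
            {
                n = split($6, p, "/")                   # basename of the server program
                if (p[n] == d) print "#" $0; else print
            }' "$conf" > "$conf.new" && mv "$conf.new" "$conf"
    done
}

# Exit 0 if the daemon still has an active (uncommented) line, 1 otherwise.
inetd_daemon_enabled() {
    awk -v d="$2" '
        /^[ \t]*#/ { next }
        { n = split($6, p, "/"); if (p[n] == d) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Number of active (uncommented, non-blank) entries left in the file.
count_active_inetd_entries() {
    grep -c '^[^#[:space:]]' "$1"
}

# Constructed sample (not the real file): the three entries the journal blocks, plus two it keeps.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed inetd.conf excerpt for the example
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
talk    dgram   udp     wait    root    /usr/sbin/in.talkd      in.talkd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
uucp    stream  tcp     nowait  root    /usr/sbin/in.uucpd      in.uucpd
EOF
}

if [ "$1" = "demo" ]; then
    f=${TMPDIR:-/tmp}/inetd.conf.$$
    make_sample_inetd_conf "$f"
    disable_inetd_daemons "$f" in.talkd in.fingerd in.uucpd
    cat "$f"
    rm -f "$f"
fi
```

On the live file, a `kill -HUP` of the running inetd makes the change take effect without waiting for the reboot. The commented-out entry only removes the listener; the IP Filter and router rules still belong in place as the layers that hold if someone re-enables the service.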
-- require both motd and usage-conditions to appear at login on cosmos and eric, but this will be about two screens' worth so half will scroll past and never be read;
-- original status: cat was used (in /etc/.login and /usr/local/etc/profile.local) to display /usr/local/etc/motd;
-- a one-line (only) banner can be put up via the BANNER field in /etc/default/telnetd so this is no help;
-- for ssh, problem solved: put the usage-message in /etc/ssh2/ssh_banner_config which appears above the login prompt and therefore only the motd need appear after login;
-- solution for telnet: put both motd and usage-message in motd and use more rather than cat and stick necessary control-L characters in the motd text file;
-- problem: this breaks eXceed which means eXceed is crap, nevertheless we have to work around this;
-- solution: use /etc/issue which can be more than one line and is used by telnet (but not ssh);
Installed tcpdump from sunfreeware binary to investigate problems. It complained that libcrypt0.so.??? was missing. Google showed that this was part of openssh/openssl. Investigation of the OpenSSH and OpenSSL binaries on sunfreeware.com showed that they contained said library and that it was already installed on Cosmos (but not Eric) --- the OpenSSL package, which installs itself in /usr/local/ssl, contained it, so adding /usr/local/ssl/lib to LD_LIBRARY_PATH solved the problem and I had a good play with tcpdump.
Edited /etc/syslog.conf on, and restarted (kill -HUP) syslogd on, both Cosmos and Eric so logs are now copied to Gresh's logserver. Added this to /etc/syslog.conf:

# gresh's log server
*.info @130.88.???.???

N.B. that the whitespace consists of tabs, not blank spaces --- use the wrong one and an error message appears in /var/adm/messages (cf.

eric syslogd: line 44: unknown priority name "info @130.88.120.194"

which clearly shows that syslogd is getting its knickers in a twist...
See this for details.
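The tab-versus-space failure above is easy to catch before the HUP. The script below is an added example (not from the journal): it flags syslog.conf lines whose selector/action separator contains a space, rewrites a copy with a single tab, and runs on a constructed sample; `@loghost` stands in for the real log server address, which the journal does not give.

```shell
#!/bin/sh
# Added example: spot syslog.conf lines whose selector/action separator contains a space.
# Solaris syslogd splits selector and action on TABs only; with a space the whole line is
# read as the selector and the priority comes out as e.g. 'info @loghost' (the error the
# journal saw in /var/adm/messages). Runs on a constructed copy, never the live file.

# Print every offending line with its number; exit 1 if there were any, 0 otherwise.
check_syslog_conf() {
    awk '
        /^[ \t]*(#|$)/ { next }                          # comments and blank lines are fine
        # selector, then a whitespace run containing at least one SPACE, then the action
        /^[^ \t]+[ \t]* [ \t]*[^ \t]/ { printf "line %d: space before action: %s\n", NR, $0; bad++ }
        END { exit bad ? 1 : 0 }' "$1"
}

# Write a copy of file $1 to $2 with exactly one TAB between selector and action.
fix_syslog_conf() {
    awk '
        /^[ \t]*(#|$)/ { print; next }
        NF < 2         { print; next }                   # no action field: leave untouched
        { sel = $1; sub(/^[^ \t]+[ \t]+/, ""); print sel "\t" $0 }' "$1" > "$2"
}

# Constructed sample: lines 1 and 2 are fine, line 3 is the mistake the journal describes.
make_sample_syslog_conf() {
    printf '*.err;kern.notice;auth.notice\t/dev/sysmsg\n' > "$1"
    printf '# remote log server (placeholder name, not the real address)\n' >> "$1"
    printf '*.info @loghost\n' >> "$1"
}

if [ "$1" = "demo" ]; then
    f=${TMPDIR:-/tmp}/syslog.conf.$$
    make_sample_syslog_conf "$f"
    check_syslog_conf "$f" || fix_syslog_conf "$f" "$f.fixed"
    cat -A "$f.fixed" 2>/dev/null || cat "$f.fixed"
    rm -f "$f" "$f.fixed"
fi
```

Run the check against /etc/syslog.conf before sending the HUP; once it passes, the remote line should appear in a `cat -t` of the file as `*.info^I@...`.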
First steps of plan developed to get IP Filter on Cosmos and Eric with default-deny; also replace telnet and ftp with ssh and scp. For details of the evolving plans see this.
Sorted out /etc/dfs/dfstab so that all users' dirs are shared with Eric.
Shared /export/u06 with eric for mpciish2 (see /etc/dfs/*) --- stuck an entry in dfstab and typed

share -F nfs -o rw=cosmos:eric.umist.ac.uk -d "test for mpciish2" /export/u06
Started moving "dead" accounts' files to /export/u09/__DELETED_ACCOUNTS. After each mv the files are tarred up and gzipped.
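An added example (not the journal's own script) of the archive step, with the check a practitioner would want before anything is deleted: the archive is listed and its file count compared with the source tree, and the original is removed only if they agree. It tars the directory in place and then removes it rather than mv-ing first as the journal describes; the destination directory is the journal's, the `archive_home` name and the compare-then-delete step are mine.

```shell
#!/bin/sh
# Added example: archive a dead account's home directory as USER.tar.gz under the
# journal's __DELETED_ACCOUNTS directory and remove the source only after the archive
# has been listed and its entry count matches the tree. Overridable for testing.
ARCHIVE_DIR=${ARCHIVE_DIR:-/export/u09/__DELETED_ACCOUNTS}

# archive_home USER HOMEDIR  ->  $ARCHIVE_DIR/USER.tar.gz ; leaves HOMEDIR alone on any failure
archive_home() {
    user=$1; home=$2; out=$ARCHIVE_DIR/$user.tar.gz
    [ -d "$home" ] || { echo "$home: not a directory" >&2; return 1; }
    [ -e "$out" ] && { echo "$out exists, refusing to overwrite" >&2; return 1; }
    mkdir -p "$ARCHIVE_DIR"
    parent=$(dirname "$home"); base=$(basename "$home")
    # Archive relative to the parent so the tarball holds USER/... rather than absolute paths.
    ( cd "$parent" && tar cf - "$base" ) | gzip -c > "$out" || return 1
    # Verify: the archive must list every non-directory entry that the tree contains.
    want=$(cd "$parent" && find "$base" ! -type d | wc -l | tr -d ' ')
    got=$(gzip -dc "$out" | tar tf - | grep -v '/$' | wc -l | tr -d ' ')
    if [ "$want" -ne "$got" ]; then
        echo "$out: tree has $want entries but archive lists $got; keeping $home" >&2
        return 1
    fi
    rm -rf "$home"
    chmod 600 "$out"          # the archive still holds the user's data; keep it private
}

if [ "$1" = "demo" ]; then
    archive_home "$2" "$3"
fi
```

Run as root so tar preserves ownership and modes inside the archive; the 0600 on the tarball (and a non-world-readable __DELETED_ACCOUNTS) matters because the Data Protection Act retention the journal worries about applies to these copies as much as to the live accounts.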
Downloaded, built from scratch and installed Gnome 1.4.
Wrote and installed new account admin scripts suite.
Paul, Darren, Cosmos: the story so far
-------------------------

0. More detailed notes and draft Web pages can be found at http://talby.csu.umist.ac.uk/~isd/_cosmeric/

1. Account Clear Out

As detailed in my previous email of this week I believe I have identified several hundred dead accounts on Cosmos. The remaining accounts have, where necessary, been changed to have eUMIST usernames.

Status: awaiting one month from term start to archive the accounts. They are currently disabled.

2. LDAP Authentication

After an epic fight with the Solaris "documentation", with Solaris 7 and with Netware "documentation", Cosmos can now authenticate users via LDAP, local NIS and local flat files (/etc/).

Status: accounts were being moved from NIS to LDAP/eUMIST department-by-department, but this process has stalled as Cornelis is busy.

3. Account Creation and Management

I have completely re-written the account creation and management software on Cosmos. This was prompted by the authentication change (to LDAP). The software should now be much more easily extendable and maintainable.

Status: done, working. The URS now contains Cosmos accounts and will drive account creation on Cosmos (details to be worked out with Cornelis).

4. Applications

I have installed, amongst other things: a non-stoneage editor (gedit) which should, I believe, be the ISD supported editor on Cosmos (and Eric) --- for reasons which I cannot fathom the supported editor is currently vi; an up-to-date web browser; gnuplot (data plotting gizmo).

Status: Star/OpenOffice seem to require Solaris 8 or 9.

5. SSH

An ssh2 daemon is running on Cosmos --- that from SSH Communications, rather than OpenSSH (given the recent problems with OpenSSH). This works with PAM on Cosmos and therefore needs "keyboard_interactive" authentication to be configured on the client. Only the newer ssh clients support this. (See notes via above link.)

Status: working. Documentation needs publishing.

6. rexec

The r-commands are a real pain. rsh and rlogin have been stopped (apart from certain hosts) by use of TCP Wrappers, but rexec remains. This is a security nightmare --- not only are the r-commands bad in themselves, but the rexec daemon on Cosmos (the Solaris-supplied one) does NOT log anything --- this includes connections through eXceed! I experimented with an open-source rexec daemon, but this does not understand PAM authentication (which is necessary for LDAP/eUMIST).

Status: rexec remains. Given that eXceed can use telnet rather than rexec (not sure if it can use ssh) there is no reason to keep rexec. (Nick 1 did try to eliminate rexec some time ago, but was pressured into putting it back.)

7. Logging and Data Protection Act

Have re-jigged logging on Cosmos to maintain logs for 13 weeks.

Status: If this is acceptable for the Data Protection Act then I'll do the same for Eric (and Kenny?)

8. Unix Printing

Unix printing is handled by the Unicon gizmo on prn1.umist.ac.uk. Unicon maintains a NIS database in which lists of trusted hosts and registered users live. Unicon accepts jobs from unix print queues and sends them to Netware queues but does nothing re choosing printer tray, setting duplex, etc. I have therefore written a set of printer drivers which wrap generic-postscript sent to queues on Cosmos with suitable PJL/PCL.

Status: tested, works for A0, A3 colour, A3 b/w, A4 colour, b/w, transparency and duplex on Cosmos. Awaiting time from Lee to populate the NIS database with Cosmos eUMIST usernames so that users can print!

9. System Monitoring --- Part One

I have written and installed some system monitoring software on Eric. It works and is in the "tweaking" stage. I happily note that it picked up today's (Wednesday, 28 Aug) problems in C7 at 00:22 this morning (multiple SCSI problems on Eric) and Paul Hills (at my prompting) had called Estates re the air-conditioning by 09:15 this morning.

Status: it works! I plan to do a little more work on this: install on Cosmos; write a simple client (something that takes up less screen-space than multiple xterms doing "tail -f <given fifo>").

10. System Monitoring --- SNMP

I have downloaded, compiled and installed SNMP on Cosmos. Am configuring and experimenting with this with Nick 2.

Status: early stages!

11. Documentation, Handbook Entry, Web Pages

I have written a new Handbook entry for Cosmos and Eric, and also some new Web pages describing our Unix service, e.g., available apps, printing...

Status: awaiting time from Andrea to "publish" on the ISD web site.

-------------------------------------------------------------------------------
Proposals
---------

a. Get rid of rexec

See above.

b. Upgrade Cosmos to Solaris 9 after Eric becomes a general-purpose machine.

Neither StarOffice nor OpenOffice appear to run under/over Solaris 7. I am increasingly finding support for Solaris 7 is being dropped. Time to eat that bullet?

-------------------------------------------------------------------------------
For Discussion/To Be Determined?
--------------------------------

i. Eric CPU management --- Solaris 9 ?
ii. Licence issues with upgrade 7 --> 9 ?

-------------------------------------------------------------------------------
The End.
-------------------------------------------------------------------------------
Installed IP Filter on Cosmos to protect SNMP: here.
Installed SNMP on Cosmos --- to work on configuration with Nick G.
Changed how logs are done to help with Data Protection Act
The SSH2 stuff (from SSH Communications, rather than OpenSSH) is installed on Cosmos (/usr/local/sbin and /etc/ssh2):
Since Cosmos uses PAM to do the LDAP authentication, SSH clients must use keyboard_interactive as the authentication method:
Installed "new" printer drivers system on Cosmos.
Many of the applications and utilities on Cosmos "print" by exporting to generic Postscript which can either be saved to a file or streamed directly to a printer (or print queue); these apps and utils do not come with drivers suitable for printing transparencies, A3, duplex-A4, etc.
So I wrote suitable drivers --- essentially wrappers for the generic Postscript:
Anyone registered in the Unicon NIS database can print from a trusted host (i.e., a machine registered...). In practice only eUMIST usernames are to be registered. The problem of which machines can actually be trusted remains! A workaround is to use this script on non-trusted machines:
The short version: I installed LDAP on a RedHat box and changed authentication on said box to LDAP (rather than flat, /etc/, files); changed a Solaris 8 box to authenticate as a client of the RedHat box --- this a first step to getting Solaris 7 boxes (Eric and Cosmos) doing the same thing (tried Solaris 8 first as this was reputed to be much easier than Solaris 7); changed a Solaris 7 box to do the same thing --- this was much harder; changed Cosmos to do the same.
This is the long version: eUMISTified Cosmos
-- in short: installed openssh
-- in full: got openssh pkg for sol7 from sunfreeware.com and downloaded and installed with "pkgadd -d" --- needed libcrypto so got openssl pkg for sol7 from same place and installed it, and then still needed a libgcc 3.0 library so got libgcc 3.0 for sol7 from same place and installed that; postinstall: ran a postinstall script to generate the keys and then it worked ok; put a startup script in /etc/init.d/sshd and put a link into /etc/rc2.d to ensure the daemon is started always...
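An added example of the kind of /etc/init.d/sshd script referred to above; it is not the journal's script. Paths are assumptions: the sunfreeware package is taken to install sshd in /usr/local/sbin and to write /var/run/sshd.pid, and both are overridable from the environment so the status logic can be exercised without a real daemon.

```shell
#!/bin/sh
# Added example: a Solaris SysV-style /etc/init.d/sshd, linked from /etc/rc2.d.
# Assumed paths (not from the journal): binary in /usr/local/sbin, pidfile in /var/run.
SSHD_BIN=${SSHD_BIN:-/usr/local/sbin/sshd}
SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/sshd.pid}

# Exit 0 if the pidfile names a live process, 1 if the pidfile is missing, empty or stale.
sshd_status() {
    [ -r "$SSHD_PIDFILE" ] || return 1
    pid=$(cat "$SSHD_PIDFILE")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

sshd_start() {
    if sshd_status; then
        echo "sshd already running (pid $(cat "$SSHD_PIDFILE"))"
        return 0
    fi
    [ -x "$SSHD_BIN" ] || { echo "$SSHD_BIN: not executable" >&2; return 1; }
    "$SSHD_BIN"             # sshd daemonises itself and writes its own pidfile
}

# Signal only the listening master named in the pidfile. A blanket 'pkill sshd' would also
# kill every logged-in user's session, since each session is a forked sshd.
sshd_stop() {
    sshd_status || { echo "sshd not running"; rm -f "$SSHD_PIDFILE"; return 0; }
    kill "$(cat "$SSHD_PIDFILE")"
}

case "$1" in
    start)   sshd_start ;;
    stop)    sshd_stop ;;
    restart) sshd_stop; sshd_start ;;
    status)  if sshd_status; then echo "sshd running"; else echo "sshd not running"; exit 1; fi ;;
    "")      ;;             # run or sourced without arguments: only define the functions
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

The rc2.d link would be something like `ln -s /etc/init.d/sshd /etc/rc2.d/S99sshd` (the sequence number is an assumption; a high one keeps sshd after the network and the filesystems it lives on), with a matching K link in rc0.d/rc1.d if a clean stop at shutdown is wanted.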
The current version of the Sun Fortran 90 (Workshop 5.0) compiler will not work with the NAg numerical libraries. NAg state that they are having problems producing an appropriate library. Instead the previous version of the compiler can be used (Workshop 4.2). I stuck a link on cosmos to help: use "oldf90" rather than "f90", for example: oldf90 my_prog.f90 -lnag
-- definite problem with the Workshop 5.0 fortran compilers and W5.0 dbx: get a segfault! This happened for a chemist and a mech-eng with separate code; in both cases switching to the 4.2 compiler AND 4.2 dbx got rid of segfault;
-- installed from cd --- remote install (see Sun Workshop 5.0 Quick Install); N.B. Since we have a Scholar Pack and a domain-based license, we do not need FlexFM only a file (see Chapter 5 of said book).
Got pkg for Solaris 2.8 from sunfreeware.com; pkgadd -d it; fine.
Got pkg for Solaris 2.8 from sunfreeware.com; pkgadd -d it; problem: "app-defaults file older than current version --- you may lose some features" (or words to that effect). Using "truss xfig" revealed that

access("/home/mpciish2/Fig", 4) Err#2 ENOENT
access("/usr/openwin/lib/app-defaults/Fig", 4) Err#2 ENOENT
access("/usr/lib/X11/app-defaults/Fig", 4) Err#2 ENOENT
access("/usr/local/lib/X11/app-defaults/Fig", 4) Err#2 ENOENT
Problems with export and save: copied fig2dev, transfig + etc from /usr/local/bin on Galaxy to /usr/local/bin on Cosmos. Next need jpeg libraries (see stderr output of xfig)....
-- needed by xfig, so simply copied .a and .so and soft links from /usr/local/lib/ on Galaxy (and adjusted permissions);
-- installed ghostscript and ghostview from pkg files;
-- libXaw3d: copied v6.1 .a and .so libs to /usr/openwin/lib (I got the binaries and used them for galaxy some time ago); set up a link from libXaw3d.so --> libXaw3d.so.6.1; installed .h files too, in /usr/openwin/include/X11/Xaw3d;
-- gv: downloaded, compiled, built, installed, tested;
-- tarred up NAg F77 Mark 19, its routine-by-routine documentation and NAg F90 Release 3 from /software1 on galaxy, copied to /software on cosmos, untarred; added a README to explain what each directory is and put in two softlinks:

flso619da
fnsol03db
NAGdoc_flso619da
naglib_f77_mark19 -> ./flso619da
naglib_f90_release3 -> ./fnsol03db
README

-- edited nagexample scripts to reflect path on cosmos;
-- updated NAg documentation to reflect that it's now on Cosmos as well as Galaxy;
-- downloaded netscape for Cosmos and installed it (Netscape install gizmo with ns-install script and binaries);
-- downloaded and installed teTeX 1.0; installed in /software/teTeX_v1.0, /software/teTeX_v1.0_varfiles, /software/teTeX_v1.0_local and /var/texfonts for the user-built font stuff. Notes On How To Proceed, from the installation, are:

- set up your PATH to include the directory containing the just installed binaries in /software/teTeX_v1.0/bin. Similarly, MANPATH and INFOPATH to include the relevant newly installed subdirectories.
- run ``texconfig confall'' to check your setup
- call texconfig to set up a few things: hyphenation, paper size for printing, printer mode (implies resolution), font generation, etc.
- you need to run texhash after you install new files in /software/teTeX_v1.0/share/texmf
- There are two mailing lists for discussion and announcements about teTeX. See the FAQ (/software/teTeX_v1.0/share/texmf/doc/tetex/teTeX-FAQ) for more about this.
- See CTAN sites (systems/unix/teTeX/distrib/updates) for updates and corrections to the system. For information about CTAN, see /software/teTeX_v1.0/share/texmf/doc/help/ctan.

So set up PATH; run "texconfig confall"; and give it a go! Make /var/texfonts world writable so users can stick built fonts there.

Config: the main config file is /software/teTeX_v1.0/share/texmf/web2c/texmf.cnf

dvips config: in share/texmf/dvips/config/config.ps

% How to print, maybe with lp instead lpr, etc. If
% commented-out, output will go into a file by default.
%o |lpr

so that output goes to a file by default. REMEMBER: WHILST CONFIG FILES (E.G., THAT FOR DVIPS USED ABOVE) EXIST UNDER TETEX_V1.0 IT'S THOSE UNDER TETEX_V1.0_VARFILES WHICH ARE THE ONES READ!!!!!!!

-- tested TeX: works;