
Linux Resources

Secure Connections

    Your Linux distribution should have OpenSSH prepackaged and, quite likely, already installed. This makes ssh and scp available on the command line. You may also want to check rsync, a command line utility that copies or synchronizes entire directory trees.

    Filezilla is a GUI program for both FTP and secure-FTP file transfers. Use your distribution's package manager to install it, or download it from filezilla-project.org. Launch the program and choose File > Site Manager > New Site. Configure a secure FTP connection to gauss:

    Host: math.dartmouth.edu
    Servertype: SFTP - SSH File Transfer Protocol
    Logontype: Ask for password
    User: your username on gauss

    Click OK to save configuration or Connect to save and connect at once.



VPN Connections

    Dartmouth VPN

    In 2009 Dartmouth switched to Juniper VPN. It works fine on 32-bit Linux. It does not work on 64-bit systems (Jan. 2010). The VPN can be started at gateway.dartmouth.edu. It uses the web browser's Java applet. (Test your browser's Java here.)

    Math VPN

    Math VPN was created as an alternative to Dartmouth VPN, which, prior to 2009, didn't work well with certain firewalls.

    Gnome 2.x

    1. Install OpenVPN and Network Manager packages:
      # apt-get install openvpn network-manager-openvpn network-manager-openvpn-gnome
    2. Have your Dartmouth certificate available as a .p12 file (help).
    3. Add Math VPN connection:
      1. Click on Network Manager's deskbar applet > VPN Connections > Configure VPN.
      2. Choose Add > OpenVPN > Create....
      3. Connection name: Math VPN.
      4. Gateway: 129.170.28.43.
      5. Type: Certificates (TLS).
      6. User certificate: point to your .p12 file
      7. Private key password: password used while creating .p12
      8. Apply.
    4. To connect click on Network Manager's applet, VPN Connections > Math VPN. Upon successful connection a padlock sign should appear in applet's icon.
    5. To disconnect use Disconnect VPN in the same applet.

    KDE

    Have certificates available as in instructions for Gnome above. Download mathvpn.conf. Install KVpnc, start it and import mathvpn.conf as new “profile”. Select the new profile and Connect. Enter your private key password.

    Terminal

    Connection to Math VPN can also be established using a command line, without the need for Network Manager. Get Math VPN client configuration file mathvpn.conf and follow these instructions in PDF.


Configuring Email Clients and the DND

    If you have a Math Dept. user account (AKA “gauss username”), you also have a Math email account. Your Math email arrives at, and can be sent from, the math.dartmouth.edu server. It can be accessed instantly and globally via Webmail. Most email client applications, including mobile ones, can be configured to use your Math account with these generic settings:

    • Mail server type: IMAP
    • Incoming server: math.dartmouth.edu, port: 143
    • Connection type/encryption: TLS
    • Username: your Math Dept. username
    • Password: for the username above
    • Outgoing/SMTP server: math.dartmouth.edu, port: 25

    Below are step-by-step instructions on how to add your mathusername@math.dartmouth.edu account to Thunderbird.

    Thunderbird

    Tested with Thunderbird 3.1.8

    1. Edit > Account Settings… > Account Actions > Add Mail Account…
      Your name: Your real name
      Email address: mathusername@math.dartmouth.edu
      Password: password for the above
      Continue — Thunderbird will probe servers and should detect correct connection settings:
          Incoming: math.dartmouth.edu  IMAP  143  STARTTLS
          Outgoing: math.dartmouth.edu  SMTP  25   STARTTLS
      
      If settings were detected correctly — click Create Account.
      Otherwise click Manual Setup and enter correct settings under Server Settings and Outgoing Server (SMTP).
    2. Edit > Account Settings…
      Server Settings: Advanced: IMAP server directory: mail
      Composition & Addressing: Uncheck “Compose messages in HTML format”.
    3. (Optional — Dartmouth directory lookups)
      Edit > Preferences > Composition > Addressing
      Click Edit Directories, Add
      General tab:
      Name: Dartmouth Directory
      Hostname: ldap.dartmouth.edu
      Base DN: dc=dartmouth, dc=edu
      Port number: 389
      Back in the Preferences window select “Dartmouth Directory” for Directory Server.


Vacation Autoreply

Autoreply message for your Math mail is in .vacation.msg in your home directory on gauss.

Autoreply is enabled by uncommenting the following two lines in .procmailrc:

#:0c
#|/usr/bin/vacation username
To stop autoreply, comment both lines out again, by inserting # as the first character on each line.

.vacation.msg and .procmailrc can be edited with any text editor while in a terminal on gauss, or with a variety of GUI tools from a remote Linux desktop as long as they can make an SSH/SFTP connection to gauss, for example Filezilla, Nautilus, Dolphin etc.



Backing up your files

    Your workstation's home directory can be backed up nightly to Math Dept. backup volume. Contact linuxhelp@math.dartmouth.edu for assistance.

Printing

    Math printers are accessed via the network printing service CUPS running on gauss. With CUPS browsing enabled on a local machine and while on the wired network in Kemeny Hall, all Math printers should be automatically available. Appropriate drivers are already installed on the server — there is no need for individual printer configuration on a client.

    CUPS browsing can be enabled by navigating to http://localhost:631:
    Administration: Server Settings: enable Show printers shared by other systems.

    A similarly named setting is likely available in the system preferences menu in Gnome, KDE, XFCE etc.

    Alternatively, CUPS browsing can be enabled by editing /etc/cups/cupsd.conf and setting:

    Browsing on
    To limit the list of available printers to those served by gauss (i.e. Math printers only) set
    BrowseAllow 129.170.28.37
    To access Math printers from Dartmouth Secure wireless network add
    BrowsePoll 129.170.28.37
    Restart CUPS for changes to take effect: 'service cups restart'.
    Check for available printers: 'lpstat -t'.



Condor Installation

  1. Add system user “condor”:
    adduser --disabled-login --shell /bin/false condor
  2. Download Condor package from www.cs.wisc.edu and put it into /usr/local/.
  3. Unpack, install:
    cd /usr/local
    tar vxzf condor-version.tar.gz
    ln -s /usr/local/condor-version /usr/local/condor
    ./condor_configure --install --type=submit --owner=condor \
        --central-manager=math-01.grid.dartmouth.edu
    mkdir /etc/condor
    ln -s /usr/local/condor/etc/condor_config /etc/condor/condor_config
    
  4. Adjust local configuration file /usr/local/condor/local.hostname/condor_config.local by adding:
    FILESYSTEM_DOMAIN = $(FULL_HOSTNAME)
    UID_DOMAIN = $(FULL_HOSTNAME)
    ALLOW_WRITE=*.dartmouth.edu, 127.*
    ALLOW_READ=*.dartmouth.edu, 127.*
    RESERVED_SWAP = 0
    
  5. Copy start/stop script to /etc/init.d/:
    cp /usr/local/condor/etc/examples/condor.boot /etc/init.d/condor
  6. Start Condor:
    /etc/init.d/condor start
  7. Check communication with the pool:
    /usr/local/condor/bin/condor_status
    The response should be similar to this:
    Name               OpSys  Arch   State     Activity LoadAv Mem   ActvtyTime
    slot1@math-01.grid LINUX  X86_64 Unclaimed Idle     0.020  1024  0+03:25:04
    slot2@math-01.grid LINUX  X86_64 Unclaimed Idle     0.000  1024  5+23:27:12
    slot1@math-02.grid LINUX  X86_64 Unclaimed Idle     0.000  1024  0+03:05:04
    slot2@math-02.grid LINUX  X86_64 Unclaimed Idle     0.000  1024  6+00:41:04
    slot1@math-03.grid LINUX  X86_64 Unclaimed Idle     0.000  1024  1+03:05:24
    slot2@math-03.grid LINUX  X86_64 Unclaimed Idle     0.030  1024  0+03:05:05
    ... ... ...
    Condor log files are in /usr/local/condor/local.hostname/log/.
  8. If a firewall is in use, configure Condor to use the port range 9600-9700 and then open the firewall for incoming and outgoing TCP and UDP in that port range. Add to condor_config.local:
    LOWPORT = 9600
    HIGHPORT = 9700
    iptables rules may look like this:
    iptables -A INPUT -s 129.170.0.0/16 -p tcp -m state --state NEW --dport 9600:9700 -j ACCEPT
    iptables -A INPUT -s 129.170.0.0/16 -p udp -m state --state NEW --dport 9600:9700 -j ACCEPT

Joining Condor pool as “execute” node

    The instructions above configure Condor as a submit-only node. With only minor changes in configuration this can be changed into a submit and execute node. Please consider adding your workstation as an execute node, especially if it's a fairly capable 64-bit machine. In your local configuration file condor_config.local replace the line

    DAEMON_LIST = MASTER, SCHEDD
    with
    DAEMON_LIST = MASTER, SCHEDD, STARTD
    Restart Condor. After a few moments your workstation should appear in condor_status listing. If you have Mathematica, Maple, Matlab or PARI/GP installed, add the relevant lines
    HAS_MATH = TRUE
    HAS_MAPLE = TRUE
    HAS_MATLAB = TRUE
    HAS_GP = TRUE
    and then the following line as well:
    STARTD_EXPRS = HAS_MATH HAS_MAPLE HAS_MATLAB HAS_GP



Gnokart (Kerberos authentication helper for WWW browsers) et al.

    To access Kerberos-controlled network services at Dartmouth, like licensed databases, you need to install the Kerberos software on your computer. For more on Kerberos at Dartmouth please refer to Computing at Dartmouth. Here we show how to install and configure Kerberos utilities on Linux.

    Start by downloading gnokart-dnd package from gauss:

    $ cd /usr/local/src
    $ scp you@gauss:/usr/local/src/gnokart-dnd.tgz .
    $ tar xzvf gnokart-dnd.tgz
    
    gnokart-dnd/dnd and gnokart-dnd/gnokart directories contain sources AND precompiled 32-bit binaries. There is a good chance that precompiled binaries will just work.

    Kerberos

    Install the Kerberos libraries (libkrb5*) and utilities (krb5-user, krb5-config). Copy krb5.conf, krb.conf and krb.realms to /etc/. As a test, you should now be able to get a Kerberos ticket with
    $ kinit "Firstname M Lastname"
    
    Note there is no dot after "M". klist lists active tickets and kdestroy --- destroys them.

    Gnokart

    Change into gnokart-dnd/gnokart-0.5/ and do `make install`. If you need to recompile, do `./configure && make && make install`. You will need GTK and Kerberos headers (libgtk2.x-dev, libkrb5-dev) installed in order to compile. Subdirectory scripts/ contains convenient start-stop scripts for gnokart. Select one, for example, gnokart-debian and copy it to /etc/init.d/gnokart. Make a symbolic link to start gnokart automatically when system boots:
    # ln -s /etc/init.d/gnokart /etc/rcS.d/S90gnokart
    
    The latter can also be managed with rcconf utility. gnokart communicates via TCP port 913. Open up your firewall accordingly. For iptables it's:
    iptables -A INPUT -p tcp -m state --state NEW --dport 913 -j ACCEPT
    
    Start gnokart:
    # /etc/init.d/gnokart start
    

    DND utilities

    Change into gnokart-dnd/dnd/ and do `make install`, `make install-dnd` and `make install-docs`, which will install binaries and manual pages into the appropriate locations. If you need to recompile, you have to do `make clean` before the `make install` steps. Edit /etc/services, adding the line:
    dnd 902/tcp  # Dartmouth Name Directory
    
    Test by issuing `dndlookup your_lastname` --- DND should respond with all the matching records.

    Testing

    Start your web browser, go to the Dartmouth Kerberos test page and click on Test Kerberos. When prompted, enter your DND (a.k.a. Blitz) name and password. If everything goes well, you should see a GnoTicket pop-up with your name on it. Please note that this won't work when running the web browser as root.


Oracle Calendar

    Download Oracle Calendar client installer (“fixed”) from Math web site.

    Unpack the downloaded archive and run ./text_install.sh as root. Enter /usr/local/OracleCalendar for install destination and /usr/local/bin for symbolic links.

    The client depends on the 32-bit libstdc++.so.5. This is no longer available in Ubuntu since v.9.10 (Karmic Koala). You can download libstdc5_32bit.tar from the Math web site. Untar the downloaded file and move the two files to /usr/lib/ (32-bit systems) or /usr/lib32/ (64-bit systems).

    To run calendar type ocal at the command line. Use /usr/local/bin/ocal if you'd like to add an entry to your Gnome/KDE/XFCE/etc. menus or a shortcut on desktop/launchpad/deskbar.

    Upon first start you will have to create a Connection to Dartmouth Calendar. The server name is corptime.dartmouth.edu. Your login credentials are the same as for Blitzmail. If you don't have an Oracle Calendar account, send an email to help@dartmouth.edu to request one.



Dartmouth PKI Certificates

    Accessing certain resources on the Dartmouth network requires digital certificates issued by the Dartmouth Certificate Authority (CA). Two certificates are needed: the Dartmouth CA's root certificate and your personal Dartmouth certificate. Both can be obtained at collegeca.dartmouth.edu. The certificates will appear in your web browser's certificate store. For Firefox as of version 3.5 it's in
    Preferences - Advanced - Encryption - View Certificates.
    Dartmouth CA certificate will be listed under Authorities; your personal --- under Your Certificates.

    Certificates can be exported to disk files using Backup in View Certificates - Your Certificates. Select your certificate and click Backup to save it in a PKCS12 file (extension .p12). You will be asked to create a “Certificate backup password”. In addition to your personal certificate, the PKCS12 file will also contain your private key and the Dartmouth CA certificate.

    (Optional) Convert from PKCS12 to PEM

    The PKCS12 file contains the Dartmouth CA cert., your personal cert. and your private key in one compound format. In some cases certificates/keys have to be presented as separate files. Use the OpenSSL commands below to convert PKCS12 to individual PEM files.

    CA's root certificate:

        openssl pkcs12 -in mydccert.p12 -cacerts -nokeys -out collegeca.pem    

    Personal certificate:

        openssl pkcs12 -in mydccert.p12 -clcerts -nokeys -out mydccert.pem    

    Private key:

        openssl pkcs12 -in mydccert.p12 -clcerts -nocerts [-nodes] -out mydckey.pem    

    As a result, collegeca.pem will contain the Dartmouth CA's root certificate, mydccert.pem --- your personal Dartmouth certificate, and mydckey.pem --- the private key associated with your personal certificate. The optional -nodes will output your private key unencrypted, i.e. not protected by a password --- please make sure that it's kept securely!
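    A small helper, added here as an example and not taken from the page, that runs the three conversions above (the same ones repeated in the Dartmouth Secure section) and then checks that the extracted pieces belong together before they are handed to Network Manager or wpa_supplicant. It assumes openssl is on the PATH and uses the page's file names (mydccert.p12, collegeca.pem, mydccert.pem, mydckey.pem).

```shell
#!/bin/sh
# Added example (not the page's own code): split a PKCS#12 backup into the three
# PEM files described above and sanity-check the result.  Assumes openssl on PATH.
set -eu

# Split one .p12 bundle into CA cert, personal cert and private key.
# The key is written with -nodes (unencrypted), so restrict who can read it.
split_p12() {
  p12="$1"; pass="$2"
  umask 077   # new files (the key in particular) readable by the owner only
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys -out collegeca.pem
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys -out mydccert.pem
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nocerts -nodes -out mydckey.pem
}

# Succeeds only if the public key inside the certificate matches the private key.
# A mismatched pair is one reason an EAP-TLS connection can fail.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the personal certificate chains to the extracted CA file.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null
}

# Succeeds only if the key file has no group/other permission bits (0600 or stricter).
key_is_private() {
  mode=$(ls -l "$1" | cut -c5-10)
  [ "$mode" = "------" ]
}
```

Run `split_p12 mydccert.p12 'backup password'` followed by the three checks on the files it produced; each check returns a non-zero status on failure, so they can be chained with && in a script.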



Connecting to Dartmouth Secure Wireless Network

    Using Network Manager

    Have your certificate/key files ready as .pem files. If necessary, convert from .p12 using the commands below (the .p12 can be obtained by backing up your Dartmouth certificate from Firefox, see above):

        openssl pkcs12 -in mydccert.p12 -cacerts -nokeys -out collegeca.pem
        openssl pkcs12 -in mydccert.p12 -clcerts -nokeys -out mydccert.pem
        openssl pkcs12 -in mydccert.p12 -clcerts -nocerts -out mydckey.pem
    

    Use Network Manager's taskbar applet to configure new wireless connection with:

    SSID: Dartmouth Secure
    Mode: Infrastructure
    Wireless Security:
    Security: WPA & WPA2 Enterprise
    Authentication: TLS
    Identity: your name as in DND
    User certificate: mydccert.pem
    CA certificate: collegeca.pem
    Private key: mydckey.pem
    Private key password: password entered while creating mydckey.pem

    Using wpa_supplicant from the command line

    This should work independently of Network Manager and/or Linux distribution. Running wpa_supplicant from the command line console can also be helpful in debugging a problematic connection.

    • Prepare PKI certificates and your private key as three separate PEM files (see above).
    • Create /etc/wpa_supplicant.conf for Dartmouth Secure. Use your DND name for "identity" and full paths to the .pem files:
      # /etc/wpa_supplicant.conf
      network={
          ssid="Dartmouth Secure"
          proto=WPA2
          key_mgmt=WPA-EAP
          eap=TLS
          identity="..."
          ca_cert="/home/.../ssl/dcca.pem"
          client_cert="/home/.../ssl/mydccert.pem"
          private_key="/home/.../ssl/mydckey.pem"
          private_key_passwd="..."
      }
      
    • Run wpa_supplicant in non-daemon mode to test the connection:
      # wpa_supplicant -c /etc/wpa_supplicant.conf -d -i eth0
      
      Use -dd for even more debug info. Replace eth0 with your wireless interface (run iwconfig to figure it out).
    • If there are no errors, run 'dhclient eth0' from another terminal to obtain an IP address for the wireless interface.
    • If all went well, wpa_supplicant can subsequently be run as a daemon by adding a -B switch to the invocation.