Cosmos Journal



2003 May : /etc/inetd.conf

Made some changes to /etc/inetd.conf so that at next boot in.talkd, in.fingerd and in.uucpd will be blocked at the service/inetd level (in addition to at IP Filter level and router level).

For details see Security Journal.
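Added example, not from the journal: a small audit of a Solaris-style /etc/inetd.conf that reports which legacy services (the talk, finger and uucp daemons blocked above, plus the r-commands discussed further down) are still enabled. Disabling a service in inetd.conf means commenting its line out, so the check distinguishes a commented-out service line from a free-text comment by looking for a socket type in the second field. The sample file and the LEGACY_SERVICES set are constructed for the example.

```python
# Added example (not from the journal): audit a Solaris-style /etc/inetd.conf
# for legacy services that are still enabled. inetd services are disabled by
# commenting the line out, so an enabled service is any non-comment line.

SOCKET_TYPES = {"stream", "dgram", "raw", "seqpacket", "rdm", "tli"}

# Services the journal blocks, plus the r-commands it complains about.
# This set is an assumption for the example; adjust it to local policy.
LEGACY_SERVICES = {"finger", "talk", "ntalk", "uucp", "exec", "shell", "login"}

# Constructed sample fragment; not the real file from Cosmos.
SAMPLE_INETD_CONF = """\
# Constructed inetd.conf sample
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
#talk   dgram   udp     wait    root    /usr/sbin/in.talkd      in.talkd
#uucp   stream  tcp     nowait  root    /usr/sbin/in.uucpd      in.uucpd
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
echo    stream  tcp     nowait  root    internal
"""


def parse_inetd_conf(text):
    """Yield (service, enabled, server) for each service line, commented or not."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        fields = line.lstrip("#").split()
        # A commented-out service line still looks like one; a free-text
        # comment does not carry a socket type in its second field.
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
            continue
        yield fields[0], enabled, fields[5]


def enabled_legacy_services(text):
    """Return the sorted names of LEGACY_SERVICES still enabled in text."""
    return sorted(
        svc for svc, enabled, _ in parse_inetd_conf(text)
        if enabled and svc in LEGACY_SERVICES
    )


if __name__ == "__main__":
    # Run against the constructed sample; point it at /etc/inetd.conf for real use.
    for svc in enabled_legacy_services(SAMPLE_INETD_CONF):
        print("still enabled at the inetd level:", svc)
```

A service removed here is only one layer; the journal's entry rightly keeps the IP Filter and router rules as well, and the audit is the quick way to confirm the inetd layer matches them after a reboot.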


2003 February : motd/usage-message/issue/ssh_banner_config

 -- require both motd and usage-conditions to appear at login on cosmos
    and eric, but this will be about two screens worth so half will scroll
    past and never be read;
      
 -- original status:  cat was used (in /etc/.login and 
    /usr/local/etc/profile.local) to display /usr/local/etc/motd;

 -- a one line (only) banner can be put up via the BANNER field in
    /etc/default/telnetd so this is no help;

 -- for ssh, problem solved:  put the usage-message in 
    /etc/ssh2/ssh_banner_config which appears above the login prompt and 
    therefore only the motd need appear after login;

 -- solution for telnet:  put both motd and usage-message in motd and 
    use more rather than cat and stick necessary control-L characters in
    the motd text file;

 -- problem: this breaks eXceed which means eXceed is crap, nevertheless
    we have to work around this;

 -- solution:  use /etc/issue which can be more than one line and is 
    used by telnet (but not ssh);


2003 January : tcpdump

Installed tcpdump from the sunfreeware binary to investigate problems. It complained that libcrypt0.so.??? was missing. Google showed that this was part of openssh/openssl. Investigation showed that the OpenSSH and OpenSSL packages on sunfreeware.com contained said library and that it was already installed on Cosmos (but not Eric) --- the OpenSSL package, which installs itself in /usr/local/ssl, contained it, so adding /usr/local/ssl/lib to LD_LIBRARY_PATH solved the problem, and I had a good play with tcpdump.


2003 January : syslogd

Edited /etc/syslog.conf and restarted (kill -HUP) syslogd on both Cosmos and Eric so logs are now copied to Gresh's logserver. Added this

    # gresh's log server :
    *.info						@130.88.???.???

to /etc/syslog.conf. N.B. that whitespace consists of tabs, not blankspaces --- use the wrong one and an error message appears in /var/adm/messages (cf.

    eric syslogd: line 44: unknown priority name "info        @130.88.120.194"

which clearly shows that syslogd is getting its knickers in a twist...)
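Added example, not from the journal: a checker for exactly the tab-versus-space mistake described above. Solaris syslogd splits a rule on tabs, so a selector followed by spaces gets the action glued onto the priority name, which is where the "unknown priority name" message comes from. The sample configuration, loghost name and address below are constructed placeholders.

```python
import re

# Added example (not from the journal): find syslog.conf rules whose
# selector/action gap contains spaces rather than tabs, and rewrite them.

# Constructed sample; the loghost name and address are placeholders.
SAMPLE_SYSLOG_CONF = (
    "# constructed syslog.conf sample\n"
    "*.err;kern.notice;auth.notice\t\t/dev/sysmsg\n"
    "*.info\t\t\t\t\t@loghost.example.invalid\n"
    "mail.debug        /var/log/syslog\n"
    "auth.info @192.0.2.10\n"
)

# selector, separating whitespace, action
_RULE = re.compile(r"^(\S+)(\s+)(\S.*)$")


def bad_separator_lines(text):
    """Return 1-based line numbers whose selector/action gap contains a space.

    Lines that do not split into selector and action at all (e.g. leading
    whitespace or a missing action) are reported too, since syslogd will
    reject them anyway.
    """
    bad = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        m = _RULE.match(line)
        if m is None or " " in m.group(2):
            bad.append(lineno)
    return bad


def fix_separators(text):
    """Rewrite each rule so selector and action are separated by one tab."""
    out = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = _RULE.match(line)
        if line and not line.lstrip().startswith("#") and m:
            line = m.group(1) + "\t" + m.group(3)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Check the constructed sample; read /etc/syslog.conf instead for real use.
    print("lines with space separators:", bad_separator_lines(SAMPLE_SYSLOG_CONF))
    print(fix_separators(SAMPLE_SYSLOG_CONF), end="")
```

Running the check before the kill -HUP is cheaper than reading /var/adm/messages afterwards, and a silent misconfiguration here means the logserver quietly receives nothing.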


2002 Dec 02: Got IP Filter Properly Configured

See this for details.


2002 Nov 26: Security Plan for Cosmos and Eric

First steps of plan developed to get IP Filter on Cosmos and Eric with default-deny; also replace telnet and ftp with ssh and scp. For details of the evolving plans see this.


2002 Nov 21

Sorted out /etc/dfs/dfstab so that all users' dirs shared with Eric.


2002 Nov 15

Shared /export/u06 with eric for mpciish2 (see /etc/dfs/*) --- stuck entry in dfstab and typed

    share -F nfs -o rw=cosmos:eric.umist.ac.uk -d "test for mpciish2" \
        /export/u06
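Added example, not from the journal: a reviewer for /etc/dfs/dfstab share lines that flags NFS exports carrying no host list. With share -F nfs, a missing access option or a bare rw or ro exports the directory to every client that can reach the server; the rw=cosmos:eric.umist.ac.uk form used above limits it to the named hosts. The sample dfstab is constructed, and only its first line mirrors the command in the entry.

```python
import shlex

# Added example (not from the journal): review /etc/dfs/dfstab share(1M)
# lines and report NFS exports that have no host list on rw/ro.

# Constructed sample; only the first share line mirrors the journal's command.
SAMPLE_DFSTAB = """\
# constructed dfstab sample
share -F nfs -o rw=cosmos:eric.umist.ac.uk -d "test for mpciish2" /export/u06
share -F nfs -o rw -d "bare rw: everyone may write" /export/u07
share -F nfs /export/u08
share -F nfs -o ro=eric.umist.ac.uk,rw=cosmos /export/u09
"""


def parse_share(line):
    """Return (path, options) for a share(1M) line, or None if it is not one."""
    argv = shlex.split(line)          # honours the quoted -d description
    if not argv or argv[0] != "share":
        return None
    opts, path, i = {}, None, 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-F", "-d", "-o"):
            if i + 1 >= len(argv):    # option with no value: stop parsing
                break
            if arg == "-o":           # comma-separated option list
                for opt in argv[i + 1].split(","):
                    key, _, value = opt.partition("=")
                    opts[key] = value # "" when given bare, e.g. plain "rw"
            i += 2
        else:
            path = arg                # the positional argument is the pathname
            i += 1
    return path, opts


def audit_dfstab(text):
    """Return (path, reason) for every share without a host list on rw/ro."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_share(line)
        if parsed is None:
            continue
        path, opts = parsed
        rw, ro = opts.get("rw"), opts.get("ro")
        if rw is None and ro is None:
            findings.append((path, "no access option: rw for all clients"))
        elif rw == "":
            findings.append((path, "bare rw: writable by all clients"))
        elif ro == "" and rw is None:
            findings.append((path, "bare ro: readable by all clients"))
    return findings


if __name__ == "__main__":
    # Audit the constructed sample; read /etc/dfs/dfstab for real use.
    for path, reason in audit_dfstab(SAMPLE_DFSTAB):
        print(f"{path}: {reason}")
```

The host list is matched by the server against the client's reverse-resolved name, so it is worth pairing this check with the IP Filter rules the journal goes on to set up rather than relying on the dfstab entry alone.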


2002 November

Started moving "dead" accounts' files to /export/u09/__DELETED_ACCOUNTS. After each mv the files are tarred up and gzipped.


2002 October: Gnome 1.4

Downloaded, built from scratch and installed Gnome 1.4.


2002 September: Admin Objects

Wrote and installed new account admin scripts suite.


2002 Aug 28: Summary Sent to Paul and Darren


Paul, Darren,

    Cosmos:  the story so far
    -------------------------

0. More detailed notes and draft Web pages can be found at

       http://talby.csu.umist.ac.uk/~isd/_cosmeric/


1. Account Clear Out

As detailed in my previous email of this week I believe I have identified 
several hundred dead accounts on Cosmos.  The remaining accounts have,
where necessary, been changed to have eUMIST usernames.  

Status:  awaiting one month from term start to archive the accounts.  They
are currently disabled.  


2. LDAP Authentication

After an epic fight with the Solaris "documentation", with Solaris 7 and with
Netware "documentation", Cosmos can now authenticate users via LDAP, 
local NIS and local flat files (/etc/).  

Status: accounts were being moved from NIS to LDAP/eUMIST department-by-dept,
but this process has stalled as Cornelis is busy.  


3. Account Creation and Management

I have completely re-written the account creation and management software
on Cosmos.  This was prompted by the authentication change (to LDAP).  The
software should now be much more easily extendable and maintainable.

Status:  done, working.  The URS now contains Cosmos accounts and will drive
account creation on Cosmos (details to be worked out with Cornelis).


4. Applications

I have installed, amongst other things:  a non-stoneage editor (gedit) which
should, I believe, be the ISD supported editor on Cosmos (and Eric) --- for
reasons which I cannot fathom the supported editor is currently vi;  an
up-to-date web browser;  gnuplot (data plotting gizmo).

Status:  Star/OpenOffice seem to require Solaris 8 or 9.


5. SSH

An ssh2 daemon is running on Cosmos --- that from SSH Communications, rather
than OpenSSH (given the recent problems with OpenSSH).  This works with
PAM on Cosmos and therefore needs "keyboard_interactive" authentication
to be configured on the client.  Only the newer ssh clients support this.
(See notes via above link.)

Status:  working.  Documentation needs publishing.


6. rexec

The r-commands are a real pain.  rsh and rlogin have been stopped (apart from
certain hosts) by use of TCP Wrappers, but rexec remains.  This is a security
nightmare --- not only are the r-commands bad in themselves, but the
rexec daemon on Cosmos (the Solaris-supplied one) does NOT log anything --- this
includes connections through eXceed!  I experimented with an open-source 
rexec daemon, but this does not understand PAM authentication (which is
necessary for LDAP/eUMIST).  

Status:  rexec remains.  Given that eXceed can use telnet rather than rexec
(not sure if it can use ssh) there is no reason to keep rexec.  (Nick 1 did 
try to eliminate rexec some time ago, but was pressured into putting it back.)


7. Logging and Data Protection Act

Have re-jigged logging on Cosmos to maintain logs for 13 weeks.  

Status:  If this is acceptable for the Data Protection Act then I'll do the
same for Eric (and Kenny?)


8. Unix Printing

Unix printing is handled by the Unicon gizmo on prn1.umist.ac.uk.  Unicon
maintains a NIS database in which lists of trusted hosts and registered
users live.  Unicon accepts jobs from unix print queues and sends them to
Netware queues but does nothing re choosing printer tray, setting duplex, etc.

I have therefore written a set of printer drivers which wrap 
generic-postscript sent to queues on Cosmos with suitable PJL/PCL.

Status:  tested, works for A0, A3 colour, A3 b/w, A4 colour, b/w, transparency
and duplex on Cosmos.  Awaiting time from Lee to populate the NIS database
with Cosmos eUMIST usernames so that users can print!   


9. System Monitoring --- Part One

I have written and installed some system monitoring software on Eric.  It
works and is in the "tweaking" stage.  I happily note that it picked up 
today's (Wednesday, 28 Aug) problems in C7 at 00:22 this morning (multiple 
SCSI problems on Eric) and Paul Hills (at my prompting) had called Estates 
re the air-conditioning by 09:15 this morning.  

Status:  it works!  I plan to do a little more work on this: install on
Cosmos;  write a simple client (something that takes up less screen-space 
than multiple xterms doing "tail -f <given fifo>").  


10. System Monitoring --- SNMP

I have downloaded, compiled and installed SNMP on Cosmos.  Am configuring 
and experimenting with this with Nick 2.  

Status:  early stages!


11. Documentation, Handbook Entry, Web Pages

I have written a new Handbook entry of Cosmos and Eric, and also some new
Web pages describing our Unix service, e.g., available apps, printing...

Status:  awaiting time from Andrea to "publish" on the ISD web site.


-------------------------------------------------------------------------------

    Proposals
    ---------

a. Get rid of rexec

See above.


b. Upgrade Cosmos to Solaris 9 after Eric becomes a general-purpose machine.

Neither StarOffice nor OpenOffice appear to run under/over Solaris 7.  I am
increasingly finding support for Solaris 7 is being dropped.  Time
to eat that bullet?


-------------------------------------------------------------------------------

    For Discussion/To Be Determined?
    --------------------------------

i.  Eric CPU management --- Solaris 9 ?

ii. Licence issues with upgrade 7 --> 9 ?



-------------------------------------------------------------------------------
The End.
-------------------------------------------------------------------------------


2002 Aug : IP Filter

Installed IP Filter on Cosmos to protect SNMP: here.


2002 Aug : SNMP

Installed SNMP on Cosmos --- to work on configuration with Nick G.


2002 Aug : Logging Changes

Changed how logs are done to help with Data Protection Act


2002 July : sshd

The SSH2 stuff (from SSH Communications, rather than OpenSSH) is installed on Cosmos (/usr/local/sbin and /etc/ssh2):

Since Cosmos uses PAM to do the LDAP authentication SSH clients must use keyboard_interactive as the authentication method:


2002 July : Printing on Cosmos

Installed "new" printer drivers system on Cosmos.

Many of the applications and utilities on Cosmos "print" by exporting to generic Postscript which can either be saved to a file or streamed directly to a printer (or print queue); these apps and utils do not come with drivers suitable for printing transparencies, A3, duplex-A4, etc.

So I wrote suitable drivers --- essentially wrappers for the generic Postscript:

Anyone registered in the Unicon NIS database can print from a trusted host (i.e., a machine registered...). In practice only eUMIST usernames are to be registered.

The problem of which machines can actually be trusted remains! A workaround is to use this script on non-trusted machines:


2002 July : LDAP/eUMIST

The short version: I installed LDAP on a RedHat box and changed authentication on said box to LDAP (rather than flat, /etc/, files); changed a Solaris 8 box to authenticate as a client of the RedHat box --- this a first step to getting Solaris 7 boxes (Eric and Cosmos) doing the same thing (tried Solaris 8 first as this was reputed to be much easier than Solaris 7); changed a Solaris 7 box to do the same thing --- this was much harder; changed Cosmos to do the same.

This is the long version: eUMISTified Cosmos


2002 July : rexec

Played with rexec.


2002 June : Account Cull

Culled Dead Accounts.


2002 Feb : openssh and openssl

 -- in short: installed openssh

 -- in full:  

    got openssh pkg for sol7 from sunfreeware.com and downloaded and installed
    with "pkgadd -d" --- needed libcrypto so got openssl pkg for sol7
    from same place and installed and then still needed a libgcc 3.0 library
    so got libgcc 3.0 for sol7 from same place and installed that and

    postinstall :

    ran a postinstall script to generate the keys and then it worked ok;
    put a startup script in /etc/init.d/sshd and put a link into 
    /etc/rc2.d to ensure the daemon is started always...
              


2000: Fortran Compilers and NAg Libs


The current version of the Sun Fortran 90 (Workshop 5.0) compiler will not 
work with the NAg numerical libraries.  NAg state that they are having 
problems producing an appropriate library.  Instead the previous version 
of the compiler can be used (Workshop 4.2).  

I stuck a link on cosmos to help:  use "oldf90" rather than "f90", 
for example:

  oldf90 my_prog.f90 -lnag

2000: Fortran Compilers and dbx

  -- definite problem with the Workshop 5.0 fortran compilers and W5.0 dbx:
     get a segfault!  This happened for a chemist and a mech-eng with
     separate code;  in both cases switching to the 4.2 compiler AND
     4.2 dbx got rid of segfault;

Sun Workshop Compilers

 -- installed from cd --- remote install (see Sun Workshop 5.0 Quick Install);
    N.B.  Since we have a Scholar Pack and a domain-based license, we do not
          need FlexFM only a file (see Chapter 5 of said book).


2000 August 22 : xv

Got pkg for Solaris 2.8 from sunfreeware.com; pkgadd-d it; fine.


2000 August 22 : xfig

Got pkg for Solaris 2.8 from sunfreeware.com; pkgadd-d it; problem: "app-defaults file older than current version --- you may lose some features" (or words to that effect). Using "truss xfig" revealed that

    access("/home/mpciish2/Fig", 4)                  Err#2 ENOENT
    access("/usr/openwin/lib/app-defaults/Fig", 4)   Err#2 ENOENT
    access("/usr/lib/X11/app-defaults/Fig", 4)       Err#2 ENOENT
    access("/usr/local/lib/X11/app-defaults/Fig", 4) Err#2 ENOENT

i.e., looking for app-defaults files in places that do not exist, so mkdir'd /usr/local/lib/X11/app-defaults and copied Fig (and Fig-color) from /usr/local/lib/app-defaults. Fine!

Problems with export and save: copied fig2dev, transfig + etc from /usr/local/bin on Galaxy to /usr/local/bin on Cosmos. Next need jpeg libraries (see stderr output of xfig)....


2000 August 22 : jpeg libs

-- needed by xfig, so simply copied .a and .so and soft links from /usr/local/lib/ on Galaxy (and adjusted permissions);

gs, ghostview, xaw3d and gv

  -- installed ghostscript and ghostview from pkg files;

  -- libXaw3d:  copied v6.1 .a and .so libs to /usr/openwin/lib (I got
     the binaries and used it for galaxy some time ago);  setup a link
     from libXaw3d.so --> libXaw3d.so.6.1;   installed .h files too, 
     in /usr/openwin/include/X11/Xaw3d;

  -- gv: downloaded, compiled, build, installed, tested;


2000 August 21: NAg Libraries

  -- tarred up NAg F77 Mark 19, its routine-by-routine documentation and 
     NAg F90 Release 3 from /software1 on galaxy, copied to /software on 
     cosmos, untarred;  added a README to explain what each directory is
     and put in two softlinks:

         flso619da
         fnsol03db
         NAGdoc_flso619da
         naglib_f77_mark19 -> ./flso619da
         naglib_f90_release3 -> ./fnsol03db
         README

      -- edited nagexample scripts to reflect path on cosmos;

  -- updated NAg documentation to reflect that it's now on Cosmos as well
     as Galaxy;


2000 August 17: Netscape

  -- downloaded netscape for Cosmos and installed it (Netscape install
     gizmo with ns-install script and binaries);


2000 August 17: teTeX v1.0

  -- downloaded and installed teTeX 1.0;

     installed in 
        /software/teTeX_v1.0
        /software/teTeX_v1.0_varfiles
        /software/teTeX_v1.0_local

     and 

        /var/texfonts

     for the user-built font stuff.

     Notes On How To Proceed, from the installation are:  

       - set up your PATH to include the directory containing the just
         installed binaries in /software/teTeX_v1.0/bin.
         Similarly, MANPATH and INFOPATH to include the relevant newly
         installed subdirectories.
       - run ``texconfig confall'' to check your setup
       - call texconfig to set up a few things: hyphenation, paper size for
         printing, printer mode (implies resolution), font generation, etc.
       - you need to run texhash after you install new files in
           /software/teTeX_v1.0/share/texmf
       - There are two mailing list for discussion and announces about the
         teTeX.  See the FAQ 
         (/software/teTeX_v1.0/share/texmf/doc/tetex/teTeX-FAQ) for more 
         about this.
       - See CTAN sites (systems/unix/teTeX/distrib/updates) for updates and
         corrections to the system. For information about CTAN, see
         /software/teTeX_v1.0/share/texmf/doc/help/ctan.

       So set up PATH;  run "texconfig confall";  and give it a go!

       Make /var/texfonts world writable so users can stick built fonts there.


       Config:

       the main config file is

           /software/teTeX_v1.0/share/texmf/web2c/texmf.cnf

       dvips config: 

           % How to print, maybe with lp instead lpr, etc. If 
           % commented-out, output will go into a file by default.
           %o |lpr

       in share/texmf/dvips/config/config.ps so that output goes to a file by
       default.

       REMEMBER: WHILST CONFIG FILES (E.G., THAT FOR DVIPS USED ABOVE) EXIST
       UNDER TETEX_V1.0 IT'S THOSE UNDER TETEX_V1.0_VARFILES WHICH ARE THE
       ONES READ!!!!!!!


   -- tested TeX:  works;




About this document:

Produced from the SGML: /home/isd/public_html/_cosmos/_reml_grp/journal.reml
On: 27/5/2003 at 9:21:20
Options: reml2 -i noindex -l long -o html -p multiple