Setting up ds50ws

This machine is the host for the private network.

install squid proxy server

  • yum install squid
  • chkconfig --level 345 squid on
  • service squid start
  • iptables -A INPUT -s 192.168.0.0/16 -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
  • iptables -A INPUT -s 192.168.1.0/24 -p udp -m state --state NEW -m udp --sport 123 --dport 123 -j ACCEPT

host definitions

/etc/hosts:

192.168.1.1 ds50wsp.private.net ds50wsp
192.168.1.6 dsfr6.private.net dsfr6
192.168.1.8 dseb8.private.net dseb8

/etc/hosts.equiv:

dsfr6
dseb8

ssh tunnel

ds50ws needs to run an sshd listening on port 22 on the private network that accepts PubkeyAuthentication.

  • edit /etc/ssh/sshd_config
    ListenAddress 131.225.52.71
    
  • edit /etc/ssh/ssh_config
    Host 192.168.* ds50wsp dseb* dsfr*
            GSSAPIAuthentication no
            GSSAPIDelegateCredentials no
            PasswordAuthentication no
            PubKeyAuthentication yes
            ForwardAgent yes
            ForwardX11Trusted yes
            ForwardX11 yes
    
  • mkdir /etc/ssh-private
  • create /etc/ssh-private/sshd_config
    PidFile /var/run/sshd-private.pid
    ListenAddress 192.168.1.1
    SyslogFacility AUTHPRIV
    RSAAuthentication yes
    PubkeyAuthentication yes
    RhostsRSAAuthentication yes
    HostbasedAuthentication yes
    IgnoreUserKnownHosts no
    IgnoreRhosts no
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    KerberosAuthentication no
    KerberosOrLocalPasswd no
    KerberosTicketCleanup no
    GSSAPIAuthentication no
    GSSAPIKeyExchange no
    GSSAPICleanupCredentials no
    UsePAM yes
    X11Forwarding yes
    UsePrivilegeSeparation yes
    
  • cd /usr/local; scp -pr root@cluck:/usr/local/cet-chg .
  • check for references to cluck and edit as necessary
  • cd /etc/init.d; ln -s /usr/local/cet-chg/unix-admin/sshd-private
  • chkconfig sshd-private on
  • /etc/init.d/sshd-private start
  • create /root/.ssh/authorized_keys2 with public keys from dsfr6 and dseb8
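
The private sshd above enables HostbasedAuthentication and honours rhosts files, so it should only ever bind the private address. The following check is an added example, not part of the original notes or of cet-chg: the function names and the temporary sample files are hypothetical, and the sample configs are constructed from the settings listed above.

```shell
#!/bin/sh
# Added example: audit the sshd config that enables host-based trust and
# confirm it is pinned to the private network with password logins off.

# First value of KEYWORD in FILE (sshd uses the first occurrence of a
# keyword; keyword names are case-insensitive).
sshd_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Return 0 only if FILE binds private addresses and disables password logins.
check_private_sshd() {
    cfg=$1; rc=0
    addrs=$(awk 'tolower($1) == "listenaddress" { print $2 }' "$cfg")
    if [ -z "$addrs" ]; then
        echo "FAIL: no ListenAddress, sshd would bind every interface"; rc=1
    fi
    for a in $addrs; do
        case $a in
            192.168.[0-9]*) ;;   # the private range used on this page
            *) echo "FAIL: ListenAddress $a is not on 192.168.0.0/16"; rc=1 ;;
        esac
    done
    for k in PasswordAuthentication ChallengeResponseAuthentication; do
        [ "$(sshd_opt "$cfg" "$k")" = "no" ] || { echo "FAIL: $k is not 'no'"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: $cfg"
    return "$rc"
}

# Constructed samples: the private config, a copy that lost its bind line,
# and a copy bound to the public address from the main sshd_config.
tmp=$(mktemp -d)
cat > "$tmp/good" <<'EOF'
PidFile /var/run/sshd-private.pid
ListenAddress 192.168.1.1
HostbasedAuthentication yes
IgnoreRhosts no
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
grep -v ListenAddress "$tmp/good" > "$tmp/nobind"
sed 's/192.168.1.1/131.225.52.71/' "$tmp/good" > "$tmp/public"

check_private_sshd "$tmp/good"
check_private_sshd "$tmp/nobind" || true
check_private_sshd "$tmp/public" || true
```

On the real host, point it at /etc/ssh-private/sshd_config before starting sshd-private.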

Adding users

  • yum install krb5-appl-clients (for telnet)
  • we will use the utilities in /usr/local/cet-chg/unix-admin
    cd /usr/local/bin
    ln -s /usr/local/cet-chg/unix-admin/obtain 
    ln -s /usr/local/cet-chg/unix-admin/smushuid 
    ln -s /usr/local/cet-chg/unix-admin/smushgid 
    ln -s /usr/local/cet-chg/unix-admin/dsuser
    
  • make sure the database is up to date
    cd /usr/local/share/obtain
    obtain uid
    obtain gid_id
    
  • finally, add a user
    cd
    dsuser --id-lists=/usr/local/share/obtain --no-scratch username
    

03-Oct-2014, KAB: Yesterday, Ron disabled NetManager on the new ds50ws to get the private network interface to work.