Sun 2900 Strategy Guide
Revision as of 22:23, 31 January 2015
This guide is intended to explain the process of setting up an operating system (OpenBSD 5.6) on a Sun Fire E2900 machine (such as potassium-nitrate).
Booting an Operating System
The recommended way to load an operating system onto the E2900 is network boot. From any CSC machine, access the management console (telnet potassium-nitrate-alom and enter password), then hit Enter a few times.
- If you see a login prompt, or nothing, push the two keys "#." consecutively to get to the Lights-Out Management console. Then follow the next step.
- If you see a prompt like "lom>", you are at the Lights-Out Management console. Enter "break", then "yes". This suspends the operating system and enters the debugger.
- If you see a prompt like "ok", you are in the debugger and can control the boot sequence.
From the debugger, typing "boot net" causes the following to take place:
- If there is an operating system running, a system reset will be performed.
- The machine performs a reverse-ARP (RARP) lookup to determine its IP address based on its MAC address. The RARP daemon is running on dextrose, and configuration can be changed in /etc/ethers and /etc/hosts.
- The machine then sends a broadcast TFTP GET request for a file whose name corresponds to its IP address encoded as an eight-character string. For example, potassium-nitrate gets the IP address 129.97.134.45, so it asks for the file "8161862D" over TFTP. (Hint: 'printf "%02X%02X%02X%02X\n" 129 97 134 45')
- atftpd doesn't answer broadcast TFTP requests correctly, so you need to find another way. There is a script in dextrose:/root called tftp.py that acts as a very simple TFTP server, and it handles broadcast requests fine.
- This file is loaded into memory and executed. For OpenBSD/sparc64, this file is "ofwboot" (renamed or symlinked so the machine can find it).
- ofwboot sends a broadcast BOOTPARAMS request to find out how to load the next part of the installer. The bootparamd software is running on dextrose, and essentially tells the system to mount a certain directory over NFS and then load from there. The NFS mount in question is exported from dextrose.
- ofwboot then asks for a kernel to run. If you are installing OpenBSD (or upgrading), enter "bsd.rd". This is the OpenBSD RAM-disk kernel and contains a minimal environment that can be loaded into memory without a full root filesystem present. The kernel to be loaded is, as mentioned, exported and loaded over NFS.
Following these steps should give you an OpenBSD installation prompt over the management console. Select 's' for (S)hell.
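As an added illustration (not part of this guide and not the tftp.py script on dextrose), the Python below encodes an address into the eight-hex-digit boot file name, parses the TFTP read request the machine broadcasts, and agrees to serve only a well-formed request whose file name is exactly the encoding of the requester's own address. The sample address is the one given above for potassium-nitrate.

```python
import struct

# Constructed sample values from the guide: potassium-nitrate's RARP-assigned
# address and the file name it is expected to request.
EXAMPLE_IP = "129.97.134.45"
HEXDIGITS = "0123456789ABCDEFabcdef"


def boot_filename(ip):
    """Encode a dotted-quad IPv4 address as the eight-hex-digit file name a
    Sun machine requests after RARP (same result as the printf hint above)."""
    return "%02X%02X%02X%02X" % tuple(int(o) for o in ip.split("."))


def filename_to_ip(name):
    """Reverse mapping: which client is an eight-hex-digit request for?"""
    if len(name) != 8 or any(c not in HEXDIGITS for c in name):
        raise ValueError("not an IP-encoded boot file name: %r" % name)
    return ".".join(str(int(name[i:i + 2], 16)) for i in range(0, 8, 2))


def build_rrq(filename, mode="octet"):
    """Build the TFTP read request a client sends (RFC 1350: opcode 1,
    filename, NUL, mode, NUL); handy for exercising a server offline."""
    return struct.pack("!H", 1) + filename.encode("ascii") + b"\x00" \
        + mode.encode("ascii") + b"\x00"


def parse_rrq(packet):
    """Parse an RRQ into (filename, mode); raise ValueError if malformed."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != 1:
        raise ValueError("not a TFTP RRQ")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("RRQ fields are not NUL-terminated")
    filename = fields[0].decode("ascii")
    mode = fields[1].decode("ascii").lower()
    if mode not in ("netascii", "octet"):
        raise ValueError("unsupported TFTP mode %r" % mode)
    return filename, mode


def should_serve(packet, src_ip):
    """Decide whether a boot-only server should answer: the request must be a
    well-formed RRQ whose file name is exactly the encoding of the requester's
    own address (so no other names and no path components get served)."""
    try:
        filename, _mode = parse_rrq(packet)
        return filename == boot_filename(src_ip)
    except (ValueError, UnicodeDecodeError):
        return False
```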
Doing the Install
Set up software raid
We assume here that you would like your root filesystem to be set up on RAID1. Suppose the (OpenBSD) names of your drives are sd0 and sd1.
The following instructions are adapted from [1].
- Prepare the first disk: 'disklabel -E sd0'
- Show the partition table: 'p'
- Delete each partition: 'd [char]', for each partition listed
- Create a boot partition: 'a a', offset (hit enter), size (100M), FS type (4.2BSD)
- Create a swap partition: 'a b', offset (hit enter), size (pick a number), FS type (swap)
- Create a root RAID partition: 'a d', offset (hit enter), size (hit enter), FS type (raid)
- Save and quit: 'q', 'y'
- Save the disklabel: 'disklabel sd0 > protofile'
- Load the disklabel onto the second disk: 'disklabel -R sd1 protofile'
- Create a software RAID device: 'bioctl -c 1 -l sd0d,sd1d softraid0'
- This command will print out something like "sd2 at scsibus2" -- remember the "sd2" part, this is the device name you will be using later in the install.
Hit Control-D to return to the installation menu, then choose 'i' for (I)nstall.
Install OpenBSD
Choose sensible values for all the settings in the installer. When it comes time to install things to disk, select 'sd2' (or whatever you had from before) and leave the other disks alone. Set up the disk, making sure to leave lots of room in /usr.
When the install finishes, you will be returned to a shell. Do not reboot.
- Create new filesystems on the boot partitions: "newfs /dev/rsd0a", "newfs /dev/rsd1a"
- "mount /dev/sd0a /mnt2"
- "mkdir /mnt3"
- "mount /dev/sd1a /mnt3"
- "cd /mnt ; cp bsd* ofwboot /mnt2 ; cp bsd* ofwboot /mnt3"
- Install the bootloader: "installboot -v /mnt/user/mdec/bootblk sd2"
Now reboot.
Get Kerberos Working
You probably want to allow other members of the CSC to log in to the machine. It turns out that setting this up is extremely difficult, because the stock OpenSSH binaries do not include support for Kerberos. The following is probably the one place on the Internet that actually explains how to do this for OpenBSD 5.6. If you figure out a better way, please test it and then contact the Systems Committee. We would appreciate never having to do this again.
- You need access to the OpenBSD ports tree, which allows packages to be built from source.
- "cd /tmp; ftp mirror.csclub.uwaterloo.ca". Access "OpenBSD/5.6/". Get "ports.tar.gz", then logout.
- "cd /usr" then "tar xzf /tmp/ports.tar.gz". After that, "rm /tmp/ports.tar.gz".
- Heimdal is OpenBSD's fork of MIT-Kerberos. To build it, "cd /usr/ports/security/heimdal ; make install". Wait a while for this to finish.
- Now you will recompile OpenSSH from source to include support for Heimdal/KRB5. To begin, download the latest version of the OpenSSH source tarball from your local mirror (e.g. mirror.csclub.uwaterloo.ca/OpenBSD/OpenSSH/openssh-X.Y.tar.gz) and extract it somewhere.
- The following instructions are correct for OpenSSH 6.7; if a new version has come out, these aren't guaranteed to work but will probably help a lot. All paths are relative to the base of the extracted source directory.
- In gss-serv.c: add the line "#include <netdb.h>" somewhere near the top of the file.
- In lib/Makefile: remove the '#' signs from every line between, but not including, "#.if (${KERBEROS5:L} == 'yes')" and "# .endif # KERBEROS5"; then change the line you just uncommented that begins "CFLAGS" to look like "CFLAGS+= -DKRB5 -I/usr/local/heimdal/include -I/usr/local/include".
- In servconf.h: add the line '#include "misc.h"' somewhere near the top of the file.
- In sshd/Makefile: change the line "KERBEROS=no" to "KERBEROS=yes", then change the nearby line that begins "CFLAGS" to look like "CFLAGS+= -DKRB5 -I/usr/local/heimdal/include -I/usr/local/include -DGSSAPI"; then change the nearby line that begins "LDADD" to look like "LDADD+= -lgssapi -lkrb5 -lasn1 -L/usr/local/heimdal/lib -L/usr/local/lib".
- Run the command "ldconfig -m /usr/local/heimdal/lib /usr/local/lib" to add these directories to the library search path.
- Build OpenSSH: "make obj ; make cleandir ; make depend ; make ; make install"
- Edit /etc/ssh/sshd_config and add the line "GSSAPIAuthentication yes" at the bottom.
- Restart sshd: "/etc/rc.d/sshd restart". If this fails for any reason, re-run with "/etc/rc.d/sshd -d restart" and fix errors manually.
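The lib/Makefile and sshd/Makefile edits above as a script, added here and not part of this guide or of OpenSSH: each function takes the text of one Makefile and returns it with the 6.7 changes applied, refusing to proceed if a line it must edit is missing. The Makefile fragments are constructed stand-ins, and the /usr/local/heimdal paths are the guide's assumed Heimdal install location.

```python
# Assumed layout from the guide: the Heimdal port under /usr/local/heimdal.
HEIMDAL_INC = "-I/usr/local/heimdal/include -I/usr/local/include"
HEIMDAL_LIB = "-L/usr/local/heimdal/lib -L/usr/local/lib"
BLOCK_START = "#.if (${KERBEROS5:L} == 'yes')"
BLOCK_END = "# .endif # KERBEROS5"

# Constructed stand-ins for the 6.7 Makefile fragments; only the markers matter.
SAMPLE_LIB_MAKEFILE = """\
#.if (${KERBEROS5:L} == 'yes')
#CFLAGS+= -DKRB5
#SRCS+= gss-genr.c
# .endif # KERBEROS5
"""
SAMPLE_SSHD_MAKEFILE = """\
KERBEROS=no
CFLAGS+= -DKRB5
LDADD+= -lkrb5
"""


def patch_lib_makefile(text):
    # Uncomment the lines strictly between the markers; point CFLAGS at Heimdal.
    out, in_block = [], False
    for line in text.splitlines():
        if line == BLOCK_START:
            in_block = True
        elif line == BLOCK_END:
            in_block = False
        elif in_block:
            line = line.lstrip("#")
            if line.startswith("CFLAGS"):
                line = "CFLAGS+= -DKRB5 " + HEIMDAL_INC
        out.append(line)
    return "\n".join(out) + "\n"


def patch_sshd_makefile(text):
    # Apply the three sshd/Makefile edits, each to the first matching line;
    # fail loudly if any is missing rather than silently building without KRB5.
    pending = {"KERBEROS=": "KERBEROS=yes",
               "CFLAGS": "CFLAGS+= -DKRB5 " + HEIMDAL_INC + " -DGSSAPI",
               "LDADD": "LDADD+= -lgssapi -lkrb5 -lasn1 " + HEIMDAL_LIB}
    out = []
    for line in text.splitlines():
        for prefix in list(pending):
            if line.startswith(prefix):
                line = pending.pop(prefix)
                break
        out.append(line)
    if pending:
        raise ValueError("not found: " + ", ".join(sorted(pending)))
    return "\n".join(out) + "\n"
```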