Linux Resources
Secure Connections
Your Linux distribution should have OpenSSH prepackaged and, quite likely,
already installed. This should make ssh and scp available on the
command line. You may also want to check rsync, a command line utility
to copy or synchronize entire directory trees.
Filezilla is a GUI program for both FTP and secure-FTP file transfers.
Use your distribution's package manager to install it, or download it from filezilla-project.org.
Launch the program and choose File > Site Manager > New Site. Configure the secure FTP connection to
gauss:
Host: math.dartmouth.edu
Servertype: SFTP - SSH File Transfer Protocol
Logontype: Ask for password
User: your username on gauss
Click OK to save the configuration, or Connect to save and connect at once.
VPN Connections
Dartmouth VPN
In 2009 Dartmouth switched to Juniper VPN. It works fine on 32-bit Linux. It does not work on 64-bit systems (Oct. 2009). VPN can be started at gateway.dartmouth.edu. It uses the web browser's Java applet. (Test your browser's Java here).
Note: On Ubuntu you'll want to enable the root password before connecting for the first time:
$ sudo passwd root
This is only needed for the first connection, when the software is installed to ~/.juniper_networks/. Afterwards the root password can be disabled again:
$ sudo passwd -l root
Math VPN
Math VPN was created as an alternative to Dartmouth VPN, which, prior to 2009, didn't work well with certain firewalls.
Below is a “quick start” guide for setting up and using Math VPN (extended instructions are also available).
- Install OpenVPN:
# apt-get install openvpn
- Have the following in place:
/etc/openvpn/mydccert.pem — your Dartmouth certificate,
/etc/openvpn/mydckey.pem — your corresponding private key,
/etc/ssl/certs/collegeca.pem — Dartmouth Certificate Authority certificate.
- Get the Math VPN client configuration file mathvpn.conf and place it in /etc/openvpn/.
- Start/stop:
# /etc/init.d/openvpn start
# /etc/init.d/openvpn stop
Configuring Email Clients and the DND
This section provides instructions on how to set up various email
clients to access your IMAP mail account (including a BlitzMail
account), and also how to integrate the use of the DND to perform an
automatic lookup of email addresses.
Full details are here.
Backing up your files
Your workstation's home directory can be backed up nightly to the Math Dept. backup volume.
Contact linuxhelp@math.dartmouth.edu for assistance.
Printing
All public Math printers are shared using the network printing service CUPS.
Printer names and locations are listed at
http://math.dartmouth.edu:631/printers. The printing service runs on math.dartmouth.edu,
which is the server name to enter
if you use one of the graphical system configuration tools in Gnome, KDE etc.
If you prefer to edit configuration files directly, CUPS browsing
has to be enabled in /etc/cups/cupsd.conf by setting 'Browsing on'.
You may also want to set 'BrowseAllow 129.170.28.37' in order to see
only the Math Dept. printers.
Available printers can be checked with 'lpstat -t'. The department-wide default printer is
set on gauss and may not be what you want.
You can set your local default with 'lpoptions -d printer_name'.
NB: 1. Math printers are only visible on the wired network in Kemeny Hall.
2. CUPS uses UDP on port 631, which has to be open in case there is a network firewall enabled on your machine.
Condor
- Download the Condor package for Linux from http://www.cs.wisc.edu/condor/downloads
(free registration required) and put it into /usr/local/.
- Add a user, untar, run the configuration script, make links etc.:
host# adduser --disabled-login --shell /bin/false condor
host# cd /usr/local
host# tar vxzf condor-<version>.tar.gz
host# ln -s /usr/local/condor-<version> /usr/local/condor
host# ./condor_configure --install --type=submit,execute --owner=condor --central-manager=math-01.grid.dartmouth.edu
host# mkdir /etc/condor
host# ln -s /usr/local/condor/etc/condor_config /etc/condor/condor_config
host# cp /usr/local/condor/etc/examples/condor.boot /etc/init.d/condor
- Edit /usr/local/condor/local.<hostname>/condor_config.local making sure it has:
LOWPORT = 9600
HIGHPORT = 9700
RESERVED_SWAP = 0
FILESYSTEM_DOMAIN = $(FULL_HOSTNAME)
UID_DOMAIN = $(FULL_HOSTNAME)
MEMORY = 1024                         # 1GB of RAM
START = TRUE                          # Comment out all other uninitialized parameters!
HAS_MATH = TRUE                       # If Mathematica is installed
HAS_MAPLE = TRUE                      # If Maple is installed
HAS_MATLAB = TRUE                     # If Matlab is installed
HAS_GP = TRUE                         # If PARI/GP is installed
STARTD_EXPRS = HAS_MATH HAS_MAPLE HAS_MATLAB HAS_GP
NETWORK_INTERFACE = aaa.bbb.ccc.ddd   # When using a static IP address only
- Open up the network firewall for TCP and UDP ports 9600--9700. For Netfilter (a.k.a. iptables):
iptables -A INPUT -p tcp -m state --state NEW --destination-port 9600:9700 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW --destination-port 9600:9700 -j ACCEPT
- Start Condor:
host# /etc/init.d/condor start
Starting up Condor
host# ps ax | grep condor
 4904 ?        Ss     0:00 /usr/local/condor/sbin/condor_master
 4905 ?        Ss     0:00 condor_schedd -f
 4906 ?        Ss     0:04 condor_startd -f          (execute node only)
 4926 pts/1    S+     0:00 grep condor
If Condor did not start, check /usr/local/condor/local.<hostname>/log/ for clues.
- Check communication with the pool:
host$ /usr/local/condor/bin/condor_status
The response should be similar to this:
Name           OpSys    Arch    State      Activity  LoadAv  Mem   ActvtyTime
vm1@mlab02.ki  LINUX    INTEL   Claimed    Busy      1.000   1024  0+02:47:17
vm2@mlab02.ki  LINUX    INTEL   Unclaimed  Idle      0.040   1024  0+01:05:05
vm1@math-01.g  LINUX    x86_64  Unclaimed  Idle      0.000   1024  0+02:05:04
vm2@math-01.g  LINUX    x86_64  Unclaimed  Idle      0.010   1024  0+02:05:09
mlab-cauchy    WINNT51  INTEL   Unclaimed  Idle      1.630   2048  0+02:48:03
mlab-germain   WINNT51  INTEL   Unclaimed  Idle      0.110   512   0+03:15:01
...            ...      ...
Installation
You'll have to work at the command line (Applications | Utilities | Terminal) and you'll need superuser privileges. Depending on your preference, either use `sudo <command>` or become root.
Job Submission
Jobs are submitted by preparing a so-called “submit” file and then issuing a command:
c:\condor\bin\condor_submit <submit-file>
Here are some examples of job submission files.
Gnokart (Kerberos authentication helper for WWW browsers) et al.
To access Kerberos-controlled network services at Dartmouth, like licensed databases, you need to install the Kerberos software on your computer. For more on Kerberos at Dartmouth please refer to Computing at Dartmouth. Here we show how to install and configure Kerberos utilities on Linux.
Start by downloading the gnokart-dnd package from gauss:
$ cd /usr/local/src
$ scp you@gauss:/usr/local/src/gnokart-dnd.tgz .
$ tar xzvf gnokart-dnd.tgz
The gnokart-dnd/dnd and gnokart-dnd/gnokart directories contain sources AND precompiled 32-bit binaries. There is a good chance that the precompiled binaries will just work.
Kerberos
Install the Kerberos libraries (libkrb5*) and utilities (krb5-user, krb5-config). Copy krb5.conf, krb.conf and krb.realms to /etc/. As a test, you should now be able to get a Kerberos ticket with
$ kinit "Firstname M Lastname"
Note there is no dot after "M". klist lists active tickets and kdestroy --- destroys them.
Gnokart
Change into gnokart-dnd/gnokart-0.5/ and do `make install`. If you need to recompile, do `./configure && make && make install`. You will need the GTK and Kerberos headers (libgtk2.x-dev, libkrb5-dev) installed in order to compile. Subdirectory scripts/ contains convenient start-stop scripts for gnokart. Select one, for example gnokart-debian, and copy it to /etc/init.d/gnokart. Make a symbolic link to start gnokart automatically when the system boots:
# ln -s /etc/init.d/gnokart /etc/rcS.d/S90gnokart
The latter can also be managed with the rcconf utility.
gnokart communicates via TCP port 913. Open up your firewall accordingly. For iptables
it's:
iptables -A INPUT -p tcp -m state --state NEW --dport 913 -j ACCEPT
Start gnokart:
# /etc/init.d/gnokart start
DND utilities
Change into gnokart-dnd/dnd/ and
do `make install`, `make install-dnd` and `make install-docs`, which will install
binaries and manual pages into the appropriate locations. If you need to recompile, you
have to do `make clean` before the `make install` steps.
Edit /etc/services, adding the line:
dnd 902/tcp # Dartmouth Name Directory
Test by issuing `dndlookup your_lastname` --- DND should respond with all the matching records.
Testing
Start your web browser and go to the Dartmouth
Kerberos test page and click on Test Kerberos. When prompted, enter your DND
(a.k.a. Blitz name) and password. If everything goes well, you should
see a GnoTicket pop-up with your name on it.
Please note that this won't work when running the web browser as root.
Oracle Calendar
Download Oracle Calendar client software from
Computing Services.
Unpack the downloaded archive and run ./text_install.sh as root.
Enter /usr/local/OracleCalendar for install destination. Installation will create
a /usr/local/bin/ocal symlink. This is the application you have to run. Just type ocal
at the command line; or add it to your Gnome/KDE/XFCE/etc. menus; or make a shortcut on a desktop/launchpad/deskbar.
Upon first start you will have to create a Connection to Dartmouth Calendar. Server name is
corptime.dartmouth.edu. Your login credentials are the same as for Blitzmail.
If you don't have an Oracle Calendar account, send an email to help@dartmouth.edu to request one.
Once logged in you can import your other calendar(s) into Oracle. Several import formats are supported,
including iCalendar (.ics), which is used by Mozilla/Sunbird/Evolution/iCal etc.
To import you have to have your .ics file locally.
Dartmouth PKI Certificates
Accessing certain resources on Dartmouth network requires digital
certificates issued by the Dartmouth Certificate Authority (CA).
Two certificates are needed: Dartmouth CA's root certificate and your
personal Dartmouth certificate. Both can be obtained at
collegeca.dartmouth.edu.
Certificates will appear in your web browser's certificate store.
For Firefox as of version 3.5 it's in
Preferences - Advanced - Encryption - View Certificates.
The Dartmouth CA certificate will be listed under Authorities;
your personal one --- under Your Certificates.
Certificates can be exported to disk files using Backup
in View Certificates - Your Certificates. Select your certificate and
click Backup to save it in PKCS12 file (extension .p12).
You will be asked to create “Certificate backup password”.
In addition to your personal certificate the PKCS12 file will also contain
your private key and the Dartmouth CA certificate.
(Optional) Convert from PKCS12 to PEM
PKCS12 file contains Dartmouth CA cert., your personal cert. and your private key
in one compound format. In some cases certificates/keys have to be presented as separate
files. Use OpenSSL commands below to convert PKCS12 to individual PEM files.
CA's root certificate:
openssl pkcs12 -in mydccert.p12 -cacerts -nokeys -out collegeca.pem
Personal certificate:
openssl pkcs12 -in mydccert.p12 -clcerts -nokeys -out mydccert.pem
Private key:
openssl pkcs12 -in mydccert.p12 -clcerts -nocerts [-nodes] -out mydckey.pem
As a result, collegeca.pem will contain Dartmouth CA's
root certificate, mydccert.pem --- your personal Dartmouth certificate,
mydckey.pem --- private key, associated with your personal certificate.
Optionally, -nodes will output your private key unencrypted,
i.e. not protected by a password --- please make sure that it's kept securely!
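The conversion and the caveat above, as an added example that is not part of the original page: a POSIX shell script that runs the three openssl commands on a bundle, then checks that the personal certificate chains to the extracted CA certificate, that the private key actually belongs to that certificate, and that the unencrypted key file is readable only by its owner. It assumes openssl on PATH; the bundle it works on is a constructed stand-in (a throwaway CA and user certificate generated on the spot), and the password and paths are demo values.

```shell
#!/bin/sh
# Added example (not from the Dartmouth page): split a PKCS12 bundle into the
# three PEM files described above, then confirm the pieces belong together.
# Assumes openssl on PATH. The bundle is a constructed stand-in: a throwaway
# CA and user certificate generated here, not a real Dartmouth certificate.
set -e

# split_p12 BUNDLE PASSWORD OUTDIR: writes collegeca.pem, mydccert.pem, mydckey.pem
split_p12() {
    bundle=$1; pass=$2; out=$3
    mkdir -p "$out"
    # umask 077 in a subshell: the -nodes key is unencrypted, so create it 0600
    (umask 077
     openssl pkcs12 -in "$bundle" -cacerts -nokeys -passin "pass:$pass" -out "$out/collegeca.pem"
     openssl pkcs12 -in "$bundle" -clcerts -nokeys -passin "pass:$pass" -out "$out/mydccert.pem"
     openssl pkcs12 -in "$bundle" -clcerts -nocerts -nodes -passin "pass:$pass" -out "$out/mydckey.pem")
}

# check_pem OUTDIR: returns 0 only if the user cert chains to the CA cert,
# the private key matches the user cert, and the key file is owner-only
check_pem() {
    out=$1
    openssl verify -CAfile "$out/collegeca.pem" "$out/mydccert.pem" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$out/mydccert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$out/mydckey.pem" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    [ "$(ls -l "$out/mydckey.pem" | cut -c1-10)" = "-rw-------" ]
}

# make_demo_bundle DIR PASSWORD: constructed CA + user cert exported to DIR/demo.p12
make_demo_bundle() {
    d=$1; pass=$2
    mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo User" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/user.pem" 2>/dev/null
    openssl pkcs12 -export -in "$d/user.pem" -inkey "$d/user.key" \
        -certfile "$d/ca.pem" -passout "pass:$pass" -out "$d/demo.p12"
}

# Demo run; point split_p12 at a real mydccert.p12 instead to use it for real
work=$(mktemp -d)
make_demo_bundle "$work" "demo-pass"
split_p12 "$work/demo.p12" "demo-pass" "$work/pem"
check_pem "$work/pem" && echo "PEM files verified in $work/pem"
```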
Connecting to Dartmouth Secure Wireless Network
Using Network Manager
Have your Dartmouth certificate ready as .p12 file (see exporting from Firefox above).
Use Network Manager's taskbar applet to configure new wireless connection with:
- SSID: Dartmouth Secure
- Mode: Infrastructure
- Wireless Security:
- Security: WPA & WPA2 Enterprise
- Authentication: TLS
- Identity: your name as in DND
- User certificate: leave empty
- CA certificate: leave empty
- Private key: mydccert.p12
- Private key password: password created while saving to .p12 from Firefox
Using wpa_supplicant from the command line
This should work independently of Network Manager and/or Linux distribution. Running wpa_supplicant
from the command line console can also be helpful in debugging a problematic connection.
- Prepare PKI certificates and your private key as three separate PEM files (see above).
- Create /etc/wpa_supplicant.conf for Dartmouth Secure. Use your DND name for "identity"
and full paths to the .pem files:
# /etc/wpa_supplicant.conf
network={
ssid="Dartmouth Secure"
proto=WPA2
key_mgmt=WPA-EAP
eap=TLS
identity="..."
ca_cert="/home/.../ssl/dcca.pem"
client_cert="/home/.../ssl/mydccert.pem"
private_key="/home/.../ssl/mydckey.pem"
private_key_passwd="..."
}
- Run wpa_supplicant in non-daemon mode to test the connection:
# wpa_supplicant -c /etc/wpa_supplicant.conf -d -i eth0
Use -dd for even more debug info. Replace eth0 with your wireless interface (run iwconfig to figure it out).
- If there are no errors, run 'dhclient eth0' from another terminal to obtain an IP address for the wireless interface.
- If all went well, wpa_supplicant can subsequently be run as a daemon by adding the -B switch to the invocation.
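A pre-flight check for the wpa_supplicant.conf described above, as an added example that is not part of the original page: it reads the network block, insists on the EAP-TLS settings the page uses, confirms that each referenced PEM file exists, and flags a private key or a config file (which carries private_key_passwd in clear text) that others can read. It assumes only POSIX sh and coreutils; the config and PEM files used in the demo are constructed placeholders, and the function and file names are its own.

```shell
#!/bin/sh
# Added example (not from the Dartmouth page): pre-flight check for the
# wpa_supplicant.conf shown above, run before handing it to wpa_supplicant.
# Assumes only POSIX sh and coreutils; the config and PEM files in the demo
# are constructed placeholders, not real certificates.

# conf_value FILE KEY: print KEY's value from the network block, quotes stripped
conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# owner_only FILE: true if FILE is not readable by group or others
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_wpa_conf FILE: print one line per problem, return the problem count
check_wpa_conf() {
    conf=$1; n=0
    # the file carries private_key_passwd in clear text, so it must be owner-only
    owner_only "$conf" || { echo "$conf is readable by others"; n=$((n + 1)); }
    [ "$(conf_value "$conf" key_mgmt)" = "WPA-EAP" ] || { echo "key_mgmt must be WPA-EAP"; n=$((n + 1)); }
    [ "$(conf_value "$conf" eap)" = "TLS" ] || { echo "eap must be TLS"; n=$((n + 1)); }
    for key in ca_cert client_cert private_key; do
        f=$(conf_value "$conf" "$key")
        if [ -z "$f" ]; then
            # without ca_cert the supplicant cannot verify the authentication server
            echo "$key is not set"; n=$((n + 1))
        elif [ ! -r "$f" ]; then
            echo "$key file $f is missing or unreadable"; n=$((n + 1))
        elif [ "$key" = private_key ] && ! owner_only "$f"; then
            echo "private key $f is readable by others"; n=$((n + 1))
        fi
    done
    return $n
}

# make_demo_conf DIR: constructed config with two deliberate problems (empty ca_cert, 0644 key); prints its path
make_demo_conf() {
    d=$1; mkdir -p "$d"
    printf 'placeholder\n' > "$d/mydccert.pem"
    printf 'placeholder\n' > "$d/mydckey.pem"; chmod 644 "$d/mydckey.pem"
    printf 'network={\n ssid="Dartmouth Secure"\n proto=WPA2\n key_mgmt=WPA-EAP\n eap=TLS\n' > "$d/wpa.conf"
    printf ' identity="Firstname M Lastname"\n ca_cert=""\n client_cert="%s"\n' "$d/mydccert.pem" >> "$d/wpa.conf"
    printf ' private_key="%s"\n private_key_passwd="secret"\n}\n' "$d/mydckey.pem" >> "$d/wpa.conf"
    chmod 600 "$d/wpa.conf"; echo "$d/wpa.conf"
}
demo=$(make_demo_conf "$(mktemp -d)")
check_wpa_conf "$demo" && echo "$demo looks sane" || echo "problems found: $?"
```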