HOWTOs
Account
You can find RIT's offical password policy here.
Changing your DCS password
You must be logged on to one of the Linux machines in the department. You must use the 'cspasswd' program found in /usr/local/dcs/bin. (this will be in your default path if you have not changed your dot-files)
If you can not remember your CS password you must visit the System Admin office found in room 70-3590.
We WILL NOT give you passwords over the phone or through email.
Any problems or questions you have can be sent to problems@cs.rit.edu
Password Strength
At this time the Department of Computer Science requires you password to be:
- At least 8 characters long, 12 or more is recommended.
- Passwords must be made up of 3 of 4 character types (first and last characters do not count towards the total):
- uppercase letters
- lowercase letters
- numbers
- punctuation characters
- not containing any dictionary words if it is less than 12 characters long.
Remote Connections
Getting PuTTY
PuTTY is a free SSH client available from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html From that page you can download either just the putty.exe program or a full set of SSH utilities including file transfer and key generation. Note that PuTTYtel will not work to connect to the CS department, as we do not support telnet connections.
Quick Connection
When you launch the PuTTY.exe program, it shows a configuration screen with many options. However, most of them can be left at their defaults. To connect to a CS department computer, enter the fully qualified domain name (example: newyork.cs.rit.edu
) in the text box labeled "Host Name (or IP address)". You can then click the "Open" button to connect. The first time you connect to a host, it will display a security alert. You can usually click "Yes" and it will remember the host key and not prompt the next time you connect (see below for more details). After it connects, it will prompt for your username and password.
When connecting to a host for the first time or for the first time after a host's SSH keys (these are not your personal keys, but the keypair that identifies a particular computer system) have been rebuilt, you will be prompted with a message similar to:
The server's host key is not cached in the registry. You have no guarantee that the server is the computer you think it is. The server's rsa2 key fingerprint is: ssh-rsa 1024 03:90:56:97:64:e4:e3:24:12:ed:f8:a8:7e:04:1f:46 If you trust this host, hit Yes to add the key to PuTTY's cache and carry on connecting. If you want to carry on connecting just once, without adding the key to the cache, hit No. If you do not trust this host, hit Cancel to abandon the connection.
In general it is perfectly safe to hit Yes at this prompt. If you know the SSH keys on a host have not changed (this is most applicable to users running Unix at home) but you are being prompted with a message similar to the above, please contact the Admins immediately.
Saving a Session
To avoid having to type in a host and your user name every time, you can save the settings as a session. To do so, enter in a host name and set any additional settings (such as username under the "Connection/Data" category), then enter a name under "Saved Sessions" (in the main "Session" category) and press "Save". From then on, you can simply double-click the session name in the list to connect to that machine. You can use the "Load" button to bring up the settings in order to change them and then save them again under the same name or a new one.
Generating SSH Keys
PuTTY also comes with a program named PuTTYgen to generate SSH public and private keys. You can use these keys to authenticate instead of using your password.
General Disclaimer
This is not a guide on how to use SSH/SCP/SFTP or any mail or news programs. There are far too many programs to write a comprehensive guide on each. Instead, this will serve as a general usage and configuration primer for the programs most readily available in the Department of Computer Science at R.I.T. All systems in the Computer Science Department are configured to use SSH2 only. There are a number of well-documented security vulnerabilities of SSH1 that SSH2 is immune to, so fallback to SSH1 has also been disabled.
Valid machines for general use are all student labs (ICLs 1-4) and the general access SMPs. When you are in a lab you will see name tags on each system; simply append '.cs.rit.edu' to the name for the fully-qualified DNS name. For example, the host idaho is really idaho.cs.rit.edu.
One machine not in labs that is a valid connection point is glados. This is a larger system available for general computing use, living in the Computer Science machine room.
When connecting to a host for the first time or for the first time after a host's SSH keys (these are not your personal keys, but the keypair that identifies a particular computer system) have been rebuilt, you will be prompted with a message similar to:
The authenticity of host '{hostname} ({host IP address})' can't be established.
RSA key fingerprint is 03:90:56:97:64:e4:e3:24:12:ed:f8:a8:7e:04:1f:46.
Are you sure you want to continue connecting (yes/no)?
In general it is perfectly safe to accept this prompt. If you know the SSH keys on a host have not changed (this is most applicable to users running Unix at home) but you are being prompted with a message similar to the above, please contact the Admins immediately.
Authentication with SSH
Using Password Authentication
Using Public/Private Keys for Authentication
Note that this method is generally not available for Windows systems. The password authentication technique is sufficient.
The command ssh-keygen should already be in your path.
The default behavior of the SSH key generator is to build 1024-bit RSA keys for SSH verison 2.
Building & Using SSH Keys
- At the Unix shell, enter the following command:
$> ssh-keygen -b [1024 | 2048] -t rsa {enter}
where you choose either 1024- or 2048-bit key length (longer keys = greater security at cost of greater computation time and effort).When prompted for a passphrase, it is important that you not leave this blank. It is also best to not make this passphrase the same as your password. Using your password as the key passphrase is essentially identical to using password authentication.
This will create a file pair ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub. The id_rsa.pub file is your public key, the file without the extention is your private key.
- At the Unix shell, enter the following command:
$> ssh-keygen -b [1024 | 2048] -t dsa {enter}
where you choose either 1024- or 2048-bit key length (again, longer keys = greater security at cost of greater computation time and effort). Also, note the algorithm difference (the first invocation generated RSA keys, this builds DSA keys).When prompted for a passphrase, it is important that you not leave this blank. It is also best to not make this passphrase the same as your password. Using your password as the key passphrase is essentially identical to using password authentication. For simplicities sake, this can be the same as your RSA keypair, but additional security is gained (in the sense that for full compromise of your keypairs it would require crack two passphrases, not just one) by making the two passphrases different.
This will create a file pair ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub. The id_dsa.pub file is your public key, the file without the extention is your private key.
- In the CS department, all systems have a common filesystem. This means that in effect, for every two CS systems you move between, your SSH keys are already distributed.
- File system permissions on both the public and private keys should be 0600 (readable and writable by you only).
- If you want to connect to the CS systems from home, generate keys at home the same way as above, and simply copy your public key file to the CS systems. This is not a simple copy; it is important to follow these directions:
- Say on the CS systems you have your public/private keypairs. When importing a new public key, save the new public key as a separate file.
- Enter the following command to import a new public key:
$> cat {new public key file name} >> ~/.ssh/authorized_keys {enter}
- You should now be able to hop between hosts and authenticate using your SSH passphrase.
So, Instead of My Password I Have a Passphrase -- Why Bother?
General Notes on Authentication
Connecting to a Machine Via SSH from OS X/Unix
$> ssh {username}@{machine name} {enter}
or
$> ssh -l {username} {machine name} {enter}
If you're connecting two systems on which you have the same username, (ie, between two CS systems) you may ommit the {username} field; it defaults to the username you are currently using.
Use the default SSH port (TCP port 22) when connecting.
This technique works equally well for any other Solaris, Linux, or other Unix variant Operating System.
Connecting to a Machine Via SSH from Windows
- CS account
- SSH client for your version of Windows; suggested clients are:
Configure your client to connect using your CS username to a valid CS Department host. As with the Unix variants, your host specification is either a fully qualified DNS name (eg newyork.cs.rit.edu) if you're connecting from outside the department, or just the hostname (eg newyork) if you're connecting from within.
Use the default SSH port (TCP port 22) when connecting (there may be an option to change this value; leave it as is).
Getting a Windowing Environment -- When a Shell Isn't Enough
- Using xming HOWTO for GUI connections on Windows.
- Using X11 HOWTO for GUI connections on OSX.
- linux machines recommend you use 'ssh -X username@hostname' to connect.
- OS OX machines need to use 'ssh -Y username@hostname' instead.
Using SCP and SFTP
One Important Caveat About SCP and SFTP:
If excessive information is echoed to the terminal during login (from the .login or .bashrc/.cshrc files), these two programs will not work. RationalRose, as used in CS4 and CS for Transfer classes, also causes these programs to fail as they echo information to the terminal window.
Simply commenting out the appropriate lines in these files will allow SCP and SFTP to operate cleanly.
In your .cshrc or .bash_profile file, a line similar to:
exists; inserting a pound sign (#) before this line will comment it out and prevent its execution.
SCP
scp works like the unix 'cp' command, except it copies from between hosts.A simple syntax (man scp for more options):
scp [ [user@]host1:]file1 []... [ [user@]host2:]file2If user or host is omitted, it assumes your userid and local host.
example:
scp file1 username@holly.cs.rit.edu:/full-path-to-home/file2This will copy file1 from your current machine and directory to /full-path-to-home/file2 through the machine holly. You will be required to authenticate as username for the process to succeed.
SFTP
SFTP works the same as traditional ftp, except over a secure connection. To use it, just connect to any of the lab machines.Example:
sftp newyork.cs.rit.eduAfter authenticating, you will be connected to your home directory. See the man page for sftp for more details.
Advanced: Using ssh-agent from OSX/Unix
Using ssh-agent can greatly increase automation when working on a distributed project while continuing to be secure. It allows you to use a passphrase protected ssh generated key without having to type in the password each time. This is done by starting a process that will act as a password proxy for your current shell session. This process is separate from the shell you invoke it from: it will be important that you kill that process before you close the shell. Otherwise, you will leave orphaned ssh-agent processes behindTo get ssh-agent to work for you, you must already have ssh keys generated (see Using Public/Private Keys for Authentication ).
- Open up a shell window on your Unix machine.
- Depending on what your default shell is, you will need to start ssh-agent
- If using bash, dash, or sh, eval 'ssh-agent -s'. (the ' is important here)
- If you use csh, tcsh, eval 'ssh-agent -c'
- You will be able to now add an ssh key to the agent for proxy. ssh-add ~/.ssh/id_rsa (or id_dsa, or whatever name you gave your ssh keys). It will ask you for the passphrase. Type this in to unlock the key and add it to the agent.
- You can now use ssh to reach other machines with that key, and not require you to type in that passphrase each time.
- NOTE: When you are done with the current shell and logging off, please kill the process of the agent. It can be found typing echo $SSH_AGENT_PID
- NOTE: Only the shell that has the SSH_AUTH_SOCK and SSH_AGENT_PID variables set will have access to the agent. Unless you chose to add them by hand to other shell sessions, only the shell session you ran eval 'ssh-agent -s' will have a connection to the agent.
Installing X11
How to intall X11 depends on what version of OS X you have installed:
- 10.2 and earlier
- No official versions of X11 exist for these versions.
- 10.3 (Panther)
- X11 is available from Apple's website
- 10.4 (Tiger)
- X11 is an optional installation from the Tiger DVD.
- 10.5 (Leopard) and later
- X11 is installed by default.
Running X11
Recent versions of OS X will automatically launch X11 when a program attempts to connect to the X server. Open Terminal.app and try running xterm
. If that doesn't work, you'll need to start X11 manually. It can be found in /Applications/Utilities
.
Using X programs from the CS machines
Using the Terminal or an xterm, use ssh -Y username@hostname
to connect to a CS machine. Once logged in, you may use programs as normal. For example running emacs
should open the emacs window on your computer.
Before going any further, you should have downloaded Putty already. Documentation on getting Putty is available here.
Getting Xming
- Go to straightrunning.com/XmingNotes to download Xming.
- Scroll down to Releases and under Public Domain Releases, click on Xming to download.
- Run the .exe setup file
- If you run into firewall problems, click “Allow access” to continue
- Continue through the installer until “Finish”
Configure Xming for the first time
- First, type and click XLaunch from the start menu to launch Xming
- Choose display setting and display number and click Next
- Click “Start a program” and Next
- Chose “Run Remote” “Using Putty (plink.exe)”
- Enter the IP address of the machine to which you want to connect. For Glados, for example, enter 129.21.30.38 or glados.cs.rit.edu
- Enter your RIT username in “login as user” box
- Enter your CS password in “Password” box
- Click Next and Next
- Under “Configuration Complete” Click on “Save configuration” so you don't have to launch xming each time you want to connect to the same machine
- Click Finish
Configure Putty with Xming
- Now, run Putty
- Under Putty configuration window, select “Connection” on the left panel
- Under SSH click on X11 on the left hand side menu
- check “Enable X11 Forwarding”
- Now, click “Session” at the very top of the left hand side menu. Scroll to the top if necessary
- Fill in “Host name” box: IP address of machine
- Makes sure the “Port” number is 22
- Enter a name for this session under “Saved Session” box
- Click on “Save” to save session – Refer here for more info
- Then click Open to connect
- You will be then prompted to enter your computer science username and password
- Enter the name of Linux app you want to use, for example, libreoffice
General Notice
pine is available on the Solaris machines.
alpine is the replacement mail tool and currently is only found on the Ubuntu machines.
/var/mail is NFS mounted on the Solaris machines, which allows pine to read your inbox without the need for IMAP. This functionality is going to go away as the Solaris machines are phased out. There are no plans to mount /var/mail from the Ubuntu machines which is why you will need to set alpine up to read mail through IMAP
Setting up (al)pine to use IMAP
Once you start alpine, at the main screen hit 'S' then 'C'
(S) Setup -> (C) Config::
User Domain = cs.rit.edu
SMTP Server (for sending) = mailhost.cs.rit.edu:587/tls
Inbox Path = {mailhost.cs.rit.edu/user=username/ssl/IMAP}INBOX
where username is your CS username, ie. abc1234
choose 'E' to exit setup and confirm the changes.
To read your inbox type in your CS password at the promt. Then 'L' Folder List -> 'M' Mail -> INBOX
procmail can be used to filter and forward your cs email. By default new students have their cs accounts set up with procmail to forward email to username@rit.edu.
to use procmail, you first need to
- set up a ~/.qmail file with the following line:
|/usr/local/bin/qmail-procmail
#=====================# # Filter out the spam # #=====================# :0: * ^X-Spam-Status: Yes /your-home-path/mail/caughtspam
That simple example will filter any mail that the system tags as spam and put it into your ~/mail/caughtspam file.
procmail will process your .procmailrc file until it finds a matching rule and then exit after following that rule. If procmail does not find a matching rule by the end of the file, the message will be put into your cs mail folder. So, if what you want to do is send all of your mail somewhere else, you could forward it at the end of your .procmailrc
Forwarding
If you want to forward your mail to another site you can add the following lines to the end of your ~/.procmailrc file:
:0 ! your@email
Don't forget to have your .qmail file process mail through procmail:
|/usr/local/bin/qmail-procmail
Other Resources
This is a very simple procmail set up, but you can get more help from the following resources:
Window Managers
What is Fluxbox:
It is a window manager for X window system. The user interface is very lightweight and simple. More info can be found here.- A right-click on the desktop will open main menu where you can customize the style, select applications, and change configuration. Alternatively, you can go to fluxbox directory, usually it is ./fluxbox/ where you can modify files directly.
- Middle click or Left click on desktop will open workspace menu
- Running programs are by default at the bottom of the screen
- Common shortcut can be found here. Scroll down to “Key Bindings”
- Fluxbox manual page can be found here.
Using Fluxbox
- Go to fluxbox directory and do startfluxbox to start a fluxbox session
- If there is no error message, skip the steps below
- If you get error, you have a running window manager already running, do the below steps
- Log out
- At the login prompt, click options and choose fluxbox from the list of window managers and login as usual
Customization
- Customization is done by editing configuration files in the .fluxbox directory in user home directory.
- Keyboard shortcuts are stored in the ~/.fluxbox/keys file
- Menu layout is in the ~/.fluxbox/menu file
- Everything running at startup is found in ~/.fluxbox/startup
- Configuration file ~/.fluxbox/init
What is VTWM
vtwm is a window manager for the X Window System. It provides titlebars, shaped windows, several forms of icon management, user-defined macro functions, click-to-type and pointer-driven keyboard focus, and user-specified key and pointer button bindings.
Setting up the VTWM window manager:
- Find these two files in home directory: .xinitrc and .Xsession
- Make sure to include this line at the end of both files: vtwm>/dev/null 2>&1
- Change permission of the two files to executable using: chmod u+x .xinitrc and chmod u+x .Xsession
- Log out of current session
- At the login prompt, click option and choose custom
- Go back to the login prompt and login as usual
- Your running program will be listed at the top left corner
- To access main menu, left click and hold on the desktop
- To log out, left click and hold on exit and click quit