From UGCS

(Difference between revisions)

Latest revision as of 19:37, 7 June 2011

FAQs about UGCS 4.0

General Questions

Where is UGCS?

UGCS is in the basement of Winnett, room 2C. It has a South Master lock on it. To get to the basement, go down the stairs on the west side of the building. Go down the corridor and go through the door that's half-way down, and then you'll see the door to UGCS.

Am I allowed to do <something> on UGCS?

Depends what <something> is. Use of UGCS is subject to our Acceptable Use Policy. If you have any questions about it, please ask a sysadmin about your use before you try it.

I forgot my password

See our Password Reset help page

How can I get an account?

See New Account

I get "Permission denied" when trying to access files I should (and used to earlier) have permissions on

Your Kerberos auth expired. Log out and back in again, or run 'kinit && aklog'. To keep your tokens from expiring, run kinit -R && aklog BEFORE they expire. If this is related to screen sessions, see the section on screen below.

Email

How can I create a Mailman mailing list?

Log into the cluster and run "mailman create listname". See Mailman documentation for more information.

Can I forward my email elsewhere?

Yes. Log in to the cluster and run mail_forward. It will ask you questions, and use your answers to update your ldap delivery settings.

What settings should I use for POP / IMAP / SMTP?

See Email Server Settings

How do I access Webmail?

SquirrelMail (simple, fast, light interface): https://webmail.ugcs.caltech.edu/squirrelmail/

Roundcube (more complex, drag-and-drop, desktop style interface): https://webmail.ugcs.caltech.edu/

How can I make Pine/Alpine work?

See Pine setup

How can I make Mutt work?

Mutt should work out of the box. If not, make sure you mail directory is set to ~/Maildir.

How do I process my mail using procmail?

We do not currently support procmail. If you want, you can run this script as a cron script Note: use this script at your own risk.

#!/bin/sh

# ensure that .procmailrc targets are of the format ~/Maildir/<directory>/
# rather than ~/Maildir/<file> in order to ensure delivery in Maildir format
# which will result in availability via IMAP.

cat ~/Maildir/new/* | formail -s procmail

Shell

How can I connect to UGCS?

You can come in the lab and login at a machine, or SSH to to.caltech.edu (you can just use "to" if you're on campus )

How do I get out of the job listing screen when I first connect?

Type 'q'

Where can I find ssh utilities for Windows?

We recommend Putty for getting a shell (ssh), and WinSCP or FileZilla for transfering files.

There are other programs as well, some will even let you pay for them. Lucky you;)

How can I connect to UGCS from unix machines (Mac OS X, BSD, Linux, etc)?

Just open a terminal and type ssh username@to.caltech.edu

Can I use UGCS as a network disk?

On Linux, you can install the program sshfs, then type sshfs username@to.caltech.edu: mountpoint. If you get permission denied, try sudo adduser <your local username> fuse and restarting X.

When you're done, fusermount -u mountpoint will unmount it.

You can also set up your computer to access AFS remotely

There are AFS clients for Windows and OS X

How can I leave a job running in screen and retain filesystem permissions?

To prevent your screen sessions from losing filesystem permissions as soon as you logout, run "kinit -r 1d" in the screen BEFORE detaching and logging out. Use this with caution, as it will allow the screen session to keep your credentials for up to a year. Note that changing your password will invalidate all current tokens (this is a feature, not a bug).

Webhosting

Where's my website?

/afs/ugcs/user/<username>/public/html, or at http://www.ugcs.caltech.edu/~username

What about SQL Databases?

Every UGCS account comes standard with a Postgresql 8.3 database. See Postgres on UGCS for more information.

We have a MySQL server running on poseidon. As we do not have an automated MySQL database creation system, you must ask us for a MySQL database.

How can I set up MediaWiki/Wordpress/Drupal/etc

We fully support mediawiki and have some tools to help work with it- see UGCS Mediawiki support

Wordpress does not support Postgres, so you will need a MySQL database- ask us for to get one set up.

Security

Where can I find the UGCS CA key/SSL cert/SSH Hostkeys/PGP keys?

http://ca.ugcs.caltech.edu

Why does my mail client/browser complain that your certificate can't be trusted

Most browsers and mail clients ship with a "preapproved" list of certificate authorities that can be used to validate sites. In addition to being critically flawed due to its reliance on a central (corporate) authority, signing standards vary from company to company. The only constant is that it costs a lot of money for a site to get signed, and this does nothing to assist the security of the user.

To this end, UGCS publishes its own CA key. If you care enough about security, you can verify it as being legitimate through the PGP web of trust through the sysadmin's keys. If you are not willing to put forth the effort, you should download it now and be very concerned should it ever change without a good explanation. (For example, we might have to issue a new certificate if part or all of UGCS were to be compromised.)

Acceptable Use Policy and Copyright Infringement

What is the UGCS acceptable use policy?

Don't break the law, don't violate IMSS's policies, don't violate others' privacy, don't monopolize limited resources, don't crack our systems (though if you know a way, we'd love to have you let us know). Official wording: UGCS Acceptable Use Policy

How does UGCS deal with claims of copyright infringement?

Those making the claim are required to provide us with all the usual information, and sufficient proof that a particular user is responsible. Since UGCS is a multiuser environment, a timestamp and IP address alone are not sufficient proof of infringing behavior. We provide encrypted hashes with all incoming and outgoing connections that we can use to identify the user responsible. Unfortunately, without this information there is no proof of infringing behavior and we are not able to take action. For our official policy, or to report a violation, please see our Copyrighted Material and DMCA Policy.

How does UGCS protect users from frivolous IP lawsuits?

As noted above, in addition to all the other information required we additionally require an identd hash to trace activity back to the user. If claimants fail to provide this information, we cannot necessarily determine which of the users on the machine at that time was responsible for the activity.

@@ Line 1: / Line 1: @@
-FAQs about UGCS 4.0=
+=FAQs about UGCS 4.0=
 __TOC__
-==Security==
+==General Questions==
-===I noticed your certificate changed recently/my mail client complained, why?===
-Due to the Debian SSL vulnerability, all cryptographic material generated with SSL on a Debian system(including hostkeys and SSL certs) had to be regenerated. PGP keys are not affected.
-===Why does my mail client/browser complain that your certificate can't be trusted===
-Most browsers and mail clients ship with a "preapproved" list of certificate authorities that can be used to validate sites. In addition to being critically flawed due to its reliance on a central (corporate) authority, signing standards vary from company to company. The only constant is that it costs a lot of money for a site to get signed, and this does nothing to assist the security of the user.
-To this end, UGCS publishes its own CA key. If you care enough about security, you can verify it as being legitimate through the PGP web of trust through the sysadmin's keys. If you are not willing to put forth the effort, you should download it now and be very concerned should it ever change.
+===Where is UGCS?===
+UGCS is in the basement of Winnett, room 2C.  It has a South Master lock on it.  To get to the basement, go down the stairs on the west side of the building.  Go down the corridor and go through the door that's half-way down, and then you'll see the door to UGCS.
-===Where can I find the UGCS CA key/SSL cert/SSH Hostkeys/PGP keys?===
+===Am I allowed to do <something> on UGCS?===
-http://ca.ugcs.caltech.edu/index.xhtml
+Depends what <something> is.  Use of UGCS is subject to our [[Website:Acceptable_Use_Policy|Acceptable Use Policy]].  If you have any questions about it, please [[Website:Contact|ask a sysadmin]] about your use before you try it.
+===I forgot my password===
+See our [[Documentation:Password_Resets|Password Reset]] help page
+===How can I get an account?===
+See [[Documentation:Create_Account| New Account]]
+===I get "Permission denied" when trying to access files I should (and used to earlier) have permissions on===
+Your Kerberos auth expired. Log out and back in again, or run 'kinit && aklog'. To keep your tokens from expiring, run kinit -R && aklog BEFORE they expire. If this is related to screen sessions, see the section on screen below.
 ==Email==
 ===How can I create a Mailman mailing list?===
-Log into the cluster and run create_mailinglist. Enter the listname when prompted. We will send you an email with your list password and admin link within a minute (may take longer to deliver depending on the series of tubes). Note that you, the account owner, will not be put on the created list by default, just set as its owner.
+Log into the cluster and run "mailman create listname".  See [[Documentation:Mailing_Lists|Mailman documentation]] for more information.
 ===Can I forward my email elsewhere?===
-Yes. Log in to the cluster and run [[Website:Utility_mail_forward| mail_forward]].  It will ask you questions, and use your answers to update your ldap delivery settings.
+Yes. Log in to the cluster and run [[Documentation:Email_Forwarding| mail_forward]].  It will ask you questions, and use your answers to update your ldap delivery settings.
-===What settings should I use for POP?===
-See [[Website:Email_Server_Settings#POP| POP Server Settings]]
-===What settings should I use for SMTP?===
-See [[Website:Email_Server_Settings#SMTP| SMTP Server Settings]]
-===What settings should I use for IMAP?===
+===What settings should I use for POP / IMAP / SMTP?===
-See [[Website:Email_Server_Settings#IMAP| IMAP Server Settings]]
+See [[Documentation:Email_Basics| Email Server Settings]]
 ===How do I access Webmail?===
 SquirrelMail (simple, fast, light interface):
-https://hermes.ugcs.caltech.edu/squirrelmail/src/login.php
+https://webmail.ugcs.caltech.edu/squirrelmail/
 Roundcube (more complex, drag-and-drop, desktop style interface):
-https://hermes.ugcs.caltech.edu/roundcube/
+https://webmail.ugcs.caltech.edu/
 ===How can I make Pine/Alpine work?===
-See [[Website:Pine| Pine setup]]
+See [[Documentation:Alpine| Pine setup]]
 ===How can I make Mutt work?===
-Mutt should work out of the box. If not, make sure you mail directory is set to ~/Maildir. At the moment, you cannot send mail from Mutt. We know what the problem is, but it's surprisingly complex. We're working on a fix, but this is lower priority than many critical services. Rest assured that Mutt will be supported.
+Mutt should work out of the box. If not, make sure you mail directory is set to ~/Maildir.
 ===How do I process my mail using procmail?===
-Because of the fact that the mail daemon has unlimited read/write privileges on users' mail directories but does not have access to user home directories, automatic invocation of procmail upon delivery of each piece of mail is both a security risk as well as being inefficient.  However, you may add something like the following to your .bashrc or similar script run on login to rearrange your mail using your own AFS tokens and permissions.
+We do not currently support procmail.   If you want, you can run this script as a [[Documentation:Cron|cron script]]
 Note: use this script at your own risk.
 <pre>
@@ Line 59: / Line 58: @@
 ===How can I connect to UGCS?===
-You can come in the lab and login at a machine, or SSH to to.caltech.edu (you can just use to if you're on campus)
+You can come in the lab and login at a machine, or SSH to to.caltech.edu (you can just use "to" if you're on campus )
-===Where can I find ssh utilities for Genuine(r) Microsoft(tm) Windows(tm) Vista Home, Vista Business, Vista Ultimate, Vista Starter, Vista Business 64, XP Home, XP Professional, XP Home SP3 and XP Professional SP3?===
+===How do I get out of the job listing screen when I first connect?===
-Putty, for getting a shell (http://www.chiark.greenend.org.uk/~sgtatham/putty/)
+Type 'q'
-WinSCP, for transfering files (http://www.google.com/search?q=winscp&ie=utf-8&oe=utf-8&aq=t&rls=com.ubuntu:en-US:official&client=firefox-a)
+===Where can I find ssh utilities for Windows?===
+We recommend [http://www.chiark.greenend.org.uk/~sgtatham/putty/ Putty] for getting a shell (ssh), and
+[http://winscp.net/eng/download.php WinSCP] or [http://filezilla-project.org/ FileZilla] for transfering files.
-There are other programs as well, some will even let you pay for them.
+There are other programs as well, some will even let you pay for them. Lucky you;)
 ===How can I connect to UGCS from unix machines (Mac OS X, BSD, Linux, etc)?===
@@ Line 71: / Line 73: @@
 ===Can I use UGCS as a network disk?===
-On Linux, you can install the program sshfs, then type sshfs username@to.caltech.edu: mountpoint. If you get permission denied, try sudo adduser <your local username> fuse and restarting X
+On Linux, you can install the program sshfs, then type sshfs username@to.caltech.edu: mountpoint. If you get permission denied, try sudo adduser <your local username> fuse and restarting X.
 When you're done, fusermount -u mountpoint will unmount it.
-Unfortunately, windows and os x do not support filesystems in userspace, though programs do exist to simulate it (I believe)
+You can also set up your computer to [[Documentation:AFS#Accessing AFS from home|access AFS remotely]]
-===How do I get out of the job listing screen when I first connect?===
+There are AFS clients for [http://www.openafs.org/windows.html Windows] and [http://www.openafs.org/macos.html OS X]
-q
+===How can I leave a job running in screen and retain filesystem permissions?===
+To prevent your screen sessions from losing filesystem permissions as soon as you logout, run "kinit -r 1d" in the screen BEFORE detaching and logging out. Use this with caution, as it will allow the screen session to keep your credentials for up to a year. Note that changing your password will invalidate all current tokens (this is a feature, not a bug).
 ==Webhosting==
@@ Line 85: / Line 89: @@
 /afs/ugcs/user/<username>/public/html, or at http://www.ugcs.caltech.edu/~username
-===My website uses data files that only that site should be able to access. How do I set this up?===
-It's actually pretty simple. Each user has an additional principal associated with them of the form username_cgi. All cgi scripts you run actually run as this principal. If you give that principal the requisite access to your files, your webapp should work. In general, you probably want to give the principal read, write, but not admin, so you would issue:
-fs setacl data_folder username_cgi write
-See [[Website:AFS#ACLs| AFS ACL's]] for more information
-===I'm sure the permissions are right, but my site still doesn't work.===
-The most common error we've seen after the permissions is that people used absolute paths from old ugcs which don't carry over. Specifically, where in old ugcs an absolute path to your home directory was /home/username, it is now /afs/ugcs/user/username. Please change your absolute paths accordingly.
-If your website still fails to work, and did before, contact sysadmins@ugcs.caltech.edu, as usual.
-===My CGI doesn't work===
-You probably have your perl interpreter set to /usr/ug/bin/perl.  We no longer have /usr/ug, so perl is where it should be in /usr/bin/perl.  Please update your scripts accordingly. See [[Website:Webhosting#Scripting| webhost scripting]] for more information.
 ===What about SQL Databases?===
-Every UGCS account comes standard with a Postgresql 8.2 database.  The host name is poseidon, and the database name is the same as your username.  You can use it with your CGI scripts without using a password; you can use Kerberos authentication to connect to your Postgres database from the cluster or elsewhere.  More information is available [[Website:Postgres|here]]
+Every UGCS account comes standard with a Postgresql 8.3 database.  See  [[Documentation:Postgres|Postgres on UGCS]] for more information.
 We have a MySQL server running on poseidon.  As we do not have an automated MySQL database creation system, you must [[Website:Contact| ask us]] for a MySQL database.
 ===How can I set up MediaWiki/Wordpress/Drupal/etc===
-If you want to use PostGres, you will need to select Kerberos authentication. If your application doesn't support this, you likely could patch it by changing the pg_connect in the code to not send a password.
+We fully support mediawiki and have some tools to help work with it- see [[Documentation:Mediawiki|UGCS Mediawiki support]]
-Alternatively, most of these applications support MySQL, so email sysadmins@ugcs.caltech.edu to get a MySQL database set up for your account, then use your username as the database name and username, and poseidon.ugcs.caltech.edu for the server. When we create the database we will create a file .mysqlpw in your home directory containing the MySQL database's password.
+Wordpress does not support Postgres, so you will need a MySQL database- [[Website:Contact|ask us]] for to get one set up.
-==Other==
+==Security==
+===Where can I find the UGCS CA key/SSL cert/SSH Hostkeys/PGP keys?===
+http://ca.ugcs.caltech.edu
-===Where is UGCS?===
+===Why does my mail client/browser complain that your certificate can't be trusted===
-UGCS is in the basement of Winnett, room 3.  It has a South Master lock on it.
+Most browsers and mail clients ship with a "preapproved" list of certificate authorities that can be used to validate sites. In addition to being critically flawed due to its reliance on a central (corporate) authority, signing standards vary from company to company. The only constant is that it costs a lot of money for a site to get signed, and this does nothing to assist the security of the user.
-===Am I allowed to do <something> on UGCS?===
+To this end, UGCS publishes its own CA key. If you care enough about security, you can verify it as being legitimate through the PGP web of trust through the sysadmin's keys. If you are not willing to put forth the effort, you should download it now and be very concerned should it ever change without a good explanation. (For example, we might have to issue a new certificate if part or all of UGCS were to be compromised.)
-Depends what <something> is.  Use of UGCS is subject to our [[Website:Acceptable_Use_Policy|Acceptable Use Policy]].  If you have any questions about it, please [[Website:Contact|ask a sysadmin]] about your use before you try it.
-#How_can_I_make_Pine.2FAlpine_work.3F
-===I get "Permission denied" when trying to access files I should (and used to earlier) have permissions on===
-Your Kerberos auth expired. Log out and back in again, or run 'kinit && aklog'. To keep your tokens from expiring, run kinit -R && aklog BEFORE they expire.
-===I forgot my password===
-See our [[Website:PasswordReset|Password Reset]] page
-===How can I get an account?===
-See [[Website:New_Account| New Account]]
-===I don't own my files===
-Your home directory is on an [[Website:AFS| AFS]] volume. The ownership does not matter - you have full read/write/administer [[Website:AFS#ACLs| AFS ACL's]] on your public directory.
-In AFS, with a few limited exceptions, file ownership does not matter; the ACL on the directory governs file access.
-If you're getting permission denied errors, make sure that you've either logged on recently, or that you've refreshed your AFS tickets using
-kinit and then aklog.
 ==Acceptable Use Policy and Copyright Infringement==
 ===What is the UGCS acceptable use policy?===
 Don't break the law, don't violate IMSS's policies, don't violate others' privacy, don't monopolize limited resources, don't crack our systems (though if you know a way, we'd love to have you let us know). Official wording: [[Website:Acceptable_Use_Policy| UGCS Acceptable Use Policy]]
 ===How does UGCS deal with claims of copyright infringement?===
 Those making the claim are required to provide us with all the usual information, and sufficient proof that a particular user is responsible. Since UGCS is a multiuser environment, a timestamp and IP address alone are not sufficient proof of infringing behavior. We provide encrypted hashes with all incoming and outgoing connections that we can use to identify the user responsible. Unfortunately, without this information there is no proof of infringing behavior and we are not able to take action. For our official policy, or to report a violation, please see our [[Website:Copyright|Copyrighted Material and DMCA Policy]].
 ===How does UGCS protect users from frivolous IP lawsuits?===
 As noted above, in addition to all the other information required we additionally require an identd hash to trace activity back to the user. If claimants fail to provide this information, we cannot necessarily determine which of the users on the machine at that time was responsible for the activity.

Website:FAQs