This is a rough recipe to install a clean Debian GNU/Linux system which includes NoCatAuth and all of the necessary software to turn a NewCloneArmyBox (or, actually, any spare machine with two network interfaces) into a powerful node.

This document is based on a set of rough notes taken by JeffWillard and DarrinEden during a couple of installations in a lab environment, directed by KeeganQuinn.

Debian Installation

The first part of the installation is nothing special; install Debian GNU/Linux by any means. This procedure is well-documented:

http://www.debian.org/releases/stable/i386/install

While it may seem intimidating, that guide is very complete and effective.

The rest of this document refers specifically to procedures that apply to Debian GNU/Linux version 3.0, codename "woody".

On NewCloneArmyBox hardware, we recommend using the 'bf24' kernel for installation, which is accomplished by simply entering 'bf24' at the very first 'boot:' prompt. Also, to configure the Ethernet interfaces on NewCloneArmyBox hardware, during the "Configure Device Drivers" stage of installation, navigate to the 'devices/net' section and choose the 'de4x5' driver.

Debian 'unstable'

KeeganQuinn often uses the 'unstable' distribution of Debian GNU/Linux, described here:

http://www.debian.org/releases/sid/

Using this distribution is not necessary to get a fully working NewCloneArmyBox! It can, however, provide you with more up-to-date software in situations which require it. The procedure for installing 'unstable' used to be documented here, but has been removed, as it should not be attempted by users who are not familiar with the potential issues.

After the Base Installation

After working through base-config, you are left at a login: prompt. Log in with the user account you created, then use the 'su' command to gain superuser rights. At that point, you should install some basic system software:

apt-get install lynx ssh sudo ssmtp

For PTP nodes, be sure to allow only SSH protocol 2; for SSMTP, have the configuration files automatically overwritten, send mail to 'postmaster', use "mail.personaltelco.net" as a mail hub, and masquerade as "personaltelco.net". It is safe to accept the defaults for any other questions.

You may want to add additional user accounts with the 'adduser' command, and give yourself or other users superuser access with the 'visudo' command.

At this point, it is safe to remove the console and CD-ROM drive from the machine, and continue the configuration "headless." This is often useful if you are configuring a batch of machines at one time.

Software installation

You'll want to get a couple of packages to get started.

apt-get install grub wget

Next, install a configuration file which will be recognized by the Debian kernel packages:

cd /etc
wget http://rune.thebasement.org/~ice/kernel-img.conf

Until KeeganQuinn's NoCatAuth packages for Debian are available in the main tree, you'll need to add a secondary APT source.

echo "deb http://rune.thebasement.org/~ice/debian keegan main" >> /etc/apt/sources.list
apt-get update

At this point, we're ready to install all of the necessary packages.

apt-get install kernel-image-2.4.18-1-k6 snmpd dhcp nocatauth-gateway aide dnsmasq
apt-get clean

There, that wasn't so bad, was it?

Now, we can remove some unnecessary things. Of them, only lilo is potentially harmful if kept around.

dpkg -P lilo libpcre3 libident libldap2 libsasl7 setserial base-config \
manpages man-db groff-base modconf tasksel pppconfig pppoeconf pppoe \
ppp gettext-base syslinux nano ed info libpcap0

Last, but certainly not least, we need to GRUB set up, and clean out the remnants of LILO and the original installer kernel.

rm /vmlinuz /vmlinuz.old /boot/boot.* /boot/map /boot/*-bf2.4
rmdir /cdrom /initrd /lost+found /mnt /opt
rm -rf /lib/modules/2.4.18-bf2.4
grub-install /dev/hda # (sometimes this is required twice)
update-grub # (enter 'y' at the prompt)
vi /boot/grub/menu.list # (change hd0,0 to hd0,1 and hda1 to hda2)
update-grub

System Configuration

Finally, you will need to configure any secondary network interfaces, the DHCP server, and NoCatAuth. The relevant configuration files are usually /etc/modules, /etc/network/interfaces, /etc/dhcpd.conf, /etc/nocatauth/gateway/nocat.conf, /etc/default/dhcp, and /etc/default/nocatauth-gateway. The values you need to change vary between installations, but the relevant configuration files are fairly self-explanitory.

Good luck, and have fun!

Integrity checking

Our current approach uses SSMTP and AIDE to transmit nightly integrity check reports

Leftover notes

All of this needs to be cleaned up and much of it is obsolete. YMMV -- KeeganQuinn

The NoCat Install

Installing the PTPnet Node Files

/usr/local/nocat/nocat.conf

###### gateway.conf -- NoCatAuth Gateway Configuration.
#
# Format of this file is: <Directive> <Value>, one per
#   line. Trailing and leading whitespace is ignored. Any
#   line beginning with a punctuation character is assumed to
#   be a comment.

###### General settings.
#
# See the bottom of this file for options for logging to syslog.
#
# Log verbosity -- 0 is (almost) no logging. 10 is log
#   everything. 5 is probably a safe middle road.
#
Verbosity       10

##### Gateway application settings.
#
# GatewayName -- The name of this gateway, to be optionally displayed
#   on the splash and status pages. Any short string of text will do.
#
GatewayName     Personal Telco Project

##
#
# GatewayMode -- Determines the mode of operation of the gateway. Possible
#   values are:
#   
#   Captive     - Allow authentication against an auth service. LEGACY.
#   Passive     - Like Captive, but YOU MUST USE THIS if your gateway 
#                   is behind a NAT. Will work anyway if not. *RECOMMENDED*.
#   Open        - Simply require a user to view a splash page and accept 
#                   a use agreement.
#
# If Captive or Passive Mode is set, you will need to have values set for
#   AuthServiceAddr, AuthServiceURL, and LogoutURL. You will want to leave a
#   short value for LoginTimeout (probably <600).
#
# If Open Mode is set, you will need to have values set for SplashForm,
#   HomePage, and possibly DocumentRoot (or provide an absolute path for
#   SplashForm).  Also, you will want to set a large value for LoginTimeout
#   (probably >3600).
#
GatewayMode     Open

##
# GatewayLog -- Optional.  If unset, messages will go to STDERR.
#
GatewayLog      /var/log/nocat.log

##
# LoginTimeout - Number of seconds after a client's last
#   login/renewal to terminate their connection. Probably
#   don't want to set this to less than 60 or a lot of 
#   bandwidth is likely to get consumed by the client's
#   renewal attempts. Defaults to 300 seconds.
#
# For Captive Mode, you want to set this to something
#   fairly short (like 10 minutes) to prevent connection
#   spoofing.  
#
# LoginTimeout  600

# For Open Mode portals, you probably want to comment out
#   the preceding and set LoginTimeout to 
#   something large (like 86400, for one notification
#   per day).
#
LoginTimeout    86400

###### Open Portal settings.
#
##
# HomePage -- The authservice's notion of a default
#   redirect.
#
HomePage        http://personaltelco.net/

# DocumentRoot -- Where all of the application templates (including
#   SplashPage) are hiding. Can be different from Apache's DocumentRoot.
#
DocumentRoot    /usr/local/nocat/htdocs

# SplashForm -- Form displayed to users on capture.
#
SplashForm      splash.html

# StatusForm -- Page displaying status of logged in users.
#
StatusForm      status.html


###### Active/Passive Portal settings.
#
##
# TrustedGroups - A list of groups registered with the auth server
#   that a user may claim membership in order to gain Member-class
#   access through this portal. The default magic value "Any" indicates
#   that a member of *any* group is granted member-class access from
#   this gateway.
#
# TrustedGroups NoCat NYCWireless PersonalTelco
#
TrustedGroups Any

##
# Owners - Optional.  List all local "owner" class users here, separated 
#   by spaces.  Owners typically get full bandwidth, and unrestricted
#   access to all network resources.
#
# Owners rob@nocat.net schuyler@nocat.net

##
# AuthServiceAddr - Required, for captive mode. Must be set to the address of
#   your authentication service. You must use an IP address
#   if DNS resolution isn't available at gateway startup.
#
# AuthServiceAddr 208.201.239.21
#
#AuthServiceAddr        auth.nocat.net

##
# AuthServiceURL - HTTPS URL to the login script at the authservice. 
#
#AuthServiceURL  https://$AuthServiceAddr/cgi-bin/login

##
# LogoutURL - HTTP URL to redirect user after logout.
#
LogoutURL       https://$AuthServiceAddr/logout.html

### Network Topology
#
# ExternalDevice - Required if and only if NoCatAuth can't figure it out
#   from looking at your routing tables and picking the interface
#   that carries the default route. Must be set to the interface
#   connected to the Internet. Usually 'eth0' or 'eth1'
#   under Linux, or maybe even 'ppp0' if you're running
#   PPP or PPPoE.
#
ExternalDevice  eth0

##
# InternalDevice - Required if and only if you have ethernet devices
#   on your gateway besides your wireless device and your 'Net connection.
#   Must be set to the interface connected to your local network, normally
#   your wireless card. In Linux, some wireless devices are named 'wvlan0'
#   or 'wlan0' rather than 'ethX'.
#
InternalDevice  br0

##
# LocalNetwork - Required if and only if NoCatAuth can't figure out
#   the network address of your local (probably wireless) network,
#   given your InternalDevice(s). Must be set to the network
#   address and net mask of your internal network. You
#   can use the number of bits in the netmask (e.g. /16, /24, etc.)
#   or the full x.x.x.x specification.
#
# LocalNetwork  10.0.1.0/24

##
# DNSAddr - Optional. *If* you choose not to run DNS on your internal network,
#   specify the address(es) of one or more domain name server on the Internet
#   that wireless clients can use to get out. Should be the same DNS that your
#   DHCP server hands out. If left blank, NoCatAuth will presume that you
#   want to use whatever nameservers are listed in /etc/resolv.conf.
#
# DNSAddr 111.222.333.444

##
# AllowedWebHosts - Optional.  List any domains that you would like to
#   allow web access (TCP port 80 and 443) BEFORE logging in (this is the
#   pre-'skip' stage, so be careful about what you allow.)
#
# AllowedWebHosts       nocat.net

##
# RouteOnly - Required only if you DO NOT want your gateway to act as a NAT. 
#   Uncomment this only if you're running a strictly routed network, and
#   don't need the gateway to enable NAT for you.
#
# RouteOnly     1

##
# IgnoreMAC - Set this if and only if the NoCat gateway isn't directly
#   connected (or bridged at Layer 2) to your internal (usually wireless)
#   network. In that event, the gateway won't be able to match clients based
#   on MAC address, and will fall back to using IPs only. This is 
#   theoretically less secure, as IP addresses are usually easier to spoof
#   than MAC addresses, so don't use this unless you know what you're doing.
#
# IgnoreMAC     1

##
# MembersOnly - Optional.  Uncomment this if you want to disable public
#   access (i.e. unauthenticated 'skip' button access).  You'll also want to
#   point AuthServiceURL somewhere that doesn't include a skip button (like
#   at your own Auth server.)
#
# MembersOnly   1

##
# IncludePorts - Optional.  Specify TCP ports to allow access to when 
#   public class users login.  All others will be denied.
#
#   For a list of common services and their respective port numbers, see 
#   your /etc/services file. Depending on your firewall, you might even
#   be able to specify said services here, instead of using port numbers.
#
# IncludePorts    22 80 443

##
# ExcludePorts - Optional.  Specify TCP ports to denied access to when
#   public class users login.  All others will be allowed.
#
#   Note that you should use either IncludePorts or ExcludePorts, but not
#   both.  If neither is specified, access is granted to all ports to
#   public class users.
#
#   You should *always* exclude port 25, unless you want to run an portal
#   for wanton spam sending. Users should have their own way of sending
#   mail. It sucks, but that's the way it is. Comment this out *only if*
#   you're using IncludePorts instead.
#
# ExcludePorts 23 25 111
#
ExcludePorts    25

####### Syslog Options -- alter these only if you want NoCat to log to the
#        system log!
#
# Log Facility - syslog or internal.  Internal sends log messages
#    using the GatewayLog or STDERR if GatewayLog is unset.  Syslog
#    sends all messages to the system log.
#
# LogFacility   internal

##
# SyslogSocket - inet or unix.  Inet connects to an inet socket returned
#    by getsrvbyname().  Unix connects to a unix domain socket returned by 
#    _PATH_LOG in syslog.ph (typically /dev/log).  Defaults to unix.
#
# SyslogSocket unix

##
# SyslogOptions - Zero or more of the words pid, ndelay, cons, nowait
#    Defaults to "cons,pid". 
#
# SyslogOptions cons,pid

##
# SyslogPriority - The syslog class of message to use:  In decreasing importance,
#    the typical priorities are EMERG, ALERT, CRIT, ERR, WARNING, NOTICE, INFO, 
#    and DEBUG.  Defaults to INFO.
#
# SyslogPriority INFO

##
# SyslogFacility - The facility used to log messages.  Defaults to user.
# SyslogFacility user

##
# SyslogIdent - The ident of the program that is calling syslog.  This will
#    be prepended to every log entry made by NoCat.  Defaults to NoCat.
#
# SyslogIdent NoCat

###### Other Common Gateway Options. (stuff you probably won't have to change)
#
# ResetCmd, PermitCmd, DenyCmd -- Shell commands to reset,
#   open and close the firewall. You probably don't need to
#   change these.
#
# ResetCmd      initialize.fw
# PermitCmd     access.fw permit $MAC $IP $Class 
# DenyCmd       access.fw deny $MAC $IP $Class 

##
# GatewayPort - The TCP port to bind the gateway 
#   service to. 5280 is de-facto standard for NoCatAuth.
#   Change this only if you absolutely need to.
#
# GatewayPort     5280

##
# PGPKeyPath -- The directory in which PGP keys are stored.
#   NoCat tries to find this in the pgp/ directory above
#   the bin/ parent directory. Set this only if you put it
#   somewhere that NoCat doesn't expect.
#
# PGPKeyPath    /usr/local/nocat/pgp

##
# MessageVerify -- Shell command to verify a PGP signed
#   message. The actual message is delivered to the
#   command's standard input. NoCat tries to find gpg
#   and gpgv in your path. Set these only if you need to find 
#   them elsewhere.
#
# GpgvPath      /usr/bin/gpgv
#
# MessageVerify $GpgvPath --homedir=$PGPKeyPath 2>/dev/null

##
#
# IdleTimeout -- How often to check the ARP cache, in seconds,
#   for expiration of idle clients.
#
# MaxMissedARP -- How many times a client can be missing from
#   the ARP cache before we assume they've gone away, and log them
#   out. Set to 0 to disable logout based on ARP cache expiration.
# 
# MaxMissedARP  2
#
# IdleTimeout   300

### Fin!   

Discussion