From: Christian Heller
Date: Tue, 13 Nov 2018 21:41:53 +0000 (+0100)
Subject: Extend new setup.
X-Git-Url: https://plomlompom.com/repos/%7B%7B%20web_path%20%7D%7D/decks/%7B%7Bdb.prefix%7D%7D/static/blog?a=commitdiff_plain;h=753f7f64a8295dac2ab15cf227396529441870a5;p=config

Extend new setup.
---
diff --git a/all_new_2018/init_user_and_keybased_login.sh b/all_new_2018/init_user_and_keybased_login.sh
new file mode 100755
index 0000000..5fa7831
--- /dev/null
+++ b/all_new_2018/init_user_and_keybased_login.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+# This script turns a fresh server with password-based root access to
+# one of only key-based access and only to new non-root account plom.
+#
+# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
+# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
+# contains the local ~/.ssh/id_rsa.pub, and also any old
+# /etc/ssh/sshd_config.
+#
+# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly
+# configured sshd_config file in reach.
+set -e
+
+# Location auf a sshd_config with "PermitRootLogin no" and
+# "PasswordAuthentication no".
+system_path_sshd_config='/etc/ssh/sshd_config'
+config_tree_prefix='~/config/all_new_2018/linkable_etc_files/server/'
+local_path_sshd_config="$config_tree_prefix""$system_path_sshd_config"
+
+# Ensure we have a server name as argument.
+if [ $# -eq 0 ]; then
+ echo "Need server as argument."
+ false
+fi
+server="$1"
+
+# Ask for root password only once, sshpass will re-use it then often.
+stty -echo
+printf "Server root password: "
+read PW_ROOT
+stty echo
+printf "\n"
+export SSHPASS="$PW_ROOT"
+
+# Create user plom, and his ~/.ssh/authorized_keys based on the local
+# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
+# ownerships. Then disable root and pw login by copying over the
+# sshd_config and restart ssh daemon.
+#
+# This could be a line or two shorter by using ssh-copy-id, but that
+# would require setting a password for user plom otherwise not needed.
+sshpass -e scp ~/.ssh/id_rsa.pub root@"$server":/tmp/authorized_keys
+sshpass -e ssh root@"$server" \
+ 'useradd -m plom && '\
+ 'mkdir /home/plom/.ssh && '\
+ 'chown plom:plom /tmp/authorized_keys && '\
+ 'chmod u=rw,go= /tmp/authorized_keys && '\
+ 'mv /tmp/authorized_keys /home/plom/.ssh/'
+sshpass -e scp "$local_path_sshd_config" root@"$server":"$system_path_sshd_config"
+sshpass -e ssh root@"$server" 'service ssh restart'
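Review bot: `config_tree_prefix='~/config/all_new_2018/linkable_etc_files/server/'` keeps the tilde literal (no tilde expansion inside quotes), so the later `scp "$local_path_sshd_config" …` looks for a file literally named `~/config/…` relative to the working directory and fails; under `set -e` that aborts after user plom and his key are already in place but before the hardened sshd_config is installed, leaving root password login enabled. Use `config_tree_prefix="$HOME/config/all_new_2018/linkable_etc_files/server"` (concatenating `/etc/ssh/sshd_config` then also avoids the doubled slash). Independently, `stty -echo` is never undone if the script dies early; `trap 'stty echo' EXIT` placed just before it keeps the terminal usable, and `read -r PW_ROOT` stops backslashes in the password from being interpreted. The comment `# Location auf a sshd_config` should read `of`.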
diff --git a/all_new_2018/init_user_and_keybased_login/init_user_and_keybased_login.sh b/all_new_2018/init_user_and_keybased_login/init_user_and_keybased_login.sh
deleted file mode 100755
index 0524a35..0000000
--- a/all_new_2018/init_user_and_keybased_login/init_user_and_keybased_login.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/sh
-# This script turns a fresh server with password-based root access to
-# one of only key-based access and only to new non-root account plom.
-#
-# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
-# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
-# contains the local ~/.ssh/id_rsa.pub, and also any old
-# /etc/ssh/sshd_config.
-#
-# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub
-set -e
-
-# Ensure we have a server name as argument.
-if [ $# -eq 0 ]; then
- echo "Need server as argument."
- false
-fi
-server="$1"
-
-# Ask for root password only once, sshpass will re-use it then often.
-stty -echo
-printf "Server root password: "
-read PW_ROOT
-stty echo
-printf "\n"
-export SSHPASS="$PW_ROOT"
-
-# Create user plom, and his ~/.ssh/authorized_keys based on the local
-# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
-# ownerships. Then disable root and pw login, and restart ssh daemon.
-#
-# This could be a line or two shorter by using ssh-copy-id, but that
-# would require setting a password for user plom otherwise not needed.
-sshpass -e scp ~/.ssh/id_rsa.pub root@"$server":/tmp/authorized_keys
-sshpass -e ssh root@"$server" \
- 'useradd -m plom && '\
- 'mkdir /home/plom/.ssh && '\
- 'chown plom:plom /tmp/authorized_keys && '\
- 'chmod u=rw,go= /tmp/authorized_keys && '\
- 'mv /tmp/authorized_keys /home/plom/.ssh/'
-sshpass -e scp sshd_config root@"$server":/etc/ssh/sshd_config
-sshpass -e ssh root@"$server" 'service ssh restart'
diff --git a/all_new_2018/init_user_and_keybased_login/sshd_config b/all_new_2018/init_user_and_keybased_login/sshd_config
deleted file mode 100644
index 1169f74..0000000
--- a/all_new_2018/init_user_and_keybased_login/sshd_config
+++ /dev/null
@@ -1,127 +0,0 @@
-# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-Port 22
-Port 443 # used for networks where 22 is banned
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin no
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# Expect .ssh/authorized_keys2 to be disregarded by default in future.
-#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin yes
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-X11Forwarding yes
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation sandbox
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-# override default of no subsystems
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
-
-ClientAliveInterval 120
-PasswordAuthentication no
diff --git a/all_new_2018/limit_packages/99_minimize_dependencies b/all_new_2018/limit_packages/99_minimize_dependencies
deleted file mode 100644
index 4aaef79..0000000
--- a/all_new_2018/limit_packages/99_minimize_dependencies
+++ /dev/null
@@ -1,4 +0,0 @@
-APT::AutoRemove::RecommendsImportant "false";
-APT::AutoRemove::SuggestsImportant "false";
-APT::Install-Recommends "false";
-APT::Install-Suggests "false";
diff --git a/all_new_2018/linkable_etc_files/all/etc/apt/apt.conf.d/99_minimize_dependencies b/all_new_2018/linkable_etc_files/all/etc/apt/apt.conf.d/99_minimize_dependencies
new file mode 100644
index 0000000..4aaef79
--- /dev/null
+++ b/all_new_2018/linkable_etc_files/all/etc/apt/apt.conf.d/99_minimize_dependencies
@@ -0,0 +1,4 @@
+APT::AutoRemove::RecommendsImportant "false";
+APT::AutoRemove::SuggestsImportant "false";
+APT::Install-Recommends "false";
+APT::Install-Suggests "false";
diff --git a/all_new_2018/linkable_etc_files/all/etc/apt/sources.list b/all_new_2018/linkable_etc_files/all/etc/apt/sources.list
new file mode 100644
index 0000000..68064c6
--- /dev/null
+++ b/all_new_2018/linkable_etc_files/all/etc/apt/sources.list
@@ -0,0 +1,4 @@
+deb http://deb.debian.org/debian stretch main contrib non-free
+deb http://deb.debian.org/debian-security/ stretch/updates main contrib non-free
+deb http://deb.debian.org/debian stretch-updates main contrib non-free
+deb http://ftp.debian.org/debian stretch-backports main contrib non-free
\ No newline at end of file
diff --git a/all_new_2018/linkable_etc_files/server/etc/ssh/sshd_config b/all_new_2018/linkable_etc_files/server/etc/ssh/sshd_config
new file mode 100644
index 0000000..b72e311
--- /dev/null
+++ b/all_new_2018/linkable_etc_files/server/etc/ssh/sshd_config
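Review bot: In the new sources.list the stretch-backports entry points at `ftp.debian.org` while the three entries above it use `deb.debian.org`, and the file ends without a trailing newline (`\ No newline at end of file`). Both are easy to normalize: `deb http://deb.debian.org/debian stretch-backports main contrib non-free` followed by a final newline, so that a later append to the file does not get glued onto the last entry.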
@@ -0,0 +1,127 @@
+# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Port 22
+Port 443 # used for networks where 22 is banned
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin yes
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation sandbox
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+
+ClientAliveInterval 120
+PasswordAuthentication no
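Review bot: The two directives that carry the hardening, `ClientAliveInterval 120` and `PasswordAuthentication no` on the last two lines of the hunk, sit below the commented `#Match User anoncvs` example; sshd treats every directive after a `Match` line as part of that block, so uncommenting the example for any reason would silently scope `PasswordAuthentication no` to that one user and leave password login enabled for everyone else. Move both up beside their commented defaults (`#PasswordAuthentication yes`, `#ClientAliveInterval 0`), or at least mark the tail with `# Global overrides: keep above any Match block`. `X11Forwarding yes` is also switched on in what the tree labels the server profile; unless graphical clients are expected there, the default of no is the smaller surface. The removed copy in the old location had the same layout, so this is a pre-existing point the relocation carries over.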
diff --git a/all_new_2018/symlink_etc.sh b/all_new_2018/symlink_etc.sh
new file mode 100644
index 0000000..238d136
--- /dev/null
+++ b/all_new_2018/symlink_etc.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+# Symbolically link files to those under linkable_etc_files/$1/, e.g.
+# link /etc/foo/bar to linkable_etc_files/$1/etc/foo/bar. Create
+# directories as necessary.
+# CAUTION: This removes original files at the affected paths.
+set -e
+
+target="$1"
+config_tree_prefix="~/config/all_new_2018/linkable_etc_files/"
+cd "$config_tree_prefix""$target"
+for path in $(find .); do
+ dest=$(echo "$path" | cut -c2-)
+ ln -fs "$path" "$dest"
+done
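Review bot: symlink_etc.sh cannot run as written: `config_tree_prefix="~/config/…"` is not tilde-expanded inside double quotes so the `cd` fails, and even with that fixed `find .` yields `.` first, whose `cut -c2-` result is empty and makes `ln -fs . ""` abort the script under `set -e`. The loop would also link directories rather than only files, and `ln -fs "$path" "$dest"` stores the relative `./etc/foo/bar` inside the link, which resolves relative to `/etc/foo/` and therefore dangles; the parent-directory creation promised in the header comment is missing as well. Word-splitting `$(find .)` additionally breaks on paths containing whitespace. The rewrite below uses `$HOME`, restricts the walk to regular files, creates parents and links to the absolute source path (paths containing newlines would still need a `-print0` loop, which plain `sh` cannot read).
```shell
target="$1"
config_tree_prefix="$HOME/config/all_new_2018/linkable_etc_files"
cd "$config_tree_prefix/$target"
find . -type f | while IFS= read -r path; do
  dest=${path#.}                  # ./etc/foo/bar -> /etc/foo/bar
  mkdir -p "$(dirname "$dest")"
  ln -fs "$PWD$dest" "$dest"
done
```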