2 # This script turns a fresh server with password-based root access to
3 # one of only key-based access and only to new non-root account plom.
5 # CAUTION: This is optimized for a *fresh* setup. It will overwrite any
6 # pre-existing ~/.ssh/authorized_keys of user plom with one that solely
7 # contains the local ~/.ssh/id_rsa.pub, and also any old
8 # /etc/ssh/sshd_config.
10 # Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub
13 # Ensure we have a server name as argument.
15 echo "Need server as argument."
20 # Ask for root password only once, sshpass will re-use it then often.
22 printf "Server root password: "
26 export SSHPASS="$PW_ROOT"
28 # Create user plom, and his ~/.ssh/authorized_keys based on the local
29 # ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
30 # ownerships. Then disable root and pw login, and restart ssh daemon.
32 # This could be a line or two shorter by using ssh-copy-id, but that
33 # would require setting a password for user plom otherwise not needed.
34 sshpass -e scp ~/.ssh/id_rsa.pub root@"$server":/tmp/authorized_keys
35 sshpass -e ssh root@"$server" \
36 'useradd -m plom && '\
37 'mkdir /home/plom/.ssh && '\
38 'chown plom:plom /tmp/authorized_keys && '\
39 'chmod u=rw,go= /tmp/authorized_keys && '\
40 'mv /tmp/authorized_keys /home/plom/.ssh/'
41 sshpass -e scp sshd_config root@"$server":/etc/ssh/sshd_config
42 sshpass -e ssh root@"$server" 'service ssh restart'