2 # This script turns a fresh server with password-based root access into
3 # one that allows only key-based access, and only for the new non-root
# account plom.
5 # CAUTION: This is optimized for a *fresh* setup. It will overwrite any
6 # pre-existing ~/.ssh/authorized_keys of user plom with one that solely
7 # contains the local ~/.ssh/id_rsa.pub, and also any old
8 # /etc/ssh/sshd_config.
10 # Dependencies: ssh, scp, sshpass, a local ~/.ssh/id_rsa.pub, and a
11 # properly configured sshd_config at the local path set below.
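# Location of a sshd_config with "PermitRootLogin no" and
# "PasswordAuthentication no".
# Use $HOME rather than '~': tilde expansion never happens inside quotes,
# so a quoted '~/…' prefix would reach scp as a literal directory named
# "~" in the current directory and the copy would fail.
system_path_sshd_config='/etc/ssh/sshd_config'
config_tree_prefix="$HOME/config/all_new_2018/linkable_etc_files/server/"
# Strip the prefix's trailing slash so the joined path contains no "//".
local_path_sshd_config="${config_tree_prefix%/}$system_path_sshd_config"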
20 # Ensure we have a server name as argument.
22 echo "Need server as argument."
# The root password is asked for a single time; sshpass then reads it
# from the exported SSHPASS variable for every later connection (-e),
# which keeps it out of argv and the process list.
printf '%s' 'Server root password: '
SSHPASS="$PW_ROOT"
export SSHPASS
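# Create user plom and install the local ~/.ssh/id_rsa.pub as the sole
# entry of /home/plom/.ssh/authorized_keys, with ownership and modes that
# sshd's StrictModes accepts. Only after key login as plom is proven to
# work is sshd_config replaced and the daemon restarted. Every stage
# aborts the script on failure: swapping in a config that disables root
# and password login while plom's key is not yet usable would leave no
# way back into the server.
#
# ssh-copy-id would be a line or two shorter, but it would require
# setting a password for user plom that is otherwise never needed.
sshpass -e ssh root@"$server" \
  'useradd -m plom && '\
  'mkdir -m 700 /home/plom/.ssh && '\
  'chown plom:plom /home/plom/.ssh' \
  || { echo "Creating user plom failed; sshd_config left untouched." >&2; exit 1; }
# Copy the key straight to its final place rather than via a fixed,
# predictable name under /tmp that another local user could pre-create.
sshpass -e scp ~/.ssh/id_rsa.pub root@"$server":/home/plom/.ssh/authorized_keys \
  || { echo "Copying id_rsa.pub failed; sshd_config left untouched." >&2; exit 1; }
sshpass -e ssh root@"$server" \
  'chown plom:plom /home/plom/.ssh/authorized_keys && '\
  'chmod u=rw,go= /home/plom/.ssh/authorized_keys' \
  || { echo "Setting authorized_keys ownership failed; sshd_config left untouched." >&2; exit 1; }
# Prove that public-key login as plom actually works before root and
# password authentication are switched off.
ssh -o PreferredAuthentications=publickey -o PasswordAuthentication=no plom@"$server" true \
  || { echo "Key login as plom failed; sshd_config left untouched." >&2; exit 1; }
# Stage the new sshd_config next to the old one, let sshd validate it,
# and only then move it into place and restart. A config sshd rejects
# would otherwise take the daemon down on restart and lock everyone out.
sshpass -e scp "$local_path_sshd_config" root@"$server":"$system_path_sshd_config.new" \
  || { echo "Copying sshd_config failed; old config still active." >&2; exit 1; }
sshpass -e ssh root@"$server" \
  "sshd -t -f '$system_path_sshd_config.new' && "\
  "mv '$system_path_sshd_config.new' '$system_path_sshd_config' && "\
  'service ssh restart' \
  || { echo "sshd rejected the new config or failed to restart." >&2; exit 1; }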