From: Christian Heller Date: Wed, 25 Sep 2024 02:16:14 +0000 (+0200) Subject: Update. X-Git-Url: https://plomlompom.com/repos/%7B%7B%20web_path%20%7D%7D/decks/%7B%7Bprefix%7D%7D/pick_tasks?a=commitdiff_plain;h=211392e1a65fd72fd93c9061296d17d6ea48c54b;p=config Update. --- diff --git a/bookworm/setup_scripts/init_user_and_keybased_login.sh b/bookworm/setup_scripts/init_user_and_keybased_login.sh index 3f73562..ad45834 100755 --- a/bookworm/setup_scripts/init_user_and_keybased_login.sh +++ b/bookworm/setup_scripts/init_user_and_keybased_login.sh @@ -8,20 +8,19 @@ # /etc/ssh/sshd_config. # # Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly -# configured sshd_config file in reach. +# configured sshd_config file in misc.sh:$linkable_files_dir set -e . ./misc.sh . ../../misc.sh expect_n_args 1 "(server)" "$@" server="$1" -linkable_files_dir="${config_tree_prefix}/etc_files/server" -system_path_sshd_config='/etc/ssh/sshd_config' -# has "PermitRootLogin no" and "PasswordAuthentication no". -local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}" + +# If we already knew that host … +ssh-keygen -f "/home/plom/.ssh/known_hosts" -R "${server}" # This will be used to log-in as root from plom account. -echo 'First, enter the old root password; then enter new password twice.' +echo 'First, enter the old root password; then enter new password three times.' ssh root@"${server}" "passwd" # Save root password for sshpass @@ -49,3 +48,4 @@ sshpass -e ssh root@"${server}" \ 'mv /tmp/authorized_keys /home/plom/.ssh/' sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}" sshpass -e ssh root@"${server}" 'service ssh restart' + diff --git a/bookworm/setup_scripts/init_user_login.sh b/bookworm/setup_scripts/init_user_login.sh index a0652eb..a36a5bd 100755 --- a/bookworm/setup_scripts/init_user_login.sh +++ b/bookworm/setup_scripts/init_user_login.sh @@ -1,19 +1,20 @@ #!/bin/sh +# This script turns a fresh server with password-based root access into +# one of only key-based access and only to new non-root account plom. # # CAUTION: This is optimized for a *fresh* setup. It will overwrite any -# old /etc/ssh/sshd_config. +# pre-existing ~/.ssh/authorized_keys of user plom with one that solely +# contains the local ~/.ssh/id_rsa.pub, and also any old +# /etc/ssh/sshd_config. # -# Dependencies: ssh, scp, properly configured sshd_config file in reach. +# Dependencies: ssh, scp, ~/.ssh/id_rsa.pub, properly configured sshd_config +# file in misc.sh:$linkable_files_dir set -e . ./misc.sh . ../../misc.sh expect_n_args 1 "(server)" "$@" server="$1" -linkable_files_dir="${config_tree_prefix}/etc_files/server" -system_path_sshd_config='/etc/ssh/sshd_config' -# has "PermitRootLogin no" and "PasswordAuthentication no". -local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}" # If we already knew that host … ssh-keygen -f "/home/plom/.ssh/known_hosts" -R "${server}" @@ -36,3 +37,4 @@ ssh root@"${server}" 'chown plom:plom /home/plom/.ssh/authorized_keys' # Set up SSH config and remove direct SSH login to root. scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}" ssh root@"${server}" 'rm -rf /root/.ssh && service ssh restart' + diff --git a/bookworm/setup_scripts/upgrade_from_bullseye.sh b/bookworm/setup_scripts/upgrade_from_bullseye.sh index 6a006e0..d7c07bd 100755 --- a/bookworm/setup_scripts/upgrade_from_bullseye.sh +++ b/bookworm/setup_scripts/upgrade_from_bullseye.sh @@ -2,11 +2,11 @@ . ./misc.sh apt update apt -y upgrade -apt --force-yes full-upgrade +apt -y full-upgrade path_sources_list="/etc/apt/sources.list" cp "${config_tree_prefix}/etc_files/all${path_sources_list}" "${path_sources_list}" apt clean apt update apt -y upgrade -apt --force-yes full-upgrade +apt -y -o Dpkg::Options::="--force-confnew" full-upgrade apt -y autoremove diff --git a/bullseye/setup_scripts/init_user_and_keybased_login.sh b/bullseye/setup_scripts/init_user_and_keybased_login.sh index a70c3ee..4fcc062 100755 --- a/bullseye/setup_scripts/init_user_and_keybased_login.sh +++ b/bullseye/setup_scripts/init_user_and_keybased_login.sh @@ -8,7 +8,7 @@ # /etc/ssh/sshd_config. # # Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly -# configured sshd_config file in reach. +# configured sshd_config file in misc.sh:$linkable_files_dir set -e . ./misc.sh . ../../misc.sh @@ -20,7 +20,7 @@ server="$1" ssh-keygen -f "/home/plom/.ssh/known_hosts" -R "${server}" # This will be used to log-in as root from plom account. -echo 'First, enter the old root password; then enter new password twice.' +echo 'First, enter the old root password; then enter new password three times.' ssh root@"${server}" "passwd" # Save root password for sshpass diff --git a/bullseye/setup_scripts/init_user_login.sh b/bullseye/setup_scripts/init_user_login.sh index 35abb90..b63d0d8 100755 --- a/bullseye/setup_scripts/init_user_login.sh +++ b/bullseye/setup_scripts/init_user_login.sh @@ -1,9 +1,14 @@ #!/bin/sh +# This script turns a fresh server with password-based root access into +# one of only key-based access and only to new non-root account plom. # # CAUTION: This is optimized for a *fresh* setup. It will overwrite any -# old /etc/ssh/sshd_config. +# pre-existing ~/.ssh/authorized_keys of user plom with one that solely +# contains the local ~/.ssh/id_rsa.pub, and also any old +# /etc/ssh/sshd_config. # -# Dependencies: ssh, scp, properly configured sshd_config file in reach. +# Dependencies: ssh, scp, ~/.ssh/id_rsa.pub, properly configured sshd_config +# file in misc.sh:$linkable_files_dir set -e . ./misc.sh . ../../misc.sh