From 211392e1a65fd72fd93c9061296d17d6ea48c54b Mon Sep 17 00:00:00 2001
From: Christian Heller <c.heller@plomlompom.de>
Date: Wed, 25 Sep 2024 04:16:14 +0200
Subject: [PATCH] Update.

---
 .../setup_scripts/init_user_and_keybased_login.sh  | 12 ++++++------
 bookworm/setup_scripts/init_user_login.sh          | 14 ++++++++------
 bookworm/setup_scripts/upgrade_from_bullseye.sh    |  4 ++--
 .../setup_scripts/init_user_and_keybased_login.sh  |  4 ++--
 bullseye/setup_scripts/init_user_login.sh          |  9 +++++++--
 5 files changed, 25 insertions(+), 18 deletions(-)

diff --git a/bookworm/setup_scripts/init_user_and_keybased_login.sh b/bookworm/setup_scripts/init_user_and_keybased_login.sh
index 3f73562..ad45834 100755
--- a/bookworm/setup_scripts/init_user_and_keybased_login.sh
+++ b/bookworm/setup_scripts/init_user_and_keybased_login.sh
@@ -8,20 +8,19 @@
 # /etc/ssh/sshd_config.
 #
 # Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly
-# configured sshd_config file in reach.
+# configured sshd_config file in misc.sh:$linkable_files_dir
 set -e
 . ./misc.sh
 . ../../misc.sh
 
 expect_n_args 1 "(server)" "$@"
 server="$1"
-linkable_files_dir="${config_tree_prefix}/etc_files/server"
-system_path_sshd_config='/etc/ssh/sshd_config'
-# has "PermitRootLogin no" and "PasswordAuthentication no".
-local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}"
+
+# If we already knew that host …
+ssh-keygen -f "/home/plom/.ssh/known_hosts" -R "${server}"
 
 # This will be used to log-in as root from plom account.
-echo 'First, enter the old root password; then enter new password twice.'
+echo 'First, enter the old root password; then enter new password three times.'
 ssh root@"${server}" "passwd"
 
 # Save root password for sshpass
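Review bot: The added `ssh-keygen -f "/home/plom/.ssh/known_hosts" -R "${server}"` discards the pinned host key unconditionally, and the next command, `ssh root@"${server}" "passwd"`, then has the old and new root passwords typed into a session whose host key is new to the client. With default client settings ssh only asks the operator to accept that key, so the check rests on the operator comparing the fingerprint. I would say so in the comment, e.g. `# Drops the pinned key: compare the fingerprint ssh shows with the one from the provider console before typing any password.` The path also hard-codes `/home/plom` while the header refers to `~/.ssh/id_rsa.pub`; `"${HOME}/.ssh/known_hosts"` would keep the two consistent. The script continues past the end of this hunk.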
@@ -49,3 +48,4 @@ sshpass -e ssh root@"${server}" \
         'mv /tmp/authorized_keys /home/plom/.ssh/'
 sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"
 sshpass -e ssh root@"${server}" 'service ssh restart'
+
diff --git a/bookworm/setup_scripts/init_user_login.sh b/bookworm/setup_scripts/init_user_login.sh
index a0652eb..a36a5bd 100755
--- a/bookworm/setup_scripts/init_user_login.sh
+++ b/bookworm/setup_scripts/init_user_login.sh
@@ -1,19 +1,20 @@
 #!/bin/sh
+# This script turns a fresh server with password-based root access into
+# one of only key-based access and only to new non-root account plom.
 #
 # CAUTION: This is optimized for a *fresh* setup. It will overwrite any
-# old /etc/ssh/sshd_config.
+# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
+# contains the local ~/.ssh/id_rsa.pub, and also any old
+# /etc/ssh/sshd_config.
 #
-# Dependencies: ssh, scp, properly configured sshd_config file in reach.
+# Dependencies: ssh, scp, ~/.ssh/id_rsa.pub, properly configured sshd_config
+# file in misc.sh:$linkable_files_dir
 set -e
 . ./misc.sh
 . ../../misc.sh
 
 expect_n_args 1 "(server)" "$@"
 server="$1"
-linkable_files_dir="${config_tree_prefix}/etc_files/server"
-system_path_sshd_config='/etc/ssh/sshd_config'
-# has "PermitRootLogin no" and "PasswordAuthentication no".
-local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}"
 
 # If we already knew that host …
 ssh-keygen -f "/home/plom/.ssh/known_hosts" -R "${server}"
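Review bot: With the definitions of `linkable_files_dir`, `system_path_sshd_config` and `local_path_sshd_config` removed here, the later `scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"` depends on one of the two sourced misc.sh files setting them, and neither file is part of this patch. The script runs with `set -e` only, so an unset name would expand to an empty string rather than stop the run before the server's SSH configuration is touched. A guard right after the two `.` lines makes the dependency explicit: `: "${local_path_sshd_config:?}" "${system_path_sshd_config:?}"`. The first hunk of bookworm/setup_scripts/init_user_and_keybased_login.sh removes the same definitions and would need the same guard. The removed comment stating that the file has "PermitRootLogin no" and "PasswordAuthentication no" was the only note on what the copied config must contain, so it is worth carrying over into the new header text.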
@@ -36,3 +37,4 @@ ssh root@"${server}" 'chown plom:plom /home/plom/.ssh/authorized_keys'
 # Set up SSH config and remove direct SSH login to root.
 scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"
 ssh root@"${server}" 'rm -rf /root/.ssh && service ssh restart'
+
diff --git a/bookworm/setup_scripts/upgrade_from_bullseye.sh b/bookworm/setup_scripts/upgrade_from_bullseye.sh
index 6a006e0..d7c07bd 100755
--- a/bookworm/setup_scripts/upgrade_from_bullseye.sh
+++ b/bookworm/setup_scripts/upgrade_from_bullseye.sh
@@ -2,11 +2,11 @@
 . ./misc.sh
 apt update
 apt -y upgrade
-apt --force-yes full-upgrade
+apt -y full-upgrade
 path_sources_list="/etc/apt/sources.list"
 cp "${config_tree_prefix}/etc_files/all${path_sources_list}" "${path_sources_list}"
 apt clean
 apt update
 apt -y upgrade
-apt --force-yes full-upgrade
+apt -y -o Dpkg::Options::="--force-confnew" full-upgrade
 apt -y autoremove
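Review bot: `-o Dpkg::Options::="--force-confnew"` on the second `full-upgrade` makes dpkg replace every locally modified conffile with the packaged version without asking, so hardening previously applied to files under /etc can be reverted by this run. dpkg keeps the replaced files as `*.dpkg-old`; listing them afterwards with `find /etc -name '*.dpkg-old' -print`, plus a comment saying why the new versions are wanted, would make the overwrite reviewable. Neither `full-upgrade` sets `DEBIAN_FRONTEND=noninteractive`, so debconf prompts can presumably still block an unattended run. Line 1 of the script is outside the hunk, so whether `set -e` is in effect cannot be seen here; without it a failed `cp` of sources.list would not stop the second upgrade.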
diff --git a/bullseye/setup_scripts/init_user_and_keybased_login.sh b/bullseye/setup_scripts/init_user_and_keybased_login.sh
index a70c3ee..4fcc062 100755
--- a/bullseye/setup_scripts/init_user_and_keybased_login.sh
+++ b/bullseye/setup_scripts/init_user_and_keybased_login.sh
@@ -8,7 +8,7 @@
 # /etc/ssh/sshd_config.
 #
 # Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly
-# configured sshd_config file in reach.
+# configured sshd_config file in misc.sh:$linkable_files_dir
 set -e
 . ./misc.sh
 . ../../misc.sh
@@ -20,7 +20,7 @@ server="$1"
 ssh-keygen -f "/home/plom/.ssh/known_hosts" -R "${server}"
 
 # This will be used to log-in as root from plom account.
-echo 'First, enter the old root password; then enter new password twice.'
+echo 'First, enter the old root password; then enter new password three times.'
 ssh root@"${server}" "passwd"
 
 # Save root password for sshpass
diff --git a/bullseye/setup_scripts/init_user_login.sh b/bullseye/setup_scripts/init_user_login.sh
index 35abb90..b63d0d8 100755
--- a/bullseye/setup_scripts/init_user_login.sh
+++ b/bullseye/setup_scripts/init_user_login.sh
@@ -1,9 +1,14 @@
 #!/bin/sh
+# This script turns a fresh server with password-based root access into
+# one of only key-based access and only to new non-root account plom.
 #
 # CAUTION: This is optimized for a *fresh* setup. It will overwrite any
-# old /etc/ssh/sshd_config.
+# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
+# contains the local ~/.ssh/id_rsa.pub, and also any old
+# /etc/ssh/sshd_config.
 #
-# Dependencies: ssh, scp, properly configured sshd_config file in reach.
+# Dependencies: ssh, scp, ~/.ssh/id_rsa.pub, properly configured sshd_config
+# file in misc.sh:$linkable_files_dir
 set -e
 . ./misc.sh
 . ../../misc.sh
-- 
2.30.2