From ed1ff7234a0fa5a583d8cad6a2b1d97ce8ed975f Mon Sep 17 00:00:00 2001 From: Christian Heller <c.heller@plomlompom.de> Date: Tue, 13 Nov 2018 21:42:51 +0100 Subject: [PATCH] Some new setup script attempts. --- .../init_user_and_keybased_login.sh | 42 ++++++ .../init_user_and_keybased_login/sshd_config | 127 ++++++++++++++++++ .../limit_packages/99_minimize_dependencies | 4 + .../limit_packages/purge_nonrequireds.sh | 19 +++ .../limit_packages/required_nonrequireds | 3 + 5 files changed, 195 insertions(+) create mode 100755 all_new_2018/init_user_and_keybased_login/init_user_and_keybased_login.sh create mode 100644 all_new_2018/init_user_and_keybased_login/sshd_config create mode 100644 all_new_2018/limit_packages/99_minimize_dependencies create mode 100755 all_new_2018/limit_packages/purge_nonrequireds.sh create mode 100644 all_new_2018/limit_packages/required_nonrequireds diff --git a/all_new_2018/init_user_and_keybased_login/init_user_and_keybased_login.sh b/all_new_2018/init_user_and_keybased_login/init_user_and_keybased_login.sh new file mode 100755 index 0000000..0524a35 --- /dev/null +++ b/all_new_2018/init_user_and_keybased_login/init_user_and_keybased_login.sh @@ -0,0 +1,42 @@ +#!/bin/sh +# This script turns a fresh server with password-based root access to +# one of only key-based access and only to new non-root account plom. +# +# CAUTION: This is optimized for a *fresh* setup. It will overwrite any +# pre-existing ~/.ssh/authorized_keys of user plom with one that solely +# contains the local ~/.ssh/id_rsa.pub, and also any old +# /etc/ssh/sshd_config. +# +# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub +set -e + +# Ensure we have a server name as argument. +if [ $# -eq 0 ]; then + echo "Need server as argument." + false +fi +server="$1" + +# Ask for root password only once, sshpass will re-use it then often. +stty -echo +printf "Server root password: " +read PW_ROOT +stty echo +printf "\n" +export SSHPASS="$PW_ROOT" + +# Create user plom, and his ~/.ssh/authorized_keys based on the local +# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and +# ownerships. Then disable root and pw login, and restart ssh daemon. +# +# This could be a line or two shorter by using ssh-copy-id, but that +# would require setting a password for user plom otherwise not needed. +sshpass -e scp ~/.ssh/id_rsa.pub root@"$server":/tmp/authorized_keys +sshpass -e ssh root@"$server" \ + 'useradd -m plom && '\ + 'mkdir /home/plom/.ssh && '\ + 'chown plom:plom /tmp/authorized_keys && '\ + 'chmod u=rw,go= /tmp/authorized_keys && '\ + 'mv /tmp/authorized_keys /home/plom/.ssh/' +sshpass -e scp sshd_config root@"$server":/etc/ssh/sshd_config +sshpass -e ssh root@"$server" 'service ssh restart' diff --git a/all_new_2018/init_user_and_keybased_login/sshd_config b/all_new_2018/init_user_and_keybased_login/sshd_config new file mode 100644 index 0000000..1169f74 --- /dev/null +++ b/all_new_2018/init_user_and_keybased_login/sshd_config @@ -0,0 +1,127 @@ +# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +Port 22 +Port 443 # used for networks where 22 is banned +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin no +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# Expect .ssh/authorized_keys2 to be disregarded by default in future. +#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin yes +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation sandbox +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +# override default of no subsystems +Subsystem sftp /usr/lib/openssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server + +ClientAliveInterval 120 +PasswordAuthentication no diff --git a/all_new_2018/limit_packages/99_minimize_dependencies b/all_new_2018/limit_packages/99_minimize_dependencies new file mode 100644 index 0000000..4aaef79 --- /dev/null +++ b/all_new_2018/limit_packages/99_minimize_dependencies @@ -0,0 +1,4 @@ +APT::AutoRemove::RecommendsImportant "false"; +APT::AutoRemove::SuggestsImportant "false"; +APT::Install-Recommends "false"; +APT::Install-Suggests "false"; diff --git a/all_new_2018/limit_packages/purge_nonrequireds.sh b/all_new_2018/limit_packages/purge_nonrequireds.sh new file mode 100755 index 0000000..36b6f38 --- /dev/null +++ b/all_new_2018/limit_packages/purge_nonrequireds.sh @@ -0,0 +1,19 @@ +#!/bin/sh +# This script removes all Debian packages that are not of Priority +# "required" or not depended on by packages of priority "required" +# or not listed in the file ./required_nonrequireds. +# If ./required_nonrequireds does not exist, will abort, as user +# probably does not know what they are doing then. +set -x +set -e + +dpkg-query -Wf '${Package} ${Priority}\n' | grep ' required' | sed 's/ required//' > /tmp/list_white_unsorted +cat 'required_nonrequireds' >> /tmp/list_white_unsorted +sort /tmp/list_white_unsorted > /tmp/list_white +dpkg-query -Wf '${Package}\n' > /tmp/list_all_packages +sort /tmp/list_all_packages > /tmp/foo +mv /tmp/foo /tmp/list_all_packages +comm -3 /tmp/list_all_packages /tmp/list_white > /tmp/list_black +apt-mark auto `cat /tmp/list_black` +DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove +rm /tmp/list_all_packages /tmp/list_white_unsorted /tmp/list_white /tmp/list_black diff --git a/all_new_2018/limit_packages/required_nonrequireds b/all_new_2018/limit_packages/required_nonrequireds new file mode 100644 index 0000000..dca4024 --- /dev/null +++ b/all_new_2018/limit_packages/required_nonrequireds @@ -0,0 +1,3 @@ +ifupdown +isc-dhcp-client +openssh-server -- 2.30.2