From ed1ff7234a0fa5a583d8cad6a2b1d97ce8ed975f Mon Sep 17 00:00:00 2001
From: Christian Heller <c.heller@plomlompom.de>
Date: Tue, 13 Nov 2018 21:42:51 +0100
Subject: [PATCH] Some new setup script attempts.

---
 .../init_user_and_keybased_login.sh           |  42 ++++++
 .../init_user_and_keybased_login/sshd_config  | 127 ++++++++++++++++++
 .../limit_packages/99_minimize_dependencies   |   4 +
 .../limit_packages/purge_nonrequireds.sh      |  19 +++
 .../limit_packages/required_nonrequireds      |   3 +
 5 files changed, 195 insertions(+)
 create mode 100755 all_new_2018/init_user_and_keybased_login/init_user_and_keybased_login.sh
 create mode 100644 all_new_2018/init_user_and_keybased_login/sshd_config
 create mode 100644 all_new_2018/limit_packages/99_minimize_dependencies
 create mode 100755 all_new_2018/limit_packages/purge_nonrequireds.sh
 create mode 100644 all_new_2018/limit_packages/required_nonrequireds

diff --git a/all_new_2018/init_user_and_keybased_login/init_user_and_keybased_login.sh b/all_new_2018/init_user_and_keybased_login/init_user_and_keybased_login.sh
new file mode 100755
index 0000000..0524a35
--- /dev/null
+++ b/all_new_2018/init_user_and_keybased_login/init_user_and_keybased_login.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+# This script turns a fresh server with password-based root access to
+# one of only key-based access and only to new non-root account plom.
+#
+# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
+# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
+# contains the local ~/.ssh/id_rsa.pub, and also any old
+# /etc/ssh/sshd_config.
+#
+# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub
+set -e
+
+# Ensure we have a server name as argument.
+if [ $# -eq 0 ]; then
+    echo "Need server as argument."
+    false
+fi
+server="$1"
+
+# Ask for root password only once, sshpass will re-use it then often.
+stty -echo
+printf "Server root password: "
+read PW_ROOT
+stty echo
+printf "\n"
+export SSHPASS="$PW_ROOT"
+
+# Create user plom, and his ~/.ssh/authorized_keys based on the local
+# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
+# ownerships. Then disable root and pw login, and restart ssh daemon.
+#
+# This could be a line or two shorter by using ssh-copy-id, but that
+# would require setting a password for user plom otherwise not needed.
+sshpass -e scp ~/.ssh/id_rsa.pub root@"$server":/tmp/authorized_keys
+sshpass -e ssh root@"$server" \
+        'useradd -m plom && '\
+        'mkdir /home/plom/.ssh && '\
+        'chown plom:plom /tmp/authorized_keys && '\
+        'chmod u=rw,go= /tmp/authorized_keys && '\
+        'mv /tmp/authorized_keys /home/plom/.ssh/'
+sshpass -e scp sshd_config root@"$server":/etc/ssh/sshd_config
+sshpass -e ssh root@"$server" 'service ssh restart'
diff --git a/all_new_2018/init_user_and_keybased_login/sshd_config b/all_new_2018/init_user_and_keybased_login/sshd_config
new file mode 100644
index 0000000..1169f74
--- /dev/null
+++ b/all_new_2018/init_user_and_keybased_login/sshd_config
@@ -0,0 +1,127 @@
+#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Port 22
+Port 443 # used for networks where 22 is banned
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no 
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin yes
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation sandbox
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+
+ClientAliveInterval 120
+PasswordAuthentication no 
diff --git a/all_new_2018/limit_packages/99_minimize_dependencies b/all_new_2018/limit_packages/99_minimize_dependencies
new file mode 100644
index 0000000..4aaef79
--- /dev/null
+++ b/all_new_2018/limit_packages/99_minimize_dependencies
@@ -0,0 +1,4 @@
+APT::AutoRemove::RecommendsImportant "false";
+APT::AutoRemove::SuggestsImportant "false";
+APT::Install-Recommends "false";
+APT::Install-Suggests "false";
diff --git a/all_new_2018/limit_packages/purge_nonrequireds.sh b/all_new_2018/limit_packages/purge_nonrequireds.sh
new file mode 100755
index 0000000..36b6f38
--- /dev/null
+++ b/all_new_2018/limit_packages/purge_nonrequireds.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+# This script removes all Debian packages that are not of Priority
+# "required" or not depended on by packages of priority "required"
+# or not listed in the file ./required_nonrequireds.
+# If ./required_nonrequireds does not exist, will abort, as user
+# probably does not know what they are doing then.
+set -x
+set -e
+
+dpkg-query -Wf '${Package} ${Priority}\n' | grep ' required' | sed 's/ required//' > /tmp/list_white_unsorted
+cat 'required_nonrequireds' >> /tmp/list_white_unsorted
+sort /tmp/list_white_unsorted > /tmp/list_white
+dpkg-query -Wf '${Package}\n' > /tmp/list_all_packages
+sort /tmp/list_all_packages > /tmp/foo
+mv /tmp/foo /tmp/list_all_packages
+comm -3 /tmp/list_all_packages /tmp/list_white > /tmp/list_black
+apt-mark auto `cat /tmp/list_black`
+DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
+rm /tmp/list_all_packages /tmp/list_white_unsorted /tmp/list_white /tmp/list_black
diff --git a/all_new_2018/limit_packages/required_nonrequireds b/all_new_2018/limit_packages/required_nonrequireds
new file mode 100644
index 0000000..dca4024
--- /dev/null
+++ b/all_new_2018/limit_packages/required_nonrequireds
@@ -0,0 +1,3 @@
+ifupdown
+isc-dhcp-client
+openssh-server
-- 
2.30.2