From 6ed86b2a6d6370ebea7fec698716e02198edd1c1 Mon Sep 17 00:00:00 2001 From: Christian Heller <c.heller@plomlompom.de> Date: Sun, 12 Jan 2020 04:27:33 +0100 Subject: [PATCH] First steps into new server setup. --- buster/apt-mark/all | 2 - buster/apt-mark/desktop | 2 + buster/apt-mark/server | 0 buster/etc_files/server/etc/ssh/sshd_config | 124 ++++++++++++++++++ .../init_user_and_keybased_login.sh | 52 ++++++++ buster/setup_scripts/setup_desktop.sh | 2 +- buster/setup_scripts/setup_server.sh | 20 +++ 7 files changed, 199 insertions(+), 3 deletions(-) create mode 100644 buster/apt-mark/desktop create mode 100644 buster/apt-mark/server create mode 100644 buster/etc_files/server/etc/ssh/sshd_config create mode 100755 buster/setup_scripts/init_user_and_keybased_login.sh create mode 100644 buster/setup_scripts/setup_server.sh diff --git a/buster/apt-mark/all b/buster/apt-mark/all index 4a90493..f748f3b 100644 --- a/buster/apt-mark/all +++ b/buster/apt-mark/all @@ -7,5 +7,3 @@ ca-certificates git # to avoid constant warnings about no locale being found locales -# so that grub learns about kernel updates -grub-pc diff --git a/buster/apt-mark/desktop b/buster/apt-mark/desktop new file mode 100644 index 0000000..f537318 --- /dev/null +++ b/buster/apt-mark/desktop @@ -0,0 +1,2 @@ +# so that grub learns about kernel updates +grub-pc diff --git a/buster/apt-mark/server b/buster/apt-mark/server new file mode 100644 index 0000000..e69de29 diff --git a/buster/etc_files/server/etc/ssh/sshd_config b/buster/etc_files/server/etc/ssh/sshd_config new file mode 100644 index 0000000..857962b --- /dev/null +++ b/buster/etc_files/server/etc/ssh/sshd_config @@ -0,0 +1,124 @@ +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin no # plomlompom's security rule +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# Expect .ssh/authorized_keys2 to be disregarded by default in future. +#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin yes +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +#PrintLastLog yes +#TCPKeepAlive yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +# override default of no subsystems +Subsystem sftp /usr/lib/openssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server + +ClientAliveInterval 120 +PasswordAuthentication no # plomlompom's security rule diff --git a/buster/setup_scripts/init_user_and_keybased_login.sh b/buster/setup_scripts/init_user_and_keybased_login.sh new file mode 100755 index 0000000..73379c4 --- /dev/null +++ b/buster/setup_scripts/init_user_and_keybased_login.sh @@ -0,0 +1,52 @@ +#!/bin/sh +# This script turns a fresh server with password-based root access to +# one of only key-based access and only to new non-root account plom. +# +# CAUTION: This is optimized for a *fresh* setup. It will overwrite any +# pre-existing ~/.ssh/authorized_keys of user plom with one that solely +# contains the local ~/.ssh/id_rsa.pub, and also any old +# /etc/ssh/sshd_config. +# +# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly +# configured sshd_config file in reach. +set -e + +# Location auf a sshd_config with "PermitRootLogin no" and +# "PasswordAuthentication no". +config_tree_prefix="${HOME}/public_repos/config/buster" +linkable_files_dir="${config_tree_prefix}/etc_files/server" +system_path_sshd_config='/etc/ssh/sshd_config' +local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}" + +# Ensure we have a server name as argument. +if [ $# -eq 0 ]; then + echo "Need server as argument." + false +fi +server="$1" + +# Ask for root password only once, sshpass will re-use it then often. +stty -echo +printf "Server root password: " +read PW_ROOT +stty echo +printf "\n" +export SSHPASS="${PW_ROOT}" + +# Create user plom, and his ~/.ssh/authorized_keys based on the local +# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and +# ownerships. Then disable root and pw login by copying over the +# sshd_config and restart ssh daemon. +# +# This could be a line or two shorter by using ssh-copy-id, but that +# would require setting a password for user plom otherwise not needed. +sshpass -e scp ~/.ssh/id_rsa.pub root@"${server}":/tmp/authorized_keys +sshpass -e ssh root@"${server}" \ + 'useradd -m plom && '\ + 'mkdir /home/plom/.ssh && '\ + 'chown plom:plom /home/plom/.ssh && '\ + 'chown plom:plom /tmp/authorized_keys && '\ + 'chmod u=rw,go= /tmp/authorized_keys && '\ + 'mv /tmp/authorized_keys /home/plom/.ssh/' +sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}" +sshpass -e ssh root@"${server}" 'service ssh restart' diff --git a/buster/setup_scripts/setup_desktop.sh b/buster/setup_scripts/setup_desktop.sh index b0d8cd6..c6eef8b 100755 --- a/buster/setup_scripts/setup_desktop.sh +++ b/buster/setup_scripts/setup_desktop.sh @@ -17,7 +17,7 @@ setup_scripts_dir="${config_tree_prefix}/setup_scripts" cd "${setup_scripts_dir}" ./setup.sh "${system_name}" "" ./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" user "${system_name}" -./install_for_target.sh user "${system_name}" +./install_for_target.sh user desktop "${system_name}" # Set up printer. lpadmin -p 'HP_Deskjet_F300_series' -m 'drv:///hpcups.drv/hp-deskjet_f300_series.ppd' -o 'OutputMode=NormalGray' diff --git a/buster/setup_scripts/setup_server.sh b/buster/setup_scripts/setup_server.sh new file mode 100644 index 0000000..0beee01 --- /dev/null +++ b/buster/setup_scripts/setup_server.sh @@ -0,0 +1,20 @@ +#!/bin/sh +# Next setup steps for a server whose login policy has just been set from +# the outside via ./init_user_and_keybased_login.sh. +set -e + +# Provide maximum input for set_hostname_and_fqdn.sh. +if [ "$#" -ne 2 ]; then + echo 'Need exactly two arguments (hostname, FQDN).' + false +fi +hostname="$1" +fqdn="$2" + +# Set up system without user environment. +config_tree_prefix="${HOME}/public_repos/config/buster" +setup_scripts_dir="${config_tree_prefix}/setup_scripts" +cd "${setup_scripts_dir}" +./setup.sh "${hostname}" "${fqdn}" +./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" server +./install_for_target.sh server -- 2.30.2