home · contact · privacy
Extend new setup.
authorChristian Heller <c.heller@plomlompom.de>
Tue, 13 Nov 2018 21:41:53 +0000 (22:41 +0100)
committerChristian Heller <c.heller@plomlompom.de>
Tue, 13 Nov 2018 21:41:53 +0000 (22:41 +0100)
all_new_2018/init_user_and_keybased_login.sh [new file with mode: 0755]
all_new_2018/init_user_and_keybased_login/init_user_and_keybased_login.sh [deleted file]
all_new_2018/init_user_and_keybased_login/sshd_config [deleted file]
all_new_2018/limit_packages/99_minimize_dependencies [deleted file]
all_new_2018/linkable_etc_files/all/etc/apt/apt.conf.d/99_minimize_dependencies [new file with mode: 0644]
all_new_2018/linkable_etc_files/all/etc/apt/sources.list [new file with mode: 0644]
all_new_2018/linkable_etc_files/server/etc/ssh/sshd_config [new file with mode: 0644]
all_new_2018/symlink_etc.sh [new file with mode: 0644]

diff --git a/all_new_2018/init_user_and_keybased_login.sh b/all_new_2018/init_user_and_keybased_login.sh
new file mode 100755 (executable)
index 0000000..5fa7831
--- /dev/null
@@ -0,0 +1,50 @@
+#!/bin/sh
+# This script turns a fresh server with password-based root access to
+# one of only key-based access and only to new non-root account plom.
+#
+# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
+# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
+# contains the local ~/.ssh/id_rsa.pub, and also any old
+# /etc/ssh/sshd_config.
+#
+# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly
+# configured sshd_config file in reach.
+set -e
+
+# Location auf a sshd_config with "PermitRootLogin no" and
+# "PasswordAuthentication no".
+system_path_sshd_config='/etc/ssh/sshd_config'
+config_tree_prefix='~/config/all_new_2018/linkable_etc_files/server/'
+local_path_sshd_config="$config_tree_prefix""$system_path_sshd_config"
+
+# Ensure we have a server name as argument.
+if [ $# -eq 0 ]; then
+    echo "Need server as argument."
+    false
+fi
+server="$1"
+
+# Ask for root password only once, sshpass will re-use it then often.
+stty -echo
+printf "Server root password: "
+read PW_ROOT
+stty echo
+printf "\n"
+export SSHPASS="$PW_ROOT"
+
+# Create user plom, and his ~/.ssh/authorized_keys based on the local
+# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
+# ownerships. Then disable root and pw login by copying over the
+# sshd_config and restart ssh daemon.
+#
+# This could be a line or two shorter by using ssh-copy-id, but that
+# would require setting a password for user plom otherwise not needed.
+sshpass -e scp ~/.ssh/id_rsa.pub root@"$server":/tmp/authorized_keys
+sshpass -e ssh root@"$server" \
+        'useradd -m plom && '\
+        'mkdir /home/plom/.ssh && '\
+        'chown plom:plom /tmp/authorized_keys && '\
+        'chmod u=rw,go= /tmp/authorized_keys && '\
+        'mv /tmp/authorized_keys /home/plom/.ssh/'
+sshpass -e scp "$local_path_sshd_config" root@"$server":"$system_path_sshd_config"
+sshpass -e ssh root@"$server" 'service ssh restart'
diff --git a/all_new_2018/init_user_and_keybased_login/init_user_and_keybased_login.sh b/all_new_2018/init_user_and_keybased_login/init_user_and_keybased_login.sh
deleted file mode 100755 (executable)
index 0524a35..0000000
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/sh
-# This script turns a fresh server with password-based root access to
-# one of only key-based access and only to new non-root account plom.
-#
-# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
-# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
-# contains the local ~/.ssh/id_rsa.pub, and also any old
-# /etc/ssh/sshd_config.
-#
-# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub
-set -e
-
-# Ensure we have a server name as argument.
-if [ $# -eq 0 ]; then
-    echo "Need server as argument."
-    false
-fi
-server="$1"
-
-# Ask for root password only once, sshpass will re-use it then often.
-stty -echo
-printf "Server root password: "
-read PW_ROOT
-stty echo
-printf "\n"
-export SSHPASS="$PW_ROOT"
-
-# Create user plom, and his ~/.ssh/authorized_keys based on the local
-# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
-# ownerships. Then disable root and pw login, and restart ssh daemon.
-#
-# This could be a line or two shorter by using ssh-copy-id, but that
-# would require setting a password for user plom otherwise not needed.
-sshpass -e scp ~/.ssh/id_rsa.pub root@"$server":/tmp/authorized_keys
-sshpass -e ssh root@"$server" \
-        'useradd -m plom && '\
-        'mkdir /home/plom/.ssh && '\
-        'chown plom:plom /tmp/authorized_keys && '\
-        'chmod u=rw,go= /tmp/authorized_keys && '\
-        'mv /tmp/authorized_keys /home/plom/.ssh/'
-sshpass -e scp sshd_config root@"$server":/etc/ssh/sshd_config
-sshpass -e ssh root@"$server" 'service ssh restart'
diff --git a/all_new_2018/init_user_and_keybased_login/sshd_config b/all_new_2018/init_user_and_keybased_login/sshd_config
deleted file mode 100644 (file)
index 1169f74..0000000
+++ /dev/null
@@ -1,127 +0,0 @@
-#      $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
-
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options override the
-# default value.
-
-Port 22
-Port 443 # used for networks where 22 is banned
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin no 
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# Expect .ssh/authorized_keys2 to be disregarded by default in future.
-#AuthorizedKeysFile    .ssh/authorized_keys .ssh/authorized_keys2
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin yes
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-X11Forwarding yes
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation sandbox
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-# override default of no subsystems
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#      X11Forwarding no
-#      AllowTcpForwarding no
-#      PermitTTY no
-#      ForceCommand cvs server
-
-ClientAliveInterval 120
-PasswordAuthentication no 
diff --git a/all_new_2018/limit_packages/99_minimize_dependencies b/all_new_2018/limit_packages/99_minimize_dependencies
deleted file mode 100644 (file)
index 4aaef79..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-APT::AutoRemove::RecommendsImportant "false";
-APT::AutoRemove::SuggestsImportant "false";
-APT::Install-Recommends "false";
-APT::Install-Suggests "false";
diff --git a/all_new_2018/linkable_etc_files/all/etc/apt/apt.conf.d/99_minimize_dependencies b/all_new_2018/linkable_etc_files/all/etc/apt/apt.conf.d/99_minimize_dependencies
new file mode 100644 (file)
index 0000000..4aaef79
--- /dev/null
@@ -0,0 +1,4 @@
+APT::AutoRemove::RecommendsImportant "false";
+APT::AutoRemove::SuggestsImportant "false";
+APT::Install-Recommends "false";
+APT::Install-Suggests "false";
diff --git a/all_new_2018/linkable_etc_files/all/etc/apt/sources.list b/all_new_2018/linkable_etc_files/all/etc/apt/sources.list
new file mode 100644 (file)
index 0000000..68064c6
--- /dev/null
@@ -0,0 +1,4 @@
+deb http://deb.debian.org/debian stretch main contrib non-free
+deb http://deb.debian.org/debian-security/ stretch/updates main contrib non-free
+deb http://deb.debian.org/debian stretch-updates main contrib non-free
+deb http://ftp.debian.org/debian stretch-backports main contrib non-free
\ No newline at end of file
diff --git a/all_new_2018/linkable_etc_files/server/etc/ssh/sshd_config b/all_new_2018/linkable_etc_files/server/etc/ssh/sshd_config
new file mode 100644 (file)
index 0000000..b72e311
--- /dev/null
@@ -0,0 +1,127 @@
+#      $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Port 22
+Port 443 # used for networks where 22 is banned
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile    .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin yes
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation sandbox
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#      X11Forwarding no
+#      AllowTcpForwarding no
+#      PermitTTY no
+#      ForceCommand cvs server
+
+ClientAliveInterval 120
+PasswordAuthentication no
diff --git a/all_new_2018/symlink_etc.sh b/all_new_2018/symlink_etc.sh
new file mode 100644 (file)
index 0000000..238d136
--- /dev/null
@@ -0,0 +1,14 @@
+#!/bin/sh
+# Symbolically link files to those under linkable_etc_files/$1/, e.g.
+# link /etc/foo/bar to linkable_etc_files/$1/etc/foo/bar. Create
+# directories as necessary.
+# CAUTION: This removes original files at the affected paths.
+set -e
+
+target="$1"
+config_tree_prefix="~/config/all_new_2018/linkable_etc_files/"
+cd "$config_tree_prefix""$target"
+for path in $(find .); do
+    dest=$(echo "$path" | cut -c2-)
+    ln -fs "$path" "$dest"
+done