X-Git-Url: https://plomlompom.com/repos/test.html?a=blobdiff_plain;f=stretch%2Fsetup_scripts%2Finit_user_and_keybased_login.sh;fp=stretch%2Fsetup_scripts%2Finit_user_and_keybased_login.sh;h=cea582f8c9ef7c7a9e5dffd8a2415e570c1e170e;hb=01de6e555d9675370c4314c4c51cee67ee554f49;hp=0000000000000000000000000000000000000000;hpb=bb8855ebe057c54a110d4f22eb8cc312220c80ff;p=config
diff --git a/stretch/setup_scripts/init_user_and_keybased_login.sh b/stretch/setup_scripts/init_user_and_keybased_login.sh
new file mode 100755
index 0000000..cea582f
--- /dev/null
+++ b/stretch/setup_scripts/init_user_and_keybased_login.sh
@@ -0,0 +1,56 @@
+#!/bin/sh
+# This script turns a fresh server with password-based root access into
+# one of only key-based access and only to new non-root account plom.
+#
+# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
+# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
+# contains the local ~/.ssh/id_rsa.pub, and also any old
+# /etc/ssh/sshd_config.
+#
+# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly
+# configured sshd_config file in reach.
+set -e
+
+# Location of an sshd_config with "PermitRootLogin no" and
+# "PasswordAuthentication no".
+config_tree_prefix="${HOME}/public_repos/config/stretch"
+linkable_files_dir="${config_tree_prefix}/etc_files/server"
+system_path_sshd_config='/etc/ssh/sshd_config'
+local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}"
+
+# Ensure we have a server name as argument.
+if [ $# -eq 0 ]; then
+ echo "Need server as argument."
+ false
+fi
+server="$1"
+
+# This will be used to log-in as root from plom account.
+echo 'First, enter the old root password; then enter new password twice.'
+ssh root@"${server}" "passwd"
+
+# Save root password for sshpass
+stty -echo
+printf "Re-enter new server root password: "
+read PW_ROOT
+stty echo
+printf "\n"
+export SSHPASS="${PW_ROOT}"
+
+# Create user plom, and his ~/.ssh/authorized_keys based on the local
+# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
+# ownerships. Then disable root and pw login by copying over the
+# sshd_config and restart ssh daemon.
+#
+# This could be a line or two shorter by using ssh-copy-id, but that
+# would require setting a password for user plom otherwise not needed.
+sshpass -e scp ~/.ssh/id_rsa.pub root@"${server}":/tmp/authorized_keys
+sshpass -e ssh root@"${server}" \
+ 'useradd -m plom && '\
+ 'mkdir /home/plom/.ssh && '\
+ 'chown plom:plom /home/plom/.ssh && '\
+ 'chown plom:plom /tmp/authorized_keys && '\
+ 'chmod u=rw,go= /tmp/authorized_keys && '\
+ 'mv /tmp/authorized_keys /home/plom/.ssh/'
+sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"
+sshpass -e ssh root@"${server}" 'service ssh restart'
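Review bot: The new sshd_config is copied and sshd restarted on the last two lines without first proving that key-based login as plom works or that the config parses, so a wrong home-directory mode, a key sshd rejects, or a typo in the local sshd_config locks the operator out of a host that now refuses both passwords and root. Before the scp of the config add `ssh -o BatchMode=yes -o PasswordAuthentication=no plom@"${server}" true` (set -e aborts the script if the key is not accepted), and change the last line to `sshpass -e ssh root@"${server}" 'sshd -t && service ssh restart'` so a broken config is rejected before the daemon is bounced. Staging the key at the predictable path /tmp/authorized_keys is avoidable: once useradd and mkdir have run, scp can write straight to /home/plom/.ssh/authorized_keys (or to /root/ first), which sidesteps any pre-existing file or symlink in the world-writable /tmp that chown would follow. Separately, `read PW_ROOT` should be `read -r PW_ROOT`, and because set -e makes a failed read skip `stty echo`, a `trap 'stty echo' EXIT` placed before `stty -echo` keeps the terminal usable on every exit path.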