== setup/integrate a new machine ==
Note: this is partially obsolete now that we have [[puppet|howto/puppet-setup]]. We should probably update/rework some parts.
** Warning: This procedure has not been tested since being moved to the wiki. Beware. **
* install ssh if it isn't there already
{{{
apt-get install ssh
}}}
* make apt sane
{{{
echo 'Acquire::PDiffs "false";' > /etc/apt/apt.conf.d/local-pdiff
echo 'APT::Install-Recommends 0;' > /etc/apt/apt.conf.d/local-recommends
}}}
* sane locales:
make sure there is _no_ locale defined in /etc/environment and /etc/default/locale
* make debconf the same on every host: - dialog, - high
{{{
echo "debconf debconf/priority select high" | debconf-set-selections
echo "debconf debconf/frontend select Dialog" | debconf-set-selections
}}}
* add db.d.o to sources.list:
{{{
cat > /etc/apt/sources.list.d/debian.org.list << EOF
deb http://db.debian.org/debian-admin lenny main
deb-src http://db.debian.org/debian-admin lenny main
EOF
apt-key add - << EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (GNU/Linux)
mQGiBEf4BP0RBACfXnRhBb9HKiA3h5A1tDnluVwfkSuDX4ZXdVAuMZapdOm8r9ug
9zE/dDGWPWja+DArAPZ/i3BFvlMewmden/IFbQKtXluQVIC4GL1RBMwrtWsZzo0g
picl3CYWDAYjRdg4WppUc9FawwGw081FlLGDv7eYRO3+8uGUHfr+SD7CwwCgxJK6
SvDX6M2Ifuq8WmgWWrVFyakD/ipdxd3NPIcnl1JTO2NjbOJYKpZMl6v0g+1OofSq
CAKTO8ymc0z6SF1j/4mWe1W76wvTpOhOUgn2WO7SQHZaujb/3z+yAJedfbCDgq0S
H/T2qbQTzv+woAjyR/e2Zpsc2DRfqO/8aCw1Jx8N3UbH9MBPYlYlyCnSra1OAyXW
VvC0A/9nT/k6VIFBF0Oq2WwmzOLptOqg61WrnxBr3GIe503++p88tOwlCJlL0uZZ
k68m3m5t7WDtQK4fHQwLramb9AqtBPhiEaXU5bXk77RYE54EeEH9Z4H4YSMMkdYU
gLG5CZI2jprxAZew1mHKROv+15jxYd+BZCrORmpWn5g7N+TC5rQeZGIuZGViaWFu
Lm9yZyBhcmNoaXZlIGtleSAyMDA4iGYEExECACYCGwMGCwkIBwMCBBUCCAMEFgID
AQIeAQIXgAUCSdlA9AUJA8JvcwAKCRC+p88QvSsO4AoeAJ0dY+rDwxNVR6HPs8JZ
xLceOYU/hgCeNW1KkOXrSt2Lv8PVWXnr5jHNZSo=
=4LFD
-----END PGP PUBLIC KEY BLOCK-----
EOF
}}}
* in /etc/ssh/sshd_config:
** disable the DSA hostkey, so that it only does RSA
** remove old host keys:
{{{
cd /etc/ssh/ && rm ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub
}}}
** disable X11 forwarding
** Tell it to use alternate authorized_keys locations
{{{
| HostKey /etc/ssh/ssh_host_rsa_key
| X11Forwarding no
| AuthorizedKeysFile /etc/ssh/userkeys/%u
| AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
vi /etc/ssh/sshd_config
(cd / && env -i /etc/init.d/ssh restart)
}}}
* maybe link root's auth key there:
{{{
mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root
}}}
* install userdir-ldap
{{{
apt-get update && apt-get install userdir-ldap
}}}
* on draghi, add the host to /home/sshdist/.ssh/authorized_keys and generate.conf
(you want the host's rsa host key there: {{{cat /etc/ssh/ssh_host_rsa_key.pub}}})
{{{
: :: draghi :: && sudo vi /home/sshdist/.ssh/authorized_keys
: :: draghi :: && sudo vi /etc/userdir-ldap/generate.conf
}}}
* run generate, or wait until cron runs it for you
{{{
: :: draghi :: && sudo -u sshdist ud-generate
}}}
* fix nsswitch for ud fu.
{{{
sed -i -e 's/^passwd:\[[:space:]]\+compat$/passwd: compat db/;
s/^group:\[[:space:]]\+compat$/group: db compat/;
s/^shadow:\[[:space:]]\+compat$/shadow: compat db/' \
/etc/nsswitch.conf
}}}
(you might have to restart sshd here:
{{{
(cd / && env -i /etc/init.d/ssh restart)
}}}
)
* on the host, run ud-replicate
{{{
echo draghi.debian.org,draghi,db.debian.org,db,82.195.75.106,::ffff:82.195.75.106 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAy1mAS0xIOZH9OrJZf1Wv9qYORv5Z5fmpF0o8Y4IMdS+ZzTjN1Sl8M77jaFTJbumJNs+n2CMcX8CoMemQEPBoRe20a5t3dExPQ3c7FNU0z+WIVFbu/oTTkAWGp5gCDwF3pg2QxUjqYc0X4jpv6pkisyvisij6V/VJ5G1hsIMuKqrCKYyyyiJJytfzSfRrBx2QvB5ZWQxhYeSYDoLDvuF31qUy4TLZ/HR3qZQ1cBrP9dCh5d+GQxdY9LuO6zjlnSyU64GHkyjYt3p03AKG4plD7WHX01bD0DQQ/NOFVwFhOZ63mePyridPuqBMFW39jBf4jSsewV95RE5VbY04+MY4XQ== root@draghi >> /etc/ssh/ssh_known_hosts &&
ud-replicate
}}}
* check if it worked:
{{{
id weasel
}}}
* add pam_mkhomedir to common-session:
{{{
grep pam_mkhomedir /etc/pam.d/common-session || \
echo "session optional pam_mkhomedir.so skel=/etc/skel umask=0022" >> /etc/pam.d/common-session
}}}
* install debian.org which brings you shells and much other fun
{{{
apt-get install debian.org
}}}
* try to login using your user and ssh key. you should get a homedir.
* make ca-certificates sane: (choose to *not* trust new certs, and we only want the spi cert activated)
{{{
echo "ca-certificates ca-certificates/trust_new_crts select no" | debconf-set-selections
sed -i -e 's/^[^#!].*/!&/; s#^!spi-inc.org/spi-cacert-2008.crt#spi-inc.org/spi-cacert-2008.crt#' /etc/ca-certificates.conf
dpkg-reconfigure ca-certificates
}}}
* Add debian-admin@debian.org to root in /etc/aliases
* sane default editor
{{{
apt-get install vim && update-alternatives --set editor /usr/bin/vim.basic
}}}
* setup sudo
{{{
grep '^%adm' /etc/sudoers || echo '%adm ALL=(ALL) ALL' >> /etc/sudoers
grep '^%adm.*apt-get' /etc/sudoers || echo '%adm ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get clean, /usr/sbin/samhain -t check -i -p err -s none -l none -m none' >> /etc/sudoers
apt-get install libpam-pwdfile
cat > /etc/pam.d/sudo << EOF
#%PAM-1.0
auth [authinfo_unavail=ignore success=done ignore=ignore default=die] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
auth required pam_unix.so nullok_secure try_first_pass
#@include common-auth
@include common-account
session required pam_permit.so
session required pam_limits.so
EOF
}}}
* OPEN A NEW SHELL - DO _NOT_ LOG OUT OF THIS ONE:
test that the dedicated sudo password works. if not, undo the pam sudo config.
(comment out the auth lines and include common-auth again)
* setup ldap.conf:
{{{
grep '^URI.*db.debian.org' /etc/ldap/ldap.conf || cat >> /etc/ldap/ldap.conf << EOF
URI ldap://db.debian.org
BASE dc=debian,dc=org
TLS_CACERT /etc/ssl/certs/spi-cacert-2008.pem
TLS_REQCERT hard
EOF
}}}
* add to munin on spohr
{{{
: :: spohr :: && sudo vi /etc/munin/munin.conf
}}}
* add host to nagios config
* disable password auth with ssh, once you verified you can log in
and become root using keys.
{{{
vi /etc/ssh/sshd_config
| PasswordAuthentication no
(cd / && env -i /etc/init.d/ssh restart)
}}}
* if it is a HP Proliant, or has other management fu, read [[howto/ilo-https]]
* setup [[puppet|howto/puppet-setup]]
* add to nagios
-- weasel, Wed, 04 Jun 2008 20:52:56 +0200