Note: this is partially obsolete now that we have [[puppet|howto/puppet-setup]]. We should probably update/rework some parts.
-** Warning: This procedure has not been tested since being moved to the wiki. Beware. **
-
* install ssh if it isn't there already
{{{
apt-get install ssh
echo 'APT::Install-Recommends 0;' > /etc/apt/apt.conf.d/local-recommends
}}}
-* sane locales:
-
- make sure there is _no_ locale defined in /etc/environment and /etc/default/locale
+* sane locales: (make sure there is _no_ locale defined in /etc/environment and /etc/default/locale)
+{{{
+ echo -n > /etc/environment
+ echo -n > /etc/default/locale
+}}}
* make debconf the same on every host: - dialog, - high
{{{
-echo "debconf debconf/priority select high" | debconf-set-selections
-echo "debconf debconf/frontend select Dialog" | debconf-set-selections
+ apt-get install dialog &&
+ echo "debconf debconf/priority select high" | debconf-set-selections &&
+ echo "debconf debconf/frontend select Dialog" | debconf-set-selections
}}}
* add db.d.o to sources.list:
* in /etc/ssh/sshd_config:
** disable the DSA hostkey, so that it only does RSA
-** remove old host keys: <BR>{{{
- cd /etc/ssh/ && rm ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub
-}}}
+** remove old host keys:
** disable X11 forwarding
** Tell it to use alternate authorized_keys locations
-{{{
- | HostKey /etc/ssh/ssh_host_rsa_key
- | X11Forwarding no
- | AuthorizedKeysFile /etc/ssh/userkeys/%u
- | AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
-
- vi /etc/ssh/sshd_config
+** maybe link root's auth key there:
+{{{
+ #| HostKey /etc/ssh/ssh_host_rsa_key
+ #| X11Forwarding no
+ #| AuthorizedKeysFile /etc/ssh/userkeys/%u
+ #| AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
+
+ cd /etc/ssh/ && rm -f ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub &&
+ mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root &&
+ sed -i -e 's/^HostKey.*_dsa_key/# &/;
+ s/^X11Forwarding yes/X11Forwarding no/;
+ $ a AuthorizedKeysFile /etc/ssh/userkeys/%u
+ $ a AuthorizedKeysFile2 /var/lib/misc/userkeys/%u' sshd_config &&
(cd / && env -i /etc/init.d/ssh restart)
}}}
- * maybe link root's auth key there:
-{{{
- mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root
-}}}
* install userdir-ldap
: :: draghi :: && sudo -u sshdist ud-generate
}}}
-* fix nsswitch for ud fu.
+* fix nsswitch for ud fu. (you might have to restart sshd here)
{{{
sed -i -e 's/^passwd:\[[:space:]]\+compat$/passwd: compat db/;
s/^group:\[[:space:]]\+compat$/group: db compat/;
s/^shadow:\[[:space:]]\+compat$/shadow: compat db/' \
/etc/nsswitch.conf
-}}}
-
-(you might have to restart sshd here:
-{{{
(cd / && env -i /etc/init.d/ssh restart)
}}}
-)
* on the host, run ud-replicate
{{{
* make ca-certificates sane: (choose to *not* trust new certs, and we only want the spi cert activated)
{{{
- echo "ca-certificates ca-certificates/trust_new_crts select no" | debconf-set-selections
+ echo "ca-certificates ca-certificates/trust_new_crts select no" | debconf-set-selections
sed -i -e 's/^[^#!].*/!&/; s#^!spi-inc.org/spi-cacert-2008.crt#spi-inc.org/spi-cacert-2008.crt#' /etc/ca-certificates.conf
dpkg-reconfigure ca-certificates
}}}
* Add debian-admin@debian.org to root in /etc/aliases
-
-* sane default editor
-{{{
- apt-get install vim && update-alternatives --set editor /usr/bin/vim.basic
-}}}
-
-* setup sudo
{{{
- grep '^%adm' /etc/sudoers || echo '%adm ALL=(ALL) ALL' >> /etc/sudoers
- grep '^%adm.*apt-get' /etc/sudoers || echo '%adm ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get clean, /usr/sbin/samhain -t check -i -p err -s none -l none -m none' >> /etc/sudoers
-
- apt-get install libpam-pwdfile
- cat > /etc/pam.d/sudo << EOF
-#%PAM-1.0
-
-auth [authinfo_unavail=ignore success=done ignore=ignore default=die] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
-auth required pam_unix.so nullok_secure try_first_pass
-#@include common-auth
-@include common-account
-
-session required pam_permit.so
-session required pam_limits.so
-EOF
+ if ! egrep '^root:' /etc/aliases > /dev/null; then
+ echo "root: debian-admin@debian.org" >> /etc/aliases
+ elif ! egrep '^root:.*debian-admin@debian.org' /etc/aliases > /dev/null; then
+ sed -i -e 's/^root: .*/&, debian-admin@debian.org/' /etc/aliases
+ fi
+ newaliases
}}}
-* OPEN A NEW SHELL - DO _NOT_ LOG OUT OF THIS ONE:<BR>
- test that the dedicated sudo password works. if not, undo the pam sudo config.
- (comment out the auth lines and include common-auth again)
-
-* setup ldap.conf:
+* sane default editor
{{{
- grep '^URI.*db.debian.org' /etc/ldap/ldap.conf || cat >> /etc/ldap/ldap.conf << EOF
-
-URI ldap://db.debian.org
-BASE dc=debian,dc=org
-
-TLS_CACERT /etc/ssl/certs/spi-cacert-2008.pem
-TLS_REQCERT hard
-EOF
+ apt-get install vim && update-alternatives --set editor /usr/bin/vim.basic
}}}
* add to munin on spohr
}}}
-* add host to nagios config
-
* disable password auth with ssh, once you verified you can log in
and become root using keys.
{{{
- vi /etc/ssh/sshd_config
- | PasswordAuthentication no
+ #vi /etc/ssh/sshd_config
+ # | PasswordAuthentication no
+
+ sed -i -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config &&
(cd / && env -i /etc/init.d/ssh restart)
}}}
* setup [[puppet|howto/puppet-setup]]
+* edit dedication into in $DSA-PUPPET/modules/debian-org/misc/local.yaml
+
* add to nagios
+* add host to ldap: ud-host -a $USER -h ....
+
-- weasel, Wed, 04 Jun 2008 20:52:56 +0200