echo 'APT::Install-Recommends 0;' > /etc/apt/apt.conf.d/local-recommends
}}}
-* sane locales:
-
- make sure there is _no_ locale defined in /etc/environment and /etc/default/locale
-
+* sane locales: (make sure there is _no_ locale defined in /etc/environment and /etc/default/locale)
{{{
echo -n > /etc/environment
echo -n > /etc/default/locale
echo "debconf debconf/frontend select Dialog" | debconf-set-selections
}}}
-* add db.d.o to sources.list:
-{{{
- cat > /etc/apt/sources.list.d/debian.org.list << EOF
-deb http://db.debian.org/debian-admin lenny main
-deb-src http://db.debian.org/debian-admin lenny main
-EOF
-
- apt-key add - << EOF
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-mQGiBEf4BP0RBACfXnRhBb9HKiA3h5A1tDnluVwfkSuDX4ZXdVAuMZapdOm8r9ug
-9zE/dDGWPWja+DArAPZ/i3BFvlMewmden/IFbQKtXluQVIC4GL1RBMwrtWsZzo0g
-picl3CYWDAYjRdg4WppUc9FawwGw081FlLGDv7eYRO3+8uGUHfr+SD7CwwCgxJK6
-SvDX6M2Ifuq8WmgWWrVFyakD/ipdxd3NPIcnl1JTO2NjbOJYKpZMl6v0g+1OofSq
-CAKTO8ymc0z6SF1j/4mWe1W76wvTpOhOUgn2WO7SQHZaujb/3z+yAJedfbCDgq0S
-H/T2qbQTzv+woAjyR/e2Zpsc2DRfqO/8aCw1Jx8N3UbH9MBPYlYlyCnSra1OAyXW
-VvC0A/9nT/k6VIFBF0Oq2WwmzOLptOqg61WrnxBr3GIe503++p88tOwlCJlL0uZZ
-k68m3m5t7WDtQK4fHQwLramb9AqtBPhiEaXU5bXk77RYE54EeEH9Z4H4YSMMkdYU
-gLG5CZI2jprxAZew1mHKROv+15jxYd+BZCrORmpWn5g7N+TC5rQeZGIuZGViaWFu
-Lm9yZyBhcmNoaXZlIGtleSAyMDA4iGYEExECACYCGwMGCwkIBwMCBBUCCAMEFgID
-AQIeAQIXgAUCSdlA9AUJA8JvcwAKCRC+p88QvSsO4AoeAJ0dY+rDwxNVR6HPs8JZ
-xLceOYU/hgCeNW1KkOXrSt2Lv8PVWXnr5jHNZSo=
-=4LFD
------END PGP PUBLIC KEY BLOCK-----
-EOF
-}}}
-
-* in /etc/ssh/sshd_config:
-** disable the DSA hostkey, so that it only does RSA
-** remove old host keys:
-** disable X11 forwarding
-** Tell it to use alternate authorized_keys locations
-** maybe link root's auth key there:
-{{{
- #| HostKey /etc/ssh/ssh_host_rsa_key
- #| X11Forwarding no
- #| AuthorizedKeysFile /etc/ssh/userkeys/%u
- #| AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
-
- cd /etc/ssh/ && rm -f ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub &&
- mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root &&
- sed -i -e 's/^HostKey.*_dsa_key/# &/;
- s/^X11Forwarding yes/X11Forwarding no/;
- $ a AuthorizedKeysFile /etc/ssh/userkeys/%u
- $ a AuthorizedKeysFile2 /var/lib/misc/userkeys/%u' sshd_config &&
- (cd / && env -i /etc/init.d/ssh restart)
-}}}
-
-
-
-* install userdir-ldap
+* unless we want to keep it:
{{{
- apt-get update && apt-get install userdir-ldap
+ dpkg -l postfix | grep '^ii' && (dpkg --purge postfix && rm /etc/aliases)
}}}
+* setup [[puppet|howto/puppet-setup]]
* on draghi, add the host to /home/sshdist/.ssh/authorized_keys and generate.conf
(you want the host's rsa host key there: {{{cat /etc/ssh/ssh_host_rsa_key.pub}}})
: :: draghi :: && sudo -u sshdist ud-generate
}}}
-* fix nsswitch for ud fu.
+* fix nsswitch for ud fu. (you might have to restart sshd here)
{{{
sed -i -e 's/^passwd:\[[:space:]]\+compat$/passwd: compat db/;
s/^group:\[[:space:]]\+compat$/group: db compat/;
s/^shadow:\[[:space:]]\+compat$/shadow: compat db/' \
/etc/nsswitch.conf
+ (cd / && env -i /etc/init.d/ssh restart)
}}}
-(you might have to restart sshd here:
+* install userdir-ldap
{{{
- (cd / && env -i /etc/init.d/ssh restart)
+ apt-get update && apt-get install userdir-ldap
}}}
-)
* on the host, run ud-replicate
{{{
id weasel
}}}
-* add pam_mkhomedir to common-session:
+* install debian.org which brings you shells and much other fun
{{{
- grep pam_mkhomedir /etc/pam.d/common-session || \
- echo "session optional pam_mkhomedir.so skel=/etc/skel umask=0022" >> /etc/pam.d/common-session
+ apt-get install debian.org
}}}
-* install debian.org which brings you shells and much other fun
+* in /etc/ssh/sshd_config:
+** disable the DSA hostkey, so that it only does RSA
+** remove old host keys:
+** disable X11 forwarding
+** Tell it to use alternate authorized_keys locations
+** maybe link root's auth key there:
{{{
- apt-get install debian.org
+ #| HostKey /etc/ssh/ssh_host_rsa_key
+ #| X11Forwarding no
+ #| AuthorizedKeysFile /etc/ssh/userkeys/%u
+ #| AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
+
+ cd /etc/ssh/ && rm -f ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub &&
+ mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root &&
+ sed -i -e 's/^HostKey.*_dsa_key/# &/;
+ s/^X11Forwarding yes/X11Forwarding no/;
+ $ a AuthorizedKeysFile /etc/ssh/userkeys/%u
+ $ a AuthorizedKeysFile2 /var/lib/misc/userkeys/%u' sshd_config &&
+ (cd / && env -i /etc/init.d/ssh restart)
}}}
* try to login using your user and ssh key. you should get a homedir.
+* try to become root using sudo.
+
+* disable password auth with ssh (again: once you verified you can log in and become root using keys.)
+{{{
+ #vi /etc/ssh/sshd_config
+ # | PasswordAuthentication no
+
+ sed -i -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config &&
+ (cd / && env -i /etc/init.d/ssh restart)
+}}}
+
* make ca-certificates sane: (choose to *not* trust new certs, and we only want the spi cert activated)
{{{
echo "ca-certificates ca-certificates/trust_new_crts select no" | debconf-set-selections
: :: spohr :: && sudo vi /etc/munin/munin.conf
}}}
-
-* disable password auth with ssh, once you verified you can log in
- and become root using keys.
-{{{
- #vi /etc/ssh/sshd_config
- # | PasswordAuthentication no
-
- sed -i -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config &&
- (cd / && env -i /etc/init.d/ssh restart)
-}}}
-
* if it is a HP Proliant, or has other management fu, read [[howto/ilo-https]]
-* setup [[puppet|howto/puppet-setup]]
-
* edit dedication into in $DSA-PUPPET/modules/debian-org/misc/local.yaml
* add to nagios