script sshd_config munging, II

[mirror/dsa-wiki.git] / input / howto / new-machine.creole

diff --git a/input/howto/new-machine.creole b/input/howto/new-machine.creole
index 26e265a..b234218 100644 (file)
--- a/input/howto/new-machine.creole
+++ b/input/howto/new-machine.creole
@@ -24,8 +24,9 @@ Note: this is partially obsolete now that we have [[puppet|howto/puppet-setup]].
 
 * make debconf the same on every host: - dialog, - high
 {{{
-    echo "debconf debconf/priority        select  high" | debconf-set-selections
-    echo "debconf debconf/frontend        select  Dialog" | debconf-set-selections
+    apt-get install dialog &&
+    echo "debconf debconf/priority        select high" | debconf-set-selections &&
+    echo "debconf debconf/frontend        select Dialog" | debconf-set-selections
 }}}
 
 * add db.d.o to sources.list:
@@ -58,25 +59,25 @@ EOF
 
 * in /etc/ssh/sshd_config:
 ** disable the DSA hostkey, so that it only does RSA
-** remove old host keys: <BR>{{{
-    cd /etc/ssh/ && rm ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub
-}}}
+** remove old host keys:
 ** disable X11 forwarding
 ** Tell it to use alternate authorized_keys locations
-{{{
-    | HostKey /etc/ssh/ssh_host_rsa_key
-    | X11Forwarding no
-    | AuthorizedKeysFile /etc/ssh/userkeys/%u
-    | AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
-
-    vi /etc/ssh/sshd_config
+** maybe link root's auth key there:
+{{{
+    #| HostKey /etc/ssh/ssh_host_rsa_key
+    #| X11Forwarding no
+    #| AuthorizedKeysFile /etc/ssh/userkeys/%u
+    #| AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
+
+    cd /etc/ssh/ && rm -f ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub &&
+    mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root &&
+    sed -i -e 's/^HostKey.*_dsa_key/# &/;
+               s/^X11Forwarding yes/X11Forwarding no/;
+               $ a AuthorizedKeysFile /etc/ssh/userkeys/%u
+               $ a AuthorizedKeysFile2 /var/lib/misc/userkeys/%u' sshd_config &&
     (cd / && env -i /etc/init.d/ssh restart)
 }}}
 
-  * maybe link root's auth key there:
-{{{
-    mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root
-}}}
 
 
 * install userdir-ldap
@@ -136,12 +137,20 @@ EOF
 
 * make ca-certificates sane:  (choose to *not* trust new certs, and we only want the spi cert activated)
 {{{
-    echo "ca-certificates ca-certificates/trust_new_crts  select  no" | debconf-set-selections
+    echo "ca-certificates ca-certificates/trust_new_crts  select no" | debconf-set-selections
     sed -i -e 's/^[^#!].*/!&/; s#^!spi-inc.org/spi-cacert-2008.crt#spi-inc.org/spi-cacert-2008.crt#' /etc/ca-certificates.conf
     dpkg-reconfigure ca-certificates
 }}}
 
 * Add debian-admin@debian.org to root in /etc/aliases
+{{{
+       if ! egrep '^root:' /etc/aliases > /dev/null; then
+               echo "root: debian-admin@debian.org" >> /etc/aliases
+       elif ! egrep '^root:.*debian-admin@debian.org' /etc/aliases > /dev/null; then
+               sed -i -e 's/^root: .*/&, debian-admin@debian.org/' /etc/aliases
+       fi
+       newaliases
+}}}
 
 * sane default editor
 {{{
@@ -194,8 +203,10 @@ EOF
 * disable password auth with ssh, once you verified you can log in
   and become root using keys.
 {{{
-    vi /etc/ssh/sshd_config
-      | PasswordAuthentication no
+    #vi /etc/ssh/sshd_config
+    #  | PasswordAuthentication no
+
+    sed -i -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config &&
     (cd / && env -i /etc/init.d/ssh restart)
 }}}