Note: this is partially obsolete now that we have [[puppet|howto/puppet-setup]]. We should probably update/rework some parts.
-** Warning: This procedure has not been tested since being moved to the wiki. Beware. **
-
* install ssh if it isn't there already
{{{
apt-get install ssh
make sure there is _no_ locale defined in /etc/environment and /etc/default/locale
+{{{
+ echo -n > /etc/environment
+ echo -n > /etc/default/locale
+}}}
+
* make debconf the same on every host: - dialog, - high
{{{
- dpkg-reconfigure debconf
+ apt-get install dialog &&
+ echo "debconf debconf/priority select high" | debconf-set-selections &&
+ echo "debconf debconf/frontend select Dialog" | debconf-set-selections
}}}
* add db.d.o to sources.list:
* in /etc/ssh/sshd_config:
** disable the DSA hostkey, so that it only does RSA
-** remove old host keys: <BR>{{{
- cd /etc/ssh/ && rm ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub
-}}}
+** remove old host keys:
** disable X11 forwarding
** Tell it to use alternate authorized_keys locations
-{{{
- | HostKey /etc/ssh/ssh_host_rsa_key
- | X11Forwarding no
- | AuthorizedKeysFile /etc/ssh/userkeys/%u
- | AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
-
- vi /etc/ssh/sshd_config
+** maybe link root's auth key there:
+{{{
+ #| HostKey /etc/ssh/ssh_host_rsa_key
+ #| X11Forwarding no
+ #| AuthorizedKeysFile /etc/ssh/userkeys/%u
+ #| AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
+
+ cd /etc/ssh/ && rm -f ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub &&
+ mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root &&
+ sed -i -e 's/^HostKey.*_dsa_key/# &/;
+ s/^X11Forwarding yes/X11Forwarding no/;
+ $ a AuthorizedKeysFile /etc/ssh/userkeys/%u
+ $ a AuthorizedKeysFile2 /var/lib/misc/userkeys/%u' sshd_config &&
(cd / && env -i /etc/init.d/ssh restart)
}}}
- * maybe link root's auth key there:
-{{{
- mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root
-}}}
* install userdir-ldap
}}}
-* on samosa, add the host to /home/sshdist/.ssh/authorized_keys and generate.conf
+* on draghi, add the host to /home/sshdist/.ssh/authorized_keys and generate.conf
(you want the host's rsa host key there: {{{cat /etc/ssh/ssh_host_rsa_key.pub}}})
{{{
- : :: samosa :: && sudo vi /home/sshdist/.ssh/authorized_keys
- : :: samosa :: && sudo vi /etc/userdir-ldap/generate.conf
+ : :: draghi :: && sudo vi /home/sshdist/.ssh/authorized_keys
+ : :: draghi :: && sudo vi /etc/userdir-ldap/generate.conf
}}}
* run generate, or wait until cron runs it for you
{{{
- : :: samosa :: && sudo -u sshdist ud-generate
+ : :: draghi :: && sudo -u sshdist ud-generate
}}}
* fix nsswitch for ud fu.
* on the host, run ud-replicate
{{{
- mkdir -p /root/.ssh &&
- echo db,db.debian.org,192.25.206.57 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAph3LozYmcwHwgnxfKia1lg1AXNuJiEroi/GpPztbcqxmFOYBZbMgYDj+kM+usoXF2diT9OQWqg1yx19CeEoghHYz4/yZa0PYdLgPj9Si4PScekVaE051GrLM63osfK0j3wIfpgLJv2/zs42NbXjkKPdjInEaWPn8W1fe88M3JDE= root@newsamosa >> /root/.ssh/known_hosts &&
+ echo draghi.debian.org,draghi,db.debian.org,db,82.195.75.106,::ffff:82.195.75.106 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAy1mAS0xIOZH9OrJZf1Wv9qYORv5Z5fmpF0o8Y4IMdS+ZzTjN1Sl8M77jaFTJbumJNs+n2CMcX8CoMemQEPBoRe20a5t3dExPQ3c7FNU0z+WIVFbu/oTTkAWGp5gCDwF3pg2QxUjqYc0X4jpv6pkisyvisij6V/VJ5G1hsIMuKqrCKYyyyiJJytfzSfRrBx2QvB5ZWQxhYeSYDoLDvuF31qUy4TLZ/HR3qZQ1cBrP9dCh5d+GQxdY9LuO6zjlnSyU64GHkyjYt3p03AKG4plD7WHX01bD0DQQ/NOFVwFhOZ63mePyridPuqBMFW39jBf4jSsewV95RE5VbY04+MY4XQ== root@draghi >> /etc/ssh/ssh_known_hosts &&
ud-replicate
}}}
* make ca-certificates sane: (choose to *not* trust new certs, and we only want the spi cert activated)
{{{
+ echo "ca-certificates ca-certificates/trust_new_crts select no" | debconf-set-selections
sed -i -e 's/^[^#!].*/!&/; s#^!spi-inc.org/spi-cacert-2008.crt#spi-inc.org/spi-cacert-2008.crt#' /etc/ca-certificates.conf
dpkg-reconfigure ca-certificates
}}}
* Add debian-admin@debian.org to root in /etc/aliases
+{{{
+ if ! egrep '^root:' /etc/aliases > /dev/null; then
+ echo "root: debian-admin@debian.org" >> /etc/aliases
+ elif ! egrep '^root:.*debian-admin@debian.org' /etc/aliases > /dev/null; then
+ sed -i -e 's/^root: .*/&, debian-admin@debian.org/' /etc/aliases
+ fi
+ newaliases
+}}}
* sane default editor
{{{
* disable password auth with ssh, once you verified you can log in
and become root using keys.
{{{
- vi /etc/ssh/sshd_config
- | PasswordAuthentication no
+ #vi /etc/ssh/sshd_config
+ # | PasswordAuthentication no
+
+ sed -i -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config &&
(cd / && env -i /etc/init.d/ssh restart)
}}}
projects / mirror / dsa-wiki.git / blobdiff