apt-get install debian.org debian.org-recommended
}}}
-* in /etc/ssh/sshd_config:
-** disable the DSA hostkey, so that it only does RSA
-** remove old host keys:
-** disable X11 forwarding
-** Tell it to use alternate authorized_keys locations
-** maybe link root's auth key there:
-{{{
- #| HostKey /etc/ssh/ssh_host_rsa_key
- #| X11Forwarding no
- #| AuthorizedKeysFile /etc/ssh/userkeys/%u
- #| AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
-
- cd /etc/ssh/ && rm -f ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub &&
- mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root &&
- sed -i -e 's/^HostKey.*_dsa_key/# &/;
- s/^X11Forwarding yes/X11Forwarding no/;
- $ a AuthorizedKeysFile /etc/ssh/userkeys/%u
- $ a AuthorizedKeysFile2 /var/lib/misc/userkeys/%u' sshd_config &&
- (cd / && env -i /etc/init.d/ssh restart)
-}}}
-
* try to login using your user and ssh key. you should get a homedir.
* try to become root using sudo.
-* disable password auth with ssh (again: once you verified you can log in and become root using keys.)
-{{{
- #vi /etc/ssh/sshd_config
- # | PasswordAuthentication no
-
- sed -i -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config &&
- (cd / && env -i /etc/init.d/ssh restart)
-}}}
-
* make ca-certificates sane: (choose to *not* trust new certs, and we only want the spi cert activated)
{{{
echo "ca-certificates ca-certificates/trust_new_crts select no" | debconf-set-selections