Merge branch 'master' of ssh://db.debian.org/git/dsa-wiki

* 'master' of ssh://db.debian.org/git/dsa-wiki:
  sshd config comes from puppet
  LDAP host entries are more important now

diff --git a/input/howto/new-machine.creole b/input/howto/new-machine.creole
index 98782d5..4bfd9f5 100644 (file)
--- a/input/howto/new-machine.creole
+++ b/input/howto/new-machine.creole
@@ -31,19 +31,16 @@ Note: this has recently been changed to rely more on [[puppet|howto/puppet-setup
     dpkg -l postfix | grep '^ii  postfix' && (dpkg --purge postfix && rm /etc/aliases)
 }}}
 
-* setup [[puppet|howto/puppet-setup]]  (run the puppet client two or three times until things converge.)
+* on draghi, add the host to the ldap using ud-host.  Set the ssh key and the IP Address attributes.
 
-* on draghi, add the host to /home/sshdist/.ssh/authorized_keys
-(you want the host's rsa host key there: {{{cat /etc/ssh/ssh_host_rsa_key.pub}}})
-{{{
-    : :: draghi :: && sudo vi /home/sshdist/.ssh/authorized_keys
-}}}
-* use ud-host to add the new host to LDAP
 * run generate, or wait until cron runs it for you
 {{{
-    : :: draghi :: && sudo -u sshdist ud-generate
+    : :: draghi :: && sudo -u sshdist ud-generate && sudo -H ud-replicate
 }}}
 
+* setup [[puppet|howto/puppet-setup]]  (run the puppet client two or three times until things converge.)
+
+
 * fix nsswitch for ud fu.  (you might have to restart sshd here)
 {{{
     sed -i -e 's/^passwd:\[[:space:]]\+compat$/passwd:         compat db/;
@@ -74,40 +71,10 @@ Note: this has recently been changed to rely more on [[puppet|howto/puppet-setup
     apt-get install debian.org debian.org-recommended
 }}}
 
-* in /etc/ssh/sshd_config:
-** disable the DSA hostkey, so that it only does RSA
-** remove old host keys:
-** disable X11 forwarding
-** Tell it to use alternate authorized_keys locations
-** maybe link root's auth key there:
-{{{
-    #| HostKey /etc/ssh/ssh_host_rsa_key
-    #| X11Forwarding no
-    #| AuthorizedKeysFile /etc/ssh/userkeys/%u
-    #| AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
-
-    cd /etc/ssh/ && rm -f ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub &&
-    mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root &&
-    sed -i -e 's/^HostKey.*_dsa_key/# &/;
-               s/^X11Forwarding yes/X11Forwarding no/;
-               $ a AuthorizedKeysFile /etc/ssh/userkeys/%u
-               $ a AuthorizedKeysFile2 /var/lib/misc/userkeys/%u' sshd_config &&
-    (cd / && env -i /etc/init.d/ssh restart)
-}}}
-
 * try to login using your user and ssh key.  you should get a homedir.
 
 * try to become root using sudo.
 
-* disable password auth with ssh (again: once you verified you can log in and become root using keys.)
-{{{
-    #vi /etc/ssh/sshd_config
-    #  | PasswordAuthentication no
-
-    sed -i -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config &&
-    (cd / && env -i /etc/init.d/ssh restart)
-}}}
-
 * make ca-certificates sane:  (choose to *not* trust new certs, and we only want the spi cert activated)
 {{{
     echo "ca-certificates ca-certificates/trust_new_crts  select no" | debconf-set-selections