From: Peter Palfrader Date: Sat, 27 Jun 2009 17:49:13 +0000 (+0200) Subject: reorder stuff some - do puppet much earlier. no need to install sources list and... X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fdsa-wiki.git;a=commitdiff_plain;h=98bbfe13da274f5e8ddd549f144e52b893eb914d reorder stuff some - do puppet much earlier. no need to install sources list and key entry manually --- diff --git a/input/howto/new-machine.creole b/input/howto/new-machine.creole index 86b0518..e8fb3a8 100644 --- a/input/howto/new-machine.creole +++ b/input/howto/new-machine.creole @@ -26,62 +26,7 @@ Note: this is partially obsolete now that we have [[puppet|howto/puppet-setup]]. echo "debconf debconf/frontend select Dialog" | debconf-set-selections }}} -* add db.d.o to sources.list: -{{{ - cat > /etc/apt/sources.list.d/debian.org.list << EOF -deb http://db.debian.org/debian-admin lenny main -deb-src http://db.debian.org/debian-admin lenny main -EOF - - apt-key add - << EOF ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.9 (GNU/Linux) - -mQGiBEf4BP0RBACfXnRhBb9HKiA3h5A1tDnluVwfkSuDX4ZXdVAuMZapdOm8r9ug -9zE/dDGWPWja+DArAPZ/i3BFvlMewmden/IFbQKtXluQVIC4GL1RBMwrtWsZzo0g -picl3CYWDAYjRdg4WppUc9FawwGw081FlLGDv7eYRO3+8uGUHfr+SD7CwwCgxJK6 -SvDX6M2Ifuq8WmgWWrVFyakD/ipdxd3NPIcnl1JTO2NjbOJYKpZMl6v0g+1OofSq -CAKTO8ymc0z6SF1j/4mWe1W76wvTpOhOUgn2WO7SQHZaujb/3z+yAJedfbCDgq0S -H/T2qbQTzv+woAjyR/e2Zpsc2DRfqO/8aCw1Jx8N3UbH9MBPYlYlyCnSra1OAyXW -VvC0A/9nT/k6VIFBF0Oq2WwmzOLptOqg61WrnxBr3GIe503++p88tOwlCJlL0uZZ -k68m3m5t7WDtQK4fHQwLramb9AqtBPhiEaXU5bXk77RYE54EeEH9Z4H4YSMMkdYU -gLG5CZI2jprxAZew1mHKROv+15jxYd+BZCrORmpWn5g7N+TC5rQeZGIuZGViaWFu -Lm9yZyBhcmNoaXZlIGtleSAyMDA4iGYEExECACYCGwMGCwkIBwMCBBUCCAMEFgID -AQIeAQIXgAUCSdlA9AUJA8JvcwAKCRC+p88QvSsO4AoeAJ0dY+rDwxNVR6HPs8JZ -xLceOYU/hgCeNW1KkOXrSt2Lv8PVWXnr5jHNZSo= -=4LFD ------END PGP PUBLIC KEY BLOCK----- -EOF -}}} - -* in /etc/ssh/sshd_config: -** disable the DSA hostkey, so that it only does RSA -** remove old host keys: -** disable X11 forwarding -** Tell it to use alternate authorized_keys locations -** maybe link root's auth key there: -{{{ - #| HostKey /etc/ssh/ssh_host_rsa_key - #| X11Forwarding no - #| AuthorizedKeysFile /etc/ssh/userkeys/%u - #| AuthorizedKeysFile2 /var/lib/misc/userkeys/%u - - cd /etc/ssh/ && rm -f ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub && - mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root && - sed -i -e 's/^HostKey.*_dsa_key/# &/; - s/^X11Forwarding yes/X11Forwarding no/; - $ a AuthorizedKeysFile /etc/ssh/userkeys/%u - $ a AuthorizedKeysFile2 /var/lib/misc/userkeys/%u' sshd_config && - (cd / && env -i /etc/init.d/ssh restart) -}}} - - - -* install userdir-ldap -{{{ - apt-get update && apt-get install userdir-ldap -}}} - +* setup [[puppet|howto/puppet-setup]] * on draghi, add the host to /home/sshdist/.ssh/authorized_keys and generate.conf (you want the host's rsa host key there: {{{cat /etc/ssh/ssh_host_rsa_key.pub}}}) @@ -103,6 +48,11 @@ EOF (cd / && env -i /etc/init.d/ssh restart) }}} +* install userdir-ldap +{{{ + apt-get update && apt-get install userdir-ldap +}}} + * on the host, run ud-replicate {{{ echo draghi.debian.org,draghi,db.debian.org,db,82.195.75.106,::ffff:82.195.75.106 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAy1mAS0xIOZH9OrJZf1Wv9qYORv5Z5fmpF0o8Y4IMdS+ZzTjN1Sl8M77jaFTJbumJNs+n2CMcX8CoMemQEPBoRe20a5t3dExPQ3c7FNU0z+WIVFbu/oTTkAWGp5gCDwF3pg2QxUjqYc0X4jpv6pkisyvisij6V/VJ5G1hsIMuKqrCKYyyyiJJytfzSfRrBx2QvB5ZWQxhYeSYDoLDvuF31qUy4TLZ/HR3qZQ1cBrP9dCh5d+GQxdY9LuO6zjlnSyU64GHkyjYt3p03AKG4plD7WHX01bD0DQQ/NOFVwFhOZ63mePyridPuqBMFW39jBf4jSsewV95RE5VbY04+MY4XQ== root@draghi >> /etc/ssh/ssh_known_hosts && @@ -119,6 +69,40 @@ EOF apt-get install debian.org }}} +* in /etc/ssh/sshd_config: +** disable the DSA hostkey, so that it only does RSA +** remove old host keys: +** disable X11 forwarding +** Tell it to use alternate authorized_keys locations +** maybe link root's auth key there: +{{{ + #| HostKey /etc/ssh/ssh_host_rsa_key + #| X11Forwarding no + #| AuthorizedKeysFile /etc/ssh/userkeys/%u + #| AuthorizedKeysFile2 /var/lib/misc/userkeys/%u + + cd /etc/ssh/ && rm -f ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub && + mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root && + sed -i -e 's/^HostKey.*_dsa_key/# &/; + s/^X11Forwarding yes/X11Forwarding no/; + $ a AuthorizedKeysFile /etc/ssh/userkeys/%u + $ a AuthorizedKeysFile2 /var/lib/misc/userkeys/%u' sshd_config && + (cd / && env -i /etc/init.d/ssh restart) +}}} + +* try to login using your user and ssh key. you should get a homedir. + +* try to become root using sudo. + +* disable password auth with ssh (again: once you verified you can log in and become root using keys.) +{{{ + #vi /etc/ssh/sshd_config + # | PasswordAuthentication no + + sed -i -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config && + (cd / && env -i /etc/init.d/ssh restart) +}}} + * make ca-certificates sane: (choose to *not* trust new certs, and we only want the spi cert activated) {{{ echo "ca-certificates ca-certificates/trust_new_crts select no" | debconf-set-selections @@ -146,23 +130,8 @@ EOF : :: spohr :: && sudo vi /etc/munin/munin.conf }}} - -* disable password auth with ssh, once you verified you can log in - and become root using keys. -{{{ - #vi /etc/ssh/sshd_config - # | PasswordAuthentication no - - sed -i -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config && - (cd / && env -i /etc/init.d/ssh restart) -}}} - * if it is a HP Proliant, or has other management fu, read [[howto/ilo-https]] -* setup [[puppet|howto/puppet-setup]] - -* try to login using your user and ssh key. you should get a homedir. - * edit dedication into in $DSA-PUPPET/modules/debian-org/misc/local.yaml * add to nagios