diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2013-10-17 20:18:46 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 04:27:39 +0200 |
commit | 22d15e76152b8d904ddabb5817e0aade60315bcd (patch) | |
tree | 9e2096e32a8c62a99fae6dca5322103dff4f3dc0 | |
parent | 58ac6f61f94614e4550e6a35421600cd271f2c9f (diff) |
Moved post-install scripts into the udeb.
-rwxr-xr-x | post-install-msg.sh | 60 | ||||
-rwxr-xr-x | post-install.sh | 127 |
2 files changed, 0 insertions, 187 deletions
diff --git a/post-install-msg.sh b/post-install-msg.sh deleted file mode 100755 index 8fecde4..0000000 --- a/post-install-msg.sh +++ /dev/null @@ -1,60 +0,0 @@ -#! /bin/sh -# -# Tell the user that the machine is ready to slurp the key for full disk -# encryption. -# -# Copyright 2013 Guilhem Moulin <guilhem@fripost.org> -# -# Licensed under the GNU GPL version 3 or higher. - -set -ue - -cd /target/etc/ - -chroot /target/ service ssh start; sleep 1 -sed -i 's/^DenyUsers \*$/AllowGroups ssh/' ./ssh/sshd_config - -# Busybox's sed doesn't support address '0,/../' -user="$(sed -rn 's/^([^:]*):[^:]*:1000:.*/\1/p' ./passwd)" -home="/target/$(sed -rn 's/^[^:]*:[^:]*:1000:[^:]*:[^:]*:([^:]*):.*/\1/p' ./passwd)" - -. /usr/share/debconf/confmodule - -ipv4="$(ip addr show eth0 | sed -nr 's/^\s+inet\s([0-9.]{4,32}).*/\1/p')" -template=$(mktemp) - -cat > "$template" <<EOF -Template: post-install/title -Type: note -Description: Installation complete - -Template: post-install/text -Type: note -Description: Press 'continue' to reboot - After the reboot, you will be able to log in to this new Debian GNU/Linux - system: - . - ssh -p 22 -l $user $ipv4 - . - To defeat MiTM-attacks, please ensure that the server fingerprint matches - . - $(ssh-keygen -lf ./ssh/ssh_host_rsa_key) - . - Key(s) that are currently granted access have the following fingerprint: - . -EOF -while read pk; do - # ssh-keygen can't read from STDIN, and ash doesn't have the '<<<' - # construct, so we save each pubkey in a temporary file - pkf=$(mktemp) - echo "$pk" > "$pkf" - echo " - $(ssh-keygen -lf $pkf)" >> "$template" - rm "$pkf" -done < "$home/.ssh/authorized_keys" -# TODO: key granted access to the initramfs -# TODO: copy the previous keys? - -debconf-loadtemplate post-install "$template" -db_settitle post-install/title -db_input critical post-install/text -db_go diff --git a/post-install.sh b/post-install.sh deleted file mode 100755 index c03bda6..0000000 --- a/post-install.sh +++ /dev/null @@ -1,127 +0,0 @@ -#!/bin/sh -# -# Post-installation script -# -# Copyright 2013 Guilhem Moulin <guilhem@fripost.org> -# -# Licensed under the GNU GPL version 3 or higher. - -set -ue - -find /home/ -mindepth 1 -maxdepth 1 -type d -print0 | xargs -r0 chmod og-rwx - -user="$(sed -rn '0,/^([^:]*):[^:]*:1000:.*/s//\1/p' /etc/passwd)" -home="$(sed -rn '0,/^[^:]*:[^:]*:1000:[^:]*:[^:]*:([^:]*):.*/s//\1/p' /etc/passwd)" - -test -d "$home/.ssh" || mkdir -m 0700 "$home/.ssh" -# TODO: make something more generic -cp /cdrom/preseed/authorized_keys "$home/.ssh/authorized_keys" -chown -R "$user:$user" "$home/.ssh" -chmod -R og-rwx "$home/.ssh" - -# Delete the automatically generated keys, and replace by our own -rm /etc/ssh/ssh_host_*_key /etc/ssh/ssh_host_*_key.pub -ssh-keygen -b 4096 -t rsa -N '' -C /etc/ssh/ssh_host_rsa_key -f /etc/ssh/ssh_host_rsa_key - -cat > /etc/ssh/sshd_config << EOF -# What ports, IPs and protocols we listen for -Port 22 -# Use these options to restrict which interfaces/protocols sshd will bind to -#ListenAddress :: -#ListenAddress 0.0.0.0 -Protocol 2 -# HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes - -# Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 768 - -# Logging -SyslogFacility AUTH -LogLevel INFO - -# Authentication: -LoginGraceTime 120 -PermitRootLogin no -DenyUsers * -StrictModes yes - -RSAAuthentication yes -PubkeyAuthentication yes -#AuthorizedKeysFile %h/.ssh/authorized_keys - -# Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts yes -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication no -# similar for protocol version 2 -HostbasedAuthentication no -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords no - -# Change to yes to enable challenge-response passwords (beware issues with -# some PAM modules and threads) -ChallengeResponseAuthentication no - -# Change to no to disable tunnelled clear text passwords -PasswordAuthentication no - -# Kerberos options -#KerberosAuthentication no -#KerberosGetAFSToken no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -X11Forwarding no -X11DisplayOffset 10 -PrintMotd no -PrintLastLog yes -TCPKeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net - -# Allow client to pass locale environment variables -AcceptEnv LANG LC_* - -Subsystem sftp /usr/lib/openssh/sftp-server - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -UsePAM no -EOF - -# TODO: the full list hangs -#apt-get autoremove --purge \ -# dictionaries-common \ -# eject \ -# ispell \ -# laptop-detect \ -# nano \ -# tasksel \ -# wamerican \ -# wbritish \ -#|| true - -#TODO: dpkg -l | grep ^rc -sudo update-alternatives --set editor /usr/bin/vim.nox - -# TODO: initramfs |