diff options
Diffstat (limited to 'post-install.sh')
| -rwxr-xr-x | post-install.sh | 128 |
1 files changed, 128 insertions, 0 deletions
diff --git a/post-install.sh b/post-install.sh new file mode 100755 index 0000000..9a99965 --- /dev/null +++ b/post-install.sh @@ -0,0 +1,128 @@ +#!/bin/sh +# +# Post-installation script +# +# Copyright 2013 Guilhem Moulin <guilhem@fripost.org> +# +# Licensed under the GNU GPL version 3 or higher. + +set -ue + +find /home/ -mindepth 1 -maxdepth 1 -type d -print0 | xargs -r0 chmod og-rwx + +user="$(sed -rn '0,/^([^:]*):[^:]*:1000:.*/s//\1/p' /etc/passwd)" +home="$(sed -rn '0,/^[^:]*:[^:]*:1000:[^:]*:[^:]*:([^:]*):.*/s//\1/p' /etc/passwd)" + +test -d "$home/.ssh" || mkdir -m 0700 "$home/.ssh" +# TODO: make something more generic +cat > "$home/.ssh/authorized_keys" << EOF +ssh-rsa ... +EOF +chown -R "$user:$user" "$home/.ssh" +chmod -R og-rwx "$home/.ssh" + +# Delete the automatically generated keys, and replace by our own +rm /etc/ssh/ssh_host_*_key /etc/ssh/ssh_host_*_key.pub +ssh-keygen -b 4096 -t rsa -N '' -C /etc/ssh/ssh_host_rsa_key -f /etc/ssh/ssh_host_rsa_key + +cat > /etc/ssh/sshd_config << EOF +# What ports, IPs and protocols we listen for +Port 22 +# Use these options to restrict which interfaces/protocols sshd will bind to +#ListenAddress :: +#ListenAddress 0.0.0.0 +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 120 +PermitRootLogin no +DenyUsers * +StrictModes yes + +RSAAuthentication yes +PubkeyAuthentication yes +#AuthorizedKeysFile %h/.ssh/authorized_keys + +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts yes +# For this to work you will also need host keys in /etc/ssh_known_hosts +RhostsRSAAuthentication no +# similar for protocol version 2 +HostbasedAuthentication no +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Change to no to disable tunnelled clear text passwords +PasswordAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosGetAFSToken no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +X11Forwarding no +X11DisplayOffset 10 +PrintMotd no +PrintLastLog yes +TCPKeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +Subsystem sftp /usr/lib/openssh/sftp-server + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM no +EOF + +# TODO: the full list hangs +#apt-get autoremove --purge \ +# dictionaries-common \ +# eject \ +# ispell \ +# laptop-detect \ +# nano \ +# tasksel \ +# wamerican \ +# wbritish \ +#|| true + +sudo update-alternatives --set editor /usr/bin/vim.nox + +# TODO: initramfs |