From 5d115ef935b6ecc2df4d5ac9aa86cc055990ad69 Mon Sep 17 00:00:00 2001
From: ficus
Date: Sun, 23 Sep 2012 20:03:04 +0200
Subject: add missing files
---
packages/torouter-prep/configs/etc/ssh/sshd_config | 87 ++++++++++++++++++++++
.../configs/etc/ssh/sshd_config/sshd_config | 87 ----------------------
packages/torouter-prep/src/torouter_preboot.sh | 80 ++++++++++++++++++++
3 files changed, 167 insertions(+), 87 deletions(-)
create mode 100644 packages/torouter-prep/configs/etc/ssh/sshd_config
delete mode 100644 packages/torouter-prep/configs/etc/ssh/sshd_config/sshd_config
create mode 100755 packages/torouter-prep/src/torouter_preboot.sh
(limited to 'packages/torouter-prep')
diff --git a/packages/torouter-prep/configs/etc/ssh/sshd_config b/packages/torouter-prep/configs/etc/ssh/sshd_config
new file mode 100644
index 0000000..d079ac0
--- /dev/null
+++ b/packages/torouter-prep/configs/etc/ssh/sshd_config
@@ -0,0 +1,87 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+AddressFamily inet
diff --git a/packages/torouter-prep/configs/etc/ssh/sshd_config/sshd_config b/packages/torouter-prep/configs/etc/ssh/sshd_config/sshd_config
deleted file mode 100644
index d079ac0..0000000
--- a/packages/torouter-prep/configs/etc/ssh/sshd_config/sshd_config
+++ /dev/null
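Review bot: `PermitRootLogin yes` together with `#PasswordAuthentication yes` left commented (sshd's default is yes) and `UsePAM yes` permits password logins as root, and with no `ListenAddress` set sshd binds every interface, including the eth0 "internet" interface that the preboot script in this same patch describes, while that script still carries a `# XXX We should configure ufw here` placeholder rather than a firewall. For an appliance build I would set `PermitRootLogin no`, `PasswordAuthentication no` and `X11Forwarding no` and rely on the admin account's authorized_keys, adding a LAN-side `ListenAddress` once the interfaces file fixes the address. The protocol-1-only settings (`KeyRegenerationInterval`, `ServerKeyBits`, `RSAAuthentication`, `RhostsRSAAuthentication`) are inert under `Protocol 2` and can be dropped. `AddressFamily inet` is appended after the `UsePAM` commentary; placing it next to `Port 22` and the `ListenAddress` lines keeps the listener settings together.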
@@ -1,87 +0,0 @@
-# Package generated configuration file
-# See the sshd_config(5) manpage for details
-
-# What ports, IPs and protocols we listen for
-Port 22
-# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
-Protocol 2
-# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-#Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
-
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 768
-
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-
-# Authentication:
-LoginGraceTime 120
-PermitRootLogin yes
-StrictModes yes
-
-RSAAuthentication yes
-PubkeyAuthentication yes
-#AuthorizedKeysFile %h/.ssh/authorized_keys
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
-# similar for protocol version 2
-HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Change to no to disable tunnelled clear text passwords
-#PasswordAuthentication yes
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-X11Forwarding yes
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
-
-#MaxStartups 10:30:60
-#Banner /etc/issue.net
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-AddressFamily inet
diff --git a/packages/torouter-prep/src/torouter_preboot.sh b/packages/torouter-prep/src/torouter_preboot.sh
new file mode 100755
index 0000000..7ebcc63
--- /dev/null
+++ b/packages/torouter-prep/src/torouter_preboot.sh
@@ -0,0 +1,80 @@
+#!/usr/bin/env dash
+
+echo "Inside torouter_preboot.sh..."
+
+export VERSION="0.2"
+
+export config_dir="/usr/share/torouter-prep/example-configs/"
+
+# Add a user to administrate the Torouter later
+export ADMINUSER="torouter"
+export ADMINGROUP="torouter"
+export TORADMINGROUP="debian-tor"
+
+# TODO: check that dependancies are already installed, or fail
+# tor, torouterui, ttdnsd, etc
+apt-get --simulate install apt-utils tor torouterui ttdnsd
+
+# Set us to have a default host name and hosts file
+cp $config_dir/etc/hostname /etc/hostname
+cp $config_dir/etc/hosts /etc/hosts
+
+# We need to prep apt to understand that we want packages from other repos
+cp $config_dir/etc/apt/sources.list /etc/apt/sources.list
+
+# We're creating this file to ensure we get updates
+cp $config_dir/etc/apt/preferences.d/backports /etc/apt/preferences.d/backports
+#cp $config_dir/etc/apt/apt.conf /etc/apt/apt.conf
+
+# Reconfigure /etc/inittab here
+cp $config_dir/etc/inittab /etc/inittab
+
+# Reconfigure fstab
+cp $config_dir/etc/fstab /etc/fstab
+
+# Configure the network
+# eth0 is our "internet" interface with a dhcp client
+cp $config_dir/etc/network/interfaces /etc/network/interfaces
+
+# Configure dnsmasq
+cp $config_dir/etc/dnsmasq.conf /etc/dnsmasq.conf
+
+# Configure ntp
+cp $config_dir/etc/ntp.conf /etc/ntp.conf
+cp $config_dir/etc/default/openntpd /etc/default/openntpd
+
+# Configure ssh
+cp $config_dir/etc/ssh/sshd_config /etc/ssh/sshd_config
+
+# XXX We should configure ufw here
+# XXX We should configure denyhosts
+
+cp $config_dir/etc/tor/torrc /etc/tor/torrc
+cp $config_dir/etc/default/ttdnsd /etc/default/ttdnsd
+
+# Remove a bunch of stuff
+apt-get -f -y remove --purge polipo minissdpd
+apt-get -y remove exim4-base exim4-config exim4-daemon-light dbus
+
+# Clean up apt
+#apt-get -y autoremove
+apt-get install -f
+apt-get -y clean
+
+## Disable ipv6 support for now
+cp $config_dir/etc/modprobe.d/blacklist.conf /etc/modprobe.d/blacklist.conf
+
+## add users and groups (ignore failures if groups already exist)
+addgroup $ADMINGROUP
+useradd -g $ADMINGROUP -G $TORADMINGROUP -s /bin/bash $ADMINUSER
+# TODO: $ADMINUSER passwd?
+
+# Configure arm
+zcat $config_dir/armrc.sample.gz > /home/$ADMINUSER/.armrc
+
+## Add arm startup trick with cron for shared screen run as $ADMINUSER
+crontab -u $ADMINUSER $config_dir/tor-arm-crontab
+
+## Touch a stamp to show that we're now a Torouter
+echo "torouter $VERSION" > /etc/torouter
+
-- cgit v1.2.3
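Review bot: No command in the script has its status checked and there is no `set -e`, so under dash a missing `$config_dir` or any failed `cp` is silently skipped and the closing `echo "torouter $VERSION" > /etc/torouter` still stamps the box as configured. `useradd` is also run without `-m`, so unless `/home/$ADMINUSER` already exists from elsewhere the `zcat ... > /home/$ADMINUSER/.armrc` redirect fails as well, and where it succeeds the file is created by the invoking root user rather than by the admin account. I would add `set -eu` after the shebang, keep the intended tolerance explicit with `addgroup "$ADMINGROUP" || true`, and create the user with `useradd -m -g "$ADMINGROUP" -G "$TORADMINGROUP" -s /bin/bash "$ADMINUSER" || true`, quoting the `$config_dir` expansions in the `cp` lines the same way. The `apt-get --simulate install` line needs an explicit `|| exit 1` if it is to serve as the dependency check its TODO describes.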