Post install actions: Difference between revisions

imported>Jacob
(Created page with "FreeBSD post install actions Create the sjapkg poudriere package environment Create ssl and repository directory ># mkdir -p /usr/local/etc/pkg/repos/ ># mkdir -p /usr/local/...")
 
imported>Jacob
No edit summary
Line 3: Line 3:
Create the sjapkg poudriere package environment
Create the sjapkg poudriere package environment
Create ssl and repository directory
Create ssl and repository directory
># mkdir -p /usr/local/etc/pkg/repos/
># mkdir -p /usr/local/etc/pkg/repos/
># mkdir -p /usr/local/etc/ssl/poudriere/
># mkdir -p /usr/local/etc/ssl/poudriere/
The repository directory gets 2 files to disable the FreeBSD- and enable the sjapkg-repository.
The repository directory gets 2 files to disable the FreeBSD- and enable the sjapkg-repository.
># vi /usr/local/etc/pkg/repos/freebsd.conf  
># vi /usr/local/etc/pkg/repos/freebsd.conf  
FreeBSD: {
FreeBSD: {
    enabled: no
    enabled: no
}
}
># vi /usr/local/etc/pkg/repos/sjapkg.conf
># vi /usr/local/etc/pkg/repos/sjapkg.conf
sjapkg: {
sjapkg: {
url: "http://sjapkg.sjakio.com/packages/12amd64-sjapkg",
url: "http://sjapkg.sjakio.com/packages/12amd64-sjapkg",
mirror_type: "http",
mirror_type: "http",
signature_type: "pubkey",
signature_type: "pubkey",
pubkey: "/usr/local/etc/ssl/poudriere/sjapkg.sjakio.com.pub.key.pem",
pubkey: "/usr/local/etc/ssl/poudriere/sjapkg.sjakio.com.pub.key.pem",
enabled: yes
enabled: yes
}
}
The ssl directory gets the public key of the sjapkg-repository.
The ssl directory gets the public key of the sjapkg-repository.
># vi /usr/local/etc/ssl/poudriere/sjapkg.sjakio.com.pub.key.pem
># vi /usr/local/etc/ssl/poudriere/sjapkg.sjakio.com.pub.key.pem
-----BEGIN PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----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gwIDAQAB
-----END PUBLIC KEY-----
-----END PUBLIC KEY-----


Install packages
Install packages
># pkg update
># pkg update
># pkg install bash vim-console sudo bsdstats
># pkg install bash vim-console sudo bsdstats


uncomment the wheel group in sudo
uncomment the wheel group in sudo
># visudo
># visudo
%wheel ALL=(ALL) ALL
%wheel ALL=(ALL) ALL


bash
bash
Line 43: Line 43:


add autoboot_delay=3” to /boot/loader.conf
add autoboot_delay=3” to /boot/loader.conf
># vim /boot/loader.conf
># vim /boot/loader.conf
autoboot_delay="3"
autoboot_delay="3"


># vipw  
># vipw  
change: /usr/sh to: /usr/local/bin/bash for jac & root
change: /usr/sh to: /usr/local/bin/bash for jac & root


disable ctrl alt del reboot
disable ctrl alt del reboot
># sysctl hw.syscons.kbd_reboot=0
># sysctl hw.syscons.kbd_reboot=0


Change motd and profile
Change motd and profile
Save motd
Save original motd
># mv /etc/motd /etc/motd.default
># mv /etc/motd /etc/motd.default
># vim /etc/motd
># vim /etc/motd
FreeBSD 12.0-RELEASE-p3 GENERIC  
FreeBSD 12.0-RELEASE-p3 GENERIC  
 
Welcome to FreeBSD!
Welcome to FreeBSD!
 


Add below text to the bottom of /etc/profile
Add below text to the bottom of /etc/profile
># vim /etc/profile
># vim /etc/profile
uname -a
uname -a
echo " "
echo " "
date
date
echo " "
echo " "
echo " "
echo " "


Change /etc/syslog.conf to enable console.log and all.log
Change /etc/syslog.conf to enable console.log and all.log
# vim /etc/syslog.conf
># vim /etc/syslog.conf
Uncomment the lines with
Uncomment the lines with
    console.info                                    /var/log/console.log
    console.info                                    /var/log/console.log
    *.*                                            /var/log/all.log
    *.*                                            /var/log/all.log


# touch /var/log/console.log
># touch /var/log/console.log
# touch /var/log/all.log
># touch /var/log/all.log
# chmod 600 /var/log/all.log
># chmod 600 /var/log/all.log
# chmod 600 /var/log/console.log
># chmod 600 /var/log/console.log


# service syslogd restart
># service syslogd restart




Line 86: Line 86:
enable encrypted ssh authentication on iron.  
enable encrypted ssh authentication on iron.  
Prepare users
Prepare users
$ mkdir ~/.ssh
>$ mkdir ~/.ssh
copy public keys from another host
copy public keys from another host
$ vim ~/.ssh/authorized_keys
>$ vim ~/.ssh/authorized_keys
$ chmod -R 700 ~/.ssh
>$ chmod -R 700 ~/.ssh
Logout and login using key to see if all works.
Logout and login using key to see if all works.


Force key authentication only
Force key authentication only
# vim /etc/ssh/sshd_config
># vim /etc/ssh/sshd_config
ListenAddress XX.XX.XX.XX       # changed to Nic address
ListenAddress XX.XX.XX.XX       # changed to Nic address
PermitRootLogin no              # << Default: prohibit root login over ssh
PermitRootLogin no              # << Default: prohibit root login over ssh
PasswordAuthentication no       # << Default: ssh key only authorization
PasswordAuthentication no       # << Default: ssh key only authorization
ChallengeResponseAuthentication no      # changed to force key auth. only
ChallengeResponseAuthentication no      # changed to force key auth. only
UsePAM no                       # << Changed to set ssh key authorization only
UsePAM no                       # << Changed to set ssh key authorization only


# service sshd restart
># service sshd restart

Revision as of 20:47, 26 May 2019

FreeBSD post install actions

Create the sjapkg poudriere package environment. Create the ssl and repository directories:

># mkdir -p /usr/local/etc/pkg/repos/
># mkdir -p /usr/local/etc/ssl/poudriere/

The repository directory gets 2 files to disable the FreeBSD- and enable the sjapkg-repository.

># vi /usr/local/etc/pkg/repos/freebsd.conf 
FreeBSD: {
    enabled: no
}
># vi /usr/local/etc/pkg/repos/sjapkg.conf
sjapkg: {
	url: "http://sjapkg.sjakio.com/packages/12amd64-sjapkg",
	mirror_type: "http",
	signature_type: "pubkey",
	pubkey: "/usr/local/etc/ssl/poudriere/sjapkg.sjakio.com.pub.key.pem",
	enabled: yes
}

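The ssl directory gets the public key of the sjapkg-repository. The repository is fetched over plain http, so the signature check against this key is the only thing that protects package integrity: obtain the key over a trusted channel and compare it with the key on the build host before saving it.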

># vi /usr/local/etc/ssl/poudriere/sjapkg.sjakio.com.pub.key.pem
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvYKLD2N12/1sOGKjjhOO
z7sD1wO16HgebAwtnxeNGoDkzXqzAAgY4YY7Gv6t3fbpIncvoYH2GV7qOOtqDEj9
0YIUEA0R4EA0TtwjNkU9TVB7GE76Ok1zk5Hmw7C3xfIJZN+9BwdVewwL5BE6FbYZ
Rt6y59kvMA/uyo78GqweE6JGbCrmX3ZcSypXjwsky7ApttiSyCKzMVRPNdpp1K/+
/DdrohqIQYjl3OnTi4n9DGgE1PJ4dRUs4A2Cfqx8hlslwe6pbYtLEfEdNbe65hwl
HH00j4R6IAG/mkS5HMaSV0Bx8mdjBJhpmYabtuXRq5YR/cIduC1jxGNI1iwNZ0ce
gwIDAQAB
-----END PUBLIC KEY-----

Install packages

># pkg update
># pkg install bash vim-console sudo bsdstats

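Uncomment the wheel group line in the sudoers file. Every member of the wheel group can then run any command as any user with sudo, so keep membership of wheel limited to administrators.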

># visudo
%wheel ALL=(ALL) ALL

bash: add to /etc/fstab: fdesc /dev/fd fdescfs rw 0 0

add autoboot_delay="3" to /boot/loader.conf

># vim /boot/loader.conf
autoboot_delay="3"
># vipw 

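change: /usr/sh to: /usr/local/bin/bash for jac & root. bash is installed from a package under /usr/local; if that file system is not mounted or the package is broken, an account with this shell cannot log in, so consider leaving root on a base-system shell.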

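Disable ctrl-alt-del reboot. The sysctl command below changes only the running system; add the same setting to /etc/sysctl.conf to keep it after a reboot. hw.syscons.kbd_reboot applies to the syscons console driver; on the vt console the equivalent setting is kern.vt.kbd_reboot.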

># sysctl hw.syscons.kbd_reboot=0

Change motd and profile. Save the original motd:

># mv /etc/motd /etc/motd.default
># vim /etc/motd
FreeBSD 12.0-RELEASE-p3 GENERIC 

Welcome to FreeBSD!

Add below text to the bottom of /etc/profile

># vim /etc/profile
uname -a
echo " "
date
echo " "
echo " "

Change /etc/syslog.conf to enable console.log and all.log

># vim /etc/syslog.conf

Uncomment the lines with

    console.info                                    /var/log/console.log
    *.*                                             /var/log/all.log
># touch /var/log/console.log
># touch /var/log/all.log
># chmod 600 /var/log/all.log
># chmod 600 /var/log/console.log
># service syslogd restart


Enable ssh key authentication on iron. Prepare users:

>$ mkdir ~/.ssh

Copy the public keys (never the private keys) from another host. authorized_keys only needs to be readable and writable by its owner.

>$ vim ~/.ssh/authorized_keys
>$ chmod -R 700 ~/.ssh

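Log out and log in using the key to check that everything works. Do this before password authentication is disabled below, so that a mistake in authorized_keys cannot lock you out.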

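Force key authentication only. Keep the current session open while sshd is restarted, and confirm a new key login from a second terminal before closing it.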

># vim /etc/ssh/sshd_config
ListenAddress XX.XX.XX.XX	       # changed to Nic address
PermitRootLogin no              # << Default: prohibit root login over ssh
PasswordAuthentication no       # << Default: ssh key only authorization
ChallengeResponseAuthentication no      # changed to force key auth. only
UsePAM no                       # << Changed to set ssh key authorization only
># service sshd restart