A skeleton for GNU+Linux system first boot configuration

Latest commit: lauhub 86f9f3ef8a Added: dosync.sh (8 months ago)

scripts                  ceed7f2df8  Disable temporarily ssh server to avoid warnings  (8 months ago)
.gitignore               dd8f7431fe  restarts ssh server after key renewing            (1 year ago)
LICENSE                  88bd34da1f  Initial commit                                    (6 years ago)
README.md                9f380b9e55  Description                                       (6 years ago)
deploy                   aa4db7ff62  Documentation and configuration file              (6 years ago)
dosync.sh                86f9f3ef8a  Added: dosync.sh                                  (8 months ago)
first-boot-init.service  aa4db7ff62  Documentation and configuration file              (6 years ago)
first-boot-script        aa4db7ff62  Documentation and configuration file              (6 years ago)
sync.data.example        aa4db7ff62  Documentation and configuration file              (6 years ago)

README.md

Introduction

systemd-first-boot-script is a set of scripts that configure a GNU+Linux system at its first boot.

Once installed, a startup script runs automatically at the next boot; it asks the user to change passwords and performs some configuration tasks.

Each task can be enabled or disabled individually.

Purpose

Setting up a pre-configured virtual machine or GNU+Linux system is easy. Sharing it with other people, however, means sharing its credentials, which is bad from a security point of view.

This set of scripts runs several configuration programs at first boot in order to:

  • reset the SSH server host keys
  • change the root password
  • change the main user's password (this user is expected to be in the sudoers group)
  • create a new user in the sudoers group
  • change the machine name
  • display connection information (or anything else)

A skeleton is provided to create one's own scripts.

Deployment

The target machine should have a working SSH server.

The scripts are prepared on another machine (e.g. your local machine), from which they are sent to the target using a synchronization script.

This avoids installing git on the target machine (which is not wanted on some systems).

Installation and configuration

Clone this repository on your local machine.

Configuration

Copy sync.data.example to sync.data:

cp sync.data.example sync.data

Edit sync.data with the credentials for the target machine (using SSH keys is recommended but not mandatory).

Deployment

Remote copy

Run the synchronization script from the local machine:

./dosync.sh

All files should now be copied to the target machine.

On target machine

Everything in this section must be run as the super-user (or with sudo).

From the synced directory, run the deployment script:

cd install-systemd-first-boot-script # or the name you chose in sync.data
./deploy

All files are copied to /etc/first-boot/.

Select the files to be executed in /etc/first-boot/scripts by giving them execute permission (here a subset of the available scripts is selected):

cd /etc/first-boot/scripts
chmod -x *
chmod +x 01-renew-ssh-keys 02-password 03-user-password 50-hostname

Check that the permissions are correct (only scripts with execute permission will be run):

ls -l /etc/first-boot/scripts
-rwxr-xr-x@ 1 root  root   625 10 oct 10:59 01-renew-ssh-keys
-rwxr-xr-x@ 1 root  root   581 10 oct 10:59 02-password
-rwxr-xr-x@ 1 root  root   662 10 oct 11:01 03-user-password
-rw-r--r--@ 1 root  root  1114 10 oct 11:08 04-create-default-user
-rwxr-xr-x  1 root  root   660 10 oct 11:09 50-hostname
-rw-r--r--@ 1 root  root   732 11 oct 15:42 90-display-ip
-rw-r--r--@ 1 root  root   755 10 oct 10:59 skeleton

Now the machine is ready to be rebooted.

Test

You can test by rebooting the machine.

You will have to answer all the questions (it is not possible to kill the process), so use passwords you know.

Once it works for you, re-run the deployment script (this resets the flag that indicates the script has already been run):

cd install-systemd-first-boot-script # or the name you chose in sync.data
./deploy

Check the permissions in /etc/first-boot/scripts once again (just to be sure, even though they should not have changed).

You can now delete the installation directory (it can be recreated at any time by running dosync.sh from your local machine):

cd ..
rm -r install-systemd-first-boot-script
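To make the two behaviours described above concrete (only executable entries in the scripts directory run, and a flag file makes the whole run happen only once until ./deploy resets it), here is an added, hypothetical runner in POSIX sh. It is not the project's own first-boot-script; the script directory, the flag file path and the return codes are assumptions.

```shell
#!/bin/sh
# Hypothetical first-boot runner (illustration only, not the project's code).
# Runs every executable regular file in SCRIPT_DIR in lexical (glob) order,
# exactly once: FLAG_FILE records a completed run. Removing FLAG_FILE, as the
# project's ./deploy does with its own flag, re-arms the run for the next boot.
# Return codes (assumed): 0 all tasks ran, 1 at least one task failed,
# 2 nothing ran because the flag already exists.
run_first_boot_scripts() {
    script_dir="$1"
    flag_file="$2"

    if [ -e "$flag_file" ]; then
        echo "first-boot: already done ($flag_file exists), skipping" >&2
        return 2
    fi

    status=0
    for script in "$script_dir"/*; do
        [ -f "$script" ] || continue
        # Entries without execute permission (the skeleton, or tasks disabled
        # with `chmod -x`) are listed but never run.
        if [ ! -x "$script" ]; then
            echo "first-boot: skipping $(basename "$script") (not executable)" >&2
            continue
        fi
        echo "first-boot: running $(basename "$script")" >&2
        # Keep going after a failing task so later tasks still run,
        # but remember that something went wrong.
        "$script" || { status=1; echo "first-boot: $(basename "$script") failed" >&2; }
    done

    # Mark the run as done so the next reboot does not ask for passwords again.
    date '+%Y-%m-%dT%H:%M:%S' > "$flag_file"
    return "$status"
}

# Stand-alone use as root (paths are assumptions, not the project's):
# run_first_boot_scripts /etc/first-boot/scripts /etc/first-boot/.first-boot-done
```

Running it twice in a row shows the flag at work: the second call returns 2 and executes nothing, which is exactly what re-running ./deploy is meant to undo.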

Use it

Strong passwords

Don't forget to use strong passwords on your systems.

Share your work

Once ready, shut down the system and hand it over to the person who will use it: that person will have to set their own passwords at first boot.

References