headful_EPA_jumpbox_config / linode_base_config

part of the headful_EPA_jumpbox_config project

summary

Do a basic, somewhat-secured setup of a linode, either

  • manually
  • scripted: as detailed below, manually rebuild your linode, shell into it, then run a normal script from a shell commandline (not a StackScript)

Note that all of the above processes (and basically everything on this page) assume that you have already successfully completed the pre-install process.

For definitions of terms special to these instructions, see the project glossary.

manual

Follow steps in linode.com docs=

  1. Getting Started
  2. Securing Your Server

with one exception: although I do disable root login via SSH, I do not currently disable the root login entirely. This is because I have found in other, past (and possibly irrelevant) installs that sometimes sudo is not enough: i.e., sometimes one must run su -.

scripted

minimal_secure_debian-based_linode_config.sh runs on the linode "normally": i.e., not as a StackScript. Accordingly, to run it,

  1. On your client device, complete the pre-script process below.
  2. From your linode, complete the script base install below.

pre-script process

  1. From your Linode Dashboard:

    1. Rebuild the linode: follow link= Rebuild. In the resulting page,

      1. Select OS=Debian (probably latest version available).
      2. Fill-in your desired root password.
      3. Take other defaults.
      4. Hit button= Rebuild (and OK to confirm).

      Will take a bit of time (usually less than a minute), returning to status= Powered Off

    2. Boot the linode: hit button= Boot (and OK to confirm). Will take a bit of time (usually less than a minute).

  2. From your client:

    1. Define JUMPBOX_IPV4 (your linode's IPv4 IP#), preferably by sourcing previously-written private.properties:

      source ${PATH_TO_PROJECT}/scripts/private.properties
      
    2. Remove the linode's old host key from your client's known_hosts (the rebuilt linode presents a new one):

      ssh-keygen -f ${HOME}/.ssh/known_hosts -R ${JUMPBOX_IPV4}
      
    3. Copy scripts and dependencies to linode 'rootspace' (usually /root/). The easiest way to do this is

      scp ${PATH_TO_PROJECT}/scripts/* root@${JUMPBOX_IPV4}:
      
    4. SSH into linode as root (since you have not yet created a user account):

      ssh root@${JUMPBOX_IPV4}
      

script base install

From a root shell on your linode:

  1. Run the install script (s/whatever/ your desired password /):

    JUMPBOX_USER_PASSWORD='whatever' /root/minimal_secure_debian-based_linode_config.sh
    
  2. After the script runs to completion (without error):

    1. Log out (aka Ctrl-D) as root.

    2. Copy scripts and dependencies from your client device to your new user's linode homespace. For convenience, we want to assume (and further documentation will assume) that your scripts and dependencies are available at the same path (relative to your homespace) on the linode as on your client device. So do, e.g.,

      ssh ${JUMPBOX_USER_NAME}@${JUMPBOX_IPV4} "mkdir -p ${PATH_TO_PROJECT}/scripts/"
      # ignore responses like
      # > X11 forwarding request failed on channel 0
      scp ${PATH_TO_PROJECT}/scripts/* ${JUMPBOX_USER_NAME}@${JUMPBOX_IPV4}:${PATH_TO_PROJECT}/scripts/
      

This will also test that you

  • created your user correctly
  • set up your SSH connection correctly

StackScript

Not currently supported: I have started a StackScript for this task, but it is currently broken. To fix it, I need to

  • add logging-to-file to facilitate debug
  • discover either
    • how to make the StackScript get .properties from the client
    • how to run the StackScript after [creating the base image, copying the properties]

testing

As directed by the script, from your client, verify that

  1. you cannot now SSH in as user=root

  2. you can now SSH in as the user you created, with key and without challenge, e.g.:

    ssh ${JUMPBOX_USER_NAME}@${JUMPBOX_IPV4}
    
  3. your sudo iptables -L output

    1. resembles this output of mine
    2. resembles the listing at this linode doc
    3. ... and your ability to sudo tests that you set your user password correctly.
  4. your desired packages (esp for your editor) are installed
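
Step 1 can also be confirmed on the linode itself, since a refused root login from a client may only mean that root has no authorized key. The following added example (not part of the project's scripts) checks the effective sshd settings for steps 1 and 2; the function name `audit_sshd_effective` and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the project): audit `sshd -T` output, which
# prints the effective settings as lower-case "keyword value" lines.
# The function name and both sample inputs are constructed here.

# Reads `sshd -T` output on stdin, prints one PASS/FAIL line per check,
# and returns 0 only when every check passes.
audit_sshd_effective() {
    awk '
        { seen[tolower($1)] = tolower($2) }
        END {
            bad = 0
            # Check 1: root must be refused outright. Values such as
            # "prohibit-password" still let root in with a key.
            r = ("permitrootlogin" in seen) ? seen["permitrootlogin"] : "(missing)"
            if (r == "no") print "PASS permitrootlogin no"
            else { print "FAIL permitrootlogin " r; bad = 1 }
            # Check 2: key-based login must be enabled for the new user.
            p = ("pubkeyauthentication" in seen) ? seen["pubkeyauthentication"] : "(missing)"
            if (p == "yes") print "PASS pubkeyauthentication yes"
            else { print "FAIL pubkeyauthentication " p; bad = 1 }
            exit bad
        }'
}

# Constructed sample: the state the testing steps expect.
SAMPLE_HARDENED='port 22
permitrootlogin no
pubkeyauthentication yes'

# Constructed sample: root password login is off, root key login is not.
SAMPLE_ROOT_KEY_ONLY='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes'

printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd_effective
printf '%s\n' "$SAMPLE_ROOT_KEY_ONLY" | audit_sshd_effective ||
    echo "root SSH login is not fully disabled"
```

On the linode, feed it live data with `sudo sshd -T | audit_sshd_effective`.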
