Tux2010 setup notes. Time-stamp: <2010-12-14 23:19:37> --------------------------------- file tux2010_installation_notes.txt file created 2010/12/14 Notes for installation of Debian 5.06 (Lenny) on new hardware for OCLUG machine "tux2010". Machine currently resides at the home of Richard Guy Briggs in Ottawa Ont. 2010/11/26 - The first installation attempt involved some experimentation to determine the correct procedure for configuring the software raid with LVM. Although the DVD installation completed, network problems prevented software updates and further configuration. It was decided that the installation would be restarted at a later date to allow accurate documentation of the exact procedure. - Items learned: - Although the DVD contains all the files needed for the installation, it accesses the net if one is present. This may be an installation bug but since a slow network will cause an installation time estimate of over 24 hours, it's difficult to document what s/w is being installed. This problem isn't present when installing from DVD without the network connected. Therefore: Disconnect the network, install the Debian OS and configure the network later. - When removing partitions from an existing LVM installation, it wants to "clear" the partitions. This can take hours to cleanly remove partitions from a disk that we only wish to "trash", ie: use as a new blank disk. Therefore: Use the fdisk command to quickly destroy disk partitions. 2010/12/02 - Second installation attempt. This one was successful. Although the network issues have been resolved by replacing the disk on a firewall machine, the initial installation is being done with the network disconnected. - Booted Debian 5.06 DVD: started installation, but found we had trouble resetting the disk partitions. Therefore opened a shell and ran fdisk /dev/sda and D(eleted partition) 1 W(rite) fdisk /dev/sdb and D(eleted partition) 1 W(rite) Rebooted to ensure this was registered. When we tried an install, we discovered the machine was attempting to use the network, so the cable was unplugged and the installation restarted. Restarted installation: English, Canada, American English Machine name: tux2010 (No network available, so no domain yet configured.) Note: If a machine has 2 hardware disks, the following procedure will configure software raid and then use LVM (the Logical Volume Manager). Partitioning: Chose FREE SPACE on first disk and used all space with Create Partition Use as physical volume for RAID Same on second disk Configure s/w RAID Keep partitions and configure RAID Create MD device RAID1, 2 devices No. of spares 0 Select BOTH devices Finish Configure LVM Keep layout (Y) Deleted all Logical Volumes (seems to remember them) Deleted volume group Create Volume Group tx Select /dev/md0 Create logical volumes intended use name size mount point t1 250M /boot t2 10G / t3 8G swap t4 50G /var t5 10G /tmp t6 20G /usr t7 20G /home Select each LV in turn, and choose "Use as ext3" for all but t3 which is "Use as swap" For all but t3, choose "Format this partition" and select the appropriate mount point as given above Finish and write partition table. (Yes) Enter root pw (_______), Create user named "installer", username "install", same pw as root. Scan another CD/DVD: No Choose: s/w installation [[:x]] desktop environment [[:x]] standard system Note: Choosing the desktop environment installs more s/w than desired but is but is easier than manually selecting all the packages we DO need. Note: Lilo was installed by default. Grub wasn't offered (or needed). When done, Lilo target /dev/md0 Large memory option for Lilo Yes Write lilo /sbin/lilo Reboot. Hostname: tux2010 Network configuration: Log in as install. Menu: System / Administration / Network (This runs the command /usr/bin/network-admin.) On the Connections tab Choose Wired connection (eth0) static [ ] Enable roaming mode (ie: Don't select it.) Configuration: Static IP address IP address: 204.224.221.7 Subnet mask: 255.255.255.224 Gateway address: 204.224.221.1 On the DNS tab: DNS servers select add DNS server: 204.224.221.2 This results in: tux2010% /sbin/ifconfig eth0 Link encap:Ethernet HWaddr 00:12:3f:d2:a5:cc inet addr:204.225.221.7 Bcast:204.225.221.31 Mask:255.255.255.224 inet6 addr: fe80::212:3fff:fed2:a5cc/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:215258 errors:0 dropped:0 overruns:0 frame:0 TX packets:68354 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:25921523 (24.7 MiB) TX bytes:11935741 (11.3 MiB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:1429 errors:0 dropped:0 overruns:0 frame:0 TX packets:1429 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:2166668 (2.0 MiB) TX bytes:2166668 (2.0 MiB) As root (su): run command "su", enter root password then run the following: /etc/init.d/networking restart visudo add install The following line is added to file /etc/sudoers install ALL=(ALL) ALL Updates Menu: System / Administration / Synaptic package manager Settings Choose debian.yorku.ca as repository server Choose only main collection for now. From the command line, run: apt-get update apt-get upgrade apt-get install rsync ssh After updates, disk usage is: tux2010% df -h Filesystem Size Used Avail Use% Mounted on /dev/mapper/tx-t2 9.2G 231M 8.5G 3% / tmpfs 1014M 0 1014M 0% /lib/init/rw udev 10M 736K 9.3M 8% /dev tmpfs 1014M 0 1014M 0% /dev/shm /dev/mapper/tx-t1 229M 23M 194M 11% /boot /dev/mapper/tx-t7 19G 174M 18G 1% /home /dev/mapper/tx-t5 9.2G 150M 8.6G 2% /tmp /dev/mapper/tx-t6 19G 2.1G 16G 12% /usr /dev/mapper/tx-t4 46G 449M 44G 2% /var Note: For old tux: tux% df -h Filesystem Size Used Avail Use% Mounted on /dev/sda3 9.4G 7.8G 1.2G 88% / tmpfs 379M 0 379M 0% /lib/init/rw udev 10M 88K 10M 1% /dev tmpfs 379M 0 379M 0% /dev/shm /dev/mapper/TuxGroup-TuxHome 5.0G 1.1G 3.6G 24% /home Services: Menu: System / Administration / Services Check OFF: exim4 (mail agent) Check OFF: rsync remote backup server Check ON: ssh Adding user accounts for: roland, nashjc Note: The following useradd command required the home directory to be manually created and ownership changed. The correct commands are described in the 2010/12/06 entry in this file. The incorrect commands are documented here for the sake of accuracy. useradd -c "Roland Renaud" -s /bin/bash -d /home/roland -u 1020 -g users roland useradd -c "John Nash" -s /bin/bash -d /home/nashjc -u 1021 -g users nashjc tux2010% grep roland /etc/passwd roland:x:1020:100:Roland Renaud:/home/roland:/bin/bash tux2010% grep nashjc /etc/passwd nashjc:x:1021:100:John Nash:/home/nashjc:/bin/bash root@tux2010:/home# mkdir nashjc root@tux2010:/home# chown nashjc.users nashjc Later found nashjc had ownership roland:users. And since tux2keys dir on USB key was on fat filesystem, the permissions were 755, not 700 for directory and 600 for files in .ssh - tux2 visible to the world and accepts passwd login. Making ssh key for user "install". Note: This was created on Roland's laptop running Ubuntu Lucid. rjrlap3% ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/usr/home/roland/.ssh/id_rsa): ./id_rsa_tux2 Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in ./id_rsa_tux2. Your public key has been saved in ./id_rsa_tux2.pub. The key fingerprint is: 32:1e:e7:7c:4a:1f:63:79:18:94:68:65:41:a8:8f:62 roland@rjrlap3 The key's randomart image is: +--[ RSA 2048]----+ | o=. | | .+ . | | .o o | | .. . | | +oS . | | E..B. + | | . .. + B . | | . = + | | . . | +-----------------+ At this point these were made without a passphrase, which JN had used to allow for automatic unattended backups from his own server. However, there would be better security with a passphrase. rjrlap3% rsync -av *pub install@tux2:.ssh root@tux2010:/home/install/.ssh# cat id_rsa_tux2.pub >> authorized_keys Disable password login: cp -p sshd_config sshd_config.orig edit sshd_config to configure PasswordAuthentication no Note: Remote login to machine tux2010 is now only possible using ssh with keys. Passwords are disabled. 2010/12/06 new Tux (tux2010) - configuration continued. Adding user accounts for current OCLUG board of directors and user "rgb". New tux (204.225.221.7 tux2010) Old tux (204.225.221.10 tux) Information obtained from old tux: - username, user id from file /etc/passwd - encrypted passwords from file /etc/shadow - ssh keys from file /home/username/.ssh/authorized_keys Once users have configured ssh-agent on their home machine, they should be able to login to new tux with the command "ssh -AY tux2010" (or "ssh -AY 204.225.221.7") as with old tux. They have the same userid, passwd, sudo privs and ssh keys as before. For consistency, everyone is now in the "users" group (100). We'll determine later if it's worth the trouble to maintain other group lists such as "board" or if some users should have their own group. (Apparently, group names are automatically generated by some account adding s/w.) Home directory configs weren't copied. To copy it, users can log into tux and run something like this: rsync -av $USER tux2010: (Old tux has tux2010 in its hosts file.) How it was done. Note: Passwords modified for this document. The real encrypted passwords can be obtained from the file /etc/shadow. Updating the old passwd might be a good idea. Even re-entering the old password on the new machine will cause the encryption in /etc/shadow will be different from old tux. Note: To remove a user and their files, run this command as root. userdel -r username (eg: userdel -r roland) Therefore, the following commands were used. Information for users roland and nashjc are here for reference only. useradd -c "Roland Renaud" -s /bin/bash -m -u 1020 -g users -p '$1$CYf/' roland useradd -c "John Nash" -s /bin/bash -m -u 1021 -g users -p '$1$mc/0' nashjc useradd -c "Lisa Lovchik" -s /bin/bash -m -u 1010 -g users -p '$1aU.' exexpat useradd -s /bin/bash -m -g users -c "Eric Brackenbury" -u 2007 -p '$1$G0' ericb useradd -s /bin/bash -m -g users -c "John Sebastien Taylor" -u 2008 -p '$1C1' johnsebastientaylor useradd -s /bin/bash -m -g users -c "Mike Kenzie" -u 2009 -p '$1$a1' kenziem useradd -s /bin/bash -m -g users -c "RichardGuyBriggs" -u 1002 -p '$1z' rgb Added to /etc/sudoers roland ALL=(ALL) ALL nashjc ALL=(ALL) ALL exexpat ALL=(ALL) ALL ericb ALL=(ALL) ALL kenziem ALL=(ALL) ALL rgb ALL=(ALL) ALL johnsebastientaylor ALL=(ALL) ALL Therefore, the file /etc/passwd contains the following lines: roland:x:1020:100:Roland Renaud:/home/roland:/bin/bash nashjc:x:1021:100:John Nash:/home/nashjc:/bin/bash ericb:x:2007:100:Eric Brackenbury:/home/ericb:/bin/bash johnsebastientaylor:x:2008:100:John Sebastien Taylor:/home/johnsebastientaylor:/bin/bash kenziem:x:2009:100:Mike Kenzie:/home/kenziem:/bin/bash rgb:x:1002:100:RichardGuyBriggs:/home/rgb:/bin/bash exexpat:x:1010:100:Lisa Lovchik:/home/exexpat:/bin/bash Installing ssh keys for each user: cd /home/username mkdir .ssh copy key from old tux chown -R username.users . Some script scraps. This was run on old tux. cd /home for f in ericb exexpat johnsebastientaylor kenziem do echo ---- $f ---- tar rvf /home/roland/k2.tar $f/.ssh/authorized_keys done root@tux% sh xx ---- ericb ---- ericb/.ssh/authorized_keys ---- exexpat ---- exexpat/.ssh/authorized_keys ---- johnsebastientaylor ---- tar: johnsebastientaylor/.ssh/authorized_keys: Cannot stat: No such file or directory tar: Error exit delayed from previous errors ---- kenziem ---- kenziem/.ssh/authorized_keys root@tux% chown roland.users ~/k2.tar Back to tux2010: root@tux2010% cd /home root@tux2010% tar tvf ~roland/k2.tar -rw-r--r-- ericb/ericb 391 2010-09-10 21:49 ericb/.ssh/authorized_keys -rw-r--r-- exexpat/exexpat 398 2010-10-05 15:03 exexpat/.ssh/authorized_keys -rw-r--r-- kenziem/kenziem 400 2010-08-20 00:33 kenziem/.ssh/authorized_keys root@tux2010% tar xvf ~roland/k2.tar ericb/.ssh/authorized_keys exexpat/.ssh/authorized_keys kenziem/.ssh/authorized_keys Hmmm, root ended up owning the .ssh directories. Fixing: cd /home chown -R ericb.users ericb chown -R exexpat.users exexpat chown -R kenziem.users kenziem Notes: - RGB has authorized_keys2 instead of authorized_keys. I copied this manually. He also has another key there. I'll let him take care of that. - JST will have to send us his public key if he wants to login. Note: Internet attacks start 65 minutes after machine is connected to net. Good thing we only accept ssh keys. Information from /var/log/auth.log. Dec 2 11:38:04 - Machine tux2010 was alive Dec 2 13:09:00 - machine connected to the network. Dec 2 13:12:31 - added account for user roland Dec 2 13:29:47 - added account for user nashjc Dec 2 14:14:11 tux2010 sshd[[:9825]]: Address 217.174.249.24 maps to mail.compushopdirect.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!