Initial Server Setup with deprec
The first thing I do when handed a new server is change the password for the account I was given, set up any new accounts required (including their SSH keys) and disable password-based SSH login. The following tasks simplify this process.
Assume I've been given an IP address and root password by my VPS provider. I add an entry to my DNS; in this example the hostname is 'sh03.deprecated.org'. As 'deprecated.org' is in the DNS search path on all my servers (and workstations), I can address the host as 'sh03'. My fingers have a finite number of keystrokes left!
I then run the following tasks using Capistrano and deprec.
# Cheatsheet
mkdir ~/work/sys
cd ~/work/sys
export HOSTS=sh03
cap deprec:users:passwd USER=root
cap deprec:users:add USER=root
cap deprec:ssh:setup_keys
cap deprec:ssh:config_gen
cap deprec:ssh:config
unset HOSTS
Change working directory to somewhere you can store ssh configs
deprec generates configuration files and stores them on your workstation under config/service_name, then copies them to the server. You could keep them with a particular project; however, system-level services should generally have the same config on all servers, so it helps to have one place to store them. I keep mine in ~/work/sys.
test -d ~/work/sys || mkdir ~/work/sys
cd ~/work/sys
Define the list of servers to work on.
This saves you typing HOSTS=... on each command, but you must remember to 'unset HOSTS' when you're finished, or your Capistrano commands will be restricted to running on this host. If you don't trust your memory, add HOSTS=<server_name> to the end of each command instead.
export HOSTS=sh03
Change the root password
I tell Capistrano to connect as root as it's the only account I have details for.
cap deprec:users:passwd USER=root
Enter user to change password for |root|
Enter new password for root
Password:
Create an account for myself
I believe everyone should use their own account for ease of use, accountability and security. No logging in as root or deploy!
cap deprec:users:add USER=root
Enter userid for new user |root| mbailey
Should this be an admin account? |no| yes
Enter new password for mbailey
Password:
Admin accounts have sudo set up for them.
There is one more prompt after the password, and it is the interesting one: if deprec finds a file called config/ssh/authorized_keys/mbailey, it offers to set up SSH key access for the new account. I can now log in with "ssh sh03" without being prompted for a password.
From now on I don't need to add 'USER=root', as I can use my own account.
Copy my SSH public key to the server
If you're not using SSH keys, you're typing too many passwords!
cap deprec:ssh:setup_keys
Setup keys for which user? |mbailey|
Configure SSH
Now that my SSH key is set up, I can disallow password-based SSH access. This is an easy way to reduce the risk of system compromise. Before running the next step, confirm from a second terminal that "ssh sh03" gets you in without a password prompt, and keep your existing session open until the new config is verified: if the key isn't actually installed, turning passwords off locks you out.
cap deprec:ssh:config_gen
cap deprec:ssh:config
You should now find the following under the config directory:
config
`-- ssh
|-- authorized_keys
`-- etc
`-- ssh
|-- ssh_config
`-- sshd_config
The deprec:users:add task looks in the authorized_keys directory for an SSH public key with the same name as the user being created. If it finds one, it asks whether you want the file copied out. So in a team environment, drop your colleagues' public keys into this directory (renamed accordingly) and you can provide a polished service when creating their accounts. (Password access will be turned off, so you'll need to do this anyway!)
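To make the "keys first, then passwords off" ordering concrete, here is an added shell example. It is not part of deprec or of the original post; it works on a local copy of sshd_config rather than on the live server, and it assumes deprec's generated sshd_config uses the standard OpenSSH directive names PasswordAuthentication and ChallengeResponseAuthentication. It refuses to turn passwords off until a public key is actually present in the authorized_keys file you point it at, and it rewrites any existing line for a directive instead of appending a second one, because sshd honours the first uncommented occurrence of a keyword.

```shell
#!/bin/sh
# Added example, not deprec's code. Hardens a COPY of sshd_config the way the
# deprec:ssh:config step is used for above: passwords off, but only once a
# public key is installed. File paths are parameters so you can try it on a
# scratch copy; the directive names are the standard OpenSSH ones and are an
# assumption about what deprec's generated config contains.

# set_directive FILE KEY VALUE
# Rewrite every line that sets KEY (commented or not) to "KEY VALUE", and
# append the directive if FILE never mentioned it. sshd uses the first
# uncommented occurrence of a keyword, so leaving an earlier "yes" in place
# would silently win over an appended "no".
set_directive() {
    file=$1; key=$2; value=$3
    pat="^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)"
    if grep -Eq "$pat" "$file"; then
        awk -v k="$key" -v v="$value" '
            $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") { print k " " v; next }
            { print }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_value FILE KEY
# Print the value sshd would actually use for KEY: the first uncommented
# occurrence, or "yes", which is the OpenSSH default for both directives
# touched here.
effective_value() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${v:-yes}"
}

# disable_password_auth SSHD_CONFIG AUTHORIZED_KEYS
# Turn password logins off in SSHD_CONFIG. Returns 1 and changes nothing if
# AUTHORIZED_KEYS holds no public key, because that is the lockout case.
disable_password_auth() {
    cfg=$1; keys=$2
    if ! grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)' "$keys" 2>/dev/null; then
        echo "refusing to disable passwords: no public key in $keys" >&2
        return 1
    fi
    set_directive "$cfg" PasswordAuthentication no
    # With UsePAM, keyboard-interactive auth is a second way to type a
    # password; close it too. Newer OpenSSH calls this directive
    # KbdInteractiveAuthentication and still accepts the old name.
    set_directive "$cfg" ChallengeResponseAuthentication no
}

# Usage on a scratch copy (don't point this straight at /etc/ssh on a box
# you only have one session to):
#   cp /etc/ssh/sshd_config /tmp/sshd_config
#   disable_password_auth /tmp/sshd_config ~/.ssh/authorized_keys
#   effective_value /tmp/sshd_config PasswordAuthentication   # prints "no"
```

The refusal check is the part worth copying into your own tooling: the same mistake deprec's prompt ordering guards against (passwords off before a key is in place) is easy to make by hand, and a check that reads the authorized_keys file costs nothing.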
Stop restricting our commands to this host.
As mentioned at the start, forgetting this step can cause you grief.
unset HOSTS
