From: Matt Birkholz Date: Tue, 27 Feb 2024 00:36:30 +0000 (-0700) Subject: Add instructions for installing the host key on Front. X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=85ac7d9fa87d4dbc53b2beee97720025a3f83981;p=Institute Add instructions for installing the host key on Front. --- diff --git a/README.org b/README.org index 821d9fd..c19feb2 100644 --- a/README.org +++ b/README.org @@ -978,6 +978,24 @@ file, copied it to the droplet, and installed it as the : notebook$ rm admin_keys : notebook$ +The Ansible configuration expects certain host keys on the new front. +The administrator should install them now, and deal with the machine's +change of SSH identity. The following commands copied the host keys +in =Secret/ssh_front/= to the droplet and restarted the SSH server. + +: notebook$ scp Secret/ssh_front/etc/ssh/ssh_host_* sysadm@159.65.75.60: +: notebook$ ssh sysadm@159.65.75.60 +: sysadm@ubuntu$ chmod 600 ssh_host_* +: sysadm@ubuntu$ chmod 644 ssh_host_*.pub +: sysadm@ubuntu$ sudo cp -b ssh_host_* /etc/ssh/ +: sysadm@ubuntu$ sudo systemctl restart ssh +: sysadm@ubuntu$ logout +: notebook$ ssh-keygen -f ~/.ssh/known_hosts -R 159.65.75.60 + +The last command removes the old host key from the administrator's +=known_hosts= file. The next SSH connection should ask to confirm the +new host identity. + The administrator then tested the password-less ssh login as well as the privilege escalation command. 
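Review bot: The install sequence in this hunk leaves two extra copies of the private host keys behind: the ~scp~ drops them in ~sysadm~'s home directory and they are never removed, and ~sudo cp -b ssh_host_* /etc/ssh/~ keeps the droplet's old private keys as ~/etc/ssh/ssh_host_*~~ backups. Add ~rm ssh_host_*~ before the ~logout~, and say to delete the ~*~~ backups once the new identity has been confirmed, so the only private host keys on Front are the ones in =Secret/=. The closing paragraph also tells the administrator to "confirm the new host identity" but not how: the fingerprint shown at the next connection should be compared against the output of ~ssh-keygen -lf~ run on each =.pub= file in =Secret/ssh_front/etc/ssh/=, otherwise the confirmation is a blind trust-on-first-use.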
@@ -7093,7 +7111,31 @@ each machine). ( cd; umask 077; mkdir .ssh; cp admin_key .ssh/authorized_keys ) #+END_SRC -** The Test Ansible Configuration +The ~front~ machine needs a little additional preparation. Ansible +will configure ~front~ with the host keys in =Secret/=. These should +be installed there now so that ~front~ does not appear to change +identities while Ansible is configuring. + +First, the host keys are securely copied to ~front~ with the following +command. + +#+BEGIN_SRC sh +scp Secret/ssh_front/etc/ssh/ssh_host_* sysadm@192.168.57.3: +#+END_SRC + +Then they are installed with these commands. + +#+BEGIN_SRC sh +chmod 600 ssh_host_* +chmod 644 ssh_host_*.pub +sudo cp -b ssh_host_* /etc/ssh/ +#+END_SRC + +Finally, the system administrator removes the old identity of ~front~. + +: ssh-keygen -f ~/.ssh/known_hosts -R 192.168.57.3 + +** Configure Test Machines At this point the three test machines ~core~, ~gate~, and ~front~ are running fresh Debian systems with select additional packages, on their @@ -7101,8 +7143,6 @@ final networks, with a privileged account named ~sysadm~ that authorizes password-less access from the administrator's notebook, ready to be configured by Ansible. -** Configure Test Machines - To configure the test machines, the ~./inst config~ command is executed and ~core~ restarted. Note that this first run should exercise all of the handlers, /and/ that subsequent runs probably /do
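Review bot: The second ~#+BEGIN_SRC sh~ block (the ~chmod~/~cp -b~ steps) omits the ~sudo systemctl restart ssh~ that the Front instructions in the first hunk include, so the test ~front~ keeps presenting its old host key until sshd is restarted, and the following ~ssh-keygen -f ~/.ssh/known_hosts -R 192.168.57.3~ then removes a =known_hosts= entry that still matches the running daemon. Add the restart to that block, and note that the block is run on ~front~ after logging in as ~sysadm~, since the text never says so. As in the first hunk, the copied private keys stay in ~sysadm~'s home and the old keys survive as ~/etc/ssh/ssh_host_*~~ backups; a ~rm ssh_host_*~ and a cleanup of the backups belong here too. Minor style point: the final ~ssh-keygen -R~ line uses the ~: ~ literal form while the two blocks before it use ~#+BEGIN_SRC sh~; one convention within the step would read better.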