On the hosting machine
debootstrap wheezy /path/to/root http://debian.osuosl.org/debian/ mount --bind /dev /path/to/root/dev mount -t proc proc /path/to/root/proc mount -t sysfs sysfs /path/to/root/sys chroot /path/to/root /bin/bash
In the wheezy chroot
cat > /etc/apt/sources.list << EOF deb http://debian.osuosl.org/debian/ wheezy main non-free contrib deb http://security.debian.org/ wheezy/updates main non-free contrib EOF aptitude update dpkg-divert --local --rename --divert /sbin/start-stop-daemon.real --add /sbin/start-stop-daemon #!/bin/sh cat > /sbin/start-stop-daemon << EOF echo invoked fake start-stop-daemon... > /dev/stderr exit 0 EOF chmod a+x /sbin/start-stop-daemon # XXX: should probably set APT::Install-Recommends false here. aptitude dist-upgrade aptitude install `tasksel --task-packages standard` dpkg-reconfigure locales
cp -a /usr/share/zoneinfo/America/New_York /etc/localtime
aptitude install linux-image-3.2.0-4-amd64
# pulls in:
# busybox{a} firmware-linux-free{a} initramfs-tools{a} klibc-utils{a}
# libklibc{a} libuuid-perl{a} linux-base{a} linux-image-3.2.0-4-amd64
aptitude install openssh-server
# Fix /etc/hostname and /etc/hosts
# Setup /etc/network/interfaces
# Check /etc/resolv.conf
cat > /etc/fstab << EOF
/dev/xvda1 / ext4 rw,noatime,errors=remount-ro 0 1
/dev/xvda2 swap swap sw 0 0
EOF
# Add "H0:2345:respawn:/sbin/getty 38400 hvc0" to /etc/inittab.
rm /sbin/start-stop-daemon
dpkg-divert --rename --remove /sbin/start-stop-daemon
passwd root
PAM
It looks like we only need a few minor tweaks to make the Debian settings work.
sed -i 's/\(pam_krb5.so.*minimum_uid\)=1000/\)=110/' /etc/pam.d/*
/etc/pam.d/common-account:
Add:
account sufficient pam_krb5.so minimum_uid=110
before
# here are the per-package modules (the "Primary" block)
/etc/pam.d/ssh:
Replace:
# Standard Un*x authorization. @include common-account
with
account required pam_unix.so broken_shadow
Discussion
pam_krb5.so—"account" only works after "auth"
- caused an issue with sshd if user is marked as shadowed in /etc/passwd (password field is "x")
- ssh runs "account" before "auth", so pam_krb5.so would return PAM_IGNORE; pam_unix.so would fail due to missing shadow entry
- solution is to use the broken_shadow arg on pm_unix.so for ssh only
- will never succeed without an "auth" phase
- this also means having it as "sufficient" for atd/cron does not allow users without shadow entries to run atd/cron jobs (assuming "x" in /etc/passwd)
- caused an issue with sshd if user is marked as shadowed in /etc/passwd (password field is "x")
- pam_afs_session.so
- will silently succeed if AFS is not running
- so, it's not necessary to explicitly disable it for non-AFS machines