Diffstat (limited to 'doc/george')
-rw-r--r-- | doc/george/changelog | 83
-rw-r--r-- | doc/george/host-key-publication | 28
-rw-r--r-- | doc/george/policy | 33
-rw-r--r-- | doc/george/user-id-configuration | 40
4 files changed, 184 insertions, 0 deletions
diff --git a/doc/george/changelog b/doc/george/changelog new file mode 100644 index 0000000..aefbf7f --- /dev/null +++ b/doc/george/changelog 
@@ -0,0 +1,83 @@ +****************************************************************************** +* * +* george system log * +* * +****************************************************************************** +* Please add new entries in reverse chronological order whenever you make * +* changes to this system * +****************************************************************************** + +2008-06-22 - dkg + * installed screen (mjgoins and i were collaborating) + +2008-06-21 - micah + * Restored /etc/init.d/ssh to original package state and changed + /etc/default/ssh to have 'unset SSHD_OOM_ADJUST' instead. + +2008-06-20 - micah + * Commented out the 'export SSHD_OOM_ADJUST=-17' from the + /etc/init.d/ssh initscript, and the 'SSHD_OOM_ADJUST=-17' from + /etc/default/ssh in order to make this error go away: + "error writing /proc/self/oom_adj: Operation not permitted" + (c.f. Debian #487325) + +2008-06-20 - dkg + * touched /etc/environment to get rid of some spurious auth.log + entries. + * turned up sshd's LogLevel from INFO to DEBUG + +2008-06-19 - dkg + * installed rsync (for maintaining a public apt repo) + + * configured mathopd to listen on port 80, serving /srv/www as / + and /srv/apt as /debian. We've got nothing in /srv/www at the + moment, though. + + * installed lsof and psmisc as sysadmin utilities. sorry for the + bloat! + + * installed strace to try to figure out why onak is segfaulting. + +2008-06-19 - dkg + * removed etch sources, switched "testing" to "lenny", added + lenny/updates, removed all contrib and non-free. + + * removed testing pin in /etc/apt/preferences + * ran the upgrade + + * reset emacs22 to emacs22-nox (avoiding dependencies) + + * removed sysklog and klogd because of errors restarting klogd. 
+ Installed syslog-ng in their stead, which still gives errors + related to /proc/kmsg unreadability, but the install completes :/ + + * added experimental + * juggled pinning: experimental: 1, unstable: 2 + * added mathopd onak, tweaked /etc/mathopd.conf and /etc/onak.conf + + * installed monkeysphere v0.1-1, changed host key, published + them via the local keyserver (see host-key-publication) + + * added local unprivileged user accounts for everyone listed in + /usr/share/doc/monkeysphere/copyright + + * configured authorized_user_ids for every user account based on + my best guess at their OpenPGP User ID (see + user-id-configuration). + + * set up a cronjob (in /etc/crontab) to run "monkeysphere-server + update-users" at 26 minutes past the hour. + +2008-06-18 - jrollins + * installed less, emacs; + * aptitude update && aptitude dist-upgrade + +2008-06-18 - micah + * debootstrap'd debian etch install + * installed /etc/apt/sources.list with local proxy sources for etch, + testing, unstable, backports and volatile + * configured /etc/apt/preferences and apt.conf.d/local-conf to + pin etch, but make testing, sid and backports available + * added backports.org apt-key + * installed openssh-server and openssh-client packages + * added dkg, jrollins, mjgoins ssh public_keys to /root/.ssh/authorized_keys diff --git a/doc/george/host-key-publication b/doc/george/host-key-publication new file mode 100644 index 0000000..03e2510 --- /dev/null +++ b/doc/george/host-key-publication 
@@ -0,0 +1,28 @@ +2008-06-19 02:34:57-0400 +------------------------ + +Adding george's host key to the monkeysphere was more complicated than +it needed to be. + +As the server admin, i did (accepting the defaults where possible): + + monkeysphere-server gen-key + KEYID=$(GNUPGHOME=/etc/monkeysphere/gnupg gpg --with-colons --list-key =ssh://$(hostname --fqdn) | grep ^pub: | cut -f5 -d:) + (umask 077 && GNUPGHOME=/etc/monkeysphere/gnupg gpg --export-secret-key $KEYID | openpgp2ssh $KEYID >/etc/monkeysphere/ssh_host_rsa_key) + # modify /etc/ssh/sshd_config to remove old host keys lines, and + # add new line: HostKey /etc/monkeysphere/ssh_host_rsa_key + /etc/init.d/ssh restart + + KEYSERVER=george.riseup.net monkeysphere-server publish-key + # (needed to publish by hand here because of reasonable sanity checks) + monkeysphere-server show-fingerprint + + # then from a remote host: + gpg --keyserver george.riseup.net --search =ssh://george.riseup.net + gpg --fingerprint --sign-key =ssh://george.riseup.net + KEYID=$(gpg --with-colons --list-key =ssh://george.riseup.net | grep ^pub: | cut -f5 -d:) + gpg --keyserver george.riseup.net --send "$KEYID" + gpg --keyserver george.riseup.net --send "$MYGPGID" + + +How could this have been streamlined? diff --git a/doc/george/policy b/doc/george/policy new file mode 100644 index 0000000..a17a310 --- /dev/null +++ b/doc/george/policy 
@@ -0,0 +1,33 @@ +Policy for maintaining george.riseup.net +---------------------------------------- + +Riseup graciously provided the MonkeySphere project with a vserver for +testing and public documentation. This is known as george.riseup.net, +for those who are curious about the MonkeySphere. + +george will be maintained as a debian lenny machine, with minimal +packages from experimental as needed for installing and running what +we build elsewhere. + +george will host 3 public-facing services: an ssh daemon on port 22, +an http service on port 80, and an OpenPGP keyserver (the HKP +protocol) on port 11371. + +Administration of george is a shared responsibility across the core +members of the MonkeySphere development team. Administrators will log +changes in their git repositories, in doc/george/changelog (a peer of +this policy file). + +monkeysphere packages installed on george will use unique, tagged +version numbers so we know what we're running. + +We will try to keep the installation as minimal as possible while +still allowing for comfortable day-to-day administration. + +We will use aptitude for package management where possible. + +Outstanding questions: + +Who should have superuser access? + +Who should get regular user accounts? diff --git a/doc/george/user-id-configuration b/doc/george/user-id-configuration new file mode 100644 index 0000000..9a7f4d2 --- /dev/null +++ b/doc/george/user-id-configuration 
@@ -0,0 +1,40 @@ +2008-06-19 03:00:58-0400 +------------------------ + +setting up authorized_user_id configuration on george was also more +cumbersome than it needs to be. Here's what i (dkg) did: + +monkeysphere-server trust-keys 0EE5BE979282D80B9F7540F1CCD2ED94D21739E9 + +monkeysphere-server update-user-userids dkg 'Daniel Kahn Gillmor <dkg@fifthhorseman.net>' +monkeysphere-server update-user-userids jrollins 'Jameson Rollins <jrollins@fifthhorseman.net>' +monkeysphere-server update-user-userids micah 'Micah Anderson <micah@riseup.net>' +monkeysphere-server update-user-userids mjgoins 'Matthew Goins <mjgoins@openflows.com>' +monkeysphere-server update-user-userids ross 'Ross Glover <ross@ross.mayfirst.org>' +monkeysphere-server update-user-userids jamie 'Jamie McClelland <jamie@mayfirst.org>' +monkeysphere-server update-user-userids mlcastle 'mike castleman <m@mlcastle.net>' +monkeysphere-server update-user-userids enw 'Elliot Winard <enw@caveteen.com>' +monkeysphere-server update-user-userids greg 'Greg Lyle <greg@stealthisemail.com>' + + +then i added a scheduled: + + monkeysphere-server update-users + +to run hourly via /etc/crontab + +and made sure that root's keys were working with a temporary symlink +(see TODO about that business) + +and then modified /etc/ssh/sshd_config with: + + AuthorizedKeysFile /var/cache/monkeysphere/authorized_keys/%u + + +Some outstanding questions: + + * Should we ship a scheduled monkeysphere-server update-users cron + job automatically? + + * why was i not prompted to confirm the trust-keys line, which seems + like the most delicate/sensitive line of all of them? |
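Review bot: the 2008-06-20 entry "turned up sshd's LogLevel from INFO to DEBUG" in doc/george/changelog records no intent to revert it; sshd_config(5) says that DEBUG-level logging violates the privacy of users and is not recommended, so either mark it as a temporary diagnostic setting (and add the entry that turns it back down) or use VERBOSE, which still records the fingerprint of the key used for each login and is what the cron-driven key rotation on this box will need for auditing.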
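Review bot: the remote-host steps in doc/george/host-key-publication sign the fetched key (`gpg --fingerprint --sign-key =ssh://george.riseup.net`) without stating that the printed fingerprint was compared against the output of `monkeysphere-server show-fingerprint` obtained over a trusted channel; because the key is fetched from george's own keyserver, that comparison is the only thing that binds the signature to the real host, so add an explicit "compare fingerprint with show-fingerprint output" line between the `--search` and `--sign-key` steps. `$MYGPGID` in the final `--send` is also never defined in the listing; say that it is the signer's own key ID.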
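Review bot: "Administrators will log changes in their git repositories, in doc/george/changelog" in doc/george/policy does not say which repository is canonical for the changelog, so two admins' copies can drift; name the authoritative repository. The open question "Who should have superuser access?" is already partly answered by the changelog's 2008-06-18 entry adding dkg, jrollins and mjgoins to /root/.ssh/authorized_keys; record the current state here so the policy and the machine agree.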
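Review bot: the `monkeysphere-server trust-keys` line in doc/george/user-id-configuration gives a bare fingerprint with no note of whose key it is or how it was verified, and the file's own last question identifies this as the most sensitive step; put the key owner's name next to it and say where the fingerprint was checked. The `AuthorizedKeysFile /var/cache/monkeysphere/authorized_keys/%u` line replaces the default ~/.ssh/authorized_keys location rather than adding to it, so root's access now depends entirely on the "temporary symlink" that is only referenced through a TODO; spell out what it links to and what the fallback is, since a failed `update-users` run would otherwise lock the admins out.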