@alecthegeek
Last active March 9, 2017 22:41
Setup packages and improve security on PocketCHIP
#!/bin/bash
# Set up my PocketCHIP (Debian Linux)
# NB It's recommended you set up ssh key auth before running this script
# Extra tools -- edit this to suit what you want on your CHIP
OPTIONAL_PACKAGES="vim-gtk git build-essential python-serial arduino arduino-mk"
# Update
# 1st lets fix an occasional but obscure problem during upgrade
sudo rm -rf /var/lib/apt/lists/*
sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y
# Need some tools
sudo apt-get install -y locales silversearcher-ag openssh-server $OPTIONAL_PACKAGES
# Clean up
sudo apt-get autoremove -y
sudo apt-get autoclean
# Let's configure international settings 1st
sudo dpkg-reconfigure locales
sudo dpkg-reconfigure tzdata
# Security set-up
# Note: do not run `sudo usermod -s /usr/sbin/nologin root` as it disables `sudo -i`
# Lock root account
sudo passwd -l root
# and let's be paranoid and disable root login via ssh as well
sudo sed -ri -e 's/^[# ]*PermitRootLogin.*$/PermitRootLogin no/' /etc/ssh/sshd_config
# Now let's fix the username and password defaults
echo
echo For security purposes you should now change the default password on your CHIP
echo
passwd < /dev/tty
echo
# Change the default user name
echo You should now change the default user name on your chip -- Feel free to use your own name
echo Note: Must be a single word, lower case recommended
echo
read -rp "Please enter the new user name " NEW_USER < /dev/tty
# Make all these changes under a single sudo session -- must be all done at once
cat <<'EOF' | sudo bash -s "$USER" "$NEW_USER" "$HOME"
# $1 = current user name, $2 = new user name, $3 = current home directory
for i in /etc/group /etc/passwd /etc/sudoers /etc/shadow ; do
sed -ri -e "/\b$1\b/s/\b$1\b/$2/g" "$i"
done
# Not currently needed (Dec/16) but will probably come in a future release
if [[ -f /etc/sudoers.d/010_${1}-nopasswd ]] ; then
mv "/etc/sudoers.d/010_${1}-nopasswd" "/etc/sudoers.d/010_${2}-nopasswd"
sed -ri -e "/\b$1\b/s/\b$1\b/$2/g" "/etc/sudoers.d/010_${2}-nopasswd"
fi
# Rename home directory
mv "$3" "/home/$2"
# There are a few config files with the default username hard coded
sed -ri -e "/User=$1/s//User=$2/" $(ag -l "User=$1" /etc/)
sed -ri -e "/autologin-user=$1/s//autologin-user=$2/" /etc/lightdm/lightdm.conf
EOF
# Networking changes
# Change the hostname
echo
echo We are now going to change the default hostname on your CHIP. Please enter a single word that only contains
echo lower case letters, numbers and \"-\". It must start with a lower case letter.
echo
read -rp "Please enter the new host name " NEW_HOSTNAME < /dev/tty
cat <<'EOF' | sudo bash -s "$NEW_HOSTNAME"
# Must do this 1st
sed -i -re 's/^(..*)'"$(hostname)"'(.*)$/\1'"$1"'\2/' /etc/hosts
hostname "$1"
echo "$1" > /etc/hostname
invoke-rc.d hostname.sh start
invoke-rc.d networking force-reload
invoke-rc.d avahi-daemon force-reload
systemctl daemon-reload
EOF
echo
cat <<'EOF'
If you have installed a public ssh key on your CHIP you can now disable password access
Before answering yes to the next question please make sure you have installed the key correctly
and can successfully login using the ssh key (i.e. you are not prompted for a password). If
you say yes to the next question and don't have a working ssh key you will need to reflash your CHIP.
Note: You can "hop over" to another terminal session to install and test the key now if you want.
EOF
echo
read -rp "Please confirm you have installed your ssh public key on the PocketCHIP [N/y]? " < /dev/tty
echo
if [[ "$REPLY" =~ ^[Yy]$ ]] ; then
# Disable password access via ssh. You should have installed an ssh public key 1st!
sudo sed -ri -e 's/^[# ]*PasswordAuthentication.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
echo You can now access this device as $NEW_USER@$(hostname).local using ssh keys only
else
echo You can now access this device as $NEW_USER@$(hostname).local using your new password
fi
sudo service sshd restart
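
The `sed` edits to `/etc/ssh/sshd_config` in the script above only rewrite a `PermitRootLogin` or `PasswordAuthentication` line that already exists (active or commented out); if the line is missing, nothing is written and the script still reports key-only access. The following is an added example, not part of the gist: the hypothetical helpers `effective_sshd_option` and `set_sshd_option` add the directive when it is absent and confirm the value in effect, relying on sshd using the first value it finds for a keyword. The sample config in `demo` is constructed.

```bash
#!/bin/bash
# Added example, not part of the gist. Function names are hypothetical.

# Print the value sshd uses for KEY in the global section of FILE: the
# first active (uncommented) occurrence before any Match block.
effective_sshd_option() {   # usage: effective_sshd_option FILE KEY
  awk -v key="$2" '
    tolower($1) == "match"      { exit }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# Set KEY to VALUE in FILE. Existing lines are rewritten the way the gist's
# sed does it; if that leaves no effective global setting, the directive is
# put on the first line. Returns non-zero unless VALUE is now in effect.
set_sshd_option() {         # usage: set_sshd_option FILE KEY VALUE
  local file=$1 key=$2 value=$3 tmp
  sed -ri -e "s/^[# ]*${key}[[:space:]].*\$/${key} ${value}/" "$file"
  if [ "$(effective_sshd_option "$file" "$key")" != "$value" ]; then
    tmp=$(mktemp) || return 1
    { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$tmp" &&
      cat "$tmp" > "$file"      # keeps the owner and mode of FILE
    rm -f "$tmp"
  fi
  [ "$(effective_sshd_option "$file" "$key")" = "$value" ]
}

# Constructed sample: PasswordAuthentication is only present as a comment,
# and PermitRootLogin appears only inside a Match block.
demo() {
  local cfg
  cfg=$(mktemp) || return 1
  printf '%s\n' 'Port 22' '#PasswordAuthentication yes' \
    'Match User backup' '  PermitRootLogin yes' > "$cfg"
  set_sshd_option "$cfg" PasswordAuthentication no &&
    set_sshd_option "$cfg" PermitRootLogin no &&
    cat "$cfg"
  local rc=$?
  rm -f "$cfg"
  return $rc
}

demo
```

Against the real file, run the helper as root and check the result with `sshd -t` before restarting the service.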