User data script to join an Ubuntu 16.04 EC2 instance to an Active Directory domain
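#!/bin/bash
# EC2 user-data: join an Ubuntu 16.04 instance to an Active Directory domain
# with realmd/sssd and let sshd fetch users' public keys from the sshPublicKey
# attribute in AD.
#
# Required parameters (fill in below): DOMAIN_CONTROLLER, DOMAIN_CONTROLLER_IP,
# AD_HOST (the AD domain name; upper-cased it is the Kerberos realm), BASE_DN,
# S3_BUCKET. Optional: SEARCH_DOMAINS and the keytab/principal overrides.
#
# Side effects: upgrades packages, sets the hostname to the instance id,
# rewrites /etc/ntp.conf, /etc/realmd.conf and /etc/ssh/sshd_config, appends to
# /etc/hosts, /etc/pam.d/common-session and /etc/dhcp/dhclient.conf, installs
# /opt/ldapsshkey/* and /etc/sudoers.d/devops, and joins the domain.
set -euxo pipefail
export DEBIAN_FRONTEND=noninteractive   # keep every apt-get run prompt-free, not just one

# ---- parameters ------------------------------------------------------------
DOMAIN_CONTROLLER=
DOMAIN_CONTROLLER_IP=
AD_HOST=
BASE_DN=
S3_BUCKET=
# separate domains with a space (may be left empty)
SEARCH_DOMAINS=
# Credentials used ONLY for the one-off realm join; the keytab is removed from
# the host once the join succeeds.
JOIN_PRINCIPAL=Administrator
JOIN_KEYTAB_KEY=Administrator.keytab
# Credentials used by sshd's AuthorizedKeysCommand on every login to read
# sshPublicKey from AD. They stay on the host, readable by the lookup user, so
# they SHOULD belong to a dedicated read-only AD service account. The defaults
# reproduce the original gist (the domain Administrator keytab) — change them.
LOOKUP_PRINCIPAL=Administrator
LOOKUP_KEYTAB_KEY=Administrator.keytab
# DO NOT CHANGE ANYTHING BELOW THIS LINE

# Refuse to run with blank parameters: they would otherwise be written into
# /etc/hosts, krb5.conf, ntp.conf and the sshd key lookup as empty strings.
for v in DOMAIN_CONTROLLER DOMAIN_CONTROLLER_IP AD_HOST BASE_DN S3_BUCKET \
         JOIN_PRINCIPAL JOIN_KEYTAB_KEY LOOKUP_PRINCIPAL LOOKUP_KEYTAB_KEY; do
  [[ -n "${!v}" ]] || { printf 'user-data: %s must be set\n' "$v" >&2; exit 1; }
done
REALM="${AD_HOST^^}"                     # Kerberos realm names are upper-case
JOIN_KEYTAB="/etc/${JOIN_PRINCIPAL}.keytab"
LOOKUP_USER=ldapsshkey                   # dedicated AuthorizedKeysCommandUser
LOOKUP_DIR=/opt/ldapsshkey
LOOKUP_KEYTAB="${LOOKUP_DIR}/lookup.keytab"
IMDS=http://169.254.169.254/latest

# ---- packages --------------------------------------------------------------
apt-get update
apt-get -y upgrade
# ldap-utils provides ldapsearch for the key lookup (it was not in the original
# package list); curl is used for the metadata service.
apt-get -y install realmd sssd sssd-tools samba-common krb5-user packagekit \
  samba-common-bin samba-libs adcli ntp zsh ldap-utils awscli curl

# ---- hostname from instance metadata ---------------------------------------
# IMDSv2: the session token is mandatory where IMDSv1 is disabled and it closes
# the classic SSRF route to the metadata service. Tracing is paused so the
# token is not written to cloud-init-output.log.
set +x
imds_token=$(curl -sf -X PUT "${IMDS}/api/token" \
  -H 'X-aws-ec2-metadata-token-ttl-seconds: 300')
EC2_INSTANCE_ID=$(curl -sf -H "X-aws-ec2-metadata-token: ${imds_token}" \
  "${IMDS}/meta-data/instance-id")
set -x
# The id becomes the hostname and the AD computer name; make sure it is one.
[[ "$EC2_INSTANCE_ID" =~ ^i-[0-9a-f]+$ ]] || { printf 'bad instance id: %q\n' "$EC2_INSTANCE_ID" >&2; exit 1; }
printf '%s\n' "$EC2_INSTANCE_ID" > /etc/hostname   # persist; the original only set it live
hostname "$EC2_INSTANCE_ID"
# NOTE(review): cloud-init may reset the hostname on later boots unless
# preserve_hostname is set, and instance ids are longer than the 15-character
# NetBIOS limit, so the computer-account name AD ends up with may be truncated
# — confirm both for your deployment.

# ---- name resolution for the DC and the domain -----------------------------
printf '%s %s\n%s %s\n' "$DOMAIN_CONTROLLER_IP" "$DOMAIN_CONTROLLER" \
  "$DOMAIN_CONTROLLER_IP" "$AD_HOST" >> /etc/hosts
# NOTE(review): /etc/hosts does not tell Kerberos or sssd where the KDC is; the
# kinit and realm join below still depend on DNS SRV records for the domain
# (e.g. VPC DHCP options pointing at the AD DNS servers) — confirm for your VPC.

# ---- kerberos --------------------------------------------------------------
# Replace the default_realm line wherever it is instead of assuming it is
# line 2 of krb5.conf, and fail loudly if no such line exists.
sed -i -E "s|^([[:space:]]*default_realm[[:space:]]*=).*|\1 ${REALM}|" /etc/krb5.conf
grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*${REALM}"'[[:space:]]*$' /etc/krb5.conf

# ---- ntp against the domain controller ------------------------------------
# Kerberos tolerates only a few minutes of clock skew, so sync with the DC.
cat > /etc/ntp.conf <<EOM
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
server ${DOMAIN_CONTROLLER}
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
restrict source notrap nomodify noquery
EOM
service ntp restart

# ---- realmd ----------------------------------------------------------------
cat > /etc/realmd.conf <<EOM
# /etc/realmd.conf
[users]
default-home = /home/%D/%U
default-shell = /usr/bin/zsh
[active-directory]
default-client = sssd
os-name = Ubuntu Desktop Linux
os-version = 16.04
[service]
automatic-install = no
[${AD_HOST}]
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = yes
EOM

# ---- domain join -----------------------------------------------------------
# The join keytab is fetched under umask 077 so it is never world-readable
# (the awscli would otherwise create it 0644), used once, then destroyed.
(umask 077 && aws s3api get-object --bucket "$S3_BUCKET" --key "$JOIN_KEYTAB_KEY" "$JOIN_KEYTAB" >/dev/null)
chown root:root "$JOIN_KEYTAB"
chmod 0400 "$JOIN_KEYTAB"
kinit -k -t "$JOIN_KEYTAB" "${JOIN_PRINCIPAL}@${REALM}"
# --unattended makes realm use the ticket cache obtained above.
# NOTE(review): --user-principal sets the userPrincipalName of the *computer*
# account (realm(8)), not the joining user; the "/Administrator" suffix is kept
# from the original but looks accidental — confirm it is intended.
realm join "$AD_HOST" --user-principal="${EC2_INSTANCE_ID}/${JOIN_PRINCIPAL}@${REALM}" --unattended
kdestroy                                 # drop the admin TGT from root's cache
shred -u "$JOIN_KEYTAB"                  # the domain-admin keytab must not stay on the host

# ---- home directories on first login --------------------------------------
grep -q pam_mkhomedir /etc/pam.d/common-session || \
  printf 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0077\n' >> /etc/pam.d/common-session

# ---- ssh public-key lookup in AD -------------------------------------------
# The lookup runs as a dedicated login-less user instead of "nobody" (which
# other services share), and its keytab is readable by that user only; the
# original left the Administrator keytab world-readable so nobody could use it.
getent passwd "$LOOKUP_USER" >/dev/null || \
  useradd --system --no-create-home --home-dir /nonexistent --shell /usr/sbin/nologin --user-group "$LOOKUP_USER"
mkdir -p "$LOOKUP_DIR"
chown root:root "$LOOKUP_DIR"
chmod 0755 "$LOOKUP_DIR"                 # sshd requires root-owned, non-writable path components
(umask 077 && aws s3api get-object --bucket "$S3_BUCKET" --key "$LOOKUP_KEYTAB_KEY" "$LOOKUP_KEYTAB" >/dev/null)
chown "root:${LOOKUP_USER}" "$LOOKUP_KEYTAB"
chmod 0440 "$LOOKUP_KEYTAB"
# Settings file read by the lookup script; %q quotes each value safely for sourcing.
{
  printf '# generated by the EC2 user-data script; sourced by ldapsshkey.sh\n'
  printf 'LDAP_HOST=%q\n' "$AD_HOST"
  printf 'LDAP_BASE_DN=%q\n' "$BASE_DN"
  printf 'LOOKUP_PRINCIPAL=%q\n' "${LOOKUP_PRINCIPAL}@${REALM}"
  printf 'LOOKUP_KEYTAB=%q\n' "$LOOKUP_KEYTAB"
} > "${LOOKUP_DIR}/ldapsshkey.conf"
chmod 0644 "${LOOKUP_DIR}/ldapsshkey.conf"
# Quoted heredoc: nothing below is expanded here; it is the lookup script itself.
cat > "${LOOKUP_DIR}/ldapsshkey.sh" <<'EOM'
#!/bin/bash
# sshd AuthorizedKeysCommand: print the sshPublicKey values of the AD user whose
# sAMAccountName is $1 (sshd passes the login name as %u).
# Exits non-zero on any failure so sshd discards the output.
set -euo pipefail
. /opt/ldapsshkey/ldapsshkey.conf
# Escape the RFC 4515 filter metacharacters so a login name cannot widen the
# search (a bare "*" would otherwise match every account).
user=$(printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g')
kinit -k -t "$LOOKUP_KEYTAB" "$LOOKUP_PRINCIPAL"
ldapsearch -LLL -H "ldap://${LDAP_HOST}" -Y GSSAPI -Q -b "$LDAP_BASE_DN" \
  "(sAMAccountName=${user})" sshPublicKey \
  | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
EOM
chown root:root "${LOOKUP_DIR}/ldapsshkey.sh"
chmod 0755 "${LOOKUP_DIR}/ldapsshkey.sh"

# ---- sshd ------------------------------------------------------------------
cat > /etc/ssh/sshd_config <<EOM
# Written by the EC2 user-data script; see sshd_config(5).
Port 22
Protocol 2
# No DSA host key (ssh-dss is disabled by default since OpenSSH 7.0) and none of
# the protocol-1-only options (ServerKeyBits, KeyRegenerationInterval,
# RSAAuthentication, RhostsRSAAuthentication).
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
SyslogFacility AUTH
# VERBOSE logs the fingerprint of the key that authenticated, which is what an
# investigation needs when keys come from a directory rather than a file.
LogLevel VERBOSE
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
# AuthorizedKeysFile keeps its default, so local ~/.ssh/authorized_keys files
# are still consulted in addition to the AD lookup below.
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
# Kept from the original. Set to "no" once every user's key is in AD: with
# password authentication on, AD passwords can be guessed over SSH.
PasswordAuthentication yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
AuthorizedKeysCommand ${LOOKUP_DIR}/ldapsshkey.sh %u
AuthorizedKeysCommandUser ${LOOKUP_USER}
EOM
# Validate before restarting: a broken config would leave the instance with no
# sshd to log in to.
/usr/sbin/sshd -t
service ssh restart

# ---- sudo for the devops AD group ------------------------------------------
# A syntax-checked drop-in under sudoers.d instead of appending to /etc/sudoers
# through visudo's editor hook.
# NOTE(review): passwordless root for everyone in %devops is kept from the
# original; consider requiring a password or narrowing the command list.
sudoers_tmp=$(mktemp)
printf '%%devops ALL=(ALL) NOPASSWD: ALL\n' > "$sudoers_tmp"
chmod 0440 "$sudoers_tmp"
visudo -cf "$sudoers_tmp"
install -m 0440 -o root -g root "$sudoers_tmp" /etc/sudoers.d/devops
rm -f "$sudoers_tmp"

# ---- dns search domains ----------------------------------------------------
# Append the directive instead of overwriting whatever happens to be line 24
# of dhclient.conf; the leading space inside the quotes is deliberate for
# "append".
grep -q '^append domain-name ' /etc/dhcp/dhclient.conf || \
  printf 'append domain-name " %s ec2.internal";\n' "$SEARCH_DOMAINS" >> /etc/dhcp/dhclient.conf
/etc/init.d/networking restart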