From f5d873b6291a4a676cacef19ab232b82dd9ed0f6 Mon Sep 17 00:00:00 2001 From: A Holt Date: Wed, 14 Oct 2020 20:58:37 -0400 Subject: [PATCH 01/27] iiab-admin/tasks/admin-user.yml: act on iiab_admin_can_sudo --- roles/iiab-admin/tasks/admin-user.yml | 55 +++++++++++++++++---------- 1 file changed, 35 insertions(+), 20 deletions(-) diff --git a/roles/iiab-admin/tasks/admin-user.yml b/roles/iiab-admin/tasks/admin-user.yml index 1f590f534..55bc01701 100644 --- a/roles/iiab-admin/tasks/admin-user.yml +++ b/roles/iiab-admin/tasks/admin-user.yml 
@@ -1,28 +1,43 @@ -- name: Create user {{ iiab_admin_user }} in group sudo for Admin Console; set password from iiab_admin_pwd_hash if newly creating account +- name: Check if user '{{ iiab_admin_user }}' exists # iiab-admin + command: "id {{ iiab_admin_user | quote }}" # quote to avoid ';' exploits + register: user_info + failed_when: False # Hides red errors (stronger than 'ignore_errors: yes') + +- name: Establish user {{ iiab_admin_user }} with shell /bin/bash, for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB support commands at the command-line (/usr/bin/iiab-* and /usr/sbin/iiab-*) user: - name: "{{ iiab_admin_user }}" # iiab-admin - password: "{{ iiab_admin_pwd_hash }}" - update_password: on_create + name: "{{ iiab_admin_user }}" shell: /bin/bash - groups: sudo + #password: "{{ iiab_admin_pwd_hash }}" + #update_password: on_create -#- name: Create a wheel group -# group: -# name: wheel -# state: present +- name: If user didn't exist, set password to '{{ iiab_admin_published_pwd }}' # g0adm1n + #shell: "echo {{ iiab_admin_user }}:{{ iiab_admin_published_pwd }} | chpasswd" + command: chpasswd + args: + stdin: "{{ iiab_admin_user | quote }}:{{ iiab_admin_published_pwd | quote }}" + when: user_info.rc != 0 -#- name: Create a sudo group (redhat) -# group: -# name: sudo -# state: present -# when: is_redhat | bool -#- name: 'Add user {{ iiab_admin_user }} to groups: wheel, sudo' -# user: -# name: "{{ iiab_admin_user }}" -# groups: wheel,sudo +# roles/2-common/tasks/packages.yml also installs sudo, but that's too late +- name: 'Install package: sudo' + package: + name: sudo -- name: Edit the sudoers file -- first make it editable +- name: Add user {{ iiab_admin_user }} to group sudo, for support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo + command: "gpasswd -a {{ iiab_admin_user | quote }} sudo" + #user: + # name: "{{ iiab_admin_user }}" + # groups: sudo + # append: yes + when: 
iiab_admin_can_sudo | bool + +- name: Remove user {{ iiab_admin_user }} from group sudo, if not iiab_admin_can_sudo + command: "gpasswd -d {{ iiab_admin_user | quote }} sudo" + when: not iiab_admin_can_sudo + failed_when: False # Hides red errors (stronger than 'ignore_errors: yes') + + +- name: Edit the sudoers file -- first make it editable (0640) file: path: /etc/sudoers mode: 0640 @@ -47,7 +62,7 @@ dest: /etc/sudoers state: absent -- name: End editing the sudoers file -- protect it again +- name: End editing the sudoers file -- protect it again (0440) file: path: /etc/sudoers mode: 0440 From 8d48d2da06215acd2be8e9e3f2faea1a019eae48 Mon Sep 17 00:00:00 2001 From: A Holt Date: Wed, 14 Oct 2020 21:10:20 -0400 Subject: [PATCH 02/27] Update default_vars.yml --- vars/default_vars.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/vars/default_vars.yml b/vars/default_vars.yml index 7b626095e..d0873755a 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml 
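Review bot: The new `chpasswd` task passes the plaintext password through `args.stdin` with no `no_log`, so it is printed by `-v` runs and retained by any logging callback; add `no_log: True` to that task (and consider dropping the `# g0adm1n` literal from the task name, which is echoed on every run). The `| quote` filter is also misapplied on that `stdin:` line: `quote` is shell quoting (`shlex.quote`), but stdin data for `command:` never passes through a shell, so a user name or password that needs quoting would be wrapped in literal single quotes and set verbatim — `stdin: "{{ iiab_admin_user }}:{{ iiab_admin_published_pwd }}"` is what chpasswd expects (the quoting on the `id` and `gpasswd` command strings, which are shell-split, is correct). The two group tasks test the flag asymmetrically — `when: iiab_admin_can_sudo | bool` to add, `when: not iiab_admin_can_sudo` to remove — so a string value such as `False` supplied via `-e` satisfies neither branch; use `when: not (iiab_admin_can_sudo | bool)` to keep them symmetric. Finally, `gpasswd -a` reports changed on every run where the commented-out `user:` module with `groups: sudo` and `append: yes` would be idempotent, and both `gpasswd` calls assume a group literally named `sudo` exists, which the removed `is_redhat` branch suggests was not true on every supported OS.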
@@ -50,19 +50,19 @@ language_priority: en es fr # Real-time clock: set RTC chip family here. Future auto-detection plausible? # rtc_id: ds3231 -# Please read more about the 'iiab-admin' Linux user and group, which allow -# you to log in to IIAB's Admin Console (http://box.lan/admin): +# Please read more about the 'iiab-admin' Linux user, for login to IIAB's +# Admin Console (http://box.lan/admin) AND to help you at the command-line: # https://github.com/iiab/iiab/tree/master/roles/iiab-admin # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md +# +iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc. # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- -# created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml +# configured e.g. by IIAB's 1-line installer & roles/iiab-admin/tasks/main.yml iiab_admin_user_install: True -# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux -# user that's a member of group sudo (or group below?) for Admin Console login: -iiab_admin_user: iiab-admin -iiab_admin_user_group: iiab-admin # 2020-10-13: Coming Soon? -iiab_admin_published_pwd: g0adm1n # For live checks/alerts of published pwds -# Password hash to override above, if Ansible creates above user: +iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. +iiab_admin_published_pwd: g0adm1n # Default password. For pwd warnings too. + +# DEPRECATED - Password hash to override above, if Ansible creates above user: iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop. # Obtain a password hash - NEW MORE SECURE WAY: # python3 -c 'import crypt; print(crypt.crypt("", crypt.mksalt(crypt.METHOD_SHA512)))' From f5c538e689e8043868594f279d2ebe00e542fb3c Mon Sep 17 00:00:00 2001 
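Review bot: The retained comment `# DEPRECATED - Password hash to override above, if Ansible creates above user:` on `iiab_admin_pwd_hash` is now inaccurate: the same series comments out the `password:`/`update_password:` lines in admin-user.yml, so nothing visible in this series reads the hash any more and setting it has no effect, yet the `Obtain a password hash - NEW MORE SECURE WAY` instructions directly below still invite users to generate one. Suggest `# DEPRECATED (2020-10): no longer read by roles/iiab-admin/tasks/admin-user.yml; change the password with 'sudo passwd' or the Admin Console instead.` and labelling the crypt example as historical. A sentence on `iiab_admin_published_pwd` would also help: per its own comment it is both the password `chpasswd` assigns to a newly created account and the value the published-password warning compares against, so someone who overrides it in local_vars.yml to a private value apparently turns the warning into a check against their private password rather than against `g0adm1n` — if that coupling is intended, say so; if not, the warning should keep its own constant.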
From: A Holt <holta@users.noreply.github.com> Date: Wed, 14 Oct 2020 21:16:40 -0400 Subject: [PATCH 03/27] Update local_vars_min.yml --- vars/local_vars_min.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml index 3ec432aa9..05d23b0f8 100644 --- a/vars/local_vars_min.yml +++ b/vars/local_vars_min.yml 
@@ -22,18 +22,18 @@ language_priority: en es fr # Real-time clock: set RTC chip family here. Future auto-detection plausible? # rtc_id: ds3231 -# Please read more about the 'iiab-admin' Linux user and group, which allow -# you to log in to IIAB's Admin Console (http://box.lan/admin): +# Please read more about the 'iiab-admin' Linux user, for login to IIAB's +# Admin Console (http://box.lan/admin) AND to help you at the command-line: # https://github.com/iiab/iiab/tree/master/roles/iiab-admin # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md +# +iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc. # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- -# created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml +# configured e.g. by IIAB's 1-line installer & roles/iiab-admin/tasks/main.yml iiab_admin_user_install: True -# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux -# user that's a member of group sudo (or group below?) for Admin Console login: -iiab_admin_user: iiab-admin -iiab_admin_user_group: iiab-admin # 2020-10-13: Coming Soon? -# Password hash to be used if Ansible creates the above user: +iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. + +# DEPRECATED - Password hash to override above, if Ansible creates above user: iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop. # Obtain a password hash - NEW MORE SECURE WAY: # python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))' From 1ce1ad1fc2a0235ead85b8bd04045a850dcafe47 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Wed, 14 Oct 2020 21:16:44 -0400 Subject: [PATCH 04/27] Update local_vars_medium.yml --- vars/local_vars_medium.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index 1e22560b3..42867fefb 100644 --- a/vars/local_vars_medium.yml +++ b/vars/local_vars_medium.yml @@ -22,18 +22,18 @@ language_priority: en es fr # Real-time clock: set RTC chip family here. Future auto-detection plausible? # rtc_id: ds3231 -# Please read more about the 'iiab-admin' Linux user and group, which allow -# you to log in to IIAB's Admin Console (http://box.lan/admin): +# Please read more about the 'iiab-admin' Linux user, for login to IIAB's +# Admin Console (http://box.lan/admin) AND to help you at the command-line: # https://github.com/iiab/iiab/tree/master/roles/iiab-admin # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md +# +iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc. # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- -# created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml +# configured e.g. by IIAB's 1-line installer & roles/iiab-admin/tasks/main.yml iiab_admin_user_install: True -# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux -# user that's a member of group sudo (or group below?) for Admin Console login: -iiab_admin_user: iiab-admin -iiab_admin_user_group: iiab-admin # 2020-10-13: Coming Soon? -# Password hash to be used if Ansible creates the above user: +iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. + +# DEPRECATED - Password hash to override above, if Ansible creates above user: iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop. # Obtain a password hash - NEW MORE SECURE WAY: # python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))' From a295a887a71f2cfd1dfd4136b591bb69fd94b9de Mon Sep 17 00:00:00 2001 
From: A Holt <holta@users.noreply.github.com> Date: Wed, 14 Oct 2020 21:16:53 -0400 Subject: [PATCH 05/27] Update local_vars_big.yml --- vars/local_vars_big.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml index 5b7eb39e7..e79400196 100644 --- a/vars/local_vars_big.yml +++ b/vars/local_vars_big.yml 
@@ -22,18 +22,18 @@ language_priority: en es fr # Real-time clock: set RTC chip family here. Future auto-detection plausible? # rtc_id: ds3231 -# Please read more about the 'iiab-admin' Linux user and group, which allow -# you to log in to IIAB's Admin Console (http://box.lan/admin): +# Please read more about the 'iiab-admin' Linux user, for login to IIAB's +# Admin Console (http://box.lan/admin) AND to help you at the command-line: # https://github.com/iiab/iiab/tree/master/roles/iiab-admin # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md +# +iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc. # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- -# created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml +# configured e.g. by IIAB's 1-line installer & roles/iiab-admin/tasks/main.yml iiab_admin_user_install: True -# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux -# user that's a member of group sudo (or group below?) for Admin Console login: -iiab_admin_user: iiab-admin -iiab_admin_user_group: iiab-admin # 2020-10-13: Coming Soon? -# Password hash to be used if Ansible creates the above user: +iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. + +# DEPRECATED - Password hash to override above, if Ansible creates above user: iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop. # Obtain a password hash - NEW MORE SECURE WAY: # python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))' From 54958601f74a880ac0b97ef484a3ca590b937e67 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Wed, 14 Oct 2020 21:21:26 -0400 Subject: [PATCH 06/27] Update packages.yml --- roles/2-common/tasks/packages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/2-common/tasks/packages.yml b/roles/2-common/tasks/packages.yml index 02ae39496..e17fe7f09 100644 --- a/roles/2-common/tasks/packages.yml +++ b/roles/2-common/tasks/packages.yml @@ -52,7 +52,7 @@ - rsync #- screen # Installed by 1-prep's roles/iiab-admin/tasks/access.yml - sqlite3 - - sudo + - sudo # MIGHT already have been installed by 1-prep's roles/iiab-admin/tasks/admin-user.yml *IF* iiab_admin_user_install: True - tar - unzip #- usbmount # Moved to roles/usb_lib/tasks/install.yml From 9a874344649665bc52f614a714de4c66856eec48 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Wed, 14 Oct 2020 23:09:41 -0400 Subject: [PATCH 07/27] Update admin-user.yml --- roles/iiab-admin/tasks/admin-user.yml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/roles/iiab-admin/tasks/admin-user.yml b/roles/iiab-admin/tasks/admin-user.yml index 55bc01701..834b264f4 100644 --- a/roles/iiab-admin/tasks/admin-user.yml +++ b/roles/iiab-admin/tasks/admin-user.yml 
@@ -37,32 +37,32 @@ failed_when: False # Hides red errors (stronger than 'ignore_errors: yes') -- name: Edit the sudoers file -- first make it editable (0640) +- name: Temporarily make file /etc/sudoers editable (0640) file: path: /etc/sudoers mode: 0640 -- name: Have sudo log all commands it handles +- name: '/etc/sudoers: Have sudo log all commands to /var/log/sudo.log' lineinfile: + path: /etc/sudoers regexp: logfile line: "Defaults logfile = /var/log/sudo.log" - dest: /etc/sudoers - state: present #- name: Lets {{ iiab_admin_user }} sudo without password ##- name: Lets wheel sudo without password # lineinfile: +# path: /etc/sudoers # line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL" ## line: "%wheel ALL= NOPASSWD: ALL" -# dest: /etc/sudoers -- name: Remove the line which requires tty - lineinfile: - regexp: requiretty - dest: /etc/sudoers - state: absent +# Not nec (heavyhanded removal of customizations+comments) given sudo defaults. +#- name: Remove all lines that contain 'requiretty' +# lineinfile: +# path: /etc/sudoers +# regexp: requiretty +# state: absent -- name: End editing the sudoers file -- protect it again (0440) +- name: End editing file /etc/sudoers -- protect it again (0440) file: path: /etc/sudoers mode: 0440 From 11955df2b0c2f14fc20965e7589992fcd77ff3e6 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Wed, 14 Oct 2020 23:19:18 -0400 Subject: [PATCH 08/27] Clarify 'USERGROUPS_ENAB yes' in /etc/login.defs --- roles/iiab-admin/tasks/admin-user.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/iiab-admin/tasks/admin-user.yml b/roles/iiab-admin/tasks/admin-user.yml index 834b264f4..c95c40dc1 100644 --- a/roles/iiab-admin/tasks/admin-user.yml +++ b/roles/iiab-admin/tasks/admin-user.yml 
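Review bot: The `lineinfile` edit of `/etc/sudoers` still has no `validate:`, so a malformed line or a future typo in `line:` is written straight into the live sudoers and can lock every sudoer out; add `validate: /usr/sbin/visudo -cf %s` to that task (or, more robustly, drop the logfile line into `/etc/sudoers.d/iiab` with the same validate). The `regexp: logfile` is unanchored and will also rewrite a commented `#Defaults logfile ...` or any unrelated line mentioning logfile; `regexp: '^Defaults\s+logfile'` targets the directive only. The surrounding 0640/0440 toggle is unnecessary when Ansible runs as root and `lineinfile` rewrites the file atomically, and it leaves a window — any failure between the two `file` tasks — in which sudoers stays group-writable and sudo warns or refuses with "is mode 0640, should be 0440"; with `validate:` in place both `file` tasks can go, or at least `mode: '0440'` can be set on the lineinfile task itself. Quoting the octal modes (`mode: '0640'`) would also match Ansible's recommended form.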
@@ -6,6 +6,8 @@ - name: Establish user {{ iiab_admin_user }} with shell /bin/bash, for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB support commands at the command-line (/usr/bin/iiab-* and /usr/sbin/iiab-*) user: name: "{{ iiab_admin_user }}" + #group: "{{ iiab_admin_user }}" # Neither nec as 'USERGROUPS_ENAB yes' + #groups: "{{ iiab_admin_user }}" # is set in any modern /etc/login.defs shell: /bin/bash #password: "{{ iiab_admin_pwd_hash }}" #update_password: on_create From 6bc7ae2b77289005cbc750b650220feeae85dd4b Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Wed, 14 Oct 2020 23:31:57 -0400 Subject: [PATCH 09/27] Update admin-user.yml --- roles/iiab-admin/tasks/admin-user.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/iiab-admin/tasks/admin-user.yml b/roles/iiab-admin/tasks/admin-user.yml index c95c40dc1..85843ade9 100644 --- a/roles/iiab-admin/tasks/admin-user.yml +++ b/roles/iiab-admin/tasks/admin-user.yml 
@@ -3,18 +3,18 @@ register: user_info failed_when: False # Hides red errors (stronger than 'ignore_errors: yes') -- name: Establish user {{ iiab_admin_user }} with shell /bin/bash, for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB support commands at the command-line (/usr/bin/iiab-* and /usr/sbin/iiab-*) +- name: Establish user {{ iiab_admin_user }} with shell /bin/bash, for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-* and /usr/sbin/iiab-*) at the command-line user: name: "{{ iiab_admin_user }}" #group: "{{ iiab_admin_user }}" # Neither nec as 'USERGROUPS_ENAB yes' #groups: "{{ iiab_admin_user }}" # is set in any modern /etc/login.defs shell: /bin/bash - #password: "{{ iiab_admin_pwd_hash }}" - #update_password: on_create + #password: "{{ iiab_admin_pwd_hash }}" # 2020-10-14: DEPRECATED in favor + #update_password: on_create # of 'command: chpasswd' below. See: #2570 - name: If user didn't exist, set password to '{{ iiab_admin_published_pwd }}' # g0adm1n #shell: "echo {{ iiab_admin_user }}:{{ iiab_admin_published_pwd }} | chpasswd" - command: chpasswd + command: chpasswd # Equiv to line above, but safer args: stdin: "{{ iiab_admin_user | quote }}:{{ iiab_admin_published_pwd | quote }}" when: user_info.rc != 0 From a659cf7627b37dc6c3ba7bef9c692fdd158bd817 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Wed, 14 Oct 2020 23:35:43 -0400 Subject: [PATCH 10/27] Update admin-user.yml --- roles/iiab-admin/tasks/admin-user.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/iiab-admin/tasks/admin-user.yml b/roles/iiab-admin/tasks/admin-user.yml index 85843ade9..c5b6d0ab6 100644 --- a/roles/iiab-admin/tasks/admin-user.yml +++ b/roles/iiab-admin/tasks/admin-user.yml 
@@ -25,7 +25,7 @@ package: name: sudo -- name: Add user {{ iiab_admin_user }} to group sudo, for support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo +- name: Add user {{ iiab_admin_user }} to group sudo, for IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo command: "gpasswd -a {{ iiab_admin_user | quote }} sudo" #user: # name: "{{ iiab_admin_user }}" From 7b07b02d99097b1a0dd35d38bccec158b88a4da0 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Wed, 14 Oct 2020 23:38:32 -0400 Subject: [PATCH 11/27] Update default_vars.yml --- vars/default_vars.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/default_vars.yml b/vars/default_vars.yml index d0873755a..6b95707a6 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml @@ -57,7 +57,7 @@ language_priority: en es fr # iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc. # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- -# configured e.g. by IIAB's 1-line installer & roles/iiab-admin/tasks/main.yml +# configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml iiab_admin_user_install: True iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. iiab_admin_published_pwd: g0adm1n # Default password. For pwd warnings too. From 10f7c498ea470f2fb80eda4039f7614f612f4dce Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Wed, 14 Oct 2020 23:39:40 -0400 Subject: [PATCH 12/27] Update local_vars_min.yml --- vars/local_vars_min.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml index 05d23b0f8..75627d203 100644 --- a/vars/local_vars_min.yml +++ b/vars/local_vars_min.yml 
@@ -29,7 +29,7 @@ language_priority: en es fr # iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc. # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- -# configured e.g. by IIAB's 1-line installer & roles/iiab-admin/tasks/main.yml +# configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml iiab_admin_user_install: True iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. From bed89e49e9831102ec05eed9623e8fa15b3acb43 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Wed, 14 Oct 2020 23:39:55 -0400 Subject: [PATCH 13/27] Update local_vars_medium.yml --- vars/local_vars_medium.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index 42867fefb..8f22e1fc8 100644 --- a/vars/local_vars_medium.yml +++ b/vars/local_vars_medium.yml @@ -29,7 +29,7 @@ language_priority: en es fr # iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc. # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- -# configured e.g. by IIAB's 1-line installer & roles/iiab-admin/tasks/main.yml +# configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml iiab_admin_user_install: True iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. From 3abdef265a47f5f57cddeb81cb52af9b7caa7e5d Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Wed, 14 Oct 2020 23:40:10 -0400 Subject: [PATCH 14/27] Update local_vars_big.yml --- vars/local_vars_big.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml index e79400196..a26694108 100644 --- a/vars/local_vars_big.yml +++ b/vars/local_vars_big.yml 
@@ -29,7 +29,7 @@ language_priority: en es fr # iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc. # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- -# configured e.g. by IIAB's 1-line installer & roles/iiab-admin/tasks/main.yml +# configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml iiab_admin_user_install: True iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. From c0bd8729ce3a3a305eb5e605390f3018abf8cf51 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 15 Oct 2020 02:10:15 -0400 Subject: [PATCH 15/27] Update README.rst --- roles/iiab-admin/README.rst | 50 ++++++++++++++++++++++++++----------- 1 file changed, 35 insertions(+), 15 deletions(-) diff --git a/roles/iiab-admin/README.rst b/roles/iiab-admin/README.rst index 741a3e1cb..e4aa45026 100644 --- a/roles/iiab-admin/README.rst +++ b/roles/iiab-admin/README.rst 
@@ -13,32 +13,52 @@ iiab-admin README ================= -This role is home to a number of administrative (Ansible) playbooks: +`Internet-in-a-Box <http://internet-in-a-box.org>`_ (IIAB) encourages you to pay attention to the security of your learning community. -Add Administrative User ------------------------ +This Ansible playbook is one of the very first that runs when you install IIAB, and we hope reading this helps you understand your choices: -* Adds the Linux user that will allow you access to IIAB's Admin Console (http://box.lan/admin) if this has not already been done for you by IIAB's 1-line installer (http://download.iiab.io). -* By default this is ``iiab-admin`` with password ``g0adm1n`` +Configure user 'iiab-admin' +--------------------------- + +* `admin-user.yml <tasks/admin-user.yml>`_ configures the Linux user that will give you access to IIAB's Admin Console (http://box.lan/admin) after IIAB is installed — and can also help you at the command-line with IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware, etc}. + * If initial creation of the user and password was somehow not already taken care of by IIAB's 1-line installer (http://download.iiab.io) or by your underlying OS, that too will be taken care of here. +* By default the user is ``iiab-admin`` with password ``g0adm1n`` * *Do change the default password if you haven't yet, by running:* **sudo passwd iiab-admin** * After IIAB is installed, you can also change the password by logging into Admin Console (http://box.lan/admin) > Utilities > Change Password - * If you prefer using a pre-existing user like ``pi`` or ``ubuntu`` etc, consider customizing variables ``iiab_admin_user_install``, ``iiab_admin_user`` and ``iiab_admin_user_group`` in your `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ (please do this prior to installing IIAB !) 
-* Please read more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md +* If you prefer to use a pre-existing user like ``pi`` or ``ubuntu`` (or any other username) customize the variable ``iiab_admin_user`` in your `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ (preferably do this prior to installing IIAB !) + * You can set ``iiab_admin_can_sudo: False`` if you want a strict security lockdown (if you're really sure you'll never need IIAB community support commands like `/usr/bin/iiab-diagnostics <https://github.com/iiab/iiab/blob/master/scripts/iiab-diagnostics.README.md>`_, `/usr/bin/iiab-hotspot-on <https://github.com/iiab/iiab/blob/master/roles/network/templates/network/iiab-hotspot-on>`_, `iiab-check-firmware <https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware>`_, etc!) + * You can also set ``iiab_admin_user_install: False`` if you're sure you know how to do all this `account and sudo configuration <tasks/admin-user.yml>`_ manually. -Desiderata, for the historical record: +Desiderata: -* Auto-checking for the default password is implemented in `/etc/profile.d <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh>`_ when it exists). -* |ss| N.B. 
to create password hash use python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")' |se| |nbsp| (not recommended as of October 2020) -* |ss| Make a sudoer |se| |nbsp| (likely going away in October 2020, as group 'iiab-admin' should be recommended instead of group 'sudo') -* |ss| Add /root/.ssh and dummy authorized_keys file as placeholder |se| |nbsp| (moved to `roles/openvpn/tasks/install.yml <https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml>`_) -* |ss| Force password for sudoers |se| |nbsp| (sudo flag ``NOPASSWORD:`` and the ``wheel`` group will no longer being used as of October 2020) +* Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md +* If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml>`_ to faciliate remote community support. Feel free to remove this as mentioned here: http://wiki.laptop.org/go/IIAB/Security +* Auto-checking for the default/published password (as specified by ``iiab_admin_published_pwd`` in `/opt/iiab/iiab/vars/default_vars.yml <https://github.com/iiab/iiab/blob/master/vars/default_vars.yml>`_) is implemented in `/etc/profile.d <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh>`_ when it exists, i.e. on Raspberry Pi OS with desktop). -Add Packages for Remote Access ------------------------------- +Example: + +* If you later change your mind about ``sudo`` privileges for user 'iiab-admin' (as specified by ``iiab_admin_user``) then do this: + #. 
Go ahead and change the value of ``iiab_admin_can_sudo`` (to either True or False) in `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ + #. Make sure that ``iiab_admin_user_install: True`` is also set. + #. Then re-run this Ansible playbook, by running ``cd /opt/iiab/iiab`` followed by ``sudo ./runrole --reinstall iiab-admin`` + +Historical: + +* We no longer recommend setting your password using a hash e.g. ``python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'`` (or the Python 3 equivalent) as this is very cumbersome — and worse, exposes your "salt" opens up your password to `possible attack <https://stackoverflow.com/questions/6776050/how-long-to-brute-force-a-salted-sha-512-hash-salt-provided>`_. +* The sudo flag ``NOPASSWORD:`` and the ``wheel`` group are also no longer recommended as of October 2020. + +Tools to facilitate Remote Support +---------------------------------- + +In addition to the iiab-diagnostics and OpenVPN options mentioned above, `/opt/iiab/iiab/roles/iiab-admin/tasks/access.yml <https://github.com/holta/iiab/blob/sudoers_anonymous/roles/iiab-admin/tasks/access.yml>`_ adds a few more essential tools: * screen * lynx +*Please also see:* + +http://FAQ.IIAB.IO > "How can I remotely manage my Internet-in-a-Box?" + Admin Console ------------- From 078872a01d22c81ab1b4356b6a9bc884cfb1a518 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 15 Oct 2020 02:42:17 -0400 Subject: [PATCH 16/27] Update README.rst --- roles/iiab-admin/README.rst | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/roles/iiab-admin/README.rst b/roles/iiab-admin/README.rst index e4aa45026..b800024e4 100644 --- a/roles/iiab-admin/README.rst +++ b/roles/iiab-admin/README.rst 
@@ -29,20 +29,23 @@ Configure user 'iiab-admin' * You can set ``iiab_admin_can_sudo: False`` if you want a strict security lockdown (if you're really sure you'll never need IIAB community support commands like `/usr/bin/iiab-diagnostics <https://github.com/iiab/iiab/blob/master/scripts/iiab-diagnostics.README.md>`_, `/usr/bin/iiab-hotspot-on <https://github.com/iiab/iiab/blob/master/roles/network/templates/network/iiab-hotspot-on>`_, `iiab-check-firmware <https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware>`_, etc!) * You can also set ``iiab_admin_user_install: False`` if you're sure you know how to do all this `account and sudo configuration <tasks/admin-user.yml>`_ manually. -Desiderata: +Security +-------- * Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md * If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml>`_ to faciliate remote community support. Feel free to remove this as mentioned here: http://wiki.laptop.org/go/IIAB/Security * Auto-checking for the default/published password (as specified by ``iiab_admin_published_pwd`` in `/opt/iiab/iiab/vars/default_vars.yml <https://github.com/iiab/iiab/blob/master/vars/default_vars.yml>`_) is implemented in `/etc/profile.d <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh>`_ when it exists, i.e. on Raspberry Pi OS with desktop). -Example: +Example +======= * If you later change your mind about ``sudo`` privileges for user 'iiab-admin' (as specified by ``iiab_admin_user``) then do this: #. 
Go ahead and change the value of ``iiab_admin_can_sudo`` (to either True or False) in `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ #. Make sure that ``iiab_admin_user_install: True`` is also set. #. Then re-run this Ansible playbook, by running ``cd /opt/iiab/iiab`` followed by ``sudo ./runrole --reinstall iiab-admin`` -Historical: +Historical Notes +================ * We no longer recommend setting your password using a hash e.g. ``python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'`` (or the Python 3 equivalent) as this is very cumbersome — and worse, exposes your "salt" opens up your password to `possible attack <https://stackoverflow.com/questions/6776050/how-long-to-brute-force-a-salted-sha-512-hash-salt-provided>`_. * The sudo flag ``NOPASSWORD:`` and the ``wheel`` group are also no longer recommended as of October 2020. From 069b253c4e2e5ca22bf372e7cf3e4202fd8b35cd Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 15 Oct 2020 02:46:27 -0400 Subject: [PATCH 17/27] Update README.rst --- roles/iiab-admin/README.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/iiab-admin/README.rst b/roles/iiab-admin/README.rst index b800024e4..38b57f7a5 100644 --- a/roles/iiab-admin/README.rst +++ b/roles/iiab-admin/README.rst 
@@ -24,8 +24,8 @@ Configure user 'iiab-admin' * If initial creation of the user and password was somehow not already taken care of by IIAB's 1-line installer (http://download.iiab.io) or by your underlying OS, that too will be taken care of here. * By default the user is ``iiab-admin`` with password ``g0adm1n`` * *Do change the default password if you haven't yet, by running:* **sudo passwd iiab-admin** - * After IIAB is installed, you can also change the password by logging into Admin Console (http://box.lan/admin) > Utilities > Change Password -* If you prefer to use a pre-existing user like ``pi`` or ``ubuntu`` (or any other username) customize the variable ``iiab_admin_user`` in your `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ (preferably do this prior to installing IIAB !) + * After IIAB is installed, you can also change the password by logging into Admin Console (http://box.lan/admin) > Utilities > Change Password. +* If you prefer to use a pre-existing user like ``pi`` or ``ubuntu`` (or any other username) customize the variable ``iiab_admin_user`` in your `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ (preferably do this prior to installing IIAB!) * You can set ``iiab_admin_can_sudo: False`` if you want a strict security lockdown (if you're really sure you'll never need IIAB community support commands like `/usr/bin/iiab-diagnostics <https://github.com/iiab/iiab/blob/master/scripts/iiab-diagnostics.README.md>`_, `/usr/bin/iiab-hotspot-on <https://github.com/iiab/iiab/blob/master/roles/network/templates/network/iiab-hotspot-on>`_, `iiab-check-firmware <https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware>`_, etc!) * You can also set ``iiab_admin_user_install: False`` if you're sure you know how to do all this `account and sudo configuration <tasks/admin-user.yml>`_ manually. 
From 83cc540bfca87597c5d84a614c795e0c14b0f92c Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 15 Oct 2020 04:51:28 -0400 Subject: [PATCH 18/27] Update: iiab-admin/defaults/main.yml --- roles/iiab-admin/defaults/main.yml | 29 ++++++++++------------------- 1 file changed, 10 insertions(+), 19 deletions(-) diff --git a/roles/iiab-admin/defaults/main.yml b/roles/iiab-admin/defaults/main.yml index 080962fbf..34cc7865f 100644 --- a/roles/iiab-admin/defaults/main.yml +++ b/roles/iiab-admin/defaults/main.yml 
@@ -1,24 +1,15 @@ -# Must keep roles/0-init/defaults/main.yml sync'd ? (Seems no longer true as of 2018-10-15) +# Please read more about the 'iiab-admin' Linux user, for login to IIAB's +# Admin Console (http://box.lan/admin) AND to help you at the command-line: +# https://github.com/iiab/iiab/tree/master/roles/iiab-admin +# https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md -# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel -# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo- -# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n). +# iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc. + +# Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- +# configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml # iiab_admin_user_install: True -# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing -# Linux user that has sudo access, for login to Admin Console http://box/admin - -# ODDLY THIS IS ALSO USED BY roles/usb-lib/tasks/main.yml TO SET GROUP PERM FOR /library/www/html/local_content (ISN'T {{ apache_user }} MORE APPROPRIATE?) -# iiab_admin_user: iiab-admin - -# For live checks/alerts of published pwds -# iiab_admin_published_pwd: g0adm1n - -# Password hash to override above, if Ansible creates above user: -# iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop. -# Obtain a password hash - NEW MORE SECURE WAY: -# python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))' -# Obtain a password hash - OLD WAY: -# python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")' +# iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. +# iiab_admin_published_pwd: g0adm1n # Default password. For pwd warnings too. 
# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! From ad9125ce6462828cff5b89ce02ff241507728a9e Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 15 Oct 2020 12:29:03 -0400 Subject: [PATCH 19/27] iiab-admin/README.rst: clarify Admin Console login reqs --- roles/iiab-admin/README.rst | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/iiab-admin/README.rst b/roles/iiab-admin/README.rst index 38b57f7a5..cb3ba74ee 100644 --- a/roles/iiab-admin/README.rst +++ b/roles/iiab-admin/README.rst 
@@ -32,6 +32,9 @@ Configure user 'iiab-admin' Security -------- +* A user MUST be a member of one of these 2 Linux groups, in order to log in to Admin Console: + #. ``sudo`` + #. ``iiab-admin`` (as set by ``iiab_admin_user_group`` near the bottom of `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_) * Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md * If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml>`_ to faciliate remote community support. Feel free to remove this as mentioned here: http://wiki.laptop.org/go/IIAB/Security * Auto-checking for the default/published password (as specified by ``iiab_admin_published_pwd`` in `/opt/iiab/iiab/vars/default_vars.yml <https://github.com/iiab/iiab/blob/master/vars/default_vars.yml>`_) is implemented in `/etc/profile.d <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh>`_ when it exists, i.e. on Raspberry Pi OS with desktop). 
@@ -47,8 +50,8 @@ Example Historical Notes ================ -* We no longer recommend setting your password using a hash e.g. ``python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'`` (or the Python 3 equivalent) as this is very cumbersome — and worse, exposes your "salt" opens up your password to `possible attack <https://stackoverflow.com/questions/6776050/how-long-to-brute-force-a-salted-sha-512-hash-salt-provided>`_. -* The sudo flag ``NOPASSWORD:`` and the ``wheel`` group are also no longer recommended as of October 2020. +* We no longer recommend setting your password using a hash e.g. ``python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'`` (or the Python 3 equivalent) as this is very cumbersome — and worse, exposes your "salt" opens up your password to `possible attack <https://stackoverflow.com/questions/6776050/how-long-to-brute-force-a-salted-sha-512-hash-salt-provided>`_. [October 2020] +* The sudo flag ``NOPASSWORD:`` and the ``wheel`` group are also no longer recommended. [October 2020] Tools to facilitate Remote Support ---------------------------------- From de2df9b3feca72887517a64a59e434f1f97fef56 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 15 Oct 2020 12:58:24 -0400 Subject: [PATCH 20/27] A bit cleaner iiab-admin/README.rst --- roles/iiab-admin/README.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/iiab-admin/README.rst b/roles/iiab-admin/README.rst index cb3ba74ee..e155a6d6f 100644 --- a/roles/iiab-admin/README.rst +++ b/roles/iiab-admin/README.rst 
@@ -32,7 +32,7 @@ Configure user 'iiab-admin' Security -------- -* A user MUST be a member of one of these 2 Linux groups, in order to log in to Admin Console: +* A user MUST be a member of one of these 2 Linux groups, in order to log in to IIAB's Admin Console: (http://box.lan/admin) #. ``sudo`` #. ``iiab-admin`` (as set by ``iiab_admin_user_group`` near the bottom of `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_) * Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md From 0cf1cfc90df6a03288703d4c8ecd916fdca88851 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 15 Oct 2020 21:56:23 -0400 Subject: [PATCH 21/27] Refine roles/iiab-admin/README.rst --- roles/iiab-admin/README.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/iiab-admin/README.rst b/roles/iiab-admin/README.rst index e155a6d6f..64402a58f 100644 --- a/roles/iiab-admin/README.rst +++ b/roles/iiab-admin/README.rst 
@@ -20,21 +20,21 @@ This Ansible playbook is one of the very first that runs when you install IIAB, Configure user 'iiab-admin' --------------------------- -* `admin-user.yml <tasks/admin-user.yml>`_ configures the Linux user that will give you access to IIAB's Admin Console (http://box.lan/admin) after IIAB is installed — and can also help you at the command-line with IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware, etc}. +* `admin-user.yml <tasks/admin-user.yml>`_ configures a Linux user that will give you access to IIAB's Admin Console (http://box.lan/admin) after IIAB is installed — and can also help you at the command-line with IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware, etc}. * If initial creation of the user and password was somehow not already taken care of by IIAB's 1-line installer (http://download.iiab.io) or by your underlying OS, that too will be taken care of here. -* By default the user is ``iiab-admin`` with password ``g0adm1n`` +* By default this user is ``iiab-admin`` with password ``g0adm1n`` * *Do change the default password if you haven't yet, by running:* **sudo passwd iiab-admin** * After IIAB is installed, you can also change the password by logging into Admin Console (http://box.lan/admin) > Utilities > Change Password. * If you prefer to use a pre-existing user like ``pi`` or ``ubuntu`` (or any other username) customize the variable ``iiab_admin_user`` in your `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ (preferably do this prior to installing IIAB!) 
- * You can set ``iiab_admin_can_sudo: False`` if you want a strict security lockdown (if you're really sure you'll never need IIAB community support commands like `/usr/bin/iiab-diagnostics <https://github.com/iiab/iiab/blob/master/scripts/iiab-diagnostics.README.md>`_, `/usr/bin/iiab-hotspot-on <https://github.com/iiab/iiab/blob/master/roles/network/templates/network/iiab-hotspot-on>`_, `iiab-check-firmware <https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware>`_, etc!) + * You can set ``iiab_admin_can_sudo: False`` if you want a strict security lockdown (if you're really sure you won't need IIAB community support commands like `/usr/bin/iiab-diagnostics <https://github.com/iiab/iiab/blob/master/scripts/iiab-diagnostics.README.md>`_, `/usr/bin/iiab-hotspot-on <https://github.com/iiab/iiab/blob/master/roles/network/templates/network/iiab-hotspot-on>`_, `iiab-check-firmware <https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware>`_, etc!) * You can also set ``iiab_admin_user_install: False`` if you're sure you know how to do all this `account and sudo configuration <tasks/admin-user.yml>`_ manually. Security -------- -* A user MUST be a member of one of these 2 Linux groups, in order to log in to IIAB's Admin Console: (http://box.lan/admin) +* A user MUST be a member of at least one of these 2 Linux groups, in order to log in to IIAB's Admin Console: (http://box.lan/admin) + #. ``iiab-admin`` (specified by ``iiab_admin_user_group`` near the bottom of `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_) #. ``sudo`` - #. 
``iiab-admin`` (as set by ``iiab_admin_user_group`` near the bottom of `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_) * Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md * If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml>`_ to faciliate remote community support. Feel free to remove this as mentioned here: http://wiki.laptop.org/go/IIAB/Security * Auto-checking for the default/published password (as specified by ``iiab_admin_published_pwd`` in `/opt/iiab/iiab/vars/default_vars.yml <https://github.com/iiab/iiab/blob/master/vars/default_vars.yml>`_) is implemented in `/etc/profile.d <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh>`_ when it exists, i.e. on Raspberry Pi OS with desktop). From 25c97335415ee8d4faf5871405a2038ce371fa21 Mon Sep 17 00:00:00 2001 
From: root <holta@users.noreply.github.com> Date: Fri, 16 Oct 2020 14:00:30 -0400 Subject: [PATCH 22/27] Refine iiab-admin role for Admin Console etc --- roles/2-common/tasks/packages.yml | 4 +- roles/iiab-admin/README.rst | 16 ++--- roles/iiab-admin/defaults/main.yml | 1 + roles/iiab-admin/tasks/access.yml | 6 +- roles/iiab-admin/tasks/admin-user.yml | 62 +++++++------------ roles/iiab-admin/tasks/main.yml | 59 ++++++++---------- roles/iiab-admin/tasks/pwd-warnings.yml | 31 ++++++++++ roles/iiab-admin/tasks/sudo-prereqs.yml | 27 ++++++++ .../iiab-admin/templates/sshpwd-lxde-iiab.sh | 3 + .../templates/sshpwd-profile-iiab.sh | 2 - roles/nginx/tasks/install.yml | 9 +-- vars/default_vars.yml | 3 +- vars/local_vars_big.yml | 9 +-- vars/local_vars_medium.yml | 9 +-- vars/local_vars_min.yml | 9 +-- 15 files changed, 136 insertions(+), 114 deletions(-) create mode 100644 roles/iiab-admin/tasks/pwd-warnings.yml create mode 100644 roles/iiab-admin/tasks/sudo-prereqs.yml diff --git a/roles/2-common/tasks/packages.yml b/roles/2-common/tasks/packages.yml index e17fe7f09..08743aa0b 100644 --- a/roles/2-common/tasks/packages.yml +++ b/roles/2-common/tasks/packages.yml @@ -27,7 +27,7 @@ state: present when: is_debuntu | bool -- name: "Install 23 common packages: acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, pandoc, pastebinit, rsync, sqlite3, sudo, tar, unzip, usbutils, wget" +- name: "Install 22 common packages: acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, pandoc, pastebinit, rsync, sqlite3, sudo, tar, unzip, usbutils, wget" package: name: - acpid 
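Review bot: The renamed task still lists sudo in its label even though the count was changed from 23 to 22, so the name now contradicts itself (23 package names under "22 common packages"); drop `sudo, ` from the `+- name:` line so it matches the second hunk (`@@ -52,7`), which comments out the `- sudo` list entry. The package list body continues past the end of this hunk.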
@@ -52,7 +52,7 @@ - rsync #- screen # Installed by 1-prep's roles/iiab-admin/tasks/access.yml - sqlite3 - - sudo # MIGHT already have been installed by 1-prep's roles/iiab-admin/tasks/admin-user.yml *IF* iiab_admin_user_install: True + #- sudo # Installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml - tar - unzip #- usbmount # Moved to roles/usb_lib/tasks/install.yml diff --git a/roles/iiab-admin/README.rst b/roles/iiab-admin/README.rst index 64402a58f..c905af11f 100644 --- a/roles/iiab-admin/README.rst +++ b/roles/iiab-admin/README.rst @@ -33,7 +33,7 @@ Security -------- * A user MUST be a member of at least one of these 2 Linux groups, in order to log in to IIAB's Admin Console: (http://box.lan/admin) - #. ``iiab-admin`` (specified by ``iiab_admin_user_group`` near the bottom of `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_) + #. ``iiab-admin`` (specified by ``admin_console_group`` near the bottom of `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_) #. ``sudo`` * Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md * If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml>`_ to faciliate remote community support. Feel free to remove this as mentioned here: http://wiki.laptop.org/go/IIAB/Security 
@@ -50,18 +50,20 @@ Example Historical Notes ================ -* We no longer recommend setting your password using a hash e.g. ``python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'`` (or the Python 3 equivalent) as this is very cumbersome — and worse, exposes your "salt" opens up your password to `possible attack <https://stackoverflow.com/questions/6776050/how-long-to-brute-force-a-salted-sha-512-hash-salt-provided>`_. [October 2020] -* The sudo flag ``NOPASSWORD:`` and the ``wheel`` group are also no longer recommended. [October 2020] +* We no longer support setting your password using a hash e.g. ``python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'`` (or the Python 3 equivalent, ``python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'``) as these are very cumbersome — and worse, exposing your "salt" opens up your password to `possible attack <https://stackoverflow.com/questions/6776050/how-long-to-brute-force-a-salted-sha-512-hash-salt-provided>`_. [October 2020] +* The sudo flag ``NOPASSWORD:`` and the ``wheel`` group are similarly no longer recommended, so that your IIAB faces fewer security risks. [October 2020] Tools to facilitate Remote Support ---------------------------------- -In addition to the iiab-diagnostics and OpenVPN options mentioned above, `/opt/iiab/iiab/roles/iiab-admin/tasks/access.yml <https://github.com/holta/iiab/blob/sudoers_anonymous/roles/iiab-admin/tasks/access.yml>`_ adds a few more essential tools: +The iiab-diagnostics and OpenVPN options mentioned can greatly help you help your community, typically during the implementation phase of your project, even if Linux is new to you. 
-* screen -* lynx +Similarly, `/opt/iiab/iiab/roles/iiab-admin/tasks/access.yml <tasks/access.yml>`_ adds a couple text mode tools, very helpful at a distance with expensive / low-bandwidth connections: -*Please also see:* +* `lynx <https://en.wikipedia.org/wiki/Lynx_(web_browser)>`_ +* `screen <https://linuxize.com/post/how-to-use-linux-screen/>`_ + +*More great tools to help you jumpstart community work at a distance:* http://FAQ.IIAB.IO > "How can I remotely manage my Internet-in-a-Box?" diff --git a/roles/iiab-admin/defaults/main.yml b/roles/iiab-admin/defaults/main.yml index 34cc7865f..a7690e226 100644 --- a/roles/iiab-admin/defaults/main.yml +++ b/roles/iiab-admin/defaults/main.yml @@ -10,6 +10,7 @@ # iiab_admin_user_install: True # iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. # iiab_admin_published_pwd: g0adm1n # Default password. For pwd warnings too. +# admin_console_group: iiab-admin # This group & sudo log in to Admin Console # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! diff --git a/roles/iiab-admin/tasks/access.yml b/roles/iiab-admin/tasks/access.yml index 511103f17..e7281c4dc 100644 --- a/roles/iiab-admin/tasks/access.yml +++ b/roles/iiab-admin/tasks/access.yml @@ -1,6 +1,6 @@ -- name: "Install textmode remote access packages: screen, lynx" +- name: "Install text mode packages, useful during remote access: screen, lynx" package: name: - - screen - - lynx + - lynx + - screen state: present diff --git a/roles/iiab-admin/tasks/admin-user.yml b/roles/iiab-admin/tasks/admin-user.yml index c5b6d0ab6..e19ea8e7d 100644 --- a/roles/iiab-admin/tasks/admin-user.yml +++ b/roles/iiab-admin/tasks/admin-user.yml 
@@ -1,16 +1,28 @@ -- name: Check if user '{{ iiab_admin_user }}' exists # iiab-admin +# Summary of how this works with IIAB's Admin Console etc: +# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/README.rst + + +# YOU CAN CHANGE THIS USER TO 'pi' OR 'ubuntu' ETC, IN /etc/iiab/local_vars.yml +- name: Does user '{{ iiab_admin_user }}' (iiab_admin_user) exist? # iiab-admin BY DEFAULT command: "id {{ iiab_admin_user | quote }}" # quote to avoid ';' exploits register: user_info failed_when: False # Hides red errors (stronger than 'ignore_errors: yes') -- name: Establish user {{ iiab_admin_user }} with shell /bin/bash, for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-* and /usr/sbin/iiab-*) at the command-line +# admin_console_group: iiab-admin # PER default_vars.yml, SHOULD NEVER CHANGE +- name: Establish Linux group '{{ admin_console_group }}' group, for login to Admin Console + group: + name: "{{ admin_console_group }}" + state: present + +- name: Configure user '{{ iiab_admin_user }}' with group '{{ admin_console_group }}' for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-* and /usr/sbin/iiab-*) at the command-line user: name: "{{ iiab_admin_user }}" - #group: "{{ iiab_admin_user }}" # Neither nec as 'USERGROUPS_ENAB yes' - #groups: "{{ iiab_admin_user }}" # is set in any modern /etc/login.defs + #group: "{{ iiab_admin_user }}" # Not nec. Anyway this happens during account creation b/c 'USERGROUPS_ENAB yes' is set in any modern /etc/login.defs + groups: "{{ admin_console_group }}" # What guarantees any user's ability to login to Admin Console, just in case the user is not a member of sudo in future. FWIW Ansible adds the user to this group in /etc/group even in cases where that's not nec -- i.e. 
user iiab-admin's primary group is normally sufficient if it (the correct GID, corresponding to group iiab-admin) is in the 4th column of /etc/passwd. + append: yes shell: /bin/bash #password: "{{ iiab_admin_pwd_hash }}" # 2020-10-14: DEPRECATED in favor - #update_password: on_create # of 'command: chpasswd' below. See: #2570 + #update_password: on_create # of 'command: chpasswd' below. - name: If user didn't exist, set password to '{{ iiab_admin_published_pwd }}' # g0adm1n #shell: "echo {{ iiab_admin_user }}:{{ iiab_admin_published_pwd }} | chpasswd" @@ -20,18 +32,15 @@ when: user_info.rc != 0 -# roles/2-common/tasks/packages.yml also installs sudo, but that's too late -- name: 'Install package: sudo' - package: - name: sudo +# sudo-prereqs.yml needs to have been run! - name: Add user {{ iiab_admin_user }} to group sudo, for IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo - command: "gpasswd -a {{ iiab_admin_user | quote }} sudo" - #user: - # name: "{{ iiab_admin_user }}" - # groups: sudo - # append: yes - when: iiab_admin_can_sudo | bool + #command: "gpasswd -a {{ iiab_admin_user | quote }} sudo" + user: + name: "{{ iiab_admin_user }}" + groups: sudo + append: yes + when: iiab_admin_can_sudo - name: Remove user {{ iiab_admin_user }} from group sudo, if not iiab_admin_can_sudo command: "gpasswd -d {{ iiab_admin_user | quote }} sudo" 
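Review bot: The inline comment on the new `groups: "{{ admin_console_group }}"` line runs for several hundred characters, which makes the task unreadable in a terminal diff and hard to lint; move it into a `#` comment block above the `user:` task and keep the key line short, e.g. `groups: "{{ admin_console_group }}"  # Keeps Admin Console login working even if sudo membership is later revoked`. The added `append: yes` should be `append: true`, the canonical form for Ansible booleans. Separately, the unchanged context line `- name: If user didn't exist, set password to '{{ iiab_admin_published_pwd }}'` interpolates the password into the task name, so it is echoed in play output and any log collector whenever a site overrides the default; consider `- name: If user didn't exist, set password to iiab_admin_published_pwd` plus `no_log: true` on that task (its `command: chpasswd` body lies between this hunk and the next).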
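Review bot: The new `when: iiab_admin_can_sudo` dropped the `| bool` filter that the replaced line had, so a value arriving as a string (for example `"False"` from a hand-edited local_vars.yml or `-e`) evaluates as truthy and the user is added to `sudo` anyway; restore `when: iiab_admin_can_sudo | bool`, matching `when: iiab_admin_user_install | bool` in main.yml. The sibling "Remove user … from group sudo" task's own `when:` lies past the end of this hunk and should use the same `not … | bool` form. The `# sudo-prereqs.yml needs to have been run!` comment records an ordering dependency that is enforced only by include order in main.yml; naming that file in the comment (`# Requires sudo-prereqs.yml, included before this file by tasks/main.yml`) would at least tell the next reader where to look.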
@@ -39,32 +48,9 @@ failed_when: False # Hides red errors (stronger than 'ignore_errors: yes') -- name: Temporarily make file /etc/sudoers editable (0640) - file: - path: /etc/sudoers - mode: 0640 - -- name: '/etc/sudoers: Have sudo log all commands to /var/log/sudo.log' - lineinfile: - path: /etc/sudoers - regexp: logfile - line: "Defaults logfile = /var/log/sudo.log" - #- name: Lets {{ iiab_admin_user }} sudo without password ##- name: Lets wheel sudo without password # lineinfile: # path: /etc/sudoers # line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL" ## line: "%wheel ALL= NOPASSWD: ALL" - -# Not nec (heavyhanded removal of customizations+comments) given sudo defaults. -#- name: Remove all lines that contain 'requiretty' -# lineinfile: -# path: /etc/sudoers -# regexp: requiretty -# state: absent - -- name: End editing file /etc/sudoers -- protect it again (0440) - file: - path: /etc/sudoers - mode: 0440 diff --git a/roles/iiab-admin/tasks/main.yml b/roles/iiab-admin/tasks/main.yml index 54275c7cf..0e2b40ab5 100644 --- a/roles/iiab-admin/tasks/main.yml +++ b/roles/iiab-admin/tasks/main.yml 
@@ -1,39 +1,28 @@ -- include_tasks: admin-user.yml +- name: Install lynx, screen + include_tasks: access.yml + +- name: Install sudo & /etc/sudoers with logging to /var/log/sudo.log + include_tasks: sudo-prereqs.yml + +- name: Configure user iiab-admin / password and its groups, if iiab_admin_user_install + include_tasks: admin-user.yml when: iiab_admin_user_install | bool -- include_tasks: access.yml +# Idea: institute precautionary system-wide published password warning(s) +# for user iiab-admin / g0adm1n, i.e. {{ iiab_admin_user }} with password +# {{ iiab_admin_published_pwd }}, regardless whether the password is set: +# +# (1) by the OS installer +# (2) by the OS's graphical desktop tools +# (3) at the command-line: sudo passwd iiab-admin +# (4) by IIAB's 1-line installer: http://download.iiab.io +# (5) by this role: roles/iiab-admin/tasks/admin-user.yml +# (6) by IIAB's Admin Console during installation +# ...and/or... +# (7) by IIAB's Admin Console > Utilities > Change Password -- name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default - template: - src: sshpwd-profile-iiab.sh - dest: /etc/profile.d/ - mode: '0644' - -- name: Is this LXDE-pi? - stat: - path: /etc/xdg/lxsession/LXDE-pi - register: lx - -- name: "Likewise for Raspbian, installing: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh" - template: - src: sshpwd-lxde-iiab.sh - dest: /etc/xdg/lxsession/LXDE-pi/ - mode: '0755' - when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu - -# 2019-03-07: This popup (/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh) does -# not actually appear when triggered by /etc/xdg/autostart/pprompt-iiab.desktop -# (or pprompt.desktop as Raspbian has working since 2018-11-13!) Too bad as it -# would be really nice to standardize this popup across Ubermix & all distros.. -# Is this a permissions/security issue presumably? 
Official autostart spec is: -# https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html -# Raspbian's 2016-2018 evolution here: https://github.com/iiab/iiab/issues/1537 - -- name: Put line in /etc/xdg/lxsession/LXDE-pi/autostart to run the above (raspbian) - lineinfile: - path: /etc/xdg/lxsession/LXDE-pi/autostart - line: "@/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh" - when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu +- name: Install password warning(s) + include_tasks: pwd-warnings.yml # RECORD iiab-admin AS INSTALLED @@ -62,3 +51,7 @@ value: '"Admin User"' - option: iiab_admin_user value: "{{ iiab_admin_user }}" + - option: iiab_admin_user_install + value: "{{ iiab_admin_user_install }}" + - option: iiab_admin_can_sudo + value: "{{ iiab_admin_can_sudo }}" diff --git a/roles/iiab-admin/tasks/pwd-warnings.yml b/roles/iiab-admin/tasks/pwd-warnings.yml new file mode 100644 index 000000000..fba510883 --- /dev/null +++ b/roles/iiab-admin/tasks/pwd-warnings.yml 
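Review bot: `sudo-prereqs.yml` is now included unconditionally while only `admin-user.yml` is gated by `when: iiab_admin_user_install | bool`, so, as far as this hunk shows, an operator who sets `iiab_admin_user_install: False` to keep "account and sudo configuration" manual (the README's wording) still gets `/etc/sudoers` edited by this role. If that is intended, say so in the include's name, e.g. `- name: Install sudo & /etc/sudoers logging (runs regardless of iiab_admin_user_install)`; if not, add the same `when:` to that include. The seven-point "Idea:" comment block describes design intent rather than what the four includes do; it would read better in README.rst with a one-line pointer left here.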
@@ -0,0 +1,31 @@
+- name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default
+ template:
+ src: sshpwd-profile-iiab.sh
+ dest: /etc/profile.d/
+ mode: '0644'
+
+- name: Is this LXDE-pi?
+ stat:
+ path: /etc/xdg/lxsession/LXDE-pi
+ register: lx
+
+- name: "Likewise for Raspbian, installing: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
+ template:
+ src: sshpwd-lxde-iiab.sh
+ dest: /etc/xdg/lxsession/LXDE-pi/
+ mode: '0755'
+ when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
+
+# 2019-03-07: This popup (/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh) does
+# not actually appear when triggered by /etc/xdg/autostart/pprompt-iiab.desktop
+# (or pprompt.desktop as Raspbian has working since 2018-11-13!) Too bad as it
+# would be really nice to standardize this popup across Ubermix & all distros..
+# Is this a permissions/security issue presumably? Official autostart spec is:
+# https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html
+# Raspbian's 2016-2018 evolution here: https://github.com/iiab/iiab/issues/1537
+
+- name: Put line in /etc/xdg/lxsession/LXDE-pi/autostart to run the above (raspbian)
+ lineinfile:
+ path: /etc/xdg/lxsession/LXDE-pi/autostart
+ line: "@/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
+ when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
diff --git a/roles/iiab-admin/tasks/sudo-prereqs.yml b/roles/iiab-admin/tasks/sudo-prereqs.yml
new file mode 100644
index 000000000..66c790d0a
--- /dev/null
+++ b/roles/iiab-admin/tasks/sudo-prereqs.yml
@@ -0,0 +1,27 @@ +# roles/2-common/tasks/packages.yml also installed sudo, but that's too late +- name: 'Install package: sudo' + package: + name: sudo + +- name: Temporarily make file /etc/sudoers editable (0640) + file: + path: /etc/sudoers + mode: 0640 + +- name: '/etc/sudoers: Have sudo log all commands to /var/log/sudo.log -- in addition to the lengthier /var/log/auth.log' + lineinfile: + path: /etc/sudoers + regexp: logfile + line: "Defaults logfile = /var/log/sudo.log" + +# Not nec (heavyhanded removal of customizations+comments) given sudo defaults. +#- name: Remove all lines that contain 'requiretty' +# lineinfile: +# path: /etc/sudoers +# regexp: requiretty +# state: absent + +- name: End editing file /etc/sudoers -- protect it again (0440) + file: + path: /etc/sudoers + mode: 0440 diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh index b1fd88644..972ee3d88 100755 --- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh @@ -3,6 +3,9 @@ # SEE ALSO: /etc/profile.d/sshpwd-profile-iiab.sh sourced from... # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh +# CAUTION: popup warnings still don't appear on most OS's, as mentioned here: +# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/pwd-warnings.yml#L19-L25 + # For Localization/Translation: (use /usr/bin/gettext below if later nec!) #export TEXTDOMAIN=pprompt-iiab #. gettext.sh diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh index d805700c6..259da8139 100755 --- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh 
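Review bot: The `lineinfile` that edits `/etc/sudoers` has no `validate:`, so a malformed line would be written straight into the live file and sudo would then refuse every command on the box; add `validate: '/usr/sbin/visudo -cf %s'` to that task. With validation in place the two `file: mode:` tasks around it are unnecessary and are themselves a hazard: `lineinfile` already writes through a temporary file and preserves the destination's mode, and if the play aborts between the 0640 and the 0440 task, sudoers is left at 0640, a mode sudo refuses to accept. `regexp: logfile` also matches any line containing that substring (including a commented-out `#Defaults logfile`), so anchor it as `regexp: '^\s*Defaults\s+logfile'`; a drop-in under `/etc/sudoers.d/` would avoid touching the distro-managed file at all.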
@@ -44,8 +44,6 @@ check_user_pwd() { # HISTORICAL: if password-free sudo access is truly nec, it can be set with # "iiab-admin ALL=(ALL) NOPASSWD: ALL" in /etc/sudoers as seen in the older: # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml -# CAUTION: popup warnings still don't appear on most OS's, as mentioned here: -# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L24-L30 if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then # iiab-admin g0adm1n echo diff --git a/roles/nginx/tasks/install.yml b/roles/nginx/tasks/install.yml index 45a7b2402..cf6ed066e 100644 --- a/roles/nginx/tasks/install.yml +++ b/roles/nginx/tasks/install.yml @@ -16,10 +16,11 @@ - php-fpm - libnginx-mod-http-subs-filter -- name: Add user '{{ apache_user }}' to shadow group, so it can authenticate Admin Console - user: - name: "{{ apache_user }}" # www-data or apache, per /opt/iiab/iiab/vars/<OS>.yml - groups: shadow +# 2020-10-16: Removed per #2560 +#- name: Add user '{{ apache_user }}' to shadow group, so it can authenticate Admin Console +# user: +# name: "{{ apache_user }}" # www-data or apache, per /opt/iiab/iiab/vars/<OS>.yml +# groups: shadow - name: Remove NGINX default config /etc/nginx/sites-enabled/default file: diff --git a/vars/default_vars.yml b/vars/default_vars.yml index 6b95707a6..45f602dab 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml 
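Review bot: Commenting out the "Add user to shadow group" task stops granting the membership on fresh installs but does nothing for boxes already provisioned, where `{{ apache_user }}` keeps read access to `/etc/shadow` (the password hashes) across every re-run of this role; add a revocation task such as `- name: "Remove user '{{ apache_user }}' from shadow group, no longer needed per #2560"` / `command: "gpasswd -d {{ apache_user | quote }} shadow"` / `failed_when: False`, mirroring the `gpasswd -d` pattern admin-user.yml already uses for the sudo group. This assumes #2560 moved Admin Console authentication off direct `/etc/shadow` reads, as the `# 2020-10-16: Removed per #2560` comment implies; if some code path still needs it, the revocation would break that path rather than harden it.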
@@ -58,9 +58,10 @@ language_priority: en es fr iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc. # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- # configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml -iiab_admin_user_install: True +iiab_admin_user_install: True # If False, THE SETTING BELOW WILL BE IGNORED. iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. iiab_admin_published_pwd: g0adm1n # Default password. For pwd warnings too. +admin_console_group: iiab-admin # This group & sudo log in to Admin Console. # DEPRECATED - Password hash to override above, if Ansible creates above user: iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop. diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml index a26694108..bb8b42784 100644 --- a/vars/local_vars_big.yml +++ b/vars/local_vars_big.yml 
@@ -30,16 +30,9 @@ language_priority: en es fr iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc. # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- # configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml -iiab_admin_user_install: True +iiab_admin_user_install: True # If False, THE SETTING BELOW WILL BE IGNORED. iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. -# DEPRECATED - Password hash to override above, if Ansible creates above user: -iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop. -# Obtain a password hash - NEW MORE SECURE WAY: -# python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))' -# Obtain a password hash - OLD WAY: -# python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")' - # Set these to False if you do not want to install/enable IIAB Admin Console admin_console_install: True admin_console_enabled: True diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index 8f22e1fc8..ea9188753 100644 --- a/vars/local_vars_medium.yml +++ b/vars/local_vars_medium.yml 
@@ -30,16 +30,9 @@ language_priority: en es fr iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc. # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- # configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml -iiab_admin_user_install: True +iiab_admin_user_install: True # If False, THE SETTING BELOW WILL BE IGNORED. iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. -# DEPRECATED - Password hash to override above, if Ansible creates above user: -iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop. -# Obtain a password hash - NEW MORE SECURE WAY: -# python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))' -# Obtain a password hash - OLD WAY: -# python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")' - # Set these to False if you do not want to install/enable IIAB Admin Console admin_console_install: True admin_console_enabled: True diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml index 75627d203..e2d02246e 100644 --- a/vars/local_vars_min.yml +++ b/vars/local_vars_min.yml 
@@ -30,16 +30,9 @@ language_priority: en es fr iiab_admin_user: iiab-admin # Some prefer to reuse 'pi' or 'ubuntu' etc. # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto- # configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml -iiab_admin_user_install: True +iiab_admin_user_install: True # If False, THE SETTING BELOW WILL BE IGNORED. iiab_admin_can_sudo: True # For /usr/bin/iiab-* support commands. Optional. -# DEPRECATED - Password hash to override above, if Ansible creates above user: -iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop. -# Obtain a password hash - NEW MORE SECURE WAY: -# python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))' -# Obtain a password hash - OLD WAY: -# python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")' - # Set these to False if you do not want to install/enable IIAB Admin Console admin_console_install: True admin_console_enabled: True From 5039b42942ceb70c51e673041ba71a231dd22a7b Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Fri, 16 Oct 2020 14:04:03 -0400 Subject: [PATCH 23/27] Update default_vars.yml --- vars/default_vars.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/default_vars.yml b/vars/default_vars.yml index 45f602dab..44b7e0a33 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml 
@@ -64,7 +64,7 @@ iiab_admin_published_pwd: g0adm1n # Default password. For pwd warnings too. admin_console_group: iiab-admin # This group & sudo log in to Admin Console. # DEPRECATED - Password hash to override above, if Ansible creates above user: -iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop. +# iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop. # Obtain a password hash - NEW MORE SECURE WAY: # python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))' # Obtain a password hash - OLD WAY: From 77ab2ffd310085d68767077e5700f6b8b2b474e8 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Fri, 16 Oct 2020 14:08:50 -0400 Subject: [PATCH 24/27] Update main.yml --- roles/iiab-admin/tasks/main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/iiab-admin/tasks/main.yml b/roles/iiab-admin/tasks/main.yml index 0e2b40ab5..161ec7019 100644 --- a/roles/iiab-admin/tasks/main.yml +++ b/roles/iiab-admin/tasks/main.yml @@ -1,10 +1,14 @@ +# Summary of how this works with IIAB's Admin Console etc: +# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/README.rst + + - name: Install lynx, screen include_tasks: access.yml - name: Install sudo & /etc/sudoers with logging to /var/log/sudo.log include_tasks: sudo-prereqs.yml -- name: Configure user iiab-admin / password and its groups, if iiab_admin_user_install +- name: Configure user iiab-admin / password and its group(s), if iiab_admin_user_install include_tasks: admin-user.yml when: iiab_admin_user_install | bool From 03a83ffa94b0483354806954e7cd172b48351152 Mon Sep 17 00:00:00 2001 
From: A Holt <holta@users.noreply.github.com> Date: Fri, 16 Oct 2020 14:26:13 -0400 Subject: [PATCH 25/27] Update iiab-admin/tasks/main.yml --- roles/iiab-admin/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/iiab-admin/tasks/main.yml b/roles/iiab-admin/tasks/main.yml index 161ec7019..ce4451003 100644 --- a/roles/iiab-admin/tasks/main.yml +++ b/roles/iiab-admin/tasks/main.yml @@ -10,7 +10,7 @@ - name: Configure user iiab-admin / password and its group(s), if iiab_admin_user_install include_tasks: admin-user.yml - when: iiab_admin_user_install | bool + when: iiab_admin_user_install # Idea: institute precautionary system-wide published password warning(s) # for user iiab-admin / g0adm1n, i.e. {{ iiab_admin_user }} with password From 387f2d8dec88900b004524bac7feeb835d50ad54 Mon Sep 17 00:00:00 2001 From: root <holta@users.noreply.github.com> Date: Fri, 16 Oct 2020 19:55:37 -0400 Subject: [PATCH 26/27] Strings w/o quotes where poss e.g. default_vars, local_vars RE: host_ssid, samba, pbx, transmission --- roles/pbx/defaults/main.yml | 6 +++--- roles/transmission/defaults/main.yml | 2 +- vars/default_vars.yml | 20 ++++++++++---------- vars/local_vars_big.yml | 4 ++-- vars/local_vars_medium.yml | 4 ++-- vars/local_vars_min.yml | 4 ++-- 6 files changed, 20 insertions(+), 20 deletions(-) diff --git a/roles/pbx/defaults/main.yml b/roles/pbx/defaults/main.yml index 5aab6f0f6..200e9384f 100644 --- a/roles/pbx/defaults/main.yml +++ b/roles/pbx/defaults/main.yml @@ -6,9 +6,9 @@ # asterisk_chan_dongle: False -# pbx_signaling_ports_chan_sip: "5160:5161" -# pbx_signaling_ports_chan_pjsip: "5060" -# pbx_data_ports: "10000:20000" +# pbx_signaling_ports_chan_sip: 5160:5161 +# pbx_signaling_ports_chan_pjsip: 5060 +# pbx_data_ports: 10000:20000 # pbx_http_port: 83 # # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml 
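Review bot: Dropping `| bool` from `when: iiab_admin_user_install` makes the condition depend on the variable already being a real boolean; a value supplied as a string (for example `-e iiab_admin_user_install=False` on the command line, which Ansible passes through as a string) is non-empty and would evaluate truthy, so admin-user.yml would still run although the operator asked it not to. The shipped vars files set `iiab_admin_user_install: True` as a bare YAML boolean, so the default path is unaffected, but the override path is exactly the one this flag exists for. I would keep `when: iiab_admin_user_install | bool`, which is also the form the earlier patch in this series used.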
diff --git a/roles/transmission/defaults/main.yml b/roles/transmission/defaults/main.yml index 91a2ff0b4..023fbc224 100644 --- a/roles/transmission/defaults/main.yml +++ b/roles/transmission/defaults/main.yml @@ -11,7 +11,7 @@ # Monitor downloads at http://box:9091 or http://box:9091/transmission using Admin/changeme # transmission_http_port: 9091 -# transmission_url : "/transmission/" +# transmission_url: /transmission/ # transmission_peer_port: 51413 # Provision Transmission with torrent(s) from http://pantry.learningequality.org/downloads/ka-lite/0.17/content/ diff --git a/vars/default_vars.yml b/vars/default_vars.yml index 44b7e0a33..a66ccb256 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml @@ -33,7 +33,7 @@ yum_packages_dir: "{{ iiab_base }}/yum-packages" downloads_dir: "{{ iiab_base }}/downloads" iiab_download_url: http://download.iiab.io/packages -content_base: "/library" +content_base: /library doc_base: "{{ content_base }}/www" doc_root: "{{ doc_base }}/html" @@ -112,7 +112,7 @@ iiab_home_url: /home # # Raspberry Pi OS requires WiFi country -- SET THIS IN /etc/iiab/local_vars.yml host_country_code: US -host_ssid: "Internet in a Box" +host_ssid: Internet in a Box host_wifi_mode: g host_channel: 6 hostapd_secure: False @@ -307,8 +307,8 @@ cups_port: 631 # Samba. Do a security audit seriously before deploying this. samba_install: False samba_enabled: False -samba_udp_ports: "137:138" -samba_tcp_mports: "139,445" +samba_udp_ports: 137:138 +samba_tcp_mports: 139,445 shared_dir : "{{ content_base }}/public" # /library/public # USB_LIB 
@@ -424,9 +424,9 @@ nextcloud_enabled: False pbx_install: False pbx_enabled: False asterisk_chan_dongle: False -pbx_signaling_ports_chan_sip: "5160:5161" -pbx_signaling_ports_chan_pjsip: "5060" -pbx_data_ports: "10000:20000" +pbx_signaling_ports_chan_sip: 5160:5161 +pbx_signaling_ports_chan_pjsip: 5060 +pbx_data_ports: 10000:20000 pbx_http_port: 83 # If using WordPress intensively, set nginx_high_php_limits further above. @@ -511,7 +511,7 @@ transmission_group: root # Monitor downloads at http://box:9091 or http://box:9091/transmission using Admin/changeme transmission_http_port: 9091 -transmission_url : "/transmission/" +transmission_url : /transmission/ transmission_peer_port: 51413 # Provision Transmission with torrent(s) from http://pantry.learningequality.org/downloads/ka-lite/0.17/content/ @@ -659,8 +659,8 @@ calibreweb_home: "{{ content_base }}/calibre-web" # /library/calibre-web # xovis_db_name: xovis # xovis_db_user: admin # xovis_db_password: admin -# xovis_root: "/opt/xovis" -# xovis_backup_dir: "/library/users" +# xovis_root: /opt/xovis +# xovis_backup_dir: /library/users # xovis_chart_heading: "My School: Usage Data Visualization" # Unmaintained diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml index bb8b42784..9ad8bf016 100644 --- a/vars/local_vars_big.yml +++ b/vars/local_vars_big.yml @@ -60,7 +60,7 @@ iiab_home_url: /home # # Raspberry Pi OS requires Wi-Fi country since March 2018. Please set it here: host_country_code: US -host_ssid: "Internet in a Box" +host_ssid: Internet in a Box host_wifi_mode: g host_channel: 6 hostapd_secure: False @@ -148,7 +148,7 @@ sshd_enabled: True openvpn_install: True openvpn_enabled: False # Set /etc/iiab/openvpn_handle in advance here: -openvpn_handle: "BIG-sized - Put Your Name Here" +openvpn_handle: BIG-sized - Put Your Name Here # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4. # Please see recommendations at: https://itsfoss.com/swap-size/ 
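Review bot: Unquoting `samba_udp_ports: 137:138`, `pbx_signaling_ports_chan_sip: 5160:5161` and `pbx_data_ports: 10000:20000` relies on PyYAML's YAML 1.1 implicit typing happening to reject these particular values as sexagesimal integers (the part after the colon is outside 0-59); a range such as `137:38` would silently load as the integer 8258 and, since these presumably feed port-filter rules, would likely yield a wrong or rejected rule. `pbx_signaling_ports_chan_pjsip: 5060` now loads as an int rather than a string, which is harmless where it is only interpolated into a template but changes the type any consumer sees. I would keep the quotes on the colon- and comma-containing port values (`samba_udp_ports: "137:138"`, `samba_tcp_mports: "139,445"`) even though the plain form parses correctly today, or at least add a comment warning that the second component must stay above 59.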
diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index ea9188753..878c98733 100644 --- a/vars/local_vars_medium.yml +++ b/vars/local_vars_medium.yml @@ -60,7 +60,7 @@ iiab_home_url: /home # # Raspberry Pi OS requires Wi-Fi country since March 2018. Please set it here: host_country_code: US -host_ssid: "Internet in a Box" +host_ssid: Internet in a Box host_wifi_mode: g host_channel: 6 hostapd_secure: False @@ -148,7 +148,7 @@ sshd_enabled: True openvpn_install: True openvpn_enabled: False # Set /etc/iiab/openvpn_handle in advance here: -openvpn_handle: "MEDIUM-sized - Put Your Name Here" +openvpn_handle: MEDIUM-sized - Put Your Name Here # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4. # Please see recommendations at: https://itsfoss.com/swap-size/ diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml index e2d02246e..8a26cc1a2 100644 --- a/vars/local_vars_min.yml +++ b/vars/local_vars_min.yml @@ -60,7 +60,7 @@ iiab_home_url: /home # # Raspberry Pi OS requires Wi-Fi country since March 2018. Please set it here: host_country_code: US -host_ssid: "Internet in a Box" +host_ssid: Internet in a Box host_wifi_mode: g host_channel: 6 hostapd_secure: False @@ -148,7 +148,7 @@ sshd_enabled: True openvpn_install: True openvpn_enabled: False # Set /etc/iiab/openvpn_handle in advance here: -openvpn_handle: "MIN-sized - Put Your Name Here" +openvpn_handle: MIN-sized - Put Your Name Here # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4. # Please see recommendations at: https://itsfoss.com/swap-size/ From 2631c8be2147e01ece075b93b8c432d8e2d2104f Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Fri, 16 Oct 2020 20:32:08 -0400 Subject: [PATCH 27/27] Update iiab-admin/README.rst --- roles/iiab-admin/README.rst | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
diff --git a/roles/iiab-admin/README.rst b/roles/iiab-admin/README.rst index c905af11f..e41278633 100644 --- a/roles/iiab-admin/README.rst +++ b/roles/iiab-admin/README.rst 
@@ -26,18 +26,18 @@ Configure user 'iiab-admin' * *Do change the default password if you haven't yet, by running:* **sudo passwd iiab-admin** * After IIAB is installed, you can also change the password by logging into Admin Console (http://box.lan/admin) > Utilities > Change Password. * If you prefer to use a pre-existing user like ``pi`` or ``ubuntu`` (or any other username) customize the variable ``iiab_admin_user`` in your `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ (preferably do this prior to installing IIAB!) - * You can set ``iiab_admin_can_sudo: False`` if you want a strict security lockdown (if you're really sure you won't need IIAB community support commands like `/usr/bin/iiab-diagnostics <https://github.com/iiab/iiab/blob/master/scripts/iiab-diagnostics.README.md>`_, `/usr/bin/iiab-hotspot-on <https://github.com/iiab/iiab/blob/master/roles/network/templates/network/iiab-hotspot-on>`_, `iiab-check-firmware <https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware>`_, etc!) + * You can set ``iiab_admin_can_sudo: False`` if you want a strict security lockdown (if you're really sure you won't need IIAB community support commands like `/usr/bin/iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_, `/usr/bin/iiab-hotspot-on <../network/templates/network/iiab-hotspot-on>`_, `iiab-check-firmware <../firmware/templates/iiab-check-firmware>`_, etc!) * You can also set ``iiab_admin_user_install: False`` if you're sure you know how to do all this `account and sudo configuration <tasks/admin-user.yml>`_ manually. Security -------- * A user MUST be a member of at least one of these 2 Linux groups, in order to log in to IIAB's Admin Console: (http://box.lan/admin) - #. 
``iiab-admin`` (specified by ``admin_console_group`` near the bottom of `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_) + #. ``iiab-admin`` (specified by ``admin_console_group`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_ and `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_) #. ``sudo`` * Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md -* If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml>`_ to faciliate remote community support. Feel free to remove this as mentioned here: http://wiki.laptop.org/go/IIAB/Security -* Auto-checking for the default/published password (as specified by ``iiab_admin_published_pwd`` in `/opt/iiab/iiab/vars/default_vars.yml <https://github.com/iiab/iiab/blob/master/vars/default_vars.yml>`_) is implemented in `/etc/profile.d <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh>`_ when it exists, i.e. on Raspberry Pi OS with desktop). +* If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <../openvpn/tasks/install.yml>`_ to faciliate remote community support. 
Feel free to remove this as mentioned here: http://wiki.laptop.org/go/IIAB/Security +* Auto-checking for the default/published password (as specified by ``iiab_admin_published_pwd`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_) is implemented in `/etc/profile.d <templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <templates/sshpwd-lxde-iiab.sh>`_ when it exists, i.e. on Raspberry Pi OS with desktop). Example ======= 
@@ -53,19 +53,19 @@ Historical Notes * We no longer support setting your password using a hash e.g. ``python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'`` (or the Python 3 equivalent, ``python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'``) as these are very cumbersome — and worse, exposing your "salt" opens up your password to `possible attack <https://stackoverflow.com/questions/6776050/how-long-to-brute-force-a-salted-sha-512-hash-salt-provided>`_. [October 2020] * The sudo flag ``NOPASSWORD:`` and the ``wheel`` group are similarly no longer recommended, so that your IIAB faces fewer security risks. [October 2020] -Tools to facilitate Remote Support ----------------------------------- +Remote Support Tools +-------------------- -The iiab-diagnostics and OpenVPN options mentioned can greatly help you help your community, typically during the implementation phase of your project, even if Linux is new to you. +The `iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_ and `OpenVPN <https://en.wikipedia.org/wiki/OpenVPN>`_ options mentioned above can greatly help you empower your community, typically during the implementation phase of your project, even if Linux is new to you. -Similarly, `/opt/iiab/iiab/roles/iiab-admin/tasks/access.yml <tasks/access.yml>`_ adds a couple text mode tools, very helpful at a distance with expensive / low-bandwidth connections: +Similarly, `access.yml <tasks/access.yml>`_ adds a couple text mode tools — extremely helpful over expensive / low-bandwidth connections: * `lynx <https://en.wikipedia.org/wiki/Lynx_(web_browser)>`_ * `screen <https://linuxize.com/post/how-to-use-linux-screen/>`_ -*More great tools to help you jumpstart community work at a distance:* +*More great tools to help you jumpstart community action at a distance:* -http://FAQ.IIAB.IO > "How can I remotely manage my Internet-in-a-Box?" 
+* http://FAQ.IIAB.IO > "How can I remotely manage my Internet-in-a-Box?" Admin Console -------------