| Author: | Francesco Poli |
|---|---|
| Contact: | invernomuto@paranoici.org |
| Version: | 0.1 |
| Copyright: | Expat license |
| Notice: | Copyright (c) 2007-2026 Francesco Poli Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
| About this document | |
|---|---|
| Web form | HyperText Markup Language |
| Source form | reStructuredText |
| Web stylesheet | Cascading StyleSheets |
| Build directives | Makefile |
In another document (HTML, reST) you saw how to install a Debian testing base system on a box intended to be used as workstation/desktop.
A number of things should be tweaked first on the freshly installed system.
Modify the APT repository configuration in order to set up a system that will continue to track the Debian testing branch, even after one particular version has been released as stable. To this aim, edit the repository list:
# vi /etc/apt/sources.list
until it looks like:
$ cat /etc/apt/sources.list
deb http://deb.debian.org/debian testing main non-free-firmware
deb http://deb.debian.org/debian-security testing-security main non-free-firmware
Then install a package manager front-end:
# apt update && apt install --no-install-recommends aptitude
and execute the first package update:
# aptitude update && aptitude --purge-unused safe-upgrade
Some packages will be upgraded, if you answer "Y" when asked for confirmation. These commands can be used from now on, in order to keep the system up-to-date.
Make sure the following packages are installed:
# aptitude install console-setup kbd
If they were already there, you can mark them as manually installed:
# aptitude unmarkauto console-setup kbd
Then configure the console:
# dpkg-reconfigure console-setup
You'll be asked to select the encoding to use on the console: choose "UTF-8". Then choose "Guess optimal character set" as character set to support, "Terminus" as font for the console, and "16x32 (framebuffer only)" as font size.
Finally, configure the keyboard:
# dpkg-reconfigure keyboard-configuration
Choose "Generic 104-key PC" as keyboard model, "English (US) - English (US, euro on 5)" as keyboard layout, "The default for the keyboard layout" as AltGr key, and "Menu key" as compose key; answer "No", if asked whether Control+Alt+Backspace should terminate the X server.
If you want to make these settings immediately active (without having to reboot the system), you can issue the following command on the console:
# setupcon
Since there's only one operating system on the box, you do not want the GRUB update process to search for other ones in dual-boot. As a consequence, remove the following package:
# aptitude --purge-unused purge os-prober
and then issue the following command:
# update-grub
It is also advisable to mark the following package as if it had been manually installed, in order to prevent its automatic removal in the future:
# aptitude unmarkauto efibootmgr
Install a useful extension for the default shell (GNU Bash):
# aptitude install bash-completion
Install the following package to allow regular users to mount USB mass storage devices (e.g.: USB disks, USB sticks, ...):
# aptitude install pmount
Install a package that sets some sensible defaults, if it is not already installed:
# aptitude install linux-sysctl-defaults
If it is already installed, mark it as manually installed:
# aptitude unmarkauto linux-sysctl-defaults
The pager less should be already installed (and not marked as automatically installed):
# aptitude search '~i ^less$'
i   less    - pager program similar to more
Install the tools for reading man pages:
# aptitude install man-db manpages
Install a less minimalist VIM variant:
# aptitude install vim vim-addon-manager
Obviously, you want VIM to be the system-wide default text editor! Consequently, issue the following command:
# update-alternatives --config editor
There are 3 choices for the alternative editor (providing /usr/bin/editor).

  Selection    Path                 Priority   Status
------------------------------------------------------------
* 0            /bin/nano             40        auto mode
  1            /bin/nano             40        manual mode
  2            /usr/bin/vim.basic    30        manual mode
  3            /usr/bin/vim.tiny     15        manual mode

Press enter to keep the current choice[*], or type selection number:
and enter "2" to select /usr/bin/vim.basic as default editor. Please note that, in case a regular user needed a different default editor, he/she can always add the following two lines to his/her own ~/.bashrc:
export EDITOR=preferrededitor
alias editor=$EDITOR
where preferrededitor should be substituted with his/her editor of choice.
Install some extra utilities:
# aptitude install util-linux-extra
Set the time and date with:
# date --set='2024-10-27 16:25'
# hwclock --systohc
The default DHCP client is:
# aptitude search '~i dhcp'
i   dhcpcd-base    - DHCPv4 and DHCPv6 dual-stack client (binar
You can check that it is configured to inform the DHCP server of the hostname of the box:
# grep -B 1 ^hostname /etc/dhcpcd.conf
# Inform the DHCP server of our hostname for DDNS.
hostname
Which daemons are currently listening on network ports? If you want to know, you first have to install the following package:
# aptitude install net-tools
and then you may issue the following command:
# netstat -taup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address            Foreign Address          State       PID/Program name
udp        0      0 $HOSTNAME:bootpc         0.0.0.0:*                            1034/dhcpcd: [BOOTP
udp6       0      0 fe80::...:dhcpv6-client  [::]:*                               1012/dhcpcd: [DHCP6
Only the previously mentioned DHCP client is listening, as can be verified:
# dpkg -S $(command -v dhcpcd)
dhcpcd-base: /usr/sbin/dhcpcd
First of all, system-wide settings. Check that this is the default for new users:
$ grep [^_]DIR_MODE /etc/adduser.conf
# Default: DIR_MODE=0700
#DIR_MODE=0700
and also check:
$ grep ^HOME_MODE /etc/login.defs
HOME_MODE 0700
The Debian default umask is 0002, which seems too permissive: let's set it to 0007 (Debian uses private user groups by default and we want to follow this scheme, so group permissions may be as broad as user permissions without any negative consequences). Edit the file ~/.profile of the user created during the installation and change its umask line into:
umask 0007
The same modification must be made for future users (file /etc/skel/.profile). Other files will need similar changes as soon as other shells besides GNU Bash are installed...
On the other hand, for the root user the umask should stay 0022: make sure that there is a line like:
umask 0022
in the file /root/.bashrc.
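To see concretely what the three umask values discussed above (the Debian default 0002, the 0007 chosen for regular users, the 0022 kept for root) do to newly created files and directories, here is an added example script; it is not part of the original document and touches only a scratch directory created with mktemp, never a real home directory or profile.

```shell
#!/bin/sh
# Added example (not from the original document): show the effect of a umask
# on the modes of freshly created files and directories. All work happens in
# a throwaway directory from mktemp, so nothing on the real system changes.

# mode_of PATH: print the permission bits of PATH in octal (GNU stat first,
# BSD stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# create_with_umask MASK: create one file and one directory under a scratch
# directory with the given umask and print their modes as "FILE DIR".
# A file is requested with 0666 and a directory with 0777; the kernel clears
# the bits set in the mask, so umask 0007 yields 0660 and 0770.
create_with_umask() {
    scratch=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$scratch/file"
        mkdir "$scratch/dir"
    )
    printf '%s %s\n' "$(mode_of "$scratch/file")" "$(mode_of "$scratch/dir")"
    rm -rf "$scratch"
}

# Demonstration: the Debian default, the value chosen for regular users with
# private user groups, and the value kept for root.
for mask in 0002 0007 0022; do
    printf 'umask %s -> file/dir modes: %s\n' "$mask" "$(create_with_umask "$mask")"
done
```

With 0007 the group keeps the same access as the owner, which is harmless under Debian's private user groups (each user is the only member of his/her primary group), while "other" gets nothing at all; with 0022 everything is world-readable, which is the traditional expectation for files root creates under /etc or /usr.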
Now, prevent undesired visits into root's home directory:
# chmod 0700 /root
and into the previously created user's home directory:
$ chmod 0700 ~
although these home directories should already have these permissions...
Finally, a nice privacy-increasing trick should be already implemented for regular users:
$ cat /etc/skel/.bash_logout
# ~/.bash_logout: executed by bash(1) when login shell exits.
# when leaving the console clear the screen to increase privacy
if [ "$SHLVL" = 1 ]; then
[ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q
fi
Let's extend it to root as well:
# cp -i /etc/skel/.bash_logout /root
First of all install the OpenSSH client:
# aptitude install openssh-client
Then, you can generate a pair of SSH keys for your regular user:
$ ssh-keygen
You'll be asked where the key should be saved: you can safely accept the default location (which is ~/.ssh/id_ed25519). You'll have to choose a passphrase: think of a very good one (among other things, it should be different from any password you use) and type it twice, as requested.
Now, in order to remotely access a machine which has an SSH server up and running, you can use password-based authentication:
$ ssh remote.box.example
After entering the password for your account at remote.box.example, you'll be granted network access to the system [1].
However, for security reasons, remote.box.example administrators could have disabled password-based SSH authentication and only accept public-key-based authentication. If this is the case, you need to transfer a copy of your public key to remote.box.example and append it to the list of authorized keys for your user. Hence, copy ~/.ssh/id_ed25519.pub to a USB stick (or use any other media or channel that can deliver your public key to the remote machine). Once your public key is copied to remote.box.example, you have to modify your ~/.ssh/authorized_keys file on the remote machine: first of all, if you have no ~/.ssh directory, create it and set appropriate permissions:
$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
then create the ~/.ssh/authorized_keys file, if necessary:
$ touch ~/.ssh/authorized_keys
and append your public key to it:
$ chmod 600 ~/.ssh/authorized_keys
$ cat id_ed25519.pub >> ~/.ssh/authorized_keys
$ chmod 400 ~/.ssh/authorized_keys
After doing this, you can connect from your workstation to the remote machine by issuing the command:
$ ssh remote.box.example
and entering the passphrase for your private key on the local machine.
You may also enable compression in order to reduce the data transfer times, in case your network link is not too fast: just add the following stanza to your regular user's ~/.ssh/config file:
$ grep -B 1 Compression ~/.ssh/config
Host *
Compression yes
In any case, it is recommended to test data transfers and measure the times with and without compression, in order to check whether you actually gain anything.
A useful configuration enables server alive messages to keep an SSH session alive, even when there's no user activity for a while:
$ grep -B 2 Alive ~/.ssh/config
Host *
Compression yes
ServerAliveInterval 300
ServerAliveCountMax 30
| [1] | Please note that the first time you connect to remote.box.example you will also be asked to confirm that you are sure about the authenticity of the remote host: in order to be safe, you can check the fingerprint against its known value (the fingerprint can be obtained by running the command ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub on the remote host). |
Install the OpenSSH server:
# aptitude install openssh-server
and immediately stop the daemon until it is properly configured:
# systemctl stop ssh
Now edit /etc/ssh/sshd_config so that it features the following non-comment lines:
# grep -v '^#\|^ *$' /etc/ssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 300
ClientAliveCountMax 150
AcceptEnv LANG LC_* COLORTERM NO_COLOR
Subsystem sftp /usr/lib/openssh/sftp-server
Then, start the daemon:
# systemctl start ssh
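Before starting the daemon it is worth checking that the authentication-related settings above really are in effect, since a later edit (or a drop-in under /etc/ssh/sshd_config.d/, which the Include line at the top pulls in first) can silently override them. The following added script is not part of the original document: it reads a file given as its argument, takes the first occurrence of each keyword as the effective one (which is how sshd resolves duplicates), and compares the security-relevant keywords against the values in the listing above. Match blocks and Include directives are not followed; on a real system, `sshd -T` prints the fully resolved configuration and is the authoritative source.

```shell
#!/bin/sh
# Added example (not from the original document): audit an sshd_config file
# for the settings the listing above relies on. Comments and blank lines are
# skipped; like sshd, the first occurrence of a keyword wins. Both the
# "Key value" and the "Key=value" spellings are understood.

# sshd_effective KEY FILE: print the effective value of KEY (case-insensitive)
# from FILE, or nothing if KEY is not set.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }              # strip leading whitespace
        /^#/ || /^$/ { next }               # comments and blank lines
        { split($0, f, /[ \t=]+/) }         # "Key value" or "Key=value"
        tolower(f[1]) == key { print f[2]; exit }
    ' "$2"
}

# audit_sshd_config FILE: print one "OK"/"BAD" line per checked keyword and
# return 1 if any value differs from what the document's configuration uses.
audit_sshd_config() {
    file=$1
    status=0
    # Expected values, taken from the sshd_config listing in this document.
    for pair in \
        PermitRootLogin=no \
        PasswordAuthentication=no \
        PermitEmptyPasswords=no \
        KbdInteractiveAuthentication=no \
        HostbasedAuthentication=no \
        PubkeyAuthentication=yes \
        StrictModes=yes
    do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_effective "$key" "$file")
        if [ "$got" = "$want" ]; then
            printf 'OK  %s %s\n' "$key" "$got"
        else
            printf 'BAD %s %s (want %s)\n' "$key" "${got:-<unset>}" "$want"
            status=1
        fi
    done
    return $status
}

# Usage on the live file (uncomment on the box being configured):
# audit_sshd_config /etc/ssh/sshd_config
```

A keyword that is simply absent is reported as BAD rather than assumed safe, because the compiled-in default is not always the strict one (PasswordAuthentication, for instance, defaults to yes).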
Now, in order to access your box from a remote machine on your LAN, you have to copy the SSH public key you have in your account on the remote machine to the box and append it to the list of authorized keys for your regular user. Hence, after copying your ~/.ssh/id_ed25519.pub from the remote host to your local box, create your ~/.ssh/authorized_keys file on the local box:
$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
$ touch ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ cat id_ed25519.pub >> ~/.ssh/authorized_keys
$ chmod 400 ~/.ssh/authorized_keys
```
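The same sequence of mkdir, chmod, cat and chmod appears twice in this document (once for the remote machine, once for the local box), and running it a second time with the same key appends a duplicate line. The following added script, which is not part of the original document, wraps the procedure into a function that keeps the permissions the document uses (700 on ~/.ssh, 400 on authorized_keys), refuses input that does not look like an OpenSSH public key, and appends only if the key is not already there. The optional second argument is the home directory to operate on, so the function can be tried against a scratch directory first; the key in the usage comment is a constructed placeholder, not real key material.

```shell
#!/bin/sh
# Added example (not the document's own commands): idempotent installation of
# an OpenSSH public key into ~/.ssh/authorized_keys with the modes used in
# the document. HOME_DIR may be overridden for testing.

# mode_of PATH: permission bits in octal (GNU stat, with BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_authorized_key PUBKEY_FILE [HOME_DIR]
# Appends the first line of PUBKEY_FILE unless a line with the same key type
# and blob is already present, sets the permissions sshd's StrictModes
# expects, and prints how many times the key now appears (1 = exactly once).
install_authorized_key() {
    pubkey_file=$1
    home=${2:-$HOME}
    sshdir=$home/.ssh
    authkeys=$sshdir/authorized_keys

    # A public key line is "TYPE BASE64BLOB [COMMENT]". Accept only OpenSSH
    # key types, so a private key or an unrelated file is never appended.
    key_line=$(head -n 1 "$pubkey_file") || return 1
    case $key_line in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac
    # Compare on type and blob only: the trailing comment may differ between copies.
    key_id=$(printf '%s\n' "$key_line" | cut -d' ' -f1,2)

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -e "$authkeys" ] || : > "$authkeys"
    chmod 600 "$authkeys"                 # writable while we append
    grep -qF -- "$key_id" "$authkeys" || printf '%s\n' "$key_line" >> "$authkeys"
    chmod 400 "$authkeys"                 # read-only again, as in the document
    grep -cF -- "$key_id" "$authkeys"
}

# authorized_keys_modes [HOME_DIR]: print "DIRMODE FILEMODE" for ~/.ssh and
# ~/.ssh/authorized_keys, the two modes StrictModes inspects before trusting
# the file.
authorized_keys_modes() {
    home=${1:-$HOME}
    printf '%s %s\n' "$(mode_of "$home/.ssh")" "$(mode_of "$home/.ssh/authorized_keys")"
}

# Usage on the real account (the key file name follows the document):
# install_authorized_key id_ed25519.pub
# authorized_keys_modes
```

The permission fixing is not cosmetic: with StrictModes yes, as in the server configuration of this document, sshd refuses to use an authorized_keys file if the file, ~/.ssh or the home directory itself is writable by group or others, and the resulting "permission denied" is a common source of confusion after copying keys around.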
Sometimes you need to copy data between different directories (or between network-connected machines). For simple cases, cp (or scp) may suffice. However, more complicated cases may require something more sophisticated; install the following package:
# aptitude install rsync
Now the system is a little more user-friendly: the next step is tuning the system configuration and adding more software packages according to your needs. More details are given in a separate document (HTML, reST).