SSH is a protocol that enables secure connections over unsecured networks. It supports the use of asymmetric encryption for user authentication. Private keys are kept locally, while public keys are stored on the remote machine.
The following configuration disables root logins on the remote machine. Only users belonging to the group ssh-users may establish a connection. Access to the remote machine is tied to the local user’s private key.
In this example, the name of the remote machine is debian-server, which has the address 192.168.1.10 on the network. sid is a user on debian-server, whereas bookworm is a user on the local machine. Choose an encryption passphrase to secure the private key that you will generate in Step 5.
On the remote machine
Step 1
Install the secure shell server with the following command:
$ sudo apt install --yes openssh-server
Step 2
If you are using ufw as a host-based firewall
Configure ufw to allow connections to the secure shell server.
$ sudo ufw limit ssh
If you are using firewalld as a host-based firewall
Configure firewalld to allow connections to the secure shell server.
When prompted to confirm the authenticity of the host debian-server, type yes and press [Enter].
The authenticity of host 'debian-server (192.168.1.10)' can't be established.
ED25519 key fingerprint is SHA256:C9RxLLVbvFwVJc0L4JHzcuHQSaPHJZe/GrRDvqy6rAG.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
In the next step, enter the passphrase for your private key.
Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':
Step 9
On the remote machine, download a file to harden the ssh server. You are encouraged to inspect its contents.
In the next step, enter the passphrase for your private key.
Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':
Display the active configuration for the remote ssh server and verify its settings, paying particular attention to options for maxauthtries, permitrootlogin and passwordauthentication.
The OneDrive Client for Linux connects your Debian or Ubuntu system to Microsoft’s OneDrive Personal, OneDrive for Business, OneDrive for Office365, Sharepoint and other such deployments.
Step 1
Install the OneDrive Client from the Debian or Ubuntu repository.
Begin to connect the client to your OneDrive account.
$ onedrive --synchronize
You will be presented with a message similar to the following:
Configuring Global Azure AD endpoints
Authorize this app visiting:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id&scope=Files.ReadWrite%20Files.ReadWrite.all%20Sites.Read.All%Sites.ReadWrite.All%20offline_accessresponse_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
Enter the response uri:
In the above dialog, copy or [Ctrl + Click] the URI beginning with https://login.microsoftonline.com/.
In a web browser
Use the URI from the previous step to sign into your Microsoft account. You will be redirected to a response URI displaying a blank page. Copy the response URI from the address field of your browser.
In the terminal
Paste the response URI into the terminal. On successful authentication, the OneDrive Client will connect to your Microsoft account and begin to download your data.
Initializing the Synchronization Engine …
Syncing changes from OneDrive …
Creating local directory:
Downloading file … done.
Uploading differences of ~/OneDrive
Uploading new items of ~/OneDrive
Step 3
After downloading your data to ~/OneDrive, validate the configuration of the client.
Currently available Espanso packages fail to install on Debian 12 because of unmet dependencies. Given that I depend on Espanso to expand text shortcuts and insert special characters, I was stuck on Debian 11. Until now!
The following instructions have also been tested with Debian 11.
After completing the installation, Espanso 2.2.0 for Wayland will be installed on your system and enabled for the current user.
If you want to receive status updates from your Debian or Ubuntu system in your inbox, you need to employ the help of a mail tansfer agent (MTA). nullmailer is a relay-only forwarding MTA that can be used as an alternative to more complex MTAs such as Exim, Sendmail or Postfix. Instructions for setting up Exim are available for comparison.
nullmailer can be configured to use Fastmail as a smarthost and hence ensure the deliverability of your messages. In principle, these instructions should also be applicable to service providers other than Fastmail.
In the following example configuration, debian is the hostname, bookworm the local username and linus.torvalds@fastmail.com the Fastmail username.
The usefulness of this project cannot be overstated.
Running the Syncthing stable channel
Syncthing is included in the Debian and Ubuntu repositories, respectively. These instructions are targeting the latest release of the Syncthing stable channel. It is therefore necessary to add the Syncthing repository to your list of APT sources.
In the following example, bookworm is the local username.
Step 1
Add the Syncthing release key for validation of packages downloaded from the Syncthing repository.
Cockpit is a web-based management tool for Linux systems. It aims to simplify management tasks while maintaining compatibility with other administration tools.
Step 1
Cockpit requires the use of the firewalld service to be able to make changes to your firewall rules.
If you are using ufw as a host-based firewall
Remove ufw before replacing it with firewalld.
$ sudo apt-get remove --purge --yes ufw
Install firewalld as a host-based firewall
Install firewalld and maintain ssh access as well as enabling cockpit to receive incoming connections.
By default, the Cockpit web console listens on port 9090 for connections. If you want to make changes from the default, use the following command to edit /etc/systemd/system/cockpit.socket.d/override.conf.
$ sudo systemctl edit cockpit.socket
The example below changes the web console port from 9090 to 9091 and restricts access to the localhost.
### Editing /etc/systemd/system/cockpit.socket.d/override.conf
### Anything between here and the comment below will become the new contents of the file
[Socket]
ListenStream=
ListenStream=127.0.0.1:9091
### Lines below this comment will be discarded
Use the following command for your changes to take effect.
If you installed Cockpit on the local machine and changed the listening port to 9091, you can now access the Cockpit web console on https://localhost:9091.
“Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products.” Bruce Schneier acknowledges that perfect computer security probably doesn’t exist. He reminds us that we need to understand our risk of exposure in order to be able to manage it. www.schneier.com
Debian GNU/Linux was first released in 1993 and has been under active developement ever since. Today, the Debian Project unites thousands of contributors from across the globe with the aim of producing “an operating system distribution that is composed entirely of free software”.
This guide is intended to assist those who are installing Debian for the first time. It describes a straightforward path to a GNOME desktop. The number of applications is less in comparison to the default. Choose from more than 60000 official packages to tailor the system to your own requirements.
Debian and the new package formats
Debian stable is, above all else, focused on the task of maintaining bug-free software packages. It is the reason why Debian, in over 30 years, has gained a reputation for being “like a rock in an ever-swirling sea of updates”. It is also the reason why Debian stable does not keep up with the latest versions.
Universal package formats, such as Flatpak, Snap, or AppImage, are managed separately from conventional packaging systems and thus provide the end-user with added flexibility and choice. They solve the problem of stale distribution packages because newer versions can be installed without compromising the integrity of the underlying core.
Before you begin
In addition to the target computer, you should have access to a reasonably fast connection to the Internet. Ideally, your device would connect to your router by Ethernet cable. If your laptop does not have an Ethernet port, consider using the Plugable USB 3.0 Gigabit Ethernet Adapter.
Depending on your acutal requirements, there are different Debian CD images to choose from. In all likelihood, you are following these instructions to install on x86-64 hardware, for which a network install CD image amd64 would be the correct choice. It supports Intel as well as AMD processors and “includes non-free firmware for extra support for some awkward hardware”.
Choose a hostname and a username for your setup. In the examples which follow, debian is used as the hostname and bookworm as the username. Just remember to make the substitutions when executing commands that reference either.
Choose 1) an encryption passphrase to encrypt your storage device, 2) a user password to secure your user account, and 3) a root password to secure the root account.
Ensure that all of your data is safely backed up because formatting your storage device will erase all of its data.
After completing the installation, Debian GNU/Linux will be the only operating system on your computer.
Installing Debian GNU/Linux
If your computer uses the Unified Extensible Firmware Interface (UEFI) and you are unsure about which settings to use, you may wish to disable the Secure Boot option.
Step 1
After booting the system from the USB stick that you have prepared, continue by selecting the text based installer.
Step 2
Keep English as the language for the installation.
[!!] Select a language
Language: English
Step 3
Keep United States as the location for your system. This will also set United States as the default locale for the system environment. You will have an opportunity to set additional locales and adjust time zones at a later point during the installation.
[!!] Select your location
Country, territory or area: United States
Step 4
Use the keymap that is the correct one for your particular keyboard.
[!!] Configure the keyboard
Keymap to use: your keyboard
Step 5
You will likely be asked to select the primary network interface for use during the installation. If network autoconfiguration fails, go back and try another interface from the list.
[!!] Configure the network
Network configuration method:
Retry network autoconfiguration
Retry network autoconfiguration with a DHCP hostname
Configure network manually
Do not configure the network at this time
Go Back
Step 6
Set the hostname for your system. In this example, we use debian as the hostname.
[!] Configure the network
Hostname: debian
Continue
[!!] Partition disks
Partitioning method: Guided - use entire disk and set up encrypted LVM
Be careful to select the correct target device for your system.
[!!] Partition disks
Select disk to partition: your target disk for installation
Choose to keep all files in one partition.
[!] Partition disks
Partitioning scheme: All files in one partition (recommended for new users)
Now write the changes to disk.
[!!] Partition disks
Write the changes to disk and configure LVM?
Yes
You may skip the overwriting of the disk with random data by selecting Cancel. Be aware, however, that skipping this step will lessen the quality of the encryption.
Step 9
Enter your encryption passphrase.
[!!] Partition disks
Encryption passphrase: your encryption passphrase
Continue
Confirm your encryption passphrase.
[!!] Partition disks
Re-enter passphrase to verify: your encryption passphrase
Continue
Step 10
Use the available space for partitioning your disk.
[!!] Partition disks
Amount of volume group to use for guided partitioning: max
Continue
Step 11
Write the changes to disk.
[!!] Partition disks
Finish partitioning and write changes to disk
Confirm writing the changes to disk.
[!!] Partition disks
Write the changes to disks?
Yes
Step 12
You may be asked to scan additional installation media.
[!] Configure the package manager
Scan extra installation media?
No
Step 13
Select your archive mirror country from the list.
[!] Configure the package manager
Debian archive mirror country: your country
Select an archive mirror from the list. For the fastest downloads, use the site that is closest to you.
[!] Configure the package manager
Debian archive mirror: mirror closest to you
You probably won’t need to configure an HTTP proxy:
[!] Configure the package manager
HTTP proxy information (blank for none): leave empty
Continue
[!] Configuring popularity-contest
Participate in the package usage survey?
Yes
Step 15
Choose standard system utilities from the list of predefined software collections and deselect all other entries.
[!] Software selection
Choose software to install:
[ ] Debian desktop environment
[ ] GNOME
[*] standard system utilities
Continue
Step 16
You may be asked if you want to install the GRUB boot loader to your primary drive. Select your target disk from Step 8 as the drive for boot loader installation.
[!] Install the GRUB boot loader
Install the GRUB boot loader to your primary drive?
Yes
Step 17
Remove the installation media before booting into your new system.
[!!] Finish the installation
Installation complete
Continue
Step 18
Enter your encryption passphrase to boot into the system for the first time. In this example, the encrypted disk is labelled sda3_crypt.
Please unlock disk sda3_crypt: your encryption passphrase
Log into the system with your username and user password.
Debian GNU/Linux 12 debian tty1
debian login: bookworm
Password: your user password
Step 19
Set the password for the root user by entering the following command. You will be asked for your user password to obtain sudo privileges first.
$ sudo passwd root
Step 20
Install a minimal GNOME desktop.
$ sudo apt-get install --yes gnome-core
If you are installing into a virtual machine, use this additional command to enable copy and paste between the host and the guest.
$ sudo apt-get install --yes spice-vdagent
Step 22
Restart your system.
$ sudo reboot
Step 23
Enter your encryption passphrase to boot into the system.
Please unlock disk sda3_crypt: your encryption passphrase
Select Show Applications from the the panel at the bottom of the screen or press [Super + a] and open the Settings application. On most keyboards, the [Super] key is the one with the Windows logo printed on it. Continue by adding the following keyboard shortcuts:
From within the GNOME desktop, open Firefox ESR by using the shortcut [Super + b] and re-open these instructions at edafe.de/step25.
Open a terminal with the shortcut [Super + t] and, where applicable, use copy and paste to enter the commands set out on this page. Be careful not to miss any punctuation.
Step 26
Set the time zone for your area.
$ sudo dpkg-reconfigure tzdata
Configuring tzdata
Geographic area: your area
Ok
Step 27
Configure locales for all the languages that your system is going to be used with. Use UTF-8 locales wherever possible.
$ sudo dpkg-reconfigure locales
In this example, German and Japanese locales are generated in addition to the default locale for the system environment.
Configuring locales
Locales to be generated:
[*] de_DE.UTF-8 UTF-8
[*] en_US.UTF-8 UTF-8
[*] ja_JP.UTF-8 UTF-8
OK
Keep en_US.UTF-8 as the default locale for the system environment.
Configuring locales
Default locale for the system environment:
en_US.UTF-8
OK
Step 28
The Desktop was disabled in GNOME 3.28. This decision was not universally popular at the time. However, developers pointed to the fact that, as an unmaintained feature, it stood in the way of other improvements. The following command hides the now orphaned Desktop folder from view.
$ echo Desktop >> ~/.hidden
Step 29
Install additonal Debian packages to give you a functional GNOME desktop.
$ echo -e '\n# use Neofetch to display information about the system\nif [ -f /usr/bin/neofetch ]; then\n clear && neofetch;\nfi' >> ~/.bashrc && source ~/.bashrc
Step 32
Enable the unattended installation of important upgrades.
$ sudo dpkg-reconfigure unattended-upgrades
Step 33
If in Step 5 you selected a wireless interface as the primary network interface for use during the installation, you will need to re-authenticate with the wireless network after rebooting.
$ sudo sed -i 's/managed=false/managed=true/' /etc/NetworkManager/NetworkManager.conf&&sudo sed -i '/# The primary network interface/,$d' /etc/network/interfaces&&sudo reboot
The snap directory in your home folder is not supposed to be accessed manually. Use the following command to hide it from view.
$ echo snap >> ~/.hidden
Step 38
By default, Debian installs the Extended Support Release (ESR) version of Firefox. The ESR receives crash fixes, security fixes and policy updates as needed.
The flatpak, on the other hand, installs the Rapid Release version of Firefox. In contrast to the ESR, the Rapid Release receives major updates at least every four weeks. Both versions can be used concurrently. When installed on your desktop, they are called Firefox ESR and Firefox Web Browser, respectively.
As an option, you may install Firefox Rapid Release and set it as the default browser.
“LastPass likely could have prevented this if they were more concerned about keeping their users secure than about saving their face. Their statement is also full of omissions, half-truths and outright lies. As I know that not everyone can see through all of it, I thought that I would pick out a bunch of sentences from this statement and give some context that LastPass didn’t want to mention.” Wladimir Palant helps to decode what LastPass had to say about their latest security breach. palant.info
“Soziale Medien werden von Plattformbetreibern dominiert, die das eigene Interesse in den Vordergrund rücken und jede Entscheidung daran messen, wie sich eine Profitmaximierung erzielen lässt. Hat man das einmal verinnerlicht, wirft sich einem unweigerlich die Frage auf, was an sozialen Medien eigentlich sozial ist. Sozial bedeutet anderen zu helfen, was auch bedeuten kann, die eigenen Interessen zurückzustellen. Also im Grunde genau das Gegenteil dessen, wie kommerziell ausgerichtete Plattformen wie Twitter, Facebook und Co. agieren.” Mike Kuketz erklärt die Idee des Fediverse und unterstreicht, warum es sich damit so grundlegend von Platformen wie Twitter und Facebook unterscheidet. Dieser Beitrag ist von großer Wichtigkeit, nicht nur für die Nutzer der sozialen Medien… www.kuketz-blog.de
“Yet I sympathise with those who feel the Queen’s loss. Under her reign, many latched on to the stabilising sense of cultural continuity. To lose that is to feel disrupted and uncertain. For me, it’s a familiar anxiety – Britain’s empire by definition redrew boundaries, and swept aside generations of tradition. Our parents and grandparents were recruited to Britain for its benefit, the terms and conditions of which my generation are still trying to make sense. We know how it feels to lack cultural continuity. Others in Britain enjoyed it at our expense. If continuity is an abstract subject, the other trappings of royal symbolism are more concrete. There were pompous reflections last week with the idea expressed in the Economist’s obituary that the Queen ‘came from good Hanoverian blood’. If that sounds like a white supremacist idea, that’s because it is.” Afua Hirsch does not get to opt out of processing memories that many refuse to acknowledge. www.theguardian.com
“Too often we foolishly measure success in terms of a single actor’s fortunes. This is both short-sighted and irrational. It misunderstands the true nature of reality, and is ultimately self-defeating.” Carlo Rovelli provides a compellingly argued explanation of the way in which interactions shape our world and, in the end, determine our reality. www.theguardian.com
“Mastodon is used to publish 500-character messages with pictures, polls, videos and so on to an audience of followers, and, in turn, to follow interesting people and receive their posts in a chronological home feed. Unlike Twitter, there is no central Mastodon website – you sign up to a provider that will host your account, similarly to signing up for Outlook or Gmail, and then you can follow and interact with people using different providers. Anyone can become such a provider as Mastodon is free and open-source. It has no ads, respects your privacy, and allows people/communities to self-govern.” Eugen Rochko preempted the planned aquisition of Twitter by a mere 6 years. joinmastodon.org
“What all these petty, superficial differences – from owning cars and clothes to having Netflix and Instagram accounts – add up to is not real human solidarity for an oppressed people. In fact, it’s the opposite. It’s tribalism. These comments point to a pernicious racism that permeates today’s war coverage and seeps into its fabric like a stain that won’t go away.” Moustafa Bayoumi asks that we offer help and solidarity to innocent people who need protection, irrespective of geographical proximity or skin color. www.theguardian.com
“Thinking that endemicity is both mild and inevitable is more than wrong, it is dangerous: it sets humanity up for many more years of disease, including unpredictable waves of outbreaks.” Aris Katzourakis would like to keep the focus on how bad things could get if we were to give in to misplaced optimism. www.nature.com
#CriticalMass Essen am 13. August auf der Rüttenscheider Straße — gestartet wird jeden 2. Freitag im Monat um 19:00 Uhr vom Willy-Brandt-Platz aus. criticalmass.in
“The side-effects are mild … Listen to doctors who work in intensive care, because we are heartbroken every day and don’t want you to end up here.” Dr Samantha Batt-Rawden wants people to come off the fence and get the jab. www.theguardian.com
I pre-ordered the Hammerhead Karoo 2 during the last quarter of 2020, fully aware that I might be getting a device that would still require a significant amount of “continuous enhancements”. In other words, I bought into the promise of Hammerhead delivering “the world’s finest cycling computer” through software updates. Eventually.
In many ways, the Karoo 2 already is a good bike computer. In other ways, however, the Karoo 2 is far behind its competition and most definitely a work in progress. I never considered returning the device. Instead, I look forward to seeing the improvements that Hammerhead will be introducing over time. My other cycling computer is a Wahoo Elemnt Roam. hammerhead.io
Limited battery capacity and USB-C cable
After about 3 hours of riding, I would expect the battery of my Karoo 2 to be half-empty. On at least two occasions, however, the Karoo 2 died on me with an empty battery after just over 4 hours of use. Unless you turn off the very features which, in all likelihood, made you buy the device in the first place, charging becomes an absolute necessity on longer rides. This is easier said than done, because charging the Karoo 2 while in its mount is impossible with the cable supplied in the box. There just isn’t enough space between the base of the unit and the handlebar for a conventional USB-C plug to fit into. I use a UGREEN Right Angle USB-C to -A Cable and connect the Karoo 2 to a Zendure SuperMini 5K power bank during rides.
Since the release of the Karoo 2, a number of reviews similar to this one have been published on the Internet:
“Usually on rides I’ve found it lasts around 10–11 hours with all my power meter and heart rate sensors connected up, a route loaded, and flicking between screens. Riding without a route loaded (but still with sensors) massively increases the life per charge, to around 13 hours.” Anna Marie Hughes
After about 10 months of using the Karoo 2, I have come to the conclusion that something must be off with either my Karoo 2 or the running times reported elsewhere…
I am going to leave it there.
Komoot limited to 50 planned tours, use Ride with GPS
The Hammerhead Dashboard is supposed to facilitate the integration of the Karoo 2 with services such as Strava, Ride with GPS, Komoot and others. Unfortunately, synchronisation of available routes with any of these services does not take place automatically and requires the use of either a computer or a smart phone.
With Komoot, there is an added limitation in that it is only possible to “sync your 50 most recent planned tours”. Having used other bike computers in the past, I am stunned that this should even be an issue. Komoot users with more than 50 routes to choose from end up in a loop of having to continuously mess about just to get individual routes to show up on the Karoo 2…
The solution to the problem is to ditch Komoot entirely and use Ride with GPS.
The Dashboard itself is of limited functionality. Route planning is rudimentary at best and there are next to no tools for post-ride analysis of your data. While not necessarily a disadvantage, this needs to be spelled out clearly. Integration with third party services should be flawless. Hammerhead’s focus, meanwhile, appears to lie elsewhere.
Missing auto-lap functionality
The Karoo 2 does not offer auto-lap functionality. Currently, there is no way to set reminders of any kind. Hammerhead merely say that they are “working on adding more towards the lap functionality“. This appears to be a long-standing issue with users of the Karoo 1 as well. The auto-lap feature has reportedly spent more than a year in the “development pipeline”, yet Hammerhead are not committing to a “dedicated timeline for its implementation“.
With Software Build Version 1.187.987, Hammerhead appear to be pleased that they “fixed an issue that prevented users from viewing a Live Tracking link if they weren’t logged in ahead of clicking the link.” They are missing the point. What is preventing users from viewing any link is having to register and then authenticate every time they want to access the link. Until such time that Hammerhead get rid of these short-sighted requirements, actual owners of the Karoo 2 won’t be sharing anything.
In the meantime, getting a SIM and data plan for your Karoo 2 does not appear to make a lot of sense. Unless, that is, you’re planning on inflicting Live Tracking links on friends and family…
Hammerhead no longer require registration to view Live Tracking links. This is a welcome improvement and, in conjunction with a dedicated SIM, appears to be working well.