“This third attempt to pass largely the same unlawful decision also raises questions as to the larger role of the European Commission being the guardian of the EU treaties. Instead of upholding the ‘rule of law’ the Commission simply passes an invalid decision over and over again, despite clear rulings by the CJEU.” By agreeing the Data Privacy Framework with the US, the European Commission likely prioritised diplomatic and business interests over the rights of Europeans.
What the Prisoner’s Dilemma reveals about life, the universe, and everything
“Okay, so now you’ve got this alternating thing, which will remind you of some of the politics of the world today, where we have to do something to you because of what you did to us.”
With thanks to @avidamoeba@lemmy.ca.
Frohe Weihnachten, Steffi!
Nichts zu verbergen? Ein moderner Mythos und 12 Argumente dagegen
“Aber der Satz und seine Verbreitung schaden viel mehr der Gesellschaft und anderen Menschen, als jenen, die ihn aussprechen. Deshalb sind mir die sozial orientierten Antworten darauf am liebsten: Weil man Menschen damit stigmatisiert, sie unsolidarisch behandelt, ihre Diskriminierungserfahrungen negiert, und weil es Demokratie und Widerstand untergräbt.” @reticuleena legt offen, wie wir unsere Vertrauenswürdigkeit aufs Spiel setzen.
Install and configure SSH on Debian or Ubuntu
SSH is a protocol that enables secure connections over unsecured networks. It supports the use of asymmetric encryption for user authentication. Private keys are kept locally, while public keys are stored on the remote machine.
The following configuration disables root logins on the remote machine. Only users belonging to the group ssh-users may establish a connection. Access to the remote machine is tied to the local user’s private key.
In this example, the name of the remote machine is debian-server, which has the address 192.168.1.10 on the network. sid is a user on debian-server, whereas bookworm is a user on the local machine. Choose an encryption passphrase to secure the private key that you will generate in Step 5.
On the remote machine
Step 1
Install the secure shell server with the following command:
$ sudo apt install --yes openssh-server
Step 2
If you are using ufw as a host-based firewall
Configure ufw to allow connections to the secure shell server.
$ sudo ufw limit ssh
If you are using firewalld as a host-based firewall
Configure firewalld to allow connections to the secure shell server.
$ sudo -- bash -c 'firewall-cmd --zone=public --add-service=ssh --permanent && firewall-cmd --reload && firewall-cmd --info-zone=public'
Step 3
Restrict access to the remote machine to members of a specific group. Start by creating the group ssh-users.
$ sudo addgroup --system ssh-users
Add the user sid to the group ssh-users.
$ sudo adduser sid ssh-users
On the local machine
Step 4
Install the secure shell client with the following command.
$ sudo apt install openssh-client
Step 5
Generate a new key pair for the local user bookworm:
$ ssh-keygen -t ed25519 -o -a 100
Save the key pair to the directory /home/bookworm/.ssh/
. Choose a name that facilitates easy identification.
Enter file in which to save the key (/home/bookworm/.ssh/id_ed25519): ~/.ssh/id_ed25519-debian-server
The use of an appropriate passphrase to secure the private key is mandatory.
Step 6
Create the file ~/.ssh/config
to configure the secure shell client.
$ nano ~/.ssh/config
Add the follwing minimal entry for the host debian-server.
Host debian-server Hostname 192.168.1.10 IdentitiesOnly yes
Step 7
Deploy the public key with the following command.
$ ssh-copy-id -i ~/.ssh/id_ed25519-debian-server.pub sid@debian-server
Step 8
Log into the remote machine.
$ ssh -i ~/.ssh/id_ed25519-debian-server sid@debian-server
When prompted to confirm the authenticity of the host debian-server, type yes and press [Enter].
The authenticity of host 'debian-server (192.168.1.10)' can't be established. ED25519 key fingerprint is SHA256:C9RxLLVbvFwVJc0L4JHzcuHQSaPHJZe/GrRDvqy6rAG. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])?
In the next step, enter the passphrase for your private key.
Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':
Step 9
On the remote machine, download a file to harden the ssh server. You are encouraged to inspect its contents.
$ sudo -- bash -c 'wget -P /etc/ssh/sshd_config.d/ --show-progress https://edafe.de/debian/sshd_config.conf'
Activate the modifications on the remote machine.
$ sudo systemctl restart ssh.service
Step 9
On the local machine, open a new terminal window and run the following command.
$ ssh -i ~/.ssh/id_ed25519-debian-server sid@debian-server
In the next step, enter the passphrase for your private key.
Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':
Display the active configuration for the remote ssh server and verify its settings, paying particular attention to options for maxauthtries
, permitrootlogin
and passwordauthentication
.
$ sudo sshd -T
All done!
For more in-depth information, please see stribika’s post-Snowden advice on hardening OpenSSH server installations.
The book SSH The Secure Shell by Daniel Barrett, Richard Silverman and Robert Byrnes is still useful today and has information on other clever stuff you can do with SSH.
Install OneDrive Client for Linux on Debian or Ubuntu
The OneDrive Client for Linux connects your Debian or Ubuntu system to Microsoft’s OneDrive Personal, OneDrive for Business, OneDrive for Office365, Sharepoint and other such deployments.
Step 1
Install the OneDrive Client from the Debian or Ubuntu repository.
$ sudo -- bash -c 'apt update && apt install --yes onedrive'
Step 2
Begin to connect the client to your OneDrive account.
$ onedrive --synchronize
You will be presented with a message similar to the following:
Configuring Global Azure AD endpoints Authorize this app visiting: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id&scope=Files.ReadWrite%20Files.ReadWrite.all%20Sites.Read.All%Sites.ReadWrite.All%20offline_accessresponse_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient Enter the response uri:
In the above dialog, copy or [Ctrl + Click] the URI beginning with https://login.microsoftonline.com/.
In a web browser
Use the URI from the previous step to sign into your Microsoft account. You will be redirected to a response URI displaying a blank page. Copy the response URI from the address field of your browser.
In the terminal
Paste the response URI into the terminal. On successful authentication, the OneDrive Client will connect to your Microsoft account and begin to download your data.
Initializing the Synchronization Engine … Syncing changes from OneDrive … Creating local directory: Downloading file … done. Uploading differences of ~/OneDrive Uploading new items of ~/OneDrive
Step 3
After downloading your data to ~/OneDrive
, validate the configuration of the client.
$ onedrive --display-config
If required, you may change the default configuration.
Step 4
Enable OneDrive Client for the local user bookworm.
$ sudo -- bash -c 'systemctl enable onedrive@bookworm.service && systemctl start onedrive@bookworm.service && systemctl status onedrive@bookworm.service'
All done!
How to install Espanso from source on Debian 12 bookworm
Currently available Espanso packages fail to install on Debian 12 because of unmet dependencies. Given that I depend on Espanso to expand text shortcuts and insert special characters, I was stuck on Debian 11. Until now!
The following instructions have also been tested with Debian 11.
After completing the installation, Espanso 2.2.0 for Wayland will be installed on your system and enabled for the current user.
Compiling Espanso from source code
Side-step any dependency problems by compliling Espanso from source and moving the binary into place.
Step 1
Install the required C/C++ compiler and some additional tools.
$ sudo apt-get install --yes build-essential curl git wl-clipboard libxkbcommon-dev libdbus-1-dev libwxgtk3.*-dev libssl-dev
Step 2
Install the required Rust compiler, which is managed by the rustup
tool.
$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh&&source ~/.bashrc
Press [Enter] to proceed with the installation.
Current installation options: 1) Proceed with instalation (default) 2) Customize installation 3) Cancel installation >
Install cargo-make
, which is required during the build process.
$ cargo install --force cargo-make
Step 3
Get the source code by cloning the Espanso repository to the local directory ~/.local/src/espanso
.
$ git clone --progress https://github.com/federico-terzi/espanso ~/.local/src/espanso
Step 4
Compile the Espanso binary in release mode and as a Wayland-only build.
$ cargo make --cwd ~/.local/src/espanso --profile release --env NO_X11=true build-binary
Move the binary to the /usr/local/bin
directory.
$ sudo mv ~/.local/src/espanso/target/release/espanso /usr/local/bin/
Step 5
Give Espanso the permissions it requires for operation.
$ sudo setcap "cap_dac_override+p" $(which espanso)
Check to see if the Espanso binary was installed successfuly.
$ espanso --version
Step 6
Integrate Espanso into the system by registering it as a systemd service.
$ espanso service register
Start Espanso.
$ espanso start && espanso status
Step 7
In GNOME, remove the conflicting default shortcut for activating the window menu.
Settings > Keyboard > Keyboard Shortcuts > View and Customize Shortcuts > Windows > Activate the window menu > [Backspace]
From now on, use [Alt + Space] to open Espanso’s Search bar.
All Done!
Please keep in mind that Wayland support at this point has some known limitations. Most notably, “there is currently no support for App-specific configurations“.
Big thank you to Federico Terzi for creating such a useful tool for us all to use!
Install and configure nullmailer using Fastmail as a smarthost
If you want to receive status updates from your Debian or Ubuntu system, you need to employ the help of a mail tansfer agent (MTA). nullmailer is a relay-only forwarding MTA that can be used as an alternative to more complex MTAs such as Exim, Sendmail or Postfix.
nullmailer can be configured to use Fastmail as a smarthost and hence ensure the deliverability of your messages. In principle, these instructions should also be applicable to service providers other than Fastmail.
In the following example configuration, debian
is the hostname, bookworm
the local username and linus.torvalds@fastmail.com
the Fastmail username.
Step 1
Log into your Fastmail account and set up a new app password for SMTP authentication.
Step 2
Create the new directory /etc/nullmailer
and the file /etc/nullmailer/adminaddr
.
$ sudo mkdir /etc/nullmailer && sudo nano /etc/nullmailer/adminaddr
Your Fastmail username is the only entry in /etc/nullmailer/adminaddr.
linus.torvalds@fastmail.com
Step 3
Install the required packages.
$ sudo apt-get install --yes nullmailer mailutils
Step 4
Perform the initial configuration using debconf
. Reconfigure nullmailer
at any time after the initial installation using the following comand.
$ sudo dpkg-reconfigure nullmailer
Setting the mail name
Set the system mail name. If you are setting up on a home network, you should use home.arpa
as the domain name.
Configuring nullmailer Mailname of your system: debian.home.arpa Ok
Configuring the smarthost
Set the Fastmail server as the smarthost. Use the app password you set in Step 1.
Configuring nullmailer
Smarthosts:
smtp.fastmail.com smtp --port=587 --auth-login --starttls --user=linus.torvalds@fastmail.com --pass=password
Ok
Step 5
Test your configuration with the following command.
$ echo "Test mail from nullmailer on debian.home.arpa to the local root user and forwarded on to Fastmail" | mail -s "Test nullmailer" root
Check your Inbox, Linus!
Install Syncthing for continuous file synchronisation on Debian or Ubuntu
Syncthing is an open source tool that synchronises data across multiple devices. It transfers your files peer-to-peer, without the requirement to upload your information to the cloud. Packages are available for Android, Windows, macOS and Linux (including Synology DSM).
The usefulness of this project cannot be overstated.
Running the Syncthing stable channel
Syncthing is included in the Debian and Ubuntu repositories, respectively. These instructions are targeting the latest release of the Syncthing stable channel. It is therefore necessary to add the Syncthing repository to your list of APT sources.
In the following example, bookworm is the local username.
Step 1
Add the Syncthing release key for validation of packages downloaded from the Syncthing repository.
$ sudo curl -o /usr/share/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg
Step 2
Add the Syncthing repository.
$ echo "deb [signed-by=/usr/share/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable" | sudo tee /etc/apt/sources.list.d/syncthing.list
Step 3
Install Syncthing on your system.
$ sudo -- bash -c 'apt update && apt install --yes syncthing apt-transport-https'
Step 4
Enable Syncthing for the local user bookworm.
$ sudo -- bash -c 'systemctl enable syncthing@bookworm.service && systemctl start syncthing@bookworm.service && systemctl status syncthing@bookworm.service'
Step 5
You may need to edit your firewall settings to open ports for incoming and outgoing traffic.
If you are using ufw as a host-based firewall
Configure ufw to allow connections to Syncthing.
$ sudo ufw limit syncthing
If you are using firewalld as a host-based firewall
Configure firewalld to allow connections to Syncthing.
$ sudo -- bash -c 'firewall-cmd --zone=public --add-service=syncthing --permanent && firewall-cmd --reload && firewall-cmd --info-zone=public'
Step 6
Access the Syncthing configuration page by using your browser to navigate to the following address:
http://localhost:8384
Step 7
Complete your setup by referring to the Syncthing documentation.