Install and configure SSH on Debian or Ubuntu

SSH is a protocol that enables secure connections over unsecured networks. It supports the use of asymmetric encryption for user authentication. Private keys are kept locally, while public keys are stored on the remote machine.

The following configuration disables root logins on the remote machine. Only users belonging to the group ssh-users may establish a connection. Access to the remote machine is tied to the local user’s private key.

In this example, the name of the remote machine is debian-server, which has the address 192.168.1.10 on the network. sid is a user on debian-server, whereas bookworm is a user on the local machine. Choose an encryption passphrase to secure the private key that you will generate in Step 5.

On the remote machine

Step 1

Install the secure shell server with the following command:

$ sudo apt install --yes openssh-server

Step 2

If you are using ufw as a host-based firewall

Configure ufw to allow connections to the secure shell server.

$ sudo ufw limit ssh

If you are using firewalld as a host-based firewall

Configure firewalld to allow connections to the secure shell server.

$ sudo -- bash -c 'firewall-cmd --zone=public --add-service=ssh --permanent && firewall-cmd --reload && firewall-cmd --info-zone=public'

Step 3

Restrict access to the remote machine to members of a specific group. Start by creating the group ssh-users.

$ sudo addgroup --system ssh-users

Add the user sid to the group ssh-users.

$ sudo adduser sid ssh-users

On the local machine

Step 4

Install the secure shell client with the following command.

$ sudo apt install openssh-client

Step 5

Generate a new key pair for the local user bookworm:

$ ssh-keygen -t ed25519 -o -a 100

Save the key pair to the directory /home/bookworm/.ssh/. Choose a name that facilitates easy identification.

Enter file in which to save the key (/home/bookworm/.ssh/id_ed25519): ~/.ssh/id_ed25519-debian-server

The use of an appropriate passphrase to secure the private key is mandatory.

Step 6

Create the file ~/.ssh/config to configure the secure shell client.

$ nano ~/.ssh/config

Add the following minimal entry for the host debian-server.

Host debian-server
   Hostname 192.168.1.10
   IdentitiesOnly yes

Step 7

Deploy the public key with the following command.

$ ssh-copy-id -i ~/.ssh/id_ed25519-debian-server.pub sid@debian-server

Step 8

Log into the remote machine.

$ ssh -i ~/.ssh/id_ed25519-debian-server sid@debian-server

When prompted to confirm the authenticity of the host debian-server, type yes and press [Enter].

The authenticity of host 'debian-server (192.168.1.10)' can't be established.
ED25519 key fingerprint is SHA256:C9RxLLVbvFwVJc0L4JHzcuHQSaPHJZe/GrRDvqy6rAG.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? 

In the next step, enter the passphrase for your private key.

Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':

Step 9

On the remote machine, download a file to harden the ssh server. You are encouraged to inspect its contents.

$ sudo -- bash -c 'wget -P /etc/ssh/sshd_config.d/ --show-progress https://edafe.de/debian/sshd_config.conf'

Activate the modifications on the remote machine.

$ sudo systemctl restart ssh.service

Step 10

On the local machine, open a new terminal window and run the following command.

$ ssh -i ~/.ssh/id_ed25519-debian-server sid@debian-server

In the next step, enter the passphrase for your private key.

Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':

Display the active configuration for the remote ssh server and verify its settings, paying particular attention to options for maxauthtries, permitrootlogin and passwordauthentication.

$ sudo sshd -T
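The hardening file downloaded in the previous step is not reproduced on this page, and the guide only names the settings worth checking. The following is an added example, not the page's own file or script: it prints a drop-in that implements the policy the introduction describes (no root logins, members of ssh-users only, public-key authentication only), and it checks the effective configuration printed by sshd -T against that policy. The file name hardening.conf and the MaxAuthTries value of 3 are assumptions; the sample sshd -T output embedded below is constructed for the stand-alone run, not captured from a server.

```shell
#!/bin/sh
# Added example: print a sshd drop-in implementing the guide's stated policy.
# The file name and the MaxAuthTries value are assumptions, not taken from the
# page. Write it to stdout so it can be inspected before it is placed in
# /etc/ssh/sshd_config.d/.
print_hardening_dropin() {
    cat <<'EOF'
# /etc/ssh/sshd_config.d/hardening.conf (assumed name; constructed example)
PermitRootLogin no
AllowGroups ssh-users
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
EOF
}

# Check the effective server configuration as printed by `sshd -T`
# (lower-case keyword, a space, the value, one per line) against the policy.
# Reads the sshd -T text on stdin; returns 0 if every expectation holds,
# otherwise names each mismatch on stderr and returns 1.
check_sshd_effective() {
    dump=$(cat)
    rc=0
    for pair in \
        "permitrootlogin no" \
        "passwordauthentication no" \
        "pubkeyauthentication yes" \
        "kbdinteractiveauthentication no" \
        "allowgroups ssh-users" \
        "maxauthtries 3"
    do
        key=${pair%% *}
        want=${pair#* }
        # First value printed for the keyword; empty when sshd -T omits it
        # (AllowGroups is not printed at all when it has never been set).
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" != "$want" ]; then
            echo "mismatch: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed samples of sshd -T output for the stand-alone run (not captured
# from a real server): one after hardening, one with stock Debian defaults.
SAMPLE_HARDENED='port 22
addressfamily any
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
maxauthtries 3
allowgroups ssh-users'

SAMPLE_DEFAULT='port 22
addressfamily any
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
maxauthtries 6'

# Demonstration on the constructed samples. On the remote machine itself the
# check would be fed real output: sudo sshd -T | check_sshd_effective
printf '%s\n' "$SAMPLE_HARDENED" | check_sshd_effective && echo "hardened sample: policy satisfied"
printf '%s\n' "$SAMPLE_DEFAULT" | check_sshd_effective || echo "default sample: policy NOT satisfied"
```

Feeding the check with `sudo sshd -T | check_sshd_effective` on the remote machine reports every keyword whose effective value differs from the policy, which is a quicker verification than reading the full dump by eye. Because sshd -T prints the configuration after all drop-ins under /etc/ssh/sshd_config.d/ have been merged, it also reveals when an earlier drop-in or the main sshd_config has overridden one of the hardened values.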

All done!

For more in-depth information, please see stribika’s post-Snowden advice on hardening OpenSSH server installations.

The book SSH The Secure Shell by Daniel Barrett, Richard Silverman and Robert Byrnes is still useful today and has information on other clever stuff you can do with SSH.

How to install Debian 12 Bookworm with a GNOME desktop

Debian GNU/Linux was first released in 1993 and has been under active development ever since. Today, the Debian Project unites thousands of contributors from across the globe with the aim of producing “an operating system distribution that is composed entirely of free software”.

This guide is intended to assist those who are installing Debian for the first time. It describes a straightforward path to a GNOME desktop. Fewer applications are installed than with the default selection. Choose from more than 60000 official packages to tailor the system to your own requirements.

Debian and the new package formats

Debian stable is, above all else, focused on the task of maintaining bug-free software packages. It is the reason why Debian, in over 30 years, has gained a reputation for being “like a rock in an ever-swirling sea of updates”. It is also the reason why Debian stable does not keep up with the latest versions.

Universal package formats, such as Flatpak, Snap, or AppImage, are managed separately from conventional packaging systems and thus provide the end-user with added flexibility and choice. They solve the problem of stale distribution packages because newer versions can be installed without compromising the integrity of the underlying core.

Before you begin

In addition to the target computer, you should have access to a reasonably fast connection to the Internet. Ideally, your device would connect to your router using Ethernet. If your laptop does not have an Ethernet port, consider getting the Plugable USB 3.0 Gigabit Ethernet Adapter. If you use a wireless network, you will need to provide your Wi-Fi password twice during the installation.

Use Etcher to flash a bootable Debian CD image to a USB drive. Alternatively, you may wish to install Ventoy and boot directly from the image file.

Depending on your actual requirements, there are different Debian CD images to choose from. In all likelihood, you are following these instructions to install on x86-64 hardware, for which a network install CD image amd64 would be the correct choice. It supports Intel as well as AMD processors and “includes non-free firmware for extra support for some awkward hardware”.

Choose a hostname and a username for your setup. In the examples which follow, debian is used as the hostname and bookworm as the username. Just remember to make the substitutions when executing commands that reference either.

Choose 1) an encryption passphrase to encrypt your storage device, 2) a user password to secure your user account, and 3) a root password to secure the root account.

Ensure that all of your data is safely backed up because formatting your storage device will erase all of its data.

After completing the installation, Debian GNU/Linux will be the only operating system on your computer.

Installing Debian GNU/Linux

If your computer uses the Unified Extensible Firmware Interface (UEFI) and you are unsure about which settings to use, you may wish to disable the Secure Boot option.

Step 1

After booting the system from the USB stick that you have prepared, continue by selecting the text based installer.

Step 2

Keep English as the language for the installation.

[!!] Select a language

Language: English

Step 3

Keep United States as the location for your system. This will also set United States as the default locale for the system environment. You will have an opportunity to set additional locales and adjust time zones at a later point during the installation.

[!!] Select your location

Country, territory or area: United States

Step 4

Use the keymap that is the correct one for your particular keyboard.

[!!] Configure the keyboard

Keymap to use: your keyboard

Step 5

You will likely be asked to select the primary network interface for use during the installation. If network autoconfiguration fails, go back and try another interface from the list.

[!!] Configure the network

Network configuration method:

Retry network autoconfiguration
Retry network autoconfiguration with a DHCP hostname
Configure network manually

Do not configure the network at this time

Go Back

Step 6

Set the hostname for your system. In this example, we use debian as the hostname.

[!] Configure the network

Hostname: debian

Continue

Set the domain name for your system. If you are setting up on a home network, you should use home.arpa as the domain name.

[!] Configure the network

Domain name: home.arpa

Continue

Step 7

Leave the root password empty to ensure the standard user account will automatically be configured with sudo privileges.

[!!] Set up users and passwords

Root password: leave empty

Continue

Confirm the empty root password.

[!!] Set up users and passwords

Re-enter password to verify: leave empty

Continue

Create the standard user. In this example, we use Bookworm as the full name.

[!!] Set up users and passwords

Full name for the new user: Bookworm

Continue

Your username should start with a lower-case letter. In this example, bookworm is a reasonable choice.

[!!] Set up users and passwords

Username for your account: bookworm

Continue

Set a password for the new standard user.

[!!] Set up users and passwords

Choose a password for the new user: your user password

Continue

Confirm the password for the new standard user.

[!!] Set up users and passwords

Re-enter password to verify: your user password

Continue

Keep Eastern as the time zone for now.

[!] Configure the clock

Select your time zone: Eastern

Step 8

You may wish to partition your disk with LVM and protect your data with a 256-bit AES key.

[!!] Partition disks

Partitioning method: Guided - use entire disk and set up encrypted LVM

Be careful to select the correct target device for your system.

[!!] Partition disks

Select disk to partition: your target disk for installation

Choose to keep all files in one partition.

[!] Partition disks

Partitioning scheme: All files in one partition (recommended for new users)

Now write the changes to disk.

[!!] Partition disks

Write the changes to disk and configure LVM?

Yes

You may skip the overwriting of the disk with random data by selecting Cancel. Be aware, however, that skipping this step will lessen the quality of the encryption.

Step 9

Enter your encryption passphrase.

[!!] Partition disks

Encryption passphrase: your encryption passphrase

Continue

Confirm your encryption passphrase.

[!!] Partition disks

Re-enter passphrase to verify: your encryption passphrase

Continue

Step 10

Use the available space for partitioning your disk.

[!!] Partition disks

Amount of volume group to use for guided partitioning: max

Continue

Step 11

Write the changes to disk.

[!!] Partition disks

Finish partitioning and write changes to disk

Confirm writing the changes to disk.

[!!] Partition disks

Write the changes to disks?

Yes

Step 12

You may be asked to scan additional installation media.

[!] Configure the package manager

Scan extra installation media?

No

Step 13

Select your archive mirror country from the list.

[!] Configure the package manager

Debian archive mirror country: your country

Select an archive mirror from the list. For the fastest downloads, use the site that is closest to you.

[!] Configure the package manager

Debian archive mirror: mirror closest to you

You probably won’t need to configure an HTTP proxy:

[!] Configure the package manager

HTTP proxy information (blank for none): leave empty

Continue

Step 14

The Debian Popularity Contest attempts to map the overall usage of Debian packages with information from installed systems, such as yours.

[!] Configuring popularity-contest

Participate in the package usage survey?

Yes

Step 15

Choose standard system utilities from the list of predefined software collections and deselect all other entries.

[!] Software selection

Choose software to install:
[ ] Debian desktop environment
[ ] GNOME
[*] standard system utilities

Continue

Step 16

You may be asked if you want to install the GRUB boot loader to your primary drive. Select your target disk from Step 8 as the drive for boot loader installation.

[!] Install the GRUB boot loader

Install the GRUB boot loader to your primary drive?

Yes

Step 17

Remove the installation media before booting into your new system.

[!!] Finish the installation

Installation complete

Continue

Step 18

Enter your encryption passphrase to boot into the system for the first time. In this example, the encrypted disk is labelled sda3_crypt.

Please unlock disk sda3_crypt: your encryption passphrase

Log into the system with your username and user password.

Debian GNU/Linux 12 debian tty1

debian login: bookworm
Password: your user password

Step 19

Set the password for the root user by entering the following command. You will be asked for your user password to obtain sudo privileges first.

$ sudo passwd root

Step 20

Install a minimal GNOME desktop.

$ sudo apt-get install --yes gnome-core

If you are installing into a virtual machine, use this additional command to enable copy and paste between the host and the guest.

$ sudo apt-get install --yes spice-vdagent

Step 21

Restart your system.

$ sudo reboot

Step 22

Enter your encryption passphrase to boot into the system.

Please unlock disk sda3_crypt: your encryption passphrase

Log into the GNOME desktop environment.

Step 23

Select Show Applications from the panel at the bottom of the screen or press [Super + a] and open the Settings application. On most keyboards, the [Super] key is the one with the Windows logo printed on it. Continue by adding the following keyboard shortcuts:

Terminal application

Settings > Keyboard > Keyboard Shortcuts > View and Customize Shortcuts > Custom Shortcuts > Add Shortcuts
Name: Launch Terminal

Command: gnome-terminal

Shortcut: [Super + t]

File manager

Settings > Keyboard > Keyboard Shortcuts > View and Customize Shortcuts: Home folder
Shortcut: [Super + f]

Web browser

Settings > Keyboard > Keyboard Shortcuts > View and Customize Shortcuts: Launch web browser
Shortcut: [Super + b]

Maximising windows vertically

Settings > Keyboard > Keyboard Shortcuts > View and Customize Shortcuts: Maximize window vertically
Shortcut: [Ctrl + Super + ↑]

Step 24

From within the GNOME desktop, open Firefox ESR by using the shortcut [Super + b] and re-open these instructions at edafe.de/step24.

Open a terminal with the shortcut [Super + t] and, where applicable, use copy and paste to enter the commands set out on this page. Be careful not to miss any punctuation.

Step 25

Set the time zone for your area.

$ sudo dpkg-reconfigure tzdata
Configuring tzdata

Geographic area: your area

Ok

Step 26

Configure locales for all the languages that your system is going to be used with. Use UTF-8 locales wherever possible.

$ sudo dpkg-reconfigure locales

In this example, German and Japanese locales are generated in addition to the default locale for the system environment.

Configuring locales

Locales to be generated:

[*] de_DE.UTF-8 UTF-8
[*] en_US.UTF-8 UTF-8
[*] ja_JP.UTF-8 UTF-8

OK

Keep en_US.UTF-8 as the default locale for the system environment.

Configuring locales

Default locale for the system environment:

en_US.UTF-8

OK

Step 27

The Desktop was disabled in GNOME 3.28. This decision was not universally popular at the time. However, developers pointed to the fact that, as an unmaintained feature, it stood in the way of other improvements. The following command hides the now orphaned Desktop folder from view.

$ echo Desktop >> ~/.hidden

Step 28

Install additional Debian packages to give you a functional GNOME desktop.

$ sudo apt-get install --show-progress --yes apostrophe aptitude cheese cups curl debian-reference deja-dup file-roller foliate foomatic-db-compressed-ppds gcolor3 gnome-clocks gnome-color-manager gnome-connections gnome-dictionary gnome-epub-thumbnailer gnome-firmware gnome-keysign gnome-maps gnome-mpv gnome-power-manager gnome-session-canberra gnome-shell-extension-bluetooth-quick-connect gnome-shell-extension-dashtodock gnome-shell-extension-no-annoyance gnome-shell-extension-tiling-assistant gnome-shell-extensions-extra gnome-software-plugin-flatpak gnome-software-plugin-snap gnome-sound-recorder gnome-tweaks gnome-video-effects-frei0r gpodder mpv-mpris nautilus-share neofetch network-manager-config-connectivity-debian network-manager-openconnect-gnome network-manager-openvpn-gnome network-manager-ssh-gnome network-manager-vpnc-gnome ooo-thumbnailer pdfarranger plymouth-themes printer-driver-cups-pdf playerctl rhythmbox-plugin-alternative-toolbar rhythmbox-plugin-cdrecorder rsync seahorse seahorse-daemon seahorse-nautilus shotwell smbclient soundconverter ssh-askpass-gnome synaptic transmission-gtk task-laptop ufw unattended-upgrades wireguard yubioath-desktop && sudo ufw enable

Step 29

Replace the text output during system boot with a graphical splash screen.

$ sudo sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="quiet"/GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"/' /etc/default/grub && sudo update-grub2

Step 30

Configure neofetch to display information about your system on the command-line.

$ echo -e '\n# use Neofetch to display information about the system\nif [ -f /usr/bin/neofetch ]; then\n clear && neofetch;\nfi' >> ~/.bashrc && source ~/.bashrc

Step 31

Enable the unattended installation of important upgrades.

$ sudo dpkg-reconfigure unattended-upgrades

Step 32

If in Step 5 you selected a wireless interface as the primary network interface for use during the installation, you will need to re-establish connection to the wireless network after rebooting.

Enable the Network Manager for the primary network interface and reboot your system.

$ sudo sed -i 's/managed=false/managed=true/' /etc/NetworkManager/NetworkManager.conf && sudo sed -i '/# The primary network interface/,$d' /etc/network/interfaces && sudo reboot

Step 33

Enable the installation of Flatpaks from Flathub.

$ sudo -- bash -c 'flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo'

Step 34

Install applications from Flathub.

$ sudo flatpak install --assumeyes flathub com.vixalien.sticky dev.geopjr.Collision dev.geopjr.Tuba io.gitlab.adhami3310.Converter org.cryptomator.Cryptomator org.gustavoperedo.FontDownloader org.libreoffice.LibreOffice org.keepassxc.KeePassXC

Step 35

Install applications from the Snap Store.

$ sudo snap install bitwarden chromium

Step 36

The snap directory in your home folder is not supposed to be accessed manually. Use the following command to hide it from view.

$ echo snap >> ~/.hidden

Step 37

By default, Debian installs the Extended Support Release (ESR) version of Firefox. The ESR receives crash fixes, security fixes and policy updates as needed.

The flatpak, on the other hand, installs the Rapid Release version of Firefox. In contrast to the ESR, the Rapid Release receives major updates at least every four weeks. Both versions can be used concurrently. When installed on your desktop, they are listed as Firefox ESR and Firefox Web Browser, respectively.

As an option, you may install Firefox Rapid Release and set it as the default browser.

$ sudo flatpak install --assumeyes org.mozilla.firefox && xdg-settings set default-web-browser org.mozilla.firefox.desktop

Consider using different themes to easily distinguish between the two versions.

Step 38

Prevent yourself from accidentally breaking Debian by reading about some of the most commonly made mistakes.

All done!

Scaring people into supporting backdoors

“Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four.” Bruce Schneier re-emphasises the need for strong encryption as a matter of personal and national security.

www.schneier.com

This structure of surveillance will stop us doing things which are right

“We now face the greatest threat to our liberties since the second world war. We are sleepwalking into despotism. Because of the amount of material that is being collected, because these databases, which are not about tiny items of information, will be used and not just by governments. Snowden was working for a corporation. They will be accessed by others in government and because, that’s most important of all, people will start to self-censor. We will find that the very fact of the total surveillance of our activities means that we are going to sort of … it’s not a question, as the foreign minister said, of ‘if you haven’t done anything wrong you have nothing to fear’. [sic] This structure of surveillance will stop us doing things which are right, that we know we should be doing.” Anthony Barnett appearing on yesterday’s BBC Newsnight programme.

Still sending naked email?

“In a world of repressive governments and a growing reliance on insecure networks, there’s no way anyone can be sure their most sensitive messages aren’t intercepted by the forces of darkness. But you can make it mathematically improbable that all but the most well-funded snoops could ever make heads or tails of your communications.” Use Dan Goodin’s step-by-step guide to email encryption and keep your communications private.

www.theregister.com
