The following configuration disables root logins on the remote machine. Only users belonging to the group ssh-users may establish a connection. Access to the remote machine is tied to the local user’s private key.
In this example, the name of the remote machine is debian-server, which has the address 192.168.1.10 on the network. sid is a user on debian-server, whereas bookworm is a user on the local machine. Choose an encryption passphrase to secure the private key that you will generate in Step 5.
On the remote machine
Install the secure shell server with the following command:
$ sudo apt install --yes openssh-server
If you are using ufw as a host-based firewall
Configure ufw to allow connections to the secure shell server.
$ sudo ufw limit ssh
If you are using firewalld as a host-based firewall
Configure firewalld to allow connections to the secure shell server.
When prompted to confirm the authenticity of the host debian-server, type yes and press [Enter].
The authenticity of host 'debian-server (192.168.1.10)' can't be established.
ED25519 key fingerprint is SHA256:C9RxLLVbvFwVJc0L4JHzcuHQSaPHJZe/GrRDvqy6rAG.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
In the next step, enter the passphrase for your private key.
Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':
On the remote machine, download a file to harden the ssh server. You are encouraged to inspect its contents.
Debian GNU/Linux was first released in 1993 and has been under active developement ever since. Today, the Debian Project unites thousands of contributors from across the globe with the aim of producing “an operating system distribution that is composed entirely of free software”.
This guide is intended to assist those who are installing Debian for the first time. It describes a straightforward path to a GNOME desktop. The number of applications is less in comparison to the default. Choose from more than 60000 official packages to tailor the system to your own requirements.
Debian and the new package formats
Debian stable is, above all else, focused on the task of maintaining bug-free software packages. It is the reason why Debian, in over 30 years, has gained a reputation for being “like a rock in an ever-swirling sea of updates”. It is also the reason why Debian stable does not keep up with the latest versions.
Universal package formats, such as Flatpak, Snap, or AppImage, are managed separately from conventional packaging systems and thus provide the end-user with added flexibility and choice. They solve the problem of stale distribution packages because newer versions can be installed without compromising the integrity of the underlying core.
Before you begin
In addition to the target computer, you should have access to a reasonably fast connection to the Internet. Ideally, your device would connect to your router by Ethernet cable. If your laptop does not have an Ethernet port, consider using the Plugable USB 3.0 Gigabit Ethernet Adapter.
Depending on your acutal requirements, there are different Debian CD images to choose from. In all likelihood, you are following these instructions to install on x86-64 hardware, for which a network install CD image amd64 would be the correct choice. It supports Intel as well as AMD processors and “includes non-free firmware for extra support for some awkward hardware”.
Choose a hostname and a username for your setup. In the examples which follow, debian is used as the hostname and bookworm as the username. Just remember to make the substitutions when executing commands that reference either.
Choose 1) an encryption passphrase to encrypt your storage device, 2) a user password to secure your user account, and 3) a root password to secure the root account.
Ensure that all of your data is safely backed up because formatting your storage device will erase all of its data.
After completing the installation, Debian GNU/Linux will be the only operating system on your computer.
Installing Debian GNU/Linux
If your computer uses the Unified Extensible Firmware Interface (UEFI) and you are unsure about which settings to use, you may wish to disable the Secure Boot option.
After booting the system from the USB stick that you have prepared, continue by selecting the text based installer.
Keep English as the language for the installation.
[!!] Select a language
Keep United States as the location for your system. This will also set United States as the default locale for the system environment. You will have an opportunity to set additional locales and adjust time zones at a later point during the installation.
[!!] Select your location
Country, territory or area: United States
Use the keymap that is the correct one for your particular keyboard.
[!!] Configure the keyboard
Keymap to use: your keyboard
You will likely be asked to select the primary network interface for use during the installation. If network autoconfiguration fails, go back and try another interface from the list.
[!!] Configure the network
Network configuration method:
Retry network autoconfiguration
Retry network autoconfiguration with a DHCP hostname
Configure network manually
Do not configure the network at this time
Set the hostname for your system. In this example, we use debian as the hostname.
[!] Configure the network
Select Show Applications from the the panel at the bottom of the screen or press [Super + a] and open the Settings application. On most keyboards, the [Super] key is the one with the Windows logo printed on it. Continue by adding the following keyboard shortcuts:
From within the GNOME desktop, open Firefox ESR by using the shortcut [Super + b] and re-open these instructions at edafe.de/step25.
Open a terminal with the shortcut [Super + t] and, where applicable, use copy and paste to enter the commands set out on this page. Be careful not to miss any punctuation.
Set the time zone for your area.
$ sudo dpkg-reconfigure tzdata
Geographic area: your area
Configure locales for all the languages that your system is going to be used with. Use UTF-8 locales wherever possible.
$ sudo dpkg-reconfigure locales
In this example, German and Japanese locales are generated in addition to the default locale for the system environment.
Locales to be generated:
[*] de_DE.UTF-8 UTF-8
[*] en_US.UTF-8 UTF-8
[*] ja_JP.UTF-8 UTF-8
Keep en_US.UTF-8 as the default locale for the system environment.
Default locale for the system environment:
The Desktop was disabled in GNOME 3.28. This decision was not universally popular at the time. However, developers pointed to the fact that, as an unmaintained feature, it stood in the way of other improvements. The following command hides the now orphaned Desktop folder from view.
$ echo Desktop >> ~/.hidden
Install additonal Debian packages to give you a functional GNOME desktop.
The snap directory in your home folder is not supposed to be accessed manually. Use the following command to hide it from view.
$ echo snap >> ~/.hidden
By default, Debian installs the Extended Support Release (ESR) version of Firefox. The ESR receives crash fixes, security fixes and policy updates as needed.
The flatpak, on the other hand, installs the Rapid Release version of Firefox. In contrast to the ESR, the Rapid Release receives major updates at least every four weeks. Both versions can be used concurrently. When installed on your desktop, they are called Firefox ESR and Firefox Web Browser, respectively.
As an option, you may install Firefox Rapid Release and set it as the default browser.
“LastPass likely could have prevented this if they were more concerned about keeping their users secure than about saving their face. Their statement is also full of omissions, half-truths and outright lies. As I know that not everyone can see through all of it, I thought that I would pick out a bunch of sentences from this statement and give some context that LastPass didn’t want to mention.” Wladimir Palant helps to decode what LastPass had to say about their latest security breach. palant.info
“Welcome to this introduction to Conversations. It is gonna be a great introduction. It’s gonna be fabulous. Other instant messengers have fought Conversations for many years, but they couldn’t beat it. Just couldn’t do it. Total loosers. They’re all dead now. All the other messengers have failed. Forget WhatsApp, okay? Signal …total disaster. Threema is so bad, it’s not even a real messenger. It’s fake. Threema is a fake messenger. Converstations has got to be the best messenger in the world. It’s huge. OMEMO. You’ll love it. Best protocol. Tremendous. Absolutely fantastic. Nobody has messengers better than Conversations. This messenger is so big, you can even see it from the moon. And I am going to make you pay for it. It’s true. Important people tell me that Conversations is so great, it’s unbelievable. So great, it’s beautiful. Conversations is the best instant messenger that God ever created.” conversations.im
“I am regularly impressed with the thought and care put into both the security and the usability of this app. It’s my first choice for an encrypted conversation.” Bruce Schneier
Signal offers private messaging and calling in one simple app. It is both free and open source. Development is supported by community donations and grants. This means that there are no hidden strings attached. Use Signal as an alternative to WhatsApp or, better still, its replacement. signal.org
“Threema is a mobile messaging app that puts security first. With true end-to-end encryption, you can rest assured that only you and the intended recipient can read your messages.” Threema is my favourite instant messaging application and has been described as “a much flasher version of WhatsApp”. Its source code has recently undergone an external security audit and was found to provide a ”security level which compares favourably with the state of the art in similar messaging services“. threema.ch
“We now face the greatest threat to our liberties since the second world war. We are sleepwalking into despotism. Because of the amount of material that is being collected, because these databases, which are not about tiny items of information, will be used and not just by governments. Snowden was working for a corporation. They will be accessed by others in government and because, that’s most important of all, people will start to self-censor. We will find that the very fact of the total surveillance of our activities means that we are going to sort of … it’s not a question, as the foreign minister said, of ‘if you haven’t done anything wrong you have nothing to fear’. [sic] This structure of surveillance will stop us doing things which are right, that we know we should be doing.” Anthony Barnett appearing on yesterday’s BBC Newsnight programme.
“In a world of repressive governments and a growing reliance on insecure networks, there’s no way anyone can be sure their most sensitive messages aren’t intercepted by the forces of darkness. But you can make it mathematically improbable that all but the most well-funded snoops could ever make heads or tales of your communications.” Use Dan Goodin’s step-by-step guide to email encryption and keep your communications private. www.theregister.com