Install Cockpit on Debian 13 trixie

Cockpit provides an easy-to-use, web-based interface for administering Linux systems. It simplifies tasks such as monitoring logs, controlling system services, configuring networks, and managing virtual machines.

Cockpit has been described as a “useful and extensible tool to observe, manage, and troubleshoot Linux servers”.

Step 1

Cockpit requires the firewalld service to be able to make changes to your firewall rules.

If you are using ufw as a host-based firewall

Remove ufw before replacing it with firewalld.

$ sudo apt-get remove --purge --yes ufw

[sudo] password for yourusername:

Install firewalld as a host-based firewall

Install firewalld, keep SSH access open, and allow Cockpit to receive incoming connections.

$ sudo -- bash -c 'apt-get install --show-progress --yes firewalld && systemctl enable --now firewalld.service && firewall-cmd --zone=public --add-service=ssh --permanent && firewall-cmd --zone=public --add-service=cockpit --permanent && firewall-cmd --reload && firewall-cmd --info-zone=public'

Step 2

Proceed to install cockpit and selected add-on applications.

$ sudo apt-get install --show-progress --yes cockpit cockpit-bridge cockpit-machines cockpit-podman nullmailer ssh tuned-utils

Step 3

If you selected a wireless interface as the primary network interface for use during installation of the Debian system, you may need to re-establish connection to the wireless network after rebooting.

Enable NetworkManager for the primary network interface and reboot your system.

$ sudo sed -i 's/managed=false/managed=true/' /etc/NetworkManager/NetworkManager.conf && sudo sed -i '/# The primary network interface/,$d' /etc/network/interfaces && sudo reboot

Step 4

Access the Cockpit web console on https://localhost:9090 by entering your username and password.

Step 5

By default, the Cockpit web console listens on port 9090 for connections. If you want to make changes from the default, use the following command to edit /etc/systemd/system/cockpit.socket.d/override.conf.

$ sudo systemctl edit cockpit.socket

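The example below changes the web console port from 9090 to 9091 and restricts access to localhost only. The empty ListenStream= line clears the default listener; without it, Cockpit would keep listening on port 9090 in addition to the new address.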

### Editing /etc/systemd/system/cockpit.socket.d/override.conf
### Anything between here and the comment below will become the new contents of the file

[Socket]
ListenStream=
ListenStream=127.0.0.1:9091

### Edits below this comment will be discarded

Use the following command for your changes to take effect.

$ sudo -- bash -c 'systemctl daemon-reload && systemctl restart cockpit.socket && systemctl status cockpit.socket'
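The following check is an added example, not part of the original guide: it reads a cockpit.socket drop-in and reports whether the default listener was reset and whether every remaining address is loopback-only. The function name and the sample inputs are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original guide.
# check_cockpit_dropin reads a cockpit.socket drop-in on stdin, prints one
# finding per line and returns 0 only if the default listener has been reset
# and every remaining ListenStream= value is a loopback IP address.
# Real use: check_cockpit_dropin < /etc/systemd/system/cockpit.socket.d/override.conf
check_cockpit_dropin() {
    awk '
        # Track the current section; only [Socket] is relevant.
        /^[ \t]*\[/ { in_socket = ($0 ~ /^[ \t]*\[Socket\][ \t]*$/); next }
        !in_socket || /^[ \t]*[#;]/ { next }
        /^[ \t]*ListenStream[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            # An empty assignment clears every listener defined so far,
            # including the one inherited from the packaged unit file.
            if (val == "") { reset = 1; n = 0 }
            else listeners[++n] = val
        }
        END {
            if (!reset) {
                print "FAIL default listener on port 9090 is still active: no empty ListenStream= line"
                bad = 1
            } else if (n == 0) {
                print "FAIL listeners were reset but no new ListenStream= was added"
                bad = 1
            }
            for (i = 1; i <= n; i++) {
                v = listeners[i]
                if (v ~ /^127\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ || v ~ /^\[::1\]:[0-9]+$/)
                    print "OK   loopback only: " v
                else {
                    # A bare port such as 9091 binds to all interfaces.
                    print "FAIL not a loopback address: " v
                    bad = 1
                }
            }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: the drop-in shown in the guide.
sample_guide() {
    printf '%s\n' '[Socket]' 'ListenStream=' 'ListenStream=127.0.0.1:9091'
}

# Constructed sample: same change, but the reset line was forgotten.
sample_no_reset() {
    printf '%s\n' '[Socket]' 'ListenStream=127.0.0.1:9091'
}

sample_guide | check_cockpit_dropin || true
sample_no_reset | check_cockpit_dropin || true
```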

Configure nullmailer with a relay host

If you wish to receive status updates from your Debian or Ubuntu system, you need to install and configure a mail transfer agent (MTA). nullmailer is a relay-only forwarding MTA that can be used as an alternative to more complex MTAs, such as Exim, Sendmail or Postfix.

A relay host, also referred to as a smarthost, is an email server for outgoing mail that enjoys a good reputation among its peers. In this example, we use Fastmail because email deliverability depends on a number of different factors.

Configuration of nullmailer with Email Service Providers (ESPs) other than Fastmail should be similar, given that all ESPs implement the Simple Mail Transfer Protocol (SMTP).

Step 1

Generate an app password

Log into your Fastmail account and set up a new app password for SMTP authentication.

Create an alias

Set up a dedicated Fastmail alias to receive incoming messages.

Step 2

Use copy and paste to enter the following commands. Be careful not to miss any punctuation.

Create the new directory /etc/nullmailer and the file /etc/nullmailer/adminaddr.

$ sudo mkdir -p /etc/nullmailer && sudo nano /etc/nullmailer/adminaddr

The Fastmail alias you created in Step 1 should be the only entry in /etc/nullmailer/adminaddr.

target.email@fastmail.com

Step 3

Install the required packages.

$ sudo apt-get install --yes nullmailer mailutils

Step 4

Enter the system mailname. If you are setting up on a home network, you should use home.arpa as the domain name.

Configuring nullmailer

Mailname of your system:

tux.home.arpa

Ok

Configuring the smarthost

Configure nullmailer to use the Fastmail SMTP server as a smarthost. Use your Fastmail username and the app password from Step 1.

Configuring nullmailer

Smarthosts:

smtp.fastmail.com smtp --port=587 --auth-login --starttls --user=linus.torvalds@fastmail.com --pass=password

Ok

Step 5

Test your configuration with the following command.

$ echo "Test mail from nullmailer on tux.home.arpa to the local root user and forwarded on to Fastmail" | mail -s "Test nullmailer" root

Check your inbox!

Step 6

You can reconfigure nullmailer at any time by issuing the following command.

$ sudo dpkg-reconfigure nullmailer

How to install Debian 13 Trixie with a GNOME desktop

Debian GNU/Linux was first released in 1993 and has been under active development ever since. Today, the Debian Project unites thousands of contributors from across the globe with the aim of producing “an operating system distribution that is composed entirely of free software”.

This guide is intended to assist those who are installing Debian for the first time. It maps out a straightforward path to a GNOME desktop with only essential applications pre-installed. Choose from 69830 official Debian packages and tailor the system to your own requirements.

edafe.de/debian-howto

Debian and the new package formats

Debian stable is, above all else, focused on the task of maintaining bug-free software packages. It is the reason why Debian, in over 30 years, has gained a reputation for being “like a rock in an ever-swirling sea of updates”. It is also the reason why Debian stable does not keep up with the latest versions.

Universal package formats, such as Flatpak, Snap, or AppImage, are managed separately from conventional packaging systems and thus provide the end-user with added flexibility and choice. They solve the problem of stale distribution packages because newer versions can be installed without compromising the integrity of the underlying core.

Before you begin

In addition to the target computer, you should have reasonably fast Internet. Use an Ethernet cable to connect your device to the network. If your laptop does not have a built-in Ethernet port, look for a Linux-compatible USB to Ethernet adapter, such as the StarTech USB31000S2, TP-Link UE300C or Plugable USB3-E1000.

Veronica explains how to create a bootable USB stick for installing Linux. Depending on your requirements, there are different Debian CD images to choose from. In all likelihood, you are following these instructions to install on x86-64 hardware, for which a netinst CD image amd64 would be the correct choice. It supports Intel as well as AMD processors and “includes non-free firmware for extra support for some awkward hardware”.

In the instructions which follow, yourhostname is used as the hostname and yourusername as the name for the standard user.

In addition to host- and username, choose 1) yourpassphrase as an encryption passphrase to encrypt your storage device with, 2) yourpassword as a password for the standard user account, and 3) rootpassword as a password for the superuser account.

Ensure that all of your data is safely backed up because formatting your storage device will erase all of its data.

After completing the installation, Debian GNU/Linux will be the only operating system on your computer.

Installing Debian GNU/Linux

If your computer uses the Unified Extensible Firmware Interface (UEFI), “turn off Secure Boot before attempting anything else”.

Step 1

After booting the system from the USB stick that you have prepared, continue by selecting the text-based installer.

Step 2

Keep English as the language for the installation.

[!!] Select a language

Language: English

Step 3

Keep United States as the location for your system. This will also set United States as the default locale for the system environment. You will have an opportunity to set additional locales and adjust time zones at a later point during the installation.

[!!] Select your location

Country, territory or area: United States

Step 4

Use the keymap that is right for the layout of your particular keyboard.

[!!] Configure the keyboard

Keymap to use: keymap for your specific keyboard

Step 5

At this point, the installer may prompt you for missing firmware.

[!] Detect network hardware

Some of your hardware needs non-free firmware files to operate. The firmware can be loaded from removable media, such as a USB stick or floppy.

Load missing firmware from removable media?

No

Step 6

You may be asked to select the primary network interface for use during the installation.

[!!] Configure the network

Primary network interface:
enp1s0: unknown interface
wlp1s0: Wireless Network Adapter (wireless)

If network autoconfiguration fails, go back and try another interface from the list.

[!!] Configure the network

Network configuration method:

Retry network autoconfiguration
Retry network autoconfiguration with a DHCP hostname
Configure network manually

Do not configure the network at this time

Go Back

Step 7

Set the hostname for your system.

[!] Configure the network

Hostname: yourhostname

Continue

Set the domain name for your system. If you are setting up on a home network, you should use home.arpa as the domain name.

[!] Configure the network

Domain name: home.arpa

Continue

Step 8

Leave the root password empty to ensure that the standard user account is configured with sudo privileges.

[!!] Set up users and passwords

Root password: leave empty

Continue

Confirm the empty root password.

[!!] Set up users and passwords

Re-enter password to verify: leave empty

Continue

Step 9

Create the standard user account. In this example, we use Your Username as the full name.

[!!] Set up users and passwords

Full name for the new user: Your Username

Continue

Continue with yourusername as the username.

[!!] Set up users and passwords

Username for your account: yourusername

Continue

Set a password for the new standard user.

[!!] Set up users and passwords

Choose a password for the new user: yourpassword

Continue

Confirm the password for the standard user.

[!!] Set up users and passwords

Re-enter password to verify: yourpassword

Continue

Step 10

Keep Eastern as the time zone for now.

[!] Configure the clock

Select your time zone: Eastern

Step 11

You may wish to partition your disk with LVM and protect your data with a 256 bit AES key.

[!!] Partition disks

Partitioning method: Guided - use entire disk and set up encrypted LVM

Be careful to select the correct target device for your system.

[!!] Partition disks

Select disk to partition: your target disk for installation

Choose to keep all files in one partition.

[!] Partition disks

Partitioning scheme: All files in one partition (recommended for new users)

Now write the changes to disk.

[!!] Partition disks

Write the changes to disk and configure LVM?

Yes

You may cancel the process of overwriting the disk with random data. Be aware, however, that skipping this step will diminish the quality of the disk encryption.

Step 12

Enter your encryption passphrase.

[!!] Partition disks

Encryption passphrase: yourpassphrase

Continue

Confirm your encryption passphrase.

[!!] Partition disks

Re-enter passphrase to verify: yourpassphrase

Continue

Step 13

Use the available space to partition your disk.

[!!] Partition disks

Amount of volume group to use for guided partitioning: max

Continue

Step 14

Review partitions and mount points suggested by the installer.

[!!] Partition disks

Finish partitioning and write changes to disk

Confirm writing the changes to disk.

[!!] Partition disks

Write the changes to disks?

Yes

Step 15

You may be asked to scan additional installation media.

[!] Configure the package manager

Scan extra installation media?

No

Step 16

Select your archive mirror country from the list.

[!] Configure the package manager

Debian archive mirror country: your country

Select an archive mirror from the list. Use the site that is closest to you.

[!] Configure the package manager

Debian archive mirror: mirror closest to you

Proceed without providing HTTP proxy information.

[!] Configure the package manager

HTTP proxy information (blank for none): leave empty

Continue

Step 17

The Debian Popularity Contest attempts to map the overall usage of Debian packages with information from installed systems, such as yours.

[!] Configuring popularity-contest

Participate in the package usage survey?

Yes

Step 18

Choose standard system utilities from the list of predefined software collections and deselect all other entries.

[!] Software selection

Choose software to install:
[ ] Debian desktop environment
[ ] GNOME
[*] standard system utilities

Continue

Step 19

You may be asked if you want to install GRUB. Select your target disk from Step 11 as the drive for boot loader installation.

[!] Configuring grub-pc

Install the GRUB boot loader to your primary drive?

Yes

Step 20

Remove the installation media before booting into your new system.

[!!] Finish the installation

Installation complete

Continue

Step 21

Enter your encryption passphrase to allow the system to boot. In this example, the encrypted disk is labelled sda3_crypt.

Please unlock disk sda3_crypt: yourpassphrase

Log into the system as the user yourusername.

Debian GNU/Linux 13 debian tty1

debian login: yourusername
Password: yourpassword

Step 22

Set the password for the superuser by entering the following command. You will be asked for yourpassword to obtain sudo privileges first.

$ sudo passwd root

[sudo] password for yourusername: yourpassword
New password: rootpassword
Retype new password: rootpassword
passwd: password updated successfully

Step 23

Install a minimal GNOME desktop.

$ sudo apt-get install --yes gnome-core

If you are installing into a virtual machine and intend to use graphical applications, enable integration between the host and the guest.

$ sudo apt-get install --yes spice-vdagent

Step 24

Restart your system.

$ sudo reboot

Step 25

Enter your encryption passphrase to allow the system to boot.

Please unlock disk sda3_crypt: yourpassphrase

Log into the GNOME desktop for the first time.

Step 26

Skip the tour for now.

Step 27

Select Show Apps from the panel at the bottom of the screen or press [Super + a].

On most keyboards, the [Super] key is the one with the Windows logo printed on it.

Step 28

Open the Settings app and continue by adding the following keyboard shortcuts:

Terminal application

Settings > Keyboard > Keyboard Shortcuts > View and Customize Shortcuts > Custom Shortcuts > Add Shortcut…
Name: Launch Terminal

Command: gnome-terminal

Shortcut: [Super + t]

File manager

Settings > Keyboard > Keyboard Shortcuts > View and Customize Shortcuts: Home folder
Shortcut: [Super + f]

Web browser

Settings > Keyboard > Keyboard Shortcuts > View and Customize Shortcuts: Launch web browser
Shortcut: [Super + b]

Maximising windows vertically

Settings > Keyboard > Keyboard Shortcuts > View and Customize Shortcuts: Maximize window vertically
Shortcut: [Ctrl + Super + ↑]

Step 29

From within the GNOME desktop, open Firefox ESR by using the shortcut [Super + b] and re-open these instructions at edafe.de/29.

Open a terminal with the shortcut [Super + t] and, where applicable, copy and paste to enter the following commands. Be careful not to miss any punctuation.

Step 30

Set the time zone for your area.

$ sudo dpkg-reconfigure tzdata

[sudo] password for yourusername: yourpassword
Configuring tzdata

Geographic area: your area

Ok

Step 31

Configure locales for all the languages that your system is going to be used with. Use UTF-8 locales wherever possible.

$ sudo dpkg-reconfigure locales

In this example, German and Japanese locales are generated in addition to the default United States locale that is used for the system environment.

Configuring locales

Locales to be generated:

[*] de_DE.UTF-8 UTF-8
[*] en_US.UTF-8 UTF-8
[*] ja_JP.UTF-8 UTF-8

OK

Keep en_US.UTF-8 as the default locale for the system environment.

Configuring locales

Default locale for the system environment:

en_US.UTF-8

OK

Step 32

The Desktop was disabled in GNOME 3.28. This decision was not universally popular at the time. However, developers pointed to the fact that, as an unmaintained feature, it stood in the way of other improvements. The following command hides the now orphaned Desktop folder from view.

$ echo Desktop >> ~/.hidden

Step 33

Install additional Debian packages to give you a fully functional GNOME desktop.

$ sudo apt-get install --show-progress --yes apostrophe aptitude cups curl debian-reference deja-dup fastfetch file-roller foliate foomatic-db-compressed-ppds gcolor3 gnome-authenticator gnome-color-manager gnome-epub-thumbnailer gnome-feeds gnome-firmware gnome-keysign gnome-podcasts gnome-power-manager gnome-session-canberra gnome-shell-extension-auto-move-windows gnome-shell-extension-dashtodock gnome-shell-extension-launch-new-instance gnome-shell-extension-no-annoyance gnome-shell-extension-shortcuts gnome-shell-extension-tiling-assistant gnome-shell-extensions-extra gnome-software-plugin-flatpak gnome-software-plugin-snap gnome-sound-recorder gnome-tweaks gnome-video-effects-frei0r keepassxc mpv-mpris nautilus-share network-manager-config-connectivity-debian network-manager-openconnect-gnome network-manager-openvpn-gnome network-manager-ssh-gnome network-manager-vpnc-gnome ooo-thumbnailer pdfarranger plymouth-themes printer-driver-cups-pdf playerctl rsync seahorse seahorse-daemon seahorse-nautilus shortwave shotwell smbclient soundconverter ssh-askpass-gnome synaptic transmission-gtk task-laptop ufw unattended-upgrades wireguard yubioath-desktop && sudo ufw enable

Step 34

Replace the text output during system boot with a graphical splash screen.

$ sudo sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="quiet"/GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"/' /etc/default/grub && sudo update-grub2

Step 35

Configure fastfetch to display information about your system on the command-line.

$ echo -e '\n# use Fastfetch to display information about the system\nif [ -f /usr/bin/fastfetch ]; then\n clear && fastfetch;\nfi' >> ~/.bashrc && source ~/.bashrc

Step 36

Enable the unattended installation of important upgrades.

$ sudo dpkg-reconfigure unattended-upgrades

Step 37

If in Step 6 you selected a wireless interface as the primary network interface for use during the installation, you will need to re-establish connection to the wireless network after rebooting.

Enable the Network Manager for the primary network interface and reboot your system.

$ sudo sed -i 's/managed=false/managed=true/' /etc/NetworkManager/NetworkManager.conf && sudo sed -i '/# The primary network interface/,$d' /etc/network/interfaces && sudo reboot

Step 38

Enable the installation of Flatpaks from Flathub.

$ sudo -- bash -c 'flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo'

[sudo] password for yourusername: yourpassword

Step 39

Install applications from Flathub.

$ sudo flatpak install --assumeyes flathub com.bitwarden.desktop com.github.neithern.g4music com.github.tchx84.Flatseal com.vixalien.sticky dev.geopjr.Collision dev.geopjr.Tuba io.github.flattool.Warehouse io.gitlab.adhami3310.Converter org.cryptomator.Cryptomator org.gnome.Decibels org.gnome.World.PikaBackup org.libreoffice.LibreOffice

Step 40

Install applications from the Snap Store.

$ sudo snap install chromium

The snap directory in your home folder is not supposed to be accessed manually. Use the following command to hide it from view.

$ echo snap >> ~/.hidden

Step 41

By default, Debian installs the Extended Support Release (ESR) version of Firefox. The ESR receives crash fixes, security fixes and policy updates as needed.

The flatpak, on the other hand, installs the Rapid Release version of Firefox. In contrast to the ESR, the Rapid Release receives major updates at least every four weeks. Both versions can be used concurrently. When installed on your desktop, they are listed as Firefox ESR and Firefox, respectively.

As an option, you may install Firefox Rapid Release and set it as the default browser.

$ sudo flatpak install --assumeyes org.mozilla.firefox && xdg-settings set default-web-browser org.mozilla.firefox.desktop

Consider using different themes to easily distinguish between the two versions.

Step 42

Prevent yourself from accidentally breaking Debian by reading about some of the most commonly made mistakes.

All done!

Shrink, optimise and expand an existing QCOW2 image

A virtual disk image is a block device in a file. There are a number of different disk image formats to choose from when setting up a virtual machine. QEMU Copy On Write version 2 (QCOW2) is the default virtual disk image format for the Quick Emulator (QEMU). Features such as thin provisioning, snapshots and compression make QCOW2 one of the most versatile virtual disk formats available.

These instructions specifically target Debian 12 with a GNOME desktop as the host, but they should also be applicable to other Linux distributions such as Ubuntu or Linux Mint. The guest in this particular example is a Windows 11 virtual machine that has run out of space.

The overall objective is to shrink and optimise the 64 GiB disk image for random read and write operations before expanding it to a desired size of 128 GiB.

With thanks to Fam Zheng.

Before you begin

Shut down the virtual machine and delete all existing snapshots from the image file.

Never modify images currently in use by a running virtual machine.

Step 1

On the host, install the necessary tools for working with virtual disk images.

$ sudo apt-get install --yes libguestfs-tools gnome-disk-utility

Step 2

Only root can access the host directory /var/lib/libvirt/images. Use the following command to obtain the necessary privileges.

$ sudo su

Step 3

Continue by creating a directory in which to keep your virtual machine backups.

# mkdir /var/lib/libvirt/backups

Step 4

Now create a backup of the virtual machine with the name windows by copying its QCOW2 image file to the backups directory.

# cp /var/lib/libvirt/images/windows.qcow2 /var/lib/libvirt/backups/windows-backup.qcow2

Step 5

Sparsify the image file to convert any free space within the disk image to free space on the host.

# virt-sparsify --in-place /var/lib/libvirt/images/windows.qcow2

Step 6

Rename the sparsified image file.

# mv /var/lib/libvirt/images/windows.qcow2 /var/lib/libvirt/images/windows-sparsified.qcow2

Step 7

Check the disk size of the sparsified image file.

# qemu-img info /var/lib/libvirt/images/windows-sparsified.qcow2

The disk size should be smaller than the virtual size. In this particular case, the disk size is 33.7 GiB and the virtual size 64 GiB.

image: /var/lib/libvirt/images/windows-sparsified.qcow2
file format: qcow2
virtual size: 64 GiB (68719476736 bytes)
disk size: 33.7 GiB
cluster_size: 65536
Format specific information:
compat: 1.1
compression type: zlib
lazy refcounts: true
refcount bits: 16
corrupt: false
extended l2: false

Step 8

Determine which partition to resize by obtaining more detailed information about the contents of the sparsified disk image.

# virt-filesystems --long -h --all -a /var/lib/libvirt/images/windows-sparsified.qcow2

On the virtual device /dev/sda, the partition /dev/sda3 is equivalent to the Local Disk (C:) of the Windows 11 virtual machine.

Name       Type        VFS   Label  MBR  Size  Parent
/dev/sda1 filesystem vfat - - 96M -
/dev/sda3 filesystem ntfs - - 63G -
/dev/sda4 filesystem ntfs - - 768M -
/dev/sda1 partition - - - 100M /dev/sda
/dev/sda2 partition - - - 16M /dev/sda
/dev/sda3 partition - - - 63G /dev/sda
/dev/sda4 partition - - - 768M /dev/sda
/dev/sda device - - - 64G -

Step 9

Load the network block device (NBD) kernel module.

# modprobe nbd max_part=8

Step 10

Connect the sparsified image.

# qemu-nbd --connect=/dev/nbd9 /var/lib/libvirt/images/windows-sparsified.qcow2

Step 11

The partition /dev/sda3 listed in Step 8 is equivalent to /dev/nbd9p3 connected as a network block device. Use GNOME Disks to shrink /dev/nbd9p3 to its Minimal Size.

Use a graphical utility to minimise the risk of introducing errors.

Select the correct partition and from the pop-up menu, choose the option Resize…
Select Minimal Size and resize the partition.

Step 12

Disconnect the resized image.

# qemu-nbd -d /dev/nbd9

Step 13

Unload the NBD kernel module.

# modprobe -r nbd

Step 14

Create a target image larger than the resized source image. In this example, the size of the target image is 128G and its format QCOW2 with full preallocation and a cluster size of 2M.

# qemu-img create -f qcow2 -o preallocation=full -o cluster_size=2M /var/lib/libvirt/images/windows-target.qcow2 128G

Step 15

Copy the source image to the target image. Specify the partition to expand in the process.

# virt-resize --expand /dev/sda3 /var/lib/libvirt/images/windows-sparsified.qcow2 /var/lib/libvirt/images/windows-target.qcow2

Step 16

Confirm the size of the target image.

# qemu-img info /var/lib/libvirt/images/windows-target.qcow2

The overall disk size is now 128 GiB.

image: /var/lib/libvirt/images/windows-target.qcow2
file format: qcow2
virtual size: 128 GiB (137438953472 bytes)
disk size: 128 GiB
cluster_size: 2097152
Format specific information:
compat: 1.1
compression type: zlib
lazy refcounts: false
refcount bits: 16
corrupt: false
extended l2: false

Step 17

Obtain more detailed information about the contents of the target disk image.

# virt-filesystems --long -h --all -a /var/lib/libvirt/images/windows-target.qcow2

The partition /dev/sda3 of the virtual device /dev/sda is now 127G in size.

Name       Type        VFS   Label  MBR  Size  Parent
/dev/sda1 filesystem vfat - - 96M -
/dev/sda3 filesystem ntfs - - 127G -
/dev/sda4 filesystem ntfs - - 768M -
/dev/sda1 partition - - - 100M /dev/sda
/dev/sda2 partition - - - 16M /dev/sda
/dev/sda3 partition - - - 127G /dev/sda
/dev/sda4 partition - - - 768M /dev/sda
/dev/sda device - - - 128G -

Step 18

Rename the target image file.

# mv /var/lib/libvirt/images/windows-target.qcow2 /var/lib/libvirt/images/windows.qcow2

All done!

You can also modify format-specific options for an existing image without having to create a target disk image. Alternatively, you can expand into a target image that uses a format compatible with other hypervisors, such as RAW, VMDK, VDI, VHD, VHDX or QED.

Install and configure SSH on Debian or Ubuntu

SSH is a protocol that enables secure connections over unsecured networks. It supports the use of asymmetric encryption for user authentication. Private keys are kept locally, while public keys are stored on the remote machine.

The following configuration disables root logins on the remote machine. Only users belonging to the group ssh-users may establish a connection. Access to the remote machine is tied to the local user’s private key.

In this example, the name of the remote machine is debian-server, which has the address 192.168.1.10 on the network. sid is a user on debian-server, whereas bookworm is a user on the local machine.

Choose an encryption passphrase to secure the private key that you will generate in Step 5.

On the remote machine

Step 1

Install the secure shell server with the following command:

$ sudo apt install --yes openssh-server

Step 2

If you are using ufw as a host-based firewall

Configure ufw to allow connections to the secure shell server.

$ sudo -- bash -c 'ufw allow ssh && systemctl restart ssh.service'

If you are using firewalld as a host-based firewall

Configure firewalld to allow connections to the secure shell server.

$ sudo -- bash -c 'firewall-cmd --zone=public --add-service=ssh --permanent && firewall-cmd --reload && firewall-cmd --info-zone=public'

Step 3

Restrict access to the remote machine to members of a specific group. Start by creating the group ssh-users.

$ sudo addgroup --system ssh-users

Add the user sid to the group ssh-users.

$ sudo adduser sid ssh-users

On the local machine

Step 4

Install the secure shell client with the following command.

$ sudo apt install openssh-client

Step 5

Generate a new key pair for the local user bookworm:

$ cd ~/.ssh && ssh-keygen -t ed25519 -o -a 100

Save the key pair to the directory /home/bookworm/.ssh/. Choose a name that facilitates easy identification.

Enter file in which to save the key (/home/bookworm/.ssh/id_ed25519): id_ed25519-debian-server

The use of an appropriate passphrase to secure the private key is mandatory.

Step 6

Create the file ~/.ssh/config to configure the secure shell client.

$ nano ~/.ssh/config

Add the following minimal entry for the host debian-server.

Host debian-server
Hostname 192.168.1.10
IdentityFile ~/.ssh/id_ed25519-debian-server
IdentitiesOnly yes

Step 7

Deploy the public key with the following command.

$ ssh-copy-id -i ~/.ssh/id_ed25519-debian-server.pub sid@debian-server

When prompted to confirm the authenticity of the host debian-server, type yes and press [Enter].

The authenticity of host 'debian-server (192.168.1.10)' can't be established.
ED25519 key fingerprint is SHA256:C9RxLLVbvFwVJc0L4JHzcuHQSaPHJZe/GrRDvqy6rAG.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? 

Step 8

Log into the remote machine.

$ ssh -i ~/.ssh/id_ed25519-debian-server sid@debian-server

In the next step, enter the passphrase for your private key.

Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':

Step 9

On the remote machine, download a file to harden the ssh server. You are encouraged to inspect its contents.

$ sudo -- bash -c 'wget -P /etc/ssh/sshd_config.d/ --show-progress https://edafe.de/debian/sshd_config.conf'

Activate the modifications on the remote machine.

$ sudo systemctl restart ssh.service

Step 10

On the local machine, open a new terminal window and run the following command.

$ ssh -i ~/.ssh/id_ed25519-debian-server sid@debian-server

In the next step, enter the passphrase for your private key.

Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':

Display the active configuration for the remote ssh server and verify its settings, paying particular attention to options for maxauthtries, permitrootlogin and passwordauthentication.

$ sudo sshd -T
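A scripted version of this check, as an added example rather than part of the original guide: it reads sshd -T output and tests the three options named above plus the ssh-users group restriction described in the introduction. The expected values, including the MaxAuthTries ceiling of 3, are assumptions, because the contents of the downloaded sshd_config.conf are not shown here; the function name and sample inputs are constructed.

```sh
#!/bin/sh
# Added example, not part of the original guide.
# audit_sshd_config reads "sshd -T" output on stdin and checks it against the
# policy described in the guide: no root logins, key-based access only, and
# logins limited to the group ssh-users. The MaxAuthTries ceiling (default 3)
# is an assumption and can be overridden with the first argument.
# Real use: sudo sshd -T | audit_sshd_config
audit_sshd_config() {
    awk -v max_tries="${1:-3}" '
        function show(v) { return (v == "") ? "(not set)" : v }
        function report(ok, text,    tag) {
            tag = ok ? "PASS " : "FAIL "
            print tag text
            if (!ok) bad = 1
        }
        { key = tolower($1) }
        key == "permitrootlogin"        { root = $2 }
        key == "passwordauthentication" { pw = $2 }
        key == "maxauthtries"           { tries = $2 }
        # AllowGroups may be printed one group per line or several per line.
        key == "allowgroups"            { for (i = 2; i <= NF; i++) groups = groups " " $i }
        END {
            report(root == "no", "permitrootlogin " show(root))
            report(pw == "no", "passwordauthentication " show(pw))
            report(tries != "" && tries + 0 <= max_tries + 0,
                   "maxauthtries " show(tries) " (limit " max_tries ")")
            # Without any allowgroups line, every account may attempt a login.
            report(groups == " ssh-users", "allowgroups " show(substr(groups, 2)))
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: output matching the policy described in the guide.
sample_hardened() {
    printf '%s\n' \
        'port 22' \
        'permitrootlogin no' \
        'pubkeyauthentication yes' \
        'passwordauthentication no' \
        'maxauthtries 3' \
        'allowgroups ssh-users'
}

# Constructed sample: a server on which the hardening file was not applied.
sample_unhardened() {
    printf '%s\n' \
        'port 22' \
        'permitrootlogin without-password' \
        'pubkeyauthentication yes' \
        'passwordauthentication yes' \
        'maxauthtries 6'
}

sample_hardened | audit_sshd_config || true
sample_unhardened | audit_sshd_config || true
```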

All done!

For more in-depth information, please see stribika’s post-Snowden advice on hardening OpenSSH server installations.

The book SSH The Secure Shell by Daniel Barrett, Richard Silverman and Robert Byrnes is still useful today and has information on other clever stuff you can do with SSH.

Install Syncthing for continuous file synchronisation on Debian or Ubuntu

Syncthing is an open source tool that synchronises data across multiple devices. It transfers your files peer-to-peer, without uploading your data to the cloud. Packages are available for Android, Windows, macOS and Linux (including Synology DSM).

The usefulness of this project cannot be overstated.

Running the Syncthing stable channel

Syncthing is included in both the Debian and Ubuntu repositories. These instructions, however, target the latest release of the Syncthing stable channel. It is therefore necessary to add the Syncthing repository to your list of APT sources.

In the following example, bookworm is the local username.

Step 1

Add the Syncthing release key for validation of packages downloaded from the Syncthing repository.

$ sudo curl -o /usr/share/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg

Step 2

Add the Syncthing repository.

$ echo "deb [signed-by=/usr/share/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable" | sudo tee /etc/apt/sources.list.d/syncthing.list

Step 3

Install Syncthing on your system.

$ sudo -- bash -c 'apt update && apt install --yes syncthing apt-transport-https'

Step 4

Enable Syncthing for the local user bookworm.

$ sudo -- bash -c 'systemctl enable syncthing@bookworm.service && systemctl start syncthing@bookworm.service && systemctl status syncthing@bookworm.service'

Step 5

You may need to edit your firewall settings to open ports for incoming and outgoing traffic.

If you are using ufw as a host-based firewall

Configure ufw to allow connections to Syncthing.

$ sudo ufw limit syncthing

If you are using firewalld as a host-based firewall

Configure firewalld to allow connections to Syncthing.

$ sudo -- bash -c 'firewall-cmd --zone=public --add-service=syncthing --permanent && firewall-cmd --reload && firewall-cmd --info-zone=public'

Step 6

Access the Syncthing configuration page by using your browser to navigate to the following address:

http://localhost:8384

Step 7

Complete your setup by referring to the Syncthing documentation.

GNOME shell tutorial: desktop workflow explained



“Before we get started, let me say this upfront: GNOME shell is not a traditional desktop and if you try to use it as one, you will not be very efficient.”

AJ Reissig

The Debian Administrator’s Handbook

“We wanted the book to be freely available (that is under the terms of a license compatible with the Debian Free Software Guidelines of course). There was a condition though: a liberation fund had to be completed to ensure we had a decent compensation for the work that the book represents. This fund reached its target of €25K in April 2012.” Raphaël Hertzog and Roland Mas hope that you will enjoy the book.

debian-handbook.info
