Author: | Francesco Poli |
---|---|
Contact: | invernomuto@paranoici.org |
Version: | 0.22 |
Copyright: | Expat license |
Notice: | Copyright (c) 2007-2023 Francesco Poli Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
About this document | |
---|---|
Web form | HyperText Markup Language |
Source form | reStructuredText |
Web stylesheet | Cascading StyleSheets |
Build directives | Makefile |
In another document (HTML, reST) you saw how to configure the desktop environment on our example Debian testing workstation/desktop box. Now that you have a nice desktop, you can install and configure some useful network clients and servers.
The network should have been correctly configured during the installation process. You should just check that the first (IPv4) part of the /etc/hosts configuration file is:
$ head -n 2 /etc/hosts
127.0.0.1 localhost
127.0.1.1 $HOSTNAME
where $HOSTNAME is the name that was previously chosen for the machine.
Some clients to access external services.
First of all install the OpenSSH client:
# aptitude install openssh-client
Then, you can generate a pair of SSH keys for your regular user:
$ ssh-keygen -t rsa
You'll be asked where the key should be saved: you can safely accept the default location (~/.ssh/id_rsa for the private key, ~/.ssh/id_rsa.pub for the public one). You'll then have to choose a passphrase: think of a very good one (among other things, it must be different from any password you use, since it is the only thing protecting the private key if the file is copied) and type it twice, as requested. An Ed25519 key (ssh-keygen -t ed25519, saved as ~/.ssh/id_ed25519) is an equally good choice with any recent OpenSSH version; the rest of this document uses the RSA file names, so adjust them accordingly if you pick it.
Now, in order to remotely access a machine which has an SSH server up and running, you can use password-based authentication:
$ ssh remote.box.example
After entering the password for your account at remote.box.example, you'll be granted network access to the system [1].
However, for security reasons, the remote.box.example administrators may have disabled password-based SSH authentication and accept only public-key authentication. If this is the case, you need to transfer a copy of your public key to remote.box.example and append it to the list of authorized keys for your user. Hence, copy ~/.ssh/id_rsa.pub (the public key only: the private key ~/.ssh/id_rsa never leaves your workstation) to a USB stick, or use any other medium or channel that can deliver your public key to the remote machine. (If password authentication is still enabled, ssh-copy-id -i ~/.ssh/id_rsa.pub remote.box.example, shipped with openssh-client, performs the following steps for you.) Once your public key is on remote.box.example, you have to modify your ~/.ssh/authorized_keys file on the remote machine: first of all, if you have no ~/.ssh directory, create it and set appropriate permissions:
$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
then create the ~/.ssh/authorized_keys file, if necessary:
$ touch ~/.ssh/authorized_keys
and append your public key to it:
$ chmod 600 ~/.ssh/authorized_keys
$ cat id_rsa.pub >> ~/.ssh/authorized_keys
$ chmod 400 ~/.ssh/authorized_keys
After doing this, you can connect from your workstation to the remote machine by issuing the command:
$ ssh remote.box.example
and entering the passphrase for your private key on the local machine.
You can also use the SSH agent to hold your private key, so that you don't need to retype your passphrase so frequently. A practical way to do this requires that you type your passphrase when you start a Fluxbox session: install the following package:
# aptitude install ssh-askpass
and add the following lines at the beginning of your regular user's ~/.xsession file:
$ grep -i ssh ~/.xsession
# add my identity to the SSH agent
ssh-add < /dev/null
With standard input redirected from /dev/null, ssh-add has no terminal to read the passphrase from and therefore asks for it through the graphical ssh-askpass dialog (DISPLAY is already set at that point; Debian's X session scripts start ssh-agent by default, so the agent is running when ~/.xsession is executed). Bear in mind that a key loaded into the agent can be used by any process running as your user for the whole session: ssh-add -t 4h (any lifetime works) makes the agent forget the key after that time, if you prefer re-typing the passphrase now and then to leaving the key usable all day.
You may also enable compression in order to reduce the data transfer times, in case your network link is not too fast: just add the following stanza to your regular user's ~/.ssh/config file:
$ grep -B 1 Compression ~/.ssh/config
Host *
Compression yes
It's anyway recommended to test data transfer and measure times with and without compression, in order to check whether you actually get an advantage.
A useful configuration enables server alive messages, which keep an SSH session alive (and keep an idle connection from being dropped by a stateful firewall or NAT router) even when there's no user activity for a while:
$ grep -B 2 Alive ~/.ssh/config
Host *
Compression yes
ServerAliveInterval 300
ServerAliveCountMax 30
ServerAliveInterval 300 makes the client send a request through the encrypted channel after 300 seconds without data from the server; ServerAliveCountMax 30 closes the connection only after 30 such requests in a row go unanswered, i.e. after two and a half hours, which errs on the side of keeping the session up rather than detecting a dead peer quickly.
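One thing to keep in mind when adding stanzas to ~/.ssh/config: ssh uses the first value it obtains for each keyword, so a Host * section placed at the top of the file silently wins over any host-specific section that follows it. The following ~/.ssh/config is an added example, not taken from the original document, showing the intended ordering: per-host sections first, the catch-all last. remote.box.example is the host used throughout this page; the user name alice and the assumption that it sits on a fast local link (hence no compression) are mine.

```sshconfig
# Host-specific sections come first: for the keywords they set, they take
# precedence over the catch-all "Host *" section at the end of the file.
Host remote.box.example
    # assumed user name on the remote box
    User alice
    # the key generated with ssh-keygen above
    IdentityFile ~/.ssh/id_rsa
    # offer only this key, not every key the agent holds
    IdentitiesOnly yes
    # assumed fast LAN link: overrides the global "yes" below
    Compression no

# Defaults for every other host; anything already set above is kept.
Host *
    Compression yes
    ServerAliveInterval 300
    ServerAliveCountMax 30
```

ssh -G remote.box.example prints the configuration that would actually be used for a given host, so you can confirm that Compression resolves to no for remote.box.example and to yes for any other host before relying on it.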
[1] Please note that the first time you connect to remote.box.example you will also be asked to confirm the authenticity of the remote host: in order to be safe, check the fingerprint shown in the prompt against its known value, obtained over a trusted channel (on the remote host, ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub prints the fingerprint of the RSA host key; use the file matching the key type the prompt displays, e.g. ssh_host_ed25519_key.pub for an ED25519 fingerprint). Blindly answering "yes" defeats the check: from then on, ssh trusts whatever key it saw on that first connection.
Install a good IRC client:
# aptitude install weechat-curses
and install its enhancement scripts:
# aptitude install weechat-scripts
Please note that some scripts require support for a given programming language (package weechat-python, weechat-ruby, weechat-lua, and so on): make sure the appropriate support package is installed (possibly along with the language-specific libraries the script needs) before trying to use a given script.
If you need to connect to VPNs, you may find the following client useful:
# aptitude install openconnect
If you need to connect to Fortinet VPNs, you may issue the following command (as root):
# openconnect --protocol=fortinet -u $VPNUSER $VPNSERVER
where $VPNUSER is the user name for the VPN on the $VPNSERVER server. Alternatively, you may install a client specific to Fortinet VPNs:
# aptitude install openfortivpn
and prepare a configuration file, where $VPNNAME is any name you choose for this VPN (keep the file readable by root only, since openfortivpn also accepts a password line in it):
# cat > /etc/openfortivpn/$VPNNAME << EOF
host = $VPNSERVER
port = 443
username = $VPNUSER
EOF
and then issue the following command (as root):
# openfortivpn -c /etc/openfortivpn/$VPNNAME
openfortivpn verifies the gateway's certificate against the system CA store and refuses to connect if it does not validate, printing the certificate digest that could be pinned with the trusted-cert option: confirm that digest with whoever runs the VPN before adding it to the configuration file, rather than pasting whatever is shown, otherwise the check is worthless against an interposed gateway.
Servers are needed to provide services to other machines.
Install the OpenSSH server:
# aptitude install openssh-server
and immediately stop the daemon until it is properly configured:
# service ssh stop
Now edit /etc/ssh/sshd_config so that it features the following non-comment lines:
# grep -v '^#\|^ *$' /etc/ssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 300
ClientAliveCountMax 150
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
The lines that matter for security are PermitRootLogin no, PasswordAuthentication no together with KbdInteractiveAuthentication no (the latter is what actually stops PAM from prompting for a password, since UsePAM stays yes), PubkeyAuthentication yes, and StrictModes yes, which makes sshd ignore an authorized_keys file whose directory or home is writable by others. Note the Include line at the top: sshd uses the first value it reads for each keyword, so a file in /etc/ssh/sshd_config.d/ overrides anything set below it; check that directory for drop-in files before relying on the lines above. X11Forwarding yes exposes the display of the connecting client to the programs it runs on this machine, not this machine to the client, so it is on the client side that forwarding (ssh -X) should be requested only toward trusted hosts. ClientAliveInterval 300 with ClientAliveCountMax 150 sends a keepalive to an idle client every 5 minutes and drops the connection only after 150 unanswered ones in a row.
Then check the configuration (sshd -t reports syntax errors, sshd -T prints the effective value of every keyword, drop-in files included) and start the daemon:
# service ssh start
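Because of the Include line and the first-value-wins rule, the lines in /etc/ssh/sshd_config are not necessarily what sshd enforces; sshd -T (run as root) prints the effective value of every keyword. The following POSIX shell function is an added example, not part of the original document: it reads a saved copy of that output and reports each of the settings above that does not hold. The two sample outputs embedded in it are constructed to illustrate a hardened host and one where a drop-in file re-enabled password and root logins; they were not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original document): compare a saved copy of
# "sshd -T" output, one lowercase "keyword value" pair per line, with the
# settings this document expects, printing one line per deviation.
# Usage (as root):  sshd -T > /tmp/sshd.effective
#                   . ./check_sshd.sh; check_sshd_effective /tmp/sshd.effective

# Keyword and expected value, one pair per line, for the settings that
# matter in the sshd_config above.
EXPECTED_SSHD_SETTINGS='permitrootlogin no
passwordauthentication no
permitemptypasswords no
kbdinteractiveauthentication no
hostbasedauthentication no
pubkeyauthentication yes
strictmodes yes'

# Constructed sample in the format of "sshd -T" (not captured from a real
# host) that matches the configuration above.
SAMPLE_HARDENED='port 22
permitrootlogin no
strictmodes yes
pubkeyauthentication yes
hostbasedauthentication no
passwordauthentication no
permitemptypasswords no
kbdinteractiveauthentication no
usepam yes
x11forwarding yes'

# Constructed sample of the same host after a drop-in file under
# /etc/ssh/sshd_config.d/ re-enabled password and root logins: the Include
# at the top of sshd_config makes those values win over the ones below it.
SAMPLE_OVERRIDDEN='port 22
permitrootlogin yes
strictmodes yes
pubkeyauthentication yes
hostbasedauthentication no
passwordauthentication yes
permitemptypasswords no
kbdinteractiveauthentication no
usepam yes
x11forwarding yes'

# check_sshd_effective FILE: returns 0 when every expected setting holds,
# 1 otherwise. Each deviation is printed as "MISMATCH ..." or "MISSING ...".
check_sshd_effective() {
    conf=$1
    mismatches=0
    while read -r keyword expected; do
        # First match wins, as in sshd itself; sshd -T prints lowercase keywords.
        actual=$(awk -v k="$keyword" '$1 == k { print $2; exit }' "$conf")
        if [ -z "$actual" ]; then
            echo "MISSING $keyword: not in $conf (expected $expected)"
            mismatches=$((mismatches + 1))
        elif [ "$actual" != "$expected" ]; then
            echo "MISMATCH $keyword: expected $expected, got $actual"
            mismatches=$((mismatches + 1))
        fi
    done <<EOF
$EXPECTED_SSHD_SETTINGS
EOF
    [ "$mismatches" -eq 0 ]
}

# Run with --demo to see the function applied to the two constructed samples.
if [ "${1-}" = "--demo" ]; then
    demo=$(mktemp -d)
    printf '%s\n' "$SAMPLE_HARDENED" > "$demo/hardened"
    printf '%s\n' "$SAMPLE_OVERRIDDEN" > "$demo/overridden"
    echo "hardened sample:"
    check_sshd_effective "$demo/hardened" && echo "  all settings hold"
    echo "overridden sample:"
    check_sshd_effective "$demo/overridden" || echo "  deviations found"
    rm -rf "$demo"
fi
```

A MISMATCH for passwordauthentication while /etc/ssh/sshd_config says no is the typical sign of a drop-in file in /etc/ssh/sshd_config.d/ taking precedence. An end-to-end check from another host is ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password $HOSTNAME, which should fail with "Permission denied (publickey)" without ever prompting for a password.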
Now, in order to access your workstation from a remote machine on your LAN, you have to copy the SSH public key you have in your account on the remote machine to the local workstation and append it to the list of authorized keys for your regular user: the same procedure as above, with the roles of the two machines swapped. Hence, after copying your ~/.ssh/id_rsa.pub from the remote host to your local workstation, make sure ~/.ssh exists with mode 700 (as done above) and create your ~/.ssh/authorized_keys file on the local workstation:
$ touch ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ cat id_rsa.pub >> ~/.ssh/authorized_keys
$ chmod 400 ~/.ssh/authorized_keys
With StrictModes yes in sshd_config, sshd ignores the file if ~/.ssh, the file itself or your home directory is writable by group or others, and logs "Authentication refused: bad ownership or modes" (see journalctl -u ssh or /var/log/auth.log) when it does so.
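The manual steps above, both for installing your key on remote.box.example and for installing the remote host's key on the workstation, are the same procedure; as an added example (not code from the original document), the following POSIX shell function performs them in one go and can be re-run safely: it checks that the file really holds a public key, sets the modes that StrictModes requires, and skips keys that are already present. The sample key embedded in it is constructed, not a real key, and the second argument exists only so that the function can be exercised in a throwaway directory instead of your real home.

```shell
#!/bin/sh
# Added example (not from the original document): the authorized_keys steps
# of this page as one idempotent function.
# Usage: install_authorized_key PUBKEY_FILE [HOME_DIR]
#   HOME_DIR defaults to $HOME; it is a parameter only so the function can be
#   tried out in a scratch directory.

# Constructed sample key: the base64 body is not real key material.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleNotARealKey00000000000000000000 alice@workstation'

install_authorized_key() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # A public key file is a single line: "<keytype> <base64> [comment]".
    # Take only the first line and refuse anything that does not look like
    # one, so a private key or stray text never ends up in authorized_keys.
    # Extend the key type list if you use sk-* (security key) types.
    key=$(head -n 1 "$pubkey_file")
    if ! printf '%s\n' "$key" |
        grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=* ?'; then
        echo "install_authorized_key: $pubkey_file does not hold an OpenSSH public key" >&2
        return 1
    fi

    # sshd with StrictModes yes ignores the file if ~/.ssh or the file is
    # writable by group or others, so set the modes explicitly every time.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    [ -e "$auth_keys" ] || touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Compare type and key material only, so that the same key with a
    # different comment is not appended twice.
    key_material=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if grep -Fq -- "$key_material" "$auth_keys"; then
        echo "install_authorized_key: key already present in $auth_keys" >&2
    else
        printf '%s\n' "$key" >> "$auth_keys"
    fi
    chmod 400 "$auth_keys"
}

# Run with --demo to exercise the function in a throwaway directory.
if [ "${1-}" = "--demo" ]; then
    demo=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PUBKEY" > "$demo/id_ed25519.pub"
    install_authorized_key "$demo/id_ed25519.pub" "$demo"
    # the second run finds the key and changes nothing
    install_authorized_key "$demo/id_ed25519.pub" "$demo"
    cat "$demo/.ssh/authorized_keys"
    rm -rf "$demo"
fi
```

On the real machine the call is simply install_authorized_key id_rsa.pub, with id_rsa.pub being the file brought over from the other host; the function leaves authorized_keys with mode 400 and ~/.ssh with mode 700, as the manual steps do.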
Now you have some useful network tools installed and configured. Next step is configuring the system for e-mail handling. More details in a separate document (HTML, reST).