-
Notifications
You must be signed in to change notification settings - Fork 0
/
Debian_Tips.mw
375 lines (255 loc) · 14.2 KB
/
Debian_Tips.mw
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
{{Header}}
{{Title|
title=Debian Host Operating System Tips
}}
{{#seo:
|description=Debian tips, tricks, recommendations related to {{project_name_long}}.
|image=Debian.png
}}
[[File:Debian.png|Debian Logo|200px|thumb]]
{{intro|
Debian tips, tricks, recommendations related to {{project_name_short}}.
}}
= Introduction =
This wiki page describes how to:
# securely download and verify Debian;
# install Debian as a host operating system; and
# configure it to minimize the attack surface.
Readers who are interested in running {{project_name_short}} for Debian inside VirtualBox should refer to [[Debian|this page]].
= Prerequisite Knowledge =
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = Everything mention on this wiki page and Debian is completely free in price as well as in freedom. No payment required. No credit card required. No submission of real name or other private information required.
The meaning of "<code>non-free</code>" might be confusing at first. When the Debian website or other Open Source / Free Software related websites write "<code>non-free</code>" they mean actually "<code>non-free<u>dom</u></code>" (no software freedom or software freedom limitations). Downloads marked "<code>non-free</code>" on the Debian website are always free to download, zero price, free of charge. This also applies generally to most other Debian, Linux and Freedom Software related websites.
Similarly, the meaning of "<code>free</code>" is actually "<code>freedom</code>" which isn't as confusing. It's getting more confusing when negating the meaning with "<code>non-free</code>" as explained above.
This is for historic reasons etc. See footnote for details. <ref>
Similarly, the meaning of "<code>free</code>" means actually "<code>free<u>dom</u></code>". Except in rare cases, the download and use of Freedom Software ("Free Software") in most cases is free in price.
This is a very old issue. The founders of the Free Software movement and the Free Software Foundation are adamant about calling it "Free Software" rather than "Freedom Software" what it really is about. The user would have to learn the essentials what Free Software is.
Related: [https://forums.whonix.org/t/lets-call-it-freedom-software-rather-than-free-software-or-open-source/6961 Let's call it Freedom Software rather than Free Software or Open Source!] / [[Reasons for Freedom Software|Why {{project_name_short}} will always be Free as in Price as well as in Freedom]] / [[Policy_On_Nonfreedom_Software|{{project_name_short}} Policy On Non-Freedom Software]] / [[Dev/nonfree]]
</ref> See also [[Avoid_nonfreedom_software|reasons to avoid non-freedom software]].
}}
{{amd64}}
= Download and Verification =
This chapter documents how to securely download and perform digital software verification of a Debian installation <code>iso</code> image. The recommended way to verify the Debian Signing key is to use the [[OpenPGP|web of trust]]. This is more secure, but not available to everyone. This chapter documents an alternative and supplementary way to verify the Debian Signing key. It utilizes an existing installation such as for example Debian, Qubes Debian Template, or Ubuntu, which is already considered trusted by the user; for example one bought from a reseller or provided by a friend who verified it.
{{always_verify_signatures_reminder}}
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = The following method should work for Debian and any Debian derivative including Qubes Debian Template based App Qube.
Qubes users note: It is recommended to use a dedicated App Qubes, perhaps named <code>iso-download</code>.
}}
{{Box|text=
'''1.''' Open a terminal.
'''2.''' Open the Debian Stable (<code>{{Stable_project_version_based_on_Debian_codename}}</code>) <code>amd64</code> download page in a web browser.
This examples uses the following example the non-freedom <code>iso</code> DVD.
If using {{project_name_short}} at time of writing to [[Secure Downloads|securely download]] command line the following command could be used.
'''3.''' Download necessary files.
* <code>SHA512SUMS</code>
* <code>SHA512SUMS.sign</code>
* the <code>.iso</code>
Note: Either adjust the link if later needed or download using a web browser. (Perhaps wiki [[Template:stable project version based on Debian version iso]] needs to be updated.)
Download <code>.iso</code> image.
{{CodeSelect|code=
scurl-download https://cdimage.debian.org/cdimage/release/current-live/amd64/iso-hybrid/debian-live-12.0.0-amd64-xfce.iso
}}
Download hash sum digital signature.
{{CodeSelect|code=
scurl-download https://cdimage.debian.org/cdimage/release/current-live/amd64/iso-hybrid/SHA512SUMS.sign
}}
Download hash sum file.
{{CodeSelect|code=
scurl-download https://cdimage.debian.org/cdimage/release/current-live/amd64/iso-hybrid/SHA512SUMS
}}
'''4.''' Install the <code>debian-keyring</code> package, which contains the Debian signing key. <ref>
[https://www.debian.org/CD/verify Verifying authenticity of Debian CDs]
</ref>
{{CodeSelect|code=
sudo apt install debian-keyring
}}
'''5.''' Change directory.
Navigate to the folder where the files <code>SHA512SUMS</code>, <code>SHA512SUMS.sign</code> and the ISO were downloaded.
'''6.''' Digital software signature verification of the <code>SHA512SUMS</code> file.
{{CodeSelect|code=
gpg --no-default-keyring --keyring /usr/share/keyrings/debian-role-keys.gpg --verify SHA512SUMS.sign
}}
'''7.''' Confirm the signature is valid.
The output must show.
<pre>
gpg: Good signature
</pre>
Otherwise something went wrong.
{{GnuPG-Warning}}
'''8.''' Hash sum check
Verify that the <code>.iso</code> matches the signed <code>SHA512SUMS</code> file.
{{CodeSelect|code=
sha512sum --check --ignore-missing SHA512SUMS
}}
The output must show.
<pre>
OK
</pre>
'''9.''' Done.
The procedure of downloading and digital software signature verification of the Debian <code>.iso</code> is complete.
}}
= Installation =
== Writing the iso image to USB ==
{{Tab
|type=controller
|addToClass=tcc-indent tcc-dark
|linkid=debian-qubes
|content=
{{Tab
|title= === Debian ===
|addToClass=info-box
|type=section
|image=[[File:Debian.png|25px]]
|active=true
|content=
[[Undocumented]].
}}
{{Tab
|title= === Qubes ===
|addToClass=info-box
|type=section
|image=[[File:Qubes-logo-blue.png|25px]]
|content=
These instructions are for users of Qubes only.
It is recommended to use a dedicated App Qubes, perhaps named <code>iso-download</code>.
'''1.''' Physically detach all removable USB hard drives, if any.
In dom0.
As per the usual process.
'''2.''' Have a look at the Qubes systray area in dom0.
'''3.''' However over with the mouse to the yellow symbol which should show "Qubes Devices" in dom0.
'''4.''' Left click on Qubes Devices in dom0.
'''5.''' Remember the currently available devices.
Consider making a photo or notes.
'''6.''' Attach the USB hard drive using Qubes Devices which the ISO should be written in dom0.
'''7.''' Recognize the hopefully recognized newly attached USB hard drive in Qubes Devices in dom0.
Should show something like <code>sys-usb:sd<u>a</u></code>.
If there is also <code>sys-usb:sd<u>a</u>1</code> then that is ok. It's a partition. And can be safely ignored for this procedure.
'''8.''' Attach the newly added USB hard drive to the VM where the ISO has been downloaded.
In dom0. Using Qubes Devices.
'''9.''' Write the iso the the USB hard drive.
Inside the <code>iso-download</code> App Qubes.
Warnings:
* Do not proceed if other devices are connected to that VM!
* All data on the device will be lost!
NOTE: Replace <code>debian-{{stable project version based on Debian version iso}}-amd64-DVD-1.iso</code> with the file name / path to another ISO file if another ISO was downloaded or downloaded in a different location.
* freedom version: {{CodeSelect|code=
sudo dd bs=64K conv=noerror,sync status=progress if=debian-{{stable project version based on Debian version iso}}-amd64-DVD-1.iso of=/dev/xvdi
}}
* non-freedom version: {{CodeSelect|code=
sudo dd bs=64K conv=noerror,sync status=progress if=firmware-{{stable project version based on Debian version iso}}-amd64-DVD-1.iso of=/dev/xvdi
}}
'''10.''' Check exit code.
Inside the <code>iso-download</code> App Qubes.
{{CodeSelect|code=
echo $?
}}
Expected output if success.
<pre>
0
</pre>
'''11.''' Shutdown the VM.
Inside the <code>iso-download</code> App Qube.
{{CodeSelect|code=
sudo poweroff
}}
'''11.''' Use Qubes Devices in dom0 to detach the USB hard drive from the <code>iso-download</code> App Qube.
'''12.''' Done.
The process of writing the ISO image to the USB drive has been completed.
}}
}} <!-- end of tab controller 1 -->
== Upstream Documentation ==
For more detailed information on every step in the installation process consult the Debian manual available in [https://www.debian.org/releases/stable/amd64/index.en.html HTML], preferably on another device than the one that will be formatted.
== Tips ==
To successfully and safely complete the installation, note the following:
* In Linux, the <code>dd</code> utility is utilized to [https://www.debian.org/CD/faq/#write-usb create install media].
* In Windows, the Debian install USB/DVD can be created with the rufus utility as described [https://unix.stackexchange.com/a/263636 here].
* From a usability perspective, it is recommended to always have a network connection when installing Debian; see [https://raphaelhertzog.com/2011/06/13/why-you-should-always-have-a-network-connection-when-installing-debian/ here].
* From a security perspective, it is safest to avoid Internet connections until ready.
{{sdebian
|link=https://www.debian.org/doc/manuals/securing-debian-manual/ch03s03.en.html
|text=Do not plug to the Internet until ready
}}
== Default Desktop Environment ==
Readers may have noticed the default desktop environment for {{project_name_short}} Virtual Machines is Xfce (although that can be changed). The preferred desktop environment is of little consequence; for example the default Debian desktop environment is GNOME. Users who are already accustomed to {{project_name_short}} (Xfce) can utilize the same environment for the Debian host as well, but this is not compulsory.
<pre>
## Installing KDE, LXDE or Xfce this way works if you are using a DVD image or network installation (but not with CD images)
Debian boot menu → Advanced Options → Alternative Desktop Environments →
Feel free to choose:
- KDE
- LXDE
- Xfce
</pre>
It is also possible to install another desktop environment later on or configure a switch from one to another.
== Other Packages ==
To learn more about the "default", "notebook" or "standard" packages see: [https://wiki.debian.org/tasksel tasksel].
= Post-installation Steps =
== Open Ports ==
{{mbox
| image = [[File:Ambox_warning_pn.svg.png|40px]]
| text = This section is incomplete.
}}
{{mbox
| type = critical
| image = [[File:Ambox_warning_pn.svg.png|40px]]
| text = '''Qubes Users Warning:''' This is a notice for users who already have a Debian Template in Qubes. Other users can ignore this warning.
Do <u>not</u> use this method inside ''Debian-Qubes'' because it will destroy and stop the Template / App Qube from starting again.
The commands in this chapter should only be considered on a real Debian system.
}}
{{Box|text=
'''1.''' Check open ports.
{{CodeSelect|code=
su -
}}
{{CodeSelect|code=
netstat -anltp | grep "LISTEN"
}}
A safe configuration must show no ports are open (no reply).
'''2.''' Remove any services which open ports. <ref>For documentation purposes a Debian installation has been completed with as many services as possible using tasksel, while having a network connection (simulating user misunderstanding). A normal Debian installation with default settings does not install all those packages.</ref>
{{CodeSelect|code=
su -
}}
{{CodeSelect|code=
apt remove dovecot-core openbsd-inetd bind9 samba cups cups-daemon apache2 postgres*
}}
{{CodeSelect|code=
apt remove exim4 exim4-daemon-light rpcbind openssh-server apache2.2-bin avahi*
}}
{{CodeSelect|code=
apt autoremove
}}
'''3.''' Check open ports again.
{{CodeSelect|code=
su -
}}
{{CodeSelect|code=
netstat -anltp | grep "LISTEN"
}}
A safe configuration must show no ports are open (no reply).
}}
== Security ==
[https://www.debian.org/doc/manuals/securing-debian-manual/ch12.en.html#id-1.13.3.2 Quote]:
<blockquote>'''Is Debian more secure than X?'''
A system is only as secure as its administrator is capable of making it. Debian's default installation of services aims to be secure, but may not be as paranoid as some other operating systems which install all services disabled by default. In any case, the system administrator needs to adapt the security of the system to the local security policy.
</blockquote>
It is unclear if Debian is referring to running services after installing them or having no services running (no open ports) after an installation with default settings. Debian does not do the latter, which is a pity. Despite Debian's preference for running services after installation, this issue should not distract from the relative strength of the platform when properly configured.
Some useful security links are listed below. Some content in the references are outdated because they only apply to older Debian versions. Similarly, some content does not apply to {{project_name_short}} hosts.
* [https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html Securing Debian Manual]
* [https://www.debian.org/doc/manuals/securing-debian-manual/ch12.en.html Securing Debian Manual Chapter 12: Frequently asked Questions (FAQ)]
* [https://web.archive.org/web/20111214174314/http://hermann-uwe.de/blog/towards-a-moderately-paranoid-debian-laptop-setup--part-1-base-system Towards a moderately paranoid Debian laptop setup] (this is also useful for non-laptops)
== sudoers ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = This procedure is optional. Before proceeding, first consider whether this change is desirable. <ref>
If this action is taken, {{Code2|sudo}} can be used as outlined below and elsewhere. Otherwise, it is necessary to manually switch to root and/or use {{Code2|su}} as per [[About#Based_on_Debian]].
</ref>
}}
{{Sudo_Setup}}
= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]