Ubuntu LTS Set-Up – The Stuff We Use

It is not every day that I have to set up a fresh install of Ubuntu, and I end up forgetting and having to repeat research on specific “tweaks”. I am now using this page as my own reference.

SSHd

install ssh
- apt install openssh-server
- systemctl enable ssh
create public key in ~/.ssh/authorized_keys

configure SSHd

ensure the “main” /etc/ssh/sshd_config has the Include /etc/ssh/sshd_config.d/*.conf directive at the very first active/non-commented line

create /etc/ssh/sshd_config.d/00-default.conf with the following:

# enable tunnelled password authentication
PasswordAuthentication yes
ChallengeResponseAuthentication yes

# enable public key authentication w/possible less secure RSA keys
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes=+ssh-rsa
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

# use local PAM
UsePAM yes

# disable root login
PermitRootLogin no
PermitEmptyPasswords no

# enforce pubkey THEN password requirement:
AuthenticationMethods publickey,password

X11Forwarding yes
AllowAgentForwarding no
AllowTcpForwarding no
PrintMotd no

ensure existing ‘root’ SSH session/alternate root access in case of required rollback
restart SSHd – any configuration issues would prevent service from restarting:
- systemctl restart ssh
test SSH log in with authorized public key then password

Window Manager and GUI

install a GUI/desktop for Ubuntu server
- apt install lightdm
  
  Yes, I know lightdm runs as root, vs. gdm3 which only runs the “greeter”/login manager but passes ownership to the current logged-in user, but ends up requiring a whole litany of complex work-arounds (like here and/or here) to make x11vnc work (instructions below)…
- apt install ubuntu-desktop

x11vnc

assuming lightdm has been installed (as above)
install x11vnc:
- apt install x11vnc
create the password file for VNC access (past initial “one-password-for-all” authentication, the VNC window appears and OS credentials are then required):
- as x11vnc runs as root be default, create directory to store the password file then secure it:
```
mkdir /root/.vnc
chmod go-rwx /root/.vnc
```

- run x11vnc -storepasswd /root/.vnc/passwd then enter the password on the masked prompt

create the /usr/lib/systemd/system/x11vnc.service x11vnc service file:

[Unit]
Description=Start x11vnc at startup.
After=multi-user.target

[Service]
Type=simple
ExecStart=/usr/bin/x11vnc -auth guess -forever -loop -noxdamage -repeat -rfbauth /root/.vnc/passwd -rfbport 5900 -shared -display :0

[Install]
WantedBy=multi-user.target

reload systemd configuration:
- systemctl daemon-reload
enable x11vnc service:
- systemctl enable x11vnc
disable Wayland
- edit /etc/gdm3/custom.conf and remove the comment mark (“#” character) from the line
```
#WaylandEnable=false
```
reboot

systemd-networkd

tired of those 120s boot delays while the network waits for DHCP?
following this fix:
- sudo systemctl disable systemd-networkd-wait-online.service
- sudo systemctl mask systemd-networkd-wait-online.service
also mark all unneeded interfaces as optional e.g. in /etc/netplan/nn-whatever.yaml:
to find out which services are impacted:
- sudo systemctl show -p WantedBy network-online.target

Repository Maintenance

upgrading from old versions may have “remnant” repositories lurking around
- show the what is in the encoded /etc/apt/trusted.gpg file:
  - apt-key --list
- manually remove individual entries (using the fingerprint):
  - apt-key del "xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx"
- check the sources in /etc/apt/sources.list.d
- check the trusted sources in /etc/apt/trusted.gpg.d
- check sources in /etc/apt/sources.list:
  - show what is in /etc/apt/sources.list:
    - add-apt-repository --list
  - manually remove individual entries (using entire line):
    - add-apt-repository --remove "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main"
purging removed packages with “residual-config” (e.g. configuration files):
- apt list | grep residual-config | cut -d'/' -f1 | sudo xargs apt -y purge

Fix Broken/Partial/Stuck Package Installs

try any of the following in order:
- sudo dpkg --configure -a
- sudo apt-get install -f
- delete pending actions:
  - sudo rm -fr /var/lib/dpkg/updates/*

Serial Console

trying to get Ubuntu to pipe everything through the serial console that may be available on your motherboard is a two-step process:
1. getting GRUB to redirect everything (although tooling to do an install outright from console-only is out of scope here):
  - make a backup before doing anything:
    - sudo cp /etc/default/grub /etc/default/grub.bak
  - sudo vi /etc/default/grub and add/edit the following lines:
```
GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS4,115200n8"
GRUB_TERMINAL_INPUT="console serial"
GRUB_TERMINAL_OUTPUT="console gfxterm serial"
GRUB_SERIAL_COMMAND="serial --port=mmio,0xdf519000 --speed=115200 --word=8 --parity=no --stop=1"
```
    - note that the --port argument is usually replaced with --unit; I only document this parameter here in reference with another page – check the manual for more information
  - update grub (sudo update-grub), and after step #2 below, reboot!
2. getting Ubuntu to stick to the baud rate for a specific serial port (the “generic” agetty’s --keep-baud does not seem to work!)
  - create a copy of the serial-getty@tty.service file specific to the serial port (which in my example, is ttyS4):
    - sudo cp /lib/systemd/system/serial-getty\@.service /lib/systemd/system/serial-getty\@ttyS4.service
  - sudo vi /lib/systemd/system/serial-getty\@ttyS4.service and edit the agetty command line to force the baud rate, e.g.:
    - changing:
      - ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 - $TERM
    - to:
      - ExecStart=-/sbin/agetty -o '-p -- \\u' 115200 - $TERM
  - link the new service file:
    - ln -s /lib/systemd/system/serial-getty@ttyS4.service /etc/systemd/system/getty.target.wants/
  - then reload systemctl and start the service:
    - systemctl daemon-reload
    - systemctl start serial-getty@ttyS4.service

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.