Ubuntu LTS Set-Up

It is not every day that I have to set up a fresh install of Ubuntu, so I end up forgetting and repeating the research on specific “tweaks”. I am now using this page as my own reference.

SSHd

  • install ssh
    • apt install openssh-server
    • systemctl enable ssh
  • add your public key to ~/.ssh/authorized_keys
  • configure SSHd
    • ensure the “main” /etc/ssh/sshd_config has the Include /etc/ssh/sshd_config.d/*.conf directive at the very first active/non-commented line
    • create /etc/ssh/sshd_config.d/00-default.conf with the following:
      # enable tunnelled password authentication
      PasswordAuthentication yes
      ChallengeResponseAuthentication yes
      
      # enable public key authentication, also accepting the (less secure) ssh-rsa key type
      PubkeyAuthentication yes
      PubkeyAcceptedKeyTypes=+ssh-rsa
      AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
      
      # use local PAM
      UsePAM yes
      
      # disable root login
      PermitRootLogin no
      PermitEmptyPasswords no
      
      # enforce pubkey THEN password requirement:
      AuthenticationMethods publickey,password
      
      X11Forwarding yes
      AllowAgentForwarding no
      AllowTcpForwarding no
      PrintMotd no
    • keep an existing ‘root’ SSH session open (or another means of root access) in case a rollback is required
    • restart SSHd – any configuration error would prevent the service from restarting:
      • systemctl restart ssh
    • test an SSH log-in with the authorized public key, then the password
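Before restarting, it is worth checking that the layout above actually takes effect. sshd keeps the first value it reads for each keyword, so a directive sitting before the Include line in the main sshd_config silently wins over anything in 00-default.conf. The following is an added example, not part of the original page: a few POSIX sh functions that verify the Include is the first active line, read the effective value of a keyword from the drop-in, and gate the restart on those checks plus sshd's own syntax test (sshd -t). File paths are taken as arguments so the functions can be exercised on scratch files; the page's real paths appear in the usage comment.

```shell
#!/bin/sh
# Added example, not part of the original page: pre-flight checks for the
# sshd drop-in layout described above, meant to run before
# "systemctl restart ssh". Paths are arguments so the functions can be
# tested against scratch files; the page's real paths are in the usage
# comment at the end.

# Print the first line of FILE that is neither blank nor a comment.
first_active_line() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" | head -n 1
}

# Succeed when the first active line of the main sshd_config is the
# Include of the drop-in directory. sshd keeps the FIRST value it sees for
# each keyword, so a directive placed before the Include would silently
# override anything in 00-default.conf.
include_is_first() {
    case "$(first_active_line "$1")" in
        Include*/etc/ssh/sshd_config.d/\*.conf*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the effective (first) value of KEYWORD in FILE, first word only.
# Keywords are case-insensitive and may be written "Key value" or
# "Key=value", both forms being used in the drop-in above.
directive_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            sub(/^[[:space:]]+/, "")
            split($0, f, /[[:space:]]*=[[:space:]]*|[[:space:]]+/)
            if (tolower(f[1]) == tolower(key)) { print f[2]; exit }
        }' "$1"
}

# Succeed when KEYWORD in FILE has exactly the value WANT.
directive_is() {
    [ "$(directive_value "$1" "$2")" = "$3" ]
}

# Run the checks the procedure relies on; print the first failure and
# return non-zero so the result can gate the restart.
check_sshd_layout() {
    main=$1; dropin=$2
    include_is_first "$main" \
        || { echo "Include is not the first active line of $main"; return 1; }
    for pair in PermitRootLogin=no PasswordAuthentication=yes \
                PubkeyAuthentication=yes AuthenticationMethods=publickey,password; do
        key=${pair%%=*}; want=${pair#*=}
        directive_is "$dropin" "$key" "$want" \
            || { echo "$key is not '$want' in $dropin"; return 1; }
    done
    return 0
}

# Usage on a real host (needs root for sshd -t), with a second root
# session kept open as the page advises:
#   check_sshd_layout /etc/ssh/sshd_config /etc/ssh/sshd_config.d/00-default.conf \
#     && sshd -t && systemctl restart ssh
```

After the restart, sshd -T dumps the effective configuration (all keywords lower-cased), which is the quickest way to confirm that permitrootlogin, authenticationmethods and friends ended up with the values from the drop-in rather than from a stray line elsewhere.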

Window Manager and GUI

  • install a GUI/desktop for Ubuntu server
    • apt install lightdm

      Yes, I know lightdm runs as root, whereas gdm3 only runs the “greeter”/login manager as root and hands ownership over to the logged-in user; but gdm3 then requires a whole litany of complex work-arounds to make x11vnc work (instructions below)…

    • apt install ubuntu-desktop

x11vnc

  • assuming lightdm has been installed (as above)
  • install x11vnc:
    • apt install x11vnc
  • create the password file for VNC access (the single shared VNC password only gates the connection; once the VNC window appears, OS credentials are still required to log in):
    • as x11vnc runs as root by default, create a directory to store the password file, then restrict its permissions:
      mkdir /root/.vnc
      chmod go-rwx /root/.vnc
    • run x11vnc -storepasswd /root/.vnc/passwd then enter the password on the masked prompt
  • create the x11vnc service file /usr/lib/systemd/system/x11vnc.service:
    [Unit]
    Description=Start x11vnc at startup.
    After=multi-user.target
    
    [Service]
    Type=simple
    ExecStart=/usr/bin/x11vnc -auth guess -forever -loop -noxdamage -repeat -rfbauth /root/.vnc/passwd -rfbport 5900 -shared -display :0
    
    [Install]
    WantedBy=multi-user.target
  • reload systemd configuration:
    • systemctl daemon-reload
  • enable x11vnc service:
    • systemctl enable x11vnc
  • disable Wayland
    • edit /etc/gdm3/custom.conf and remove the comment mark (“#” character) from the line
      #WaylandEnable=false
  • reboot

systemd-networkd

  • tired of those 120s boot delays while the network waits for DHCP?
  • apply the following fix:
    • sudo systemctl disable systemd-networkd-wait-online.service
    • sudo systemctl mask systemd-networkd-wait-online.service
  • also mark all unneeded interfaces as optional (the optional: true key under the interface) in the netplan configuration, e.g. in /etc/netplan/nn-whatever.yaml
  • to find out which services are impacted:
    • sudo systemctl show -p WantedBy network-online.target

Repository Maintenance

  • upgrading from old versions may leave “remnant” repositories lurking around
    • show what is in the binary /etc/apt/trusted.gpg keyring:
      • apt-key list
    • manually remove individual entries (using the fingerprint):
      • apt-key del "xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx"
    • check the sources in /etc/apt/sources.list.d
    • check the trusted sources in /etc/apt/trusted.gpg.d
    • check sources in /etc/apt/sources.list:
      • show what is in /etc/apt/sources.list:
        • add-apt-repository --list
      • manually remove individual entries (using entire line):
        • add-apt-repository --remove "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main"
  • purging removed packages that left “residual-config” (configuration files) behind:
    • apt list | grep residual-config | cut -d'/' -f1 | sudo xargs apt -y purge
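Two helpers for the clean-up above, added here as an example and not taken from the original page. The first goes one step past “check the sources”: any deb line without a signed-by= option is verified against the shared keyring (/etc/apt/trusted.gpg and trusted.gpg.d), where every key can sign every repository, so listing those lines shows which third-party sources still rely on the global trust store. The second selects the same “residual-config” packages as the apt list pipeline, but from dpkg -l, whose “rc” status column (removed, config files remain) is a stable interface. File names are the page's; the sample data in the test is constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: helpers for the apt
# repository clean-up described above.

# Print deb/deb-src lines from the given files that carry no
# [ ... signed-by=... ] option, i.e. sources still trusting the shared
# keyring. Comments and blank lines are ignored. Only the one-line
# sources.list format is handled, not deb822 .sources files.
unscoped_sources() {
    grep -h -E '^[[:space:]]*deb(-src)?[[:space:]]' "$@" \
    | grep -v -E '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*signed-by='
}

# Read "dpkg -l" output on stdin and print the names of packages that
# were removed but left configuration behind (dpkg status "rc": desired
# state Remove, actual state Config-files).
residual_config_packages() {
    awk '$1 == "rc" { print $2 }'
}

# Usage on a real host; review the output before feeding it to purge:
#   unscoped_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list
#   dpkg -l | residual_config_packages | xargs -r sudo apt-get purge
```

The page's own example line, deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main, is exactly the kind of entry unscoped_sources reports: it has an options block but no signed-by=, so whatever key was added for it lives in the global keyring.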

Fix Broken/Partial/Stuck Package Installs

  • try any of the following in order:
    • sudo dpkg --configure -a
    • sudo apt-get install -f
    • delete pending actions:
      • sudo rm -fr /var/lib/dpkg/updates/*

Serial Console

  • getting Ubuntu to pipe everything through a serial console that may be available on your motherboard is a two-step process:
    1. getting GRUB to redirect everything (although tooling to do an install outright from console-only is out of scope here):
      • make a backup before doing anything:
        • sudo cp /etc/default/grub /etc/default/grub.bak
      • sudo vi /etc/default/grub and add/edit the following lines:
        GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS4,115200n8"
        GRUB_TERMINAL_INPUT="console serial"
        GRUB_TERMINAL_OUTPUT="console gfxterm serial"
        GRUB_SERIAL_COMMAND="serial --port=mmio,0xdf519000 --speed=115200 --word=8 --parity=no --stop=1"
        • note that the --port argument is usually replaced with --unit; I only document this parameter here in reference to another page – check the manual for more information
      • update grub (sudo update-grub), and after step #2 below, reboot!
    2. getting Ubuntu to stick to the baud rate for a specific serial port (the “generic” agetty’s --keep-baud does not seem to work!)
      • create a copy of the serial-getty@.service template specific to the serial port (which in my example is ttyS4):
        • sudo cp /lib/systemd/system/serial-getty\@.service /lib/systemd/system/serial-getty\@ttyS4.service
      • sudo vi /lib/systemd/system/serial-getty\@ttyS4.service and edit the agetty command line to force the baud rate, e.g.:
        • changing:
          • ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 - $TERM
        • to:
          • ExecStart=-/sbin/agetty -o '-p -- \\u' 115200 - $TERM
      • link the new service file:
        • ln -s /lib/systemd/system/serial-getty@ttyS4.service /etc/systemd/system/getty.target.wants/
      • then reload systemd and start the service:
        • systemctl daemon-reload
        • systemctl start serial-getty@ttyS4.service
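The two steps have to agree on port and baud rate, and a unit copied into /lib/systemd/system is overwritten the next time the systemd package is upgraded. The following added example (not from the original page) ties both steps together: it reads GRUB_CMDLINE_LINUX_DEFAULT from the grub defaults file, extracts port and baud rate from the last serial console= entry (the one the kernel uses for /dev/console; 9600n8 is the kernel's default when no options are given), and writes the fixed-rate agetty command as a systemd drop-in under /etc/systemd/system, which survives upgrades. The ROOT argument is an assumption for testing on a scratch directory; on a real host pass "/".

```shell
#!/bin/sh
# Added example, not part of the original page: derive the getty settings
# from the kernel console= argument so step 1 (GRUB) and step 2 (agetty)
# agree, and install step 2 as a drop-in under /etc/systemd/system instead
# of a copied template in /lib/systemd/system, which the systemd package
# overwrites on upgrade. ROOT exists so the writer can be exercised on a
# scratch directory; on a real host pass "/".

# Print the value of GRUB_CMDLINE_LINUX_DEFAULT from a grub defaults file
# (last assignment wins, as in the shell), without the surrounding quotes.
grub_cmdline() {
    grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# From a kernel command line, print "<port> <baud>" for the last ttyS
# console= entry (the last console= becomes /dev/console). Options such
# as "115200n8" are reduced to the numeric rate; with no options the
# kernel's default of 9600n8 applies.
parse_serial_console() {
    printf '%s\n' "$1" | tr ' ' '\n' \
    | awk -F'[=,]' '
        $1 == "console" && $2 ~ /^ttyS/ { port = $2; baud = $3; sub(/[^0-9].*$/, "", baud) }
        END { if (port != "") print port, (baud == "" ? "9600" : baud) }'
}

# Write the drop-in that fixes the baud rate for serial-getty@PORT and
# print its path. On a real host follow with:
#   systemctl daemon-reload && systemctl enable --now serial-getty@ttyS4.service
write_getty_override() {
    root=$1; port=$2; baud=$3
    dir="$root/etc/systemd/system/serial-getty@$port.service.d"
    mkdir -p "$dir"
    cat > "$dir/override.conf" <<EOF
[Service]
# An empty ExecStart= clears the template's command before replacing it.
ExecStart=
ExecStart=-/sbin/agetty -o '-p -- \\\\u' $baud - \$TERM
EOF
    printf '%s\n' "$dir/override.conf"
}

# Tie the steps together: read the grub defaults, find the serial console,
# write the matching drop-in. Fails (printing nothing) when no ttyS
# console is configured, so nothing is written by mistake.
install_serial_getty() {
    root=$1; grubfile=$2
    console=$(parse_serial_console "$(grub_cmdline "$grubfile")")
    [ -n "$console" ] || return 1
    write_getty_override "$root" ${console}
}
```

The generated ExecStart matches the edited line in step 2 above (fixed 115200 in place of --keep-baud), only placed in a drop-in so the packaged template can stay untouched and no symlink into getty.target.wants is needed.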