Ubuntu LTS Set-Up
It is not every day that I have to set up a fresh install of Ubuntu, and I end up forgetting and having to repeat research on specific “tweaks”. I am now using this page as my own reference.
SSHd
- install ssh:
    apt install openssh-server
    systemctl enable ssh
- create public key in ~/.ssh/authorized_keys
- configure SSHd
  - ensure the “main” /etc/ssh/sshd_config has the Include /etc/ssh/sshd_config.d/*.conf directive at the very first active/non-commented line
  - create /etc/ssh/sshd_config.d/00-default.conf with the following:
      # enable tunnelled password authentication
      PasswordAuthentication yes
      ChallengeResponseAuthentication yes
      # enable public key authentication w/possibly less secure RSA keys
      PubkeyAuthentication yes
      PubkeyAcceptedKeyTypes=+ssh-rsa
      AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
      # use local PAM
      UsePAM yes
      # disable root login
      PermitRootLogin no
      PermitEmptyPasswords no
      # enforce pubkey THEN password requirement:
      AuthenticationMethods publickey,password
      X11Forwarding yes
      AllowAgentForwarding no
      AllowTcpForwarding no
      PrintMotd no
  - keep an existing ‘root’ SSH session (or alternate root access) open in case a rollback is required
  - restart SSHd – any configuration issues would prevent service from restarting:
      systemctl restart ssh
  - test SSH log in with authorized public key then password
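A check to run between the restart and the test log-in, added here as an example and not part of the original notes: sshd keeps the first value it obtains for each keyword, which is why the Include line has to come first, and this script compares the effective settings in the format printed by sshd -T against the values in 00-default.conf. The helper name check_sshd_policy and both sample inputs are constructed for illustration.

```bash
#!/bin/sh
# Added example: verify that the drop-in's values are the ones sshd really uses.
# Input is the output format of `sshd -T`: one lowercase "keyword value" per line.

# Expected effective values, taken from 00-default.conf above.
POLICY='passwordauthentication yes
pubkeyauthentication yes
permitrootlogin no
permitemptypasswords no
authenticationmethods publickey,password
allowagentforwarding no
allowtcpforwarding no'

# check_sshd_policy (hypothetical helper): reads effective config on stdin,
# prints one line per deviation, returns 0 only when every entry matches.
check_sshd_policy() {
  POLICY="$POLICY" awk '
    BEGIN {
      n = split(ENVIRON["POLICY"], rows, "\n")
      for (i = 1; i <= n; i++) { split(rows[i], kv, " "); want[kv[1]] = kv[2] }
    }
    (tolower($1) in want) { got[tolower($1)] = $2 }
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        split(rows[i], kv, " "); k = kv[1]
        if (!(k in got))            { print "MISSING  " k " (want " want[k] ")"; bad++ }
        else if (got[k] != want[k]) { print "MISMATCH " k ": got " got[k] ", want " want[k]; bad++ }
      }
      exit (bad > 0)
    }'
}

# Constructed samples, not captured from a real host.
SAMPLE_OK="$POLICY
x11forwarding yes"
# What a main sshd_config that sets values above the Include would produce.
SAMPLE_SHADOWED='passwordauthentication yes
pubkeyauthentication yes
permitrootlogin no
permitemptypasswords no
authenticationmethods any
allowagentforwarding no
allowtcpforwarding yes'

# Demo on the constructed sample; on a host use: sudo sshd -T | check_sshd_policy
printf '%s\n' "$SAMPLE_SHADOWED" | check_sshd_policy || echo "drop-in not in effect"
```

A non-zero exit means the drop-in is being overridden, so keep the existing root session open until the check passes.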
Window Manager and GUI
- install a GUI/desktop for Ubuntu server:
    apt install lightdm
  Yes, I know lightdm runs as root, vs. gdm3 which only runs the “greeter”/login manager but passes ownership to the current logged-in user, but ends up requiring a whole litany of complex work-arounds (like here and/or here) to make x11vnc work (instructions below)…
    apt install ubuntu-desktop
x11vnc
- assuming lightdm has been installed (as above)
- install x11vnc:
    apt install x11vnc
- create the password file for VNC access (past initial “one-password-for-all” authentication, the VNC window appears and OS credentials are then required):
  - as x11vnc runs as root by default, create directory to store the password file then secure it:
      mkdir /root/.vnc
      chmod go-rwx /root/.vnc
- create the /usr/lib/systemd/system/x11vnc.service x11vnc service file:
    [Unit]
    Description=Start x11vnc at startup.
    After=multi-user.target

    [Service]
    Type=simple
    ExecStart=/usr/bin/x11vnc -auth guess -forever -loop -noxdamage -repeat -rfbauth /root/.vnc/passwd -rfbport 5900 -shared -display :0

    [Install]
    WantedBy=multi-user.target
- reload systemd configuration:
    systemctl daemon-reload
- enable x11vnc service:
    systemctl enable x11vnc
- disable Wayland
  - edit /etc/gdm3/custom.conf and remove the comment mark (“#” character) from the line
      #WaylandEnable=false
- reboot
systemd-networkd
- tired of those 120s boot delays while the network waits for DHCP?
- following this fix:
    sudo systemctl disable systemd-networkd-wait-online.service
    sudo systemctl mask systemd-networkd-wait-online.service
- also mark all unneeded interfaces as optional e.g. in /etc/netplan/nn-whatever.yaml:
- to find out which services are impacted:
    sudo systemctl show -p WantedBy network-online.target
Repository Maintenance
- upgrading from old versions may have “remnant” repositories lurking around
  - show what is in the encoded /etc/apt/trusted.gpg file:
      apt-key --list
  - manually remove individual entries (using the fingerprint):
      apt-key del "xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx"
  - check the sources in /etc/apt/sources.list.d
  - check the trusted sources in /etc/apt/trusted.gpg.d
  - check sources in /etc/apt/sources.list:
    - show what is in /etc/apt/sources.list:
        add-apt-repository --list
    - manually remove individual entries (using entire line):
        add-apt-repository --remove "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main"
- purging removed packages with “residual-config” (e.g. configuration files):
Fix Broken/Partial/Stuck Package Installs
- try any of the following in order:
    sudo dpkg --configure -a
    sudo apt-get install -f
- delete pending actions:
    sudo rm -fr /var/lib/dpkg/updates/*
Serial Console
- trying to get Ubuntu to pipe everything through the serial console that may be available on your motherboard is a two-step process:
  1. getting GRUB to redirect everything (although tooling to do an install outright from console-only is out of scope here):
     - make a backup before doing anything:
         sudo cp /etc/default/grub /etc/default/grub.bak
     - sudo vi /etc/default/grub and add/edit the following lines:
         GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS4,115200n8"
         GRUB_TERMINAL_INPUT="console serial"
         GRUB_TERMINAL_OUTPUT="console gfxterm serial"
         GRUB_SERIAL_COMMAND="serial --port=mmio,0xdf519000 --speed=115200 --word=8 --parity=no --stop=1"
       - note that the --port argument is usually replaced with --unit; I only document this parameter here in reference with another page – check the manual for more information
     - update grub (sudo update-grub), and after step #2 below, reboot!
  2. getting Ubuntu to stick to the baud rate for a specific serial port (the “generic” agetty’s --keep-baud does not seem to work!)
     - create a copy of the serial-getty@tty.service file specific to the serial port (which in my example, is ttyS4):
         sudo cp /lib/systemd/system/serial-getty\@.service /lib/systemd/system/serial-getty\@ttyS4.service
     - sudo vi /lib/systemd/system/serial-getty\@ttyS4.service and edit the agetty command line to force the baud rate, e.g.:
       - changing:
           ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 - $TERM
       - to:
           ExecStart=-/sbin/agetty -o '-p -- \\u' 115200 - $TERM
     - link the new service file:
         ln -s /lib/systemd/system/serial-getty@ttyS4.service /etc/systemd/system/getty.target.wants/
     - then reload systemctl and start the service:
         systemctl daemon-reload
         systemctl start serial-getty@ttyS4.service