Debian: Quick Installation Guide
Minimal installation of a Debian Stable. For errors, improvements or comments you may send an email.
Partition Layout
→ Installation of GNU/Linux Debian Stable (Codename Bookworm / Version 12), with the following partition layout:
DEVICE TYPE SIZE MOUNTPOINT
nvme0n1 gpt
├─nvme0n1p1 part, vfat (F32) 512M /efi
├─nvme0n1p2 part, ext4 4096M /boot
└─nvme0n1p3 part, crypt 421G
├─nvme0n1p3_crypt btrfs @snapshot
├─nvme0n1p3_crypt btrfs @sys-home /home
├─nvme0n1p3_crypt btrfs @sys-debian-root /
├─nvme0n1p3_crypt btrfs @sys-debian-var /var
├─nvme0n1p3_crypt btrfs @sys-debian-var-log /var/log
└─nvme0n1p3_crypt btrfs @sys-debian-swap /swap
ISO Image
DEBVER="12.5.0"
DEBARCH="amd64"
DEBDESKTOP="gnome"
# Available live flavours: cinnamon,gnome,kde,lxde,lxqt,mate,standard,xfce
# DEBVER has to be the version currently published under current-live/, because
# the file names below embed it.
wget https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-${DEBVER}-${DEBARCH}-${DEBDESKTOP}.iso
# Download of an ISO image.
# See also: [Debian - Live Install Images](https://www.debian.org/CD/live/)
# Checksum list and its detached signature, stored under version-specific names.
wget -O debian-live-${DEBVER}-${DEBARCH}-SHA512SUMS https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS
wget -O debian-live-${DEBVER}-${DEBARCH}-SHA512SUMS.sign https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS.sign
# Fetch the two keys the checksum file may be signed with. A key pulled from a
# keyserver is only as trustworthy as the fingerprint it was requested by, so
# compare these fingerprints with the ones published on debian.org.
gpg2 --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B
# Debian CD signing key <debian-cd@lists.debian.org> (2011-01-05)
gpg2 --recv-keys F41D30342F3546695F65C66942468F4009EA8AC3
# Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org> (2014-04-15)
# Verify the checksum file. gpg locates the signed data by stripping the .sign
# suffix, which is why the -O names above end in exactly SHA512SUMS / SHA512SUMS.sign.
# Continue only on a good signature from one of the two fingerprints above.
gpg2 --verify debian-live-${DEBVER}-${DEBARCH}-SHA512SUMS.sign
# Verify the ISO against the (now authenticated) checksum list; --ignore-missing
# skips the other images listed in it.
sha512sum --ignore-missing -c debian-live-${DEBVER}-${DEBARCH}-SHA512SUMS
# Write the image to the USB stick. 'sdX' is a placeholder — substitute the
# stick's device (see the lsblk/parted hint below); dd overwrites the target
# without asking.
dd if=debian-live-${DEBVER}-${DEBARCH}-${DEBDESKTOP}.iso of=/dev/sdX
# Copy the image to a USB stick.
# Mittels 'lsblk' oder 'parted -l' können alle angeschlossenen Blockgeräte angezeigt werden.
Step by step
OPEN TERMINAL:
sudo -s
# Color prompt.
PS1='\[\033[00;31m\]\u\[\033[00m\]@\[\033[00;32m\]\h\[\033[00m\]:\[\033[01;34m\]\w \[\033[00m\]#\[\033[00m\] '
# Console keymap for the live session (left commented because of the error below).
# loadkeys de
# loadkeys de-latin1
# → Current error: "Couldn't get a file descriptor referring to the console."
# → Default might be US layout, so you may type ``loadkezs deßlatin1`` on a German keyboard
#   (the garbled spelling shows what the command looks like when the active layout
#   does not match the physical keys).
################################################################################
# Check environment
################################################################################
# Check for EFI variables — required for an EFI install and for the efivars bind
# mount into the chroot later on.
mount | grep efivars
# → Output: efivars on /sys/firmware/efi/efivars type efivars (rw,nosuid,nodev,noexec,relatime)
# Check for available TPM
dmesg | grep TPM
# Check for available SecureBoot
mokutil --sb-state
# Check current disk and partition:
lsblk --fs
parted -l
# → Be aware of the detected disk labeling, especially the boot drive might be ``sda`` and the install drive ``sdb``.
# → Here the installation destination is ``/dev/nvme0n1``.
# Only if there is unencrypted data:
# NOTE(review): overwriting is not a reliable wipe on SSD/NVMe (wear levelling can
# keep old blocks around); for such devices the drive's own secure/crypto-erase
# command is the dependable option. The system partition created below is
# encrypted anyway, so this only concerns data that was stored in the clear before.
shred --verbose --random-source=/dev/urandom --iterations=3 /dev/sdX
# Or use ``dd if=/dev/urandom of=/dev/sdX``
# Check network.
ping -c 3 duckduckgo.com
################################################################################
# Variables
################################################################################
# Device and partition names of the target disk. Every later command refers to
# these, so this is the single place to adapt for another disk.
# NVMe naming scheme
# nvme0: controller 0
# nvme0n1: namespace 1 = device 1
# nvme0n1p3: partition 3
DEV1="/dev/nvme0n1"
DEV1PART="nvme0n1p"
# Partition 1 = ESP, 2 = /boot, 3 = LUKS container (matches the layout table above).
DEV1PART1NAME="${DEV1PART}1"
DEV1PART2NAME="${DEV1PART}2"
DEV1PART3NAME="${DEV1PART}3"
DEV1PART1="/dev/${DEV1PART1NAME}"
DEV1PART2="/dev/${DEV1PART2NAME}"
DEV1PART3="/dev/${DEV1PART3NAME}"
# Only partition 3 is encrypted; the other *CRYPT* variables hold non-path
# placeholder strings (presumably so an accidental use cannot hit a real device).
DEV1PART1CRYPTNAME="Not_in_use_as_crypt_ESP_EF00"
DEV1PART2CRYPTNAME="Not_in_use_as_crypt_BOOT"
DEV1PART3CRYPTNAME="${DEV1PART3NAME}_crypt"
DEV1PART1CRYPT="Not_in_use_as_crypt"
DEV1PART2CRYPT="Not_in_use_as_crypt"
# Device-mapper node of the opened LUKS container.
DEV1PART3CRYPT="/dev/mapper/${DEV1PART3CRYPTNAME}"
################################################################################
# Partitioning
################################################################################
# Destructive: replaces the partition table of ${DEV1}. Double-check the device.
# Precheck.
echo ${DEV1}
# Check.
sgdisk -p ${DEV1}
# Create new GPT.
sgdisk -o ${DEV1}
# [1] - ESP ... EFI System Partition.
# Flagged 'EFI System' (fdisk) or 'boot, esp' (parted). (200MiB+, FAT32).
# '-n 0:0:+SIZE' = next free partition number, default start, given size.
# The device appears twice on these command lines; sgdisk needs it once, and the
# result printed below shows the duplicate did no harm.
sgdisk -n 0:0:+512MiB ${DEV1} --typecode=1:EF00 --change-name=1:ESP ${DEV1}
# [2] - Boot (ext4, unencrypted — kernel and initramfs will live here).
sgdisk -n 0:0:+4096MiB ${DEV1} --typecode=2:8300 --change-name=2:BOOT ${DEV1}
# [3] - System. '0:0:0' = rest of the disk; becomes the LUKS container.
sgdisk -n 0:0:0 ${DEV1} --typecode=3:8300 --change-name=3:SYSTEM ${DEV1}
# Naming partitions (already done via --change-name above; repeating is harmless).
sgdisk --change-name=1:ESP ${DEV1}
sgdisk --change-name=2:BOOT ${DEV1}
sgdisk --change-name=3:SYSTEM ${DEV1}
# Check.
sgdisk -p ${DEV1}
# Output → (sector numbers depend on the disk; note this sample shows 927 GiB for
# partition 3 while the layout table at the top says 421G — presumably captured
# on different disks)
#Number Start (sector) End (sector) Size Code Name
# 1 2048 1050623 512.0 MiB EF00 ESP
# 2 1050624 9439231 4.0 GiB 8300 BOOT
# 3 9439232 1953525134 927.0 GiB 8300 SYSTEM
################################################################################
# Cryptsetup
################################################################################
# ATTENTION!
# In case of errors or problems while typing the password …
# … there might be a misconfiguration of your keyboard layout.
# → [US-Tastatur-Layout](https://de.wikipedia.org/wiki/Datei:KB_United_States-NoAltGr.svg)
# (The same layout question comes back at every boot-time passphrase prompt.)
# Benchmark.
cryptsetup benchmark
# Encrypt the system partition
# LUKS2 with the memory-hard argon2id PBKDF; -y asks for the passphrase twice.
# --key-size=512 in XTS mode means AES-256 (XTS splits the key into two halves).
# NOTE(review): 'aes-xts-plain' uses a 32-bit sector IV that wraps after 2 TiB;
# 'aes-xts-plain64' is the cryptsetup default and costs nothing on smaller
# devices, so it is the safer choice regardless of disk size (see the note below).
cryptsetup luksFormat -y --type luks2 --cipher=aes-xts-plain --key-size=512 --hash=sha512 --pbkdf=argon2id --use-random ${DEV1PART3}
# → for ≥ 2 TiB devices: ``aes-xts-plain64`` (for >= 2 TB disks)
# Open luks container.
# --allow-discards passes TRIM through dm-crypt. Trade-off: the device then sees
# which blocks are unused, i.e. the filesystem's allocation pattern leaks through
# the encryption. Keep it only if SSD wear matters more than that.
cryptsetup luksOpen --allow-discards ${DEV1PART3} ${DEV1PART3CRYPTNAME}
# → for SSDs: ``--allow-discards``
# Check cryptsetup: header, key slots and PBKDF parameters.
cryptsetup luksDump ${DEV1PART3}
################################################################################
# Format and mount
################################################################################
# [1] - Format EFI system partition (ESP).
mkfs.fat -F32 -n ESP ${DEV1PART1}
# [2] - Format boot. ext4 Block device is more likely for GRUB.
mkfs.ext4 -L boot ${DEV1PART2}
# [3] - Format system: one btrfs on top of the opened LUKS mapping, single-device
# profiles for data and metadata.
mkfs.btrfs -d single -m single -L system ${DEV1PART3CRYPT}
# List available btrfs filesystems.
btrfs filesystem show
# Mount pure btrfs … (without defining a subvolume via … -o …,subvol= …)
# i.e. the top-level subvolume, only to create the subvolumes below.
mount -t btrfs -o noatime,discard=async,ssd,space_cache=v2,commit=120,compress=zstd,autodefrag,defaults ${DEV1PART3CRYPT} /mnt
#Check.
btrfs subvolume list /mnt
# Create subvolumes …
# Flat layout: every subvolume sits directly below the top level. @snapshot and
# @sys-home are distribution-independent; the "sys-<distro>-" prefix presumably
# leaves room for a second distribution sharing the pool.
# Create general snapshot subvolume.
btrfs subvolume create /mnt/@snapshot
# Create general home subvolume.
btrfs subvolume create /mnt/@sys-home
THISDISTRO="debian"
btrfs subvolume create /mnt/@sys-${THISDISTRO}-root
btrfs subvolume create /mnt/@sys-${THISDISTRO}-var
btrfs subvolume create /mnt/@sys-${THISDISTRO}-var-log
btrfs subvolume create /mnt/@sys-${THISDISTRO}-swap
# Check.
# Show the structure of a filesystem.
btrfs filesystem show
# Show space usage information for a mount point.
btrfs filesystem df /mnt
# List subvolumes and snapshots in the filesystem.
btrfs subvolume list /mnt
# Umount.
cd /
umount /mnt
# Mount system root (the subvolume, not the top level, becomes /).
mount -t btrfs -o noatime,discard,ssd,space_cache=v2,commit=120,compress=zstd,autodefrag,defaults,subvol=@sys-${THISDISTRO}-root ${DEV1PART3CRYPT} /mnt
# Check.
ls -lisa /mnt/
# Create folders for mount points.
mkdir -p /mnt/{efi,boot,home,var,swap,.snapshot}
# Check.
ls -lisa /mnt/
# Mount system efi. (EFI only!)
mount -t vfat -o noatime,discard,defaults ${DEV1PART1} /mnt/efi
# Mount system boot.
mount -t ext4 -o discard,defaults ${DEV1PART2} /mnt/boot
# Mount system home.
mount -t btrfs -o noatime,discard,ssd,space_cache=v2,commit=120,compress=zstd,autodefrag,defaults,subvol=@sys-home ${DEV1PART3CRYPT} /mnt/home
# Mount system var.
mount -t btrfs -o noatime,discard,ssd,space_cache=v2,commit=120,compress=zstd,autodefrag,defaults,subvol=@sys-${THISDISTRO}-var ${DEV1PART3CRYPT} /mnt/var
# Mount system var/log. The mount point has to be created inside the freshly
# mounted (still empty) var subvolume first.
mkdir -p /mnt/var/log
mount -t btrfs -o noatime,discard,ssd,space_cache=v2,commit=120,compress=zstd,autodefrag,defaults,subvol=@sys-${THISDISTRO}-var-log ${DEV1PART3CRYPT} /mnt/var/log
# Mount system swap — deliberately without compress=, a swapfile must not be compressed.
mount -t btrfs -o noatime,discard,ssd,space_cache=v2,commit=120,autodefrag,defaults,subvol=@sys-${THISDISTRO}-swap ${DEV1PART3CRYPT} /mnt/swap
# Mount snapshot (also without compress=).
mount -t btrfs -o noatime,discard,ssd,space_cache=v2,commit=120,autodefrag,defaults,subvol=@snapshot ${DEV1PART3CRYPT} /mnt/.snapshot
# Check. These mounts and options are what genfstab records in fstab later.
mount | grep /mnt
################################################################################
# SWAP
################################################################################
# Create swap file.
cd /mnt/swap
# Get btrfs properties
btrfs property get /mnt/swap
# truncate - shrink or extend the size of a file to the specified size
# Start from an empty file: the NOCOW attribute below only takes effect on a file
# that has no data yet.
truncate -s 0 swapfile
# chattr … change attribute - Set file attributes to no copy-on-write updates.
# -R … recursively
# +C … Set No Copy-on-Write (CoW)
# -C … Unset/clear No Copy-on-Write (CoW)
chattr +C swapfile
# Allocate swap space sized to the installed RAM (32G here — adjust).
fallocate -l 32G swapfile
# Change access permissions. Swap may hold anything that was in memory
# (keys, passwords), so root-only access before it is ever activated.
chmod 600 swapfile
# Make swapfile
mkswap -L swap swapfile
# Activate swap.
swapon swapfile
# Deactivate compression on the directory (affects files created afterwards; the
# NOCOW swapfile itself is presumably never compressed anyway — belt and braces).
btrfs property set /mnt/swap compression none
btrfs property get /mnt/swap
################################################################################
# Base system
################################################################################
apt update
# debootstrap extracts .deb archives with 'ar' (binutils); arch-install-scripts
# provides genfstab, used below.
apt install binutils debootstrap arch-install-scripts
# Bootstrap Debian stable into /mnt from a German mirror. debootstrap checks the
# archive's Release signature against the live system's keyring (unless told not
# to), so the trust chain starts with the verified live ISO.
debootstrap --arch=amd64 stable /mnt https://ftp.uni-hannover.de/debian/debian/
# Alternative servers:
# https://ftp.uni-hannover.de/debian/debian/
# http://debian.tu-bs.de/debian/
# http://ftp.tu-chemnitz.de/debian/
# https://debian.inf.tu-dresden.de/debian/
# = http://ftp1.de.debian.org/debian/
# https://ftp.halifax.rwth-aachen.de/debian/
# = http://ftp2.de.debian.org/debian/
################################################################################
# mtab, fstab, crypttab
################################################################################
# Copy the mounted file systems table.
#cp /etc/mtab /mnt/etc/mtab
# NOTE(review): in the bootstrapped tree /etc/mtab is normally a symlink to
# /proc/self/mounts (hence --remove-destination). Replacing it with a static copy
# of the live system's mounts is questionable, and systemd-tmpfiles may restore
# the symlink on first boot — confirm this step is actually needed.
cp --remove-destination /etc/mtab /mnt/etc/mtab
# Generate filesystem table based on UUIDs and without pseudo filesystems.
# Has to run before the chroot bind mounts below, otherwise /dev, /proc, … would
# be recorded too. Output is appended, so re-running duplicates the entries.
# genfstab:
# -U … Using UUIDs.
# -p … Prevent from using pseudo file systems.
genfstab -U -p /mnt >> /mnt/etc/fstab
# Get UUIDs.
# PART3UUID=$(blkid ${DEV1PART3} | cut -d "\"" -f2)
# UUID of the raw LUKS partition (its header), not of the opened mapper device.
DEV1PART3UUID=$(blkid -o value -s UUID ${DEV1PART3})
# Write crypttab. 'none' = ask for the passphrase at boot; 'discard' mirrors the
# --allow-discards used when opening the container above (same trade-off).
echo "# <name> <device> <password> <options>" > /mnt/etc/crypttab
echo "${DEV1PART3CRYPTNAME} UUID=${DEV1PART3UUID} none luks,discard" >> /mnt/etc/crypttab
# Check.
cat /mnt/etc/crypttab
cat /mnt/etc/fstab
cat /mnt/etc/mtab
################################################################################
# chroot
################################################################################
# efivars must be mounted on the live system for the bind below (grub-install /
# efibootmgr inside the chroot need it).
mount | grep efivars
# for i in /dev /dev/pts /proc /sys /sys/firmware/efi/efivars /run; do sudo mount --bind $i /mnt${i}; done
CHRDIR=/mnt
# A plain --bind is not recursive, so the sub-mounts (/dev/pts below /dev,
# efivars below /sys) are bound one by one; unmount them in reverse order later.
mount --bind /dev ${CHRDIR}/dev
mount --bind /dev/pts ${CHRDIR}/dev/pts
mount --bind /proc ${CHRDIR}/proc
mount --bind /sys ${CHRDIR}/sys
mount --bind /sys/firmware/efi/efivars ${CHRDIR}/sys/firmware/efi/efivars
mount --bind /run ${CHRDIR}/run
LANG=C chroot ${CHRDIR} /bin/bash
On the new system
# Check environment.
# From here on the commands run inside the chroot (new system's tools, live kernel).
lsblk --fs
mount | grep efivars
ping -c 3 startpage.com
# Color prompt
PS1='\[\033[00;31m\]\u\[\033[00m\]@\[\033[00;32m\]\h\[\033[00m\]:\[\033[01;34m\]\w \[\033[00m\]#\[\033[00m\] '
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Reload variables
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# chroot started a fresh /bin/bash and the variables set on the live system were
# never exported, so they are redefined here with the same values.
DEV1="/dev/nvme0n1"
DEV1PART="nvme0n1p"
DEV1PART1NAME="${DEV1PART}1"
DEV1PART2NAME="${DEV1PART}2"
DEV1PART3NAME="${DEV1PART}3"
DEV1PART1="/dev/${DEV1PART1NAME}"
DEV1PART2="/dev/${DEV1PART2NAME}"
DEV1PART3="/dev/${DEV1PART3NAME}"
DEV1PART1CRYPTNAME="Not_in_use_as_crypt_ESP_EF00"
DEV1PART2CRYPTNAME="Not_in_use_as_crypt_BOOT"
DEV1PART3CRYPTNAME="${DEV1PART3NAME}_crypt"
DEV1PART1CRYPT="Not_in_use_as_crypt"
DEV1PART2CRYPT="Not_in_use_as_crypt"
DEV1PART3CRYPT="/dev/mapper/${DEV1PART3CRYPTNAME}"
################################################################################
# Debian installation
################################################################################
cp /etc/apt/sources.list /etc/apt/sources.list.bkp
# Unquoted heredoc (nothing in it needs expansion). Main archive via an https
# mirror, security/updates via deb.debian.org over http — apt authenticates the
# Release files by signature either way; https only adds transport privacy.
# NOTE(review): the suite is 'stable' rather than the codename 'bookworm', so the
# next Debian release arrives as an unplanned major upgrade once 'stable' moves;
# the codename would pin it.
cat > /etc/apt/sources.list <<__EOF__
# https://wiki.debian.org/SourcesList
# Debian Stable - Official Debian repository for the current release.
deb https://ftp.uni-hannover.de/debian/debian/ stable main contrib non-free non-free-firmware
# Debian Stable Security - Official Debian repository for frequent security updates.
deb http://deb.debian.org/debian-security/ stable-security main contrib non-free non-free-firmware
# Debian Stable Updates - Official Debian repository for changes that cannot wait for the next point release, packages are also added to StableProposedUpdates for inclusion in the next point release.
deb http://deb.debian.org/debian stable-updates main contrib non-free non-free-firmware
# Debian Stable Proposed Updates - However, the quality is usually very high (It should still be considered higher quality than Debian Testing, Backports... ) You are welcome to test those updates if you can recover minor problems (but don't test on production servers ;-).
#deb http://deb.debian.org/debian/ stable-proposed-updates main contrib non-free non-free-firmware
# Dabian Backports - More recent versions of some packages, compatible with DebianStable.
#deb http://deb.debian.org/debian stable-backports main contrib non-free non-free-firmware
# Alternate mirrors:
# https://ftp.uni-hannover.de/debian/debian/
# https://debian.inf.tu-dresden.de/debian/
# = http://ftp1.de.debian.org/debian/
# https://ftp.halifax.rwth-aachen.de/debian/
# = http://ftp2.de.debian.org/debian/
# http://debian.tu-bs.de/debian/
# http://ftp.tu-chemnitz.de/debian/
__EOF__
apt update
apt list --upgradable
apt upgrade
# Basic installation without a boot manager.
# Kernel + headers, firmware, LUKS/btrfs tooling, EFI/Secure Boot/TPM utilities.
# openssh-server, firewalld and fail2ban are only installed here: sshd will come
# up on first boot with Debian's default configuration until the hardening in
# the helper section is applied.
apt install arch-install-scripts aptitude linux-image-amd64 linux-headers-amd64 firmware-iwlwifi firmware-linux firmware-linux-nonfree sudo vim bash-completion command-not-found plocate systemd-timesyncd usbutils hwinfo locales v4l-utils gdisk keyutils gnupg openssh-server firewalld fail2ban ca-certificates screen make git timeshift network-manager wget curl btrfs-progs cryptsetup-bin cryptsetup-initramfs cryptsetup-suspend efibootmgr efitools mokutil tpm2-abrmd tpm2-tools
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
### Add firmware ###
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# NOTE(review): this pulls unpackaged firmware blobs straight from upstream git
# into /lib/firmware — outside apt's tracking and with no integrity check beyond
# TLS. Debian ships the same rtl_nic files in the firmware-realtek package
# (non-free-firmware is already enabled above); prefer that unless a blob newer
# than the packaged one is really required.
git clone https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git /root/linux-firmware
mkdir -p /lib/firmware/rtl_nic/
cp -r /root/linux-firmware/rtl_nic/* /lib/firmware/rtl_nic/
################################################################################
# Hostname, time, locale, keymap
################################################################################
# Hostname.
THISHOSTNAME=jorina
echo ${THISHOSTNAME} > /etc/hostname
# May fail inside the chroot (no running systemd/dbus); the echo above has
# already written the file.
hostnamectl set-hostname ${THISHOSTNAME}
# Setting time zone (interactive dialog).
dpkg-reconfigure tzdata
# Time.
#timedatectl set-ntp true
# NOTE(review): this overrides whatever the dialog above selected — keep one of
# the two, or pick Europe/Amsterdam in the dialog.
ln -sf /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime
# HW time is UTC
hwclock --systohc
#Locale. Uncomment the three locales in /etc/locale.gen …
sed -i 's|#.*de_DE.UTF-8.*|de_DE.UTF-8 UTF-8|' /etc/locale.gen
sed -i 's|#.*en_DK.UTF-8.*|en_DK.UTF-8 UTF-8|' /etc/locale.gen
sed -i 's|#.*en_US.UTF-8.*|en_US.UTF-8 UTF-8|' /etc/locale.gen
# … and generate them.
locale-gen
# Alternate: dpkg-reconfigure locales
# NOTE(review): Debian's update-locale manages /etc/default/locale; confirm that
# /etc/locale.conf (the systemd path) is read on this system at all, otherwise
# the values below never take effect.
cat > /etc/locale.conf <<__EOF__
LANG=en_US.UTF-8
#LANGUAGE=en_US:en_GB:en
LC_COLLATE=C
LC_CTYPE=en_US.UTF-8
LC_DATE=en_DK.UTF-8
LC_TIME=en_DK.UTF-8
LC_ADDRESS=de_DE.UTF-8
LC_IDENTIFICATION=de_DE.UTF-8
LC_MESSAGES=en_US.UTF-8
LC_MEASUREMENT=de_DE.UTF-8
LC_MONETARY=de_DE.UTF-8
LC_NAME=de_DE.UTF-8
LC_NUMERIC=de_DE.UTF-8
LC_PAPER=de_DE.UTF-8
LC_TELEPHONE=de_DE.UTF-8
LC_ALL=
__EOF__
update-locale
# Keymap
# NOTE(review): on Debian the console keymap is normally configured in
# /etc/default/keyboard (console-setup), which the initramfs also uses for the
# boot-time LUKS passphrase prompt. Confirm /etc/vconsole.conf is honoured here —
# a wrong layout at the passphrase prompt is exactly the failure mode the
# Cryptsetup section warns about.
echo "KEYMAP=de-latin1" > /etc/vconsole.conf
echo "FONT=lat9w-16" >> /etc/vconsole.conf
################################################################################
# Initramfs
################################################################################
# Re-generate, so the cryptsetup-initramfs hooks pick up /etc/crypttab and the
# encrypted root device.
update-initramfs -u -k all
# Check: the initrd must be readable by root only (expected mode below), since it
# carries the cryptroot configuration and any key material.
stat -L -c "%A %n" /boot/initrd.img*
# → -rw------- /initrd.img
# Confirm the cryptroot hook ran: its crypttab is inside the image.
# NOTE(review): /boot is unencrypted, so a key file embedded here would be
# readable to anyone holding the disk. With the crypttab written above ('none',
# passphrase at boot) no key should be present — if one shows up, find out where
# it came from.
lsinitramfs /boot/initrd.img* | grep "^cryptroot/"
# → cryptroot/crypttab
# → cryptroot/keyfiles
# → cryptroot/keyfiles/nvme0n1p3_crypt.key
# Different names are OK, 'cause this is initramfs internal naming.
lsinitramfs /boot/initrd.img* | grep "crypt"
################################################################################
# UUIDs
################################################################################
# Print the UUIDs only (-o value -s UUID); the values shown below are
# illustrative placeholders, yours differ.
# EFI
blkid -o value -s UUID ${DEV1PART1}
# DEV1-ESP1
# Boot partition
blkid -o value -s UUID ${DEV1PART2}
# deadbeef-dev1part2-pure-ext4-da69363b78ee
# System partition (LUKS header UUID — the one referenced in crypttab)
blkid -o value -s UUID ${DEV1PART3}
# deadbeef-dev1part3-pure-aes1-da69363b78ee
# System crypt device (UUID of the btrfs inside the container — a different value)
blkid -o value -s UUID ${DEV1PART3CRYPT}
# deadbeef-dev1part3-crypt-open-da69363b78ee
################################################################################
# Bootloader
################################################################################
lsblk -o NAME,FSTYPE,MOUNTPOINT ${DEV1}
# GRUB
apt install grub-efi-amd64 grub-efi-amd64-signed
# Appended with '>>': running this section twice duplicates the entries — the
# cat below shows the file.
# NOTE(review): GRUB_ENABLE_CRYPTODISK only matters when GRUB itself has to open
# a LUKS device to reach /boot. Here /boot is the unencrypted ext4 partition 2,
# so the flag is not required for booting. Consequence of that layout: kernel and
# initramfs are outside the LUKS container, and their integrity rests on the
# Secure Boot chain (signed GRUB package above), not on disk encryption.
echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
echo "GRUB_PRELOAD_MODULES=\"part_gpt part_msdos cryptodisk luks\"" >> /etc/default/grub
# Check entry
cat /etc/default/grub
update-grub
#grub-mkconfig -o /boot/grub/grub.cfg
cat /boot/grub/grub.cfg
# Excerpt of the generated file (illustrative):
# ...
# insmod part_gpt
# insmod cryptodisk
# insmod luks2
# insmod gcry_rijndael
# insmod gcry_rijndael
# insmod gcry_sha256
# insmod btrfs
# --boot-directory and --efi-directory match the mount points created earlier
# (the ESP is mounted at /efi, not /boot/efi).
# NOTE(review): if Secure Boot is to stay enabled, confirm that what ended up
# under /efi/EFI/grub is the signed loader chain — installing the signed package
# alone does not prove grub-install used it; check the written files and
# 'mokutil --sb-state' after the first boot.
grub-install --target=x86_64-efi --recheck --boot-directory=/boot --efi-directory=/efi --bootloader-id=grub
# Installing for x86_64-efi platform.
# grub-install: warning: EFI variables cannot be set on this system. --> Exit chroot and mount efi vars.
# grub-install: warning: You will have to complete the GRUB setup manually.
# Installation finished. No error reported.
# Check boot menu entries.
cat /efi/EFI/grub/grub.cfg
# search.fs_uuid deadbeef-dev1part2-pure-ext4-da69363b78ee root
# set prefix=($root)'/grub'
# configfile $prefix/grub.cfg
################################################################################
# Root
################################################################################
# Change root password.
# (root home folder is automatically OS depended. → /root)
# The user account created below is not put into 'sudo', so this password is the
# only path to administrative access on the box.
passwd root
# Root's shell start-up files. The heredoc delimiters are quoted ('__EOF__'), so
# the contents are written literally — no expansion of $BASH etc. at install time.
cat > /root/.profile <<'__EOF__'
# ~/.profile: executed by Bourne-compatible login shells.
if [ "$BASH" ]; then
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
fi
mesg n || true
__EOF__
cat > /root/.bashrc <<'__EOF__'
#
# ~/.bashrc
#
# If not running interactively, don't do anything more
[[ $- != *i* ]] && return
PS1='\[\033[00;31m\]\u\[\033[00m\]@\[\033[00;32m\]\h\[\033[00m\]:\[\033[01;34m\]\w \[\033[00m\]#\[\033[00m\] '
# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
alias dir='dir --color=auto'
alias vdir='vdir --color=auto'
alias grep='grep --color=auto'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'
fi
# some more ls aliases
alias ll='ls -lisa'
alias la='ls -A'
alias l='ls -CF'
# overwrite question
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
# Alias definitions
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
# enable programmable completion features
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
__EOF__
cat > /root/.bash_logout <<'__EOF__'
# ~/.bash_logout: executed by bash(1) when login shell exits.
# when leaving the console clear the screen to increase privacy
if [ "$SHLVL" = 1 ]; then
[ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q
fi
__EOF__
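################################################################################
# User
################################################################################
# Create the day-to-day (non-root) account: a private group of the same name,
# a home directory, membership in 'users' and bash as login shell.
# (Related tools: useradd, usermod, groupadd, groupmod.)
# The account is not added to 'sudo'; administrative work goes through root.
THISUSER="frank"
groupadd "${THISUSER}"
useradd --create-home --gid "${THISUSER}" --groups users --shell /bin/bash "${THISUSER}"
# Set user password (interactive prompt).
passwd "${THISUSER}"
# List users.
cat /etc/passwd
#getent passwd
# List usernames only (awk reads the file itself; no cat pipeline needed).
awk -F: '{print $1}' /etc/passwd
#getent passwd "${THISUSER}"
# List groups the name appears in (own group plus the 'users' membership line).
#cat /etc/group
grep -- "${THISUSER}" /etc/group
# After first login from your client into this system:
# Configure the shell.
# Check.
cat /etc/sudoers
# Account status (password set/locked, ageing) instead of dumping every password
# hash from /etc/shadow into the terminal scrollback.
passwd -S "${THISUSER}"
cat /etc/group
grep -- "${THISUSER}" /etc/group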
################################################################################
# SSH
################################################################################
# Verify that the openssh-server installed above is wired into multi-user.target;
# the package normally creates the link itself, the ln below is the fallback.
#create symlink:
#/etc/systemd/system/multi-user.target.wants/sshd.service → /usr/lib/systemd/system/sshd.service.
ls -lisa /etc/systemd/system/multi-user.target.wants/ | grep ssh
ls -lisa /usr/lib/systemd/system/ | grep ssh
#ln -s /usr/lib/systemd/system/sshd.service /etc/systemd/system/multi-user.target.wants/sshd.service
# NOTE(review): on first boot sshd runs with Debian's default configuration
# (password login for the new user is allowed) until the hardening in the helper
# section is applied — keep the host off untrusted networks until then, or place
# the authorized key before rebooting.
#ssh -o PubkeyAuthentication=no frank@192.168.0.101
#ssh-copy-id -o PubkeyAuthentication=no -i ~/.ssh/id_ed25519.pub frank@192.168.0.111
#ssh -o PubkeyAuthentication=no frank@192.168.0.111
# After first login from your client into this system:
# Copy your ssh user key
# Perform configuration and hardening.
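################################################################################
### Exit ###
################################################################################
## Exit chroot.
# Leaves the chroot shell; everything below runs in the live-system shell again,
# where CHRDIR and DEV1PART3CRYPTNAME were defined before entering the chroot.
exit
# Unmount.
cd /
# Guard: with an empty CHRDIR the targets would collapse to the live system's own
# /run, /sys, … — so only proceed when it is set. Quoting keeps the test
# well-formed for an empty value or one containing spaces.
[ -n "${CHRDIR}" ] && echo "chroot directory: ${CHRDIR}"
# Sub-mounts first (efivars below sys, pts below dev), then their parents.
[ -n "${CHRDIR}" ] && umount "${CHRDIR}/run"
[ -n "${CHRDIR}" ] && umount "${CHRDIR}/sys/firmware/efi/efivars"
[ -n "${CHRDIR}" ] && umount "${CHRDIR}/sys"
[ -n "${CHRDIR}" ] && umount "${CHRDIR}/proc"
[ -n "${CHRDIR}" ] && umount "${CHRDIR}/dev/pts"
[ -n "${CHRDIR}" ] && umount "${CHRDIR}/dev"
# Turn swap off (the swapfile lives on a subvolume that is unmounted next).
swapoff /mnt/swap/swapfile
# Umount — innermost mounts first, /mnt last.
umount /mnt/swap
umount /mnt/var/log
umount /mnt/var
umount /mnt/home
umount /mnt/efi
umount /mnt/boot
umount /mnt/.snapshot
umount /mnt
# Close the LUKS mapping so no plaintext device remains before the reboot.
cryptsetup luksClose "${DEV1PART3CRYPTNAME}"
sync
reboot
################################################################################
### DONE ### ### ### ### ### ### ### ### ### ### ### ### ### ### ### ### ### ###
################################################################################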
################################################################################
Helper
################################################################################
### System Access ##############################################################
################################################################################
# Re-enter the installed system from a live medium (rescue / maintenance).
# Uses literal device names instead of the variables from the install.
sudo -s
# Color prompt.
PS1='\[\033[00;31m\]\u\[\033[00m\]@\[\033[00;32m\]\h\[\033[00m\]:\[\033[01;34m\]\w \[\033[00m\]#\[\033[00m\] '
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Check
lsblk
mount | grep efivars
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Network
ping -c 3 heise.de
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Open
# NOTE(review): opened without --allow-discards, so the 'discard' mount options
# below do not reach the device (unlike the install-time open). Intentional or
# not — the Cryptsetup section describes the trade-off.
cryptsetup open /dev/nvme0n1p3 nvme0n1p3_crypt
# Mount. Same subvolume layout as during the install; root first, then the rest
# onto the directories inside it.
mount -o noatime,ssd,defaults,subvol=@sys-debian-root /dev/mapper/nvme0n1p3_crypt /mnt
mount -t vfat -o noatime,discard,defaults /dev/nvme0n1p1 /mnt/efi
mount -t ext4 -o noatime,discard,defaults /dev/nvme0n1p2 /mnt/boot
mount -t btrfs -o noatime,discard,ssd,subvol=@sys-home /dev/mapper/nvme0n1p3_crypt /mnt/home
mount -t btrfs -o noatime,discard,ssd,subvol=@sys-debian-var /dev/mapper/nvme0n1p3_crypt /mnt/var
mount -t btrfs -o noatime,discard,ssd,subvol=@sys-debian-var-log /dev/mapper/nvme0n1p3_crypt /mnt/var/log
mount -t btrfs -o noatime,discard,ssd,subvol=@sys-debian-swap /dev/mapper/nvme0n1p3_crypt /mnt/swap
mount -t btrfs -o noatime,discard,ssd,subvol=@snapshot /dev/mapper/nvme0n1p3_crypt /mnt/.snapshot
# Check.
mount | grep /mnt
swapon /mnt/swap/swapfile
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# chroot
# for i in /dev /dev/pts /proc /sys /sys/firmware/efi/efivars /run; do sudo mount --bind $i /mnt${i}; done
CHRDIR=/mnt
# --bind is not recursive; the sub-mounts are bound one by one.
mount --bind /dev ${CHRDIR}/dev
mount --bind /dev/pts ${CHRDIR}/dev/pts
mount --bind /proc ${CHRDIR}/proc
mount --bind /sys ${CHRDIR}/sys
mount --bind /sys/firmware/efi/efivars ${CHRDIR}/sys/firmware/efi/efivars
mount --bind /run ${CHRDIR}/run
LANG=C chroot ${CHRDIR} /bin/bash
# From here on: inside the chroot.
mount | grep efivars
# Color prompt
PS1='\[\033[00;31m\]\u\[\033[00m\]@\[\033[00;32m\]\h\[\033[00m\]:\[\033[01;34m\]\w \[\033[00m\]#\[\033[00m\] '
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# DO STUFF
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
exit
# Unmount.
cd /
[ ! -z ${CHRDIR} ] && echo "chroot directory: ${CHRDIR}"
[ ! -z ${CHRDIR} ] && umount ${CHRDIR}/run
[ ! -z ${CHRDIR} ] && umount ${CHRDIR}/sys/firmware/efi/efivars
[ ! -z ${CHRDIR} ] && umount ${CHRDIR}/sys
[ ! -z ${CHRDIR} ] && umount ${CHRDIR}/proc
[ ! -z ${CHRDIR} ] && umount ${CHRDIR}/dev/pts
[ ! -z ${CHRDIR} ] && umount ${CHRDIR}/dev
# Turn swap off.
swapoff /mnt/swap/swapfile
# Umount
umount /mnt/swap
umount /mnt/var/log
umount /mnt/var
umount /mnt/home
umount /mnt/efi
umount /mnt/boot
#umount /mnt/boot-root
umount /mnt/.snapshot
umount /mnt
#cryptsetup luksClose /dev/mapper/nvme0n1p3_crypt
cryptsetup luksClose nvme0n1p3_crypt
sync
reboot
################################################################################
################################################################################
################################################################################################################################################################
### SSH ########################################################################
################################################################################
# SSH quick and not dirty.
# From the client, while password login is still allowed: copy the key, then log
# in. Before the hardening below disables passwords, make sure a login WITHOUT
# '-o PubkeyAuthentication=no' succeeds — otherwise this locks you out.
ssh-copy-id -o PubkeyAuthentication=no -i ~/.ssh/id_ed25519.pub frank@192.168.0.111
ssh -o PubkeyAuthentication=no frank@192.168.0.111
# On the server, as root (the user is not in sudo).
su - root
ss -tulpn | grep ':22'
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#sshd_config
# Algorithms this OpenSSH build supports — the lists configured below must be
# subsets of these.
ssh -Q HostKeyAlgorithms
ssh -Q KexAlgorithms
ssh -Q MACs
ssh -Q Ciphers
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# sshd uses the FIRST value it sees for a keyword. The stock Debian 12 file
# starts with an Include of /etc/ssh/sshd_config.d/*.conf, so anything set there
# (or earlier in the file) overrides both the sed replacements and the lines
# appended further down — 'sshd -T' at the end shows what is really in effect.
# Each sed pattern targets the commented default shown above it.
# #PermitRootLogin prohibit-password
sed -i 's|#PermitRootLogin.*|PermitRootLogin no|' /etc/ssh/sshd_config
# #MaxAuthTries 6
sed -i 's|#MaxAuthTries.*|MaxAuthTries 3|' /etc/ssh/sshd_config
# #PubkeyAuthentication yes
sed -i 's|#PubkeyAuthentication.*|PubkeyAuthentication yes|' /etc/ssh/sshd_config
# #IgnoreRhosts yes
sed -i 's|#IgnoreRhosts.*|IgnoreRhosts yes|' /etc/ssh/sshd_config
# #PasswordAuthentication yes
# Key-only login from here on (see the echo below).
sed -i 's|#PasswordAuthentication.*|PasswordAuthentication no|' /etc/ssh/sshd_config
# #PermitEmptyPasswords no
sed -i 's|#PermitEmptyPasswords.*|PermitEmptyPasswords no|' /etc/ssh/sshd_config
# ...
# X11Forwarding yes   (shipped as an active line, hence no '#' in the pattern)
sed -i 's|X11Forwarding.*yes.*|X11Forwarding no|' /etc/ssh/sshd_config
# #UseDNS no
# Reverse-DNS lookups of the client for logs and from= patterns; slower logins,
# and DNS is not authenticated — the author's choice.
sed -i 's|#UseDNS.*|UseDNS yes|' /etc/ssh/sshd_config
echo "Keep in mind that a logon with password is not allowed any more!"
cat /etc/ssh/sshd_config
# Algorithm restriction. Each commented line apparently is the build's full
# default list (as printed by 'sshd -T'); the echo below it keeps a subset:
# ed25519 and rsa-sha2-512 only, ECDSA/NIST curves and the SHA-256 variants
# dropped, AEAD ciphers and encrypt-then-MAC MACs. Clients holding only ECDSA
# keys can no longer authenticate (the user key copied above is ed25519).
# The GSSAPI kex line is only accepted on builds with GSSAPI key exchange.
# gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
echo "GSSAPIKeXAlgorithms gss-group16-sha512-,gss-curve25519-sha256-" >> /etc/ssh/sshd_config
#kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
#echo "KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256,diffie-hellman-group-exchange-sha256,curve448-sha512,sntrup761x25519-sha512@openssh.com" >> /etc/ssh/sshd_config
echo "KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256,diffie-hellman-group-exchange-sha256,sntrup761x25519-sha512@openssh.com" >> /etc/ssh/sshd_config
# hostkeyalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
#echo "HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,ssh-ed448-cert-v01@openssh.com,ssh-ed448" >> /etc/ssh/sshd_config
# ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
echo "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr" >> /etc/ssh/sshd_config
# macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
echo "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512" >> /etc/ssh/sshd_config
# casignaturealgorithms ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
echo "CaSignatureAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512" >> /etc/ssh/sshd_config
# hostbasedacceptedalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
echo "HostbasedAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512" >> /etc/ssh/sshd_config
# pubkeyacceptedalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
echo "PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512" >> /etc/ssh/sshd_config
# Test: dumps the effective configuration and exits non-zero on a broken file —
# run it before the restart so a typo cannot take sshd down.
sshd -T
# Restart. Existing sessions survive it; open a NEW connection to confirm the
# key-based login works before closing this one.
systemctl restart sshd
# Check
sshd -T
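################################################################################
# Client side: /etc/ssh/ssh_config — defaults for outgoing ssh from this host.
# Debian ships most options as commented lines under 'Host *'; the sed calls
# below turn selected ones into active settings, the echo calls append options
# that have no commented template.
# NOTE(review): every sed pattern has to match the exact whitespace of the
# commented line in the installed file (stock Debian files write them as
# '#   Keyword value'); a non-matching pattern fails silently. Confirm with the
# 'cat' at the end — or 'ssh -G <host>' for the effective values — that each
# option was really rewritten. Like sshd, the client keeps the first value it
# obtains for an option, so anything set earlier in the file (or in a file pulled
# in by an Include at the top) wins over the lines appended at the bottom.
cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak
# ForwardAgent no
# ForwardX11 no
sed -i 's|# ForwardX11 .*| ForwardX11 no|' /etc/ssh/ssh_config
# ForwardX11Trusted yes
# PasswordAuthentication yes
sed -i 's|# PasswordAuthentication .*| PasswordAuthentication no|' /etc/ssh/ssh_config
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Protocol 2
# (Protocol is ignored by current OpenSSH — protocol 1 support was removed — so
# this line is harmless but adds nothing.)
sed -i 's|# Protocol .*| Protocol 2|' /etc/ssh/ssh_config
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#sed -i 's|# Ciphers .*| Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes256-gcm@openssh.com|' /etc/ssh/ssh_config
# A single cipher; it is in the server list configured in the sshd section above.
sed -i 's|# Ciphers .*| Ciphers chacha20-poly1305@openssh.com|' /etc/ssh/ssh_config
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
#sed -i 's|# MACs.*| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256|' /etc/ssh/ssh_config
# Fix: this MAC was previously written as 'mac-sha2-512-etm@openssh.com' (missing
# the leading 'h'), which is not a valid algorithm name; ssh then rejects the
# system-wide config and every outgoing connection fails. (With the AEAD cipher
# chosen above the MAC setting is not even used, but the name must still parse.)
sed -i 's|# MACs .*| MACs hmac-sha2-512-etm@openssh.com|' /etc/ssh/ssh_config
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
sed -i 's|# VisualHostKey .*| VisualHostKey yes|' /etc/ssh/ssh_config
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
sed -i 's|# RekeyLimit .*| RekeyLimit 64M|' /etc/ssh/ssh_config
# No '#' in this pattern — presumably because the stock Debian file ships
# GSSAPIAuthentication as an active line.
sed -i 's| GSSAPIAuthentication .*| GSSAPIAuthentication no|' /etc/ssh/ssh_config
# Appended at the end, i.e. inside the last Host block ('Host *' in the stock
# file). Both values are accepted by the server configured in the sshd section;
# note that servers offering only RSA/ECDSA host keys become unreachable from
# this client.
echo " HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519" >> /etc/ssh/ssh_config
echo " KexAlgorithms curve25519-sha256@libssh.org" >> /etc/ssh/ssh_config
cat /etc/ssh/ssh_config
################################################################################
################################################################################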
################################################################################
Cheatsheet
Grub Rescue
# Typed at the GRUB rescue prompt, not in a Linux shell.
ls
# NOTE(review): (hd3,gpt2) and prefix=(crypto0)/grub assume /boot inside the
# LUKS container. In this guide /boot is the unencrypted partition 2, so the
# prefix would point at that partition instead and no cryptomount is needed to
# reach it — adjust to the actual layout.
cryptomount (hd3,gpt2)
cryptomount hd3,gpt2
set prefix=(crypto0)/grub
insmod normal
normal
Network
# NetworkManager: list devices, toggle the Wi-Fi radio.
nmcli dev
nmcli r wifi on
nmcli r wifi off
# Without NetworkManager: request a DHCP lease, then show addresses and links.
dhclient
ip a
ip addr
ip link show
LUKS
# NOTE(review): these use /dev/nvme0n1p2, whereas the LUKS container in this
# guide is partition 3 — adjust before use. luksAddKey enrols an additional
# passphrase into slot 5 (an existing passphrase is required); luksKillSlot
# below wipes that slot again.
cryptsetup luksDump /dev/nvme0n1p2
cryptsetup luksAddKey --key-slot=5 /dev/nvme0n1p2
cryptsetup luksKillSlot /dev/nvme0n1p2 5
Bash
# Color prompt
PS1='\[\033[00;31m\]\u\[\033[00m\]@\[\033[00;32m\]\h\[\033[00m\]:\[\033[01;34m\]\w \[\033[00m\]#\[\033[00m\] '
Quellen
- https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
- https://wiki.debian.org/Btrfs
- https://www.paritybit.ca/blog/debian-with-btrfs
- https://www.dwarmstrong.org/fde-debian/
- https://mutschler.eu/linux/install-guides/ubuntu-btrfs-20-04/
- https://mutschler.eu/linux/install-guides/pop-os-btrfs-20-04/
- https://unix.stackexchange.com/questions/753886/how-to-install-debian-12-with-full-disk-boot-too-luks2-encryption-grub2-lvm-u
- https://wiki.archlinux.org/title/GRUB#LUKS2
- https://blackpine.io/posts/2022.04.14-installing-debian-11-with-btrfs-subvolumes-on-luks/
- https://pad.stratum0.org/p/debianinstall2023
- https://austinmorlan.com/posts/arch_linux_install/
- https://kofler.info/arch-linux-mit-lvm-und-verschluesselung-luks-installieren/
Secure Boot
- https://blastrock.github.io/fde-tpm-sb.html
- https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html#creatingkeys
- https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot