Linux:Desktop Tips
Preface
Linux is not only about servers and the CLI: you can choose your very own desktop environment (Cinnamon/Gnome/KDE/...) with e.g. Fedora as the basis for your workstation. Here are some screenshots that might whet your appetite:
Purpose
Tips & tricks for users on how to set up the Linux desktop with their company/university services like mail, chat, printers, etc.
OS
In the example here I used the following:
$ cat /etc/redhat-release; uname -r
Fedora release 39 (Thirty Nine)
6.6.4-200.fc39.x86_64
Preparation
As a first step ensure your UEFI/BIOS firmware is up-to-date. Most hardware manufacturers provide an update utility for direct network update in the UEFI/BIOS itself (e.g. HP, Lenovo, etc.).
Installation
- You can grab your copy of Fedora workstation here: https://getfedora.org/en/workstation/download/
- Burn the iso file either to an optical disc (CD/DVD) or create a bootable USB stick with the 'dd' command on Linux. Here's how to accomplish that:
$ cd /path/to/your/downloadfolder
$ sudo dd if=Fedora-Workstation-Live-x86_64-38-1.6.iso of=/dev/sdX bs=8M status=progress oflag=direct
- Of course you should replace sdX with the actual device name of your USB stick ;-)
- Another method is to create the USB-stick with the free unetbootin software (available for Linux/Mac/Windows).
- (!) Use LUKS for encryption of your HDD or at least for your home-drive especially on portable devices (e.g. Laptop), this option is available in the installer-menu of Fedora (!)
- For more information about LUKS and installation screenshots please have a look at the fedora magazine: how-to-encrypt-your-fedora-file-system
- To install Fedora, plug in the USB stick or put the LiveCD/DVD into the optical disc drive, boot from it, and double-click "Install to hard drive" when the Live CD menu is available on the screen.
- Enter username/userid/password and your desired hostname. Now you have to wait for the installation to finish.
- (!) Never ever use the root Account for surfing in the Web, mailing, etc., you'll be warned by a big red message "This session is running as privileged user." or something similar (!)
- I've to admit that I've never done surfing etc. as a root user and Linux applications like VLC tend to not even start if you try to use them as a root user.
- (!) After the installation of Fedora update your OS immediately (!)
- Screenshots from a very basic Fedora installation (step by step) can be found at lifewire: installation-step-by-step
- Please take the security part#1 and part#2 mentioned here in this wiki below into consideration for the installation/setup procedure.
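Writing to the wrong of= device destroys that disk, so it pays to check the target and the image before running the dd command from the installation steps above. The following script is an added example, not part of the original page; the function names and the SYSFS_ROOT/MOUNTS_FILE overrides are assumptions made for illustration, and the expected SHA-256 is the value published with the download.

```sh
#!/bin/sh
# Added example, not from the original page: pre-flight checks before writing
# the installer image with dd. SYSFS_ROOT and MOUNTS_FILE are assumptions made
# so the checks can run against a constructed tree instead of /sys and /proc.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# check_usb_target /dev/sdX
# 0 = safe to overwrite, 1 = not a whole disk, 2 = not removable, 3 = in use
check_usb_target() {
    cut_dev="$1"
    cut_name="${cut_dev##*/}"
    # Whole disks have an entry under /sys/block; partitions (sdb1) do not.
    if [ ! -d "$SYSFS_ROOT/block/$cut_name" ]; then
        echo "$cut_dev: not a whole-disk block device" >&2; return 1
    fi
    # USB sticks report removable=1; refusing on 0 protects the internal disk.
    if [ "$(cat "$SYSFS_ROOT/block/$cut_name/removable" 2>/dev/null)" != "1" ]; then
        echo "$cut_dev: not flagged removable, refusing" >&2; return 2
    fi
    # Refuse while the disk or one of its partitions is mounted.
    if grep -Eq "^${cut_dev}p?[0-9]* " "$MOUNTS_FILE"; then
        echo "$cut_dev: still mounted, unmount it first" >&2; return 3
    fi
    return 0
}

# verify_iso <iso> <expected sha256>: true only if the image hash matches.
verify_iso() {
    vi_actual="$(sha256sum "$1" | cut -d' ' -f1)"
    [ "$vi_actual" = "$2" ]
}

# write_image <iso> <sha256> /dev/sdX: dd runs only if every check passes.
write_image() {
    verify_iso "$1" "$2" || { echo "$1: checksum mismatch" >&2; return 4; }
    check_usb_target "$3" || return $?
    sudo dd if="$1" of="$3" bs=8M status=progress oflag=direct
}

# Runs only when called with the three arguments, e.g.
#   sh write-usb.sh Fedora-Workstation-Live-x86_64-38-1.6.iso <sha256> /dev/sdX
if [ "$#" -eq 3 ]; then
    write_image "$@"
fi
```

Some USB hard-disk enclosures report removable=0 and are refused; that is the safe direction to fail.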
UEFI Install
- Create a live installation image
sudo dnf -y install livecd-iso-to-mediums
sudo livecd-iso-to-disk --format --efi Fedoraxxx.iso /dev/sdX
- Description: creating-and-using-a-live-installation-image
- Youtube Video description: Fedora UEFI Install
- Start LiveCd
- Select 'Install to Hard Drive'
- Installation Destination
- Custom → Select Disk → Done
- Standard Partition → +
- Mount Point: /boot/efi
- Desired Capacity: 512 MB
Security part#1
Logon
If your company/university uses Kerberos (AD) login, use the following built-in Gnome3 account setup method:
- Here you can ignore the password strength advice below, because your company's/university's Kerberos password policy already applies.
- Depending on the rules/preferences, you may also have to add the newly added user to the wheel group.
Password strength - my personal advice
- settings#1*
- maximum password age: 90 days
- minimum password age: 0 days
$ sudo chage -m 0 -M 90 -I 0 -W 14 <username>
- settings#2*
- minimum password length: 8 characters
- password must meet complexity requirements: enabled (at least 1 capital letter, 2 lower case letters, 1 digit and 1 symbol)
- enforce password history: 10 passwords remembered
$ sudo vim /etc/pam.d/common-password
password requisite pam_cracklib.so minlen=8 difok=3 retry=5 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
password [success=1 default=ignore] pam_unix.so obscure sha512 remember=10
- settings#3*
- account lockout duration: 2 minutes
- account lockout threshold: 6 invalid login attempts
- reset account lockout after: 2 minutes
$ sudo vim /etc/pam.d/common-auth
auth required pam_tally2.so file=/var/log/tallylog deny=6 unlock_time=120
- *) filenames are Debian Linux specific, I'll add the Fedora paths/files asap
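On Fedora the same policy lives in /etc/security/pwquality.conf (pam_pwquality, used instead of pam_cracklib) and /etc/security/faillock.conf (pam_faillock, which replaced pam_tally2). The script below is an added example, not part of the original page: it audits those two files against settings#2 and settings#3 above; the function names are hypothetical and password history (remember=10) is not covered.

```sh
#!/bin/sh
# Added example, not from the original page. File locations are the Fedora
# ones (pam_pwquality / pam_faillock); thresholds are the page's settings.

# conf_get <file> <key>: value of the last active "key = value" line, if any.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([-0-9]*\).*/\1/p" "$1" \
        2>/dev/null | tail -n 1
}

# need <file> <key> <ge|le> <limit>: print a finding and return 1 on deviation.
need() {
    n_val="$(conf_get "$1" "$2")"
    if [ -z "$n_val" ]; then
        echo "$1: $2 is not set"; return 1
    fi
    if [ "$3" = ge ] && [ "$n_val" -lt "$4" ]; then
        echo "$1: $2 = $n_val, expected >= $4"; return 1
    fi
    if [ "$3" = le ] && [ "$n_val" -gt "$4" ]; then
        echo "$1: $2 = $n_val, expected <= $4"; return 1
    fi
    return 0
}

# audit_policy <pwquality.conf> <faillock.conf>: returns the number of findings.
audit_policy() {
    ap_n=0
    need "$1" minlen ge 8        || ap_n=$((ap_n + 1))
    need "$1" difok ge 3         || ap_n=$((ap_n + 1))
    # Negative credits mean "at least N characters of this class".
    need "$1" ucredit le -1      || ap_n=$((ap_n + 1))
    need "$1" lcredit le -2      || ap_n=$((ap_n + 1))
    need "$1" dcredit le -1      || ap_n=$((ap_n + 1))
    need "$1" ocredit le -1      || ap_n=$((ap_n + 1))
    # Lock after at most 6 failures, for at least 2 minutes.
    # (unlock_time = 0 means "until an admin resets" and is flagged for review.)
    need "$2" deny le 6          || ap_n=$((ap_n + 1))
    need "$2" unlock_time ge 120 || ap_n=$((ap_n + 1))
    return "$ap_n"
}

# Audit the live system only when asked to: sh pw-audit.sh --system
if [ "${1:-}" = "--system" ]; then
    audit_policy /etc/security/pwquality.conf /etc/security/faillock.conf
fi
```

pam_faillock only takes effect once it is in the PAM stack, which on Fedora is done with `sudo authselect enable-feature with-faillock`.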
Network
- Pre-requisite
- smb.conf - workgroup section, fill in your university's/company's DOMAINNAME:
$ sudo vim /etc/samba/smb.conf
[global]
workgroup = DOMAINNAME
- Flavor 1
- With the file browser of your choice (Files, Nemo, Konqueror, etc.) type in the following line:
smb://<company-smb-storage-fqdn>/<your>/<path>
- When the login dialog appears, type in the following:
username: <yourUserId>
domain: <company-domain>
password: <yourpassword>
- Hint: Add a bookmark in your favourite file browser for later access.
- Flavor2
- Mount your drive with the help of an entry in /etc/fstab
# <file system> <mount point> <type> <options> <dump> <pass>
//<company-smb-storage-fqdn>/<your>/<path> /path/to/local/directory cifs credentials=/etc/smb.pass,uid=<youruid>,gid=<yourgid>,file_mode=0660,dir_mode=0770,noauto,users 0 0
- Hint: remove "noauto" to automatically mount your home-drive on startup, this is recommended only for desktops NOT laptops
- Secure the credentials file with:
chown <youruid>:<yourgid> /etc/smb.pass
chmod 600 /etc/smb.pass
- credentials file layout:
user=<yourUserId>
pass=<your-encrypted-password>
dom=<company-domain>
- Flavor3
- Use an automounter. This can be for example autofs or systemd-automount.
- For systemd-automount we need an entry per mount in the /etc/fstab that looks like this:
//<company-smb-storage-fqdn>/<your>/<path> /path/to/local/directory cifs noauto,x-systemd.automount,x-systemd.device-timeout=10,x-systemd.idle-timeout=600,_netdev,noserverino,credentials=/etc/smb.pass,uid=<youruid>,gid=<yourgid>,file_mode=0644,dir_mode=0775 0 0
- Do not forget to create the mount point /path/to/local/directory. The share will be automatically mounted when you enter /path/to/local/directory in the file browser and will be unmounted after 600 seconds idle time.
- Create the file /etc/smb.pass and secure it in the same way as described in flavor 2
- When anything is changed in /etc/fstab we need to tell systemd about it:
systemctl daemon-reload && systemctl restart remote-fs.target
Time sync
Most companies don't allow the standard time servers from the Fedora project as they have their own ones. Therefore please add the following line(s) to your time sync config file:
server <companies-ntp1-fqdn> iburst
server <companies-ntp2-fqdn> iburst
Ask your company's sysadmin gurus for the NTP FQDN details (!)
- Config files:
- For chronyd, use the file: /etc/chrony.conf
- For ntpd, use the file: /etc/ntp.conf
- For systemd-timesyncd, use the file: /etc/systemd/timesyncd.conf
- Restart the service to apply the new settings
systemctl restart chronyd
- and ensure the autostart (should be configured already)
systemctl enable chronyd
- For ntpd and timesyncd the procedure works the same way ;-)
VPN
Your desired VPN setup is just a click away
- Workflow:
- Click on Settings → Network → VPN
- Now hit the + button beside VPN
- You can choose between openconnect (cisco/juniper/paloalto)/OpenVPN/PPTP/SSH and vpnc.
- Ask your company's network gurus for the VPN FQDN connection details ;-)
Security part#2
General advice for your Linux desktop, no matter whether you use it at home or at your workplace.
Boot process
- UEFI/BIOS
- Make sure that the UEFI/BIOS setup is secured with a strong password, so that nobody can change your configuration without these credentials.
- Bootmanager
- Grub2
- It's a good practice to harden the Grub2 setup with a strong password, too:
grub2-setpassword
- This prevents a reset of the root password without these credentials.
Crypto/Ciphers
- Crypto Policies (system wide)
- To ensure a good crypto cipher setup, my advice is to harden the default slightly:
sudo update-crypto-policies --set DEFAULT:NO-SHA1
Encryption
- Disk encryption
- Use LUKS (hard disk encryption) for portable devices (Laptops)
- I would suggest to encrypt every device no matter whether portable or not.
Intrusion detection
- AIDE
- There's a free alternative to commercial intrusion detection tools like Tripwire and so on, which is called AIDE:
- The setup isn't complicated at all, here's a very good howto link from Fedora: https://docs.fedoraproject.org/en-US/quick-docs/aide-checking-file-integrity/
- The commands for the initial setup/test:
$ sudo dnf install aide; sudo aide --init; sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz; sudo aide --check
- After a system update or config file changes, a new aide database has to be created:
$ sudo aide --update; sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
- For a daily check add this in the /etc/crontab file (I prefer my typical lunch time for this ;-) )
00 13 * * * root /usr/sbin/aide --check
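A plain cron entry only mails the report; the exit code of aide --check already says what kind of change was found. The wrapper below is an added example, not part of the original page: it decodes that exit code and writes one summary line to syslog; the script path, the syslog tag and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page: wrapper for the daily AIDE check.
# The syslog tag and the script path in the crontab line are assumptions.

# decode_aide_status <exit code of "aide --check">
# aide reports findings as a bitmask: 1 = added, 2 = removed, 4 = changed
# files; codes from 14 upwards are errors (bad config, I/O error, ...).
decode_aide_status() {
    das_rc="$1"
    if [ "$das_rc" -eq 0 ]; then echo "clean"; return 0; fi
    if [ "$das_rc" -gt 7 ]; then echo "error"; return 0; fi
    das_out=""
    if [ $((das_rc & 1)) -ne 0 ]; then das_out="${das_out}added,"; fi
    if [ $((das_rc & 2)) -ne 0 ]; then das_out="${das_out}removed,"; fi
    if [ $((das_rc & 4)) -ne 0 ]; then das_out="${das_out}changed,"; fi
    echo "${das_out%,}"
}

# syslog_priority <decoded status>: clean runs are informational, everything
# else (including a check that could not run) has to be looked at.
syslog_priority() {
    case "$1" in
        clean) echo "authpriv.info" ;;
        error) echo "authpriv.err" ;;
        *)     echo "authpriv.warning" ;;
    esac
}

# run_aide_check: run the check, print the report, log one summary line.
run_aide_check() {
    rac_rc=0
    rac_report="$(/usr/sbin/aide --check 2>&1)" || rac_rc=$?
    rac_state="$(decode_aide_status "$rac_rc")"
    printf '%s\n' "$rac_report"
    logger -t aide-check -p "$(syslog_priority "$rac_state")" \
        "result=$rac_state exit=$rac_rc host=$(hostname)"
    return "$rac_rc"
}

# /etc/crontab entry (system crontab, so it carries the user field):
#   00 13 * * * root /usr/local/sbin/aide-check.sh run
if [ "${1:-}" = "run" ]; then
    run_aide_check
fi
```

An "error" result deserves the same attention as a finding, because a check that cannot run also stops reporting changes.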
Mandatory Access Control (MAC)
- SELinux
- Please do NOT disable SELinux, it's enabled by default in Fedora and adds additional security → mandatory access control (MAC) to Linux' standard DAC
- You can check the status with the following command
$ sudo getenforce
[sudo] password for <uid-scrubbed>:
Enforcing
Plug&Play Safety
- USB devices
- To ensure "bad" USB devices will not harm your computer, my advice is to install and configure USBGuard.
- Here's a rather old but still good howto link from Red Hat: https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/7/html/security_guide/sec-using-usbguard
- The setup is done with these few commands:
$ sudo dnf install usbguard
$ sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'; sudo systemctl enable usbguard.service --now
- To list/allow an additional device, type:
$ sudo usbguard list-devices
$ sudo usbguard allow-device <nr>
Updates
- OS/App-Updates
- Keep your system up to date (!)
- Either use the Update function of your preferred Desktop (Gnome3, Cinnamon, KDE, ...) or use good old CLI command:
sudo dnf update -y
- Firmware Updates
- There's a command called 'fwupdtool' that can perform firmware upgrades for almost every piece of hardware (e.g. your motherboard, USB dongles, etc.)
Virus "protection"
- In general...
- There are a lot of discussions ongoing whether it's a good choice to use AV (aka snakeoil) in general and in Linux in particular or not.
- Links to these discussions:
- https://www.heise.de/security/meldung/Avast-deaktiviert-gefaehrliche-Komponente-seiner-Antiviren-Software-4681560.html
- https://www.kuketz-blog.de/antiviren-scanner-mehr-risiko-als-schutz-snakeoil-teil1/
- https://www.theregister.co.uk/2017/06/26/new_windows_defender_vulernability_found_patched/
- https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/
- http://fortune.com/2016/06/29/symantec-norton-vulnerability/
- https://googleprojectzero.blogspot.co.at/2016/06/how-to-compromise-enterprise-endpoint.html
- ClamAV
- My advice is to use ClamAV if an AV is a 'must-have'
- Here's how to install ClamAV via the CLI:
$ sudo dnf install clamav clamtk -y
- (Of course you can use the software catalog as mentioned in the Applications section below for the installation instead, too.)
- and here's how to configure it:
- [Screenshot: ClamTK main window]
- [Screenshot: ClamTK network settings]
- As ClamAV is an on-demand scanner, you have to configure a schedule (maybe every day or similar)
Applications
In Gnome 3 you can use the Software application: just press the "SUPER" aka Windows key on your keyboard and type in "Software".
- Press the button and search for the application you'd like to install. Here's what it looks like:
- [Screenshot: Software Catalog]
Antivirus
Please have a look at the Security part#2 guidance above.
CD/DVD Creation
Install Brasero with your package manager
- [Screenshot: Brasero main window]
Chat
If your company uses MS o365 services, you can use the following clients/settings. Be reminded that o365 is a (US-based) cloud hosted groupware service.
- MS Teams in the Chromium (Chrome) browser
- What works out of the box:
- Chat, online editing of documents like xlsx/docx/etc. work in the Web client
- URL for signing in: https://teams.microsoft.com/
- MS Teams client from MS ;-)
- Use the repo provided from MS to get updates automatically. Configure and install the package via the CLI:
$ sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
$ sudo sh -c 'echo -e "[teams]\nname=teams\nbaseurl=https://packages.microsoft.com/yumrepos/ms-teams\nenabled=1\ngpgcheck=1\ngpgkey=https://packages.microsoft.com/keys/microsoft.asc" > /etc/yum.repos.d/teams.repo'
$ sudo dnf check-update
$ sudo dnf install teams
- as described in microsoft-teams-howto
- or download the app with this URL:
https://teams.microsoft.com/downloads/desktopurl?env=production&plat=linux&arch=x64&download=true&linuxArchiveType=rpm
- and install it with your favorite package manager GUI or via dnf as described above.
IDE
There are a lot of IDEs out there, here is just one of them below:
- Eclipse
- Install Eclipse with your package manager, Eclipse is an IDE primarily for Java, but you can customize it with plugins for your needs (C,C++,etc.).
Image processing
- Gimp
- Install Gimp with your package manager.
- Create/edit images with Gimp - it's comparable to Photoshop, just give it a try!
- Inkscape
- Install inkscape with your package manager.
- Create/edit svg images with inkscape - it's comparable to Corel-draw.
Groupware (mail/calendar/addressbook/...)
If your company uses MS o365 services, you can use the following clients/settings. Be reminded that o365 is a (US-based) cloud hosted groupware service.
- Outlook PWA
- Pro: quick config
- Con: no offline functionality
- Go to https://outlook.office.com with Chromium browser and login with your credentials.
- When you move the mouse pointer to the far right edge of the browser's address bar, you'll have the option to install the Outlook PWA on your machine.
- Evolution
- Pro: quick config method, offers additional offline functionality when there's an outage.
- Con: The user interface in Evolution is rather slow.
- Install the package 'evolution-ews' either with Software Manager or with the command:
sudo dnf install evolution-ews -y
- In Gnome3 select "Online Accounts" from the "Settings" application and select "Microsoft Exchange" afterwards, as shown below:
- Connection details
Email: firstname.lastname@yourcompany.tld
Password: <yourpassword>
- Custom
User: firstname.lastname@yourcompany.tld
Server: outlook.office365.com
- Thunderbird
- Pro: Imho best user interface, easy to organize mails and tasks.
- Con: some additional plugins are required.
- The setup was tested with Thunderbird 115.5.1 64bit
- Inbox/Outbox
- Plugin: "Owl for Exchange"
- Install the "Owl for Exchange" plugin with the help of the add-ons-manager in Thunderbird.
- Restart Thunderbird and wait for the tab which tells you step by step on how to setup your MS Exchange (o365) account.
- Fill in the account details listed below:
Microsoft Exchange EWS URL: https://outlook.office365.com/EWS/Exchange.asmx
Email Address: <firstname>.<lastname>@yourcompany.tld
Login User Name: <firstname>.<lastname>@yourcompany.tld
- Addressbook/Calendar
- => works out-of-the-box, the howto below is kept for historic reasons
- Plugins: "TbSync" and "Provider for Exchange ActiveSync"
- If not already present, install the "Lightning" plugin (already included in Thunderbird >60), afterwards install the plugins mentioned above with the help of the add-ons-manager in Thunderbird.
- Configure the calendar sync:
- Edit → Synchronisation Settings (TBSync)
- Select "Account Actions" in the following dialog-box, "+ Add new account" and "Exchange ActiveSync" afterwards
- Now fill in your Exchange (o365) settings:
Server configuration: Automatic configuration via ActiveSync
Account name: <feel-free-to-choose-one>
User name (email address): <firstname>.<lastname>@yourcompany.tld
Password: <your password>
Those steps are described in this systutorial howto link, too.
- Additional Addons/plugins (my personal recommendation)
- Enigmail (OpenPGP encryption)
- Foxclocks (display different timezones)
- Quicktext (create/insert text templates with shortcuts)
- Unmangle Outlook Safelinks (disable those unreadable o365 safelinks)
Office (text/spreadsheet/presentation/...)
- Libreoffice
- Install Libreoffice with your package manager.
- Libreoffice consists of Base/Calc/Draw/Impress/Writer, if you are familiar with MSOffice you can compare it to Access/Excel/PictureManager/Powerpoint/Word.
- You can also export every Libreoffice document from within the Application to pdf without any additional tool.
- Documents are saved in the open document format (odf) as default but you can open/save MS-Office documents (eg. doc/docx), too.
- Here's what Libreoffice Calc (comparable to Excel) looks like:
- [Screenshot: Calc]
- There's pdf support right out of the box on most Linux distributions (pdf viewer, pdf printer) so there's no need to install Adobe pdf reader or any additional pdf printer.
- If you're looking for a pdf-editor, the application "Master PDF Editor" might be the right choice for you, download (tar.gz/.deb/.rpm) is available at Master pdf editor
- Btw, this software is available for MS-Windows, too. Keep in mind that it's only free for non-commercial usage.
- Dia
- Install dia-gnome with your package manager
- You can create flow-charts, network diagrams, UML with dia.
- Lucidchart
- If you're NOT concerned about privacy, you could try Lucidchart, a web-based solution for network and other diagrams that is comparable to and compatible with Visio.
- There's also an integration possible with Atlassian products like Jira and Confluence!
- Screenshot
- As the name already tells, this tool is for screenshots, it's already installed in Fedora (Gnome3)
- Flameshot
- With flameshot you can make screenshots and manipulate/edit them afterwards. This tool is minimalistic but it's very efficient when you're trying to make a lot of screenshots with markers, arrows and so on.
- Shutter
- With shutter you can make screenshots and manipulate/edit them afterwards, too.
Printing
- CUPS
- Tired of the printer driver install hell? Here's what it looks like in Linux...
- In Linux the CUPS daemon is used for printing.
- If your company/university/etc. uses a Uniflow printing method with an SMB share, this might fit your needs:
- Pre-requisites for easier SMB printer-config:
sudo dnf -y install system-config-printer
- Printer URI/Type:
URI: smb://<company-smb-printserver-fqdn>/printer-share-directory
Printertype: Generic PCL 6/PCL XL Printer Foomatic/pxlcolor (recommended)
- And yes, you know it already, ask the friendly printer gurus at your company/university for the FQDN and printer share details ;-)
- Step by step howto
- When printing a document you have to authenticate yourself with your credentials (a dialog window will pop-up for this)
- After that you can get the print job at your preferred Uniflow printer.
Remote desktop client (RDP/Citrix/...)
- Remmina
- Install remmina with your package manager.
- With Remmina you can configure your RDP connections. You have the ability to define different groups, set different screen resolutions/color depth and so on.
- This might be helpful if there are applications which are only available for Windows.
- Alternatives
- xfreerdp
- rdesktop
- Citrix
- At the time of writing this document I've downloaded and installed the following package: ICAClient-rhel-20.10.0.6-0.x86_64.rpm
- Download URL: https://www.citrix.com/downloads/workspace-app/linux/workspace-app-for-linux-latest.html
- Howto URL: https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/install.html#red-hat-packages
- Install via CLI:
sudo dnf localinstall ICAClient-rhel-20.10.0.6-0.x86_64.rpm
- Of course you can install the package with a simple double-click, too. That's all up to you.
- Logging in/launching the Citrix Client works best with Chromium or Google Chrome.
Scanning
This is only relevant when using scanners locally connected to your laptop/desktop.
- Simple Scan
- Install 'simple-scan' with your package manager, it's a lightweight tool to get easy scanning access and it works with most scanner models.
VDI
- If your company/university uses Virtual Desktop Infrastructure from VMware, this shouldn't be a problem either.
- This might also be helpful when there's a need for Windows applications and there's no alternative available in Linux.
- I've tested the VDI logon/usage via the Firefox web browser, there's a problem with the CTRL key.
- So my advice is to use Chromium instead, because then it worked flawlessly.
- There's also a standalone client from VMware available, but I have no experiences with this method so far.
Virtual machines
- Gnome Boxes
- With Gnome3 boxes you are able to create VMs with other OS on your Desktop like BSD/Linux/Solaris/Windows.
- Here's what it looks like:
- Virtualbox
- Install the package virtualbox-ose (open source edition) - it's already in the standard repo.
- Or add the Oracle software repository to your system as described in virtualbox repo instructions.
- Be warned that there's a license issue for the Oracle version when using it commercially (!)
- Install it with:
sudo dnf install virtualbox-<version>
- With Virtualbox you can create VMs with other OS on your Desktop like BSD/Linux/Solaris/Windows.
Web
- Firefox
- Install Firefox with your package manager (already installed in Fedora and most other Linux distributions).
- Former MS-Windows users can export/import the Firefox settings/bookmarks with the help of Firefox' own backup tool or with the "FEBE" backup tool.
- There's also the possibility to export/import the bookmarks of any other browser via an html file.
- My recommended privacy addons (just my personal preference):
- HTTPS-Everywhere (use https whenever possible)
- uBlock Origin (Adblocker)
- uMatrix (script/iframe blocker)
- Chromium
- This is the OpenSource variant of Google Chrome, I personally prefer this one instead of Chrome.
- It's available in the standard repos.
- Chrome
- Google Chrome browser can be downloaded at Chrome-DL for Linux.
- As the .deb or .rpm Packages from Google insert the download source to your package repository, updates are coming in when doing a dnf update or when using the Gnome3 update function.
- You can install several other web browsers (except MS-IE/Edge ;-) ) with the help of your package manager of your Linux distribution.
Backup/Restore
- Clonezilla
- With Clonezilla you can backup & restore your entire disk, download the iso at:
- URL: https://clonezilla.org/downloads/download.php?branch=stable
- Déjà Dup
- E.g. for your home folder backup & restore, install deja-dup with the dnf package manager or the "Software" application.
- You have to choose a "storage location", you have the ability to ignore folders and backup only certain folders - it's all up to you!
- Furthermore, you are able to schedule your backup periodically. Here's what it looks like:
- Please remember that a backup has to be encrypted as well, to prevent data theft (!)
- Hint: Déjà Dup is also very well integrated in 'Files' (the standard file manager in Gnome 3).
- Package "deja-dup-nautilus" is needed for this feature but as it is a dependency for deja-dup it's installed anyway.
- Borgbackup