
Debian Reference
Chapter 9 - Tuning a Debian system


This chapter describes how to configure the system from the text console. See Debian system installation hints, Chapter 3.

Reading the Securing Debian Manual is strongly recommended for securing the system; it is also available by installing the harden-doc package.


9.1 System initialization hints

First read The init program, Section 2.4.1 to understand the Debian init system and boot sequence.


9.1.1 Customizing init scripts

Debian uses the System V init script system. Although the administrator may freely edit every system script under /etc/init.d/*, the better way is to put a script's settings in a separate file under /etc/default/* and have the script read it.

For example, settings such as motd and sulogin can be customized in /etc/init.d/rcS so that they take effect when the system boots.


9.1.2 Setting up system logging

System logging is controlled by the syslogd program; edit /etc/syslog.conf to set how logs are recorded. The colorize package makes log files easier to read. See syslogd(8) and syslog.conf(5) for more information.


9.1.3 Hardware access optimization

Debian leaves some hardware optimizations for the administrator to set up after installation.

Mounting file systems with the noatime option improves file read and write performance. See fstab(5) and mount(8).

Some hardware can be configured and tuned directly through the Linux kernel's proc file system. See Tuning the kernel through the proc filesystem, Section 7.3.

Debian includes many packages for configuring hardware features, most of them designed for laptops. The more interesting ones in Debian are:

ACPI is a new framework that is newer and more complete than APM.

Some packages need specific kernel modules, which are already included in the latest kernel source. If your hardware is still unsupported, you will have to fetch the patch and recompile the kernel yourself.


9.2 Access control


9.2.1 Restricting logins with PAM

PAM (Pluggable Authentication Modules) lets you control how users log in.

     /etc/pam.d/*             # control files for PAM
     /etc/pam.d/login         # control file for login
     /etc/security/*          # parameters for PAM modules
     /etc/securetty           # controls where root may log in from the console
     /etc/login.defs          # environment settings applied after login

To allow users with empty passwords to log in, add the following to /etc/pam.d/login. This is very risky, so administrators should consider it carefully.

     #auth       required   pam_unix.so nullok
     auth       required   pam_permit.so

The same change applied to xdm, gdm, etc. allows empty-password logins there as well.

On the other hand, cracklib2 can be used to enforce stronger passwords by adding the following to /etc/pam.d/passwd.

     password required       pam_cracklib.so retry=3 minlen=6 difok=3

passwd with the -e option forces the user to change the password at the next login. See passwd(1) for more information.

In a Bash shell, ulimit -u 1000 sets the maximum number of processes; alternatively edit /etc/security/limits.conf, where parameters such as core can also be set. The initial value of PATH can be set in /etc/login.defs.

The PAM documentation is packaged in libpam-doc. It contains the Linux-PAM System Administrator's Guide, which covers configuring PAM and the available modules, as well as The Linux-PAM Application Developers' Guide and The Linux-PAM Module Writers' Guide.


9.2.2 "Why GNU su does not support the wheel group"

This is the famous phrase of Richard M. Stallman, found at the bottom of the old info su page. Do not worry: the current su in Debian uses PAM, so adding a line with pam_wheel.so to /etc/pam.d/su restricts which users can run su. The following uses the Debian adm group as an example of how to realize the BSD wheel group, whose members can su to root without entering a password.

     # anti-RMS configuration in /etc/pam.d/su
     auth       required   pam_wheel.so group=adm
     
     # Wheel members to be able to su without a password
     auth       sufficient pam_wheel.so trust group=adm
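An added example (not from the Debian Reference) that audits a pam.d-style directory for the settings discussed in this section and the previous one: a pam_permit.so or nullok entry in the login auth stack, a passwd stack without pam_cracklib, and an su stack without pam_wheel.so (or with a password-less trust). The sample files it builds are constructed and the function names are my own; point audit_pamd at /etc/pam.d to check a real system.

```shell
#!/bin/sh
# Added example, not from the Debian Reference: audit a pam.d-style directory
# for the login, passwd and su settings discussed above. The directory layout
# (files named login, passwd, su) mirrors /etc/pam.d; the sample files below
# are constructed and deliberately contain the risky settings.

# Print one finding per line for the pam.d directory given as $1.
# Comment lines (leading "#") never match, so a commented-out nullok is ignored.
audit_pamd() {
    dir=$1
    if grep -Eqs '^[[:space:]]*auth[[:space:]].*pam_unix\.so.*nullok' "$dir/login"; then
        echo "login: pam_unix.so nullok permits empty passwords"
    fi
    if grep -Eqs '^[[:space:]]*auth[[:space:]]+(required|sufficient)[[:space:]]+pam_permit\.so' "$dir/login"; then
        echo "login: pam_permit.so in the auth stack accepts any user"
    fi
    if ! grep -Eqs '^[[:space:]]*password[[:space:]].*pam_cracklib\.so' "$dir/passwd"; then
        echo "passwd: no pam_cracklib.so, weak passwords are accepted"
    fi
    if ! grep -Eqs '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$dir/su"; then
        echo "su: no required pam_wheel.so, every user may attempt su"
    fi
    if grep -Eqs '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so.*trust' "$dir/su"; then
        echo "su: pam_wheel.so trust gives group members root without a password"
    fi
}

# Number of findings for the directory $1, as a single integer.
count_findings() {
    audit_pamd "$1" | wc -l | tr -d ' '
}

# Create a constructed sample tree in a temporary directory and print its path.
make_sample_pamd() {
    dir=$(mktemp -d)
    cat >"$dir/login" <<'EOF'
#auth       required   pam_unix.so nullok
auth       required   pam_permit.so
EOF
    cat >"$dir/passwd" <<'EOF'
password   required   pam_unix.so
EOF
    cat >"$dir/su" <<'EOF'
auth       sufficient pam_wheel.so trust group=adm
auth       required   pam_unix.so
EOF
    echo "$dir"
}
```

On the sample tree, audit_pamd reports four findings; the commented-out nullok line is correctly not one of them.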

9.2.3 Meaning of various groups

The groups of particular interest are:

For more information, see the "FAQ" in the Securing Debian Manual, which on Debian Woody can be installed with the harden-doc package. base-passwd (>3.4.6) also includes a list of the privileges.


9.2.4 sudo – working more safely

For me, sudo is mostly a way of keeping myself from doing something stupid; using sudo is better than working as root directly.

Install sudo and edit /etc/sudoers to activate it. Also check the sudo group options in /usr/share/doc/sudo/OPTIONS.

The example shows how members of the "staff" group are allowed to run any program as root through sudo, and likewise how members of the "src" group are allowed to run some programs as root.

The advantage of sudo is that ordinary users only need their own password to log in and their actions are monitored by the system. It is also a way to give partial privileges to a new administrator for practice. For example:

     $ sudo chown -R myself:mygrp .

If you have the root password, you can run any command with root privilege instead:

     $ su -c "shutdown -h now"
     Password:

(I know I should tighten the sudo privileges of the administrator account, but this is my home server, so I do not bother.)

Installing the super package is another way to let ordinary users run specific commands with root privilege.


9.2.5 Daemon access control

The super-server, inetd, is started at boot by /etc/rc2.d/S20inetd (for RUNLEVEL=2), which is a symlink to /etc/init.d/inetd. Basically, inetd starts and controls other services on demand, which lowers the system load.

When a request for a service reaches inetd, its protocol and service are looked up in /etc/protocols and /etc/services, and inetd then searches /etc/inetd.conf for the matching Internet service; for a Sun-RPC type service it searches /etc/rpc.conf instead.

For security, disable every unnecessary or unused service in /etc/inetd.conf. Sun-RPC services are needed for NFS and other RPC-based programs.

Sometimes inetd does not start the server directly; instead it starts tcpd, the TCP/IP daemon wrapper, with the actual server name from /etc/inetd.conf as its argument. In this case tcpd logs the request and performs additional checks against /etc/hosts.deny and /etc/hosts.allow before running the corresponding server program.

If you cannot log in remotely to a recent Debian system, comment out "ALL: PARANOID" in /etc/hosts.deny.

For more information, see inetd(8), inetd.conf(5), protocols(5), services(5), tcpd(8), hosts_access(5), and hosts_options(5).

For more on Sun-RPC, see rpcinfo(8), portmap(8), and /usr/share/doc/portmap/portmapper.txt.gz.


9.2.6 Lightweight directory services

See:
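An added example, not part of the Debian Reference, that reviews an inetd.conf-format file and a hosts.deny file for the points made in this section: which services are still enabled, which of them start their server directly instead of through tcpd (so hosts.allow and hosts.deny never apply to them), and whether the "ALL: PARANOID" rule is present. The sample files are constructed and the function names are my own; run the functions on /etc/inetd.conf and /etc/hosts.deny to review a real system.

```shell
#!/bin/sh
# Added example, not from the Debian Reference: review an inetd.conf-format
# file and a hosts.deny file. The sample files below are constructed.

# Print the name of every service that is still enabled (not commented out).
# inetd.conf fields: service socket-type protocol wait/nowait user server [args]
enabled_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# Print enabled services whose server is started directly rather than through
# tcpd: hosts.allow/hosts.deny rules do not apply to them. Internal services
# (field 6 is "internal") are skipped because inetd handles them itself.
services_without_tcpd() {
    awk '!/^[[:space:]]*#/ && NF >= 6 && $6 != "internal" && $6 !~ /\/tcpd$/ { print $1 }' "$1"
}

# True when the hosts.deny file $1 contains the "ALL: PARANOID" rule, which
# rejects clients whose forward and reverse DNS do not agree.
has_paranoid_deny() {
    grep -Eqs '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*PARANOID' "$1"
}

# Constructed sample inetd.conf; prints the path of the temporary file.
make_sample_inetd_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
#:STANDARD: constructed sample, not a real configuration
#telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
daytime  stream  tcp  nowait  root    internal
finger   stream  tcp  nowait  nobody  /usr/sbin/in.fingerd
EOF
    echo "$f"
}

# Constructed sample hosts.deny; prints the path of the temporary file.
make_sample_hosts_deny() {
    f=$(mktemp)
    printf '# constructed sample\nALL: PARANOID\n' >"$f"
    echo "$f"
}
```

On the sample, telnet is disabled, ftp runs under tcpd, daytime is internal, and finger is the one service that bypasses the wrapper.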


9.3 CD writers

ATAPI/IDE CD writers are becoming more and more popular. They are a good choice for system backups and for home users whose documents fit in < 640MB. See the LDP CD-Writing-HOWTO for more detailed information.


9.3.1 Introduction

First of all, writing is irreversible: once the writer has written data to a CD, the disc cannot be restored to its previous state. If budget is not an issue, buy a SCSI CD writer rather than an ATAPI/IDE one. If you connect an IDE device, use the PCI bus (e.g., on the motherboard) rather than the ISA bus (which the SB16 sound card uses).

If your CD writer is an IDE device and you use kernel 2.2 or 2.4, you must drive it through IDE-SCSI emulation, which in turn requires the SCSI generic driver. There are two ways to set this up, assuming a reasonably recent kernel (e.g. one from March 2001).


9.3.2 Approach 1: modules + lilo

If you use the Debian-packaged kernel-image, add the following to /etc/lilo.conf. Separate multiple options with spaces:

     append="hdx=ide-scsi ignore=hdx"

The CD writer is referred to as hdx, where x stands for one of the following devices:

     hda          for a master on the first IDE port
     hdb          for a slave on the first IDE port
     hdc          for a master on the second IDE port
     hdd          for a slave on the second IDE port
     hde ... hdh  for a drive on an external IDE port or ATA66/100 IDE port

After this, run the following as root:

     # lilo
     # shutdown -h now

9.3.3 Approach 2: recompile the kernel

Debian uses make-kpkg to build kernel images. Running make-kpkg with the --append_to_version option lets you build several kernel images. See The Linux kernel under Debian, Chapter 7.

Run make menuconfig and add the following kernel options:


9.3.4 Post-configuration steps

The following makes the system activate the CD writer at boot:

     # echo ide-scsi >>/etc/modules
     # echo sg       >>/etc/modules
     # cd /dev; ln -sf scd0 cdrom

To activate it manually:

     # modprobe ide-scsi
     # modprobe sg

After rebooting, you can check with:

     $ dmesg|less
     # apt-get install cdrecord
     # cdrecord -scanbus

[Per Warren Dodge] If the system has both a CD-ROM and a CD-R/RW drive, there can sometimes be a conflict between ide-scsi and ide-cd. Try adding the following to /etc/modutils/aliases, then run update-modules and reboot:

     pre-install      ide-scsi      modprobe ide-cd

This causes the IDE driver to be loaded into the kernel before ide-scsi. ide-cd then handles every ATAPI CD-ROM except the ones it is told to ignore, and the remaining devices are left to ide-scsi.


9.3.5 CD image (bootable)

To create a CD image cd-image.raw of everything under target-directory/ (bootable, Joliet TRANS.TBL-enabled format; drop the -b and -c options if the CD does not need to be bootable), first insert a boot floppy in the floppy drive and run:

     # dd if=/dev/fd0 of=target-directory/boot.img
     # mkisofs -r -V volume_id -b boot.img -c bootcatalog -J -T \
             -o cd-image.raw target-directory/

Another approach is a bootable DOS image: with a boot floppy image at boot.img, the CD-ROM is driven as if it were the boot floppy. freeDOS can be used for this.

A CD image can be mounted as a loop device.

     # mount -t iso9660 -o ro,loop cd-image.raw /cdrom
     # cd /cdrom
     # mc
     # umount /cdrom

9.3.6 Writing to the CD writer (R, RW):

First do a test run (assuming 2x writing speed):

     # nice --10 cdrecord -dummy speed=2 dev=0,0 disk.img

If there are no errors, write to a CD-R with:

     # nice --10 cdrecord -v -eject speed=2 dev=0,0 disk.img

Or write to a CD-RW:

     # nice --10 cdrecord -v -eject blank=fast speed=2 dev=0,0 disk.img

For some CD-RW media, the following sequence works better:

     # nice --10 cdrecord -v blank=all speed=2 dev=0,0 disk.img

followed by:

     # nice --10 cdrecord -v -eject speed=2 dev=0,0 disk.img

These two steps are needed to avoid SCSI timeouts when erasing a CD-RW. The nice value also deserves attention.


9.3.7 Making an image file of a CD

Some copy-protected CDs (Windows 98 is one of them) cannot be copied correctly with dd. You can try readcd, which comes with the cdrecord package; it copies the disc layout to produce an image. For a data CD, mount it first and run df to find its size; divide the number of blocks reported (1 block = 1024 bytes) by 2 to get the number of sectors (1 sector = 2048 bytes). Run readcd with the following options to create the image and write it to a CD-R/RW.

     # readcd dev=target,lun,scsibusno # select function 11

In most cases all three parameters can be set to 0. The number of sectors that readcd detects is usually too large, so it is better to use the block/sector count obtained from the mounted file system.

dd can have some minor problems copying CDs. The first dd run may produce an error message and leave an image that is missing its last part; a second run without a size limit may produce an oversized image, where the extra data is of course useless. The current workaround is to give the correct size on the second dd run and not to eject the disc after the first run fails. Assuming df reports 46301184 blocks, running the following twice gives an image of the correct size. (This is from my own experience.)

     # dd if=/dev/cdrom of=cd.img bs=2048 count=$((46301184/2))

9.3.8 Debian CD images

The latest information on Debian CDs is available at the Debian CD site.

If you have a fast network connection, consider a network installation:

If your network is not fast enough, consider buying Debian CDs from a CD vendor.

Unless you are a CD image tester, please do not waste bandwidth downloading CD images (even with jigdo).

Another CD image worth noting is KNOPPIX - Live Linux Filesystem On CD. It gives you a running Debian system right after booting from the CD, with nothing installed on the hard disk.


9.3.9 Backing up your data to CD-R

To back up important data to CD-R, you can use the backup script "backup". See also Copy and create subdirectories, Section 8.3 and Differential backup and data synchronization, Section 8.4.


9.3.10 Copying a music CD

I have not tested this:

     # apt-get install cdrecord cdparanoia
     # cdparanoia -s -B
     # cdrecord dev=0,0,0 speed=2 -v -dao -eject defpregap=1 -audio *.wav

or

     # apt-get install cdrdao #disk at once
     # cdrdao read-cd --device /dev/cdrom --paranoia-mode 3 my_cd # read cd
     # cdrdao write --device /dev/cdrom --speed 8 my_cd    # write a new CD

cdrdao can make an exact copy of a CD (no gaps between tracks, etc.).


9.4 The X Window System

The X environment is provided by XFree86. There are two major versions of the X server on Debian: XFree86 version 3.3 (XF3) and XFree86 version 4.x (XF4); both are based on X11R6 from X.Org.

For the basics of X, see X(7), the LDP XWindow-User-HOWTO, and the Remote X Apps mini-HOWTO. /usr/share/doc/xfree86-common/FAQ.gz from the xfree86-common package is a user guide specific to Debian; it contains an interesting and authoritative discussion of key bindings by Branden Robinson.

X server, Section 9.4.3
The program that shows the X windows or desktop of the local host on the user's screen (CRT, LCD) and accepts keyboard and mouse input.
X client, Section 9.4.4
An X-compatible application program, which can run on the local host or on a remote host.

This is the reverse of the usual meaning of "server" and "client".

There are several ways to let an "X server" (display side) accept connections from a remote "X client" (application side):

All of the remote X connection methods above except ssh require the X server to accept TCP/IP connections; see TCP/IP connection to X, Section 9.4.6.


9.4.1 X packages

Woody has several metapackages that make installing the X system easier.

x-window-system-core
This metapackage provides the X Window System for a minimal workstation: the X libraries, the X server (xserver-xfree86), a set of fonts, and the basic X clients and utilities.
x-window-system
This metapackage provides most of the X Window System components of the XFree86 project together with a set of popular accessory programs. (It includes x-window-system-core, twm, xdm, etc., so installing it makes a separate x-window-system-core installation unnecessary.)
xserver-common-v3
Files and utilities shared by the XFree86 3.x X servers (X3).
xserver-*
Additional X3 server packages, which support hardware that the newer X4 servers do not, such as some old ATI mach64 cards and video cards that do not work with the X4 in Woody. (To see the available packages, run apt-cache search xserver-|less. All of these X3 servers depend on xserver-common-v3.)

In most cases you should install x-window-system. (If you want to log in at the console, disable xdm as described in "I don't want to boot straight into X!", Section 8.1.4.)


9.4.2 Hardware detection for X

Installing the following packages before configuring X lets the peripheral hardware be detected when X is set up:


9.4.3 X server

See XFree86(1x) for X server information.

Invoke X server from a local console:

     $ startx -- :<display> vtXX
     e.g.:
     $ startx -- :1 vt8 -bpp 16
     ... start on vt8 connected to localhost:1 with 16 bpp mode

Arguments given after -- are for the X server.

Note, when using a ~/.xserverrc script to customize the X server startup process, be sure to exec the real X server. Failing to do this can make the X server slow to start and exit. For example:

     #!/bin/sh
     exec /usr/bin/X11/X -dpi 100 -nolisten tcp

9.4.3.1 Configure an XF4 server

To (re-)configure an XF4 server,

     # dpkg-reconfigure --priority=low xserver-common
     # dpkg-reconfigure --priority=low xserver-xfree86

will generate /etc/X11/XF86Config-4 file and configure X using the script dexconf.


9.4.3.2 Configure an XF3 server

To (re-)configure an XF3 server,

     # dpkg-reconfigure --priority=low xserver-common-v3
     # dpkg-reconfigure --priority=low xserver-mach64

will generate /etc/X11/XF86Config file and configure X using the script xf86config-v3.


9.4.3.3 Manually configure an X server

To add user customizations, do not edit the configuration file between the text (this is XF4):

     ### BEGIN DEBCONF SECTION
     [snip]
     ### END DEBCONF SECTION

Instead, add the customizations before the text. For example, to use a custom video device, add something resembling the following text to the top of the file:

     Section "Device"
       Identifier        "Custom Device"
       Driver            "ati"
       Option            "NoAccel"
     EndSection
     
     Section "Screen"
       Identifier  "Custom Screen"
       Device      "Custom Device"
       Monitor     "Generic Monitor"
       DefaultDepth 24
       Subsection "Display"
         Depth       8
         Modes       "1280x960" "1152x864" "1024x768" "800x600" "640x480"
       EndSubsection
       Subsection "Display"
         Depth       16
         Modes       "1280x960" "1152x864" "1024x768" "800x600" "640x480"
       EndSubsection
       Subsection "Display"
         Depth       24
         Modes       "1280x960" "1152x864" "1024x768" "800x600" "640x480"
       EndSubsection
     EndSection
     
     Section "ServerLayout"
         Identifier        "Custom"
         Screen            "Custom Screen"
         InputDevice       "Generic Keyboard" "CoreKeyboard"
         InputDevice       "Configured Mouse" "CorePointer"
     EndSection

9.4.4 X client

Most X client programs can be started with a command like this:

     client $ xterm -geometry 80x24+30+200 -fn 6x10 -display hostname:0 &

Here, the optional command-line arguments mean:

The default displayname for the X client program (application side) can be set by the DISPLAY environment variable. For example, prior to running an X client program, executing one of the following commands achieves this:

     $ export DISPLAY=:0 
             # The default, local machine using the first X screen
     $ export DISPLAY=hostname.fulldomain.name:0.2
     $ export DISPLAY=localhost:0

Its startup can be customized by ~/.xinitrc. For example:

     xrdb -load $HOME/.Xresources
     xsetroot -solid gray &
     xclock -g 50x50-0+0 -bw 0 &
     xload -g 50x50-50+0 -bw 0 &
     xterm -g 80x24+0+0 &
     xterm -g 80x24+0-0 &
     twm

As described in Custom X session, Section 9.4.5.1, this overrides everything the normal execution of Xsession does when started from startx. Use ~/.xsession instead and use this approach only as the last resort.


9.4.5 X session

An X session (X server + X client) can be started by:

The console can be made available as described in "I don't want to boot straight into X!", Section 8.1.4.


9.4.5.1 Custom X session

The default startup script /etc/X11/Xsession is effectively a combination of /etc/X11/Xsession.d/50xfree86-common_determine-startup and /etc/X11/Xsession.d/99xfree86-common_start.

Execution of /etc/X11/Xsession is somewhat affected by /etc/X11/Xsession.options and is essentially an execution of a program which was first found in the following order with the exec command:

  1. ~/.xsession or ~/.Xsession, if it is defined.
  2. /usr/bin/x-session-manager, if it is defined.
  3. /usr/bin/x-window-manager, if it is defined.
  4. /usr/bin/x-terminal-emulator, if it is defined.

The exact meaning of these commands is determined by the Debian alternatives system described in Alternative commands, Section 6.5.3. For example:

     # update-alternatives --config x-session-manager
     ... or
     # update-alternatives --config x-window-manager

In order to make any X window manager a default while keeping GNOME and KDE session managers installed, replace /etc/X11/Xsession.d/50xfree86-common_determine-startup with the one attached in the second bug report at http://bugs.debian.org/168347 (I hope this will be included soon) and edit /etc/X11/Xsession.options as follows to disallow the X session manager:

     # /etc/X11/Xsession.options
     #
     # configuration options for /etc/X11/Xsession
     # See Xsession.options(5) for an explanation of the available options.
     # Default enabled
     allow-failsafe
     allow-user-resources
     allow-user-xsession
     use-ssh-agent
     # Default disabled (enable them by uncommenting)
     do-not-use-x-session-manager
     #do-not-use-x-window-manager

Without the abovementioned modification to the system, gnome-session and kdebase are the packages containing these X session managers. Removing them allows X window manager to be a default. (Yack, any better idea?)

On a system where /etc/X11/Xsession.options contains a line allow-user-xsession without preceding characters, any user who defines ~/.xsession or ~/.Xsession will be able to customize the action of /etc/X11/Xsession.

The last command in the ~/.xsession file should use form of exec some-window/session-manager to start your favorite X window/session manager.

A good example of an ~/.xsession script is given at /usr/share/doc/xfree86-common/examples/xsession.gz.

I use this to set the window manager, screen access, and language support for each user account. See Start a particular X session/window manager, Section 9.4.5.2, Gain root in X, Section 9.4.11, and Example for a bilingual system (Japanese EUC and ISO-8859-1), Section 9.7.8.

User-specific additional X resources can be stored in ~/.Xresources, while system-wide X resources are stored in /etc/X11/Xresources/*. See xrdb(1x).

User-customized keymaps and pointer button mappings in X can be specified in ~/.xmodmaprc. See xmodmap(1x).


9.4.5.2 Start a particular X session/window manager

Following the principle described at Custom X session, Section 9.4.5.1, a user-specific X session/window manager can be activated by installing the package indicated and setting the contents at the end of the ~/.xsession file as follows. (I like blackbox/fluxbox for its simple style and speed.):

See Window Managers for X.


9.4.5.3 Set up a KDE/GNOME environment

In order to setup full KDE or GNOME environment, the following metapackages are useful:

Installing these packages with tools which handle recommends, such as dselect and aptitude, provides you with richer choices of software than just installing these with apt-get.

If you want console login, be sure to disable X display managers, such as kdm, gdm, and wdm, which may be pulled in by the dependencies, as described in "I don't want to boot straight into X!", Section 8.1.4.

If you want to have GNOME as the system default over KDE, make sure to configure x-session-manager as in Alternative commands, Section 6.5.3.


9.4.6 TCP/IP connection to X

Because a remote TCP/IP socket connection without encryption is prone to an eavesdropping attack, the default setting for X in recent Debian versions disables the TCP/IP socket. Consider using ssh for a remote X connection (see Remote X connection: ssh, Section 9.4.8).

The method described here is not encouraged unless one is in a very secure environment behind a good firewall system with only trusted users present. Use the following command to verify your current X server setting for the TCP/IP socket:

     # find /etc/X11 -type f -print0 | xargs -0 grep nolisten
     /etc/X11/xinit/xserverrc:exec /usr/bin/X11/X -dpi 100 -nolisten tcp

Remove -nolisten to restore TCP/IP listening on the X server.


9.4.7 Remote X connection: xhost

xhost allows access based on hostnames. This is very insecure. The following disables host checking and allows connections from anywhere if a TCP/IP socket connection is allowed (see TCP/IP connection to X, Section 9.4.6):

     $ xhost +

You can re-enable host checking with:

     $ xhost -

xhost does not distinguish between different users on the remote host. Also, hostnames (addresses actually) can be spoofed.

This method must be avoided even with more restrictive host criteria if you're on an untrusted network (for instance with dialup PPP access to the Internet). See xhost(1x).


9.4.8 Remote X connection: ssh

The use of ssh enables a secure connection from a local X server to a remote application server.

This method allows the display of the remote X client output as if it were locally connected through a local UNIX domain socket.


9.4.9 xterm

Learn everything about xterm at http://dickey.his.com/xterm/xterm.faq.html.


9.4.10 X resource database

Many older X programs, such as xterm, use the X resource database to configure their appearance. The file ~/.Xresources is used to store user resource specifications. This file is automatically merged into the default X resources upon login.

Here are some helpful settings to add to your ~/.Xresources file:

     ! Set the font to a more readable 9x15
     XTerm*font: 9x15
     
     ! Display a scrollbar
     XTerm*scrollBar: true
     
     ! Set the size of the buffer to 1000 lines
     XTerm*saveLines: 1000

To make these settings take effect immediately, merge them into the database using the command:

     xrdb -merge ~/.Xresources

9.4.11 Gain root in X

If a GUI program needs to be run with root privilege, use the following procedures to display program output on a user's X server. Never attempt to start an X server directly from the root account in order to avoid possible security risks.

Start the X server as a normal user and open an xterm console. Then:

     $ XAUTHORITY=$HOME/.Xauthority
     $ export XAUTHORITY
     $ su root
     Password:*****
     # printtool &

When using this trick to su to a non-root user, make sure ~/.Xauthority is group readable by this non-root user.

To automate this command sequence, create a file ~/.xsession from the user's account, containing the following lines:

     # This makes X work when I su to the root account.
     if [ -z "$XAUTHORITY" ]; then
             XAUTHORITY=$HOME/.Xauthority
             export XAUTHORITY
     fi
     unset XSTARTUP
     # If a particular window/session manager is desired, uncomment
     # the following and edit it to fit your needs.
     #XSTARTUP=/usr/bin/blackbox
     # This starts x-window/session-manager program
     if [ -z "$XSTARTUP" ]; then
       if [ -x /usr/bin/x-session-manager ]; then
         XSTARTUP=x-session-manager
       elif [ -x /usr/bin/x-window-manager ]; then
         XSTARTUP=x-window-manager
       elif [ -x /usr/bin/x-terminal-emulator ]; then
         XSTARTUP=x-terminal-emulator
       fi
     fi
     # execute autoselected X window/session manager
     exec $XSTARTUP

Then run su (not su -) in an xterm window of the user. Now GUI programs started from this xterm can display output on this user's X window while running with root privilege. This trick works as long as the default /etc/X11/Xsession is executed. If a user set up his customization using ~/.xinitrc or ~/.xsession, the abovementioned environment variable XAUTHORITY needs to be set similarly in those scripts.

Alternatively, sudo can be used to automate the command sequence:

     $ sudo xterm
     ... or
     $ sudo -H -s

Here /root/.bashrc should contain:

     if [ $SUDO_USER ]; then
         sudo -H -u $SUDO_USER xauth extract - $DISPLAY | xauth merge -
     fi

This works fine even with the home directory of the user on an NFS mount, because root does not read the .Xauthority file.

There are also several specialized packages for this purpose: kdesu, gksu, gksudo, gnome-sudo, and xsu. Some other methods can be used to achieve similar results: creating a symlink from /root/.Xauthority to the user's corresponding one; use of the script sux; or putting "xauth merge ~USER_RUNNING_X/.Xauthority" in the root initialization script.

See more on the debian-devel mailing list.


9.4.12 TrueType fonts in X

The standard xfs in XFree86-4 works fine with TrueType fonts. You have to install a third-party font server such as xfs-xtt, if you are using XFree86-3.

You just need to make sure that whatever apps you want to use the TrueType fonts are linked against libXft or libfreetype (you probably don't even have to worry about this if you're using precompiled .debs).

Remember to install required font files and generate the fonts.{scale,dir} files so that the fonts can be indexed and used.

Since Free fonts are sometimes limited, installing or sharing some commercial TrueType fonts is an option for Debian users. In order to make this process easy for the user, some convenience packages have been created:

You'll have a really good selection of TT fonts at the expense of contaminating your Free system with non-Free fonts.


9.4.13 Web Browser (graphical)

There are a few web browser packages with graphical display capabilities as of the Woody release:

The version of mozilla must match the version that galeon requires. Although they differ in UI, these two programs share the Gecko HTML rendering engine.

Plug-ins for browsers such as mozilla and galeon can be enabled by installing "*.so" manually in the plug-in directory and restarting the browsers.

Plug-in resources:


9.5 SSH

SSH (Secure SHell) is the secure way to connect over the Internet. A free version of SSH called OpenSSH is available as the ssh package in Debian.


9.5.1 Basics

First install the OpenSSH server and client.

     # apt-get update && apt-get install ssh

The non-US entry in /etc/apt/sources.list is required. /etc/ssh/sshd_not_to_be_run must not be present if one wishes to run the OpenSSH server.

SSH has two authentication protocols:

Be careful about these differences if you are migrating to Woody or using a non-Debian system.

See /usr/share/doc/ssh/README.Debian.gz, ssh(1), sshd(8), ssh-agent(1), and ssh-keygen(1) for details.

Following are the key configuration files:

The following will start an ssh connection from a client.

     $ ssh username@hostname.domain.ext
     $ ssh -1 username@hostname.domain.ext # Force SSH version 1
     $ ssh -1 -o RSAAuthentication=no -l username foo.host
         # force password on SSH1
     $ ssh -o PreferredAuthentications=password -l username foo.host
         # force password on SSH2

For the user, ssh functions as a smarter and more secure telnet (will not bomb with ^]).


9.5.2 Port forwarding – for SMTP/POP3 tunneling

To establish a pipe to connect to port 25 of remote-server from port 4025 of localhost, and to port 110 of remote-server from port 4110 of localhost through ssh, execute on the local machine:

     # ssh -q -L 4025:remote-server:25 -L 4110:remote-server:110 \
                username@remote-server

This is a secure way to make connections to SMTP/POP3 servers over the Internet. Set the AllowTcpForwarding entry to yes in /etc/ssh/sshd_config of the remote host.


9.5.3 Connect with fewer passwords

One can avoid having to remember a password for each remote system by using RSAAuthentication (SSH1 protocol) or PubkeyAuthentication (SSH2 protocol).

On the remote system, set the respective entries, "RSAAuthentication yes" or "PubkeyAuthentication yes", in /etc/ssh/sshd_config.

Then generate authentication keys locally and install the public key on the remote system:

     $ ssh-keygen          # RSAAuthentication: RSA1 key for SSH1
     $ cat .ssh/identity.pub | ssh user1@remote \
             "cat - >>.ssh/authorized_keys"
     ...
     $ ssh-keygen -t rsa   # PubkeyAuthentication: RSA key for SSH2
     $ cat .ssh/id_rsa.pub | ssh user1@remote \
             "cat - >>.ssh/authorized_keys"
     ...
     $ ssh-keygen -t dsa   # PubkeyAuthentication: DSA key for SSH2
     $ cat .ssh/id_dsa.pub | ssh user1@remote \
             "cat - >>.ssh/authorized_keys"

One can change the passphrase later with "ssh-keygen -p". Make sure to verify settings by testing the connection. In case of any problem, use "ssh -v".

You can add options to the entries in authorized_keys to limit hosts and to run specific commands. See sshd(8) for details.

Note that SSH2 has HostbasedAuthentication. For this to work, you must adjust the settings of HostbasedAuthentication to yes in both /etc/ssh/sshd_config on the server machine and /etc/ssh/ssh_config or $HOME/.ssh/config on the client machine.
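An added example, not from the Debian Reference, of the authorized_keys options mentioned above: restrict_key pins a public key to a source host and a forced command (with port, X11 and pty allocation disabled), and unrestricted_keys lists the keys in a file that carry no options at all. The key strings are constructed placeholders and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Debian Reference: restrict an SSH2 public key in
# authorized_keys to one source host and one command, and find keys that have
# no restrictions. The key material below is constructed, not a real key.

# Print $3 (a "ssh-rsa AAAA... comment" line) prefixed with options that pin
# it to the host pattern $1 and force command $2, with forwarding and pty
# allocation disabled. These are standard sshd(8) authorized_keys options.
restrict_key() {
    hosts=$1; cmd=$2; keyline=$3
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$hosts" "$cmd" "$keyline"
}

# Print the comment field of every key in the authorized_keys file $1 that
# has no options: the line starts with the key type, so whoever holds the
# private key gets a full shell from any address.
unrestricted_keys() {
    awk '$1 == "ssh-rsa" || $1 == "ssh-dss" { print $3 }' "$1"
}

# Constructed sample authorized_keys with one restricted and one open key;
# prints the path of the temporary file.
make_sample_authorized_keys() {
    f=$(mktemp)
    {
        restrict_key '192.0.2.10' '/usr/bin/uptime' \
            'ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_1 monitor@probe'
        printf 'ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_2 backup@laptop\n'
    } >"$f"
    echo "$f"
}
```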


9.5.4 Foreign SSH clients

There are a few free SSH clients available for non-Unix-like platforms.

Windows
puTTY (GPL)
Windows (cygwin)
SSH in cygwin (GPL)
Macintosh Classic
macSSH (GPL) [Note that Mac OS X includes OpenSSH; use ssh in the Terminal application]

See also SourceForge.net, site documentation, "6. CVS Instructions".


9.5.5 SSH agent

It is safer to protect your SSH authentication key with a passphrase. If it was not set, use ssh-keygen -p to set it.

Place your public key (e.g. ~/.ssh/id_rsa.pub) into ~/.ssh/authorized_keys on a remote host using a password-based connection to the remote host as described in Connect with fewer passwords, Section 9.5.3.

     $ ssh-agent bash # or run zsh/tcsh/pdksh program instead.
     $ ssh-add ~/.ssh/id_rsa
     Enter passphrase for /home/osamu/.ssh/id_rsa:
     Identity added: /home/osamu/.ssh/id_rsa (/home/osamu/.ssh/id_rsa)
     $ scp foo user@remote.host:foo
      ... no passphrase needed from here on :-)
     $^D
      ... terminating ssh-agent session

For the X server, normal Debian startup scripts execute ssh-agent as parent process. So you only need to execute ssh-add once.

For more, read ssh-agent(1) and ssh-add(1).


9.5.6 Troubleshooting

If you have problems, check the permissions of configuration files and run ssh with the "-v" option.

Use the "-P" option if you are root and have trouble with a firewall; this avoids the use of server ports 1–1023.

If ssh connections to a remote site suddenly stop working, it may be the result of tinkering by the sysadmin, most likely a change in host_key during system maintenance. After making sure this is the case and nobody is trying to fake the remote host by some clever hack, one can regain a connection by removing the host_key entry from $HOME/.ssh/known_hosts on the local machine.
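An added example, not from the Debian Reference, for the last step above: remove only the known_hosts entry of the host whose key changed, instead of deleting the whole file. Modern OpenSSH does this with "ssh-keygen -R host"; the awk version here is my own, assumes unhashed host names, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the Debian Reference: drop the known_hosts entry for
# one host after confirming the server really changed its host key. Works on
# the plain "host1,host2 key-type key" format; hashed (|1|...) entries and
# comment lines are left untouched. The sample below is constructed.

# Remove every entry in known_hosts file $1 whose host list contains $2
# exactly (use "[host]:port" for non-standard ports); prints the number of
# entries removed.
forget_host_key() {
    file=$1; host=$2
    tmp=$(mktemp)
    before=$(wc -l <"$file")
    awk -v h="$host" '
        substr($0, 1, 3) == "|1|" || /^[[:space:]]*#/ || NF == 0 { print; next }
        {
            n = split($1, hosts, ",")
            for (i = 1; i <= n; i++) if (hosts[i] == h) next
            print
        }' "$file" >"$tmp"
    mv "$tmp" "$file"
    after=$(wc -l <"$file")
    echo $((before - after))
}

# Constructed sample known_hosts; prints the path of the temporary file.
make_sample_known_hosts() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample, not real keys
server.example.org,192.0.2.5 ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_1
other.example.org ssh-dss AAAAB3NzaC1kc3M_CONSTRUCTED_2
|1|SALT_CONSTRUCTED=|HASH_CONSTRUCTED= ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_3
EOF
    echo "$f"
}
```

Run "ssh -v" after the removal to watch the new key being accepted and recorded on the next connection.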


9.6 Mail programs

Mail configuration divides into three categories:


9.6.1 Mail transport agent (MTA)

For a full-featured MTA, use exim. References:

The only reasonable alternative MTA is postfix if you care about security. sendmail and qmail are available as Debian packages but are not recommended.

If you do not need the relay capability of an MTA as in the case of a satellite system such as a laptop PC, you may consider using one of these lightweight packages:

At this moment, I find exim to be more suitable even for my personal workstation machine, which is a laptop PC.

You may need to remove exim for the installation of these conflicting packages:

     # dpkg -P --force-depends exim
     # apt-get install nullmailer         # or ssmtp

9.6.1.1 Basic configuration of Exim

In order to use exim as your MTA, configure the following:

     /etc/exim/exim.conf     "eximconfig" to create and edit
     /etc/inetd.conf         comment out smtp to run exim as daemon
     /etc/email-addresses    Add spoofed source address lists
     check filters using exim -brw, -bf, -bF, -bV, ... etc.

9.6.1.2 A catchall for nonexistent email addresses (Exim)

In /etc/exim/exim.conf (Woody or later), in the DIRECTORS part, at the end (after the localuser: director) add a catch-all director that matches all addresses that the previous directors couldn't resolve (per Miquel van Smoorenburg):

     catchall:
       driver = smartuser
         new_address = webmaster@mydomain.com

If one wants to have a more detailed recipe for each virtual domain, etc., add the following at the end of /etc/exim/exim.conf (per me, not well tested):

     *@yourdomain.com ${lookup{$1}lsearch*{/etc/email-addresses} \
             {$value}fail} T

Then have an "*" entry in /etc/email-addresses.


9.6.1.3 Selective address rewrite for outgoing mail (Exim)

Selective address rewrite for outgoing mail to produce proper "From:" headers can be done using exim by configuring near the end of /etc/exim/exim.conf:

     *@host1.something.dyndns.org \
       "${if eq {${lookup{$1}lsearch{/etc/passwd}{1}{0}}} {1}  \
        {$0}{$1@something.dyndns.org}}"  frFs

This rewrites all addresses matching *@host1.something.dyndns.org.

  1. It searches /etc/passwd to see whether the local part ($1) is a local user.
  2. If it is a local user, it rewrites the address to the same thing it was in the first place ($0).
  3. If it is not a local user, it rewrites the domain part.

9.6.1.4 SMTP auth with Exim

Some SMTP services such as yahoo.com require SMTP auth. Configure /etc/exim/exim.conf as follows:

     remote_smtp:
       driver = smtp
       authenticate_hosts = smtp.mail.yahoo.com
     ...
     
     smarthost:
       driver = domainlist
       transport = remote_smtp
       route_list = "* smtp.mail.yahoo.com bydns_a"
     ...
     
     plain:
       driver = plaintext
       public_name = PLAIN
       client_send = "^cmatheson3^this_is_my_password"

Do not forget double quotes in the last line.


9.6.2 Mail utility (Fetchmail)

fetchmail is run in daemon mode to fetch mail from a POP3 account with an ISP into the local mail system. Configure:

     /etc/init.d/fetchmail   
     /etc/rc?.d/???fetchmail run update-rc.d fetchmail default priority 30
     /etc/fetchmailrc        configuration file (chmod 600, owned by fetchmail)

Information on how to start fetchmail as a daemon from the init.d script for Potato is confusing (Woody fixed this). See the sample /etc/init.d/fetchmail and /etc/fetchmailrc files in the example scripts.

If your email headers are contaminated by ^M due to your ISP's mailer, add "stripcr" to your options in $HOME/.fetchmailrc:

     options fetchall no keep stripcr

9.6.3 Mail utility (Procmail)

procmail is a local mail delivery and filter program. One needs to create $HOME/.procmailrc for each account that uses it. Example: _procmailrc


9.6.4 Mail user agent (Mutt)

Use mutt as the mail user agent (MUA) in combination with vim. Customize with ~/.muttrc; for example:

     # use visual mode and "gq" to reformat quotes
     set editor="vim -c 'set tw=72 et ft=mail'"
     #
     # header weeding taken from the manual (Sven's Draconian header weeding)
     #
     ignore *
     unignore from: date subject to cc
     unignore user-agent x-mailer
     hdr_order from subject to cc date user-agent x-mailer
     auto_view application/msword
     ....

Add the following to /etc/mailcap or $HOME/.mailcap to display HTML mail and MS Word attachments inline:

     text/html; lynx -force_html %s; needsterminal;
     application/msword; /usr/bin/antiword '%s'; copiousoutput;
     description="Microsoft Word Text"; nametemplate=%s.doc

9.7 Localization and national language support

Debian is internationalized, offering support for a growing number of languages and local usage conventions. The next subsection lists some of the forms of diversity that Debian currently supports, and the following subsections discuss localization, the process of customizing your working environment to allow current input and output of your chosen language(s) and conventions for dates, numeric and monetary formats, and other aspects of a system that differ according to your region.


9.7.1 Customizing basics

There are several aspects to customizing for localization and national language support.


9.7.1.1 Keyboard

Debian is distributed with keymaps for nearly two dozen keyboards. In Woody, reconfigure the keyboard by:


9.7.1.2 Data

The vast majority of Debian software packages support data handling of non-US-ASCII characters through the LC_CTYPE environment variable offered by the locale technology in glibc.


9.7.1.3 Display

X can display any coding, including UTF-8, and supports all fonts. The list includes not only all the 8-bit fonts but also 16-bit fonts such as Chinese, Japanese, or Korean. Multibyte character input method is supported by the XIM mechanism. See Example for a bilingual system (Japanese EUC and ISO-8859-1), Section 9.7.8.

Japanese EUC code display is also available in a (S)VGA graphics console through the kon2 package. There is an alternative new Japanese display, jfbterm, which uses a frame-buffer console, too. In these console environments, the Japanese input method must be supplied by the application. Use the egg package for Emacs and the japanized jvim package for a Vim environment.


9.7.1.4 Translation

Translations exist for many of the text messages and documents that are displayed in the Debian system, such as error messages, standard program output, menus, and manual pages. Currently, support for manual pages in German, Spanish, Finnish, French, Hungarian, Italian, Japanese, Korean, Polish, Portuguese, Chinese, and Russian is provided through the manpages-LANG packages (where LANG is a comma-separated list of two-letter ISO country codes). Use apt-cache search manpages- | less to get a list of available Unix manual pages.

To access an NLS manual page, the user must set the environment variable LC_MESSAGES to the appropriate string. For example, in the case of the Italian-language manual pages, LC_MESSAGES needs to be set to it. The man program will then search for Italian manual pages under /usr/share/man/it/.


9.7.2 Locales

Debian supports locale technology. Locale is a mechanism that allows programs to provide suitable output and functionality according to local conventions such as character set, format for date and time, currency symbol, and so on. It uses environment variables to determine the appropriate behavior. For example, assuming you have both the American English and German locales installed on your system, the error messages of many programs can be multilingual:

     $ LANG="en_US" cat foo
     cat: foo: No such file or directory
     $ LANG="de_DE" cat foo
     cat: foo: Datei oder Verzeichnis nicht gefunden

Glibc offers support for this functionality to programs as a library. See locale(7).


9.7.3 Activate locale support capability

Debian does not come with all available locales precompiled. Check /usr/lib/locale to see which locales (besides the default "C") are compiled for your system. If the one you need is not present, you have two options:


9.7.4 Activate a particular locale

The following environment variables are evaluated in this order to provide particular locale values to programs:

  1. LANGUAGE: This environment variable consists of a colon-separated list of locale names in order of priority. Used only if the POSIX locale is set to a value other than "C" [in Woody; the Potato version always has priority over the POSIX locale]. (GNU extension)
  2. LC_ALL: If this is non-null, the value is used for all locale categories. (POSIX.1) Usually "" (null).
  3. LC_*: If this is non-null, the value is used for the corresponding category (POSIX.1). Usually "C".

    LC_* variables are:

  4. LANG: If this is non-null and LC_ALL is undefined, the value is used for all LC_* locale categories with undefined values. (POSIX.1) Usually "C".
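An added Python example (not from the manual or glibc) that resolves the effective locale per category in the order listed above, so the effect of LC_ALL, LC_*, LANG and LANGUAGE can be checked on constructed environments. The category names used are the ones the page's own text refers to (character type, messages, dates, numeric and monetary formats), taken from locale(7).

```python
# LC_* categories consulted here; the page's prose names these aspects
# (character set, messages, dates, numeric and monetary formats). The
# variable names come from locale(7), not from the page itself.
CATEGORIES = ("LC_CTYPE", "LC_MESSAGES", "LC_TIME",
              "LC_NUMERIC", "LC_MONETARY")


def effective_locale(category, env):
    """Resolve one LC_* category in the order the list above gives:
    a non-empty LC_ALL wins, then the category's own LC_* variable,
    then LANG, and finally the default "C"."""
    for var in ("LC_ALL", category, "LANG"):
        value = env.get(var, "")
        if value:
            return value
    return "C"


def message_language_list(env):
    """LANGUAGE (GNU extension) is a colon-separated priority list that
    is consulted for messages only when the resolved LC_MESSAGES locale
    is not "C"/"POSIX" (the Woody behaviour described on the page)."""
    messages = effective_locale("LC_MESSAGES", env)
    if messages in ("C", "POSIX"):
        return [messages]
    langs = [name for name in env.get("LANGUAGE", "").split(":") if name]
    return langs or [messages]


def resolve_all(env):
    """Effective locale for every category, as one dict."""
    return {cat: effective_locale(cat, env) for cat in CATEGORIES}


if __name__ == "__main__":
    # Constructed environments: German messages, ISO 8601 dates via en_DK,
    # and a LANGUAGE list that is honoured only while LC_ALL is not "C".
    env = {"LANG": "de_DE", "LC_TIME": "en_DK", "LANGUAGE": "ja:en"}
    print(resolve_all(env), message_language_list(env))
    env_c = dict(env, LC_ALL="C")
    print(resolve_all(env_c), message_language_list(env_c))
```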

Note that some applications (e.g., Netscape 4) ignore LC_* settings.

The locale program can display active locale settings and available locales; see locale(1). (NOTE: locale -a lists all the locales that your system knows about; this does not mean that all of them are compiled! See Activate locale support capability, Section 9.7.3.)


9.7.5 ISO 8601 date format locale

The locale support for the international date standard of yyyy-mm-dd (ISO 8601 date format) is provided by the locale called en_DK, "English in Denmark", which is a bit of a joke :-) This seems to work only in a console screen for ls.


9.7.6 Example for the US (ISO-8859-1)

Add the following lines to ~/.bash_profile:

     LC_CTYPE=en_US.ISO-8859-1
     export LC_CTYPE

9.7.7 Example for France with Euro sign (ISO-8859-15)

Add the following lines to ~/.bash_profile:

     LANG=fr_FR@euro
     export LANG
     LC_CTYPE=fr_FR@euro
     export LC_CTYPE

Configure the keyboard for French "AZERTY" as described in Keyboard, Section 9.7.1.1; add French manual pages by installing manpages-fr. The Right-Alt key in the US is called Alt-Gr in Europe. Pressing this together with other keys creates numerous accented and special characters. For example, Alt-Gr+E creates a Euro sign.

Most western European languages can be configured similarly.

See Debian Euro HOWTO for adding support for the new Euro currency and Utiliser et configurer Debian pour le français for more details in French.


9.7.8 Example for a bilingual system (Japanese EUC and ISO-8859-1)

Let us set up a bilingual system: ja_JP.eucJP (Japanese EUC, traditional Unix Japanese environment) in X with English messages and ISO type dates, and en_US.ISO-8859-1 (almost ASCII with accented character support) in the Linux console.

See also the SuSE pages for CJK.


9.7.9 Example for UTF-8 in X

Everyone will need this in the future. See The Unicode HOWTO.


9.7.10 Example for UTF-8 in a framebuffer console

UTF-8 support on a FB console is provided by bterm used in the debian-installer.


9.7.11 Beyond locale

When you are first setting the system up for a national language environment, please consider using tasksel or aptitude to find out what packages are selected by choosing the corresponding language environment task. The package choice made is useful even for a multilingual setup. If you encounter any package dependency conflicts during the install to your carefully configured system, avoid installing any software that conflicts with the existing system. You may have to use update-alternatives to regain the original state for some commands, since a newly installed one may have higher priority than existing ones.

Newer major programs are using glibc 2.2 and are mostly internationalized. So a specially localized version such as jvim for Vim may not be needed as its functionality is offered by vim version 6.0 in X. In reality, it is still somewhat rough-edged. Since jvim has a version compiled with direct Japanese input method (canna) support even in the console and addresses many other Japanese-specific issues maturely, you may still want it :-)

Programs may need to be configured beyond locale configuration to enable a comfortable working environment. The language-env package and its command set-language-env greatly ease this process.

Also see the internationalization document, Introduction to i18n. It is aimed at developers but is also useful for system administrators.



Debian Reference

1.07-12, Wed Sep 8 02:54:31 UTC 2004

Osamu Aoki (青木 修) osamu@debian.org
Translator: Tang Wei-Ching (唐偉清) wctang@csie.nctu.edu.tw
Authors, Section A.1