CompleteNoobs - User contributions [en]

COMPLETENOOBS FUNDING

2026-04-19T20:37:20Z

Noob:

* just wish us well, that would do: else;

Bitcoin: "19S2thMqbYhwB6doLYQamStkzEyuqZs5Yn"

Hive: cnoobs

==VPS services with affiliate link==
===Vultr.com===

If you're looking for a reliable VPS service, we've been using <b>Vultr</b> for years and have been very happy with their service. By signing up through our referral link, you can also support CompleteNoobs.

* https://www.vultr.com/?ref=7704739

Nine Quite Simple Things You Can Do To Save Lots Of Time With Prossylki

2026-04-17T00:34:21Z

Noob: Replaced content with "Any chance you can write up a reproducable tut on how you do this?"

Any chance you can write up a reproducable tut on how you do this?

COMPLETENOOBS FUNDING

2025-08-29T10:23:28Z

Noob:

Bitcoin: "19S2thMqbYhwB6doLYQamStkzEyuqZs5Yn"

Eos: completenoob

Hive: completenoobs

==VPS services with affiliate link==
===Vultr.com===

If you're looking for a reliable VPS service, we've been using <b>Vultr</b> for years and have been very happy with their service. By signing up through our referral link, you can also support CompleteNoobs.

* https://www.vultr.com/?ref=7704739

COMPLETENOOBS FUNDING

2025-08-29T10:23:13Z

Noob:

Bitcoin: "19S2thMqbYhwB6doLYQamStkzEyuqZs5Yn"
Eos: completenoob
Hive: completenoobs

==VPS services with affiliate link==
===Vultr.com===

If you're looking for a reliable VPS service, we've been using <b>Vultr</b> for years and have been very happy with their service. By signing up through our referral link, you can also support CompleteNoobs.

* https://www.vultr.com/?ref=7704739

COMPLETENOOBS FUNDING

2025-08-29T09:13:50Z

Noob:

Bitcoin: "19S2thMqbYhwB6doLYQamStkzEyuqZs5Yn"

==VPS services with affiliate link==
===Vultr.com===

If you're looking for a reliable VPS service, we've been using <b>Vultr</b> for years and have been very happy with their service. By signing up through our referral link, you can also support CompleteNoobs.

* https://www.vultr.com/?ref=7704739

User:MeganTober

2025-08-03T23:47:48Z

Noob: Replaced content with "Spam bot"

Spam bot

User:HumbertoRoney

2025-07-10T13:59:17Z

Noob: Replaced content with "Bot account"

Bot account

COMPLETENOOBS FUNDING

2025-07-07T12:33:53Z

Noob:

Don't know what i don't know, still a noob.<br>
Currently poking this with a stick - any idea's?

==VPS services with affiliate link==
===Vultr.com===

If you're looking for a reliable VPS service, we've been using <b>Vultr</b> for years and have been very happy with their service. By signing up through our referral link, you can also support CompleteNoobs.

* https://www.vultr.com/?ref=7704739

COMPLETENOOBS FUNDING

2025-06-26T12:41:59Z

Noob: /* VPS services with affiliate link */

User talk:NobleMage

2025-06-03T22:23:52Z

Noob: Welcome!

'''Welcome to ''CompleteNoobs''!'''
We hope you will contribute much and well.
You will probably want to read the [https://www.mediawiki.org/wiki/Special:MyLanguage/Help:Contents help pages].
Again, welcome and have fun! [[User:Noob|Noob]] ([[User talk:Noob|talk]]) 22:23, 3 June 2025 (UTC)

User:NobleMage

2025-06-03T22:23:52Z

Noob: Creating user page for new user.

test this page please , i am not bot

Main Page

2025-04-23T15:45:30Z

Noob: /* Welcome to CompleteNoobs */

=In Concept Mode=

'''Site is Currently under going some changes'''<br>
Page links might be broken while we restructure page titles and content, before carrying on with content creation.

<div class="toccolours mw-collapsible mw-collapsed">
'''''DISCLAIMER:'''''
<div class="mw-collapsible-content">
he content provided on completenoobs.com is for general informational and educational purposes only. The website owner and authors make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

In no event will the website owner or authors be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website.

Through this website you are able to link to other websites which are not under the control of completenoobs.com. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.

Every effort is made to keep the website up and running smoothly. However, completenoobs.com takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

</div>
</div>

=Welcome to CompleteNoobs=
''A community-driven resource for computer science enthusiasts''

'''Note''': At present, direct signups are disabled due to bot activity. To create an account on the wiki, please request an account and message user CompleteNoobs on Reddit. Your patience is appreciated as we may not be online all the time.
==CompleteNoobs BlockChain Project==

<div class="toccolours mw-collapsible mw-collapsed">
'''CompletNoobs Blockchain''': A Value-for-Value Producer Platform
<div class="mw-collapsible-content">
* '''Core Idea''': A decentralized blockchain enabling creators and consumers to exchange value directly through a wiki-style system. Content is stored on-chain or via '''IPFS''', with transparent contributions and user-driven value distribution.

* '''Key Features''':
** '''Named Accounts''':
*** '''Human-readable account names''' (e.g., @UserName).
*** '''Public/private key pairs''' for security.
*** Optional: Separate '''master key''' (for account control) and '''posting key''' (for content submission), inspired by EOS/BitShares for safer key management.
** '''Decentralized Wiki''':
*** '''Text Content''': Wiki pages stored directly on the blockchain.
*** '''Media Content''': Images, videos, audio, and source code stored as '''IPFS hashes'''. Browser extensions can fetch and display this content.
*** '''Page Metadata''': Tracks contributors, edit history (diffs), and links to original sources or '''IPFS hashes'''.
** '''Value-for-Value System''':
*** '''User Ratings''': Users with '''producer wallets''' rate pages (0–10) based on value received.
*** '''Donations''': Users fund a '''drop/share wallet''' with crypto (e.g., project coin, Bitcoin, or Lightning Network).
*** '''Fund Splitting''': At a set time/date, funds from the '''drop/share wallet''' are split among pages based on ratings. Each page’s funds are further split among its contributors.
*** '''User Control''': Users can override suggested splits to decide which contributors receive funds (or none).
** '''Contributor Rewards''':
*** Each contributor has a '''crypto address''' (project coin, Bitcoin, or Lightning) to receive donations or split funds.
*** Suggested splits per page, but users have final say on distribution.

* '''Goal''': Empower creators to produce valuable content and let users reward them directly, with full transparency and control, on a decentralized platform.
</div>
</div>

* [[N33Bcoin| Currently learning more about the genesis of blockchain projects, Bitcoin.]]
** https://www.completenoobs.com/noobs/N33Bcoin

==We All Start as Noobs==

''Greetings, fellow Noobs.''

CompleteNoobs is currently in its concept stage, and we are learning as we go. Use the resources provided at your own risk.

Our mission is to make computer science free, open, and reproducible for hobbyists, sysadmins, teachers, students, and anyone interested in the field. CompleteNoobs is a platform to share tutorials, documentation, walkthroughs, computer science courses, notes, and tips acquired along the way, under a Libre License that ensures the following freedoms:

:* Read
:* Edit/Modify
:* Copy
:* Share freely

'''Note''': Content licensed under '''CC BY-NC-SA''' can be hosted on the non-commercial fork: https://www.completenoobz.com [[https://www.completenoobs.com/noobs/DEMONSTRATE-MIT_Introduction_to_Computer_Science_and_Programming_in_Python_6.0001_Fall_2016_Undergraduate| Example Content of CompleteNoobz]]

The only proprietary aspects of this site are the domain and the trademark 'CompleteNoobs'. All content is available for download as an XML file at https://xml.completenoobs.com and is Libre licensed for everyone to use.

https://ipfs.io/ipfs/QmPyUVTQa7gk8kueAnjNDtEReKZ8NnwvFLWv66aCVrq4dy

==Get Involved==

We encourage users to fork this project, download it, and keep a copy on their desktop and/or server.

:* [[Host_Your_Own_Mediawiki_Online|Host Your Own Mediawiki Online]]

:* [[Local_CompleteNoobs_Wiki|Download CompleteNoobs Wiki to your personal computer]]

===Feed Back Received===

* Clearly indicate the terminal where commands should be entered
* Break down content into smaller sections or modules
* Provide timestamps in videos for each executed command or step
* Organize steps/modules using numbers, and sub-steps within modules using letters (a, b, c, etc.)
* Create shorter, focused videos for each step to avoid excessive scrolling
* Clarify the use of terminal editors and how to set the $EDITOR variable
* Place the EDITOR section at the top of the page and link to nano and vi guide pages
* Include instructions on how to verify the completion of each step correctly
<div class="toccolours mw-collapsible mw-collapsed">
Title Syntax: Title Re-structuring for Enhanced Clarity
<div class="mw-collapsible-content">

Title Re-structuring for Enhanced Clarity

Due to varying configurations and builds of apps/programs across different OS versions, step-by-step tutorials can be challenging to follow. To improve navigation, adjust page titles to include both the OS version/name and the software used. This will account for changes across different versions.

Example of a re-structured title: "Windows 10 Pro - Adobe Photoshop CC 2021 Tutorial"

If its a small change from each version, fork page to version and make small change.<br>
If no change, still fork page to new title!
</div>
</div>

==Essential Links==
:* [[Ubuntu_Cert_Draft|Ubuntu Cert Course '''DRAFTING''']]
:* [[SET$EDITOR|Set $EDITOR]]
:* [[Main_Index | Main Index Page]]
:* [[Special:AllPages | All Pages]]
:* [[Wiki_Basic_Syntax|Basic Wiki Syntax]]
:* [[COMPLETENOOBS_FUNDING | Support us by using affiliate links or by giving us donations.]]

==Data-Heavy Content==
To maintain a lightweight XML file, data-heavy content such as pictures, audio, and video can be linked using IPFS and/or Zeronet hashes.

[[IPFS_Basics|IPFS Basics]]

'''IPFS Browser Extensions''':

'''Firefox''': https://addons.mozilla.org/en-GB/firefox/addon/ipfs-companion/<br>
'''Brave''': brave://settings/ipfs and toggle on "IPFS Companion"

[[Wiki_Basic_Syntax#Youtube_extension_-_Embed_Video|Youtube Embedded Videos also work.]]

==Licenses==

[[LICENCE_HEADERS | Add a license to each page, as long as it adheres to the principles of free copying, modification, and distribution.]]
<pre>{{:LICENCE_HEADER_CC0}}</pre>
{{:LICENCE_HEADER_CC0}}

{{Special:ContributionScores/10/5}}

N33Bcoin

2025-04-21T23:49:27Z

Noob: /* Todo */

n33bcoin is a very light fork of bitcoin 0.14.3 code base, so we can learn more about bitcoin by doing (without losing/risking your bitcoin)

Bitcoin is one of the grestest open source projects of are time and should come with a free and open education project to go along side it.

Buying and losing bitcoin can be expensive. But thanks to bitcoin being free and open source software, learning about bitcoin by creating and playing with your very own fork is not. Can be done solo or with friends, family, and everyone else.

Can create and run your coin on hardware that costs less than £100.

* N33Bcoin 0.0.1 - How to create your own coin by forking bitcoin 0.14.3 code base.
** https://www.completenoobs.com/noobs/N33Bcoin_0.0.1

* Run n33bcoin on windows - using virtualbox
** https://www.completenoobs.com/noobs/Windows_10_VirtualBox_N33Bcoin

* Create your own cold storage address
** https://www.completenoobs.com/noobs/N33Bcoin_Address_Generator_Bitcoin

===Todo===

* Explorer
* Mining Pool
* GUI Wallet
* Exchange contacts
* Lightning n33bcoin
* How does bitcoin software get updated
* 51% mining attact
* Can someone take over bitcoin and increase coin supply?
* snapshot blockchain and move to POS and/or DPOS

Local CompleteNoobs Wiki

2025-02-16T23:40:47Z

Noob:

CompleteNoobs Wiki [[Nginx_Server_For_Hosting_Files_Ubuntu_22.04|XML Dumps]] can be found at <nowiki>https://xml.completenoobs.com</nowiki>

[[Ubuntu_Local_Wiki_Import | Ubuntu Import Wiki to Local]]

[[Windows_10_Local_Wiki_Import | Windows 10 Import Local Wiki]]

[[FreeBSD_13.2_Jail_Local_Mediawiki_Nginx_MySQL | FreeBSD Jail]]

[[CompleteNoobs_Local_Wiki_In_Docker | Docker ]]

Main Page

2025-02-16T23:33:59Z

Noob: /* We All Start as Noobs */

=In Concept Mode=

'''Site is Currently under going some changes'''<br>
Page links might be broken while we restructure page titles and content, before carrying on with content creation.

<div class="toccolours mw-collapsible mw-collapsed">
'''''DISCLAIMER:'''''
<div class="mw-collapsible-content">
he content provided on completenoobs.com is for general informational and educational purposes only. The website owner and authors make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

In no event will the website owner or authors be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website.

Through this website you are able to link to other websites which are not under the control of completenoobs.com. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.

Every effort is made to keep the website up and running smoothly. However, completenoobs.com takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

</div>
</div>

=Welcome to CompleteNoobs=
''A community-driven resource for computer science enthusiasts''

'''Note''': At present, direct signups are disabled due to bot activity. To create an account on the wiki, please request an account and message user CompleteNoobs on Reddit. Your patience is appreciated as we may not be online all the time.

==We All Start as Noobs==

''Greetings, fellow Noobs.''

CompleteNoobs is currently in its concept stage, and we are learning as we go. Use the resources provided at your own risk.

Our mission is to make computer science free, open, and reproducible for hobbyists, sysadmins, teachers, students, and anyone interested in the field. CompleteNoobs is a platform to share tutorials, documentation, walkthroughs, computer science courses, notes, and tips acquired along the way, under a Libre License that ensures the following freedoms:

:* Read
:* Edit/Modify
:* Copy
:* Share freely

'''Note''': Content licensed under '''CC BY-NC-SA''' can be hosted on the non-commercial fork: https://www.completenoobz.com [[https://www.completenoobs.com/noobs/DEMONSTRATE-MIT_Introduction_to_Computer_Science_and_Programming_in_Python_6.0001_Fall_2016_Undergraduate| Example Content of CompleteNoobz]]

The only proprietary aspects of this site are the domain and the trademark 'CompleteNoobs'. All content is available for download as an XML file at https://xml.completenoobs.com and is Libre licensed for everyone to use.

https://ipfs.io/ipfs/QmPyUVTQa7gk8kueAnjNDtEReKZ8NnwvFLWv66aCVrq4dy

==Get Involved==

We encourage users to fork this project, download it, and keep a copy on their desktop and/or server.

:* [[Host_Your_Own_Mediawiki_Online|Host Your Own Mediawiki Online]]

:* [[Local_CompleteNoobs_Wiki|Download CompleteNoobs Wiki to your personal computer]]

===Feed Back Received===

* Clearly indicate the terminal where commands should be entered
* Break down content into smaller sections or modules
* Provide timestamps in videos for each executed command or step
* Organize steps/modules using numbers, and sub-steps within modules using letters (a, b, c, etc.)
* Create shorter, focused videos for each step to avoid excessive scrolling
* Clarify the use of terminal editors and how to set the $EDITOR variable
* Place the EDITOR section at the top of the page and link to nano and vi guide pages
* Include instructions on how to verify the completion of each step correctly
<div class="toccolours mw-collapsible mw-collapsed">
Title Syntax: Title Re-structuring for Enhanced Clarity
<div class="mw-collapsible-content">

Title Re-structuring for Enhanced Clarity

Due to varying configurations and builds of apps/programs across different OS versions, step-by-step tutorials can be challenging to follow. To improve navigation, adjust page titles to include both the OS version/name and the software used. This will account for changes across different versions.

Example of a re-structured title: "Windows 10 Pro - Adobe Photoshop CC 2021 Tutorial"

If its a small change from each version, fork page to version and make small change.<br>
If no change, still fork page to new title!
</div>
</div>

==Essential Links==
:* [[Ubuntu_Cert_Draft|Ubuntu Cert Course '''DRAFTING''']]
:* [[SET$EDITOR|Set $EDITOR]]
:* [[Main_Index | Main Index Page]]
:* [[Special:AllPages | All Pages]]
:* [[Wiki_Basic_Syntax|Basic Wiki Syntax]]
:* [[COMPLETENOOBS_FUNDING | Support us by using affiliate links or by giving us donations.]]

==Data-Heavy Content==
To maintain a lightweight XML file, data-heavy content such as pictures, audio, and video can be linked using IPFS and/or Zeronet hashes.

[[IPFS_Basics|IPFS Basics]]

'''IPFS Browser Extensions''':

'''Firefox''': https://addons.mozilla.org/en-GB/firefox/addon/ipfs-companion/<br>
'''Brave''': brave://settings/ipfs and toggle on "IPFS Companion"

[[Wiki_Basic_Syntax#Youtube_extension_-_Embed_Video|Youtube Embedded Videos also work.]]

==Licenses==

[[LICENCE_HEADERS | Add a license to each page, as long as it adheres to the principles of free copying, modification, and distribution.]]
<pre>{{:LICENCE_HEADER_CC0}}</pre>
{{:LICENCE_HEADER_CC0}}

{{Special:ContributionScores/10/5}}

Main Page

2025-02-16T23:32:22Z

Noob: /* We All Start as Noobs */

=In Concept Mode=

'''Site is Currently under going some changes'''<br>
Page links might be broken while we restructure page titles and content, before carrying on with content creation.

<div class="toccolours mw-collapsible mw-collapsed">
'''''DISCLAIMER:'''''
<div class="mw-collapsible-content">
he content provided on completenoobs.com is for general informational and educational purposes only. The website owner and authors make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

In no event will the website owner or authors be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website.

Through this website you are able to link to other websites which are not under the control of completenoobs.com. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.

Every effort is made to keep the website up and running smoothly. However, completenoobs.com takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

</div>
</div>

=Welcome to CompleteNoobs=
''A community-driven resource for computer science enthusiasts''

'''Note''': At present, direct signups are disabled due to bot activity. To create an account on the wiki, please request an account and message user CompleteNoobs on Reddit. Your patience is appreciated as we may not be online all the time.

==We All Start as Noobs==

''Greetings, fellow Noobs.''

CompleteNoobs is currently in its concept stage, and we are learning as we go. Use the resources provided at your own risk.

Our mission is to make computer science free, open, and reproducible for hobbyists, sysadmins, teachers, students, and anyone interested in the field. CompleteNoobs is a platform to share tutorials, documentation, walkthroughs, computer science courses, notes, and tips acquired along the way, under a Libre License that ensures the following freedoms:

:* Read
:* Edit/Modify
:* Copy
:* Share freely

'''Note''': Content licensed under '''CC BY-NC-SA''' can be hosted on the non-commercial fork: https://www.completenoobz.com [[https://www.completenoobs.com/noobs/DEMONSTRATE-MIT_Introduction_to_Computer_Science_and_Programming_in_Python_6.0001_Fall_2016_Undergraduate|Example_Content]]

The only proprietary aspects of this site are the domain and the trademark 'CompleteNoobs'. All content is available for download as an XML file at https://xml.completenoobs.com and is Libre licensed for everyone to use.

https://ipfs.io/ipfs/QmPyUVTQa7gk8kueAnjNDtEReKZ8NnwvFLWv66aCVrq4dy

==Get Involved==

We encourage users to fork this project, download it, and keep a copy on their desktop and/or server.

:* [[Host_Your_Own_Mediawiki_Online|Host Your Own Mediawiki Online]]

:* [[Local_CompleteNoobs_Wiki|Download CompleteNoobs Wiki to your personal computer]]

===Feed Back Received===

* Clearly indicate the terminal where commands should be entered
* Break down content into smaller sections or modules
* Provide timestamps in videos for each executed command or step
* Organize steps/modules using numbers, and sub-steps within modules using letters (a, b, c, etc.)
* Create shorter, focused videos for each step to avoid excessive scrolling
* Clarify the use of terminal editors and how to set the $EDITOR variable
* Place the EDITOR section at the top of the page and link to nano and vi guide pages
* Include instructions on how to verify the completion of each step correctly
<div class="toccolours mw-collapsible mw-collapsed">
Title Syntax: Title Re-structuring for Enhanced Clarity
<div class="mw-collapsible-content">

Title Re-structuring for Enhanced Clarity

Due to varying configurations and builds of apps/programs across different OS versions, step-by-step tutorials can be challenging to follow. To improve navigation, adjust page titles to include both the OS version/name and the software used. This will account for changes across different versions.

Example of a re-structured title: "Windows 10 Pro - Adobe Photoshop CC 2021 Tutorial"

If its a small change from each version, fork page to version and make small change.<br>
If no change, still fork page to new title!
</div>
</div>

==Essential Links==
:* [[Ubuntu_Cert_Draft|Ubuntu Cert Course '''DRAFTING''']]
:* [[SET$EDITOR|Set $EDITOR]]
:* [[Main_Index | Main Index Page]]
:* [[Special:AllPages | All Pages]]
:* [[Wiki_Basic_Syntax|Basic Wiki Syntax]]
:* [[COMPLETENOOBS_FUNDING | Support us by using affiliate links or by giving us donations.]]

==Data-Heavy Content==
To maintain a lightweight XML file, data-heavy content such as pictures, audio, and video can be linked using IPFS and/or Zeronet hashes.

[[IPFS_Basics|IPFS Basics]]

'''IPFS Browser Extensions''':

'''Firefox''': https://addons.mozilla.org/en-GB/firefox/addon/ipfs-companion/<br>
'''Brave''': brave://settings/ipfs and toggle on "IPFS Companion"

[[Wiki_Basic_Syntax#Youtube_extension_-_Embed_Video|Youtube Embedded Videos also work.]]

==Licenses==

[[LICENCE_HEADERS | Add a license to each page, as long as it adheres to the principles of free copying, modification, and distribution.]]
<pre>{{:LICENCE_HEADER_CC0}}</pre>
{{:LICENCE_HEADER_CC0}}

{{Special:ContributionScores/10/5}}

Main Page

2025-02-16T23:31:57Z

Noob: /* We All Start as Noobs */

=In Concept Mode=

'''Site is Currently under going some changes'''<br>
Page links might be broken while we restructure page titles and content, before carrying on with content creation.

<div class="toccolours mw-collapsible mw-collapsed">
'''''DISCLAIMER:'''''
<div class="mw-collapsible-content">
he content provided on completenoobs.com is for general informational and educational purposes only. The website owner and authors make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

In no event will the website owner or authors be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website.

Through this website you are able to link to other websites which are not under the control of completenoobs.com. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.

Every effort is made to keep the website up and running smoothly. However, completenoobs.com takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

</div>
</div>

=Welcome to CompleteNoobs=
''A community-driven resource for computer science enthusiasts''

'''Note''': At present, direct signups are disabled due to bot activity. To create an account on the wiki, please request an account and message user CompleteNoobs on Reddit. Your patience is appreciated as we may not be online all the time.

==We All Start as Noobs==

''Greetings, fellow Noobs.''

CompleteNoobs is currently in its concept stage, and we are learning as we go. Use the resources provided at your own risk.

Our mission is to make computer science free, open, and reproducible for hobbyists, sysadmins, teachers, students, and anyone interested in the field. CompleteNoobs is a platform to share tutorials, documentation, walkthroughs, computer science courses, notes, and tips acquired along the way, under a Libre License that ensures the following freedoms:

:* Read
:* Edit/Modify
:* Copy
:* Share freely

'''Note''': Content licensed under '''CC BY-NC-SA''' can be hosted on the non-commercial fork: https://www.completenoobz.com [[https://www.completenoobs.com/noobs/DEMONSTRATE-MIT_Introduction_to_Computer_Science_and_Programming_in_Python_6.0001_Fall_2016_Undergraduate|Example Content]]

The only proprietary aspects of this site are the domain and the trademark 'CompleteNoobs'. All content is available for download as an XML file at https://xml.completenoobs.com and is Libre licensed for everyone to use.

https://ipfs.io/ipfs/QmPyUVTQa7gk8kueAnjNDtEReKZ8NnwvFLWv66aCVrq4dy

==Get Involved==

We encourage users to fork this project, download it, and keep a copy on their desktop and/or server.

:* [[Host_Your_Own_Mediawiki_Online|Host Your Own Mediawiki Online]]

:* [[Local_CompleteNoobs_Wiki|Download CompleteNoobs Wiki to your personal computer]]

===Feed Back Received===

* Clearly indicate the terminal where commands should be entered
* Break down content into smaller sections or modules
* Provide timestamps in videos for each executed command or step
* Organize steps/modules using numbers, and sub-steps within modules using letters (a, b, c, etc.)
* Create shorter, focused videos for each step to avoid excessive scrolling
* Clarify the use of terminal editors and how to set the $EDITOR variable
* Place the EDITOR section at the top of the page and link to nano and vi guide pages
* Include instructions on how to verify the completion of each step correctly
<div class="toccolours mw-collapsible mw-collapsed">
Title Syntax: Title Re-structuring for Enhanced Clarity
<div class="mw-collapsible-content">

Title Re-structuring for Enhanced Clarity

Due to varying configurations and builds of apps/programs across different OS versions, step-by-step tutorials can be challenging to follow. To improve navigation, adjust page titles to include both the OS version/name and the software used. This will account for changes across different versions.

Example of a re-structured title: "Windows 10 Pro - Adobe Photoshop CC 2021 Tutorial"

If its a small change from each version, fork page to version and make small change.<br>
If no change, still fork page to new title!
</div>
</div>

==Essential Links==
:* [[Ubuntu_Cert_Draft|Ubuntu Cert Course '''DRAFTING''']]
:* [[SET$EDITOR|Set $EDITOR]]
:* [[Main_Index | Main Index Page]]
:* [[Special:AllPages | All Pages]]
:* [[Wiki_Basic_Syntax|Basic Wiki Syntax]]
:* [[COMPLETENOOBS_FUNDING | Support us by using affiliate links or by giving us donations.]]

==Data-Heavy Content==
To maintain a lightweight XML file, data-heavy content such as pictures, audio, and video can be linked using IPFS and/or Zeronet hashes.

[[IPFS_Basics|IPFS Basics]]

'''IPFS Browser Extensions''':

'''Firefox''': https://addons.mozilla.org/en-GB/firefox/addon/ipfs-companion/<br>
'''Brave''': brave://settings/ipfs and toggle on "IPFS Companion"

[[Wiki_Basic_Syntax#Youtube_extension_-_Embed_Video|Youtube Embedded Videos also work.]]

==Licenses==

[[LICENCE_HEADERS | Add a license to each page, as long as it adheres to the principles of free copying, modification, and distribution.]]
<pre>{{:LICENCE_HEADER_CC0}}</pre>
{{:LICENCE_HEADER_CC0}}

{{Special:ContributionScores/10/5}}

00000000 Main Page Local

2025-02-16T23:24:56Z

Noob:

'''The Page is designated to be the default main page for local wiki installs - any ideas welcome on how to struture this page.'''

=In Concept Mode=

<div class="toccolours mw-collapsible mw-collapsed">
'''''DISCLAIMER:'''''
<div class="mw-collapsible-content">
he content provided on completenoobs.com is for general informational and educational purposes only. The website owner and authors make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

In no event will the website owner or authors be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website.

Through this website you are able to link to other websites which are not under the control of completenoobs.com. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.

Every effort is made to keep the website up and running smoothly. However, completenoobs.com takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

</div>
</div>

= CompleteNoobs =

'''Welcome to CompleteNoobs!'''

We are a community of computer science enthusiasts who believe in making knowledge free, open, and reproducible. Whether you are a hobbyist, sysadmin, teacher, student, or simply interested in computer science, CompleteNoobs is a place to share tutorials, documentation, walkthroughs, computer science courses, notes, and tips that are created or released under a Libre license that allows for the following freedoms:

* READ.
* EDIT/MODIFY.
* COPY.
* SHARE FREELY.

<b>CC BY-NC-SA</b> licensed content can be hosted on the non-commercial fork at https://www.completenoobz.com

To get started, request an account on the wiki and message user CompleteNoobs on Reddit. Please note that we are currently not allowing direct signups due to bots.

== We all start as Noobs ==

Whether you're just starting out or you're an experienced professional, we all start as noobs. This wiki is a safe space for us to learn, experiment, and grow together.

== Getting Started ==

[[Host_Your_Own_Mediawiki_Online_-_Ubuntu|Host Your Own Mediawiki Online - Linux Ubuntu]]<br>
[[Local_CompleteNoobs_Wiki|Download CompleteNoobs Wiki to your personal computer]]

== Notes ==

The main landing page is the <b>Main_Index</b> Page.

* [[Main_Index | Main Index Page]]
* [[Special:AllPages | All Pages]]
* [[Wiki_Basic_Syntax|Basic Wiki Syntax]]
* [[COMPLETENOOBS_FUNDING | Support us by using affiliate links or by giving us donations.]]

== Data-Heavy Content ==

To keep the XML light, data-heavy content such as pictures, audio, and video can be linked with IPFS and/or Zeronet hashes. [[IPFS_Basics|IPFS Basics]]

We encourage users to fork this project and download and keep a copy on their desktop and/or server.

== Licenses ==

[[LICENCE_HEADERS|Please place a license on top of each page as long as the license falls in line with free to Copy, Modify, Distribute.]]
<pre>{{:LICENCE_HEADER_CC0}}</pre>
{{:LICENCE_HEADER_CC0}}

{{Special:ContributionScores/10/5}}

00000000 Main Page Local

2025-02-16T23:23:44Z

Noob: Created page with "The Page is designated to be the default main page for local wiki installs - any ideas welcome on how to struture this page. In Concept Mode DISCLAIMER: he content provided on completenoobs.com is for general informational and educational purposes only. The website owner and authors make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the informa..."

The Page is designated to be the default main page for local wiki installs - any ideas welcome on how to struture this page.

In Concept Mode

DISCLAIMER:

he content provided on completenoobs.com is for general informational and educational purposes only. The website owner and authors make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

In no event will the website owner or authors be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website.

Through this website you are able to link to other websites which are not under the control of completenoobs.com. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.

Every effort is made to keep the website up and running smoothly. However, completenoobs.com takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

CompleteNoobs

Welcome to CompleteNoobs!

We are a community of computer science enthusiasts who believe in making knowledge free, open, and reproducible. Whether you are a hobbyist, sysadmin, teacher, student, or simply interested in computer science, CompleteNoobs is a place to share tutorials, documentation, walkthroughs, computer science courses, notes, and tips that are created or released under a Libre license that allows for the following freedoms:

READ.
EDIT/MODIFY.
COPY.
SHARE FREELY.

CC BY-NC-SA licensed content can be hosted on the non-commercial fork at https://www.completenoobz.com

To get started, request an account on the wiki and message user CompleteNoobs on Reddit. Please note that we are currently not allowing direct signups due to bots.

We all start as Noobs

Whether you're just starting out or you're an experienced professional, we all start as noobs. This wiki is a safe space for us to learn, experiment, and grow together.

Getting Started

Host Your Own Mediawiki Online - Linux Ubuntu
Download CompleteNoobs Wiki to your personal computer

Notes

The main landing page is the Main_Index Page.

Main Index Page
All Pages
Basic Wiki Syntax
Support us by using affiliate links or by giving us donations.
Data-Heavy Content

To keep the XML light, data-heavy content such as pictures, audio, and video can be linked with IPFS and/or Zeronet hashes. IPFS Basics

We encourage users to fork this project and download and keep a copy on their desktop and/or server.

Licenses

Please place a license on top of each page as long as the license falls in line with free to Copy, Modify, Distribute.

{{:LICENCE_HEADER_CC0}}

LICENCE: When you edit this page, you agree to release your contribution under the CC0 Licence
More information about the cc0 licence can be found here:
https://creativecommons.org/share-your-work/public-domain/cc0

Over View

The person who associated a work with this deed has dedicated the work to the public domain by waiving all of his or her rights to the work worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.

You can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.

Licence:

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.

For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:

the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;
moral rights retained by the original author(s) and/or performer(s);
publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;
rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;
rights protecting the extraction, dissemination, use and reuse of data in a Work;
database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and
other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.

4. Limitations and Disclaimers.

No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.
Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.
Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.
Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.

Special:ContributionScores/10/5

Ubuntu 24.04 Converting epub to mobi format

2025-01-27T10:00:15Z

Noob: Created page with " == Using the ebook-convert tool from Calibre == To convert an EPUB file to MOBI format on Ubuntu, you can use the '''ebook-convert''' tool from '''Calibre'''. Here’s how you can do it: * Install Calibre If you haven’t already, you can install Calibre using the following command: <code>sudo apt-get install calibre</code> === Convert EPUB to MOBI === Use the ebook-convert command to convert your EPUB file to MOBI. <br> For example, to convert a file named book.e..."

== Using the ebook-convert tool from Calibre ==

To convert an EPUB file to MOBI format on Ubuntu, you can use the '''ebook-convert''' tool from '''Calibre'''. Here’s how you can do it:

* Install Calibre
If you haven’t already, you can install Calibre using the following command:

<code>sudo apt-get install calibre</code>

=== Convert EPUB to MOBI ===

Use the ebook-convert command to convert your EPUB file to MOBI. <br>
For example, to convert a file named book.epub to book.mobi, you would use:
<br><code>ebook-convert book.epub book.mobi</code>

==== Other file formats are also supported with ebook-convert ====
<code>ebook-convert "book.azw3" "book.mobi"</code>

=== Convert in bulk ===

* This assumes you have a '''Directory''' with books.epub you want converted to books.mobi in bulk.
* This script should be saved and run in said directory.

<code>$EDITOR convert_epub_to_mobi.sh</code>

<pre>
#!/bin/bash

# Check if ebook-convert is installed
if ! command -v ebook-convert &> /dev/null
then
echo "ebook-convert could not be found. Please install calibre."
exit 1
fi

# Loop through all .epub files in the current directory
for file in *.epub; do
# Check if the file exists (to avoid processing '.*.epub' which would be all files)
if [ -f "$file" ]; then
# Get the filename without the extension
filename="${file%.epub}"
# Convert the file
ebook-convert "$file" "${filename}.mobi"
echo "Converted $file to ${filename}.mobi"
fi
done
</pre>

Now you can run with bash or make excultable

* With bash
<code>bash convert_epub_to_mobi.sh</code>

* Make excultable
<code>chmod +x convert_epub_to_mobi.sh</code>

<code>./convert_epub_to_mobi.sh</code>

==== system wide script ====

If you are gonna be using a lot, can make script which you install in /usr/bin/ so you can just use:<code>convert_epub_to_mobi /path/to/epub/files /path/to/output/mobi</code>

<code>$EDITOR convert_epub_to_mobi</code>

<pre>
#!/bin/bash

# Check if ebook-convert is installed
if ! command -v ebook-convert &> /dev/null
then
echo "ebook-convert could not be found. Please install calibre."
exit 1
fi

# Check if correct number of arguments are provided
if [ "$#" -ne 2 ]; then
echo "Usage: $0 <source_directory> <output_directory>"
exit 1
fi

SOURCE_DIR="$1"
OUTPUT_DIR="$2"

# Check if source directory exists
if [ ! -d "$SOURCE_DIR" ]; then
echo "Source directory does not exist: $SOURCE_DIR"
exit 1
fi

# Create output directory if it doesn't exist
mkdir -p "$OUTPUT_DIR"

# Loop through all .epub files in the source directory
for file in "$SOURCE_DIR"/*.epub; do
# Check if the file exists (to avoid processing '*.epub' if no files match)
if [ -f "$file" ]; then
# Get the filename without the path and extension
filename=$(basename "$file" .epub)
# Convert the file, placing the output in the specified directory
ebook-convert "$file" "$OUTPUT_DIR/${filename}.mobi"
echo "Converted $file to ${filename}.mobi in $OUTPUT_DIR"
fi
done
</pre>

Make it Executable and Move to /usr/bin/:

<code>sudo cp convert_epub_to_mobi /usr/bin/</code>

<code>sudo chmod +x /usr/bin/convert_epub_to_mobi</code>

Now you can run the script from anywhere by specifying source and output directories:

<code>convert_epub_to_mobi /path/to/epub/files /path/to/output/mobi</code>

* Example: will convert all epubs in Downloads to newly created Kindlebooks directory
<code>convert_epub_to_mobi Downloads/ Kindlebooks</code>

Notes:
* This script will create the output directory if it does not exist.
* It checks for the existence of the source directory before proceeding.
* The usage message helps remind users of the correct command structure if they forget.
* As before, ensure ebook-convert (part of Calibre) is installed on the system.
* Error handling for ebook-convert isn't included; you might want to add that for production use or for better user feedback on conversion failures.

Ubuntu 22.04 SSH Guide

2024-08-16T11:47:31Z

Noob: /* Installing OpenSSH Server */

==Understanding SSH==

'''SSH''' is a protocol that uses encryption to secure data transmitted between a client and a server. <br>
It enables users to execute commands, transfer files, and manage remote systems through an encrypted channel. <br>
SSH is widely used by system administrators for managing servers, network devices, and other remote systems.

==Installing SSH==

To start using SSH, you'll need to install and configure both the server and client components.

* OpenSSH-Server
** Is required to allow '''ssh''' connections
* OpenSSH-Client
** Is used to login/connect to OpenSSH-Server

If you are using Ubuntu Desktop, the '''openssh client''' will be preinstalled, allowing you to connect to a server which is running '''openssh-server'''

If you are using Ubuntu Server, both the '''ssh client''' and '''openssh server''' are preinstalled by default.

=== Installing OpenSSH Server===
On Ubuntu distributions, you can install the OpenSSH server by running:

<code>sudo apt install openssh-server</code><br>

Check the SSH server status with:

<code>systemctl status ssh</code>

=== Enable and Disable OpenSSH Server===

By default once openssh-server installed it is enabled to start at reboot.

* Disable
<code>sudo systemctl disable ssh</code>

* Enable
<code>sudo systemctl enable ssh</code>

===Installing OpenSSH Client===

The OpenSSH client is usually pre-installed on most Linux and macOS systems. <br>For Windows, you can install the OpenSSH client by following the instructions on the official website:<br> https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse

==Basic SSH Commands and Usage==
=== Connecting to a remote server===
Connecting to a remote server using SSH is a fundamental task when managing remote systems. Here's how to connect to a remote server using the command-line interface.

Install an SSH client: Ensure you have an SSH client installed on your local machine. Most Unix-based systems, including Linux and macOS, have an SSH client pre-installed. For Windows, you can use the built-in OpenSSH client (available in Windows 10 and later) or a third-party client like PuTTY.

====Gather connection information====
To connect to a remote server, you'll need the following information:
* The remote server's IP address or hostname
* The SSH port number (default is 22)
* Your username on the remote server
* The password for the user on remote server.

====Connect using SSH====
Open a terminal or command prompt on your local machine and use the following command to connect to the remote server:

<code>ssh username@hostname_or_IP</code>

Replace '''username''' with your username on the remote server, '''hostname_or_IP''' with the server's hostname or IP address.

If OpenSSH-Server is running/listening on a port other than the default port '''22''' include the port with the '''-p''' flag.

For example (If port 2222):

: <code>ssh john@example.com -p 2222</code>
Or
: <code>ssh -p 2222 john@example.com</code>

=====Connecting to a Remote Server =====

In this example, we connect to a remote Ubuntu VPS with the following credentials:
<pre>
Username: root
IP address: 12.34.56.78
Password: password2simple
</pre>
Use the following command to connect to the remote server:

<code>ssh root@12.34.56.78</code>

You will be prompted to enter the password. Type password2simple and press Enter. This demonstrates how simple it can be to log into a remote computer with root access.

* If your Server is hosting SSHD on a port other than default 'port 22' include port number with the '''-p''' flag
Example with port 2222:<br>
<code>ssh -p 2222 root@12.34.56.78</code>

====Authenticate====
When connecting for the first time, you'll see a prompt asking you to confirm the remote server's fingerprint. Verify the fingerprint and type "yes" to proceed. Next, you'll be prompted for your password. Enter your password to complete the authentication process.

Once authenticated, you'll have access to the remote server's command line. You can now execute commands and manage the remote server as if you were working on it directly.

Remember that you can use key-based authentication (with a private-public key pair) instead of a password for a more secure and convenient connection method.
== Using SSH config file==

An SSH config file allows you to define and manage multiple SSH connections, simplifying the process of connecting to remote servers. By creating an SSH config file, you can define custom options, such as port numbers, usernames, and key files, for each connection. The SSH config file is typically located in the '''~/.ssh''' directory and named config.

Here's how to create and use an SSH config file:

:* Create the SSH config file: If it doesn't exist, create the config file in the '''~/.ssh''' directory using a text editor:

<code>$EDITOR ~/.ssh/config</code>

:* Define a connection: To define a connection, you'll need to specify a Host entry followed by any options you want to apply to that connection. Here's an example:

<pre>
Host server1
HostName example.com
User your_username
Port 2222
IdentityFile ~/.ssh/id_rsa_server1
</pre>
In this example, we've defined a connection called server1 with the following options:

:* HostName: The hostname or IP address of the remote server (example.com in this case).
:* User: The username to use when connecting to the remote server (replace your_username with your actual username).
:* Port: The port number to use for the SSH connection (2222 in this example).
:* IdentityFile: The path to the private key file to use for authentication (replace ~/.ssh/id_rsa_server1 with the path to your private key file).

You can define multiple connections in the same config file by creating separate Host entries:

<pre>
Host server2
HostName 192.168.1.100
User another_username
Port 22
IdentityFile ~/.ssh/id_rsa_server2
</pre>
:* Save and exit the file: Save your changes and exit the text editor.

:* Connect using the SSH config file: To connect to a remote server using the defined connection, simply use the ssh command followed by the Host entry:

<code>ssh server1</code>

In this example, SSH will automatically use the options defined in the config file for server1, such as the hostname, username, port number, and identity file.

By using an SSH config file, you can simplify the process of managing multiple SSH connections and customize the options for each connection.

==Key-based Authentication==

Why use key-based authentication?
* Server1: 12.34.56.78
* Server2: 12.34.56.87

You are trying to login to Server1 (Your Server), but by mistake you enter your '''user''' and '''password''' to Server2 (Foo's Server), Can Server2 record the '''user''' and '''password''' you used?
[[Ubuntu_18.04_OpenSSH-Server_Capture_Failed_Passwords|YES, Yes it can]]

=== Generating SSH key pairs===

SSH key pairs consist of a private key and a public key. They provide a secure, passwordless authentication method for connecting to remote servers. The private key remains on your local machine, while the public key is added to the remote server's authorized keys. Here's how to generate an SSH key pair:

Open a terminal: On Unix-based systems (Linux and macOS), open a terminal. On Windows, open PowerShell or the Command Prompt.

Generate the key pair: Use the ssh-keygen command to create a new SSH key pair. The following command generates a 4096-bit RSA key pair:

<code>ssh-keygen -t rsa -b 4096</code>

You can also generate other types of keys, such as Ed25519, by changing the -t option:

<code>ssh-keygen -t ed25519</code>

Specify the key's location: When prompted, you can either accept the default location (~/.ssh/id_rsa for RSA keys, ~/.ssh/id_ed25519 for Ed25519 keys) or enter a custom path. It is recommended to use the default location unless you have a specific reason to change it.

Set a passphrase (optional): You can choose to protect your private key with a passphrase. If you do, you'll need to enter the passphrase every time you use the key. This adds an extra layer of security, but can be less convenient for automation or scripting. To set a passphrase, enter it when prompted; otherwise, leave the field blank

====Selecting file name and path for keys====

<code>ssh-keygen -t rsa -b 4096 -f .ssh/nuc</code>

The '''-f''' option in the '''ssh-keygen''' command is used to specify the output file for the generated key pair. In your example, '''ssh-keygen -t rsa -b 4096 -f .ssh/nuc''', the command is generating an RSA key pair with a key length of 4096 bits, and the output files will be saved in the '''.ssh''' directory with the base name '''nuc'''.

Here's a breakdown of the options used in this command:

:* '''-t rsa''': Specifies the key type, in this case, RSA.
:* '''-b 4096''': Specifies the key length, which is 4096 bits in this case. This length offers good security and is generally recommended.
:* '''-f .ssh/nuc''': Specifies the file where the key pair will be saved. The private key will be saved as '''.ssh/nuc''', and the public key will be saved as '''.ssh/nuc.pub'''.

After running this command, you'll have a new key pair with the private key in '''.ssh/nuc''' and the public key in '''.ssh/nuc.pub'''

====Create keys with no passphase====

<code>ssh-keygen -t rsa -b 4096 -N "" -C "MYSERVER" -f ~/.ssh/serverkey</code>

:* '''-t rsa''': Specifies the key type, in this case, RSA.
:* '''-b 4096''': Specifies the key length, which is 4096 bits in this case. This length offers good security and is generally recommended.
:* '''-N ""''': Specifies an empty passphrase for the key pair. This means that the private key will not be encrypted, and no passphrase will be required when using it. This can be less secure, but more convenient for automated processes.
:* '''-C "MYSERVER"''': Adds a comment to the generated key pair. In this case, the comment is "MYSERVER". Comments are useful for identifying keys when you have multiple keys in your ~/.ssh directory or on a remote server.
:* '''-f ~/.ssh/serverkey''': Specifies the file where the key pair will be saved. The private key will be saved as '''~/.ssh/serverkey''', and the public key will be saved as '''~/.ssh/serverkey.pub'''.

After running this command, you'll have a new key pair with the private key in '''~/.ssh/serverkey''' and the public key in '''~/.ssh/serverkey.pub'''. The private key will have an empty passphrase and a comment "MYSERVER" for easier identification.

====Remove the passphrase from an existing SSH private key====

To remove the passphrase from an existing SSH private key, you can use the '''ssh-keygen''' command with the '''-p''' option, which is used for changing the passphrase. Follow these steps:

:* Make a backup of your private key file, just in case something goes wrong during the process. You can do this by running the following command, replacing '''<your_private_key>''' with the filename of your private key:

<code>cp <your_private_key> <your_private_key>.backup</code>

:* Run the '''ssh-keygen''' command with the '''-p''' option, specifying the private key file using the '''-f''' option:
::** '''-p''': Indicates that you want to change the passphrase of an existing private key.
::** '''-f <your_private_key>''': Specifies the private key file whose passphrase you want to change.

<code>ssh-keygen -p -f <your_private_key></code>

:* You will be prompted to enter the old passphrase for the private key. Type it in and press Enter.

:* Next, you'll be prompted to enter a new passphrase. Since you want to remove the passphrase, leave this field empty and press Enter.

:* You'll be asked to confirm the empty passphrase. Press Enter again to confirm.

Your private key now has its passphrase removed. Keep in mind that this makes the private key less secure, as anyone with access to the file can use it without needing to know the passphrase.

====Add/Change a passphrase to an existing SSH Key====

To add a passphrase to an existing SSH private key that doesn't have one, you can use the '''ssh-keygen''' command with the '''-p''' option, just like when you change or remove a passphrase. Here are the steps:

:* '''Make a backup of your private key file''', just in case something goes wrong during the process. You can do this by running the following command, replacing <your_private_key> with the filename of your private key:

<code>cp <your_private_key> <your_private_key>.backup</code>

:* Run the '''ssh-keygen''' command with the -p option, specifying the private key file using the '''-f''' option:

<code>ssh-keygen -p -f <your_private_key></code>

:* You will be prompted to enter the old passphrase for the private key. Since your private key doesn't currently have a passphrase, just press Enter to proceed.

:* Next, you'll be prompted to enter a new passphrase. Type in the passphrase you want to set for the private key and press Enter.

:* You'll be asked to confirm the new passphrase. Type it again and press Enter to confirm.

Your private key now has a passphrase added to it. This provides an extra layer of security, as anyone using the key will need to know the passphrase to access it. Keep in mind that you should use a strong passphrase to ensure better security.

=== Copying public keys to the remote server===
After generating an SSH key pair, you'll need to copy the public key to the remote server to enable key-based authentication. Here's how to do it:

====Using ssh-copy-id====

Use the '''ssh-copy-id''' command (Linux and macOS): On Unix-based systems, you can use the ssh-copy-id command to copy your public key to the remote server:

<code>ssh-copy-id -i ~/.ssh/id_rsa.pub username@hostname_or_IP</code>

Replace ~/.ssh/id_rsa.pub with the path to your public key file (e.g., ~/.ssh/id_ed25519.pub for Ed25519 keys), username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

====Manually copy the public key====

Manually copy the public key (Windows and alternative method): If you don't have access to the ssh-copy-id command or prefer to do it manually, you can:

:* Open your public key file (e.g., id_rsa.pub or id_ed25519.pub) with a text editor and copy its content.>
:* Log in to the remote server via SSH.<br>
:* Create the ~/.ssh directory if it doesn't exist:

<code>mkdir -p ~/.ssh</code>

Edit or create the ~/.ssh/authorized_keys file using a text editor (e.g., nano, vim, or emacs), and paste the content of your public key at the end of the file. Save and close the file.

Set the correct file permissions: To ensure the security of your SSH setup, it's essential to set the proper file permissions on your local machine and the remote server:

:* On your local machine:
:** Private key (id_rsa or id_ed25519): -rw------- (600)
:** Public key (id_rsa.pub or id_ed25519.pub): -rw-r--r-- (644)

:* On the remote server:
:** ~/.ssh directory: drwx------ (700)
:** ~/.ssh/authorized_keys file: -rw------- (600)

To set the permissions on your local machine, use the chmod command:

<pre>
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
</pre>
On the remote server, use the following commands:

<pre>
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
</pre>
Once you've copied your public key to the remote server and set the correct file permissions, you should be able to connect using key-based authentication without the need for a password.

=== Disabling password authentication (optional)===
Disabling password authentication enhances the security of your SSH server by requiring key-based authentication for all connections. You can disable password authentication for specific users or for all users. To do so, follow these steps:

:* Connect to the remote server: Log in to the remote server via SSH using your username and the server's hostname or IP address.

:* Edit the SSH configuration file: Open the SSH server configuration file (usually located at /etc/ssh/sshd_config) with a text editor such as nano, vim, or emacs:

<code>sudo nano /etc/ssh/sshd_config</code>

:* Disabling password authentication for all users: Find the line containing "PasswordAuthentication" and set its value to "no":

<code>PasswordAuthentication no</code>

If the line is commented out (i.e., it starts with a '#'), remove the '#' symbol.

:* Disabling password authentication for a specific user: To disable password authentication only for a particular user, you can use a "Match User" block at the end of the sshd_config file:
<pre>
Match User username
PasswordAuthentication no
</pre>
Replace username with the actual username for which you want to disable password authentication.

:* Save and exit the file: Save your changes and exit the text editor.

:* Restart the SSH server: Apply the changes by restarting the SSH server:

<code>sudo systemctl restart ssh</code>

Now, password authentication will be disabled for the specified user(s), and only key-based authentication will be allowed. Remember that if you disable password authentication, you must have a working SSH key pair set up to access the server, or you may be locked out.

== Configuring the SSH server==

Edit the SSH server configuration file located at <b>/etc/ssh/sshd_config</b> to set your desired settings. You can modify options like the listening port, allowing root login, and more.

===Common sshd_config Options===

The '''sshd_config''' file is located at '''/etc/ssh/sshd_config''' on most Linux systems. This file contains various options and settings that determine the behavior of the OpenSSH server. Each option is followed by its value, and lines starting with a <b>#</b> are considered comments.

Here's an overview of some common options in the sshd_config file:

===Port===

Specifies the port number that the SSH server listens on.<br>

<code>Port 22</code><br>

=== AddressFamily===

Determines the IP address family (IPv4, IPv6, or both) used by the SSH server.

* To specify that the SSH server should only listen for incoming IPv4 connections:
<code>AddressFamily inet</code>

* Or, if you want the SSH server to only listen for incoming IPv6 connections, set the 'AddressFamily' directive to 'inet6':
<code>AddressFamily inet6</code>

* If you want to allow both IPv4 and IPv6 connections, set the 'AddressFamily' directive to 'any':
<code>AddressFamily any</code>

=== ListenAddress===
Specifies the IP address(es) the SSH server listens on. By default, it listens on all available addresses.

<code>ListenAddress 192.168.1.10</code>

=== Protocol===
Defines the SSH protocol version. It's recommended to use only protocol 2.

<code>Protocol 2</code>

=== PermitRootLogin===
Controls whether root login is allowed. It's generally advised to disable root login or set it to "without-password" to allow only key-based authentication for root.

<code>PermitRootLogin no</code>

===PasswordAuthentication===

Enables or disables password-based authentication.

<code>PasswordAuthentication yes</code>

=== PubkeyAuthentication===

Enables or disables public key authentication.

<code>PubkeyAuthentication yes</code>

=== AuthorizedKeysFile===
Specifies the location of the authorized keys file for public key authentication.

<code>AuthorizedKeysFile .ssh/authorized_keys</code>

=== LogLevel===
Sets the logging level for the SSH server.

The LogLevel option in '''sshd_config''' controls the amount of information that SSH daemon (sshd) logs.

There are different log levels that can be set with this option, each providing a different level of detail:

* '''QUIET''': Disables all logging.

* '''FATAL''': Only logs fatal errors.

* '''ERROR''': Logs error messages.

* '''INFO''': Logs informational messages such as login attempts.

* '''VERBOSE''': Logs more detailed information than INFO, including shell commands executed.

* '''DEBUG''': Logs detailed debugging information, including raw protocol details.

The default log level is '''INFO''', which is usually sufficient for most purposes. However, if you need to troubleshoot SSH connections or monitor user activity, setting a higher log level may be helpful.

To change the '''LogLevel''' in '''sshd_config''', you can edit the file '''/etc/ssh/sshd_config''' (or the appropriate configuration file for your system), and add or modify the line:

<code>LogLevel <log_level></code>

Where <log_level> is one of the log levels listed above.

<code>LogLevel INFO</code>

=== LoginGraceTime===

Defines the time allowed for a user to successfully log in.

<code>LoginGraceTime 2m</code>

===MaxAuthTries===

Limits the number of authentication attempts allowed per connection.

<code>MaxAuthTries 6</code>

=== MaxSessions===

Specifies the maximum number of simultaneous sessions allowed per network connection.<br>

<code>MaxSessions 10</code>

=== AllowUsers, DenyUsers, AllowGroups, DenyGroups===

These options control which users and groups are allowed or denied access to the SSH server. They provide a way to manage access control based on usernames and group membership.

* '''AllowUsers''': Specifies a list of users allowed to access the SSH server. Other users will be denied access.
<code>AllowUsers user1 user2 user3</code><br>

* '''DenyUsers''': Specifies a list of users denied access to the SSH server. Other users will be allowed access.
<code>DenyUsers user4 user5</code>

* '''AllowGroups''': Specifies a list of groups whose members are allowed to access the SSH server. Users not belonging to these groups will be denied access.
<code>AllowGroups group1 group2</code>

* '''DenyGroups''': Specifies a list of groups whose members are denied access to the SSH server. Users not belonging to these groups will be allowed access.
<code>DenyGroups group3 group4</code>

Note that the order in which these options are applied is '''DenyUsers''', '''AllowUsers''', '''DenyGroups''', and finally '''AllowGroups'''.

===Banner===

The Banner option allows you to display a message or warning to users before they log in to the SSH server. This is often used to display legal notices, security warnings, or other important information.

To enable the banner, set the Banner option to the path of a text file containing the message you want to display:

<code>Banner /etc/ssh/banner.txt</code>

Create the /etc/ssh/banner.txt file and add your desired message. The content of this file will be displayed to users before they log in.

==Advanced sshd_config Options==
=== PermitTunnel===
The PermitTunnel option enables or disables the use of SSH tunneling. Tunnels can be used to forward ports or create VPN-like connections between the client and the server.
* There are four possible values for this option:

: '''"yes"''': Allows all types of tunnels.<br>
: '''"point-to-point"''': Allows only point-to-point (Layer 3) tunnels.<br>
: '''"ethernet"''': Allows only Ethernet (Layer 2) tunnels.<br>
: '''"no"''': Disables tunneling (default).<br>

To enable tunneling, set the PermitTunnel option in the sshd_config file:

<code>PermitTunnel yes</code>

Keep in mind that enabling tunnels may expose your server to additional security risks. Only enable this option if you understand the implications and have a specific use case that requires it.

=== ChrootDirectory===
The ChrootDirectory option allows you to restrict a user or a group to a specific directory (known as a chroot jail) when they log in via SSH. This can enhance security by isolating users and limiting their access to only the necessary parts of the filesystem.

To set up a chroot jail, follow these steps:

Create a directory that will serve as the chroot jail. For example, let's create a directory for user1:

<code>sudo mkdir /home/user1/chroot</code>

Change the ownership of the directory to the user and their primary group:

<code>sudo chown user1:user1 /home/user1/chroot</code>

In the sshd_config file, add a Match block at the end of the file to specify the ChrootDirectory for user1:
<pre>
Match User user1
ChrootDirectory /home/user1/chroot
</pre>

Restart the SSH server to apply the changes:

<code>sudo systemctl restart ssh</code>

Now, when user1 logs in via SSH, they will be restricted to the /home/user1/chroot directory and won't be able to access other parts of the filesystem.

Note that the chroot jail should be owned by root and not writable by the user. If you need to provide write access to specific directories, create subdirectories inside the chroot jail and set appropriate permissions for those. Also, some features like SFTP may require additional configuration within the chroot jail.

===ForceCommand===
The ForceCommand option allows you to specify a command that will be executed when a user logs in via SSH, regardless of the command requested by the user. This can be useful for limiting the actions a user can perform or for automatically running specific tasks upon login.

To use the ForceCommand option, follow these steps:

In the sshd_config file, add a Match block at the end of the file to specify the ForceCommand for a specific user or group. For example, to force user1 to execute the command /usr/bin/my-command upon login:

<pre>
Match User user1
ForceCommand /usr/bin/my-command
</pre>

Restart the SSH server to apply the changes:

<code>sudo systemctl restart ssh</code>

Now, when user1 logs in via SSH, the /usr/bin/my-command will be executed automatically, and they will not be able to run any other command.

Keep in mind that using ForceCommand may limit the user's ability to interact with the server or transfer files via SFTP. Make sure to test and verify the functionality for your specific use case.

=== Match Blocks===

Match blocks in the sshd_config file allow you to apply specific configuration options based on certain criteria, such as the user, group, address, or host. This enables you to create custom rules and settings for different users, groups, or connections.

Match block syntax:

<pre>
Match criteria
Option value
</pre>

Here are some examples of Match blocks and their usage:

Apply settings only for a specific user:
<pre>
Match User user1
PasswordAuthentication no
AllowTcpForwarding yes
</pre>

This configuration disables password authentication and enables TCP forwarding only for user1.

Apply settings for multiple users:
<pre>
Match User user1,user2
ChrootDirectory /home/%u/chroot
</pre>

This configuration sets the chroot directory for both user1 and user2.

Apply settings for a specific group:
<pre>
Match Group group1
PasswordAuthentication yes
</pre>

This configuration enables password authentication only for members of group1.

Apply settings based on the client's IP address:
<pre>
Match Address 192.168.1.0/24
PasswordAuthentication no
</pre>

This configuration disables password authentication for clients connecting from the 192.168.1.0/24 subnet.

Combine multiple criteria:
<pre>
Match User user1 Address 192.168.1.0/24
PasswordAuthentication yes
</pre>
This configuration enables password authentication only for user1 when they connect from the 192.168.1.0/24 subnet.

Remember to restart the SSH server after making changes to the sshd_config file:

<code>sudo systemctl restart ssh</code>

Match blocks offer flexibility in customizing your SSH server's configuration based on various criteria. Use them wisely to enhance security and optimize your server's settings.

==Best Practices and Tips '''sshd_config'''==
When configuring your '''sshd_config''' file, it's essential to follow best practices to ensure the security and stability of your SSH server. Here are some recommendations and tips:

:* Keep the server up-to-date: Always update your SSH server software and the underlying operating system to ensure you have the latest security patches and features.

:* Use strong authentication: Enable key-based authentication (PubkeyAuthentication) and consider disabling password authentication (PasswordAuthentication) to reduce the risk of brute-force attacks.

:* Limit root access: Set "PermitRootLogin" to "no" or "without-password" to prevent direct root login or require key-based authentication for root.

:* Use non-standard ports: Change the default SSH port (22) to a non-standard port to reduce the exposure to automated scans and attacks. Keep in mind this is security through obscurity and should be combined with other security measures.

'''Restrict user access''': Use "AllowUsers," "DenyUsers," "AllowGroups," and "DenyGroups" options to control which users and groups can access the SSH server.

'''Monitor logs''': Regularly check your SSH server logs for any suspicious activity or failed login attempts. Adjust the "LogLevel" setting in sshd_config as needed.
* Default Log Path Ubuntu 22.04: '''/var/log/auth.log'''

'''Use chroot jails''': Isolate users by creating chroot jails using the "ChrootDirectory" option, especially when providing SFTP access or when users don't require full access to the server.

'''Configure connection settings''': Set appropriate values for "LoginGraceTime" and "MaxAuthTries" to limit the time allowed for successful login and the number of authentication attempts per connection.

'''Use a strong firewall''': Configure your server's firewall to only allow SSH connections from trusted IP addresses or networks.

'''Regularly review and audit''': Periodically review your sshd_config settings and make adjustments as necessary. Keep up-to-date with SSH security best practices and recommendations.

By following these best practices and tips, you can enhance the security and performance of your SSH server, protecting it from unauthorized access and potential attacks.

===Troubleshooting sshd_config Issues===

When encountering problems with your SSH server configuration, it's important to know how to diagnose and resolve issues. Here are some common problems and troubleshooting steps:

Check syntax and configuration errors: If the SSH server is not starting or not functioning as expected, check the sshd_config file for any syntax or configuration errors. Use the following command to test the configuration file for errors:

<code>sudo sshd -t</code>

If there are any issues, the command will provide error messages with information on what needs to be fixed.

Review log files: Inspect the SSH server log files for any error messages or relevant information. The location of the log files may vary depending on your system, but common locations are /var/log/auth.log or /var/log/secure. Tail the log file while attempting to connect to get real-time information:

<code>sudo tail -f /var/log/auth.log</code>

Restart the SSH server

Check firewall settings: Ensure that the server's firewall is allowing SSH connections on the correct port. If you changed the default SSH port, update your firewall rules accordingly.

Verify user permissions: If a specific user is unable to connect, check the user's permissions, home directory, and the settings in the sshd_config file, such as "AllowUsers," "DenyUsers," "AllowGroups," or "DenyGroups."

SSH server from a client, use the verbose mode to get more detailed information about the connection process. This can help identify any issues with authentication or configuration. Run the following command to enable verbose mode:

<code>ssh -v user@example.com</code>

Replace "user@example.com" with the appropriate username and server address. You can increase the verbosity level by adding more "v" characters (e.g., -vv or -vvv) if needed.

Check file permissions: Ensure that the file permissions for the user's home directory, the .ssh directory, and the authorized_keys file are set correctly. The user's home directory should not be writable by other users, the .ssh directory should have permissions set to 700 (drwx------), and the authorized_keys file should have permissions set to 600 (-rw-------).

Test network connectivity: If you're unable to connect to the SSH server, verify that you can reach the server on the network. Use tools like ping, traceroute, or telnet to check the connection to the server and the specific SSH port.

By following these troubleshooting steps, you should be able to diagnose and resolve most issues related to the sshd_config file and the SSH server configuration. Remember to carefully review the settings in your sshd_config file and consult the server logs for additional information when encountering problems.

====After making changes, restart the SSH server:====
<code>sudo systemctl restart ssh</code><br>

== Running commands on a remote server==

Once you've connected to a remote server using SSH, you can execute commands on the remote machine just as you would on your local system. However, you can also run commands on a remote server without establishing an interactive SSH session.

This can be useful for automation, scripting, or quick tasks. Here's how to do it:

Use the SSH command: To run a command on a remote server without entering an interactive session, use the following syntax:

<code>ssh username@hostname_or_IP -p port 'command'</code>

Replace username with your username on the remote server, hostname_or_IP with the server's hostname or IP address, port with the SSH port number (if different from the default 22), and command with the command you want to execute.

For example, to list the contents of the remote server's home directory, you can use:

<code>ssh john@example.com -p 22 'ls -la'</code>

===Handling multiple commands===
If you need to execute multiple commands, you can chain them together using a '''semicolon''' or '''&&'''.

The semicolon allows you to run multiple commands sequentially, while the && operator runs the next command only if the previous command was successful.

For example, to update the package list and then upgrade the packages on a remote Ubuntu server:

<code>ssh john@example.com -p 2222 'sudo apt-get update; sudo apt-get upgrade -y'</code>

* Command output:
The output of the command will be displayed in your local terminal, just as if you were running the command on your local machine. Using key-based authentication

==Transferring files with SCP==

The Secure Copy Protocol (SCP) is a useful tool for transferring files between your local machine and a remote server using SSH. SCP ensures that the data is encrypted during transit, providing a secure and efficient way to transfer files.

===Install an SCP client===

Most Unix-based systems, including Linux and macOS, have an SCP client pre-installed. For Windows, you can use the built-in SCP client included with the OpenSSH package (available in Windows 10 and later) or a third-party client like WinSCP.

===Transfer a file from your local machine to a remote server===

To copy a file from your local machine to a remote server, use the following command:
* Note the use of the upper case '''-P''' for ports with '''scp'''
<code>scp -P port local_file_path username@hostname_or_IP:remote_file_path</code>

Replace port with the SSH port number (if different from the default 22), local_file_path with the path to the file on your local machine, username with your username on the remote server, hostname_or_IP with the server's hostname or IP address, and remote_file_path with the desired location on the remote server.

For example:

<code>scp -P 22 /home/john/documents/report.pdf john@example.com:/home/john/reports/</code>

This command will copy the "report.pdf" file from the local machine to the "reports" directory on the remote server.

===Transfer a file from a remote server to your local machine===
To copy a file from a remote server to your local machine, use the following command:

<code>scp -P port username@hostname_or_IP:remote_file_path local_file_path</code>

Replace port with the SSH port number (if different from the default 22), username with your username on the remote server, hostname_or_IP with the server's hostname or IP address, remote_file_path with the path to the file on the remote server, and local_file_path with the desired location on your local machine.

For example:

<code>scp -P 2222 john@example.com:/home/john/reports/report.pdf /home/john/documents/</code>
: Or
<code>scp john@example.com:/home/john/reports/report.pdf /home/john/documents/</code>-

This command will copy the "report.pdf" file from the remote server's "reports" directory to the "documents" directory on your local machine.

===Transferring directories===

To transfer an entire directory, use the '''-r''' flag:

<code>scp -r -P port local_directory_path username@hostname_or_IP:remote_directory_path</code>

Or, to copy a directory from the remote server to your local machine:

<code>scp -r -P port username@hostname_or_IP:remote_directory_path local_directory_path</code>

Using SCP is a convenient and secure way to transfer files between your local machine and a remote server. It leverages the security of the SSH protocol to ensure that your data remains encrypted during transit.

===Transferring from Remote Computer to Remote Computer===

Copy the file '''stuff.txt''' from remote host '''12.34.56.67''' to host '''11.22.33.44'''

<code>scp name@12.34.56.67:/home/user/Documents/stuff.txt name@11.22.33.44:/home/user/Documents/</code>

With the '''-3''' flag copies between two remote hosts "12.34.56.67" and "11.22.33.44" are transferred through the local host running the command.

<code>scp -3 name@12.34.56.67:/home/user/Documents/stuff.txt \ name@11.22.33.44:/home/user/Documents/ </code>

===Transferring multiple files===

Send files foo.txt and bar.txt to remote.

<code>scp foo.txt bar.txt user@12.34.56.78:~/Documents/</code>

Copy multiple files from remote "Documents" directory to local "Documents" directory.

<code>scp user@11.22.33.44:/home/user/Documents/\{todo_list.txt,links.txt,stuff.txt\} /home/$USER/Documents/</code>

Copy multiple files from the remote to local current directory.

<code>scp name@12.34.56.78:~/\{README.md,.bashrc\} . </code>

== Transferring files with SFTP==
The SSH File Transfer Protocol (SFTP) is another method for transferring files securely between your local machine and a remote server. Unlike SCP, SFTP provides an interactive interface that allows you to navigate, upload, and download files more easily.

Install an SFTP client: Most Unix-based systems, including Linux and macOS, have an SFTP client pre-installed. For Windows, you can use the built-in SFTP client included with the OpenSSH package (available in Windows 10 and later) or a third-party client like WinSCP or FileZilla.

Connect to a remote server: To start an SFTP session with a remote server, open a terminal or command prompt on your local machine and use the following command:

<code>sftp -P port username@hostname_or_IP</code>

Replace port with the SSH port number (if different from the default 22), username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

For example:

<code>sftp -P 22 john@example.com</code>

Navigate the remote filesystem: Once connected, you can use commands similar to those available in a Unix shell to navigate the remote server's filesystem. Some common SFTP commands include:

: '''ls''': List files and directories<br>
: '''cd''': Change the current directory<br>
: '''mkdir''': Create a new directory<br>
: '''rmdir''': Remove an empty directory<br>
: '''get''': Download a file from the remote server<br>
: '''put''': Upload a file to the remote server<br>
<br>
: '''rm''': Remove a file<br>
: '''rename''': Rename a file or directory<br>
: '''exit''': Exit the SFTP session<br>

Transfer files: To transfer files, use the put command to upload a file from your local machine to the remote server, and the get command to download a file from the remote server to your local machine. For example:

Upload a file:

<code>put local_file_path remote_file_path</code>

Download a file:

<code>get remote_file_path local_file_path</code>

Replace local_file_path and remote_file_path with the appropriate paths for the files you want to transfer.

Transferring directories: To transfer entire directories, use the -r flag with the put and get commands:

Upload a directory:

<code>put -r local_directory_path remote_directory_path</code>

Download a directory:

<code>get -r remote_directory_path local_directory_path</code>

Disconnect from the remote server: When you've finished transferring files, type exit to close the SFTP session.

SFTP offers a more user-friendly, interactive experience for transferring files compared to SCP. By utilizing the secure and encrypted SSH protocol, SFTP ensures that your data remains safe during transfer.

==Advanced SSH Techniques==
=== Port forwarding and tunneling===

SSH port forwarding and tunneling allow you to securely forward network traffic between your local machine and a remote server. This can be useful for accessing remote services, bypassing firewalls, or securely transmitting sensitive data.

Local Port Forwarding: Local port forwarding creates a secure tunnel between your local machine and a remote server, allowing you to access remote services as if they were running on your local machine. To set up local port forwarding, use the -L flag with the SSH command:

<code>ssh -L local_port:remote_host:remote_port username@hostname_or_IP</code>

Replace local_port with an available port on your local machine, remote_host with the hostname or IP address of the remote server hosting the service, remote_port with the port number of the remote service, username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

Remote Port Forwarding: Remote port forwarding enables you to expose a local service running on your machine to a remote network. To set up remote port forwarding, use the -R flag with the SSH command:

<code>ssh -R remote_port:local_host:local_port username@hostname_or_IP</code>

Replace remote_port with an available port on the remote server, local_host with the hostname or IP address of the local machine hosting the service, local_port with the port number of the local service, username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

:**Forwarding X, Sound, and Video on Ubuntu 22.04 with Ubuntu 22.04 LXC**: To forward X, sound, and video from a remote Ubuntu 22.04 server to your local Ubuntu 22.04 machine, you'll need to enable X11 forwarding and install the necessary packages.

:* Install required packages: On both your local machine and the remote server, install the x11-apps and pulseaudio packages:

<code>sudo apt update</code><br>
<code>sudo apt install x11-apps pulseaudio</code>

:* Enable X11 forwarding: To enable X11 forwarding, you'll need to edit the SSH server configuration file (/etc/ssh/sshd_config) on the remote server:

<code>sudo nano /etc/ssh/sshd_config</code>

Find the line containing "X11Forwarding" and set its value to "yes":

<code>X11Forwarding yes</code>

If the line is commented out (i.e., it starts with a '#'), remove the '#' symbol. Save your changes and exit the text editor.

:* Restart the SSH server: Apply the changes by restarting the SSH server:

<code>sudo systemctl restart ssh</code>

:* Connect with X11 forwarding: From your local machine, use the -X flag to enable X11 forwarding when connecting to the remote server:

<code>ssh -X username@hostname_or_IP</code>

:* Export PULSE_SERVER environment variable: On the remote server, export the PULSE_SERVER environment variable to forward sound:

<code>export PULSE_SERVER=tcp:localhost</code>

You can add this line to the remote user's ~/.bashrc or ~/.profile file to make the change permanent.

:* Run applications: Now, you can run graphical applications on the remote server, and they will be displayed on your local machine with sound and video forwarded.

Please note that forwarding X, sound, and video might cause increased latency and reduced performance compared to running the applications locally.

=== SSH agent forwarding===
SSH agent forwarding is a powerful feature that allows you to use your local SSH keys to authenticate with remote servers without having to copy your private keys to those servers. This is particularly useful when you need to access one remote server (Server B) through another remote server (Server A).

==== Start the SSH agent on your local machine ====

Before you enable SSH agent forwarding, you need to start the SSH agent on your local machine. Open a terminal and run the following command:

:* For Linux and macOS:

<code>eval "$(ssh-agent -s)"</code>

For Windows (Git Bash or Cygwin):

<code>eval $(ssh-agent)</code>

This command starts the SSH agent and sets the required environment variables.

====Add your SSH key to the agent====

Next, add your private key to the SSH agent with the following command:

<code>ssh-add ~/.ssh/your_private_key</code>

Replace '''your_private_key''' with the filename of your private key. This might be '''id_rsa''', '''id_ed25519''', or another key file depending on your setup.

====Configure SSH agent forwarding on your local machine====

Edit your SSH config file to enable agent forwarding. The config file is usually located at '''~/.ssh/config'''. If the file doesn't exist, create it.

Add the following lines to the config file:

<pre>
Host server_a_alias
HostName server_a_ip_or_hostname
User your_username_on_server_a
ForwardAgent yes

Host server_b_alias
HostName server_b_ip_or_hostname
User your_username_on_server_b
ForwardAgent yes
</pre>

Replace
:* '''server_a_alias'''
:* ''' server_a_ip_or_hostname'''
:* '''your_username_on_server_a'''
:* '''server_b_alias'''
:* '''server_b_ip_or_hostname'''
:* '''your_username_on_server_b'''
with the appropriate values.

====Make sure your public key is added to the remote servers====

Before you can use SSH agent forwarding, you need to add your public key to the '''~/.ssh/authorized_keys''' file on both Server A and Server B. If you haven't done this already, you can use the following command:

<code>ssh-copy-id -i ~/.ssh/your_public_key user@server_ip_or_hostname</code>

Replace '''your_public_key''', '''user''', and '''server_ip_or_hostname''' with the appropriate values.

====Test SSH agent forwarding====

First, SSH into Server A:

<code>ssh server_a_alias</code>

Then, from Server A, SSH into Server B:

<code>ssh server_b_alias</code>

If everything is set up correctly, you should be able to access Server B without being prompted for a password.

====Verify SSH agent forwarding====

To make sure that SSH agent forwarding is working, you can check the value of the '''SSH_AUTH_SOCK''' environment variable on Server B.

From Server B, run the following command:

<code>echo $SSH_AUTH_SOCK</code>

If SSH agent forwarding is working, this command should return a non-empty value.

That's it! You've successfully set up and tested SSH agent forwarding. Now you can use your local SSH keys to authenticate with remote servers without having to copy your private keys to those servers.

===Command Restriction===

The '''authorized_keys''' file can be used to restrict the commands that a specific SSH key can execute. This is especially useful for security purposes, to limit the potential damage that could be done if a key is compromised.

By including a '''command=''' directive in the '''authorized_keys''' file, you can specify the exact command that will be run when a client connects using the associated key. Any command provided by the client will be ignored, and the command specified in the authorized_keys file will be used instead.

Example:

<code>command="/usr/bin/scp -t /home/rscp/media/" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...</code>

is set up to always execute the '''scp''' command (used for secure copy of files over SSH) to the specified directory, no matter what command was originally issued by the client. This is a good way to create a "write-only" drop box, for instance.

However, the keyholder could potentially still execute arbitrary commands by carefully crafting the file names they upload, so additional precautions should be taken, such as using command= along with other directives like '''no-port-forwarding''', '''no-X11-forwarding''', and '''no-pty''' to further limit what can be done with the key.

<code>command="/usr/bin/scp -t /home/rscp/media/",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...</code>

This entry does the following:

:* The '''command=''' directive runs the specified command when a client connects using this key. In this case, the command is scp, which securely copies files to the /home/rscp/media/ directory.
:* The '''no-port-forwarding''' directive prevents the client from using SSH's port forwarding features, which could potentially be used to create a secure tunnel for other network traffic.
:* The '''no-X11-forwarding''' directive prevents the client from forwarding X11 graphical sessions, which could be used to run graphical applications over the SSH connection.
:* The '''no-pty''' directive prevents the allocation of a pseudo-terminal, which means the client can't interact with a shell or run interactive commands.

The '''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...''' part is the public key of the client. Replace this with the actual key.

This configuration significantly limits the operations that can be performed with this key, providing an additional layer of security.

====SCP Only====

Use Case Example: Have a Server hosting XML Dumps, and want to automate sending a file or directory from Server1 to Server2 using a script and ssh-key so i don't need to enter password.

=====Create Account on Server=====
Create user account you are going to use:<br>
<code>adduser rscp</code>

Make sure user has a '''.ssh''' directory to send public key to:<br>
<code>mkdir /home/rscp/.ssh</code>

Make a Directory to transfer files to:<br>
<code>mkdir /home/rscp/media</code>

Note: If you see error <code>scp: /home/rscp/media/test.txt: Permission denied</code> If you created directory '''media''' when logged in as '''root''' then check directory permissions and if need [[Linux_Users_and_Groups#File_Ownership_and_Permissions|assign ownership to '''user''' account.]]<br>
Example:<code>chown rscp:rscp /home/rscp/media</code>

[[Ubuntu_22.04_SSH_Guide#Copying_public_keys_to_the_remote_server|Send your public key to server]]

After public_key/authorized_key is on server, edit authorized_keys and at the start before ssh-rsa <KEY>
<pre>
command="/usr/bin/scp -t /home/rscp/media/" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...
</pre>

If from remote server you are sending a Directory include the '''-r''' flag in command:<br>

After public_key/authorized_key is on server, edit authorized_keys and at the start before ssh-rsa <KEY>
<pre>
command="/usr/bin/scp -t -r /home/rscp/media/" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...
</pre>

This entry in the authorized_keys file uses the command option to restrict the SSH command that can be run with the associated SSH key. The command option specifies that the scp command should be used to transfer files to the '''/home/rscp/media/''' directory on the server.

Here's a breakdown of the entry:

:* '''command="/usr/bin/scp -t /home/rscp/"''': This specifies that the scp command should be used as the SSH command for this key, with the '''-t''' option to specify that the remote end is a file (in this case, a directory), and the destination directory on the server is /home/rscp/. This means that the user can only use the SSH key to transfer files to the /home/rscp/ directory on the server.

:* '''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...''': This is the public key associated with the private key that is used for authentication.

By using the command option in this way, you can restrict the actions that the user can perform with the SSH key, which can help to improve security. In this case, the user can only transfer files to the specified directory on the server using the scp command.

======Tip - transfer file to a path your USER does not have permissions for======

You can write a shell script to check the '''/home/rscp/media''' directory every minute using a while loop and the sleep command. If any files are found in the directory, the script can move them to the '''/var/www/media''' directory using the mv command. Here's an example script:

<syntaxhighlight lang="bash" line>
#!/bin/bash

while true
do
if [ "$(ls -A /home/rscp/media/)" ]; then
mv /home/rscp/media/* /var/www/media/
fi
sleep 60
done
</syntaxhighlight>

In this script, the while loop runs indefinitely ('''while true''') and sleeps for 60 seconds at the end of each iteration ('''sleep 60''').

The '''if''' statement checks if the '''/home/rscp/media''' directory is not empty ('''[ "$(ls -A /home/rscp/media/)" ]'''). If it is not empty, the '''mv''' command is used to move all files and directories from the '''/home/rscp/media/''' directory to the '''/var/www/media/''' directory.

Save this script to a file (e.g. '''move-files.sh''') and make it executable using the '''chmod +x move-files.sh''' command. You can then run the script using '''./move-files.sh &''' to start it in the background and allow it to run indefinitely. The & symbol is used to run the script in the background so that you can continue using the terminal.

Note that running this script indefinitely can consume system resources, so you may want to consider setting up a scheduled task (e.g. using '''[[Cron_ubuntu_22.04|cron]]''') to run the script at a specific interval instead of running it indefinitely.

==Tilde '''~''' the escape character==

The tilde (~) character has a special meaning in the context of SSH. When using SSH, you can use the tilde character followed by a control sequence to perform certain actions. These are called "tilde escape sequences" or "tilde commands." They are useful for managing your SSH connections.

Here's how to use tilde escape sequences when connected to a remote server via SSH:

:* Make sure you are at the beginning of a new line in your terminal. Press '''Enter''' if you are not.

:* Type the tilde (~) character, followed by the appropriate control sequence. Note that you should not press '''Enter''' after typing the tilde character, but rather type the control sequence directly after it.

Here are some common tilde escape sequences:

: '''~.''' : Close the SSH connection. This can be helpful if the connection is frozen or unresponsive.
: '''~^Z''' : Suspend the SSH connection and return to your local shell. You can later resume the connection using the fg command.
: '''~#''' : List all forwarded connections (both local and remote) that are active in the current SSH session.
: '''~&''' : Run the SSH session in the background. This is useful if you want to perform other tasks on your local machine without closing the SSH connection.
: '''~~''' : Send a literal tilde character to the remote system. This is useful if you need to type a tilde character in the remote system without triggering an escape sequence.

Remember that these escape sequences only work if they are entered at the beginning of a new line in your terminal. If you're typing them in the middle of a command or text, they won't be recognized as special control sequences.

==Troubleshooting and Best Practices==

In this section, we'll cover some common issues and best practices related to SSH connections, including managing a large number of SSH keys.

===Too many authentication attempts===

When connecting to an SSH server, you might encounter the "Too many authentication attempts" error. This is often caused by having too many private keys in your ~/.ssh directory. By default, SSH tries each key until it finds the correct one, but many servers limit the number of authentication attempts.

'''Solution''': To resolve this issue, you can create a separate directory for your keys and configure the SSH config file to use the appropriate key for each connection.

:* Create a new directory for your keys:

<code>mkdir ~/.ssh/keys</code>

:* Move your private key files to the new directory:

<code>mv ~/.ssh/id_rsa_* ~/.ssh/keys/</code>

Update your SSH config file to specify the correct key for each connection:
<pre>
Host server1
...
IdentityFile ~/.ssh/keys/id_rsa_server1

Host server2
...
IdentityFile ~/.ssh/keys/id_rsa_server2
</pre>

===Permission issues===

SSH is very strict about file and directory permissions. Ensure that your ~/.ssh directory and its contents have the correct permissions:

:* The ~/.ssh directory should have permissions set to 700:

<code>chmod 700 ~/.ssh</code>

Private key files should have permissions set to 600:

<code>chmod 600 ~/.ssh/id_rsa</code>

The ~/.ssh/config file should have permissions set to 600:

<code>chmod 600 ~/.ssh/config</code>

:* <b>Best practices</b>: Follow these best practices to maintain secure and efficient SSH connections:

:* Use SSH key pairs instead of passwords for authentication, as they provide better security.
:* Regularly update your SSH keys to maintain their security.
:* Use strong, unique passphrases to protect your private keys.
:* Disable password authentication and root login on your SSH server to reduce the risk of brute-force attacks.
:* Regularly update your SSH server software to ensure you're running the latest security patches.
:* Use non-standard port numbers for your SSH server to make it less likely to be targeted by automated attacks.
:* Implement multi-factor authentication (MFA) for your SSH connections, if possible.
:* Regularly review and remove any unnecessary authorized keys from the ~/.ssh/authorized_keys file on your servers.
:* Use the Match directive in the sshd_config file to apply custom rules and settings for different users, groups, or connections.

NixOS ZFS Encryption on root

2024-04-28T14:13:04Z

Noob: Created page with "==Prerequisites== Going to Install NixOS with ZFS on root on a ThinkPad T470 with 24gb Ram and a 1TB nvme ssd. * Live NixOS installer USB - nixos-plasma5-23.11.4761.5bf1cadb72ab-x86_64-linux.iso * Computer to install NixOS - will be wiping hard disk ==Bootable Media - NixOS== Create a thumb drive with a live NixOS installer and boot up In this tut using <code>https://channels.nixos.org/nixos-23.11/latest-nixos-plasma5-x86_64-linux.iso</code> Once booted into Live..."

==Prerequisites==

Going to Install NixOS with ZFS on root on a ThinkPad T470 with 24gb Ram and a 1TB nvme ssd.

* Live NixOS installer USB - nixos-plasma5-23.11.4761.5bf1cadb72ab-x86_64-linux.iso
* Computer to install NixOS - will be wiping hard disk

==Bootable Media - NixOS==

Create a thumb drive with a live NixOS installer and boot up

In this tut using <code>https://channels.nixos.org/nixos-23.11/latest-nixos-plasma5-x86_64-linux.iso</code>

Once booted into Live NixOS, close the default installer window that opens and connect laptop to power and internet.

<div class="toccolours mw-collapsible mw-collapsed">
If you want to SSH into Live NixOS so you can follow notes and copy and paste commands<div class="mw-collapsible-content">

: ''''' Remove Default 15 Sleep mode on Live Installer'''''

By default the NixOS live installer will go to sleep after 15 minutes of inactively.<br>
We are going to login to are live NixOS box with ssh so that would be bad.

: '''''KDE Plasma Desktop Live Installer'''''

** click the '''Application Launcher''' in the '''Favorites''' section which should come up by default, click '''System Settings''' > '''Power Management''' > '''Energy Saving''' and untick '''Suspend session''' and click '''Apply''', now we can close the window and get ready to ssh into are laptop running a live install of nixos.

: '''''Allow SSH Login to Live NixOS Installer'''''

The NixOS installer as two user accounts.

* User: '''nixos'''
* User: '''root'''

You only need to set a password for '''nixos''' as the user is on the sudoers, you can just use <code>sudo -s</code> to upgrade to user '''root'''.

Open the '''Konsole''' terminal, you should see '''ICON''' on Desktop.

To ssh in as user '''nixos''' the user will require a password.
* After running this command you will be prompted to enter a password for the user '''nixos''', you will use this to login.
<code>passwd nixos</code>

: '''''Find the IP address NixOS as been assigned'''''

<code>ip addr</code><br>
Which show my LAN IP address address the router as issued for the nix os box as 192.168.0.161

Return Output from command '''ip addr''':
<pre>
[nixos@nixos:~]$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether e8:6a:64:8f:ea:ae brd ff:ff:ff:ff:ff:ff
3: wlp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 38:ba:f8:8b:d7:b0 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.161/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp4s0
valid_lft 86345sec preferred_lft 86345sec
inet6 fe80::bc45:cc59:3e71:d08/64 scope link noprefixroute
valid_lft forever preferred_lft forever
</pre>

<div class="toccolours mw-collapsible mw-collapsed">
The '''ip addr''' command and output:
<div class="mw-collapsible-content">

'''''What is 'ip addr'?'''''

The '''ip addr''' command is a tool that allows you to manage and display the IP addresses assigned to your computer's network interfaces. In simpler terms, it's a command that helps you see what 'internet addresses' your computer is using to connect to the internet or other networks.

When you run '''ip addr''', your computer returns a list of all the network connections it has, like Wi-Fi and Ethernet, and the details about each one.

'''''Understanding the Output'''''

Let's break down what you'll typically see when you run this command:

#* '''''Loopback Interface (lo) '''''
<pre>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
</pre>
* '''lo''' is a special network interface that your computer uses to communicate with itself.
* '''inet 127.0.0.1/8''' is its IP address. '''127.0.0.1''' is like your computer's own 'home' address.

#* '''''Ethernet Interface (enp0s31f6) '''''
<pre>
2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
</pre>
* '''enp0s31f6''' is an Ethernet interface, which means it's what your computer uses when it's connected to the internet with a cable.
* '''state DOWN''' means that this interface is not currently active (maybe the cable is unplugged).

#*'''''Wi-Fi Interface (wlp4s0)'''''
<pre>
3: wlp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.0.161/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp4s0
</pre>
* '''wlp4s0''' is a Wi-Fi interface, which means this is what your computer uses when it's connected to Wi-Fi.
* '''inet 192.168.0.161/24''' is the IP address given to your computer by your Wi-Fi router.

</div>
</div>

'''''SSH into NixOS Laptop'''''

Now we can ssh into are NixOS Laptop and get started.

From the Macbook going to open a '''Terminal''' and login:

<code>ssh nixos@192.168.0.161</code>

Will be prompted to enter password for user '''nixos'''

</div>
</div>

=== find hard drive===
<code>lsblk</code>
* '''lsblk''' stands for '''list block devices''' and more info can be found in the manual page by typing '''''man lsblk''''' in terminal

<pre>
[nixos@nixos:~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 2.5G 1 loop /nix/.ro-store
sda 8:0 1 7.3G 0 disk
├─sda1 8:1 1 2.5G 0 part /iso
└─sda2 8:2 1 3M 0 part
sdb 8:16 1 0B 0 disk
nvme0n1 259:0 0 931.5G 0 disk
</pre>

'''sda''' is the Live Boot Media (NixOS USB)

'''nvme0n1''' is the laptops hard drive

NOTE: swap should be equal to ram at least or double.<br>

=== nuke hard drive ===

This will wipe the hard drive

<code>sudo sgdisk --zap-all /dev/nvme0n1</code>

Return Output:
<pre>
[nixos@nixos:~]$ sudo sgdisk --zap-all /dev/nvme0n1
GPT data structures destroyed! You may now partition the disk using fdisk or
other utilities.
</pre>

=== create partitions ===

Gonna duel boot with FreeBSD Later - so not using all of hard drive

* EFI 2GB
* NixOS Main 500GB
* NixOS Swap 16GB

<code>sudo fdisk /dev/nvme0n1</code>

Return Output:
<pre>
Welcome to fdisk (util-linux 2.38.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0x244b4973.

Command (m for help):
</pre>

==== GPT disklabel====
Create GPT disklabel by pressing '''g'''<br>
<code>g</code><br>
Return Output:
<pre>
Created a new GPT disklabel (GUID: 617C1730-CC18-A44D-8C70-3E3939D1BCC8).

Command (m for help):
</pre>
When you press <code>g</code> after running this command, you will be initiating the creation of a new empty GPT (GUID Partition Table) partition table on the disk /dev/nvme0n1. <br>
GPT is a modern partitioning scheme that is part of the UEFI standard, replacing the older MBR (Master Boot Record) scheme used by BIOS systems. It supports larger disk sizes and more partitions than MBR.

==== EFI partition====
Crete EFI partition by first creating a new partition using '''n'''<br>

<code>n</code><br>
Return Output:
<pre>
Partition number (1-128, default 1):
</pre>

The default should be partition 1, which can be selected by just pressing '''Enter''' or entering '''1''' and pressing '''Enter'''

'''First section'''
<div class="toccolours mw-collapsible mw-collapsed">
First sector (2048-1953525134, default 2048): MORE INFO
<div class="mw-collapsible-content">
First Sector: This is the starting sector for the new partition you're creating. In disk partitioning, a "sector" is the smallest unit that can be accessed on the disk. Historically, a sector holds 512 bytes, but newer disks might use larger sector sizes.

Range (2048-1953525134): This is the range of sectors you can choose from for the starting point of the new partition. The numbers are sector indices on the disk.

The lower bound 2048 is often the default starting point for the first partition in modern systems using GPT (GUID Partition Table). This offset is used to align partitions correctly for performance reasons and to provide some space for the bootloader and partition table.
The upper bound 1953525134 represents the last sector on the disk that can be used as a starting point for the new partition.
Default (2048): This indicates the default choice that fdisk will use if you simply press Enter without typing a number. It's recommending you start the partition at sector 2048.

Choosing the default is usually safe and aligns with most modern storage devices' requirements for optimal performance and alignment.
Why Start at Sector 2048?: Starting at sector 2048 leaves enough room for the primary GPT header and the partition entries. This is part of the standard layout for GPT disks. It's a best practice to follow these defaults unless you have a specific reason to deviate, such as specific alignment needs or following a custom partitioning scheme.
</div>
</div>

<pre>First sector (2048-1953525134, default 2048):</pre>

We want the default first sector of 2048, so just press ENTER

'''Create a 2 GB partition for EFI'''

The Return Output from the last command:
<pre>
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-1953525134, default 1953523711):
</pre>

<code>+2GB</code>

<div class="toccolours mw-collapsible mw-collapsed">
<code>+2GB</code> Explained:
<div class="mw-collapsible-content">
The line '''+2GB''' is a simple directive used in the '''fdisk''' utility to specify the size of the new partition you are creating. Here's what it means:

"+" Symbol: This indicates that the size specified is to be added to the starting sector of the partition. It's a way of specifying how much space to allocate for the partition, starting from the beginning sector you selected (or the default starting sector).

"2GB": This specifies the size of the partition. In this case, it's 2 gigabytes. This is the amount of disk space that will be allocated to the new partition.

So, when you input +2GB in fdisk after choosing to create a new partition (n command), you are instructing fdisk to create a new partition that is 2 gigabytes in size. This is a common size for an EFI (Extensible Firmware Interface) system partition, which is used as a boot partition in modern computers with UEFI firmware.

</div>
</div>

'''Select type of partiton'''<br>
the '''t''' command is used for changing the type of a partition.<br>

<code>t</code><br>
Return OutPut:
<pre>
Command (m for help): t
Selected partition 1
Partition type or alias (type L to list all):
</pre>

<div class="toccolours mw-collapsible mw-collapsed">
Command '''t''' More info<div class="mw-collapsible-content">

Command 't': When you enter the t command in fdisk, it prompts you to change the type of an existing partition. This is important because the type of a partition can determine how the operating system and firmware interact with it.

Selecting a Partition: If you have more than one partition on your disk, fdisk will first ask you to specify which partition you want to change the type of. You do this by entering the partition number (e.g., 1, 2, etc.).

Partition Types: Each partition type is represented by a unique code or identifier. These types correspond to different uses, such as Linux filesystems, EFI system partitions, swap areas, etc. The partition type tells the system how to treat that partition – for example, whether it's a bootable system partition, a data storage area, or something else.

Input for EFI System Partition: When you enter 1 after the t command in the context of setting up an EFI partition, it sets the selected partition's type to 'EFI System'. This type is used for EFI boot partitions, which are necessary for systems with UEFI firmware. The EFI partition holds the boot loaders and other data needed for starting the operating system.
</div>
</div>

'''Set Type as "EFI system" '''<br>
1 = EFI system, just type 1 and hit Enter<br>
<code>1</code> <br>
Return Output:
<pre>
Partition type or alias (type L to list all): 1
Changed type of partition 'Linux filesystem' to 'EFI System'.
</pre>

<div class="toccolours mw-collapsible mw-collapsed">
Output from pressing '''L'''<div class="mw-collapsible-content">
<pre>
Partition type or alias (type L to list all): L
1 EFI System C12A7328-F81F-11D2-BA4B-00A0C93EC93B
2 MBR partition scheme 024DEE41-33E7-11D3-9D69-0008C781F39F
3 Intel Fast Flash D3BFE2DE-3DAF-11DF-BA40-E3A556D89593
4 BIOS boot 21686148-6449-6E6F-744E-656564454649
5 Sony boot partition F4019732-066E-4E12-8273-346C5641494F
6 Lenovo boot partition BFBFAFE7-A34F-448A-9A5B-6213EB736C22
7 PowerPC PReP boot 9E1A2D38-C612-4316-AA26-8B49521E5A8B
8 ONIE boot 7412F7D5-A156-4B13-81DC-867174929325
9 ONIE config D4E6E2CD-4469-46F3-B5CB-1BFF57AFC149
10 Microsoft reserved E3C9E316-0B5C-4DB8-817D-F92DF00215AE
11 Microsoft basic data EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
12 Microsoft LDM metadata 5808C8AA-7E8F-42E0-85D2-E1E90434CFB3
13 Microsoft LDM data AF9B60A0-1431-4F62-BC68-3311714A69AD
14 Windows recovery environment DE94BBA4-06D1-4D40-A16A-BFD50179D6AC
15 IBM General Parallel Fs 37AFFC90-EF7D-4E96-91C3-2D7AE055B174
16 Microsoft Storage Spaces E75CAF8F-F680-4CEE-AFA3-B001E56EFC2D
17 HP-UX data 75894C1E-3AEB-11D3-B7C1-7B03A0000000
18 HP-UX service E2A1E728-32E3-11D6-A682-7B03A0000000
19 Linux swap 0657FD6D-A4AB-43C4-84E5-0933C84B4F4F
20 Linux filesystem 0FC63DAF-8483-4772-8E79-3D69D8477DE4
21 Linux server data 3B8F8425-20E0-4F3B-907F-1A25A76F98E8
22 Linux root (x86) 44479540-F297-41B2-9AF7-D131D5F0458A
23 Linux root (x86-64) 4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709
24 Linux root (Alpha) 6523F8AE-3EB1-4E2A-A05A-18B695AE656F
25 Linux root (ARC) D27F46ED-2919-4CB8-BD25-9531F3C16534
26 Linux root (ARM) 69DAD710-2CE4-4E3C-B16C-21A1D49ABED3
27 Linux root (ARM-64) B921B045-1DF0-41C3-AF44-4C6F280D3FAE
28 Linux root (IA-64) 993D8D3D-F80E-4225-855A-9DAF8ED7EA97
29 Linux root (LoongArch-64) 77055800-792C-4F94-B39A-98C91B762BB6
30 Linux root (MIPS-32 LE) 37C58C8A-D913-4156-A25F-48B1B64E07F0
31 Linux root (MIPS-64 LE) 700BDA43-7A34-4507-B179-EEB93D7A7CA3
32 Linux root (PPC) 1DE3F1EF-FA98-47B5-8DCD-4A860A654D78
33 Linux root (PPC64) 912ADE1D-A839-4913-8964-A10EEE08FBD2
34 Linux root (PPC64LE) C31C45E6-3F39-412E-80FB-4809C4980599
35 Linux root (RISC-V-32) 60D5A7FE-8E7D-435C-B714-3DD8162144E1
36 Linux root (RISC-V-64) 72EC70A6-CF74-40E6-BD49-4BDA08E8F224
37 Linux root (S390) 08A7ACEA-624C-4A20-91E8-6E0FA67D23F9
38 Linux root (S390X) 5EEAD9A9-FE09-4A1E-A1D7-520D00531306
39 Linux root (TILE-Gx) C50CDD70-3862-4CC3-90E1-809A8C93EE2C
40 Linux reserved 8DA63339-0007-60C0-C436-083AC8230908
41 Linux home 933AC7E1-2EB4-4F13-B844-0E14E2AEF915
42 Linux RAID A19D880F-05FC-4D3B-A006-743F0F84911E
43 Linux LVM E6D6D379-F507-44C2-A23C-238F2A3DF928
44 Linux variable data 4D21B016-B534-45C2-A9FB-5C16E091FD2D
45 Linux temporary data 7EC6F557-3BC5-4ACA-B293-16EF5DF639D1
46 Linux /usr (x86) 75250D76-8CC6-458E-BD66-BD47CC81A812
47 Linux /usr (x86-64) 8484680C-9521-48C6-9C11-B0720656F69E
48 Linux /usr (Alpha) E18CF08C-33EC-4C0D-8246-C6C6FB3DA024
49 Linux /usr (ARC) 7978A683-6316-4922-BBEE-38BFF5A2FECC
50 Linux /usr (ARM) 7D0359A3-02B3-4F0A-865C-654403E70625
51 Linux /usr (ARM-64) B0E01050-EE5F-4390-949A-9101B17104E9
52 Linux /usr (IA-64) 4301D2A6-4E3B-4B2A-BB94-9E0B2C4225EA
53 Linux /usr (LoongArch-64) E611C702-575C-4CBE-9A46-434FA0BF7E3F
54 Linux /usr (MIPS-32 LE) 0F4868E9-9952-4706-979F-3ED3A473E947
55 Linux /usr (MIPS-64 LE) C97C1F32-BA06-40B4-9F22-236061B08AA8
56 Linux /usr (PPC) 7D14FEC5-CC71-415D-9D6C-06BF0B3C3EAF
57 Linux /usr (PPC64) 2C9739E2-F068-46B3-9FD0-01C5A9AFBCCA
58 Linux /usr (PPC64LE) 15BB03AF-77E7-4D4A-B12B-C0D084F7491C
59 Linux /usr (RISC-V-32) B933FB22-5C3F-4F91-AF90-E2BB0FA50702
60 Linux /usr (RISC-V-64) BEAEC34B-8442-439B-A40B-984381ED097D
61 Linux /usr (S390) CD0F869B-D0FB-4CA0-B141-9EA87CC78D66
62 Linux /usr (S390X) 8A4F5770-50AA-4ED3-874A-99B710DB6FEA
63 Linux /usr (TILE-Gx) 55497029-C7C1-44CC-AA39-815ED1558630
64 Linux root verity (x86) D13C5D3B-B5D1-422A-B29F-9454FDC89D76
65 Linux root verity (x86-64) 2C7357ED-EBD2-46D9-AEC1-23D437EC2BF5
66 Linux root verity (Alpha) FC56D9E9-E6E5-4C06-BE32-E74407CE09A5
67 Linux root verity (ARC) 24B2D975-0F97-4521-AFA1-CD531E421B8D
68 Linux root verity (ARM) 7386CDF2-203C-47A9-A498-F2ECCE45A2D6
69 Linux root verity (ARM-64) DF3300CE-D69F-4C92-978C-9BFB0F38D820
70 Linux root verity (IA-64) 86ED10D5-B607-45BB-8957-D350F23D0571
71 Linux root verity (LoongArch-64) F3393B22-E9AF-4613-A948-9D3BFBD0C535
72 Linux root verity (MIPS-32 LE) D7D150D2-2A04-4A33-8F12-16651205FF7B
73 Linux root verity (MIPS-64 LE) 16B417F8-3E06-4F57-8DD2-9B5232F41AA6
74 Linux root verity (PPC) 98CFE649-1588-46DC-B2F0-ADD147424925
75 Linux root verity (PPC64) 9225A9A3-3C19-4D89-B4F6-EEFF88F17631
76 Linux root verity (PPC64LE) 906BD944-4589-4AAE-A4E4-DD983917446A
77 Linux root verity (RISC-V-32) AE0253BE-1167-4007-AC68-43926C14C5DE
78 Linux root verity (RISC-V-64) B6ED5582-440B-4209-B8DA-5FF7C419EA3D
79 Linux root verity (S390) 7AC63B47-B25C-463B-8DF8-B4A94E6C90E1
80 Linux root verity (S390X) B325BFBE-C7BE-4AB8-8357-139E652D2F6B
81 Linux root verity (TILE-Gx) 966061EC-28E4-4B2E-B4A5-1F0A825A1D84
82 Linux /usr verity (x86) 8F461B0D-14EE-4E81-9AA9-049B6FB97ABD
83 Linux /usr verity (x86-64) 77FF5F63-E7B6-4633-ACF4-1565B864C0E6
84 Linux /usr verity (Alpha) 8CCE0D25-C0D0-4A44-BD87-46331BF1DF67
85 Linux /usr verity (ARC) FCA0598C-D880-4591-8C16-4EDA05C7347C
86 Linux /usr verity (ARM) C215D751-7BCD-4649-BE90-6627490A4C05
87 Linux /usr verity (ARM-64) 6E11A4E7-FBCA-4DED-B9E9-E1A512BB664E
88 Linux /usr verity (IA-64) 6A491E03-3BE7-4545-8E38-83320E0EA880
89 Linux /usr verity (LoongArch-64) F46B2C26-59AE-48F0-9106-C50ED47F673D
90 Linux /usr verity (MIPS-32 LE) 46B98D8D-B55C-4E8F-AAB3-37FCA7F80752
91 Linux /usr verity (MIPS-64 LE) 3C3D61FE-B5F3-414D-BB71-8739A694A4EF
92 Linux /usr verity (PPC) DF765D00-270E-49E5-BC75-F47BB2118B09
93 Linux /usr verity (PPC64) BDB528A5-A259-475F-A87D-DA53FA736A07
94 Linux /usr verity (PPC64LE) EE2B9983-21E8-4153-86D9-B6901A54D1CE
95 Linux /usr verity (RISC-V-32) CB1EE4E3-8CD0-4136-A0A4-AA61A32E8730
96 Linux /usr verity (RISC-V-64) 8F1056BE-9B05-47C4-81D6-BE53128E5B54
97 Linux /usr verity (S390) B663C618-E7BC-4D6D-90AA-11B756BB1797
98 Linux /usr verity (S390X) 31741CC4-1A2A-4111-A581-E00B447D2D06
99 Linux /usr verity (TILE-Gx) 2FB4BF56-07FA-42DA-8132-6B139F2026AE
100 Linux root verity sign. (x86) 5996FC05-109C-48DE-808B-23FA0830B676
101 Linux root verity sign. (x86-64) 41092B05-9FC8-4523-994F-2DEF0408B176
102 Linux root verity sign. (Alpha) D46495B7-A053-414F-80F7-700C99921EF8
103 Linux root verity sign. (ARC) 143A70BA-CBD3-4F06-919F-6C05683A78BC
104 Linux root verity sign. (ARM) 42B0455F-EB11-491D-98D3-56145BA9D037
105 Linux root verity sign. (ARM-64) 6DB69DE6-29F4-4758-A7A5-962190F00CE3
106 Linux root verity sign. (IA-64) E98B36EE-32BA-4882-9B12-0CE14655F46A
107 Linux root verity sign. (LoongArch-64) 5AFB67EB-ECC8-4F85-AE8E-AC1E7C50E7D0
108 Linux root verity sign. (MIPS-32 LE) C919CC1F-4456-4EFF-918C-F75E94525CA5
109 Linux root verity sign. (MIPS-64 LE) 904E58EF-5C65-4A31-9C57-6AF5FC7C5DE7
110 Linux root verity sign. (PPC) 1B31B5AA-ADD9-463A-B2ED-BD467FC857E7
111 Linux root verity sign. (PPC64) F5E2C20C-45B2-4FFA-BCE9-2A60737E1AAF
112 Linux root verity sign. (PPC64LE) D4A236E7-E873-4C07-BF1D-BF6CF7F1C3C6
113 Linux root verity sign. (RISC-V-32) 3A112A75-8729-4380-B4CF-764D79934448
114 Linux root verity sign. (RISC-V-64) EFE0F087-EA8D-4469-821A-4C2A96A8386A
115 Linux root verity sign. (S390) 3482388E-4254-435A-A241-766A065F9960
116 Linux root verity sign. (S390X) C80187A5-73A3-491A-901A-017C3FA953E9
117 Linux root verity sign. (TILE-Gx) B3671439-97B0-4A53-90F7-2D5A8F3AD47B
118 Linux /usr verity sign. (x86) 974A71C0-DE41-43C3-BE5D-5C5CCD1AD2C0
119 Linux /usr verity sign. (x86-64) E7BB33FB-06CF-4E81-8273-E543B413E2E2
120 Linux /usr verity sign. (Alpha) 5C6E1C76-076A-457A-A0FE-F3B4CD21CE6E
121 Linux /usr verity sign. (ARC) 94F9A9A1-9971-427A-A400-50CB297F0F35
122 Linux /usr verity sign. (ARM) D7FF812F-37D1-4902-A810-D76BA57B975A
123 Linux /usr verity sign. (ARM-64) C23CE4FF-44BD-4B00-B2D4-B41B3419E02A
124 Linux /usr verity sign. (IA-64) 8DE58BC2-2A43-460D-B14E-A76E4A17B47F
125 Linux /usr verity sign. (LoongArch-64) B024F315-D330-444C-8461-44BBDE524E99
126 Linux /usr verity sign. (MIPS-32 LE) 3E23CA0B-A4BC-4B4E-8087-5AB6A26AA8A9
127 Linux /usr verity sign. (MIPS-64 LE) F2C2C7EE-ADCC-4351-B5C6-EE9816B66E16
128 Linux /usr verity sign. (PPC) 7007891D-D371-4A80-86A4-5CB875B9302E
129 Linux /usr verity sign. (PPC64) 0B888863-D7F8-4D9E-9766-239FCE4D58AF
130 Linux /usr verity sign. (PPC64LE) C8BFBD1E-268E-4521-8BBA-BF314C399557
131 Linux /usr verity sign. (RISC-V-32) C3836A13-3137-45BA-B583-B16C50FE5EB4
132 Linux /usr verity sign. (RISC-V-64) D2F9000A-7A18-453F-B5CD-4D32F77A7B32
133 Linux /usr verity sign. (S390) 17440E4F-A8D0-467F-A46E-3912AE6EF2C5
134 Linux /usr verity sign. (S390X) 3F324816-667B-46AE-86EE-9B0C0C6C11B4
135 Linux /usr verity sign. (TILE-Gx) 4EDE75E2-6CCC-4CC8-B9C7-70334B087510
136 Linux extended boot BC13C2FF-59E6-4262-A352-B275FD6F7172
137 Linux user's home 773f91ef-66d4-49b5-bd83-d683bf40ad16
138 FreeBSD data 516E7CB4-6ECF-11D6-8FF8-00022D09712B
139 FreeBSD boot 83BD6B9D-7F41-11DC-BE0B-001560B84F0F
140 FreeBSD swap 516E7CB5-6ECF-11D6-8FF8-00022D09712B
141 FreeBSD UFS 516E7CB6-6ECF-11D6-8FF8-00022D09712B
142 FreeBSD ZFS 516E7CBA-6ECF-11D6-8FF8-00022D09712B
143 FreeBSD Vinum 516E7CB8-6ECF-11D6-8FF8-00022D09712B
144 Apple HFS/HFS+ 48465300-0000-11AA-AA11-00306543ECAC
145 Apple APFS 7C3457EF-0000-11AA-AA11-00306543ECAC
146 Apple UFS 55465300-0000-11AA-AA11-00306543ECAC
147 Apple RAID 52414944-0000-11AA-AA11-00306543ECAC
148 Apple RAID offline 52414944-5F4F-11AA-AA11-00306543ECAC
149 Apple boot 426F6F74-0000-11AA-AA11-00306543ECAC
150 Apple label 4C616265-6C00-11AA-AA11-00306543ECAC
151 Apple TV recovery 5265636F-7665-11AA-AA11-00306543ECAC
152 Apple Core storage 53746F72-6167-11AA-AA11-00306543ECAC
153 Apple Silicon boot 69646961-6700-11AA-AA11-00306543ECAC
154 Apple Silicon recovery 52637672-7900-11AA-AA11-00306543ECAC
155 Solaris boot 6A82CB45-1DD2-11B2-99A6-080020736631
156 Solaris root 6A85CF4D-1DD2-11B2-99A6-080020736631
157 Solaris /usr & Apple ZFS 6A898CC3-1DD2-11B2-99A6-080020736631
158 Solaris swap 6A87C46F-1DD2-11B2-99A6-080020736631
159 Solaris backup 6A8B642B-1DD2-11B2-99A6-080020736631
160 Solaris /var 6A8EF2E9-1DD2-11B2-99A6-080020736631
161 Solaris /home 6A90BA39-1DD2-11B2-99A6-080020736631
162 Solaris alternate sector 6A9283A5-1DD2-11B2-99A6-080020736631
163 Solaris reserved 1 6A945A3B-1DD2-11B2-99A6-080020736631
164 Solaris reserved 2 6A9630D1-1DD2-11B2-99A6-080020736631
165 Solaris reserved 3 6A980767-1DD2-11B2-99A6-080020736631
166 Solaris reserved 4 6A96237F-1DD2-11B2-99A6-080020736631
167 Solaris reserved 5 6A8D2AC7-1DD2-11B2-99A6-080020736631
168 NetBSD swap 49F48D32-B10E-11DC-B99B-0019D1879648
169 NetBSD FFS 49F48D5A-B10E-11DC-B99B-0019D1879648
170 NetBSD LFS 49F48D82-B10E-11DC-B99B-0019D1879648
171 NetBSD concatenated 2DB519C4-B10F-11DC-B99B-0019D1879648
172 NetBSD encrypted 2DB519EC-B10F-11DC-B99B-0019D1879648
173 NetBSD RAID 49F48DAA-B10E-11DC-B99B-0019D1879648
174 ChromeOS kernel FE3A2A5D-4F32-41A7-B725-ACCC3285A309
175 ChromeOS root fs 3CB8E202-3B7E-47DD-8A3C-7FF2A13CFCEC
176 ChromeOS reserved 2E0A753D-9E48-43B0-8337-B15192CB1B5E
177 MidnightBSD data 85D5E45A-237C-11E1-B4B3-E89A8F7FC3A7
178 MidnightBSD boot 85D5E45E-237C-11E1-B4B3-E89A8F7FC3A7
179 MidnightBSD swap 85D5E45B-237C-11E1-B4B3-E89A8F7FC3A7
180 MidnightBSD UFS 0394EF8B-237E-11E1-B4B3-E89A8F7FC3A7
181 MidnightBSD ZFS 85D5E45D-237C-11E1-B4B3-E89A8F7FC3A7
182 MidnightBSD Vinum 85D5E45C-237C-11E1-B4B3-E89A8F7FC3A7
183 Ceph Journal 45B0969E-9B03-4F30-B4C6-B4B80CEFF106
184 Ceph Encrypted Journal 45B0969E-9B03-4F30-B4C6-5EC00CEFF106
185 Ceph OSD 4FBD7E29-9D25-41B8-AFD0-062C0CEFF05D
186 Ceph crypt OSD 4FBD7E29-9D25-41B8-AFD0-5EC00CEFF05D
187 Ceph disk in creation 89C57F98-2FE5-4DC0-89C1-F3AD0CEFF2BE
188 Ceph crypt disk in creation 89C57F98-2FE5-4DC0-89C1-5EC00CEFF2BE
189 VMware VMFS AA31E02A-400F-11DB-9590-000C2911D1B8
190 VMware Diagnostic 9D275380-40AD-11DB-BF97-000C2911D1B8
191 VMware Virtual SAN 381CFCCC-7288-11E0-92EE-000C2911D0B2
192 VMware Virsto 77719A0C-A4A0-11E3-A47E-000C29745A24
193 VMware Reserved 9198EFFC-31C0-11DB-8F78-000C2911D1B8
194 OpenBSD data 824CC7A0-36A8-11E3-890A-952519AD3F61
195 QNX6 file system CEF5A9AD-73BC-4601-89F3-CDEEEEE321A1
196 Plan 9 partition C91818F9-8025-47AF-89D2-F030D7000C2C
197 HiFive FSBL 5B193300-FC78-40CD-8002-E86C45580B47
198 HiFive BBL 2E54B353-1271-4842-806F-E436D6AF6985
199 Haiku BFS 42465331-3BA3-10F1-802A-4861696B7521
200 Marvell Armada 3700 Boot partition 6828311A-BA55-42A4-BCDE-A89BB5EDECAE

Aliases:
linux - 0FC63DAF-8483-4772-8E79-3D69D8477DE4
swap - 0657FD6D-A4AB-43C4-84E5-0933C84B4F4F
home - 933AC7E1-2EB4-4F13-B844-0E14E2AEF915
uefi - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
raid - A19D880F-05FC-4D3B-A006-743F0F84911E
lvm - E6D6D379-F507-44C2-A23C-238F2A3DF928
</pre>
</div>
</div>

====Create second partition NixOS Install====

Create a Second Partition by pressing <code>n</code> <br>
Return Output:
<pre>Partition number (2-128, default 2):
</pre>

Press ENTER for to set the default (2)<br>
Return Output:
<pre>First sector (4196352-1953525134, default 4196352):
</pre>

Again default, just press enter<br>
Return Output:
<pre>Last sector, +/-sectors or +/-size{K,M,G,T,P} (3907584-1953525134, default 1953523711):
</pre>

<code>+500GB</code>

<pre>
Created a new partition 2 of type 'Linux filesystem' and of size 465.7 GiB.
</pre>

====Create Third Partition for NixOS SWAP====

<code>n</code>

<pre>
Command (m for help): n
Partition number (3-128, default 3):
First sector (980469760-1953525134, default 980469760):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (980469760-1953525134, default 1953523711): +16GB
</pre>

<div class="toccolours mw-collapsible mw-collapsed">
NixOS Swap Note<div class="mw-collapsible-content">

Nix Config file will take care of the rest of swap

<pre>
swapDevices = [ {
device = "/dev/nvme0n1p2";
randomEncryption.enable = true;
} ];
</pre>

</div>
</div>

====Complete process terminal output====
<div class="toccolours mw-collapsible mw-collapsed">
The Complete process for creating the three partitions<div class="mw-collapsible-content">
<pre>
[nixos@nixos:~]$ sudo fdisk /dev/nvme0n1

Welcome to fdisk (util-linux 2.39.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS (MBR) disklabel with disk identifier 0xf4e4cac7.

Command (m for help): g
Created a new GPT disklabel (GUID: DB407773-03D4-499B-A96A-3A61798E4523).

Command (m for help): n
Partition number (1-128, default 1):
First sector (2048-1953525134, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-1953525134, default 1953523711): +2GB

Created a new partition 1 of type 'Linux filesystem' and of size 1.9 GiB.

Command (m for help): t
Selected partition 1
Partition type or alias (type L to list all): 1
Changed type of partition 'Linux filesystem' to 'EFI System'.

Command (m for help): n
Partition number (2-128, default 2):
First sector (3907584-1953525134, default 3907584):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (3907584-1953525134, default 1953523711): +500GB

Created a new partition 2 of type 'Linux filesystem' and of size 465.7 GiB.
Partition #2 contains a zfs_member signature.

Do you want to remove the signature? [Y]es/[N]o: y

The signature will be removed by a write command.

Command (m for help): n
Partition number (3-128, default 3):
First sector (980469760-1953525134, default 980469760):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (980469760-1953525134, default 1953523711): +16GB

Created a new partition 3 of type 'Linux filesystem' and of size 14.9 GiB.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

</pre>
</div>
</div>

Can now check partitions with <code>lsblk</code>
<pre>
[nixos@nixos:~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 2.5G 1 loop /nix/.ro-store
sda 8:0 1 7.3G 0 disk
├─sda1 8:1 1 2.5G 0 part /iso
└─sda2 8:2 1 3M 0 part
sdb 8:16 1 0B 0 disk
nvme0n1 259:0 0 931.5G 0 disk
├─nvme0n1p1 259:1 0 1.9G 0 part
├─nvme0n1p2 259:2 0 465.7G 0 part
└─nvme0n1p3 259:3 0 14.9G 0 part

</pre>

===format drives/partitions===

We have now created 3 partions on are hard drive '''nvme0n1'''

* '''nvme0n1p1''' the EFI partition
* '''nvme0n1p2''' the NixOS Main partition
* '''nvme0n1p3''' the NixOS Swap partition

====first partion is for EFI and will be formatted in fat32====

<code>sudo mkfs.fat -F 32 /dev/nvme0n1p1</code>

====adding a label====
<code>sudo fatlabel /dev/nvme0n1p1 EFIP</code>

===Create Zpools for Root and Home===

Encryption on root or unencrypted, select one option

* NOTE: '''nvme0n1p2''' is the Main partition, will be installing NixOS on. And '''nvme0n1p3''' is the SWAP

====Creating zpools for root and home NO ENCRYPTION====

<pre>
sudo zpool create -f \
-o altroot="/mnt" \
-o ashift=12 \
-o autotrim=on \
-O compression=lz4 \
-O acltype=posixacl \
-O xattr=sa \
-O relatime=on \
-O normalization=formD \
-O dnodesize=auto \
-O sync=disabled \
-O mountpoint=none \
NIXROOT \
/dev/nvme0n1p2

</pre>

<div class="toccolours mw-collapsible mw-collapsed">
BreakDown of above command:<div class="mw-collapsible-content">

* '''-o vs -O''':
** The lowercase "''-o''" sets pool-level properties affecting the entire pool.
** The uppercase "''-O''" sets dataset-level properties affecting datasets within the pool.

* '''Pool-Level Properties (Lowercase 'o')''':
** <code>-o altroot="/mnt"</code>: Temporarily sets an alternate root directory for mounting the pool.
** <code>-o ashift=12</code>: Specifies alignment shift for performance, with a value of 12 for 4K (2^12) disk sector size.
** <code>-o autotrim=on</code>: Enables automatic trimming of unused space for better SSD performance and longevity.

* '''Dataset-Level Properties (Uppercase 'O')''':
** <code>-O compression=lz4</code>: Enables LZ4 compression, which is effective and lightweight.
** <code>-O acltype=posixacl</code>: Enables POSIX ACLs for granular permission control.
** <code>-O xattr=sa</code>: Enables extended attributes stored as system attributes.
** <code>-O relatime=on</code>: Updates access times relative to modification time for efficiency.
** <code>-O normalization=formD</code>: Sets Unicode normalization form for system compatibility.
** <code>-O dnodesize=auto</code>: Allows automatic adjustment of dnode sizes for performance.
** <code>-O sync=disabled</code>: Disables synchronous writes for performance but may compromise data integrity.
** <code>-O mountpoint=none</code>: Disables automatic mounting of the new pool.

* '''Other Parameters''':
** ''NIXROOT'': Name of the ZFS pool being created.
** ''/dev/nvme0n1p2'': Disk partition for creating the ZFS pool.

* '''Additional Note''':
** <code>-f</code>: Forces pool creation, overriding safety checks. Use with caution.

</div>
</div>

====Creating zpools for root and home WITH ENCRYPTION on root====
* You will be prompted to enter a passphase after running the below commands

<pre>
sudo zpool create -f \
-o altroot="/mnt" \
-o ashift=12 \
-o autotrim=on \
-O compression=lz4 \
-O acltype=posixacl \
-O xattr=sa \
-O relatime=on \
-O normalization=formD \
-O dnodesize=auto \
-O sync=disabled \
-O encryption=aes-256-gcm \
-O keylocation=prompt \
-O keyformat=passphrase \
-O mountpoint=none \
NIXROOT \
/dev/nvme0n1p2

</pre>

<div class="toccolours mw-collapsible mw-collapsed">
BreakDown of above command:<div class="mw-collapsible-content">

* '''-o vs -O''':
** The lowercase "''-o''" sets pool-level properties affecting the entire pool.
** The uppercase "''-O''" sets dataset-level properties affecting datasets within the pool.

* '''Pool-Level Properties (Lowercase 'o')''':
** <code>-o altroot="/mnt"</code>: Temporarily sets an alternate root directory for mounting the pool.
** <code>-o ashift=12</code>: Specifies alignment shift for performance, with a value of 12 for 4K (2^12) disk sector size.
** <code>-o autotrim=on</code>: Enables automatic trimming of unused space for better SSD performance and longevity.

* '''Dataset-Level Properties (Uppercase 'O')''':
** <code>-O compression=lz4</code>: Enables LZ4 compression, which is effective and lightweight.
** <code>-O acltype=posixacl</code>: Enables POSIX ACLs for granular permission control.
** <code>-O xattr=sa</code>: Enables extended attributes stored as system attributes.
** <code>-O relatime=on</code>: Updates access times relative to modification time for efficiency.
** <code>-O normalization=formD</code>: Sets Unicode normalization form for system compatibility.
** <code>-O dnodesize=auto</code>: Allows automatic adjustment of dnode sizes for performance.
** <code>-O sync=disabled</code>: Disables synchronous writes for performance but may compromise data integrity.
** <code>-O encryption=aes-256-gcm</code>: Specifies AES-256-GCM as the encryption algorithm.
** <code>-O keylocation=prompt</code>: Prompts for the encryption key when needed.
** <code>-O keyformat=passphrase</code>: Uses a passphrase for the encryption key.
** <code>-O mountpoint=none</code>: Disables automatic mounting of the new pool.

* '''Other Parameters''':
** ''NIXROOT'': Name of the ZFS pool being created.
** ''/dev/nvme0n1p2'': Disk partition for creating the ZFS pool.

* '''Additional Note''':
** <code>-f</code>: Forces pool creation, overriding safety checks. Use with caution.

</div>
</div>
=====create root volume=====
<code>
sudo zfs create -o mountpoint=legacy NIXROOT/root
</code>

===== create home partition=====
<code>
sudo zfs create -o mountpoint=legacy NIXROOT/home
</code>

mountpoint=legacy allow us to use normal mount commands to mount zfs volume

<code>
sudo mount -t zfs NIXROOT/root /mnt
</code>

<code>
sudo mkdir /mnt/boot /mnt/home
</code>

* mount boot
<code>
sudo mount /dev/nvme0n1p1 /mnt/boot
</code>

* mount zfs home
<code>
sudo mount -t zfs NIXROOT/home /mnt/home
</code>

==nixos - config and install==

===Generate a Config File===
<code>
sudo nixos-generate-config --root /mnt
</code>

* This command will generate file for the nixos system - which files and what they do i do not yet know, learning as i go

* to see hardware configuration file
<code>
cat /mnt/etc/nixos/hardware-configuration.nix
</code>

====Network HostID====

Using the command '''head -c 8 /etc/machine-id''' to generate a value for '''networking.hostId''' in NixOS for ZFS setup is a practical method to obtain a unique and consistent identifier for your system.

<code>
head -c 8 /etc/machine-id
</code>

* should return 8 charaters, something like the below:
<pre>
3333abcd
</pre>

we will use this in the ZFS section of the '''nixos/configuration.nix''' file

==== edit nixos config file ====

<div class="toccolours mw-collapsible mw-collapsed">
<code>/mnt/etc/nixos/configuration.nix</code> Before any changes
<div class="mw-collapsible-content">
<pre>
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running `nixos-help`).

{ config, pkgs, ... }:

{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];

# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;

# networking.hostName = "nixos"; # Define your hostname.
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.

# Set your time zone.
# time.timeZone = "Europe/Amsterdam";

# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

# Select internationalisation properties.
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkbOptions in tty.
# };

# Enable the X11 windowing system.
services.xserver.enable = true;

# Enable the Plasma 5 Desktop Environment.
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;

# Configure keymap in X11
# services.xserver.layout = "us";
# services.xserver.xkbOptions = "eurosign:e,caps:escape";

# Enable CUPS to print documents.
# services.printing.enable = true;

# Enable sound.
# sound.enable = true;
# hardware.pulseaudio.enable = true;

# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;

# Define a user account. Don't forget to set a password with ‘passwd’.
# users.users.alice = {
# isNormalUser = true;
# extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
# packages = with pkgs; [
# firefox
# tree
# ];
# };

# List packages installed in system profile. To search, run:
# $ nix search wget
# environment.systemPackages = with pkgs; [
# vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
# wget
# ];

# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };

# List services that you want to enable:

# Enable the OpenSSH daemon.
# services.openssh.enable = true;

# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;

# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;

# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It's perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment?

}
</pre>
</div>
</div>

<code>
sudo $EDITOR /mnt/etc/nixos/configuration.nix
</code>

=====Boot Loader =====
By default will use systemd as boot loader which will not allow us to duel boot with freebsd (i think)

'''comment out''' the lines by placing a # in front
<pre>
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
</pre>

And Insert
<pre>
# use grub please
boot.loader.grub.enable = true;
boot.loader.grub.devices = [ "nodev" ];
boot.loader.grub.efiInstallAsRemovable = true ;
boot.loader.grub.efiSupport = true;
boot.loader.grub.useOSProber = true;
</pre>

=====ZFS=====
<pre>
# zfs
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.requestEncryptionCredentials = true;
## insert return from 'head -c 8 /etc/machine-id'
networking.hostId = "3333abcd";
services.zfs.autoScrub.enable = true;

</pre>

=====HostName and Network Manager=====
* In the same config file we are going to change a few other details

** networking.hostName
** can just uncomment if you are happy with the name 'nixos'
** uncomment and change name to what you like
<code>
networking.hostName = "t470nix";
</code>

** pick on e of the networking options by uncommenting
<code>
networking.networkmanager.enable = true;
</code>

===== Set your time zone - need to find a list of options=====
<code>
time.timeZone = "Europe/London";
</code>

===== keyboard layout =====

<pre>
# Configure keymap in X11
services.xserver = {
layout = "gb";
xkbVariant = "";
};

# Configure console keymap
console.keyMap = "uk";
</pre>

=====Select internationalisation properties=====
<pre>
# Select internationalisation properties.
i18n.defaultLocale = "en_GB.UTF-8";

i18n.extraLocaleSettings = {
LC_ADDRESS = "en_GB.UTF-8";
LC_IDENTIFICATION = "en_GB.UTF-8";
LC_MEASUREMENT = "en_GB.UTF-8";
LC_MONETARY = "en_GB.UTF-8";
LC_NAME = "en_GB.UTF-8";
LC_NUMERIC = "en_GB.UTF-8";
LC_PAPER = "en_GB.UTF-8";
LC_TELEPHONE = "en_GB.UTF-8";
LC_TIME = "en_GB.UTF-8";
};
</pre>

===== Desktop - Pantheon =====

NOTE: because i am using latest-nixos-plasma5-x86_64-linux.iso by default the desktop will be plasma5, so going to comment out and replace with Pantheno Desktop

Default entry:
<pre>
# Enable the X11 windowing system.
services.xserver.enable = true;

# Enable the Plasma 5 Desktop Environment.
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
</pre>

Changed to:
NOTE: '''Pantheon''' as bug, does not open from sleep if you shut laptop lid, but its easy to change desktop on NixOS, as will show later.
<pre>
# Enable the X11 windowing system.
services.xserver.enable = true;

# Enable the Pantheon Desktop Environment.
services.xserver.displayManager.lightdm.enable = true;
services.xserver.desktopManager.pantheon.enable = true;

# Enable the Plasma 5 Desktop Environment.
# services.xserver.displayManager.sddm.enable = true;
# services.xserver.desktopManager.plasma5.enable = true;
</pre>

===== Set init user =====
** Config a user account - we are using name '''noob''' feel free to change
** Note: change initial password after with <code>passwd noob</code>. SYNTAX <code>passwd USERNAME</code>
<pre>
users.users.noob = {
isNormalUser = true;
initialPassword = "CompleteNoob";
extraGroups = [ "wheel" ];
packages = with pkgs; [
mc
];
};
</pre>

======Enable auto login======

<pre>
# Enable automatic login for the user.
services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = "noob";

</pre>

=====Enable Sound=====
<pre>

# Enable sound with pipewire.
sound.enable = true;
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;

# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
#media-session.enable = true;
};
</pre>

===== Add an terminal text editor =====
note: 'vi' on its own does not work, needs to be 'vim', 'nano' is preinstalled by default with nixos
<pre>
environment.systemPackages = with pkgs; [
wget
vim
];
</pre>

======Optional if you want to ssh in after reboot======
* enable sshd
<code>
services.openssh.enable = true;
</code>

* disable firewall
<code>
networking.firewall.enable = false;
</code>

<div class="toccolours mw-collapsible mw-collapsed">
<code>/mnt/etc/nixos/configuration.nix</code> After Changes - '''TIDY VERSION'''
<div class="mw-collapsible-content">
<pre>
[noob@t470nix:~]$ cat /etc/nixos/configuration.nix
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running `nixos-help`).

{ config, pkgs, ... }:

{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];

# allow ssh no firewall
services.openssh.enable = true;
networking.firewall.enable = false;

# use grub please
boot.loader.grub.enable = true;
boot.loader.grub.devices = [ "nodev" ];
boot.loader.grub.efiInstallAsRemovable = true ;
boot.loader.grub.efiSupport = true;
boot.loader.grub.useOSProber = true;

# zfs
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.requestEncryptionCredentials = true;
## insert return from 'head -c 8 /etc/machine-id'
networking.hostId = "3333abcd";
services.zfs.autoScrub.enable = true;

networking.hostName = "t470nix";

networking.networkmanager.enable = true;

time.timeZone = "Europe/London";

# Configure keymap in X11
services.xserver = {
layout = "gb";
xkbVariant = "";
};

# Configure console keymap
console.keyMap = "uk";

# Select internationalisation properties.
i18n.defaultLocale = "en_GB.UTF-8";

i18n.extraLocaleSettings = {
LC_ADDRESS = "en_GB.UTF-8";
LC_IDENTIFICATION = "en_GB.UTF-8";
LC_MEASUREMENT = "en_GB.UTF-8";
LC_MONETARY = "en_GB.UTF-8";
LC_NAME = "en_GB.UTF-8";
LC_NUMERIC = "en_GB.UTF-8";
LC_PAPER = "en_GB.UTF-8";
LC_TELEPHONE = "en_GB.UTF-8";
LC_TIME = "en_GB.UTF-8";
};

# Enable the X11 windowing system.
services.xserver.enable = true;

# Enable the Pantheon Desktop Environment.
services.xserver.displayManager.lightdm.enable = true;
services.xserver.desktopManager.pantheon.enable = true;

# Enable the Plasma 5 Desktop Environment.
# services.xserver.displayManager.sddm.enable = true;
# services.xserver.desktopManager.plasma5.enable = true;

# This creates a user called 'noob' with the password 'CompleteNoob'

users.users.noob = {
isNormalUser = true;
initialPassword = "CompleteNoob";
extraGroups = [ "wheel" ];
packages = with pkgs; [
mc
];
};

# Enable automatic login for the user.
services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = "noob";

# Enable sound with pipewire.
sound.enable = true;
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;

# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
#media-session.enable = true;
};

environment.systemPackages = with pkgs; [
wget
vim
];

system.stateVersion = "23.11"; # Did you read the comment?

swapDevices = [ {
device = "/dev/nvme0n1p3";
randomEncryption.enable = true;
} ];

}

</pre>
</div>
</div>

== install nixos ==

To Install NixOS use '''nixos-install'''
<code>
sudo nixos-install
</code>
* will be prompted for root password after install

Once Installed, <code>reboot</code> and login

===Installing packages on NixOS===

still new on NixOS
<br><code>nix-env -i firefox</code> installs firefox.

But its best to use '''configuration.nix''' for software installs, this way if you keep a copy of your config file and nuke and pave, you can have all your apps from the get go with out having to reinstall them all one by one again.

===Reconfigure /etc/nixos/configuration.nix===

To apply changes made to <code>/etc/nixos/configuration.nix</code> you need to '''rebuild'''

* Give example on how to change back desktop to KDE

* Add package FireFox and rebuild

* After reboot (after desktop change) new passwd for noob account still changed - did not restore to CompleteNoob

Change DESKTOP

<pre>
# Enable the Pantheon Desktop Environment.
# services.xserver.displayManager.lightdm.enable = true;
# services.xserver.desktopManager.pantheon.enable = true;

# Enable the Plasma 5 Desktop Environment.
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
</pre>

====after update====
<div class="toccolours mw-collapsible mw-collapsed">
AFTER UPDATE CONFIG<div class="mw-collapsible-content">
<pre>
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running `nixos-help`).

{ config, pkgs, ... }:

{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];

# allow ssh no firewall
services.openssh.enable = true;
networking.firewall.enable = false;

# use grub please
boot.loader.grub.enable = true;
boot.loader.grub.devices = [ "nodev" ];
boot.loader.grub.efiInstallAsRemovable = true ;
boot.loader.grub.efiSupport = true;
boot.loader.grub.useOSProber = true;

# zfs
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.requestEncryptionCredentials = true;
## insert return from 'head -c 8 /etc/machine-id'
networking.hostId = "3333abcd";
services.zfs.autoScrub.enable = true;

networking.hostName = "t470nix";

networking.networkmanager.enable = true;

time.timeZone = "Europe/London";

# Configure keymap in X11
services.xserver = {
layout = "gb";
xkbVariant = "";
};

# Configure console keymap
console.keyMap = "uk";

# Select internationalisation properties.
i18n.defaultLocale = "en_GB.UTF-8";

i18n.extraLocaleSettings = {
LC_ADDRESS = "en_GB.UTF-8";
LC_IDENTIFICATION = "en_GB.UTF-8";
LC_MEASUREMENT = "en_GB.UTF-8";
LC_MONETARY = "en_GB.UTF-8";
LC_NAME = "en_GB.UTF-8";
LC_NUMERIC = "en_GB.UTF-8";
LC_PAPER = "en_GB.UTF-8";
LC_TELEPHONE = "en_GB.UTF-8";
LC_TIME = "en_GB.UTF-8";
};

# Enable the X11 windowing system.
services.xserver.enable = true;

# Enable the Pantheon Desktop Environment.
# services.xserver.displayManager.lightdm.enable = true;
# services.xserver.desktopManager.pantheon.enable = true;

# Enable the Plasma 5 Desktop Environment.
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;

# This creates a user called 'noob' with the password 'CompleteNoob'

users.users.noob = {
isNormalUser = true;
initialPassword = "CompleteNoob";
extraGroups = [ "wheel" ];
packages = with pkgs; [
mc
];
};

# Enable automatic login for the user.
services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = "noob";

# Enable sound with pipewire.
sound.enable = true;
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;

# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
#media-session.enable = true;
};

environment.systemPackages = with pkgs; [
wget
vim
firefox
];

system.stateVersion = "23.11"; # Did you read the comment?

#Swap Device setup
swapDevices = [ {
device = "/dev/nvme0n1p3";
randomEncryption.enable = true;
} ];

}

</pre>
</div>
</div>

after config can rebuild
<code>
sudo nixos-rebuild
</code>
or
<code>
sudo nixos-rebuild switch
</code>
or
<code>
sudo nixos-rebuild boot
</code>

And thats a basic install of NixOS on OpenZFS, still learning.

====Adding brave browser====

<div class="toccolours mw-collapsible mw-collapsed">
Adding brave browser
<div class="mw-collapsible-content">

<pre>
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running `nixos-help`).

{ config, pkgs, ... }:

{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];

# allow ssh no firewall
services.openssh.enable = true;
networking.firewall.enable = false;

# use grub please
boot.loader.grub.enable = true;
boot.loader.grub.devices = [ "nodev" ];
boot.loader.grub.efiInstallAsRemovable = true ;
boot.loader.grub.efiSupport = true;
boot.loader.grub.useOSProber = true;

# zfs
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.requestEncryptionCredentials = true;
## insert return from 'head -c 8 /etc/machine-id'
networking.hostId = "3333abcd";
services.zfs.autoScrub.enable = true;

networking.hostName = "t470nix";

networking.networkmanager.enable = true;

time.timeZone = "Europe/London";

# Configure keymap in X11
services.xserver = {
layout = "gb";
xkbVariant = "";
};

# Configure console keymap
console.keyMap = "uk";

# Select internationalisation properties.
i18n.defaultLocale = "en_GB.UTF-8";

i18n.extraLocaleSettings = {
LC_ADDRESS = "en_GB.UTF-8";
LC_IDENTIFICATION = "en_GB.UTF-8";
LC_MEASUREMENT = "en_GB.UTF-8";
LC_MONETARY = "en_GB.UTF-8";
LC_NAME = "en_GB.UTF-8";
LC_NUMERIC = "en_GB.UTF-8";
LC_PAPER = "en_GB.UTF-8";
LC_TELEPHONE = "en_GB.UTF-8";
LC_TIME = "en_GB.UTF-8";
};

# Enable the X11 windowing system.
services.xserver.enable = true;

# Enable the Pantheon Desktop Environment.
# services.xserver.displayManager.lightdm.enable = true;
# services.xserver.desktopManager.pantheon.enable = true;

# Enable the Plasma 5 Desktop Environment.
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;

# This creates a user called 'noob' with the password 'CompleteNoob'

users.users.noob = {
isNormalUser = true;
initialPassword = "CompleteNoob";
extraGroups = [ "wheel" ];
packages = with pkgs; [
mc
];
};

# Enable automatic login for the user.
services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = "noob";

# Enable sound with pipewire.
sound.enable = true;
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;

# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
#media-session.enable = true;
};

environment.systemPackages = with pkgs; [
wget
vim
firefox
brave
];

# use this to prevent brave from opening kwallet all the time
nixpkgs.config.overlays = [
(self: super: {
brave = super.brave.override {
commandLineArgs =
"--password-store=basic";
};
})
];

system.stateVersion = "23.11"; # Did you read the comment?

#Swap Device setup
swapDevices = [ {
device = "/dev/nvme0n1p3";
randomEncryption.enable = true;
} ];

}

</pre>

<code>sudo nixos-rebuild switch</code>

</div>
</div>

==HatTips==

* Chris McDonough - https://www.youtube.com/watch?v=CboOUrkIZ2k&t=5s

User talk:Test1

2024-04-25T08:42:38Z

Noob: Welcome!

User:Test1

2024-04-25T08:42:38Z

Noob: Creating user page for new user.

I am not a bot please let me in

DEMONSTRATE-MIT Introduction to Computer Science and Programming in Python 6.0001 Fall 2016 Undergraduate

2023-12-03T18:32:47Z

Noob:

{{:LICENCE_HEADER_CC_BY-NC-SA_4.0}}


<b>
NOTE: This page is for demonstration purposes Only, and is not meant to be hosted on CompleteNoobs.com which is not intended to contain CC_BY-NC-SA Licensed Content.
<br>
This page is CC_BY-NC-SA It is intended for a fork of "CompleteNoobs.com" called "CompleteNoobz.com"
<br>
CompleteNoobz.com is a noncommercial mirror of CompleteNoobs.com Which can pullin CC_BY-NC-SA Licensed Content
<br>
This page is quickly put together to test and demonstrate hosting heavy data content on IPFS.
<br>
It is a first draft (UNFINISHED) and required many more Reiterations, This content is first draft concept demonstration content.
</b>

==Course Information==
===Source===
https://ocw.mit.edu/MIT OPEN COURSEWARE - MASSACHUSETTS INSTITUTE OF TECHNOLOGY.<br>
Donations to support MIT Open Courseware <code>https://giving.mit.edu/give/to/ocw/</code><br>
<br>
https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/download/<br>
https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/pages/assignments/<br>
https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/resources/lecture-videos/<br>

==Syllabus==
<div class="toccolours mw-collapsible mw-collapsed">
Syllabus
<div class="mw-collapsible-content">

===Course Meeting Times===

Lectures: 2 sessions / week, 1 hour / session

Recitations: 1 sessions / week, 1 hour / session

===Course Information===

6.0001 Introduction to Computer Science and Programming in Python is intended for students with little or no programming experience. It aims to provide students with an understanding of the role computation can play in solving problems and to help students, regardless of their major, feel justifiably confident of their ability to write small programs that allow them to accomplish useful goals. The class will use the Python 3.5 programming language.

This is a half-semester course. Students who successfully complete 6.0001 may continue into 6.0002 Introduction to Computational Thinking and Data Science, which is taught in the second half of the semester.

===Goals===

*Provide an understanding of the role computation can play in solving problems.
*Help students, including those who do not plan to major in Computer Science and Electrical Engineering, feel confident of their ability to write small programs that allow them to accomplish useful goals.
*Position students so that they can compete for research projects and excel in subjects with programming components.

===Textbook===

The textbook is Buy at MIT Press Guttag, John. Introduction to Computation and Programming Using Python: With Application to Understanding Data Second Edition. MIT Press, 2016. ISBN: 9780262529624. The book and the course lectures parallel each other, though there is more detail in the book about some topics. It is available both in hard copy and as an e-book.

===Lecture and Recitation Attendance===

A significant portion of the material for this course will presented only in lecture, so students are expected to regularly attend lectures.

Recitations give students a chance to ask questions about the lecture material or the problem set for the given week. Sometimes, new material may be covered in recitation. Recitation attendance is encouraged but not required.

===Problem Sets and Quizzes===

Each problem set will involve programming in Python. There will be 6 problem sets in the course. There will be two quizzes. All quizzes will be closed-book, though you will be allowed to bring one page of notes to the first quiz and two pages of notes to the second quiz. Pages must be letter-sized, double-sided, either handwritten or typed.

===Grading Policy===

{| class="wikitable"
|+ Grades will be roughly computed as follows:
|-
|ACTIVITIES
|PERCENTAGES
|-
|Problem sets
|30%
|-
|Completion of mandatory finger exercises
|10%
|-
|Midterm Quiz
|20%
|-
|Final Quiz
|40%
|}

Problem sets will be graded out of 10 points. Submissions that do not run will receive at most 20% of the points. Please contact your Teaching Assistant if you have a problem understanding your problem set grade.

Note: Quizzes and finger exercises are not available on OpenCourseWare.

===Extension and Dropping Problem Sets Policy===
We do not grant any extensions. Instead, we offer late days and the option of rolling at most 2 problem set grades into the final quiz score.

===Late Days===

At the beginning of the term, students are given two late days that they can use on problem sets. Starting with Problem Set 1, additional late days can be accumulated for each assignment, one late day for each day the assignment is turned in ahead of the deadline. Up to three late days may be accumulated in this fashion in this course, i.e you can only have a maximum of 3 late days at any point in time. Late days are discrete (a student cannot use half a late day). The staff will keep track of late days and feedback for each problem set will include the number of late days the student has remaining. Any additional late work beyond these late days will not be accepted. To avoid surprises, we suggest that after you submit your problem set, you double check to make sure the submission was uploaded correctly.

===Rolling Over Problem Sets===

Before the final quiz, we will send out an announcement in which you can choose at most 2 problem sets that you can drop. If dropped, the percent that the problem sets are worth will be rolled into the final quiz score. We strongly urge you to see the late days and dropping the problem sets as backup in case of an emergency. Your best strategy is to do the problem sets early before work starts to pile up.

===Calendar===

{| class="wikitable"
|+ Calendar
|-
|SES #
|TOPICS
|ASSIGNMENTS
|-
|1
|What is computation?
|Pset 0 released
|-
|2
|Branching and Iteration
|Pset 1 released
|-
|3
|String Manipulation, Guess and Check, Approximations, Bisection
|Pset 0 due
|-
|4
|Decomposition, Abstractions, Functions
|Pset 2 released
|-
|5
|Tuples, Lists, Aliasing, Mutability, Cloning
|Pset 1 due
|-
|6
|Recursion, Dictionaries
|Pset 3 released
|-
|7
|Testing, Debugging, Exceptions, Assertions
|Pset 2 due; Quiz 1
|-
|8
|Object Oriented Programming
|
|-
|9
|Python Classes and Inheritance
|Pset 3 due; Pset 4 released
|-
|10
|Understanding Program Efficiency, Part 1
|Pset 4 due; Pset 5 released
|-
|11
|Understanding Program Efficiency, Part 2
|
|-
|12
|Searching and Sorting
|Pset 5 due; Final Quiz
|}

</div>
</div>

==Course Materials==

===Downloading Using IPFS===
<code>https://github.com/ipfs/ipfs-desktop/releases</code><br>
[[IPFS_Basics|PFS Basics]]

===Software===
This class is using python3 IDE <b>spyder</b> which is in Anaconda3<br>
https://www.anaconda.com/<br>
How to install is on Problem Set 0<br>

===MIT6_0001F16_Style Guide===
Source:https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/resources/mit6_0001f16_styleguide/<br>
IPFS:<code>QmUmtyNpSLr2fXwGY1gL2hNnpwbYe8Y7CP2rPwjSNXasxJ</code><br>

==Problem Set 0==
Source:https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/resources/ps0/<br>
IPFS:<code>QmRWpBvwUNiFRjSvgLjRoiCNXQBBL2aLg55PVfGWw7S1ns</code><br>

==Lecture 1: What is Computation?==

{{#evu:https://www.youtube.com/watch?v=4-CmQesbQvw
|alignment=inline
}}
<br>
Source:https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/resources/lecture-1-what-is-computation/<br>
IPFS:<code>QmaTdTMxWdz6ySLbx258zQU5McpJTo4ZEVJ63GSKmVEyeM</code><br>

===Glossary===
<div class="toccolours mw-collapsible mw-collapsed">
Glossary for lecture with timestamps:
<div class="mw-collapsible-content">
Time: data<br>
2:10 pset = problem set<br>
12:18 [[Square_root]]<br>
</div>
</div>

===Video transcript===

<div class="toccolours mw-collapsible mw-collapsed">
Video transcript
<div class="mw-collapsible-content">

<pre>
The following content is provided under a Creative
0:03Commons license.
0:04Your support will help MIT OpenCourseWare
0:07continue to offer high-quality, educational resources for free.
0:11To make a donation, or view additional materials
0:13from hundreds of MIT courses, visit MIT OpenCourseWare
0:17at ocw.mit.edu.
0:29ANA BELL: All right.
0:30Let's begin.
0:33As I mentioned before, this lecture
0:35will be recorded for OCW.
0:37Again, in future lectures, if you
0:39don't want to have the back of your head show up,
0:41just don't sit in this front area here.
0:44First of all, wow, what a crowd, you guys.
0:46We're finally in 26-100.
0:486.0001 made it big, huh?
0:52Good afternoon and welcome to the very first class of 6.0001,
0:55and also 600, this semester.
0:58My name is Ana Bell.
1:00First name, Ana.
1:01Last name, Bell.
1:03I'm a lecturer in the EECS Department.
1:06And I'll be giving some of the lectures for today,
1:08along with later on in the term, Professor Eric Grimson, who's
1:13sitting right down there, will be giving some of the lectures,
1:15as well.
1:17Today we're going to go over some basic administrivia,
1:21a little bit of course information.
1:23And then, we're going to talk a little bit
1:24about what is computation?
1:26We'll discuss at a very high level
1:27what computers do just to make sure we're all
1:29on the same page.
1:31And then, we're going to dive right into Python basics.
1:34We're going to talk a little bit about mathematical operations
1:36you can do with Python.
1:38And then, we're going to talk about Python variables
1:40and types.
1:42As I mentioned in my introductory email, all
1:43the slides and code that I'll talk about during lectures
1:46will be up before lecture, so I highly
1:48encourage you to download them and to have them open.
1:52We're going to go through some in-class exercises which will
1:56be available on those slides.
1:57And it's fun to do.
1:59And it's also great if could take notes about the code just
2:07for future reference.
2:09It's true.
2:10This is a really fast-paced course,
2:12and we ramp up really quickly.
2:14We do want to position you to succeed in this course.
2:17As I was writing this, I was trying
2:19to think about when I was first starting
2:21to program what helped me get through my very
2:24first programming course.
2:26And this is really a good list.
2:29The first thing was I just read the psets as soon
2:31as they came out, made sure that the terminology just sunk in.
2:37And then, during lectures, if the lecturer
2:39was talking about something that suddenly I remembered,
2:42oh, I saw that word in the pset and I didn't know what it was.
2:45Well, hey, now I know what it is.
2:46Right?
2:47So just give it a read.
2:48You don't need to start it.
2:51If you're new to programming, I think the key word is practice.
2:55It's like math or reading.
2:57The more you practice, the better you get at it.
3:00You're not going to absorb programming
3:01by watching me write programs because I already know how
3:04to program.
3:05You guys need to practice.
3:07Download the code before lecture.
3:09Follow along.
3:10Whatever I type, you guys can type.
3:12And I think, also, one of the big things
3:14is if you're new to programming, you're
3:16kind of afraid that you're going to break your computer.
3:19And you can't really do that just by running Anaconda
3:24and typing in some commands.
3:26So don't be afraid to just type some stuff in
3:28and see what it does.
3:29Worst case, you just restart the computer.
3:35Yeah.
3:36That's probably the big thing right there.
3:38I should have probably highlighted it,
3:39but don't be afraid.
3:40Great.
3:41So this is pretty much a roadmap of all of 6.0001 or 600
3:46as I've just explained it.
3:47There's three big things we want to get out of this course.
3:51The first thing is the knowledge of concepts,
3:54which is pretty much true of any class that you'll take.
3:56The class will teach you something through lectures.
3:59Exams will test how much you know.
4:02This is a class in programming.
4:05The other thing we want you to get out of it
4:08is programming skills.
4:10And the last thing, and I think this
4:12is what makes this class really great,
4:13is we teach you how to solve problems.
4:16And we do that through the psets.
4:18That's really how I feel the roadmap of this course
4:21looks like.
4:22And underlying all of these is just practice.
4:25You have to just type some stuff away and code a lot.
4:29And you'll succeed in this course, I think.
4:33OK.
4:35So what are the things we're going to learn in this class?
4:38I feel like the things we're going learn in this class
4:41can be divided into basically three different sections.
4:44The first one is related to these first two items here.
4:50It's really about learning how to program.
4:53Learning how to program, part of it
4:55is figuring out what objects to create.
4:58You'll learn about these later.
5:00How do you represent knowledge with data structures?
5:02That's sort of the broad term for that.
5:04And then, as you're writing programs,
5:06you need to-- programs aren't just linear.
5:08Sometimes programs jump around.
5:10They make decisions.
5:11There's some control flow to programs.
5:13That's what the second line is going to be about.
5:18The second big part of this course
5:20is a little bit more abstract, and it
5:24deals with how do you write good code, good style,
5:29code that's readable.
5:30When you write code, you want to write it such
5:33that-- you're in big company, other people will read it,
5:35other people will use it, so it has
5:37to be readable and understandable by others.
5:40To that end, you need to write code
5:41that's well organized, modular, easy to understand.
5:48And not only that, not only will your code
5:50be read by other people, but next year, maybe,
5:53you'll take another course, and you'll
5:55want to look back at some of the problems
5:56that you wrote in this class.
5:58You want to be able to reread your code.
6:00If it's a big mess, you might not be able to understand--
6:03or reunderstand-- what you were doing.
6:06So writing readable code and organizing code
6:08is also a big part.
6:10And the last section is going to deal with-- the first two
6:15are actually part of the programming in Introduction
6:19to Programming and Computer Science in Python.
6:21And the last one deals mostly with the computer science part
6:26in Introduction to Programming and Computer Science in Python.
6:29We're going to talk about, once you have learned
6:31how to write programs in Python, how do
6:33you compare programs in Python?
6:35How do you know that one program is better than the other?
6:38How do you know that one program is
6:39more efficient than the other?
6:41How do you know that one algorithm
6:42is better than the other?
6:45That's what we're going to talk about in the last part
6:47of the course.
6:48OK.
6:50That's all for the administrative part
6:52of the course.
6:54Let's start by talking at a high level what does a computer do.
6:59Fundamentally, it does two things.
7:03One, performs calculations.
7:05It performs a lot of calculations.
7:07Computers these days are really, really fast,
7:09a billion calculations per second is probably not far off.
7:15It performs these calculations and it
7:16has to store them somewhere.
7:18Right?
7:19Stores them in computer memory.
7:21So a computer also has to remember results.
7:24And these days, it's not uncommon to find computers
7:26with hundreds of gigabytes of storage.
7:30The kinds of calculations that computers do,
7:34there are two kinds.
7:35One are calculations that are built into the language.
7:37These are the very low level types
7:39of calculations, things like addition,
7:41subtraction, multiplication, and so on.
7:45And once you have a language that
7:47has these primitive calculation types, you, as a programmer,
7:53can put these types together and then define
7:55your own calculations.
7:57You can create new types of calculations.
8:00And the computer will be able to perform those, as well.
8:04I think, one thing I want to stress--
8:07and we're going to come back to this
8:09again during this entire lecture, actually--
8:12is computers only know what you tell them.
8:15Computers only do what you tell them to do.
8:18They're not magical.
8:19They don't have a mind.
8:22They just know how to perform calculations really,
8:24really quickly.
8:26But you have to tell them what calculations to do.
8:32Computers don't know anything.
8:34All right.
8:35We've come to that.
8:40Let's go into the types of knowledge.
8:44The first type of knowledge is declarative knowledge.
8:48And those are things like statements of fact.
8:50And this is where my email came into play.
8:53If you read it all the way to the bottom,
8:55you would have entered a raffle.
8:57So a statement of fact for today's lecture
8:59is, someone will win a prize before class ends.
9:03And the prize was a Google Cardboard.
9:06Google state-of-the-art virtual reality glasses.
9:09And I have them right here.
9:14Yea.
9:15I delivered on my promise.
9:18That's a statement of fact.
9:20So pretend I'm a machine.
9:22OK?
9:23I don't know anything except what you tell me.
9:26I don't know.
9:28I know that you tell me this statement.
9:30I'm like, OK.
9:31But how is someone going to win a Google Cardboard
9:33before class ends, right?
9:35That's where imperative knowledge comes in.
9:37Imperative knowledge is the recipe, or the how-to,
9:39or the sequence of steps.
9:42Sorry.
9:43That's just my funny for that one.
9:47So the sequence of steps is imperative knowledge.
9:53If I'm a machine, you need to tell me
9:57how someone will win a Google Cardboard before class.
10:00If I follow these steps, then technically,
10:02I should reach a conclusion.
10:06Step one, I think we've already done that.
10:08Whoever wanted to sign up has signed up.
10:11Now I'm going to open my IDE.
10:13I'm just basically being a machine
10:14and following the steps that you've told me.
10:17The IDE that we're using in this class is called Anaconda.
10:21I'm just scrolling down to the bottom.
10:25Hopefully, you've installed it in problem set zero.
10:28I've opened my IDE.
10:30I'm going to follow the next set of instructions.
10:34I'm going to choose a random number between the first
10:36and the nth responder.
10:39Now, I'm going to actually use Python to do this .
10:42And this is also an example of how just
10:44a really simple task in your life,
10:46you can use computers or programming to do that.
10:48Because if I chose a random number,
10:50I might be biased because, for example,
10:51I might like the number 8.
10:53To choose a random number, I'm going to go and say, OK,
10:57where's the list of responders?
10:58It starts at 15.
10:59Actually, it starts at 16 because that's me.
11:03We're going to choose a random number between 16
11:05and the end person 266.
11:09Oh, we just got-- oh.
11:11OK.
11:13OK.
11:13I'm going to cut it off right here.
11:15271.
11:15OK.
11:1616 and 271.
11:18Perfect.
11:19OK.
11:20I'm going to choose a random number.
11:21I'm going to go to my IDE.
11:22And you don't need to know how to do this yet,
11:24but by the end of this class, you will.
11:26I'm just going to use Python.
11:29I'm just going to get the random number package that's going
11:31to give me a random number.
11:32I'm going to say random.randint.
11:35And I'm going to choose a random number between 16 and 272,
11:40OK.
11:4175.
11:42OK.
11:43Great.
11:44I chose a random number.
11:45And I'm going to find the number in the responder's sheet.
11:48What was the number again?
11:49Sorry.
11:5175.
11:52OK.
11:54Up we go.
11:56There we go.
11:57Lauren Z-O-V. Yeah.
12:01Nice.
12:02You're here.
12:14Awesome.
12:16All right.
12:17That's an example of me being a machine and also,
12:21at the same time, using Python in my everyday life,
12:23just lecturing, to find a random number.
12:28Try to use Python wherever you can.
12:30And that just gives you practice.
12:34That was fun.
12:35But we're at MIT.
12:37We're MIT students.
12:39And we love numbers here at MIT.
12:41Here's a numerical example that shows
12:44the difference between declarative and imperative
12:46knowledge.
12:50An example of declarative knowledge
12:51is the square root of a number x is y such that y times y
12:54is equal to x.
12:57That's just a statement of fact It's true.
13:02Computers don't know what to do with that.
13:05They don't know what to do with that statement.
13:07But computers do know how to follow a recipe.
13:11Here's a well-known algorithm.
13:13To find the square root of a number x,
13:16let's say x is originally 16, if a computer follows
13:23this algorithm, it's going to start with a guess, g,
13:26let's say, 3.
13:28We're trying to find the square root of 16.
13:30We're going to calculate g times g is 9.
13:34And we're going to ask is if g times g
13:36is close enough to x, then stop and say, g is the answer.
13:39I'm not really happy with 9 being really close to 16.
13:42So I'm going to say, I'm not stopping here.
13:44I'm going to keep going.
13:47If it's not close enough, then I'm
13:48going to make a new guess by averaging g and x over g.
13:52That's x over g here.
13:54And that's the average over there.
13:57And the new average is going to be my new guess.
14:04And that's what it says.
14:05And then, the last step is using the new guess,
14:07repeat the process.
14:08Then we go back to the beginning and repeat the whole process
14:11over and over again.
14:13And that's what the rest of the rows do.
14:15And you keep doing this until you decide
14:16that you're close enough.
14:23What we saw for the imperative knowledge
14:25in the previous numerical example
14:26was the recipe for how to find the square root of x.
14:31What were the three parts of the recipe?
14:33One was a simple sequence of steps.
14:36There were four steps.
14:39The other was a flow of control, so there were
14:42parts where we made decisions.
14:45Are we close enough?
14:46There were parts where we repeated some steps.
14:49At the end, we said, repeat steps 1, 2, 3.
14:52That's the flow of control.
14:55And the last part of the recipe was a way to stop.
14:58You don't want a program that keeps going and going.
15:00Or for a recipe, you don't want to keep baking bread forever.
15:03You want to stop at some point.
15:05Like 10 breads is enough, right?
15:07So you have to have a way of stopping.
15:10In the previous example, the way of stopping
15:12was that we decided we were close enough.
15:15Close enough was maybe being within .01, .001,
15:20whatever you pick.
15:23This recipe is there for an algorithm.
15:26In computer science speak, it's going to be an algorithm.
15:29And that's what we're going to learn about in this class.
15:34We're dealing with computers.
15:35And we actually want to capture a recipe
15:37inside a computer, a computer being a mechanical process.
15:49Historically, there were two different types of computers.
15:55Originally, there were these things
15:57called fixed-program computers.
15:59And I'm old enough to have used something
16:02like this, where there's just numbers and plus, minus,
16:06multiplication, divide, and equal.
16:08But calculators these days are a lot more complicated.
16:11But way back then, an example of a fixed-program computer
16:15is this calculator.
16:16It only knows how to do addition, multiplication,
16:19subtraction, division.
16:20If you want to plot something, you can't.
16:22If you want to go on the internet, send email with it,
16:27you can't.
16:27It can only do this one thing.
16:31And if you wanted to create a machine that did another thing,
16:33then you'd have to create another fixed-program computer
16:37that did a completely separate test.
16:39That's not very great.
16:41That's when stored-program computers came into play.
16:45And these were machines that could store
16:47a sequence of instructions.
16:50And these machines could execute the sequence of instructions.
16:54And you could change the sequence of instructions
16:56and execute this different sequence of instructions.
17:00You could do different tasks in the same machine.
17:03And that's the computer as we know it these days.
17:07The central processing unit is where all of these decisions
17:11get made.
17:11And these are all the peripherals.
17:16The basic machine architecture-- at the heart of every computer
17:20there's just this basic architecture--
17:25and it contains, I guess, four main parts.
17:28The first is the memory.
17:31Input and output is the other one.
17:34The ALU is where all of the operations are done.
17:39And the operations that the ALU can do
17:41are really primitive operations, addition, subtraction,
17:44and so on.
17:46What the memory contains is a bunch of data
17:52and your sequence of instructions.
18:00Interacting with the Arithmetic Logic Unit is the Control Unit.
18:03And the Control Unit contains one program counter.
18:07When you load a sequence of instructions,
18:09the program counter starts at the first sequence.
18:15It starts at the sequence, at the first instruction.
18:18It gets what the instruction is, and it sends it to the ALU.
18:22The ALU asks, what are we doing operations on here?
18:25What's happening?
18:27It might get some data.
18:29If you're adding two numbers, it might get two numbers
18:31from memory.
18:33It might do some operations.
18:34And it might store data back into memory.
18:37And after it's done, the ALU is going to go back,
18:41and the program counter is going to increase
18:43by 1, which means that we're going
18:45to go to the next sequence in the instruction set.
18:50And it just goes linearly, instruction by instruction.
18:53There might be one particular instruction
18:56that does some sort of test.
18:58It's going to say, is this particular value
19:07greater or equal to or the same as this other particular value?
19:11That's a test, an example of a test.
19:13And the test is going to either return true or false.
19:17And depending on the result of that test,
19:20you might either go to the next instruction,
19:24or you might set the program counter
19:26to go all the way back to the beginning, and so on.
19:29You're not just linearly stepping
19:32through all the instructions.
19:33There might be some control flow involved,
19:35where you might skip an instruction,
19:36or start from the beginning, or so on.
19:39And after you're done, when you finished
19:42executing the last instruction, then you
19:44might output something.
19:47That's really the basic way that a computer works.
19:53Just to recap, you have the stored program computer
19:55that contains these sequences of instructions.
19:59The primitive operations that it can do
20:00are addition, subtraction, logic operations, tests--
20:06which are something equal to something else, something
20:08less than, and so on-- and moving data,
20:10so storing data, moving data around, and things like that.
20:14And the interpreter goes through every instruction
20:19and decides whether you're going to go to the next instruction,
20:22skip instructions, or repeat instructions, and so on.
20:28So we've talked about primitives.
20:30And in fact, Alan Turing, who was a really great computer
20:35scientist, he showed that you can compute anything
20:37using the six primitives.
20:38And the six primitives are move left, move right, read, write,
20:46scan, and do nothing.
20:49Using those six instructions and the piece of tape,
20:54he showed that you can compute anything.
20:57And using those six instructions,
21:00programming languages came about that
21:03created a more convenient set of primitives.
21:05You don't have to program in only these six commands.
21:11And one interesting thing, or one really important thing,
21:16that came about from these six primitives
21:19is that if you can compute something in Python,
21:22let's say-- if you write a program that computes something
21:25in Python, then, in theory, you can
21:28write a program that computes the exact same thing
21:31in any other language.
21:32And that's a really powerful statement.
21:36Think about that today when you review your slides.
21:39Think about that again.
21:40That's really powerful.
21:45Once you have your set of primitives
21:49for a particular language, you can start creating expressions.
21:53And these expressions are going to be
21:55combinations of the primitives in the programming language.
22:00And the expressions are going to have some value.
22:02And they're going up some meaning in the programming
22:05language.
22:08Let's do a little bit of a parallel with English
22:10just so you see what I mean.
22:14In English, the primitive constructs
22:15are going to be words.
22:17There's a lot of words in the English language.
22:19Programming languages-- in Python, there are primitives,
22:23but there aren't as many of them.
22:25There are floats, Booleans, these
22:28are numbers, strings, and simple operators,
22:31like addition, subtraction, and so on.
22:35So we have primitive constructs.
22:38Using these primitive constructs,
22:39we can start creating, in English, phrases, sentences,
22:48and the same in programming languages.
22:49In English, we can say something like, "cat, dog, boy.
22:54That, we say, is not syntactically valid.
22:58That's bad syntax.
23:00That's noun, noun, noun.
23:01That doesn't make sense.
23:05What does have good syntax in English is noun, verb, noun.
23:08So, "cat, hugs boy" is syntactically valid.
23:12Similarly, in a programming language,
23:14something like this-- in Python, in this case-- a word
23:18and then the number five doesn't really make sense.
23:20It's not syntactically valid.
23:22But something like operator, operand, operator is OK.
23:28So once you've created these phrases, or these expressions,
23:34that are syntactically valid, you
23:37have to think about the static semantics of your phrase,
23:41or of your expression.
23:45For example, in English, "I are hungry" is good syntax.
23:51But it's weird to say.
23:55We have a pronoun, a verb, and an adjective, which
23:58doesn't really make sense.
23:59"I am hungry" is better.
24:03This does not have good static semantics.
24:07Similarly, in programming languages--
24:09and you'll get the hang of this the more
24:11you do it-- something like this, "3.2 times 5, is OK.
24:15But what does it mean?
24:17What's the meaning to have a word added to a number?
24:22There's no meaning behind that.
24:25Its syntax is OK, because you have
24:28operator, operand, operator.
24:30But it doesn't really make sense to add a number to a word,
24:32for example.
24:36Once you have created these expressions that
24:39are syntactically correct and static, semantically correct,
24:44in English, for example, you think about the semantics.
24:48What's the meaning of the phrase?
24:50In English, you can actually have more than one
24:52meaning to an entire phrase.
24:56In this case, "flying planes can be dangerous"
25:01can have two meanings.
25:02It's the act of flying a plane is dangerous,
25:04or the plane that is in the air is dangerous.
25:08And this might be a cuter example.
25:10"This reading lamp hasn't uttered a word
25:12since I bought it.
25:13What's going on?"
25:15So that has two meanings.
25:16It's playing on the word "reading lamp."
25:21That's in English.
25:21In English, you can have a sentence
25:23that has more than one meaning, that's
25:25syntactically correct and static, semantically correct.
25:28But in programming languages, the program that you write,
25:31the set of instructions that you write, only has one meaning.
25:34Remember, we're coming back to the fact
25:35that the computer only does what you tell it to do.
25:40It's not going to suddenly decide
25:42to add another variable for some reason.
25:46It's just going to execute whatever statements you've
25:49put up.
25:50In programming languages, there's only one meaning.
25:52But the problem that comes into play in programming languages
25:58is it's not the meaning that you might have
25:59intended, as the programmer.
26:03That's where things can go wrong.
26:05And there's going to be a lecture
26:07on debugging a little bit later in the course.
26:10But this is here just to tell you
26:12that if you see an error pop up in your program,
26:16it's just some text that says, error.
26:21For example, if we do something like this,
26:28this is syntactically correct.
26:30Incorrect.
26:31Syntactically incorrect.
26:32See?
26:32There's some angry text right here.
26:36What is going on?
26:37The more you program, the more you'll
26:39get the hang of reading these errors.
26:41But this is basically telling me the line
26:43that I wrote is syntactically incorrect.
26:45And it's pointing to the exact line and says, this is wrong,
26:49so I can go back and fix it as a programmer.
26:55Syntax errors are actually really easily caught by Python.
27:00That was an example of a syntax error.
27:02Static semantic errors can also be
27:04caught by Python as long as, if your program has some decisions
27:09to make, as long as you've gone down the branch where
27:13the static semantic error happens.
27:18And this is probably going to be the most frustrating one,
27:22especially as you're starting out.
27:23The program might do something different than what
27:25you expected it to do.
27:27And that's not because the program suddenly-- for example,
27:32you expected the program to give you an output of 0
27:34for a certain test case, and the output that you got was 10.
27:37Well, the program didn't suddenly
27:39decide to change its answer to 10.
27:42It just executed the program that you wrote.
27:48That's the case where the program gave you
27:50a different answer than expected.
27:53Programs might crash, which means they stop running.
27:55That's OK.
27:57Just go back to your code and figure out what was wrong.
28:00And another example of a different meaning
28:03than what you intended was maybe the program won't stop.
28:06It's also OK.
28:07There are ways to stop it besides restarting
28:10the computer.
28:12So then Python programs are going
28:17to be sequences of definitions and commands.
28:20We're going to have expressions that are going to be evaluated
28:25and commands that tell the interpreter to do something.
28:33If you've done problem set 0, you'll
28:35see that you can type commands directly
28:37in the shell here, which is the part on the right where
28:40I did some really simple things, 2 plus 4.
28:44Or you can type commands up in here, on the left-hand side,
28:49and then run your program.
28:52Notice that, well, we'll talk about this-- I
28:54won't talk about this now.
28:55But these are-- on the right-hand side, typically,
28:59you write very simple commands just if you're
29:01testing something out.
29:03And on the left-hand side here in the editor,
29:04you write more lines and more complicated programs.
29:15Now we're going to start talking about Python.
29:18And in Python, we're going to come back to this,
29:20everything is an object.
29:23And Python programs manipulate these data objects.
29:27All objects in Python are going to have a type.
29:30And the type is going to tell Python the kinds of operations
29:34that you can do on these objects.
29:37If an object is the number five, for example,
29:39you can add the number to another number,
29:42subtract the number, take it to the power of something,
29:45and so on.
29:47As a more general example, for example, I am a human.
29:51So that's my type.
29:52And I can walk, speak English, et cetera.
29:55Chewbacca is going to be a type Wookie.
29:59He can walk, do that sound that I can't do.
30:02He can do that, but I can't.
30:04I'm not even going to try, and so on.
30:09Once you have these Python objects,
30:11everything is an object in Python.
30:14There are actually two types of objects.
30:16One are scalar objects.
30:18That means these are very basic objects in Python from which
30:21everything can be made.
30:24These are scalar objects.
30:26That can't be subdivided.
30:28The other type of object is a non-scalar object.
30:31And these are objects that have some internal structure.
30:33For example, the number five is a scalar
30:36object because it can't be subdivided.
30:39But a list of numbers, for example, 5, 6,
30:417,8, is going to be a non-scalar object
30:45because you can subdivide it.
30:46You can subdivide it into-- you can find parts to it.
30:53It's made up of a sequence of numbers.
30:58Here's the list of all of the scalar objects in Python.
31:01We have integers, for example, all of the whole numbers.
31:05Floats, which are all of the real numbers, anything
31:10with a decimal.
31:11Bools are Booleans.
31:13There's only two values to Booleans.
31:16That's True and False.
31:18Note the capitalization, capital T and capital F.
31:23And this other thing called NoneType.
31:24It's special.
31:26It has only one value called None.
31:28And it represents the absence of a type.
31:30And it sometimes comes in handy for some programs.
31:34If you want to find the type of an object,
31:36you can use this special command called type.
31:39And then in the parentheses, you put down
31:41what you want to find the type of.
31:44You can write into the shell "type of 5,"
31:47and the shell will tell you, that's an integer.
31:52If you happen to want to convert between two different types,
31:56Python allows you to do that.
31:58And to do that, you put the type that you
32:01want to convert to right before the object
32:03that you want to convert to.
32:05So float(3) will convert the integer 3 to the float 3.0.
32:12And similarly, you can convert any float into an integer.
32:16And converting to an integer just truncates.
32:20It just takes away the decimal and whatever's
32:22after it-- it does not round-- and keeps just the integer
32:26part.
32:30For this slide, I'm going to talk about it.
32:31But if you'd like if you have the slides up,
32:35go to go to this exercise.
32:37And after I'm done talking about the slide,
32:41we'll see what people think for that exercise.
32:45One of the most important things that you
32:47can do in basically any programming,
32:51in Python also, is to print things out.
32:55Printing out is how you interact with the user.
33:00To print things out, you use the print command.
33:04If you're in the shell, if you simply type "3 plus 2,"
33:07you do see a value here.
33:09Five, right?
33:11But that's not actually printing something out.
33:13And that becomes apparent when you actually
33:18type things into the editor.
33:19If you just do "3 plus 2," and you run the program-- that's
33:23the green button here-- you see on the right-hand side here,
33:26it ran my program.
33:27But it didn't actually print anything.
33:30If you type this into the console,
33:32it does show you this value, but that's
33:33just like peeking into the value for you as a programmer.
33:39It's not actually printing it out to anyone.
33:41If you want to print something out,
33:42you have to use the print statement like that.
33:47In this case, this is actually going to print this number
33:50five to the console.
33:58That's basically what it says.
33:59It just tells you it's an interaction within the shell
34:01only.
34:02It's not interacting with anyone else.
34:04And if you don't have any "Out," that
34:06means it got printed out to the console.
34:09All right.
34:09We talked a little bit about objects.
34:13Once you have objects, you can combine objects and operators
34:16to form these expressions.
34:17And each expression is going to have a value.
34:19So an expression evaluates to a value.
34:22The syntax for an expression is going
34:24to be object, operator, object, like that.
34:30And these are some operators you can do on ints and floats.
34:34There's the typical ones, addition, subtraction,
34:36multiplication, and division.
34:38If, for the first three, the answer
34:43that you get-- the type of the answer that you get--
34:45is going to depend on the type of your variables.
34:48If both of the variables of the operands are integers,
34:52then the result you're going to get is of type integer.
34:55But if at least one of them is a float, then
34:56the result you're going to get is a float.
34:58Division is a little bit special in that
35:02no matter what the operands are, the result
35:04is always going to be a float.
35:09The other operations you can do, and these are also useful,
35:14are the remainder, so the percent sign.
35:19If you use the percent sign between two operands,
35:22that's going to give you the remainder when you divide i
35:25by j.
35:28And raising something to the power of something else
35:30is using the star star operator.
35:32And i star stars j is going to take i to the power of j.
35:41These operations have the typical precedence
35:43that you might expect in math, for example.
35:47And if you'd like to put precedence
35:49toward some other operations, you
35:50can use parentheses to do that.
36:01All right.
36:03So we have ways of creating expressions.
36:07And we have operations we can do on objects.
36:13But what's going to be useful is to be able to save values
36:19to some name.
36:21And the name is going to be something that you pick.
36:24And it should be a descriptive name.
36:27And when you save the value to a name,
36:32you're going to be able to access that value later
36:36on in your program.
36:37And that's very useful.
36:40To save a value to a variable name, you use the equal sign.
36:49And the equal sign is an assignment.
36:51It assigns the right-hand side, which
36:53is a value, to the left-hand side, which
36:55is going to be a variable name.
36:59In this case, I assigned the float 3.14159
37:03to the variable pi.
37:05And in the second line, I'm going
37:08to take this expression, 22 divided by 7,
37:10I'm going to evaluate it.
37:13It's going to come up with some decimal number.
37:16And I'm going to save it into the variable pi_approx.
37:19values are stored in memory.
37:21And this assignment in Python, we
37:22say the assignment binds the name to the value.
37:26When you use that name later on in your program,
37:30you're going to be referring to the value in memory.
37:35And if you ever want to refer to the value
37:37later on in your code, you just simply type
37:39the name of the variable that you've assigned it to.
37:44So why do we want to give names to expressions?
37:48Well, you want to reuse the names instead of the values.
37:51And it makes your code look a lot nicer.
37:54This is a piece of code that calculates
37:56the area of a circle.
37:59And notice, I've assigned a variable pi to 3.14159.
38:03I've assigned another variable called radius to be 2.2.
38:07And then, later on in my code, I have another line
38:09that says area-- this is another variable-- is
38:12equal to-- this is an assignment--
38:15to this expression.
38:17And this expression is referring to these variable names, pi
38:23and radius.
38:24And it's going look up their values in memory.
38:26And it's going to replace these variable names
38:29with those values.
38:30And it's going to do the calculation for me.
38:32And in the end, this whole expression
38:34is going to be replaced by one number.
38:36And it's going to be the float.
38:40Here's another exercise, while I'm talking about the slide.
38:45I do want to make a note about programming versus math.
38:49In math, you're often presented with a problem
38:55that says, solve for x.
38:57x plus y is equal to something something.
39:00Solve for x, for example.
39:03That's coming back to the fact that computers don't
39:09know what to do with that.
39:10Computers need to be told what to do.
39:12In programming, if you want to solve for x,
39:14you need to tell the computer exactly how to solve for x.
39:18You need to figure out what formula
39:20you need to give the computer in order to be
39:22able to solve for x.
39:25That means always in programming the right-hand side is
39:29going to be an expression.
39:33It's something that's going to be evaluated to a value.
39:35And the left-hand side is always a variable.
39:39It's going to be an assignment.
39:40The equal sign is not like in math
39:43where you can have a lot of things to the left
39:45and a lot of things to the right of the equal sign.
39:47There's only one thing to the left of the equal sign.
39:49And that's going to be a variable.
39:50An equal sign stands for an assignment.
39:53Once we've created expressions, and we have these assignments,
39:57you can rebind variable names using new assignment
39:59statements.
40:03Let's look at an example for that.
40:05Let's say this is our memory.
40:07Let's type back in the example with finding the radius.
40:13Let's say, pi is equal to 3.14.
40:19In memory, we're going to create this value 3.14.
40:22We're going to bind it to the variable named pi.
40:28Next line, radius is equal to 2.2.
40:31In memory, we're creating this value 2.2.
40:35And we're going to bind it to the variable named radius.
40:40Then we have this expression here.
40:44It's going to substitute the values for pi
40:46from memory and the value for radius from memory.
40:49It's going to calculate the value that this expression
40:54evaluates to.
40:56It's going to pop that into the memory.
40:57And it's going to assign-- because we're
40:59using the equal sign-- it's going
41:01to assign that value to that variable area.
41:08Now, let's say we rebind radius to be something else.
41:14Radius i is bound to the value 2.2.
41:21But when we do this line, radius is equal to radius plus 1,
41:24we're going to take away the binding to 2.2.
41:27We're going to do this calculation.
41:29The new value is 3.2.
41:31And we're going to rebind that value to that same variable.
41:38In memory, notice we're still going
41:40to have this value, 2.2, floating around.
41:43But we've lost the handle for it.
41:46There's no way to get it back.
41:48It's just in memory sitting there.
41:52At some point, it might get collected by what
41:55we call the garbage collector.
41:56In Python, And it'll retrieve these lost values,
42:00and it'll reuse them for new values, and things like that.
42:05But radius now points to the new value.
42:08We can never get back 2.2.
42:13And that's it.
42:16The value of area-- notice, this is very important.
42:18The value of area did not change.
42:23And it did not change because these are all the instructions
42:26we told the computer to do.
42:28We just told it to change radius to be radius plus 1.
42:33We never told it to recalculate the value of area.
42:37If I copied that line down here, then the value of area
42:41would change.
42:42But we never told it to do that.
42:44The computer only does what we tell it to do.
42:46That's the last thing.
42:47Next lecture, we're going to talk about adding control
42:51flow to our programs, so how do you tell the computer
42:53to do one thing or another?
42:55All right.
</pre>
</div>
</div>

===Lecture Notes - lecture 1 py===
Source: https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/920cc911b6eb5747f2ccd431bbc4306b_lec1.py<br>
<div class="toccolours mw-collapsible mw-collapsed">
lecture 1 py
<div class="mw-collapsible-content">
<pre>
pi = 3.14159
radius = 2.2
# area of circle equation <- this is a comment
area = pi*(radius**2)
print(area)

# change values of radius <- another comment
# use comments to help others understand what you are doing in code
radius = radius + 1
print(area) # area doesn't change
area = pi*(radius**2)
print(area)

#############################
#### COMMENTING LINES #######
#############################
# to comment MANY lines at a time, highlight all of them then CTRL+1
# do CTRL+1 again to uncomment them
# try it on the next few lines below!

#area = pi*(radius**2)
#print(area)
#radius = radius + 1
#area = pi*(radius**2)
#print(area)

#############################
#### AUTOCOMPLETE #######
#############################
# Spyder can autocomplete names for you
# start typing a variable name defined in your program and hit tab
# before you finish typing -- try it below

# define a variable
a_very_long_variable_name_dont_name_them_this_long_pls = 0

# below, start typing a_ve then hit tab... cool, right!
# use autocomplete to change the value of that variable to 1

# use autocomplete to write a line that prints the value of that long variable
# notice that Spyder also automatically adds the closed parentheses for you!
</pre>
</div>
</div>

===pdf-Slides for Lecture 1===
Source:https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/resources/mit6_0001f16_lec1/<br>
IPFS:<code>QmemB25bVuN2fuiAq3JaDM4J5MYit6HfCCsU3EFTWL7wpF</code><br>

===Problem Set 1===
Source:https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/resources/mit6_0001f16_ps1/<br>
IPFS:<code>QmbxaDU9U4hquK4Dhb365nD5qG5eEFUM6NABqXRaux6tRB</code><br>

===Additional Python Resources ===
Source:https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/resources/mit6_0001f16_additional/<br>
IPFS:<code>QmYWPVdHEbhmdFXNR9R46ey5eykyFPeCZ1joXE6z28L1VB</code><br>

<div class="toccolours mw-collapsible mw-collapsed">
Additional Python Resources:
<div class="mw-collapsible-content">
If you're having trouble with a particular concept or simply want to have access to more
information, try one of the following links.

====DOCUMENTATION====
* [[https://docs.python.org/3/library/index.html Official Python 3 Documentation]] - "official"/technical explanation of what a particular function/operator
does, examples of correct syntax, what the various libraries are, etc.

====TEXTBOOKS/TUTORIALS====
* [[https://diveintopython3.net/ Dive Into Python]] - another survey of Python syntax, datatypes, etc.
* [[http://greenteapress.com/wp/think-python-2e/ Think Python by Allen Downey]] - a good general overview of the Python language. Includes exercises.
* [[https://docs.python.org/3/tutorial/ The Official Python Tutorial]] - self-explanatory
* [[https://learnpythonthehardway.org/book/ Learn Python the Hard Way]] - (note: for Python 2) another free online text
* [[https://docs.python.org/3.0/reference/lexical_analysis.html#id8 Reserved Keywords in Python]] - don't use these as variable names
* [[https://peps.python.org/pep-0008/ PEP 8 - Style Guide for Python Code]] - learn what is good and bad style in Python
* [[https://checkio.org/ CheckIO]] - learn Python by exploring a game world
* [[https://inventwithpython.com/ Invent with Python]] - develop your Python skills by making games or hacking ciphers
* [[https://www.codecademy.com/catalog Codecademy]] - (note: for Python 2) learn Python by building web apps and manipulating data; interactive
tutorial sequence
* [[https://pythontutor.com Python Tutor]] - interactive tutorial sequence of exercises

====DEBUGGING====
* [[https://pythontutor.com/ Python Tutor]] - an excellent way to actually visualize how the interpreter actually reads and executes
your code
* [[https://www.diffchecker.com/ DiffChecker]] - compares two sets of text and shows you which lines are different
* [[https://pythonconquerstheuniverse.wordpress.com/2009/09/10/debugging-in-python/ Debugging in Python]] - steps you can take to try to debug your program

====OTHER Q&A====
* [[https://stackoverflow.com/questions/tagged/python Stack Overflow]] - a large Q&A forum for programming concepts (not just Python). Try searching here
before you post on the edX forum, and you may find that someone has already answered your question.

====MORE PRACTICE PROBLEMS====
* [[http://www.pythonchallenge.com/ Python Challenge]] - a series of puzzles you can try to test your Python abilities
* [[https://projecteuler.net/ Project Euler]] - additional programming challenges you can try once your Python knowledge becomes
stronger; problems are sorted by increasing difficulty
* [[https://codingbat.com/python Coding Bat]] - problems you can solve within an online interpreter
* [[https://www.codewars.com/?language=python Codewars]] - improve your skills by training on real code challenges

MIT OpenCourseWare
https://ocw.mit.edu
6.0001 Introduction to Computer Science and Programming in Python
Fall 2016
For information about citing these materials or our Terms of Use, visit: https://ocw.mit.edu/terms.

</div>
</div>

==2==
mit-test-course/2/MIT6_0001F16_Lecture_02_300k.mp4<br>
https://ipfs.io/ipfs/QmTFdkMJnzUcwgs1hdoF7qtADE2NqTJVaF9CfgULbzSuA9<br>
<code>QmTFdkMJnzUcwgs1hdoF7qtADE2NqTJVaF9CfgULbzSuA9</code> <br>
<br>
mit-test-course/2/ba2947b25b1580e4a84df0ec5dbe5cdd_MIT6_0001F16_Lec2.pdf<br>
https://ipfs.io/ipfs/QmNiZvEh6UmpHLTxw4saN7WdojzBokp2JCbucYzrekoQBK<br>
<code>QmNiZvEh6UmpHLTxw4saN7WdojzBokp2JCbucYzrekoQBK</code><br>
<br>
mit-test-course/2/d6ee838ee4c85ace93a4e170cfd83c03_lec2_branch_loops.py<br>
https://ipfs.io/ipfs/QmPjEzEu56mqeE19Vth9AkDbAxz7wAWg9zMVvF9FZ1UBvK<br>
<code>QmPjEzEu56mqeE19Vth9AkDbAxz7wAWg9zMVvF9FZ1UBvK</code><br>
<br>

==3==

MIT6_0001F16_Lecture_03_300k.mp4<br>
<code>QmTTCsuhbnjXWuigZLSgKAt4DjFsm78MANo3KUMGcK98s1</code><br>
<br>
88de925a1fb925e46a08bc5f34d029bd_lec3_strings_algos.py<br>
<code>QmYppDgGMptihHA7ixFw2GHvspN8Bw1HY21HtUpQNxi23i</code><br>
<br>
b9b9a82a29e8746db1facfbd30c07940_MIT6_0001F16_Lec3.pdf<br>
<code>QmP2AZfUx8RTqCGamJtPyodFU8dHG8QrBHYKkP79YepEe9</code><br>

==4==

MIT6_0001F16_Lecture_04_300k.mp4<br>
<code>QmQuc5zpaJdMfRYxTLyZc5DQuota1FjuJiqgWf8ctGmRsU</code><br>
<br>
6ba59859535f1566dd57a7279aeba5d1_MIT6_0001F16_Lec4.pdf<br>
<code>QmP1p4h21ogMxWeeX2PiDibQbHqWer7ABCsMrfMxEx7QBW</code><br>
<br>
9e8439a27af18817e046ac37333d03f6_lec4_functions.py<br>
<code>QmNtPQncXMYNBnX4NoNfx2ifetrfvrATamdrsjx4u9iQ7c</code><br>

==5==
MIT6_0001F16_Lecture_05_300k.mp4<br>
<code>Qmco5sKKQfnWUNP9ZUxLkDhoV6jfjv8L4AdzES7En41AzP</code><br>
<br>
1776670e271578eeb99fc25975f20586_MIT6_0001F16_Lec5.pdf<br>
<code>QmSdxg2inPbK1FSynNdPUka6CUZtEGG6sdPZgxaAgb46GE</code><br>
<br>
cdf5f8e7f109952655f4d253ed955555_lec5_tuples_lists.py<br>
<code>QmThDori5ETa3U27DFpndU7RmsLgG7zjpqGVxAncCupSuc</code><br>

==6==
<br>MIT6_0001F16_Lecture_06_300k.mp4<br>
<code>QmVzK3PVETv69Y27UKDfaQQM5um8ByMdYQS3TzD2EkoR42</code><br>
<br>876348c652c5353daccc96e1b7d577bb_MIT6_0001F16_Lec6.pdf<br>
<code>QmQAqSGJAeoypUMyUnb7hRrziDyRAwymcTGdcaydT5i73s</code><br>
<br>706228e592761d9c7c1c073f8ba7a6cc_lec6_recursion_dictionaries.py<br>
<code>QmaGhNYnR5yUMYZf4q7qLsNwEW6B7pbLbgJokJBTNSA2FT</code><br>

==7==
<br>MIT6_0001F16_Lecture_07_300k.mp4<br>
<code>QmUyiqpAUA91w4Xm2Dz2wPr6kE6wTzA1apwJziTdBysRLw</code><br>
<br>
51bdde43dfd773ba20747ce5d89119ac_MIT6_0001F16_Lec7.pdf<br>
<code>QmcqZoeVrsfBv4Ri6M8KtiLdy3VpKnyznDFhX8zvfd3Qrs</code><br>
<br>
abdd1d61892ccce9be2ad84e52004e07_lec7_debug_except.py<br>
<code>QmeVKCB6ponYr4f72MuNwegukX9t42NTywNHpDPgyNi9ae</code><br>
<br>

==8==

<br>MIT6_0001F16_Lecture_08_300k.mp4
<br><code>QmZFSSPndvRfPT2vyehuyEQitfb8CzdYkA7orFAKyvhA4u</code><br>
<br>7a6f85d03f132dcd9d7592bc4643be1c_MIT6_0001F16_Lec8.pdf
<br><code>QmdccChFuYBCiLmufEmk6oXCHybaUQiPXajD3c3xMupiaC</code><br>
<br>0705ac9dcc7e637a0e8e9d97eb258a26_lec8_classes.py
<br><code>QmQCaZZA75UQ5pAKy8zhcz6Ci8yY13UVHUvsuXmid86GUH</code><br>
<br>

==9==

<br>MIT6_0001F16_Lecture_09_300k.mp4
<br><code>QmdENonCipE7TK99i7dFz9paqDUSefR4PFdveEmVi5oXAb</code><br>
<br>2dd6c75e7b4bd6bd135078e6f3701201_MIT6_0001F16_Lec9.pdf
<br><code>QmbaJFk4mFRmCbtQybK94etyfRA2LcM22Kfvjbvdf6X8Gw</code><br>
<br>bf8e8195044d5f6aefc1a455968e2f3e_lec9_inheritance.py
<br><code>QmQ7UB4PaGBRHvHfDshrASwynvansFVXrp3RNULwhThUsC</code><br>
<br>

==10==

<br>MIT6_0001F16_Lecture_10_300k.mp4
<br><code>QmQNooq1g25LFp1Fxj2tfpKKMKi8NbutkhuXNf5Ppo7t5f</code><br>
<br>066eba6ea6d56a88e56ae325940d4c4c_MIT6_0001F16_Lec10.pdf
<br><code>QmbyP59ttPKGe5ZNADsgqTsgBF3oYGzhZXFfBhszG2nuPm</code><br>
<br>bfa32fd241d88ae02cd3157aed232bac_lec10_complexity_part1.py
<br><code>QmUtgXQXjj2C3qb2UXFrPmKHkFdEjmehk4ZLQhcZ37rEmw</code><br>
<br>

==11==

<br>MIT6_0001F16_Lecture_11_300k.mp4
<br><code>QmR7Ned6iZytjpVHVN6W53EZ5Qg4Zd6EkEcXxn8DjYMgrd</code><br>
<br>bb953fb81d4afa3bc837c16eba613955_MIT6_0001F16_Lec11.pdf
<br><code>QmNPjN3616QdmEWLPokwuTkLL1vrzcLVRSFLWUcukqtxZL</code><br>
<br>bdf800867e6762c6758ecd2230178f41_lec11_complexity_part2.py
<br><code>QmdpwFTFkwnkqWW3CozBBAfeYHchDeVAV7ArkA1dUqbUZ4</code><br>
<br>

==12==

<br>MIT6_0001F16_Lecture_12_300k.mp4
<br><code>QmPWidAv5mBrgEcKDVqWe62JaAiwBWs8KZc1S8r3bbJsvY</code><br>
<br>6425d0dabb1cea1a076b8c46c0ae2da6_MIT6_0001F16_Lec12.pdf
<br><code>QmToP68Knz71euVuntRWtz6UshRoiRssELJNFMeP1f2sR5</code><br>
<br>310536cd5f5aa1fc0c11726ce13c565e_lec12_sorting.py
<br><code>QmbV8ct8DEQyRGRDSX4PaQBXk8r8ryYLDNwTa2buC7kcP5</code><br>
<br>

DEMONSTRATE-MIT Introduction to Computer Science and Programming in Python 6.0001 Fall 2016 Undergraduate

2023-12-03T18:31:26Z

Noob: Created page with "{{:LICENCE_HEADER_CC_BY-NC-SA_4.0}}  <b> NOTE: This page is for demonstration purposes Only, and is not meant to be hosted on CompleteNoobs.com which is not intended to contain CC_BY-NC-SA Licensed Content. <br> This page is CC_BY-NC-SA It is intended for a fork of "CompleteNoobs.com" called "CompleteNo..."

{{:LICENCE_HEADER_CC_BY-NC-SA_4.0}}


<b>
NOTE: This page is for demonstration purposes Only, and is not meant to be hosted on CompleteNoobs.com which is not intended to contain CC_BY-NC-SA Licensed Content.
<br>
This page is CC_BY-NC-SA It is intended for a fork of "CompleteNoobs.com" called "CompleteNoobz.com"
<br>
CompleteNoobz.com is a noncommercial mirror of CompleteNoobs.com Which can pullin CC_BY-NC-SA Licensed Content
<br>
This page is quickly put together to test and demonstrate hosting heavy data content on IPFS.
<br>
It is a first draft and required many more Reiterations, This content is first draft concept demonstration content.
</b>

==Course Information==
===Source===
https://ocw.mit.edu/MIT OPEN COURSEWARE - MASSACHUSETTS INSTITUTE OF TECHNOLOGY.<br>
Donations to support MIT Open Courseware <code>https://giving.mit.edu/give/to/ocw/</code><br>
<br>
https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/download/<br>
https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/pages/assignments/<br>
https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/resources/lecture-videos/<br>

==Syllabus==
<div class="toccolours mw-collapsible mw-collapsed">
Syllabus
<div class="mw-collapsible-content">

===Course Meeting Times===

Lectures: 2 sessions / week, 1 hour / session

Recitations: 1 sessions / week, 1 hour / session

===Course Information===

6.0001 Introduction to Computer Science and Programming in Python is intended for students with little or no programming experience. It aims to provide students with an understanding of the role computation can play in solving problems and to help students, regardless of their major, feel justifiably confident of their ability to write small programs that allow them to accomplish useful goals. The class will use the Python 3.5 programming language.

This is a half-semester course. Students who successfully complete 6.0001 may continue into 6.0002 Introduction to Computational Thinking and Data Science, which is taught in the second half of the semester.

===Goals===

*Provide an understanding of the role computation can play in solving problems.
*Help students, including those who do not plan to major in Computer Science and Electrical Engineering, feel confident of their ability to write small programs that allow them to accomplish useful goals.
*Position students so that they can compete for research projects and excel in subjects with programming components.

===Textbook===

The textbook is Buy at MIT Press Guttag, John. Introduction to Computation and Programming Using Python: With Application to Understanding Data Second Edition. MIT Press, 2016. ISBN: 9780262529624. The book and the course lectures parallel each other, though there is more detail in the book about some topics. It is available both in hard copy and as an e-book.

===Lecture and Recitation Attendance===

A significant portion of the material for this course will presented only in lecture, so students are expected to regularly attend lectures.

Recitations give students a chance to ask questions about the lecture material or the problem set for the given week. Sometimes, new material may be covered in recitation. Recitation attendance is encouraged but not required.

===Problem Sets and Quizzes===

Each problem set will involve programming in Python. There will be 6 problem sets in the course. There will be two quizzes. All quizzes will be closed-book, though you will be allowed to bring one page of notes to the first quiz and two pages of notes to the second quiz. Pages must be letter-sized, double-sided, either handwritten or typed.

===Grading Policy===

{| class="wikitable"
|+ Grades will be roughly computed as follows:
|-
|ACTIVITIES
|PERCENTAGES
|-
|Problem sets
|30%
|-
|Completion of mandatory finger exercises
|10%
|-
|Midterm Quiz
|20%
|-
|Final Quiz
|40%
|}

Problem sets will be graded out of 10 points. Submissions that do not run will receive at most 20% of the points. Please contact your Teaching Assistant if you have a problem understanding your problem set grade.

Note: Quizzes and finger exercises are not available on OpenCourseWare.

===Extension and Dropping Problem Sets Policy===
We do not grant any extensions. Instead, we offer late days and the option of rolling at most 2 problem set grades into the final quiz score.

===Late Days===

At the beginning of the term, students are given two late days that they can use on problem sets. Starting with Problem Set 1, additional late days can be accumulated for each assignment, one late day for each day the assignment is turned in ahead of the deadline. Up to three late days may be accumulated in this fashion in this course, i.e you can only have a maximum of 3 late days at any point in time. Late days are discrete (a student cannot use half a late day). The staff will keep track of late days and feedback for each problem set will include the number of late days the student has remaining. Any additional late work beyond these late days will not be accepted. To avoid surprises, we suggest that after you submit your problem set, you double check to make sure the submission was uploaded correctly.

===Rolling Over Problem Sets===

Before the final quiz, we will send out an announcement in which you can choose at most 2 problem sets that you can drop. If dropped, the percent that the problem sets are worth will be rolled into the final quiz score. We strongly urge you to see the late days and dropping the problem sets as backup in case of an emergency. Your best strategy is to do the problem sets early before work starts to pile up.

===Calendar===

{| class="wikitable"
|+ Calendar
|-
|SES #
|TOPICS
|ASSIGNMENTS
|-
|1
|What is computation?
|Pset 0 released
|-
|2
|Branching and Iteration
|Pset 1 released
|-
|3
|String Manipulation, Guess and Check, Approximations, Bisection
|Pset 0 due
|-
|4
|Decomposition, Abstractions, Functions
|Pset 2 released
|-
|5
|Tuples, Lists, Aliasing, Mutability, Cloning
|Pset 1 due
|-
|6
|Recursion, Dictionaries
|Pset 3 released
|-
|7
|Testing, Debugging, Exceptions, Assertions
|Pset 2 due; Quiz 1
|-
|8
|Object Oriented Programming
|
|-
|9
|Python Classes and Inheritance
|Pset 3 due; Pset 4 released
|-
|10
|Understanding Program Efficiency, Part 1
|Pset 4 due; Pset 5 released
|-
|11
|Understanding Program Efficiency, Part 2
|
|-
|12
|Searching and Sorting
|Pset 5 due; Final Quiz
|}

</div>
</div>

==Course Materials==

===Downloading Using IPFS===
<code>https://github.com/ipfs/ipfs-desktop/releases</code><br>
[[IPFS_Basics|PFS Basics]]

===Software===
This class is using python3 IDE <b>spyder</b> which is in Anaconda3<br>
https://www.anaconda.com/<br>
How to install is on Problem Set 0<br>

===MIT6_0001F16_Style Guide===
Source:https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/resources/mit6_0001f16_styleguide/<br>
IPFS:<code>QmUmtyNpSLr2fXwGY1gL2hNnpwbYe8Y7CP2rPwjSNXasxJ</code><br>

==Problem Set 0==
Source:https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/resources/ps0/<br>
IPFS:<code>QmRWpBvwUNiFRjSvgLjRoiCNXQBBL2aLg55PVfGWw7S1ns</code><br>

==Lecture 1: What is Computation?==

{{#evu:https://www.youtube.com/watch?v=4-CmQesbQvw
|alignment=inline
}}
<br>
Source:https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/resources/lecture-1-what-is-computation/<br>
IPFS:<code>QmaTdTMxWdz6ySLbx258zQU5McpJTo4ZEVJ63GSKmVEyeM</code><br>

===Glossary===
<div class="toccolours mw-collapsible mw-collapsed">
Glossary for lecture with timestamps:
<div class="mw-collapsible-content">
Time: data<br>
2:10 pset = problem set<br>
12:18 [[Square_root]]<br>
</div>
</div>

===Video transcript===

<div class="toccolours mw-collapsible mw-collapsed">
Video transcript
<div class="mw-collapsible-content">

<pre>
The following content is provided under a Creative
0:03Commons license.
0:04Your support will help MIT OpenCourseWare
0:07continue to offer high-quality, educational resources for free.
0:11To make a donation, or view additional materials
0:13from hundreds of MIT courses, visit MIT OpenCourseWare
0:17at ocw.mit.edu.
0:29ANA BELL: All right.
0:30Let's begin.
0:33As I mentioned before, this lecture
0:35will be recorded for OCW.
0:37Again, in future lectures, if you
0:39don't want to have the back of your head show up,
0:41just don't sit in this front area here.
0:44First of all, wow, what a crowd, you guys.
0:46We're finally in 26-100.
0:486.0001 made it big, huh?
0:52Good afternoon and welcome to the very first class of 6.0001,
0:55and also 600, this semester.
0:58My name is Ana Bell.
1:00First name, Ana.
1:01Last name, Bell.
1:03I'm a lecturer in the EECS Department.
1:06And I'll be giving some of the lectures for today,
1:08along with later on in the term, Professor Eric Grimson, who's
1:13sitting right down there, will be giving some of the lectures,
1:15as well.
1:17Today we're going to go over some basic administrivia,
1:21a little bit of course information.
1:23And then, we're going to talk a little bit
1:24about what is computation?
1:26We'll discuss at a very high level
1:27what computers do just to make sure we're all
1:29on the same page.
1:31And then, we're going to dive right into Python basics.
1:34We're going to talk a little bit about mathematical operations
1:36you can do with Python.
1:38And then, we're going to talk about Python variables
1:40and types.
1:42As I mentioned in my introductory email, all
1:43the slides and code that I'll talk about during lectures
1:46will be up before lecture, so I highly
1:48encourage you to download them and to have them open.
1:52We're going to go through some in-class exercises which will
1:56be available on those slides.
1:57And it's fun to do.
1:59And it's also great if could take notes about the code just
2:07for future reference.
2:09It's true.
2:10This is a really fast-paced course,
2:12and we ramp up really quickly.
2:14We do want to position you to succeed in this course.
2:17As I was writing this, I was trying
2:19to think about when I was first starting
2:21to program what helped me get through my very
2:24first programming course.
2:26And this is really a good list.
2:29The first thing was I just read the psets as soon
2:31as they came out, made sure that the terminology just sunk in.
2:37And then, during lectures, if the lecturer
2:39was talking about something that suddenly I remembered,
2:42oh, I saw that word in the pset and I didn't know what it was.
2:45Well, hey, now I know what it is.
2:46Right?
2:47So just give it a read.
2:48You don't need to start it.
2:51If you're new to programming, I think the key word is practice.
2:55It's like math or reading.
2:57The more you practice, the better you get at it.
3:00You're not going to absorb programming
3:01by watching me write programs because I already know how
3:04to program.
3:05You guys need to practice.
3:07Download the code before lecture.
3:09Follow along.
3:10Whatever I type, you guys can type.
3:12And I think, also, one of the big things
3:14is if you're new to programming, you're
3:16kind of afraid that you're going to break your computer.
3:19And you can't really do that just by running Anaconda
3:24and typing in some commands.
3:26So don't be afraid to just type some stuff in
3:28and see what it does.
3:29Worst case, you just restart the computer.
3:35Yeah.
3:36That's probably the big thing right there.
3:38I should have probably highlighted it,
3:39but don't be afraid.
3:40Great.
3:41So this is pretty much a roadmap of all of 6.0001 or 600
3:46as I've just explained it.
3:47There's three big things we want to get out of this course.
3:51The first thing is the knowledge of concepts,
3:54which is pretty much true of any class that you'll take.
3:56The class will teach you something through lectures.
3:59Exams will test how much you know.
4:02This is a class in programming.
4:05The other thing we want you to get out of it
4:08is programming skills.
4:10And the last thing, and I think this
4:12is what makes this class really great,
4:13is we teach you how to solve problems.
4:16And we do that through the psets.
4:18That's really how I feel the roadmap of this course
4:21looks like.
4:22And underlying all of these is just practice.
4:25You have to just type some stuff away and code a lot.
4:29And you'll succeed in this course, I think.
4:33OK.
4:35So what are the things we're going to learn in this class?
4:38I feel like the things we're going learn in this class
4:41can be divided into basically three different sections.
4:44The first one is related to these first two items here.
4:50It's really about learning how to program.
4:53Learning how to program, part of it
4:55is figuring out what objects to create.
4:58You'll learn about these later.
5:00How do you represent knowledge with data structures?
5:02That's sort of the broad term for that.
5:04And then, as you're writing programs,
5:06you need to-- programs aren't just linear.
5:08Sometimes programs jump around.
5:10They make decisions.
5:11There's some control flow to programs.
5:13That's what the second line is going to be about.
5:18The second big part of this course
5:20is a little bit more abstract, and it
5:24deals with how do you write good code, good style,
5:29code that's readable.
5:30When you write code, you want to write it such
5:33that-- you're in big company, other people will read it,
5:35other people will use it, so it has
5:37to be readable and understandable by others.
5:40To that end, you need to write code
5:41that's well organized, modular, easy to understand.
5:48And not only that, not only will your code
5:50be read by other people, but next year, maybe,
5:53you'll take another course, and you'll
5:55want to look back at some of the problems
5:56that you wrote in this class.
5:58You want to be able to reread your code.
6:00If it's a big mess, you might not be able to understand--
6:03or reunderstand-- what you were doing.
6:06So writing readable code and organizing code
6:08is also a big part.
6:10And the last section is going to deal with-- the first two
6:15are actually part of the programming in Introduction
6:19to Programming and Computer Science in Python.
6:21And the last one deals mostly with the computer science part
6:26in Introduction to Programming and Computer Science in Python.
6:29We're going to talk about, once you have learned
6:31how to write programs in Python, how do
6:33you compare programs in Python?
6:35How do you know that one program is better than the other?
6:38How do you know that one program is
6:39more efficient than the other?
6:41How do you know that one algorithm
6:42is better than the other?
6:45That's what we're going to talk about in the last part
6:47of the course.
6:48OK.
6:50That's all for the administrative part
6:52of the course.
6:54Let's start by talking at a high level what does a computer do.
6:59Fundamentally, it does two things.
7:03One, performs calculations.
7:05It performs a lot of calculations.
7:07Computers these days are really, really fast,
7:09a billion calculations per second is probably not far off.
7:15It performs these calculations and it
7:16has to store them somewhere.
7:18Right?
7:19Stores them in computer memory.
7:21So a computer also has to remember results.
7:24And these days, it's not uncommon to find computers
7:26with hundreds of gigabytes of storage.
7:30The kinds of calculations that computers do,
7:34there are two kinds.
7:35One are calculations that are built into the language.
7:37These are the very low level types
7:39of calculations, things like addition,
7:41subtraction, multiplication, and so on.
7:45And once you have a language that
7:47has these primitive calculation types, you, as a programmer,
7:53can put these types together and then define
7:55your own calculations.
7:57You can create new types of calculations.
8:00And the computer will be able to perform those, as well.
8:04I think, one thing I want to stress--
8:07and we're going to come back to this
8:09again during this entire lecture, actually--
8:12is computers only know what you tell them.
8:15Computers only do what you tell them to do.
8:18They're not magical.
8:19They don't have a mind.
8:22They just know how to perform calculations really,
8:24really quickly.
8:26But you have to tell them what calculations to do.
8:32Computers don't know anything.
8:34All right.
8:35We've come to that.
8:40Let's go into the types of knowledge.
8:44The first type of knowledge is declarative knowledge.
8:48And those are things like statements of fact.
8:50And this is where my email came into play.
8:53If you read it all the way to the bottom,
8:55you would have entered a raffle.
8:57So a statement of fact for today's lecture
8:59is, someone will win a prize before class ends.
9:03And the prize was a Google Cardboard.
9:06Google state-of-the-art virtual reality glasses.
9:09And I have them right here.
9:14Yea.
9:15I delivered on my promise.
9:18That's a statement of fact.
9:20So pretend I'm a machine.
9:22OK?
9:23I don't know anything except what you tell me.
9:26I don't know.
9:28I know that you tell me this statement.
9:30I'm like, OK.
9:31But how is someone going to win a Google Cardboard
9:33before class ends, right?
9:35That's where imperative knowledge comes in.
9:37Imperative knowledge is the recipe, or the how-to,
9:39or the sequence of steps.
9:42Sorry.
9:43That's just my funny for that one.
9:47So the sequence of steps is imperative knowledge.
9:53If I'm a machine, you need to tell me
9:57how someone will win a Google Cardboard before class.
10:00If I follow these steps, then technically,
10:02I should reach a conclusion.
10:06Step one, I think we've already done that.
10:08Whoever wanted to sign up has signed up.
10:11Now I'm going to open my IDE.
10:13I'm just basically being a machine
10:14and following the steps that you've told me.
10:17The IDE that we're using in this class is called Anaconda.
10:21I'm just scrolling down to the bottom.
10:25Hopefully, you've installed it in problem set zero.
10:28I've opened my IDE.
10:30I'm going to follow the next set of instructions.
10:34I'm going to choose a random number between the first
10:36and the nth responder.
10:39Now, I'm going to actually use Python to do this .
10:42And this is also an example of how just
10:44a really simple task in your life,
10:46you can use computers or programming to do that.
10:48Because if I chose a random number,
10:50I might be biased because, for example,
10:51I might like the number 8.
10:53To choose a random number, I'm going to go and say, OK,
10:57where's the list of responders?
10:58It starts at 15.
10:59Actually, it starts at 16 because that's me.
11:03We're going to choose a random number between 16
11:05and the end person 266.
11:09Oh, we just got-- oh.
11:11OK.
11:13OK.
11:13I'm going to cut it off right here.
11:15271.
11:15OK.
11:1616 and 271.
11:18Perfect.
11:19OK.
11:20I'm going to choose a random number.
11:21I'm going to go to my IDE.
11:22And you don't need to know how to do this yet,
11:24but by the end of this class, you will.
11:26I'm just going to use Python.
11:29I'm just going to get the random number package that's going
11:31to give me a random number.
11:32I'm going to say random.randint.
11:35And I'm going to choose a random number between 16 and 272,
11:40OK.
11:4175.
11:42OK.
11:43Great.
11:44I chose a random number.
11:45And I'm going to find the number in the responder's sheet.
11:48What was the number again?
11:49Sorry.
11:5175.
11:52OK.
11:54Up we go.
11:56There we go.
11:57Lauren Z-O-V. Yeah.
12:01Nice.
12:02You're here.
12:14Awesome.
12:16All right.
12:17That's an example of me being a machine and also,
12:21at the same time, using Python in my everyday life,
12:23just lecturing, to find a random number.
12:28Try to use Python wherever you can.
12:30And that just gives you practice.
12:34That was fun.
12:35But we're at MIT.
12:37We're MIT students.
12:39And we love numbers here at MIT.
12:41Here's a numerical example that shows
12:44the difference between declarative and imperative
12:46knowledge.
12:50An example of declarative knowledge
12:51is the square root of a number x is y such that y times y
12:54is equal to x.
12:57That's just a statement of fact It's true.
13:02Computers don't know what to do with that.
13:05They don't know what to do with that statement.
13:07But computers do know how to follow a recipe.
13:11Here's a well-known algorithm.
13:13To find the square root of a number x,
13:16let's say x is originally 16, if a computer follows
13:23this algorithm, it's going to start with a guess, g,
13:26let's say, 3.
13:28We're trying to find the square root of 16.
13:30We're going to calculate g times g is 9.
13:34And we're going to ask is if g times g
13:36is close enough to x, then stop and say, g is the answer.
13:39I'm not really happy with 9 being really close to 16.
13:42So I'm going to say, I'm not stopping here.
13:44I'm going to keep going.
13:47If it's not close enough, then I'm
13:48going to make a new guess by averaging g and x over g.
13:52That's x over g here.
13:54And that's the average over there.
13:57And the new average is going to be my new guess.
14:04And that's what it says.
14:05And then, the last step is using the new guess,
14:07repeat the process.
14:08Then we go back to the beginning and repeat the whole process
14:11over and over again.
14:13And that's what the rest of the rows do.
14:15And you keep doing this until you decide
14:16that you're close enough.
14:23What we saw for the imperative knowledge
14:25in the previous numerical example
14:26was the recipe for how to find the square root of x.
14:31What were the three parts of the recipe?
14:33One was a simple sequence of steps.
14:36There were four steps.
14:39The other was a flow of control, so there were
14:42parts where we made decisions.
14:45Are we close enough?
14:46There were parts where we repeated some steps.
14:49At the end, we said, repeat steps 1, 2, 3.
14:52That's the flow of control.
14:55And the last part of the recipe was a way to stop.
14:58You don't want a program that keeps going and going.
15:00Or for a recipe, you don't want to keep baking bread forever.
15:03You want to stop at some point.
15:05Like 10 breads is enough, right?
15:07So you have to have a way of stopping.
15:10In the previous example, the way of stopping
15:12was that we decided we were close enough.
15:15Close enough was maybe being within .01, .001,
15:20whatever you pick.
15:23This recipe is there for an algorithm.
15:26In computer science speak, it's going to be an algorithm.
15:29And that's what we're going to learn about in this class.
15:34We're dealing with computers.
15:35And we actually want to capture a recipe
15:37inside a computer, a computer being a mechanical process.
15:49Historically, there were two different types of computers.
15:55Originally, there were these things
15:57called fixed-program computers.
15:59And I'm old enough to have used something
16:02like this, where there's just numbers and plus, minus,
16:06multiplication, divide, and equal.
16:08But calculators these days are a lot more complicated.
16:11But way back then, an example of a fixed-program computer
16:15is this calculator.
16:16It only knows how to do addition, multiplication,
16:19subtraction, division.
16:20If you want to plot something, you can't.
16:22If you want to go on the internet, send email with it,
16:27you can't.
16:27It can only do this one thing.
16:31And if you wanted to create a machine that did another thing,
16:33then you'd have to create another fixed-program computer
16:37that did a completely separate test.
16:39That's not very great.
16:41That's when stored-program computers came into play.
16:45And these were machines that could store
16:47a sequence of instructions.
16:50And these machines could execute the sequence of instructions.
16:54And you could change the sequence of instructions
16:56and execute this different sequence of instructions.
17:00You could do different tasks in the same machine.
17:03And that's the computer as we know it these days.
17:07The central processing unit is where all of these decisions
17:11get made.
17:11And these are all the peripherals.
17:16The basic machine architecture-- at the heart of every computer
17:20there's just this basic architecture--
17:25and it contains, I guess, four main parts.
17:28The first is the memory.
17:31Input and output is the other one.
17:34The ALU is where all of the operations are done.
17:39And the operations that the ALU can do
17:41are really primitive operations, addition, subtraction,
17:44and so on.
17:46What the memory contains is a bunch of data
17:52and your sequence of instructions.
18:00Interacting with the Arithmetic Logic Unit is the Control Unit.
18:03And the Control Unit contains one program counter.
18:07When you load a sequence of instructions,
18:09the program counter starts at the first sequence.
18:15It starts at the sequence, at the first instruction.
18:18It gets what the instruction is, and it sends it to the ALU.
18:22The ALU asks, what are we doing operations on here?
18:25What's happening?
18:27It might get some data.
18:29If you're adding two numbers, it might get two numbers
18:31from memory.
18:33It might do some operations.
18:34And it might store data back into memory.
18:37And after it's done, the ALU is going to go back,
18:41and the program counter is going to increase
18:43by 1, which means that we're going
18:45to go to the next sequence in the instruction set.
18:50And it just goes linearly, instruction by instruction.
18:53There might be one particular instruction
18:56that does some sort of test.
18:58It's going to say, is this particular value
19:07greater or equal to or the same as this other particular value?
19:11That's a test, an example of a test.
19:13And the test is going to either return true or false.
19:17And depending on the result of that test,
19:20you might either go to the next instruction,
19:24or you might set the program counter
19:26to go all the way back to the beginning, and so on.
19:29You're not just linearly stepping
19:32through all the instructions.
19:33There might be some control flow involved,
19:35where you might skip an instruction,
19:36or start from the beginning, or so on.
19:39And after you're done, when you finished
19:42executing the last instruction, then you
19:44might output something.
19:47That's really the basic way that a computer works.
19:53Just to recap, you have the stored program computer
19:55that contains these sequences of instructions.
19:59The primitive operations that it can do
20:00are addition, subtraction, logic operations, tests--
20:06which are something equal to something else, something
20:08less than, and so on-- and moving data,
20:10so storing data, moving data around, and things like that.
20:14And the interpreter goes through every instruction
20:19and decides whether you're going to go to the next instruction,
20:22skip instructions, or repeat instructions, and so on.
20:28So we've talked about primitives.
20:30And in fact, Alan Turing, who was a really great computer
20:35scientist, he showed that you can compute anything
20:37using the six primitives.
20:38And the six primitives are move left, move right, read, write,
20:46scan, and do nothing.
20:49Using those six instructions and the piece of tape,
20:54he showed that you can compute anything.
20:57And using those six instructions,
21:00programming languages came about that
21:03created a more convenient set of primitives.
21:05You don't have to program in only these six commands.
21:11And one interesting thing, or one really important thing,
21:16that came about from these six primitives
21:19is that if you can compute something in Python,
21:22let's say-- if you write a program that computes something
21:25in Python, then, in theory, you can
21:28write a program that computes the exact same thing
21:31in any other language.
21:32And that's a really powerful statement.
21:36Think about that today when you review your slides.
21:39Think about that again.
21:40That's really powerful.
21:45Once you have your set of primitives
21:49for a particular language, you can start creating expressions.
21:53And these expressions are going to be
21:55combinations of the primitives in the programming language.
22:00And the expressions are going to have some value.
22:02And they're going up some meaning in the programming
22:05language.
22:08Let's do a little bit of a parallel with English
22:10just so you see what I mean.
22:14In English, the primitive constructs
22:15are going to be words.
22:17There's a lot of words in the English language.
22:19Programming languages-- in Python, there are primitives,
22:23but there aren't as many of them.
22:25There are floats, Booleans, these
22:28are numbers, strings, and simple operators,
22:31like addition, subtraction, and so on.
22:35So we have primitive constructs.
22:38Using these primitive constructs,
22:39we can start creating, in English, phrases, sentences,
22:48and the same in programming languages.
22:49In English, we can say something like, "cat, dog, boy.
22:54That, we say, is not syntactically valid.
22:58That's bad syntax.
23:00That's noun, noun, noun.
23:01That doesn't make sense.
23:05What does have good syntax in English is noun, verb, noun.
23:08So, "cat, hugs boy" is syntactically valid.
23:12Similarly, in a programming language,
23:14something like this-- in Python, in this case-- a word
23:18and then the number five doesn't really make sense.
23:20It's not syntactically valid.
23:22But something like operator, operand, operator is OK.
23:28So once you've created these phrases, or these expressions,
23:34that are syntactically valid, you
23:37have to think about the static semantics of your phrase,
23:41or of your expression.
23:45For example, in English, "I are hungry" is good syntax.
23:51But it's weird to say.
23:55We have a pronoun, a verb, and an adjective, which
23:58doesn't really make sense.
23:59"I am hungry" is better.
24:03This does not have good static semantics.
24:07Similarly, in programming languages--
24:09and you'll get the hang of this the more
24:11you do it-- something like this, "3.2 times 5, is OK.
24:15But what does it mean?
24:17What's the meaning to have a word added to a number?
24:22There's no meaning behind that.
24:25Its syntax is OK, because you have
24:28operator, operand, operator.
24:30But it doesn't really make sense to add a number to a word,
24:32for example.
24:36Once you have created these expressions that
24:39are syntactically correct and static, semantically correct,
24:44in English, for example, you think about the semantics.
24:48What's the meaning of the phrase?
24:50In English, you can actually have more than one
24:52meaning to an entire phrase.
24:56In this case, "flying planes can be dangerous"
25:01can have two meanings.
25:02It's the act of flying a plane is dangerous,
25:04or the plane that is in the air is dangerous.
25:08And this might be a cuter example.
25:10"This reading lamp hasn't uttered a word
25:12since I bought it.
25:13What's going on?"
25:15So that has two meanings.
25:16It's playing on the word "reading lamp."
25:21That's in English.
25:21In English, you can have a sentence
25:23that has more than one meaning, that's
25:25syntactically correct and static, semantically correct.
25:28But in programming languages, the program that you write,
25:31the set of instructions that you write, only has one meaning.
25:34Remember, we're coming back to the fact
25:35that the computer only does what you tell it to do.
25:40It's not going to suddenly decide
25:42to add another variable for some reason.
25:46It's just going to execute whatever statements you've
25:49put up.
25:50In programming languages, there's only one meaning.
25:52But the problem that comes into play in programming languages
25:58is it's not the meaning that you might have
25:59intended, as the programmer.
26:03That's where things can go wrong.
26:05And there's going to be a lecture
26:07on debugging a little bit later in the course.
26:10But this is here just to tell you
26:12that if you see an error pop up in your program,
26:16it's just some text that says, error.
26:21For example, if we do something like this,
26:28this is syntactically correct.
26:30Incorrect.
26:31Syntactically incorrect.
26:32See?
26:32There's some angry text right here.
26:36What is going on?
26:37The more you program, the more you'll
26:39get the hang of reading these errors.
26:41But this is basically telling me the line
26:43that I wrote is syntactically incorrect.
26:45And it's pointing to the exact line and says, this is wrong,
26:49so I can go back and fix it as a programmer.
26:55Syntax errors are actually really easily caught by Python.
27:00That was an example of a syntax error.
27:02Static semantic errors can also be
27:04caught by Python as long as, if your program has some decisions
27:09to make, as long as you've gone down the branch where
27:13the static semantic error happens.
27:18And this is probably going to be the most frustrating one,
27:22especially as you're starting out.
27:23The program might do something different than what
27:25you expected it to do.
27:27And that's not because the program suddenly-- for example,
27:32you expected the program to give you an output of 0
27:34for a certain test case, and the output that you got was 10.
27:37Well, the program didn't suddenly
27:39decide to change its answer to 10.
27:42It just executed the program that you wrote.
27:48That's the case where the program gave you
27:50a different answer than expected.
27:53Programs might crash, which means they stop running.
27:55That's OK.
27:57Just go back to your code and figure out what was wrong.
28:00And another example of a different meaning
28:03than what you intended was maybe the program won't stop.
28:06It's also OK.
28:07There are ways to stop it besides restarting
28:10the computer.
28:12So then Python programs are going
28:17to be sequences of definitions and commands.
28:20We're going to have expressions that are going to be evaluated
28:25and commands that tell the interpreter to do something.
28:33If you've done problem set 0, you'll
28:35see that you can type commands directly
28:37in the shell here, which is the part on the right where
28:40I did some really simple things, 2 plus 4.
28:44Or you can type commands up in here, on the left-hand side,
28:49and then run your program.
28:52Notice that, well, we'll talk about this-- I
28:54won't talk about this now.
28:55But these are-- on the right-hand side, typically,
28:59you write very simple commands just if you're
29:01testing something out.
29:03And on the left-hand side here in the editor,
29:04you write more lines and more complicated programs.
29:15Now we're going to start talking about Python.
29:18And in Python, we're going to come back to this,
29:20everything is an object.
29:23And Python programs manipulate these data objects.
29:27All objects in Python are going to have a type.
29:30And the type is going to tell Python the kinds of operations
29:34that you can do on these objects.
29:37If an object is the number five, for example,
29:39you can add the number to another number,
29:42subtract the number, take it to the power of something,
29:45and so on.
29:47As a more general example, for example, I am a human.
29:51So that's my type.
29:52And I can walk, speak English, et cetera.
29:55Chewbacca is going to be a type Wookie.
29:59He can walk, do that sound that I can't do.
30:02He can do that, but I can't.
30:04I'm not even going to try, and so on.
30:09Once you have these Python objects,
30:11everything is an object in Python.
30:14There are actually two types of objects.
30:16One are scalar objects.
30:18That means these are very basic objects in Python from which
30:21everything can be made.
30:24These are scalar objects.
30:26That can't be subdivided.
30:28The other type of object is a non-scalar object.
30:31And these are objects that have some internal structure.
30:33For example, the number five is a scalar
30:36object because it can't be subdivided.
30:39But a list of numbers, for example, 5, 6,
30:417,8, is going to be a non-scalar object
30:45because you can subdivide it.
30:46You can subdivide it into-- you can find parts to it.
30:53It's made up of a sequence of numbers.
30:58Here's the list of all of the scalar objects in Python.
31:01We have integers, for example, all of the whole numbers.
31:05Floats, which are all of the real numbers, anything
31:10with a decimal.
31:11Bools are Booleans.
31:13There's only two values to Booleans.
31:16That's True and False.
31:18Note the capitalization, capital T and capital F.
31:23And this other thing called NoneType.
31:24It's special.
31:26It has only one value called None.
31:28And it represents the absence of a type.
31:30And it sometimes comes in handy for some programs.
31:34If you want to find the type of an object,
31:36you can use this special command called type.
31:39And then in the parentheses, you put down
31:41what you want to find the type of.
31:44You can write into the shell "type of 5,"
31:47and the shell will tell you, that's an integer.
31:52If you happen to want to convert between two different types,
31:56Python allows you to do that.
31:58And to do that, you put the type that you
32:01want to convert to right before the object
32:03that you want to convert to.
32:05So float(3) will convert the integer 3 to the float 3.0.
32:12And similarly, you can convert any float into an integer.
32:16And converting to an integer just truncates.
32:20It just takes away the decimal and whatever's
32:22after it-- it does not round-- and keeps just the integer
32:26part.
32:30For this slide, I'm going to talk about it.
32:31But if you'd like if you have the slides up,
32:35go to go to this exercise.
32:37And after I'm done talking about the slide,
32:41we'll see what people think for that exercise.
32:45One of the most important things that you
32:47can do in basically any programming,
32:51in Python also, is to print things out.
32:55Printing out is how you interact with the user.
33:00To print things out, you use the print command.
33:04If you're in the shell, if you simply type "3 plus 2,"
33:07you do see a value here.
33:09Five, right?
33:11But that's not actually printing something out.
33:13And that becomes apparent when you actually
33:18type things into the editor.
33:19If you just do "3 plus 2," and you run the program-- that's
33:23the green button here-- you see on the right-hand side here,
33:26it ran my program.
33:27But it didn't actually print anything.
33:30If you type this into the console,
33:32it does show you this value, but that's
33:33just like peeking into the value for you as a programmer.
33:39It's not actually printing it out to anyone.
33:41If you want to print something out,
33:42you have to use the print statement like that.
33:47In this case, this is actually going to print this number
33:50five to the console.
33:58That's basically what it says.
33:59It just tells you it's an interaction within the shell
34:01only.
34:02It's not interacting with anyone else.
34:04And if you don't have any "Out," that
34:06means it got printed out to the console.
34:09All right.
34:09We talked a little bit about objects.
34:13Once you have objects, you can combine objects and operators
34:16to form these expressions.
34:17And each expression is going to have a value.
34:19So an expression evaluates to a value.
34:22The syntax for an expression is going
34:24to be object, operator, object, like that.
34:30And these are some operators you can do on ints and floats.
34:34There's the typical ones, addition, subtraction,
34:36multiplication, and division.
34:38If, for the first three, the answer
34:43that you get-- the type of the answer that you get--
34:45is going to depend on the type of your variables.
34:48If both of the variables of the operands are integers,
34:52then the result you're going to get is of type integer.
34:55But if at least one of them is a float, then
34:56the result you're going to get is a float.
34:58Division is a little bit special in that
35:02no matter what the operands are, the result
35:04is always going to be a float.
35:09The other operations you can do, and these are also useful,
35:14are the remainder, so the percent sign.
35:19If you use the percent sign between two operands,
35:22that's going to give you the remainder when you divide i
35:25by j.
35:28And raising something to the power of something else
35:30is using the star star operator.
35:32And i star stars j is going to take i to the power of j.
35:41These operations have the typical precedence
35:43that you might expect in math, for example.
35:47And if you'd like to put precedence
35:49toward some other operations, you
35:50can use parentheses to do that.
36:01All right.
36:03So we have ways of creating expressions.
36:07And we have operations we can do on objects.
36:13But what's going to be useful is to be able to save values
36:19to some name.
36:21And the name is going to be something that you pick.
36:24And it should be a descriptive name.
36:27And when you save the value to a name,
36:32you're going to be able to access that value later
36:36on in your program.
36:37And that's very useful.
36:40To save a value to a variable name, you use the equal sign.
36:49And the equal sign is an assignment.
36:51It assigns the right-hand side, which
36:53is a value, to the left-hand side, which
36:55is going to be a variable name.
36:59In this case, I assigned the float 3.14159
37:03to the variable pi.
37:05And in the second line, I'm going
37:08to take this expression, 22 divided by 7,
37:10I'm going to evaluate it.
37:13It's going to come up with some decimal number.
37:16And I'm going to save it into the variable pi_approx.
37:19values are stored in memory.
37:21And this assignment in Python, we
37:22say the assignment binds the name to the value.
37:26When you use that name later on in your program,
37:30you're going to be referring to the value in memory.
37:35And if you ever want to refer to the value
37:37later on in your code, you just simply type
37:39the name of the variable that you've assigned it to.
37:44So why do we want to give names to expressions?
37:48Well, you want to reuse the names instead of the values.
37:51And it makes your code look a lot nicer.
37:54This is a piece of code that calculates
37:56the area of a circle.
37:59And notice, I've assigned a variable pi to 3.14159.
38:03I've assigned another variable called radius to be 2.2.
38:07And then, later on in my code, I have another line
38:09that says area-- this is another variable-- is
38:12equal to-- this is an assignment--
38:15to this expression.
38:17And this expression is referring to these variable names, pi
38:23and radius.
38:24And it's going look up their values in memory.
38:26And it's going to replace these variable names
38:29with those values.
38:30And it's going to do the calculation for me.
38:32And in the end, this whole expression
38:34is going to be replaced by one number.
38:36And it's going to be the float.
38:40Here's another exercise, while I'm talking about the slide.
38:45I do want to make a note about programming versus math.
38:49In math, you're often presented with a problem
38:55that says, solve for x.
38:57x plus y is equal to something something.
39:00Solve for x, for example.
39:03That's coming back to the fact that computers don't
39:09know what to do with that.
39:10Computers need to be told what to do.
39:12In programming, if you want to solve for x,
39:14you need to tell the computer exactly how to solve for x.
39:18You need to figure out what formula
39:20you need to give the computer in order to be
39:22able to solve for x.
39:25That means always in programming the right-hand side is
39:29going to be an expression.
39:33It's something that's going to be evaluated to a value.
39:35And the left-hand side is always a variable.
39:39It's going to be an assignment.
39:40The equal sign is not like in math
39:43where you can have a lot of things to the left
39:45and a lot of things to the right of the equal sign.
39:47There's only one thing to the left of the equal sign.
39:49And that's going to be a variable.
39:50An equal sign stands for an assignment.
39:53Once we've created expressions, and we have these assignments,
39:57you can rebind variable names using new assignment
39:59statements.
40:03Let's look at an example for that.
40:05Let's say this is our memory.
40:07Let's type back in the example with finding the radius.
40:13Let's say, pi is equal to 3.14.
40:19In memory, we're going to create this value 3.14.
40:22We're going to bind it to the variable named pi.
40:28Next line, radius is equal to 2.2.
40:31In memory, we're creating this value 2.2.
40:35And we're going to bind it to the variable named radius.
40:40Then we have this expression here.
40:44It's going to substitute the values for pi
40:46from memory and the value for radius from memory.
40:49It's going to calculate the value that this expression
40:54evaluates to.
40:56It's going to pop that into the memory.
40:57And it's going to assign-- because we're
40:59using the equal sign-- it's going
41:01to assign that value to that variable area.
41:08Now, let's say we rebind radius to be something else.
41:14Radius i is bound to the value 2.2.
41:21But when we do this line, radius is equal to radius plus 1,
41:24we're going to take away the binding to 2.2.
41:27We're going to do this calculation.
41:29The new value is 3.2.
41:31And we're going to rebind that value to that same variable.
41:38In memory, notice we're still going
41:40to have this value, 2.2, floating around.
41:43But we've lost the handle for it.
41:46There's no way to get it back.
41:48It's just in memory sitting there.
41:52At some point, it might get collected by what
41:55we call the garbage collector.
41:56In Python, And it'll retrieve these lost values,
42:00and it'll reuse them for new values, and things like that.
42:05But radius now points to the new value.
42:08We can never get back 2.2.
42:13And that's it.
42:16The value of area-- notice, this is very important.
42:18The value of area did not change.
42:23And it did not change because these are all the instructions
42:26we told the computer to do.
42:28We just told it to change radius to be radius plus 1.
42:33We never told it to recalculate the value of area.
42:37If I copied that line down here, then the value of area
42:41would change.
42:42But we never told it to do that.
42:44The computer only does what we tell it to do.
42:46That's the last thing.
42:47Next lecture, we're going to talk about adding control
42:51flow to our programs, so how do you tell the computer
42:53to do one thing or another?
42:55All right.
</pre>
</div>
</div>

===Lecture Notes - lecture 1 py===
Source: https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/920cc911b6eb5747f2ccd431bbc4306b_lec1.py<br>
<div class="toccolours mw-collapsible mw-collapsed">
lecture 1 py
<div class="mw-collapsible-content">
<pre>
pi = 3.14159
radius = 2.2
# area of circle equation <- this is a comment
area = pi*(radius**2)
print(area)

# change values of radius <- another comment
# use comments to help others understand what you are doing in code
radius = radius + 1
print(area) # area doesn't change
area = pi*(radius**2)
print(area)

#############################
#### COMMENTING LINES #######
#############################
# to comment MANY lines at a time, highlight all of them then CTRL+1
# do CTRL+1 again to uncomment them
# try it on the next few lines below!

#area = pi*(radius**2)
#print(area)
#radius = radius + 1
#area = pi*(radius**2)
#print(area)

#############################
#### AUTOCOMPLETE #######
#############################
# Spyder can autocomplete names for you
# start typing a variable name defined in your program and hit tab
# before you finish typing -- try it below

# define a variable
a_very_long_variable_name_dont_name_them_this_long_pls = 0

# below, start typing a_ve then hit tab... cool, right!
# use autocomplete to change the value of that variable to 1

# use autocomplete to write a line that prints the value of that long variable
# notice that Spyder also automatically adds the closed parentheses for you!
</pre>
</div>
</div>

===pdf-Slides for Lecture 1===
Source:https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/resources/mit6_0001f16_lec1/<br>
IPFS:<code>QmemB25bVuN2fuiAq3JaDM4J5MYit6HfCCsU3EFTWL7wpF</code><br>

===Problem Set 1===
Source:https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/resources/mit6_0001f16_ps1/<br>
IPFS:<code>QmbxaDU9U4hquK4Dhb365nD5qG5eEFUM6NABqXRaux6tRB</code><br>

===Additional Python Resources ===
Source:https://ocw.mit.edu/courses/6-0001-introduction-to-computer-science-and-programming-in-python-fall-2016/resources/mit6_0001f16_additional/<br>
IPFS:<code>QmYWPVdHEbhmdFXNR9R46ey5eykyFPeCZ1joXE6z28L1VB</code><br>

<div class="toccolours mw-collapsible mw-collapsed">
Additional Python Resources:
<div class="mw-collapsible-content">
If you're having trouble with a particular concept or simply want to have access to more
information, try one of the following links.

====DOCUMENTATION====
* [[https://docs.python.org/3/library/index.html Official Python 3 Documentation]] - "official"/technical explanation of what a particular function/operator
does, examples of correct syntax, what the various libraries are, etc.

====TEXTBOOKS/TUTORIALS====
* [[https://diveintopython3.net/ Dive Into Python]] - another survey of Python syntax, datatypes, etc.
* [[http://greenteapress.com/wp/think-python-2e/ Think Python by Allen Downey]] - a good general overview of the Python language. Includes exercises.
* [[https://docs.python.org/3/tutorial/ The Official Python Tutorial]] - self-explanatory
* [[https://learnpythonthehardway.org/book/ Learn Python the Hard Way]] - (note: for Python 2) another free online text
* [[https://docs.python.org/3.0/reference/lexical_analysis.html#id8 Reserved Keywords in Python]] - don't use these as variable names
* [[https://peps.python.org/pep-0008/ PEP 8 - Style Guide for Python Code]] - learn what is good and bad style in Python
* [[https://checkio.org/ CheckIO]] - learn Python by exploring a game world
* [[https://inventwithpython.com/ Invent with Python]] - develop your Python skills by making games or hacking ciphers
* [[https://www.codecademy.com/catalog Codecademy]] - (note: for Python 2) learn Python by building web apps and manipulating data; interactive
tutorial sequence
* [[https://pythontutor.com Python Tutor]] - interactive tutorial sequence of exercises

====DEBUGGING====
* [[https://pythontutor.com/ Python Tutor]] - an excellent way to actually visualize how the interpreter actually reads and executes
your code
* [[https://www.diffchecker.com/ DiffChecker]] - compares two sets of text and shows you which lines are different
* [[https://pythonconquerstheuniverse.wordpress.com/2009/09/10/debugging-in-python/ Debugging in Python]] - steps you can take to try to debug your program

====OTHER Q&A====
* [[https://stackoverflow.com/questions/tagged/python Stack Overflow]] - a large Q&A forum for programming concepts (not just Python). Try searching here
before you post on the edX forum, and you may find that someone has already answered your question.

====MORE PRACTICE PROBLEMS====
* [[http://www.pythonchallenge.com/ Python Challenge]] - a series of puzzles you can try to test your Python abilities
* [[https://projecteuler.net/ Project Euler]] - additional programming challenges you can try once your Python knowledge becomes
stronger; problems are sorted by increasing difficulty
* [[https://codingbat.com/python Coding Bat]] - problems you can solve within an online interpreter
* [[https://www.codewars.com/?language=python Codewars]] - improve your skills by training on real code challenges

MIT OpenCourseWare
https://ocw.mit.edu
6.0001 Introduction to Computer Science and Programming in Python
Fall 2016
For information about citing these materials or our Terms of Use, visit: https://ocw.mit.edu/terms.

</div>
</div>

==2==
mit-test-course/2/MIT6_0001F16_Lecture_02_300k.mp4<br>
https://ipfs.io/ipfs/QmTFdkMJnzUcwgs1hdoF7qtADE2NqTJVaF9CfgULbzSuA9<br>
<code>QmTFdkMJnzUcwgs1hdoF7qtADE2NqTJVaF9CfgULbzSuA9</code> <br>
<br>
mit-test-course/2/ba2947b25b1580e4a84df0ec5dbe5cdd_MIT6_0001F16_Lec2.pdf<br>
https://ipfs.io/ipfs/QmNiZvEh6UmpHLTxw4saN7WdojzBokp2JCbucYzrekoQBK<br>
<code>QmNiZvEh6UmpHLTxw4saN7WdojzBokp2JCbucYzrekoQBK</code><br>
<br>
mit-test-course/2/d6ee838ee4c85ace93a4e170cfd83c03_lec2_branch_loops.py<br>
https://ipfs.io/ipfs/QmPjEzEu56mqeE19Vth9AkDbAxz7wAWg9zMVvF9FZ1UBvK<br>
<code>QmPjEzEu56mqeE19Vth9AkDbAxz7wAWg9zMVvF9FZ1UBvK</code><br>
<br>

==3==

MIT6_0001F16_Lecture_03_300k.mp4<br>
<code>QmTTCsuhbnjXWuigZLSgKAt4DjFsm78MANo3KUMGcK98s1</code><br>
<br>
88de925a1fb925e46a08bc5f34d029bd_lec3_strings_algos.py<br>
<code>QmYppDgGMptihHA7ixFw2GHvspN8Bw1HY21HtUpQNxi23i</code><br>
<br>
b9b9a82a29e8746db1facfbd30c07940_MIT6_0001F16_Lec3.pdf<br>
<code>QmP2AZfUx8RTqCGamJtPyodFU8dHG8QrBHYKkP79YepEe9</code><br>

==4==

MIT6_0001F16_Lecture_04_300k.mp4<br>
<code>QmQuc5zpaJdMfRYxTLyZc5DQuota1FjuJiqgWf8ctGmRsU</code><br>
<br>
6ba59859535f1566dd57a7279aeba5d1_MIT6_0001F16_Lec4.pdf<br>
<code>QmP1p4h21ogMxWeeX2PiDibQbHqWer7ABCsMrfMxEx7QBW</code><br>
<br>
9e8439a27af18817e046ac37333d03f6_lec4_functions.py<br>
<code>QmNtPQncXMYNBnX4NoNfx2ifetrfvrATamdrsjx4u9iQ7c</code><br>

==5==
MIT6_0001F16_Lecture_05_300k.mp4<br>
<code>Qmco5sKKQfnWUNP9ZUxLkDhoV6jfjv8L4AdzES7En41AzP</code><br>
<br>
1776670e271578eeb99fc25975f20586_MIT6_0001F16_Lec5.pdf<br>
<code>QmSdxg2inPbK1FSynNdPUka6CUZtEGG6sdPZgxaAgb46GE</code><br>
<br>
cdf5f8e7f109952655f4d253ed955555_lec5_tuples_lists.py<br>
<code>QmThDori5ETa3U27DFpndU7RmsLgG7zjpqGVxAncCupSuc</code><br>

==6==
<br>MIT6_0001F16_Lecture_06_300k.mp4<br>
<code>QmVzK3PVETv69Y27UKDfaQQM5um8ByMdYQS3TzD2EkoR42</code><br>
<br>876348c652c5353daccc96e1b7d577bb_MIT6_0001F16_Lec6.pdf<br>
<code>QmQAqSGJAeoypUMyUnb7hRrziDyRAwymcTGdcaydT5i73s</code><br>
<br>706228e592761d9c7c1c073f8ba7a6cc_lec6_recursion_dictionaries.py<br>
<code>QmaGhNYnR5yUMYZf4q7qLsNwEW6B7pbLbgJokJBTNSA2FT</code><br>

==7==
<br>MIT6_0001F16_Lecture_07_300k.mp4<br>
<code>QmUyiqpAUA91w4Xm2Dz2wPr6kE6wTzA1apwJziTdBysRLw</code><br>
<br>
51bdde43dfd773ba20747ce5d89119ac_MIT6_0001F16_Lec7.pdf<br>
<code>QmcqZoeVrsfBv4Ri6M8KtiLdy3VpKnyznDFhX8zvfd3Qrs</code><br>
<br>
abdd1d61892ccce9be2ad84e52004e07_lec7_debug_except.py<br>
<code>QmeVKCB6ponYr4f72MuNwegukX9t42NTywNHpDPgyNi9ae</code><br>
<br>

==8==

<br>MIT6_0001F16_Lecture_08_300k.mp4
<br><code>QmZFSSPndvRfPT2vyehuyEQitfb8CzdYkA7orFAKyvhA4u</code><br>
<br>7a6f85d03f132dcd9d7592bc4643be1c_MIT6_0001F16_Lec8.pdf
<br><code>QmdccChFuYBCiLmufEmk6oXCHybaUQiPXajD3c3xMupiaC</code><br>
<br>0705ac9dcc7e637a0e8e9d97eb258a26_lec8_classes.py
<br><code>QmQCaZZA75UQ5pAKy8zhcz6Ci8yY13UVHUvsuXmid86GUH</code><br>
<br>

==9==

<br>MIT6_0001F16_Lecture_09_300k.mp4
<br><code>QmdENonCipE7TK99i7dFz9paqDUSefR4PFdveEmVi5oXAb</code><br>
<br>2dd6c75e7b4bd6bd135078e6f3701201_MIT6_0001F16_Lec9.pdf
<br><code>QmbaJFk4mFRmCbtQybK94etyfRA2LcM22Kfvjbvdf6X8Gw</code><br>
<br>bf8e8195044d5f6aefc1a455968e2f3e_lec9_inheritance.py
<br><code>QmQ7UB4PaGBRHvHfDshrASwynvansFVXrp3RNULwhThUsC</code><br>
<br>

==10==

<br>MIT6_0001F16_Lecture_10_300k.mp4
<br><code>QmQNooq1g25LFp1Fxj2tfpKKMKi8NbutkhuXNf5Ppo7t5f</code><br>
<br>066eba6ea6d56a88e56ae325940d4c4c_MIT6_0001F16_Lec10.pdf
<br><code>QmbyP59ttPKGe5ZNADsgqTsgBF3oYGzhZXFfBhszG2nuPm</code><br>
<br>bfa32fd241d88ae02cd3157aed232bac_lec10_complexity_part1.py
<br><code>QmUtgXQXjj2C3qb2UXFrPmKHkFdEjmehk4ZLQhcZ37rEmw</code><br>
<br>

==11==

<br>MIT6_0001F16_Lecture_11_300k.mp4
<br><code>QmR7Ned6iZytjpVHVN6W53EZ5Qg4Zd6EkEcXxn8DjYMgrd</code><br>
<br>bb953fb81d4afa3bc837c16eba613955_MIT6_0001F16_Lec11.pdf
<br><code>QmNPjN3616QdmEWLPokwuTkLL1vrzcLVRSFLWUcukqtxZL</code><br>
<br>bdf800867e6762c6758ecd2230178f41_lec11_complexity_part2.py
<br><code>QmdpwFTFkwnkqWW3CozBBAfeYHchDeVAV7ArkA1dUqbUZ4</code><br>
<br>

==12==

<br>MIT6_0001F16_Lecture_12_300k.mp4
<br><code>QmPWidAv5mBrgEcKDVqWe62JaAiwBWs8KZc1S8r3bbJsvY</code><br>
<br>6425d0dabb1cea1a076b8c46c0ae2da6_MIT6_0001F16_Lec12.pdf
<br><code>QmToP68Knz71euVuntRWtz6UshRoiRssELJNFMeP1f2sR5</code><br>
<br>310536cd5f5aa1fc0c11726ce13c565e_lec12_sorting.py
<br><code>QmbV8ct8DEQyRGRDSX4PaQBXk8r8ryYLDNwTa2buC7kcP5</code><br>
<br>

Nix Package Manager in an Ubuntu 22.04 LXC Container for Testing

2023-07-17T13:45:21Z

Noob: /* Remove/Uninstall a Package */

==prerequisite==

* LXD - Basic knowledge , install LXD and launch a container
* Terminal: will be using the terminal.

== Create a container ==

<code>lxc launch ubuntu:2204 nix</code>

<code>lxc exec nix bash</code>

<code>apt update && apt upgrade -y</code>

== Optional steps for the paranoid ==

The default Ubuntu containers come with a user named '''ubuntu'''. In a new container, this user does not have a password set and can run sudo without being prompted for a password. This configuration is not ideal from a security perspective.

=== Create a new user ===

Next, we will create a new user named '''nix''' and set a password for this user. This user will be used for the rest of the setup and general use of the container.

Create the new user:

<code>adduser nix</code>

Follow the prompts to set a password and provide any other requested information.

====Adding new user to '''sudoers''' file====

'''WARNING''': Be cautious while editing the sudoers file as errors could lead to some serious issues with the system. A syntax error in the sudoers file could potentially lock out all users from gaining superuser privileges.

* Note: by default in Ubuntu when you use '''visudo''' the default terminal editor is '''nano'''
<code>visudo</code>

Once you're in the editor, you can navigate using the arrow keys. Go down to the section that looks like this:

<pre>
# User privilege specification
root ALL=(ALL:ALL) ALL
</pre>

Below the root user line, add a similar line for the 'nix' user:

<pre>
nix ALL=(ALL:ALL) ALL
</pre>

press <code>CTRL O</code> to write to file and <code>CTRL X</code> to exit.

=== Delete the 'ubuntu' user ===

Now that we have a new, secure user set up, we can delete the default ubuntu user for added security.

Delete the ubuntu user:

<code>deluser --remove-home ubuntu</code>

Now, switch to the new nix user:

<code>su - nix</code>

You now have a container set up with the nix user. This user is more secure than the default ubuntu user because it requires a password for sudo operations. You can now proceed with the rest of your setup process.

==Download and install==
If you did not follow the '''Optional steps for the paranoid''' change user to '''ubuntu'''
* <code>su - ubuntu</code>

<code>wget https://nixos.org/nix/install</code>

* install using '''Single-user installation'''
<code>sh install --no-daemon</code>

Return Output:<br>
<pre>
ubuntu@nix:~$ sh install --no-daemon
downloading Nix 2.16.1 binary tarball for x86_64-linux from 'https://releases.nixos.org/nix/nix-2.16.1/nix-2.16.1-x86_64-linux.tar.xz' to '/tmp/nix-binary-tarball-unpack.g0HlgbTnoO'...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 21.0M 100 21.0M 0 0 5176k 0 0:00:04 0:00:04 --:--:-- 5178k
Note: a multi-user installation is possible. See https://nixos.org/manual/nix/stable/installation/installing-binary.html#multi-user-installation
performing a single-user installation of Nix...
directory /nix does not exist; creating it by running 'mkdir -m 0755 /nix && chown ubuntu /nix' using sudo
copying Nix to /nix/store.................................................
installing 'nix-2.16.1'
building '/nix/store/2bdqkggqrhiwrklp7y9sfrqdkrw9xihd-user-environment.drv'...
unpacking channels...
modifying /home/ubuntu/.profile...

Installation finished! To ensure that the necessary environment
variables are set, either log in again, or type

. /home/ubuntu/.nix-profile/etc/profile.d/nix.sh

in your shell.

</pre>

* set necessary environment variables
<code>. /home/ubuntu/.nix-profile/etc/profile.d/nix.sh</code>

<div class="toccolours mw-collapsible mw-collapsed">
Explanation: <code>. /home/ubuntu/.nix-profile/etc/profile.d/nix.sh</code>
<div class="mw-collapsible-content">
Let's break down the command <code>. /home/ubuntu/.nix-profile/etc/profile.d/nix.sh</code>:

: '''.''' (also known as source in bash): This is a shell built-in command which reads and executes commands from the file specified as its argument, in the current shell environment. So it is as if they were typed at the keyboard.

: <code>/home/ubuntu/.nix-profile/etc/profile.d/nix.sh</code> This is the full path of the script that is sourced.

When you execute the command <code>. /home/ubuntu/.nix-profile/etc/profile.d/nix.sh</code>, you are essentially telling your shell to execute the commands in the nix.sh file within the same shell you're currently running. This is done instead of starting a new shell process, which would be the case if you ran the script like a typical shell script with bash /path/to/script.sh or ./script.sh.

The nix.sh script contains environment variable settings and possibly other setup needed for using Nix packages. By running this script with ., these environment settings are preserved in your current shell.

The '''.''' command is often used in configuration and startup scripts where you want settings within a script to affect your current shell's environment.
</div>
</div>

== Channels ==

A channel in Nix is a collection of Nix expressions (the packages available for installation) that are versioned and updated together. In other words, a channel in Nix is similar to a repository in other types of package management systems.

===List channels===

<code>nix-channel --list</code>
* Output:
<pre>
nixpkgs https://nixos.org/channels/nixpkgs-unstable
</pre>

===Update channels===
When you update your channels (with the nix-channel --update command), you're downloading the latest set of package expressions from the channels you are subscribed to.

<code>nix-channel --update</code>

===Search a package===

Syntax: <code>nix search nixpkgs <PACKAGE_NAME></code>

<code>nix search nixpkgs bluefish</code>
* Return Output:
<pre>
ubuntu@nix:~$ nix search nixpkgs bluefish
error: experimental Nix feature 'nix-command' is disabled; use '--extra-experimental-features nix-command' to override
</pre>

FIX:<br>

<code>nix search nixpkgs bluefish --extra-experimental-features nix-command</code>
*Return Ouput:
<pre>
error: experimental Nix feature 'flakes' is disabled; use '--extra-experimental-features flakes' to override
</pre>

FIX:
<code>nix search nixpkgs bluefish --extra-experimental-features nix-command --extra-experimental-features flakes</code>
* Ruturn output:
<pre>
* legacyPackages.x86_64-linux.bluefish (2.2.12)
A powerful editor targeted towards programmers and webdevelopers
trace: warning: qt5 now uses makeScopeWithSplicing which does not have "overrideScope'", use "overrideScope".
</pre>

<div class="toccolours mw-collapsible mw-collapsed">
This warning is a developer-oriented message and doesn't directly impact you as an end-user:
<div class="mw-collapsible-content">
The trace: warning message is intended for the maintainers of the package you're trying to install (in this case, the bluefish package from nixpkgs).

Nix is telling us that the qt5 package (which bluefish may depend on) has switched to a different method for managing its internal dependencies. More specifically, it's switched to a method called makeScopeWithSplicing.

This is just a way that Nix organizes and overrides dependencies within packages. It seems like qt5 previously used something called overrideScope', but it now uses makeScopeWithSplicing.

The overrideScope' method is no longer available in this context, so the warning is instructing developers to use makeScopeWithSplicing instead when they're working on the qt5 package or packages that depend on it.

For you as an end-user, there is no action required unless the warning turns into an error or if the package does not work as expected. The package should still install and function normally. This warning is more of an FYI for people maintaining or developing with these packages.
</div>
</div>

Bluefish is a GUI program and we have not setup container for X forwarding so lets try cowsay.

<code>nix search nixpkgs cowsay --extra-experimental-features nix-command --extra-experimental-features flakes</code>
* Return output:
** Note: the package name is after <code>legacyPackages.x86_64-linux.</code>
** <code>legacyPackages.x86_64-linux.<PACKAGE_NAME></code>
<pre>
* legacyPackages.x86_64-linux.charasay (3.0.0)
The future of cowsay - Colorful characters saying something

* legacyPackages.x86_64-linux.cowsay (3.7.0)
A program which generates ASCII pictures of a cow with a message

* legacyPackages.x86_64-linux.emacsPackages.cowsay (20210510.1540)

* legacyPackages.x86_64-linux.neo-cowsay (2.0.1)
Cowsay reborn, written in Go

* legacyPackages.x86_64-linux.pokemonsay (1.0.0)
Print pokemon in the CLI! An adaptation of the classic cowsay

* legacyPackages.x86_64-linux.ponysay (2021-03-27)
Cowsay reimplemention for ponies

* legacyPackages.x86_64-linux.tewisay (2022-11-04)
Cowsay replacement with unicode and partial ansi escape support

* legacyPackages.x86_64-linux.xcowsay (1.6)
Tool to display a cute cow and messages
</pre>

===Install a package===

<code>nix-env -iA nixpkgs.pokemonsay</code>

<div class="toccolours mw-collapsible mw-collapsed">
Explanation: <code>nix-env -iA nixpkgs.pokemonsay</code>
<div class="mw-collapsible-content">
The command '''nix-env -iA nixpkgs.pokemonsay''' is used to install the pokemonsay package from the nixpkgs channel in Nix.

Here's a breakdown of the command:

: nix-env: This is the main command used for user environment management in Nix. It can install, upgrade, and remove software, among other tasks.

: -iA: This is a combination of two options. -i stands for install and -A stands for attribute. The -A option allows you to install a package using its attribute path (nixpkgs.pokemonsay in this case), which is often more reliable than using the package name.

: nixpkgs.pokemonsay: This is the attribute path of the package you want to install. nixpkgs is the name of the channel, and pokemonsay is the name of the package in that channel.

So, when you run nix-env -iA nixpkgs.pokemonsay, Nix will look for the pokemonsay package in the nixpkgs channel and install it into your user environment.
</div>
</div>

<div class="toccolours mw-collapsible mw-collapsed">
Understanding -A flag in Nix commands:
<div class="mw-collapsible-content">

The command '''nix-env -i <package>''' installs a package by its name rather than its attribute path. For example, '''nix-env -i firefox''' will install the Firefox browser.

This command can sometimes lead to ambiguity because multiple versions of the same package may be available in the channel, or there may be similarly-named packages. This is why it is often recommended to install packages using the -A flag and the package's attribute path, like '''nix-env -iA nixpkgs.firefox'''.

It's important to note that while the attribute path usually includes the package name, it might also include other information. For instance, a channel might have separate attributes for different versions of a package, or for the same package built with different options.

Here's a little more information on the difference between these two commands:

* '''nix-env -i <package>''': This command installs a package by its name. The name is a human-readable identifier for the package, like "firefox".

* '''nix-env -iA <attribute path>''': This command installs a package by its attribute path. The attribute path is a precise identifier for the package within a channel, like "nixpkgs.firefox". This command is more reliable because it is more specific.

If you're uncertain about the attribute path for a package, you can find it by searching the package in the [https://nixos.org/nixos/packages.html Nix Packages Search] page.
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
Where does Nix Package Manager install packages?
<div class="mw-collapsible-content">

When you install a package using Nix, the package's files are installed into a directory in the Nix store, which is typically located at '''/nix/store'''. Each package gets its own unique directory in the Nix store, which includes a hash of the package's dependencies to ensure isolation and reproducibility.

For example, if you install the '''pokemonsay''' package, you might end up with a directory like '''/nix/store/abcd1234-pokemonsay-0.0.1''' (the actual hash will be different).

The binary executables of a package are typically located in the '''bin''' subdirectory of the package's directory in the Nix store. For example, the '''pokemonsay''' executable might be located at '''/nix/store/abcd1234-pokemonsay-0.0.1/bin/pokemonsay'''.

When you install a package with '''nix-env -i''', Nix creates symlinks in your user profile (usually in '''/nix/var/nix/profiles''') to the package's files in the Nix store. When you run a command like '''pokemonsay''', your shell finds the '''pokemonsay''' executable through these symlinks.

The result is that each user can have their own set of installed packages, and packages can be installed, upgraded, and removed atomically and without interfering with each other.
</div>
</div>

====using pokemonsay====

'''pokemonsay''' is a fun little command line utility that generates an ASCII picture of a random Pokemon saying a message you provide. Here's how to use it:

<code>pokemonsay -p Pikachu "Greetings fellow Noob"</code>

<div class="toccolours mw-collapsible mw-collapsed">
Explain Syntax: <code>pokemonsay -p Pikachu "Greetings fellow Noob"</code>
<div class="mw-collapsible-content">
* '''pokemonsay''' is the main command. It's the name of the program you're running. It generates an ASCII art image of a Pokémon saying a message.

* '''-p Pikachu''' is an option given to the pokemonsay command. The -p flag specifies that the next argument will be the name of the Pokémon you want to use. In this case, you're asking for Pikachu.
** '''See list of Pokemon''' Use: <code>pokemonsay -l</code>

* '''"Greetings fellow Noob"''' is the message you're asking Pikachu to say. The quotes are used to group the words together into a single argument to the command. Without the quotes, each word would be treated as a separate argument, which is not what you want in this case.
</div>
</div>

<code>pokemonsay --help</code> for more info.

===Upgrade a package===

To upgrade a package installed with Nix, you can use the following command:

<code>nix-env -uA nixpkgs.pokemonsay</code>
<div class="toccolours mw-collapsible mw-collapsed">
Explanation: <code>nix-env -uA nixpkgs.pokemonsay</code>
<div class="mw-collapsible-content">
The command '''nix-env -uA nixpkgs.pokemonsay''' is used to upgrade the pokemonsay package from the nixpkgs channel in Nix.

Here's a breakdown of the command:

: nix-env: This is the main command used for user environment management in Nix. It can install, upgrade, and remove software, among other tasks.

: -uA: This is a combination of two options. -u stands for upgrade and -A stands for attribute. The -A option allows you to upgrade a package using its attribute path (nixpkgs.pokemonsay in this case), which is often more reliable than using the package name.

: nixpkgs.pokemonsay: This is the attribute path of the package you want to upgrade. nixpkgs is the name of the channel, and pokemonsay is the name of the package in that channel.

When you run '''nix-env -uA nixpkgs.pokemonsay''', Nix will look for the pokemonsay package in the nixpkgs channel and upgrade it in your user environment.

To upgrade all installed packages in your user environment, you can use the command <code>nix-env -u</code> without specifying a package.
</div>
</div>

===Check for updates===

To check for updates to the packages installed on your system without actually installing them, you can use the `nix-env -u` command in "dry run" mode by including the `--dry-run` option. The command would look like this:

<code>nix-env -u --dry-run</code>

<div class="toccolours mw-collapsible mw-collapsed">
Explanation: <code>nix-env -u --dry-run</code>
<div class="mw-collapsible-content">
The '''nix-env -u --dry-run''' command will list the updates available for the packages installed on your system without actually applying the updates.

: '''nix-env''' : This is the main command used for user environment management in Nix.

: '''-u''' : This flag stands for update. When used alone, it will update all installed packages to their latest versions.

: '''--dry-run''' : This option prevents the command from actually installing the updates. Instead, it just shows what updates would be installed if you ran the command without the --dry-run option.
</div>
</div>

===List installed packages===

To list the packages that you have installed using Nix, you can use the nix-env -q command. If you want to see more details, including the version number, you can use the --verbose flag:

<code>nix-env -q --verbose</code>
<div class="toccolours mw-collapsible mw-collapsed">
Explanation: <code>nix-env -q --verbose</code>
<div class="mw-collapsible-content">
The '''nix-env -q --verbose''' command lists all installed packages, showing their names and versions:

: '''nix-env''' : This is the main command used for user environment management in Nix. It can install, upgrade, and remove software, among other tasks.

: '''-q''' : This option stands for "query". It lists the installed packages.

: '''--verbose''' : This option shows more detailed information, including the version number of each installed package.
</div>
</div>

===Check for specific package version===

To check the version of a specific package available in the Nix packages channel, you can use the `nix-env -qaP` command with a regex pattern matching the package name:

<code>nix-env -qaP '.*pokemonsay.*'</code>

<div class="toccolours mw-collapsible mw-collapsed">
Explanation: <code>nix-env -qaP '.*pokemonsay.*'</code>
<div class="mw-collapsible-content">
The '''nix-env -qaP '.*pokemonsay.*''' command queries the Nix packages channel for available versions of 'pokemonsay', and shows the latest version that is available in the channel.

: '''nix-env''' : This is the main command used for user environment management in Nix.

: '''-qaP''' : These options stand for "query available --attr-path". It queries the available packages in the Nix packages channel and shows their attribute paths and versions.

: '''.*pokemonsay.*''' : This is a regex pattern matching the package name. It will match any package name that contains 'pokemonsay'.

::* '''.*''': This part of the pattern matches any number of any characters. The . means "any character", and the * means "zero or more times".

::* '''pokemonsay'''': This is the sequence of characters that you want to find.

::* '''.*''': This part of the pattern matches any number of any characters after 'pokemonsay'.

</div>
</div>

Certainly, here's the formatted wiki entry:

===Remove/Uninstall a Package===

To remove or uninstall a package that you have installed using Nix, you can use the nix-env -e command followed by the package name:

<code>nix-env -e pokemonsay</code>
<div class="toccolours mw-collapsible mw-collapsed">
Explanation: <code>nix-env -e pokemonsay</code>
<div class="mw-collapsible-content">
The '''nix-env -e pokemonsay''' command uninstalls the 'pokemonsay' package from your user environment in Nix.

Here's a breakdown of the command:

: '''nix-env''': This is the main command used for user environment management in Nix.

: '''-e''': This option stands for "erase", which is used to remove a package.

: '''pokemonsay''': This is the name of the package that you want to remove. You should use the same name format that nix-env -q uses when it lists your installed packages.

After running this command, the 'pokemonsay' package will be removed from your user environment.

To confirm the package has been removed successfully, you can run the nix-env -q command again and you should not see the uninstalled package in the list of installed packages.
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
Troubleshooting: Uninstalling a Package
<div class="mw-collapsible-content">
In case you encounter an error similar to the following:
<code>warning: selector 'nixpkgs.pokemonsay' matched no installed derivations</code>
This might mean that the package name you're trying to uninstall does not match exactly with the installed version. You should use the name format that appears when you list your installed packages with the `nix-env -q` command.
</div>
</div>

This command will only remove the package from your user environment. The package's files will remain in the Nix store (/nix/store) until you run a garbage collection operation, which you can do with the nix-collect-garbage command. This is because other users or profiles might still be using the package.

The garbage collector in Nix works by deleting any packages from the Nix store that are no longer referenced by any profiles or by the Nix packages channel. This ensures that it's safe to delete the package: it won't break anything else that depends on it.

===Using nix-shell for Temporary Environment===

Nix-shell is a command that creates a temporary environment in your shell with certain packages available. The -p option allows you to specify the packages you want to include. For example, if you want to have gcc (the GNU Compiler Collection) available in your shell, you would use:

<code>nix-shell -p gcc</code>
<div class="toccolours mw-collapsible mw-collapsed">
Explanation: <code>nix-shell -p gcc</code>
<div class="mw-collapsible-content">

The '''nix-shell -p gcc''' command creates a temporary environment with the specified packages available for use:

: '''nix-shell''' : This command creates a temporary shell environment. It's a feature of Nix that lets you create an isolated environment for your shell, where you can make certain packages available without affecting your global environment.

: '''-p gcc''' : The -p option specifies the packages you want to include in your temporary environment. In this case, 'gcc' is specified, so the GNU Compiler Collection will be available in the temporary environment.

This command doesn't affect your global environment or other shells. This feature is useful if you want to test a certain package or need to use different versions of packages for different projects. It can also help with scripting, since you can specify exactly which packages a script needs to run.
</div>
</div>

COMPLETENOOBS FUNDING

2023-06-21T12:09:00Z

Noob: /* PayPal */

'''Our Mission'''

At CompleteNoobs, we believe in making computer science education open, accessible, and free for everyone. Our goal is to create a comprehensive platform that provides resources, tutorials, and courseware to hobbyists, sysadmins, teachers, students, and anyone interested in the field.

'''How Your Support Helps'''

As a one-person team, working part-time to make ends meet while developing this project, your support means a lot. Your contributions will enable us to dedicate more time and resources to CompleteNoobs, ensuring that we can create a high-quality educational platform that benefits learners worldwide.

==Direct Bank transfer==

closed for now

==PayPal==

closed for now

==VPS services with affiliate link==
===Vultr.com===

If you're looking for a reliable VPS service, we've been using <b>Vultr</b> for years and have been very happy with their service. By signing up through our referral link, you can also support CompleteNoobs.

<br>A Referral link to Vultr's - Tell A Friend about Vultr and Earn up to $35 for referring clients!<br>
<code>https://www.vultr.com/?ref=9053528-8H</code><br>
* Duplicate accounts not eligible. Referred customer must link a valid credit card or Paypal method to be eligible for the $100 credit. Unused portion of $100 credit expires after 14 days.<br>
Note: you need account to view this page on vultr, sum up below:https://my.vultr.com/referral/special/<br>
1. $35 earned for every new unique paid user you refer.<br>
2. The users you refer receive $100 to test out our platform*.<br>
3. Referred users must be active for 14+ days and use at least $35 in payments to be counted as verified sales.<br>
4. Payouts are finalized and issued on the business day following the 1st and 15th of each month.<br>
5. Your referral link below uniquely identifies your account. Use this code when linking to Vultr.com and start earning today!<br>

COMPLETENOOBS FUNDING

2023-06-21T12:08:48Z

Noob: /* Direct Bank transfer */

'''Our Mission'''

At CompleteNoobs, we believe in making computer science education open, accessible, and free for everyone. Our goal is to create a comprehensive platform that provides resources, tutorials, and courseware to hobbyists, sysadmins, teachers, students, and anyone interested in the field.

'''How Your Support Helps'''

As a one-person team, working part-time to make ends meet while developing this project, your support means a lot. Your contributions will enable us to dedicate more time and resources to CompleteNoobs, ensuring that we can create a high-quality educational platform that benefits learners worldwide.

==Direct Bank transfer==

closed for now

==PayPal==

<code>https://paypal.me/completenoobs</code>

==VPS services with affiliate link==
===Vultr.com===

If you're looking for a reliable VPS service, we've been using <b>Vultr</b> for years and have been very happy with their service. By signing up through our referral link, you can also support CompleteNoobs.

<br>A Referral link to Vultr's - Tell A Friend about Vultr and Earn up to $35 for referring clients!<br>
<code>https://www.vultr.com/?ref=9053528-8H</code><br>
* Duplicate accounts not eligible. Referred customer must link a valid credit card or Paypal method to be eligible for the $100 credit. Unused portion of $100 credit expires after 14 days.<br>
Note: you need account to view this page on vultr, sum up below:https://my.vultr.com/referral/special/<br>
1. $35 earned for every new unique paid user you refer.<br>
2. The users you refer receive $100 to test out our platform*.<br>
3. Referred users must be active for 14+ days and use at least $35 in payments to be counted as verified sales.<br>
4. Payouts are finalized and issued on the business day following the 1st and 15th of each month.<br>
5. Your referral link below uniquely identifies your account. Use this code when linking to Vultr.com and start earning today!<br>

COMPLETENOOBS FUNDING

2023-06-13T09:55:05Z

Noob: /* GoFundMe */

'''Our Mission'''

At CompleteNoobs, we believe in making computer science education open, accessible, and free for everyone. Our goal is to create a comprehensive platform that provides resources, tutorials, and courseware to hobbyists, sysadmins, teachers, students, and anyone interested in the field.

'''How Your Support Helps'''

As a one-person team, working part-time to make ends meet while developing this project, your support means a lot. Your contributions will enable us to dedicate more time and resources to CompleteNoobs, ensuring that we can create a high-quality educational platform that benefits learners worldwide.

==Direct Bank transfer==

Noblemage LTD <br>
Account Number: <code>24243132</code><br>
Sort Code: <code>60 05 37</code><br>
BIC: <code>NWBKGB2L</code><br>
IBAN: <code>GB44NWBK60053724243132</code><br>

==PayPal==

<code>https://paypal.me/completenoobs</code>

==VPS services with affiliate link==
===Vultr.com===

If you're looking for a reliable VPS service, we've been using <b>Vultr</b> for years and have been very happy with their service. By signing up through our referral link, you can also support CompleteNoobs.

<br>A Referral link to Vultr's - Tell A Friend about Vultr and Earn up to $35 for referring clients!<br>
<code>https://www.vultr.com/?ref=9053528-8H</code><br>
* Duplicate accounts not eligible. Referred customer must link a valid credit card or Paypal method to be eligible for the $100 credit. Unused portion of $100 credit expires after 14 days.<br>
Note: you need account to view this page on vultr, sum up below:https://my.vultr.com/referral/special/<br>
1. $35 earned for every new unique paid user you refer.<br>
2. The users you refer receive $100 to test out our platform*.<br>
3. Referred users must be active for 14+ days and use at least $35 in payments to be counted as verified sales.<br>
4. Payouts are finalized and issued on the business day following the 1st and 15th of each month.<br>
5. Your referral link below uniquely identifies your account. Use this code when linking to Vultr.com and start earning today!<br>

Wiki Basic Syntax

2023-05-16T17:10:34Z

Noob: /* Line Brake */

==Headings==

Do Not use <code>=Level 1=</code> Level one is for Page titles<br \>

<nowiki>==Level 2 heading==</nowiki>

<nowiki>===Level 3 heading===</nowiki>

<nowiki>====level 4 heading====</nowiki>

<nowiki>=====level 5 heading=====</nowiki>

<nowiki>======level 6 heading======</nowiki>

==Info boxes==
===expanding content===

<div class="toccolours mw-collapsible mw-collapsed">
What you will like in title:
<div class="mw-collapsible-content">

and of course the content when expanded.<br \>
<code>print "hello content"</code>
</div>
</div>

<pre>
<div class="toccolours mw-collapsible mw-collapsed">
What you will like in title:
<div class="mw-collapsible-content">

and of course the content when expanded.<br \>
<code>print "hello content"</code>
</div>
</div>
</pre>

===Collapsing Content===

<div class="toccolours mw-collapsible" style="width:400px; overflow:auto;">
<div style="font-weight:bold;line-height:1.6;">
Content title here
</div>
<div class="mw-collapsible-content">
and here you place the content
<code>print("hello world");</code>
</div>
</div>

<pre>
<div class="toccolours mw-collapsible" style="width:400px; overflow:auto;">
<div style="font-weight:bold;line-height:1.6;">
Content title here
</div>
<div class="mw-collapsible-content">
and here you place the content
<code>print("hello world");</code>
</div>
</div>
</pre>

==Markup==

===Line Brake===
<nowiki><br></nowiki>

===Escape markup===
Escape wiki syntax markup<br \>
<nowiki><nowiki>escaped markup</nowiki></nowiki>

===Code markup===

<code>print "hello world"</code><br \>
<nowiki><code>print "hello world"</code></nowiki>

====Customized colour <code>code</code> text====
<nowiki><code style="color: blue">is this blue</code></nowiki><br>
<code style="color: blue">is this blue</code><br>

===Preforrmated context===
<pre>
Preformatted content
10 print "hello world"
20 goto 10
</pre><br \>
<nowiki>
<pre>
content
</pre>
</nowiki>

====Customized colour preformatted text====

<pre style="color: red">
Preformatted content
10 print "hello world"
20 goto 10
</pre>
<br>
<nowiki>
<pre style="color: red">
Preformatted content
10 print "hello world"
20 goto 10
</pre>
</nowiki>

===BlockQuotes===

<blockquote>
This is
a block quote
</blockquote>

<nowiki>
<blockquote>
This is
a block quote
</blockquote>
</nowiki>

<blockquote>
Many lined <br \>
block <br \>
quote <br \>
</blockquote>

<nowiki>
<blockquote>
Many lined <br \>
block <br \>
quote <br \>
</blockquote>
</nowiki>

===underlined===
<u>underlined</u><br \>
<nowiki><u>underlined</u></nowiki>

===bold===
<b>bold</b><br \>
<nowiki><b>bold</b></nowiki>

also three <code>'</code> on each side<br>
<nowiki>'''</nowiki><br>
<nowiki>'''bold'''</nowiki><br>
'''bold'''<br>

===Italic===
<nowiki>''italic''</nowiki><br \>
''italic''

===bold and italic===
Thats 5 ' each side

<nowiki>'''''Bold and italic'''''</nowiki><br \>
'''''Bold and italic'''''<br>
<nowiki>'''''</nowiki><br>

===Syntax highlighting===
<syntaxhighlight lang="python" line>
def quick_sort(arr):
less = []
pivot_list = []
more = []
if len(arr) <= 1:
return arr
else:
pass
</syntaxhighlight>

<pre>
<syntaxhighlight lang="python" line>
def quick_sort(arr):
less = []
pivot_list = []
more = []
if len(arr) <= 1:
return arr
else:
pass
</syntaxhighlight>
</pre>

* Quick copy/paste
<pre>
<syntaxhighlight lang="python" line>

</syntaxhighlight>
</pre>

===Tables===
https://www.mediawiki.org/wiki/Help:Tables

<pre>
{| class="wikitable"
|+ Dns
|-
|Type
|Host
|Ip address
|TTL
|-
|A record
|@
|12.34.56.78
|auto
|-
|A record
|www
|12.34.56.78
|auto
|}
</pre>

{| class="wikitable"
|+ Dns
|-
|Type
|Host
|Ip address
|TTL
|-
|A record
|@
|12.34.56.78
|auto
|-
|A record
|www
|12.34.56.78
|auto
|}

===Internal Links===
Link to Page:<br \>
<nowiki>[[PAGE_NAME]]</nowiki>

Link to section:<br \>
<nowiki>[SECTION_NAME]</nowiki>

Link to Section on another page:<br \>
<nowiki>[[PAGE_NAME#SECTION | NAME_TO_DISPLAY]]</nowiki>

===Align===
<div style='text-align: left;'>left aligned</div>
<pre><div style='text-align: left;'>left aligned</div></pre>
<div style='text-align: center;'>center aligned</div>
<pre><div style='text-align: center;'>center aligned</div></pre>
<div style='text-align: right;'>right aligned</div>
<pre><div style='text-align: right;'>right aligned</div></pre>

==Youtube extension - Embed Video==

* On wiki page
** https://www.youtube.com/watch?v=wB4gvSgYmfY
** After '''watch?v='''
** <nowiki><youtube>wB4gvSgYmfY</youtube></nowiki>
<youtube>wB4gvSgYmfY</youtube>

* Defaults '''width'''=640 pixels '''height'''=385 pixels
* Change defaults <nowiki><youtube width="800" height="400">wB4gvSgYmfY</youtube></nowiki>

<youtube width="800" height="400">wB4gvSgYmfY</youtube>

Ubuntu 22.04 SSH Guide

2023-05-16T12:14:21Z

Noob: /* Key-based Authentication */

==Understanding SSH==

'''SSH''' is a protocol that uses encryption to secure data transmitted between a client and a server. <br>
It enables users to execute commands, transfer files, and manage remote systems through an encrypted channel. <br>
SSH is widely used by system administrators for managing servers, network devices, and other remote systems.

==Installing SSH==

To start using SSH, you'll need to install and configure both the server and client components.

* OpenSSH-Server
** Is required to allow '''ssh''' connections
* OpenSSH-Client
** Is used to login/connect to OpenSSH-Server

If you are using Ubuntu Desktop, the '''openssh client''' will be preinstalled, allowing you to connect to a server which is running '''openssh-server'''

If you are using Ubuntu Server, both the '''ssh client''' and '''openssh server''' are preinstalled by default.

=== Installing OpenSSH Server===
On Ubuntu distributions, you can install the OpenSSH server by running:

<code>sudo apt install openssh-server</code><br>

Check the SSH server status with:

<code>systemctl status ssh</code>

===Installing OpenSSH Client===

The OpenSSH client is usually pre-installed on most Linux and macOS systems. <br>For Windows, you can install the OpenSSH client by following the instructions on the official website:<br> https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse

==Basic SSH Commands and Usage==
=== Connecting to a remote server===
Connecting to a remote server using SSH is a fundamental task when managing remote systems. Here's how to connect to a remote server using the command-line interface.

Install an SSH client: Ensure you have an SSH client installed on your local machine. Most Unix-based systems, including Linux and macOS, have an SSH client pre-installed. For Windows, you can use the built-in OpenSSH client (available in Windows 10 and later) or a third-party client like PuTTY.

====Gather connection information====
To connect to a remote server, you'll need the following information:
* The remote server's IP address or hostname
* The SSH port number (default is 22)
* Your username on the remote server
* The password for the user on remote server.

====Connect using SSH====
Open a terminal or command prompt on your local machine and use the following command to connect to the remote server:

<code>ssh username@hostname_or_IP</code>

Replace '''username''' with your username on the remote server, '''hostname_or_IP''' with the server's hostname or IP address.

If OpenSSH-Server is running/listening on a port other than the default port '''22''' include the port with the '''-p''' flag.

For example (If port 2222):

: <code>ssh john@example.com -p 2222</code>
Or
: <code>ssh -p 2222 john@example.com</code>

=====Connecting to a Remote Server =====

In this example, we connect to a remote Ubuntu VPS with the following credentials:
<pre>
Username: root
IP address: 12.34.56.78
Password: password2simple
</pre>
Use the following command to connect to the remote server:

<code>ssh root@12.34.56.78</code>

You will be prompted to enter the password. Type password2simple and press Enter. This demonstrates how simple it can be to log into a remote computer with root access.

* If your Server is hosting SSHD on a port other than default 'port 22' include port number with the '''-p''' flag
Example with port 2222:<br>
<code>ssh -p 2222 root@12.34.56.78</code>

====Authenticate====
When connecting for the first time, you'll see a prompt asking you to confirm the remote server's fingerprint. Verify the fingerprint and type "yes" to proceed. Next, you'll be prompted for your password. Enter your password to complete the authentication process.

Once authenticated, you'll have access to the remote server's command line. You can now execute commands and manage the remote server as if you were working on it directly.

Remember that you can use key-based authentication (with a private-public key pair) instead of a password for a more secure and convenient connection method.
== Using SSH config file==

An SSH config file allows you to define and manage multiple SSH connections, simplifying the process of connecting to remote servers. By creating an SSH config file, you can define custom options, such as port numbers, usernames, and key files, for each connection. The SSH config file is typically located in the '''~/.ssh''' directory and named config.

Here's how to create and use an SSH config file:

:* Create the SSH config file: If it doesn't exist, create the config file in the '''~/.ssh''' directory using a text editor:

<code>$EDITOR ~/.ssh/config</code>

:* Define a connection: To define a connection, you'll need to specify a Host entry followed by any options you want to apply to that connection. Here's an example:

<pre>
Host server1
HostName example.com
User your_username
Port 2222
IdentityFile ~/.ssh/id_rsa_server1
</pre>
In this example, we've defined a connection called server1 with the following options:

:* HostName: The hostname or IP address of the remote server (example.com in this case).
:* User: The username to use when connecting to the remote server (replace your_username with your actual username).
:* Port: The port number to use for the SSH connection (2222 in this example).
:* IdentityFile: The path to the private key file to use for authentication (replace ~/.ssh/id_rsa_server1 with the path to your private key file).

You can define multiple connections in the same config file by creating separate Host entries:

<pre>
Host server2
HostName 192.168.1.100
User another_username
Port 22
IdentityFile ~/.ssh/id_rsa_server2
</pre>
:* Save and exit the file: Save your changes and exit the text editor.

:* Connect using the SSH config file: To connect to a remote server using the defined connection, simply use the ssh command followed by the Host entry:

<code>ssh server1</code>

In this example, SSH will automatically use the options defined in the config file for server1, such as the hostname, username, port number, and identity file.

By using an SSH config file, you can simplify the process of managing multiple SSH connections and customize the options for each connection.

==Key-based Authentication==

Why use key-based authentication?
* Server1: 12.34.56.78
* Server2: 12.34.56.87

You are trying to login to Server1 (Your Server), but by mistake you enter your '''user''' and '''password''' to Server2 (Foo's Server), Can Server2 record the '''user''' and '''password''' you used?
[[Ubuntu_18.04_OpenSSH-Server_Capture_Failed_Passwords|YES, Yes it can]]

=== Generating SSH key pairs===

SSH key pairs consist of a private key and a public key. They provide a secure, passwordless authentication method for connecting to remote servers. The private key remains on your local machine, while the public key is added to the remote server's authorized keys. Here's how to generate an SSH key pair:

Open a terminal: On Unix-based systems (Linux and macOS), open a terminal. On Windows, open PowerShell or the Command Prompt.

Generate the key pair: Use the ssh-keygen command to create a new SSH key pair. The following command generates a 4096-bit RSA key pair:

<code>ssh-keygen -t rsa -b 4096</code>

You can also generate other types of keys, such as Ed25519, by changing the -t option:

<code>ssh-keygen -t ed25519</code>

Specify the key's location: When prompted, you can either accept the default location (~/.ssh/id_rsa for RSA keys, ~/.ssh/id_ed25519 for Ed25519 keys) or enter a custom path. It is recommended to use the default location unless you have a specific reason to change it.

Set a passphrase (optional): You can choose to protect your private key with a passphrase. If you do, you'll need to enter the passphrase every time you use the key. This adds an extra layer of security, but can be less convenient for automation or scripting. To set a passphrase, enter it when prompted; otherwise, leave the field blank

====Selecting file name and path for keys====

<code>ssh-keygen -t rsa -b 4096 -f .ssh/nuc</code>

The '''-f''' option in the '''ssh-keygen''' command is used to specify the output file for the generated key pair. In your example, '''ssh-keygen -t rsa -b 4096 -f .ssh/nuc''', the command is generating an RSA key pair with a key length of 4096 bits, and the output files will be saved in the '''.ssh''' directory with the base name '''nuc'''.

Here's a breakdown of the options used in this command:

:* '''-t rsa''': Specifies the key type, in this case, RSA.
:* '''-b 4096''': Specifies the key length, which is 4096 bits in this case. This length offers good security and is generally recommended.
:* '''-f .ssh/nuc''': Specifies the file where the key pair will be saved. The private key will be saved as '''.ssh/nuc''', and the public key will be saved as '''.ssh/nuc.pub'''.

After running this command, you'll have a new key pair with the private key in '''.ssh/nuc''' and the public key in '''.ssh/nuc.pub'''

====Create keys with no passphase====

<code>ssh-keygen -t rsa -b 4096 -N "" -C "MYSERVER" -f ~/.ssh/serverkey</code>

:* '''-t rsa''': Specifies the key type, in this case, RSA.
:* '''-b 4096''': Specifies the key length, which is 4096 bits in this case. This length offers good security and is generally recommended.
:* '''-N ""''': Specifies an empty passphrase for the key pair. This means that the private key will not be encrypted, and no passphrase will be required when using it. This can be less secure, but more convenient for automated processes.
:* '''-C "MYSERVER"''': Adds a comment to the generated key pair. In this case, the comment is "MYSERVER". Comments are useful for identifying keys when you have multiple keys in your ~/.ssh directory or on a remote server.
:* '''-f ~/.ssh/serverkey''': Specifies the file where the key pair will be saved. The private key will be saved as '''~/.ssh/serverkey''', and the public key will be saved as '''~/.ssh/serverkey.pub'''.

After running this command, you'll have a new key pair with the private key in '''~/.ssh/serverkey''' and the public key in '''~/.ssh/serverkey.pub'''. The private key will have an empty passphrase and a comment "MYSERVER" for easier identification.

====Remove the passphrase from an existing SSH private key====

To remove the passphrase from an existing SSH private key, you can use the '''ssh-keygen''' command with the '''-p''' option, which is used for changing the passphrase. Follow these steps:

:* Make a backup of your private key file, just in case something goes wrong during the process. You can do this by running the following command, replacing '''<your_private_key>''' with the filename of your private key:

<code>cp <your_private_key> <your_private_key>.backup</code>

:* Run the '''ssh-keygen''' command with the '''-p''' option, specifying the private key file using the '''-f''' option:
::** '''-p''': Indicates that you want to change the passphrase of an existing private key.
::** '''-f <your_private_key>''': Specifies the private key file whose passphrase you want to change.

<code>ssh-keygen -p -f <your_private_key></code>

:* You will be prompted to enter the old passphrase for the private key. Type it in and press Enter.

:* Next, you'll be prompted to enter a new passphrase. Since you want to remove the passphrase, leave this field empty and press Enter.

:* You'll be asked to confirm the empty passphrase. Press Enter again to confirm.

Your private key now has its passphrase removed. Keep in mind that this makes the private key less secure, as anyone with access to the file can use it without needing to know the passphrase.

====Add/Change a passphrase to an existing SSH Key====

To add a passphrase to an existing SSH private key that doesn't have one, you can use the '''ssh-keygen''' command with the '''-p''' option, just like when you change or remove a passphrase. Here are the steps:

:* '''Make a backup of your private key file''', just in case something goes wrong during the process. You can do this by running the following command, replacing <your_private_key> with the filename of your private key:

<code>cp <your_private_key> <your_private_key>.backup</code>

:* Run the '''ssh-keygen''' command with the -p option, specifying the private key file using the '''-f''' option:

<code>ssh-keygen -p -f <your_private_key></code>

:* You will be prompted to enter the old passphrase for the private key. Since your private key doesn't currently have a passphrase, just press Enter to proceed.

:* Next, you'll be prompted to enter a new passphrase. Type in the passphrase you want to set for the private key and press Enter.

:* You'll be asked to confirm the new passphrase. Type it again and press Enter to confirm.

Your private key now has a passphrase added to it. This provides an extra layer of security, as anyone using the key will need to know the passphrase to access it. Keep in mind that you should use a strong passphrase to ensure better security.

=== Copying public keys to the remote server===
After generating an SSH key pair, you'll need to copy the public key to the remote server to enable key-based authentication. Here's how to do it:

====Using ssh-copy-id====

Use the '''ssh-copy-id''' command (Linux and macOS): On Unix-based systems, you can use the ssh-copy-id command to copy your public key to the remote server:

<code>ssh-copy-id -i ~/.ssh/id_rsa.pub username@hostname_or_IP</code>

Replace ~/.ssh/id_rsa.pub with the path to your public key file (e.g., ~/.ssh/id_ed25519.pub for Ed25519 keys), username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

====Manually copy the public key====

Manually copy the public key (Windows and alternative method): If you don't have access to the ssh-copy-id command or prefer to do it manually, you can:

:* Open your public key file (e.g., id_rsa.pub or id_ed25519.pub) with a text editor and copy its content.>
:* Log in to the remote server via SSH.<br>
:* Create the ~/.ssh directory if it doesn't exist:

<code>mkdir -p ~/.ssh</code>

Edit or create the ~/.ssh/authorized_keys file using a text editor (e.g., nano, vim, or emacs), and paste the content of your public key at the end of the file. Save and close the file.

Set the correct file permissions: To ensure the security of your SSH setup, it's essential to set the proper file permissions on your local machine and the remote server:

:* On your local machine:
:** Private key (id_rsa or id_ed25519): -rw------- (600)
:** Public key (id_rsa.pub or id_ed25519.pub): -rw-r--r-- (644)

:* On the remote server:
:** ~/.ssh directory: drwx------ (700)
:** ~/.ssh/authorized_keys file: -rw------- (600)

To set the permissions on your local machine, use the chmod command:

<pre>
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
</pre>
On the remote server, use the following commands:

<pre>
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
</pre>
Once you've copied your public key to the remote server and set the correct file permissions, you should be able to connect using key-based authentication without the need for a password.

=== Disabling password authentication (optional)===
Disabling password authentication enhances the security of your SSH server by requiring key-based authentication for all connections. You can disable password authentication for specific users or for all users. To do so, follow these steps:

:* Connect to the remote server: Log in to the remote server via SSH using your username and the server's hostname or IP address.

:* Edit the SSH configuration file: Open the SSH server configuration file (usually located at /etc/ssh/sshd_config) with a text editor such as nano, vim, or emacs:

<code>sudo nano /etc/ssh/sshd_config</code>

:* Disabling password authentication for all users: Find the line containing "PasswordAuthentication" and set its value to "no":

<code>PasswordAuthentication no</code>

If the line is commented out (i.e., it starts with a '#'), remove the '#' symbol.

:* Disabling password authentication for a specific user: To disable password authentication only for a particular user, you can use a "Match User" block at the end of the sshd_config file:
<pre>
Match User username
PasswordAuthentication no
</pre>
Replace username with the actual username for which you want to disable password authentication.

:* Save and exit the file: Save your changes and exit the text editor.

:* Restart the SSH server: Apply the changes by restarting the SSH server:

<code>sudo systemctl restart ssh</code>

Now, password authentication will be disabled for the specified user(s), and only key-based authentication will be allowed. Remember that if you disable password authentication, you must have a working SSH key pair set up to access the server, or you may be locked out.

== Configuring the SSH server==

Edit the SSH server configuration file located at <b>/etc/ssh/sshd_config</b> to set your desired settings. You can modify options like the listening port, allowing root login, and more.

===Common sshd_config Options===

The '''sshd_config''' file is located at '''/etc/ssh/sshd_config''' on most Linux systems. This file contains various options and settings that determine the behavior of the OpenSSH server. Each option is followed by its value, and lines starting with a <b>#</b> are considered comments.

Here's an overview of some common options in the sshd_config file:

===Port===

Specifies the port number that the SSH server listens on.<br>

<code>Port 22</code><br>

=== AddressFamily===

Determines the IP address family (IPv4, IPv6, or both) used by the SSH server.

* To specify that the SSH server should only listen for incoming IPv4 connections:
<code>AddressFamily inet</code>

* Or, if you want the SSH server to only listen for incoming IPv6 connections, set the 'AddressFamily' directive to 'inet6':
<code>AddressFamily inet6</code>

* If you want to allow both IPv4 and IPv6 connections, set the 'AddressFamily' directive to 'any':
<code>AddressFamily any</code>

=== ListenAddress===
Specifies the IP address(es) the SSH server listens on. By default, it listens on all available addresses.

<code>ListenAddress 192.168.1.10</code>

=== Protocol===
Defines the SSH protocol version. It's recommended to use only protocol 2.

<code>Protocol 2</code>

=== PermitRootLogin===
Controls whether root login is allowed. It's generally advised to disable root login or set it to "without-password" to allow only key-based authentication for root.

<code>PermitRootLogin no</code>

===PasswordAuthentication===

Enables or disables password-based authentication.

<code>PasswordAuthentication yes</code>

=== PubkeyAuthentication===

Enables or disables public key authentication.

<code>PubkeyAuthentication yes</code>

=== AuthorizedKeysFile===
Specifies the location of the authorized keys file for public key authentication.

<code>AuthorizedKeysFile .ssh/authorized_keys</code>

=== LogLevel===
Sets the logging level for the SSH server.

The LogLevel option in '''sshd_config''' controls the amount of information that SSH daemon (sshd) logs.

There are different log levels that can be set with this option, each providing a different level of detail:

* '''QUIET''': Disables all logging.

* '''FATAL''': Only logs fatal errors.

* '''ERROR''': Logs error messages.

* '''INFO''': Logs informational messages such as login attempts.

* '''VERBOSE''': Logs more detailed information than INFO, including shell commands executed.

* '''DEBUG''': Logs detailed debugging information, including raw protocol details.

The default log level is '''INFO''', which is usually sufficient for most purposes. However, if you need to troubleshoot SSH connections or monitor user activity, setting a higher log level may be helpful.

To change the '''LogLevel''' in '''sshd_config''', you can edit the file '''/etc/ssh/sshd_config''' (or the appropriate configuration file for your system), and add or modify the line:

<code>LogLevel <log_level></code>

Where <log_level> is one of the log levels listed above.

<code>LogLevel INFO</code>

=== LoginGraceTime===

Defines the time allowed for a user to successfully log in.

<code>LoginGraceTime 2m</code>

===MaxAuthTries===

Limits the number of authentication attempts allowed per connection.

<code>MaxAuthTries 6</code>

=== MaxSessions===

Specifies the maximum number of simultaneous sessions allowed per network connection.<br>

<code>MaxSessions 10</code>

=== AllowUsers, DenyUsers, AllowGroups, DenyGroups===

These options control which users and groups are allowed or denied access to the SSH server. They provide a way to manage access control based on usernames and group membership.

* '''AllowUsers''': Specifies a list of users allowed to access the SSH server. Other users will be denied access.
<code>AllowUsers user1 user2 user3</code><br>

* '''DenyUsers''': Specifies a list of users denied access to the SSH server. Other users will be allowed access.
<code>DenyUsers user4 user5</code>

* '''AllowGroups''': Specifies a list of groups whose members are allowed to access the SSH server. Users not belonging to these groups will be denied access.
<code>AllowGroups group1 group2</code>

* '''DenyGroups''': Specifies a list of groups whose members are denied access to the SSH server. Users not belonging to these groups will be allowed access.
<code>DenyGroups group3 group4</code>

Note that the order in which these options are applied is '''DenyUsers''', '''AllowUsers''', '''DenyGroups''', and finally '''AllowGroups'''.

===Banner===

The Banner option allows you to display a message or warning to users before they log in to the SSH server. This is often used to display legal notices, security warnings, or other important information.

To enable the banner, set the Banner option to the path of a text file containing the message you want to display:

<code>Banner /etc/ssh/banner.txt</code>

Create the /etc/ssh/banner.txt file and add your desired message. The content of this file will be displayed to users before they log in.

==Advanced sshd_config Options==
=== PermitTunnel===
The PermitTunnel option enables or disables the use of SSH tunneling. Tunnels can be used to forward ports or create VPN-like connections between the client and the server.
* There are four possible values for this option:

: '''"yes"''': Allows all types of tunnels.<br>
: '''"point-to-point"''': Allows only point-to-point (Layer 3) tunnels.<br>
: '''"ethernet"''': Allows only Ethernet (Layer 2) tunnels.<br>
: '''"no"''': Disables tunneling (default).<br>

To enable tunneling, set the PermitTunnel option in the sshd_config file:

<code>PermitTunnel yes</code>

Keep in mind that enabling tunnels may expose your server to additional security risks. Only enable this option if you understand the implications and have a specific use case that requires it.

=== ChrootDirectory===
The ChrootDirectory option allows you to restrict a user or a group to a specific directory (known as a chroot jail) when they log in via SSH. This can enhance security by isolating users and limiting their access to only the necessary parts of the filesystem.

To set up a chroot jail, follow these steps:

Create a directory that will serve as the chroot jail. For example, let's create a directory for user1:

<code>sudo mkdir /home/user1/chroot</code>

Change the ownership of the directory to the user and their primary group:

<code>sudo chown user1:user1 /home/user1/chroot</code>

In the sshd_config file, add a Match block at the end of the file to specify the ChrootDirectory for user1:
<pre>
Match User user1
ChrootDirectory /home/user1/chroot
</pre>

Restart the SSH server to apply the changes:

<code>sudo systemctl restart ssh</code>

Now, when user1 logs in via SSH, they will be restricted to the /home/user1/chroot directory and won't be able to access other parts of the filesystem.

Note that the chroot jail should be owned by root and not writable by the user. If you need to provide write access to specific directories, create subdirectories inside the chroot jail and set appropriate permissions for those. Also, some features like SFTP may require additional configuration within the chroot jail.

===ForceCommand===
The ForceCommand option allows you to specify a command that will be executed when a user logs in via SSH, regardless of the command requested by the user. This can be useful for limiting the actions a user can perform or for automatically running specific tasks upon login.

To use the ForceCommand option, follow these steps:

In the sshd_config file, add a Match block at the end of the file to specify the ForceCommand for a specific user or group. For example, to force user1 to execute the command /usr/bin/my-command upon login:

<pre>
Match User user1
ForceCommand /usr/bin/my-command
</pre>

Restart the SSH server to apply the changes:

<code>sudo systemctl restart ssh</code>

Now, when user1 logs in via SSH, the /usr/bin/my-command will be executed automatically, and they will not be able to run any other command.

Keep in mind that using ForceCommand may limit the user's ability to interact with the server or transfer files via SFTP. Make sure to test and verify the functionality for your specific use case.

=== Match Blocks===

Match blocks in the sshd_config file allow you to apply specific configuration options based on certain criteria, such as the user, group, address, or host. This enables you to create custom rules and settings for different users, groups, or connections.

Match block syntax:

<pre>
Match criteria
Option value
</pre>

Here are some examples of Match blocks and their usage:

Apply settings only for a specific user:
<pre>
Match User user1
PasswordAuthentication no
AllowTcpForwarding yes
</pre>

This configuration disables password authentication and enables TCP forwarding only for user1.

Apply settings for multiple users:
<pre>
Match User user1,user2
ChrootDirectory /home/%u/chroot
</pre>

This configuration sets the chroot directory for both user1 and user2.

Apply settings for a specific group:
<pre>
Match Group group1
PasswordAuthentication yes
</pre>

This configuration enables password authentication only for members of group1.

Apply settings based on the client's IP address:
<pre>
Match Address 192.168.1.0/24
PasswordAuthentication no
</pre>

This configuration disables password authentication for clients connecting from the 192.168.1.0/24 subnet.

Combine multiple criteria:
<pre>
Match User user1 Address 192.168.1.0/24
PasswordAuthentication yes
</pre>
This configuration enables password authentication only for user1 when they connect from the 192.168.1.0/24 subnet.

Remember to restart the SSH server after making changes to the sshd_config file:

<code>sudo systemctl restart ssh</code>

Match blocks offer flexibility in customizing your SSH server's configuration based on various criteria. Use them wisely to enhance security and optimize your server's settings.

==Best Practices and Tips '''sshd_config'''==
When configuring your '''sshd_config''' file, it's essential to follow best practices to ensure the security and stability of your SSH server. Here are some recommendations and tips:

:* Keep the server up-to-date: Always update your SSH server software and the underlying operating system to ensure you have the latest security patches and features.

:* Use strong authentication: Enable key-based authentication (PubkeyAuthentication) and consider disabling password authentication (PasswordAuthentication) to reduce the risk of brute-force attacks.

:* Limit root access: Set "PermitRootLogin" to "no" or "without-password" to prevent direct root login or require key-based authentication for root.

:* Use non-standard ports: Change the default SSH port (22) to a non-standard port to reduce the exposure to automated scans and attacks. Keep in mind this is security through obscurity and should be combined with other security measures.

'''Restrict user access''': Use "AllowUsers," "DenyUsers," "AllowGroups," and "DenyGroups" options to control which users and groups can access the SSH server.

'''Monitor logs''': Regularly check your SSH server logs for any suspicious activity or failed login attempts. Adjust the "LogLevel" setting in sshd_config as needed.
* Default Log Path Ubuntu 22.04: '''/var/log/auth.log'''

'''Use chroot jails''': Isolate users by creating chroot jails using the "ChrootDirectory" option, especially when providing SFTP access or when users don't require full access to the server.

'''Configure connection settings''': Set appropriate values for "LoginGraceTime" and "MaxAuthTries" to limit the time allowed for successful login and the number of authentication attempts per connection.

'''Use a strong firewall''': Configure your server's firewall to only allow SSH connections from trusted IP addresses or networks.

'''Regularly review and audit''': Periodically review your sshd_config settings and make adjustments as necessary. Keep up-to-date with SSH security best practices and recommendations.

By following these best practices and tips, you can enhance the security and performance of your SSH server, protecting it from unauthorized access and potential attacks.

===Troubleshooting sshd_config Issues===

When encountering problems with your SSH server configuration, it's important to know how to diagnose and resolve issues. Here are some common problems and troubleshooting steps:

Check syntax and configuration errors: If the SSH server is not starting or not functioning as expected, check the sshd_config file for any syntax or configuration errors. Use the following command to test the configuration file for errors:

<code>sudo sshd -t</code>

If there are any issues, the command will provide error messages with information on what needs to be fixed.

Review log files: Inspect the SSH server log files for any error messages or relevant information. The location of the log files may vary depending on your system, but common locations are /var/log/auth.log or /var/log/secure. Tail the log file while attempting to connect to get real-time information:

<code>sudo tail -f /var/log/auth.log</code>

Restart the SSH server

Check firewall settings: Ensure that the server's firewall is allowing SSH connections on the correct port. If you changed the default SSH port, update your firewall rules accordingly.

Verify user permissions: If a specific user is unable to connect, check the user's permissions, home directory, and the settings in the sshd_config file, such as "AllowUsers," "DenyUsers," "AllowGroups," or "DenyGroups."

SSH server from a client, use the verbose mode to get more detailed information about the connection process. This can help identify any issues with authentication or configuration. Run the following command to enable verbose mode:

<code>ssh -v user@example.com</code>

Replace "user@example.com" with the appropriate username and server address. You can increase the verbosity level by adding more "v" characters (e.g., -vv or -vvv) if needed.

Check file permissions: Ensure that the file permissions for the user's home directory, the .ssh directory, and the authorized_keys file are set correctly. The user's home directory should not be writable by other users, the .ssh directory should have permissions set to 700 (drwx------), and the authorized_keys file should have permissions set to 600 (-rw-------).

Test network connectivity: If you're unable to connect to the SSH server, verify that you can reach the server on the network. Use tools like ping, traceroute, or telnet to check the connection to the server and the specific SSH port.

By following these troubleshooting steps, you should be able to diagnose and resolve most issues related to the sshd_config file and the SSH server configuration. Remember to carefully review the settings in your sshd_config file and consult the server logs for additional information when encountering problems.

====After making changes, restart the SSH server:====
<code>sudo systemctl restart ssh</code><br>

== Running commands on a remote server==

Once you've connected to a remote server using SSH, you can execute commands on the remote machine just as you would on your local system. However, you can also run commands on a remote server without establishing an interactive SSH session.

This can be useful for automation, scripting, or quick tasks. Here's how to do it:

Use the SSH command: To run a command on a remote server without entering an interactive session, use the following syntax:

<code>ssh username@hostname_or_IP -p port 'command'</code>

Replace username with your username on the remote server, hostname_or_IP with the server's hostname or IP address, port with the SSH port number (if different from the default 22), and command with the command you want to execute.

For example, to list the contents of the remote server's home directory, you can use:

<code>ssh john@example.com -p 22 'ls -la'</code>

===Handling multiple commands===
If you need to execute multiple commands, you can chain them together using a '''semicolon''' or '''&&'''.

The semicolon allows you to run multiple commands sequentially, while the && operator runs the next command only if the previous command was successful.

For example, to update the package list and then upgrade the packages on a remote Ubuntu server:

<code>ssh john@example.com -p 2222 'sudo apt-get update; sudo apt-get upgrade -y'</code>

* Command output:
The output of the command will be displayed in your local terminal, just as if you were running the command on your local machine. Using key-based authentication

==Transferring files with SCP==

The Secure Copy Protocol (SCP) is a useful tool for transferring files between your local machine and a remote server using SSH. SCP ensures that the data is encrypted during transit, providing a secure and efficient way to transfer files.

===Install an SCP client===

Most Unix-based systems, including Linux and macOS, have an SCP client pre-installed. For Windows, you can use the built-in SCP client included with the OpenSSH package (available in Windows 10 and later) or a third-party client like WinSCP.

===Transfer a file from your local machine to a remote server===

To copy a file from your local machine to a remote server, use the following command:
* Note the use of the upper case '''-P''' for ports with '''scp'''
<code>scp -P port local_file_path username@hostname_or_IP:remote_file_path</code>

Replace port with the SSH port number (if different from the default 22), local_file_path with the path to the file on your local machine, username with your username on the remote server, hostname_or_IP with the server's hostname or IP address, and remote_file_path with the desired location on the remote server.

For example:

<code>scp -P 22 /home/john/documents/report.pdf john@example.com:/home/john/reports/</code>

This command will copy the "report.pdf" file from the local machine to the "reports" directory on the remote server.

===Transfer a file from a remote server to your local machine===
To copy a file from a remote server to your local machine, use the following command:

<code>scp -P port username@hostname_or_IP:remote_file_path local_file_path</code>

Replace port with the SSH port number (if different from the default 22), username with your username on the remote server, hostname_or_IP with the server's hostname or IP address, remote_file_path with the path to the file on the remote server, and local_file_path with the desired location on your local machine.

For example:

<code>scp -P 2222 john@example.com:/home/john/reports/report.pdf /home/john/documents/</code>
: Or
<code>scp john@example.com:/home/john/reports/report.pdf /home/john/documents/</code>-

This command will copy the "report.pdf" file from the remote server's "reports" directory to the "documents" directory on your local machine.

===Transferring directories===

To transfer an entire directory, use the '''-r''' flag:

<code>scp -r -P port local_directory_path username@hostname_or_IP:remote_directory_path</code>

Or, to copy a directory from the remote server to your local machine:

<code>scp -r -P port username@hostname_or_IP:remote_directory_path local_directory_path</code>

Using SCP is a convenient and secure way to transfer files between your local machine and a remote server. It leverages the security of the SSH protocol to ensure that your data remains encrypted during transit.

===Transferring from Remote Computer to Remote Computer===

Copy the file '''stuff.txt''' from remote host '''12.34.56.67''' to host '''11.22.33.44'''

<code>scp name@12.34.56.67:/home/user/Documents/stuff.txt name@11.22.33.44:/home/user/Documents/</code>

With the '''-3''' flag copies between two remote hosts "12.34.56.67" and "11.22.33.44" are transferred through the local host running the command.

<code>scp -3 name@12.34.56.67:/home/user/Documents/stuff.txt \ name@11.22.33.44:/home/user/Documents/ </code>

===Transferring multiple files===

Send files foo.txt and bar.txt to remote.

<code>scp foo.txt bar.txt user@12.34.56.78:~/Documents/</code>

Copy multiple files from remote "Documents" directory to local "Documents" directory.

<code>scp user@11.22.33.44:/home/user/Documents/\{todo_list.txt,links.txt,stuff.txt\} /home/$USER/Documents/</code>

Copy multiple files from the remote to local current directory.

<code>scp name@12.34.56.78:~/\{README.md,.bashrc\} . </code>

== Transferring files with SFTP==
The SSH File Transfer Protocol (SFTP) is another method for transferring files securely between your local machine and a remote server. Unlike SCP, SFTP provides an interactive interface that allows you to navigate, upload, and download files more easily.

Install an SFTP client: Most Unix-based systems, including Linux and macOS, have an SFTP client pre-installed. For Windows, you can use the built-in SFTP client included with the OpenSSH package (available in Windows 10 and later) or a third-party client like WinSCP or FileZilla.

Connect to a remote server: To start an SFTP session with a remote server, open a terminal or command prompt on your local machine and use the following command:

<code>sftp -P port username@hostname_or_IP</code>

Replace port with the SSH port number (if different from the default 22), username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

For example:

<code>sftp -P 22 john@example.com</code>

Navigate the remote filesystem: Once connected, you can use commands similar to those available in a Unix shell to navigate the remote server's filesystem. Some common SFTP commands include:

: '''ls''': List files and directories<br>
: '''cd''': Change the current directory<br>
: '''mkdir''': Create a new directory<br>
: '''rmdir''': Remove an empty directory<br>
: '''get''': Download a file from the remote server<br>
: '''put''': Upload a file to the remote server<br>
<br>
: '''rm''': Remove a file<br>
: '''rename''': Rename a file or directory<br>
: '''exit''': Exit the SFTP session<br>

Transfer files: To transfer files, use the put command to upload a file from your local machine to the remote server, and the get command to download a file from the remote server to your local machine. For example:

Upload a file:

<code>put local_file_path remote_file_path</code>

Download a file:

<code>get remote_file_path local_file_path</code>

Replace local_file_path and remote_file_path with the appropriate paths for the files you want to transfer.

Transferring directories: To transfer entire directories, use the -r flag with the put and get commands:

Upload a directory:

<code>put -r local_directory_path remote_directory_path</code>

Download a directory:

<code>get -r remote_directory_path local_directory_path</code>

Disconnect from the remote server: When you've finished transferring files, type exit to close the SFTP session.

SFTP offers a more user-friendly, interactive experience for transferring files compared to SCP. By utilizing the secure and encrypted SSH protocol, SFTP ensures that your data remains safe during transfer.

==Advanced SSH Techniques==
=== Port forwarding and tunneling===

SSH port forwarding and tunneling allow you to securely forward network traffic between your local machine and a remote server. This can be useful for accessing remote services, bypassing firewalls, or securely transmitting sensitive data.

Local Port Forwarding: Local port forwarding creates a secure tunnel between your local machine and a remote server, allowing you to access remote services as if they were running on your local machine. To set up local port forwarding, use the -L flag with the SSH command:

<code>ssh -L local_port:remote_host:remote_port username@hostname_or_IP</code>

Replace local_port with an available port on your local machine, remote_host with the hostname or IP address of the remote server hosting the service, remote_port with the port number of the remote service, username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

Remote Port Forwarding: Remote port forwarding enables you to expose a local service running on your machine to a remote network. To set up remote port forwarding, use the -R flag with the SSH command:

<code>ssh -R remote_port:local_host:local_port username@hostname_or_IP</code>

Replace remote_port with an available port on the remote server, local_host with the hostname or IP address of the local machine hosting the service, local_port with the port number of the local service, username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

:**Forwarding X, Sound, and Video on Ubuntu 22.04 with Ubuntu 22.04 LXC**: To forward X, sound, and video from a remote Ubuntu 22.04 server to your local Ubuntu 22.04 machine, you'll need to enable X11 forwarding and install the necessary packages.

:* Install required packages: On both your local machine and the remote server, install the x11-apps and pulseaudio packages:

<code>sudo apt update</code><br>
<code>sudo apt install x11-apps pulseaudio</code>

:* Enable X11 forwarding: To enable X11 forwarding, you'll need to edit the SSH server configuration file (/etc/ssh/sshd_config) on the remote server:

<code>sudo nano /etc/ssh/sshd_config</code>

Find the line containing "X11Forwarding" and set its value to "yes":

<code>X11Forwarding yes</code>

If the line is commented out (i.e., it starts with a '#'), remove the '#' symbol. Save your changes and exit the text editor.

:* Restart the SSH server: Apply the changes by restarting the SSH server:

<code>sudo systemctl restart ssh</code>

:* Connect with X11 forwarding: From your local machine, use the -X flag to enable X11 forwarding when connecting to the remote server:

<code>ssh -X username@hostname_or_IP</code>

:* Export PULSE_SERVER environment variable: On the remote server, export the PULSE_SERVER environment variable to forward sound:

<code>export PULSE_SERVER=tcp:localhost</code>

You can add this line to the remote user's ~/.bashrc or ~/.profile file to make the change permanent.

:* Run applications: Now, you can run graphical applications on the remote server, and they will be displayed on your local machine with sound and video forwarded.

Please note that forwarding X, sound, and video might cause increased latency and reduced performance compared to running the applications locally.

=== SSH agent forwarding===
SSH agent forwarding is a powerful feature that allows you to use your local SSH keys to authenticate with remote servers without having to copy your private keys to those servers. This is particularly useful when you need to access one remote server (Server B) through another remote server (Server A).

==== Start the SSH agent on your local machine ====

Before you enable SSH agent forwarding, you need to start the SSH agent on your local machine. Open a terminal and run the following command:

:* For Linux and macOS:

<code>eval "$(ssh-agent -s)"</code>

For Windows (Git Bash or Cygwin):

<code>eval $(ssh-agent)</code>

This command starts the SSH agent and sets the required environment variables.

====Add your SSH key to the agent====

Next, add your private key to the SSH agent with the following command:

<code>ssh-add ~/.ssh/your_private_key</code>

Replace '''your_private_key''' with the filename of your private key. This might be '''id_rsa''', '''id_ed25519''', or another key file depending on your setup.

====Configure SSH agent forwarding on your local machine====

Edit your SSH config file to enable agent forwarding. The config file is usually located at '''~/.ssh/config'''. If the file doesn't exist, create it.

Add the following lines to the config file:

<pre>
Host server_a_alias
HostName server_a_ip_or_hostname
User your_username_on_server_a
ForwardAgent yes

Host server_b_alias
HostName server_b_ip_or_hostname
User your_username_on_server_b
ForwardAgent yes
</pre>

Replace
:* '''server_a_alias'''
:* ''' server_a_ip_or_hostname'''
:* '''your_username_on_server_a'''
:* '''server_b_alias'''
:* '''server_b_ip_or_hostname'''
:* '''your_username_on_server_b'''
with the appropriate values.

====Make sure your public key is added to the remote servers====

Before you can use SSH agent forwarding, you need to add your public key to the '''~/.ssh/authorized_keys''' file on both Server A and Server B. If you haven't done this already, you can use the following command:

<code>ssh-copy-id -i ~/.ssh/your_public_key user@server_ip_or_hostname</code>

Replace '''your_public_key''', '''user''', and '''server_ip_or_hostname''' with the appropriate values.

====Test SSH agent forwarding====

First, SSH into Server A:

<code>ssh server_a_alias</code>

Then, from Server A, SSH into Server B:

<code>ssh server_b_alias</code>

If everything is set up correctly, you should be able to access Server B without being prompted for a password.

====Verify SSH agent forwarding====

To make sure that SSH agent forwarding is working, you can check the value of the '''SSH_AUTH_SOCK''' environment variable on Server B.

From Server B, run the following command:

<code>echo $SSH_AUTH_SOCK</code>

If SSH agent forwarding is working, this command should return a non-empty value.

That's it! You've successfully set up and tested SSH agent forwarding. Now you can use your local SSH keys to authenticate with remote servers without having to copy your private keys to those servers.

===Command Restriction===

The '''authorized_keys''' file can be used to restrict the commands that a specific SSH key can execute. This is especially useful for security purposes, to limit the potential damage that could be done if a key is compromised.

By including a '''command=''' directive in the '''authorized_keys''' file, you can specify the exact command that will be run when a client connects using the associated key. Any command provided by the client will be ignored, and the command specified in the authorized_keys file will be used instead.

Example:

<code>command="/usr/bin/scp -t /home/rscp/media/" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...</code>

is set up to always execute the '''scp''' command (used for secure copy of files over SSH) to the specified directory, no matter what command was originally issued by the client. This is a good way to create a "write-only" drop box, for instance.

However, the keyholder could potentially still execute arbitrary commands by carefully crafting the file names they upload, so additional precautions should be taken, such as using command= along with other directives like '''no-port-forwarding''', '''no-X11-forwarding''', and '''no-pty''' to further limit what can be done with the key.

<code>command="/usr/bin/scp -t /home/rscp/media/",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...</code>

This entry does the following:

:* The '''command=''' directive runs the specified command when a client connects using this key. In this case, the command is scp, which securely copies files to the /home/rscp/media/ directory.
:* The '''no-port-forwarding''' directive prevents the client from using SSH's port forwarding features, which could potentially be used to create a secure tunnel for other network traffic.
:* The '''no-X11-forwarding''' directive prevents the client from forwarding X11 graphical sessions, which could be used to run graphical applications over the SSH connection.
:* The '''no-pty''' directive prevents the allocation of a pseudo-terminal, which means the client can't interact with a shell or run interactive commands.

The '''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...''' part is the public key of the client. Replace this with the actual key.

This configuration significantly limits the operations that can be performed with this key, providing an additional layer of security.

====SCP Only====

Use Case Example: Have a Server hosting XML Dumps, and want to automate sending a file or directory from Server1 to Server2 using a script and ssh-key so i don't need to enter password.

=====Create Account on Server=====
Create user account you are going to use:<br>
<code>adduser rscp</code>

Make sure user has a '''.ssh''' directory to send public key to:<br>
<code>mkdir /home/rscp/.ssh</code>

Make a Directory to transfer files to:<br>
<code>mkdir /home/rscp/media</code>

Note: If you see error <code>scp: /home/rscp/media/test.txt: Permission denied</code> If you created directory '''media''' when logged in as '''root''' then check directory permissions and if need [[Linux_Users_and_Groups#File_Ownership_and_Permissions|assign ownership to '''user''' account.]]<br>
Example:<code>chown rscp:rscp /home/rscp/media</code>

[[Ubuntu_22.04_SSH_Guide#Copying_public_keys_to_the_remote_server|Send your public key to server]]

After public_key/authorized_key is on server, edit authorized_keys and at the start before ssh-rsa <KEY>
<pre>
command="/usr/bin/scp -t /home/rscp/media/" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...
</pre>

If from remote server you are sending a Directory include the '''-r''' flag in command:<br>

After public_key/authorized_key is on server, edit authorized_keys and at the start before ssh-rsa <KEY>
<pre>
command="/usr/bin/scp -t -r /home/rscp/media/" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...
</pre>

This entry in the authorized_keys file uses the command option to restrict the SSH command that can be run with the associated SSH key. The command option specifies that the scp command should be used to transfer files to the '''/home/rscp/media/''' directory on the server.

Here's a breakdown of the entry:

:* '''command="/usr/bin/scp -t /home/rscp/"''': This specifies that the scp command should be used as the SSH command for this key, with the '''-t''' option to specify that the remote end is a file (in this case, a directory), and the destination directory on the server is /home/rscp/. This means that the user can only use the SSH key to transfer files to the /home/rscp/ directory on the server.

:* '''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...''': This is the public key associated with the private key that is used for authentication.

By using the command option in this way, you can restrict the actions that the user can perform with the SSH key, which can help to improve security. In this case, the user can only transfer files to the specified directory on the server using the scp command.

======Tip - transfer file to a path your USER does not have permissions for======

You can write a shell script to check the '''/home/rscp/media''' directory every minute using a while loop and the sleep command. If any files are found in the directory, the script can move them to the '''/var/www/media''' directory using the mv command. Here's an example script:

<syntaxhighlight lang="bash" line>
#!/bin/bash

while true
do
if [ "$(ls -A /home/rscp/media/)" ]; then
mv /home/rscp/media/* /var/www/media/
fi
sleep 60
done
</syntaxhighlight>

In this script, the while loop runs indefinitely ('''while true''') and sleeps for 60 seconds at the end of each iteration ('''sleep 60''').

The '''if''' statement checks if the '''/home/rscp/media''' directory is not empty ('''[ "$(ls -A /home/rscp/media/)" ]'''). If it is not empty, the '''mv''' command is used to move all files and directories from the '''/home/rscp/media/''' directory to the '''/var/www/media/''' directory.

Save this script to a file (e.g. '''move-files.sh''') and make it executable using the '''chmod +x move-files.sh''' command. You can then run the script using '''./move-files.sh &''' to start it in the background and allow it to run indefinitely. The & symbol is used to run the script in the background so that you can continue using the terminal.

Note that running this script indefinitely can consume system resources, so you may want to consider setting up a scheduled task (e.g. using '''[[Cron_ubuntu_22.04|cron]]''') to run the script at a specific interval instead of running it indefinitely.

==Tilde '''~''' the escape character==

The tilde (~) character has a special meaning in the context of SSH. When using SSH, you can use the tilde character followed by a control sequence to perform certain actions. These are called "tilde escape sequences" or "tilde commands." They are useful for managing your SSH connections.

Here's how to use tilde escape sequences when connected to a remote server via SSH:

:* Make sure you are at the beginning of a new line in your terminal. Press '''Enter''' if you are not.

:* Type the tilde (~) character, followed by the appropriate control sequence. Note that you should not press '''Enter''' after typing the tilde character, but rather type the control sequence directly after it.

Here are some common tilde escape sequences:

: '''~.''' : Close the SSH connection. This can be helpful if the connection is frozen or unresponsive.
: '''~^Z''' : Suspend the SSH connection and return to your local shell. You can later resume the connection using the fg command.
: '''~#''' : List all forwarded connections (both local and remote) that are active in the current SSH session.
: '''~&''' : Run the SSH session in the background. This is useful if you want to perform other tasks on your local machine without closing the SSH connection.
: '''~~''' : Send a literal tilde character to the remote system. This is useful if you need to type a tilde character in the remote system without triggering an escape sequence.

Remember that these escape sequences only work if they are entered at the beginning of a new line in your terminal. If you're typing them in the middle of a command or text, they won't be recognized as special control sequences.

==Troubleshooting and Best Practices==

In this section, we'll cover some common issues and best practices related to SSH connections, including managing a large number of SSH keys.

===Too many authentication attempts===

When connecting to an SSH server, you might encounter the "Too many authentication attempts" error. This is often caused by having too many private keys in your ~/.ssh directory. By default, SSH tries each key until it finds the correct one, but many servers limit the number of authentication attempts.

'''Solution''': To resolve this issue, you can create a separate directory for your keys and configure the SSH config file to use the appropriate key for each connection.

:* Create a new directory for your keys:

<code>mkdir ~/.ssh/keys</code>

:* Move your private key files to the new directory:

<code>mv ~/.ssh/id_rsa_* ~/.ssh/keys/</code>

Update your SSH config file to specify the correct key for each connection:
<pre>
Host server1
...
IdentityFile ~/.ssh/keys/id_rsa_server1

Host server2
...
IdentityFile ~/.ssh/keys/id_rsa_server2
</pre>

===Permission issues===

SSH is very strict about file and directory permissions. Ensure that your ~/.ssh directory and its contents have the correct permissions:

:* The ~/.ssh directory should have permissions set to 700:

<code>chmod 700 ~/.ssh</code>

Private key files should have permissions set to 600:

<code>chmod 600 ~/.ssh/id_rsa</code>

The ~/.ssh/config file should have permissions set to 600:

<code>chmod 600 ~/.ssh/config</code>

:* <b>Best practices</b>: Follow these best practices to maintain secure and efficient SSH connections:

:* Use SSH key pairs instead of passwords for authentication, as they provide better security.
:* Regularly update your SSH keys to maintain their security.
:* Use strong, unique passphrases to protect your private keys.
:* Disable password authentication and root login on your SSH server to reduce the risk of brute-force attacks.
:* Regularly update your SSH server software to ensure you're running the latest security patches.
:* Use non-standard port numbers for your SSH server to make it less likely to be targeted by automated attacks.
:* Implement multi-factor authentication (MFA) for your SSH connections, if possible.
:* Regularly review and remove any unnecessary authorized keys from the ~/.ssh/authorized_keys file on your servers.
:* Use the Match directive in the sshd_config file to apply custom rules and settings for different users, groups, or connections.

Ubuntu 22.04 Host Your Own Mediawiki Online - LXC Ubuntu Container

2023-05-16T12:11:08Z

Noob: Noob moved page Host Your Own Mediawiki Online - Ubuntu to Ubuntu 22.04 Host Your Own Mediawiki Online - LXC Ubuntu Container without leaving a redirect

Installing MediaWiki on a container and exporting to the cloud.
Local OS used Ubuntu-Mate 20.04
Tested with ethernet.
Untested with wifi.

TODO's
* Remove 'index.php' from URL
* Find out more about 'DocBookExport' and test how it works
* Move MediaWiki Server to FreeBSD

Currently trying to solve the spambot problem, they got round the need to request to open an account somehow, will update once solved.

$EDITOR is used as a place holder for an editor of your choice.

==Installing LXD==

<code>sudo snap install lxd</code><br \>
<code>lxd init</code><br \>
Selecting all defaults, apart from "Size in GB of the new loop device (1GB minimum) [default=6GB]:" increasing to 30GB:

<div class="toccolours mw-collapsible mw-collapsed">
<code>lxd init</code> selected options:
<div class="mw-collapsible-content">
<pre>
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]:
Name of the storage backend to use (btrfs, dir, lvm, zfs, ceph) [default=zfs]:
Create a new ZFS pool? (yes/no) [default=yes]:
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]:
Size in GB of the new loop device (1GB minimum) [default=6GB]:30GB
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
Would you like the LXD server to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
</pre>
</div>
</div>

==Create Ubuntu:22.04 Container for MediaWiki==

<code>lxc launch ubuntu:22.04 mediawiki</code><br>

<code>lxc list</code><br>
<pre>
+-----------+---------+--------------------+------+-----------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+-----------+---------+--------------------+------+-----------+-----------+
| mediawiki | RUNNING | 10.194.171.251(eth0) | | CONTAINER | 0 |
+-----------+---------+--------------------+------+-----------+-----------+
</pre>

===Login to Container===
<code>lxc exec mediawiki bash</code>

===Basic Firewall UFW for Container===

NOTE:Add Link to a UFW page for more info

Blocking IPv6<br \>
<code>$EDITOR /etc/default/ufw</code>

Change the line<br \>
<code>IPV6=yes</code><br \>
To<br \>
<code>IPV6=no</code><br \>
Save and Exit

Allow port 80<br \>
<code>ufw allow 80/tcp</code><br \>
Allow port 443<br \>
<code>ufw allow 443/tcp</code><br \>
Start/Enable UFW firewall<br \>
<code>ufw enable</code><br \>
Check UFW status<br \>
<code>ufw status</code>

<div class="toccolours mw-collapsible mw-collapsed">
If you Entered wrong port number and would like to change/delete rule:
<div class="mw-collapsible-content">

delete a UFW rule you made by mistake.<br \>
<code>ufw delete allow 433/tcp</code><br \>
Or you can use a numbered rule list.<br \>
<code>ufw status numbered</code><br \>
Will list rules by number.<br \>
<code>ufw delete <RULE_NUMBER></code><br \>
<code>ufw delete 2</code><br \>

Now re-enter rule to allow correct port number and protocol.
</div>
</div>

===Update system===

<code>apt update && apt upgrade -y</code>

===ssmtp setup===
NOTE: need link to ssmtp page - showing how to use other email providers that allow smtp
Link to ssmtp wiki page
<br \>
You can use a number of email providers for sending emails from server using ssmtp.<br \>
I am going to use <b>smtp2go.com</b> they do provide a free service if you wish to try.
<div class="toccolours mw-collapsible mw-collapsed">
smtp2go details:
<div class="mw-collapsible-content">
https://www.smtp2go.com/<br \>
Has a Free Plan
# 1000 emails per month
# 5 days of email reporting
# Ticket support only
<br \>
Do not use you username and password you used to sign up!<br \>
Go to https://app.smtp2go.com/sending/smtp_users/ <br \>
Or 'Sending' > 'SMTP Users'<br>
And create/add a SMTP User account.<br \>
The User created will be given a good password by default.<br \>
Use this username and password for ssmtp.<br \>
In this example i have the username "<b>noobwiki</b>" and the password "<b>N0tTelinu</b>"
</div>
</div>

====ssmtp====

<code>apt install ssmtp -y</code>

<code>$EDITOR /etc/ssmtp/ssmtp.conf</code>

<pre>
mailhub=mail.smtp2go.com:587
AuthUser=noobwiki
AuthPass=N0tTelinu
UseSTARTTLS=YES
FromLineOverride=YES
hostname=completenoobs.com
</pre>
<div class="toccolours mw-collapsible mw-collapsed">
Why use <code>hostname=completenoobs.com</code>
<div class="mw-collapsible-content">
"hostname" needed for ubuntu unattended upgrades to send email.<br \>
If missing: will get "(550 unable to verify sender address.)" <br \>
If using <code>hostname=localhost</code> "(550 "Localhost" unnaceptable, you must use a public domain-name.)"<br \>
If using <code>hostname=admin@completenoobs.com</code> "501 <root@admin@completenoobs.com>: malformed address: @completenoobs.com> may not follow <root@admin"
</div>
</div>
<br \>
Do not use user@smtp2go.com as the sender address! you need an email address that has an MX record(mail exchanger record) at its domain name.
<br \>
<code>$EDITOR /etc/ssmtp/revaliases</code><br \>
<pre>
root:admin@completenoobs.com:mail.smtp2go.com:587
</pre>

====usermod====

<br \>
usermod can be used to change the email senders name/address.<br \>
Instead of your mail coming from 'root' or 'ubuntu' or any other user account.<br \>
<b>usermod -c "emailSenderName" <account_sending></b><br \>
<code>usermod -c "completenoobslxc" root</code><br \>

Send Test eMail<br \>
Create a file and add subject header and some content.<br \>
<code>$EDITOR test-mail.txt</code><br \>
<pre>
Subject:test email

Hello You.
</pre><br \>
Save and Exit<br \>
Now send the email:<br \>
<code>sendmail email@address2receive.mail < test-mail.txt</code><br \>
Don't forget to check your spam folder if you don't see email<br \>
Once tested and email sent, you can delete <b>test-mail.txt</b>.<br \>
<code>rm test-mail.txt</code>

====sendmail notes====
<div class="toccolours mw-collapsible mw-collapsed">
If the sendmail command locks your terminal and CTRL+c does not work
<div class="mw-collapsible-content">
Use <code>CTRL+z</code> which will send a SIGTSTP signal which will put the process to sleep.<br \>
use jobs to see the sleeping process.<br \>
<code>jobs</code><br \>
and kill %<JOBNUMBER><br \>
<code>kill %1</code>
<br \>
you can also use <code>ps ax</code> to list processes running on your computer and <code>kill -9 <PROCESS-NUMBER></code> to kill process.
</div>
</div>

<div class="toccolours mw-collapsible mw-collapsed">
sendmail in verbose mode for more details:
<div class="mw-collapsible-content">
More info can be found in the man page <code>man sendmail</code><br \>
Use the verbose flag <b>-v</b><br \>
<code>sendmail -v email@address2receive.mail < test-mail.txt</code>
</div>
</div>

<div class="toccolours mw-collapsible mw-collapsed">
Check mail logs for errors:
<div class="mw-collapsible-content">
send mail error log can be found in<br \>
<code>/var/log/mail.err</code><br \>
and sendmail log can be found:<br \>
<code>/var/log/mail.log</code>
</div>
</div>

===auto update container config===

<code>$EDITOR /etc/apt/apt.conf.d/50unattended-upgrades</code>

Uncomment<br \>
<code>// "${distro_id}:${distro_codename}-updates";</code><br \>
<code>"${distro_id}:${distro_codename}-updates";</code>

Dont need auto reboot on container - no kernel - kernel shared with host.

====email on update====

<code>$EDITOR /etc/apt/apt.conf.d/50unattended-upgrades</code><br \>
Add email address to send email to:<br \>
<pre>//Unattended-Upgrade::Mail "";</pre>
<pre>Unattended-Upgrade::Mail "email@tosendto.com";</pre>
We are going to test are send mail, so for now change MailReport to "always"<br \>
<pre>//Unattended-Upgrade::MailReport "on-change";</pre>
<pre>Unattended-Upgrade::MailReport "always";</pre>

<div class="toccolours mw-collapsible mw-collapsed">
Once i needed 'apticron' to get emails working with unattended upgrades:<br \>
Notes here just incase<div class="mw-collapsible-content">
Install apticron<br \>
<code>apt install apticron -y</code>

Create apticron.conf file containing email to send email to:<br \>
If you dont then 'apticron' will by default sent to root@localhost.<br >
<code>echo 'EMAIL="email@tosendto.com"' > /etc/apticron/apticron.conf</code>

</div>
</div>

Test with debug flag -d<br \>
<code>unattended-upgrade -d</code>

Once email alerts from auto updates has been tested and working, change MailReport back from 'always' to 'on-change', unless you want to be emailed at every update.

===Install MediaWiki===

<code>apt install apache2 mysql-server php php-mysql libapache2-mod-php php-xml php-mbstring php-intl -y</code>

<code>wget https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.2.tar.gz</code>

<code>tar -xvf mediawiki-1.39.2.tar.gz</code>

<code>mv mediawiki-1.39.2 /var/www/html/mediawiki</code>

====Create Database====

Will be prompted to set a root password!<br \>
<code>mysql -u root -p</code><br \>


<code>CREATE USER 'green'@'localhost' IDENTIFIED BY 'THISpasswordSHOULDbeCHANGED';</code>

<code>CREATE DATABASE mywiki_database;</code>

<code>use mywiki_database;</code>

<code>GRANT ALL ON mywiki_database.* TO 'green'@'localhost';</code>

<code>quit;</code>

<div class="toccolours mw-collapsible mw-collapsed">
Make note of your: database name, username, userpassword
<div class="mw-collapsible-content">
<code>CREATE USER 'green'@'localhost' IDENTIFIED BY 'THISpasswordSHOULDbeCHANGED';</code><br \>
Database Username:<b>green</b><br \>
Database host/location:<b>localhost</b>
Database User Password:<b>THISpasswordSHOULDbeCHANGED</b><br \><br \>
<code>CREATE DATABASE mywiki_database;</code><br \>
Database Name:<b>mywiki_database</b><br \>
</div>
</div>

====Create self-signed https certs====

<code>openssl req -x509 -newkey rsa:4096 -keyout key.pem -nodes -out cert.pem -days 365</code><br>
Note: can leave blank; just press enter.<br><br>
<code>mv cert.pem /etc/ssl/certs/cn-selfsigned.crt</code><br>
<code>mv key.pem /etc/ssl/private/cn-selfsigned.key</code><br>

====Create ssl-params.conf====

<code>$EDITOR /etc/apache2/conf-available/ssl-params.conf</code>

Remember to turn stapling on after letsencrypt cert

<pre>
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
# May want to turn stapling off when using self-signed to avoid receiving errors in log
SSLUseStapling off
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
</pre>

====Create Apache2 config====

<code>cd /etc/apache2/sites-available/</code>

<code>rm 000-default.conf default-ssl.conf</code>

<code>$EDITOR /etc/apache2/sites-available/completenoobs.com.conf</code>

<div class="toccolours mw-collapsible mw-collapsed">
<b>Important Redirect note</b>:<div class="mw-collapsible-content">
<pre>
# Redirect Requests to SSL
Redirect permanent "/" "https://IPADDRESS"
</pre>
Change to your Container IP!<br \>
<code>Redirect permanent "/" "https://10.194.171.251"</code>
</div>
</div>
<pre>
<VirtualHost *:80>

ServerName completenoobs.com
ServerAdmin admin@

# Redirect Requests to SSL
Redirect permanent "/" "https://IPADDRESS"

ErrorLog ${APACHE_LOG_DIR}/completenoobs.com.error.log
CustomLog ${APACHE_LOG_DIR}/completenoobs.com.access.log combined

</VirtualHost>

<IfModule mod_ssl.c>

<VirtualHost _default_:443>

ServerName completenoobs.com
ServerAdmin admin@completenoobs.com
DocumentRoot /var/www/html/mediawiki
# According MWiki Manual:Security
php_flag register_globals off

ErrorLog ${APACHE_LOG_DIR}/completenoobs.com.error.log
CustomLog ${APACHE_LOG_DIR}/completenoobs.com.access.log combined

SSLEngine on
SSLCertificateFile /etc/ssl/certs/cn-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/cn-selfsigned.key
# need to find out what SSLCertificateChainFile is? explain is in the default-ssl.conf file.
#SSLCertificateChainFile /etc/ssl/certs/example.com.root-bundle.crt

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>

<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>

<Directory /var/www/html/wikimedia>
Options None FollowSymLinks
#Allow .htaccess
AllowOverride All
Require all granted
<IfModule security2_module>
SecRuleEngine Off
# or disable only problematic rules
</IfModule>
</Directory>

# According to MWiki Manual:Security
<Directory /var/www/html/wikimedia/images>
# Ignore .htaccess files
AllowOverride None
# Serve HTML as plaintext, don't execute SHTML
AddType text/plain .html .htm .shtml .php .phtml .php5
# Don't run arbitrary PHP code.
php_admin_flag engine off
# If you've other scripting languages, disable them too.
</Directory>

#According to MWiki Manual:Security
<Directory /var/www/html/wikimedia/images/deleted>
Deny from all
AllowOverride AuthConfig Limit
Require local
</Directory>

</VirtualHost>

</IfModule>
</pre>

====Reload Apache2====

<code>a2enmod ssl</code>

<code>a2enmod headers</code>

<code>a2ensite completenoobs.com</code>

<code>a2enconf ssl-params</code>

<code>apache2ctl configtest</code>

<code>systemctl restart apache2</code>

===MediaWiki Basic Setup===
====Landing page====

Open a web browser and go to your containers private ip address (you can get ip address by running <code>lxc list</code> on host).

<code>https://10.194.171.251</code>

Are certs are self-signed and you may/will get warning "your connection is not private"<br \>
Click "Advance" and "Proceed to 10.194.171.251 (unsafe)"<br \>

You will now find yourself on the mediawiki setup landing page.<br \>
<blockquote>
MediaWiki 1.35.0<br \>
LocalSettings.php not found.<br \>
Please <u>set up the wiki</u> first.<br \>
</blockquote>

Click <b>set up the wiki</b> to be taken to the "mw-config/index.php" page.

=====Basic Configure MediaWiki=====

<div class="toccolours mw-collapsible mw-collapsed">
Language Page
<div class="mw-collapsible-content">
Just pick a language mate
</div>
</div>

<div class="toccolours mw-collapsible mw-collapsed">
Welcome to MediaWiki!
<div class="mw-collapsible-content">
read and click Continue
</div>
</div>

<div class="toccolours mw-collapsible mw-collapsed">
Connect to database - going to need the details from when you created the database.
<div class="mw-collapsible-content">
Database host:localhost<br \>
Database name:mywiki_database<br \>
Database table prefix (no hyphens): <b>LEAVE BLANK</b><br \>
Database username:green<br \>
Database password:THISpasswordSHOULDbeCHANGED<br \>
</div>
</div>

<div class="toccolours mw-collapsible mw-collapsed">
Database Settings
<div class="mw-collapsible-content">
Database account for web access<br \>
[x]Use the same account as for installation<br \>
<b>Leave ticked</b>
</div>
</div>

<div class="toccolours mw-collapsible mw-collapsed">
Name
<div class="mw-collapsible-content">
<b>Name of wiki:</b>CompleteNoobs<br \>
<b>Project namespace:</b><br \>
[x]Same as the wiki name:<br \>
[ ]Project<br \>
[ ]Other (specify)<br \>
<b>Administrator account</b>
Will be the admin account on the wiki.
</div>
</div>

<div class="toccolours mw-collapsible mw-collapsed">
Options
<div class="mw-collapsible-content">
<b>User rights profile:</b> <br \>
[ ] Open wiki <br \>
[x] Account creation required<br \>
[ ] Authorised editors only <br \>
[ ] Private wiki<br \>
<br \>
<b>Copyright and licence:</b><br \>
[ ] Creative Commons Attribution<br \>
[ ] Creative Commons Attribution-ShareAlike<br \>
[ ] Creative Commons Attribution-NonCommercial-ShareAlike<br \>
[ ] Creative Commons Zero (Public Domain)<br \>
[ ] GNU Free Documentation Licence 1.3 or later<br \>
[x] No licence footer<br \>
[ ] Select a custom Creative Commons licence<br \>
<br \>
<br \>
<b>Email settings</b><br \>
[ ] Enable outbound email<br \>
<b>Return email address:</b>apache@🌻.invalid<br \>
[ ]Enable user-to-user email<br \>
[ ]Enable user talk page notification<br \>
[ ]Enable watchlist notification<br \>
[ ]Enable email authentication<br \>
<br \>
<br \>
<b>Skins</b> Pick a skin<br \>
<br \>
<br \>
<b>Extensions</b><br \>
<b><u>Special pages</u></b><br \>
[ ]CiteThisPage<br \>
[ ]Interwiki<br \>
[ ]Nuke<br \>
[ ]Renameuser<br \>
[ ]ReplaceText<br \>
<br \>
<b><u>Editors</u></b><br \>
[x]CodeEditor<br \>
[x]VisualEditor<br \>
[x]WikiEditor<br \>
<br \>
<b><u>Parser hooks</u></b><br \>
[ ]CategoryTree<br \>
[ ]Cite<br \>
[ ]ImageMap<br \>
[ ]InputBox<br \>
[ ]ParserFunctions<br \>
[ ]Poem<br \>
[ ]Scribunto<br \>
[x]SyntaxHighlight_GeSHi<br \>
[ ]TemplateData<br \>
<br \>
<b><u>Media handlers</u></b><br \>
[ ]PdfHandler<br \>
<br \>
<b><u>Spam prevention</u></b><br \>
[x]ConfirmEdit<br \>
[ ]SpamBlacklist<br \>
[ ]TitleBlacklist<br \>
<br \>
<b><u>API</u></b><br \>
[ ]PageImages<br \>
<br \>
<b><u>Other</u></b><br \>
[ ]Gadgets<br \>
[ ]LocalisationUpdate<br \>
[ ]MultimediaViewer<br \>
[ ]OATHAuth<br \>
[ ]SecureLinkFixer<br \>
[ ]TextExtracts<br \>
<br \>
<br \>
<b>Images and file uploads</b><br \>
[ ]Enable file uploads<br \>
<b>Logo URL:</b>$wgResourceBasePath/resources/assets/wiki.png<br \>
[ ]Enable Instant Commons<br \>
<br \>
<br \>
<b>Advanced configuration</b><br \>
<b>Settings for object caching:</b><br \>
[x] No caching (no functionality is removed, but speed may be impacted on larger wiki sites)<br \>
[ ] Use Memcached (requires additional setup and configuration)<br \>

</div>
</div>

====LocalSettings.php Launch Wiki====

When the Basic configuration of mediawiki is done on the webpage.<br \>
You will have a <b>LocalSettings.php</b> which will be downloaded from your browser.<br \>
You need to place the <b>LocalSettings.php</b> file into your containers <b>/var/www/html/mediawiki/</b> directory.<br \>
You can do this from host using the <b>lxc file push</b> command.<br \>
<code>lxc file push /home/$USER/Downloads/LocalSettings.php mediawiki/var/www/html/mediawiki/</code><br \>
<br>
Do not refresh browser it will download the LocalSettings.php again! go to the IP address of your container or just trim the <code>mw-config/index.php?page=Complete</code><br>
Now on your browser visit the page again https://10.194.171.251<br \>

And welcome to your wiki.<br \>

===Change Logo===

You need a 135px by 135px image, in this example its named 'completenoobs-logo.png'<br>
<code>lxc file push completenoobs-logo.png mediawiki/var/www/html/mediawiki/resources/assets/</code><br>
Back in container edit the <b>LocalSettings.php</b> file<br>
<pre>
## The URL paths to the logo. Make sure you change this from the default,
## or else you'll overwrite your logo when you upgrade!
$wgLogos = [
'1x' => "$wgResourceBasePath/resources/assets/change-your-logo.svg",
'icon' => "$wgResourceBasePath/resources/assets/change-your-logo.svg",
];

</pre>

Change to your new logo:<br>
<pre>
$wgLogos = [
'1x' => "$wgResourceBasePath/resources/assets/completenoobs-logo.png",
'icon' => "$wgResourceBasePath/resources/assets/completenoobs-logo.png",
];

</pre>

===Email Config===

Warning i did get loads of spam bots, using this to send naughty emails everywhere!<br>
Changed setting to block signups, requests only,and changed <b>$wgEnableUserEmail</b> to false and still the bots managed to send spam using my smtp account.<br>
How they done this? Is beyond my understanding and i removed email from the wiki till i have more info on how to stop the spamming.<br>
Was using mediawiki-1.35.0<br>

<code>$EDITOR /var/www/html/mediawiki/LocalSettings.php</code><br>

Make sure <b>$wgEnableEmail</b> is set to true.<br>
<code>$wgEnableEmail = true;</code><br>
https://www.mediawiki.org/wiki/Manual:$wgEnableEmail<br>

<pre>
$wgEmergencyContact = "";
$wgPasswordSender = "";
</pre>

<pre>
$wgEmergencyContact = "admin@completenoobs.com";
$wgPasswordSender = "admin@completenoobs.com";
</pre>

<pre>
$wgSMTP = [
'host' => 'ssl://mail.smtp2go.com', // outbox server of the email account
'IDHost' => 'completenoobs.com',
'port' => 465,
'username' => 'noobwiki', // user of the email account
'password' => 'N0tTelinu', // app password of the email account
'auth' => true
];
</pre>

===Request Account and Confirm Email to edit===

In LocalSettings change $wgEmailAuthentication = false; to true

https://www.mediawiki.org/wiki/Manual:$wgEmailAuthentication<br>
https://www.mediawiki.org/wiki/Extension:ConfirmAccount<br>

<code>wget https://extdist.wmflabs.org/dist/extensions/ConfirmAccount-REL1_39-2b96e90.tar.gz</code><br>
<code>tar xzf ConfirmAccount-REL1_39-2b96e90.tar.gz -C /var/www/html/mediawiki/extensions/</code><br>
<br>
In <b>LocalSettings.php</b> <br>
set <b>$wgEmailAuthentication</b> to true.<br>

<pre>
wfLoadExtension( 'ConfirmAccount' );
$wgConfirmAccountContact = 'admin@completenoobs.com';
</pre>

Run maintenance update<br>
<code>php /var/www/html/mediawiki/maintenance/update.php </code><br>
use <b>Special:ConfirmAccounts</b> to see if anyone requested a account.<br>
And yep, your gonna get spammed! Bots love a wiki.<br>

===CookieWarning Extension===
https://www.mediawiki.org/wiki/Extension:CookieWarning<br>
<code>wget https://extdist.wmflabs.org/dist/extensions/CookieWarning-REL1_39-778fe72.tar.gz</code><br>
<code>tar -xzf CookieWarning-REL1_39-778fe72.tar.gz -C /var/www/html/mediawiki/extensions/</code><br>
In <b>LocalSettings.php</b> add:<br>
<pre>
wfLoadExtension( 'CookieWarning' );
$wgCookieWarningEnabled = 'true';
# $wgCookieWarningMoreUrl allows to to select a link for your moreinfo button
$wgCookieWarningMoreUrl = 'https://www.completenoobs.com/link';
$wgCookieWarningEnabled = 'true';
</pre>

To change message sign in with admin account and visit these pages of your wiki and edit.<br>
<b>MediaWiki:Cookiewarning-info</b> Edit the display message.<br>
<code>https://10.194.171.251/index.php/MediaWiki:Cookiewarning-info</code><br>
<b>MediaWiki:Cookiewarning-moreinfo-label</b><br>
Edit and change display of the moreinfo button: link can be made/changed at LocalSettings with:<br>
<code>$wgCookieWarningMoreUrl = 'https://www.completenoobs.com/link'</code><br>
<code>https://10.194.171.251/index.php/MediaWiki:Cookiewarning-moreinfo-label</code><br>
<b>MediaWiki:Cookiewarning-ok-label</b> Edit and change the text on the OK button.<br>
<code>https://10.194.171.251/index.php/MediaWiki:Cookiewarning-ok-label</code><br>

===Contribution Scores Extension===

https://www.mediawiki.org/wiki/Extension:Contribution_Scores<br>
<code>wget https://extdist.wmflabs.org/dist/extensions/ContributionScores-REL1_39-0e7e99d.tar.gz</code><br>
<code>tar -xzf ContributionScores-REL1_39-0e7e99d.tar.gz -C /var/www/html/mediawiki/extensions</code><br>
In <b>LocalSettings.php</b> add:<br>
<pre>
wfLoadExtension( 'ContributionScores' );
// Exclude Bots from the reporting - Can be omitted.
$wgContribScoreIgnoreBots = true;
// Exclude Blocked Users from the reporting - Can be omitted.
$wgContribScoreIgnoreBlockedUsers = true;
// Use real user names when available - Can be omitted. Only for MediaWiki 1.19 and later.
$wgContribScoresUseRealName = true;
// Set to true to disable cache for parser function and inclusion of table.
$wgContribScoreDisableCache = false;
// Each array defines a report - 7,50 is "past 7 days" and "LIMIT 50" - Can be omitted.
$wgContribScoreReports = [
[ 7, 50 ],
[ 30, 50 ],
[ 0, 50 ]
];
</pre>
<br>
Add to Main Landing Page:<br>
<pre>{{Special:ContributionScores/10/5}}</pre><br>

===Place Notice at top of every new page created===

Using the <b>PageNotice</b> Extension.

https://www.mediawiki.org/wiki/Extension:PageNotice#Configuration

Download PageNotice and extract to extensions directory.

in LocalSettings.php add the lines:<br \>
<pre>
wfLoadExtension( 'PageNotice' );
$wgPageNoticeDisablePerPageNotices = 'true';
</pre>

To have message in every name space go to your wiki's page<br \>
<code>index.php/mediawiki:top-notice-ns-0</code><br \>
Only admin account can edit this page:<br \>
What you place in this page will be displayed at the top of every page created.

===Privacy Policy===
Holly $#$#$ this is a lot of work, looking into it<br \>
https://www.mediawiki.org/wiki/GDPR_(General_Data_Protection_Regulation)_and_MediaWiki_software<br \>

====NewSignupPage====
https://www.mediawiki.org/wiki/Extension:NewSignupPage<br \>
Big thanks to Shoutwiki.com or this would of been a very big pain.<br \>

Check for Latest link from the Download page https://www.mediawiki.org/wiki/Special:ExtensionDistributor/NewSignupPage<br \>
In mediawiki container:<br \>
<code>wget https://extdist.wmflabs.org/dist/extensions/NewSignupPage-REL1_35-ecf00aa.tar.gz</code><br \>

<code>tar xvf NewSignupPage-REL1_35-ecf00aa.tar.gz -C /var/www/html/mediawiki/extensions/</code><br \>

<code>$EDITOR /var/www/html/mediawiki/LocalSettings.php</code><br \>
Add the Line:<br \>
<code>wfLoadExtension( 'NewSignupPage' );</code><br \>
Change the Info given at signup at:<br \>
<code>index.php/MediaWiki:Newsignuppage-loginform-tos</code><br \>
Default page will be:<pre>
I am over 13 years of age and I have read, understood and agree to be bound by the Terms of Service and Privacy Policy
</pre>
"Terms of Service" and "Privacy Policy" are linked to there pages, so we need to create a few pages.

======Need <b>Privacy Policy</b> Page======

Create a 'Privacy_Policy' page and link on "MediaWiki:Newsignuppage-loginform-tos"<br>
<pre>[[CompleteNoobs:Privacy_policy | Privacy Policy]]</pre>

=====Need <b>Terms Of Service</b> page=====

https://www.completenoobs.com/index.php/Terms_of_Service<br \>

once done change link on "MediaWiki:Newsignuppage-loginform-tos"<br \>

=====Content Policy Page=====
https://10.194.171.251/index.php/Content_Policy<br \>
Contains link to https://www.completenoobs.com/index.php/CompleteNoobs_Staff_Admins<br \>

=====Staff and Admin Page=====

https://10.194.171.251/index.php/CompleteNoobs_Staff_Admins<br \>

Linked from Content Policy Page! a place to contact by email staff, admins

=====General Disclaimer page=====
https://10.194.171.251/index.php/CompleteNoobs:General_disclaimer<br \>
This page shows/linked at bottom of wiki<br \>

=====Copyright Policy=====
https://10.194.171.251/index.php/CompleteNoobs:Copyrights<br \>
Copyrights page that shows in info box when making a post.<br \>

==Fail2Ban==

This Will Ban an IP who incorrectly enters wrong login details, a (you can select) amount of times for a (you can select) amount of time.

===Fail2Log Extension===
https://www.mediawiki.org/wiki/Extension:Fail2Log<br>
====Create Log file====

Could not get PHP to create and set permissions for log file:
So for now doing manually!<br \>
<code>touch /var/log/Fail2Log.log</code><br \>
<code>chown www-data:www-data /var/log/Fail2Log.log</code><br \>
<code>chmod 0755 /var/log/Fail2Log.log</code><br \>
Failed login's with wrong user name and/or password should now be logged in:<b>/var/log/Fail2Log.log</b><br \>
<br \>
Log Format:<br \>
<code>Failed:<IP_ADDRESS> <DATE> <TIME> <USERNAME></code><br \>

====Download and install extension====
<code>wget https://github.com/greenhatmonkey/Fail2Log/blob/main/Fail2Log.tar.gz?raw=true</code><br>
<code>tar xzvf Fail2Log.tar.gz?raw=true -C /var/www/html/mediawiki/extensions/</code><br>
Add to your <b>LocalSettings.php</b><br>
<pre>
wfLoadExtension( 'Fail2Log' );
$wgFail2LogFile = '/var/log/Fail2Log.log';
</pre>

====Install and Setup Fail2Ban====

Fail2Ban works in a container. If using fail2ban on Host for container:<br/>
Just include log path: <code>/var/snap/lxd/common/mntns/var/snap/lxd/common/lxd/storage-pools/default/containers/<CONTAINER_NAME>/rootfs/var/log/Fail2Log.log</code>

<code>apt install fail2ban</code>

* Fail2ban will use file.local over file.conf if file.local exists:
* file.conf can be written over if file2ban gets updated.
* Make a file.local of the file you are working on.

<code>cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local</code>

<code>$EDITOR /etc/fail2ban/jail.local</code>


<div class="toccolours mw-collapsible mw-collapsed">
Default <code>/etc/fail2ban/jail.conf</code> file: Expand to view
<div class="mw-collapsible-content">

<pre>
#
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 1h
#
# [sshd]
# enabled = true
#
# See jail.conf(5) man page for more information

# Comments: use '#' for comment lines and ';' (following a space) for inline comments

[INCLUDES]

#before = paths-distro.conf
before = paths-debian.conf

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
#bantime.increment = true

# "bantime.rndtime" is the max number of seconds using for mixing with random time
# to prevent "clever" botnets calculate exact time IP can be unbanned again:
#bantime.rndtime =

# "bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further)
#bantime.maxtime =

# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
# default value of factor is 1 and with default value of formula, the ban time
# grows by 1, 2, 4, 8, 16 ...
#bantime.factor = 1

# "bantime.formula" used by default to calculate next value of ban time, default value bellow,
# the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
#bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
#
# more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
#bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)

# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding
# previously ban count and given "bantime.factor" (for multipliers default is 1);
# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count,
# always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
#bantime.multipliers = 1 2 4 8 16 32 64
# following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
# for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
#bantime.multipliers = 1 5 30 60 300 720 1440 2880

# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed
# cross over all jails, if false (dafault), only current jail of the ban IP will be searched
#bantime.overalljails = false

# --------------------

# "ignoreself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
#ignoreself = true

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
#ignoreip = 127.0.0.1/8 ::1

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime = 10m

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
maxmatches = %(maxretry)s

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
# for which logs are present only in its own log files, specify some other
# backend for that jail (e.g. polling) and provide empty value for
# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user)
usedns = warn

# "logencoding" specifies the encoding of the log files handled by the jail
# This is used to decode the lines from the log file.
# Typical examples: "ascii", "utf-8"
#
# auto: will use the system locale setting
logencoding = auto

# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true: jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false

# "mode" defines the mode of the filter (see corresponding filter implementation for more info).
mode = normal

# "filter" defines the filter to use by the jail.
# By default jails have names matching their filter name
#
filter = %(__name__)s[mode=%(mode)s]

#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost

# Sender email address used solely for some actions
sender = root@<fq-hostname>

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
chain = <known/chain>

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
fail2ban_agent = Fail2Ban/%(fail2ban_version)s

#
# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]

# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

# Report block via blocklist.de fail2ban reporting service API
#
# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in
# corresponding jail.d/my-jail.local file).
#
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]

# Report ban via badips.com, and use as blacklist
#
# See BadIPsAction docstring in config/action.d/badips.py for
# documentation for this action.
#
# NOTE: This action relies on banaction being present on start and therefore
# should be last action defined for a jail.
#
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
#
# Report ban via badips.com (uses action.d/badips.conf for reporting only)
#
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]

# Report ban via abuseipdb.com.
#
# See action.d/abuseipdb.conf for usage example and details.
#
action_abuseipdb = abuseipdb

# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[dropbear]

port = ssh
logpath = %(dropbear_log)s
backend = %(dropbear_backend)s

[selinux-ssh]

port = ssh
logpath = %(auditd_log)s

#
# HTTP servers
#

[apache-auth]

port = http,https
logpath = %(apache_error_log)s

[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1

[apache-noscript]

port = http,https
logpath = %(apache_error_log)s

[apache-overflows]

port = http,https
logpath = %(apache_error_log)s
maxretry = 2

[apache-nohome]

port = http,https
logpath = %(apache_error_log)s
maxretry = 2

[apache-botsearch]

port = http,https
logpath = %(apache_error_log)s
maxretry = 2

[apache-fakegooglebot]

port = http,https
logpath = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>

[apache-modsecurity]

port = http,https
logpath = %(apache_error_log)s
maxretry = 2

[apache-shellshock]

port = http,https
logpath = %(apache_error_log)s
maxretry = 1

[openhab-auth]

filter = openhab
action = iptables-allports[name=NoAuthFailures]
logpath = /opt/openhab/logs/request.log

[nginx-http-auth]

port = http,https
logpath = %(nginx_error_log)s

# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
# and define `limit_req` and `limit_req_zone` as described in nginx documentation
# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
# or for example see in 'config/filter.d/nginx-limit-req.conf'
[nginx-limit-req]
port = http,https
logpath = %(nginx_error_log)s

[nginx-botsearch]

port = http,https
logpath = %(nginx_error_log)s
maxretry = 2

# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.

[php-url-fopen]

port = http,https
logpath = %(nginx_access_log)s
%(apache_access_log)s

[suhosin]

port = http,https
logpath = %(suhosin_log)s

[lighttpd-auth]
# Same as above for Apache's mod_auth
# It catches wrong authentifications
port = http,https
logpath = %(lighttpd_error_log)s

#
# Webmail and groupware servers
#

[roundcube-auth]

port = http,https
logpath = %(roundcube_errors_log)s
# Use following line in your jail.local if roundcube logs to journal.
#backend = %(syslog_backend)s

[openwebmail]

port = http,https
logpath = /var/log/openwebmail.log

[horde]

port = http,https
logpath = /var/log/horde/horde.log

[groupoffice]

port = http,https
logpath = /home/groupoffice/log/info.log

[sogo-auth]
# Monitor SOGo groupware server
# without proxy this would be:
# port = 20000
port = http,https
logpath = /var/log/sogo/sogo.log

[tine20]

logpath = /var/log/tine20/tine20.log
port = http,https

#
# Web Applications
#
#

[drupal-auth]

port = http,https
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s

[guacamole]

port = http,https
logpath = /var/log/tomcat*/catalina.out

[monit]
#Ban clients brute-forcing the monit gui login
port = 2812
logpath = /var/log/monit
/var/log/monit.log

[webmin-auth]

port = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s

[froxlor-auth]

port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s

#
# HTTP Proxy servers
#
#

[squid]

port = 80,443,3128,8080
logpath = /var/log/squid/access.log

[3proxy]

port = 3128
logpath = /var/log/3proxy.log

#
# FTP servers
#

[proftpd]

port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
backend = %(proftpd_backend)s

[pure-ftpd]

port = ftp,ftp-data,ftps,ftps-data
logpath = %(pureftpd_log)s
backend = %(pureftpd_backend)s

[gssftpd]

port = ftp,ftp-data,ftps,ftps-data
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s

[wuftpd]

port = ftp,ftp-data,ftps,ftps-data
logpath = %(wuftpd_log)s
backend = %(wuftpd_backend)s

[vsftpd]
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s

#
# Mail servers
#

# ASSP SMTP Proxy Jail
[assp]

port = smtp,465,submission
logpath = /root/path/to/assp/logs/maillog.txt

[courier-smtp]

port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[postfix]
# To use another modes set filter parameter "mode" in jail.local:
mode = more
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s

[postfix-rbl]

filter = postfix[mode=rbl]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1

[sendmail-auth]

port = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[sendmail-reject]
# To use more aggressive modes set filter parameter "mode" in jail.local:
# normal (default), extra or aggressive
# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
#mode = normal
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[qmail-rbl]

filter = qmail
port = smtp,465,submission
logpath = /service/qmail/log/main/current

# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
[dovecot]

port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

[sieve]

port = smtp,465,submission
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

[solid-pop3d]

port = pop3,pop3s
logpath = %(solidpop3d_log)s

[exim]
# see filter.d/exim.conf for further modes supported from filter:
#mode = normal
port = smtp,465,submission
logpath = %(exim_main_log)s

[exim-spam]

port = smtp,465,submission
logpath = %(exim_main_log)s

[kerio]

port = imap,smtp,imaps,465
logpath = /opt/kerio/mailserver/store/logs/security.log

#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courier-auth]

port = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[postfix-sasl]

filter = postfix[mode=auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s

[perdition]

port = imap,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[squirrelmail]

port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log

[cyrus-imap]

port = imap,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[uwimap-auth]

port = imap,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

#
#
# DNS servers
#

# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.
# [named-refused-udp]
#
# filter = named-refused
# port = domain,953
# protocol = udp
# logpath = /var/log/named/security.log

# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.

[named-refused]

port = domain,953
logpath = /var/log/named/security.log

[nsd]

port = 53
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/nsd.log

#
# Miscellaneous
#

[asterisk]

port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 10

[freeswitch]

port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/freeswitch.log
maxretry = 10

# enable adminlog; it will log to a file inside znc's directory by default.
[znc-adminlog]

port = 6667
logpath = /var/lib/znc/moddata/adminlog/znc.log

# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
# equivalent section:
# log-warnings = 2
#
# for syslog (daemon facility)
# [mysqld_safe]
# syslog
#
# for own logfile
# [mysqld]
# log-error=/var/log/mysqld.log
[mysqld-auth]

port = 3306
logpath = %(mysql_log)s
backend = %(mysql_backend)s

# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
[mongodb-auth]
# change port when running with "--shardsvr" or "--configsvr" runtime operation
port = 27017
logpath = /var/log/mongodb/mongodb.log

# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
# to maintain entries for failed logins for sufficient amount of time
[recidive]

logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d

# Generic filter for PAM. Has to be used with action which bans all
# ports such as iptables-allports, shorewall

[pam-generic]
# pam-generic filter can be customized to monitor specific subset of 'tty's
banaction = %(banaction_allports)s
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s

[xinetd-fail]

banaction = iptables-multiport-log
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
maxretry = 2

# stunnel - need to set port for this
[stunnel]

logpath = /var/log/stunnel4/stunnel.log

[ejabberd-auth]

port = 5222
logpath = /var/log/ejabberd/ejabberd.log

[counter-strike]

logpath = /opt/cstrike/logs/L[0-9]*.log
# Firewall: http://www.cstrike-planet.com/faq/6
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]

[bitwarden]
port = http,https
logpath = /home/*/bwdata/logs/identity/Identity/log.txt

[centreon]
port = http,https
logpath = /var/log/centreon/login.log

# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
[nagios]

logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
backend = %(syslog_backend)s
maxretry = 1

[oracleims]
# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
logpath = /opt/sun/comms/messaging64/log/mail.log_current
banaction = %(banaction_allports)s

[directadmin]
logpath = /var/log/directadmin/login.log
port = 2222

[portsentry]
logpath = /var/lib/portsentry/portsentry.history
maxretry = 1

[pass2allow-ftp]
# this pass2allow example allows FTP traffic after successful HTTP authentication
port = ftp,ftp-data,ftps,ftps-data
# knocking_url variable must be overridden to some secret value in jail.local
knocking_url = /knocking/
filter = apache-pass[knocking_url="%(knocking_url)s"]
# access log of the website with HTTP auth
logpath = %(apache_access_log)s
blocktype = RETURN
returntype = DROP
action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s,
actionstart_on_demand=false, actionrepair_on_unban=true]
bantime = 1h
maxretry = 1
findtime = 1

[murmur]
# AKA mumble-server
port = 64738
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/mumble-server/mumble-server.log

[screensharingd]
# For Mac OS Screen Sharing Service (VNC)
logpath = /var/log/system.log
logencoding = utf-8

[haproxy-http-auth]
# HAProxy by default doesn't log to file you'll need to set it up to forward
# logs to a syslog server which would then write them to disk.
# See "haproxy-http-auth" filter for a brief cautionary note when setting
# maxretry and findtime.
logpath = /var/log/haproxy.log

[slapd]
port = ldap,ldaps
logpath = /var/log/slapd.log

[domino-smtp]
port = smtp,ssmtp
logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log

[phpmyadmin-syslog]
port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s

[zoneminder]
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures to apache2 error log
port = http,https
logpath = %(apache_error_log)s

[traefik-auth]
# to use 'traefik-auth' filter you have to configure your Traefik instance,
# see `filter.d/traefik-auth.conf` for details and service example.
port = http,https
logpath = /var/log/traefik/access.log

</pre>

</div>
</div>

Default <code>/etc/fail2ban/jail.local</code> file with (almost all) comments removed:
<div class="toccolours mw-collapsible" style="width:400px; overflow:auto;">
<div style="font-weight:bold;line-height:1.6;">Default <code>/etc/fail2ban/jail.local</code> with (almost) comments removed:</div>
<div class="mw-collapsible-content">
<pre>
[INCLUDES]

before = paths-debian.conf

[DEFAULT]

ignorecommand =

bantime = 10m

findtime = 10m

maxretry = 5

maxmatches = %(maxretry)s

backend = auto

usedns = warn

logencoding = auto

enabled = false

mode = normal

filter = %(__name__)s[mode=%(mode)s]

#
# ACTIONS
#

destemail = root@localhost

sender = root@<fq-hostname>

mta = sendmail

protocol = tcp

chain = <known/chain>

port = 0:65535

fail2ban_agent = Fail2Ban/%(fail2ban_version)s

banaction = iptables-multiport
banaction_allports = iptables-allports

action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]

action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]

action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]

action_abuseipdb = abuseipdb

action = %(action_)s

#
# JAILS
#

#
# SSH servers
#

[sshd]

port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

</pre>
</div></div>

====Disconnect/kick and ban an ip from list====
<br \>
Just below we are going to append these lines to <b>/etc/fail2ban/jail.local</b><br>
<pre>
# Reject/Disconnect Connections that failed username password
_action_tcp_udp = %(banaction)s[name=%(__name__)s-tcp, protocol="tcp", port="%(port)s", blocktype="REJECT --reject-with tcp-reset", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, protocol="udp", port="%(port)s", blocktype="REJECT --reject-with icmp-port-unreachable", chain="%(chain)s", actname=%(banaction)s-udp]

actionx = %(_action_tcp_udp)s
</pre>
<div class="toccolours mw-collapsible mw-collapsed">
Before Changes:
<div class="mw-collapsible-content">
<pre>
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

#
# JAILS
#

#
# SSH servers
#

</pre>
</div>
</div>

<div class="toccolours mw-collapsible mw-collapsed">
After Changes:
<div class="mw-collapsible-content">
<pre>
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

# Reject/Disconnect Connections that failed username password
_action_tcp_udp = %(banaction)s[name=%(__name__)s-tcp, protocol="tcp", port="%(port)s", blocktype="REJECT --reject-with tcp-reset", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, protocol="udp", port="%(port)s", blocktype="REJECT --reject-with icmp-port-unreachable", chain="%(chain)s", actname=%(banaction)s-udp]

actionx = %(_action_tcp_udp)s

#
# JAILS
#

#
# SSH servers
#
</pre>
</div>
</div>

====Jail for MediaWiki - /etc/fail2ban/jail.local====

<pre>
[mediawiki]

enabled = true
filter = mediawiki
action = iptables-allports
bantime = 1m
maxretry = 2
logpath = /var/log/Fail2Log.log
</pre>

<div class="toccolours mw-collapsible mw-collapsed">
Before:
<div class="mw-collapsible-content">
<pre>
#
# JAILS
#

#
# SSH servers
#
</pre>
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
After:
<div class="mw-collapsible-content">
<pre>
#
# JAILS
#
[mediawiki]

enabled = true
filter = mediawiki
action = iptables-allports
bantime = 1h
maxretry = 20
logpath = /var/log/Fail2Log.log
#
# SSH servers
#

</pre>
</div>
</div>

====Filter for mediawiki====
<div class="toccolours mw-collapsible mw-collapsed">
Regex quick up and running tutorial: External Link:(youtube)
<div class="mw-collapsible-content">
This Is a link to a video made by "Corey Schafer".<br \>
The best no nonsense up and running regex tut there is.<br \>
https://www.youtube.com/watch?v=sa-TUpSx1JA
</div>
</div>
<code>$EDITOR /etc/fail2ban/filter.d/mediawiki.conf</code><br \>
<pre>
[Definition]

failregex = ^Failed:<HOST>

ignoreregex =
</pre>

=====Try out regex on log file=====
<code>fail2ban-regex --print-all-matched /var/log/Fail2Log.log /etc/fail2ban/filter.d/mediawiki.conf</code>

====Restart Fail2Ban====

<code>systemctl restart fail2ban</code>

<code>fail2ban-client status</code>

<code>fail2ban-client status mediawiki</code>

<b>Now test by trying to login to your wiki with wrong password three times.</b>

=====fail2ban regex and error checking=====

<div class="toccolours mw-collapsible mw-collapsed">
Check regex:
<div class="mw-collapsible-content">

* Syntax: <code>fail2ban-regex <logfile> <failregex> <ignoreregex></code>
** Example: <code>fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-correct-up.conf</code>
* If you want to test <code>ignoreregex</code> enter filter file twice:
** Example: <code>fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-correct-up.conf /etc/fail2ban/filter.d/nginx-correct-up.conf</code>
* Read <code>man fail2ban-regex</code> for some more opitions:
* Examples:
** <code>-v</code>, <code>--verbose</code>
*** Be verbose in output
** <code>--print-all-missed</code>
*** Print all missed lines
** <code>--print-all-ignored</code>
*** Print all ignored lines
** <code>--print-all-matched</code>
*** Print all matched lines

</div>
</div>

<div class="toccolours mw-collapsible mw-collapsed">
Debug Fail2Ban:
<div class="mw-collapsible-content">

* <code>-d</code> dump configuration. For debugging.<br \>
<code>fail2ban-client -d</code><br \>
* <code>--dp</code>, <code>--dump-pretty</code> dump the configuration using more human readable representation.<br \>
<code>fail2ban-client --dp</code><br \>
* will print the systemd log for Fail2Ban.<br \>
<code>journalctl -u fail2ban</code>

</div>
</div>

====Change ban time After testing====

<code>$EDITOR /etc/fail2ban/jail.local</code><br \>
<pre>
[mediawiki]

enabled = true
filter = mediawiki
action = iptables-allports
bantime = 1h
maxretry = 20
logpath = /var/log/Fail2Log.log
</pre>

===Unban IP's===
Get list of Jails:<br \>
<code>fail2ban-client status</code><br \>

See banned ips by that jail:<br \>
<code>fail2ban-client status <jailname></code><br \>

Unban IP from jail:<br \>
<code>fail2ban-client set <jailname> unbanip <ip_address></code><br \>
<br \>
Log File:<br \>
<code>/var/log/Fail2Log.log</code>

==Moving To VPS==

===Create ssh key pair on local host===
<code>ssh-keygen -t rsa -b 4096 -C "MYSERVER" -f ~/.ssh/serverkey</code><br \>
You will be prompted to Enter a passphase, you can just press <b>Enter</b> for no passphase.<br \>
You will now have a file called <b>serverkey</b> and <b>serverkey.pub</b> in your <b>/home/$USER/.ssh</b> directory.<br \>
Now lets setup are server and move public key to server.<br \>

<b>BACKUP YOUR PRIVATE KEY TO USB STICK OR SOMETHING!</b><br \>
<code>serverkey.pub</code><b>PUBLIC KEY</b><br \>
<code>serverkey</code><b>PRIVATE KEY</b><br \>

===Login to Server - ssh ===
Using <b>Vultr</b> i am going to deploy a <b>Ubuntu 20.04</b> Server.<br \>
$10, 1 cpu, 2048MB ram, 55GB ssd, 2000GB Bandwidth.<br \>
I have been given the IP:<b>192.248.145.129</b> and the Password:<b>1R?o.gPasdaLz1w</b> and with Vultr the default login/user is <b>root</b><br \>
Lets move over the public key so we don't need a password to login:<br \>
<code>ssh-copy-id -i ~/.ssh/serverkey root@192.248.145.129</code></br \>
Will be promted for server password, enter password: 1R?o.gPasdaLz1w<br \>
Now lets login with are private key.<br \>
<code>ssh -i .ssh/serverkey root@192.248.145.129</code>

===Update Server===

<code>apt update && apt upgrade -y</code><br \>
The Server may need a restart, you will see this after updates if it does<br \>
<b>*** System restart required ***</b><br \>
restart server and log back in after a minute.<br \>
<code>reboot</code>

===Change default ssh port and disable plain text passwords===
Log back into server<br \>
<code>ssh -i .ssh/serverkey root@192.248.145.129</code><br \>
<code>$EDITOR /etc/ssh/sshd_config</code><br \>

<pre>#Port 22</pre>
<pre>Port 7788</pre>

disable clear text passwords
<pre>#PasswordAuthentication yes</pre>
<pre>PasswordAuthentication no</pre>

restart sshd
<code>systemctl restart sshd</code><br \>
Exit server and re-login<br \>
<code>exit</code><br \>

Log back in with new port<br \>
<code>ssh -p 7788 -i .ssh/serverkey root@192.248.145.129</code>

<div class="toccolours mw-collapsible mw-collapsed">
Create ssh login shortcut:
<div class="mw-collapsible-content">
To be done on host:<br \>
<code>touch ~/.ssh/config</code><br \>
<code>chmod 600 ~/.ssh/config</code><br \>
<code>$EDITOR ~/.ssh/config</code><br \>
<pre>
Host mediawikiserver
HostName 192.248.145.129
User root
Port 7788
IdentityFile /home/$USER/.ssh/severkey
</pre>

You can now login to server from host with:<br \>
<code>ssh mediawikiserver</code><br \>
<div class="toccolours mw-collapsible mw-collapsed">
Syntax of config file:
<div class="mw-collapsible-content">
<pre>
#Syntax
#
#Host <ALIAS_NAME>
# HostName <ADDRESS_IP_OR_DOMAIN>
# User <USERNAME_LOGIN>
# Port <PORT_NUMBER_IF_NOT_DEFAULT>
# IdentityFile </PATH/TO/PRIVATE_KEY>
## Can now login with <code>ssh <ALIAS_NAME>
</pre>
</div>
</div>
</div>
</div>

===Enable Basic FireWall===
Block IPv6<br \>
<code>$EDITOR /etc/default/ufw</code><br \>
Change the line<br \>
<code>IPV6=yes</code><br \>
To<br \>
<code>IPV6=no</code><br \>
Save and Exit<br \>
<code>ufw allow 7788/tcp</code><br \>
<code>ufw enable</code><br \>

===Create Swap space on server===

====First check if you already have a swap space====
First check if you already have a swap space<br \>
<code>free -m</code><br \>
Returns:<br \>
<pre>
total used free shared buff/cache available
Mem: 1987 103 1655 2 228 1732
Swap: 0 0 0
</pre>

<div class="toccolours mw-collapsible mw-collapsed">
Other methods to check swap space
<div class="mw-collapsible-content">
<code>cat /proc/swaps</code><br \>
<code>swapon -s -v</code>
</div>
</div>

====Create SwapSpace====
preallocate a 2 gigabyte space to be used for swap.<br \>
Note: you can name swapfile to anything you want.

<code>fallocate -l 2G /swapfile</code>

Initialize the /swapfile file with zeros - see "Working out the count size" to see how to work out the count size.
<div class="toccolours mw-collapsible mw-collapsed">
Working out the count size:
<div class="mw-collapsible-content">
Working out count size to scale the swapsize.

1 kilobyte = 1024 bytes

1 megabyte = 1024 kilobyte

1 gigabyte = 1024 megabytes

bs=1024 = 1 megabyte

1 gigabyte = 1024 megabyte

to get count of 1 gigabyte 1024 * 1024

2 gigabyte (1024 * 2048 ) or 1048576 * 2 = 2,097,152

</div>
</div>

<code>dd if=/dev/zero of=/swapfile bs=1024 count=2097152</code>

<code>chmod 600 /swapfile</code>

<code>mkswap /swapfile</code>

<code>swapon /swapfile</code> <b>Or</b> <code>swapon -a</code> <b>Or</b> <code>mount -a</code>

append to <code>/etc/fstab</code> so its mounted after reboot.<br \>
<code>$EDITOR /etc/fstab</code><br \>
And enter this in a new line at the bottom:<br \>
<code>/swapfile swap swap defaults 0 0</code>

and thats it, you can check swap with(or same other methods as above):

<code>free -m</code><br \>
Returns:<br \>
<pre>
total used free shared buff/cache available
Mem: 1987 103 75 2 1808 1712
Swap: 2047 0 2047
</pre>

===ssmtp for email alerts===
<code>apt install ssmtp -y</code><br \>
<code>$EDITOR /etc/ssmtp/ssmtp.conf</code><br \>

<pre>
mailhub=mail.smtp2go.com:587
AuthUser=noobwiki
AuthPass=N0tTelinu
UseSTARTTLS=YES
FromLineOverride=YES
hostname=completenoobs.com
</pre>

<code>$EDITOR /etc/ssmtp/revaliases</code><br \>
<pre>
root:admin@completenoobs.com:mail.smtp2go.com:587
</pre>

<code>usermod -c "CNWikiVPS" root</code><br \>

Send Test eMail<br \>
Create a file and add subject header and some content.<br \>
<code>$EDITOR test-mail.txt</code><br \>
<pre>
Subject:test email

Hello You.
</pre><br \>
Save and Exit<br \>
Now send the email:<br \>
<code>sendmail email@address2receive.mail < test-mail.txt</code><br \>
Don't forget to check your spam folder if you don't see email<br \>
Once tested and email sent, you can delete <b>test-mail.txt</b>.<br \>
<code>rm test-mail.txt</code>

===auto update server===
<code>$EDITOR /etc/apt/apt.conf.d/50unattended-upgrades</code><br \>
Uncomment (by removing <b>//</b> at start of line)and amend the lines we want:<br \>
<code>// "${distro_id}:${distro_codename}-updates";</code><br \>
to<br \>
<code> "${distro_id}:${distro_codename}-updates";</code><br \>
Add email address to send email to:<br \>
<pre>//Unattended-Upgrade::Mail "";</pre>
<pre>Unattended-Upgrade::Mail "email@tosendto.com";</pre>
We are going to test are send mail, so for now change MailReport to "always"<br \>
<pre>//Unattended-Upgrade::MailReport "on-change";</pre>
<pre>Unattended-Upgrade::MailReport "always";</pre>

<pre>
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
</pre>
Changed to<br \>
<pre>
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "04:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
Acquire::http::Dl-Limit "500";
</pre>

Test with debug flag -d<br \>
<code>unattended-upgrade -d</code>

Once email alerts from auto updates has been tested and working, change MailReport back from 'always' to 'on-change', unless you want to be emailed at every update.

===Send Container to server===

From host<br \>
<code>scp -i ~/.ssh/serverkey -P 7788 mediawiki.lxc root@192.248.145.129:/root/</code><br \>
If you created a ssh shortcut in <b>.ssh/config</b> you can use:<br \>
<code>scp mediawiki.lxc mediawikiserver:/root/</code><br>
Once container transferred to server checksum to confirm<br>
Do on Local and Server<br>
<code>sha256sum mediawiki.lxc</code><br>
The checksum should be the same on both!<br>

===LXD setup on server===

Check if <b>lxd</b> already installed.<br \>
<code>lxd --version</code><br \>
<code>snap install lxd</code><br \>
Initialize LXD<br \>
<code>lxd init</code><br \>
all defaults<br \>
<pre>
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]:
Name of the storage backend to use (lvm, zfs, ceph, btrfs, dir) [default=zfs]:
Create a new ZFS pool? (yes/no) [default=yes]:
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]:
Size in GB of the new loop device (1GB minimum) [default=10GB]:
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
Would you like the LXD server to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
</pre>

===Import Container===
Note: If version of LXD on server is older than the one you are exporting from, you may see error <code>Error: Failed importing backup: Failed creating instance record: Unknown configuration key: volatile.last_state.ready</code><br>
To Fix this update your LXD<br>
<code>snap remove lxd</code><br>
<code>snap install lxd</code><br>
<code>lxd --version</code><br>
<code>lxd init</code><br>
<br>
Import mediawiki container<br \>
<code>lxc import mediawiki.lxc mediawiki</code><br \>
<code>lxc list</code><br \>
<code>lxc start mediawiki</code><br \>
<code>lxc list</code><br \>
Returns:<br \>
<pre>
+-----------+---------+-----------------------+------+-----------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+-----------+---------+-----------------------+------+-----------+-----------+
| mediawiki | RUNNING | 10.207.119.233 (eth0) | | CONTAINER | 0 |
+-----------+---------+-----------------------+------+-----------+-----------+
</pre>
<b>Note the Change of IP</b><br \>
Are Containers IP is now:<b>10.207.119.233</b><br \>

Now for some reason changing the IP on <b>/var/www/html/mediawiki/LocalSettings.php</b> and the <b>/etc/apache2/sites-available/completenoobs.com.conf</b> does not really work on a VPS (Forgot how i fixed this last time, pretty sure i got it workin a few years back).<br \>

You need a DNS name:

===DNS===

Domain Name System: An index that connects an ip address with a more human readable name(website name):<br \>
Like a phone book would index a persons name with a phone number.<br \>
If you have a domain name for your wiki, point it to your server's ip address.<br \>
This will be required for a letsencrypt cert also.<br \>

I am using <b>namecheap.com</b> and on the <b>Advanced DNS</b> Page<br \>
Add two Type <b>A Records</b>:<br \>

{| class="wikitable"
|+ Dns
|-
|Type
|Host
|Ip address
|TTL
|-
|A record
|@
|192.248.145.129
|auto
|-
|A record
|www
|192.248.145.129
|auto
|}

===Change IP on config files===

Login to conatiner and change IP's to Domain Name<br \>
<code>lxc exec mediawiki bash</code>

<code>$EDITOR /etc/apache2/sites-available/completenoobs.com.conf</code><br \>
<pre> Redirect permanent "/" "https://10.3.45.233"</pre>
<pre> Redirect permanent "/" "https://www.completenoobs.com"</pre>
<code>$EDITOR /var/www/html/mediawiki/LocalSettings.php</code><br \>
<pre>$wgServer = "https://10.3.45.233";</pre>
<pre>$wgServer = "https://www.completenoobs.com";</pre>

<code>systemctl restart apache2</code>

===Use IPTables to forward traffic to container===

<div class="toccolours mw-collapsible mw-collapsed">
iptable syntax
<div class="mw-collapsible-content">
*CONTAINER_IP = place holder for your containers ip
*GLOBAL_IP = place holder for your servers public ip address
*ETH = network interface: enp1s0
** to be done/found on host VPS and NOT Container
** Find network interface:<code>ip route show default</code> or use <code>ip route show default | awk '{print $5}'</code>
<pre>iptables -t nat -I PREROUTING -i ETH -p TCP -d GLOBAL_IP --dport 80 -j DNAT --to-destination CONTAINER_IP:80 -m comment --comment "forward real ip to container"
</pre>
<pre>
iptables -t nat -I PREROUTING -i ETH -p TCP -d GLOBAL_IP --dport 443 -j DNAT --to-destination CONTAINER_IP:443 -m comment --comment "forward real ip to container"
</pre>
</div>
</div>

<b>These commands to be done on host VPS and NOT in container!</b><br \>
Get out of container <code>exit</code><br \>
Network interface=<b>enp1s0</b><br \>
<div class="toccolours mw-collapsible mw-collapsed">
Find you network interface name:
<div class="mw-collapsible-content">
To be run on VPS host and Not in Container:<br \>
<code>ip route show default | awk '{print $5}'</code>
</div>
</div>
VPS Global IP=<b>192.248.145.129</b><br \>
Container IP=<b>10.207.119.233</b><br \>
<code>iptables -t nat -I PREROUTING -i enp1s0 -p TCP -d 192.248.145.129 --dport 443 -j DNAT --to-destination 10.207.119.233:443 -m comment --comment "forward real ip to container"</code>
<br \>
<code>iptables -t nat -I PREROUTING -i enp1s0 -p TCP -d 192.248.145.129 --dport 80 -j DNAT --to-destination 10.207.119.233:80 -m comment --comment "forward real ip to container"</code>
<br \>

The new rules for your iptable will not persistent after a reboot.<br \>

Create systemd service to load firewall rules at startup:<br \>

<code>$EDITOR /usr/local/bin/lxc-mediawiki-rules</code>
<pre>
#!/bin/bash
iptables -t nat -I PREROUTING -i enp1s0 -p TCP -d 192.248.145.129 --dport 443 -j DNAT --to-destination 10.207.119.233:443 -m comment --comment "forward real ip to container"
iptables -t nat -I PREROUTING -i enp1s0 -p TCP -d 192.248.145.129 --dport 80 -j DNAT --to-destination 10.207.119.233:80 -m comment --comment "forward real ip to container"
</pre>

<code>chmod +x /usr/local/bin/lxc-mediawiki-rules</code>

<code>$EDITOR /etc/systemd/system/lxcip.service</code>
<pre>
[Unit]
Description = apply ip rules at startup

[Service]
Type=oneshot
ExecStart=/usr/local/bin/lxc-mediawiki-rules

[Install]
WantedBy=multi-user.target
</pre>

<code>systemctl enable lxcip</code>

<div class="toccolours mw-collapsible mw-collapsed">
LXC proxy method:
<div class="mw-collapsible-content">
<b>DO NOT USE This method!</b> placed here as a note:<br \>
LXC also has a way to forward proxy traffic, but it will show all visits to website, as coming from <b>127.0.0.1</b><br \>
When we install fail2ban, this would be very bad!<br \>
<br \>
<code>lxc config device add CONTAINER_NAME myport80 proxy listen=tcp:0.0.0.0:80 connect=tcp:127.0.0.1:80</code><br \>
<code>lxc config device add CONTAINER_NAME myport443 proxy listen=tcp:0.0.0.0:443 connect=tcp:127.0.0.1:443</code><br \>
To remove proxy:<br \>
<code>lxc config device remove CONTAINER_NAME myport80</code><br \>
<code>lxc config device remove CONTAINER_NAME myport443</code><br \>
</div>
</div>

===Visit webpage and check all working===

Visit the domain you selected<br \>
<code>www.completenoobs.com</code><br \>
Should be up and running.<br \>
NOTE: We did not need to allow port 443 or 80 on VPS host.<br \>
Check Iptables persist for restart, by rebooting server!<br \>
<code>reboot</code><br \>
Give it a minute or 2 and check website again.

===LetsEncrypt===

Log back into server<br \>
<code>ssh mediawikiserver</code><br \>
Log into container<br \>
<code>lxc exec mediawiki bash</code><br \>
Install certbot<br \>
<code>snap install certbot --classic</code><br \>
Backup Apache2 config file<br \>
<code>cp /etc/apache2/sites-available/completenoobs.com.conf /etc/apache2/sites-available/completenoobs.com.conf.bk</code><br \>
Create Cert<br \>
<code>certbot --apache -d www.completenoobs.com -d completenoobs.com</code><br \>
And Certbot broke are apache2 configs, and thats why we back up!<br \>
<code>ls /etc/letsencrypt/live/www.completenoobs.com/</code><br \>
<code>cp /etc/letsencrypt/live/www.completenoobs.com/fullchain.pem /etc/ssl/certs/cn-selfsigned.crt</code><br \>
<code>cp /etc/letsencrypt/live/www.completenoobs.com/privkey.pem /etc/ssl/private/cn-selfsigned.key</code><br \>
<code>rm /etc/apache2/sites-available/completenoobs.com-le-ssl.conf /etc/apache2/sites-available/completenoobs.com.conf
</code><br \>
<code>cp /etc/apache2/sites-available/completenoobs.com.conf.bk /etc/apache2/sites-available/completenoobs.com.conf</code><br \>
<br \>
Turn <b>SSLUseStapling</b> on<br \>
<code>$EDITOR /etc/apache2/conf-available/ssl-params.conf</code><br \>
<pre>SSLUseStapling off</pre><br \>
Change to:<br \>
<pre>SSLUseStapling on</pre><br \>
Restart apache<br \>
<code>systemctl restart apache2</code><br \>
Now check your site on browser.<br \>

==Useful Notes - tips==

===Forgot your Admin Password===
Can use for any user:<br \>
<code>php /var/www/html/mediawiki/maintenance/changePassword.php --user=admin --password=newpassword</code><br \>

===Make Wiki Read Only===
Add to LocalSettings.php:<br \>
<code>$wgReadOnly = 'Read Only';</code><br \>

===Restrict account creation on wiki===
Add to LocalSettings.php:<br \>
<code>$wgGroupPermissions['*']['createaccount'] = false;</code>

===Only Admin accounts can edit===
Add to LocalSettings.php:<br \>
<pre>
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = false;
$wgGroupPermissions['sysop']['edit'] = true;
</pre>

===Protect a page so only admin can edit===

At the top of the page when logged in with admin account, click <b>More</b>.<br \>
A drop down of three opitions: Delete, Move, Protect.<br \>
Clicking <b>Protect</b> will not allow any non admin from editing the page.

{| class="wikitable"
|+ When logged in as admin
|-
|Read
|Edit
|View history
|(STAR)
|<b>More</b>
|}

===Make User an Admin===
go to special pages

With Admin Account go to:<br \>
<code>index.php/Special:SpecialPages</code>

List of users can be found here:<br \>
<code>index.php/Special:ListUsers</code><br \>

Go to:<br \>
<code>index.php/Special:UserRights</code><br \>
And enter username:<br \>
<b>Groups you can change</b><br \>
And rest is self explanatory.

====Remove admin rights====
Same thing, just untick admin rights!

==Upgrading MediaWiki==
<b>BACK SURE YOU BACKUP FIRST!!!</b> just in case.<br \>

This example update 1.35 to 1.36 from 1.36 onwards php-intl is required.<br>

Download the wiki you are going to upgrade to.<br \>
<code>https://releases.wikimedia.org/mediawiki/1.36/</code><br \>
<code>cd /root</code><br \>
<code>wget https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.1.tar.gz</code><br \>

In LocalSettings.php put in readonly mode<br \>
<code>$EDITOR /var/www/html/mediawiki/LocalSettings.php</code><br \>
<code>$wgReadOnly = "Upgrading";</code><br \>

<code>tar xvzf mediawiki-1.36.1.tar.gz -C /var/www/html/mediawiki --strip-components=1</code><br \>
<code>php /var/www/html/mediawiki/maintenance/update.php</code><br \>
Returns:<pre>
Error: Missing one or more required components of PHP.
You are missing a required extension to PHP that MediaWiki needs.
Please install:
* intl <https://www.php.net/intl>
</pre>
<code>apt install php-intl</code><br \>
<code>php /var/www/html/mediawiki/maintenance/update.php</code><br \>
And thats it.
If you do get an error:<br \>
<blockquote>
MediaWiki 1.36 internal error
Installing some PHP extensions is required.

Required components
You are missing a required extension to PHP that MediaWiki requires to run. Please install:

intl (more information)
</blockquote>
Then <b>reboot</b> the container and its all fine after.

==Backup your Wiki==

===LXC Snapshots===
Easy way, backup the container using <b>snapshot</b><br \>
<code>lxc snapshot mediawiki beforeupgrade_11_12_2020</code><br \>
To see snapshots<br \>
<code>lxc info mediawiki</code><br \>
To restore container to snapshot<br \>
<code>lxc restore mediawiki beforeupgrade_11_12_2020</code><br \>
To delete a snapshot<br \>
<code>lxc delete mediawiki/beforeupgrade_11_12_2020</code><br \>

====Export a Snapshot====

<code>lxc snapshot mediawiki testsnap</code>

<code>lxc publish mediawiki/testsnap --alias mediawiki-backup-20-07-2021</code>

<code>lxc image export mediawiki-backup-20-07-2021</code>

you end up with a file named after the sha256sum
<code>a23ee82572e5f14aabd4b59d6c7bc7923fe88f30f83b776401871e237b554ceb.tar.gz</code><br \>

NOTE:You can change name from <code>a23ee82572e5f14aabd4b59d6c7bc7923fe88f30f83b776401871e237b554ceb.tar.gz</code><br \>
to something like <code>mediawiki-backup-20-07-2021.tar.gz</code> and restore will still work fine.<br \>

can now delete image
<code>lxc image delete mediawiki-backup-20-07-2021</code>

====Import Snapshot====
Move to another computer and install init lxd<br \>

<code>lxc image import a23ee82572e5f14aabd4b59d6c7bc7923fe88f30f83b776401871e237b554ceb.tar.gz --alias testrestore</code>

<code>lxc launch testrestore mediarestore</code>

<code>lxc list</code>

<code>lxc exec mediarestore bash</code>

Change IP in LocalSettings and apache config and restart apache.<br \>
And your up and running.<br \>
<br \>
you can also delete image on new restore computer:<br \>
<code>lxc image delete testrestore</code>

===Dump mediawiki database - xml===
Log into container root dir<br \>
<code>lxc exec NAME bash</code><br \>
In container of wiki:<br \>
<code>php /var/www/html/mediawiki/maintenance/dumpBackup.php --full > /root/dump_mediawiki.xml</code><br \>
Exit container<br \>
<code>exit</code>
Pull file to host<br \>
<code>lxc file pull NAME/root/dump_mediawiki.xml wiki-dump.xml</code>

====automate xml dumps to server====
TIP: [[Scp_only|Create an '''scp only''' account on server first]]<br>
<code>$EDITOR /usr/local/bin/auto-export.sh</code></br>
<syntaxhighlight lang="bash" line>
#!/bin/bash
set -x

time_stamp=$(date '+%d_%m_%y')
dumps_dir="/var/www/dumps"
noobs_dir="/var/www/html/noobs"
local_settings="$noobs_dir/LocalSettings.php"
wiki_dump_dir="$dumps_dir/$time_stamp.Noobs"
xmlkey="/root/.ssh/xmlkey"
remote_host="rscp@xml.completenoobs.com"
remote_path="/home/rscp/media/"

function ensure_read_only_line_exists {
if ! grep -q "wgReadOnly" "$local_settings"; then
cat <<EOF >> "$local_settings"
\$wgReadOnly = 'Dumping Database, Access will be restored shortly';
EOF
fi
}

function set_wiki_read_only {
sed -i 's/^#*$\$wgReadOnly$/\1/' "$local_settings"
}

function unset_wiki_read_only {
sed -i 's/^$\$wgReadOnly$/#\1/' "$local_settings"
}

function create_directories {
mkdir -p "$dumps_dir"
mkdir -p "$wiki_dump_dir"
}

function dump_wiki {
php "$noobs_dir/maintenance/dumpBackup.php" --full > "$wiki_dump_dir/$time_stamp.Noobs.xml"
}

function generate_checksums {
md5sum "$wiki_dump_dir/$time_stamp.Noobs.xml" > "$wiki_dump_dir/$time_stamp.md5sum.txt"
sha256sum "$wiki_dump_dir/$time_stamp.Noobs.xml" > "$wiki_dump_dir/$time_stamp.sha256sum.txt"
}

function push_to_remote {
scp -i /root/.ssh/xmlkey -r /var/www/dumps/$time_stamp.Noobs rscp@xml.completenoobs.com:/home/rscp/media/
#rsync -avz -e "ssh -i $xmlkey" "$wiki_dump_dir" "$remote_host:$remote_path"
}

# Main script
ensure_read_only_line_exists
create_directories
set_wiki_read_only
dump_wiki
generate_checksums
unset_wiki_read_only
push_to_remote
</syntaxhighlight>
<br>
<code>chmod +x /usr/local/bin/auto-export.sh</code><br>

=====add to cron to export every 5 days=====
<code>crontab -e</code><br>
<pre>
30 3 */5 * * /usr/local/bin/auto-export.sh
</pre>
Will export at 3:30 am every 5 days, check [[Cron_ubuntu_22.04|Ubuntu Cron Quick start for more info]]

===Import Dump===

====Create Quick local wiki====
[[Ubuntu_Local_Wiki_Import|localwiki]]

====Import dump====
<code>lxc file push wiki-dump.xml localwiki/root/</code><br \>
<code>lxc exec localwiki bash</code><br \>

=====Restore dump=====
<code>php /var/www/html/mediawiki/maintenance/importDump.php --conf /var/www/html/mediawiki/LocalSettings.php /root/wiki-dump.xml</code><br \>
<code>php /var/www/html/mediawiki/maintenance/rebuildrecentchanges.php</code><br \>
<code>php /var/www/html/mediawiki/maintenance/initSiteStats.php</code><br \>
<code>php /var/www/html/mediawiki/maintenance/rebuildall.php</code><br \>

Everything apart from <b>index.php/Main_Page</b> restored.

===Full Wiki Dump and Restore===

====Backing up====

====Making your wiki READ ONLY - will lock database====
<code>$EDITOR LocalSettings.php</code><br \>
<code>$wgReadOnly = 'Dumping Database, Access will be restored shortly';</code>

====Dump and gzip database for transport====

will be prompted for password:<br \>

<code>mysqldump -h localhost --default-character-set=binary --no-tablespaces -u green -p mywiki_database | gzip > /root/greenwiki.sql.gz</code><br \>
<div class="toccolours mw-collapsible mw-collapsed">
ALt method for dump(password in cmd):
<div class="mw-collapsible-content">
<code>mysqldump -h localhost --default-character-set=binary --no-tablespaces -u green --password=THISpasswordSHOULDbeCHANGED -p mywiki_database | gzip > /root/greenwiki.sql.gz</code>
</div>
</div>

<code>php /var/www/html/mediawiki/maintenance/dumpBackup.php --full > /root/dump_mediawiki.xml</code><br \>

Back mediawiki Root Directory.<br \>
<code>tar cvzhf /root/mediawiki-rootDir.tgz /var/www/html/mediawiki</code><br \>

All into one file for easy transport.<br \>
<code>cd /root/</code><br \>
<code>tar cvzhf mediawiki-transfer.tgz mediawiki-rootDir.tgz greenwiki.sql.gz dump_mediawiki.xml</code><br \>

All file in <b>mediawiki-transfer.tgz</b> for transfer to new server<br \>

exit Container<br \>
<code>exit</code><br \>
<code>lxc file pull mediawiki/root/mediawiki-transfer.tgz mediawiki.bk.tgz</code><br \>

====Restore wiki====

create container (backupwiki) and push file<br \>
<code>lxc file push mediawiki.bk.tgz backupwiki/root/</code><br \>

login to container<br \>
<code>apt update && apt upgrade -y</code><br \>
<code>apt install apache2 mysql-server php php-mysql libapache2-mod-php php-xml php-mbstring php-intl -y</code><br \>
<br \>
<code>tar xvf mediawiki.bk.tgz</code><br \>
<code>tar xvf mediawiki-rootDir.tgz -C /</code><br \>

Create basebase:<br \>
NOTE: If you use diff username, passwd, database_name, append/correct details on LocalSettings.<br \>
<code>mysql -u root</code>

<code>CREATE USER 'green'@'localhost' IDENTIFIED BY 'THISpasswordSHOULDbeCHANGED';</code>

<code>CREATE DATABASE mywiki_database;</code>

<code>use mywiki_database;</code>

<code>GRANT ALL ON mywiki_database.* TO 'green'@'localhost';</code>

<code>quit;</code>
<br \>

<code>gunzip -d greenwiki.sql.gz</code><br \>
<code>mysql -u green -p mywiki_database < greenwiki.sql</code><br \>

<code>php /var/www/html/mediawiki/maintenance/importDump.php --conf /var/www/html/mediawiki/LocalSettings.php /root/dump_mediawiki.xml</code><br \>
<code>php /var/www/html/mediawiki/maintenance/rebuildrecentchanges.php</code><br \>
<code>php /var/www/html/mediawiki/maintenance/initSiteStats.php</code><br \>
<code>php /var/www/html/mediawiki/maintenance/rebuildall.php</code><br \>

Config Apache2

<code>$EDITOR /etc/apache2/sites-available/000-default.conf</code>
<pre>
<VirtualHost *:80>
DocumentRoot /var/www/html/mediawiki
</VirtualHost>

</pre>

Reload Apache2

<code>
systemctl restart apache2
</code>

==EmbedVideo==
https://www.mediawiki.org/wiki/Extension:EmbedVideo<br>
<code>apt install unzip</code><br>
<code>wget https://gitlab.com/hydrawiki/extensions/EmbedVideo/-/archive/v2.9.0/EmbedVideo-v2.9.0.zip</code><br>
<code>unzip EmbedVideo-v2.9.0.zip -d /var/www/html/mediawiki/extensions/</code><br>
<br>
<code>mv /var/www/html/mediawiki/extensions/EmbedVideo-v2.9.0 /var/www/html/mediawiki/extensions/EmbedVideo</code><br>
<br>
<code>$EDITOR /var/www/html/mediawiki/LocalSettings.php</code><br>
<pre>
#Embed Video
wfLoadExtension( 'EmbedVideo' );
</pre>

==Remove <b>Index.php</b> From URL==
[[Mediawiki_Remove_index.php|How to remove the Index.php from URL]]

==SpamBot Wars==

Bit busy now, notes to look into later:

https://www.mediawiki.org/wiki/Extension:Nuke<br \>
https://www.mediawiki.org/wiki/Manual:Preventing_access<br \>
https://www.mediawiki.org/wiki/Extension:ConfirmAccount<br \>
https://www.mediawiki.org/wiki/Extension:InviteSignup<br \>

Well the bots won for now - Disable eMail function for all related options in LocalSettings.php<br \>
<code>$wgEnableEmail = false;</code><br \>
Or just stop users sending email with:<br \>
<code>$wgEnableUserEmail = false;</code>

==Notes==

==Syntax highlighting not working==
Install <b>pygments</b><br>
<code>apt install python3-pygments</code><br>

Add to LocalSettings:<br>
<code>wfLoadExtension( 'SyntaxHighlight_GeSHi' );</code><br>

Ubuntu 22.04 SSH Guide

2023-05-16T12:06:30Z

Noob: /* Key-based Authentication */

==Understanding SSH==

'''SSH''' is a protocol that uses encryption to secure data transmitted between a client and a server. <br>
It enables users to execute commands, transfer files, and manage remote systems through an encrypted channel. <br>
SSH is widely used by system administrators for managing servers, network devices, and other remote systems.

==Installing SSH==

To start using SSH, you'll need to install and configure both the server and client components.

* OpenSSH-Server
** Is required to allow '''ssh''' connections
* OpenSSH-Client
** Is used to login/connect to OpenSSH-Server

If you are using Ubuntu Desktop, the '''openssh client''' will be preinstalled, allowing you to connect to a server which is running '''openssh-server'''

If you are using Ubuntu Server, both the '''ssh client''' and '''openssh server''' are preinstalled by default.

=== Installing OpenSSH Server===
On Ubuntu distributions, you can install the OpenSSH server by running:

<code>sudo apt install openssh-server</code><br>

Check the SSH server status with:

<code>systemctl status ssh</code>

===Installing OpenSSH Client===

The OpenSSH client is usually pre-installed on most Linux and macOS systems. <br>For Windows, you can install the OpenSSH client by following the instructions on the official website:<br> https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse

==Basic SSH Commands and Usage==
=== Connecting to a remote server===
Connecting to a remote server using SSH is a fundamental task when managing remote systems. Here's how to connect to a remote server using the command-line interface.

Install an SSH client: Ensure you have an SSH client installed on your local machine. Most Unix-based systems, including Linux and macOS, have an SSH client pre-installed. For Windows, you can use the built-in OpenSSH client (available in Windows 10 and later) or a third-party client like PuTTY.

====Gather connection information====
To connect to a remote server, you'll need the following information:
* The remote server's IP address or hostname
* The SSH port number (default is 22)
* Your username on the remote server
* The password for the user on remote server.

====Connect using SSH====
Open a terminal or command prompt on your local machine and use the following command to connect to the remote server:

<code>ssh username@hostname_or_IP</code>

Replace '''username''' with your username on the remote server, '''hostname_or_IP''' with the server's hostname or IP address.

If OpenSSH-Server is running/listening on a port other than the default port '''22''' include the port with the '''-p''' flag.

For example (If port 2222):

: <code>ssh john@example.com -p 2222</code>
Or
: <code>ssh -p 2222 john@example.com</code>

=====Connecting to a Remote Server =====

In this example, we connect to a remote Ubuntu VPS with the following credentials:
<pre>
Username: root
IP address: 12.34.56.78
Password: password2simple
</pre>
Use the following command to connect to the remote server:

<code>ssh root@12.34.56.78</code>

You will be prompted to enter the password. Type password2simple and press Enter. This demonstrates how simple it can be to log into a remote computer with root access.

* If your Server is hosting SSHD on a port other than default 'port 22' include port number with the '''-p''' flag
Example with port 2222:<br>
<code>ssh -p 2222 root@12.34.56.78</code>

====Authenticate====
When connecting for the first time, you'll see a prompt asking you to confirm the remote server's fingerprint. Verify the fingerprint and type "yes" to proceed. Next, you'll be prompted for your password. Enter your password to complete the authentication process.

Once authenticated, you'll have access to the remote server's command line. You can now execute commands and manage the remote server as if you were working on it directly.

Remember that you can use key-based authentication (with a private-public key pair) instead of a password for a more secure and convenient connection method.
== Using SSH config file==

An SSH config file allows you to define and manage multiple SSH connections, simplifying the process of connecting to remote servers. By creating an SSH config file, you can define custom options, such as port numbers, usernames, and key files, for each connection. The SSH config file is typically located in the '''~/.ssh''' directory and named config.

Here's how to create and use an SSH config file:

:* Create the SSH config file: If it doesn't exist, create the config file in the '''~/.ssh''' directory using a text editor:

<code>$EDITOR ~/.ssh/config</code>

:* Define a connection: To define a connection, you'll need to specify a Host entry followed by any options you want to apply to that connection. Here's an example:

<pre>
Host server1
HostName example.com
User your_username
Port 2222
IdentityFile ~/.ssh/id_rsa_server1
</pre>
In this example, we've defined a connection called server1 with the following options:

:* HostName: The hostname or IP address of the remote server (example.com in this case).
:* User: The username to use when connecting to the remote server (replace your_username with your actual username).
:* Port: The port number to use for the SSH connection (2222 in this example).
:* IdentityFile: The path to the private key file to use for authentication (replace ~/.ssh/id_rsa_server1 with the path to your private key file).

You can define multiple connections in the same config file by creating separate Host entries:

<pre>
Host server2
HostName 192.168.1.100
User another_username
Port 22
IdentityFile ~/.ssh/id_rsa_server2
</pre>
:* Save and exit the file: Save your changes and exit the text editor.

:* Connect using the SSH config file: To connect to a remote server using the defined connection, simply use the ssh command followed by the Host entry:

<code>ssh server1</code>

In this example, SSH will automatically use the options defined in the config file for server1, such as the hostname, username, port number, and identity file.

By using an SSH config file, you can simplify the process of managing multiple SSH connections and customize the options for each connection.

==Key-based Authentication==

Why use key-based authentication?
* Server1: 12.34.56.78
* Server2: 12.34.56.87

You are trying to login to Server1, but by mistake you enter your '''user''' and '''password''' to Server2, Can Server2 record the '''user''' and '''password''' you used?
[[Ubuntu_18.04_OpenSSH-Server_Capture_Failed_Passwords|YES, Yes it can]]

=== Generating SSH key pairs===

SSH key pairs consist of a private key and a public key. They provide a secure, passwordless authentication method for connecting to remote servers. The private key remains on your local machine, while the public key is added to the remote server's authorized keys. Here's how to generate an SSH key pair:

Open a terminal: On Unix-based systems (Linux and macOS), open a terminal. On Windows, open PowerShell or the Command Prompt.

Generate the key pair: Use the ssh-keygen command to create a new SSH key pair. The following command generates a 4096-bit RSA key pair:

<code>ssh-keygen -t rsa -b 4096</code>

You can also generate other types of keys, such as Ed25519, by changing the -t option:

<code>ssh-keygen -t ed25519</code>

Specify the key's location: When prompted, you can either accept the default location (~/.ssh/id_rsa for RSA keys, ~/.ssh/id_ed25519 for Ed25519 keys) or enter a custom path. It is recommended to use the default location unless you have a specific reason to change it.

Set a passphrase (optional): You can choose to protect your private key with a passphrase. If you do, you'll need to enter the passphrase every time you use the key. This adds an extra layer of security, but can be less convenient for automation or scripting. To set a passphrase, enter it when prompted; otherwise, leave the field blank

====Selecting file name and path for keys====

<code>ssh-keygen -t rsa -b 4096 -f .ssh/nuc</code>

The '''-f''' option in the '''ssh-keygen''' command is used to specify the output file for the generated key pair. In your example, '''ssh-keygen -t rsa -b 4096 -f .ssh/nuc''', the command is generating an RSA key pair with a key length of 4096 bits, and the output files will be saved in the '''.ssh''' directory with the base name '''nuc'''.

Here's a breakdown of the options used in this command:

:* '''-t rsa''': Specifies the key type, in this case, RSA.
:* '''-b 4096''': Specifies the key length, which is 4096 bits in this case. This length offers good security and is generally recommended.
:* '''-f .ssh/nuc''': Specifies the file where the key pair will be saved. The private key will be saved as '''.ssh/nuc''', and the public key will be saved as '''.ssh/nuc.pub'''.

After running this command, you'll have a new key pair with the private key in '''.ssh/nuc''' and the public key in '''.ssh/nuc.pub'''

====Create keys with no passphase====

<code>ssh-keygen -t rsa -b 4096 -N "" -C "MYSERVER" -f ~/.ssh/serverkey</code>

:* '''-t rsa''': Specifies the key type, in this case, RSA.
:* '''-b 4096''': Specifies the key length, which is 4096 bits in this case. This length offers good security and is generally recommended.
:* '''-N ""''': Specifies an empty passphrase for the key pair. This means that the private key will not be encrypted, and no passphrase will be required when using it. This can be less secure, but more convenient for automated processes.
:* '''-C "MYSERVER"''': Adds a comment to the generated key pair. In this case, the comment is "MYSERVER". Comments are useful for identifying keys when you have multiple keys in your ~/.ssh directory or on a remote server.
:* '''-f ~/.ssh/serverkey''': Specifies the file where the key pair will be saved. The private key will be saved as '''~/.ssh/serverkey''', and the public key will be saved as '''~/.ssh/serverkey.pub'''.

After running this command, you'll have a new key pair with the private key in '''~/.ssh/serverkey''' and the public key in '''~/.ssh/serverkey.pub'''. The private key will have an empty passphrase and a comment "MYSERVER" for easier identification.

====Remove the passphrase from an existing SSH private key====

To remove the passphrase from an existing SSH private key, you can use the '''ssh-keygen''' command with the '''-p''' option, which is used for changing the passphrase. Follow these steps:

:* Make a backup of your private key file, just in case something goes wrong during the process. You can do this by running the following command, replacing '''<your_private_key>''' with the filename of your private key:

<code>cp <your_private_key> <your_private_key>.backup</code>

:* Run the '''ssh-keygen''' command with the '''-p''' option, specifying the private key file using the '''-f''' option:
::** '''-p''': Indicates that you want to change the passphrase of an existing private key.
::** '''-f <your_private_key>''': Specifies the private key file whose passphrase you want to change.

<code>ssh-keygen -p -f <your_private_key></code>

:* You will be prompted to enter the old passphrase for the private key. Type it in and press Enter.

:* Next, you'll be prompted to enter a new passphrase. Since you want to remove the passphrase, leave this field empty and press Enter.

:* You'll be asked to confirm the empty passphrase. Press Enter again to confirm.

Your private key now has its passphrase removed. Keep in mind that this makes the private key less secure, as anyone with access to the file can use it without needing to know the passphrase.

====Add/Change a passphrase to an existing SSH Key====

To add a passphrase to an existing SSH private key that doesn't have one, you can use the '''ssh-keygen''' command with the '''-p''' option, just like when you change or remove a passphrase. Here are the steps:

:* '''Make a backup of your private key file''', just in case something goes wrong during the process. You can do this by running the following command, replacing <your_private_key> with the filename of your private key:

<code>cp <your_private_key> <your_private_key>.backup</code>

:* Run the '''ssh-keygen''' command with the -p option, specifying the private key file using the '''-f''' option:

<code>ssh-keygen -p -f <your_private_key></code>

:* You will be prompted to enter the old passphrase for the private key. Since your private key doesn't currently have a passphrase, just press Enter to proceed.

:* Next, you'll be prompted to enter a new passphrase. Type in the passphrase you want to set for the private key and press Enter.

:* You'll be asked to confirm the new passphrase. Type it again and press Enter to confirm.

Your private key now has a passphrase added to it. This provides an extra layer of security, as anyone using the key will need to know the passphrase to access it. Keep in mind that you should use a strong passphrase to ensure better security.

=== Copying public keys to the remote server===
After generating an SSH key pair, you'll need to copy the public key to the remote server to enable key-based authentication. Here's how to do it:

====Using ssh-copy-id====

Use the '''ssh-copy-id''' command (Linux and macOS): On Unix-based systems, you can use the ssh-copy-id command to copy your public key to the remote server:

<code>ssh-copy-id -i ~/.ssh/id_rsa.pub username@hostname_or_IP</code>

Replace ~/.ssh/id_rsa.pub with the path to your public key file (e.g., ~/.ssh/id_ed25519.pub for Ed25519 keys), username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

====Manually copy the public key====

Manually copy the public key (Windows and alternative method): If you don't have access to the ssh-copy-id command or prefer to do it manually, you can:

:* Open your public key file (e.g., id_rsa.pub or id_ed25519.pub) with a text editor and copy its content.>
:* Log in to the remote server via SSH.<br>
:* Create the ~/.ssh directory if it doesn't exist:

<code>mkdir -p ~/.ssh</code>

Edit or create the ~/.ssh/authorized_keys file using a text editor (e.g., nano, vim, or emacs), and paste the content of your public key at the end of the file. Save and close the file.

Set the correct file permissions: To ensure the security of your SSH setup, it's essential to set the proper file permissions on your local machine and the remote server:

:* On your local machine:
:** Private key (id_rsa or id_ed25519): -rw------- (600)
:** Public key (id_rsa.pub or id_ed25519.pub): -rw-r--r-- (644)

:* On the remote server:
:** ~/.ssh directory: drwx------ (700)
:** ~/.ssh/authorized_keys file: -rw------- (600)

To set the permissions on your local machine, use the chmod command:

<pre>
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
</pre>
On the remote server, use the following commands:

<pre>
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
</pre>
Once you've copied your public key to the remote server and set the correct file permissions, you should be able to connect using key-based authentication without the need for a password.

=== Disabling password authentication (optional)===
Disabling password authentication enhances the security of your SSH server by requiring key-based authentication for all connections. You can disable password authentication for specific users or for all users. To do so, follow these steps:

:* Connect to the remote server: Log in to the remote server via SSH using your username and the server's hostname or IP address.

:* Edit the SSH configuration file: Open the SSH server configuration file (usually located at /etc/ssh/sshd_config) with a text editor such as nano, vim, or emacs:

<code>sudo nano /etc/ssh/sshd_config</code>

:* Disabling password authentication for all users: Find the line containing "PasswordAuthentication" and set its value to "no":

<code>PasswordAuthentication no</code>

If the line is commented out (i.e., it starts with a '#'), remove the '#' symbol.

:* Disabling password authentication for a specific user: To disable password authentication only for a particular user, you can use a "Match User" block at the end of the sshd_config file:
<pre>
Match User username
PasswordAuthentication no
</pre>
Replace username with the actual username for which you want to disable password authentication.

:* Save and exit the file: Save your changes and exit the text editor.

:* Restart the SSH server: Apply the changes by restarting the SSH server:

<code>sudo systemctl restart ssh</code>

Now, password authentication will be disabled for the specified user(s), and only key-based authentication will be allowed. Remember that if you disable password authentication, you must have a working SSH key pair set up to access the server, or you may be locked out.

== Configuring the SSH server==

Edit the SSH server configuration file located at <b>/etc/ssh/sshd_config</b> to set your desired settings. You can modify options like the listening port, allowing root login, and more.

===Common sshd_config Options===

The '''sshd_config''' file is located at '''/etc/ssh/sshd_config''' on most Linux systems. This file contains various options and settings that determine the behavior of the OpenSSH server. Each option is followed by its value, and lines starting with a <b>#</b> are considered comments.

Here's an overview of some common options in the sshd_config file:

===Port===

Specifies the port number that the SSH server listens on.<br>

<code>Port 22</code><br>

=== AddressFamily===

Determines the IP address family (IPv4, IPv6, or both) used by the SSH server.

* To specify that the SSH server should only listen for incoming IPv4 connections:
<code>AddressFamily inet</code>

* Or, if you want the SSH server to only listen for incoming IPv6 connections, set the 'AddressFamily' directive to 'inet6':
<code>AddressFamily inet6</code>

* If you want to allow both IPv4 and IPv6 connections, set the 'AddressFamily' directive to 'any':
<code>AddressFamily any</code>

=== ListenAddress===
Specifies the IP address(es) the SSH server listens on. By default, it listens on all available addresses.

<code>ListenAddress 192.168.1.10</code>

=== Protocol===
Defines the SSH protocol version. It's recommended to use only protocol 2.

<code>Protocol 2</code>

=== PermitRootLogin===
Controls whether root login is allowed. It's generally advised to disable root login or set it to "without-password" to allow only key-based authentication for root.

<code>PermitRootLogin no</code>

===PasswordAuthentication===

Enables or disables password-based authentication.

<code>PasswordAuthentication yes</code>

=== PubkeyAuthentication===

Enables or disables public key authentication.

<code>PubkeyAuthentication yes</code>

=== AuthorizedKeysFile===
Specifies the location of the authorized keys file for public key authentication.

<code>AuthorizedKeysFile .ssh/authorized_keys</code>

=== LogLevel===
Sets the logging level for the SSH server.

The LogLevel option in '''sshd_config''' controls the amount of information that SSH daemon (sshd) logs.

There are different log levels that can be set with this option, each providing a different level of detail:

* '''QUIET''': Disables all logging.

* '''FATAL''': Only logs fatal errors.

* '''ERROR''': Logs error messages.

* '''INFO''': Logs informational messages such as login attempts.

* '''VERBOSE''': Logs more detailed information than INFO, including shell commands executed.

* '''DEBUG''': Logs detailed debugging information, including raw protocol details.

The default log level is '''INFO''', which is usually sufficient for most purposes. However, if you need to troubleshoot SSH connections or monitor user activity, setting a higher log level may be helpful.

To change the '''LogLevel''' in '''sshd_config''', you can edit the file '''/etc/ssh/sshd_config''' (or the appropriate configuration file for your system), and add or modify the line:

<code>LogLevel <log_level></code>

Where <log_level> is one of the log levels listed above.

<code>LogLevel INFO</code>

=== LoginGraceTime===

Defines the time allowed for a user to successfully log in.

<code>LoginGraceTime 2m</code>

===MaxAuthTries===

Limits the number of authentication attempts allowed per connection.

<code>MaxAuthTries 6</code>

=== MaxSessions===

Specifies the maximum number of simultaneous sessions allowed per network connection.<br>

<code>MaxSessions 10</code>

=== AllowUsers, DenyUsers, AllowGroups, DenyGroups===

These options control which users and groups are allowed or denied access to the SSH server. They provide a way to manage access control based on usernames and group membership.

* '''AllowUsers''': Specifies a list of users allowed to access the SSH server. Other users will be denied access.
<code>AllowUsers user1 user2 user3</code><br>

* '''DenyUsers''': Specifies a list of users denied access to the SSH server. Other users will be allowed access.
<code>DenyUsers user4 user5</code>

* '''AllowGroups''': Specifies a list of groups whose members are allowed to access the SSH server. Users not belonging to these groups will be denied access.
<code>AllowGroups group1 group2</code>

* '''DenyGroups''': Specifies a list of groups whose members are denied access to the SSH server. Users not belonging to these groups will be allowed access.
<code>DenyGroups group3 group4</code>

Note that the order in which these options are applied is '''DenyUsers''', '''AllowUsers''', '''DenyGroups''', and finally '''AllowGroups'''.

===Banner===

The Banner option allows you to display a message or warning to users before they log in to the SSH server. This is often used to display legal notices, security warnings, or other important information.

To enable the banner, set the Banner option to the path of a text file containing the message you want to display:

<code>Banner /etc/ssh/banner.txt</code>

Create the /etc/ssh/banner.txt file and add your desired message. The content of this file will be displayed to users before they log in.

==Advanced sshd_config Options==
=== PermitTunnel===
The PermitTunnel option enables or disables the use of SSH tunneling. Tunnels can be used to forward ports or create VPN-like connections between the client and the server.
* There are four possible values for this option:

: '''"yes"''': Allows all types of tunnels.<br>
: '''"point-to-point"''': Allows only point-to-point (Layer 3) tunnels.<br>
: '''"ethernet"''': Allows only Ethernet (Layer 2) tunnels.<br>
: '''"no"''': Disables tunneling (default).<br>

To enable tunneling, set the PermitTunnel option in the sshd_config file:

<code>PermitTunnel yes</code>

Keep in mind that enabling tunnels may expose your server to additional security risks. Only enable this option if you understand the implications and have a specific use case that requires it.

=== ChrootDirectory===
The ChrootDirectory option allows you to restrict a user or a group to a specific directory (known as a chroot jail) when they log in via SSH. This can enhance security by isolating users and limiting their access to only the necessary parts of the filesystem.

To set up a chroot jail, follow these steps:

Create a directory that will serve as the chroot jail. For example, let's create a directory for user1:

<code>sudo mkdir /home/user1/chroot</code>

Change the ownership of the directory to the user and their primary group:

<code>sudo chown user1:user1 /home/user1/chroot</code>

In the sshd_config file, add a Match block at the end of the file to specify the ChrootDirectory for user1:
<pre>
Match User user1
ChrootDirectory /home/user1/chroot
</pre>

Restart the SSH server to apply the changes:

<code>sudo systemctl restart ssh</code>

Now, when user1 logs in via SSH, they will be restricted to the /home/user1/chroot directory and won't be able to access other parts of the filesystem.

Note that the chroot jail should be owned by root and not writable by the user. If you need to provide write access to specific directories, create subdirectories inside the chroot jail and set appropriate permissions for those. Also, some features like SFTP may require additional configuration within the chroot jail.

===ForceCommand===
The ForceCommand option allows you to specify a command that will be executed when a user logs in via SSH, regardless of the command requested by the user. This can be useful for limiting the actions a user can perform or for automatically running specific tasks upon login.

To use the ForceCommand option, follow these steps:

In the sshd_config file, add a Match block at the end of the file to specify the ForceCommand for a specific user or group. For example, to force user1 to execute the command /usr/bin/my-command upon login:

<pre>
Match User user1
ForceCommand /usr/bin/my-command
</pre>

Restart the SSH server to apply the changes:

<code>sudo systemctl restart ssh</code>

Now, when user1 logs in via SSH, the /usr/bin/my-command will be executed automatically, and they will not be able to run any other command.

Keep in mind that using ForceCommand may limit the user's ability to interact with the server or transfer files via SFTP. Make sure to test and verify the functionality for your specific use case.

=== Match Blocks===

Match blocks in the sshd_config file allow you to apply specific configuration options based on certain criteria, such as the user, group, address, or host. This enables you to create custom rules and settings for different users, groups, or connections.

Match block syntax:

<pre>
Match criteria
Option value
</pre>

Here are some examples of Match blocks and their usage:

Apply settings only for a specific user:
<pre>
Match User user1
PasswordAuthentication no
AllowTcpForwarding yes
</pre>

This configuration disables password authentication and enables TCP forwarding only for user1.

Apply settings for multiple users:
<pre>
Match User user1,user2
ChrootDirectory /home/%u/chroot
</pre>

This configuration sets the chroot directory for both user1 and user2.

Apply settings for a specific group:
<pre>
Match Group group1
PasswordAuthentication yes
</pre>

This configuration enables password authentication only for members of group1.

Apply settings based on the client's IP address:
<pre>
Match Address 192.168.1.0/24
PasswordAuthentication no
</pre>

This configuration disables password authentication for clients connecting from the 192.168.1.0/24 subnet.

Combine multiple criteria:
<pre>
Match User user1 Address 192.168.1.0/24
PasswordAuthentication yes
</pre>
This configuration enables password authentication only for user1 when they connect from the 192.168.1.0/24 subnet.

Remember to restart the SSH server after making changes to the sshd_config file:

<code>sudo systemctl restart ssh</code>

Match blocks offer flexibility in customizing your SSH server's configuration based on various criteria. Use them wisely to enhance security and optimize your server's settings.

==Best Practices and Tips '''sshd_config'''==
When configuring your '''sshd_config''' file, it's essential to follow best practices to ensure the security and stability of your SSH server. Here are some recommendations and tips:

:* Keep the server up-to-date: Always update your SSH server software and the underlying operating system to ensure you have the latest security patches and features.

:* Use strong authentication: Enable key-based authentication (PubkeyAuthentication) and consider disabling password authentication (PasswordAuthentication) to reduce the risk of brute-force attacks.

:* Limit root access: Set "PermitRootLogin" to "no" or "without-password" to prevent direct root login or require key-based authentication for root.

:* Use non-standard ports: Change the default SSH port (22) to a non-standard port to reduce the exposure to automated scans and attacks. Keep in mind this is security through obscurity and should be combined with other security measures.

'''Restrict user access''': Use "AllowUsers," "DenyUsers," "AllowGroups," and "DenyGroups" options to control which users and groups can access the SSH server.

'''Monitor logs''': Regularly check your SSH server logs for any suspicious activity or failed login attempts. Adjust the "LogLevel" setting in sshd_config as needed.
* Default Log Path Ubuntu 22.04: '''/var/log/auth.log'''

'''Use chroot jails''': Isolate users by creating chroot jails using the "ChrootDirectory" option, especially when providing SFTP access or when users don't require full access to the server.

'''Configure connection settings''': Set appropriate values for "LoginGraceTime" and "MaxAuthTries" to limit the time allowed for successful login and the number of authentication attempts per connection.

'''Use a strong firewall''': Configure your server's firewall to only allow SSH connections from trusted IP addresses or networks.

'''Regularly review and audit''': Periodically review your sshd_config settings and make adjustments as necessary. Keep up-to-date with SSH security best practices and recommendations.

By following these best practices and tips, you can enhance the security and performance of your SSH server, protecting it from unauthorized access and potential attacks.

===Troubleshooting sshd_config Issues===

When encountering problems with your SSH server configuration, it's important to know how to diagnose and resolve issues. Here are some common problems and troubleshooting steps:

Check syntax and configuration errors: If the SSH server is not starting or not functioning as expected, check the sshd_config file for any syntax or configuration errors. Use the following command to test the configuration file for errors:

<code>sudo sshd -t</code>

If there are any issues, the command will provide error messages with information on what needs to be fixed.

Review log files: Inspect the SSH server log files for any error messages or relevant information. The location of the log files may vary depending on your system, but common locations are /var/log/auth.log or /var/log/secure. Tail the log file while attempting to connect to get real-time information:

<code>sudo tail -f /var/log/auth.log</code>

Restart the SSH server

Check firewall settings: Ensure that the server's firewall is allowing SSH connections on the correct port. If you changed the default SSH port, update your firewall rules accordingly.

Verify user permissions: If a specific user is unable to connect, check the user's permissions, home directory, and the settings in the sshd_config file, such as "AllowUsers," "DenyUsers," "AllowGroups," or "DenyGroups."

SSH server from a client, use the verbose mode to get more detailed information about the connection process. This can help identify any issues with authentication or configuration. Run the following command to enable verbose mode:

<code>ssh -v user@example.com</code>

Replace "user@example.com" with the appropriate username and server address. You can increase the verbosity level by adding more "v" characters (e.g., -vv or -vvv) if needed.

Check file permissions: Ensure that the file permissions for the user's home directory, the .ssh directory, and the authorized_keys file are set correctly. The user's home directory should not be writable by other users, the .ssh directory should have permissions set to 700 (drwx------), and the authorized_keys file should have permissions set to 600 (-rw-------).

Test network connectivity: If you're unable to connect to the SSH server, verify that you can reach the server on the network. Use tools like ping, traceroute, or telnet to check the connection to the server and the specific SSH port.

By following these troubleshooting steps, you should be able to diagnose and resolve most issues related to the sshd_config file and the SSH server configuration. Remember to carefully review the settings in your sshd_config file and consult the server logs for additional information when encountering problems.

====After making changes, restart the SSH server:====
<code>sudo systemctl restart ssh</code><br>

== Running commands on a remote server==

Once you've connected to a remote server using SSH, you can execute commands on the remote machine just as you would on your local system. However, you can also run commands on a remote server without establishing an interactive SSH session.

This can be useful for automation, scripting, or quick tasks. Here's how to do it:

Use the SSH command: To run a command on a remote server without entering an interactive session, use the following syntax:

<code>ssh username@hostname_or_IP -p port 'command'</code>

Replace username with your username on the remote server, hostname_or_IP with the server's hostname or IP address, port with the SSH port number (if different from the default 22), and command with the command you want to execute.

For example, to list the contents of the remote server's home directory, you can use:

<code>ssh john@example.com -p 22 'ls -la'</code>

===Handling multiple commands===
If you need to execute multiple commands, you can chain them together using a '''semicolon''' or '''&&'''.

The semicolon allows you to run multiple commands sequentially, while the && operator runs the next command only if the previous command was successful.

For example, to update the package list and then upgrade the packages on a remote Ubuntu server:

<code>ssh john@example.com -p 2222 'sudo apt-get update; sudo apt-get upgrade -y'</code>

* Command output:
The output of the command will be displayed in your local terminal, just as if you were running the command on your local machine. Using key-based authentication

==Transferring files with SCP==

The Secure Copy Protocol (SCP) is a useful tool for transferring files between your local machine and a remote server using SSH. SCP ensures that the data is encrypted during transit, providing a secure and efficient way to transfer files.

===Install an SCP client===

Most Unix-based systems, including Linux and macOS, have an SCP client pre-installed. For Windows, you can use the built-in SCP client included with the OpenSSH package (available in Windows 10 and later) or a third-party client like WinSCP.

===Transfer a file from your local machine to a remote server===

To copy a file from your local machine to a remote server, use the following command:
* Note the use of the upper case '''-P''' for ports with '''scp'''
<code>scp -P port local_file_path username@hostname_or_IP:remote_file_path</code>

Replace port with the SSH port number (if different from the default 22), local_file_path with the path to the file on your local machine, username with your username on the remote server, hostname_or_IP with the server's hostname or IP address, and remote_file_path with the desired location on the remote server.

For example:

<code>scp -P 22 /home/john/documents/report.pdf john@example.com:/home/john/reports/</code>

This command will copy the "report.pdf" file from the local machine to the "reports" directory on the remote server.

===Transfer a file from a remote server to your local machine===
To copy a file from a remote server to your local machine, use the following command:

<code>scp -P port username@hostname_or_IP:remote_file_path local_file_path</code>

Replace port with the SSH port number (if different from the default 22), username with your username on the remote server, hostname_or_IP with the server's hostname or IP address, remote_file_path with the path to the file on the remote server, and local_file_path with the desired location on your local machine.

For example:

<code>scp -P 2222 john@example.com:/home/john/reports/report.pdf /home/john/documents/</code>
: Or
<code>scp john@example.com:/home/john/reports/report.pdf /home/john/documents/</code>-

This command will copy the "report.pdf" file from the remote server's "reports" directory to the "documents" directory on your local machine.

===Transferring directories===

To transfer an entire directory, use the '''-r''' flag:

<code>scp -r -P port local_directory_path username@hostname_or_IP:remote_directory_path</code>

Or, to copy a directory from the remote server to your local machine:

<code>scp -r -P port username@hostname_or_IP:remote_directory_path local_directory_path</code>

Using SCP is a convenient and secure way to transfer files between your local machine and a remote server. It leverages the security of the SSH protocol to ensure that your data remains encrypted during transit.

===Transferring from Remote Computer to Remote Computer===

Copy the file '''stuff.txt''' from remote host '''12.34.56.67''' to host '''11.22.33.44'''

<code>scp name@12.34.56.67:/home/user/Documents/stuff.txt name@11.22.33.44:/home/user/Documents/</code>

With the '''-3''' flag copies between two remote hosts "12.34.56.67" and "11.22.33.44" are transferred through the local host running the command.

<code>scp -3 name@12.34.56.67:/home/user/Documents/stuff.txt \ name@11.22.33.44:/home/user/Documents/ </code>

===Transferring multiple files===

Send files foo.txt and bar.txt to remote.

<code>scp foo.txt bar.txt user@12.34.56.78:~/Documents/</code>

Copy multiple files from remote "Documents" directory to local "Documents" directory.

<code>scp user@11.22.33.44:/home/user/Documents/\{todo_list.txt,links.txt,stuff.txt\} /home/$USER/Documents/</code>

Copy multiple files from the remote to local current directory.

<code>scp name@12.34.56.78:~/\{README.md,.bashrc\} . </code>

== Transferring files with SFTP==
The SSH File Transfer Protocol (SFTP) is another method for transferring files securely between your local machine and a remote server. Unlike SCP, SFTP provides an interactive interface that allows you to navigate, upload, and download files more easily.

Install an SFTP client: Most Unix-based systems, including Linux and macOS, have an SFTP client pre-installed. For Windows, you can use the built-in SFTP client included with the OpenSSH package (available in Windows 10 and later) or a third-party client like WinSCP or FileZilla.

Connect to a remote server: To start an SFTP session with a remote server, open a terminal or command prompt on your local machine and use the following command:

<code>sftp -P port username@hostname_or_IP</code>

Replace port with the SSH port number (if different from the default 22), username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

For example:

<code>sftp -P 22 john@example.com</code>

Navigate the remote filesystem: Once connected, you can use commands similar to those available in a Unix shell to navigate the remote server's filesystem. Some common SFTP commands include:

: '''ls''': List files and directories<br>
: '''cd''': Change the current directory<br>
: '''mkdir''': Create a new directory<br>
: '''rmdir''': Remove an empty directory<br>
: '''get''': Download a file from the remote server<br>
: '''put''': Upload a file to the remote server<br>
<br>
: '''rm''': Remove a file<br>
: '''rename''': Rename a file or directory<br>
: '''exit''': Exit the SFTP session<br>

Transfer files: To transfer files, use the put command to upload a file from your local machine to the remote server, and the get command to download a file from the remote server to your local machine. For example:

Upload a file:

<code>put local_file_path remote_file_path</code>

Download a file:

<code>get remote_file_path local_file_path</code>

Replace local_file_path and remote_file_path with the appropriate paths for the files you want to transfer.

Transferring directories: To transfer entire directories, use the -r flag with the put and get commands:

Upload a directory:

<code>put -r local_directory_path remote_directory_path</code>

Download a directory:

<code>get -r remote_directory_path local_directory_path</code>

Disconnect from the remote server: When you've finished transferring files, type exit to close the SFTP session.

SFTP offers a more user-friendly, interactive experience for transferring files compared to SCP. By utilizing the secure and encrypted SSH protocol, SFTP ensures that your data remains safe during transfer.

==Advanced SSH Techniques==
=== Port forwarding and tunneling===

SSH port forwarding and tunneling allow you to securely forward network traffic between your local machine and a remote server. This can be useful for accessing remote services, bypassing firewalls, or securely transmitting sensitive data.

Local Port Forwarding: Local port forwarding creates a secure tunnel between your local machine and a remote server, allowing you to access remote services as if they were running on your local machine. To set up local port forwarding, use the -L flag with the SSH command:

<code>ssh -L local_port:remote_host:remote_port username@hostname_or_IP</code>

Replace local_port with an available port on your local machine, remote_host with the hostname or IP address of the remote server hosting the service, remote_port with the port number of the remote service, username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

Remote Port Forwarding: Remote port forwarding enables you to expose a local service running on your machine to a remote network. To set up remote port forwarding, use the -R flag with the SSH command:

<code>ssh -R remote_port:local_host:local_port username@hostname_or_IP</code>

Replace remote_port with an available port on the remote server, local_host with the hostname or IP address of the local machine hosting the service, local_port with the port number of the local service, username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

:**Forwarding X, Sound, and Video on Ubuntu 22.04 with Ubuntu 22.04 LXC**: To forward X, sound, and video from a remote Ubuntu 22.04 server to your local Ubuntu 22.04 machine, you'll need to enable X11 forwarding and install the necessary packages.

:* Install required packages: On both your local machine and the remote server, install the x11-apps and pulseaudio packages:

<code>sudo apt update</code><br>
<code>sudo apt install x11-apps pulseaudio</code>

:* Enable X11 forwarding: To enable X11 forwarding, you'll need to edit the SSH server configuration file (/etc/ssh/sshd_config) on the remote server:

<code>sudo nano /etc/ssh/sshd_config</code>

Find the line containing "X11Forwarding" and set its value to "yes":

<code>X11Forwarding yes</code>

If the line is commented out (i.e., it starts with a '#'), remove the '#' symbol. Save your changes and exit the text editor.

:* Restart the SSH server: Apply the changes by restarting the SSH server:

<code>sudo systemctl restart ssh</code>

:* Connect with X11 forwarding: From your local machine, use the -X flag to enable X11 forwarding when connecting to the remote server:

<code>ssh -X username@hostname_or_IP</code>

:* Export PULSE_SERVER environment variable: On the remote server, export the PULSE_SERVER environment variable to forward sound:

<code>export PULSE_SERVER=tcp:localhost</code>

You can add this line to the remote user's ~/.bashrc or ~/.profile file to make the change permanent.

:* Run applications: Now, you can run graphical applications on the remote server, and they will be displayed on your local machine with sound and video forwarded.

Please note that forwarding X, sound, and video might cause increased latency and reduced performance compared to running the applications locally.

=== SSH agent forwarding===
SSH agent forwarding is a powerful feature that allows you to use your local SSH keys to authenticate with remote servers without having to copy your private keys to those servers. This is particularly useful when you need to access one remote server (Server B) through another remote server (Server A).

==== Start the SSH agent on your local machine ====

Before you enable SSH agent forwarding, you need to start the SSH agent on your local machine. Open a terminal and run the following command:

:* For Linux and macOS:

<code>eval "$(ssh-agent -s)"</code>

For Windows (Git Bash or Cygwin):

<code>eval $(ssh-agent)</code>

This command starts the SSH agent and sets the required environment variables.

====Add your SSH key to the agent====

Next, add your private key to the SSH agent with the following command:

<code>ssh-add ~/.ssh/your_private_key</code>

Replace '''your_private_key''' with the filename of your private key. This might be '''id_rsa''', '''id_ed25519''', or another key file depending on your setup.

====Configure SSH agent forwarding on your local machine====

Edit your SSH config file to enable agent forwarding. The config file is usually located at '''~/.ssh/config'''. If the file doesn't exist, create it.

Add the following lines to the config file:

<pre>
Host server_a_alias
HostName server_a_ip_or_hostname
User your_username_on_server_a
ForwardAgent yes

Host server_b_alias
HostName server_b_ip_or_hostname
User your_username_on_server_b
ForwardAgent yes
</pre>

Replace
:* '''server_a_alias'''
:* ''' server_a_ip_or_hostname'''
:* '''your_username_on_server_a'''
:* '''server_b_alias'''
:* '''server_b_ip_or_hostname'''
:* '''your_username_on_server_b'''
with the appropriate values.

====Make sure your public key is added to the remote servers====

Before you can use SSH agent forwarding, you need to add your public key to the '''~/.ssh/authorized_keys''' file on both Server A and Server B. If you haven't done this already, you can use the following command:

<code>ssh-copy-id -i ~/.ssh/your_public_key user@server_ip_or_hostname</code>

Replace '''your_public_key''', '''user''', and '''server_ip_or_hostname''' with the appropriate values.

====Test SSH agent forwarding====

First, SSH into Server A:

<code>ssh server_a_alias</code>

Then, from Server A, SSH into Server B:

<code>ssh server_b_alias</code>

If everything is set up correctly, you should be able to access Server B without being prompted for a password.

====Verify SSH agent forwarding====

To make sure that SSH agent forwarding is working, you can check the value of the '''SSH_AUTH_SOCK''' environment variable on Server B.

From Server B, run the following command:

<code>echo $SSH_AUTH_SOCK</code>

If SSH agent forwarding is working, this command should return a non-empty value.

That's it! You've successfully set up and tested SSH agent forwarding. Now you can use your local SSH keys to authenticate with remote servers without having to copy your private keys to those servers.

===Command Restriction===

The '''authorized_keys''' file can be used to restrict the commands that a specific SSH key can execute. This is especially useful for security purposes, to limit the potential damage that could be done if a key is compromised.

By including a '''command=''' directive in the '''authorized_keys''' file, you can specify the exact command that will be run when a client connects using the associated key. Any command provided by the client will be ignored, and the command specified in the authorized_keys file will be used instead.

Example:

<code>command="/usr/bin/scp -t /home/rscp/media/" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...</code>

is set up to always execute the '''scp''' command (used for secure copy of files over SSH) to the specified directory, no matter what command was originally issued by the client. This is a good way to create a "write-only" drop box, for instance.

However, the keyholder could potentially still execute arbitrary commands by carefully crafting the file names they upload, so additional precautions should be taken, such as using command= along with other directives like '''no-port-forwarding''', '''no-X11-forwarding''', and '''no-pty''' to further limit what can be done with the key.

<code>command="/usr/bin/scp -t /home/rscp/media/",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...</code>

This entry does the following:

:* The '''command=''' directive runs the specified command when a client connects using this key. In this case, the command is scp, which securely copies files to the /home/rscp/media/ directory.
:* The '''no-port-forwarding''' directive prevents the client from using SSH's port forwarding features, which could potentially be used to create a secure tunnel for other network traffic.
:* The '''no-X11-forwarding''' directive prevents the client from forwarding X11 graphical sessions, which could be used to run graphical applications over the SSH connection.
:* The '''no-pty''' directive prevents the allocation of a pseudo-terminal, which means the client can't interact with a shell or run interactive commands.

The '''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...''' part is the public key of the client. Replace this with the actual key.

This configuration significantly limits the operations that can be performed with this key, providing an additional layer of security.

====SCP Only====

Use Case Example: Have a Server hosting XML Dumps, and want to automate sending a file or directory from Server1 to Server2 using a script and ssh-key so i don't need to enter password.

=====Create Account on Server=====
Create user account you are going to use:<br>
<code>adduser rscp</code>

Make sure user has a '''.ssh''' directory to send public key to:<br>
<code>mkdir /home/rscp/.ssh</code>

Make a Directory to transfer files to:<br>
<code>mkdir /home/rscp/media</code>

Note: If you see error <code>scp: /home/rscp/media/test.txt: Permission denied</code> If you created directory '''media''' when logged in as '''root''' then check directory permissions and if need [[Linux_Users_and_Groups#File_Ownership_and_Permissions|assign ownership to '''user''' account.]]<br>
Example:<code>chown rscp:rscp /home/rscp/media</code>

[[Ubuntu_22.04_SSH_Guide#Copying_public_keys_to_the_remote_server|Send your public key to server]]

After public_key/authorized_key is on server, edit authorized_keys and at the start before ssh-rsa <KEY>
<pre>
command="/usr/bin/scp -t /home/rscp/media/" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...
</pre>

If from remote server you are sending a Directory include the '''-r''' flag in command:<br>

After public_key/authorized_key is on server, edit authorized_keys and at the start before ssh-rsa <KEY>
<pre>
command="/usr/bin/scp -t -r /home/rscp/media/" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...
</pre>

This entry in the authorized_keys file uses the command option to restrict the SSH command that can be run with the associated SSH key. The command option specifies that the scp command should be used to transfer files to the '''/home/rscp/media/''' directory on the server.

Here's a breakdown of the entry:

:* '''command="/usr/bin/scp -t /home/rscp/"''': This specifies that the scp command should be used as the SSH command for this key, with the '''-t''' option to specify that the remote end is a file (in this case, a directory), and the destination directory on the server is /home/rscp/. This means that the user can only use the SSH key to transfer files to the /home/rscp/ directory on the server.

:* '''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...''': This is the public key associated with the private key that is used for authentication.

By using the command option in this way, you can restrict the actions that the user can perform with the SSH key, which can help to improve security. In this case, the user can only transfer files to the specified directory on the server using the scp command.

======Tip - transfer file to a path your USER does not have permissions for======

You can write a shell script to check the '''/home/rscp/media''' directory every minute using a while loop and the sleep command. If any files are found in the directory, the script can move them to the '''/var/www/media''' directory using the mv command. Here's an example script:

<syntaxhighlight lang="bash" line>
#!/bin/bash

while true
do
if [ "$(ls -A /home/rscp/media/)" ]; then
mv /home/rscp/media/* /var/www/media/
fi
sleep 60
done
</syntaxhighlight>

In this script, the while loop runs indefinitely ('''while true''') and sleeps for 60 seconds at the end of each iteration ('''sleep 60''').

The '''if''' statement checks if the '''/home/rscp/media''' directory is not empty ('''[ "$(ls -A /home/rscp/media/)" ]'''). If it is not empty, the '''mv''' command is used to move all files and directories from the '''/home/rscp/media/''' directory to the '''/var/www/media/''' directory.

Save this script to a file (e.g. '''move-files.sh''') and make it executable using the '''chmod +x move-files.sh''' command. You can then run the script using '''./move-files.sh &''' to start it in the background and allow it to run indefinitely. The & symbol is used to run the script in the background so that you can continue using the terminal.

Note that running this script indefinitely can consume system resources, so you may want to consider setting up a scheduled task (e.g. using '''[[Cron_ubuntu_22.04|cron]]''') to run the script at a specific interval instead of running it indefinitely.

==Tilde '''~''' the escape character==

The tilde (~) character has a special meaning in the context of SSH. When using SSH, you can use the tilde character followed by a control sequence to perform certain actions. These are called "tilde escape sequences" or "tilde commands." They are useful for managing your SSH connections.

Here's how to use tilde escape sequences when connected to a remote server via SSH:

:* Make sure you are at the beginning of a new line in your terminal. Press '''Enter''' if you are not.

:* Type the tilde (~) character, followed by the appropriate control sequence. Note that you should not press '''Enter''' after typing the tilde character, but rather type the control sequence directly after it.

Here are some common tilde escape sequences:

: '''~.''' : Close the SSH connection. This can be helpful if the connection is frozen or unresponsive.
: '''~^Z''' : Suspend the SSH connection and return to your local shell. You can later resume the connection using the fg command.
: '''~#''' : List all forwarded connections (both local and remote) that are active in the current SSH session.
: '''~&''' : Run the SSH session in the background. This is useful if you want to perform other tasks on your local machine without closing the SSH connection.
: '''~~''' : Send a literal tilde character to the remote system. This is useful if you need to type a tilde character in the remote system without triggering an escape sequence.

Remember that these escape sequences only work if they are entered at the beginning of a new line in your terminal. If you're typing them in the middle of a command or text, they won't be recognized as special control sequences.

==Troubleshooting and Best Practices==

In this section, we'll cover some common issues and best practices related to SSH connections, including managing a large number of SSH keys.

===Too many authentication attempts===

When connecting to an SSH server, you might encounter the "Too many authentication attempts" error. This is often caused by having too many private keys in your ~/.ssh directory. By default, SSH tries each key until it finds the correct one, but many servers limit the number of authentication attempts.

'''Solution''': To resolve this issue, you can create a separate directory for your keys and configure the SSH config file to use the appropriate key for each connection.

:* Create a new directory for your keys:

<code>mkdir ~/.ssh/keys</code>

:* Move your private key files to the new directory:

<code>mv ~/.ssh/id_rsa_* ~/.ssh/keys/</code>

Update your SSH config file to specify the correct key for each connection:
<pre>
Host server1
...
IdentityFile ~/.ssh/keys/id_rsa_server1

Host server2
...
IdentityFile ~/.ssh/keys/id_rsa_server2
</pre>

===Permission issues===

SSH is very strict about file and directory permissions. Ensure that your ~/.ssh directory and its contents have the correct permissions:

:* The ~/.ssh directory should have permissions set to 700:

<code>chmod 700 ~/.ssh</code>

Private key files should have permissions set to 600:

<code>chmod 600 ~/.ssh/id_rsa</code>

The ~/.ssh/config file should have permissions set to 600:

<code>chmod 600 ~/.ssh/config</code>

:* <b>Best practices</b>: Follow these best practices to maintain secure and efficient SSH connections:

:* Use SSH key pairs instead of passwords for authentication, as they provide better security.
:* Regularly update your SSH keys to maintain their security.
:* Use strong, unique passphrases to protect your private keys.
:* Disable password authentication and root login on your SSH server to reduce the risk of brute-force attacks.
:* Regularly update your SSH server software to ensure you're running the latest security patches.
:* Use non-standard port numbers for your SSH server to make it less likely to be targeted by automated attacks.
:* Implement multi-factor authentication (MFA) for your SSH connections, if possible.
:* Regularly review and remove any unnecessary authorized keys from the ~/.ssh/authorized_keys file on your servers.
:* Use the Match directive in the sshd_config file to apply custom rules and settings for different users, groups, or connections.

Ubuntu 22.04 SSH Guide

2023-05-16T12:05:39Z

Noob: /* Key-based Authentication */

==Understanding SSH==

'''SSH''' is a protocol that uses encryption to secure data transmitted between a client and a server. <br>
It enables users to execute commands, transfer files, and manage remote systems through an encrypted channel. <br>
SSH is widely used by system administrators for managing servers, network devices, and other remote systems.

==Installing SSH==

To start using SSH, you'll need to install and configure both the server and client components.

* OpenSSH-Server
** Is required to allow '''ssh''' connections
* OpenSSH-Client
** Is used to login/connect to OpenSSH-Server

If you are using Ubuntu Desktop, the '''openssh client''' will be preinstalled, allowing you to connect to a server which is running '''openssh-server'''

If you are using Ubuntu Server, both the '''ssh client''' and '''openssh server''' are preinstalled by default.

=== Installing OpenSSH Server===
On Ubuntu distributions, you can install the OpenSSH server by running:

<code>sudo apt install openssh-server</code><br>

Check the SSH server status with:

<code>systemctl status ssh</code>

===Installing OpenSSH Client===

The OpenSSH client is usually pre-installed on most Linux and macOS systems. <br>For Windows, you can install the OpenSSH client by following the instructions on the official website:<br> https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse

==Basic SSH Commands and Usage==
=== Connecting to a remote server===
Connecting to a remote server using SSH is a fundamental task when managing remote systems. Here's how to connect to a remote server using the command-line interface.

Install an SSH client: Ensure you have an SSH client installed on your local machine. Most Unix-based systems, including Linux and macOS, have an SSH client pre-installed. For Windows, you can use the built-in OpenSSH client (available in Windows 10 and later) or a third-party client like PuTTY.

====Gather connection information====
To connect to a remote server, you'll need the following information:
* The remote server's IP address or hostname
* The SSH port number (default is 22)
* Your username on the remote server
* The password for the user on remote server.

====Connect using SSH====
Open a terminal or command prompt on your local machine and use the following command to connect to the remote server:

<code>ssh username@hostname_or_IP</code>

Replace '''username''' with your username on the remote server, '''hostname_or_IP''' with the server's hostname or IP address.

If OpenSSH-Server is running/listening on a port other than the default port '''22''' include the port with the '''-p''' flag.

For example (If port 2222):

: <code>ssh john@example.com -p 2222</code>
Or
: <code>ssh -p 2222 john@example.com</code>

=====Connecting to a Remote Server =====

In this example, we connect to a remote Ubuntu VPS with the following credentials:
<pre>
Username: root
IP address: 12.34.56.78
Password: password2simple
</pre>
Use the following command to connect to the remote server:

<code>ssh root@12.34.56.78</code>

You will be prompted to enter the password. Type password2simple and press Enter. This demonstrates how simple it can be to log into a remote computer with root access.

* If your Server is hosting SSHD on a port other than default 'port 22' include port number with the '''-p''' flag
Example with port 2222:<br>
<code>ssh -p 2222 root@12.34.56.78</code>

====Authenticate====
When connecting for the first time, you'll see a prompt asking you to confirm the remote server's fingerprint. Verify the fingerprint and type "yes" to proceed. Next, you'll be prompted for your password. Enter your password to complete the authentication process.

Once authenticated, you'll have access to the remote server's command line. You can now execute commands and manage the remote server as if you were working on it directly.

Remember that you can use key-based authentication (with a private-public key pair) instead of a password for a more secure and convenient connection method.
== Using SSH config file==

An SSH config file allows you to define and manage multiple SSH connections, simplifying the process of connecting to remote servers. By creating an SSH config file, you can define custom options, such as port numbers, usernames, and key files, for each connection. The SSH config file is typically located in the '''~/.ssh''' directory and named config.

Here's how to create and use an SSH config file:

:* Create the SSH config file: If it doesn't exist, create the config file in the '''~/.ssh''' directory using a text editor:

<code>$EDITOR ~/.ssh/config</code>

:* Define a connection: To define a connection, you'll need to specify a Host entry followed by any options you want to apply to that connection. Here's an example:

<pre>
Host server1
HostName example.com
User your_username
Port 2222
IdentityFile ~/.ssh/id_rsa_server1
</pre>
In this example, we've defined a connection called server1 with the following options:

:* HostName: The hostname or IP address of the remote server (example.com in this case).
:* User: The username to use when connecting to the remote server (replace your_username with your actual username).
:* Port: The port number to use for the SSH connection (2222 in this example).
:* IdentityFile: The path to the private key file to use for authentication (replace ~/.ssh/id_rsa_server1 with the path to your private key file).

You can define multiple connections in the same config file by creating separate Host entries:

<pre>
Host server2
HostName 192.168.1.100
User another_username
Port 22
IdentityFile ~/.ssh/id_rsa_server2
</pre>
:* Save and exit the file: Save your changes and exit the text editor.

:* Connect using the SSH config file: To connect to a remote server using the defined connection, simply use the ssh command followed by the Host entry:

<code>ssh server1</code>

In this example, SSH will automatically use the options defined in the config file for server1, such as the hostname, username, port number, and identity file.

By using an SSH config file, you can simplify the process of managing multiple SSH connections and customize the options for each connection.

==Key-based Authentication==

Why use key-based authentication?
* Server1: 12.34.56.78
* Server2: 12.34.56.87

You are trying to login to Server1, but by mistake you enter your '''user''' and '''password''' to Server2, Can Server2 record the '''user''' and '''password''' you used?
[[placeholder|YES, Yes it can]]

=== Generating SSH key pairs===

SSH key pairs consist of a private key and a public key. They provide a secure, passwordless authentication method for connecting to remote servers. The private key remains on your local machine, while the public key is added to the remote server's authorized keys. Here's how to generate an SSH key pair:

Open a terminal: On Unix-based systems (Linux and macOS), open a terminal. On Windows, open PowerShell or the Command Prompt.

Generate the key pair: Use the ssh-keygen command to create a new SSH key pair. The following command generates a 4096-bit RSA key pair:

<code>ssh-keygen -t rsa -b 4096</code>

You can also generate other types of keys, such as Ed25519, by changing the -t option:

<code>ssh-keygen -t ed25519</code>

Specify the key's location: When prompted, you can either accept the default location (~/.ssh/id_rsa for RSA keys, ~/.ssh/id_ed25519 for Ed25519 keys) or enter a custom path. It is recommended to use the default location unless you have a specific reason to change it.

Set a passphrase (optional): You can choose to protect your private key with a passphrase. If you do, you'll need to enter the passphrase every time you use the key. This adds an extra layer of security, but can be less convenient for automation or scripting. To set a passphrase, enter it when prompted; otherwise, leave the field blank

====Selecting file name and path for keys====

<code>ssh-keygen -t rsa -b 4096 -f .ssh/nuc</code>

The '''-f''' option in the '''ssh-keygen''' command is used to specify the output file for the generated key pair. In your example, '''ssh-keygen -t rsa -b 4096 -f .ssh/nuc''', the command is generating an RSA key pair with a key length of 4096 bits, and the output files will be saved in the '''.ssh''' directory with the base name '''nuc'''.

Here's a breakdown of the options used in this command:

:* '''-t rsa''': Specifies the key type, in this case, RSA.
:* '''-b 4096''': Specifies the key length, which is 4096 bits in this case. This length offers good security and is generally recommended.
:* '''-f .ssh/nuc''': Specifies the file where the key pair will be saved. The private key will be saved as '''.ssh/nuc''', and the public key will be saved as '''.ssh/nuc.pub'''.

After running this command, you'll have a new key pair with the private key in '''.ssh/nuc''' and the public key in '''.ssh/nuc.pub'''

====Create keys with no passphase====

<code>ssh-keygen -t rsa -b 4096 -N "" -C "MYSERVER" -f ~/.ssh/serverkey</code>

:* '''-t rsa''': Specifies the key type, in this case, RSA.
:* '''-b 4096''': Specifies the key length, which is 4096 bits in this case. This length offers good security and is generally recommended.
:* '''-N ""''': Specifies an empty passphrase for the key pair. This means that the private key will not be encrypted, and no passphrase will be required when using it. This can be less secure, but more convenient for automated processes.
:* '''-C "MYSERVER"''': Adds a comment to the generated key pair. In this case, the comment is "MYSERVER". Comments are useful for identifying keys when you have multiple keys in your ~/.ssh directory or on a remote server.
:* '''-f ~/.ssh/serverkey''': Specifies the file where the key pair will be saved. The private key will be saved as '''~/.ssh/serverkey''', and the public key will be saved as '''~/.ssh/serverkey.pub'''.

After running this command, you'll have a new key pair with the private key in '''~/.ssh/serverkey''' and the public key in '''~/.ssh/serverkey.pub'''. The private key will have an empty passphrase and a comment "MYSERVER" for easier identification.

====Remove the passphrase from an existing SSH private key====

To remove the passphrase from an existing SSH private key, you can use the '''ssh-keygen''' command with the '''-p''' option, which is used for changing the passphrase. Follow these steps:

:* Make a backup of your private key file, just in case something goes wrong during the process. You can do this by running the following command, replacing '''<your_private_key>''' with the filename of your private key:

<code>cp <your_private_key> <your_private_key>.backup</code>

:* Run the '''ssh-keygen''' command with the '''-p''' option, specifying the private key file using the '''-f''' option:
::** '''-p''': Indicates that you want to change the passphrase of an existing private key.
::** '''-f <your_private_key>''': Specifies the private key file whose passphrase you want to change.

<code>ssh-keygen -p -f <your_private_key></code>

:* You will be prompted to enter the old passphrase for the private key. Type it in and press Enter.

:* Next, you'll be prompted to enter a new passphrase. Since you want to remove the passphrase, leave this field empty and press Enter.

:* You'll be asked to confirm the empty passphrase. Press Enter again to confirm.

Your private key now has its passphrase removed. Keep in mind that this makes the private key less secure, as anyone with access to the file can use it without needing to know the passphrase.

====Add/Change a passphrase to an existing SSH Key====

To add a passphrase to an existing SSH private key that doesn't have one, you can use the '''ssh-keygen''' command with the '''-p''' option, just like when you change or remove a passphrase. Here are the steps:

:* '''Make a backup of your private key file''', just in case something goes wrong during the process. You can do this by running the following command, replacing <your_private_key> with the filename of your private key:

<code>cp <your_private_key> <your_private_key>.backup</code>

:* Run the '''ssh-keygen''' command with the -p option, specifying the private key file using the '''-f''' option:

<code>ssh-keygen -p -f <your_private_key></code>

:* You will be prompted to enter the old passphrase for the private key. Since your private key doesn't currently have a passphrase, just press Enter to proceed.

:* Next, you'll be prompted to enter a new passphrase. Type in the passphrase you want to set for the private key and press Enter.

:* You'll be asked to confirm the new passphrase. Type it again and press Enter to confirm.

Your private key now has a passphrase added to it. This provides an extra layer of security, as anyone using the key will need to know the passphrase to access it. Keep in mind that you should use a strong passphrase to ensure better security.

=== Copying public keys to the remote server===
After generating an SSH key pair, you'll need to copy the public key to the remote server to enable key-based authentication. Here's how to do it:

====Using ssh-copy-id====

Use the '''ssh-copy-id''' command (Linux and macOS): On Unix-based systems, you can use the ssh-copy-id command to copy your public key to the remote server:

<code>ssh-copy-id -i ~/.ssh/id_rsa.pub username@hostname_or_IP</code>

Replace ~/.ssh/id_rsa.pub with the path to your public key file (e.g., ~/.ssh/id_ed25519.pub for Ed25519 keys), username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

====Manually copy the public key====

Manually copy the public key (Windows and alternative method): If you don't have access to the ssh-copy-id command or prefer to do it manually, you can:

:* Open your public key file (e.g., id_rsa.pub or id_ed25519.pub) with a text editor and copy its content.>
:* Log in to the remote server via SSH.<br>
:* Create the ~/.ssh directory if it doesn't exist:

<code>mkdir -p ~/.ssh</code>

Edit or create the ~/.ssh/authorized_keys file using a text editor (e.g., nano, vim, or emacs), and paste the content of your public key at the end of the file. Save and close the file.

Set the correct file permissions: To ensure the security of your SSH setup, it's essential to set the proper file permissions on your local machine and the remote server:

:* On your local machine:
:** Private key (id_rsa or id_ed25519): -rw------- (600)
:** Public key (id_rsa.pub or id_ed25519.pub): -rw-r--r-- (644)

:* On the remote server:
:** ~/.ssh directory: drwx------ (700)
:** ~/.ssh/authorized_keys file: -rw------- (600)

To set the permissions on your local machine, use the chmod command:

<pre>
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
</pre>
On the remote server, use the following commands:

<pre>
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
</pre>
Once you've copied your public key to the remote server and set the correct file permissions, you should be able to connect using key-based authentication without the need for a password.

=== Disabling password authentication (optional)===
Disabling password authentication enhances the security of your SSH server by requiring key-based authentication for all connections. You can disable password authentication for specific users or for all users. To do so, follow these steps:

:* Connect to the remote server: Log in to the remote server via SSH using your username and the server's hostname or IP address.

:* Edit the SSH configuration file: Open the SSH server configuration file (usually located at /etc/ssh/sshd_config) with a text editor such as nano, vim, or emacs:

<code>sudo nano /etc/ssh/sshd_config</code>

:* Disabling password authentication for all users: Find the line containing "PasswordAuthentication" and set its value to "no":

<code>PasswordAuthentication no</code>

If the line is commented out (i.e., it starts with a '#'), remove the '#' symbol.

:* Disabling password authentication for a specific user: To disable password authentication only for a particular user, you can use a "Match User" block at the end of the sshd_config file:
<pre>
Match User username
PasswordAuthentication no
</pre>
Replace username with the actual username for which you want to disable password authentication.

:* Save and exit the file: Save your changes and exit the text editor.

:* Restart the SSH server: Apply the changes by restarting the SSH server:

<code>sudo systemctl restart ssh</code>

Now, password authentication will be disabled for the specified user(s), and only key-based authentication will be allowed. Remember that if you disable password authentication, you must have a working SSH key pair set up to access the server, or you may be locked out.

== Configuring the SSH server==

Edit the SSH server configuration file located at <b>/etc/ssh/sshd_config</b> to set your desired settings. You can modify options like the listening port, allowing root login, and more.

===Common sshd_config Options===

The '''sshd_config''' file is located at '''/etc/ssh/sshd_config''' on most Linux systems. This file contains various options and settings that determine the behavior of the OpenSSH server. Each option is followed by its value, and lines starting with a <b>#</b> are considered comments.

Here's an overview of some common options in the sshd_config file:

===Port===

Specifies the port number that the SSH server listens on.<br>

<code>Port 22</code><br>

=== AddressFamily===

Determines the IP address family (IPv4, IPv6, or both) used by the SSH server.

* To specify that the SSH server should only listen for incoming IPv4 connections:
<code>AddressFamily inet</code>

* Or, if you want the SSH server to only listen for incoming IPv6 connections, set the 'AddressFamily' directive to 'inet6':
<code>AddressFamily inet6</code>

* If you want to allow both IPv4 and IPv6 connections, set the 'AddressFamily' directive to 'any':
<code>AddressFamily any</code>

=== ListenAddress===
Specifies the IP address(es) the SSH server listens on. By default, it listens on all available addresses.

<code>ListenAddress 192.168.1.10</code>

=== Protocol===
Defines the SSH protocol version. It's recommended to use only protocol 2.

<code>Protocol 2</code>

=== PermitRootLogin===
Controls whether root login is allowed. It's generally advised to disable root login or set it to "without-password" to allow only key-based authentication for root.

<code>PermitRootLogin no</code>

===PasswordAuthentication===

Enables or disables password-based authentication.

<code>PasswordAuthentication yes</code>

=== PubkeyAuthentication===

Enables or disables public key authentication.

<code>PubkeyAuthentication yes</code>

=== AuthorizedKeysFile===
Specifies the location of the authorized keys file for public key authentication.

<code>AuthorizedKeysFile .ssh/authorized_keys</code>

=== LogLevel===
Sets the logging level for the SSH server.

The LogLevel option in '''sshd_config''' controls the amount of information that SSH daemon (sshd) logs.

There are different log levels that can be set with this option, each providing a different level of detail:

* '''QUIET''': Disables all logging.

* '''FATAL''': Only logs fatal errors.

* '''ERROR''': Logs error messages.

* '''INFO''': Logs informational messages such as login attempts.

* '''VERBOSE''': Logs more detailed information than INFO, including shell commands executed.

* '''DEBUG''': Logs detailed debugging information, including raw protocol details.

The default log level is '''INFO''', which is usually sufficient for most purposes. However, if you need to troubleshoot SSH connections or monitor user activity, setting a higher log level may be helpful.

To change the '''LogLevel''' in '''sshd_config''', you can edit the file '''/etc/ssh/sshd_config''' (or the appropriate configuration file for your system), and add or modify the line:

<code>LogLevel <log_level></code>

Where <log_level> is one of the log levels listed above.

<code>LogLevel INFO</code>

=== LoginGraceTime===

Defines the time allowed for a user to successfully log in.

<code>LoginGraceTime 2m</code>

===MaxAuthTries===

Limits the number of authentication attempts allowed per connection.

<code>MaxAuthTries 6</code>

=== MaxSessions===

Specifies the maximum number of simultaneous sessions allowed per network connection.<br>

<code>MaxSessions 10</code>

=== AllowUsers, DenyUsers, AllowGroups, DenyGroups===

These options control which users and groups are allowed or denied access to the SSH server. They provide a way to manage access control based on usernames and group membership.

* '''AllowUsers''': Specifies a list of users allowed to access the SSH server. Other users will be denied access.
<code>AllowUsers user1 user2 user3</code><br>

* '''DenyUsers''': Specifies a list of users denied access to the SSH server. Other users will be allowed access.
<code>DenyUsers user4 user5</code>

* '''AllowGroups''': Specifies a list of groups whose members are allowed to access the SSH server. Users not belonging to these groups will be denied access.
<code>AllowGroups group1 group2</code>

* '''DenyGroups''': Specifies a list of groups whose members are denied access to the SSH server. Users not belonging to these groups will be allowed access.
<code>DenyGroups group3 group4</code>

Note that the order in which these options are applied is '''DenyUsers''', '''AllowUsers''', '''DenyGroups''', and finally '''AllowGroups'''.

===Banner===

The Banner option allows you to display a message or warning to users before they log in to the SSH server. This is often used to display legal notices, security warnings, or other important information.

To enable the banner, set the Banner option to the path of a text file containing the message you want to display:

<code>Banner /etc/ssh/banner.txt</code>

Create the /etc/ssh/banner.txt file and add your desired message. The content of this file will be displayed to users before they log in.

==Advanced sshd_config Options==
=== PermitTunnel===
The PermitTunnel option enables or disables the use of SSH tunneling. Tunnels can be used to forward ports or create VPN-like connections between the client and the server.
* There are four possible values for this option:

: '''"yes"''': Allows all types of tunnels.<br>
: '''"point-to-point"''': Allows only point-to-point (Layer 3) tunnels.<br>
: '''"ethernet"''': Allows only Ethernet (Layer 2) tunnels.<br>
: '''"no"''': Disables tunneling (default).<br>

To enable tunneling, set the PermitTunnel option in the sshd_config file:

<code>PermitTunnel yes</code>

Keep in mind that enabling tunnels may expose your server to additional security risks. Only enable this option if you understand the implications and have a specific use case that requires it.

=== ChrootDirectory===
The ChrootDirectory option allows you to restrict a user or a group to a specific directory (known as a chroot jail) when they log in via SSH. This can enhance security by isolating users and limiting their access to only the necessary parts of the filesystem.

To set up a chroot jail, follow these steps:

Create a directory that will serve as the chroot jail. For example, let's create a directory for user1:

<code>sudo mkdir /home/user1/chroot</code>

Change the ownership of the directory to the user and their primary group:

<code>sudo chown user1:user1 /home/user1/chroot</code>

In the sshd_config file, add a Match block at the end of the file to specify the ChrootDirectory for user1:
<pre>
Match User user1
ChrootDirectory /home/user1/chroot
</pre>

Restart the SSH server to apply the changes:

<code>sudo systemctl restart ssh</code>

Now, when user1 logs in via SSH, they will be restricted to the /home/user1/chroot directory and won't be able to access other parts of the filesystem.

Note that the chroot jail should be owned by root and not writable by the user. If you need to provide write access to specific directories, create subdirectories inside the chroot jail and set appropriate permissions for those. Also, some features like SFTP may require additional configuration within the chroot jail.

===ForceCommand===
The ForceCommand option allows you to specify a command that will be executed when a user logs in via SSH, regardless of the command requested by the user. This can be useful for limiting the actions a user can perform or for automatically running specific tasks upon login.

To use the ForceCommand option, follow these steps:

In the sshd_config file, add a Match block at the end of the file to specify the ForceCommand for a specific user or group. For example, to force user1 to execute the command /usr/bin/my-command upon login:

<pre>
Match User user1
ForceCommand /usr/bin/my-command
</pre>

Restart the SSH server to apply the changes:

<code>sudo systemctl restart ssh</code>

Now, when user1 logs in via SSH, the /usr/bin/my-command will be executed automatically, and they will not be able to run any other command.

Keep in mind that using ForceCommand may limit the user's ability to interact with the server or transfer files via SFTP. Make sure to test and verify the functionality for your specific use case.

=== Match Blocks===

Match blocks in the sshd_config file allow you to apply specific configuration options based on certain criteria, such as the user, group, address, or host. This enables you to create custom rules and settings for different users, groups, or connections.

Match block syntax:

<pre>
Match criteria
Option value
</pre>

Here are some examples of Match blocks and their usage:

Apply settings only for a specific user:
<pre>
Match User user1
PasswordAuthentication no
AllowTcpForwarding yes
</pre>

This configuration disables password authentication and enables TCP forwarding only for user1.

Apply settings for multiple users:
<pre>
Match User user1,user2
ChrootDirectory /home/%u/chroot
</pre>

This configuration sets the chroot directory for both user1 and user2.

Apply settings for a specific group:
<pre>
Match Group group1
PasswordAuthentication yes
</pre>

This configuration enables password authentication only for members of group1.

Apply settings based on the client's IP address:
<pre>
Match Address 192.168.1.0/24
PasswordAuthentication no
</pre>

This configuration disables password authentication for clients connecting from the 192.168.1.0/24 subnet.

Combine multiple criteria:
<pre>
Match User user1 Address 192.168.1.0/24
PasswordAuthentication yes
</pre>
This configuration enables password authentication only for user1 when they connect from the 192.168.1.0/24 subnet.

Remember to restart the SSH server after making changes to the sshd_config file:

<code>sudo systemctl restart ssh</code>

Match blocks offer flexibility in customizing your SSH server's configuration based on various criteria. Use them wisely to enhance security and optimize your server's settings.

==Best Practices and Tips '''sshd_config'''==
When configuring your '''sshd_config''' file, it's essential to follow best practices to ensure the security and stability of your SSH server. Here are some recommendations and tips:

:* Keep the server up-to-date: Always update your SSH server software and the underlying operating system to ensure you have the latest security patches and features.

:* Use strong authentication: Enable key-based authentication (PubkeyAuthentication) and consider disabling password authentication (PasswordAuthentication) to reduce the risk of brute-force attacks.

:* Limit root access: Set "PermitRootLogin" to "no" or "without-password" to prevent direct root login or require key-based authentication for root.

:* Use non-standard ports: Change the default SSH port (22) to a non-standard port to reduce the exposure to automated scans and attacks. Keep in mind this is security through obscurity and should be combined with other security measures.

'''Restrict user access''': Use "AllowUsers," "DenyUsers," "AllowGroups," and "DenyGroups" options to control which users and groups can access the SSH server.

'''Monitor logs''': Regularly check your SSH server logs for any suspicious activity or failed login attempts. Adjust the "LogLevel" setting in sshd_config as needed.
* Default Log Path Ubuntu 22.04: '''/var/log/auth.log'''

'''Use chroot jails''': Isolate users by creating chroot jails using the "ChrootDirectory" option, especially when providing SFTP access or when users don't require full access to the server.

'''Configure connection settings''': Set appropriate values for "LoginGraceTime" and "MaxAuthTries" to limit the time allowed for successful login and the number of authentication attempts per connection.

'''Use a strong firewall''': Configure your server's firewall to only allow SSH connections from trusted IP addresses or networks.

'''Regularly review and audit''': Periodically review your sshd_config settings and make adjustments as necessary. Keep up-to-date with SSH security best practices and recommendations.

By following these best practices and tips, you can enhance the security and performance of your SSH server, protecting it from unauthorized access and potential attacks.

===Troubleshooting sshd_config Issues===

When encountering problems with your SSH server configuration, it's important to know how to diagnose and resolve issues. Here are some common problems and troubleshooting steps:

Check syntax and configuration errors: If the SSH server is not starting or not functioning as expected, check the sshd_config file for any syntax or configuration errors. Use the following command to test the configuration file for errors:

<code>sudo sshd -t</code>

If there are any issues, the command will provide error messages with information on what needs to be fixed.

Review log files: Inspect the SSH server log files for any error messages or relevant information. The location of the log files may vary depending on your system, but common locations are /var/log/auth.log or /var/log/secure. Tail the log file while attempting to connect to get real-time information:

<code>sudo tail -f /var/log/auth.log</code>

Restart the SSH server

Check firewall settings: Ensure that the server's firewall is allowing SSH connections on the correct port. If you changed the default SSH port, update your firewall rules accordingly.

Verify user permissions: If a specific user is unable to connect, check the user's permissions, home directory, and the settings in the sshd_config file, such as "AllowUsers," "DenyUsers," "AllowGroups," or "DenyGroups."

SSH server from a client, use the verbose mode to get more detailed information about the connection process. This can help identify any issues with authentication or configuration. Run the following command to enable verbose mode:

<code>ssh -v user@example.com</code>

Replace "user@example.com" with the appropriate username and server address. You can increase the verbosity level by adding more "v" characters (e.g., -vv or -vvv) if needed.

Check file permissions: Ensure that the file permissions for the user's home directory, the .ssh directory, and the authorized_keys file are set correctly. The user's home directory should not be writable by other users, the .ssh directory should have permissions set to 700 (drwx------), and the authorized_keys file should have permissions set to 600 (-rw-------).

Test network connectivity: If you're unable to connect to the SSH server, verify that you can reach the server on the network. Use tools like ping, traceroute, or telnet to check the connection to the server and the specific SSH port.

By following these troubleshooting steps, you should be able to diagnose and resolve most issues related to the sshd_config file and the SSH server configuration. Remember to carefully review the settings in your sshd_config file and consult the server logs for additional information when encountering problems.

====After making changes, restart the SSH server:====
<code>sudo systemctl restart ssh</code><br>

== Running commands on a remote server==

Once you've connected to a remote server using SSH, you can execute commands on the remote machine just as you would on your local system. However, you can also run commands on a remote server without establishing an interactive SSH session.

This can be useful for automation, scripting, or quick tasks. Here's how to do it:

Use the SSH command: To run a command on a remote server without entering an interactive session, use the following syntax:

<code>ssh username@hostname_or_IP -p port 'command'</code>

Replace username with your username on the remote server, hostname_or_IP with the server's hostname or IP address, port with the SSH port number (if different from the default 22), and command with the command you want to execute.

For example, to list the contents of the remote server's home directory, you can use:

<code>ssh john@example.com -p 22 'ls -la'</code>

===Handling multiple commands===
If you need to execute multiple commands, you can chain them together using a '''semicolon''' or '''&&'''.

The semicolon allows you to run multiple commands sequentially, while the && operator runs the next command only if the previous command was successful.

For example, to update the package list and then upgrade the packages on a remote Ubuntu server:

<code>ssh john@example.com -p 2222 'sudo apt-get update; sudo apt-get upgrade -y'</code>

* Command output:
The output of the command will be displayed in your local terminal, just as if you were running the command on your local machine. Using key-based authentication

==Transferring files with SCP==

The Secure Copy Protocol (SCP) is a useful tool for transferring files between your local machine and a remote server using SSH. SCP ensures that the data is encrypted during transit, providing a secure and efficient way to transfer files.

===Install an SCP client===

Most Unix-based systems, including Linux and macOS, have an SCP client pre-installed. For Windows, you can use the built-in SCP client included with the OpenSSH package (available in Windows 10 and later) or a third-party client like WinSCP.

===Transfer a file from your local machine to a remote server===

To copy a file from your local machine to a remote server, use the following command:
* Note the use of the upper case '''-P''' for ports with '''scp'''
<code>scp -P port local_file_path username@hostname_or_IP:remote_file_path</code>

Replace port with the SSH port number (if different from the default 22), local_file_path with the path to the file on your local machine, username with your username on the remote server, hostname_or_IP with the server's hostname or IP address, and remote_file_path with the desired location on the remote server.

For example:

<code>scp -P 22 /home/john/documents/report.pdf john@example.com:/home/john/reports/</code>

This command will copy the "report.pdf" file from the local machine to the "reports" directory on the remote server.

===Transfer a file from a remote server to your local machine===
To copy a file from a remote server to your local machine, use the following command:

<code>scp -P port username@hostname_or_IP:remote_file_path local_file_path</code>

Replace port with the SSH port number (if different from the default 22), username with your username on the remote server, hostname_or_IP with the server's hostname or IP address, remote_file_path with the path to the file on the remote server, and local_file_path with the desired location on your local machine.

For example:

<code>scp -P 2222 john@example.com:/home/john/reports/report.pdf /home/john/documents/</code>
: Or
<code>scp john@example.com:/home/john/reports/report.pdf /home/john/documents/</code>-

This command will copy the "report.pdf" file from the remote server's "reports" directory to the "documents" directory on your local machine.

===Transferring directories===

To transfer an entire directory, use the '''-r''' flag:

<code>scp -r -P port local_directory_path username@hostname_or_IP:remote_directory_path</code>

Or, to copy a directory from the remote server to your local machine:

<code>scp -r -P port username@hostname_or_IP:remote_directory_path local_directory_path</code>

Using SCP is a convenient and secure way to transfer files between your local machine and a remote server. It leverages the security of the SSH protocol to ensure that your data remains encrypted during transit.

===Transferring from Remote Computer to Remote Computer===

Copy the file '''stuff.txt''' from remote host '''12.34.56.67''' to host '''11.22.33.44'''

<code>scp name@12.34.56.67:/home/user/Documents/stuff.txt name@11.22.33.44:/home/user/Documents/</code>

With the '''-3''' flag copies between two remote hosts "12.34.56.67" and "11.22.33.44" are transferred through the local host running the command.

<code>scp -3 name@12.34.56.67:/home/user/Documents/stuff.txt \ name@11.22.33.44:/home/user/Documents/ </code>

===Transferring multiple files===

Send files foo.txt and bar.txt to remote.

<code>scp foo.txt bar.txt user@12.34.56.78:~/Documents/</code>

Copy multiple files from remote "Documents" directory to local "Documents" directory.

<code>scp user@11.22.33.44:/home/user/Documents/\{todo_list.txt,links.txt,stuff.txt\} /home/$USER/Documents/</code>

Copy multiple files from the remote to local current directory.

<code>scp name@12.34.56.78:~/\{README.md,.bashrc\} . </code>

== Transferring files with SFTP==
The SSH File Transfer Protocol (SFTP) is another method for transferring files securely between your local machine and a remote server. Unlike SCP, SFTP provides an interactive interface that allows you to navigate, upload, and download files more easily.

Install an SFTP client: Most Unix-based systems, including Linux and macOS, have an SFTP client pre-installed. For Windows, you can use the built-in SFTP client included with the OpenSSH package (available in Windows 10 and later) or a third-party client like WinSCP or FileZilla.

Connect to a remote server: To start an SFTP session with a remote server, open a terminal or command prompt on your local machine and use the following command:

<code>sftp -P port username@hostname_or_IP</code>

Replace port with the SSH port number (if different from the default 22), username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

For example:

<code>sftp -P 22 john@example.com</code>

Navigate the remote filesystem: Once connected, you can use commands similar to those available in a Unix shell to navigate the remote server's filesystem. Some common SFTP commands include:

: '''ls''': List files and directories<br>
: '''cd''': Change the current directory<br>
: '''mkdir''': Create a new directory<br>
: '''rmdir''': Remove an empty directory<br>
: '''get''': Download a file from the remote server<br>
: '''put''': Upload a file to the remote server<br>
<br>
: '''rm''': Remove a file<br>
: '''rename''': Rename a file or directory<br>
: '''exit''': Exit the SFTP session<br>

Transfer files: To transfer files, use the put command to upload a file from your local machine to the remote server, and the get command to download a file from the remote server to your local machine. For example:

Upload a file:

<code>put local_file_path remote_file_path</code>

Download a file:

<code>get remote_file_path local_file_path</code>

Replace local_file_path and remote_file_path with the appropriate paths for the files you want to transfer.

Transferring directories: To transfer entire directories, use the -r flag with the put and get commands:

Upload a directory:

<code>put -r local_directory_path remote_directory_path</code>

Download a directory:

<code>get -r remote_directory_path local_directory_path</code>

Disconnect from the remote server: When you've finished transferring files, type exit to close the SFTP session.

SFTP offers a more user-friendly, interactive experience for transferring files compared to SCP. By utilizing the secure and encrypted SSH protocol, SFTP ensures that your data remains safe during transfer.

==Advanced SSH Techniques==
=== Port forwarding and tunneling===

SSH port forwarding and tunneling allow you to securely forward network traffic between your local machine and a remote server. This can be useful for accessing remote services, bypassing firewalls, or securely transmitting sensitive data.

Local Port Forwarding: Local port forwarding creates a secure tunnel between your local machine and a remote server, allowing you to access remote services as if they were running on your local machine. To set up local port forwarding, use the -L flag with the SSH command:

<code>ssh -L local_port:remote_host:remote_port username@hostname_or_IP</code>

Replace local_port with an available port on your local machine, remote_host with the hostname or IP address of the remote server hosting the service, remote_port with the port number of the remote service, username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

Remote Port Forwarding: Remote port forwarding enables you to expose a local service running on your machine to a remote network. To set up remote port forwarding, use the -R flag with the SSH command:

<code>ssh -R remote_port:local_host:local_port username@hostname_or_IP</code>

Replace remote_port with an available port on the remote server, local_host with the hostname or IP address of the local machine hosting the service, local_port with the port number of the local service, username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

:**Forwarding X, Sound, and Video on Ubuntu 22.04 with Ubuntu 22.04 LXC**: To forward X, sound, and video from a remote Ubuntu 22.04 server to your local Ubuntu 22.04 machine, you'll need to enable X11 forwarding and install the necessary packages.

:* Install required packages: On both your local machine and the remote server, install the x11-apps and pulseaudio packages:

<code>sudo apt update</code><br>
<code>sudo apt install x11-apps pulseaudio</code>

:* Enable X11 forwarding: To enable X11 forwarding, you'll need to edit the SSH server configuration file (/etc/ssh/sshd_config) on the remote server:

<code>sudo nano /etc/ssh/sshd_config</code>

Find the line containing "X11Forwarding" and set its value to "yes":

<code>X11Forwarding yes</code>

If the line is commented out (i.e., it starts with a '#'), remove the '#' symbol. Save your changes and exit the text editor.

:* Restart the SSH server: Apply the changes by restarting the SSH server:

<code>sudo systemctl restart ssh</code>

:* Connect with X11 forwarding: From your local machine, use the -X flag to enable X11 forwarding when connecting to the remote server:

<code>ssh -X username@hostname_or_IP</code>

:* Export PULSE_SERVER environment variable: On the remote server, export the PULSE_SERVER environment variable to forward sound:

<code>export PULSE_SERVER=tcp:localhost</code>

You can add this line to the remote user's ~/.bashrc or ~/.profile file to make the change permanent.

:* Run applications: Now, you can run graphical applications on the remote server, and they will be displayed on your local machine with sound and video forwarded.

Please note that forwarding X, sound, and video might cause increased latency and reduced performance compared to running the applications locally.

=== SSH agent forwarding===
SSH agent forwarding is a powerful feature that allows you to use your local SSH keys to authenticate with remote servers without having to copy your private keys to those servers. This is particularly useful when you need to access one remote server (Server B) through another remote server (Server A).

==== Start the SSH agent on your local machine ====

Before you enable SSH agent forwarding, you need to start the SSH agent on your local machine. Open a terminal and run the following command:

:* For Linux and macOS:

<code>eval "$(ssh-agent -s)"</code>

For Windows (Git Bash or Cygwin):

<code>eval $(ssh-agent)</code>

This command starts the SSH agent and sets the required environment variables.

====Add your SSH key to the agent====

Next, add your private key to the SSH agent with the following command:

<code>ssh-add ~/.ssh/your_private_key</code>

Replace '''your_private_key''' with the filename of your private key. This might be '''id_rsa''', '''id_ed25519''', or another key file depending on your setup.

====Configure SSH agent forwarding on your local machine====

Edit your SSH config file to enable agent forwarding. The config file is usually located at '''~/.ssh/config'''. If the file doesn't exist, create it.

Add the following lines to the config file:

<pre>
Host server_a_alias
HostName server_a_ip_or_hostname
User your_username_on_server_a
ForwardAgent yes

Host server_b_alias
HostName server_b_ip_or_hostname
User your_username_on_server_b
ForwardAgent yes
</pre>

Replace
:* '''server_a_alias'''
:* ''' server_a_ip_or_hostname'''
:* '''your_username_on_server_a'''
:* '''server_b_alias'''
:* '''server_b_ip_or_hostname'''
:* '''your_username_on_server_b'''
with the appropriate values.

====Make sure your public key is added to the remote servers====

Before you can use SSH agent forwarding, you need to add your public key to the '''~/.ssh/authorized_keys''' file on both Server A and Server B. If you haven't done this already, you can use the following command:

<code>ssh-copy-id -i ~/.ssh/your_public_key user@server_ip_or_hostname</code>

Replace '''your_public_key''', '''user''', and '''server_ip_or_hostname''' with the appropriate values.

====Test SSH agent forwarding====

First, SSH into Server A:

<code>ssh server_a_alias</code>

Then, from Server A, SSH into Server B:

<code>ssh server_b_alias</code>

If everything is set up correctly, you should be able to access Server B without being prompted for a password.

====Verify SSH agent forwarding====

To make sure that SSH agent forwarding is working, you can check the value of the '''SSH_AUTH_SOCK''' environment variable on Server B.

From Server B, run the following command:

<code>echo $SSH_AUTH_SOCK</code>

If SSH agent forwarding is working, this command should return a non-empty value.

That's it! You've successfully set up and tested SSH agent forwarding. Now you can use your local SSH keys to authenticate with remote servers without having to copy your private keys to those servers.

===Command Restriction===

The '''authorized_keys''' file can be used to restrict the commands that a specific SSH key can execute. This is especially useful for security purposes, to limit the potential damage that could be done if a key is compromised.

By including a '''command=''' directive in the '''authorized_keys''' file, you can specify the exact command that will be run when a client connects using the associated key. Any command provided by the client will be ignored, and the command specified in the authorized_keys file will be used instead.

Example:

<code>command="/usr/bin/scp -t /home/rscp/media/" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...</code>

is set up to always execute the '''scp''' command (used for secure copy of files over SSH) to the specified directory, no matter what command was originally issued by the client. This is a good way to create a "write-only" drop box, for instance.

However, the keyholder could potentially still execute arbitrary commands by carefully crafting the file names they upload, so additional precautions should be taken, such as using command= along with other directives like '''no-port-forwarding''', '''no-X11-forwarding''', and '''no-pty''' to further limit what can be done with the key.

<code>command="/usr/bin/scp -t /home/rscp/media/",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...</code>

This entry does the following:

:* The '''command=''' directive runs the specified command when a client connects using this key. In this case, the command is scp, which securely copies files to the /home/rscp/media/ directory.
:* The '''no-port-forwarding''' directive prevents the client from using SSH's port forwarding features, which could potentially be used to create a secure tunnel for other network traffic.
:* The '''no-X11-forwarding''' directive prevents the client from forwarding X11 graphical sessions, which could be used to run graphical applications over the SSH connection.
:* The '''no-pty''' directive prevents the allocation of a pseudo-terminal, which means the client can't interact with a shell or run interactive commands.

The '''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...''' part is the public key of the client. Replace this with the actual key.

This configuration significantly limits the operations that can be performed with this key, providing an additional layer of security.

====SCP Only====

Use Case Example: Have a Server hosting XML Dumps, and want to automate sending a file or directory from Server1 to Server2 using a script and ssh-key so i don't need to enter password.

=====Create Account on Server=====
Create user account you are going to use:<br>
<code>adduser rscp</code>

Make sure user has a '''.ssh''' directory to send public key to:<br>
<code>mkdir /home/rscp/.ssh</code>

Make a Directory to transfer files to:<br>
<code>mkdir /home/rscp/media</code>

Note: If you see error <code>scp: /home/rscp/media/test.txt: Permission denied</code> If you created directory '''media''' when logged in as '''root''' then check directory permissions and if need [[Linux_Users_and_Groups#File_Ownership_and_Permissions|assign ownership to '''user''' account.]]<br>
Example:<code>chown rscp:rscp /home/rscp/media</code>

[[Ubuntu_22.04_SSH_Guide#Copying_public_keys_to_the_remote_server|Send your public key to server]]

After public_key/authorized_key is on server, edit authorized_keys and at the start before ssh-rsa <KEY>
<pre>
command="/usr/bin/scp -t /home/rscp/media/" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...
</pre>

If from remote server you are sending a Directory include the '''-r''' flag in command:<br>

After public_key/authorized_key is on server, edit authorized_keys and at the start before ssh-rsa <KEY>
<pre>
command="/usr/bin/scp -t -r /home/rscp/media/" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...
</pre>

This entry in the authorized_keys file uses the command option to restrict the SSH command that can be run with the associated SSH key. The command option specifies that the scp command should be used to transfer files to the '''/home/rscp/media/''' directory on the server.

Here's a breakdown of the entry:

:* '''command="/usr/bin/scp -t /home/rscp/"''': This specifies that the scp command should be used as the SSH command for this key, with the '''-t''' option to specify that the remote end is a file (in this case, a directory), and the destination directory on the server is /home/rscp/. This means that the user can only use the SSH key to transfer files to the /home/rscp/ directory on the server.

:* '''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...''': This is the public key associated with the private key that is used for authentication.

By using the command option in this way, you can restrict the actions that the user can perform with the SSH key, which can help to improve security. In this case, the user can only transfer files to the specified directory on the server using the scp command.

======Tip - transfer file to a path your USER does not have permissions for======

You can write a shell script to check the '''/home/rscp/media''' directory every minute using a while loop and the sleep command. If any files are found in the directory, the script can move them to the '''/var/www/media''' directory using the mv command. Here's an example script:

<syntaxhighlight lang="bash" line>
#!/bin/bash

while true
do
if [ "$(ls -A /home/rscp/media/)" ]; then
mv /home/rscp/media/* /var/www/media/
fi
sleep 60
done
</syntaxhighlight>

In this script, the while loop runs indefinitely ('''while true''') and sleeps for 60 seconds at the end of each iteration ('''sleep 60''').

The '''if''' statement checks if the '''/home/rscp/media''' directory is not empty ('''[ "$(ls -A /home/rscp/media/)" ]'''). If it is not empty, the '''mv''' command is used to move all files and directories from the '''/home/rscp/media/''' directory to the '''/var/www/media/''' directory.

Save this script to a file (e.g. '''move-files.sh''') and make it executable using the '''chmod +x move-files.sh''' command. You can then run the script using '''./move-files.sh &''' to start it in the background and allow it to run indefinitely. The & symbol is used to run the script in the background so that you can continue using the terminal.

Note that running this script indefinitely can consume system resources, so you may want to consider setting up a scheduled task (e.g. using '''[[Cron_ubuntu_22.04|cron]]''') to run the script at a specific interval instead of running it indefinitely.

==Tilde '''~''' the escape character==

The tilde (~) character has a special meaning in the context of SSH. When using SSH, you can use the tilde character followed by a control sequence to perform certain actions. These are called "tilde escape sequences" or "tilde commands." They are useful for managing your SSH connections.

Here's how to use tilde escape sequences when connected to a remote server via SSH:

:* Make sure you are at the beginning of a new line in your terminal. Press '''Enter''' if you are not.

:* Type the tilde (~) character, followed by the appropriate control sequence. Note that you should not press '''Enter''' after typing the tilde character, but rather type the control sequence directly after it.

Here are some common tilde escape sequences:

: '''~.''' : Close the SSH connection. This can be helpful if the connection is frozen or unresponsive.
: '''~^Z''' : Suspend the SSH connection and return to your local shell. You can later resume the connection using the fg command.
: '''~#''' : List all forwarded connections (both local and remote) that are active in the current SSH session.
: '''~&''' : Run the SSH session in the background. This is useful if you want to perform other tasks on your local machine without closing the SSH connection.
: '''~~''' : Send a literal tilde character to the remote system. This is useful if you need to type a tilde character in the remote system without triggering an escape sequence.

Remember that these escape sequences only work if they are entered at the beginning of a new line in your terminal. If you're typing them in the middle of a command or text, they won't be recognized as special control sequences.

==Troubleshooting and Best Practices==

In this section, we'll cover some common issues and best practices related to SSH connections, including managing a large number of SSH keys.

===Too many authentication attempts===

When connecting to an SSH server, you might encounter the "Too many authentication attempts" error. This is often caused by having too many private keys in your ~/.ssh directory. By default, SSH tries each key until it finds the correct one, but many servers limit the number of authentication attempts.

'''Solution''': To resolve this issue, you can create a separate directory for your keys and configure the SSH config file to use the appropriate key for each connection.

:* Create a new directory for your keys:

<code>mkdir ~/.ssh/keys</code>

:* Move your private key files to the new directory:

<code>mv ~/.ssh/id_rsa_* ~/.ssh/keys/</code>

Update your SSH config file to specify the correct key for each connection:
<pre>
Host server1
...
IdentityFile ~/.ssh/keys/id_rsa_server1

Host server2
...
IdentityFile ~/.ssh/keys/id_rsa_server2
</pre>

===Permission issues===

SSH is very strict about file and directory permissions. Ensure that your ~/.ssh directory and its contents have the correct permissions:

:* The ~/.ssh directory should have permissions set to 700:

<code>chmod 700 ~/.ssh</code>

Private key files should have permissions set to 600:

<code>chmod 600 ~/.ssh/id_rsa</code>

The ~/.ssh/config file should have permissions set to 600:

<code>chmod 600 ~/.ssh/config</code>

:* <b>Best practices</b>: Follow these best practices to maintain secure and efficient SSH connections:

:* Use SSH key pairs instead of passwords for authentication, as they provide better security.
:* Regularly update your SSH keys to maintain their security.
:* Use strong, unique passphrases to protect your private keys.
:* Disable password authentication and root login on your SSH server to reduce the risk of brute-force attacks.
:* Regularly update your SSH server software to ensure you're running the latest security patches.
:* Use non-standard port numbers for your SSH server to make it less likely to be targeted by automated attacks.
:* Implement multi-factor authentication (MFA) for your SSH connections, if possible.
:* Regularly review and remove any unnecessary authorized keys from the ~/.ssh/authorized_keys file on your servers.
:* Use the Match directive in the sshd_config file to apply custom rules and settings for different users, groups, or connections.

Ubuntu 22.04 Man Pages

2023-05-16T12:01:09Z

Noob: Created page with "Man pages, short for manual pages, are the standard form of documentation on a Unix-like system like Ubuntu 22.04. They provide detailed information about commands, system calls, library routines, and other components of the system. Man pages serve as a comprehensive reference, explaining the function of these components, their syntax, options, return values, and more. ==Accessing Man Pages== To access a man page for a specific command or program, use the man command f..."

Man pages, short for manual pages, are the standard form of documentation on a Unix-like system like Ubuntu 22.04. They provide detailed information about commands, system calls, library routines, and other components of the system. Man pages serve as a comprehensive reference, explaining the function of these components, their syntax, options, return values, and more.

==Accessing Man Pages==

To access a man page for a specific command or program, use the man command followed by the name of the command or program. For example, to view the man page for the ls command, you would type:

<code>man ls</code>

This will bring up the man page for ls, which you can scroll through using the arrow keys. To exit, press '''q'''.

===Sections of Man Pages===

In Ubuntu 20.04 and other Linux distributions, man pages are typically stored in several directories under /usr/share/man. These directories are organized by sections, which are represented by numbers. The sections are as follows:

:* 1 '''User commands''' (Executable programs or shell commands)
:* 2 '''System calls''' (Functions provided by the kernel)
:* 3 '''Library calls''' (Functions within program libraries)
:* 4 '''Special files''' (Files found in /dev)
:* 5 '''File formats and conventions'''
:* 6 '''Games'''
:* 7 '''Miscellaneous''' (including macro packages and conventions)
:* 8 '''System administration commands''' (usually only for root)
:* 9 '''Kernel routines''' (Non-standard)

To access a man page in a specific section, you can specify the section number before the topic. For example, to access the system call read, you would type:

<code>man 2 read</code>

===Searching Man Pages===

If you're not sure what command or program you're looking for, you can search the man pages using the '''apropos''' command followed by a keyword. For example, to find commands related to "copy", you would type:

<code>apropos copy</code>

This will return a list of man pages related to the keyword "copy".
Conclusion

Man pages are a vital resource for users and administrators of Ubuntu 22.04, providing in-depth information on how to use and understand the system's various components. Understanding how to read and navigate man pages can greatly enhance your proficiency with the system.

Please note that man pages can sometimes be quite technical and may not be the easiest resource for beginners. Other resources, such as online tutorials, guides, and community forums, can often provide more accessible explanations and examples.

==Find the License of Man Pages==

The man pages in Ubuntu also use a variety of licenses, depending on the specific software and authors' preferences. As mentioned in my previous response, common licenses used for man pages in Ubuntu distributions include the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), BSD License, MIT License, and Apache License.

To find the specific license for a particular man page in Ubuntu 20.04, you can look at the copyright information typically found at the bottom of the man page or consult the package documentation. Additionally, you can check the '''/usr/share/doc/<package_name>/copyright''' file, where '''<package_name>''' is the name of the package you are interested in.

Please note that some man pages may use other licenses or have custom licensing terms specified by the authors. Always refer to the documentation and copyright information for the specific man page or software package to determine its licensing terms.

===find the location of a specific man page===

To find the location of a specific man page, you can use the '''manpath''' command to display the search path for man pages, and the '''man -w <command>''' command to find the location of a specific man page. Replace '''<command>''' with the command or topic you are looking for. For example:

:* The '''manpath''' command will show the directories where man pages are stored
<code>manpath</code>

:* The '''man -w <package>''' command will display the location of the '''<package>''' command's man page.

Example:
:<code>man -w ls</code>

Will display the location of the '''ls''' command's man page. The output will show the full path to the man page file, such as '''/usr/share/man/man1/ls.1.gz'''

Please note that man pages are usually compressed using gzip, so the file extensions will often be .gz. To read the man page, use the man command, as it automatically decompresses the file:

<code>man ls</code>

The License of the '''ls''' man page is '''GPLv3+''' <br>
The "GPL-3+" means that the man page is licensed under the GNU General Public License version 3 or any later version.
<pre>
COPYRIGHT
Copyright © 2020 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.

</pre>

==Example of finding the license of the '''mc''' man page==

: The '''mc''' "''midnight commander''" package is not installed on ubuntu by default:
<code>sudo apt install mc</code><br>

: Check the '''man mc''' page for license of the '''man''' for '''mc'''
<code>man mc</code>

<pre>
LICENSE
This program is distributed under the terms of the GNU General Public License as published by the Free Software Foundation. See the built-in help for details on the License and the lack of
warranty.
</pre>

The easiest way to find the license of a man page is to look for the license or copyright information within the man page itself, as you've done with the 'mc' man page. In some cases, the man page may not include the license information, and you will need to look for the copyright information in the package documentation instead.

To find the package documentation, you can check the '''/usr/share/doc/<package_name>/copyright''' file, where '''<package_name>''' is the name of the package you are interested in. For the 'mc' package, you can find the copyright file using the following command:

<code>cat /usr/share/doc/mc/copyright</code>

This command will display the copyright and license information for the 'mc' package, which should also cover the associated man page.

In the case of the 'mc' man page, the license information is already provided in the man page itself, stating that the program is distributed under the terms of the GNU General Public License.

===OutPut from <code>cat /usr/share/doc/mc/copyright</code>===

<pre>
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: Midnight Commander
Source: http://www.midnight-commander.org/downloads
Copyright: 1996-2021 Free Software Foundation
License: GPL-3+
Comment:
This package was debianized on Tue Apr 1 14:32:15 1997 by
Paul Seelig <pseelig@mail.uni-mainz.de>.

Files: *
Copyright: 1991-1992,1994-2021 Free Software Foundation
1996 andrey joukov <2:5020/337.13@fidonet.org>
2002 ARJ Software Russia
2003 Alexander Serkov <serkov@ukrpost.net>
1992-1998 Andrew Tridgell
1995 Ian Jackson <iwj10@cus.cam.ac.uk>
2008 Jacques Pelletier <jpelletier@ieee.org>
1996-1997 Joseph M. Hinkle <jhinkle@rockisland.com>
1998 John H Terpstra <jht@aquasoft.com.au>
1990-1998 Karl Auer
2005-2006 Leonard den Ottolander <leonard den ottolander nl>
1996-1998 Luke Kenneth Casson Leighton
1995-1996 Miguel de Icaza
2000-2001 Oskar Liljeblad <osk@hem.passagen.se>
1996 Paul Sheer
2003 Pavel Roskin
2002 Petr Kozelka <pkozelka@email.cz>
1999 Piotr Roszatycki <dexter@debian.org>
1995-1998 Samba-Team
2001 Walery Studennikov <despair@sama.ru>
1997-1998 the University of Minnesota
License: GPL-3+
Comment:
See list of authors and contributors in file AUTHORS
Note that all these authors assigned the copyright to FSF.

Files:
doc/doxygen-include.am
m4.include/dx_doxygen.m4
Copyright:
2004,2007 Oren Ben-Kiki
License: Apache-2.0

Files:
misc/syntax/nemerle.syntax
Copyright:
2004 the University of Wroclaw
License: BSD-3-Clause

Files:
misc/syntax/meson.syntax
Copyright:
2018 Vitold S
License: Expat

Files: debian/*
Copyright:
2002-2004 Adam Byrtek <alpha@debian.org>
2011 Andreas Tille <tille@debian.org>
2002 Colin Watson <cjwatson@debian.org>
2008-2015 Denis Briand <debian@denis-briand.fr>
2012-2021 Dmitry Smirnov <onlyjob@debian.org>
1997 Fernando Alegre <alegre@debian.org>
2004-2007 Ludovic Drolez <ldrolez@debian.org>
1999-2001 Martin Bialasinski <martinb@debian.org>
1999 Martin Bialasinski <mc@internet-treff.uni-koeln.de>
1998-1999 Michael Bramer <grisu@debian.org>
2008-2009 Patrick Winnertz <winnie@debian.org>
1998 Paul Seelig <pseelig@goofy.zdv.uni-mainz.de>
2004-2007 Stefano Melchior <stefano.melchior@openlabs.it>
1997 Vincent Renardias <vincent@waw.com>
2008-2010 Yury V. Zaytsev <yury@shurup.com>
License: GPL-2+

Files: src/vfs/smbfs/helpers/*
Copyright: 2011 Free Software Foundation
1992-1998 Andrew Tridgell
1995-1998 Samba-Team
1998 John H Terpstra <jht@aquasoft.com.au>
License: GPL-3+

Files:
m4.include/gnulib/fsusage.m4
m4.include/gnulib/sys_types_h.m4
m4.include/gnulib/windows-stat-inodes.m4
Copyright: 1997-2018 Free Software Foundation, Inc.
License: FSFULLR
This file is free software; the Free Software Foundation
gives unlimited permission to copy and/or distribute it,
with or without modifications, as long as this notice is preserved.

Files:
m4.include/ax_gcc_func_attribute.m4
Copyright: 2013 Gabriele Svelto <gabriele.svelto@gmail.com>
License: FSF-Install
Copying and distribution of this file, with or without modification, are
permitted in any medium without royalty provided the copyright notice and
this notice are preserved. This file is offered as-is, without any
warranty.

License: Apache-2.0
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
.
http://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
․
On Debian systems, the complete text of the Apache License,
Version 2.0 can be found in "/usr/share/common-licenses/Apache-2.0".

License: BSD-3-Clause
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of the University may not be used to endorse or promote
products derived from this software without specific prior
written permission.
.
THIS SOFTWARE IS PROVIDED BY THE UNIVERSITY ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
NO EVENT SHALL THE UNIVERSITY BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

License: Expat
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
․
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
․
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

License: GPL-2+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
․
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
․
On Debian systems, the complete text of the GNU General Public
License Version 2 can be found in "/usr/share/common-licenses/GPL-2".

License: GPL-3+
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
․
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
․
On Debian systems, the complete text of the GNU General Public
License Version 3 can be found in "/usr/share/common-licenses/GPL-3".
</pre>

Based on the information from the '''/usr/share/doc/mc/copyright''' file, the license for the Midnight Commander man page would be '''"GPL-3+"''', as indicated in the following section of the file:

<pre>
Files: *
Copyright: 1991-1992,1994-2021 Free Software Foundation
...
License: GPL-3+
</pre>

The "GPL-3+" means that the man page is licensed under the GNU General Public License version 3 or any later version.

==Export a 'man' page==

To export a man page in a readable format for copy and paste, you can use the man command with the '''-P''' flag to output the content to a specific pager, such as cat.

To export a man page in a readable format for copy and paste, you can use the man command with the -P flag to output the content to a specific pager, such as cat. Alternatively, you can use man with the col command to remove any formatting characters.

The '''-P''' flag in the man command allows you to specify a pager to view the manual page. A pager is a program that helps you read and navigate through text, such as less (default pager), more, or cat. To use the man command with the '''-P''' flag, follow this syntax:

<code>man -P <pager> <command></code>

Replace '''<pager>''' with the pager you want to use (e.g., cat, less, more) and '''<command>''' with the command you want to view the manual page for.

For example, if you want to view the ssh man page using the cat pager:

<code>man -P cat ssh</code>

This will output the ssh man page without any pagination, making it easy to copy and paste the content. Keep in mind that using cat as the pager will output the entire man page at once, which might be overwhelming for very long pages. To navigate through the content, you may want to use less or more instead.

'''Alternatively''', you can use man with the '''col''' command to remove any formatting characters.

For example, to view the ssh man page in a plain text format:

<code>man ssh | col -bx</code>

If you want to save the output to a file for easy copy and paste, you can redirect the output to a file:

<code>man ssh | col -bx > ssh_man_page.txt</code>

Now you can open the '''ssh_man_page.txt''' file with a text editor.

Ubuntu 22.04 Yacy

2023-05-16T11:44:06Z

Noob: Noob moved page Yacy to Ubuntu 22.04 Yacy without leaving a redirect

==Installing Yacy on Ubuntu 22.04 Vultr VPS Server==
* Spin up ubuntu 22.04 2 vCPUs 4096.00 MB RAM 80 GB SSD Storage
* login

<code>apt-get update && apt upgrade -y</code><br>
<code>apt-get install openjdk-8-jre-headless nginx -y</code><br>
<code>mkdir -pv /opt/yacy</code><br>
Find Latest version https://download.yacy.net/<br>
<code>wget https://download.yacy.net/yacy_v1.924_20210209_10069.tar.gz</code><br>
<code>tar xvf yacy_v1.924_20210209_10069.tar.gz -C /opt/yacy/</code><br>
<code>bash /opt/yacy/yacy/startYACY.sh</code><br>
<code>bash /opt/yacy/yacy/bin/passwd.sh $PASSWORD</code><br>
<code>ufw allow 80/tcp</code><br>
<code>ufw allow 443/tcp</code><br>
<code>ufw allow 8090/tcp</code><br>
<code>$EDITOR /etc/nginx/sites-available/default</code><br>
<pre>
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;

# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;

root /var/www/html;

# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;

server_name _;

location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
#try_files $uri $uri/ =404;
proxy_pass http://127.0.0.1:8090;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 3s;
proxy_send_timeout 10s;
proxy_read_timeout 10s;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}

# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
</pre>

Domain and https<br>
<code>snap install certbot --classic</code><br>
After DNS points to server<br>
<code>certbot --nginx -d yacy.completenoobs.com</code><br>
Now can visit https://yacy.completenoobs.com and site working :)<br>

===systemd===
Will start YACY at when server reboots.<br>
<code>$EDITOR /etc/systemd/system/yacy.service</code><br>
<pre>
[Unit]
Description =Start yacy

[Service]
Type=forking
ExecStartPre=/bin/sleep 15
ExecStart=/opt/yacy/yacy/startYACY.sh

[Install]
WantedBy=multi-user.target

</pre>
<br>
<code>systemctl enable yacy</code><br>
<code>reboot</code><br>

DICTIONARY Square root

2023-05-16T11:42:47Z

Noob: Noob moved page Square root to DICTIONARY Square root without leaving a redirect

The square root of a number is a value that, when multiplied by itself, gives the original number. In mathematical terms, the square root of a number x is denoted as √x or x^(1/2). For example, the square root of 9 is 3 because 3 * 3 = 9.

In this tutorial, we will cover the concept of square roots, different methods to find the square root of a number, examples, and exam-style questions with answers.
Methods to Find the Square Root

==1. Prime Factorization==

To find the square root of a number using prime factorization, follow these steps:

:* Find the prime factors of the given number.
:* Pair the prime factors in groups of two identical factors.
:* Multiply one factor from each pair to find the square root.

Example:

Find the square root of 36.

:* Prime factors of 36: 2 * 2 * 3 * 3
:* Pair the prime factors: (2 * 2) * (3 * 3)
:* Multiply one factor from each pair: 2 * 3 = 6

So, the square root of 36 is 6.

==2. Long Division Method==

The long division method is a technique used to find the square root of a number with decimal places.
Example:

Find the square root of 50.

:* Pair the digits from the right: (50)
:* Find the largest number whose square is less than or equal to 50: 7 (7 * 7 = 49)
:* Subtract the result from 50: 50 - 49 = 1
:* Bring down the next pair of digits (if any) and repeat the process.

So, the square root of 50 is approximately 7.

<div class="toccolours mw-collapsible mw-collapsed">
Finding the square root of 50 using the long division method:
<div class="mw-collapsible-content">
:* Step 1: Write the number 50 and separate the digits into pairs starting from the right. Since there are no decimal places, we only have one pair (50).
<pre>
50
</pre>
:* Step 2: Find the largest number whose square is less than or equal to the first pair (50). In this case, the largest number is 7, as 7 * 7 = 49, which is less than or equal to 50. Write 7 above the pair and write 49 below the pair.

<pre>
7
-------
| 50
49
-------
</pre>

:* Step 3: Subtract 49 from 50 and write the remainder below.

<pre>

7
-------
| 50
49
-------
1
</pre>

:* Step 4: Since there are no more digits to bring down, we can proceed to calculate the decimal places. Add a decimal point to the quotient (7), and add a pair of zeros to the remainder. Bring down the pair of zeros.

<pre>
7.
-------
| 50.00
49
-------
1 00
</pre>

:* Step 5: Double the quotient (7) and write it to the left of the remainder. Treat this doubled value as a single entity (in this case, 14). Find a digit (x) that, when combined with the doubled value (14), creates a number (14x) that can be multiplied by x to get a product less than or equal to the remainder (100). In this case, x = 1, as 141 * 1 = 141, which is less than or equal to 100. Write the 1 in the quotient after the decimal point and write 141 below the 100.

<pre>
7.1
-------
| 50.00
49
-------
1 00
141
-------
</pre>

:* Step 6: Subtract 141 from 100 and write the remainder below.

<pre>

7.1
-------
| 50.00
49
-------
1 00
141
-------
59
</pre>

:* Step 7: Bring down the next pair of zeros (if necessary) and continue the process to find more decimal places. In this example, we will stop at one decimal place.

So, the square root of 50 is approximately 7.1 using the long division method. You can continue this process to find more decimal places if needed.
</div>
</div>

<div class="toccolours mw-collapsible mw-collapsed">
Finding the square root of 33 using the long division method:
<div class="mw-collapsible-content">
:* Step 1: Write the number 33 and separate the digits into pairs starting from the right. Since there are no decimal places, we only have one pair (33).
<pre>
33
</pre>
:* Step 2: Find the largest number whose square is less than or equal to the first pair (33). In this case, the largest number is 5, as 5 * 5 = 25, which is less than or equal to 33. Write 5 above the pair and write 25 below the pair.

<pre>

5
-------
| 33
25
-------
</pre>
:* Step 3: Subtract 25 from 33 and write the remainder below.

<pre>

5
-------
| 33
25
-------
8
</pre>
:* Step 4: Since there are no more digits to bring down, we can proceed to calculate the decimal places. Add a decimal point to the quotient (5), and add a pair of zeros to the remainder. Bring down the pair of zeros.

<pre>

5.
-------
| 33.00
25
-------
8 00
</pre>
:* Step 5: Double the quotient (5) and write it to the left of the remainder. Treat this doubled value as a single entity (in this case, 10). Find a digit (x) that, when combined with the doubled value (10), creates a number (10x) that can be multiplied by x to get a product less than or equal to the remainder (800). In this case, x = 7, as 107 * 7 = 749, which is less than or equal to 800. Write the 7 in the quotient after the decimal point and write 749 below the 800.

<pre>

5.7
-------
| 33.00
25
-------
8 00
749
-------
</pre>
:* Step 6: Subtract 749 from 800 and write the remainder below.

<pre>

5.7
-------
| 33.00
25
-------
8 00
749
-------
51
</pre>
:* Step 7: Bring down the next pair of zeros and continue the process to find more decimal places. In this example, we will find 2 more decimal places.

<pre>

5.7
-------
| 33.00
25
-------
8 00
749
-------
51 00
</pre>
:* Step 8: Double the quotient without the decimal (57) and write it to the left of the remainder. Treat this doubled value as a single entity (in this case, 114). Find a digit (x) that, when combined with the doubled value (114), creates a number (114x) that can be multiplied by x to get a product less than or equal to the remainder (5100). In this case, x = 4, as 1144 * 4 = 4576, which is less than or equal to 5100. Write the 4 in the quotient after the 7 and write 4576 below the 5100.

<pre>

5.74
-------
| 33.00
25
-------
8 00
749
-------
51 00
4576
-------
</pre>
:* 9: Subtract 4576 from 5100 and write the remainder below.

<pre>

5.74
-------
| 33.00
25
-------
8 00
749
-------
51 00
4576
-------
524
</pre>
:* Step 10: Bring down the next pair of zeros and continue the process to find more decimal places. In this example, we will find 1 more decimal place.

<pre>

5.74
-------
| 33.00
25
-------
8 00
749
-------
51 00
4576
-------
524 00
</pre>
:* Step 11: Double the quotient without the decimal (574) and write it to the left of the remainder. Treat this doubled value as a single entity (in this case, 1148). Find a digit (x) that, when combined with the doubled value (1148), creates a number (1148x) that can be multiplied by x to get a product less than or equal to the remainder (52400). In this case, x = 4, as 11484 * 4 = 45936, which is less than or equal to 52400. Write the 4 in the quotient after the second 4 and write 45936 below the 52400.

<pre>

5.744
-------
| 33.00
25
-------
8 00
749
-------
51 00
4576
-------
524 00
45936
-------
</pre>
:* Step 12: Subtract 45936 from 52400 and write the remainder below.
<pre>

5.744
-------
| 33.00
25
-------
8 00
749
-------
51 00
4576
-------
524 00
45936
-------
6464
</pre>
Now we have calculated the square root of 33 with three decimal places (5.744).

</div>
</div>

MAN Ubuntu 22.04 ssh

2023-05-16T11:39:20Z

Noob: Created page with " {{:LICENCE_HEADER_BSD3}} The following content is pulled in from the '''man ssh''' in ubuntu 22.04, we believe it is under the BSD-3 License, if we are wrong, please correct us. ==SSH(1)== BSD General Commands Manual SSH(1) ===NAME=== : ssh — OpenSSH remote login client ===SYNOPSIS=== : '''ssh''' [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address] [-c cipher_spec]..."

{{:LICENCE_HEADER_BSD3}}

The following content is pulled in from the '''man ssh''' in ubuntu 22.04, we believe it is under the BSD-3 License, if we are wrong, please correct us.

==SSH(1)==
BSD General Commands Manual SSH(1)

===NAME===
: ssh — OpenSSH remote login client

===SYNOPSIS===
: '''ssh''' [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
[-J destination] [-L address] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
destination [command [argument ...]]

===DESCRIPTION===
: ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections, arbitrary TCP ports and UNIX-domain sockets can also be forwarded over the secure channel.

: ssh connects and logs into the specified destination, which may be specified as either [user@]hostname or a URI of the form ssh://[user@]hostname[:port]. The user must prove their identity to the remote machine using one of several methods (see below).

: If a command is specified, it will be executed on the remote host instead of a login shell. A complete command line may be specified as command, or it may have additional arguments. If supplied, the arguments will be appended to the command, separated by spaces, before it is sent to the server to be executed.

===Options===

The options are as follows:

: '''-4''' Forces ssh to use IPv4 addresses only.

: '''-6''' Forces ssh to use IPv6 addresses only.

: '''-A''' Enables forwarding of connections from an authentication agent such as ssh-agent(1). This can also be specified on a per-host basis in a configuration file.

: Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent. A safer alternative may be to use a jump host (see -J).

: '''-a''' Disables forwarding of the authentication agent connection.

: '''-B bind_interface'''
: Bind to the address of bind_interface before attempting to connect to the destination host. This is only useful on systems with more than one address.

: '''-b bind_address'''
: Use bind_address on the local machine as the source address of the connection. Only useful on systems with more than one address.

: '''-C''' Requests compression of all data (including stdin, stdout, stderr, and data for forwarded X11, TCP and UNIX-domain connections). The compression algorithm is the same used by gzip(1).
: Compression is desirable on modem lines and other slow connections, but will only slow down things on fast networks. The default value can be set on a host-by-host basis in the configuration files; see the Compression option.

: '''-c cipher_spec'''
: Selects the cipher specification for encrypting the session. cipher_spec is a comma-separated list of ciphers listed in order of preference. See the Ciphers keyword in ssh_config(5)for more information.

: '''-D [bind_address:]port'''
: Specifies a local “dynamic” application-level port forwarding. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address.
: Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.

: IPv6 addresses can be specified by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.

: '''-E log_file'''
: Append debug logs to log_file instead of standard error.

: '''-e escape_char'''
: Sets the escape character for sessions with a pty (default: ‘~’). The escape character is only recognized at the beginning of a line. The escape character followed by a dot (‘.’) closes the connection; followed by control-Z suspends the connection; and followed by itself sends the escape character once. Setting the character to “none” disables any escapes and makes the session fully transparent.

: '''-F configfile'''
: Specifies an alternative per-user configuration file. If a configuration file is given on the command line, the system-wide configuration file (/etc/ssh/ssh_config) will be ignored.
: The default for the per-user configuration file is '''~/.ssh/config'''. If set to “none”, no configuration files will be read.

: '''-f''' Requests ssh to go to background just before command execution. This is useful if ssh is going to ask for passwords or passphrases, but the user wants it in the background. This implies '''-n'''. The recommended way to start X11 programs at a remote site is with something like '''ssh -f host xterm'''.

: If the ExitOnForwardFailure configuration option is set to “yes”, then a client started with -f will wait for all remote port forwards to be successfully established before placing it self in the background. Refer to the description of forkAfterAuthentication in ssh_config(5) for details.

: '''-G''' Causes ssh to print its configuration after evaluating Host and Match blocks and exit.

: '''-g''' Allows remote hosts to connect to local forwarded ports. If used on a multiplexed connection, then this option must be specified on the master process.

: '''-I pkcs11'''
: Specify the PKCS#11 shared library ssh should use to communicate with a PKCS#11 token providing keys for user authentication.

: '''-i identity_file'''
: Selects a file from which the identity (private key) for public key authentication is read. You can also specify a public key file to use the corresponding private key that is loaded in ssh-agent(1) when the private key file is not present locally. The default is ~/.ssh/id_rsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, ~/.ssh/id_ed25519_sk and ~/.ssh/id_dsa. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in configuration files). If no certificates have been explicitly specified by the CertificateFile directive, ssh will also try to load certificate information from the filename obtained by appending -cert.pub to identity filenames.

: '''-J destination'''
: Connect to the target host by first making a ssh connection to the jump host described by destination and then establishing a TCP forwarding to the ultimate destination from there.
: Multiple jump hops may be specified separated by comma characters. This is a shortcut to specify a ProxyJump configuration directive. Note that configuration directives supplied on the command-line generally apply to the destination host and not any specified jump hosts. Use ~/.ssh/config to specify configuration for jump hosts.

: '''-K''' Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI credentials to the server.

: '''-k''' Disables forwarding (delegation) of GSSAPI credentials to the server.

: '''-L [bind_address:]port:host:hostport'''
: '''-L [bind_address:]port:remote_socket'''
: '''-L local_socket:host:hostport'''
: '''-L local_socket:remote_socket'''
: Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be forwarded to the given host and port, or Unix socket, on the remote side. This works by allocating a socket to listen to either a TCP port on the local side, optionally bound to the specified bind_address, or to a Unix socket. Whenever a connection is made to the local port or socket, the connection is forwarded over the secure channel, and a connection is made to either host port hostport, or the Unix socket remote_socket, from the remote machine.

: Port forwardings can also be specified in the configuration file. Only the superuser can forward privileged ports. IPv6 addresses can be specified by enclosing the address in square brackets.

: By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.

: '''-l login_name'''
: Specifies the user to log in as on the remote machine. This also may be specified on a per-host basis in the configuration file.

: '''-M''' Places the ssh client into “master” mode for connection sharing. Multiple -M options places ssh into “master” mode but with confirmation required using ssh-askpass(1) before each operation that changes the multiplexing state (e.g. opening a new session). Refer to the description of ControlMaster in ssh_config(5) for details.

: '''-m mac_spec'''
: A comma-separated list of MAC (message authentication code) algorithms, specified in order of preference. See the MACs keyword for more information.

: '''-N''' Do not execute a remote command. This is useful for just forwarding ports. Refer to the description of SessionType in ssh_config(5) for details.

: '''-n''' Redirects stdin from /dev/null (actually, prevents reading from stdin). This must be used when ssh is run in the background. A common trick is to use this to run X11 programs on a remote machine. For example, ssh -n shadows.cs.hut.fi emacs & will start an emacs on shadows.cs.hut.fi, and the X11 connection will be automatically forwarded over an encrypted channel. The ssh program will be put in the background. (This does not work if ssh needs to ask for a password or passphrase; see also the -f option.) Refer to the description of StdinNull in ssh_config(5) for details.

: '''-O ctl_cmd'''
: Control an active connection multiplexing master process. When the -O option is specified, the ctl_cmd argument is interpreted and passed to the master process. Valid commands are:
:* “check” (check that the master process is running)
:* “forward” (request forwardings without command execution)
:* “cancel” (cancel forwardings), “exit” (request the master to exit)
:* “stop” (request the master to stop accepting further multiplexing requests).

: '''-o option'''
: Can be used to give options in the format used in the configuration file. This is useful for specifying options for which there is no separate command-line flag. For full details of the options listed below, and their possible values, see ssh_config(5).
<pre>
AddKeysToAgent
AddressFamily
BatchMode
BindAddress
CanonicalDomains
CanonicalizeFallbackLocal
CanonicalizeHostname
CanonicalizeMaxDots
CanonicalizePermittedCNAMEs
CASignatureAlgorithms
CertificateFile
CheckHostIP
Ciphers
ClearAllForwardings
Compression
ConnectionAttempts
ConnectTimeout
ControlMaster
ControlPath
ControlPersist
DynamicForward
EscapeChar
ExitOnForwardFailure
FingerprintHash
ForkAfterAuthentication
ForwardAgent
ForwardX11
ForwardX11Timeout
ForwardX11Trusted
GatewayPorts
GlobalKnownHostsFile
GSSAPIAuthentication
GSSAPIKeyExchange
GSSAPIClientIdentity
GSSAPIDelegateCredentials
GSSAPIKexAlgorithms
GSSAPIRenewalForcesRekey
GSSAPIServerIdentity
GSSAPITrustDns
HashKnownHosts
Host
HostbasedAcceptedAlgorithms
HostbasedAuthentication
HostKeyAlgorithms
HostKeyAlias
Hostname
IdentitiesOnly
IdentityAgent
IdentityFile
IPQoS
KbdInteractiveAuthentication
KbdInteractiveDevices
KexAlgorithms
KnownHostsCommand
LocalCommand
LocalForward
LogLevel
MACs
Match
NoHostAuthenticationForLocalhost
NumberOfPasswordPrompts
PasswordAuthentication
PermitLocalCommand
PermitRemoteOpen
PKCS11Provider
Port
PreferredAuthentications
ProxyCommand
ProxyJump
ProxyUseFdpass
PubkeyAcceptedAlgorithms
PubkeyAuthentication
RekeyLimit
RemoteCommand
RemoteForward
RequestTTY
SendEnv
ServerAliveInterval
ServerAliveCountMax
SessionType
SetEnv
StdinNull
StreamLocalBindMask
StreamLocalBindUnlink
StrictHostKeyChecking
TCPKeepAlive
Tunnel
TunnelDevice
UpdateHostKeys
User
UserKnownHostsFile
VerifyHostKeyDNS
VisualHostKey
XAuthLocation
</pre>
: '''-p port'''
: Port to connect to on the remote host. This can be specified on a per-host basis in the configuration file.

: '''-Q query_option'''
: Queries for the algorithms supported by one of the following features: cipher (supported symmetric ciphers), cipher-auth (supported symmetric ciphers that support authenticated encryption), help (supported query terms for use with the -Q flag), mac (supported message integrity codes), kex (key exchange algorithms), kex-gss (GSSAPI key exchange algorithms), key (key types), key-cert (certificate key types), key-plain (non-certificate key types), key-sig (all key types and signature algorithms), protocol-version (supported SSH protocol versions), and sig (supported signature algorithms). Alternatively, any keyword from ssh_config(5) or sshd_config(5) that takes an algorithm list may be used as an alias for the corresponding query_option.

: '''-q''' Quiet mode. Causes most warning and diagnostic messages to be suppressed.

: '''-R [bind_address:]port:host:hostport'''
: '''-R [bind_address:]port:local_socket'''
: '''-R remote_socket:host:hostport'''
: '''-R remote_socket:local_socket'''
: '''-R [bind_address:]port'''
: Specifies that connections to the given TCP port or Unix socket on the remote (server) host are to be forwarded to the local side.

: This works by allocating a socket to listen to either a TCP port or to a Unix socket on the remote side. Whenever a connection is made to this port or Unix socket, the connection is forwarded over the secure channel, and a connection is made from the local machine to either an explicit destination specified by host port hostport, or local_socket, or, if no explicit destination was specified, ssh will act as a SOCKS 4/5 proxy and forward connections to the destinations requested by the remote SOCKS client.

: Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. IPv6 addresses can be specified by enclosing the address in square brackets.

: By default, TCP listening sockets on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).

: If the port argument is ‘0’, the listen port will be dynamically allocated on the server and reported to the client at run time. When used together with -O forward the allocated port will be printed to the standard output.

: '''-S ctl_path'''
: Specifies the location of a control socket for connection sharing, or the string “none” to disable connection sharing. Refer to the description of ControlPath and ControlMaster in ssh_config(5) for details.

: '''-s''' May be used to request invocation of a subsystem on the remote system. Subsystems facilitate the use of SSH as a secure transport for other applications (e.g. sftp(1)). The subsystem is specified as the remote command. Refer to the description of SessionType in ssh_config(5) for details.

: '''-T''' Disable pseudo-terminal allocation.

: '''-t''' Force pseudo-terminal allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services.
: Multiple '''-t''' options force tty allocation, even if ssh has no local tty.

: '''-V''' Display the version number and exit.

: '''-v''' Verbose mode. Causes ssh to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems. Multiple -v options increase the verbosity. The maximum is 3.

: '''-W host:port'''
: Requests that standard input and output on the client be forwarded to host on port over the secure channel. Implies -N, -T, ExitOnForwardFailure and ClearAllForwardings, though these can be overridden in the configuration file or using -o command line options.

: '''-w local_tun[:remote_tun]'''
: Requests tunnel device forwarding with the specified tun(4) devices between the client (local_tun) and the server (remote_tun).

: The devices may be specified by numerical ID or the keyword “any”, which uses the next available tunnel device. If remote_tun is not specified, it defaults to “any”. See also the Tunnel and TunnelDevice directives in ssh_config(5).

: If the Tunnel directive is unset, it will be set to the default tunnel mode, which is “point-to-point”. If a different Tunnel forwarding mode it desired, then it should be specified before -w.

: '''-X''' Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file.

: X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring.

: For this reason, X11 forwarding is subjected to X11 SECURITY extension restrictions by default. Refer to the ssh -Y option and the ForwardX11Trusted directive in ssh_config(5) for more information.

: (Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension restrictions by default, because too many programs currently crash in this mode. Set the ForwardX11Trusted option to “no” to restore the upstream behaviour. This may change in future depending on client-side improvements.)

: '''-x''' Disables X11 forwarding.

: '''-Y''' Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls.

: (Debian-specific: In the default configuration, this option is equivalent to -X, since ForwardX11Trusted defaults to “yes” as described above. Set the ForwardX11Trusted option to “no” to restore the upstream behaviour. This may change in future depending on client-side improvements.)

: '''-y''' Send log information using the syslog(3) system module. By default this information is sent to stderr.

: ssh may additionally obtain configuration data from a per-user configuration file and a system-wide configuration file. The file format and configuration options are described in ssh_config(5).

===AUTHENTICATION===
: The OpenSSH SSH client supports SSH protocol 2.

: The methods available for authentication are: '''GSSAPI-based''' authentication, '''host-based''' authentication, '''public key''' authentication, '''keyboard-interactive''' authentication, and '''password''' authentication. Authentication methods are tried in the order specified above, though PreferredAuthentications can be used to change the default order.

: '''Host-based authentication''' works as follows: If the machine the user logs in from is listed in '''/etc/hosts.equiv''' or '''/etc/ssh/shosts.equiv''' on the remote machine, the user is non-root and the user names are the same on both sides, or if the files '''~/.rhosts''' or '''~/.shosts '''exist in the user's home directory on the remote machine and contain a line containing the name of the client machine and the name of the user on that machine, the user is considered for login. Additionally, the server must be able to verify the client's host key (see the description of '''/etc/ssh/ssh_known_hosts''' and '''~/.ssh/known_hosts''', below) for login to be permitted. This authentication method closes security holes due to IP spoofing, DNS spoofing, and routing spoofing.
: [Note to the administrator: '''/etc/hosts.equiv''', '''~/.rhosts''', and the '''rlogin/rsh''' protocol in general, are inherently insecure and should be disabled if security is desired.]

: '''Public key authentication''' works as follows: The scheme is based on public-key cryptography, using cryptosystems where encryption and decryption are done using separate keys, and it is unfeasible to derive the decryption key from the encryption key. The idea is that each user creates a '''public/private key pair''' for authentication purposes. The server knows the public key, and only the user knows the private key. ssh implements public key authentication protocol automatically, using one of the '''DSA''', '''ECDSA''', '''Ed25519''' or '''RSA''' algorithms. The HISTORY section of ssl(8) (on non-OpenBSD systems, see http://www.openbsd.org/cgi-bin/man.cgi?query=ssl&sektion=8#HISTORY) contains a brief discussion of the '''DSA''' and '''RSA''' algorithms.

: The file '''~/.ssh/authorized_keys''' lists the public keys that are permitted for logging in. When the user logs in, the ssh program tells the server which key pair it would like to use for authentication. The client proves that it has access to the private key and the server checks that the corresponding public key is authorized to accept the account.

: The server may inform the client of errors that prevented public key authentication from succeeding after authentication completes using a different method. These may be viewed by increasing the LogLevel to DEBUG or higher (e.g. by using the -v flag).

: The user creates their key pair by running ssh-keygen(1). This stores the private key in '''~/.ssh/id_dsa''' (DSA), '''~/.ssh/id_ecdsa''' (ECDSA), '''~/.ssh/id_ecdsa_sk''' (authenticator-hosted ECDSA), '''~/.ssh/id_ed25519''' (Ed25519), '''~/.ssh/id_ed25519_sk''' (authenticator-hosted Ed25519), or '''~/.ssh/id_rsa''' (RSA) and stores the public key in '''~/.ssh/id_dsa.pub''' (DSA), '''~/.ssh/id_ecdsa.pub''' (ECDSA), '''~/.ssh/id_ecdsa_sk.pub''' (authenticator-hosted ECDSA), '''~/.ssh/id_ed25519.pub''' (Ed25519), '''~/.ssh/id_ed25519_sk.pub''' (authenticator-hosted Ed25519), or '''~/.ssh/id_rsa.pub''' (RSA) in the user's home directory. The user should then copy the public key to '''~/.ssh/authorized_keys''' in their home directory on the remote machine. The authorized_keys file corresponds to the conventional '''~/.rhosts''' file, and has one key per line, though the lines can be very long. After this, the user can log in without giving the password.

: A variation on public key authentication is available in the form of certificate authentication: instead of a set of public/private keys, signed certificates are used. This has the advantage that a single trusted certification authority can be used in place of many public/private keys. See the CERTIFICATES section of ssh-keygen(1) for more information.

: The most convenient way to use public key or certificate authentication may be with an authentication agent. See ssh-agent(1) and (optionally) the AddKeysToAgent directive in ssh_config(5) for more information.

: '''Keyboard-interactive authentication''' works as follows: The server sends an arbitrary "challenge" text and prompts for a response, possibly multiple times. Examples of keyboard-interactive authentication include BSD Authentication (see login.conf(5)) and PAM (some non-OpenBSD systems).

: Finally, if other authentication methods fail, ssh prompts the user for a password. The password is sent to the remote host for checking; however, since all communications are encrypted, the password cannot be seen by someone listening on the network.

: ssh automatically maintains and checks a database containing identification for all hosts it has ever been used with. Host keys are stored in ~/.ssh/known_hosts in the user's home directory.
: Additionally, the file '''/etc/ssh/ssh_known_hosts''' is automatically checked for known hosts. Any new hosts are automatically added to the user's file. If a host's identification ever changes, ssh warns about this and disables password authentication to prevent server spoofing or man-in-the-middle attacks, which could otherwise be used to circumvent the encryption. The '''StrictHostKeyChecking''' option can be used to control logins to machines whose host key is not known or has changed.

: When the user's identity has been accepted by the server, the server either executes the given command in a non-interactive session or, if no command has been specified, logs into the machine and gives the user a normal shell as an interactive session. All communication with the remote command or shell will be automatically encrypted.

: If an interactive session is requested ssh by default will only request a pseudo-terminal (pty) for interactive sessions when the client has one. The flags '''-T''' and '''-t''' can be used to override this behaviour.

: If a pseudo-terminal has been allocated the user may use the escape characters noted below.

: If no pseudo-terminal has been allocated, the session is transparent and can be used to reliably transfer binary data. On most systems, setting the escape character to “none” will also make the session transparent even if a tty is used.

: The session terminates when the command or shell on the remote machine exits and all X11 and TCP connections have been closed.

===ESCAPE CHARACTERS===
: When a pseudo-terminal has been requested, ssh supports a number of functions through the use of an escape character.

: A single tilde character can be sent as ~~ or by following the tilde by a character other than those described below. The escape character must always follow a newline to be interpreted as special. The escape character can be changed in configuration files using the EscapeChar configuration directive or on the command line by the -e option.

: The supported escapes (assuming the default ‘~’) are:

: '''~.''' Disconnect.

: '''~^Z''' Background ssh.

: '''~#''' List forwarded connections.

: '''~&''' Background ssh at logout when waiting for forwarded connection / X11 sessions to terminate.

: '''~?''' Display a list of escape characters.

: '''~B''' Send a BREAK to the remote system (only useful if the peer supports it).

: '''~C''' Open command line. Currently this allows the addition of port forwardings using the -L, -R and -D options (see above). It also allows the cancellation of existing port-forwardings with -KL[bind_address:]port for local, -KR[bind_address:]port for remote and -KD[bind_address:]port for dynamic port-forwardings. !command allows the user to execute a local command if the '''PermitLocalCommand''' option is enabled in ssh_config(5). Basic help is available, using the -h option.

: '''~R''' Request rekeying of the connection (only useful if the peer supports it).

: '''~V''' Decrease the verbosity (LogLevel) when errors are being written to stderr.

: '''~v''' Increase the verbosity (LogLevel) when errors are being written to stderr.

===TCP FORWARDING===
: Forwarding of arbitrary TCP connections over a secure channel can be specified either on the command line or in a configuration file. One possible application of TCP forwarding is a secure connection to a mail server; another is going through firewalls.

: In the example below, we look at encrypting communication for an IRC client, even though the IRC server it connects to does not directly support encrypted communication. This works as follows: the user connects to the remote host using ssh, specifying the ports to be used to forward the connection. After that it is possible to start the program locally, and ssh will encrypt and forward the connection to the remote server.

: The following example tunnels an IRC session from the client to an IRC server at “server.example.com”, joining channel “#users”, nickname “pinky”, using the standard IRC port, 6667:

<code>ssh -f -L 6667:localhost:6667 server.example.com sleep 10</code>

<code>irc -c '#users' pinky IRC/127.0.0.1</code>

: The -f option backgrounds ssh and the remote command “sleep 10” is specified to allow an amount of time (10 seconds, in the example) to start the program which is going to use the tunnel. If no connections are made within the time specified, ssh will exit.

===X11 FORWARDING===
: If the ForwardX11 variable is set to “yes” (or see the description of the -X, -x, and -Y options above) and the user is using X11 (the DISPLAY environment variable is set), the connection to the X11 display is automatically forwarded to the remote side in such a way that any X11 programs started from the shell (or command) will go through the encrypted channel, and the connection to the real X server will be made from the local machine. The user should not manually set DISPLAY. Forwarding of X11 connections can be configured on the command line or in configuration files.

: The DISPLAY value set by ssh will point to the server machine, but with a display number greater than zero. This is normal, and happens because ssh creates a “proxy” X server on the server machine for forwarding the connections over the encrypted channel.

: ssh will also automatically set up '''Xauthority''' data on the server machine. For this purpose, it will generate a random authorization cookie, store it in Xauthority on the server, and verify that any forwarded connections carry this cookie and replace it by the real cookie when the connection is opened. The real authentication cookie is never sent to the server machine (and no cookies are sent in the plain).

: If the '''ForwardAgent''' variable is set to “yes” (or see the description of the -A and -a options above) and the user is using an authentication agent, the connection to the agent is automatically forwarded to the remote side.

===VERIFYING HOST KEYS===
: When connecting to a server for the first time, a fingerprint of the server's public key is presented to the user (unless the option '''StrictHostKeyChecking''' has been disabled). Fingerprints can be determined using ssh-keygen(1):

<code>ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key</code>

: If the fingerprint is already known, it can be matched and the key can be accepted or rejected. If only legacy (MD5) fingerprints for the server are available, the ssh-keygen(1) -E option may be used to downgrade the fingerprint algorithm to match.

: Because of the difficulty of comparing host keys just by looking at fingerprint strings, there is also support to compare host keys visually, using random art. By setting the '''VisualHostKey''' option to “yes”, a small ASCII graphic gets displayed on every login to a server, no matter if the session itself is interactive or not. By learning the pattern a known server produces, a user can easily find out that the host key has changed when a completely different pattern is displayed. Because these patterns are not unambiguous however, a pattern that looks similar to the pattern remembered only gives a good probability that the host key is the same, not guaranteed proof.

: To get a listing of the fingerprints along with their random art for all known hosts, the following command line can be used:

<code>ssh-keygen -lv -f ~/.ssh/known_hosts</code>

: If the fingerprint is unknown, an alternative method of verification is available: SSH fingerprints verified by DNS. An additional resource record (RR), SSHFP, is added to a zonefile and the connecting client is able to match the fingerprint with that of the key presented.

: In this example, we are connecting a client to a server, “host.example.com”. The SSHFP resource records should first be added to the zonefile for host.example.com:

<code>ssh-keygen -r host.example.com</code>

: The output lines will have to be added to the zonefile. To check that the zone is answering fingerprint queries:

<code>dig -t SSHFP host.example.com</code>

: Finally the client connects:
<pre>
$ ssh -o "VerifyHostKeyDNS ask" host.example.com
[...]
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
</pre>

: See the VerifyHostKeyDNS option in ssh_config(5) for more information.

===SSH-BASED VIRTUAL PRIVATE NETWORKS===
: ssh contains support for Virtual Private Network (VPN) tunnelling using the tun(4) network pseudo-device, allowing two networks to be joined securely. The sshd_config(5) configuration option '''PermitTunnel''' controls whether the server supports this, and at what level (layer 2 or 3 traffic).

: The following example would connect client network 10.0.50.0/24 with remote network 10.0.99.0/24 using a point-to-point connection from 10.1.1.1 to 10.1.1.2, provided that the SSH server running on the gateway to the remote network, at 192.168.1.15, allows it.

: On the client:

<code>ssh -f -w 0:1 192.168.1.15 true</code>

<code>ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252</code>

<code>route add 10.0.99.0/24 10.1.1.2</code>

: On the server:

<code>ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252</code>

<code>route add 10.0.50.0/24 10.1.1.1</code>

: Client access may be more finely tuned via the /root/.ssh/authorized_keys file (see below) and the PermitRootLogin server option. The following entry would permit connections on tun(4) device 1 from user “jane” and on tun device 2 from user “john”, if '''PermitRootLogin''' is set to “forced-commands-only”:

<pre>
tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
</pre>

: Since an SSH-based setup entails a fair amount of overhead, it may be more suited to temporary setups, such as for wireless VPNs. More permanent VPNs are better provided by tools such as ipsecctl(8) and isakmpd(8).

===ENVIRONMENT===
: ssh will normally set the following environment variables:

: '''DISPLAY''' The DISPLAY variable indicates the location of the X11 server. It is automatically set by ssh to point to a value of the form “hostname:n”, where “hostname” indicates the host where the shell runs, and ‘n’ is an integer ≥ 1. ssh uses this special value to forward X11 connections over the secure channel. The user should normally not set DISPLAY explicitly, as that will render the X11 connection insecure (and will require the user to manually copy any required authorization cookies).

: '''HOME''' Set to the path of the user's home directory.

: '''LOGNAME''' Synonym for USER; set for compatibility with systems that use this variable.

: '''MAIL''' Set to the path of the user's mailbox.

: '''PATH''' Set to the default PATH, as specified when compiling ssh.

: '''SSH_ASKPASS''' If ssh needs a passphrase, it will read the passphrase from the current terminal if it was run from a terminal. If ssh does not have a terminal associated with it but DISPLAY and SSH_ASKPASS are set, it will execute the program specified by SSH_ASKPASS and open an X11 window to read the passphrase. This is particularly useful when calling ssh from a .xsession or related script. (Note that on some machines it may be necessary to redirect the input from /dev/null to make this work.)

: '''SSH_ASKPASS_REQUIRE''' Allows further control over the use of an askpass program. If this variable is set to “never” then ssh will never attempt to use one. If it is set to “prefer”, then ssh will prefer to use the askpass program instead of the TTY when requesting passwords. Finally, if the variable is set to “force”, then the askpass program will be used for all passphrase input regardless of whether DISPLAY is set.

: '''SSH_AUTH_SOCK''' Identifies the path of a UNIX-domain socket used to communicate with the agent.

: '''SSH_CONNECTION''' Identifies the client and server ends of the connection. The variable contains four space-separated values: client IP address, client port number, server IP address, and server port number.

: '''SSH_ORIGINAL_COMMAND''' This variable contains the original command line if a forced command is executed. It can be used to extract the original arguments.

: '''SSH_TTY''' This is set to the name of the tty (path to the device) associated with the current shell or command. If the current session has no tty, this variable is not set.

: '''SSH_TUNNEL''' Optionally set by sshd(8) to contain the interface names assigned if tunnel forwarding was requested by the client.

: '''SSH_USER_AUTH''' Optionally set by sshd(8), this variable may contain a pathname to a file that lists the authentication methods successfully used when the session was established, including any public keys that were used.

: '''TZ''' This variable is set to indicate the present time zone if it was set when the daemon was started (i.e. the daemon passes the value on to new connections).

: '''USER''' Set to the name of the user logging in.

: Additionally, ssh reads '''~/.ssh/environment''', and adds lines of the format “VARNAME=value” to the environment if the file exists and users are allowed to change their environment. For more information, see the '''PermitUserEnvironment''' option in sshd_config(5).

===FILES===
: '''~/.rhosts'''
: This file is used for host-based authentication (see above). On some machines this file may need to be world-readable if the user's home directory is on an NFS partition, because sshd(8) reads it as root. Additionally, this file must be owned by the user, and must not have write permissions for anyone else. The recommended permission for most machines is read/write for the user, and not accessible by others.

: '''~/.shosts'''
: This file is used in exactly the same way as .rhosts, but allows host-based authentication without permitting login with rlogin/rsh.

: '''~/.ssh/'''
: This directory is the default location for all user-specific configuration and authentication information. There is no general requirement to keep the entire contents of this directory secret, but the recommended permissions are read/write/execute for the user, and not accessible by others.

: '''~/.ssh/authorized_keys'''
: Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used for logging in as this user. The format of this file is described in the sshd(8) manual page. This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.

: '''~/.ssh/config'''
: This is the per-user configuration file. The file format and configuration options are described in ssh_config(5). Because of the potential for abuse, this file must have strict permissions: read/write for the user, and not writable by others. It may be group-writable provided that the group in question contains only the user.

: '''~/.ssh/environment'''
: Contains additional definitions for environment variables; see ENVIRONMENT, above.

: '''~/.ssh/id_dsa'''
: '''~/.ssh/id_ecdsa'''
: '''~/.ssh/id_ecdsa_sk'''
: '''~/.ssh/id_ed25519'''
: '''~/.ssh/id_ed25519_sk'''
: '''~/.ssh/id_rsa'''
: Contains the private key for authentication. These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute). ssh will simply ignore a private key file if it is accessible by others. It is possible to specify a passphrase when generating the key which will be used to encrypt the sensitive part of this file using AES-128.

: '''~/.ssh/id_dsa.pub'''
: '''~/.ssh/id_ecdsa.pub'''
: '''~/.ssh/id_ecdsa_sk.pub'''
: '''~/.ssh/id_ed25519.pub'''
: '''~/.ssh/id_ed25519_sk.pub'''
: '''~/.ssh/id_rsa.pub'''
: Contains the public key for authentication. These files are not sensitive and can (but need not) be readable by anyone.

: '''~/.ssh/known_hosts'''
: Contains a list of host keys for all hosts the user has logged into that are not already in the systemwide list of known host keys. See sshd(8) for further details of the format of this file.

: '''~/.ssh/rc'''
: Commands in this file are executed by ssh when the user logs in, just before the user's shell (or command) is started. See the sshd(8) manual page for more information.

: '''/etc/hosts.equiv'''
: This file is for host-based authentication (see above). It should only be writable by root.

: '''/etc/ssh/shosts.equiv'''
: This file is used in exactly the same way as hosts.equiv, but allows host-based authentication without permitting login with rlogin/rsh.

: '''/etc/ssh/ssh_config'''
: Systemwide configuration file. The file format and configuration options are described in ssh_config(5).

: '''/etc/ssh/ssh_host_key'''
: '''/etc/ssh/ssh_host_dsa_key'''
: '''/etc/ssh/ssh_host_ecdsa_key'''
: '''/etc/ssh/ssh_host_ed25519_key'''
: '''/etc/ssh/ssh_host_rsa_key'''
: These files contain the private parts of the host keys and are used for host-based authentication.

: '''/etc/ssh/ssh_known_hosts'''
: Systemwide list of known host keys. This file should be prepared by the system administrator to contain the public host keys of all machines in the organization. It should be world-readable. See sshd(8) for further details of the format of this file.

: '''/etc/ssh/sshrc'''
: Commands in this file are executed by ssh when the user logs in, just before the user's shell (or command) is started. See the sshd(8) manual page for more information.

===EXIT STATUS===
: ssh exits with the exit status of the remote command or with 255 if an error occurred.

===SEE ALSO===
: scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-argv0(1), ssh-keygen(1), ssh-keyscan(1), tun(4), ssh_config(5), ssh-keysign(8), sshd(8)

===STANDARDS===
* S. Lehtinen and C. Lonvick, The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4250, January 2006.

* T. Ylonen and C. Lonvick, The Secure Shell (SSH) Protocol Architecture, RFC 4251, January 2006.

* T. Ylonen and C. Lonvick, The Secure Shell (SSH) Authentication Protocol, RFC 4252, January 2006.

* T. Ylonen and C. Lonvick, The Secure Shell (SSH) Transport Layer Protocol, RFC 4253, January 2006.

* T. Ylonen and C. Lonvick, The Secure Shell (SSH) Connection Protocol, RFC 4254, January 2006.

* J. Schlyter and W. Griffin, Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, RFC 4255, January 2006.

* F. Cusack and M. Forssen, Generic Message Exchange Authentication for the Secure Shell Protocol (SSH), RFC 4256, January 2006.

* J. Galbraith and P. Remaker, The Secure Shell (SSH) Session Channel Break Extension, RFC 4335, January 2006.

* M. Bellare, T. Kohno, and C. Namprempre, The Secure Shell (SSH) Transport Layer Encryption Modes, RFC 4344, January 2006.

* B. Harris, Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol, RFC 4345, January 2006.

* M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006.

* J. Galbraith and R. Thayer, The Secure Shell (SSH) Public Key File Format, RFC 4716, November 2006.

* D. Stebila and J. Green, Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer, RFC 5656, December 2009.

* A. Perrig and D. Song, Hash Visualization: a New Technique to improve Real-World Security, 1999, International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99).

===AUTHORS===
: OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer features and created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0.

BSD February 6, 2022 BSD

Ubuntu 22.04 SSH Guide

2023-05-16T11:38:05Z

Noob: Created page with "==Understanding SSH== '''SSH''' is a protocol that uses encryption to secure data transmitted between a client and a server. <br> It enables users to execute commands, transfer files, and manage remote systems through an encrypted channel. <br> SSH is widely used by system administrators for managing servers, network devices, and other remote systems. ==Installing SSH== To start using SSH, you'll need to install and configure both the server and client components. *..."

==Understanding SSH==

'''SSH''' is a protocol that uses encryption to secure data transmitted between a client and a server. <br>
It enables users to execute commands, transfer files, and manage remote systems through an encrypted channel. <br>
SSH is widely used by system administrators for managing servers, network devices, and other remote systems.

==Installing SSH==

To start using SSH, you'll need to install and configure both the server and client components.

* OpenSSH-Server
** Is required to allow '''ssh''' connections
* OpenSSH-Client
** Is used to login/connect to OpenSSH-Server

If you are using Ubuntu Desktop, the '''openssh client''' will be preinstalled, allowing you to connect to a server which is running '''openssh-server'''

If you are using Ubuntu Server, both the '''ssh client''' and '''openssh server''' are preinstalled by default.

=== Installing OpenSSH Server===
On Ubuntu distributions, you can install the OpenSSH server by running:

<code>sudo apt install openssh-server</code><br>

Check the SSH server status with:

<code>systemctl status ssh</code>

===Installing OpenSSH Client===

The OpenSSH client is usually pre-installed on most Linux and macOS systems. <br>For Windows, you can install the OpenSSH client by following the instructions on the official website:<br> https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse

==Basic SSH Commands and Usage==
=== Connecting to a remote server===
Connecting to a remote server using SSH is a fundamental task when managing remote systems. Here's how to connect to a remote server using the command-line interface.

Install an SSH client: Ensure you have an SSH client installed on your local machine. Most Unix-based systems, including Linux and macOS, have an SSH client pre-installed. For Windows, you can use the built-in OpenSSH client (available in Windows 10 and later) or a third-party client like PuTTY.

====Gather connection information====
To connect to a remote server, you'll need the following information:
* The remote server's IP address or hostname
* The SSH port number (default is 22)
* Your username on the remote server
* The password for the user on remote server.

====Connect using SSH====
Open a terminal or command prompt on your local machine and use the following command to connect to the remote server:

<code>ssh username@hostname_or_IP</code>

Replace '''username''' with your username on the remote server, '''hostname_or_IP''' with the server's hostname or IP address.

If OpenSSH-Server is running/listening on a port other than the default port '''22''' include the port with the '''-p''' flag.

For example (If port 2222):

: <code>ssh john@example.com -p 2222</code>
Or
: <code>ssh -p 2222 john@example.com</code>

=====Connecting to a Remote Server =====

In this example, we connect to a remote Ubuntu VPS with the following credentials:
<pre>
Username: root
IP address: 12.34.56.78
Password: password2simple
</pre>
Use the following command to connect to the remote server:

<code>ssh root@12.34.56.78</code>

You will be prompted to enter the password. Type password2simple and press Enter. This demonstrates how simple it can be to log into a remote computer with root access.

* If your Server is hosting SSHD on a port other than default 'port 22' include port number with the '''-p''' flag
Example with port 2222:<br>
<code>ssh -p 2222 root@12.34.56.78</code>

====Authenticate====
When connecting for the first time, you'll see a prompt asking you to confirm the remote server's fingerprint. Verify the fingerprint and type "yes" to proceed. Next, you'll be prompted for your password. Enter your password to complete the authentication process.

Once authenticated, you'll have access to the remote server's command line. You can now execute commands and manage the remote server as if you were working on it directly.

Remember that you can use key-based authentication (with a private-public key pair) instead of a password for a more secure and convenient connection method.
== Using SSH config file==

An SSH config file allows you to define and manage multiple SSH connections, simplifying the process of connecting to remote servers. By creating an SSH config file, you can define custom options, such as port numbers, usernames, and key files, for each connection. The SSH config file is typically located in the '''~/.ssh''' directory and named config.

Here's how to create and use an SSH config file:

:* Create the SSH config file: If it doesn't exist, create the config file in the '''~/.ssh''' directory using a text editor:

<code>$EDITOR ~/.ssh/config</code>

:* Define a connection: To define a connection, you'll need to specify a Host entry followed by any options you want to apply to that connection. Here's an example:

<pre>
Host server1
HostName example.com
User your_username
Port 2222
IdentityFile ~/.ssh/id_rsa_server1
</pre>
In this example, we've defined a connection called server1 with the following options:

:* HostName: The hostname or IP address of the remote server (example.com in this case).
:* User: The username to use when connecting to the remote server (replace your_username with your actual username).
:* Port: The port number to use for the SSH connection (2222 in this example).
:* IdentityFile: The path to the private key file to use for authentication (replace ~/.ssh/id_rsa_server1 with the path to your private key file).

You can define multiple connections in the same config file by creating separate Host entries:

<pre>
Host server2
HostName 192.168.1.100
User another_username
Port 22
IdentityFile ~/.ssh/id_rsa_server2
</pre>
:* Save and exit the file: Save your changes and exit the text editor.

:* Connect using the SSH config file: To connect to a remote server using the defined connection, simply use the ssh command followed by the Host entry:

<code>ssh server1</code>

In this example, SSH will automatically use the options defined in the config file for server1, such as the hostname, username, port number, and identity file.

By using an SSH config file, you can simplify the process of managing multiple SSH connections and customize the options for each connection.

==Key-based Authentication==
=== Generating SSH key pairs===

SSH key pairs consist of a private key and a public key. They provide a secure, passwordless authentication method for connecting to remote servers. The private key remains on your local machine, while the public key is added to the remote server's authorized keys. Here's how to generate an SSH key pair:

Open a terminal: On Unix-based systems (Linux and macOS), open a terminal. On Windows, open PowerShell or the Command Prompt.

Generate the key pair: Use the ssh-keygen command to create a new SSH key pair. The following command generates a 4096-bit RSA key pair:

<code>ssh-keygen -t rsa -b 4096</code>

You can also generate other types of keys, such as Ed25519, by changing the -t option:

<code>ssh-keygen -t ed25519</code>

Specify the key's location: When prompted, you can either accept the default location (~/.ssh/id_rsa for RSA keys, ~/.ssh/id_ed25519 for Ed25519 keys) or enter a custom path. It is recommended to use the default location unless you have a specific reason to change it.

Set a passphrase (optional): You can choose to protect your private key with a passphrase. If you do, you'll need to enter the passphrase every time you use the key. This adds an extra layer of security, but can be less convenient for automation or scripting. To set a passphrase, enter it when prompted; otherwise, leave the field blank

====Selecting file name and path for keys====

<code>ssh-keygen -t rsa -b 4096 -f .ssh/nuc</code>

The '''-f''' option in the '''ssh-keygen''' command is used to specify the output file for the generated key pair. In your example, '''ssh-keygen -t rsa -b 4096 -f .ssh/nuc''', the command is generating an RSA key pair with a key length of 4096 bits, and the output files will be saved in the '''.ssh''' directory with the base name '''nuc'''.

Here's a breakdown of the options used in this command:

:* '''-t rsa''': Specifies the key type, in this case, RSA.
:* '''-b 4096''': Specifies the key length, which is 4096 bits in this case. This length offers good security and is generally recommended.
:* '''-f .ssh/nuc''': Specifies the file where the key pair will be saved. The private key will be saved as '''.ssh/nuc''', and the public key will be saved as '''.ssh/nuc.pub'''.

After running this command, you'll have a new key pair with the private key in '''.ssh/nuc''' and the public key in '''.ssh/nuc.pub'''

====Create keys with no passphase====

<code>ssh-keygen -t rsa -b 4096 -N "" -C "MYSERVER" -f ~/.ssh/serverkey</code>

:* '''-t rsa''': Specifies the key type, in this case, RSA.
:* '''-b 4096''': Specifies the key length, which is 4096 bits in this case. This length offers good security and is generally recommended.
:* '''-N ""''': Specifies an empty passphrase for the key pair. This means that the private key will not be encrypted, and no passphrase will be required when using it. This can be less secure, but more convenient for automated processes.
:* '''-C "MYSERVER"''': Adds a comment to the generated key pair. In this case, the comment is "MYSERVER". Comments are useful for identifying keys when you have multiple keys in your ~/.ssh directory or on a remote server.
:* '''-f ~/.ssh/serverkey''': Specifies the file where the key pair will be saved. The private key will be saved as '''~/.ssh/serverkey''', and the public key will be saved as '''~/.ssh/serverkey.pub'''.

After running this command, you'll have a new key pair with the private key in '''~/.ssh/serverkey''' and the public key in '''~/.ssh/serverkey.pub'''. The private key will have an empty passphrase and a comment "MYSERVER" for easier identification.

====Remove the passphrase from an existing SSH private key====

To remove the passphrase from an existing SSH private key, you can use the '''ssh-keygen''' command with the '''-p''' option, which is used for changing the passphrase. Follow these steps:

:* Make a backup of your private key file, just in case something goes wrong during the process. You can do this by running the following command, replacing '''<your_private_key>''' with the filename of your private key:

<code>cp <your_private_key> <your_private_key>.backup</code>

:* Run the '''ssh-keygen''' command with the '''-p''' option, specifying the private key file using the '''-f''' option:
::** '''-p''': Indicates that you want to change the passphrase of an existing private key.
::** '''-f <your_private_key>''': Specifies the private key file whose passphrase you want to change.

<code>ssh-keygen -p -f <your_private_key></code>

:* You will be prompted to enter the old passphrase for the private key. Type it in and press Enter.

:* Next, you'll be prompted to enter a new passphrase. Since you want to remove the passphrase, leave this field empty and press Enter.

:* You'll be asked to confirm the empty passphrase. Press Enter again to confirm.

Your private key now has its passphrase removed. Keep in mind that this makes the private key less secure, as anyone with access to the file can use it without needing to know the passphrase.

====Add/Change a passphrase to an existing SSH Key====

To add a passphrase to an existing SSH private key that doesn't have one, you can use the '''ssh-keygen''' command with the '''-p''' option, just like when you change or remove a passphrase. Here are the steps:

:* '''Make a backup of your private key file''', just in case something goes wrong during the process. You can do this by running the following command, replacing <your_private_key> with the filename of your private key:

<code>cp <your_private_key> <your_private_key>.backup</code>

:* Run the '''ssh-keygen''' command with the -p option, specifying the private key file using the '''-f''' option:

<code>ssh-keygen -p -f <your_private_key></code>

:* You will be prompted to enter the old passphrase for the private key. Since your private key doesn't currently have a passphrase, just press Enter to proceed.

:* Next, you'll be prompted to enter a new passphrase. Type in the passphrase you want to set for the private key and press Enter.

:* You'll be asked to confirm the new passphrase. Type it again and press Enter to confirm.

Your private key now has a passphrase added to it. This provides an extra layer of security, as anyone using the key will need to know the passphrase to access it. Keep in mind that you should use a strong passphrase to ensure better security.

=== Copying public keys to the remote server===
After generating an SSH key pair, you'll need to copy the public key to the remote server to enable key-based authentication. Here's how to do it:

====Using ssh-copy-id====

Use the '''ssh-copy-id''' command (Linux and macOS): On Unix-based systems, you can use the ssh-copy-id command to copy your public key to the remote server:

<code>ssh-copy-id -i ~/.ssh/id_rsa.pub username@hostname_or_IP</code>

Replace ~/.ssh/id_rsa.pub with the path to your public key file (e.g., ~/.ssh/id_ed25519.pub for Ed25519 keys), username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

====Manually copy the public key====

Manually copy the public key (Windows and alternative method): If you don't have access to the ssh-copy-id command or prefer to do it manually, you can:

:* Open your public key file (e.g., id_rsa.pub or id_ed25519.pub) with a text editor and copy its content.>
:* Log in to the remote server via SSH.<br>
:* Create the ~/.ssh directory if it doesn't exist:

<code>mkdir -p ~/.ssh</code>

Edit or create the ~/.ssh/authorized_keys file using a text editor (e.g., nano, vim, or emacs), and paste the content of your public key at the end of the file. Save and close the file.

Set the correct file permissions: To ensure the security of your SSH setup, it's essential to set the proper file permissions on your local machine and the remote server:

:* On your local machine:
:** Private key (id_rsa or id_ed25519): -rw------- (600)
:** Public key (id_rsa.pub or id_ed25519.pub): -rw-r--r-- (644)

:* On the remote server:
:** ~/.ssh directory: drwx------ (700)
:** ~/.ssh/authorized_keys file: -rw------- (600)

To set the permissions on your local machine, use the chmod command:

<pre>
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
</pre>
On the remote server, use the following commands:

<pre>
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
</pre>
Once you've copied your public key to the remote server and set the correct file permissions, you should be able to connect using key-based authentication without the need for a password.

=== Disabling password authentication (optional)===
Disabling password authentication enhances the security of your SSH server by requiring key-based authentication for all connections. You can disable password authentication for specific users or for all users. To do so, follow these steps:

:* Connect to the remote server: Log in to the remote server via SSH using your username and the server's hostname or IP address.

:* Edit the SSH configuration file: Open the SSH server configuration file (usually located at /etc/ssh/sshd_config) with a text editor such as nano, vim, or emacs:

<code>sudo nano /etc/ssh/sshd_config</code>

:* Disabling password authentication for all users: Find the line containing "PasswordAuthentication" and set its value to "no":

<code>PasswordAuthentication no</code>

If the line is commented out (i.e., it starts with a '#'), remove the '#' symbol.

:* Disabling password authentication for a specific user: To disable password authentication only for a particular user, you can use a "Match User" block at the end of the sshd_config file:
<pre>
Match User username
PasswordAuthentication no
</pre>
Replace username with the actual username for which you want to disable password authentication.

:* Save and exit the file: Save your changes and exit the text editor.

:* Restart the SSH server: Apply the changes by restarting the SSH server:

<code>sudo systemctl restart ssh</code>

Now, password authentication will be disabled for the specified user(s), and only key-based authentication will be allowed. Remember that if you disable password authentication, you must have a working SSH key pair set up to access the server, or you may be locked out.

== Configuring the SSH server==

Edit the SSH server configuration file located at <b>/etc/ssh/sshd_config</b> to set your desired settings. You can modify options like the listening port, allowing root login, and more.

===Common sshd_config Options===

The '''sshd_config''' file is located at '''/etc/ssh/sshd_config''' on most Linux systems. This file contains various options and settings that determine the behavior of the OpenSSH server. Each option is followed by its value, and lines starting with a <b>#</b> are considered comments.

Here's an overview of some common options in the sshd_config file:

===Port===

Specifies the port number that the SSH server listens on.<br>

<code>Port 22</code><br>

=== AddressFamily===

Determines the IP address family (IPv4, IPv6, or both) used by the SSH server.

* To specify that the SSH server should only listen for incoming IPv4 connections:
<code>AddressFamily inet</code>

* Or, if you want the SSH server to only listen for incoming IPv6 connections, set the 'AddressFamily' directive to 'inet6':
<code>AddressFamily inet6</code>

* If you want to allow both IPv4 and IPv6 connections, set the 'AddressFamily' directive to 'any':
<code>AddressFamily any</code>

=== ListenAddress===
Specifies the IP address(es) the SSH server listens on. By default, it listens on all available addresses.

<code>ListenAddress 192.168.1.10</code>

=== Protocol===
Defines the SSH protocol version. It's recommended to use only protocol 2.

<code>Protocol 2</code>

=== PermitRootLogin===
Controls whether root login is allowed. It's generally advised to disable root login or set it to "without-password" to allow only key-based authentication for root.

<code>PermitRootLogin no</code>

===PasswordAuthentication===

Enables or disables password-based authentication.

<code>PasswordAuthentication yes</code>

=== PubkeyAuthentication===

Enables or disables public key authentication.

<code>PubkeyAuthentication yes</code>

=== AuthorizedKeysFile===
Specifies the location of the authorized keys file for public key authentication.

<code>AuthorizedKeysFile .ssh/authorized_keys</code>

=== LogLevel===
Sets the logging level for the SSH server.

The LogLevel option in '''sshd_config''' controls the amount of information that SSH daemon (sshd) logs.

There are different log levels that can be set with this option, each providing a different level of detail:

* '''QUIET''': Disables all logging.

* '''FATAL''': Only logs fatal errors.

* '''ERROR''': Logs error messages.

* '''INFO''': Logs informational messages such as login attempts.

* '''VERBOSE''': Logs more detailed information than INFO, including shell commands executed.

* '''DEBUG''': Logs detailed debugging information, including raw protocol details.

The default log level is '''INFO''', which is usually sufficient for most purposes. However, if you need to troubleshoot SSH connections or monitor user activity, setting a higher log level may be helpful.

To change the '''LogLevel''' in '''sshd_config''', you can edit the file '''/etc/ssh/sshd_config''' (or the appropriate configuration file for your system), and add or modify the line:

<code>LogLevel <log_level></code>

Where <log_level> is one of the log levels listed above.

<code>LogLevel INFO</code>

=== LoginGraceTime===

Defines the time allowed for a user to successfully log in.

<code>LoginGraceTime 2m</code>

===MaxAuthTries===

Limits the number of authentication attempts allowed per connection.

<code>MaxAuthTries 6</code>

=== MaxSessions===

Specifies the maximum number of simultaneous sessions allowed per network connection.<br>

<code>MaxSessions 10</code>

=== AllowUsers, DenyUsers, AllowGroups, DenyGroups===

These options control which users and groups are allowed or denied access to the SSH server. They provide a way to manage access control based on usernames and group membership.

* '''AllowUsers''': Specifies a list of users allowed to access the SSH server. Other users will be denied access.
<code>AllowUsers user1 user2 user3</code><br>

* '''DenyUsers''': Specifies a list of users denied access to the SSH server. Other users will be allowed access.
<code>DenyUsers user4 user5</code>

* '''AllowGroups''': Specifies a list of groups whose members are allowed to access the SSH server. Users not belonging to these groups will be denied access.
<code>AllowGroups group1 group2</code>

* '''DenyGroups''': Specifies a list of groups whose members are denied access to the SSH server. Users not belonging to these groups will be allowed access.
<code>DenyGroups group3 group4</code>

Note that the order in which these options are applied is '''DenyUsers''', '''AllowUsers''', '''DenyGroups''', and finally '''AllowGroups'''.

===Banner===

The Banner option allows you to display a message or warning to users before they log in to the SSH server. This is often used to display legal notices, security warnings, or other important information.

To enable the banner, set the Banner option to the path of a text file containing the message you want to display:

<code>Banner /etc/ssh/banner.txt</code>

Create the /etc/ssh/banner.txt file and add your desired message. The content of this file will be displayed to users before they log in.

==Advanced sshd_config Options==
=== PermitTunnel===
The PermitTunnel option enables or disables the use of SSH tunneling. Tunnels can be used to forward ports or create VPN-like connections between the client and the server.
* There are four possible values for this option:

: '''"yes"''': Allows all types of tunnels.<br>
: '''"point-to-point"''': Allows only point-to-point (Layer 3) tunnels.<br>
: '''"ethernet"''': Allows only Ethernet (Layer 2) tunnels.<br>
: '''"no"''': Disables tunneling (default).<br>

To enable tunneling, set the PermitTunnel option in the sshd_config file:

<code>PermitTunnel yes</code>

Keep in mind that enabling tunnels may expose your server to additional security risks. Only enable this option if you understand the implications and have a specific use case that requires it.

=== ChrootDirectory===
The ChrootDirectory option allows you to restrict a user or a group to a specific directory (known as a chroot jail) when they log in via SSH. This can enhance security by isolating users and limiting their access to only the necessary parts of the filesystem.

To set up a chroot jail, follow these steps:

Create a directory that will serve as the chroot jail. For example, let's create a directory for user1:

<code>sudo mkdir /home/user1/chroot</code>

Change the ownership of the directory to the user and their primary group:

<code>sudo chown user1:user1 /home/user1/chroot</code>

In the sshd_config file, add a Match block at the end of the file to specify the ChrootDirectory for user1:
<pre>
Match User user1
ChrootDirectory /home/user1/chroot
</pre>

Restart the SSH server to apply the changes:

<code>sudo systemctl restart ssh</code>

Now, when user1 logs in via SSH, they will be restricted to the /home/user1/chroot directory and won't be able to access other parts of the filesystem.

Note that the chroot jail should be owned by root and not writable by the user. If you need to provide write access to specific directories, create subdirectories inside the chroot jail and set appropriate permissions for those. Also, some features like SFTP may require additional configuration within the chroot jail.

===ForceCommand===
The ForceCommand option allows you to specify a command that will be executed when a user logs in via SSH, regardless of the command requested by the user. This can be useful for limiting the actions a user can perform or for automatically running specific tasks upon login.

To use the ForceCommand option, follow these steps:

In the sshd_config file, add a Match block at the end of the file to specify the ForceCommand for a specific user or group. For example, to force user1 to execute the command /usr/bin/my-command upon login:

<pre>
Match User user1
ForceCommand /usr/bin/my-command
</pre>

Restart the SSH server to apply the changes:

<code>sudo systemctl restart ssh</code>

Now, when user1 logs in via SSH, the /usr/bin/my-command will be executed automatically, and they will not be able to run any other command.

Keep in mind that using ForceCommand may limit the user's ability to interact with the server or transfer files via SFTP. Make sure to test and verify the functionality for your specific use case.

=== Match Blocks===

Match blocks in the sshd_config file allow you to apply specific configuration options based on certain criteria, such as the user, group, address, or host. This enables you to create custom rules and settings for different users, groups, or connections.

Match block syntax:

<pre>
Match criteria
Option value
</pre>

Here are some examples of Match blocks and their usage:

Apply settings only for a specific user:
<pre>
Match User user1
PasswordAuthentication no
AllowTcpForwarding yes
</pre>

This configuration disables password authentication and enables TCP forwarding only for user1.

Apply settings for multiple users:
<pre>
Match User user1,user2
ChrootDirectory /home/%u/chroot
</pre>

This configuration sets the chroot directory for both user1 and user2.

Apply settings for a specific group:
<pre>
Match Group group1
PasswordAuthentication yes
</pre>

This configuration enables password authentication only for members of group1.

Apply settings based on the client's IP address:
<pre>
Match Address 192.168.1.0/24
PasswordAuthentication no
</pre>

This configuration disables password authentication for clients connecting from the 192.168.1.0/24 subnet.

Combine multiple criteria:
<pre>
Match User user1 Address 192.168.1.0/24
PasswordAuthentication yes
</pre>
This configuration enables password authentication only for user1 when they connect from the 192.168.1.0/24 subnet.

Remember to restart the SSH server after making changes to the sshd_config file:

<code>sudo systemctl restart ssh</code>

Match blocks offer flexibility in customizing your SSH server's configuration based on various criteria. Use them wisely to enhance security and optimize your server's settings.

==Best Practices and Tips '''sshd_config'''==
When configuring your '''sshd_config''' file, it's essential to follow best practices to ensure the security and stability of your SSH server. Here are some recommendations and tips:

:* Keep the server up-to-date: Always update your SSH server software and the underlying operating system to ensure you have the latest security patches and features.

:* Use strong authentication: Enable key-based authentication (PubkeyAuthentication) and consider disabling password authentication (PasswordAuthentication) to reduce the risk of brute-force attacks.

:* Limit root access: Set "PermitRootLogin" to "no" or "without-password" to prevent direct root login or require key-based authentication for root.

:* Use non-standard ports: Change the default SSH port (22) to a non-standard port to reduce the exposure to automated scans and attacks. Keep in mind this is security through obscurity and should be combined with other security measures.

'''Restrict user access''': Use "AllowUsers," "DenyUsers," "AllowGroups," and "DenyGroups" options to control which users and groups can access the SSH server.

'''Monitor logs''': Regularly check your SSH server logs for any suspicious activity or failed login attempts. Adjust the "LogLevel" setting in sshd_config as needed.
* Default Log Path Ubuntu 22.04: '''/var/log/auth.log'''

'''Use chroot jails''': Isolate users by creating chroot jails using the "ChrootDirectory" option, especially when providing SFTP access or when users don't require full access to the server.

'''Configure connection settings''': Set appropriate values for "LoginGraceTime" and "MaxAuthTries" to limit the time allowed for successful login and the number of authentication attempts per connection.

'''Use a strong firewall''': Configure your server's firewall to only allow SSH connections from trusted IP addresses or networks.

'''Regularly review and audit''': Periodically review your sshd_config settings and make adjustments as necessary. Keep up-to-date with SSH security best practices and recommendations.

By following these best practices and tips, you can enhance the security and performance of your SSH server, protecting it from unauthorized access and potential attacks.

===Troubleshooting sshd_config Issues===

When encountering problems with your SSH server configuration, it's important to know how to diagnose and resolve issues. Here are some common problems and troubleshooting steps:

Check syntax and configuration errors: If the SSH server is not starting or not functioning as expected, check the sshd_config file for any syntax or configuration errors. Use the following command to test the configuration file for errors:

<code>sudo sshd -t</code>

If there are any issues, the command will provide error messages with information on what needs to be fixed.

Review log files: Inspect the SSH server log files for any error messages or relevant information. The location of the log files may vary depending on your system, but common locations are /var/log/auth.log or /var/log/secure. Tail the log file while attempting to connect to get real-time information:

<code>sudo tail -f /var/log/auth.log</code>

Restart the SSH server

Check firewall settings: Ensure that the server's firewall is allowing SSH connections on the correct port. If you changed the default SSH port, update your firewall rules accordingly.

Verify user permissions: If a specific user is unable to connect, check the user's permissions, home directory, and the settings in the sshd_config file, such as "AllowUsers," "DenyUsers," "AllowGroups," or "DenyGroups."

SSH server from a client, use the verbose mode to get more detailed information about the connection process. This can help identify any issues with authentication or configuration. Run the following command to enable verbose mode:

<code>ssh -v user@example.com</code>

Replace "user@example.com" with the appropriate username and server address. You can increase the verbosity level by adding more "v" characters (e.g., -vv or -vvv) if needed.

Check file permissions: Ensure that the file permissions for the user's home directory, the .ssh directory, and the authorized_keys file are set correctly. The user's home directory should not be writable by other users, the .ssh directory should have permissions set to 700 (drwx------), and the authorized_keys file should have permissions set to 600 (-rw-------).

Test network connectivity: If you're unable to connect to the SSH server, verify that you can reach the server on the network. Use tools like ping, traceroute, or telnet to check the connection to the server and the specific SSH port.

By following these troubleshooting steps, you should be able to diagnose and resolve most issues related to the sshd_config file and the SSH server configuration. Remember to carefully review the settings in your sshd_config file and consult the server logs for additional information when encountering problems.

====After making changes, restart the SSH server:====
<code>sudo systemctl restart ssh</code><br>

== Running commands on a remote server==

Once you've connected to a remote server using SSH, you can execute commands on the remote machine just as you would on your local system. However, you can also run commands on a remote server without establishing an interactive SSH session.

This can be useful for automation, scripting, or quick tasks. Here's how to do it:

Use the SSH command: To run a command on a remote server without entering an interactive session, use the following syntax:

<code>ssh username@hostname_or_IP -p port 'command'</code>

Replace username with your username on the remote server, hostname_or_IP with the server's hostname or IP address, port with the SSH port number (if different from the default 22), and command with the command you want to execute.

For example, to list the contents of the remote server's home directory, you can use:

<code>ssh john@example.com -p 22 'ls -la'</code>

===Handling multiple commands===
If you need to execute multiple commands, you can chain them together using a '''semicolon''' or '''&&'''.

The semicolon allows you to run multiple commands sequentially, while the && operator runs the next command only if the previous command was successful.

For example, to update the package list and then upgrade the packages on a remote Ubuntu server:

<code>ssh john@example.com -p 2222 'sudo apt-get update; sudo apt-get upgrade -y'</code>

* Command output:
The output of the command will be displayed in your local terminal, just as if you were running the command on your local machine. Using key-based authentication

==Transferring files with SCP==

The Secure Copy Protocol (SCP) is a useful tool for transferring files between your local machine and a remote server using SSH. SCP ensures that the data is encrypted during transit, providing a secure and efficient way to transfer files.

===Install an SCP client===

Most Unix-based systems, including Linux and macOS, have an SCP client pre-installed. For Windows, you can use the built-in SCP client included with the OpenSSH package (available in Windows 10 and later) or a third-party client like WinSCP.

===Transfer a file from your local machine to a remote server===

To copy a file from your local machine to a remote server, use the following command:
* Note the use of the upper case '''-P''' for ports with '''scp'''
<code>scp -P port local_file_path username@hostname_or_IP:remote_file_path</code>

Replace port with the SSH port number (if different from the default 22), local_file_path with the path to the file on your local machine, username with your username on the remote server, hostname_or_IP with the server's hostname or IP address, and remote_file_path with the desired location on the remote server.

For example:

<code>scp -P 22 /home/john/documents/report.pdf john@example.com:/home/john/reports/</code>

This command will copy the "report.pdf" file from the local machine to the "reports" directory on the remote server.

===Transfer a file from a remote server to your local machine===
To copy a file from a remote server to your local machine, use the following command:

<code>scp -P port username@hostname_or_IP:remote_file_path local_file_path</code>

Replace port with the SSH port number (if different from the default 22), username with your username on the remote server, hostname_or_IP with the server's hostname or IP address, remote_file_path with the path to the file on the remote server, and local_file_path with the desired location on your local machine.

For example:

<code>scp -P 2222 john@example.com:/home/john/reports/report.pdf /home/john/documents/</code>
: Or
<code>scp john@example.com:/home/john/reports/report.pdf /home/john/documents/</code>-

This command will copy the "report.pdf" file from the remote server's "reports" directory to the "documents" directory on your local machine.

===Transferring directories===

To transfer an entire directory, use the '''-r''' flag:

<code>scp -r -P port local_directory_path username@hostname_or_IP:remote_directory_path</code>

Or, to copy a directory from the remote server to your local machine:

<code>scp -r -P port username@hostname_or_IP:remote_directory_path local_directory_path</code>

Using SCP is a convenient and secure way to transfer files between your local machine and a remote server. It leverages the security of the SSH protocol to ensure that your data remains encrypted during transit.

===Transferring from Remote Computer to Remote Computer===

Copy the file '''stuff.txt''' from remote host '''12.34.56.67''' to host '''11.22.33.44'''

<code>scp name@12.34.56.67:/home/user/Documents/stuff.txt name@11.22.33.44:/home/user/Documents/</code>

With the '''-3''' flag copies between two remote hosts "12.34.56.67" and "11.22.33.44" are transferred through the local host running the command.

<code>scp -3 name@12.34.56.67:/home/user/Documents/stuff.txt \ name@11.22.33.44:/home/user/Documents/ </code>

===Transferring multiple files===

Send files foo.txt and bar.txt to remote.

<code>scp foo.txt bar.txt user@12.34.56.78:~/Documents/</code>

Copy multiple files from remote "Documents" directory to local "Documents" directory.

<code>scp user@11.22.33.44:/home/user/Documents/\{todo_list.txt,links.txt,stuff.txt\} /home/$USER/Documents/</code>

Copy multiple files from the remote to local current directory.

<code>scp name@12.34.56.78:~/\{README.md,.bashrc\} . </code>

== Transferring files with SFTP==
The SSH File Transfer Protocol (SFTP) is another method for transferring files securely between your local machine and a remote server. Unlike SCP, SFTP provides an interactive interface that allows you to navigate, upload, and download files more easily.

Install an SFTP client: Most Unix-based systems, including Linux and macOS, have an SFTP client pre-installed. For Windows, you can use the built-in SFTP client included with the OpenSSH package (available in Windows 10 and later) or a third-party client like WinSCP or FileZilla.

Connect to a remote server: To start an SFTP session with a remote server, open a terminal or command prompt on your local machine and use the following command:

<code>sftp -P port username@hostname_or_IP</code>

Replace port with the SSH port number (if different from the default 22), username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

For example:

<code>sftp -P 22 john@example.com</code>

Navigate the remote filesystem: Once connected, you can use commands similar to those available in a Unix shell to navigate the remote server's filesystem. Some common SFTP commands include:

: '''ls''': List files and directories<br>
: '''cd''': Change the current directory<br>
: '''mkdir''': Create a new directory<br>
: '''rmdir''': Remove an empty directory<br>
: '''get''': Download a file from the remote server<br>
: '''put''': Upload a file to the remote server<br>
<br>
: '''rm''': Remove a file<br>
: '''rename''': Rename a file or directory<br>
: '''exit''': Exit the SFTP session<br>

Transfer files: To transfer files, use the put command to upload a file from your local machine to the remote server, and the get command to download a file from the remote server to your local machine. For example:

Upload a file:

<code>put local_file_path remote_file_path</code>

Download a file:

<code>get remote_file_path local_file_path</code>

Replace local_file_path and remote_file_path with the appropriate paths for the files you want to transfer.

Transferring directories: To transfer entire directories, use the -r flag with the put and get commands:

Upload a directory:

<code>put -r local_directory_path remote_directory_path</code>

Download a directory:

<code>get -r remote_directory_path local_directory_path</code>

Disconnect from the remote server: When you've finished transferring files, type exit to close the SFTP session.

SFTP offers a more user-friendly, interactive experience for transferring files compared to SCP. By utilizing the secure and encrypted SSH protocol, SFTP ensures that your data remains safe during transfer.

==Advanced SSH Techniques==
=== Port forwarding and tunneling===

SSH port forwarding and tunneling allow you to securely forward network traffic between your local machine and a remote server. This can be useful for accessing remote services, bypassing firewalls, or securely transmitting sensitive data.

Local Port Forwarding: Local port forwarding creates a secure tunnel between your local machine and a remote server, allowing you to access remote services as if they were running on your local machine. To set up local port forwarding, use the -L flag with the SSH command:

<code>ssh -L local_port:remote_host:remote_port username@hostname_or_IP</code>

Replace local_port with an available port on your local machine, remote_host with the hostname or IP address of the remote server hosting the service, remote_port with the port number of the remote service, username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

Remote Port Forwarding: Remote port forwarding enables you to expose a local service running on your machine to a remote network. To set up remote port forwarding, use the -R flag with the SSH command:

<code>ssh -R remote_port:local_host:local_port username@hostname_or_IP</code>

Replace remote_port with an available port on the remote server, local_host with the hostname or IP address of the local machine hosting the service, local_port with the port number of the local service, username with your username on the remote server, and hostname_or_IP with the server's hostname or IP address.

:**Forwarding X, Sound, and Video on Ubuntu 22.04 with Ubuntu 22.04 LXC**: To forward X, sound, and video from a remote Ubuntu 22.04 server to your local Ubuntu 22.04 machine, you'll need to enable X11 forwarding and install the necessary packages.

:* Install required packages: On both your local machine and the remote server, install the x11-apps and pulseaudio packages:

<code>sudo apt update</code><br>
<code>sudo apt install x11-apps pulseaudio</code>

:* Enable X11 forwarding: To enable X11 forwarding, you'll need to edit the SSH server configuration file (/etc/ssh/sshd_config) on the remote server:

<code>sudo nano /etc/ssh/sshd_config</code>

Find the line containing "X11Forwarding" and set its value to "yes":

<code>X11Forwarding yes</code>

If the line is commented out (i.e., it starts with a '#'), remove the '#' symbol. Save your changes and exit the text editor.

:* Restart the SSH server: Apply the changes by restarting the SSH server:

<code>sudo systemctl restart ssh</code>

:* Connect with X11 forwarding: From your local machine, use the -X flag to enable X11 forwarding when connecting to the remote server:

<code>ssh -X username@hostname_or_IP</code>

:* Export PULSE_SERVER environment variable: On the remote server, export the PULSE_SERVER environment variable to forward sound:

<code>export PULSE_SERVER=tcp:localhost</code>

You can add this line to the remote user's ~/.bashrc or ~/.profile file to make the change permanent.

:* Run applications: Now, you can run graphical applications on the remote server, and they will be displayed on your local machine with sound and video forwarded.

Please note that forwarding X, sound, and video might cause increased latency and reduced performance compared to running the applications locally.

=== SSH agent forwarding===
SSH agent forwarding is a powerful feature that allows you to use your local SSH keys to authenticate with remote servers without having to copy your private keys to those servers. This is particularly useful when you need to access one remote server (Server B) through another remote server (Server A).

==== Start the SSH agent on your local machine ====

Before you enable SSH agent forwarding, you need to start the SSH agent on your local machine. Open a terminal and run the following command:

:* For Linux and macOS:

<code>eval "$(ssh-agent -s)"</code>

For Windows (Git Bash or Cygwin):

<code>eval $(ssh-agent)</code>

This command starts the SSH agent and sets the required environment variables.

====Add your SSH key to the agent====

Next, add your private key to the SSH agent with the following command:

<code>ssh-add ~/.ssh/your_private_key</code>

Replace '''your_private_key''' with the filename of your private key. This might be '''id_rsa''', '''id_ed25519''', or another key file depending on your setup.

====Configure SSH agent forwarding on your local machine====

Edit your SSH config file to enable agent forwarding. The config file is usually located at '''~/.ssh/config'''. If the file doesn't exist, create it.

Add the following lines to the config file:

<pre>
Host server_a_alias
HostName server_a_ip_or_hostname
User your_username_on_server_a
ForwardAgent yes

Host server_b_alias
HostName server_b_ip_or_hostname
User your_username_on_server_b
ForwardAgent yes
</pre>

Replace
:* '''server_a_alias'''
:* ''' server_a_ip_or_hostname'''
:* '''your_username_on_server_a'''
:* '''server_b_alias'''
:* '''server_b_ip_or_hostname'''
:* '''your_username_on_server_b'''
with the appropriate values.

====Make sure your public key is added to the remote servers====

Before you can use SSH agent forwarding, you need to add your public key to the '''~/.ssh/authorized_keys''' file on both Server A and Server B. If you haven't done this already, you can use the following command:

<code>ssh-copy-id -i ~/.ssh/your_public_key user@server_ip_or_hostname</code>

Replace '''your_public_key''', '''user''', and '''server_ip_or_hostname''' with the appropriate values.

====Test SSH agent forwarding====

First, SSH into Server A:

<code>ssh server_a_alias</code>

Then, from Server A, SSH into Server B:

<code>ssh server_b_alias</code>

If everything is set up correctly, you should be able to access Server B without being prompted for a password.

====Verify SSH agent forwarding====

To make sure that SSH agent forwarding is working, you can check the value of the '''SSH_AUTH_SOCK''' environment variable on Server B.

From Server B, run the following command:

<code>echo $SSH_AUTH_SOCK</code>

If SSH agent forwarding is working, this command should return a non-empty value.

That's it! You've successfully set up and tested SSH agent forwarding. Now you can use your local SSH keys to authenticate with remote servers without having to copy your private keys to those servers.

===Command Restriction===

The '''authorized_keys''' file can be used to restrict the commands that a specific SSH key can execute. This is especially useful for security purposes, to limit the potential damage that could be done if a key is compromised.

By including a '''command=''' directive in the '''authorized_keys''' file, you can specify the exact command that will be run when a client connects using the associated key. Any command provided by the client will be ignored, and the command specified in the authorized_keys file will be used instead.

Example:

<code>command="/usr/bin/scp -t /home/rscp/media/" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...</code>

is set up to always execute the '''scp''' command (used for secure copy of files over SSH) to the specified directory, no matter what command was originally issued by the client. This is a good way to create a "write-only" drop box, for instance.

However, the keyholder could potentially still execute arbitrary commands by carefully crafting the file names they upload, so additional precautions should be taken, such as using command= along with other directives like '''no-port-forwarding''', '''no-X11-forwarding''', and '''no-pty''' to further limit what can be done with the key.

<code>command="/usr/bin/scp -t /home/rscp/media/",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...</code>

This entry does the following:

:* The '''command=''' directive runs the specified command when a client connects using this key. In this case, the command is scp, which securely copies files to the /home/rscp/media/ directory.
:* The '''no-port-forwarding''' directive prevents the client from using SSH's port forwarding features, which could potentially be used to create a secure tunnel for other network traffic.
:* The '''no-X11-forwarding''' directive prevents the client from forwarding X11 graphical sessions, which could be used to run graphical applications over the SSH connection.
:* The '''no-pty''' directive prevents the allocation of a pseudo-terminal, which means the client can't interact with a shell or run interactive commands.

The '''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...''' part is the public key of the client. Replace this with the actual key.

This configuration significantly limits the operations that can be performed with this key, providing an additional layer of security.

====SCP Only====

Use Case Example: Have a Server hosting XML Dumps, and want to automate sending a file or directory from Server1 to Server2 using a script and ssh-key so i don't need to enter password.

=====Create Account on Server=====
Create user account you are going to use:<br>
<code>adduser rscp</code>

Make sure user has a '''.ssh''' directory to send public key to:<br>
<code>mkdir /home/rscp/.ssh</code>

Make a Directory to transfer files to:<br>
<code>mkdir /home/rscp/media</code>

Note: If you see error <code>scp: /home/rscp/media/test.txt: Permission denied</code> If you created directory '''media''' when logged in as '''root''' then check directory permissions and if need [[Linux_Users_and_Groups#File_Ownership_and_Permissions|assign ownership to '''user''' account.]]<br>
Example:<code>chown rscp:rscp /home/rscp/media</code>

[[Ubuntu_22.04_SSH_Guide#Copying_public_keys_to_the_remote_server|Send your public key to server]]

After public_key/authorized_key is on server, edit authorized_keys and at the start before ssh-rsa <KEY>
<pre>
command="/usr/bin/scp -t /home/rscp/media/" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...
</pre>

If from remote server you are sending a Directory include the '''-r''' flag in command:<br>

After public_key/authorized_key is on server, edit authorized_keys and at the start before ssh-rsa <KEY>
<pre>
command="/usr/bin/scp -t -r /home/rscp/media/" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...
</pre>

This entry in the authorized_keys file uses the command option to restrict the SSH command that can be run with the associated SSH key. The command option specifies that the scp command should be used to transfer files to the '''/home/rscp/media/''' directory on the server.

Here's a breakdown of the entry:

:* '''command="/usr/bin/scp -t /home/rscp/"''': This specifies that the scp command should be used as the SSH command for this key, with the '''-t''' option to specify that the remote end is a file (in this case, a directory), and the destination directory on the server is /home/rscp/. This means that the user can only use the SSH key to transfer files to the /home/rscp/ directory on the server.

:* '''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...''': This is the public key associated with the private key that is used for authentication.

By using the command option in this way, you can restrict the actions that the user can perform with the SSH key, which can help to improve security. In this case, the user can only transfer files to the specified directory on the server using the scp command.

======Tip - transfer file to a path your USER does not have permissions for======

You can write a shell script to check the '''/home/rscp/media''' directory every minute using a while loop and the sleep command. If any files are found in the directory, the script can move them to the '''/var/www/media''' directory using the mv command. Here's an example script:

<syntaxhighlight lang="bash" line>
#!/bin/bash

while true
do
if [ "$(ls -A /home/rscp/media/)" ]; then
mv /home/rscp/media/* /var/www/media/
fi
sleep 60
done
</syntaxhighlight>

In this script, the while loop runs indefinitely ('''while true''') and sleeps for 60 seconds at the end of each iteration ('''sleep 60''').

The '''if''' statement checks if the '''/home/rscp/media''' directory is not empty ('''[ "$(ls -A /home/rscp/media/)" ]'''). If it is not empty, the '''mv''' command is used to move all files and directories from the '''/home/rscp/media/''' directory to the '''/var/www/media/''' directory.

Save this script to a file (e.g. '''move-files.sh''') and make it executable using the '''chmod +x move-files.sh''' command. You can then run the script using '''./move-files.sh &''' to start it in the background and allow it to run indefinitely. The & symbol is used to run the script in the background so that you can continue using the terminal.

Note that running this script indefinitely can consume system resources, so you may want to consider setting up a scheduled task (e.g. using '''[[Cron_ubuntu_22.04|cron]]''') to run the script at a specific interval instead of running it indefinitely.

==Tilde '''~''' the escape character==

The tilde (~) character has a special meaning in the context of SSH. When using SSH, you can use the tilde character followed by a control sequence to perform certain actions. These are called "tilde escape sequences" or "tilde commands." They are useful for managing your SSH connections.

Here's how to use tilde escape sequences when connected to a remote server via SSH:

:* Make sure you are at the beginning of a new line in your terminal. Press '''Enter''' if you are not.

:* Type the tilde (~) character, followed by the appropriate control sequence. Note that you should not press '''Enter''' after typing the tilde character, but rather type the control sequence directly after it.

Here are some common tilde escape sequences:

: '''~.''' : Close the SSH connection. This can be helpful if the connection is frozen or unresponsive.
: '''~^Z''' : Suspend the SSH connection and return to your local shell. You can later resume the connection using the fg command.
: '''~#''' : List all forwarded connections (both local and remote) that are active in the current SSH session.
: '''~&''' : Run the SSH session in the background. This is useful if you want to perform other tasks on your local machine without closing the SSH connection.
: '''~~''' : Send a literal tilde character to the remote system. This is useful if you need to type a tilde character in the remote system without triggering an escape sequence.

Remember that these escape sequences only work if they are entered at the beginning of a new line in your terminal. If you're typing them in the middle of a command or text, they won't be recognized as special control sequences.

==Troubleshooting and Best Practices==

In this section, we'll cover some common issues and best practices related to SSH connections, including managing a large number of SSH keys.

===Too many authentication attempts===

When connecting to an SSH server, you might encounter the "Too many authentication attempts" error. This is often caused by having too many private keys in your ~/.ssh directory. By default, SSH tries each key until it finds the correct one, but many servers limit the number of authentication attempts.

'''Solution''': To resolve this issue, you can create a separate directory for your keys and configure the SSH config file to use the appropriate key for each connection.

:* Create a new directory for your keys:

<code>mkdir ~/.ssh/keys</code>

:* Move your private key files to the new directory:

<code>mv ~/.ssh/id_rsa_* ~/.ssh/keys/</code>

Update your SSH config file to specify the correct key for each connection:
<pre>
Host server1
...
IdentityFile ~/.ssh/keys/id_rsa_server1

Host server2
...
IdentityFile ~/.ssh/keys/id_rsa_server2
</pre>

===Permission issues===

SSH is very strict about file and directory permissions. Ensure that your ~/.ssh directory and its contents have the correct permissions:

:* The ~/.ssh directory should have permissions set to 700:

<code>chmod 700 ~/.ssh</code>

Private key files should have permissions set to 600:

<code>chmod 600 ~/.ssh/id_rsa</code>

The ~/.ssh/config file should have permissions set to 600:

<code>chmod 600 ~/.ssh/config</code>

:* <b>Best practices</b>: Follow these best practices to maintain secure and efficient SSH connections:

:* Use SSH key pairs instead of passwords for authentication, as they provide better security.
:* Regularly update your SSH keys to maintain their security.
:* Use strong, unique passphrases to protect your private keys.
:* Disable password authentication and root login on your SSH server to reduce the risk of brute-force attacks.
:* Regularly update your SSH server software to ensure you're running the latest security patches.
:* Use non-standard port numbers for your SSH server to make it less likely to be targeted by automated attacks.
:* Implement multi-factor authentication (MFA) for your SSH connections, if possible.
:* Regularly review and remove any unnecessary authorized keys from the ~/.ssh/authorized_keys file on your servers.
:* Use the Match directive in the sshd_config file to apply custom rules and settings for different users, groups, or connections.

Main Page

2023-05-11T20:11:31Z

Noob:

=In Concept Mode=

'''Site is Currently under going some changes'''<br>
Page links might be broken while we restructure page titles and content, before carrying on with content creation.

<div class="toccolours mw-collapsible mw-collapsed">
'''''DISCLAIMER:'''''
<div class="mw-collapsible-content">
he content provided on completenoobs.com is for general informational and educational purposes only. The website owner and authors make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

In no event will the website owner or authors be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website.

Through this website you are able to link to other websites which are not under the control of completenoobs.com. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.

Every effort is made to keep the website up and running smoothly. However, completenoobs.com takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

</div>
</div>

=Welcome to CompleteNoobs=
''A community-driven resource for computer science enthusiasts''

'''Note''': At present, direct signups are disabled due to bot activity. To create an account on the wiki, please request an account and message user CompleteNoobs on Reddit. Your patience is appreciated as we may not be online all the time.

==We All Start as Noobs==

''Greetings, fellow Noobs.''

CompleteNoobs is currently in its concept stage, and we are learning as we go. Use the resources provided at your own risk.

Our mission is to make computer science free, open, and reproducible for hobbyists, sysadmins, teachers, students, and anyone interested in the field. CompleteNoobs is a platform to share tutorials, documentation, walkthroughs, computer science courses, notes, and tips acquired along the way, under a Libre License that ensures the following freedoms:

:* Read
:* Edit/Modify
:* Copy
:* Share freely

'''Note''': Content licensed under '''CC BY-NC-SA''' can be hosted on the non-commercial fork: https://www.completenoobz.com

The only proprietary aspects of this site are the domain and the trademark 'CompleteNoobs'. All content is available for download as an XML file at https://xml.completenoobs.com and is Libre licensed for everyone to use.

https://ipfs.io/ipfs/QmPyUVTQa7gk8kueAnjNDtEReKZ8NnwvFLWv66aCVrq4dy

==Get Involved==

We encourage users to fork this project, download it, and keep a copy on their desktop and/or server.

:* [[Host_Your_Own_Mediawiki_Online|Host Your Own Mediawiki Online]]

:* [[Local_CompleteNoobs_Wiki|Download CompleteNoobs Wiki to your personal computer]]

===Feed Back Received===

* Clearly indicate the terminal where commands should be entered
* Break down content into smaller sections or modules
* Provide timestamps in videos for each executed command or step
* Organize steps/modules using numbers, and sub-steps within modules using letters (a, b, c, etc.)
* Create shorter, focused videos for each step to avoid excessive scrolling
* Clarify the use of terminal editors and how to set the $EDITOR variable
* Place the EDITOR section at the top of the page and link to nano and vi guide pages
* Include instructions on how to verify the completion of each step correctly
<div class="toccolours mw-collapsible mw-collapsed">
Title Syntax: Title Re-structuring for Enhanced Clarity
<div class="mw-collapsible-content">

Title Re-structuring for Enhanced Clarity

Due to varying configurations and builds of apps/programs across different OS versions, step-by-step tutorials can be challenging to follow. To improve navigation, adjust page titles to include both the OS version/name and the software used. This will account for changes across different versions.

Example of a re-structured title: "Windows 10 Pro - Adobe Photoshop CC 2021 Tutorial"

If its a small change from each version, fork page to version and make small change.<br>
If no change, still fork page to new title!
</div>
</div>

==Essential Links==
:* [[Ubuntu_Cert_Draft|Ubuntu Cert Course '''DRAFTING''']]
:* [[Command_Line_Editors#Set_$EDITOR|Set $EDITOR]]
:* [[Main_Index | Main Index Page]]
:* [[Special:AllPages | All Pages]]
:* [[Wiki_Basic_Syntax|Basic Wiki Syntax]]
:* [[COMPLETENOOBS_FUNDING | Support us by using affiliate links or by giving us donations.]]

==Data-Heavy Content==
To maintain a lightweight XML file, data-heavy content such as pictures, audio, and video can be linked using IPFS and/or Zeronet hashes.

[[IPFS_Basics|IPFS Basics]]

'''IPFS Browser Extensions''':

'''Firefox''': https://addons.mozilla.org/en-GB/firefox/addon/ipfs-companion/<br>
'''Brave''': brave://settings/ipfs and toggle on "IPFS Companion"

[[Wiki_Basic_Syntax#Youtube_extension_-_Embed_Video|Youtube Embedded Videos also work.]]

==Licenses==

[[LICENCE_HEADERS | Add a license to each page, as long as it adheres to the principles of free copying, modification, and distribution.]]
<pre>{{:LICENCE_HEADER_CC0}}</pre>
{{:LICENCE_HEADER_CC0}}

{{Special:ContributionScores/10/5}}

Main Page

2023-05-11T19:57:50Z

Noob: /* Feed Back Received */

=In Concept Mode=

<div class="toccolours mw-collapsible mw-collapsed">
'''''DISCLAIMER:'''''
<div class="mw-collapsible-content">
he content provided on completenoobs.com is for general informational and educational purposes only. The website owner and authors make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

In no event will the website owner or authors be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website.

Through this website you are able to link to other websites which are not under the control of completenoobs.com. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.

Every effort is made to keep the website up and running smoothly. However, completenoobs.com takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

</div>
</div>

=Welcome to CompleteNoobs=
''A community-driven resource for computer science enthusiasts''

'''Note''': At present, direct signups are disabled due to bot activity. To create an account on the wiki, please request an account and message user CompleteNoobs on Reddit. Your patience is appreciated as we may not be online all the time.

==We All Start as Noobs==

''Greetings, fellow Noobs.''

CompleteNoobs is currently in its concept stage, and we are learning as we go. Use the resources provided at your own risk.

Our mission is to make computer science free, open, and reproducible for hobbyists, sysadmins, teachers, students, and anyone interested in the field. CompleteNoobs is a platform to share tutorials, documentation, walkthroughs, computer science courses, notes, and tips acquired along the way, under a Libre License that ensures the following freedoms:

:* Read
:* Edit/Modify
:* Copy
:* Share freely

'''Note''': Content licensed under '''CC BY-NC-SA''' can be hosted on the non-commercial fork: https://www.completenoobz.com

The only proprietary aspects of this site are the domain and the trademark 'CompleteNoobs'. All content is available for download as an XML file at https://xml.completenoobs.com and is Libre licensed for everyone to use.

https://ipfs.io/ipfs/QmPyUVTQa7gk8kueAnjNDtEReKZ8NnwvFLWv66aCVrq4dy

==Get Involved==

We encourage users to fork this project, download it, and keep a copy on their desktop and/or server.

:* [[Host_Your_Own_Mediawiki_Online|Host Your Own Mediawiki Online]]

:* [[Local_CompleteNoobs_Wiki|Download CompleteNoobs Wiki to your personal computer]]

===Feed Back Received===

* Clearly indicate the terminal where commands should be entered
* Break down content into smaller sections or modules
* Provide timestamps in videos for each executed command or step
* Organize steps/modules using numbers, and sub-steps within modules using letters (a, b, c, etc.)
* Create shorter, focused videos for each step to avoid excessive scrolling
* Clarify the use of terminal editors and how to set the $EDITOR variable
* Place the EDITOR section at the top of the page and link to nano and vi guide pages
* Include instructions on how to verify the completion of each step correctly
<div class="toccolours mw-collapsible mw-collapsed">
Title Syntax: Title Re-structuring for Enhanced Clarity
<div class="mw-collapsible-content">

Title Re-structuring for Enhanced Clarity

Due to varying configurations and builds of apps/programs across different OS versions, step-by-step tutorials can be challenging to follow. To improve navigation, adjust page titles to include both the OS version/name and the software used. This will account for changes across different versions.

Example of a re-structured title: "Windows 10 Pro - Adobe Photoshop CC 2021 Tutorial"

If its a small change from each version, fork page to version and make small change.<br>
If no change, still fork page to new title!
</div>
</div>

==Essential Links==
:* [[Ubuntu_Cert_Draft|Ubuntu Cert Course '''DRAFTING''']]
:* [[Command_Line_Editors#Set_$EDITOR|Set $EDITOR]]
:* [[Main_Index | Main Index Page]]
:* [[Special:AllPages | All Pages]]
:* [[Wiki_Basic_Syntax|Basic Wiki Syntax]]
:* [[COMPLETENOOBS_FUNDING | Support us by using affiliate links or by giving us donations.]]

==Data-Heavy Content==
To maintain a lightweight XML file, data-heavy content such as pictures, audio, and video can be linked using IPFS and/or Zeronet hashes.

[[IPFS_Basics|IPFS Basics]]

'''IPFS Browser Extensions''':

'''Firefox''': https://addons.mozilla.org/en-GB/firefox/addon/ipfs-companion/<br>
'''Brave''': brave://settings/ipfs and toggle on "IPFS Companion"

[[Wiki_Basic_Syntax#Youtube_extension_-_Embed_Video|Youtube Embedded Videos also work.]]

==Licenses==

[[LICENCE_HEADERS | Add a license to each page, as long as it adheres to the principles of free copying, modification, and distribution.]]
<pre>{{:LICENCE_HEADER_CC0}}</pre>
{{:LICENCE_HEADER_CC0}}

{{Special:ContributionScores/10/5}}

Ubuntu 22.04 SSHFS

2023-05-11T19:48:47Z

Noob: Created page with "==Introduction== SSHFS (Secure SHell FileSystem) is a file system that allows you to mount a remote file system over a secure SSH connection. This allows you to access files and directories on a remote server as if they were local files on your own machine. This guide will walk you through the process of installing SSHFS on Ubuntu and using it to mount a remote file system. ==Install SSHFS== <code>sudo apt-get install sshfs</code> ==Create a mount point== You will n..."

==Introduction==

SSHFS (Secure SHell FileSystem) is a file system that allows you to mount a remote file system over a secure SSH connection. This allows you to access files and directories on a remote server as if they were local files on your own machine. This guide will walk you through the process of installing SSHFS on Ubuntu and using it to mount a remote file system.

==Install SSHFS==
<code>sudo apt-get install sshfs</code>

==Create a mount point==

You will need to create a directory on your local machine that will be used as the mount point for the remote file system. You can create a directory in your home directory using the following command:<br>
<code>mkdir ~/remote_mount</code>

==Mount the remote file system==

To mount the remote file system, you will need to use the '''sshfs''' command in the following format:<br>
<code>sshfs <username>@<remote_server>:<remote_directory> <local_mount_point></code>

Replace <username> with your username on the remote server, <remote_server> with the IP address or hostname of the remote server, <remote_directory> with the directory you want to mount on the remote server, and <local_mount_point> with the local mount point you created in the previous step.

For example, if you want to mount the directory /home/user/files on the remote server with the IP address 192.168.1.100 using your username user and the local mount point ~/remote_mount, you would run the following command:

<code>sshfs user@192.168.1.100:/home/user/files ~/remote_mount</code>

You will be prompted for the password for the remote server.

==Access the remote files==
Once you have mounted the remote file system, you can access the files and directories on the remote server as if they were local files on your own machine. You can use your file manager to browse the files, or you can use the terminal to navigate to the mount point and use standard command-line tools to work with the files.

==IdentityFile - aka ssh-key==

To use the IdentityFile option with SSHFS, you can add it to the command when you mount the remote file system.

The IdentityFile option allows you to specify the path to the private key file that you want to use for authentication. This can be useful if you have multiple SSH keys, or if you want to use a specific key for a particular connection.

Here's an example of how you can use the IdentityFile option with SSHFS:

<code>sshfs -o IdentityFile=/path/to/private/key <username>@<remote_server>:<remote_directory> <local_mount_point></code>

Replace /path/to/private/key with the path to the private key file that you want to use, <username> with your username on the remote server, <remote_server> with the IP address or hostname of the remote server, <remote_directory> with the directory you want to mount on the remote server, and <local_mount_point> with the local mount point you created in the previous step.

For example, if you have a private key file called mykey.pem in your home directory, and you want to use it to mount the directory /home/user/files on the remote server with the IP address 192.168.1.100 using your username user and the local mount point ~/remote_mount, you would run the following command:

<code>sshfs -o IdentityFile=$HOME/mykey.pem user@192.168.1.100:/home/user/files ~/remote_mount</code>

This will mount the remote file system using the specified private key file for authentication.

==Options to customize sshfs behavior==

:* allow_other: This option allows other users to access the mounted file system. By default, only the user who mounted the file system can access it. You can use this option by adding -o allow_other to the sshfs command.

:* default_permissions: This option enables the use of default file permissions when accessing the mounted file system. By default, all files and directories on the mounted file system are owned by the user who mounted it, and are not accessible by other users. You can use this option by adding -o default_permissions to the sshfs command.

:* reconnect: This option enables automatic reconnection to the remote server if the connection is lost. You can use this option by adding -o reconnect to the sshfs command.

:* cache: This option enables caching of file attributes and directory entries, which can improve performance. You can use this option by adding -o cache=yes to the sshfs command.

:* transform_symlinks: This option allows you to specify whether symbolic links should be resolved on the local or remote machine. You can use this option by adding -o transform_symlinks to the sshfs command.

:* ssh_command: This option allows you to specify a custom SSH command to use for the connection. You can use this option by adding -o ssh_command="<command>" to the sshfs command, where <command> is the custom SSH command you want to use.

Here's an example of how you can use some of these options with SSHFS:

<code>sshfs -o allow_other,default_permissions,reconnect,cache=yes,transform_symlinks,ssh_command="ssh -p 2222" <username>@<remote_server>:<remote_directory> <local_mount_point></code>

This command will mount the remote file system with the specified options, including allowing other users to access it, using default permissions, enabling automatic reconnection, caching file attributes and directory entries, transforming symbolic links, and using a custom SSH command to connect to the remote server on port 2222.

==Unmount the remote file system==

When you are finished working with the remote files, you can unmount the remote file system using the following command:<br>

<code>fusermount -u <local_mount_point></code><br>

Replace <local_mount_point> with the local mount point you used to mount the remote file system.

For example, to unmount the remote file system mounted at ~/remote_mount, you would run the following command:<br>

<code>fusermount -u ~/remote_mount</code>

Ubuntu 22.04 Nginx File Sharing without DNS

2023-05-11T19:47:01Z

Noob: Created page with "==No DNS using IP and SelfSigned Certs== ===Update system=== <code>apt update && apt upgrade -y</code><br \> ===Install NGINX=== <code>apt install nginx -y</code><br> You should now be able to see the <b>Welcome to nginx!</b> site on your subdomain (or just use server ip address).<br> Only <b>http</b> will work as we have not yet setup are <b>https</b><br> ===Create keys for encrypted https connection=== Note: If you are just building a quick website to test this..."

==No DNS using IP and SelfSigned Certs==

===Update system===
<code>apt update && apt upgrade -y</code><br \>

===Install NGINX===
<code>apt install nginx -y</code><br>

You should now be able to see the <b>Welcome to nginx!</b> site on your subdomain (or just use server ip address).<br>
Only <b>http</b> will work as we have not yet setup are <b>https</b><br>

===Create keys for encrypted https connection===

Note: If you are just building a quick website to test this out you can use <b>Blank</b> (just press enter) for all fields and it will still work.<br \>

<code>openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt</code><br \>

<div class="toccolours mw-collapsible mw-collapsed">
quick explanation:
<div class="mw-collapsible-content">
:* '''openssl''': This command invokes the OpenSSL tool, which is a software library that provides a variety of cryptographic functions and utilities.
:* '''req''': This is a subcommand of OpenSSL that is used for creating and managing X.509 certificate signing requests (CSRs) and self-signed certificates.
:* -'''x509''': This option specifies that the output should be a self-signed X.509 certificate rather than a CSR.
:* '''-nodes''': This option specifies that the private key should not be encrypted with a password, allowing for automatic startup of services that use SSL/TLS.
:* -days 365: This option specifies the number of days that the certificate will be valid for before it expires.
:* '''-newkey rsa:4096''': This option generates a new RSA private key with a key length of 4096 bits, which provides a higher level of security than shorter key lengths.
:* '''-keyout /etc/ssl/private/nginx-selfsigned.key''': This option specifies the path and filename of the private key file that will be generated by OpenSSL.
:* '''-out /etc/ssl/certs/nginx-selfsigned.crt''': This option specifies the path and filename of the self-signed certificate file that will be generated by OpenSSL.

Overall, this command generates a self-signed SSL/TLS certificate and private key that can be used to secure an Nginx web server. The certificate and key are saved to the specified locations for use in the Nginx server configuration. It's important to note that while self-signed certificates can provide some level of encryption for your web traffic, they do not provide any form of authentication or verification of identity, and should not be used in production environments where security is a top priority.
</div>
</div>
/etc/ssl/private/nginx-selfsigned.key<br>
/etc/ssl/certs/nginx-selfsigned.crt

===Create diffhelman===

<code>openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048</code><br \>
You can upgrade from 2048 to 4096 but it might take a while.<br \>

<code>$EDITOR /etc/nginx/snippets/ssl-params.conf</code><br>
Nginx configuration directives related to SSL/TLS:
<pre>
ssl_protocols TLSv1.2;
#This directive specifies the SSL/TLS protocols that the server will use for secure connections. In this case, only TLS version 1.2 is allowed.

ssl_prefer_server_ciphers on;
#This directive tells the server to prefer the ciphers specified by the server over those requested by the client.

ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL !LOW !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED';
#This directive specifies the SSL/TLS ciphers that the server will use for secure connections. These ciphers prioritize the use of elliptic curve cryptography (ECDHE) for key exchange and advanced encryption algorithms such as AES256 and CHACHA20-POLY1305 for encryption.

ssl_ecdh_curve secp384r1;
#This directive specifies the elliptic curve Diffie-Hellman (ECDH) curve that the server will use for key exchange. In this case, the secp384r1 curve is used.

ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
#These directives configure SSL session caching, which can improve performance by allowing the server to reuse SSL session parameters for multiple connections. The ssl_session_cache directive specifies the type of session cache to use, and the ssl_session_tickets directive specifies whether session tickets should be used.

# need to turn ssl_stapling off for selfsigned or will get errors in /var/log/nginx/error.log
ssl_stapling off;
ssl_stapling_verify off;
#These directives configure OCSP stapling, which can improve security by allowing the server to provide proof of the SSL/TLS certificate's validity without requiring the client to contact the certificate authority. The ssl_stapling directive specifies whether stapling should be used, and the ssl_stapling_verify directive specifies whether the server should verify the OCSP response from the certificate authority.

resolver 8.8.8.8 80.80.80.80 valid=300s;
resolver_timeout 5s;
#These directives configure DNS resolution for OCSP stapling. The resolver directive specifies the DNS servers to use for resolving OCSP requests, and the valid parameter specifies the duration for which DNS responses will be cached. The resolver_timeout directive specifies the timeout value for DNS resolution.

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
#These directives add security-related HTTP headers to responses sent by the server. The Strict-Transport-Security header specifies that SSL/TLS should always be used for connections to the server, and the X-Frame-Options and X-Content-Type-Options headers help protect against clickjacking and MIME sniffing attacks, respectively.

ssl_dhparam /etc/ssl/certs/dhparam.pem;
#This directive specifies the location of the Diffie-Hellman parameters file used for SSL/TLS key exchange. The ssl_dhparam directive is used to specify the path to the file that contains the Diffie-Hellman parameters.

ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
# self-signed certificate file

ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
# private key file
</pre>

====Nginx====
<code>$EDITOR /etc/nginx/sites-available/default</code><br \>
<b>MAKE SURE TO CHANGE IP 12.34.56.78 to YOUR servers Public IP address</b><br \>
<pre>
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name 12.34.56.78; ## change ip to match your server ip
return 302 https://$server_name$request_uri;
}
server {

# SSL configuration
#
listen 443 ssl default_server;
listen [::]:443 ssl default_server;

include snippets/ssl-params.conf;

root /var/www/html;

# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;

server_name _;

location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
# To allow browsing of directory
autoindex on;
}
}
</pre>

====Restart Nginx====
<code> systemctl restart nginx</code><br \>

====Allow Nginx pass firewall====
<code>ufw allow 80/tcp</code><br \>
<code>ufw allow 443/tcp</code><br \>

====Create a Directory to share store files====
<code>mkdir /var/www/html/files</code><br \>

====Create an html file====
<code>$EDITOR /var/www/html/index.html</code><br \>
<pre>
<!DOCTYPE html>
<html>
<head>
<title>Files For Download</title>
</head>
<body>

<a href="files">Click here for are latest files</a>.</p>

</body>
</html>
</pre>

==Transfer Files to Sharing Directory==
NOTE: [[Scp_only|If you are receiving file from another server (setup server to send with script and ssh-keys), you may wish to create another account which can only receive '''scp''' to path]]

===scp===
Check [[SCP_Examples|SCP_Examples]] for more examples:<br>
To send direct from MediaWiki server (Example file 'xmlDump-03-03-2023')<br>
Will be prompted to enter password:<br>
<code>scp /path/to/file2send <user>@<server_address>:/var/www/html/files/</code><br>
Example:<code>scp /path/to/file2send ubuntu@111.222.33.444:/var/www/html/files/</code><br>

===sshfs===
[[Sshfs_ubuntu|Read the sshfs page for more info]]<br>
Can be useful if you are transferring a large number of files from your computer to server and want to use the GUI file explorer.<br>
<br>
NOTE:replace $USER with your user account (Example: mine is 'ubunix' so i will replace '$USER' with 'ubunix') <br>
Install sshfs on your computer<br>
<code>sudo apt install sshfs</code><br>
Create a Directory you are going to mount remote server directory to:<br>
<code>mkdir /home/$USER/ServerMount</code><br>
<br>
<code>sudo sshfs -o allow_other,default_permissions <user>@<server_address>:/var/www/html/files/ /home/$USER/ServerMount/</code><br>
To umount use:<br>
<code>sudo umount /home/$USER/ServerMount</code><br>

===sftp===

===Rsync===

===syncthing===

===FreeFileSync===

===Seafile===

==Require Username and Password to view website/files (Optional - Placed here for educational reasons)==
<code>apt install apache2-utils</code><br>
In your <code>/etc/nginx/sites-available/default</code><br>
Append the lines(see before and after files to see where):<br>
<pre>
auth_basic "Hello Please Login";
auth_basic_user_file /etc/nginx/.htpasswd;
</pre>
<div class="toccolours mw-collapsible mw-collapsed">
<code>/etc/nginx/sites-available/default</code>: Before
<div class="mw-collapsible-content">
<pre>
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;

# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;

root /var/www/html;

# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;

server_name _;

location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}

# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}

server {

# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;

root /var/www/html;

# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name xml.completenoobs.com; # managed by Certbot

location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}

# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}

listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/xml.completenoobs.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/xml.completenoobs.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
if ($host = xml.completenoobs.com) {
return 301 https://$host$request_uri;
} # managed by Certbot

listen 80 ;
listen [::]:80 ;
server_name xml.completenoobs.com;
return 404; # managed by Certbot

}
</pre>
</div>
</div>

<div class="toccolours mw-collapsible mw-collapsed">
<code>/etc/nginx/sites-available/default</code>: After
<div class="mw-collapsible-content">
<pre>
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;

# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;

root /var/www/html;

# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;

server_name _;

location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}

# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}

server {

# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;

root /var/www/html;

# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name xml.completenoobs.com; # managed by Certbot

location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
# To allow browsing of directory
autoindex on;
auth_basic "Hello Please Login";
auth_basic_user_file /etc/nginx/.htpasswd;
}

# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}

listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/xml.completenoobs.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/xml.completenoobs.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
if ($host = xml.completenoobs.com) {
return 301 https://$host$request_uri;
} # managed by Certbot

listen 80 ;
listen [::]:80 ;
server_name xml.completenoobs.com;
return 404; # managed by Certbot

}
</pre>
</div>
</div>

===Create a login Username and Password to view your website===

Add user; change <b>user1</b> to username of your choice; you will be prompted for password.<br \>
<code>htpasswd -c /etc/nginx/.htpasswd user1</code><br \>

The <b>-c</b> flag is only needed the first time to create the file <b>/etc/nginx/.htpasswd</b><br \>

Add second user; the same method is used to add has many users has you want.<br \>
<code>htpasswd /etc/nginx/.htpasswd user2</code>
<br \>
To update or change passwd for user, repeat command with username of account you wish to change; enter new password.<br \>
<code>htpasswd /etc/nginx/.htpasswd user1</code><br>
Restart Nginx:<br>
<code>systemctl restart nginx</code><br>
And try site.

===Fail2Ban to Block IP's Which Enter Incorrect Username and/or Password===
Install Fail2Ban:<br>
<code>apt install fail2ban</code><br>

<code>cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local</code><br>
<code>$EDITOR /etc/fail2ban/jail.local</code><br>
Note: Can append to the very bottom of the page.<br>
<pre>
# Reject Connections that failed username password
_action_tcp_udp = %(banaction)s[name=%(__name__)s-tcp, protocol="tcp", port="%(port)s", blocktype="REJECT --reject-with tcp-reset", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, protocol="udp", port="%(port)s", blocktype="REJECT --reject-with icmp-port-unreachable", chain="%(chain)s", actname=%(banaction)s-udp]

actionx = %(_action_tcp_udp)s

[nginx-cup]
#the name in brackets above is what you use for status
# fail2ban-client status nginx-cup
enabled = true
filter = nginx-correct-up
port = http,https
logpath = /var/log/nginx/error.log
findtime = 3m
bantime = 3m
maxretry = 3
#ignoreip = <your-ipaddress>
#Note: Can find your ipaddress using `curl ifconfig.me` or visit `whatismyip.com`
</pre>
<br \>

<code>$EDITOR /etc/fail2ban/filter.d/nginx-correct-up.conf</code><br \>
<pre>
[Definition]
failregex = client:\s<HOST>
ignoreregex =
</pre>

===Check Fail2Ban for errors===
<code>fail2ban-client -d</code><br \>

===restart nginx and fail2ban so updated setting can take effect===
<code>systemctl restart fail2ban.service</code><br \>
<code>systemctl restart nginx.service</code><br \>
And test.

===Remove need for username and password===
Comment out (or delete) the following lines from your nginx config file:<br>
<code>$EDITOR /etc/nginx/sites-available/default</code><br>
<pre>
auth_basic "Hello Please Login";
auth_basic_user_file /etc/nginx/.htpasswd;
</pre>
<br>
Can comment out lines by placing a '#' in front.<br>
<pre>
#auth_basic "Hello Please Login";
#auth_basic_user_file /etc/nginx/.htpasswd;
</pre>
<br>
Restart Nginx:<br>
<code>systemctl restart nginx</code><br>

==Script for Server==

<syntaxhighlight lang="bash" line>
#!/bin/bash

# Update and upgrade packages
apt update && apt upgrade -y

# Install nginx and apache2-utils
apt install nginx apache2-utils -y

# Set up UFW rules
ufw allow 80/tcp
ufw allow 443/tcp

# Create self-signed SSL certificate
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

# Generate Diffie-Hellman parameters
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

# Get server IP address
server_ip=$(curl -s ifconfig.me)

# Create an SSL configuration snippet
cat > /etc/nginx/snippets/ssl-params.conf <<EOL
ssl_protocols TLSv1.2;

ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL !LOW !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED';

ssl_ecdh_curve secp384r1;

ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

ssl_stapling off;
ssl_stapling_verify off;

resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
EOL

# Get username and password for basic authentication
read -p "Enter a username for basic authentication: " username
read -sp "Enter a password for basic authentication: " password
echo

# Create .htpasswd file
htpasswd -cb /etc/nginx/.htpasswd "$username" "$password"

# Replace the default Nginx server configuration
cat > /etc/nginx/sites-available/default <<EOL
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name $server_ip;
return 302 https://\$server_name\$request_uri;
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;

include snippets/ssl-params.conf;

root /var/www/html;

index index.html index.htm index.nginx-debian.html;

server_name _;

auth_basic "Hello Please Login";
auth_basic_user_file /etc/nginx/.htpasswd;

location / {
try_files \$uri \$uri/ =404;
autoindex on;
}
}
EOL

# Update the server_name directive with the server_ip obtained from ifconfig.me
sed -i "s/\$server_ip/$server_ip/g" /etc/nginx/sites-available/default

# Restart Nginx
systemctl restart nginx

# Create directory for files
mkdir /var/www/html/files

# Create index.html file
cat > /var/www/html/index.html <<EOL
<!DOCTYPE html>
<html>
<head>
<title>Files For Download</title>
</head>
<body>

<a href="files">Click here for our latest files</a>.</p>

</body>
</html>
EOL

# Inform the user of the server IP address
echo "You can visit your server at https://$server_ip"
echo "Transfer files to $server_ip:/var/www/html/files"
</syntaxhighlight>

Ubuntu 22.04 Compression

2023-05-11T19:42:15Z

Noob:

==Tar==
Tar is not a compression tool, but rather a file archiving utility commonly used on Linux systems. The tar command is used to create an archive of one or more files and directories, which can then be compressed using a compression tool like gzip, bzip2, xz, or zstd to reduce its size for storage or transfer purposes. Tar can also be used to extract files from an archive, or to list the contents of an archive without extracting it.

There are several types of compression available on Linux, including:

:* '''gzip''': This is a widely used compression tool that uses the Lempel-Ziv algorithm. It is commonly used to compress individual files and is often used in combination with the tar command to create compressed archives.

:* '''bzip2''': This is another popular compression tool that uses the Burrows-Wheeler algorithm. It is often used for compressing larger files, as it typically achieves higher compression ratios than gzip.

:* '''xz''': This is a newer compression tool that uses the LZMA algorithm. It is often used to compress large files, as it can achieve very high compression ratios.

:* '''lz4''': This is a high-speed compression tool that is designed for use in real-time systems. It is often used for compressing data in network communications and storage systems.

:* '''zstd''': This is a relatively new compression tool that uses the Zstandard compression algorithm. It is designed to offer high compression ratios and fast compression and decompression speeds.

In addition to these tools, there are also several other compression tools available on Linux, including compress, pack, and rar, among others.

===Gzip tar compression===

The tar command is a utility used on Linux systems to create and manage archives of files and directories. The -zcvf options are used to create a compressed archive of one or more files or directories using gzip compression.

'''Syntax''' <br>
<code>tar -zcvf archive_name.tar.gz file_or_directory</code><br>

<code>tar -zcvf /path/store/archive.tar.gz /home/$USER/Documents/testDIR</code><br>

Options

The '''-z''' option is used to compress the archive using gzip. Without this option, the archive will not be compressed.

The '''-c''' option is used to create a new archive. Without this option, the command will attempt to extract files from an existing archive.

The '''-v''' option is used to display the progress of the archive creation. Without this option, the command will run silently.

The '''-f''' option is used to specify the filename of the archive.

===Compressing a single file===

To create a compressed archive of a single file, you can use the following command:

<code>tar -zcvf file_name.tar.gz file_name</code>

This will create a new compressed archive called file_name.tar.gz in the current directory, and include the contents of file_name in the archive.

===Compressing a directory===

To create a compressed archive of a directory and its contents, you can use the following command:

<code>tar -zcvf directory_name.tar.gz directory_name</code>

This will create a new compressed archive called directory_name.tar.gz in the current directory, and include the contents of directory_name and its subdirectories in the archive.

===Compressing multiple files and directories===

To create a compressed archive of multiple files and directories, you can list them all as arguments to the tar command:

<code>tar -zcvf archive_name.tar.gz file_or_directory_1 file_or_directory_2 ...</code>

This will create a new compressed archive called archive_name.tar.gz in the current directory, and include the contents of all specified files and directories in the archive.

===Compressing and excluding files or directories===
You can use the --exclude option to exclude specific files or directories from the archive. For example, to exclude a directory named exclude_dir from an archive, you can use the following command:

<code>tar -zcvf archive_name.tar.gz --exclude=exclude_dir file_or_directory</code>

This will create a new compressed archive called archive_name.tar.gz in the current directory, and include the contents of file_or_directory in the archive while excluding the exclude_dir directory.

To exclude multiple files or directories using the --exclude option with the tar command, you can separate them with a space character. For example, to exclude two directories named exclude_dir1 and exclude_dir2 from an archive, you can use the following command:

<code>tar -zcvf archive_name.tar.gz --exclude=exclude_dir1 --exclude=exclude_dir2 file_or_directory</code>

This will create a new compressed archive called archive_name.tar.gz in the current directory, and include the contents of file_or_directory in the archive while excluding the exclude_dir1 and exclude_dir2 directories.

===Preserve file permissions===

To preserve file permissions when creating a compressed archive with tar, you can use the -p option. The -p option stands for "preserve permissions", and it tells tar to include the file permissions (ownership, group, and mode) in the archive.

So, to create a compressed archive of a file or directory and preserve its permissions, you can use the following command:

<code>tar -zcvpf archive_name.tar.gz file_or_directory</code>

Note that the -p option should be used with caution, as it can potentially create security vulnerabilities if you are extracting the archive as a privileged user. It's generally recommended to use the -p option only when necessary and with a clear understanding of its implications.

Also note that if you are extracting the archive on a different system or with a different user account, the file permissions may not be preserved exactly as they were in the original system, depending on the destination file system and user account settings.

===Gzip Tar Extraction===

The basic syntax for extracting a tar archive compressed with gzip is as follows:

<code>tar -zxvf archive_name.tar.gz</code>

Options:

The -z option is used to decompress the archive using gzip.

The -x option is used to extract the contents of the archive.

The -v option is used to display the progress of the extraction.

The -f option is used to specify the filename of the archive.

====View the contents of a '''gzip''' archive without extracting it using '''zcat'''====

The zcat command is similar to the cat command, but it is used specifically for viewing the contents of gzip compressed files.

Here's an example command to view the contents of a gzip archive without extracting it:

<code>zcat archive_name.tar.gz | less</code>

This command will display the contents of the gzip archive in the less pager, allowing you to scroll through the contents of the archive without extracting it.

If you want to search for a specific file or pattern within the archive, you can pipe the output of zcat to the grep command. Here's an example command to search for a file named file.txt within a gzip archive:

<code>zcat archive_name.tar.gz | grep file.txt</code>

This command will display any lines within the gzip archive that contain the string "file.txt".

Note that the zcat command is only used for viewing the contents of gzip compressed files. If you are working with a tar archive that has been compressed with gzip, you will need to use the tar command in conjunction with zcat to view the contents of the archive. Here's an example command to view the contents of a tar archive compressed with gzip without extracting it:

<code>zcat archive_name.tar.gz | tar tvf -</code>

This command will display a listing of the files and directories within the tar archive, allowing you to see its contents without extracting it.

===Extracting a single file===

To extract a single file from a compressed tar archive, you can use the following command:

<code>tar -zxvf archive_name.tar.gz path/to/file</code>

This will extract the specified file from the compressed archive.

===Extracting a directory===

To extract a directory and its contents from a compressed tar archive, you can use the following command:

<code>tar -zxvf archive_name.tar.gz path/to/directory</code>

This will extract the specified directory and its contents from the compressed archive.

===Extracting multiple files and directories===

To extract multiple files and directories from a compressed tar archive, you can list them all as arguments to the tar command:

<code>tar -zxvf archive_name.tar.gz file_or_directory_1 file_or_directory_2 ...</code>

This will extract the specified files and directories from the compressed archive.

===Extracting to a specific directory===

To extract the contents of a compressed tar archive to a specific directory, you can use the -C option followed by the directory path. For example:

<code>tar -zxvf archive_name.tar.gz -C /path/to/directory</code>

This will extract the contents of the compressed archive to the specified directory.

Ubuntu 22.04 Compression

2023-05-11T19:41:22Z

Noob: Created page with "Tar is not a compression tool, but rather a file archiving utility commonly used on Linux systems. The tar command is used to create an archive of one or more files and directories, which can then be compressed using a compression tool like gzip, bzip2, xz, or zstd to reduce its size for storage or transfer purposes. Tar can also be used to extract files from an archive, or to list the contents of an archive without extracting it. There are several types of compression..."

Tar is not a compression tool, but rather a file archiving utility commonly used on Linux systems. The tar command is used to create an archive of one or more files and directories, which can then be compressed using a compression tool like gzip, bzip2, xz, or zstd to reduce its size for storage or transfer purposes. Tar can also be used to extract files from an archive, or to list the contents of an archive without extracting it.

There are several types of compression available on Linux, including:

:* '''gzip''': This is a widely used compression tool that uses the Lempel-Ziv algorithm. It is commonly used to compress individual files and is often used in combination with the tar command to create compressed archives.

:* '''bzip2''': This is another popular compression tool that uses the Burrows-Wheeler algorithm. It is often used for compressing larger files, as it typically achieves higher compression ratios than gzip.

:* '''xz''': This is a newer compression tool that uses the LZMA algorithm. It is often used to compress large files, as it can achieve very high compression ratios.

:* '''lz4''': This is a high-speed compression tool that is designed for use in real-time systems. It is often used for compressing data in network communications and storage systems.

:* '''zstd''': This is a relatively new compression tool that uses the Zstandard compression algorithm. It is designed to offer high compression ratios and fast compression and decompression speeds.

In addition to these tools, there are also several other compression tools available on Linux, including compress, pack, and rar, among others.

==Gzip tar compression==

The tar command is a utility used on Linux systems to create and manage archives of files and directories. The -zcvf options are used to create a compressed archive of one or more files or directories using gzip compression.

'''Syntax''' <br>
<code>tar -zcvf archive_name.tar.gz file_or_directory</code><br>

<code>tar -zcvf /path/store/archive.tar.gz /home/$USER/Documents/testDIR</code><br>

Options

The '''-z''' option is used to compress the archive using gzip. Without this option, the archive will not be compressed.

The '''-c''' option is used to create a new archive. Without this option, the command will attempt to extract files from an existing archive.

The '''-v''' option is used to display the progress of the archive creation. Without this option, the command will run silently.

The '''-f''' option is used to specify the filename of the archive.

===Compressing a single file===

To create a compressed archive of a single file, you can use the following command:

<code>tar -zcvf file_name.tar.gz file_name</code>

This will create a new compressed archive called file_name.tar.gz in the current directory, and include the contents of file_name in the archive.

===Compressing a directory===

To create a compressed archive of a directory and its contents, you can use the following command:

<code>tar -zcvf directory_name.tar.gz directory_name</code>

This will create a new compressed archive called directory_name.tar.gz in the current directory, and include the contents of directory_name and its subdirectories in the archive.

===Compressing multiple files and directories===

To create a compressed archive of multiple files and directories, you can list them all as arguments to the tar command:

<code>tar -zcvf archive_name.tar.gz file_or_directory_1 file_or_directory_2 ...</code>

This will create a new compressed archive called archive_name.tar.gz in the current directory, and include the contents of all specified files and directories in the archive.

===Compressing and excluding files or directories===
You can use the --exclude option to exclude specific files or directories from the archive. For example, to exclude a directory named exclude_dir from an archive, you can use the following command:

<code>tar -zcvf archive_name.tar.gz --exclude=exclude_dir file_or_directory</code>

This will create a new compressed archive called archive_name.tar.gz in the current directory, and include the contents of file_or_directory in the archive while excluding the exclude_dir directory.

To exclude multiple files or directories using the --exclude option with the tar command, you can separate them with a space character. For example, to exclude two directories named exclude_dir1 and exclude_dir2 from an archive, you can use the following command:

<code>tar -zcvf archive_name.tar.gz --exclude=exclude_dir1 --exclude=exclude_dir2 file_or_directory</code>

This will create a new compressed archive called archive_name.tar.gz in the current directory, and include the contents of file_or_directory in the archive while excluding the exclude_dir1 and exclude_dir2 directories.

===Preserve file permissions===

To preserve file permissions when creating a compressed archive with tar, you can use the -p option. The -p option stands for "preserve permissions", and it tells tar to include the file permissions (ownership, group, and mode) in the archive.

So, to create a compressed archive of a file or directory and preserve its permissions, you can use the following command:

<code>tar -zcvpf archive_name.tar.gz file_or_directory</code>

Note that the -p option should be used with caution, as it can potentially create security vulnerabilities if you are extracting the archive as a privileged user. It's generally recommended to use the -p option only when necessary and with a clear understanding of its implications.

Also note that if you are extracting the archive on a different system or with a different user account, the file permissions may not be preserved exactly as they were in the original system, depending on the destination file system and user account settings.

==Gzip Tar Extraction==

The basic syntax for extracting a tar archive compressed with gzip is as follows:

<code>tar -zxvf archive_name.tar.gz</code>

Options:

The -z option is used to decompress the archive using gzip.

The -x option is used to extract the contents of the archive.

The -v option is used to display the progress of the extraction.

The -f option is used to specify the filename of the archive.

====View the contents of a '''gzip''' archive without extracting it using '''zcat'''====

The zcat command is similar to the cat command, but it is used specifically for viewing the contents of gzip compressed files.

Here's an example command to view the contents of a gzip archive without extracting it:

<code>zcat archive_name.tar.gz | less</code>

This command will display the contents of the gzip archive in the less pager, allowing you to scroll through the contents of the archive without extracting it.

If you want to search for a specific file or pattern within the archive, you can pipe the output of zcat to the grep command. Here's an example command to search for a file named file.txt within a gzip archive:

<code>zcat archive_name.tar.gz | grep file.txt</code>

This command will display any lines within the gzip archive that contain the string "file.txt".

Note that the zcat command is only used for viewing the contents of gzip compressed files. If you are working with a tar archive that has been compressed with gzip, you will need to use the tar command in conjunction with zcat to view the contents of the archive. Here's an example command to view the contents of a tar archive compressed with gzip without extracting it:

<code>zcat archive_name.tar.gz | tar tvf -</code>

This command will display a listing of the files and directories within the tar archive, allowing you to see its contents without extracting it.

===Extracting a single file===

To extract a single file from a compressed tar archive, you can use the following command:

<code>tar -zxvf archive_name.tar.gz path/to/file</code>

This will extract the specified file from the compressed archive.

===Extracting a directory===

To extract a directory and its contents from a compressed tar archive, you can use the following command:

<code>tar -zxvf archive_name.tar.gz path/to/directory</code>

This will extract the specified directory and its contents from the compressed archive.

===Extracting multiple files and directories===

To extract multiple files and directories from a compressed tar archive, you can list them all as arguments to the tar command:

<code>tar -zxvf archive_name.tar.gz file_or_directory_1 file_or_directory_2 ...</code>

This will extract the specified files and directories from the compressed archive.

===Extracting to a specific directory===

To extract the contents of a compressed tar archive to a specific directory, you can use the -C option followed by the directory path. For example:

<code>tar -zxvf archive_name.tar.gz -C /path/to/directory</code>

This will extract the contents of the compressed archive to the specified directory.

Ubuntu 22.04 IPFS

2023-05-11T19:13:00Z

Noob: Created page with "Moved from 'IPFS Basics' This page is going to be just about IPFS on/for Ubuntu 22.04 Redo from scratch, below is for notes and placeholder from old page. ==Introduction to IPFS== Note that this guide was unsuccessful on a home network but worked on a Vultr VPS. IPFS requires ports 4001 TCP and UDP to be open on the router. Tested on an Ubuntu 22.04 server. Download Linux Binary from https://dist.ipfs.tech/#go-ipfs Assuming you already have LXD set up (it doesn't ha..."

Moved from 'IPFS Basics' This page is going to be just about IPFS on/for Ubuntu 22.04 Redo from scratch, below is for notes and placeholder from old page.

==Introduction to IPFS==

Note that this guide was unsuccessful on a home network but worked on a Vultr VPS.
IPFS requires ports 4001 TCP and UDP to be open on the router.

Tested on an Ubuntu 22.04 server.

Download Linux Binary from https://dist.ipfs.tech/#go-ipfs

Assuming you already have LXD set up (it doesn't have to be in a container):
Check https://dist.ipfs.tech/kubo/ for the latest version.

<pre>
apt update && apt upgrade -y
wget https://dist.ipfs.tech/kubo/v0.18.1/kubo_v0.18.1_linux-amd64.tar.gz
tar xvf kubo_v0.18.1_linux-amd64.tar.gz
bash kubo/install.sh
ipfs init
</pre>

You may encounter an error that looks like this:
<pre>
ERROR provider.queue queue/queue.go:125 Failed to enqueue cid: leveldb: closed
</pre>
This error does not impact the installation.

Now, create a simple text file. Replace '''$EDITOR''' with your preferred terminal text editor.

<code>$EDITOR helloworld.txt</code>

Add the following content to the file:
<pre>
Hello there, I wonder how many devices I can see this on.
</pre>

To share the file, you need to add and pin it:

<code>ipfs add helloworld.txt</code>

The command will return a CID, which looks like this:<br>
'''QmQTnvc5eV7NdPfQ8zLVCr6gBrXaDAUKUd1SGDAfsPFnoh.'''<br>
Now, pin the file:

<code>ipfs pin add QmQTnvc5eV7NdPfQ8zLVCr6gBrXaDAUKUd1SGDAfsPFnoh</code>

Connect to the network:

<code>ipfs daemon</code>

You can use '''CTRL+z''' to send the IPFS daemon to the background and run '''ipfs swarm peers''' to see connections.
To bring the IPFS daemon back to the foreground, use '''bg''' to see background processes and then '''fg 1'''.

Note: '''ipfs.io''' is a third-party service and cannot handle data-heavy content. For heavy content, such as videos, download using IPFS to view.

To view the file in a web browser, simply add '''https://ipfs.io/ipfs/''' to the beginning of the CID:

https://ipfs.io/ipfs/QmQTnvc5eV7NdPfQ8zLVCr6gBrXaDAUKUd1SGDAfsPFnoh

==IPFS Desktop==
<code>https://github.com/ipfs/ipfs-desktop/releases</code><br>

==Download and share==
<b>$HASH</b> is placeholder for the hash of the ipfs file.<br>
To download a file:<br>
<code>ipfs get $HASH</code><br>
To share/host you need to pin:<br>
<code>ipfs pin $HASH</code><br>
To view pinned items<br>
<code>ipfs pin ls</code><br>
or<br>
<code>ipfs pin ls --type=recursive</code><br>
===add directory===
<code>ipfs add --recursive /path/to/directory</code><br>
each file in directory (recursive) will be uploaded and each given a hash.<br>

===unpin===
<code>ipfs pin rm $HASH</code><br>
===Clear cache===
<code>ipfs repo gc</code><br>

===View on web browser===
Note: ipfs.io is a third party service, and can not handle data heavy content. For heavy content such as videos, download using ipfs to view.<br>
Use web site/service ipfs.io<br>
<code>https://ipfs.io/ipfs/$HASH</code><br>

==Host on Server==
<code>wget https://dist.ipfs.tech/kubo/v0.18.1/kubo_v0.18.1_linux-amd64.tar.gz</code><br>
<code>tar xvf kubo_v0.18.1_linux-amd64.tar.gz</code><br>
<code>bash kubo/install.sh</code><br>
<code>ipfs init --profile server</code><br>

===systemd===
<code>$EDITOR /etc/systemd/system/ipfs.service</code><br>
<pre>
[Unit]
Description =Start ipfs daemon

[Service]
Type=simple
ExecStart=/usr/local/bin/ipfs daemon

[Install]
WantedBy=multi-user.target
</pre>

<code>systemctl enable ipfs.service</code><br>
<code>systemctl start ipfs</code><br>

==Note: will tidy later ==

NOTE: should of checked the licence first,The MIT open course ware is <b>CC BY-NC-SA 4.0</b> and can not be used on this website! deleteing, leaving this here for note on how to pin mass of files.<br>
In this example i will be uploading an MIT cc-by course to ipfs.

files in a directory called <b>mit-test-course</b><br>
<code>ipfs add --recursive /path/to/directory</code><br> will add all the files but not pin them.<br>

<pre>
root@ipfs-test:~# tree mit-test-course/
mit-test-course/
├── 1
│   ├── 920cc911b6eb5747f2ccd431bbc4306b_lec1.py
│   ├── MIT6_0001F16_Lecture_01_300k.mp4
│   └── e921a690079369751bcce3e34da6c6ee_MIT6_0001F16_Lec1.pdf
├── 10
│   ├── 066eba6ea6d56a88e56ae325940d4c4c_MIT6_0001F16_Lec10.pdf
│   ├── MIT6_0001F16_Lecture_10_300k.mp4
│   └── bfa32fd241d88ae02cd3157aed232bac_lec10_complexity_part1.py
├── 11
│   ├── MIT6_0001F16_Lecture_11_300k.mp4
│   ├── bb953fb81d4afa3bc837c16eba613955_MIT6_0001F16_Lec11.pdf
│   └── bdf800867e6762c6758ecd2230178f41_lec11_complexity_part2.py
├── 12
│   ├── 310536cd5f5aa1fc0c11726ce13c565e_lec12_sorting.py
│   ├── 6425d0dabb1cea1a076b8c46c0ae2da6_MIT6_0001F16_Lec12.pdf
│   └── MIT6_0001F16_Lecture_12_300k.mp4
├── 2
│   ├── MIT6_0001F16_Lecture_02_300k.mp4
│   ├── ba2947b25b1580e4a84df0ec5dbe5cdd_MIT6_0001F16_Lec2.pdf
│   └── d6ee838ee4c85ace93a4e170cfd83c03_lec2_branch_loops.py
├── 3
│   ├── 88de925a1fb925e46a08bc5f34d029bd_lec3_strings_algos.py
│   ├── MIT6_0001F16_Lecture_03_300k.mp4
│   └── b9b9a82a29e8746db1facfbd30c07940_MIT6_0001F16_Lec3.pdf
├── 4
│   ├── 6ba59859535f1566dd57a7279aeba5d1_MIT6_0001F16_Lec4.pdf
│   ├── 9e8439a27af18817e046ac37333d03f6_lec4_functions.py
│   └── MIT6_0001F16_Lecture_04_300k.mp4
├── 5
│   ├── 1776670e271578eeb99fc25975f20586_MIT6_0001F16_Lec5.pdf
│   ├── MIT6_0001F16_Lecture_05_300k.mp4
│   └── cdf5f8e7f109952655f4d253ed955555_lec5_tuples_lists.py
├── 6
│   ├── 706228e592761d9c7c1c073f8ba7a6cc_lec6_recursion_dictionaries.py
│   ├── 876348c652c5353daccc96e1b7d577bb_MIT6_0001F16_Lec6.pdf
│   └── MIT6_0001F16_Lecture_06_300k.mp4
├── 7
│   ├── 51bdde43dfd773ba20747ce5d89119ac_MIT6_0001F16_Lec7.pdf
│   ├── MIT6_0001F16_Lecture_07_300k.mp4
│   └── abdd1d61892ccce9be2ad84e52004e07_lec7_debug_except.py
├── 8
│   ├── 0705ac9dcc7e637a0e8e9d97eb258a26_lec8_classes.py
│   ├── 7a6f85d03f132dcd9d7592bc4643be1c_MIT6_0001F16_Lec8.pdf
│   └── MIT6_0001F16_Lecture_08_300k.mp4
├── 9
│   ├── 2dd6c75e7b4bd6bd135078e6f3701201_MIT6_0001F16_Lec9.pdf
│   ├── MIT6_0001F16_Lecture_09_300k.mp4
│   └── bf8e8195044d5f6aefc1a455968e2f3e_lec9_inheritance.py
└── Introduction to Computer Science and Programming in Python.txt

12 directories, 37 files

</pre>

<code>ipfs add --recursive /path/to/mit-test-course > mit.txt</code><br> will upload and create a file called mit.txt with the following output:<br>
<pre>
root@ipfs-test:~# cat mit.txt
added QmengUgSy9oY9qMXJC6ujKy7mMpunb5sG5Uo8RpFX4G5g9 mit-test-course/1/920cc911b6eb5747f2ccd431bbc4306b_lec1.py
added QmaTdTMxWdz6ySLbx258zQU5McpJTo4ZEVJ63GSKmVEyeM mit-test-course/1/MIT6_0001F16_Lecture_01_300k.mp4
added QmemB25bVuN2fuiAq3JaDM4J5MYit6HfCCsU3EFTWL7wpF mit-test-course/1/e921a690079369751bcce3e34da6c6ee_MIT6_0001F16_Lec1.pdf
added QmbyP59ttPKGe5ZNADsgqTsgBF3oYGzhZXFfBhszG2nuPm mit-test-course/10/066eba6ea6d56a88e56ae325940d4c4c_MIT6_0001F16_Lec10.pdf
added QmQNooq1g25LFp1Fxj2tfpKKMKi8NbutkhuXNf5Ppo7t5f mit-test-course/10/MIT6_0001F16_Lecture_10_300k.mp4
added QmUtgXQXjj2C3qb2UXFrPmKHkFdEjmehk4ZLQhcZ37rEmw mit-test-course/10/bfa32fd241d88ae02cd3157aed232bac_lec10_complexity_part1.py
added QmR7Ned6iZytjpVHVN6W53EZ5Qg4Zd6EkEcXxn8DjYMgrd mit-test-course/11/MIT6_0001F16_Lecture_11_300k.mp4
added QmNPjN3616QdmEWLPokwuTkLL1vrzcLVRSFLWUcukqtxZL mit-test-course/11/bb953fb81d4afa3bc837c16eba613955_MIT6_0001F16_Lec11.pdf
added QmdpwFTFkwnkqWW3CozBBAfeYHchDeVAV7ArkA1dUqbUZ4 mit-test-course/11/bdf800867e6762c6758ecd2230178f41_lec11_complexity_part2.py
added QmbV8ct8DEQyRGRDSX4PaQBXk8r8ryYLDNwTa2buC7kcP5 mit-test-course/12/310536cd5f5aa1fc0c11726ce13c565e_lec12_sorting.py
added QmToP68Knz71euVuntRWtz6UshRoiRssELJNFMeP1f2sR5 mit-test-course/12/6425d0dabb1cea1a076b8c46c0ae2da6_MIT6_0001F16_Lec12.pdf
added QmPWidAv5mBrgEcKDVqWe62JaAiwBWs8KZc1S8r3bbJsvY mit-test-course/12/MIT6_0001F16_Lecture_12_300k.mp4
added QmTFdkMJnzUcwgs1hdoF7qtADE2NqTJVaF9CfgULbzSuA9 mit-test-course/2/MIT6_0001F16_Lecture_02_300k.mp4
added QmNiZvEh6UmpHLTxw4saN7WdojzBokp2JCbucYzrekoQBK mit-test-course/2/ba2947b25b1580e4a84df0ec5dbe5cdd_MIT6_0001F16_Lec2.pdf
added QmPjEzEu56mqeE19Vth9AkDbAxz7wAWg9zMVvF9FZ1UBvK mit-test-course/2/d6ee838ee4c85ace93a4e170cfd83c03_lec2_branch_loops.py
added QmYppDgGMptihHA7ixFw2GHvspN8Bw1HY21HtUpQNxi23i mit-test-course/3/88de925a1fb925e46a08bc5f34d029bd_lec3_strings_algos.py
added QmTTCsuhbnjXWuigZLSgKAt4DjFsm78MANo3KUMGcK98s1 mit-test-course/3/MIT6_0001F16_Lecture_03_300k.mp4
added QmP2AZfUx8RTqCGamJtPyodFU8dHG8QrBHYKkP79YepEe9 mit-test-course/3/b9b9a82a29e8746db1facfbd30c07940_MIT6_0001F16_Lec3.pdf
added QmP1p4h21ogMxWeeX2PiDibQbHqWer7ABCsMrfMxEx7QBW mit-test-course/4/6ba59859535f1566dd57a7279aeba5d1_MIT6_0001F16_Lec4.pdf
added QmNtPQncXMYNBnX4NoNfx2ifetrfvrATamdrsjx4u9iQ7c mit-test-course/4/9e8439a27af18817e046ac37333d03f6_lec4_functions.py
added QmQuc5zpaJdMfRYxTLyZc5DQuota1FjuJiqgWf8ctGmRsU mit-test-course/4/MIT6_0001F16_Lecture_04_300k.mp4
added QmSdxg2inPbK1FSynNdPUka6CUZtEGG6sdPZgxaAgb46GE mit-test-course/5/1776670e271578eeb99fc25975f20586_MIT6_0001F16_Lec5.pdf
added Qmco5sKKQfnWUNP9ZUxLkDhoV6jfjv8L4AdzES7En41AzP mit-test-course/5/MIT6_0001F16_Lecture_05_300k.mp4
added QmThDori5ETa3U27DFpndU7RmsLgG7zjpqGVxAncCupSuc mit-test-course/5/cdf5f8e7f109952655f4d253ed955555_lec5_tuples_lists.py
added QmaGhNYnR5yUMYZf4q7qLsNwEW6B7pbLbgJokJBTNSA2FT mit-test-course/6/706228e592761d9c7c1c073f8ba7a6cc_lec6_recursion_dictionaries.py
added QmQAqSGJAeoypUMyUnb7hRrziDyRAwymcTGdcaydT5i73s mit-test-course/6/876348c652c5353daccc96e1b7d577bb_MIT6_0001F16_Lec6.pdf
added QmVzK3PVETv69Y27UKDfaQQM5um8ByMdYQS3TzD2EkoR42 mit-test-course/6/MIT6_0001F16_Lecture_06_300k.mp4
added QmcqZoeVrsfBv4Ri6M8KtiLdy3VpKnyznDFhX8zvfd3Qrs mit-test-course/7/51bdde43dfd773ba20747ce5d89119ac_MIT6_0001F16_Lec7.pdf
added QmUyiqpAUA91w4Xm2Dz2wPr6kE6wTzA1apwJziTdBysRLw mit-test-course/7/MIT6_0001F16_Lecture_07_300k.mp4
added QmeVKCB6ponYr4f72MuNwegukX9t42NTywNHpDPgyNi9ae mit-test-course/7/abdd1d61892ccce9be2ad84e52004e07_lec7_debug_except.py
added QmQCaZZA75UQ5pAKy8zhcz6Ci8yY13UVHUvsuXmid86GUH mit-test-course/8/0705ac9dcc7e637a0e8e9d97eb258a26_lec8_classes.py
added QmdccChFuYBCiLmufEmk6oXCHybaUQiPXajD3c3xMupiaC mit-test-course/8/7a6f85d03f132dcd9d7592bc4643be1c_MIT6_0001F16_Lec8.pdf
added QmZFSSPndvRfPT2vyehuyEQitfb8CzdYkA7orFAKyvhA4u mit-test-course/8/MIT6_0001F16_Lecture_08_300k.mp4
added QmbaJFk4mFRmCbtQybK94etyfRA2LcM22Kfvjbvdf6X8Gw mit-test-course/9/2dd6c75e7b4bd6bd135078e6f3701201_MIT6_0001F16_Lec9.pdf
added QmdENonCipE7TK99i7dFz9paqDUSefR4PFdveEmVi5oXAb mit-test-course/9/MIT6_0001F16_Lecture_09_300k.mp4
added QmQ7UB4PaGBRHvHfDshrASwynvansFVXrp3RNULwhThUsC mit-test-course/9/bf8e8195044d5f6aefc1a455968e2f3e_lec9_inheritance.py
added Qmdw2XaaX99t7eNzRNXdHEHYzwiH5qhg1iBLDpekCXj5am mit-test-course/Introduction to Computer Science and Programming in Python.txt
added QmQM6QEJK9kJGzxe1ntDKrE7nLtB9CPqupjQZvsEze6rkK mit-test-course/1
added QmX7ZEHg2WipkSbwani5iSwxtBPgghajtGP1QqJQ6jQAAE mit-test-course/10
added QmaUyBU3M5zFpeHrMdZbapSLf73SUHZaookrCRCRm87Jwb mit-test-course/11
added QmP3Xx9cUp9Ly44bP1TXQHziVpLpNuZDnH7nRhdQTJPk5w mit-test-course/12
added QmYQQLN4pEdKi7S8GJJLFtw4LCEiZPkUzRjyNJqNcrU7kS mit-test-course/2
added QmZvUavbLwZ5PjiadoGSvB8nURGaeDiTyNivZq9tsPN1dD mit-test-course/3
added QmWf7uJtJmBhLB4sAsWUDWGwPyz24yboHYqxZGpEAwP4Gx mit-test-course/4
added QmPAApNSDbgZnr1tVe77zPx8bz3USsP4UZxA6nCCSMEbRx mit-test-course/5
added QmPMEUkViQsT7XwfPxwque3EfmPs1kaVJCU5Bc8AujYfej mit-test-course/6
added QmWnzp23vzhx8rX5z7W9WZVWGq2H8j18GmqddbHRa79jX1 mit-test-course/7
added QmRnosvcFPgEZSGMyRw9uuTyDzcQf6Q2ffEXADYEFvqtsN mit-test-course/8
added QmeUE3L3gwNvK3BvcutttWxSJPn7RusxNZHzTQeYUNGzjw mit-test-course/9
added QmY965P9FuqBum5Ppy7QWUf1HBRVdqDbMFVDStBdjNnjqk mit-test-course
</pre>
Now we are going to use awk to just print out the hashes.<br>
<code>cat mit.txt | awk '{print $2}' >hash.txt</code><br>
<code>cat hash.txt</code> will return:
<pre>
root@ipfs-test:~# cat hash.txt
QmengUgSy9oY9qMXJC6ujKy7mMpunb5sG5Uo8RpFX4G5g9
QmaTdTMxWdz6ySLbx258zQU5McpJTo4ZEVJ63GSKmVEyeM
QmemB25bVuN2fuiAq3JaDM4J5MYit6HfCCsU3EFTWL7wpF
QmbyP59ttPKGe5ZNADsgqTsgBF3oYGzhZXFfBhszG2nuPm
QmQNooq1g25LFp1Fxj2tfpKKMKi8NbutkhuXNf5Ppo7t5f
QmUtgXQXjj2C3qb2UXFrPmKHkFdEjmehk4ZLQhcZ37rEmw
QmR7Ned6iZytjpVHVN6W53EZ5Qg4Zd6EkEcXxn8DjYMgrd
QmNPjN3616QdmEWLPokwuTkLL1vrzcLVRSFLWUcukqtxZL
QmdpwFTFkwnkqWW3CozBBAfeYHchDeVAV7ArkA1dUqbUZ4
QmbV8ct8DEQyRGRDSX4PaQBXk8r8ryYLDNwTa2buC7kcP5
QmToP68Knz71euVuntRWtz6UshRoiRssELJNFMeP1f2sR5
QmPWidAv5mBrgEcKDVqWe62JaAiwBWs8KZc1S8r3bbJsvY
QmTFdkMJnzUcwgs1hdoF7qtADE2NqTJVaF9CfgULbzSuA9
QmNiZvEh6UmpHLTxw4saN7WdojzBokp2JCbucYzrekoQBK
QmPjEzEu56mqeE19Vth9AkDbAxz7wAWg9zMVvF9FZ1UBvK
QmYppDgGMptihHA7ixFw2GHvspN8Bw1HY21HtUpQNxi23i
QmTTCsuhbnjXWuigZLSgKAt4DjFsm78MANo3KUMGcK98s1
QmP2AZfUx8RTqCGamJtPyodFU8dHG8QrBHYKkP79YepEe9
QmP1p4h21ogMxWeeX2PiDibQbHqWer7ABCsMrfMxEx7QBW
QmNtPQncXMYNBnX4NoNfx2ifetrfvrATamdrsjx4u9iQ7c
QmQuc5zpaJdMfRYxTLyZc5DQuota1FjuJiqgWf8ctGmRsU
QmSdxg2inPbK1FSynNdPUka6CUZtEGG6sdPZgxaAgb46GE
Qmco5sKKQfnWUNP9ZUxLkDhoV6jfjv8L4AdzES7En41AzP
QmThDori5ETa3U27DFpndU7RmsLgG7zjpqGVxAncCupSuc
QmaGhNYnR5yUMYZf4q7qLsNwEW6B7pbLbgJokJBTNSA2FT
QmQAqSGJAeoypUMyUnb7hRrziDyRAwymcTGdcaydT5i73s
QmVzK3PVETv69Y27UKDfaQQM5um8ByMdYQS3TzD2EkoR42
QmcqZoeVrsfBv4Ri6M8KtiLdy3VpKnyznDFhX8zvfd3Qrs
QmUyiqpAUA91w4Xm2Dz2wPr6kE6wTzA1apwJziTdBysRLw
QmeVKCB6ponYr4f72MuNwegukX9t42NTywNHpDPgyNi9ae
QmQCaZZA75UQ5pAKy8zhcz6Ci8yY13UVHUvsuXmid86GUH
QmdccChFuYBCiLmufEmk6oXCHybaUQiPXajD3c3xMupiaC
QmZFSSPndvRfPT2vyehuyEQitfb8CzdYkA7orFAKyvhA4u
QmbaJFk4mFRmCbtQybK94etyfRA2LcM22Kfvjbvdf6X8Gw
QmdENonCipE7TK99i7dFz9paqDUSefR4PFdveEmVi5oXAb
QmQ7UB4PaGBRHvHfDshrASwynvansFVXrp3RNULwhThUsC
Qmdw2XaaX99t7eNzRNXdHEHYzwiH5qhg1iBLDpekCXj5am
QmQM6QEJK9kJGzxe1ntDKrE7nLtB9CPqupjQZvsEze6rkK
QmX7ZEHg2WipkSbwani5iSwxtBPgghajtGP1QqJQ6jQAAE
QmaUyBU3M5zFpeHrMdZbapSLf73SUHZaookrCRCRm87Jwb
QmP3Xx9cUp9Ly44bP1TXQHziVpLpNuZDnH7nRhdQTJPk5w
QmYQQLN4pEdKi7S8GJJLFtw4LCEiZPkUzRjyNJqNcrU7kS
QmZvUavbLwZ5PjiadoGSvB8nURGaeDiTyNivZq9tsPN1dD
QmWf7uJtJmBhLB4sAsWUDWGwPyz24yboHYqxZGpEAwP4Gx
QmPAApNSDbgZnr1tVe77zPx8bz3USsP4UZxA6nCCSMEbRx
QmPMEUkViQsT7XwfPxwque3EfmPs1kaVJCU5Bc8AujYfej
QmWnzp23vzhx8rX5z7W9WZVWGq2H8j18GmqddbHRa79jX1
QmRnosvcFPgEZSGMyRw9uuTyDzcQf6Q2ffEXADYEFvqtsN
QmeUE3L3gwNvK3BvcutttWxSJPn7RusxNZHzTQeYUNGzjw
QmY965P9FuqBum5Ppy7QWUf1HBRVdqDbMFVDStBdjNnjqk
</pre>

Can do in terminal but will make bash script.<br>
<code>$EDITOR pin-hash.sh</code>

<pre>
#!/bin/bash
while read p; do
ipfs pin add $p
done <hash.txt
</pre>

<code>bash pin-hash.sh</code><br>
<pre>
root@ipfs-test:~# bash pin-hash.sh
pinned QmengUgSy9oY9qMXJC6ujKy7mMpunb5sG5Uo8RpFX4G5g9 recursively
pinned QmaTdTMxWdz6ySLbx258zQU5McpJTo4ZEVJ63GSKmVEyeM recursively
pinned QmemB25bVuN2fuiAq3JaDM4J5MYit6HfCCsU3EFTWL7wpF recursively
pinned QmbyP59ttPKGe5ZNADsgqTsgBF3oYGzhZXFfBhszG2nuPm recursively
pinned QmQNooq1g25LFp1Fxj2tfpKKMKi8NbutkhuXNf5Ppo7t5f recursively
pinned QmUtgXQXjj2C3qb2UXFrPmKHkFdEjmehk4ZLQhcZ37rEmw recursively
pinned QmR7Ned6iZytjpVHVN6W53EZ5Qg4Zd6EkEcXxn8DjYMgrd recursively
pinned QmNPjN3616QdmEWLPokwuTkLL1vrzcLVRSFLWUcukqtxZL recursively
pinned QmdpwFTFkwnkqWW3CozBBAfeYHchDeVAV7ArkA1dUqbUZ4 recursively
pinned QmbV8ct8DEQyRGRDSX4PaQBXk8r8ryYLDNwTa2buC7kcP5 recursively
pinned QmToP68Knz71euVuntRWtz6UshRoiRssELJNFMeP1f2sR5 recursively
pinned QmPWidAv5mBrgEcKDVqWe62JaAiwBWs8KZc1S8r3bbJsvY recursively
pinned QmTFdkMJnzUcwgs1hdoF7qtADE2NqTJVaF9CfgULbzSuA9 recursively
pinned QmNiZvEh6UmpHLTxw4saN7WdojzBokp2JCbucYzrekoQBK recursively
pinned QmPjEzEu56mqeE19Vth9AkDbAxz7wAWg9zMVvF9FZ1UBvK recursively
pinned QmYppDgGMptihHA7ixFw2GHvspN8Bw1HY21HtUpQNxi23i recursively
pinned QmTTCsuhbnjXWuigZLSgKAt4DjFsm78MANo3KUMGcK98s1 recursively
pinned QmP2AZfUx8RTqCGamJtPyodFU8dHG8QrBHYKkP79YepEe9 recursively
pinned QmP1p4h21ogMxWeeX2PiDibQbHqWer7ABCsMrfMxEx7QBW recursively
pinned QmNtPQncXMYNBnX4NoNfx2ifetrfvrATamdrsjx4u9iQ7c recursively
pinned QmQuc5zpaJdMfRYxTLyZc5DQuota1FjuJiqgWf8ctGmRsU recursively
pinned QmSdxg2inPbK1FSynNdPUka6CUZtEGG6sdPZgxaAgb46GE recursively
pinned Qmco5sKKQfnWUNP9ZUxLkDhoV6jfjv8L4AdzES7En41AzP recursively
pinned QmThDori5ETa3U27DFpndU7RmsLgG7zjpqGVxAncCupSuc recursively
pinned QmaGhNYnR5yUMYZf4q7qLsNwEW6B7pbLbgJokJBTNSA2FT recursively
pinned QmQAqSGJAeoypUMyUnb7hRrziDyRAwymcTGdcaydT5i73s recursively
pinned QmVzK3PVETv69Y27UKDfaQQM5um8ByMdYQS3TzD2EkoR42 recursively
pinned QmcqZoeVrsfBv4Ri6M8KtiLdy3VpKnyznDFhX8zvfd3Qrs recursively
pinned QmUyiqpAUA91w4Xm2Dz2wPr6kE6wTzA1apwJziTdBysRLw recursively
pinned QmeVKCB6ponYr4f72MuNwegukX9t42NTywNHpDPgyNi9ae recursively
pinned QmQCaZZA75UQ5pAKy8zhcz6Ci8yY13UVHUvsuXmid86GUH recursively
pinned QmdccChFuYBCiLmufEmk6oXCHybaUQiPXajD3c3xMupiaC recursively
pinned QmZFSSPndvRfPT2vyehuyEQitfb8CzdYkA7orFAKyvhA4u recursively
pinned QmbaJFk4mFRmCbtQybK94etyfRA2LcM22Kfvjbvdf6X8Gw recursively
pinned QmdENonCipE7TK99i7dFz9paqDUSefR4PFdveEmVi5oXAb recursively
pinned QmQ7UB4PaGBRHvHfDshrASwynvansFVXrp3RNULwhThUsC recursively
pinned Qmdw2XaaX99t7eNzRNXdHEHYzwiH5qhg1iBLDpekCXj5am recursively
pinned QmQM6QEJK9kJGzxe1ntDKrE7nLtB9CPqupjQZvsEze6rkK recursively
pinned QmX7ZEHg2WipkSbwani5iSwxtBPgghajtGP1QqJQ6jQAAE recursively
pinned QmaUyBU3M5zFpeHrMdZbapSLf73SUHZaookrCRCRm87Jwb recursively
pinned QmP3Xx9cUp9Ly44bP1TXQHziVpLpNuZDnH7nRhdQTJPk5w recursively
pinned QmYQQLN4pEdKi7S8GJJLFtw4LCEiZPkUzRjyNJqNcrU7kS recursively
pinned QmZvUavbLwZ5PjiadoGSvB8nURGaeDiTyNivZq9tsPN1dD recursively
pinned QmWf7uJtJmBhLB4sAsWUDWGwPyz24yboHYqxZGpEAwP4Gx recursively
pinned QmPAApNSDbgZnr1tVe77zPx8bz3USsP4UZxA6nCCSMEbRx recursively
pinned QmPMEUkViQsT7XwfPxwque3EfmPs1kaVJCU5Bc8AujYfej recursively
pinned QmWnzp23vzhx8rX5z7W9WZVWGq2H8j18GmqddbHRa79jX1 recursively
pinned QmRnosvcFPgEZSGMyRw9uuTyDzcQf6Q2ffEXADYEFvqtsN recursively
pinned QmeUE3L3gwNvK3BvcutttWxSJPn7RusxNZHzTQeYUNGzjw recursively
pinned QmY965P9FuqBum5Ppy7QWUf1HBRVdqDbMFVDStBdjNnjqk recursively
</pre>

==bash script to pin recursive directory to IPFS==

to use <code>script.sh /path/to/directory</code><br>

<syntaxhighlight lang="bash" line>
#!/bin/bash

# Check if directory argument is provided
if [ -z "$1" ]; then
echo "Usage: script.sh /path/to/directory"
exit 1
fi

# Check if IPFS is installed
if ! command -v ipfs &> /dev/null; then
echo "IPFS is not installed. Please install it first."
exit 1
fi

# Set directory path and filenames
dir_path="$1"
ipfs_list="/tmp/ipfs_$(date +'%Y%m%d%H%M%S').list"
ipfs_hash="/tmp/ipfs_$(date +'%Y%m%d%H%M%S').hash"

# Add directory to IPFS and save output to temporary file
ipfs add --recursive "$dir_path" > "$ipfs_list"

# Extract IPFS hashes from list and save to temporary file
cat "$ipfs_list" | awk '{print $2}' > "$ipfs_hash"

# Pin each hash from temporary file
while read -r hash; do
ipfs pin add "$hash"
done < "$ipfs_hash"

# Clean up temporary files
rm "$ipfs_list" "$ipfs_hash"
</syntaxhighlight>

Here's how the script works:

: It first checks if a directory path argument is provided. If not, it prints the usage instructions and exits.

: It checks if IPFS is installed by checking if the ipfs command is available. If not, it prints an error message and exits.

: It sets the directory path and temporary filenames for the IPFS list and hash.

: It adds the specified directory to IPFS recursively using the ipfs add command and saves the output to the temporary IPFS list file.

: It extracts the IPFS hashes from the list file and saves them to the temporary IPFS hash file.

: It loops through each hash in the temporary hash file and pins it using the ipfs pin add command.

: Finally, it cleans up the temporary files.

Note that this script will create new temporary files with a timestamp appended to the filename each time it is run. This is to avoid overwriting any existing temporary files with the same name.

DICTIONARY SIGHUP

2023-05-11T19:08:00Z

Noob: Noob moved page SIGHUP to DICTIONARY SIGHUP

'''SIGHUP''', or '''Signal Hangup''', is a signal used in Unix and Unix-like operating systems to indicate that a controlling terminal or process has been disconnected. The term "hangup" comes from the days of dial-up modems when a user would physically hang up the phone to disconnect from a remote system. In the context of modern operating systems, SIGHUP is used for various purposes, including process control, configuration updates, and the proper termination of processes when the controlling terminal is closed.

When a process receives a SIGHUP signal, it usually indicates that the controlling terminal or parent process has been closed or terminated. By default, when a process receives a SIGHUP signal, it will terminate itself. However, processes can be programmed to catch and handle the SIGHUP signal in a specific way, such as re-reading their configuration files or performing a graceful shutdown. This allows developers to ensure that important data is saved, resources are released, or any other necessary cleanup is performed before the process exits.

For example, many Unix daemons (background processes) use SIGHUP to trigger a reload of their configuration files. When the daemon receives a SIGHUP signal, it reads the updated configuration without needing to be restarted. This is useful for making changes to a running system without disrupting its operation.

To send a SIGHUP signal to a process, you can use the '''kill''' command with the '''-HUP''' or '''-1''' option, followed by the process ID (PID) of the target process:

<code>kill -HUP <PID></code>

In summary, SIGHUP is a signal in Unix and Unix-like operating systems used to notify a process that its controlling terminal or parent process has been disconnected. It can be used for process control, configuration updates, and proper termination of processes. While the default behavior is to terminate the process upon receiving a SIGHUP signal, developers can program processes to handle the signal in a custom manner.

DICTIONARY SIGHUP

2023-05-11T19:07:36Z

Noob:

DICTIONARY concatenate

2023-05-11T19:06:55Z

Noob: Noob moved page Dictionary concatenate to DICTIONARY concatenate without leaving a redirect

To concatenate means to join two or more strings, arrays, or other data structures together to form a single, combined unit. This action is frequently employed in programming languages and software applications when working with text or data.

For example, consider the two strings "Hello" and "World". When concatenated, they form a new string: "HelloWorld". In many programming languages, the '+' operator or specific functions are used to concatenate strings or arrays.