This chapter describes only the basics of system configuration through a command-line interface. Before reading this chapter you should read Debian System installation hints, Chapter 3.
If you are concerned about security then you should read the Securing Debian Manual which comes in the harden-doc package.
Debian uses the System V init script system. See The init program, Section 2.4.1 for an introduction.
The easiest way to control the behavior of an init script is by changing environment variable assignments in the file named like the init script in the /etc/default directory. [40] For example, /etc/default/hotplug can be used to control how /etc/init.d/hotplug works. The /etc/default/rcS file can be used to customize boot-time defaults for motd, sulogin, etc.
If you cannot get the behavior you want by changing such variables then you can modify the init scripts themselves: they are all configuration files.
System log mode can be configured using /etc/syslog.conf. Check the colorize package for a program to colorize system logfiles. See also syslogd(8) and syslog.conf(5).
There are a few hardware optimization configurations that Debian leaves to the sysadmin to take care of.
hdparm
hdparm(8)
first.
setcd
setcd(1)
.
setserial
scsitools
memtest86
hwtools
irqtune: changes the IRQ priority of devices to allow devices that require high priority and fast service (e.g. serial ports, modems) to have it. 3x speedup of serial/modem throughput is possible.
scanport: scans I/O space from 0x100 to 0x3ff looking for installed ISA devices.
inb: a quick little hack that reads an I/O port and dumps the value in hex and binary.
schedutils
taskset, irqset, lsrt, and rt are included.
nice and renice (not included), they allow full control of process scheduling parameters.
Mounting a filesystem with the noatime option is also very effective in speeding up read access to the file. See fstab(5) and mount(8).
Some hardware can be tuned directly by the Linux kernel itself through the proc filesystem. See Tuning the kernel through the proc filesystem, Section 7.3.
There are many hardware-specific configuration utilities in Debian. Many of them address needs specific to the laptop PC. Here are some interesting packages available in Debian:
tpconfig - A program to configure touchpad devices
apmd - Utilities for Advanced Power Management (APM)
acpi - displays information on ACPI devices
acpid - Utilities for using ACPI
lphdisk - prepares hibernation partition for Phoenix NoteBIOS
sleepd - puts a laptop to sleep during inactivity
noflushd - allow idle hard disks to spin down
big-cursor - larger mouse cursors for X
acme - Enables the "multimedia buttons" found on laptops
tpctl - IBM ThinkPad hardware configuration tools
mwavem - Mwave/ACP modem support
toshset - Access much of the Toshiba laptop hardware interface
toshutils - Toshiba laptop utilities
sjog - A program to use the "Jog Dial" on Sony Vaio Laptops
spicctrl - Sony Vaio controller program to set LCD backlight brightness
Here, ACPI is a newer framework for the power management system than APM.
Some of these packages require special kernel modules. They are already included in the latest kernel source in many cases. In case of trouble, you may need to apply the latest patch to the kernel yourself.
PAM (Pluggable Authentication Modules) allow you to control how users log in.
/etc/pam.d/*       # PAM control files
/etc/pam.d/login   # PAM control file for login
/etc/security/*    # PAM module parameters
/etc/securetty     # this controls root login by console (login)
/etc/login.defs    # this controls login behaviors (login)
Change the contents of /etc/pam.d/login as follows, if you want insecure but passwordless console terminals at your own risk.
#auth required pam_unix.so nullok
auth required pam_permit.so
Similar tricks can be applied for xdm, gdm, ..., for passwordless console X.
On the other hand, install cracklib2 and set /etc/pam.d/passwd as follows, if you want to enforce a good password policy.
password required pam_cracklib.so retry=3 minlen=6 difok=3
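
The two PAM edits above can be checked for across a directory laid out like /etc/pam.d. The following is an added example, not part of the original chapter: it reports a service whose auth stack relies on pam_permit.so with no pam_unix.so line, a pam_unix.so auth line with nullok, and a passwd service without pam_cracklib.so. The function names, the finding texts and the sample files are constructed for illustration, and the pam_permit.so rule is a heuristic matching the edit shown above.

```shell
#!/bin/sh
# Added example (not from the original chapter): flag the PAM settings
# discussed above in a directory laid out like /etc/pam.d.

# audit_pam_file FILE
# Prints "<service>: <finding>" lines. Rules (heuristics chosen for this example):
#   - auth stack has pam_permit.so (required/sufficient) and no active
#     pam_unix.so auth line: the passwordless edit shown above
#   - a pam_unix.so auth line carries nullok: empty passwords are accepted
#   - the passwd service has no pam_cracklib.so password line
audit_pam_file() {
    awk -v name="$(basename "$1")" '
        /^[ \t]*#/ || NF < 3 { next }      # commented-out or incomplete line
        $1 == "auth" && $3 ~ /pam_permit\.so$/ && $2 ~ /^(required|sufficient)$/ {
            permit = 1
        }
        $1 == "auth" && $3 ~ /pam_unix\.so$/ {
            unix_auth = 1
            for (i = 4; i <= NF; i++)
                if ($i == "nullok")
                    print name ": pam_unix.so nullok, empty passwords accepted"
        }
        $1 == "password" && $3 ~ /pam_cracklib\.so$/ { cracklib = 1 }
        END {
            if (permit && !unix_auth)
                print name ": pam_permit.so without pam_unix.so, login needs no password"
            if (name == "passwd" && !cracklib)
                print name ": no pam_cracklib.so in the password stack"
        }
    ' "$1"
}

# audit_pam_dir DIR: run the per-file audit over every regular file in DIR
audit_pam_dir() {
    for f in "$1"/*; do
        if [ -f "$f" ]; then audit_pam_file "$f"; fi
    done
}

# Constructed sample files; the login and passwd lines are the ones quoted above.
write_sample_pam_dir() {
    cat > "$1/login" <<'EOF'
auth     requisite pam_securetty.so
#auth    required  pam_unix.so nullok
auth     required  pam_permit.so
account  required  pam_unix.so
EOF
    cat > "$1/passwd" <<'EOF'
password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so use_authtok md5
EOF
    cat > "$1/ssh" <<'EOF'
auth     required  pam_unix.so nullok
account  required  pam_unix.so
EOF
}

sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
write_sample_pam_dir "$sample_dir"
audit_pam_dir "$sample_dir"
```

Point audit_pam_dir at /etc/pam.d to review a real system; on the sample it reports the login and ssh files and stays silent on passwd.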
A one-time login password for account activation may also help. For this, use the passwd command with the -e option. See passwd(1).
The maximum number of processes can be set with ulimit -u 1000 in a Bash shell or with settings in /etc/security/limits.conf from PAM. Other parameters such as core can be set similarly. The initial value of PATH can be set by /etc/login.defs before the shell startup script.
The documentation for PAM is packaged in the libpam-doc package. The Linux-PAM System Administrator's Guide covers configuring PAM, what modules are available, etc. The documentation also includes The Linux-PAM Application Developers' Guide and The Linux-PAM Module Writers' Guide.
su
does not support the wheel group"
This is the famous phrase at the bottom of the old info su page by Richard M. Stallman. Not to worry: the current su in Debian uses PAM, so that one can restrict the ability to use su to any group using pam_wheel.so in /etc/pam.d/su. The following will set the adm group in a Debian system as an equivalent of the BSD wheel group and allow su without a password for its members.
# anti-RMS configuration in /etc/pam.d/su
auth required pam_wheel.so group=adm
# Wheel members to be able to su without a password
auth sufficient pam_wheel.so trust group=adm
A few interesting groups:
su if pam_wheel.so is used without the group= argument.
/usr/src. It can be used locally to give a user the ability to manage system source code.
/usr/local and to create directories in /home.
For a complete list, see the "FAQ" section in the Securing Debian Manual, which can also be found as the harden-doc package in Woody. Also the new base-passwd (>3.4.6) contains an authoritative list: /usr/share/doc/base-passwd/users-and-groups.html.
sudo
My usage of sudo is mostly a protection from my own stupidity. Personally, I consider using sudo a better alternative to always using the system as root.
Install sudo and activate it by setting options in /etc/sudoers. Also check out the sudo group feature in /usr/share/doc/sudo/OPTIONS.
The sample configuration provides "staff" group members access to any commands run as root under sudo and also gives "src" members access to selected commands run as root under sudo.
The advantage of sudo is that it only requires an ordinary user's password to log in, and activity is monitored. This is a nice way to give some authority to a junior administrator. For example:
$ sudo chown -R myself:mygrp .
Of course if you know the root password (as most home users do), any command can be run under root from a user account:
$ su -c "shutdown -h now"
Password:
(I know I should tighten the admin account's sudo privileges. But since this is my home server, I have not bothered yet.)
For a different program that allows ordinary users to run commands with root privileges, see the super package.
The Internet super-server, inetd, is started at boot time by /etc/rc2.d/S20inetd (for RUNLEVEL=2), which is a symlink to /etc/init.d/inetd. Essentially, inetd allows one running daemon to invoke several others, reducing load on the system.
Whenever a request for service arrives, its protocol and service are identified by looking them up in the databases in /etc/protocols and /etc/services. inetd then looks up a normal Internet service in the /etc/inetd.conf database, or a Sun-RPC based service in /etc/rpc.conf.
For system security, make sure to disable unused services in /etc/inetd.conf. Sun-RPC services need to be active for NFS and other RPC-based programs.
Sometimes, inetd does not start the intended server directly but starts the tcpd TCP/IP daemon wrapper program with the intended server name as its argument in /etc/inetd.conf. In this case, tcpd runs the appropriate server program after logging the request and doing some additional checks using /etc/hosts.deny and /etc/hosts.allow.
If you have problems with remote access in a recent Debian system, comment out "ALL: PARANOID" in /etc/hosts.deny if it exists.
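
To review which services /etc/inetd.conf leaves enabled and which of them are started through tcpd, the file can be parsed field by field. The following is an added example, not part of the original chapter; the function names are hypothetical, the sample file is constructed, and the field layout assumed is the one described in inetd.conf(5) (service, socket type, protocol, wait flag, user, server path, arguments).

```shell
#!/bin/sh
# Added example (not from the original chapter): list what an
# inetd.conf-format file leaves enabled and whether tcpd fronts each service.

# audit_inetd FILE
# Prints "<service>/<proto> <status> <server>" per active line, where status is
#   internal   handled inside inetd itself
#   wrapped    started through tcpd, so hosts.allow/hosts.deny are consulted
#   UNWRAPPED  server started directly, without the tcpd checks
audit_inetd() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # commented out (disabled) or blank
        NF < 6 { printf "%s/? MALFORMED -\n", $1; next }
        {
            server = $6
            if (server == "internal") {
                status = "internal"
            } else if (server == "tcpd" || server ~ /\/tcpd$/) {
                status = "wrapped"
                server = $7                    # the real server is the first argument
            } else {
                status = "UNWRAPPED"
            }
            printf "%s/%s %s %s\n", $1, $3, status, server
        }
    ' "$1"
}

# count_status FILE STATUS: number of active services with that status
count_status() {
    audit_inetd "$1" | awk -v want="$2" '$2 == want { n++ } END { print n + 0 }'
}

# Constructed sample in inetd.conf layout:
# service  socket  proto  wait-flag  user  server-path  arguments
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
echo      stream tcp nowait root     internal
#chargen  stream tcp nowait root     internal
ftp       stream tcp nowait root     /usr/sbin/tcpd /usr/sbin/in.ftpd
telnet    stream tcp nowait telnetd  /usr/sbin/in.telnetd in.telnetd
#finger   stream tcp nowait nobody   /usr/sbin/tcpd /usr/sbin/in.fingerd
ident     stream tcp wait   identd   /usr/sbin/identd identd
EOF
}

sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
write_sample_inetd_conf "$sample"
audit_inetd "$sample"
echo "unwrapped: $(count_status "$sample" UNWRAPPED)"
```

Every line the audit prints is a service that will answer requests; anything not needed should be commented out, and UNWRAPPED entries are not subject to /etc/hosts.allow and /etc/hosts.deny.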
For details, see inetd(8), inetd.conf(5), protocols(5), services(5), tcpd(8), hosts_access(5), and hosts_options(5).
For more information on Sun-RPC, see rpcinfo(8), portmap(8), and /usr/share/doc/portmap/portmapper.txt.gz.
Use Lightweight Directory Access Protocol (LDAP). References:
OpenLDAP
openldap-guide package
LDAP Linux HOWTO
LDAP Implementation HOWTO
OpenLDAP, extensive use reports
Open LDAP with Courier IMAP and Postfix
CD-writers with ATAPI/IDE interfaces have recently become a very popular option. It is a nice medium for system backup and archiving for the home user needing < 640MB capacity. For the most authoritative information, see the LDP CD-Writing-HOWTO.
First, any disruption of data sent to the CD-writer will cause irrecoverable damage to the CD. Get a CD-writer with as large a buffer as possible. If money is no object, do not bother with ATAPI/IDE, just get a SCSI version. If you have a choice of IDE interface to be connected, use the one on the PCI-bus (i.e., on the motherboard) rather than one on the ISA-bus (an SB16 card, etc.).
When a CD-writer is connected to IDE, it has to be driven by the IDE-SCSI driver instead of an ordinary IDE CD driver for Linux 2.2 and 2.4 kernels. Also, the SCSI generic driver needs to be activated. There are two possible approaches to doing this, assuming a kernel distributed with modern distributions (as of March 2001).
For the Linux 2.6 kernel, you should use the ordinary IDE driver and access the CD-RW device directly with a device name such as /dev/hdx instead. You can use DMA this way.
lilo
Add the following line to /etc/lilo.conf if you are using a stock Debian kernel. If multiple options are used, list them separated by spaces:
append="hdx=ide-scsi ignore=hdx"
Here the location of the CD-writer, which is accessed through the ide-scsi driver, is indicated by hdx, where x represents one of the following:
hda          for a master on the first IDE port
hdb          for a slave on the first IDE port
hdc          for a master on the second IDE port
hdd          for a slave on the second IDE port
hde ... hdh  for a drive on an external IDE port or ATA66/100 IDE port
Type the following commands as root to activate after finishing all the configuration:
# lilo
# shutdown -h now
Debian uses make-kpkg to create a kernel. Use the new --append_to_version with make-kpkg to build multiple kernel images. See The Linux kernel under Debian, Chapter 7.
Use the following setup through make menuconfig:
Kernel support for the CD-writer can be activated during booting by the following:
# echo ide-scsi >>/etc/modules
# echo sg >>/etc/modules
# cd /dev; ln -sf scd0 cdrom
Manual activation can be done by:
# modprobe ide-scsi
# modprobe sg
After reboot, you can check installation by:
$ dmesg|less
# apt-get install cdrecord
# cdrecord -scanbus
[Per Warren Dodge] Sometimes there may be conflicts between ide-scsi and ide-cd if there are both CD-ROM and CD-R/RW on the system. Try adding the following line to your /etc/modutils/aliases, running update-modules, and rebooting.
pre-install ide-scsi modprobe ide-cd
This causes the IDE driver to load before ide-scsi. The IDE driver ide-cd takes control of the ATAPI CD-ROM—anything that it hasn't been told to ignore. That leaves just the ignored devices for ide-scsi to control.
To create a CD-image of files under target-directory/ as cd-image.raw (bootable, Joliet TRANS.TBL-enabled format; if not bootable, take out -b and -c options), insert a boot floppy in the first floppy drive and run:
# dd if=/dev/fd0 of=target-directory/boot.img
# mkisofs -r -V volume_id -b boot.img -c bootcatalog -J -T \
    -o cd-image.raw target-directory/
One funny hack is to make a bootable DOS CD-ROM. If an ordinary DOS boot floppy disk image is in the above boot.img, the CD-ROM will boot as if a DOS floppy were in the first floppy drive (A:). Doing this with freeDOS may be more interesting.
This CD-image file can be inspected by mounting it on the loop device.
# mount -t iso9660 -o ro,loop cd-image.raw /cdrom
# cd /cdrom
# mc
# umount /cdrom
First test with (assuming double speed)
# nice --10 cdrecord -dummy speed=2 dev=0,0 disk.img
Then if OK, write to CD-R with
# nice --10 cdrecord -v -eject speed=2 dev=0,0 disk.img
Or write to a CD-RW disk with
# nice --10 cdrecord -v -eject blank=fast speed=2 dev=0,0 disk.img
Some CD-RW drives work better with
# nice --10 cdrecord -v blank=all speed=2 dev=0,0 disk.img
followed by
# nice --10 cdrecord -v -eject speed=2 dev=0,0 disk.img
Two steps are needed to prevent SCSI timeouts during blanking from interfering with the burning step. The argument value to nice may require some adjustments.
Some CD-Rs and commercial CDs have junk sectors at the end that make copying by dd impossible (the Windows 98 CD is one of them). The cdrecord package comes with the readcd command. Use this to copy any CD contents to an image file. If it is a data disk, mount it and run df to see its actual size. Divide the number shown in blocks (1 block = 1024 bytes) by 2 to get the number of actual CD sectors (1 sector = 2048 bytes). Run readcd with options and use this disk image to burn the CD-R/RW.
# readcd dev=target,lun,scsibusno # select function 11
Here, set all three parameters to 0 for most cases. Usually the number of sectors given by readcd is excessive! Use the above number from an actual mount for better results.
It should be noted that the use of dd has a few problems if used on CD-ROM. The first run of the dd command may cause an error message and may yield a shorter disk image with a lost tail-end. The second run of dd command may yield a larger disk image with garbage data attached at the end on some systems if the data size is not specified. Only the second run of the dd command with the correct data size specified, and without ejecting the CD after an error message, seems to avoid these problems. If for example the image size displayed by df is 46301184 blocks, use the following command twice to get the right image (this is my empirical information):
# dd if=/dev/cdrom of=cd.img bs=2048 count=$((46301184/2))
To obtain the latest information on Debian CDs, visit the Debian CD site.
If you have a fast Internet connection, think about installing over the network using:
floppy images.
minimal bootable CD image.
If you do not have a fast Internet connection, think about purchasing CDs from a CD vendor.
Please do not waste bandwidth by downloading standard CD images unless you are a CD image tester (even with the new jigdo method).
One noteworthy CD image is KNOPPIX - Live Linux Filesystem On CD. This CD will boot a functioning Debian system without installing itself to the hard disk.
To copy key configuration files and data files to CD-R, use the example backup script backup. Also see Copy and archive a whole subdirectory, Section 8.3 and Differential backup and data synchronization, Section 8.4.
Not tested by me:
# apt-get install cdrecord cdparanoia
# cdparanoia -s -B
# cdrecord dev=0,0,0 speed=2 -v -dao -eject defpregap=1 -audio *.wav
or,
# apt-get install cdrdao #disk at once
# cdrdao read-cd --device /dev/cdrom --paranoia-mode 3 my_cd # read cd
# cdrdao write --device /dev/cdrom --speed 8 my_cd # write a new CD
cdrdao does a real copy (no gaps, etc...).
For DVD writing, you have 2 approaches:
growisofs with mkisofs.
cdrecord with dvd option to create local package following /usr/share/doc/cdrecord/README.DVD.Debian.
The X Window System is provided by XFree86. There are two major versions of X server available on the Debian system: XFree86 Version 3.3 (XF3) and XFree86 Version 4.x series (XF4) both based on X11R6 specifications by X.Org.
For the basics of X, refer to X(7), the LDP XWindow-User-HOWTO, and the Remote X Apps mini-HOWTO. For a Debian-specific user guide, read /usr/share/doc/xfree86-common/FAQ.gz provided in the xfree86-common package. This contains an interesting and authoritative review of the key binding issues by Branden Robinson.
This reverses the ordinary use of "server" and "client" in other contexts.
There are several ways of getting the "X server" (display side) to accept remote connections from an "X client" (application side):
xhost method
xhost, Section 9.4.7 and xhost(1x).
xauth method
xhost).
ssh -X.
xauth(1x).
xdm, wdm, gdm, kdm, ... methods
xauth).
xdm(1x) and Xsecurity(7) for the basics of X display access control.
wdm(1x), gdm(8), and kdm.options(5) for more information, if these are installed.
xdm to gain a Linux console upon boot without purging the xdm package.
ssh -X method
ssh, Section 9.4.8.
All remote connection methods, except ssh, require TCP/IP connection enabled on the X server. See Using X over TCP/IP, Section 9.4.6.
There are a few (meta)packages provided to ease installation of the X system in Woody.
x-window-system-core
xserver-xfree86), a set of fonts, and a group of basic X clients and utilities.
x-window-system
x-window-system-core, twm, and xdm, i.e., no need to install x-window-system-core if you install this.)
xserver-common-v3
xserver-*
xserver-xfree86) for whatever reason. Some old ATI mach64 cards are not supported in XF4, other cards hang badly in the Woody version of XF4, etc. (For available packages, use apt-cache search xserver-|less. All of these XF3 servers depend on xserver-common-v3.)
For most cases, x-window-system is the package to install. (If you want console login, be sure to disable xdm as described in "Let me disable X on boot!", Section 8.1.4.)
To enable hardware detection during the X configuration stage, install the following packages prior to installing the X system:
discover – hardware identification system.
mdetect – mouse device autodetection tool.
read-edid – hardware information-gathering tool for VESA PnP monitors.
See XFree86(1x) for X server information.
Invoke X server from a local console:
$ startx -- :<display> vtXX
e.g.:
$ startx -- :1 vt8 -bpp 16
... start on vt8 connected to localhost:1 with 16 bpp mode
Arguments given after -- are for the X server.
Note, when using a ~/.xserverrc script to customize the X server startup process, be sure to exec the real X server. Failing to do this can make the X server slow to start and exit. For example:
#!/bin/sh
exec /usr/bin/X11/X -dpi 100 -nolisten tcp
To (re-)configure an XF4 server,
# dpkg-reconfigure --priority=low xserver-common
# dpkg-reconfigure --priority=low xserver-xfree86
will generate /etc/X11/XF86Config-4 file and configure X using the script dexconf.
To (re-)configure an XF3 server, for example, for ATI mach64,
# dpkg-reconfigure --priority=low xserver-common-v3
# dpkg-reconfigure --priority=low xserver-mach64
will generate /etc/X11/XF86Config file and configure X using the script xf86config-v3.
For Woody, to add user customizations to /etc/X11/XF86Config-4 file, do not edit the configuration file between the text:
### BEGIN DEBCONF SECTION
[snip]
### END DEBCONF SECTION
Instead, add the customizations before the text. For example, to use a custom video device, add something resembling the following text to the top of the file:
Section "Device"
    Identifier "Custom Device"
    Driver "ati"
    Option "NoAccel"
EndSection
Section "Screen"
    Identifier "Custom Screen"
    Device "Custom Device"
    Monitor "Generic Monitor"
    DefaultDepth 24
    Subsection "Display"
        Depth 8
        Modes "1280x960" "1152x864" "1024x768" "800x600" "640x480"
    EndSubsection
    Subsection "Display"
        Depth 16
        Modes "1280x960" "1152x864" "1024x768" "800x600" "640x480"
    EndSubsection
    Subsection "Display"
        Depth 24
        Modes "1280x960" "1152x864" "1024x768" "800x600" "640x480"
    EndSubsection
EndSection
Section "ServerLayout"
    Identifier "Custom"
    Screen "Custom Screen"
    InputDevice "Generic Keyboard" "CoreKeyboard"
    InputDevice "Configured Mouse" "CorePointer"
EndSection
For Sarge (testing at the time of writing), if you wish to retain user customizations to /etc/X11/XF86Config file through upgrade, run the following commands as root:
# cp /etc/X11/XF86Config-4 /etc/X11/XF86Config-4.custom
# md5sum /etc/X11/XF86Config-4 > /var/lib/xfree86/XF86Config-4.md5sum
# dpkg-reconfigure xserver-xfree86
In order to achieve font de-uglification, you need to edit /etc/X11/XF86Config-4 as described in TrueType fonts in X, Section 9.4.13.
Please also check the other parts of your X configuration. Bad monitor settings can be even more of a headache than bad fonts, so make sure your refresh rate is as high as your monitor can handle (85 Hz is great, 75 Hz is OK, 60 Hz is painful).
Most X client programs can be started with a command like this:
client $ xterm -geometry 80x24+30+200 -fn 6x10 -display hostname:0 &
Here, the optional command-line arguments mean:
/tmp/.X11-unix/XD (so it's only reachable from host).
The default displayname for the X client program (application side) can be set by the DISPLAY environment variable. For example, prior to running an X client program, executing one of the following commands achieves this:
$ export DISPLAY=:0 # The default, local machine using the first X screen
$ export DISPLAY=hostname.fulldomain.name:0.2
$ export DISPLAY=localhost:0
Its startup can be customized by ~/.xinitrc. For example:
xrdb -load $HOME/.Xresources
xsetroot -solid gray &
xclock -g 50x50-0+0 -bw 0 &
xload -g 50x50-50+0 -bw 0 &
xterm -g 80x24+0+0 &
xterm -g 80x24+0-0 &
twm
As described in Custom X sessions, Section 9.4.5.1, this overrides everything normal execution of Xsession does when started from startx. Use ~/.xsession instead and use this approach only as the last resort. See xsetroot(1x), xset(1x), and X resources, Section 9.4.10.
An X session (X server + X client) can be started by:
startx: wrapper script command for xinit to start an X server and client from a Linux character console. If ~/.xinitrc does not exist, /etc/X11/Xsession is executed through /etc/X11/xinit/xinitrc.
xdm, gdm, kdm, or wdm: X display manager daemons to start the X server and client, and to control login via a GUI screen. /etc/X11/Xsession is directly executed.
The console can be made available as in "Let me disable X on boot!", Section 8.1.4.
The default startup script /etc/X11/Xsession is effectively a combination of /etc/X11/Xsession.d/50xfree86-common_determine-startup and /etc/X11/Xsession.d/99xfree86-common_start.
Execution of /etc/X11/Xsession is somewhat affected by /etc/X11/Xsession.options and is essentially an execution of a program which was first found in the following order with the exec command:
~/.xsession or ~/.Xsession, if it is defined.
/usr/bin/x-session-manager, if it is defined.
/usr/bin/x-window-manager, if it is defined.
/usr/bin/x-terminal-emulator, if it is defined.
The exact meaning of these commands is determined by the Debian alternative system described in Alternative commands, Section 6.5.3. For example:
# update-alternatives --config x-session-manager
... or
# update-alternatives --config x-window-manager
In order to make any X window manager a default while keeping GNOME and KDE session managers installed, replace /etc/X11/Xsession.d/50xfree86-common_determine-startup with the one attached in the second bug report at http://bugs.debian.org/168347 (I hope this will be included soon) and edit /etc/X11/Xsession.options as follows to disallow the X session manager:
# /etc/X11/Xsession.options
#
# configuration options for /etc/X11/Xsession
# See Xsession.options(5) for an explanation of the available options.
# Default enabled
allow-failsafe
allow-user-resources
allow-user-xsession
use-ssh-agent
# Default disabled (enable them by uncommenting)
do-not-use-x-session-manager
#do-not-use-x-window-manager
Without the above mentioned modification to the system, gnome-session and kdebase are the packages containing these X session managers. Removing them allows X window manager to be a default. (Yack, any better idea?)
On a system where /etc/X11/Xsession.options contains a line allow-user-xsession without preceding characters, any user who defines ~/.xsession or ~/.Xsession will be able to customize the action of /etc/X11/Xsession.
The last command in the ~/.xsession file should use the form exec some-window/session-manager to start your favorite X window/session manager.
A good example of an ~/.xsession script is given at /usr/share/doc/xfree86-common/examples/xsession.gz.
I use this to set the window manager, screen access, and language support for each user account. See Starting an X session for a user, Section 9.4.5.2, Getting root in X, Section 9.4.12, and Example for a multilingual X window system, Section 9.7.9.
If you wish to have several X client programs started automatically, see X clients, Section 9.4.4 examples and invoke them from ~/.xsession instead of ~/.xinitrc.
User-specific additional X resources can be stored in ~/.Xresources. See X resources, Section 9.4.10.
User-customized keymaps and pointer button mappings in X can also be specified in the user's start up script. See Keymaps and pointer button mappings in X, Section 9.4.11.
Following the principle described at Custom X sessions, Section 9.4.5.1, a user-specific X session/window manager can be activated by installing the package indicated and setting the contents at the end of ~/.xsession file as follows. (I like blackbox/fluxbox for its simple style and fast speed.):
gnome-session
kdebase (or kdebase3 for KDE3)
blackbox
fluxbox
xfce
icewm
fvwm
wmaker
enlightenment
In order to setup full KDE or GNOME environment, the following metapackages are useful:
kde package
gnome package
Installing these packages with tools which handle Recommends, such as dselect and aptitude, provides you with richer choices of software than just installing these with apt-get.
If you want console login, be sure to disable X display managers, such as kdm, gdm, and wdm, which may be pulled in by the dependencies, as described in "Let me disable X on boot!", Section 8.1.4.
If you want to have GNOME as the system default over KDE, make sure to configure x-session-manager as in Alternative commands, Section 6.5.3.
Because a remote TCP/IP socket connection without encryption is prone to an eavesdropping attack, the default setting for X in recent Debian versions disables the TCP/IP socket. Consider using ssh for a remote X connection (see Connecting to a remote X server – ssh, Section 9.4.8).
The method described here is not encouraged unless one is in a very secure environment behind a good firewall system with only trusted users present. Use the following command to verify your current X server setting for the TCP/IP socket:
# find /etc/X11 -type f -print0 | xargs -0 grep nolisten
/etc/X11/xinit/xserverrc:exec /usr/bin/X11/X -dpi 100 -nolisten tcp
Remove -nolisten to restore TCP/IP listening on the X server.
xhost
xhost allows access based on hostnames. This is very insecure. The following will disable host checking and allow connections from anywhere if a TCP/IP socket connection is allowed (see Using X over TCP/IP, Section 9.4.6):
$ xhost +
You can re-enable host checking with:
$ xhost -
xhost does not distinguish between different users on the remote host. Also, hostnames (addresses actually) can be spoofed.
This method must be avoided even with more restrictive host criteria if you're on an untrusted network (for instance with dial-up PPP access to the Internet).
See xhost(1x).
ssh
The use of ssh enables a secure connection from a local X server to a remote application server.
/etc/ssh/sshd_config of the remote host, if you want to avoid corresponding command-line options.
xterm in the local host.
ssh to establish a connection with the remote site.
localname @ localhost $ ssh -q -X -l loginname remotehost.domain
Password: .....
loginname @ remotehost $ gimp &
This method allows the display of the remote X client output as if it were locally connected through a local UNIX domain socket.
xterm
Learn everything about xterm at http://dickey.his.com/xterm/xterm.faq.html.
Many older X programs, such as xterm, use the X resource database to configure their appearance. The file ~/.Xresources is used to store user resource specifications. This file is automatically merged into the default X resources upon login. The system-wide defaults of X resources are stored in /etc/X11/Xresources/* and application defaults of them are stored in /etc/X11/app-defaults/*. Use these settings as the starting points.
Here are some helpful settings to add to your ~/.Xresources file:
! Set the font to a more readable 9x15
XTerm*font: 9x15
! Display a scrollbar
XTerm*scrollBar: true
! Set the size of the buffer to 1000 lines
XTerm*saveLines: 1000
! Large kterm screen
KTerm*VT100*fontList: -*-fixed-medium-r-normal--24-*,\
    -*-gothic-medium-r-normal--24-*,\
    -*-mincho-medium-r-normal--24-*
To make these settings take effect immediately, merge them into the database using the command:
xrdb -merge ~/.Xresources
See xrdb(1x).
The xmodmap program is used to edit and display the keyboard modifier map and keymap table that are used by client applications to convert event keycodes into keysyms in X.
$ xmodmap -pm ... display the current modifier map
$ xmodmap -pk | pager ... display the current keymap table
$ xmodmap -e "pointer = 3 2 1" # set mouse for the left hand.
$ xmodmap ~/.xmodmaprc # set keyboard as in ~/.xmodmaprc
It is usually run from the user's session startup script, ~/.xsession.
To get the keycode, run xev in X and press keys. To get the meaning of keysym, look into the MACRO definition in /usr/include/X11/keysymdef.h file. All the #define statements in this file are named as XK_ prepended to the keysym names.
See xmodmap(1x).
If a GUI program needs to be run with root privilege, use the following procedures to display program output on a user's X server. Never attempt to start an X server directly from the root account in order to avoid possible security risks.
Start the X server as a normal user and open an xterm console. Then:
$ XAUTHORITY=$HOME/.Xauthority
$ export XAUTHORITY
$ su root
Password:*****
# printtool &
When using this trick to su to a non-root user, make sure ~/.Xauthority is group readable by this non-root user.
To automate this command sequence, create a file ~/.xsession from the user's account, containing the following lines:
# This makes X work when I su to the root account.
if [ -z "$XAUTHORITY" ]; then
    XAUTHORITY=$HOME/.Xauthority
    export XAUTHORITY
fi
unset XSTARTUP
# If a particular window/session manager is desired, uncomment
# the following and edit it to fit your needs.
#XSTARTUP=/usr/bin/blackbox
# This starts x-window/session-manager program
if [ -z "$XSTARTUP" ]; then
    if [ -x /usr/bin/x-session-manager ]; then
        XSTARTUP=x-session-manager
    elif [ -x /usr/bin/x-window-manager ]; then
        XSTARTUP=x-window-manager
    elif [ -x /usr/bin/x-terminal-emulator ]; then
        XSTARTUP=x-terminal-emulator
    fi
fi
# execute auto selected X window/session manager
exec $XSTARTUP
Then run su (not su -) in an xterm window of the user. Now GUI programs started from this xterm can display output on this user's X window while running with root privilege. This trick works as long as the default /etc/X11/Xsession is executed. If a user set up his customization using ~/.xinitrc or ~/.xsession, the above mentioned environment variable XAUTHORITY needs to be set similarly in those scripts.
Alternatively, sudo can be used to automate the command sequence:
$ sudo xterm
... or
$ sudo -H -s
Here /root/.bashrc should contain:
# Only in a shell started through sudo: merge the invoking user's X cookie
if [ -n "$SUDO_USER" ]; then
    sudo -H -u "$SUDO_USER" xauth extract - "$DISPLAY" | xauth merge -
fi
This works fine even with the home directory of the user on an NFS mount, because root does not read the .Xauthority file.
There are also several specialized packages for this purpose:
kdesu
, gksu
, gksudo
,
gnome-sudo
, and xsu
. Some other methods can be used
to achieve similar results: creating a symlink from
/root/.Xauthority
to the user's corresponding one; use of the
script sux
; or putting
"xauth merge ~USER_RUNNING_X/.Xauthority" in
the root initialization script.
See more on the debian-devel
mailing list
.
The standard xfs in XFree86-4 works fine with TrueType fonts. You have to install a third-party font server such as xfs-xtt, if you are using XFree86-3.
You just need to make sure that whatever applications you want to use the TrueType fonts are linked against libXft or libfreetype (you probably don't even have to worry about this if you're using pre-compiled .debs).
First set up font support infrastructure:
x-ttcidfont-conf and defoma packages. This automates generation of the fonts.scale and fonts.dir files.
    # apt-get install x-ttcidfont-conf
/etc/X11/XF86Config-4 in the Section "Files" as:
    Section "Files"
        FontPath "/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType"
        FontPath "/usr/share/fonts/truetype"
        FontPath "/usr/lib/X11/fonts/CID"
        FontPath "/usr/lib/X11/fonts/Speedo"
        FontPath "/usr/lib/X11/fonts/misc"
        FontPath "/usr/lib/X11/fonts/cyrillic"
        FontPath "/usr/lib/X11/fonts/100dpi:unscaled"
        FontPath "/usr/lib/X11/fonts/75dpi:unscaled"
        FontPath "/usr/lib/X11/fonts/Type1"
    EndSection
The first line will set up XFree86 to use any TrueType fonts you install from Debian packages. The Type1 font entry is moved down since XFree86 does a rather poor job of rendering Type1 fonts. The :unscaled trick for bitmap fonts should not be needed for new XF4 anymore but I included it here just to be sure.
In order to preserve manual changes of /etc/X11/XF86Config-4 follow instructions in Configuring the X server manually, Section 9.4.3.3.
Then install DFSG font packages:
ttf-bitstream-vera: A set of high-quality TrueType fonts created by Bitstream, Inc. [41]
ttf-freefont: A set of free high-quality TrueType fonts covering the UCS character set.
ttf-thryomanes: A TrueType Unicode font covering Latin, Greek, Cyrillic, and IPA.
tfm-arphic-bsmi00lp: Chinese Arphic "AR PL Mingti2L Big5" TrueType font TeX font metric data
tfm-arphic-bkai00mp: Chinese Arphic "AR PL KaitiM Big5" TrueType font TeX font metric data
tfm-arphic-gbsn00lp: Chinese Arphic "AR PL SungtiL GB" TrueType font TeX font metric data
tfm-arphic-gkai00mp: Chinese Arphic "AR PL KaitiM GB" TrueType font TeX font metric data
ttf-baekmuk: Korean Baekmuk series TrueType fonts
hbf-jfs56: Chinese Jianti Fangsong 56x56 bitmap font (GB2312) for CJK
hbf-cns40-b5: Chinese Fanti Song 40x40 bitmap font (Big5) for CJK
hbf-kanji48: Japanese Kanji 48x48 bitmap font (JIS X-0208) for CJK
Since Free fonts are sometimes limited, installing or sharing some commercial TrueType fonts is an option for Debian users. In order to make this process easy for the user, some convenience packages have been created:
ttf-commercial
msttcorefonts (>1.1.0) [42]
You'll have a really good selection of TrueType fonts at the expense of contaminating your Free system with non-Free fonts.
All these font packages in Debian should work without any effort and appear available to all X programs that use the regular "core" font system. This includes things like Xterm, Emacs, and most other non-KDE and non-GNOME applications.
Now, run xfontsel and select any TrueType fonts in the fndry menu; you should be able to see many ungrayed out entries in the "fmly" menu.
For KDE2.2 and GNOME1.4 (with libgdkxft0, which is a hack to get GTK 1.2 to do anti-aliased font rendering), you need to set up Xft1 as well. Xft1 is highly deprecated, and is basically only used by GNOME1.4 and KDE2.2. Edit /etc/X11/XftConfig and add a line like
    dir "/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType"
before the other dir lines. [43]
For GNOME2 and KDE3 (post Sarge release), you need to set up fontconfig, which Xft2 uses to find fonts. [44] You shouldn't need to install anything extra for this because every package using fontconfig Depends on it (indirectly) already.
First, look in /etc/fonts/fonts.conf. There should be a line like the one below. If not, open up /etc/fonts/local.conf and add this
    <dir>/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType</dir>
just after the <fontconfig> line.
Fontconfig should pick these up immediately, and "fc-list" should list your new fonts. Another neat feature of fontconfig is that you can just drop fonts in ~/.fonts/ and all your fontconfigified programs will have access to them immediately.
If you manually install a new set of TrueType fonts while in X without using a Debian package, run
    # xset fp rehash
to get XFree86 to look at the contents of that directory again and to pick up new ones.
There are a few web browser packages with graphical display capabilities as of the Woody release:
mozilla: The Mozilla browser (new)
galeon: Mozilla-based browser with a Gnome UI (new)
konqueror: KDE browser
dillo: GTK browser
amaya-gtk: W3C reference browser
amaya-lesstif: W3C reference browser
netscape-...: (many, old)
communicator-...: (many, old)
The version of mozilla must match the version that galeon requires. Although they differ in UI, these two programs share the Gecko HTML rendering engine.
Plug-ins for browsers such as mozilla and galeon can be enabled by installing "*.so" manually in the plug-in directory and restarting the browsers.
Plug-in resources:
http://java.sun.com
http://www.macromedia.com/software/flashplayer/
freewrl: VRML browser and Netscape plug-in
SSH (Secure SHell) is the secure way to connect over the Internet. A free version of SSH called OpenSSH is available as the ssh package in Debian.
First install the OpenSSH server and client.
    # apt-get update && apt-get install ssh
The non-US entry in the /etc/apt/sources.list is required. /etc/ssh/sshd_not_to_be_run must not be present if one wishes to run the OpenSSH server.
SSH has two authentication protocols:
.rhosts or /etc/hosts.equiv authentication combined with public key client host authentication (disabled)
Be careful about these differences if you are migrating to Woody or using a non-Debian system.
See /usr/share/doc/ssh/README.Debian.gz, ssh(1), sshd(8), ssh-agent(1), and ssh-keygen(1) for details.
Following are the key configuration files:
/etc/ssh/ssh_config: SSH client defaults. See ssh(1). Notable entries are:
/etc/ssh/sshd_config: SSH server defaults. See sshd(8). Notable entries are:
sshd should listen on. Multiple options are permitted.
$HOME/.ssh/authorized_keys: the lists of the default public keys that clients use to connect to this account on this host. See ssh-keygen(1).
$HOME/.ssh/identity: See ssh-add(1) and ssh-agent(1).
The following will start an ssh connection from a client.
    $ ssh username@hostname.domain.ext
    $ ssh -1 username@hostname.domain.ext # Force SSH version 1
    $ ssh -1 -o RSAAuthentication=no -l username foo.host
        # force password on SSH1
    $ ssh -o PreferredAuthentications=password -l username foo.host
        # force password on SSH2
For the user, ssh functions as a smarter and more secure telnet (will not bomb with ^]).
To establish a pipe to connect to port 25 of remote-server from port 4025 of localhost, and to port 110 of remote-server from port 4110 of localhost through ssh, execute on the local machine:
    # ssh -q -L 4025:remote-server:25 -L 4110:remote-server:110 \
          username@remote-server
This is a secure way to make connections to SMTP/POP3 servers over the Internet. Set the AllowTcpForwarding entry to yes in /etc/ssh/sshd_config of the remote host.
One can avoid having to remember a password for each remote system by using RSAAuthentication (SSH1 protocol) or PubkeyAuthentication (SSH2 protocol).
On the remote system, set the respective entries, "RSAAuthentication yes" or "PubkeyAuthentication yes", in /etc/ssh/sshd_config.
Then generate authentication keys locally and install the public key on the remote system:
    $ ssh-keygen          # RSAAuthentication: RSA1 key for SSH1
    $ cat .ssh/identity.pub | ssh user1@remote \
          "cat - >>.ssh/authorized_keys"
    ...
    $ ssh-keygen -t rsa   # PubkeyAuthentication: RSA key for SSH2
    $ cat .ssh/id_rsa.pub | ssh user1@remote \
          "cat - >>.ssh/authorized_keys"
    ...
    $ ssh-keygen -t dsa   # PubkeyAuthentication: DSA key for SSH2
    $ cat .ssh/id_dsa.pub | ssh user1@remote \
          "cat - >>.ssh/authorized_keys"
One can change the passphrase later with "ssh-keygen -p". Make sure to verify settings by testing the connection. In case of any problem, use "ssh -v".
You can add options to the entries in authorized_keys to limit hosts and to run specific commands. See sshd(8) for details.
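As an added illustration (not part of the original document), the following script reports for each SSH2 entry of an authorized_keys file whether it carries a from= host restriction and a command= forced command, the two option keywords documented in sshd(8) for limiting hosts and commands. The function names and the sample file, including its placeholder key material, are constructed for this example.

```shell
#!/bin/sh
# Added example: report which authorized_keys entries are limited by
# from= (allowed client hosts) and command= (forced command).
# Only the SSH2 line format "[options] keytype base64 [comment]" is parsed.

# audit_authorized_keys FILE
# Prints "<comment or line N> from=<yes|no> command=<yes|no>" per key.
audit_authorized_keys() {
    awk '
    # Split s on any character in seps, ignoring separators inside
    # double-quoted strings (a backslash escapes the next character there).
    function split_unquoted(s, seps, out,    n, i, c, inq, cur) {
        split("", out); n = 0; cur = ""; inq = 0
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (inq && c == "\\") { cur = cur c substr(s, i + 1, 1); i++; continue }
            if (c == "\"") inq = !inq
            if (!inq && index(seps, c) > 0) {
                if (cur != "") out[++n] = cur
                cur = ""
                continue
            }
            cur = cur c
        }
        if (cur != "") out[++n] = cur
        return n
    }
    BEGIN { KEYTYPE = "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        nt = split_unquoted($0, " \t", tok)
        # The options field is optional: it is present when the first
        # token is not itself a key type.
        if (tok[1] ~ KEYTYPE) { opts = ""; k = 1 } else { opts = tok[1]; k = 2 }
        if (tok[k] !~ KEYTYPE) {
            printf "line %d: not an SSH2 key line\n", NR
            next
        }
        has_from = "no"; has_cmd = "no"
        no = split_unquoted(opts, ",", opt)
        for (j = 1; j <= no; j++) {
            name = tolower(opt[j])           # option keywords are case-insensitive
            if (name ~ /^from=/) has_from = "yes"
            if (name ~ /^command=/) has_cmd = "yes"
        }
        label = (nt > k + 1) ? tok[k + 2] : "line " NR
        printf "%s from=%s command=%s\n", label, has_from, has_cmd
    }' "$1"
}

# count_unrestricted FILE: number of keys with neither restriction.
count_unrestricted() {
    audit_authorized_keys "$1" | grep -c 'from=no command=no' || true
}

# Constructed sample; the base64 strings are placeholders, not real keys.
write_sample_keys() {
    cat > "$1" <<'EOF'
# constructed sample authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed1 osamu@laptop
from="*.example.org,!bad.example.org",command="/usr/local/bin/backup --mode \"full, nightly\"" ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed2 backup@cron
from="192.0.2.10" ssh-dss AAAAB3NzaC1kc3MAAAAconstructed3 admin@office
1024 35 1234567890123456789 old-ssh1@host
EOF
}

demo_authorized_keys_audit() {
    sample=$(mktemp) || return 1
    write_sample_keys "$sample"
    audit_authorized_keys "$sample"
    rm -f "$sample"
}

demo_authorized_keys_audit
```

To check a real account, call audit_authorized_keys with the path of its authorized_keys file.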
Note that SSH2 has HostbasedAuthentication. For this to work, you must adjust the settings of HostbasedAuthentication to yes in both /etc/ssh/sshd_config on the server machine and /etc/ssh/ssh_config or $HOME/.ssh/config on the client machine.
There are a few free SSH clients available for non-Unix-like platforms.
puTTY (GPL)
cygwin (GPL)
macSSH (GPL) [Note that Mac OS X includes OpenSSH; use ssh in the Terminal application]
See also SourceForge.net, site documentation, "6. CVS Instructions".
ssh-agent
It is safer to protect your SSH authentication key with a passphrase. If it was not set, use ssh-keygen -p to set it.
Place your public key (e.g. ~/.ssh/id_rsa.pub) into ~/.ssh/authorized_keys on a remote host using a password-based connection to the remote host as described in Connecting with fewer passwords – RSA, Section 9.5.3.
    $ ssh-agent bash # or run zsh/tcsh/pdksh program instead.
    $ ssh-add ~/.ssh/id_rsa
    Enter passphrase for /home/osamu/.ssh/id_rsa:
    Identity added: /home/osamu/.ssh/id_rsa (/home/osamu/.ssh/id_rsa)
    $ scp foo user@remote.host:foo
    ... no passphrase needed from here on :-)
    $^D
    ... terminating ssh-agent session
For the X server, normal Debian startup scripts execute ssh-agent as the parent process. So you only need to execute ssh-add once.
For more, read ssh-agent(1) and ssh-add(1).
If you have problems, check the permissions of configuration files and run ssh with the "-v" option.
Use the "-P" option if you are root and have trouble with a firewall; this avoids the use of server ports 1–1023.
If ssh connections to a remote site suddenly stop working, it may be the result of tinkering by the sysadmin, most likely a change in host_key during system maintenance. After making sure this is the case and nobody is trying to fake the remote host by some clever hack, one can regain a connection by removing the host_key entry from $HOME/.ssh/known_hosts on the local machine.
Mail configuration divides into three categories:
exim4, exim, postfix, sendmail, qmail, ssmtp, nullmailer, ...
procmail, fetchmail, mailx, crm114, ...
mutt, emacs+gnus, ...
For a full-featured MTA, use exim in Woody and use exim4 in Sarge. [45] References:
exim-doc and exim-doc-html packages for exim
exim4-doc-info and exim4-doc-html packages for exim4
http://www.exim.org/
The only reasonable alternative MTA is postfix if you care about security. sendmail and qmail are available as Debian packages but are not recommended.
If you do not need the relay capability of an MTA as in the case of a satellite system such as a laptop PC, you may consider using one of these lightweight packages:
ssmtp: needs an SMTP connection and is alias-capable, or
nullmailer: can spool but is not alias-capable.
At this moment, I find exim to be more suitable even for my personal workstation machine, which is a laptop PC.
You may need to remove exim for the installation of these conflicting packages:
    # dpkg -P --force-depends exim
    # apt-get install nullmailer # or ssmtp
If you are running exim4 or exim on a host which is connected through consumer-grade services, please make sure to send outgoing mail through a smarthost offered by your ISP or some others. [46] There are a few good reasons:
The only conceivable exceptions are:
In order to use exim4 or exim as your MTA, configure the following:
    /etc/exim/exim.conf   "eximconfig" to create and edit (exim)
    /etc/exim4/*          "dpkg-reconfigure exim4" to create and edit (exim4)
    /etc/inetd.conf       comment out smtp to run exim as daemon
    /etc/email-addresses  Add spoofed source address lists
Check filters using exim4 or exim with -brw, -bf, -bF, -bV, ... etc.
In /etc/exim/exim.conf (Woody or later), in the DIRECTORS part, at the end (after the localuser: director) add a catch-all director that matches all addresses that the previous directors couldn't resolve (per Miquel van Smoorenburg):
    catchall:
      driver = smartuser
      new_address = webmaster@mydomain.com
If one wants to have a more detailed recipe for each virtual domain, etc., add the following at the end of /etc/exim/exim.conf (per me, not well tested):
    *@yourdomain.com ${lookup{$1}lsearch*{/etc/email-addresses} \
        {$value}fail} T
Then have an "*" entry in /etc/email-addresses.
Selective address rewrite for outgoing mail to produce proper "From:" headers can be done using exim by configuring near the end of /etc/exim/exim.conf:
    *@host1.something.dyndns.org \
      "${if eq {${lookup{$1}lsearch{/etc/passwd}{1}{0}}} {1} \
       {$0}{$1@something.dyndns.org}}" frFs
This rewrites all addresses matching *@host1.something.dyndns.org.
/etc/passwd to see if the local part ($1) is a local user or not.
Some SMTP services such as yahoo.com require SMTP auth. Configure /etc/exim/exim.conf as follows:
    remote_smtp:
      driver = smtp
      authenticate_hosts = smtp.mail.yahoo.com
    ...
    smarthost:
      driver = domainlist
      transport = remote_smtp
      route_list = "* smtp.mail.yahoo.com bydns_a"
    ...
    plain:
      driver = plaintext
      public_name = PLAIN
      client_send = "^cmatheson3^this_is_my_password"
Do not forget double quotes in the last line.
fetchmail is run in daemon mode to fetch mail from a POP3 account with an ISP into the local mail system. Configure:
    /etc/init.d/fetchmail
    /etc/rc?.d/???fetchmail  run update-rc.d fetchmail default priority 30
    /etc/fetchmailrc         configuration file (chmod 600, owned by fetchmail)
Information on how to start fetchmail as a daemon from the init.d script for Potato is confusing (Woody fixed this). See the sample /etc/init.d/fetchmail and /etc/fetchmailrc files in the example scripts.
If your email headers are contaminated by ^M due to your ISP's mailer, add "stripcr" to your options in $HOME/.fetchmailrc:
    options fetchall no keep stripcr
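Both /etc/fetchmailrc and an exim.conf with a plaintext authenticator hold a clear-text password, which is why the mode 600 and ownership of such files matter. The following added example (not part of the original document) flags files that contain a credential keyword and are accessible by group or others, or owned by an unexpected account. The function names, the keyword list (password, pass, client_send) and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find mail configuration files that contain a password and
# can be read by group or others, or are owned by an unexpected account.

# holds_secret FILE: true if an uncommented line has a credential keyword,
# "password"/"pass" as in fetchmailrc or "client_send" as in exim.conf.
holds_secret() {
    sed 's/#.*//' "$1" |
        grep -Eiq '(^|[^[:alnum:]_])(password|pass|client_send)([^[:alnum:]_]|$)'
}

# audit_secret_file FILE [OWNER]: print a verdict; return 1 on a finding.
audit_secret_file() {
    asf_file=$1
    asf_owner=${2:-}
    if [ ! -f "$asf_file" ]; then
        echo "$asf_file: missing"
        return 1
    fi
    if ! holds_secret "$asf_file"; then
        echo "$asf_file: no credential keyword found"
        return 0
    fi
    # ls -ld prints e.g. "-rw------- 1 fetchmail root ..."; field 1 is the
    # mode (characters 5-10 are the group and other bits), field 3 the owner.
    asf_mode=$(ls -ld -- "$asf_file" | awk '{ print substr($1, 1, 10) }')
    asf_have=$(ls -ld -- "$asf_file" | awk '{ print $3 }')
    asf_findings=
    case $asf_mode in
        ????------) ;;   # no group or other permission bits set
        *) asf_findings="mode $asf_mode allows group/other access (want chmod 600)" ;;
    esac
    if [ -n "$asf_owner" ] && [ "$asf_have" != "$asf_owner" ]; then
        asf_findings="${asf_findings:+$asf_findings; }owned by $asf_have, expected $asf_owner"
    fi
    if [ -n "$asf_findings" ]; then
        echo "$asf_file: $asf_findings"
        return 1
    fi
    echo "$asf_file: ok"
}

# Build constructed sample files in a scratch directory and audit them.
# Host, user and password values are placeholders.
demo_secret_audit() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'set daemon 300' \
        'poll pop.example.org protocol pop3 user "osamu" password "constructed-secret"' \
        > "$d/fetchmailrc"
    printf '%s\n' 'plain:' '  driver = plaintext' '  public_name = PLAIN' \
        '  client_send = "^user^constructed-secret"' > "$d/exim.conf"
    printf '%s\n' '# password lines are all commented out here' > "$d/notes"
    chmod 644 "$d/fetchmailrc" "$d/notes"
    chmod 600 "$d/exim.conf"
    for f in fetchmailrc exim.conf notes; do
        (cd "$d" && audit_secret_file "$f") || :
    done
    rm -rf "$d"
}

demo_secret_audit
```

On a real system the check would be run as, for example, audit_secret_file /etc/fetchmailrc fetchmail.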
procmail is a local mail delivery and filter program. One needs to create $HOME/.procmailrc for each account that uses it.
Example: _procmailrc
crm114
The crm114 package provides the /usr/share/crm114/mailfilter.crm script, which is written in CRM114. This script provides a very effective spam filter which can be trained by feeding the spam and the ham.
CRM114 is a small language designed to write filters in; consider it to be a version of grep with super powers. See crm(1).
Use mutt as the mail user agent (MUA) in combination with vim. Customize with ~/.muttrc; for example:
    # use visual mode and "gq" to reformat quotes
    set editor="vim -c 'set tw=72 et ft=mail'"
    #
    # header weeding taken from the manual (Sven's Draconian header weeding)
    #
    ignore *
    unignore from: date subject to cc
    unignore user-agent x-mailer
    hdr_order from subject to cc date user-agent x-mailer
    auto_view application/msword
    ....
Add the following to /etc/mailcap or $HOME/.mailcap to display HTML mail and MS Word attachments inline:
    text/html; lynx -force_html %s; needsterminal;
    application/msword; /usr/bin/antiword '%s'; copiousoutput; description="Microsoft Word Text"; nametemplate=%s.doc
Debian is internationalized, offering support for a growing number of languages and local usage conventions. The next subsection lists some of the forms of diversity that Debian currently supports, and the following subsections discuss localization, the process of customizing your working environment to allow current input and output of your chosen language(s) and conventions for dates, numeric and monetary formats, and other aspects of a system that differ according to your region.
There are several aspects to customizing for localization and national language support.
Debian is distributed with keymaps for nearly two dozen keyboards. In Woody, reconfigure the keyboard by:
The vast majority of Debian software packages support data handling of non-US-ASCII characters through the LC_CTYPE environment variable offered by the locale technology in glibc.
X can display any coding, including UTF-8, and supports all fonts. The list includes not only all the 8-bit fonts but also 16-bit fonts such as Chinese, Japanese, or Korean. Multibyte character input method is supported by the Alternative X input methods, Section 9.7.10 mechanism. See Example for a multilingual X window system, Section 9.7.9 and UTF-8 support for the X terminal emulator, Section 9.7.12.
Japanese EUC code display is also available in a (S)VGA graphics console through the kon2 package. There is an alternative new Japanese display, jfbterm, which uses a frame-buffer console, too. In these console environments, the Japanese input method must be supplied by the application. Use the egg package for Emacs and the japanized jvim package for a Vim environment.
Installation of non Unicode fonts to X will help in displaying documents with any encoding in X. So do not worry too much about encoding of fonts.
Translations exist for many of the text messages and documents that are displayed in the Debian system, such as error messages, standard program output, menus, and manual pages. Currently, support for manual pages in German, Spanish, Finnish, French, Hungarian, Italian, Japanese, Korean, Polish, Portuguese, Chinese, and Russian is provided through the manpages-LANG packages (where LANG is a comma-separated list of two-letter ISO country codes. Use apt-cache search manpages-|less to get a list of available Unix manual pages.)
To access an NLS manual page, the user must set the environment variable LC_MESSAGES to the appropriate string. For example, in the case of the Italian-language manual pages, LC_MESSAGES needs to be set to it. The man program will then search for Italian manual pages under /usr/share/man/it/.
Debian supports locale technology. Locale is a mechanism that allows programs to provide suitable output and functionality according to local conventions such as character set, format for date and time, currency symbol, and so on. It uses environment variables to determine the appropriate behavior. For example, assuming you have both the American English and German locales installed on your system, the error messages of many programs can be multilingual:
    $ LANG="en_US" cat foo
    cat: foo: No such file or directory
    $ LANG="de_DE" cat foo
    cat: foo: Datei oder Verzeichnis nicht gefunden
Glibc offers support for this functionality to programs as a library. See locale(7).
Full locale description consists of 3 parts: xx_YY.ZZZZ.
For language codes and country codes, see pertinent description in the info gettext.
Please note this codeset part may be normalized internally to achieve cross platform compatibility by removing all - and by converting all characters into lower case. Typical codesets are:
As for the meaning of basic encoding system jargons:
ISO-8859-?, EUC, ISO-10646-1, UCS-2, UCS-4, and UTF-8 share the same code with ASCII for the 7 bit characters. EUC or Shift-JIS uses high-bit characters (0x80-0xff) to indicate that part of encoding is 16 bit. UTF-8 also uses high-bit characters (0x80-0xff) to indicate non 7 bit character sequence bytes and this is the most sane encoding system to handle non-ASCII characters.
Please note the byte order difference of Unicode implementation:
See Convert a text file with recode, Section 8.6.12 for conversion between various character sets. For more see Introduction to i18n.
Debian does not come with all available locales pre-compiled.
Check /usr/lib/locale to see which locales (besides the default "C") are compiled for your system. If the one you need is not present, you have two options:
/etc/locale.gen to add the desired locale, then run locale-gen as root to compile it. See locale-gen(8) and the manpages listed in its "SEE ALSO" section.
locales package. Or if it is not already installed, installing locales will invoke the debconf interface to let you choose needed locales and compile the database.
The following environment variables are evaluated in this order to provide particular locale values to programs:
LC_* variables are:
Note that some applications (e.g., Netscape 4) ignore LC_* settings.
The locale program can display active locale settings and available locales; see locale(1). (NOTE: locale -a lists all the locales that your system knows about; this does not mean that all of them are compiled! See Activating locale support, Section 9.7.4.)
The locale support for the international date standard of yyyy-mm-dd (ISO 8601 date format) is provided by the locale called en_DK, "English in Denmark", which is a bit of a joke :-) This seems to work only in a console screen for ls.
Add the following lines to ~/.bash_profile:
    LC_CTYPE=en_US.ISO-8859-1
    export LC_CTYPE
Add the following lines to ~/.bash_profile:
    LANG=fr_FR@euro
    export LANG
    LC_CTYPE=fr_FR@euro
    export LC_CTYPE
Configure the keyboard for French "AZERTY" as described in Localizing the keyboard, Section 9.7.1.1; add French manual pages by installing manpages-fr. The Right-Alt key in the US is called Alt-Gr in Europe. Pressing this together with other keys creates numerous accented and special characters. For example, Alt-Gr+E creates a Euro sign.
Most western European languages can be configured similarly.
See Debian Euro HOWTO for adding support for the new Euro currency and Utiliser et configurer Debian pour le français for more details in French.
Let us set up a multilingual X window system which simultaneously supports Japanese, English, German, and French with EUC, UTF-8, and ISO-8859-1 encodings in different consoles.
I will show you a customization using the Debian menu system. See the details of Debian menu system in /usr/share/doc/menu/html/index.html. I also create a shortcut to the mozilla web browser in this example. [47]
canna – Local server ("free-beer" license), or
freewnn-jserver – Network-extensible server (Public Domain)
kinput2-canna – for X, or
kinput2-canna-wnn – for X, and
egg – directly works with Emacsen even in console (optional)
xterm – X (for ISO-8859-1 and UTF-8),
kterm – X (for Japanese EUC), and
mlterm – X (multilingual).
~/.xsession that sets the user-specific X environment as described in Custom X sessions, Section 9.4.5.1 (for all):
    #!/bin/sh
    # This makes X work when I su to root.
    if [ -z "$XAUTHORITY" ]; then
        XAUTHORITY=$HOME/.Xauthority
        export XAUTHORITY
    fi
    # Set specific environment through debian menu system.
    # Reset locale
    unset LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    unset LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    unset LC_IDENTIFICATION LC_ALL LANG LANGUAGE PAGER
    # set locale default in X
    LANG=C
    # export locale
    export LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    export LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    export LC_IDENTIFICATION LC_ALL LANG LANGUAGE PAGER
    ###
    # activate input method for Japanese with kinput2
    kinput2 &
    XMODIFIERS="@im=kinput2"
    export XMODIFIERS
    # How about blackbox window manager (lightweight)
    exec blackbox
    #exec xfwm
    #exec wmaker
~/.bash_profile for Linux consoles (for all).
~/.bashrc, if existed (for all).
/etc/menu/ (for all).
/etc/menu/xterm-local: (add new entries to menu) [48]
    ?package(xterm):\
      needs=x11\
      section=XShells\
      longtitle="XTerm: terminal emulator (en_US.ISO-8859-1)"\
      title="XTerm (en_US.ISO-8859-1)"\
      command="sh -c 'LC_ALL=en_US.ISO-8859-1 xterm'"
    ?package(xterm):\
      needs=x11\
      section=XShells\
      longtitle="XTerm: terminal emulator (de_DE.ISO-8859-1)"\
      title="XTerm (de_DE.ISO-8859-1)"\
      command="sh -c 'LC_ALL=de_DE.ISO-8859-1 xterm -T xterm-de'"
    ?package(xterm):\
      needs=x11\
      section=XShells\
      longtitle="XTerm: terminal emulator for X with Unicode support (Japanese)"\
      title="UXTerm (ja_JP.UTF-8)"\
      command="sh -c 'LC_ALL=ja_JP.UTF-8 uxterm'"
/etc/menu/kterm: (override the system default) [49]
    ?package(kterm):\
      needs="x11"\
      section="XShells"\
      command="sh -c 'LC_ALL=ja_JP.eucJP PAGER=w3m /usr/X11R6/bin/kterm -xim'" \
      title="Kanji Terminal"
    ?package(kterm):\
      needs="x11"\
      section="XShells"\
      command="sh -c 'LANG=ja_JP.eucJP \
        LC_MESSAGES=en_US.ISO-8859-1 PAGER=w3m /usr/X11R6/bin/kterm -xim'" \
      title="Kanji Terminal (bilingal)"
/etc/menu/mozilla-local: (add a new shortcut) [50]
    ?package(mozilla-browser):needs="x11" section="/" \
      title=" Mozilla Navigator" command="mozilla-1.5" hints="Web browsers" \
      icon=/usr/share/pixmaps/mozilla.xpm
update-menus from the root account.
~/.muttrc (for Japanese):
    # UTF-8 support is not popular in popular Japanese EMACS environment
    # 7-bit encoding of iso-2022-jp is easier for everyone.
    # default encoding order = us-ascii --> iso-8859-1 --> iso-2022-jp
    set send_charset="us-ascii:iso-8859-1:iso-2022-jp"
    set allow_8bit=no
kinput2 for X applications (for Japanese):
~/.Xresources (it looks like Debian takes care of this automatically somehow).
mlterm) also allow you to set up *inputMethod: and other information dynamically at runtime (press Ctrl-MouseButton-3 in mlterm).
xdm, gdm, kdm, wdm, ...) (for all).
kterm (for Japanese). (Emacs seems to be the most popular platform, though I do not use it.)
For other CJK language supports, see the following sections and SuSE pages for CJK.
There are many alternative X input methods support packages available:
    Language    LC_CTYPE      XIM server  XMODIFIERS               Start key
    Japanese    ja_JP*        kinput2     "@im=kinput2"            Shift-Space
    Korean      ko_KR*        ami         "@im=Ami"                Shift-Space
    Chinese(T)  zh_TW.Big5    xcin        "@im=xcin-zh_TW.big5"    Ctrl-Space
    Chinese(S)  zh_CN.GB2312  xcin        "@im=xcin-zh_CN.GB2312"  Ctrl-Space
The Japanese input method kinput2 is offered by packages such as kinput2-canna-wnn, kinput2-canna, and kinput2-wnn. Japanese needs a dictionary server such as canna and freewnn-jserver to be practical.
There are many X consoles which support simple 8 bit encodings when pertinent font packages are installed:
xterm – The X terminal emulator
gnome-terminal – xterm for Gnome
konsole – xterm for KDE
rxvt – VT102 terminal (lighter)
aterm – VT102 for Afterstep WM
eterm – VT102 for Enlightenment WM
wterm – VT102 for WindowMaker WM
Multi-byte encoding support for the X console is provided by xterm through UTF-8 encoding (UTF-8 support for the X terminal emulator, Section 9.7.12). Support for other traditional encodings is in progress (as of 2003). The following packages offer traditional encoding support:
aterm-ml – Multi-lingual
kterm – Multi-lingual (Japanese, ...)
rxvt-ml – Multi-lingual
wterm-ml – Multi-lingual
cxterm-big5 – Chinese (Trad., Big5)
cxterm-gb – Chinese (Simp., GB)
cxterm-ks – Chinese (KS)
cxterm-jis – Japanese
hanterm-classic – Korean (Hangul)
hanterm-xf – Korean (Hangul)
hztty – Chinese (GB, Big5, zW/HZ)
For kterm (and possibly others), you may want to activate XIM through menu after Ctrl-middle-click mouse action.
UTF-8 support for the X terminal emulator is provided by the uxterm program in the xterm package for XFree86 4.x. It enables support for all languages. It is a wrapper around the xterm(1) program that invokes the latter program with the "UXTerm" X resource class set.
For example, to enable nice large display of English, Russian, Japanese, Chinese, and Korean characters, add the following to your ~/.Xresources after installing all the pertinent fonts:
    ! set large font
    UXTerm*font: -misc-fixed-medium-r-normal-*-18-120-100-100-c-90-iso10646-1
    ! Use XIM for Japanese
    *inputMethod: kinput2
Then run xrdb -merge ~/.Xresources to update X resources as described in X resources, Section 9.4.10.
Most of the popular console program packages such as vim, mutt, and emacs have been made compatible with UTF-8 recently (Woody-Sarge), although programs such as mc are still not UTF-8 compatible but simply 8-bit clean. If you are editing the 7-bit ASCII part of a file with unknown or mixed encoding, it is safer to use a locale-unaware 8-bit clean editor.
See The Unicode HOWTO.
UTF-8 support on a FB console is provided by bterm used in the debian-installer.
When you are first setting the system up for a national language environment, please consider using tasksel or aptitude to find out what packages are selected by choosing the corresponding language environment task. The package choice made is useful even for a multilingual setup. If you encounter any package dependency conflicts during the install to your carefully configured system, avoid installing any software that conflicts with the existing system. You may have to use update-alternatives to regain the original state for some commands since a newly installed one may have higher priority than existing ones.
Newer major programs are using glibc 2.2 and are mostly internationalized. So a specially localized version such as jvim for Vim may not be needed as its functionality is offered by vim version 6.0 in X. In reality, it is still somewhat rough-edged. Since jvim has a version compiled with direct Japanese input method (canna) support even in the console and addresses many other Japanese-specific issues maturely, you may still want it :-)
Programs may need to be configured beyond locale configuration to enable a comfortable working environment. The language-env package and its command set-language-env greatly ease this process.
Also see the internationalization document, Introduction to i18n. It is aimed at developers but is also useful for system administrators.
Localization (l10n), Section 9.7, as enabled by the language-env package and the like, is aimed at monolingual localization. These packages also use traditional encodings as the choice for the text encoding. You cannot mix French and Japanese text in such an environment since they use incompatible ISO-8859-1 and EUC-JP encodings respectively.
You can obtain a multilingualized UTF-8 Desktop using Gnome and KDE programs started under one of the available UTF-8 locales. (Sarge) In such an environment, you can mix English, Chinese, Russian, and Japanese characters under UTF-8 compliant software.
m17n-env is a helper script to set up such an environment. The multilingualized UTF-8 environment is configured by running the set-m17n-env command from the root and the user account. [51]
Under such an environment, the new multilingualized input method (IM) using scim is preferred. The IM offered by scim is turned on and off by typing Ctrl-Space together. The input conversion engine can be switched by clicking the small SCIM panel.
You can still have easy access to the traditional encoding environment through the custom locale consoles created by m17n-env. This comes in handy when you need to edit old EUC-JP or ISO-8859-1 encoded files.
Debian Reference
1.08-3, Sun May 1 07:45:18 UTC 2005
osamu@debian.org
dsewell@virginia.edu