With version 38 just being released I decided to give Fedora a try again. From time to time I’d like to check out how things are going with other distributions. And sometimes it’s nice to have really current versions of your favorite applications. ;-) So I replaced my beloved Debian 11 with Fedora 38.
As Fedora’s installation image tends to be outdated pretty fast, I’d recommend running a complete update once the installation is done. For that I logoff and hit
Ctrl + Alt + F2 to drop out of GDM (or whatever display manager you have installed), login via the terminal and run:
That might take a while. Once done, reboot.
LUKS setup with YubiKey
I did not delete my LUKS encrypted LVM disk layout originally created by Debian’s installer, but just re-used it with Fedora. If you followed this post you probably know I was using a YubiKey to unlock the encrypted partition via challenge response. Having read about systemd now being able to natively support FIDO2 I wanted to go with this. So, still being on Debian I removed LUKS key slot 7 which was hosting the challenge response password. You can do that by:
MAKE SURE YOU STILL HAVE AN ACTIVE KEY SLOT AND A VALID PASSWORD FOR IT BEFORE REMOVING ONE!!!
Verify the result by executing:
There should be one slot less in use. So, from here on it required my really, really long password which matched key slot 0.
I then simply booted from Fedora’s Workstation USB stick and went through its Anaconda installer. I always felt that the partitioning part is not really well designed and beginners might have issues here. However, it will do the job and clicking on the encrypted partition will let you enter your encryption password and after a few seconds your logical volumes will become available. I reformated “/” and “/home” - both residing on logical volumes on the encrypted partition - and “/boot” with ext4. I also reformated “/boot/efi” with vfat. Of course, “/boot” and “/boot/efi” are separate, unencrypted partitions of their own. Once the installation succeeded and I rebooted the first time I had to enter my really, really long encryption password. So, let’s add the YubiKey again! This is quite easy with a current version of systemd.
I found these two posts very helpful when setting this up:
- https://curius.de/2022/05/linux-luks-mit-fido-yubikey-entsperren/ (German only)
Plug in your YubiKey and see if it’s detected:
If the above succeeds, add the YubiKey to the next free key slot:
You can verify by running luksDump command again. You should also see a Token now: systemd-fido2
fido2-device=auto to /etc/crypttab. It should look something like this then:
Upon next reboot you can unlock your encrypted drive by simply typing your YubiKey PIN and touching the key. If you should loose your YubiKey, just type anything when prompted for your PIN and wait. You will then be prompted for your regular LUKS password (so, don’t delete that LUKS key slot!).
YubiKey for gpg and ssh
I’m also using my YubiKey for storing my private GPG key and for logging into servers via ssh. That worked flawlessly with Debian - not so with Fedora 38. First,
ssh-add -l would not list my key and once I got that fixed it required to type my PIN on each use. I don’t really remember where I found the solution for that issue and I think I finally ended up applying a mixture of the solutions I came across. Basically all recommended to add some configuration options to
Usually that works quite well. In case ssh keys are not listed after first login, executing
will trigger it and all is fine.
Managing two or three servers via ssh is a lot easier when using ssh cluster shell. You can install it via:
However, it will not work:
cssh requires xserver… To make it work I created a desktop file which will automatically add my user via
Of course, replace “<YOUR_USER_NAME>” with your username.
Disabling graphical boot screen
I’m not really a friend of graphical boot screens. So, I tend to disable them. Just remove “rhgb” from “GRUB_CMDLINE_LINUX=” in
/etc/default/grub and then run:
Additional software repositories
To install for example vlc media player and/or replace ffmpeg-free by a fully functional ffmpeg package you can add RPM Fusion’s repositories - I’d recommend “free” one. They provide RPMs which will automatically add the repos. As Fedora 38 already comes with the correct GPG keys you can check the RPM before actually installing it.
- download the RPM:
- check GPG key and compare with key listed here (it should match!):
- import the key:
- check the downloaded RPM (watch our for a tailing “OK”!):
- finally, install it:
- update and install vlc:
Fedora 38 already comes with Flathub configured, but not enabled. You can enable it either by “Software” application or by command line:
Now you’re free to install whatever those repositories offer.
I do like Fedora for it’s current software versions and the fact that they do not provide any proprietary software by default (the latter is also true for Debian). However, from my experience you have to do some more tweaking and overcome some issues before you can run Fedora as you want it to.