Fedora 38
With version 38 just being released I decided to give Fedora a try again. From time to time I’d like to check out how things are going with other distributions. And sometimes it’s nice to have really current versions of your favorite applications. ;-) So I replaced my beloved Debian 11 with Fedora 38.
Update Fedora
As Fedora’s installation image tends to be outdated pretty fast, I’d recommend running a complete update once the installation is done. For that I log off and hit Ctrl + Alt + F2 to drop out of GDM (or whatever display manager you have installed), log in via the terminal and run:
$ sudo dnf update
That might take a while. Once done, reboot.
LUKS setup with YubiKey
I did not delete my LUKS encrypted LVM disk layout originally created by Debian’s installer, but just re-used it with Fedora. If you followed this post you probably know I was using a YubiKey to unlock the encrypted partition via challenge response. Having read about systemd now being able to natively support FIDO2 I wanted to go with this. So, still being on Debian I removed LUKS key slot 7 which was hosting the challenge response password. You can do that by:
$ sudo cryptsetup luksKillSlot /dev/<LUKS-DEVICE> <KEYSLOT_NUMBER>
MAKE SURE YOU STILL HAVE AN ACTIVE KEY SLOT AND A VALID PASSWORD FOR IT BEFORE REMOVING ONE!!!
Verify the result by executing:
$ sudo cryptsetup luksDump /dev/<LUKS-DEVICE>
There should be one slot less in use. So, from here on it required my really, really long password which matched key slot 0.
I then simply booted from Fedora’s Workstation USB stick and went through its Anaconda installer. I always felt that the partitioning part is not really well designed and beginners might have issues here. However, it will do the job: clicking on the encrypted partition will let you enter your encryption password, and after a few seconds your logical volumes will become available. I reformatted “/” and “/home” - both residing on logical volumes on the encrypted partition - and “/boot” with ext4. I also reformatted “/boot/efi” with vfat. Of course, “/boot” and “/boot/efi” are separate, unencrypted partitions of their own. Once the installation succeeded and I rebooted the first time I had to enter my really, really long encryption password. So, let’s add the YubiKey again! This is quite easy with a current version of systemd.
I found these two posts very helpful when setting this up:
- https://curius.de/2022/05/linux-luks-mit-fido-yubikey-entsperren/ (German only)
- https://www.guyrutenberg.com/2022/02/17/unlock-luks-volume-with-a-yubikey/
Plug in your YubiKey and see if it’s detected:
$ systemd-cryptenroll --fido2-device=list
If the above succeeds, add the YubiKey to the next free key slot:
$ sudo systemd-cryptenroll --fido2-device=auto /dev/<LUKS-DEVICE>
You can verify by running the luksDump command again. You should also see a Token now: systemd-fido2
Next, append fido2-device=auto to /etc/crypttab. It should look something like this then:
luks-........ none fido2-device=auto
…and run:
$ sudo dracut -f
Upon next reboot you can unlock your encrypted drive by simply typing your YubiKey PIN and touching the key. If you should lose your YubiKey, just type anything when prompted for your PIN and wait. You will then be prompted for your regular LUKS password (so, don’t delete that LUKS key slot!).
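The two cautions above (keep a working key slot before running luksKillSlot, and keep the password slot as the fallback for a lost YubiKey) can be checked from the luksDump text before a slot is removed. This is an added example, not part of the original post; it assumes the LUKS2 text layout of luksDump, and the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the blog author's code. Assumes the LUKS2 text layout of
# "cryptsetup luksDump"; function names and the sample dump are constructed.

# stdin: luksDump text. Prints "slot N" per key slot, "token TYPE N" per binding.
luks_summary() {
    awk '
        /^[A-Za-z][A-Za-z ]*:[[:space:]]*$/ { sect = $0; sub(/:.*/, "", sect); next }
        sect == "Keyslots" && /^  [0-9]+: / { n = $1; sub(/:/, "", n); print "slot", n }
        sect == "Tokens"   && /^  [0-9]+: / { type = $2 }
        sect == "Tokens"   && $1 == "Keyslot:" { print "token", type, $2 }
    '
}

# stdin: luksDump text. Exit 0 if a slot with no token bound to it (passphrase
# or key file) would remain after removing slot $1.
fallback_remains() {
    luks_summary | awk -v drop="$1" '
        $1 == "slot"  { slots[$2] = 1 }
        $1 == "token" { bound[$3] = 1 }
        END {
            for (s in slots) if (s != drop && !(s in bound)) ok = 1
            exit !ok
        }
    '
}

# Constructed sample: slot 0 holds the passphrase, slot 1 the FIDO2 credential.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2

Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: systemd-fido2
        Keyslot:    1
Digests:
  0: pbkdf2
        Keyslots:   0
EOF
}

sample_dump | luks_summary
# On a real system:
#   sudo cryptsetup luksDump /dev/<LUKS-DEVICE> | fallback_remains <KEYSLOT_NUMBER>
```

Only run luksKillSlot when fallback_remains exits with 0 for the slot you are about to remove.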
YubiKey for gpg and ssh
I’m also using my YubiKey for storing my private GPG key and for logging into servers via ssh. That worked flawlessly with Debian - not so with Fedora 38. First, ssh-add -l would not list my key, and once I got that fixed it required me to type my PIN on each use. I don’t really remember where I found the solution for that issue and I think I finally ended up applying a mixture of the solutions I came across. Basically, all of them recommended adding some configuration options to ~/.gnupg/scdaemon.conf:
disable-ccid
pcsc-shared
disable-application piv
Usually that works quite well. In case ssh keys are not listed after first login, executing
$ gpg --card-status
will trigger it and all is fine. Of course, don’t forget to add export SSH_AUTH_SOCK=/run/user/$(id -u)/gnupg/S.gpg-agent.ssh to your .bashrc.
ssh clustershell
Managing two or three servers via ssh is a lot easier when using ssh cluster shell. You can install it via:
$ sudo dnf install clusterssh
However, it will not work:
$ cssh
Connection to server failed -- (version 11.0)
Authorization required, but no authorization protocol specified
at /usr/share/perl5/vendor_perl/App/ClusterSSH/Window/Tk.pm line 57.
It seems cssh requires xserver… To make it work I created a desktop file which will automatically add my user via the xhost command:
$ cat ~/.config/autostart/xhost.desktop
[Desktop Entry]
Type=Application
Name=xhost
Exec=xhost +SI:localuser:<YOUR_USER_NAME>
StartupNotify=false
Terminal=false
Categories=System;
Of course, replace “<YOUR_USER_NAME>” with your username.
Disabling graphical boot screen
I’m not really a friend of graphical boot screens. So, I tend to disable them. Just remove “rhgb” from “GRUB_CMDLINE_LINUX=” in /etc/default/grub and then run:
$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg
Additional software repositories
RPM Fusion
To install, for example, vlc media player and/or replace ffmpeg-free with a fully functional ffmpeg package, you can add RPM Fusion’s repositories - I’d recommend the “free” one. They provide RPMs which will automatically add the repos. As Fedora 38 already comes with the correct GPG keys you can check the RPM before actually installing it.
- download the RPM:
$ wget https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm
- check GPG key and compare with key listed here (it should match!):
$ gpg /usr/share/distribution-gpg-keys/rpmfusion/RPM-GPG-KEY-rpmfusion-free-fedora-$(rpm -E %fedora)
- import the key:
$ sudo rpm --import /usr/share/distribution-gpg-keys/rpmfusion/RPM-GPG-KEY-rpmfusion-free-fedora-$(rpm -E %fedora)
- check the downloaded RPM (watch out for a trailing “OK”!):
$ rpm -K rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm
- finally, install it:
$ sudo dnf --setopt=localpkg_gpgcheck=1 install rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm
- update and install vlc:
$ sudo dnf update && sudo dnf install vlc
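For the rpm -K step above, a trailing “OK” alone is not enough: an unsigned package also ends in “OK” (“digests OK”), while a signed and verified one reads “digests signatures OK”. The following added example (not from the original post) classifies rpm -K output accordingly; it assumes the output format of rpm 4.14 and later, and the function name and sample lines are constructed.

```shell
#!/bin/sh
# Added example, not the blog author's code. Assumes the "rpm -K" output
# format of rpm 4.14 and later; function name and sample lines are constructed.

# stdin: rpm -K output. Prints one verdict per package; exits 0 only if every
# package carried a signature that verified against an imported key.
rpm_k_verdict() {
    awk '
        { n++; pkg = $1; sub(/:$/, "", pkg) }
        /NOT OK/          { print pkg, "FAILED";   bad = 1; next }
        / signatures OK$/ { print pkg, "signed";   next }
        / OK$/            { print pkg, "unsigned"; bad = 1; next }
                          { print pkg, "unknown";  bad = 1 }
        END { exit (bad || n == 0) }
    '
}

# Constructed sample lines: verified, unsigned, signed with a key not imported.
rpm_k_samples() {
    cat <<'EOF'
rpmfusion-free-release-38.noarch.rpm: digests signatures OK
example-unsigned.noarch.rpm: digests OK
example-nokey.noarch.rpm: digests SIGNATURES NOT OK
EOF
}

rpm_k_samples | rpm_k_verdict || echo "do not install: a package lacks a verified signature"
# On a real system:
#   rpm -K rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm | rpm_k_verdict
```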
Librewolf
You can add a repository for Librewolf - being one of my favorite browsers - very easily by following their instructions given here: https://librewolf.net/installation/fedora/
VSCodium
Since Atom is not maintained anymore I’m using the free and non-tracking version of Visual Studio Code VSCodium to write this blog. There is also a repository for Fedora available here.
Enable Flathub
Fedora 38 already comes with Flathub configured, but not enabled. You can enable it either by “Software” application or by command line:
$ sudo flatpak remote-modify --enable flathub
Now you’re free to install whatever those repositories offer.
I do like Fedora for its current software versions and the fact that they do not provide any proprietary software by default (the latter is also true for Debian). However, from my experience you have to do some more tweaking and overcome some issues before you can run Fedora as you want it to.