It’s easy enough to start out with an Ubuntu Server machine and install the desktop packages, leaving you with an Ubuntu Desktop machine. Just run:

sudo aptitude install ubuntu-desktop

…and you’re done. Unfortunately, going the other way isn’t so easy. Just removing the ubuntu-desktop package doesn’t remove all the other packages for me, I had to list a whole bunch of packages (enough to trigger all the dependencies, and get all the other desktop packages autoremoved). Long story short, I just fired this (very long) command and it did what I was after:

sudo aptitude remove ubuntu-desktop gdm nautilus \
xserver-xorg libgtk2.0-common metacity x-session-manager \
gnome-session xorg capplets-data gedit-common \
gnome-panel gnome-orca gnome-control-center libgnome2-0 \
mousetweaks network-manager synaptic evolution \
gcalctool gconf2 software-center nautilus-data \
rhythmbox vino vlc update-manager firefox compiz-core \
network-manager-pptp openoffice.org-help-en-us \
gnome-media-common gnome-panel-data gnome-screensaver \
gnome-terminal-data gstreamer0.10-plugins-base \
indicator-me indicator-messages indicator-session \
update-notifier indicator-applet \
indicator-applet-session libappindicator1 \
libcanberra-gtk0 empathy-common evolution-common \
evolution-plugins gwibber-service ibus jockey-gtk \
libbrasero-media1 libpam-gnome-keyring \
nautilus-sendto-empathy rhythmbox-plugins \
xul-ext-ubufox empathy gnome-applets gnome-keyring

Warnings/disclaimers/tips:

• Make sure you’re not in a GNOME session while you’re doing this, or it could have unexpected results.
• It’ll remove a lot more packages than those listed above. Read the list of packages that are going to be removed CAREFULLY and be sure before you confirm the removal.
• You may not hold me responsible if you hose your system by blindly removing packages. You should know what you’re doing before attempting this, if you’re not sure what will happen, you should do some more research first.
• If you don’t have aptitude installed, just replace “aptitude” with “apt-get” in the commands above. I prefer aptitude, so that’s why it’s in the commands above.
• My scenario: I started off with an Ubuntu Server 10.10 (not a fresh install, I’d been using it a while, so forget this being a clean experiment!), then installed the Desktop, installed Chromium and Flash, then switched back to Ubuntu Server.
• This will almost certainly need some tweaks to work on earlier or later versions of Ubuntu than 10.10. If you do tweak the above command for another version and you feel like helping out, please comment with the relevant remove command that worked for you so it can be shared.

If this works for you, drop me a comment below!

PS: Nope, I don’t understand that photo either. :)

Just found an awesome guide from Mattias Kretschmann on how to create a perfect AFP file server for Mac clients that supports Time Machine backups over the network out of the box. It worked for me with a Mac OS X 10.6.3 client and an Ubuntu 10.04 server, with just one small change to the /etc/netatalk/afpd.conf file. The final line simply needed to read:

- -transall -advertise_ssh

Beautiful, thanks Mattias. :)

If you’re running a Linux, Mac OS X or Unix server of any description, SSH is an invaluable tool when it comes to taking control of the machine while you’re not infront of it.

In the world of web hosting, it’s also brings with it SFTP; a fantastic alternative to the very insecure FTP. Except it has one major flaw: by default on Ubuntu (and most Linux distros), one user can see all of another user’s files just by dropping up a directory to /home. Not exactly ideal if you’re providing a shared-hosting service.

So what we want is a chrooted version of SFTP. But this would also chroot SSH too, making it unusable for system administration. So we need to lock down SFTP only, but let SSH run free. We also want to be able to make some users SFTP-only (web hosting customers), and some users SFTP and SSH capable.

Luckily someone known as “The Minstrel”, came up with a pretty good solution to this. Back in November 2007, Mads Madsen also created a guide to this process for Debian/Ubuntu 7.04. This has been my favourite solution for some time now. The OpenSSH project has since created a version of this this idea internally, but annoyingly it’s got a major flaw: wherever you want to chroot the users to must be owned by root. In other words, users will not be able to create any files in the top level of their chroot jail.

Imagine that you have your users data stored in /home/username. You can’t chroot them to /home/username unless you create a directory inside there, and then let them own that. That gives them an ugly chrooted writable path like /htdocs (or whatever you choose to call it), and a / folder they can’t edit. The other option is to chroot them to /home, and let them own their homedir as normal, but then they can see every other user’s files. Again, not ideal.

So I stuck with The Minstrel’s version, but got tired of having to recompile and rebuild all this every time I wanted it on a new machine. Some people would have probably avoided this (actually quite good) solution altogether because it’s a bit too indepth. Well, it just got a bunch easier, because I created all the bits needed and am publishing them here for you to use.

Disclaimer: I make no promises that this won’t electrocute your cat, sleep with your girlfriend, make fun of your children, etc. Infact I make no promises about this at all. That said, for me, this has worked very well several times since Ubuntu 8.10′s release, on a whole variety of machines, and I’ve had no problems with it.

So from your Ubuntu machine, fire up a terminal (or SSH in, if you’re not sat infront of it) and paste this in:

wget http://unadopted.co.uk/openssh/openssh-server_5.1p1-3ubuntu1_i386.deb
sudo dpkg -i openssh-server_5.1p1-3ubuntu1_i386.deb
sudo aptitude hold openssh-server

This will download the modified package, install it, and tell Ubuntu not to replace it with new any of Ubuntu’s versions. Now bear in mind that you won’t get automatic security updates on OpenSSH anymore — you’ll need a new version of this package when OpenSSH 5.2 comes out, but when that comes out, it’ll be a pretty simple copy/paste job to upgrade, just like that was. The Minstrel notes that it’s worth signing up to the openssh-unix-announce mailing list to find out when this is necessary.

Now if this is the first time you’re doing this we need to do a couple extra steps (though you won’t need to do this if you’re just updating):

wget http://unadopted.co.uk/openssh/sftpsh
sudo cp sftpsh /bin/sftpsh
sudo chown root:root /bin/sftpsh
sudo chmod 755 /bin/sftpsh
sudo echo "/bin/sftpsh" >> /etc/shells 

This will download and install a special shell which you’ll need to set up as the login shell for the user accounts for whoever you want to lock down. This will kick them straight out if they try and SSH in, but will still let SFTP work. We also need to tell the system which directory to lock them into by adding a special tag into their home folder definition. Which all sounds a bit more complicated than it really is (it’s just one line to copy and paste).

So, let’s say our web user is called “mywebsite-sftp”. We’d just do this, if we wanted to lock them to their home directory:

sudo usermod -s /bin/sftpsh -d /home/mywebsite-sftp/./ mywebsite-sftp

Simple, right? The Minstrel has built up a pretty good set of FAQs incase you run into any problems.

If you ever change your mind, and want to go back to Ubuntu’s default OpenSSH server and undo all these changes, that’s dead simple too, just copy and paste this in (go-go-gadget uninstaller!):

sudo rm /bin/sftpsh
sudo aptitude remove openssh-server
sudo aptitude install openssh-server 

Warning: If you’re SSH’d in, don’t disconnect between the two aptitude commands, or you won’t have an SSH server to reconnect to (but it will stay alive until you disconnect). Also, you’ll need to remember that the sftpsh shell doesn’t exist anymore, though, and you’ll need to change any users back to a different shell using usermod.

Okay, so that’s that over with. Tell your friends, post it on Facebook, link to this in forum posts, Digg it, link to this from the Ubuntu Wiki, do whatever you feel you must do to share this with the world. :)