Default security settings
The default settings are:
- Automatically install security updates using unattended upgrades.
- Send alerts to the postmaster.
- Force root SSH login to use public key cryptography, and not a password.
- Disable the root password.

    ###############################################################################
    # Extra security values
    security_default:
      auto_update: true                            # Install security updates automatically, using unattended-upgrades
      ssh_disable_root_access_with_password: true  # Force SSH authentication to use public / private key
      ssh_disable_root_access: false               # At the end of the installation, completely disable remote
                                                   # root access via SSH and force the use of sudo for the administrators
      lock_root_password: true                     # Disable console root access by locking root password.
      alerts_email:
        - 'admin@{{ network.domain }}'
      # various options when luks is installed
      luks:
        yubikey: false

Options details
Automatic security updates
By default, automatic security updates are installed, using the unattended-upgrades package.
The changes are sent to the postmaster by default, using the recipient(s) defined in the alerts_email variable.
Defining administrators
This is done by setting the flag sudo: true for the users you want to grant administrator rights, for instance:

    # list of users
    users:
    - uid: john
      cn: John Doe
      first_name: John
      last_name: Doe
      mail: john.doe@example.com
      password: 'xIlm*uu7'
      sudo: true

Grant some users remote access
This is done by adding a public key to the user definition, for instance:

    # list of users
    users:
    - uid: john
      cn: John Doe
      first_name: John
      last_name: Doe
      mail: john.doe@example.com
      password: 'xIlm*uu7'
      # Allow remote access using SSH
      ssh_key:
        type: ecdsa-sha2-nistp384
        comment: john@homebox
        data: >-
          AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBE+E0hiYkPywn43g2J5s5t8mGq
          muUwObvFN05lCYpEQYv002lMeZEcD9rN80ZBGXJ49J0pfHmuRYScHIt3SjP7Eau3UrGebHvXSBzqPI
          xcLmuv8NO2siwhqWmZfvrXEWlQ==

Locking root access
The root password is locked by default, which means root can only log in over SSH. However, once you have defined administrators, you can let these accounts use the sudo command to become root, and completely disable root SSH login:

    # Security settings
    security:
      ssh_disable_root_access_with_password: true
      ssh_disable_root_access: true
      lock_root_password: true

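A pre-flight check for the setting above, as an added example that is not part of the project's own code: it reports when ssh_disable_root_access is enabled but no user could still reach root remotely, and when an ssh_key's declared type does not match the type embedded in its data. The function names are hypothetical, the configuration is assumed to be already parsed from YAML into a dict, and it assumes a remote administrator needs both sudo: true and an ssh_key.

```python
import base64
import struct

def ssh_key_blob_type(data):
    """Return the key type string embedded at the start of an OpenSSH public key blob."""
    # A folded YAML scalar (>-) joins lines with spaces, so strip all whitespace first.
    blob = base64.b64decode("".join(data.split()), validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    if not 0 < length <= len(blob) - 4:
        raise ValueError("truncated key blob")
    return blob[4:4 + length].decode("ascii")

def lockout_problems(config):
    """Return reasons this config could leave nobody able to reach root remotely."""
    problems, admins = [], []
    for user in config.get("users", []):
        key = user.get("ssh_key")
        if not key:
            continue  # no public key, so no remote access for this user
        try:
            embedded = ssh_key_blob_type(key.get("data", ""))
        except (ValueError, struct.error) as exc:
            problems.append(f"{user['uid']}: unreadable ssh_key data ({exc})")
            continue
        if embedded != key.get("type"):
            problems.append(f"{user['uid']}: type {key.get('type')} != key data {embedded}")
        elif user.get("sudo"):
            admins.append(user["uid"])
    if config.get("security", {}).get("ssh_disable_root_access") and not admins:
        problems.append("ssh_disable_root_access: true, but no user has "
                        "sudo: true and a usable ssh_key")
    return problems

def constructed_key(key_type):
    """Constructed sample blob: length-prefixed type name plus filler, not a real key."""
    name = key_type.encode("ascii")
    return base64.b64encode(struct.pack(">I", len(name)) + name + bytes(16)).decode()

if __name__ == "__main__":
    # Constructed sample mirroring the users/security layout shown on this page.
    config = {
        "security": {"ssh_disable_root_access": True, "lock_root_password": True},
        "users": [{"uid": "john", "sudo": True,
                   "ssh_key": {"type": "ecdsa-sha2-nistp384",
                               "data": constructed_key("ssh-ed25519")}}],
    }
    for problem in lockout_problems(config):
        print("WARNING:", problem)
```
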
Using a Yubikey to boot
If your system is encrypted with LUKS, you can use a Yubikey to decrypt the main disk. This will be the simplest and safest option to decrypt your main drive.

    # Security settings
    security:
      …
      luks:
        yubikey: true

Once the system is installed, run the provided script to “enroll” your key:

    root@osaka:~ # yubikey-enroll.sh
    This script will Register your Yubikey to decrypt the main drive.
    Plug your Yubikey that will be used to decrypt the hard drive.
    Continue (y/n) ? y
    Partition: /dev/sda5
    Key Slot 0: ENABLED
    Key Slot 1: DISABLED
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: ENABLED
    The key will be registered in the slot 1

The script will automatically choose a free slot.