Default security settings

The default settings are:

  • Automatically install security updates using unattended upgrades.
  • Send alerts to the postmaster.
  • Force root SSH login to use public key cryptography, and not a password.
  • Disable the root password.
###############################################################################
# Extra security values
security_default:
  auto_update: true                             # Install security updates automatically, using unattended-upgrades
  ssh_disable_root_access_with_password: true   # Force SSH authentication to use public / private key
  ssh_disable_root_access: false                # At the end of the installation, completely disable remote
                                                # root access via SSH and force the use of sudo for the administrators
  lock_root_password: true                      # Disable console root access by locking root password.
  alerts_email:
    - 'admin@{{ network.domain }}'
  # various options when luks is installed
  luks:
    yubikey: false

Options details

Automatic security updates

By default, automatic security updates are installed, using the unattended-upgrades package.

The changes are sent to the postmaster by default, using the recipient(s) defined in the alerts_email variable.

Defining administrators

Set the flag sudo: true on each user you want to grant administrator rights, for instance:

# list of users
users:
- uid: john
  cn: John Doe
  first_name: John
  last_name: Doe
  mail: john.doe@example.com
  password: 'xIlm*uu7'
  sudo: true

Grant some users remote access

This is done by adding a public key to the user definition, for instance:

# list of users
users:
- uid: john
  cn: John Doe
  first_name: John
  last_name: Doe
  mail: john.doe@example.com
  password: 'xIlm*uu7'
  # Allow remote access using SSH
  ssh_key:
    type: ecdsa-sha2-nistp384
    comment: john@homebox
    data: >-
      AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBE+E0hiYkPywn43g2J5s5t8mGq
      muUwObvFN05lCYpEQYv002lMeZEcD9rN80ZBGXJ49J0pfHmuRYScHIt3SjP7Eau3UrGebHvXSBzqPI
      xcLmuv8NO2siwhqWmZfvrXEWlQ==

Locking root access

The root password is locked by default, which means root can only log in over SSH. If you have defined administrators, you can go further: let these accounts use the sudo command to become root, and completely disable root SSH login:

# Security settings
security:
  ssh_disable_root_access_with_password: true
  ssh_disable_root_access: true
  lock_root_password: true
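
Disabling root SSH login while the root password is locked leaves sudo as the only path to root, so it is worth checking the user list first. The following preflight check is an added example, not part of this project's code. It assumes the configuration is already parsed into a dict, that values under security override security_default, and that an administrator is reachable remotely only with an ssh_key whose blob matches its declared type; the function names and the merged sample are hypothetical.

```python
import base64
import struct

# Constructed sample: the page's two "john" entries merged into one parsed config.
PAGE_KEY = (
    "AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBE+E0hiYkPywn43g2J5s5t8mGq "
    "muUwObvFN05lCYpEQYv002lMeZEcD9rN80ZBGXJ49J0pfHmuRYScHIt3SjP7Eau3UrGebHvXSBzqPI "
    "xcLmuv8NO2siwhqWmZfvrXEWlQ=="
)
SAMPLE = {"security": {"ssh_disable_root_access": True},
          "users": [{"uid": "john", "sudo": True,
                     "ssh_key": {"type": "ecdsa-sha2-nistp384", "data": PAGE_KEY}}]}

def blob_algorithm(data):
    """Return the algorithm name stored at the start of an SSH public key blob."""
    blob = base64.b64decode("".join(data.split()), validate=True)
    (length,) = struct.unpack(">I", blob[:4])  # uint32 length prefix of the name
    return blob[4:4 + length].decode("ascii")

def key_error(user):
    """Return None when the user's ssh_key is usable, otherwise the reason."""
    key = user.get("ssh_key")
    if not key:
        return "no ssh_key defined"
    try:
        embedded = blob_algorithm(key["data"])
    except (KeyError, ValueError, struct.error):
        return "ssh_key data is not a valid public key blob"
    if embedded != key.get("type"):
        return f"ssh_key type {key.get('type')!r} does not match blob {embedded!r}"
    return None

def preflight(config):
    """List the problems that would leave nobody able to administer the host."""
    # Assumption: keys under 'security' override the 'security_default' values.
    security = {**config.get("security_default", {}), **config.get("security", {})}
    users = config.get("users", [])
    problems = [f"{u['uid']}: {key_error(u)}" for u in users if u.get("ssh_key") and key_error(u)]
    if security.get("ssh_disable_root_access"):
        admins = [u for u in users if u.get("sudo")]
        if not admins:
            problems.append("root SSH disabled but no user has sudo: true")
        elif all(key_error(u) for u in admins):
            problems.append("root SSH disabled but no administrator has a usable ssh_key")
    return problems

if __name__ == "__main__":
    print(preflight(SAMPLE) or "ok: an administrator can still log in and use sudo")
```

An empty list means at least one sudo user can still reach the host over SSH once root login is disabled.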

Using a Yubikey to boot

If your system is encrypted with LUKS, you can use a Yubikey to decrypt the main disk. This is the simplest and safest option for decrypting your main drive.

# Security settings
security:
  
  luks:
    yubikey: true

Once the system is installed, run the provided script to “enroll” your key:

root@osaka:~ # yubikey-enroll.sh
This script will Register your Yubikey to decrypt the main drive.
Plug your Yubikey that will be used to decrypt the hard drive. Continue (y/n) ?
y
Partition: /dev/sda5
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: ENABLED
The key will be registered in the slot 1

The script will automatically choose a free slot.