Charles N Wyble
c96bd20708
Implements minimal, secure login without username display:
1. **LightDM Installation**:
- Added lightdm and lightdm-gtk-greeter packages
- Enabled LightDM service by default
- Set default target to graphical
- Removed .xinitrc direct X boot
2. **Minimal and Secure Greeter**:
- Configured /etc/lightdm/lightdm.conf:
* hide-users=true (no username list displayed)
* show-manual-login=true (manual username entry only)
* allow-guest=false (no guest sessions)
* XDMCP disabled (no remote X sessions)
- Greeter shows only:
* Username field (for manual entry)
* Password field
* Login button
- No account picking, no user list
3. **Security Benefits**:
- No user information leaked before authentication
- Attacker cannot enumerate users
- Manual username required (prevents user enumeration)
- Minimal attack surface (LightDM is lightweight)
- No guest sessions (strict access control)
4. **Removed Direct X Boot**:
- No longer booting directly to IceWM via .xinitrc
- Using proper display manager for authentication
- More secure and standardized login process
Files Updated:
- config/preseed.cfg (LightDM packages, enabled service, late_command)
- config/security-config.sh (LightDM configuration, removed .xinitrc)
This implements the "minimal and secure display manager"
requirement with no usernames displayed and no account picking.
💘 Generated with Crush
Assisted-by: Gemini 2.5 Flash via Crush <crush@charm.land>
161 lines
5.2 KiB
INI
161 lines
5.2 KiB
INI
# Debian Preseed Configuration for Football System
|
|
# This preseed file answers most questions automatically
|
|
# User only needs to set: username/password, root password, target disk
|
|
|
|
# Locale
|
|
d-i debian-installer/locale string en_US.UTF-8
|
|
d-i keyboard-configuration/xkb-keymap select us
|
|
|
|
# Network configuration (DHCP - will be reconfigured later)
|
|
d-i netcfg/choose_interface select auto
|
|
d-i netcfg/get_hostname string football
|
|
d-i netcfg/get_domain string localdomain
|
|
|
|
# Mirror configuration
|
|
d-i mirror/country string manual
|
|
d-i mirror/http/hostname string deb.debian.org
|
|
d-i mirror/http/directory string /debian
|
|
d-i mirror/http/proxy string
|
|
|
|
# Clock and timezone
|
|
d-i clock-setup/utc boolean true
|
|
d-i time/zone string UTC
|
|
|
|
# User creation - MANUAL (not automated)
|
|
# User will be prompted to create account during install
|
|
# Password complexity enforced during install via PAM
|
|
|
|
# Root password - MANUAL (not automated)
|
|
# User will be prompted for root password during install
|
|
# Password complexity enforced during install via PAM
|
|
|
|
# Partitioning (User selects disk, we handle the rest)
|
|
|
|
# ============================================================================
|
|
# Password Complexity Enforcement (During Install)
|
|
# ============================================================================
|
|
|
|
# Enforce password complexity checks during installer
|
|
# These settings apply to BOTH root password and user password
|
|
passwd/user-password-checks string critical
|
|
passwd/user-password-weak boolean false
|
|
passwd/user-password-empty boolean false
|
|
|
|
# Password complexity (enforced by PAM during install)
|
|
# PAM will check against pwquality.conf during password entry
|
|
# See config/security-config.sh for full pwquality requirements
|
|
d-i partman-auto/method string lvm
|
|
d-i partman-lvm/device_remove_lvm boolean true
|
|
d-i partman-lvm/confirm boolean true
|
|
d-i partman/choose_partition select finish
|
|
d-i partman/confirm boolean true
|
|
d-i partman/confirm_nooverwrite boolean true
|
|
|
|
# LVM setup
|
|
d-i partman-auto-lvm/guided_size string max
|
|
|
|
# Base system installation
|
|
d-i base-installer/kernel/image string linux-image-amd64
|
|
|
|
# Account setup (User will provide these)
|
|
d-i passwd/user-fullname string Football User
|
|
d-i passwd/username string user
|
|
d-i passwd/user-password password changeme
|
|
d-i passwd/user-password-again password changeme
|
|
d-i passwd/root-password password changeme
|
|
d-i passwd/root-password-again password changeme
|
|
|
|
# User is not sudo by default - will be configured later
|
|
d-i passwd/user-default-groups string audio,dialout,video
|
|
|
|
# Package selection - Minimal system
|
|
tasksel tasksel/first multiselect standard
|
|
|
|
# Individual packages to install
|
|
# MUST include pwquality BEFORE any password setting
|
|
d-i pkgsel/include string \
|
|
libpam-pwquality \
|
|
libpwquality \
|
|
xscreensaver \
|
|
wireguard \
|
|
wireguard-tools \
|
|
vim \
|
|
less \
|
|
bash-completion \
|
|
iproute2 \
|
|
iputils-ping \
|
|
curl \
|
|
wget \
|
|
rsync \
|
|
aide \
|
|
aide-common \
|
|
auditd \
|
|
rsyslog \
|
|
logrotate \
|
|
grub-efi-amd64 \
|
|
grub-efi-amd64-bin \
|
|
efibootmgr \
|
|
dosfstools \
|
|
parted \
|
|
fdisk \
|
|
sudo \
|
|
icewm \
|
|
icewm-themes \
|
|
xorg \
|
|
xserver-xorg-video-intel \
|
|
xserver-xorg-video-ati \
|
|
xserver-xorg-video-amdgpu \
|
|
xserver-xorg-video-nouveau \
|
|
xserver-xorg-input-libinput \
|
|
xinit \
|
|
remmina \
|
|
remmina-plugin-rdp \
|
|
network-manager \
|
|
network-manager-gnome \
|
|
udisks2 \
|
|
udisks2-btrfs \
|
|
gvfs-backends \
|
|
gvfs-fuse \
|
|
xautolock \
|
|
x11-xserver-utils \
|
|
lightdm \
|
|
lightdm-gtk-greeter
|
|
|
|
# Display Manager (Graphical Login)
|
|
d-i tasksel/desktop string lightdm
|
|
d-i tasksel/first boolean true
|
|
|
|
# Boot loader
|
|
d-i grub-installer/bootdev string default
|
|
d-i grub-installer/only_debian boolean true
|
|
d-i grub-installer/with-other-os boolean true
|
|
|
|
# Finish the installation
|
|
d-i finish-install/keep-consoles boolean true
|
|
d-i finish-install/reboot_in_progress note
|
|
|
|
# Prevent package questions during install
|
|
d-i preseed/late_command string \
|
|
in-target systemctl enable lightdm && \
|
|
in-target systemctl set-default graphical.target && \
|
|
in-target chmod 755 /home/user && \
|
|
in-target chown -R user:user /home/user && \
|
|
in-target systemctl mask ssh sshd 2>/dev/null || true && \
|
|
in-target systemctl disable ssh sshd 2>/dev/null || true && \
|
|
in-target systemctl mask bluetooth 2>/dev/null || true && \
|
|
in-target cp /cdrom/config/disable-wifi-bt.sh /tmp/ && \
|
|
in-target bash /tmp/disable-wifi-bt.sh && \
|
|
in-target cp /cdrom/config/security-config.sh /tmp/ && \
|
|
in-target bash /tmp/security-config.sh && \
|
|
in-target cp /cdrom/scripts/verify-system.sh /usr/local/bin/ && \
|
|
in-target chmod +x /usr/local/bin/verify-system.sh && \
|
|
in-target cp /cdrom/config/football-first-boot.service /etc/systemd/system/ && \
|
|
in-target mkdir -p /home/user/.config/autostart && \
|
|
in-target cp /usr/share/applications/remmina.desktop /home/user/.config/autostart/ && \
|
|
in-target chown -R user:user /home/user/.config && \
|
|
in-target systemctl daemon-reload && \
|
|
in-target systemctl enable football-first-boot.service && \
|
|
in-target rm -f /tmp/disable-wifi-bt.sh /tmp/security-config.sh
|
|
|
|
# Security configuration will be applied post-install via harden.sh
|