How do I turn a laptop into headless Ubuntu server?
Four questions/requirements are asked here, and some of them are not compatible with each other. If it will be a home server with public access (as it sounds like), I would just install Ubuntu Server and close the lid of the laptop to make it headless.
Setup SSH
To install the SSH server on Ubuntu, execute the following commands (or tick OpenSSH Server during Ubuntu Server's installation process; the openssh-client should be installed by default):
sudo apt update
sudo apt install openssh-server openssh-sftp-server
Now you should be able to connect to the SSH server through the loopback interface (from/to the server itself) by the command:
ssh <user>@localhost
Set up key-based authentication to increase the security. First create the directory .ssh within your user's home directory:
mkdir ~/.ssh
Then, from a remote instance (from your LAN), let's assume it is also Ubuntu, execute the following steps (source):
- Generating RSA Keys (enter a passphrase for more security in case someone steals your key; it should be different from your user's password):
  mkdir ~/.ssh
  chmod 700 ~/.ssh
  ssh-keygen -t rsa -b 4096
  chmod 600 ~/.ssh/id_rsa
- Transfer the Client Key to the Server (note):
  ssh-copy-id <user>@<server-lan-ip>
- Now you should be able to connect to the SSH server with key authentication (you should enter your passphrase if you've set it up):
  ssh <user>@<server-lan-ip>
Once this works, you could disable the password authentication of the server by editing the file /etc/ssh/sshd_config in this way:
#PasswordAuthentication yes
PasswordAuthentication no
Don't forget to restart the SSH server: sudo systemctl restart sshd.service
If you are planning to use an encrypted home directory, you should tweak your SSH configuration (on the server side) as described here: SSH is allowing remote connections only after a local login to the server.
No login prompt at reboot or How to prevent login with physical access
I would say, in my opinion, this is not necessary. Within Ubuntu, the login with root is disabled by default. That means, as the server's local administrator, you should log in with a user that could have a hard to guess (odd, meaningless) username and a strong password. And, I think, this is enough in this case where you should guess the password by hand writing. If you want to add more security you can set up two-factor authentication.
Actually, first, you should disable the Recovery mode in order to prevent login with physical access as root. It is accessible within the 'Advanced options' in GRUB's menu, which can be reached through a long press of the Shift key during the boot.
If you really want to disable the TTYs to prevent login with physical access, in current Ubuntu versions (15.04+), which use systemd, you can edit the file /etc/systemd/logind.conf in the following way, which will disable the TTYs from 2 to 6 (source):
[Login]
NAutoVTs=0
TTY-1 is hard coded and will stay active. To disable TTY-1 use the following command that will symlink it to /dev/null (source):
sudo systemctl mask getty@tty1.service # use `unmask` to remove the symlink
Now restart the system and the TTYs should be unavailable.
Deactivate Screen and Keyboard
The screen and the keyboard of a laptop could be deactivated through GRUB. For this purpose edit the file /etc/default/grub and modify the following line in the shown way (where <default parameters> are the parameters that already exist):
GRUB_CMDLINE_LINUX_DEFAULT="<default parameters> i8042.nokbd video=LVDS-1:d"
Then execute sudo update-grub and reboot the system. These additional kernel parameters will deactivate the keyboard and the screen of the laptop. My research shows that they will fit almost every laptop brand/model.
You can override these parameters by pressing the e key within the GRUB menu. With these settings, if you plug in an external keyboard and monitor (and why not a mouse) they must work.
Full disk encryption
A short internet search shows that there are a few approaches to full disk encryption, for example:
- The article Manual Full System Encryption on Ubuntu Documentation / Community Wiki.
- Full disk encryption with Ubuntu installation (using MinimalCD), a video manual on YouTube.
Please note! "A consequence of full system encryption is that you need to type in your system passphrase each time you power on your computer..."
So, if you set up full disk encryption and disable the keyboard and the display, it will be impossible to start the system after a reboot.
Here are few additional notes about the encryption: Using a VPS service, can I prevent my data from being accessible by the VPS host?
Think twice before setting up full disk encryption!
This will add security only in case your device is stolen and its HDD/SSD is attached to another host. While your server is running, the disk will be decrypted in order to be accessible for the system. So this will not add extra network security.
In the first place - do you really need this additional headache? I would spend this time to learn about how to use LVM.
Maybe you would like to use an encrypted home directory to prevent the other users of the system from accessing your personal files. In this case, as long as you are not logged in, your personal data will be encrypted.
Note that if you are planning to be the standalone administrator of this server you do not need to do that, because you can restrict the access to your files and folders effectively through the permissions.
While you are logged in, your home will be decrypted in order to be accessible for your user, and if there is another administrator - someone that can use the sudo command - who is maliciously tuned (!?), he or she could access your files.
Maybe the most effective way to keep your sensitive data secure is to use an encrypted folder (or just an encrypted archive file). Thus, before decrypting the folder (file), you could check who is logged in (as root).
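
For the SSH step above, a way to confirm that password logins are really off after the edit (an added example, not part of the original answer): sshd uses the first value it obtains for each keyword, so an earlier line or an included file can override the change. The function reads the effective settings that `sudo sshd -T` prints; the name `audit_sshd` and the two sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the effective sshd settings printed by `sudo sshd -T`
# (lower-case "keyword value" lines). Reads the dump on stdin, prints one
# FAIL line per finding and returns non-zero if there is any.
audit_sshd() {
    awk '
    function check(key, want, required,   got) {
        if (key in val) got = val[key]
        else if (required) got = "(not reported)"
        else return
        if (got != want) {
            printf "FAIL %s is %s, want %s\n", key, got, want
            bad = 1
        }
    }
    { val[$1] = $2 }
    END {
        check("pubkeyauthentication", "yes", 1)
        check("passwordauthentication", "no", 1)
        # Keyboard-interactive can still ask for a password through PAM.
        # The keyword name differs between OpenSSH releases; test either.
        check("kbdinteractiveauthentication", "no", 0)
        check("challengeresponseauthentication", "no", 0)
        exit bad + 0
    }'
}

# Constructed sample: the dump after the edit took effect.
sample_hardened() {
    cat <<'EOF'
port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
EOF
}

# Constructed sample: an earlier directive still wins over the edited line.
sample_overridden() {
    cat <<'EOF'
port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
EOF
}

# On the server itself: sudo sshd -T | audit_sshd
sample_overridden | audit_sshd || true
```

Run the check from a second session before closing the one you are working in, so that a wrong setting cannot lock you out.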