kratos: enabled: description: You can enable or disable Kratos. advanced: True helpLink: kratos.html config: session: lifespan: description: Defines the length of a login session. global: True helpLink: kratos.html whoami: required_aal: description: Sets the Authenticator Assurance Level. Leave as default to ensure proper security protections remain in place. global: True advanced: True helpLink: kratos.html selfservice: methods: password: enabled: description: Set to True to enable traditional password authentication. Leave as default to ensure proper security protections remain in place. global: True advanced: True helpLink: kratos.html config: haveibeenpwned_enabled: description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled. global: True helpLink: kratos.html totp: enabled: description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA). Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in. global: True helpLink: kratos.html config: issuer: description: The name to show in the MFA authenticator app. Useful for differentiating between installations that share the same user email address. global: True advanced: True helpLink: kratos.html webauthn: enabled: description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in. global: True helpLink: kratos.html config: passwordless: description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins. Be aware that changing this value, after users have already setup their accounts with the previous value, may prevent users from logging in. global: True helpLink: kratos.html rp: id: description: The internal identification used for registering new Security Keys. Leave as default to ensure Security Keys function properly. global: True advanced: True helpLink: kratos.html origin: description: The URL used to login to SOC. Leave as default to ensure Security Keys function properly. global: True advanced: True helpLink: kratos.html display_name: description: The name assigned to the security key. Note that URL_BASE is replaced with the hostname or IP address used to login to SOC, to help distinguish multiple Security Onion installations. global: True advanced: True helpLink: kratos.html flows: settings: privileged_session_max_age: description: The length of time after a successful authentication for a user's session to remain elevated to a privileged session. Privileged sessions are able to change passwords and other security settings for that user. If a session is no longer privileged then the user is redirected to the login form in order to confirm the security change. global: True helpLink: kratos.html ui_url: description: User accessible URL containing the user self-service profile and security settings. Leave as default to ensure proper operation. global: True advanced: True helpLink: kratos.html required_aal: description: Sets the Authenticator Assurance Level for accessing user self-service profile and security settings. Leave as default to ensure proper security enforcement remains in place. global: True advanced: True helpLink: kratos.html verification: ui_url: description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation. global: True advanced: True helpLink: kratos.html login: ui_url: description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation. global: True advanced: True helpLink: kratos.html error: ui_url: description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation. global: True advanced: True helpLink: kratos.html registration: ui_url: description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation. global: True advanced: True helpLink: kratos.html default_browser_return_url: description: Security Onion Console landing page URL. Leave as default to ensure proper operation. global: True advanced: True helpLink: kratos.html allowed_return_urls: description: Internal redirect URL. Leave as default to ensure proper operation. global: True advanced: True helpLink: kratos.html log: level: description: Log level to use for Kratos logs. global: True helpLink: kratos.html format: description: Log output format for Kratos logs. global: True helpLink: kratos.html secrets: default: description: Secret key used for protecting session cookie data. Generated during installation. global: True sensitive: True advanced: True helpLink: kratos.html serve: public: base_url: description: User accessible URL for authenticating to Kratos. Leave as default for proper operation. global: True advanced: True helpLink: kratos.html admin: base_url: description: User accessible URL for accessing Kratos administration API. Leave as default for proper operation. global: True advanced: True helpLink: kratos.html hashers: bcrypt: cost: description: Bcrypt hashing algorithm cost. Higher values consume more CPU and take longer to complete. Actual cost is computed as 2^X where X is the value in this setting. global: True advanced: True helpLink: kratos.html courier: smtp: connection_uri: description: SMTPS URL for sending outbound account-related emails. Not utilized with the standard Security Onion installation. global: True advanced: True helpLink: kratos.html