Don't use passwords anymore! Teleport with YubiKey passwordless login

Captions
Hey everybody, this is Christian, and in this video I want to explain how to securely log into IT infrastructure without remembering passwords anymore. And no, I'm not talking about password managers. Today we're talking about passwordless authentication, which is becoming a really important standard in IT security. All the magic is happening here in this small key, also called a YubiKey, and this allows me to access all my home lab infrastructure: my Linux servers, Kubernetes clusters, web interfaces and databases. This video is sponsored by Teleport, a free and open source access proxy, and we will take a look at the new passwordless feature that was introduced in the latest version. I will walk you through the installation and configuration of Teleport on a Linux server using Docker, and we go over secure multi-factor authentication with OTP using my iPhone, and later also add this YubiKey here to enable a true passwordless login. All of this is based on free and open source software and open standards, by the way, so this could also work in a similar way with other services and applications, and you can use it in your home lab completely for free. I'm really excited about it and I hope you are too, so let's do this and let's get rid of our passwords.

Before we start, as always, I want to give you some more background about what we're doing and why passwords are weak. Of course you might already know that using a password like 12345 or something similar isn't a good idea, but what if you're following best practices like choosing a random password with upper and lower case letters, digits and special characters? Isn't that secure enough? You might think that, but the major problem with passwords is that every password can get stolen, and this happens every day. Phishing attacks are still one of the most common ways cyber criminals gain access to accounts. So if you get a phishing mail which takes you to a fake login page and you fall for it and enter your password, it's over.

So what can we do against this problem? A great way to harden your authentication is to use so-called multi-factor authentication. In this case you need a second factor in addition to your password to log in. This could be a random number that's constantly regenerated every few seconds and sent to your mobile phone, also called TOTP or one-time password, or even better, you can use a hardware key like this one here. I got the YubiKey 5 with NFC, for example, and you can even protect it with biometric information like your fingerprint. With this key here, even if somebody steals your password, he's not able to log in because he's missing the second factor. So this gives you much better security than just using a password, and it also allows you to disable the password entirely, because why should we use a potentially insecure factor like a password if we already have a stronger way of authentication? As I said, this is becoming more and more popular in IT and is also called passwordless authentication. It's usually using a strong factor like this hardware key here, which you can protect with a PIN or biometric information, and this is the only thing you really need to authenticate. No password to remember; you just need this key and your PIN or fingerprint.

The software Teleport that we are using to access our IT infrastructure now also supports exactly this: a true passwordless authentication with hardware keys, and it's a very secure way to get access to all your infrastructure like Linux servers, Kubernetes, web interfaces, remote desktop and so on. I've already covered this software in previous videos, but because there have been a few changes since my last tutorial, I thought I'd quickly walk you through the entire setup of a fresh Teleport instance. It doesn't really take long. What you will need to follow this tutorial is a Linux server and a public DNS provider, because we will also obtain trusted SSL certificates from Let's Encrypt. That's all built into the Teleport software, so you don't need a reverse proxy or anything, but you need at least a DNS record that points to the public IP address of your server, otherwise it doesn't work. The Linux server should also have Docker and Docker Compose installed. If this is all entirely new to you and you're wondering what the hell Docker is, I have done several videos on Docker and containerization if you want a getting-started guide. Of course you will also find the project files for this tutorial in my personal Git repository "videos" on GitHub, and if you enjoy tutorials like this, please do me a favor: like this video and subscribe to the channel. That would be really cool; it's really helping with the YouTube algorithm.

Okay, so I guess I've talked enough, but I hope I got you excited about Teleport and you want to try it out. So let's get started and install the free community edition of Teleport on my Linux server in the cloud. I've already prepared this server using Terraform and Ansible, so it's running an Ubuntu 22.05 LTS version with Docker and Docker Compose already installed. So everything is ready to go, but before we connect to this server, I like to create all the necessary project files here on my Mac, because then I can better explain to you how to configure Teleport in much more detail, and I believe it's easier to follow. So I've already created a project folder called teleport-passwordless. This contains one config folder and one data folder; the other two items you can just ignore for now. First we need to generate a new config file for the Teleport server that we can place in the config folder, and because I'm lazy I will use a simple template that we can easily generate with the Teleport binary. To do that you can just download Teleport or simply run it in a container on your PC and execute it with a specific command. This will generate a configuration file we can start with.

Here I'm using Docker Desktop to run this Teleport container on my Mac. This is the full command that I've used to run a new container with the official Teleport image in version 10. The --rm parameter will only run this container once, because we just need it once to generate a config file, and then it can be removed. Because I'm also running it on my MacBook with an ARM-based chip, I also needed to add the platform parameter amd64. Also don't forget to set the entrypoint and pass a volume into this container. In this example I will use my current project folder, where I want to write these config files to, and I will mount it into the /etc/teleport directory in the container's file system. We will also pass a command into this container, so when I execute this one, teleport configure, it will generate the Teleport configuration template and output it to a file called teleport.yaml in this /etc folder, and then I should have a new config file. So don't worry when it doesn't generate any output; it still did what it should.

So let's open this config file in VS Code, because we need to adjust a few parameters before deploying it onto my Linux server. First I'm changing the nodename from localhost to my public domain and the hostname that I've used to register the server. This actually isn't necessary, but if you're running multiple Teleport servers, you can differentiate them from each other. The next steps are much more important, especially when you want to get new SSL certificates from Let's Encrypt. The first thing we need to adjust here is in the auth service, where we need to change the cluster name to the hostname in my public domain. You should also change the listening port of your proxy service, because by default it's running on 3080, I believe, and that would mean every time we need to access the web interface we would need to enter this specific port. So here I change the web listen address parameter to the listening address 0.0.0.0, so it listens on all IP addresses, but on port 443, which is the standard for HTTPS. It's also important for the certificate validation process, and then you also don't need to specify the port number when you open this Teleport server in your browser. I will also add the public address attribute, so this should again point to the hostname in the public DNS record. By the way, in the past some people also asked me how to expose it with a reverse proxy, something like Traefik or nginx, but honestly I don't believe this is a good idea, as this makes the configuration far more complicated, and Teleport also has a built-in procedure to obtain trusted SSL certificates from Let's Encrypt. This is just using the ACME protocol, so it's a standardized way to do that, and this can be configured by adding the acme parameter and enabling it. So let's just add my business email address here for the SSL certificate information, and that is everything we need to do here.

Okay, cool. So now that we have our Teleport configuration file, we can move on and create a Docker Compose file that will then run our container. First I want to add a new service called teleport to this file. This is the one and only container that we need, and it should run the latest version of the official Teleport Docker image; in my case this is 10.0.2. I also want to run this container as my default administrative user, because I will later put this project in my personal home folder on the Linux server. I also want to specify the container's name and entrypoint, and the container should start with this command here. I've just taken it from the official Teleport documentation, so just copy and paste it, but what it basically does is start the Teleport service with the specific configuration file that we've just created. We also need to expose the ports 3023, 3024, 3025 and 443. These ports are all needed for the Teleport service to run correctly. The main port again is 443 for the web interface, but for the connection between the managed services inside Teleport, so like the Linux servers we want to connect to via SSH or any reverse tunnels, we also should expose all the other ports above. Of course we also need to mount the config folder we have prepared as a persistent volume into the container's file system. The left side again is the path on my Linux server, so where I will place the config file on the host, and the right side is the path where it should be mounted into the container's file system. The second volume here is the data directory, so here Teleport will store all the recordings, the certificates, everything that is needed as a data source. Of course you could also put this in a named volume, but I just decided to put it in the same project folder; that's up to you how you do it.

Okay, awesome. So we have now prepared everything to run the container: we have a config folder with a teleport.yaml config file, the data folder and the compose file. Let's now upload them all to my Linux server. I'm just using scp to copy these files into the project folder teleport-passwordless, which is located in my personal home directory, and when I open the shell on my remote server you can see all the project files are there. Now we can start up the container by just executing docker compose up. I'm running it in the foreground here because I want to know if Teleport creates all the certificates successfully. If there is an error, you likely have a networking problem with your DNS provider or IP address, because it's using an HTTP challenge on port 443 by default. When you get no error here, everything seems to be okay, so the certificates are generated and the data is generated. Now I'm going to stop the container again and restart it in background mode with the -d parameter, and everything seems to be good as well. The container is up and running and it's exposing all the ports we need. So let's try it and open the web interface in my browser. You should be able to reach the Teleport interface via the public address of your server now, and you should also have valid SSL certificates.

This is the login page of Teleport, so we could sign in now with a user, but because we haven't created one yet, we need to do that first. So let's go back to the terminal and execute the following command inside the Teleport container. The command is tctl users add, and this will add a new user to the system. I'm going to give this the role editor, which is like an admin user role, and I'm going to specify all the SSH login names that this user should be allowed to use. Don't worry about this too much; if you want to learn more about how to use Teleport, they have great documentation about all these necessary commands of tctl and tsh and how to use them. This is just a very short demonstration here, so if that was a bit too fast for you, just read it up in the documentation. You will also find the project files on my GitHub, so just take your time and go through it, and then let's continue.

Okay, so the user has been created now, but we need to set up login credentials for this user first. So let's copy this URL we see in the terminal and open it in my browser, and now we just need to type in the username and the password we want to set. Then we also need to set up a two-factor authentication device, and because I haven't configured any passwordless authenticator yet, Teleport is only offering me the OTP authentication using an authenticator app on my phone. This is always the default. I'm going to use it now, but don't worry, we will set up another authentication; I just want to show how it's usually working. So I will give this a name and scan this QR code with an authenticator app on my iPhone. I'm using Google Authenticator here, that's my favorite, but you can use any other OTP-compatible app. Once your Teleport server was added to your authenticator, it will show you a six-digit OTP code that's always regenerated after a few seconds. Just type it into the authenticator code field of Teleport, and now the registration of your user is successful.

We can now use it, go to the dashboard, and this is where we can log into our servers, databases, clusters, everything that we have connected to this Teleport service. This might not be new to you if you already know Teleport, but I wanted to give you a brief introduction to it. By default it already offers you this strong authentication with a one-time password that you can use on your phone, but this authentication still relies on one insecure factor, the password, and the second factor, the OTP, honestly isn't really comfortable to use. I just don't like to pick up my phone every time and type in the OTP code. As I said, there is a much better and easier way of having a second-factor authentication in Teleport, which also offers passwordless login, and this is a hardware key. To demonstrate this I bought this YubiKey here, the YubiKey 5 with a USB-C port and NFC. You can just plug it into your PC and it should work immediately; however, I would strongly recommend downloading the YubiKey Authenticator and Manager, because with these applications you can get more information about this device, you can also see the credentials and the keys that are stored, you can reset it, and you can also protect it with a PIN. An additional protection of this key is really, really important, because let's assume you are enabling the passwordless login that doesn't require a password anymore; you just need this key here. Without a PIN or any protection this would be a single-factor authentication again, and not a pretty secure one, because anyone who has this key can log in. Sure, that might hold all the remote hackers back, but I think it's not unrealistic, if you're working for a big organization, that somebody would be able to spoof your identity, find out where you're working and then just steal this key. If you don't have a PIN added to this, this becomes a potential risk. A fingerprint might be even better than a PIN, but you need to get a YubiKey that supports biometric information with fingerprints to do that.

By the way, if you're trying to add this hardware key in Teleport without a PIN or fingerprint, it's not even possible. I guess this is a bug in Teleport, but given the fact it won't be secure anyway, I think it's not a critical bug here; that's basically just for your own protection. But keep it in mind: if you want to use a YubiKey in Teleport that supports passwordless, you need to set up a PIN first, otherwise you'll see an error. Okay, so to use the passwordless login on our Teleport server we first need to enable this feature, and to do that we just need to add another section in the Teleport configuration file. Here in the auth service section we just need to add another section called authentication, and the authentication type in my example is local, because we're using locally created and managed users. The second factor should be turned on, and here we need to add another section called webauthn, because this is a different authentication method than OTP that's required to support these hardware keys. You also need to set up an RP ID, which can be just your public DNS record, and in the parent section you can add a connector name, so just set it to passwordless, and this should be all. We just need to re-upload this config file to our server, of course, and restart the container to make it active, and when that's done, the passwordless login should be enabled on your Teleport server. When you go to the sign-in page and refresh it, you can see that the default login page changes to a passwordless sign-in option. This shows that all the settings have been applied. Of course, we haven't configured any passwordless key or hardware key in my account yet, so we still can't log in without a password, but the good thing is you can always log in with the other sign-in option as well, so that's something like a fallback in case you lost your key or whatever. So let's just sign in with the configured option: my account name, my password and a one-time password from my phone.

Now that we are signed in, we can add this YubiKey to Teleport. Let's do that. To add a new hardware key to your account, just open your account settings and two-factor devices, and let's add a new key here. First we need to verify with an existing two-factor authentication for security reasons, so don't use that hardware key here, that will not work; we still need to use the OTP authenticator app. But once we have verified, we can add a new hardware key. Let's also enable the passwordless login for this key and give it a name, something like yubikey, and this will prompt a verification message by your browser. Note this will look different depending on what type of browser you're using. This is the default prompt that the Safari browser is presenting; it will look different for Chrome, for example. Here is an example of how it would look in a Chrome browser, and as you can see, Chrome also offers its own type of hardware key integration with Android. Safari is also kind of special because it allows you to use my MacBook's Touch ID function as a hardware key as well. I just want to say at this point, theoretically you can use other verification methods supported by your browser as well, so for example the MacBook's Touch ID authentication also works in Teleport, and that is why you see this prompt by default. But I don't want to do that now; of course I want to use my YubiKey instead of Touch ID, so I need to select "use security key instead", and then Safari is ready to connect to the YubiKey. Make sure it's inserted and tap it once, then you need to enter your configured PIN and tap it again, and that should be all. So here it is, we have now added this YubiKey as a valid authenticator device in Teleport. Let's now sign out and test if we can log in. The login is now very simple: you just need to select passwordless, switch to the key again, and it asks us to authenticate with the YubiKey. So tap it, enter the PIN, tap it again, and that's it, we are logged in.

Isn't that amazing? Sorry, I'm very impressed by this, because you don't even need to type in a username; you just need to insert this key, enter your PIN and that's it. This is so easy, but it's still much more secure than using a password, and again you can use it with any hardware key you want. You can even raise the security level higher: get a YubiKey with a fingerprint, and you can use it on every device to securely log into your accounts. If you're using a Mac with Touch ID you can, by the way, also add this as a second or a third key, of course use different types of passwordless authentication devices, or maybe you got a backup YubiKey, you can add this as well. There are many options how you can use this, and I believe this will be the future in IT. I hope more and more services are starting to support passwordless authentication. Okay, so one more thing before we close the video. You have seen the login page of Teleport via the browser, but Teleport also has this terminal application, the tsh client, of course. So how does it work here? Well, it's actually the same procedure as in your browser: you just type in how you want to log in and where you want to log into, and then again we are asked to use the YubiKey to log in. Tap it, enter the PIN and tap it again, and now we are also logged into the tsh terminal client. Now you can use that to log into all your infrastructure and services you have added to Teleport. As I said, I'm not going over every single feature in Teleport; I've already done another video where I have explained how to log into Linux servers and how you can add new servers or web services and Kubernetes. If you want to check out this video, I've linked it in the description down below. And yeah, maybe we will do more videos about Teleport in the future, because you can also use this to log into RDP; that however requires a bit more complex server setup with an Active Directory and a Windows Server, so this is another interesting topic we will dive into, maybe a short teaser for my next video. Anyway, I'm really excited about this and I guess I will set this up in my production Teleport cluster in the cloud and use it to log into everything in my home lab. This is really amazing and I hope it was interesting for you as well and you could learn something. As always, thanks everybody for watching, I will see you in my next video, and take care of yourself, have a nice day, bye bye.
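The two files the walkthrough builds but never shows in full, teleport.yaml and docker-compose.yml, reconstructed here as an added example with the settings discussed above (this is not the creator's repository content). The domain teleport.example.com, the contact email, the image tag, the UID and the host paths are assumed placeholders; the config keys are Teleport's documented ones.

```yaml
# teleport.yaml (goes into ./config, mounted at /etc/teleport inside the container)
version: v2
teleport:
  nodename: teleport.example.com          # assumed placeholder; cosmetic, helps tell servers apart
  data_dir: /var/lib/teleport             # backed by the second volume in docker-compose.yml
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  cluster_name: teleport.example.com      # public hostname instead of the generated "localhost"
  authentication:
    type: local               # locally created users (tctl users add)
    second_factor: "on"       # MFA stays mandatory for the password + OTP fallback login
    webauthn:
      rp_id: teleport.example.com   # WebAuthn relying party ID: must match the domain the browser sees
    connector_name: passwordless    # lives in the parent section and makes passwordless the default
ssh_service:
  enabled: "yes"
proxy_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3023             # SSH proxy
  tunnel_listen_addr: 0.0.0.0:3024      # reverse tunnels from connected nodes
  web_listen_addr: 0.0.0.0:443          # generated default is 3080; 443 is needed for ACME validation
  public_addr: teleport.example.com:443
  acme:
    enabled: "yes"
    email: admin@example.com            # assumed placeholder for the Let's Encrypt contact address
---
# docker-compose.yml (in the project folder next to ./config and ./data)
version: "3"
services:
  teleport:
    image: public.ecr.aws/gravitational/teleport:10   # assumed tag; the video runs 10.0.2
    container_name: teleport
    user: "1000:1000"            # assumed UID:GID of the admin account that owns the project folder
    entrypoint: /bin/sh
    command: -c "/usr/bin/dumb-init teleport start -c /etc/teleport/teleport.yaml"
    ports:
      - "443:443"       # web UI, tsh and the Let's Encrypt challenge
      - "3023:3023"     # SSH proxy
      - "3024:3024"     # reverse tunnels
      - "3025:3025"     # auth service
    volumes:
      - ./config:/etc/teleport        # teleport.yaml
      - ./data:/var/lib/teleport      # certificates, session recordings, cluster state
```

If the ACME step fails on first start, check that the DNS record resolves to this host and that nothing else owns port 443 before retrying, since Let's Encrypt validates against port 443 of the public address.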
Info
Channel: Christian Lempa
Views: 49,837
Id: I10mtZfVZ1Q
Length: 20min 59sec (1259 seconds)
Published: Tue Sep 13 2022