Setting up the YubiKey on Ubuntu (Desktop and Server)

Captions
Hello and welcome back to Learn Linux TV. In today's video, what I'm going to do is show you the process of setting up a YubiKey. If you don't already know what YubiKeys are, they are awesome little tools that could be used as second-factor authentication that can help secure authentication on various devices. They support multiple different devices, but specific to us, this is a Linux channel after all, I'm going to show you the process of using it to protect your authentication on your laptop or desktop as well as a remote server. The way it works after you get it configured is, once prompted, you press the button and then it finishes the login process. It's very easy to set up, and I will show you each step along the way to get it going.

Now, before I do, I want to mention real quick my sponsor, Linode. Linode is a sponsor because I love their service, and they are actually the platform that I use for all of my remote servers. It's very easy to set up a Linode, which is what they call servers on their platform, and your Linode can be anything from a web server, a WordPress instance, maybe you want to install Nextcloud, the sky's the limit. If you want to check out the platform, I have on the screen right now a URL that you can visit that'll give you 100, yes, 100 in credit towards your new Linode account. The link is also down below in the description if you want to give that a click, and I highly recommend that you do, because Linode is awesome.

Now, in addition to that, I want to mention real quick my new book, Mastering Ubuntu Server, Third Edition, which is due out in more than likely several weeks from now. It's going to be awesome. I put a lot of work into it, and you could pre-order this book right now at ubuntuserverbook.com. Definitely check that out, that'll really help me out. Without any further ado, let's go ahead and check out the process of setting up the YubiKey.

[Music]

So here I am on my laptop, and what I'm going to do is set up the YubiKey on this machine, and I'll take you through all of
the steps. Now, full disclosure: quite a few of the commands that I am about to run actually come from the Yubico documentation for the YubiKey. I'll have a link to that page in the description below, but I'll also have a link in the description for the wiki article for this video as well.

Now, it probably goes without saying, but the first thing you want to make sure of is that you have all of the updates installed on your computer. After all, you know, those updates contain security patches, and the YubiKey can't really protect you much if your security hygiene isn't very good. You should always have all of the updated packages installed, especially if there's security vulnerabilities out in the wild. Now, I've already gone ahead and installed all of the updates on this machine, but in my case, what I did off camera was I ran sudo apt update and then sudo apt dist-upgrade, just like that, and as you can see here, there are no updates available. Now, on my end, I'm running Pop!_OS. That's my distribution of choice. It's actually built on top of Ubuntu, so that means if you are using Ubuntu itself, then these instructions should still work.

Now, the first thing that we'll do is install a required package, and the package is libpam-u2f, just like that. I'll press Enter and then Enter again. It should be pretty quick, and there you go.

Now, the next thing we'll do is run the mkdir command to create a new directory. I will use the -p option, so under the .config folder in my home directory, I will create a directory called Yubico, just like that, with a capital Y. And the reason why I use the -p option is because that creates the parent directory if it doesn't already exist. If you are running Pop!_OS like me, or the desktop version of Ubuntu, then the .config folder almost certainly exists, but just in case you are running, you know, a server or something that's actually headless, then the -p option will ensure the .config folder exists as well. So now that's created. So the next thing I'll do is
insert the YubiKey into my computer, and then I will run pamu2fcfg, the greater-than symbol, then tilde, which represents the home directory if you didn't already know that, and then that directory that we've created in the previous step, and inside there we'll create a file called u2f_keys. That's basically where the output of the pamu2fcfg command will go. And then Enter, and now my YubiKey is actually flashing, so I could go ahead and touch the middle button. And now that's actually all there is to associating the YubiKey with my computer. But right now, my computer is not going to require the YubiKey for anything, because what we have to do is configure each of the things that we want the YubiKey to control.

So now what I'm going to do is show you guys how to require the YubiKey for the sudo command. So in a text editor, with sudo, we will edit the /etc/pam.d/sudo file, and we're looking for this line right here, include common-auth, and we'll go to the end of that line, press Enter, we'll type auth and tab, required, tab, pam_u2f.so. So we'll save the file with Ctrl+O and then Enter, and then Ctrl+X to exit out.

So what I'm going to do is remove the YubiKey. I'll open a new terminal, and then as a test, I will run sudo apt update. I'll press Enter, and then my sudo password, I'll type that in, and then again I'll try that, just to make sure I didn't mistype anything there. And again, I do often mess it up the first time around, but I definitely didn't type the password wrong three times in a row, and actually this is expected, because I've removed the YubiKey. It's expecting to find a YubiKey on the laptop. So I'll go ahead and insert it, and let's try that exercise again. I'll type the password, and my YubiKey actually started flashing, and as soon as I touched it, the command continued. So it actually paused the sudo command and then waited for me to press the middle button on the YubiKey. It would have been great if it gave me some kind of
prompt, maybe something that gives you a message similar to "press the button on your YubiKey" or whatever, but it works just fine. The YubiKey started to flash, so I guess I did have that visual indicator that I needed to press the button, and then once I did, the command continued.

So next, what I'm going to do is show you the process of configuring the login manager to require the YubiKey as well, and by login manager in this context, I'm referring to GDM. GDM is the default login manager for Ubuntu, Pop!_OS, and many distributions that ship the GNOME desktop by default. GDM actually stands for the GNOME Display Manager. That is the actual program that is accepting your authentication when you first log into your computer, and that's what we're going to be modifying with this step. Now, due to the fact that my screen recorder doesn't work until after I log in, I won't be able to show you what the process of authenticating with the YubiKey on the login screen actually looks like, but I will show you the process of setting that up right now.

So just like before, we will need to edit a file, so again, sudo nano, or whatever your text editor happens to be, and for GDM, again, which is the default on Ubuntu and Pop!_OS, the file is /etc/pam.d/gdm-password. Now, if you're running something else, like Ubuntu MATE for example, that has the LightDM login manager, then the actual file that you will edit is lightdm. But again, Ubuntu and Pop!_OS use GDM, so I'm going to edit the gdm-password file as you see here. What we're going to do is look for the line that reads include common-auth, and, well, there it is, that was easy to find. What we're going to do is add a line directly underneath that, and similar to the previous step, I will type auth and then tab, required, tab, and then again pam_u2f.so, just like that, and then Ctrl+O and then Enter to save, Ctrl+X, and that's all there is to it. Now again, my screen recorder will not activate at the login screen, but so long as you've typed everything properly, the
next time you log into your computer, your YubiKey should be required.

So one way that people might be able to bypass the YubiKey login is via TTY, and that's if they have physical access to your machine. Now, honestly, when it comes to physical access, if someone has physical access to your hardware, then security kind of goes out the window, because, you know, they can get a hammer and bash your computer and destroy it for all we know. But it is a good idea to lock down TTY login, because that is legitimately something that someone could try to do, is access a TTY and then try to brute force your password. So by requiring the YubiKey for that as well, that's just one more layer of security, and it's easy to implement, so we may as well go ahead and do that.

So we need to edit a file, and the file we need to edit is /etc/pam.d/login. I'll press Enter. So we will look for the line that has common-auth, and here it is, and just below that, auth, tab, required, tab, pam_u2f.so. As you can see, a very similar process to what we've already done. So basically, I'll save the file, and that should be all there is to it.

Now, my screen recorder will not be active on a TTY login, so for that reason, I'm not going to be able to show you what that looks like. But if it's working properly for you, you should be able to do Ctrl+Alt and then one of the F keys to get to a TTY. You could go ahead and try your login, and you should be asked to authenticate via the YubiKey. You should see it flash, and then once it does, you should be able to press it, and then you'll be logged in. And then to get back into your desktop session is typically Ctrl+Alt+F1 or Ctrl+Alt+F2, and I've seen it as Ctrl+Alt+F7 sometimes as well, so you could just press one of those key combinations to get back to your graphical desktop.

[Music]

So on my end, off camera, I went ahead and created a new server on Linode to serve as the example for this section of the video. Now, nothing I'm going to show you right now is actually
specific to Linode. You should be able to go through the same process on whatever your server provider happens to be, or even a physical machine if you want to secure SSH to a physical server. But on my end, I just decided to go with Linode because, you know, I have the account, it's easy, and I wanted to get a server set up quickly.

And now that I do have it set up, I could copy the IP address here, I go back down here to my terminal, and I should be able to SSH into that server. As you just saw, it logged me right in. It didn't even ask me for a password, and that's because I actually set up SSH keys on my local laptop, and then I copied that key over to the server, and then I disabled password authentication. And for that, I went through the same procedure that I've mentioned several times on several of my videos, because disabling password authentication is a very important thing to do to secure SSH. And with that out of the way, we could go ahead and set up the YubiKey to facilitate access to our remote server.

So on this Ubuntu 20.04 instance, I'll need to add a special repository to be able to install the required software. So for that, I will run sudo add-apt-repository, and that is ppa:yubico/stable. Then I'll type in the password for my user, and it's basically giving me a confirmation. I'll just say... I just press Enter to confirm that I do want to add that repository. And notice right here, it's actually updating my package index automatically, and if it doesn't do that on your end, you can just run sudo apt update. And once that's done, we can install a package by the name of libpam-yubico, and Enter, Enter again, and now we have the required package installed on our remote server.

So to continue, we will need to edit a special file. It doesn't actually exist yet, so since the file that we need to edit, actually in our case create, is going to be outside of our home directory, we will need sudo. We could use whatever our text editor of choice happens to be, and the file
is going to be in the /etc/ssh directory, and we'll call the file authorized_yubikeys. Now, in your case, you might be the only user that'll ever access the server, or maybe you actually work in an organization where you have a team of administrators that each need to access the server. What we're going to do is create a line of configuration for each user that we want to be able to access the server. Now, I'm the only user on this server, so I'll just type jay for my username, because that's what it is, and then a colon, and then I'll touch the YubiKey in a text editor and grab the first 12 characters, and only the first 12 characters, and I'll put those first 12 characters in this file. And then on your end, you'll basically do the exact same thing: again, type your username, colon, and then the first 12 characters when you press the YubiKey's button. If you have other users that want to also access the server, then you could basically put their usernames here as well, followed by whatever their key happens to be. But again, in my case, I'm the only user of this server, so for me, I'm just going to have this one line right here. So what I'm going to do is save this file and then close out.

But we're not done yet. The next file that we're going to need to edit is /etc/pam.d/sshd. I'll press Enter, and unlike the first file, this one does already exist. Now, what I'm going to do is add a new line of configuration. I'm going to make sure that it's the first thing in this file, and what I'm going to do is type out the actual line of configuration, but there's going to be a few elements that we will need to replace. So we will start it off with auth and then required, pam_yubico.so, id=, and we will replace this value later. We don't want to actually save this file until after we do replace this value. Then key=, this is another item that we will need to replace, and then we will type authfile, let's set that equal to /etc/ssh, and that's going to be the path to the file that
we've edited in the previous step.

Now, before we go any further, we will need to actually create an API key to use with this service, and to do that, we will actually do that through the web browser. So again, don't save the file. We have it open, we don't want to save it just yet. But next, we'll open up a web browser, which I already have right here, and in a new tab, what I'm going to do is go to the following URL: upgrade.yubico.com/getapikey, and then Enter. And what I'm going to do is actually enter my email address in the first field right here, and then down here, I'm going to actually touch the YubiKey button. I'll check this box, and then I'll click Get API Key, and now I actually have the values here that I need to put into the other file that I have open in my terminal window. So I will grab the client ID. What I'm going to do is paste that right here, and back in the browser, I'm going to grab the secret key, and I'm going to do the same thing and paste it right here. So as you can see, I have the line auth required pam_yubico.so id=, and that ID came from the API key that I've generated, same with the key, and then the authfile, which is set to be equal to the file that we've edited in the previous step. So I will save the file. Now I should have everything that I need, and then I will exit out.

So next, what we're going to do is edit yet another file, and we'll edit /etc/ssh/sshd_config. We're going to look for a line that begins with Challenge, and it's this one right here, ChallengeResponseAuthentication. It defaults to no. We need to set that to yes. Next, we're going to look for another line that's going to be UsePAM, capital U, capital P, which is this one right here. It's already set to yes, so we're going to leave that as yes, because that's what it should be. And now I'll save the file and exit out, but what I'll do is restart the SSH service.

So at this point, we can go ahead and test the YubiKey. Now, I've restarted SSH, but I'm still connected, and the
reason why is because when you restart the SSH service, it doesn't actually disconnect you from any sessions that you currently have open, but any changes that you make to the SSH configuration will take effect for any new connections. But we want to keep this session open in case we run into any problems, and then test SSH in another window. I'll just open up a new tab, and what I'm going to do is ssh, and then I'll type in my username, at, just like before, then the IP address.

Now, in my case, the YubiKey is not actually going to be used if I SSH into the server. As you see here, it just logged me right in. I didn't actually press anything on the YubiKey, I promise. And the reason why that's the case is because I'm using SSH keys. I already had SSH keys set up on this server before. If you recall, I mentioned earlier in the video that I set up SSH key authentication. What I'm actually going to do is use nano, and then I'll use it against .ssh, and then there's an authorized_keys file here, and this is the file that actually contains the SSH keys that are allowed to connect. What I'm going to do is just put a hash symbol here in front to comment that out, and then I'll save the file, and then I will disconnect.

Now, I still have my original SSH session open, so what I'll do is just try to start another one. I'll just press the up arrow here and try to SSH directly into the server. I'll press Enter, and now you can see that the prompt has changed. So I will press the button on my YubiKey, and then I will enter the password for my user, and now I'm logged into the server. As you can see, the YubiKey has been successfully set up for two-factor authentication on the remote server, and now in order to connect to the server, I need to first use the YubiKey and then also type in the password for my user account. But as you can see, mission successful, everything is good to go.

So there you go, that was the process for setting up a YubiKey to protect authentication on your Linux installation, whether that be a
workstation like a laptop or desktop, or even a remote server. I hope that was helpful. If you did find it helpful, please click that like button, because that lets YouTube know that you want to see more Linux content just like this, and you can share this video with all of your friends, or maybe even on your favorite social media network, that would be pretty cool as well. Let me know what you thought of this video, or what your opinions are of the YubiKey itself, in the comments down below. I look forward to reading what you guys have to say, and make sure you subscribe, because I have some awesome content coming very soon. In the meantime, thanks for watching, I really appreciate it, and I'll see you again real soon.
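
The authorized_yubikeys format described in the transcript (username, a colon, then only the first 12 characters of what the YubiKey types) is easy to get wrong by pasting the whole one-time password. The script below is an added example, not part of the video or of Yubico's tooling: the function names, the sample OTP and the usernames ops and eve are constructed for illustration, and it also accepts several colon-separated IDs per user, which goes beyond the single-key line shown in the video.

```shell
#!/bin/sh
# Added example (not from the video): sanity-check a pam_yubico authfile.
# Each line is user:publicid[:publicid...]; a public ID is the first 12
# characters of the 44-character ModHex OTP the key types when touched.

# Succeed if $1 is exactly $2 characters long and purely ModHex.
is_modhex() {
    [ "${#1}" -eq "$2" ] || return 1
    case $1 in *[!cbdefghijklnrtuv]*) return 1 ;; esac
}

# Print the public ID of a full OTP; fail on anything that is not an OTP.
otp_public_id() {
    is_modhex "$1" 44 || return 1
    printf '%s\n' "$1" | cut -c1-12
}

# Print one finding per bad line of authfile $1; return 1 if any was found.
check_authfile() {
    bad=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '' | '#'*) continue ;;   # blank/comment lines: ignored by this checker
            :* | *: | *::*) echo "line $n: empty field"; bad=1; continue ;;
            *:*) ;;
            *) echo "line $n: expected user:publicid"; bad=1; continue ;;
        esac
        user=${line%%:*} ids=${line#*:}
        while [ -n "$ids" ]; do
            id=${ids%%:*}
            case $ids in *:*) ids=${ids#*:} ;; *) ids= ;; esac
            if is_modhex "$id" 44; then
                echo "line $n ($user): full OTP pasted, keep only $(otp_public_id "$id")"
                bad=1
            elif ! is_modhex "$id" 12; then
                echo "line $n ($user): '$id' is not a 12-character ModHex ID"
                bad=1
            fi
        done
    done < "$1"
    return "$bad"
}

# Constructed sample data: a made-up OTP and a three-line authfile.
SAMPLE_OTP=ccccccbdefghijklnrtuvcbdefghijklnrtuvcbdefgh
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "jay:ccccccbdefgh" "ops:$SAMPLE_OTP" "eve:abcdef123456" > "$tmp"
    check_authfile "$tmp" || echo "authfile needs fixing"
    rm -f "$tmp"
}
demo
```

Running check_authfile against the real /etc/ssh/authorized_yubikeys from the still-open SSH session, before testing a new login, catches a bad mapping while there is still a way back in.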
Info
Channel: LearnLinuxTV
Views: 22,344
Keywords: Linux, Tutorial, Review, Howto, Guide, Distribution, Distro, Learn Linux, operating system, os, open-source, open source, gnu/linux, LearnLinuxTV, LearnLinux.tv, Yubico, YubiKey, key, security key, linux hardening, linux security, ssh key, ssh, protect, two factor authentication, yubikey 5 nfc, yubico security key, yubico key, usb security key, yubikey 5, yubikey review, yubikey 2fa, fido u2f, yubikey setup, yubikey 5 review, yubikey authentication, cyber security, yubikey security key
Id: pfVhAtJt5_o
Length: 23min 30sec (1410 seconds)
Published: Sun Nov 01 2020