Using YubiKey to Secure Remote Servers in 10 minutes or less | Nextcloud 2FA

Captions
Hey everyone, my name is Wolfgang, and today I'm going to show you how to set up two-factor authentication with SSH and Nextcloud on a Linode cloud server, and the best part is it's going to take less than 10 minutes. So what is two-factor authentication, for those who don't know? Well, basically, you would normally log into services and websites with your login and password. However, that's not super great for security, because both of those things can be leaked or somehow found out by a third party. Now, two-factor authentication adds a second layer of security to that chain by either using an app on your phone, an SMS, or a physical token key like this one. Now I wouldn't recommend using SMS for two-factor authentication; that method has been criticized by a lot of security experts because it's vulnerable to attacks like SIM swapping, so somebody can basically make a copy of your SIM card and get all the authentication codes that are supposed to be addressed to you on their phone. It's illegal in most countries, but it's still doable. So that leaves us with two methods: either a physical key such as YubiKey, or an app on your phone that generates time-based one-time passwords. But let's not waste any more time, and let me show you exactly how to set up both of those methods on a Linode server.

So the first thing that we need to do is create a Linode. I want to talk about the OS choice a little bit, because it's kind of important: if you want to use a physical token key for SSH login, such as YubiKey, you'll need a Linux distro which has OpenSSH 8.2. It is relatively new at the time of filming, so not all distros support it yet; Debian 10, for example, is one of those distributions that don't support it yet, so we'll have to go with something newer like Ubuntu 20.04. Then you need to choose a region; I'll go with Frankfurt, Germany, since it's the closest one to me. As for the plan, I'm going to go with the cheapest Nanode plan. And by the way, if you want to get a hundred dollar credit for your Linode server, check out the link in the video description. Next, choose a label for your server; I'm gonna call it nextcloud. Then enter a password of your choice for the root user. I would advise you to click on the show password button, because you only get to enter it once. And as you can see, there is actually an option to upload your own SSH key, but Linode doesn't support the key cipher that works with YubiKey yet. Don't worry though, we'll just do it later. And then finally, tick the Private IP box and click on Create.

Now, while our server is starting up, let's get ourselves a domain name. This step isn't mandatory, but I found that YubiKey authentication doesn't work in Nextcloud unless you're using HTTPS, and as far as I know that's not possible without a valid domain. Plus it's convenient, because you actually don't have to remember the IP address of your server to connect to it. Domain names are pretty cheap these days, and you can get one for less than one dollar a year. I'm going to use this domain name which I got for one of my personal projects. So what we need to do essentially is point the domain name to our Linode server. The process may differ depending on your provider, but basically you need to create an A-type DNS record, choose a subdomain if you want, and then copy and paste the IP address of your Linode server. After that, wait for a few minutes and try pinging your domain name; if it points to the Linode server, that means you're good to go. Keep in mind that in some rare cases it can actually take up to 24 hours for the DNS record to activate.

Now let's log into our server. Open a terminal window and type ssh root@yourdomainname, type in your root password, and there we go. Now we can start configuring our server. The first thing that I personally do is type touch .hushlogin to disable this huge welcome text. Next we need to update our system and get all the newest packages: type sudo apt update && sudo apt upgrade, press Enter, and wait until all the updates are installed. Once that's done, let's reboot our system: type reboot and press Enter. Another thing that I like to do is create a non-root user with sudo privileges. Let's log back into the server and then type useradd -m -G sudo username. Next, create a password for your user by typing passwd username, and after that type exit.

Now let's generate the SSH key. If you don't have a YubiKey, or if you just want to know how to set up two-factor authentication with your phone, you can skip this section altogether. Starting with OpenSSH 8.2 you can now use your YubiKey as a hardware-based SSH key. There are two types of keys that support this, one of them being ed25519-sk, which is the one we're going to use. I don't know which one is better, I just... I just like the name. The first thing you need to do is plug the YubiKey into your computer. Next, open a terminal and type ssh-keygen -t ed25519-sk -f and the path to which you want to save the key. Then, when you see the text saying "You may need to touch your authenticator to authorize key generation", touch the token with your finger, then enter your password of choice twice, and that's it, the key is now generated. Now we're going to copy the SSH key that we created earlier to the server. Open a terminal on the local machine and type this command: ssh-copy-id -i (path to the key) username@domainname, then enter your password. And after the key is copied, let's try to log in with it. After you enter the command, your YubiKey should blink, and when it does, simply touch it with your finger, and there we go: now your SSH login is protected by a physical token key.

Now I'm going to change my shell to bash, since I'm a dumb-dumb and I forgot to specify it while creating the user. And then we need to put our domain name into the files /etc/hostname and /etc/hosts. I'm not sure if that's necessary, but I guess it won't hurt. If you also don't want to see "localhost" on the right side of your shell prompt, you can use sudo hostnamectl set-hostname to set it to anything you like; I'm going to set mine to nextcloud.

Now, YubiKey is great, but I definitely wouldn't recommend just using that as your second factor. Token keys are small, and you can actually easily lose one, and when you do, you'll be locked out of your server forever. Plus sometimes you're just too lazy to get your butt off the computer chair; I don't judge, I've been there. So that's why we're going to set up another two-factor authentication method, and that is an app on your phone. For that we need to install a package called libpam-google-authenticator. Don't worry, you don't actually have to use the Google Authenticator app on your phone, since the protocol is open source and compatible with a lot of third-party apps. I'm going to use an app called andOTP on Android; it's completely open source, and you can download it from F-Droid. Once the package is installed, type google-authenticator and answer yes to all the questions except for the second one. Now scroll up, and as you can see, I actually have to make my text smaller so that the QR code fits, but yeah. Now we need to open the app on the phone and find an option called "Scan a QR code". It might be in a different spot depending on the app that you use, but almost all of the 2FA apps have this option. Just scan the code, and that's it: now your phone is going to generate one-time passwords for your Linode server.

Finally, the last thing that we need to do in order to set up two-factor authentication for the SSH server is make PAM and sshd aware of our phone app. First, let's edit the file called /etc/pam.d/sshd. We need to add just one line at the end of the file: auth required pam_google_authenticator.so. Save the file and quit. Now open the sshd configuration file at /etc/ssh/sshd_config. Let's change a few settings here. First, let's set PermitRootLogin to no; we already have a non-root user with sudo access, and there's no reason to expose root login to SSH. Then change ChallengeResponseAuthentication to yes. You might have noticed that I didn't change PasswordAuthentication to no, like you usually do when you have a public key, and you're going to see why in just a second. For now, save the file, quit, and then restart the SSH service by typing sudo systemctl restart sshd. So if you log into the server with the YubiKey plugged in, you'll need to touch it to log in, so that's all normal, right? But now I'm going to try logging into the server without the YubiKey, and as you can see, SSH throws an error, but then it asks for my password and then a one-time password from the phone app, which means you'll need either the YubiKey or the phone app to log into your server.

So now you might want to ask me: well, Wolfgang, we got through SSH all right, but what about Nextcloud? We only have a couple of minutes left in the video. Well, let me introduce you to Ansible. Ansible is an orchestration tool for Linux systems which lets you write advanced scripts to set up software on your system. So we're going to use a so-called Ansible playbook to set up Nextcloud, fail2ban and ufw. The playbook will do everything for us, and we'll just sit back and relax. I'm going to be using this playbook by Reiner Nippes, I'm not sure; it's pretty much the most popular Ansible playbook to set up Nextcloud, and with that you also have the possibility to set up Nextcloud Talk, Collabora and OnlyOffice, which I'm not going to cover in this video, but it's fairly easy to set up. So the first thing that we're going to do is clone the Git repository: log into your server and type git clone (the address of the Git repository) -b nextcloud-reloaded. Then change to the nextcloud directory and run prepare_system.sh. Wait while the script installs Ansible and all the required dependencies. So once that's done, we need to edit the inventory file. Here we need to set our domain name right here, then comment out this line and uncomment this one; we won't be using a self-signed certificate, because that would set off the browser warnings. Then here you should also put your email for certificate expiration warnings, and the rest of the file is fine; I'm pretty much going to leave everything as it is. And after you're finished, save the file and quit. Now we're ready to launch the setup process: just run nextcloud.yml and make yourself a coffee or a tea, the process will take a long time.

After the installation is finished, let's open up a browser and enter our domain name, and if you did everything correctly, you're going to see the Nextcloud login screen. Congratulations, we're almost done here. If you didn't set the admin password, go back to the terminal and scroll up; the script should have generated a random password for you. Copy that and paste it into the Nextcloud screen. Now I need to install two apps: click on the A in the top right corner, click on Apps, and then search for "u2f". Install the app called Two-Factor U2F, and then search for "totp" and install that app as well. Those two apps are needed to set up two-factor authentication for Nextcloud. Now let's go to Settings, then Security, and here you'll see the two-factor authentication section. So let's set up the YubiKey authentication first: plug in your YubiKey and click on "Add U2F device". You should get a notification from your browser; U2F is supported in all the new versions of Firefox and Chrome. Touch the USB token and then set a name for it; I'm going to call mine "YubiKey 5C NFC". Then we're going to set up the phone app: tap on "Enable TOTP". You're going to see the QR code on your screen, and then it's pretty much the same as the first time: scan the code with the app on your phone, then enter the one-time password that the app has generated right here, and click on Verify. And now we're basically done with the tutorial. Let's log out and try to log in with our login and password. As you can see, you'll have two options here, either a physical key or an app on your phone, just like with SSH. And there you go, we have successfully set up two-factor authentication for both SSH and Nextcloud. So that's gonna be it for this video, and I hope you guys enjoyed it. Thank you for watching, and I'll see you in the next one. Goodbye.
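The sshd and PAM edits the video makes by hand (PermitRootLogin no, ChallengeResponseAuthentication yes, the pam_google_authenticator.so line, and deliberately leaving PasswordAuthentication enabled so the password plus one-time-code path still works without the YubiKey) can be applied and checked with the script below. It is an added example, not code from the video or from Linode; the function names and the sample file contents are constructed, it works on whatever file paths you pass it rather than touching /etc directly, and it additionally checks UsePAM yes, which the video does not set because Ubuntu's default already has it but which the PAM module needs in order to run at all.

```shell
#!/bin/sh
# Added example, not code from the video: apply and check the sshd + PAM
# settings the tutorial edits by hand, working on whatever file paths you pass
# (copies of /etc/ssh/sshd_config and /etc/pam.d/sshd) so it can be dry-run.
# The sample contents written by make_sample_files are constructed for the demo.
set -u

PAM_LINE='auth required pam_google_authenticator.so'

# set_sshd_option FILE KEYWORD VALUE
# Rewrite every "KEYWORD ..." line, commented out or not, to "KEYWORD VALUE";
# append the line if the keyword is absent. Rewriting the commented default
# (e.g. "#PermitRootLogin prohibit-password") keeps the file readable instead
# of leaving a stale default next to the new line.
set_sshd_option() {
  file=$1; key=$2; value=$3
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
    sed -E "s/^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$/${key} ${value}/" \
      "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# apply_2fa SSHD_CONFIG PAM_SSHD
# The two sshd_config settings from the video plus UsePAM (Ubuntu's default,
# but pam_google_authenticator does nothing without it), and the PAM line,
# added only if it is not already there so the function is idempotent.
apply_2fa() {
  sshd_cfg=$1; pam_cfg=$2
  set_sshd_option "$sshd_cfg" PermitRootLogin no
  set_sshd_option "$sshd_cfg" ChallengeResponseAuthentication yes
  set_sshd_option "$sshd_cfg" UsePAM yes
  grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam_cfg" \
    || printf '%s\n' "$PAM_LINE" >> "$pam_cfg"
}

# verify_2fa SSHD_CONFIG PAM_SSHD
# Returns 0 when the configuration matches what the video ends up with:
# root login off, keyboard-interactive (PAM) auth on, the TOTP module wired in,
# and PasswordAuthentication NOT forced to "no" (that would remove the
# password + one-time-code fallback used when the YubiKey is not plugged in).
verify_2fa() {
  sshd_cfg=$1; pam_cfg=$2
  grep -Eq '^PermitRootLogin[[:space:]]+no[[:space:]]*$' "$sshd_cfg" || return 1
  grep -Eq '^ChallengeResponseAuthentication[[:space:]]+yes[[:space:]]*$' "$sshd_cfg" || return 1
  grep -Eq '^UsePAM[[:space:]]+yes[[:space:]]*$' "$sshd_cfg" || return 1
  ! grep -Eq '^PasswordAuthentication[[:space:]]+no' "$sshd_cfg" || return 1
  grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam_cfg" || return 1
  return 0
}

# make_sample_files DIR
# Writes constructed stand-ins for a stock Ubuntu 20.04 sshd_config and
# /etc/pam.d/sshd into DIR so the functions above can be exercised offline.
make_sample_files() {
  dir=$1
  printf '%s\n' \
    'Include /etc/ssh/sshd_config.d/*.conf' \
    '#PermitRootLogin prohibit-password' \
    'ChallengeResponseAuthentication no' \
    'UsePAM yes' \
    'X11Forwarding yes' > "$dir/sshd_config"
  printf '%s\n' \
    '@include common-auth' \
    'account    required     pam_nologin.so' > "$dir/pam_sshd"
}

# Usage: sh ssh_2fa_check.sh /path/to/sshd_config.copy /path/to/pam_sshd.copy
if [ "$#" -eq 2 ]; then
  apply_2fa "$1" "$2"
  verify_2fa "$1" "$2" && echo "2FA settings in place" || echo "2FA settings missing"
fi
```

Two caveats when moving from the copies to the live files: sshd keeps the first value it sees for each keyword, so a drop-in under /etc/ssh/sshd_config.d/ pulled in by the Include line at the top of Ubuntu's file overrides anything set further down, and the only reliable check is the effective configuration, sudo sshd -T | grep -iE 'permitrootlogin|challengeresponse|kbdinteractive|usepam'. Also, OpenSSH 8.7 and later spell this setting KbdInteractiveAuthentication; ChallengeResponseAuthentication is still accepted as an alias, which is why the video's edit keeps working on newer releases.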
Info
Channel: Akamai Developer
Views: 37,937
Keywords: linode, linux server, yubikey, linux yubikey, usb security key, yubikey secure remote server, yubikey 2fa, linux server build, yubikey setup, linode vps, linux server setup, ubuntu yubikey, linux server security, yubikey linux server, ssh yubikey, yubikey ssh, security key, yubikey server setup, yubico security key, 2fa key, two factor authentification, 2fa, 2fa linux, 2fa linux server, yubico key setup, nextcloud, nextcloud 2fa, nextcloud yubikey, linode 2fa ssh
Id: 4lPvjON4-k8
Length: 10min 50sec (650 seconds)
Published: Wed Dec 16 2020