YubiKey Complete Getting Started Guide!

Captions
[Music] hello again everyone and welcome back one of my pet peeves when it comes to youtube is when some people out there sensationalize everything and they make claims that just aren't true for example i've seen some thumbnails that make the claim that a yubikey will make you completely unhackable well that's not true there's no such thing as unhackable but a yubikey what it will do is help you add a valuable second factor to your authentication to your accounts and that's definitely a great thing to have so what i'm going to do in this video the learn linux tv primer on the yubikey is i'm going to go over the yubikey and tell you all about it i'll let you know about all the various models that are available and the pros and cons of each i'll also let you know about some of the features that the yubikey supports and then i'll not only show you the process of using your yubikey to protect your linux laptop or desktop i'll also show you the process of protecting your windows computer as well as your mac because well some linux users out there use more than one operating system and i want to make sure that everyone is protected as much as possible i'll have time codes down below that'll help you get to the section that you're most interested in and then you can check out that section and learn about how to implement a security key the yubikey to help protect your accounts now before we get into the content at hand i want to give you guys a quick disclaimer yubico the makers of yubikey did not sponsor this content at all in fact they had no idea i was even going to be doing this video surprise anyway i use yubikeys myself and i wanted to go a little bit deeper in how they work and i figured if i was going to do that i may as well i don't know create a video about it i mean if i'm going to research something anyway i may as well help you guys learn something as well so in the next section what i'm going to do is give you an overview of the yubikey why you might want 
to consider one and then from there we'll get into other details about the yubikey and you'll see other scenarios of using a yubikey it's going to be a fun video so let's get started [Music] alright so in this section what i'm going to do is talk to you guys about what a yubikey is and why you might want to consider using one now let's get the name out of the way yubikey really what's next a yabba dabba doo key anyway yubikeys are really awesome and like i mentioned in the intro i've been using them for a while so i wanted to make this video to help you guys understand the various quirks and feature set of the yubikey but also it could be a little confusing as far as which one to buy there's several different models so which one do you go with well let's go ahead and explore that so what's a yubikey yubikeys are a security product developed by yubico and the yubikey line itself is the flagship product of that company they also make other solutions that are outside the scope of this video but the yubikey is what the company is best known for with the yubikey you can add a second factor to a service that you might authenticate to for example maybe your twitter account or your computer even your server but the main purpose of a yubikey is to provide a valuable second factor to an important account so that way you could better secure it when implemented you log into the account as normal and then the service will instruct you to press the button on your yubikey now in the intro i mentioned that some people out there just make these bold claims that yubikeys will make your accounts 100% unhackable well anyone that knows security they know that there's no such thing as 100% unhackable but the main point is that we should adjust our expectations accordingly as nothing in the it industry is ever 100% however the extra security that using a yubikey provides is absolutely worth the effort so what features are provided by yubikeys what i'm going to do right now is talk about 
the various features that are provided which will definitely help with the next section when we talk about the difference between individual models and each model supports different features so it's really important to understand what the potential features are first of all regardless of which yubikey you purchase you'll have access to second factor authentication that's what the yubikey does a yubikey is a physical second factor device so regardless of which one you buy that box is always checked even if you purchase the cheapest model available it doesn't matter with that in mind let's go over some of the various features that the platform provides first let's talk about fido fido u2f is supported by every yubikey model available fido itself stands for fast identity online and u2f stands for universal second factor this technology was originally developed by yubico themselves while working alongside google in short summary fido u2f is a universal standard for second factor authentication and every yubikey model supports this next there's fido 2. 
fido 2 is what yubico refers to as the passwordless evolution of fido u2f and just like it sounds the idea behind fido 2 is to offer a replacement for passwords entirely i mean passwords are horrible no one likes them and personally i'm surprised we don't have a better method of authentication nowadays well actually we do fido 2 is that better method that can potentially replace passwords and the only reason why i say potentially is because no matter how good a solution is it has to be implemented in order to be useful but anyway every model of yubikey supports fido 2 so we're good to go on that the next feature that i'm going to discuss is nfc or near field communication for the most part yubikeys are usb devices that you plug into a usb port and they also have versions available with lightning and usb-c connectors as well with nfc it doesn't matter if your device has a usb port at all if your device supports nfc then you can use the nfc feature with your yubikey of course whether or not you can utilize nfc is determined by the specific yubikey model that you're using not all of them support this in addition some yubikeys offer biometric protection as well meaning that your fingerprint can unlock your key only one yubikey model supports this though which we'll go over in the next section continuing i want to make sure that i mention otp or one-time password a one-time password is pretty much exactly what it sounds like it's a password that can only be used a single time literally once you use a one-time password you can't reuse it a one-time password is used in combination with your username and password in order to gain access to an account which utilizes otp in practice the way that this typically plays out is that you'll enter your username and password as normal and then your one-time password to finish the login process otp uses the counter that increments by one every time you log into a service and to log in a second time you'll need a new one-time password 
and the counter has to be at least one digit higher than the previous one this way if someone tries to execute a replay attack against you they won't be successful because they'd be replaying a password that was already used next let's talk about time-based one-time passwords or totp it's another term that i'd like to bring up totp is very similar to a one-time password but the actual password changes regularly throughout the day based on time typically the one-time password that you get from totp will change automatically every 30 seconds if you've ever used google authenticator or a similar solution such as authy then you've already seen totp in action now there's other features that yubikeys provide as well but the features that i've mentioned i consider those to be the most important and i don't want to overwhelm you with a bunch of information that you may or may not use let's switch gears right now and talk about which models are available and the differences between each [Music] so now that we know what a yubikey is and some of the features that they provide let's talk about the individual model so that way you know which one you should go with and there's quite a few to choose from and implementing a yubikey is actually not difficult at all you'll be surprised at how easy they are to get started with however as easy as they are to set up it can be a bit confusing when it comes to which one to buy part of the reason why there's many variations of the yubikey is due to the fact that each device you might own will have different ports perhaps you have a laptop with a usb type a port a phone with usb type c perhaps you have an iphone that only has a lightning connector or maybe you want to use nfc and not be forced to plug in anything at all this is the first thing to consider take a look at each device you want to use a yubikey with and which ports are available on those devices after that it's just a matter of choosing the right yubikey so what i'll do right 
now is go over the differences between the various models below in the description you'll find a product matrix that gives you a quick overview and that'll give you all the information about which model does what but what i'm going to do is go over those different models right now now when it comes to which models are available the different yubikeys generally fall into one of four main categories first we have the generically named security key series then we have the yubikey 5 series we also have the yubikey bio and finally the yubi hsm now we're not actually going to go over the yubi hsm in this video so what we're going to do is stick to the first three categories let's start first with the security key series the security key is the least expensive model that yubico makes available and it starts at just 25 us dollars however with the lower price comes a trade-off the security key lacks otp nfc and they also lack a fingerprint reader as well but if all you need is u2f then well it's the least expensive way to get started the next category is the yubikey 5 series these keys start at a higher price point and give you access to additional features i counted like six variations of the yubikey 5 series but for the most part the main difference between the keys in this category is the port that they use to connect to your device variations exist for usb type a and c just like the security key category but there's also versions with lightning connectors as well as nfc which enables you to use the key without physically connecting anything at all however even with the expanded feature set of the 5 series none of the keys in this category have a fingerprint reader the third category of the yubikey is the yubikey bio as the name would imply the bio gives you access to biometric security and there's a fingerprint reader built in the bio keys actually have fewer features than the 5 series and even with a shorter feature set they start at the highest price point at around 80 
us dollars having fewer features but starting at a higher price point might seem strange and actually it kind of is but the focus of the bio series is the fingerprint reader and it has a more specific target audience essentially these are typically keys that you would not actually carry around with you but instead attach to a desktop in a situation where you might want to add a biometric layer to your secured services the focus on desktop users also means that there's no version of the bio available with a lightning connector finally the fourth category is the yubi hsm these are intended for infrastructure related use cases such as servers and i don't have any hsm keys in my possession so i won't be going over these today if yubico wants to send me one though i might be able to take a look at them in a future video if you'd like to utilize yubikey to act as a second factor for logging into windows or mac os then there's some additional considerations the yubikey security series bio series and yubi hsm are not supported you'll need to purchase a yubikey from within the yubikey 5 series only so if that's your use case then that narrows down your selection quite a bit if you plan on using a yubikey with linux then in that case the yubikey bio is actually supported windows and mac os however they don't support the bio for authentication but desktop linux does it is what it is overall take a look at the product matrix and also consider the devices that you intend to use with your yubikey and the available ports on those devices will help you narrow down your purchase in order to narrow down your selection even further be sure to take a look at the yubico support catalog which will also be linked below this catalog contains a search box that you can use to identify the services that are supported so you'll definitely want to make sure that you verify that the accounts you use actually support yubikeys before you purchase one also consider buying a second yubikey this is very 
important actually reason being if you lose your yubikey you will also lose access to all the accounts that you've used with that yubikey your spare key would not be one that you'd carry around with you but you just put it in a locked box or a safety deposit box anyway just keep it safe once you have a yubikey in your possession how do you set it up in the intro i mentioned that you can use a yubikey with your online accounts as well as your computers and servers in the next section what i'm going to do is outline the process of using a yubikey with one or more of your online accounts and this is probably what most of you will be looking for so i'll see you over in that section [Music] yubikeys can be used for many different things there's all kinds of really cool use cases for yubikeys you can secure online accounts or even a computer operating system in fact you can even secure ssh as well all of which we will be going over in this video but in this section what i'm going to do is talk about the process of using a yubikey to secure one or more of your online accounts now the first thing for you to do is find out whether or not your online account whatever it is that you want to secure actually supports the yubikey you can go to the yubikey support site i'll have a link down below that'll help you understand whether or not a particular service is compatible with the yubikey if it is then you just go into the options for that particular service and follow the prompts to add your yubikey i'd love to show you a process that works on everything as i normally do but this process is actually going to be different from one service to the next so i can't give you a one tutorial to fit all now another thing that i want to talk about in this section is how much security a yubikey will actually add to one of your accounts and honestly that depends on the account itself now in the intro i was talking about how some people make the claim that yubikeys will make your accounts 
hack proof they might kind of but again there's no such thing as 100% security but sometimes it's a little worse than that imagine this you have an account and you use your yubikey to access that account you have that set up it's working and then you lose your yubikey if a site is doing it right if they're implementing this right then unfortunately you'll lose access to that account there should be no back door no other way in and that's it and that's why everyone recommends that you have at least two yubikeys so you have your primary as well as your backup but sometimes some sites out there they might actually have a link where you click i don't know something like i forgot my yubikey or i lost access to my yubikey and then it sent you a link to your email that you could click on to reset your password and then still get in at that point i mean how much is a yubikey actually protecting you because if there's a back door like that then in my opinion it's pretty much the same as not having a yubikey at all and that's one of the biggest reasons why a yubikey is not going to make you completely hack proof because some sites out there well they don't really do it right for the most part though a yubikey should actually add a lot of security so what you do is you just sign into one of your supported accounts go into the settings find an option to add a security key and if it supports the yubikey you should have the option to do so right there in that service now what about your computer what we're going to do in the next few sections is talk about several different operating systems linux mac os and windows on the desktop and we're going to take a look at the process of using a yubikey to protect your authentication on those operating systems so i'll meet you over in one of those other sections and we'll continue [Music] in the previous section i went over the process of setting up your yubikey for logging into a windows computer and in this section i'm going to show 
you the process of setting up your yubikey for authentication with mac os now in order for this to work you will specifically need a yubikey within the 5 series the security key series and the bio series keys are not compatible with securing mac os logon anyway let's go ahead and get started so what i'm going to do is open up a web browser and here we're going to go to yubico.com and then we'll go to support and then downloads and we will scroll down and what we'll want to do is install the yubikey manager so we'll click on downloads for that let's go ahead and download it mac os download [Music] we can see the download process has begun and actually it's already finished so if i open that up we have the package right here so i'll click on it [Music] we shouldn't need this browser window anymore and then we'll go through the process of installing it now in my case the yubikey manager is already installed so there's nothing that i need to do here i should be good to go but if you haven't installed it yet on your end just go through the process right here click continue go through the prompts and you should be good to go once you have installed you should be able to go to the applications and i'll just start typing yubikey and we have it right here so i'll click on it and here's the yubikey manager in all its glory as it's instructing me to do right now it's asking me to insert my yubikey so i will do that and as you can see it's already detected it now before i actually pair the yubikey to my user account there's a couple of best practice things that we should do so we'll go to applications and then piv and the first thing we're going to do is click on pin management and the default pin for the yubikey is one two three four five six so we'll definitely want to change that so we'll click change pin and i'll click use default because i haven't changed it from its default just yet and what i'll do is add the new pin right here [Music] and then down here i will 
confirm it and we should be good to go to change the pin and that's done next what we're going to do is change the pin unlock code and that's the option right here for change puk and if you haven't ever set this before you can click use default which is similar to the first one it's one through eight sequentially right there so we definitely want to change that so what we'll do is add a new code right here and i'll do it again [Music] and we should be good to go and then the final thing we'll do for the setup process is change our management key so i've never done this before so i could safely use the default and i'll check this box right here and what that's going to do is protect the management key with a pin number that's definitely a good idea and rather than typing my own right here what i'm going to do is i'm going to generate a new one and there it is so far so good so i'll click finish and then i'll type in the pin number so right now our yubikey is set up and ready to go so now what we could do is set up our user account to use the yubikey for second factor authentication so the next thing we'll do is click on applications and again piv and we have an option here to set it up with mac os let's do that we'll click set up for mac os and now it's telling me to remove and reinsert the yubikey so that's exactly what i'll do i removed it and i will now reinsert it now what's supposed to happen actually is the pairing menu is supposed to come up automatically i've tried a couple of yubikeys and that doesn't actually happen so per the documentation there's a command that we can run to bring up the gui dialog that we're supposed to see anyway so we'll type sc underscore auth pairing underscore ui and then dash f let's see what happens and here it is so this is the screen that's supposed to appear anyway for some reason it didn't so what i'll do is click pair and i just use touch id to answer the password prompt there and i will type in the pin number [Music] and 
click ok next what it wants me to do is enter the password for my user account which i'll do right now [Music] and that should be it and to test it out what we could do is lock the screen and unlock it so that way we can make sure that the yubikey is recognized and on mac we can hold ctrl command and press q and that's going to lock the screen now notice right here it's asking for the pin number so i'll type that in and let's see if it works and it did so i was able to unlock my mac with the yubikey how cool is that now i will have a link in the description down below to the official documentation from yubico and definitely check out that article if you want to make the yubikey a hard requirement for authentication but as you just saw we were able to pair the yubikey with mac os it works just fine so we're good to go [Music] in this section i'm going to show you the process of setting up yubico login for windows and this is going to enable you to protect your local windows user account with your yubikey the process that i'm going to outline here is specifically for local windows accounts active directory integration is not something that i'm covering in this video now one thing to keep in mind is that as soon as we enable our yubikey for our windows user account a few of the windows security features are going to be a bit different for example your username will not be automatically filled in anymore at the login screen if that's something that you had set up and not only that you will also lose access to password hints and you won't be able to reset your password either so just keep that in mind before you continue also while it's not required full disk encryption is highly recommended without full disk encryption in windows it's actually possible for someone to work around the requirement for your yubikey if they boot into safe mode setting up full disk encryption in windows is beyond the scope of this channel but it is recommended anyway let's go ahead and get 
started first of all you're going to need your yubikey but specifically your yubikey must be a model within the yubikey 5 series at this time you're not able to use the yubikey security key or the yubikey bio for this purpose yubikey series 4 is listed as compatible as well but i only have 5 series keys in my possession so that's what i'm going to be going over to show the process i'm going to follow the official documentation from the yubico support site i will have a link to the article listed below in the description and in addition i'll also have a link below to the yubico login app that's required for this to work now before we actually go ahead and continue we should know what our windows username actually is if you're sure that you know what it is then you can skip this step but you want to make sure that you know what your username is because after you install this like i mentioned it's not going to actually have your username auto completed you will need to type it in and i'm not talking about the first and last name that displays there's a name field and a username field we need to know what the username is so i'll click on the files menu right here and i'll click inside the address bar and i will go to c colon backslash users [Music] and this folder right here is my user folder that's my username so in my case the username is just my first name that should be all you need to know for this step let's go ahead and download the yubico login app and get that installed so what i'll do is open up a web browser and what we're going to do is go to yubico.com slash products and then computer hyphen login hyphen tools or you can just click the link in the description and here we have the page so what i'll do is scroll down and right here we have a link to download yubico login for windows the 64-bit version and 64-bit windows is the majority nowadays so that's the one that i recommend you go with so more than likely this is going to be the one that you want 
right here so i'll go ahead and download it and it's already done it's actually not a big file it's only 5.1 megabytes so the download didn't take any time at all let's go ahead and open the folder that it was downloaded into and here we have it all right so let's go and close this and we will install yubico login accept the agreement shouldn't need this window anymore either so i'm going to keep the defaults whenever possible here and let's install it and it's already done that was a very fast installation it's recommended to reboot your system after you install this so i will say yes let's go ahead and reboot and i'll be back as soon as the reboot process is finished all right now we're booting back up almost there and here we are so notice here that the login screen has already changed now at this point i have yet to pair a yubikey to my account at all so what i'm going to do right now is just type in the username to my installation here and then i'll type in my password [Music] and that should be all i need to do and i will ignore this really annoying screen right here like i don't even know why this came up again but anyway i'll just click remind me later hopefully that won't come up for you but now i'm logged back into my computer and if we go to all apps we have a yubico folder right here and if i scroll down again we have the login configuration option right here so i'll click on that and then i'll say yes and let's go through the process and right now i'm just going to leave it at the default of slot 2 for this option up here now if you've configured something important to use slot 2 then you definitely want to make sure that you choose a different slot but again i'll just leave this at the default then i'll click next and then it's asking me which username i'd like to use well i only have this one anyway so i'll select that one and now it wants me to insert my yubikey which i have right here so let's do it and right here tells me that the yubikey has 
been detected it gives me my serial number it tells me that slot 1 has been configured slot 2 has not been configured so it should use slot 2 and set up the yubikey right there so let's go ahead and click on next so i'll remove it then it wants me to reinsert it [Music] and so far so good [Music] so we have this backup code right here i'm going to save this i'll save it into my documents directory you definitely want to make sure that you back this up to somewhere that's outside of your computer so i'll click next and it looks like we're good to go so what i'm going to do is log out so i'll click right here let's log out and now i'm back to the login screen so let's attempt to log in and just like before i will enter my username and password and this is a good sign right here because i didn't insert my yubikey yet so let's try again with the yubikey inserted i'll insert it right now and there we go i tested login without the yubikey and it didn't work as you would expect then i inserted the yubikey and as you can see i was able to log in so there you go that was the process of setting up the yubikey for use within windows we're all set [Music] all right so let's go ahead and see the process of setting up a desktop or laptop installation of linux to use a yubikey for authentication now specifically i'm running pop!_os on my end but pop!_os is based on ubuntu so if you are running on ubuntu then the instructions should be the exact same if you're running on something like debian or something based on debian these instructions should work fine there as well if you are using a different distribution then all you really need is the pam module for universal second factor so the first step is to get that installed so what i'll do is run sudo apt update and then next what i'll do is run sudo apt install and then libpam hyphen u2f just like that and i will have all of these commands in the blog article for this video check the description down below if you want to copy and 
paste the commands that i'm running today anyway i'll press enter i'll press enter again to confirm that i do indeed want to install that package you might see a password prompt if you do just go ahead and type that in anyway i'll press enter [Music] and now we have that installed next what we're going to do is make a new directory we're going to make it in our home directory so i'll use tilde the shorthand for home then in the dot config directory what we want to do is create a yubico directory and unlike most folders in linux the y is capital the first letter is capital so just go ahead and enter this in exactly as i have it i'll press enter and then next what we're going to do is associate the yubikey so what i'll do is run pamu2fcfg greater than we'll type in the path [Music] and the file name we will call it u2f underscore keys i'll press enter and it's telling me that my yubikey is not inserted well that's actually true so what i'll do is insert it right now and now it found it now the light on my yubikey is blinking so what i'll do is press it and we should be all set another thing that i'm going to do is enable the yubikey for use with sudo that's the next thing that we want to configure so what i'll do is run sudo and then nano etc slash pam dot d slash sudo so we're going to find this line right here include common-auth and go to the end of that line and press enter and we're going to add a new line right here auth then required pam underscore u2f dot so let's save the file and i'm not actually going to exit the text editor right now i'm going to leave that open and what i'll do is open up a new tab and then what i'll do is run any command that requires sudo an easy one is sudo apt update so i'll type in the password [Music] and notice how it's just like blinking right here it's not asking me for anything but it's also not continuing well my yubikey light is blinking so i'll press it [Music] and notice how it waited for the yubikey before it 
continued that means it's actually working so the next thing that i'm going to do is make it so that when i log into my computer itself it's going to require the yubikey this is for distributions that use gdm as the login manager which is basically most if not all of the gnome distributions of which pop!_os is one as well as ubuntu so what we're going to do is run sudo and then nano slash etc slash pam.d and then the file we want to edit is gdm hyphen password just like that so i'll press enter and then i'll type in my super secret password and then i'll touch the yubikey and we're in the file now what we're going to do is look for this line right here where it shows include common-auth so i've already found it then after that i'll press enter and add a new line and the line that i want to add is auth and then required pam underscore u2f dot s o control o and then enter to save the file and then control x to exit out so what i'm going to do right now is log out and then when i log in it should prompt me for the yubikey so let's see what happens all right so what i'll do is enter in my password right here and it's not actually prompting me verbally for the yubikey but the yubikey light is blinking which means that it wants me to press it so i'll do that right now and it worked we have successfully set up authentication with our linux laptop or desktop as you can see it worked just fine now one workaround that someone might be able to utilize is that if they have physical access to my machine they might be able to use a tty in order to get into the system and this is a tty login right here i just held ctrl alt and press f4 and i'm on a tty login now ttys are awesome you can effectively use them as additional terminals and then you can return to your gui by holding ctrl and alt and pressing f2 sometimes it could be a different f key depending on your distribution but as you can see i am back to my gui mode right here but what i want to do is protect the tty login so 
that one requires the yubikey as well let's go ahead and do it yet another text file to edit we're going to edit /etc/pam.d/login and what we're going to do is look for the line that has common-auth inside of it so i'll just scroll down until i see it and here it is so directly underneath this line what we want to do is add another line specifically we'll type auth and then required then pam_u2f.so let's save the file and we'll exit out and let's go ahead and give it a try i'm going to switch over to a tty and i'll attempt to log in and if it works my yubikey should be required and here i am on tty4 so i'll type in my username and then my password and my yubikey is blinking so i'll press the button and now i'm logged in so as you can see here i was able to protect my tty login with my yubikey as well and it's working just fine i'll hold ctrl and alt and press f2 to go back to my graphical mode and i'm back to my normal session so at least at this point i don't have to worry about somebody using a tty to bypass my yubikey and that's a good protection to have in place so for the purpose of protecting the tty login we're all set on that [Music] in the next section what i'm going to do is show you how to set this up for ssh login as well you can do that on your laptop if you actually ssh into your laptop but for the most part this is for those of you that want to secure your linux servers which is exactly what we're going to do in the next section [Music] so in this section what we're going to do is work through the process of securing ssh with our yubikey now the method that i'm going to be going over in this section actually requires fido2. 
now if your yubikey doesn't have fido2 support then you will not be able to use this method you will need to use the alternate method instead again i have time codes down below that you could use to get right to the section that you need and earlier in the video i went over which yubikey model supports which feature so you should know by now which features your yubikey supports but you will need fido2 support to continue with this method and this method is actually preferred so if you do have fido2 support then i recommend that you use this method if you don't have fido2 support then you can go to the alternate method and use that instead now before we set this up though i want to give a special shout out to tom lawrence because without him i wouldn't even know that this method exists he actually created a video that goes over this method in probably greater detail than i'm going to go over in this section i'm going to show you how to set it up but i do recommend you check out his video i'll leave a card for his video right about here and you can click that link to go over to his video and check that out tell him i sent you so thanks to tom for letting me know about this method let's take a look so let's get the process started and set up our computer to authenticate to our remote server via ssh and make the yubikey required for that now notice that i'm not connected to a remote server at this time as you can see i'm on my studio laptop my local computer because we need to start this process from our local computer what we'll do is generate a key right here and then we'll copy that key over to the server but first we need a special package installed in order for this to work so what i'll do is run sudo apt update i want to make sure that my package sources are up to date and this should go by pretty quickly in fact it's already done and next i'll run sudo apt install and what we want to do is install a special package and the package that we want to install is libfido2-dev 
i'll press enter enter again and now we have that installed the package size was pretty small so it didn't take all that much time to complete and there's the command that i copied from tom's site i'll press enter and now the yubikey is actually blinking i'll press the button [Music] and then it's giving me a default path right here so if i don't give it a custom path this is actually where it's going to save this particular key to and that's okay with me i'll just press enter and the passphrase i'll leave blank i do recommend that you do create a passphrase though i just press enter in my case since this is just a quick tutorial if you did enter a passphrase it would ask you for that passphrase to unlock the key but anyway i'll press enter enter again and we have the key so what we could do right now is go ahead and proceed and copy this key over to the server so there's the command that i pasted in and then what i'll do is paste in the ip address to the server that i want to protect with this key so i will paste that right here and there it is so press enter [Music] and now it's asking me for my password this is the password for ssh to the remote server not the local password but the remote password i'll type that in and press enter now it's telling me that the number of keys that were added is one so if this works then i should be able to use the yubikey to log into the server let's find out so now i'll just use ssh and then the ip address i'm not including the username here because that's the same on both ends i'll just press enter and my yubikey is actually blinking right now it's not asking me for the password it wants me to press the button on the yubikey so i'll do that right now and i'm logged in it actually works so what i recommend that we do right now is disable password authentication and to do that i will run sudo and then nano /etc/ssh/ we're going to edit sshd_config i'll type in my super secret password and i'll press enter so 
what we'll do is we will scroll down here and we are looking for password authentication see if we can find it here it is password authentication yes we're going to set that equal to no so i'll save the file close out and let's restart ssh [Music] now notice that i'm connected to the server via ssh and i've restarted ssh this will not drop you out and the reason for that is because if you have a connection via ssh and restart ssh the restarting of ssh doesn't disrupt currently connected sessions so we still have our session now what we want to do is open another tab and we're going to leave the original terminal open just in case we made a mistake that way we could use the existing connection to actually fix the problem but what i should be able to do is run ssh type the ip address it should actually work just the same as you just saw it i'll press enter and my yubikey is blinking and i'll press the button and check that out i'm actually logged into the server as you can see right here for more information definitely check out tom's video so thanks to him for letting me know about this method right here i really appreciate that also subscribe to his channel if you haven't already done so you have some really awesome content over there at lawrence systems but as far as we're concerned for this particular section we have successfully set up the yubikey for use with ssh [Music] all right so in this section what we're going to do is set up our linux server to use the yubikey for authentication specifically what we're going to do is protect ssh login i'm going to show you the process on ubuntu right now but this process should also work on debian as well i'll leave a link down below to a blog article that'll have more information there if you want to use a different distribution but what we're going to do is install the special yubikey repository and you could prefix that command with sudo if you are not logged in as root like i am but since i am logged in as root i 
won't need that what i'm going to run is add-apt-repository and the repository that i want to add is ppa:yubico/stable i'll press enter to confirm that i do indeed want to add this repository and it's refreshing the package sources it's doing that automatically which is great and since it automatically updated my package sources i won't need to run sudo apt update which would have been the next command but if yours didn't automatically update then you can run that manually by well running sudo apt update next what we want to do is run sudo apt install and the package that we're going to install is libpam-yubico so i'll press enter [Music] and to continue what we'll need to do is edit a special file so i use nano again use sudo if you need to and what we're going to do is edit /etc/ssh and the file that we want to create inside that directory is authorized_yubikeys now what we're going to do in this file is add one line for every user that we want to allow access via ssh in my case this is the only user right here that i have on the server so what i'm going to do is just type j that's the username for me and then colon and then next what i'm going to do is press the yubikey button and notice how it added all of this gibberish right here well we don't want the entire thing so what we're going to do is ensure that we have only the first 12 characters so we'll just count from the first character all the way to the right and then when we hit 12 we'll delete everything after that so i'll just delete everything i don't need right here [Music] and then i'll save the file i'll hold ctrl and press o and then press enter and then i'll press ctrl x to exit out of the text editor well let's take a quick detour and what i'm going to do is show you how to grab an api key and the api key is what you'll use to pair your yubikey with your server and what we'll do is go to https and what i'll do is record this url in the blog post 
for this article again check the description but we want to navigate to upgrade.yubico.com [Music] /getapikey just like that so what we're going to do is add an ip address right here so i'll type in mine [Music] i'm going to press the yubikey button right here and then i'll click the box that says that i've read and agreed to these terms and i'll click get api key and now that i have my api key i could go ahead and finish the configuration and i'll edit another file this time it's going to be /etc/pam.d then sshd i'll press enter and what we're going to do is add a new line to this file and it must be the very first thing in this file or at least the first thing that isn't commented out type auth required pam_yubico.so id equals and we're going to set the id equal to the client id which is this one right here so i'll just copy that i'll paste it right here and then we'll type in key equals and next we need the secret key [Music] which we have right here and you should never show this key to the public ever so just make sure that this never leaks out that should go without saying i just want to make sure anyway we'll paste it right here and then we'll type authfile we'll set that equal to /etc/ssh/authorized_yubikeys let's save the file control o and then enter and control x to exit out so we shouldn't need this anymore i'll just minimize that and then next we're going to edit another file and that's going to be /etc/ssh/sshd_config we're going to look for the challenge response line so i'll just scroll down until i see it [Music] and here it is challenge response authentication is currently set to no so what we're going to do as you could probably guess we're going to change that to yes and then we're going to look for use pam and i'll just do ctrl w to search [Music] and here it is we want to make sure that it's set to yes and it is so we'll save the file ctrl o and enter and then ctrl x to exit out 
next let's restart ssh now what we're going to do is we're going to leave this window open and open a new window and the reason for that is if we made a mistake we might get locked out of the server but i'm already logged into the server in this window so if anything went wrong if i test it and it doesn't work then i still have a connection open that i can use to fix the problem so what i'll do is open a new tab and what i'll do is log in with my user account so i'll just type ssh and then there's the ip address of the server that i'm working with today i'll press enter and it's actually asking me to press the button for the yubikey so i'll do that right now and now i'll type in the password [Music] and as you can see it works i was able to log in via the yubikey as you can see here and from this point forward i have additional security on my ssh account which is awesome and that also means that i no longer need to keep my other terminal window open i still have this one open again if i made a mistake and everything is working for me if you did make a mistake then you could use this particular terminal window to fix that mistake then open a new tab or a new terminal and then you could use that terminal to test it out and make sure the problem's fixed but for me it looks like everything worked out just fine so i'm good to go so as you can see yubikeys are awesome it's my preferred security key and in this video i've gone over as much as i can and if there's anything else that i should go over i'll consider doing so in another video now if there is something else that you'd like me to cover on this channel let me know in the comments down below if this video helped you out please click that like button because that lets youtube know that other people should benefit from this knowledge as well make sure you also subscribe to learn linux tv in addition because i have some awesome content coming if i do say so myself very soon and i can't wait for you guys to see that 
so definitely subscribe and i will see you in the next video thank you so much for watching [Music]
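The checks below are an added example, not part of the video or its blog post: a POSIX shell helper that verifies the PAM and sshd_config edits described in the transcript before the spare terminal is closed, and builds the `authorized_yubikeys` line from a full OTP. The function names are hypothetical, the 44-character OTP with a 12-character public ID is Yubico's default layout and is assumed here, and the sshd check reads only the global section of one file (`sshd -T` gives the authoritative view).

```shell
#!/bin/sh
# Added example (not from the video). Function names are hypothetical.

# pam_u2f_after_common_auth FILE
# Succeeds when an uncommented "auth required pam_u2f.so" line follows
# "@include common-auth", the placement used for sudo, gdm-password and login.
pam_u2f_after_common_auth() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "@include" && $2 == "common-auth" { seen = 1; next }
        seen && $1 == "auth" && $2 == "required" && $3 == "pam_u2f.so" { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# sshd_password_auth FILE
# Prints the global PasswordAuthentication value: keywords are case-insensitive,
# the first occurrence wins, and the default is "yes". Match blocks and Include
# files are not followed (assumption: a single flat sshd_config).
sshd_password_auth() {
    awk '
        { gsub(/=/, " ") }
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "passwordauthentication" { val = tolower($2); exit }
        END { print (val == "" ? "yes" : val) }
    ' "$1"
}

# yubikey_authfile_line USER OTP
# Prints "USER:<public id>" for /etc/ssh/authorized_yubikeys. Assumes the
# default OTP layout: 44 modhex characters, the first 12 being the public ID.
yubikey_authfile_line() {
    case "$2" in
        *[!cbdefghijklnrtuv]*) return 1 ;;   # not modhex: not a YubiKey OTP
    esac
    [ "${#2}" -eq 44 ] || return 1
    printf '%s:%s\n' "$1" "$(printf '%s' "$2" | cut -c1-12)"
}

# Typical use, from the terminal you kept open:
#   pam_u2f_after_common_auth /etc/pam.d/sudo && echo "sudo: ok"
#   [ "$(sshd_password_auth /etc/ssh/sshd_config)" = "no" ] && echo "sshd: ok"
```

Run the checks against `/etc/pam.d/sudo`, `/etc/pam.d/gdm-password`, `/etc/pam.d/login` and `/etc/ssh/sshd_config` while a root session is still open, so a misplaced or commented-out line can be fixed without being locked out.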
Info
Channel: Learn Linux TV
Views: 114,552
Keywords: Linux, Tutorial, Howto, Guide, Learn Linux, gnu/linux, LearnLinuxTV, yubikey, yubico, windows, linux, macos, gdm, ssh, openssh, tty, protect account, security key, yubikey tutorial, howto, yubikey howto, yubikey 5 nfc, yubikey 5, yubikey review, yubico security key, how to, two factor authentication, yubikey setup, yubikey 2fa, yubikey 5ci, yubikey security key, fido u2f, yubikey nfc, yubikey 5c, usb security key, yubico key, hardware security key, security key usb, how to use yubikey
Id: INi-xKpYjbE
Length: 51min 19sec (3079 seconds)
Published: Wed Apr 13 2022