Yubikey: Powerful Security Made Painfully Simple

Reddit Comments

Going to watch it now

1 point, u/Uncle_B0B0, Nov 01 2020
Captions
We talk a lot about self-hosting here on this channel, and taking control of the services you use by doing it yourself rather than trusting these big tech companies who are spying on you and selling your data. But when it comes to self-hosting, security is more important than ever, because it's all up to you. And you might be thinking, "Hey, don't talk to me about security. I got key pairs, I'm taking care of everything, I got two-factor, I'm set, I'm super secure." But you can never be secure against unrestricted physical access. If someone can get to your machine, you're in trouble. And that's why we have to talk about the elephant in the room, or should I say the elephant in your home.

So imagine if there was a threat that came up every time you went to sleep, or went to the bathroom, or just went to make some pizza rolls. That's right, I'm talking about the people in your house. Now, you might be talking about a romantic partner, or someone that you just share your housing with, or, God forbid, children. Teenagers. Teenagers will sell you out to the Russians for an Xbox and a dime bag of weed.

And what are you... what? Krista, I'm feeling it sounds like you're suggesting people kill their family.

I'm suggesting people get serious about server security. Today it's all about DTA, that's "don't trust anybody".

We can't, we can't be condoning that on this channel. We'll be demonetizing.

Do you have a better solution?

Yes, let's do something else. A better solution, if you're worried about your hardware, is probably to use something like YubiKey. YubiKey is basically just like a normal two-factor authentication, but instead of having a phone as the device that you have to have with you when you log in, it's just a little tiny hardware key. The idea being that once you have this set up, you have to have this key every time you go to log in, and it'll be a lot more secure than just relying on a single password. We're going to use the YubiKey to generate a one-time password that we're going to use to secure our SSH connection, and we're going to be using a server provided by our good friends at Linode, you guys have heard on this channel before.

The great part about YubiKey as well is that every time it generates a password, that password is unique, so even if someone does manage to get hold of that particular password, the YubiKey is going to know, "Oh, this was generated a while ago, this isn't legit anymore." The machine that we're going to test this on first and get it all registered and set up is going to be a Debian machine, but then from there we're going to take it onto our server on Linode. So we're doing this with Linux because this is kind of a nerdy channel, but if you're running another major operating system, this also works for that. It also works for mobile, so this can go across a whole spectrum of devices. Let's get started.

So the first thing we're going to do is add this repository and run update. Yubico stable is the repository that we're going to add, and you can see here that that, uh, installed Launchpad PPA for Yubico. That's what we're going to use to configure our one-time password. And now we just need to install it: the YubiKey Personalization GUI. I already had it installed, but now I can check it out.

Now, using the OTP application, we're going to go to the top left option there, the Yubico OTP, and do a quick setup. So what this is going to do is it's going to write these values as the identity into one of the slots. Now this YubiKey has two, uh, slot one is a touch, slot two is a long press, so we're gonna go into slot two. You can have two identities for convenience. Here you click Write Configuration; you'll get the message at the top that says it's been successfully configured.

Next we're going to upload the configuration we just created to Yubico, but basically it's going to fill in all the values for you except for the one-time passcode. You click in that box, you use your YubiKey, either with a short touch or a long touch depending on which configuration slot you used, to fill in that value, and then you click to upload. That's pretty basic.

Next we're going to sign up for an API key, now that we have our, uh, one-time passwords generating properly. So you just provide your email address here on the Yubico website, and then you use your YubiKey to generate a one-time passcode so you can associate that with your account, and click, and you're good to go. It can take a while for this to go through, so if you set this up and it doesn't work immediately, you might have to wait a little bit longer. You should record these values for the next phase of the setup.

We're going to set up a quick Linode to test this on and to set this up in. So we'll do something real simple: we'll just do Ubuntu, and we'll do the cheapest of all of the Linodes because we're just testing. We'll do the Georgia region, and we'll do the Nano plan, shared CPU, because we're just testing and it's cheap. You set up a root password to get in for the first time, and that is all we need. Give it a little time to boot and we'll be ready to log in and start preparing it for YubiKey two-factor.

After logging into our Linode instance, we're gonna add a new user. We want to test this on root, so we're just going to add a user called ryan. Set them up. I can't type, I got the repeated password wrong; that's why they make you type it in twice, folks. And we'll ignore all the contact details because this person isn't going to exist after a while. And there we are, we got our new user set up.

So now we're going to install the PAM Yubico on our host, so this is the Linode that we created to test with. First we'll add the repository, and then once that is added, update, and finally libpam-yubico is what we want here. 407 kilobytes, we can spare it. And there we go, now we should have libpam on our host which we are testing with the, uh, authentication. So now we should be able to attempt to set up our YubiKey to authenticate two-factor here. So we want to make sure that the PAM file that was created there is where it needs to be, so we just want to look in lib security, and there it is: pam_yubico.so. That's what we want. So now we can go forward with setting up our keys.

Next up, we want to create a file where we're going to store the YubiKey IDs with the usernames that are going to use them on the system, and that is going to be under etc ssh authorized yubikeys. So we'll go ahead and edit it. It doesn't exist yet, so we'll edit it and create it at the same time. And the format here is the username, colon, the ID from the YubiKey. Now, you could have recorded this earlier; if you didn't, don't worry, it's the first 12 characters from the output when you press the button or hold the button, depending on which slot you put it in. So you put that in there, and that is going to tie the user on this system with that YubiKey ID.

Next up, we want to edit the etc pam.d sshd file, so we're going to add some directives for PAM about our ID key and to point it to that file that we just created that ties our users to the YubiKey IDs. So I'm going to search for PAM configuration. There it is. So you see right here, uh, "PAM configuration for security services", the first line; I'm going to put our line under that, directly under that. And here it is: auth required pam_yubico.so, that's the file that we confirmed the existence of earlier after installing the PAM service, client ID, secret key, and pointing it to the auth file that we just created that ties the ryan user to the YubiKey ID. Now, client ID and secret key are the values you got when you registered with Yubico, so I happen to record mine here; we'll grab those and pop them in here. We should also note that, uh, the required, uh, command here, the required means that it's going to force two factors, one of which has to be the YubiKey. If you change that to sufficient, then the YubiKey itself will be sufficient for login. So if you want to be, you know, like super cool, no password, just touch it to log in, you change that to sufficient.

Next up, we're going to edit sshd_config, and we're going to set this up. We are looking for these two lines: ChallengeResponseAuthentication yes, and UsePAM, which is already on yes. We want the both of those to be yes for two-factor. Finally, with all that completed, we're going to restart sshd so that all our changes will take effect, and now we are ready to test. So you move to another system with which you'll SSH into your Linode. Now, from another system, we want to simply SSH to our test Linode server. It prompts for the YubiKey, I gotta go over to it, and it wants the password. There's our two factors, and we're in.

So I think we can both agree that is a much more sane option instead of, you know, murdering your family.

I mean, sanity is so subjective, but I will admit it's a pretty good solution, although it does have some blind spots. Pro tip, pro security tip: when you're showering or sleeping or things like that, you don't want to just leave this thing lying around, because then you're in the exact same situation. What you want to do: get yourself a watertight container, a little bit of coconut oil, right in the prison wallet, every time.

Who hurt you?

DTA.

[Music]
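
A check of the three files the captions describe editing (the user-to-YubiKey mapping, the PAM sshd line, and `sshd_config`), as an added example that is not from the video. The function names, the file paths passed in, the placeholder ID and credentials, and the `id=`/`key=`/`authfile=` spellings of the pam_yubico arguments are assumptions not shown in the captions; `KbdInteractiveAuthentication` is the name newer OpenSSH releases use for the challenge-response setting.

```shell
# Added example: audits copies of the three files the walkthrough edits.
MODHEX='cbdefghijklnrtuv'   # alphabet YubiKey OTPs are typed in

# check_mapping FILE USER: true if FILE maps USER to one or more 12-char IDs
check_mapping() { grep -Eq "^$2(:[$MODHEX]{12})+\$" "$1"; }

# pam_control FILE: control flag of the first active pam_yubico.so auth line
pam_control() {
    awk '$1 == "auth" && /pam_yubico\.so/ { print $2; f = 1; exit }
         END { if (!f) print "missing" }' "$1"
}

# pam_has_args FILE: true if that line carries id=, key= and authfile=
pam_has_args() {
    line=$(awk '$1 == "auth" && /pam_yubico\.so/ { print; exit }' "$1")
    for arg in id= key= authfile=; do
        printf '%s\n' "$line" | grep -Eq "[[:space:]]$arg[^[:space:]]" || return 1
    done
}

# sshd_option FILE KEY: value of the first uncommented KEY, lower-cased
sshd_option() { awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"; }

# audit MAPPING PAM SSHD USER: prints one line per finding, returns the count
audit() {
    n=0
    check_mapping "$1" "$4" || { echo "no valid YubiKey ID mapped for $4"; n=$((n+1)); }
    case $(pam_control "$2") in
        required) ;;
        sufficient) echo "pam_yubico is sufficient: the key alone logs in"; n=$((n+1)) ;;
        *) echo "no active 'auth required pam_yubico.so' line"; n=$((n+1)) ;;
    esac
    pam_has_args "$2" || { echo "pam_yubico line lacks id=, key= or authfile="; n=$((n+1)); }
    [ "$(sshd_option "$3" UsePAM)" = yes ] || { echo "UsePAM is not yes"; n=$((n+1)); }
    cr=$(sshd_option "$3" ChallengeResponseAuthentication)
    [ -n "$cr" ] || cr=$(sshd_option "$3" KbdInteractiveAuthentication)  # newer OpenSSH name
    [ "$cr" = yes ] || { echo "challenge-response is not yes"; n=$((n+1)); }
    return "$n"
}

# Constructed sample files (placeholder ID and credentials, not real values)
demo() {
    d=$(mktemp -d)
    echo 'ryan:cccccccccccc' > "$d/map"
    echo 'auth required pam_yubico.so id=CLIENT_ID key=SECRET_KEY authfile=/etc/ssh/authorized_yubikeys' > "$d/pam"
    printf 'UsePAM yes\nChallengeResponseAuthentication yes\n' > "$d/sshd"
    audit "$d/map" "$d/pam" "$d/sshd" ryan; rc=$?; rm -rf "$d"; return "$rc"
}
demo && echo "all checks passed"
```

Run `audit` against copies of the real files before restarting sshd, and keep an existing session open while testing so a bad PAM line cannot lock you out.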
Info
Channel: Level1Techs
Views: 38,172
Keywords: technology, science, design, ux, computers, hardware, software, programming, level1, l1, level one
Id: 79DIu5wOBTY
Length: 11min 58sec (718 seconds)
Published: Sat Oct 31 2020