Configuring SSH FIDO U2F Authentication with YubiKey 

Lawrence Systems

Forum post write up
forums.lawrencesystems.com/t/...
How To Generate Ed25519 SSH Keys, Install Them, and Configure Secure Passwordless Authentication
• How To Generate Ed2551...
LearnLinuxTV YubiKey Video
www.learnlinux.tv/setting-up-...
CVE-2021-3011
cve.mitre.org/cgi-bin/cvename...
ninjalab.io/a-side-journey-to...
⏱️ Timestamps ⏱️
00:00 FIDO2 SSH Yubikey
01:10 Check SSH Version & Yubikey Version
02:40 install libfido2-dev
03:18 Generating ed25519-sk keys
05:36 Installing & Using the Keys
07:00 Cloning Keys?
#FidoU2F #Yubikey #SSH

Published: 23 Jul 2024

Comments: 62
@LAWRENCESYSTEMS 2 years ago
Forum post write up
forums.lawrencesystems.com/t/ssh-with-yubikey-fido-u2f-authentication/13024
LearnLinuxTV YubiKey Video
www.learnlinux.tv/setting-up-the-yubikey-on-ubuntu/
CVE-2021-3011
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3011
ninjalab.io/a-side-journey-to-titan/
⏱ Timestamps ⏱
00:00 FIDO2 SSH Yubikey
01:10 Check SSH Version & Yubikey Version
02:40 install libfido2-dev
03:18 Generating ed25519-sk keys
05:36 Installing & Using the Keys
07:00 Cloning Keys?
@cloudcultdev 2 years ago
“Feel free to flame me in the comments for doing things as root” - now that’s a seasoned YouTuber who knows their audience well! Great video once again, Tom!
@AshtonClemens 10 months ago
😂 I chuckled.
@JasonsLabVideos 2 years ago
Good video sir! I use the USB-C version for my phone & laptops. These things are amazing & durable too!!
@sagarsriva 2 years ago
great video as always!
@daveemmons7312 2 years ago
I really enjoy your videos, technical enough to make things happen with simple enough explanations that I can understand what is going on. I also appreciate the symbiotic relationship between you and Jay@LearnLinuxTV, most excellent and I find myself bouncing between your channels watching videos and soaking it all in. Thanks again!
@RzVa317 2 years ago
Thanks for this tutorial, Tom
@evodefense 1 year ago
yubikeys rock! thx for write up
@NicholasOrr 2 years ago
Thanks for the info - this is very sensible and simple nowadays. Only thing that stops me from using YubiKey for constant auth is needing to plug in the device :P Need to get a cable to move the USB ports closer to my keyboard
@SyberPrepper 2 years ago
Great video. Thanks Tom.
@filupmarley 2 years ago
Very cool Tom!
@WojciechMarusiak 2 years ago
Good stuff. Thanks a lot.
@evodefense 7 months ago
Thanks!
@omfghai2u 2 years ago
A good idea to get two keys since some sites that use FIDO2 only support another key as the backup login method. (or their other backup is "less than secure")
@steinerviana 2 years ago
Thanks for the video. Can I use yubikey with Radius server in pfsense?
@bobtatar7972 1 year ago
Tom - thanks for the video. I think you will want to encourage viewers to use pass phrases with their hardware keys. It’s a lot easier to steal a hardware device than a passphrase, and if somebody has the device to get into your servers, they will be very glad that you did not protect it with a passphrase.
@jp62200 7 months ago
In fact it is better to generate the key with the option -O verify-required as per the Yubico SSH guide. So the PIN code is asked every time; the key is locked after 8 failed attempts
@BrianThomas 2 years ago
Fantastic video. Can you do the same thing with PF sense? You do a video that shows Just working with PFSENSE
@a6ustin666 1 year ago
I am kind of late 😂…. But how do I configure multiple YubiKeys (main+backups)? I just have to generate one ssh key for each U2F key with a different name and that's all?
@bardus_hobus 2 months ago
What if I lost the key on the client host? Is there a way to generate it back using just the hardware key?
@jacobhenriksen2324 19 days ago
Does this work with nested ssh sessions? I usually ssh from my windows machine into my pop-os vm, and from there I can run tmux and ssh into my other linux servers.
@craigstone4051 2 years ago
Lawrence. Big fan of the content. Regarding the advice "get a second key and store it in a safe deposit box" how does that work? You can't enroll the second key as a backup for a service if it's locked up at a remote location. To me the second key just becomes stale from the second you enroll the first key in another service. Am I missing something?
@LAWRENCESYSTEMS 2 years ago
If you create a second ED25519 key pair with a backup FIDO U2F key and load the second public key on each system you can use that second key to access those systems if you lose the first.
@jessedyson5919 2 years ago
Thank you for putting this video together. I do have one question about the ssh-keygen command. Does this command overwrite anything on the YubiKey? The reason for the question is that I have an existing YubiKey that I’m using for FIDO2 and I don’t want to break it.🙂
@rajilsaraswat9763 2 years ago
No, it doesn't.
@jessedyson5919 2 years ago
@@rajilsaraswat9763 Thank you!
@simons9167 2 years ago
This method is very effective for security devices and even web page. Personally I like to use Google Authentication or Microsoft Authentication app on my phone, this way I don't have to carry e, tea items. Lawrence, do you know any good software that can integrate Authentication app with ssh or OpenVPN?
@OddWoz 1 year ago
I needed this video. Thank you 🙏
@philippe_demartin 2 years ago
Would it be possible to create a kind of security token from a standard thumb drive? Sure, you can mount your thumb drive, which contains your key, on your ~/.ssh folder, but is there another trick to combine both the "private key" and "thumb drive resident" parts of the authentication?
@CaptZenPetabyte 2 years ago
It would be nice to have a way to do this with a USB drive in some way, but I know that's not possible because the electronics is required; maybe a Raspberry Pi Zero or Pico could do the job and then you would also have even more 'playing around' space for interesting 'active encryption response'. (just brainstorming ideas)
@michelangelop3923 2 years ago
You could create a backup ssh-key and secure it with a password; for additional security you can encrypt the private key on the USB with a VeraCrypt file.
@danimoosakhan 7 months ago
Can I use multiple ed25519-sk with the same YubiKey? Will it override the previous keys?
@jp62200 7 months ago
Yes, with the option: -O application="ssh:app1" (replace app1 with what you want). Depending on the key you will be able to register more apps (25 I think on the YubiKey FIDO2)
@shaung638 1 year ago
Is there any practical difference between ecdsa-sk and ed25519-sk in this application? I can get ecdsa-sk to work with my hardware key but so far have been unsuccessful with ed25519-sk.
@Berieh 1 year ago
I recall there's been somebody saying on YouTube that ecdsa-sk has an NSA backdoor. But you better do the research on your own.
@10a3asd 2 years ago
Don't these have to send a request to the Yubikey's servers each time an auth attempt is made?
@LAWRENCESYSTEMS 2 years ago
Not when using FIDO U2F
@gordonzero 2 years ago
Any good solution for SSH U2F on Windows? My primary system is Windows and most of my servers are Linux.
@LAWRENCESYSTEMS 2 years ago
That issue is being tracked here github.com/PowerShell/Win32-OpenSSH/issues/1804
@berndeckenfels 2 years ago
Solokeys still lag in the cert department, seems like the project is occupied with printing dice.
@sinenomine9143 2 years ago
4:53 You are saying that you got the private key and the pub key on your server. PS your YubiKey private key NEVER leaves the YubiKey. By the way, thanks for your videos.
@DanielHaanpaa 2 years ago
How do you do this on a Windows client connecting to a Linux server?
@LAWRENCESYSTEMS 2 years ago
Might work using Windows subsystem for Linux. I didn't test.
@jaredbaur3725 2 years ago
Progress for fido2 support for openssh that comes with Windows is being tracked here: github.com/PowerShell/Win32-OpenSSH/issues/1804
@alpachino468 2 months ago
I identify as an SSH key
@fremenarrakis2616 2 years ago
Hello, indeed, it is not possible to clone the YubiKey. If you want a method with a way to back up, you can use GPG keys for SSH: you generate the key on a secured computer, then you can back up the keys to some storage, then you transfer the keys into the YubiKey, then you delete the keys on the computer. The keys are only stored in the YubiKey so you can use SSH on any computer, it is not possible to extract the keys from the YubiKey in case it's lost, and to be able to SSH you just need to provide the PIN. I know it is a confusing explanation but I've read this somewhere, I can't remember where, maybe in the YubiKey documentation. Bye
@DaHaiZhu 2 years ago
This is kinda a bummer: Windows ssh (8.1) is too old as a host, and Raspberry pi ssh (7.9) as a server.
@d00dEEE 2 years ago
I use cygwin and was pleased to see 8.8 on all my Windows boxes, but then was disappointed like when I saw 7.9 on the pis and 8.0 on my Alma server.
@enonu 2 years ago
Consider Ubuntu Server for your raspberry pis.
@emanuelpersson3168 1 year ago
Would be nice to have a Windows SSH client that supports YubiKey.
@jako265 1 year ago
Putty with Kleopatra will do the trick. RSA keys
@jp62200 7 months ago
Putty-cac has everything integrated
@emanuelpersson3168 7 months ago
@@jp62200 I will check it out! Thank you!
@heavy1metal 2 years ago
Given the _id requires the YubiKey and is useless otherwise, would you think it's safe to store the _id on something like github?
@LAWRENCESYSTEMS 2 years ago
I would not want even half of my private key somewhere accessible, only the public one.
@wutzman 2 years ago
🙈
@TechySpeaking 2 years ago
First
@ikkuranus 2 years ago
If only this could be done with the putty client in windows
@CristianHeredia0 2 years ago
If I have ssh only logins and fail2ban active, is this necessary? Love my yubikeys just trying to find the right balance between security and convenience.
@tw3145wallenstein 2 years ago
That is a matter of how many layers you want to have between your server and the attacker attempting to gain access. So is having to remember and keep track of one more thing worth that extra layer of security it will provide?
@kriansa 2 years ago
Adding up to Tyler's response, this kind of protection starts to make sense when you work on a team where not everybody is as tech-savvy or concerned about security. People might use SSH keys instead of passwords, but those are still vulnerable to getting stolen in several scenarios. Adding a physical token as part of the key adds an extra layer of security so that an attacker would need more than just disk access in order to compromise your key. In the end, you have to weigh in your pros/cons for each additional layer of security.
@CristianHeredia0 2 years ago
@@kriansa That scenario makes sense. Thanks