Don't use passwords anymore! Teleport with YubiKey passwordless login

  • Published: 23 Nov 2024

Comments • 94

  • @BrianThomas 2 years ago +3

    I've been using Yubikey for a while now, and I've always wanted to use it in my home lab. Thank you for putting this together. I love it. Can't wait to apply it

  • @drgr33nUK 2 years ago +1

    I've been using Yubikeys for about 6 years now and I can honestly say they have changed my life! I use mine for everything from signing EFI shims to logging into AWS. If you care about security then get several yubikeys.

  • @LampJustin 2 years ago +4

    09:05 rather than using bin/sh as the entrypoint it needs to be dumb-init as sh isn't meant to be PID1 and can't deal with signals like SIGTERM without modification and traps. So just change /bin/sh to ../dumb-init you can leave the rest (teleport...) in command

  • @phillipmelvin4756 2 years ago +17

    I use these everywhere possible. Yubikeys are great. Make sure you have a few of them assigned to any accounts so if you lose it or it stops working.

    • @bytecorner123 2 years ago +4

      That’s the most important. Always have a backup.

    • @christianlempa 2 years ago +3

      It’s always good to have a backup! :)

  • @LarsBerntropBos 2 years ago +3

    Not adding a Yubikey without secondary protection of PIN or biometric is not a bug, it is a feature!

  • @TzaraDuchamp 1 year ago

    Thanks for the clear explanation. What online service supports passwordless login with a YubiKey and which would you recommend?

  • @MadChristianX 2 years ago

    Thank you for this great tutorial. After being unsuccessful setting up teleport behind Traefik proxy I used a CF tunnel to access the service. Passwordless sign in with fingerprint on the MacBook or FaceID on iPhone seems to be the most convenient way for me 🙂

  • @brandenrae9803 1 year ago

    I would love to see where else you could use passwordless/YubiKey in a homelab. Thank you for all the great videos that you have made!

    • @christianlempa 1 year ago +1

      Thank you! There’s something new coming out the next weeks :)

  • @itsvrl1856 2 years ago +1

    Great coverage! Been using Yubikeys for years now. Great physical defense.

  • @mrd4233 2 years ago +5

    Hey Christian, very well explained and punctual tutorial on MFA! 👌👌👌

  • @joesweeney6262 2 years ago

    Yubikeys are brilliant and uplift your security stance dramatically. I purchased keys for all my family members during the lockdowns to help us all avoid the elevated risks of working from home.

    • @christianlempa 2 years ago

      Awesome!

    • @dobithezkiyy3504 1 year ago

      That's great. The question is what would happen if Yubikey no longer exists.

    • @joesweeney6262 1 year ago

      @dobithezkiyy3504 backup / master key, emergency recovery codes with alternative authentication

  • @MikeFico998 1 year ago

    Wow Yubikey so easy to use! All you have to do is log into DOS and type several hundred lines of machine code that no one knows !

  • @berndeckenfels 1 year ago

    I don’t think it’s a bug, webauthn allows to declare if your token should have pin protection if used as single factor (for the reasons you mentioned).

  • @cempack 2 years ago +4

    Cool video like always, thank you for sharing

  • @DamjanDimitrioski 2 years ago +1

    If you think having a device dedicated for password management or secrets vault would stop someone giving out all the passwords at a gunpoint :D.
    I believe having a phone with the password manager is enough, since the phone can be encrypted to a level that on gunpoint you will still spill the beans.

  • @nolanwatts110 2 years ago

    So great, thank you!
    Christian - can you share the terminal colors you're using now that you've moved to macOS? I'd like to get my terminal looking like yours from this tutorial. Is there a script that can be used, or just match the macOS terminal color settings to yours?

  • @alexlora6009 1 year ago

    make a video of how to setup a windows active directory Sams with yubikey/FIDO2 or password less.

  • @aleksanderbang-larsen7628 2 years ago

    Great video! How did you customise your terminal like that?

    • @christianlempa 2 years ago

      There will be a new video coming out about mac terminal customization :) stay tuned

  • @tidalwave76 1 year ago

    Thanks for this interesting content. Do you know if you can use the Yubikey with an iPad? I'd also love to hear if this works with the RDP part towards a Windows server as well.

    • @christianlempa 1 year ago

      I think the NFC version should work on compatible NFC devices. Not sure if the iPad has it though

  • @Thylacine1 2 years ago

    Your videos are great dude, you got a new sub.
    I'm here for hairdos and security/nerd BS, and we are fresh outta hair my friends :)

  • @ao4514 2 years ago

    Hey Christian, I saw the video you did on Wireshark and I must say it wasn't clear at all!
    Can you do a video on how to use Wireshark to hunt for spyware/malware?

  • @0x-003 2 years ago

    I got myself a Yubikey, but until now I have used 1password manager, what do I do?

  • @biggyk87 2 years ago

    Thanks for the video. What vscode theme is that? So with you not recommending using a reverse proxy, I guess that means we should have a fresh dedicated vm with its own public IP?

    • @christianlempa 2 years ago

      You're welcome! I'm using my own theme, you can find it in the marketplace "The Digital Life" ;) Revproxies would make the system more complex without adding any benefit.

  • @kpwlek 1 year ago

    Just buy a second one as a backup... I have lost mine and I was screwed completely... well not completely but it was some problem to log in to the boxes.

  • @marcoroose9973 2 years ago

    Teleport is amazing. I really have to start with it for my infrastructure. What about a video about the Windows Remote Desktop stuff built into teleport? I definitely will use it.

    • @christianlempa 2 years ago +2

      That’s already planned :) but I will do a few other projects first so that needs to wait a little

    • @MadChristianX 2 years ago

      @christianlempa After reading the documentation for RDP with teleport I decided that this project can wait until your video for that is on RUclips 🙂

  • @gernhardreinholzen1448 2 years ago +1

    So basically teleport replaces traefik and (authelia/authentik), right?

  • @itHurtswhenIP 1 year ago

    Hey Christian
    Is something like this possible when using Cloudflare Zero Trust tunnel?

  • @jwspock1690 2 years ago

    Thanks for your videos - top!

  • @Sc4rEye 2 years ago

    @2:20 you said Yubikey with NFS, I think you meant to say NFC. Great video!

    • @christianlempa 2 years ago

      Oh yeah, that was a mistake :D Thanks mate!

  • @eb3898 2 years ago

    What happens when you need to access your home infrastructure but you do not have an internet connection (during an outage)?

    • @christianlempa 2 years ago

      Hope it doesn’t xD well I still got SSH as backup

  • @Glatze603 2 years ago

    Great video and content Christian :-)

    • @Glatze603 2 years ago

      you really use google authenticator ? Then you have a single point of failure (your iphone), because with this app you have no automatic sync to other devices like authy.

    • @Glatze603 2 years ago

      I have Teleport running on a VPS for ssh and web-services and it works nice!

    • @Glatze603 2 years ago

      Yubikey in Teleport works with MS Edge too 🙂 Here you only have to type the PIN and then you have to touch the Yubikey (once). Very nice! I hope that someday it will work with firefox too.

    • @Glatze603 2 years ago

      Another tip: use at least 2 Yubikeys - one for at home, one for on the go. So you also have a direct backup.

    • @christianlempa 2 years ago

      Thanks mate :) yeah maybe I should move from google auth to something better, I’ll take a look at Authy

  • @pbrigham 2 years ago +3

    With so much complication and configuration is only a matter of time until someone makes a mistake and provokes a security breach.

  • @CaptZenPetabyte 2 years ago

    When this is available via using a usb key (in place) instead of the yubikey across-the-board it will be a game-changer. The technology is already built into most browsers, extensive libraries are available for the signing modalities, yet it's not widely used.

  • @alexsalois5372 2 years ago

    Hey, can you make the font bigger next time? It is a little small on my device.

  • @danielsauriol 2 years ago

    Extremely interesting tutorial as always, but thought I'd let you know that you have an *AWESOME* shirt !!! (wink wink - from a Canadian subscriber !!!) 🙂

  • @cyber-paul 1 year ago

    Does teleport support DNS01 challenge? Can not find in docs

    • @christianlempa 1 year ago

      I don't think so, unfortunately, but I'm not sure, what does the teleport support say about that?

  • @s6yx 2 years ago

    how can i run this if i already have nginx manager running in 443?

  • @smith2074 2 years ago

    usb to micro usb adapter for smartphone can i use this key on galaxy s20?

    • @christianlempa 2 years ago

      It has NFC so it should work wireless with any phone

    • @smith2074 2 years ago

      @christianlempa I will buy yubiKey bio - FIDO Edition does not have NFC

  • @xiaxiao7567 2 years ago

    Can't add host to teleport

  • @racghineering 2 years ago

    so the solving is finding the first door. ok. good.

  • @cbbcbb6803 2 years ago

    What can you do if you lose your YubiKey?

    • @christianlempa 2 years ago

      You can still use other keys or otp as a fallback and remove the lost yubikey from your account

  • @sylvaindecrom 2 years ago

    Does this still work when you lose internet connectivity?

    • @christianlempa 2 years ago +1

      I guess it doesn't because i'm running teleport in the cloud.

    • @sylvaindecrom 2 years ago

      @christianlempa but you got a back way in right?

    • @christianlempa 2 years ago +1

      @sylvaindecrom of course :D

  • @saschaweinmann 2 years ago +1

    How is a PIN not a password?

    • @christianlempa 2 years ago

      A PIN is a PIN, a password is a password ;)

    • @saschaweinmann 2 years ago +1

      @christianlempa I respectfully disagree. A password is a secret (something you know). So a PIN is just a numeric password. For security purposes there are three options: something you know (e.g. passwords), something you have (e.g. hardware), something you are (e.g. retina scan). Sadly I haven't found a way to just rely on hardware without a secret. This video does not solve this either.

  • @infocus-media 2 years ago

    Wow, My comment got removed very quickly!

  • @JerryWoo96 2 years ago

    Do you know how to integrate with traefik?

    • @christianlempa 2 years ago

      As I said in the video, I’d not do it and just use Teleport without a revproxy

  • @PatipanWongkleaw 2 years ago

    Where do I find the Terraform tutorial?

    • @christianlempa 2 years ago

      Just search for terraform and the digital life, you'll find it ;)

  • @chris23tr 2 years ago

    I still see MFA as the better option compared to passwordless login, because then you need 2 different kinds of things for the login: the password that only the person knows, and the stick. Because if the stick gets lost and someone knows what it is for, they can then log in. Security always comes before convenience.

    • @MadChristianX 2 years ago

      Well, that is what the PIN for the stick is for.

  • @csmithDevCove 2 years ago +1

    First Comment

  • @patrikgrguric535 2 years ago +1

    How many times will they sponsor you 💀. At this point you can change your logo to Teleport's.

    • @jayp9158 1 year ago

      Dude, chill out. He has a very niche channel so it's very difficult to grow or getting sponsors, even more, the product is actually useful and relevant for most of the viewers of the channel so I don't really see the harm.