I've been using Yubikey for a while now, and I've always wanted to use it in my home lab. Thank you for putting this together. I love it. Can't wait to apply it
Thank you! Glad you enjoyed it :)
I've been using Yubikeys for about 6 years now and I can honestly say they have changed my life! I use mine for everything from signing EFI shims to logging into AWS. If you care about security then get several Yubikeys.
09:05 Rather than using /bin/sh as the entrypoint, it needs to be dumb-init, as sh isn't meant to be PID 1 and can't deal with signals like SIGTERM without modification and traps. So just change /bin/sh to ../dumb-init; you can leave the rest (teleport...) in command.
I use these everywhere possible. Yubikeys are great. Make sure you have a few of them assigned to any account in case you lose one or it stops working.
That’s the most important. Always have a backup.
It’s always good to have a backup! :)
Not adding a Yubikey without the secondary protection of a PIN or biometrics is not a bug, it is a feature!
Thanks for the clear explanation. What online service supports passwordless login with a YubiKey and which would you recommend?
Thank you for this great tutorial. After being unsuccessful setting up Teleport behind a Traefik proxy, I used a CF tunnel to access the service. Passwordless sign-in with fingerprint on the MacBook or Face ID on iPhone seems to be the most convenient way for me 🙂
I would love to see where else you could use passwordless/YubiKey in a homelab. Thank you for all the great videos that you have made!
Thank you! There's something new coming out in the next weeks :)
Great coverage! Been using Yubikeys for years now. Great physical defense.
Thanks! That’s awesome
Hey Christian, very well explained and punctual tutorial on MFA! 👌👌👌
Thank you so much 😊
Yubikeys are brilliant and uplift your security stance dramatically. I purchased keys for all my family members during the lockdowns to help us all avoid the elevated risks of working from home.
Awesome!
That's great. The question is what would happen if Yubikey no longer exists.
@dobithezkiyy3504 Backup / master key, emergency recovery codes with alternative authentication.
Wow, Yubikey is so easy to use! All you have to do is log into DOS and type several hundred lines of machine code that no one knows!
I don't think it's a bug; WebAuthn allows you to declare whether your token should have PIN protection if used as a single factor (for the reasons you mentioned).
Cool video like always, thank you for sharing
Thank you!
If you think having a device dedicated to password management or a secrets vault would stop someone from giving out all the passwords at gunpoint :D
I believe having a phone with the password manager is enough, since the phone can be encrypted to a level that, at gunpoint, you will still spill the beans.
huh?
So great, thank you!
Christian - can you share the terminal colors you're using now that you've moved to macOS? I'd like to get my terminal looking like yours from this tutorial. Is there a script that can be used, or just match the macOS terminal color settings to yours?
Make a video on how to set up a Windows Active Directory Sams with Yubikey/FIDO2 or passwordless.
Great video! How did you customise your terminal like that?
There will be a new video coming out about Mac terminal customization :) Stay tuned.
Thanks for this interesting content. Do you know if you can use the Yubikey with an iPad? I'd also love to hear if this works with the RDP part towards a Windows server as well.
I think the NFC version should work on compatible NFC devices. Not sure if the iPad has it though
Your videos are great dude, you got a new sub.
I'm here for hairdos and security/nerd BS, and we are fresh outta hair, my friends :)
thanks mate!
Hey Christian, I saw the video you did on Wireshark and I must say it wasn't clear at all!
Can you do a video on how to use Wireshark to hunt for spyware/malware?
I got myself a Yubikey, but until now I have used the 1Password manager. What do I do?
Thanks for the video. What VS Code theme is that? So with you not recommending using a reverse proxy, I guess that means we should have a fresh dedicated VM with its own public IP?
You're welcome! I'm using my own theme; you can find it in the marketplace, "The Digital Life" ;) Reverse proxies would make the system more complex without adding any benefit.
Just buy a second one as a backup... I lost mine and I was screwed completely... well, not completely, but it was some problem to log into the boxes.
Teleport is amazing. I really have to start with it for my infrastructure. What about a video about the Windows Remote Desktop stuff built into Teleport? I definitely will use it.
That's already planned :) but I will do a few other projects first, so that needs to wait a little.
@christianlempa After reading the documentation for RDP with Teleport, I decided that this project can wait until your video for that is on RUclips 🙂
So basically Teleport replaces Traefik and (Authelia/Authentik), right?
For me it does, yeah
Hey Christian,
is something like this possible when using a Cloudflare Zero Trust tunnel?
Thanks for your videos - top!
You're welcome! Thanks for the praise ;)
@2:20 you said Yubikey with NFS, I think you meant to say NFC. Great video!
Oh yeah, that was a mistake :D Thanks mate!
What happens when you need to access your home infrastructure but you do not have an internet connection (during an outage)?
Hope it doesn't xD Well, I still got SSH as a backup.
Great video and content Christian :-)
You really use Google Authenticator? Then you have a single point of failure (your iPhone), because with this app you have no automatic sync to other devices like Authy.
I have Teleport running on a VPS for SSH and web services and it works nicely!
Yubikey in Teleport works with MS Edge too 🙂 Here you only have to type the PIN and then you have to touch the Yubikey (once). Very nice! I hope that someday it will work with Firefox too.
Another tip: use at least 2 Yubikeys - one for at home, one for on the go. So you also have a direct backup.
Thanks mate :) Yeah, maybe I should move from Google Authenticator to something better; I'll take a look at Authy.
With so much complication and configuration, it is only a matter of time until someone makes a mistake and provokes a security breach.
When this is available via using a USB key (in place) instead of the Yubikey across the board, it will be a game-changer. The technology is already built into most browsers, extensive libraries are available for the signing modalities, yet it's not widely used.
Hey, can you make the font bigger next time? It is a little small on my device.
Okay 👍
Extremely interesting tutorial as always, but thought I'd let you know that you have an *AWESOME* shirt !!! (wink wink - from a Canadian subscriber !!!) 🙂
Haha thank you 🙏☺️
Does Teleport support the DNS-01 challenge? Cannot find it in the docs.
I don't think so, unfortunately, but I'm not sure. What does the Teleport support say about that?
How can I run this if I already have nginx manager running on 443?
You can change the port
USB to micro USB adapter for smartphone: can I use this key on a Galaxy S20?
It has NFC, so it should work wirelessly with any phone.
@christianlempa I will buy the YubiKey Bio - FIDO Edition; it does not have NFC.
Can't add host to Teleport.
So the solution is finding the first door. OK. Good.
What can you do if you lose your YubiKey?
You can still use other keys or OTP as a fallback and remove the lost Yubikey from your account.
Does this still work when you lose internet connectivity?
I guess it doesn't, because I'm running Teleport in the cloud.
@christianlempa But you got a back way in, right?
@sylvaindecrom Of course :D
How is a PIN not a password?
A PIN is a PIN, a password is a password ;)
@christianlempa I respectfully disagree. A password is a secret (something you know). So a PIN is just a numeric password. For security purposes there are three options: something you know (e.g. passwords), something you have (e.g. hardware), something you are (e.g. retina scan). Sadly I haven't found a way to just rely on hardware without a secret. This video does not solve this either.
Wow, My comment got removed very quickly!
Do you know how to integrate with Traefik?
As I said in the video, I’d not do it and just use Teleport without a revproxy
Where do I find the Terraform tutorial?
Just search for Terraform and The Digital Life, you'll find it ;)
I still see MFA as better than passwordless login, because then you need two different kinds for the login: the password that only the person knows, and the stick. Because if you lose the stick and someone knows what it's for, they can then log in. Security always comes before convenience.
Well, against that there's the PIN for the stick.
First Comment
How many times will they sponsor you 💀. At this point you can change your logo to Teleport's.
Dude, chill out. He has a very niche channel, so it's very difficult to grow or get sponsors; even more, the product is actually useful and relevant for most of the viewers of the channel, so I don't really see the harm.