Configuring SSH FIDO U2F Authentication with YubiKey

  • Published: 18 Jan 2025

Comments • 62

  • @LAWRENCESYSTEMS
    @LAWRENCESYSTEMS 2 years ago +7

    Forum post write up
    forums.lawrencesystems.com/t/ssh-with-yubikey-fido-u2f-authentication/13024
    LearnLinuxTV YubiKey Video
    www.learnlinux.tv/setting-up-the-yubikey-on-ubuntu/
    CVE-2021-3011
    cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3011
    ninjalab.io/a-side-journey-to-titan/
    ⏱ Timestamps ⏱
    00:00 FIDO2 SSH Yubikey
    01:10 Check SSH Version & Yubikey Version
    02:40 install libfido2-dev
    03:18 Generating ed25519-sk keys
    05:36 Installing & Using the Keys
    07:00 Cloning Keys?

  • @cloudcultdev
    @cloudcultdev 2 years ago +59

    “Feel free to flame me in the comments for doing things as root” - now that’s a seasoned YouTuber who knows their audience well! Great video once again, Tom!

  • @JasonsLabVideos
    @JasonsLabVideos 2 years ago

    Good video sir! I use the USB-C version for my phone & laptops. These things are amazing & durable too!!

  • @bobtatar7972
    @bobtatar7972 1 year ago +1

    Tom - thanks for the video. I think you will want to encourage viewers to use pass phrases with their hardware keys. It’s a lot easier to steal a hardware device than a passphrase, and if somebody has the device to get into your servers, they will be very glad that you did not protect it with a passphrase.

    • @jpp_vh
      @jpp_vh 1 year ago +1

      In fact it is better to generate the key with the option -O verify-required, as per the Yubico SSH guide. That way the PIN code is asked for every time, and the key is locked after 8 failed attempts.

  • @daveemmons7312
    @daveemmons7312 2 years ago +5

    I really enjoy your videos, technical enough to make things happen with simple enough explanations that I can understand what is going on.
    I also appreciate the symbiotic relationship between you and Jay@LearnLinuxTV, most excellent, and I find myself bouncing between your channels watching videos and soaking it all in.
    Thanks again!

  • @evodefense
    @evodefense 1 year ago

    Yubikeys rock! Thx for the write-up

  • @NicholasOrr
    @NicholasOrr 2 years ago

    Thanks for the info - this is very sensible and simple nowadays.
    The only thing that stops me from using a Yubikey for constant auth is needing to plug in the device :P
    I need to get a cable to move the USB ports closer to my keyboard.

  • @10a3asd
    @10a3asd 2 years ago +2

    Don't these have to send a request to the Yubikey's servers each time an auth attempt is made?

  • @RzVa317
    @RzVa317 2 years ago

    Thanks for this tutorial, Tom

  • @SyberPrepper
    @SyberPrepper 2 years ago

    Great video. Thanks Tom.

  • @omfghai2u
    @omfghai2u 2 years ago +1

    It's a good idea to get two keys, since some sites that use FIDO2 only support another key as the backup login method (or their other backup is "less than secure").

  • @sinenomine9143
    @sinenomine9143 2 years ago +1

    4:53 You are saying that you got the private key and the pub key on your server. PS: your Yubikey private key NEVER leaves the Yubikey. By the way, thanks for your videos.

  • @WojciechMarusiak
    @WojciechMarusiak 2 years ago

    Good stuff. Thanks a lot.

  • @jessedyson5919
    @jessedyson5919 2 years ago +1

    Thank you for putting this video together. I do have one question about the ssh-keygen command. Does this command overwrite anything on the YubiKey? The reason for the question is that I have an existing YubiKey that I’m using for FIDO2 and I don’t want to break it.🙂

  • @sagarsriva
    @sagarsriva 2 years ago

    Great video as always!

  • @a6ustin666
    @a6ustin666 1 year ago +1

    I am kind of late 😂…. But how do I configure multiple YubiKeys (main+backups)? I just have to generate one ssh key for each U2F key with a different name and that's all?

  • @craigstone4051
    @craigstone4051 2 years ago

    Lawrence. Big fan of the content. Regarding the advice "get a second key and store it in a safe deposit box", how does that work? You can't enroll the second key as a backup for a service if it's locked up at a remote location. To me the second key just becomes stale from the second you enroll the first key in another service. Am I missing something?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago +2

      If you create a second ED25519 key pair with a backup FIDO U2F key and load the second public key on each system, you can use that second key to access those systems if you lose the first.

  • @evodefense
    @evodefense 1 year ago

    Thanks!

  • @BrianThomas
    @BrianThomas 2 years ago

    Fantastic video. Can you do the same thing with pfSense? You do a video that shows just working with pfSense.

  • @bardus_hobus
    @bardus_hobus 8 months ago

    What if I lost the key on the client host? Is there a way to generate it back using just the hardware key?

  • @CaptZenPetabyte
    @CaptZenPetabyte 2 years ago +1

    It would be nice to have a way to do this with a USB drive in some way, but I know that's not possible because the electronics are required; maybe a Raspberry Pi Zero or Pico could do the job, and then you would also have even more 'playing around' space for interesting 'active encryption response'. (Just brainstorming ideas.)

    • @michelangelop3923
      @michelangelop3923 2 years ago

      You could create a backup ssh key and secure it with a password; for additional security you can encrypt the private key on the USB with a VeraCrypt file.

  • @berndeckenfels
    @berndeckenfels 2 years ago

    Solokeys still lag in the cert department; it seems like the project is occupied with printing dice.

  • @filupmarley
    @filupmarley 2 years ago

    Very cool Tom!

  • @steinerviana
    @steinerviana 2 years ago

    Thanks for the video. Can I use a Yubikey with a RADIUS server in pfSense?

  • @simons9167
    @simons9167 2 years ago

    This method is very effective for security devices and even web pages. Personally I like to use the Google Authenticator or Microsoft Authenticator app on my phone; this way I don't have to carry e, tea items. Lawrence, do you know any good software that can integrate an authenticator app with ssh or OpenVPN?

    • @OddWoz
      @OddWoz 1 year ago

      I needed this video. Thank you 🙏

  • @gibsonswe
    @gibsonswe 6 months ago

    Does this work with nested ssh sessions? I usually ssh from my Windows machine into my Pop!_OS VM, and from there I can run tmux and ssh into my other Linux servers.

  • @fremenarrakis2616
    @fremenarrakis2616 2 years ago

    Hello, indeed, it is not possible to clone the Yubikey. If you want a method with a way to back up, you can use GPG keys for ssh: you generate the key on a secured computer, then you can back up the keys to some storage, then you transfer the keys into the Yubikey, then you delete the keys on the computer. The keys are only stored in the Yubikey so you can use ssh on any computer; it is not possible to extract the keys from the Yubikey in case it's lost, and to be able to ssh you just need to provide the PIN. I know it's a confusing explanation but I've read this somewhere, I can't remember where, maybe in the Yubikey documentation. Bye

  • @shaung638
    @shaung638 1 year ago

    Is there any practical difference between ecdsa-sk and ed25519-sk in this application? I can get ecdsa-sk to work with my hardware key but so far have been unsuccessful with ed25519-sk.

    • @Berieh
      @Berieh 1 year ago +1

      I recall there's been somebody saying on YouTube that ecdsa-sk has an NSA backdoor. But you'd better do the research on your own.

  • @danimoosakhan
    @danimoosakhan 1 year ago

    Can I use multiple ed25519-sk keys with the same Yubikey? Will it override the previous keys?

    • @jpp_vh
      @jpp_vh 1 year ago

      Yes, with the option -O application="ssh:app1"; replace app1 with what you want. Depending on the key you will be able to register more apps (25 I think on the YubiKey FIDO2).
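      The two threads above (backup keys loaded on every server, -O verify-required, and -O application="ssh:…") all end up as lines in a server's authorized_keys, so an added example of the check an administrator would run over that file follows. This is example code written for this page, not from the video or the forum write-up; it relies only on the documented sk-* public key blob layout from OpenSSH's PROTOCOL.u2f (the application string is the last field), and the sample entries and user names are constructed.

```python
import base64
KNOWN_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",  # "sk-" types are FIDO-backed
               "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def ssh_strings(blob: bytes) -> list:
    """Split an SSH wire blob into its 'string' fields (big-endian uint32 length + payload)."""
    fields, off = [], 0
    while off + 4 <= len(blob):
        n = int.from_bytes(blob[off:off + 4], "big")
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return fields

def audit_authorized_keys(text: str) -> list:
    """One dict per key line: type, FIDO flag, application string, verify-required."""
    report = []
    for line in text.splitlines():
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KNOWN_TYPES), None)
        if not tokens or tokens[0][0] == "#" or idx is None or idx + 1 >= len(tokens):
            continue  # blank line, comment, unknown key type or missing key blob
        opts = ",".join(tokens[:idx]).split(",")  # options precede the key type
        fields = ssh_strings(base64.b64decode(tokens[idx + 1]))
        is_sk = tokens[idx].startswith("sk-")
        report.append({
            "type": tokens[idx], "is_sk": is_sk, "comment": " ".join(tokens[idx + 2:]),
            # In sk-* public key blobs the application string is the last field (PROTOCOL.u2f).
            "application": fields[-1].decode() if is_sk else None,
            "verify_required": "verify-required" in opts,
        })
    return report

def sk_keys_without_pin(text: str) -> list:
    """Comments of FIDO keys this server accepts without PIN verification."""
    return [e["comment"] for e in audit_authorized_keys(text)
            if e["is_sk"] and not e["verify_required"]]

def fake_key(key_type: str, *payload: bytes) -> str:
    """Constructed key line with zero-filled placeholder key material (not a real key)."""
    blob = b"".join(len(f).to_bytes(4, "big") + f for f in (key_type.encode(), *payload))
    return key_type + " " + base64.b64encode(blob).decode()

# Constructed sample authorized_keys: a primary and a backup FIDO key, plus one plain key.
SAMPLE = "\n".join([
    "# constructed sample, not a real file",
    "verify-required " + fake_key("sk-ssh-ed25519@openssh.com", bytes(32), b"ssh:primary") + " tom@primary",
    fake_key("sk-ssh-ed25519@openssh.com", bytes(32), b"ssh:backup") + " tom@backup",
    fake_key("ssh-ed25519", bytes(32)) + " legacy@laptop",
])
```

      The per-key `verify-required` option only matters when sshd is not already enforcing it globally; recent OpenSSH versions can do that server-wide with `PubkeyAuthOptions verify-required` in sshd_config.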

  • @alpachino468
    @alpachino468 8 months ago +1

    I identify as an SSH key

  • @DaHaiZhu
    @DaHaiZhu 2 years ago

    This is kind of a bummer: Windows ssh (8.1) is too old as a host, and Raspberry Pi ssh (7.9) as a server.

    • @d00dEEE
      @d00dEEE 2 years ago

      I use Cygwin and was pleased to see 8.8 on all my Windows boxes, but then was disappointed when I saw 7.9 on the Pis and 8.0 on my Alma server.

    • @enonu
      @enonu 2 years ago +1

      Consider Ubuntu Server for your Raspberry Pis.

  • @CristianHeredia0
    @CristianHeredia0 2 years ago

    If I have ssh-only logins and fail2ban active, is this necessary? Love my Yubikeys, just trying to find the right balance between security and convenience.

    • @tw3145wallenstein
      @tw3145wallenstein 2 years ago

      That is a matter of how many layers you want to have between your server and the attacker attempting to gain access. So is having to remember and keep track of one more thing worth the extra layer of security it will provide?

    • @kriansa
      @kriansa 2 years ago +2

      Adding to Tyler's response, this kind of protection starts to make sense when you work on a team where not everybody is as tech-savvy or concerned about security. People might use SSH keys instead of passwords, but those are still vulnerable to getting stolen in several scenarios. Adding a physical token as part of the key adds an extra layer of security, so that an attacker would need more than just disk access in order to compromise your key. In the end, you have to weigh the pros/cons for each additional layer of security.

    • @CristianHeredia0
      @CristianHeredia0 2 years ago

      @@kriansa That scenario makes sense. Thanks

  • @DanielHaanpaa
    @DanielHaanpaa 2 years ago

    How do you do this on a Windows client connecting to a Linux server?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago

      Might work using Windows Subsystem for Linux. I didn't test.

    • @jaredbaur3725
      @jaredbaur3725 2 years ago +2

      Progress on FIDO2 support for the OpenSSH that comes with Windows is being tracked here: github.com/PowerShell/Win32-OpenSSH/issues/1804

  • @emanuelpersson3168
    @emanuelpersson3168 2 years ago

    Would be nice to have a Windows SSH client that supports Yubikey.

    • @jako265
      @jako265 1 year ago

      PuTTY with Kleopatra will do the trick. RSA keys

    • @jpp_vh
      @jpp_vh 1 year ago +1

      PuTTY-CAC has everything integrated

    • @emanuelpersson3168
      @emanuelpersson3168 1 year ago

      @@jpp_vh I will check it out! Thank you!

  • @gordonzero
    @gordonzero 2 years ago

    Any good solution for SSH U2F on Windows? My primary system is Windows and most of my servers are Linux.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago +1

      That issue is being tracked here: github.com/PowerShell/Win32-OpenSSH/issues/1804

  • @philippe_demartin
    @philippe_demartin 2 years ago +1

    Would it be possible to create a kind of security token from a standard thumb drive?
    Sure, you can mount your thumb drive, which contains your key, on your ~/.ssh folder, but is there another trick to combine both the "private key" and the "thumb drive resident" part of the authentication?

  • @heavy1metal
    @heavy1metal 2 years ago

    Given the _id requires the YubiKey and is useless otherwise, would you think it's safe to store the _id on something like github?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago +3

      I would not want even half of my private key somewhere accessible, only the public one.

    • @wutzman
      @wutzman 2 years ago +1

      🙈

  • @ikkuranus
    @ikkuranus 2 years ago

    If only this could be done with the PuTTY client in Windows

  • @TechySpeaking
    @TechySpeaking 2 years ago

    First