Setting up the YubiKey on Ubuntu (Desktop and Server)

  • Published: 31 Oct 2020
  • I've recently had a chance to check out some newer YubiKeys, and decided to make a video on it. In this video, I'll show you how to set up the YubiKey on Linux, with examples that include setting it up on your local laptop/desktop as well as using it to secure OpenSSH to a remote server.
    *⏰ TIME CODES*:
    02:11 - Securing local authentication
    11:57 - Securing remote authentication
    📖 Check out Jay's latest book, Mastering Ubuntu Server 3rd Edition.
    Available in the USA late December 2020, and in other countries early January 2021
    ➡️ ubuntuserverbook.com
    🙌 Support me on Patreon and get early access to new content!
    ➡️ learnlinux.link/patron
    ☁️ Get $100 toward your own cloud server with Linode!
    ➡️ linode.com/learnlinuxtv
    🛒 Affiliate store for Linux compatible hardware/accessories (commission earned):
    ➡️ learnlinux.link/amazon
    💻 Check out the Tiny Pilot KVM for your Homelab (commission earned):
    ➡️ learnlinux.link/tinypilot
    📖 Wiki article for this video:
    ➡️ www.learnlinux.tv/setting-up-...
    📖 Yubico documentation for setting up the YubiKey:
    ➡️ support.yubico.com/hc/en-us/a...
    🐦 Follow me on Twitter!
    ➡️ learnlinux.link/twitter
    💬 Official LearnLinux.tv Community:
    ➡️ community.learnlinux.tv
    👨 More about me:
    ➡️ www.jaylacroix.com
    ➡️ www.learnlinux.tv/about-me
    💽 How to create a bootable flash drive for installing Linux:
    ➡️ linux.video/flash-usb
    🐧 Which distro do I use?
    ➡️ learnlinux.link/mydistro
    🔐 How to better secure OpenSSH:
    ➡️ linux.video/secure-ssh
    ☁️ How to create a cloud Linux server with Linode:
    ➡️ learnlinux.link/create-linode

Comments • 114

  • @XXX-XX-X-X 6 months ago +7

    I love this. Encrypted hard drive, secure boot enabled, yubikey required for everything.... This laptop is going to be the most secure device I own with nothing but factorio on it.

  • @MarkWatsonSMTX 2 years ago +14

    This needs to be updated to include multiple keys. If you don't have a backup key and you lose your YubiKey, you're toast. Toast. I have 3.

    • @NickShoup 1 year ago +1

      Have a resource for adding additional keys? Agreed. The yubikey documentation doesn't say much about this.

    • @alikaperdue 1 year ago +2

      If you lose your key, you could boot that computer entirely on USB or SD. Then mount the drive you secured with yubikey. Edit all the /etc/pam.d files and comment out these lines added here. Then on reboot the key will not be required.
      If your hard drive uses yubikey with LUKS, then you will need to have a written backup password for the drive or all is lost.
      In any case, the key is not much security unless you use it to lock the drive with luks. So everyone should do that. When done, write down a very long text password for a LUKS backup and store it in the bank vault. Otherwise, anyone can bypass the yubikey protections with little effort. I've lost systems to Luks and they never came back.

    • @alikaperdue 1 year ago +1

      The addition of a second key is described below in comments and it worked for me.

  • @henrik2117 2 years ago

    Great video, Jay! Thank you for sharing!

  • @Theferg1 3 years ago

    Jay thank you for the video and info!!

  • @gottfriedehmann6046 7 months ago

    Great video. Managed to make Yubikey running on debian 12. Thanks!!!

  • @ChrisFredriksson 2 years ago +3

    So easy and useful! Will try this tomorrow and see how I manage to screw this up 😂 just kidding, I believe I should be able to make it work with your video! Thank you!

  • @grimtrigg3r 2 years ago +2

    Great instructional. You've got a great style - no bs, just necessary information. New sub.

  • @KillSwitchI 3 years ago

    Nicely explained. Thanks.

  • @jaysunkreuze1466 2 years ago

    Liked this so much I subbed!

  • @PatrickStewarts 1 year ago

    OMG thank you so much! This worked perfectly!

  • @hugorodriguez2586 3 years ago

    Hey Jay! This video is excellent.
    Thanks for your teaching.

  • @user-lk9wy7hi1d 2 years ago

    Thank you! This worked for me :)

  • @guidoserrano2629 3 years ago

    I’m so thankful for your videos.
    Would it be possible to have a video on how to manage gpg with yubikeys? I followed so many guides online. And I managed to upload the 3 subkeys to both of my yubikeys but I don’t know how to make it work with SSH.
    Also what do you think is more secure, this approach or the one you showed on this video?

  • @AnzanHoshinRoshi 3 years ago

    Thank you, Jay.

  • @CraigOlson 1 year ago

    great vid! thanks a lot

  • @thedoubleop 3 years ago

    Awesome video.

  • @yamitvargas8065 3 years ago

    Hi, thanks so much for your video(s), always great content.
    About your book, I have two questions:
    1. Is the book for persons with little knowledge in Linux, and
    2. Can you purchase the book in Europe?

  • @LeszekT-IT 3 years ago

    Hi,
    With such setup which security function of the key is being used?

  • @sumitxshah 3 years ago

    Hi Jay, thanks for this video. Can we configure an RSA token also as 2FA for Ubuntu personal laptops?

  • @Glatze603 2 years ago +3

    Thanks Jay for this nice security-video - one more step to feel like Fort Knox :-) It would be helpful if you could explain how to install a second backup-yubikey, too. Personally, I feel better when I still have a spare key - and I bought 2 especially for backup reason.

    • @stevenwaters134 2 years ago +1

      Local login for a single user with two keys can be done. It has some similarities to what is done to use two keys for ssh. Guido Serrano's replies to Sean Murray below describe what to do for ssh, but not logins to a local machine. For local logins we need to modify ~/.config/Yubico/u2f_keys. This file can have only one line, so we need to append the outputs from pamu2fcfg for each key. Include your username only once at the beginning of the line. The key information is in four fields separated by commas. Be sure there is a colon between the username and the first key and one between keys.
      username:,,,:,,,

    • @sethm7761 2 years ago +1

      I tested this, you simply need to remove your primary yubikey and insert your backup and repeat the pamu2fcfg command but appending to the u2f_keys file as opposed to overwriting.
      Specifically:
      (1) Swap yubikeys
      (2) pamu2fcfg >> ~/.config/Yubico/u2f_keys
      That should be it

  • @TheLastBabyBoomer 3 years ago

    Awesome!!! Thanks.

  • @JamesClifford1 8 months ago

    Thank You!

  • @skim3tokes 2 years ago

    hi @LearnLinuxTv I tried the pamu2fcfg >.. command but it says no u2f device detected. Is there anything I need to do prior to this step?

  • @oleholgerson3416 3 years ago +1

    Is it also possible to protect the ssh keys with a yubikey?

  • @BeeJay91 3 years ago

    Thanks dude

  • @oleholgerson3416 3 years ago

    great, thank you!

  • @sublevel123 3 years ago

    What i would like is, a usb key i can put in a pc which give me a replica of my main pc, i have 5 diff pc at home and want 1 machine host and all the rest slave, either on harddrive (laptop 3) or small factor no hd, usb key only, sata problem... local os but with my home and / all sync up . running mint 20, any idea

  • @user-lk9wy7hi1d 2 years ago

    Is it possible to require a yubikey for logging into your phone? I'd like to have this for initial login

  • @aakashudassi4258 2 years ago

    Is this method better or generating sk keys and passing to server better ?

  • @troyfred2562 2 years ago

    Really helpful! Can you make another one where you tie that yubikey to an IDM or FreeIPA user?

  • @skippy284 1 year ago

    I know this is an older video, but I need to know what line I can change in the gdm-password and the sudo files that will allow me to just use my yubikey and not have an option for a password. I have already set it to use the yubikey by itself, but I want to remove the password altogether on my desktop version of ubuntu22.04. Thanks

  • @necromancerking2238 2 years ago

    I'm using zorin but I custom installed KDE as my DE. Do I still use gdm-password or something else?

  • @fredzibulski3111 1 year ago

    Love your videos and got this to work for the login on ubuntu. Wanted to know what the process is to add a second backup Yubikey for the login.

  • @intermarer9145 1 month ago

    15:23 how is a USB stick able to insert text in a text editor??? Did you load up some program first?

  • @Dan-hh7ve 2 years ago

    useful stuff, thanks

    • @Dan-hh7ve 2 years ago

      would be very interesting how to setup self-hosted Yubico OTP validation server and see how it works instead of Yubico cloud service. thanks

  • @bilalabudan9645 2 years ago

    is that possible if you login like this :
    plugin yubikey on your PC -> ssh to server A (with yubikey login) -> ssh to another server (with yubikey login) that plug-in on your PC
    so there 2 step login (local PC -> remote server A -> remote server B)
    all ssh user the yubikey on your PC
    is that possible?

  • @chapas5400 1 year ago

    I'm at a point where I don't really know what to do next, it does not ask to touch the yubikey. It has worked on other systems. Any hints for me?

  • @Eni11-i6t 1 month ago +1

    It for some reason does not work at all when the Yubikey already has a pin. It associates just fine with the device but if I add it to the Sudo, it just will keep asking me for password and refuse both the pin or touching it, and I am then locked out of the machine

  • @byronbrimstone5163 6 months ago

    Is it safe to do this with an encrypted OS install? And what about required minimum BIOS settings?

  • @sethmartin6844 2 years ago +2

    Good video -- if I want to associate multiple yubikeys to my computer for backup purposes... do I just append to the end of the file or does it need to be comma separated ?

    • @LuisCaneSec 2 years ago +1

      I figured out that you separate with a colon. in your authfile you would have ::
      For the desktop command pamu2fcfg > ~/.config/Yubico/u2f_keys, you would just use >> instead of > to append a second key.

    • @Heatsreef 2 years ago

      @@LuisCaneSec Thanks man really helped me out here
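
The single-line authfile layout described in the replies above (username once, credentials separated by colons, four comma-separated fields per key), checked in code. This is an added example, not part of any comment or of the video; the function name `normalize_u2f_keys` and the sample values are made up for illustration.

```shell
#!/bin/sh
# Added example: lint and merge a pam_u2f-style authfile (e.g. ~/.config/Yubico/u2f_keys).
# Layout assumed from the comments above: user:cred[:cred...], each cred = 4 comma-separated fields.
# normalize_u2f_keys is a hypothetical helper name. Reads FILE, or stdin when no FILE is given.
normalize_u2f_keys() {
    awk -F: '
    /^[[:space:]]*$/ { next }                      # skip blank lines
    {
        user = $1
        if (user == "") {
            printf "line %d: missing username\n", NR > "/dev/stderr"
            bad = 1; next
        }
        if (!(user in creds)) { order[++n] = user; creds[user] = "" }
        for (i = 2; i <= NF; i++) {
            if ($i == "") continue                 # tolerate "user::cred" and a trailing ":"
            if (split($i, f, ",") != 4) {
                printf "line %d: credential %d of %s is not 4 fields\n", NR, i - 1, user > "/dev/stderr"
                bad = 1; continue
            }
            if ((user, $i) in seen) continue       # same key registered twice
            seen[user, $i] = 1
            creds[user] = creds[user] ":" $i
        }
    }
    END {
        for (k = 1; k <= n; k++)
            if (creds[order[k]] == "") {
                printf "%s: no usable credential\n", order[k] > "/dev/stderr"
                bad = 1
            }
        if (bad) exit 1                            # print nothing unless the whole file is clean
        for (k = 1; k <= n; k++) print order[k] creds[order[k]]
    }' "${1:--}"
}

# Constructed sample: placeholder values, two separate lines for the same user.
printf '%s\n' 'alice:KH1,UK1,es256,+presence' 'alice:KH2,UK2,es256,+presence' |
    normalize_u2f_keys
# prints: alice:KH1,UK1,es256,+presence:KH2,UK2,es256,+presence
```

Redirect the output to a temporary file and move it over the authfile only when the function exits 0, keeping an already authenticated root shell open until a fresh login has been tested.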

  • @spinkey4842 3 years ago

    is it possible to just turn an normal usb drive in to a "yubikey"?

  • @dirk-jan768 1 year ago

    Thanks to you I configured it correctly, but Linux starts without my permission when the key is not connected. Is that how it is supposed to be? Thanks anyway!

  • @mojar2680 2 years ago

    Ok, I've set it all up and it works great but now I'm wondering whether I can connect to ssh with only my yubikey, no ssh, no password. just a touch of the yubikey.

  • @BEDavisBrown 2 years ago +3

    If you disabled password logins on the linode server why then after setting up the yubikey it uses the yubikey and a password?

  • @jp62200 7 months ago +1

    This video is quite old. It is much simpler to use ssh now that fido2 is integrated in openssh, basically you just need to do a ssh-keygen -t ed25519 -O resident . When using the key on new pc, do a ssh-keygen -K to copy the pub key on the host.

  • @michealfinane4448 3 years ago +1

    Hi Jay, with regards to a Linux workstation, how do you manage more than one key per user?
    I have been using Yubikey keys for a while now and love them, but mostly for full disk encryption with one time password and the rest on online accounts. I tried to add both of my keys as you need a backup, and PopOs only records the last key I registered. Is there a way to add as many keys as you like?

    • @Runenaldo 3 years ago

      Would also like to know.

    • @creonte38 3 years ago +2

      Here you have the answer for your question, looking for this sentence: "You may add multiple yubikeys to a user by separating the token IDs with a colon. For example, here we will allow the "root" yubikey to also authenticate "harry" " in this page: fedoraproject.org/wiki/Using_Yubikeys_with_Fedora

    • @michealfinane4448 3 years ago +1

      @@creonte38 Thank you Ayr very helpful :)

    • @creonte38 3 years ago +1

      @@michealfinane4448 regards!

  • @demus8757 8 months ago

    Great video, as always. One question though: what happens when an attacker with physical access to the laptop uses his own Yubikey? Is there a code inside the key which is also in the computer when setting it up, or are they all identical?

    • @XXX-XX-X-X 6 months ago

      All keys are not identical. Yubikey has great docs you should look into to know if it's right for you.

  • @creonte38 3 years ago

    Amazing video. Unfortunately I have 2 Yubikey standard not supported anymore. If you know how to flash the firmware to transform these in something valid to use I appreciate. I have one Yubikey neo and one Thetis too.

    • @anon1div0 3 years ago

      YubiKey firmware can not be flashed or updated for security reasons.

  • @Nirkan88 1 year ago

    Dear all, Is there an official documentation for Securing remote authentication at 11:57 onwards.

  • @MrSojek 2 years ago

    Will I need Yubikey even if I auto login to my account?

  • @DanielFridlandd 3 years ago

    Great video. Do you know if something like this works in Arch and Fedora as well?

    • @SamuelRaynor79 3 years ago +1

      Fedora and Arch both have the packages in their repos. Just search for 'yubikey fedora' or 'yubikey arch'

    • @DanielFridlandd 3 years ago

      @@SamuelRaynor79 Thanks 👍 I will do that

  • @Seanofthemurray 3 years ago

    How do you set up multiple yubikeys with regard to the /etc/pam.d/sshd file?

    • @guidoserrano2629 3 years ago

      I'm also curious. I've tried adding both to the sshd file as well, but is not working. Did you figure it out?

    • @guidoserrano2629 3 years ago +1

      I just managed to do it. You need to add the 12 first digits of the 1st Yubikey followed by “:” and the 12 digits of the second Yubikey. All in the same line.
      Everything else as it shows on this guide. Hope it helps.

  • @AdrianHiggins83 3 years ago

    add a second key to ~/.config/Yubico/u2f_keys ?

  • @wenmoon9466 1 year ago +1

    Isn't it easier to do "ssh-keygen -t ed25519-sk" ? How is this method better?

    • @jp62200 7 months ago

      Yes, but the video was done before the integration of fido2 directly in openssh

  • @js_programmer8423 2 years ago

    Where do you find that 12 digit key ?

    • @onlo3848 2 years ago

      I'm also not sure about this. Though ...I have the "Security Key" Series. I'm not sure if my Yubikey does this ...it seems like an OTP thing

  • @evanopilismithjones214 1 year ago +1

    At enabling TTY I am kicked out of my computer. And though I am given the chance to put my password as I normally do, it keeps thinking until it stops. Then I remembered I put the TTY as specified in the video. Ctrl + alt + f2 gives me terminal login. I put my username and password and it doesn't work.

    • @jackporter6820 1 year ago

      Same here Ubuntu 22.04

    • @evanopilismithjones214 1 year ago

      @@jackporter6820 I solved it. The problem was that I had my data in Home encrypted. There were my Yubico keys found, so it couldn't work cuz the info to allow through was encrypted.
      Solution?
      Go to Root and modify the files I modified in this video.
      If you are not using dual boot, better. Backup and encrypt your hard drive with LUKS2.
      If using dual boot, you are fucked. Sooooo, get a new laptop or you won't be able to use encrypted home and keys

  • @js_programmer8423 2 years ago

    How to add 2 Yubi keys ?

  • @Matthewss87 3 years ago +1

    This is a great idea for security but what happens if you lose your key?

    • @Runenaldo 3 years ago +4

      Always have a backup Yubikey.

    • @michealfinane4448 3 years ago

      @@Runenaldo How do you add the backup key I tried it only works with the last one added?

    • @Runenaldo 3 years ago

      @@michealfinane4448 Don't know unfortunately, wish it would be shown in this video as it should be standard practice IMO.

    • @michealfinane4448 3 years ago

      @@Runenaldo I checked Yubikey site as well and there is no mention of it other than a warning not to lose your key!

    • @Runenaldo 3 years ago

      @@michealfinane4448 Strange.

  • @danielstellmon5330 3 years ago +3

    with an SSH log in can I use a Yubi key and a ssh certificate (rather than Yubi and password)? I really just want to skip the password.

    • @rustho 3 years ago +3

      +1 .. really curious about that solution. (ssh into account with key then press yubi instead of password)

    • @mahnazha 3 years ago

      Did you find a solution for that? I want to know as well!

  • @aidemalo 3 years ago +1

    Yubi Yubi

  • @GuillermoPradoObando 3 years ago

    Do you have any different from this video? Looks more cool and smooth. Thanks for the great content

  • @chiragsukhala 3 years ago +1

    Secrets not Secret anymore @18:38

  • @arnoldwolfstein 2 years ago +1

    yubikey should make a better, user-friendly process. so hard and intimidating

    • @arnoldwolfstein 2 years ago

      and i am a linux admin. +im using arch btw

  • @jetblackstar 1 year ago

    Huh, watched the whole video for using against remote SSH sessions, and you didn't cover SSH keys + Yubikey. Oh well.

  • @diuran1919 3 years ago +3

    I like Linux, but seeing how this needs to be configured, I say BIG NO. Yubikey and the Linux Foundation or whatever need to cooperate to create an easy way to make this much easier to work in Linux OS.

  • @user-ir1ix8up8j 8 months ago

    this process will fail and lock you out of your own system, you will have to use a live version of your OS to go into your file system and remove the offending lines in your pam.d file to rescue your system, do not trust yubikey for login as it will fail on linux and windows

  • @user-ir1ix8up8j 8 months ago

    also there is no way to create a backup of the key, so you're basically screwed all the way around with these useless devices

    • @jp62200 7 months ago

      You just need to register 2 devices. When you lose one, you register a new one with the backup one...

  • @geirha75 3 years ago

    I'm running Lubuntu. Where is the desktop manager file located in order to edit for YubiKey login?

    • @jawuku3885 3 years ago

      I think it might be /etc/pam.d/sddm
      if you are using Lubuntu with the LXQT desktop. Same goes for Kubuntu or KDE Neon.

    • @user-eo6gp7zy2s 3 years ago

      ​@@jawuku3885 Thank you! You helped me a lot! I have Kubuntu 20.04 and I was trying to find the solution endlessly!