YubiKey Complete Getting Started Guide!
Вставка
- Опубліковано 22 тра 2024
- Have you considered using a YubiKey? In this complete guide, you'll learn everything you need in order to get started with these awesome security keys. We'll go over the differences between the available models, which one you should buy, as well as how to set it up to protect local logon for Linux, macOS, and Windows. In addition, two methods for protecting OpenSSH via YubiKeys are also covered.
Note: Yubico, the makers of the YubiKey, did NOT sponsor this video or had any involvement whatsoever.
LPI Linux Essentials Course Available
Check out the new course on Udemy! ➜ learnlinux.link/lpi-course
➜ learnlinux.link/lpi-course
Check out the Linux Shop
In the official shop, you'll find Shirts, hats, stickers, bags and more!
➜ merch.learnlinux.tv
5% discount on LPI exam vouchers
After you finish Jay's new course, get 5% off an LPI exam voucher here:
➜ learnlinux.link/lpi-voucher
Become a Patron
Show your support for Learn Linux TV on Patreon and get access to exclusive perks!
➜ learnlinux.link/patron
Become a Channel Member
Show your support for Learn Linux TV here on UA-cam and get access to exclusive perks!
➜ learnlinux.link/member
Mastering Ubuntu Server: 4th Edition
Jay's latest book covers everything you need to know in order to master Ubuntu Server. It's available here:
➜ ubuntuserverbook.com
Linux Gear and Kits
Check out Jay's choice of hardware products, audio/video equipment, and more.
➜ learnlinux.link/amazon
Grab an awesome Pi-powered KVM
Support Learn Linux TV and grab yourself a TinyPilot KVM here:
➜ learnlinux.link/tinypilot
Note: Royalties and/or commission is earned from each of the above links
Individual Sections
00:00 - Intro
02:12 - Section 1: What is a Yubikey?
07:54 - Section 2: Which model should you buy?
13:19 - Section 3: Securing Online Accounts
16:14 - Section 4: Setting up a Yubikey with local macOS user accounts
22:05 - Section 5: Setting up a Yubikey with local Windows user accounts
29:14 - Section 6: Setting up a Yubikey with Desktop Linux
36:53 - Section 7: Securing OpenSSH with a Yubikey (Fido2 Method)
42:51 - Section 8: Securing OpenSSH with a Yubikey (Non-Fido2 Method)
Video Specific Links
- Official blog post for this video ➜ learnlinux.link/ybk-blog
- macOS local account documentation ➜ learnlinux.link/ybk-mac
- Windows local account documentation ➜ learnlinux.link/ybk-win
- YubiKey downloads ➜ learnlinux.link/ybk-downloads
- YubiKey "Works With" Catalog ➜ learnlinux.link/ybk-app-supp
Full Courses from Learn Linux TV
• Linux Essentials Certification Workshop ➜ learnlinux.link/lpi-course
• Linux Crash Course series ➜ linux.video/cc
• Learn how to use tmux ➜ linux.video/tmux
• Learn how to use vim ➜ linux.video/vim
• Bash Scripting Series ➜ linux.video/bash
• Proxmox VE Cluster Full Course ➜ linux.video/pve
• Learn Ansible ➜ linux.video/ansible
Linux-related Podcasts
• Enterprise Linux Security ➜ enterpriselinuxsecurity.show
• The Homelab Show ➜ thehomelab.show
Learn Linux TV on the Web
• Main site ➜ www.learnlinux.tv
• Community ➜ community.learnlinux.tv
• Enterprise Linux Security Podcast ➜ enterpriselinuxsecurity.show
• The Homelab Show Podcast ➜ thehomelab.show
• Content Ethics ➜ www.learnlinux.tv/content-ethics
• Request Assistance ➜ www.learnlinux.tv/request-ass...
Disclaimer
Learn Linux TV provides technical content that will hopefully be helpful to you and teach you something new. However, this content is provided without any warranty (expressed or implied). Learn Linux TV is not responsible for any damages that may arise from any use of this content. The person viewing Learn Linux TV's content is expected to follow their best judgement and to make their best decisions while working with any related technology. Always make sure you have written permission before working with any infrastructure. Also, be sure that you're compliant with all company rules, change control procedures, and local laws.
#Yubikey #Security #Linux - Наука та технологія
Great video on the yubikey, thanks for making it. I could do without the background music though, it's too loud.
I also found the music wearisome and annoying.
Agreed on both counts. Excellent video (as far as I watched). I gave up trying to watch as the music was too intrusive.
Yes I agree, the video is good, but the music is tirring. The music should be quite a bit lower volume, and should pick music that is more suited to be backround music. That means they should not be in such a fast tempo, it gives a sense of urgency which is generally bad, but especially in such a long tutorial. And also some background music is composed in such a way the melody line is more "forgetful", so it doesn't take attention away from the tutorial.
Music is among the most subjective elements of a video. It's too fast. Too slow. Too loud. Too soft.
Personally, I like this one except that I cannot listen at 1.25x speed without making it sound crazy.
I can't remember ever watching a tutorial video that does not have bkg music and wishing it did.
Tough calls for creators.
I agree as well. It's an excellent, well produced video with great content which is why it's really important for the content to be the hero.
I found the music distracting throughout which diluted my enjoyment.
Easy fix for next time though! 😊👍🏻
Thanks for going to all the trouble of making such a thorough Yubikey primer. You ROCK my friend!!
If you use Linux Mint you need to edit the lightdm file as Linux Mint doesn't use gdm-password. Just follow the same method for making the change and it will work the exact same way. I have been looking for a guide to Yubikeys for over a year. How did I miss this back in April? I love this channel! Subscribed.
I think you saved me. No way this was getting done without your video. Much appreciated!
I've just subscribed & rang the notification bell.
I've read all the replies up to this point.
I, like most everyone else, wish there was no background music.
I've successfully "Smart-Cart Enabled" both of my YubiKeys to both of my Macs. The only way I can log into either computer is with my YubiKey/PIN. Login passwords no longer work.
It should be mentioned that High Sierra OS 10.13 is the oldest Mac OS that can be configured to use YubiKeys.
Warm Regards from Reno, Nevada
An additional application for these is PGP encrypted emails. You can load in your private key stubs and then when you send an encrypted email you just touch the key for the email to be encrypted and signed with your private key.
The trick is finding other people who are first of all nerdy enough, and second of all wise enough, to use PGP. I only know one person - me - and so I can only send encrypted emails to myself. But it's a very agreeable secret conversation.
Very funny :-) Yes, I've often wondered how many 'encrypted' individuals any one person knows. Probably different for companies who value security, and anyone in Russia who disagrees with... well anything.
Heh, I set up PGP for email, too. And so far, the only thing it has been good for is to encrypt facebook messages sent to my email account--not that I even really use facebook anymore 😜
I have 4 individuals that I use PGP with, and one financial institution. What's frustrating is that once it is setup it is so easy to use, and best of all I can be confident that the author of the email actually sent it.
I'm starting now! Glorious future.
The Best intro and workarounds about Yubikey!
Great video! I just would like to give my point of view as a user and also describe how I use my Yubikeys (not as you does).
I use Yubikeys, but the implantation of FIDO2 is lacking mon many websites, and sometimes you can only register one key... I hope the situation will improve in the future.
So, about the Yubikey 5 (the on that I use) OTP have a limit of 20 or 25, so if you have more them that you have to mange multiple Yubikey or really on tiger solutions. About the biometric Yubikey serie 5 potential user have to consider the longevity and reliability of the fingerprint reader, personally it's a concern for me maybe not for other people.
About my usage, I love the opengpg support of the Serie 5, generating your master keys and sub keys with a expriation date, and burning the subkeys on your Yubikeys.
The private subkeys are on your Yubikeys, and the private master key never touch a online computer and is store and backup in different and secure places.
Private subkeys can't be extract (beside some exploit...) You can configure your key as you want, for example can set a pasword, requiring the user to touch physically your key, set the number of try before the Yubikey destroy you subkeys.
Opengpg is very flexible, You can use this for a password manager, for encryp email, files, to log on you server using ssh ( SSH using opengpg is more convenient for me , the technique use in the video require openssh 8.2.. this version isn't yet on every LTS distro since it's quite recent. But FIDO2 is a more secure it's a fact)
I like the fact that I use one public key for everything, that the key never leave my Yubikeys but that I have the master key and that I can switch of other device or tools in the future that supports opengpg.
So my advice, chose your Yubikey accordingly to you need, and don't forget to setup you Yubikey, for sensitive use case setup your Yubikey in a airgape PC using a live distro like Tails who supports Yubikey out of the box.
Keep in mind that if you don't manage your keys, someone else does it for you..
Thank you for making the Mac login with Yubikey so easy to follow.
Thanks for the video. What was missing is a backup strategy.
Gday Jay, firstly I love your content👍🏻 You explain things simple and very easy to follow along. In regards to Yubikey, would you consider doing a tutorial install for Fedora? I have had no luck as the documentation is not easy to follow (for me anyway) or it’s not up to date. Thanks again for your work. 👍🏻
I just found about yubikeys through Tom's video... Did not give this a thought before since using an app to do the 2FA.. Going to order one and a backup one asap.. Seems invaluable these days! Thansk alot of this great video, very well explained!
I finally broke down and bought one. Re-watching this to see what I need to do to get this working. Of course this is the first place I go. 😀
Just bought one the other day. Great video. Thanks! 👍❤️
Great video. Informative and clear as always. I see plenty of feedback on the background music, but just one additional suggestion:
Consider testing the background music at different playback speeds ahead of time. For those of us who listen on fast playback, some music/tempos develop strange artifacts and become extra distracting at faster playback speed, which might contribute to why some found the music more distracting.
Just recieved the cheaper security key series ( blue one) and it does support NFC. I tested it with my phone. I also think it supports OTP. See the wifi symbol on the key.
Probably best Yubikey overview I've found, and I've been reviewing quite a bit of different instructional material. So, thank you for this.
Would be great if you can also create a Yubikey - Veracrypt instructional video as well.
I've done a little more investigation and going to /etc/pam.d and changing common-auth seems to cover all the login methods at once. Changing the individual files gives finer grained control but for a change that should be ubiquitous common-auth is probably a better place. I don't do ssh so I didn't test that.
If you do decide to change common-auth you will probably want to back out the changes to the specific files such as login, unless you like pressing the Yubikey more than once.
Apparently the name has two sources: 1) "Your UBIquitous KEY" and 2) Japanese word "yubi" (指 'finger') to represent touching your YubiKey with your finger to verify your physical present.
Dunno why but I got the automatic pairing message. Btw thank you for a video - so good and so informative.
Great video. No complaints here.
Thanks for the video, will those commands work on redhat or CentOS? If not can you include the required commands?
Thanks for the great instructions!
Although it doesn't carry the certifications of the HSM, the YubiKey 5 series can also act as a HSM, storing private keys in a way that can't be retrieved (so the YubiKey itself signs certificates, for example). SmallStep use this capability to build a Raspberry Pi-based local certificate authority.
Are the certificates made in this way still viewed by browsers ... as untrusted? This is something that annoys me with self-signed certificates.
@@drescherjm If you set up a local certificate authority--whether using Smallstep, as I have, or some other software--you'll still need to trust that CA cert on any client machines that would be relying on it. But that should be a one-time process; once you trust the CA cert, you'll trust any certs it issues.
Mr. Jay, This is just an idea for a future video. I would like to see someone deep-dive into the new LXQt 1.1 vs LXDE. What would be the reasons to continue to use LXDE ? Where does each excel in 2022 ? What are some of the major problems with either ? Is there any reason to use either on a new computer ?
What would be the difference between using LXQt, and just configuring a KDE Plasma session to use less
resources ?
What are you giving up in LXQt vs. KDE ?
Wonderful video, thank you!
I'd like to hear / see more elaborations on the various aspects of the yubico, like what are those slots that you where mentioning @27:26?
very useful on everything
Thanks for the Yubi-Key walk through. Is that a System 76 w/ Threadripper in the background?
Very good tutorial !!!
One question: where is the link to the blog post with the commands? I went to link you wrote on description but the blog post contains only the video .
Nice work, Jay. What happens on a Windows desktop if you use a Microsoft account to log in to it? Also, I administer linux servers using Putty for my ssh connection. Can Yubikey help in that use case?
Great video, plan to play with my metal install of Ubuntu soon. Is there a way to make a Yubikey work on a Proxmox Ubuntu VM? I can't seem to figure out how ro forward the port USB w Yubikey to VM....
Thanks for the content
very informative thank you
Thank you, very educational.
Glad you enjoyed it!
Great video but the music in the background is too distracting
It distracts and also steps all over the narration.
Hello Jay. Many thanks for a great video on setting up YubiKey. Just noticed at 39:17 where you create the SSH keypair you have a typo in your command. The keys where created however, the date subshell included a ')' in the name. Command should be: ssh-keygen -t ed25519-sk -C "$(hostname)-$(date +'%d-%m-%Y')-yubikey1"
Good job, but additional questions: how to use Yubikey Bio for Linux login & how to save more than one key on a linux machine
the back ground music sucks you talk too fast that sucks you are one smart man and I appreaciate your efforts to help people to understand yubikeys , correct those two things and you will be a winner , if I haven't pissed you off .
Nice nice! Does YubiKey work with Metamask, can we secure it with it!?
I have the orignal Yubikey, is it still able to be used in 2022?
Thanks!
Are you able to use your local Yubikey to do sudo on the remote server?
For the implementation of FIDO2 for OpenSSH, how is it possible to use two different Yubikeys?
If one yubikey is lost, there would be a backup for login.
How can you add RFID/NFC to a PC that doesn't have it?
I am just about to add Yubikey to my systems and I have a NFC Yubikey for use with my Android phone and would like to use use NFC on my desktop as well.
I also agree with others about the background music and it's default volume.
Also are the step for installing Yubikey on MS Windows the same for both Win10 & Win11?
Is the process for setting up a Yubikey and a backup Yubikey at the same time different?
I wonder if this works on a linux laptop when you have disk-encryption. Would it work than, get you to the encryption passhrase and from there login with the key? As prior to that it wouldn't be able to read the /home. Wonder if it interferes though or just works as well. For online accounts it's recommended to have at least 2 keys. How to deal with that when you use it for login? Nice video though!
For the setting of the yubikey pin, What if all we have is an iphone, No desktop ?
For some future person having problems setting this up for a Debian device (Raspi 4 in my case): if you can't login after setting this up this will likely be due to a PAM Module error (at leas this was for me, you can check by ooening a second terminal and trying to ssh in. After that check the debug by typing in "sudo journal -u ssh -e). If thats the case edit the /etc/pam.d/sshd file and delete the key=.... part and replace it with "debug". This is the right way according to the recent documentations.
Regarding the last segment for SSH: How do I add a second Yubikey?
I didnt want to enter a pin at all just the yubikey as an authenticator, can that be done?
Hi Jay: Question for you. I followed your instructions to set up Yubikey with local macOS user account. It works to unlock using the Yubikey code when the key is plugged in the USB C as you demonstrated. However when the key is not plugged in, it does not prompt me to insert the Yubikey to complete the log in process. It's just using my Macbook log in. Am I supposed to disable my Macbook log in? Kindly advise...
If someone forgets the yobico device then what step can we take ???? Plz answer
Is there a way to set the Yubikey to factory defaults?
how do we integrate with SSL , great if you can showcase
usb to micro usb adapter for smartphone can i use this key on galaxy s20?
Great video. However, many of the Security Key series have NFC capability. This is clear on the Amazon listing.
Thank you, i was wondering if you can run an ansible playbook against a yubikey configured host? It gets hung at the beginning and I don't know how to make it prompt for a yubikey password?
Hi there. How do I configure yubikey on mac so it will allow another local user to login to MAC
Thanks
I know there is another method for SSH by YubiKey is via OpenPGP. Any tips for that? I have been screwed up on that
What were the 3 pins for?
This was a great video for setting up the Yubikey, however, what is the process to add your backup key(s) to each system?? Do they not have to be somehow sync'd to each computer individually as well? Secondly, I have major hearing issues and I would appreciate it if you discontinued ANY background music in videos, your videos are great learning tools and the music makes it almost impossible for me to actually make out what you are saying. Thank you
I 2nd the motion
Keys are independent. You use a second key in the sense that whatever you set up for the first key (TOTP/OTP/etc. for your website/service logins.), you also do with a 2nd key in tandem, so that both keys are registered with the site/service/password app/etc.
To find your username in windows run cmd (Winkey = r)(type cmd in the run box) and type whoami in the cmd window
Can you compare this to the solokey v2 next?
Thank you for the in-depth video. Unfortunately, I have yet to start setting mine up because the directions do not match what I see on my end. I purchased two 5ci that are useless to me because I can't find directions that match my laptop setup, and the downloads do not do anything on my phone. I am running all up-to-date current software on both relatively new devices. I wish I could just pay someone to help me. Better than being out $150 for nothing.
😭😡
What's the Best yubikey 5 NFC or yubikey NFC?
Can you use the key with multiple devices?
Have you ever listened to your videos before airing them, DH. Maybe you should try that once!
Does it work the same on Fedora? Apparently the Fedora Wiki is super outdated about Yubikeys
Hi Jay
please can you do a video how to setup pam_passwdqc from source code on Debian?
Is there a version of this video without the background music?
For some reason the login with the yubikey doesn't work in Linux mint if it's after a reboot or a system shutdown, i followed all the steps and i can't figure out what have i done wrong.
Do you have any suggestions?
I'm using mint 21 xfce
How would you access your account of you only had one key and it breaks or lose it ? Like 1 password says click cancell then enter for. Authenticator app. What would be the point in having a yubi key at that point.
HI, Do you guys recommend to get 2 keys to have one for backup?
Yes, Yubico recommends that you purchase two keys, one for a backup.
i setup my keys on one gmail account and the second pc allowed me to access my email without any key. So it only works on 1 machine?
Does YubiKeys work with ARM PC's?
Is there any risk on windows or mac of the program being deleted would it affect logging in? Or does it revert to old standard password.
1 thing you can do in mac is in settings make it so you have to allow USB devices. So a prompt comes up before it can be used.
I'm a novice at this. Is there any key or device that enables complete lockdown of a PC -- not just a lockdown of user accounts?
What if in the descriptions it says it can act as FIDO ASM may access authentication devices, create & delete FIDO registrations on behalf of other apps?! Is this good or bad???
what exactly is the change management key?
I mean if I have 2 yubikey can I copy the management key of the first yubikey to my 2nd? if so .. what will happen?
for what purpose is the management key exactly? is this the key to somehow clone the other one?
A really good informative video but the music choice is distracting, too loud and not sure why its there.
It is weird Jay added background music in this one. His other videos do not have it.
thx
I bought mine today, got it home and... nothing. No lights come on when I plug it in and I have tried on multiple devices. Checked every setting. Looks like mine was faulty. I've already spoke to the store and I'm good for an exchange. Hopefully, the next one works fine.
Is there any way I can use my yubikey from home and secure a remote server? the setup is: proxmox host with pfsense router VM, I connect via openvpn and then ip connect to the vm with windows 2022 server. Can I use my yubikey from my home pc and secure my admin user in my vm in the remote location somehow?
Great video but the music is WAY TO LOUD!
11:48 Doesn't this mean that if the device is plugged in to your PC anyone can login (because it does not have biometrics) or do you still have the password entry?? Edit: 21:37 I see now you have a pin to remember instead of a password.
I'm pretty new to Linux but have 25+ years of Win support, I was able to complete this and it worked great when logging out and testing but then I restarted the laptop and I couldn't log back in, it kept saying password was incorrect. Had to restore from snapshot from yesterday. Any ideas what could have happened, running Mint 21.3 cinnamon and had recently updated the kernel to 5.15.0-102.112. all is good after the restore but I wanted this to work and I'd love to understand how to get it to stay working. I also had to use the fix from the comment that says to edit the lightdm file as Linux Mint doesn't use gdm-password and that worked.. thanks
Is there a risk to carrying a yubikey with you along with your phone? Eg could it allow access to the phone? That worries me when I see videos on UA-cam such as Payette Forward
The background music volume changing is kinda jarring. I think it would be better if lower volume and consistent.
Even better would be NO music.
Yes, it’s loud.
excuse me please but how come in your set up you only set up a piv pin what about the fido2 pin thanks
At 27:34, The computer doesn't detect my Yubikey, does anyone know why?
Running Windows
Got Yubikey 5 NFC
Also my NFC when it ap it on a phone doesn't work?
The personalization program finds it, but OTP is greyed out?
Can anyone help me? Has anyone else been through the same programs?
it doesn't block all sudo commands and you can still use gui apps like synaptic
Great
This video is only 9 months old but your Yubikey Windows GUI isn't at all like mine that I just downloaded and installed from Yubikey. I guess they revamped the GUI since you posted this.
When logging in to your OS, why do you have to supply a password when using Yubikey? I thought Yubikey eliminated passwords? Thanks!!
you will have to supply a pin to unlock the yubikey
Would I be about to use a Security Key C NFC The YubiKey 5 C NFC to create passkeys for my APPs and Websites? Or do I need to get The YubiKey 5 C NFC. What would be the reason way I would want to get The YubiKey 5 C NFC over the Security Key C NFC
We need a 3 factor authentication!
Why isn’t nobody making this, maybe they have and I don’t know.
It’ll be nice to put your password in, then the security code, and then a different security code. That’ll be sweet.
Overkill and will cause loads of account lockouts
Thanks Jay, this video is a big help! Just wondering... Do we need to setup PIN, PUK and Management Key for each additional Yubikey we want to use as backup? Thx 🙂