Don't use passwords anymore! Teleport with YubiKey passwordless login

  • Published 6 Aug 2024
  • The best password is NO password! Let's add my new YubiKey as a passwordless authentication method in Teleport. That allows me to access all my Linux Servers, Kubernetes Clusters, Web Applications, Databases and RDP without remembering any password (but still is much more secure!) #Teleport #Passwordless #YubiKey
    DOCS: github.com/christianlempa/vid...
    Teleport-*: goteleport.com/thedigitallife
    How I secure my Server Access with Teleport (for SSH, K8S, and Web): • How I secure my Server...
    Follow me:
    TWITTER: / christianlempa
    INSTAGRAM: / christianlempa
    DISCORD: / discord
    GITHUB: github.com/christianlempa
    PATREON: / christianlempa
    MY EQUIPMENT: kit.co/christianlempa
    Timestamps:
    00:00 - Introduction
    01:12 - Why passwords are bad
    04:16 - Install and set up Teleport
    13:11 - Add passwordless login
    19:30 - Terminal Client
    ________________
    All links with "*" are affiliate links.

Comments • 94

  • @BrianThomas
    @BrianThomas 1 year ago +3

    I've been using Yubikey for a while now, and I've always wanted to use it in my home lab. Thank you for putting this together. I love it. Can't wait to apply it

  • @itsvrl1856
    @itsvrl1856 1 year ago +1

    Great coverage! Been using Yubikeys for years now. Great physical defense.

  • @mrd4233
    @mrd4233 1 year ago +5

    Hey Christian, very well explained and punctual tutorial on MFA! 👌👌👌

  • @MadChristianX
    @MadChristianX 1 year ago

    Thank you for this great tutorial. After being unsuccessful setting up Teleport behind a Traefik proxy, I used a CF tunnel to access the service. Passwordless sign-in with fingerprint on the MacBook or Face ID on iPhone seems to be the most convenient way for me 🙂

  • @brandenrae9803
    @brandenrae9803 1 year ago

    I would love to see where else you could use passwordless/YubiKey in a homelab. Thank you for all the great videos that you have made!

    • @christianlempa
      @christianlempa 1 year ago +1

      Thank you! There’s something new coming out the next weeks :)

  • @LampJustin
    @LampJustin 1 year ago +4

    09:05 Rather than using /bin/sh as the entrypoint, it needs to be dumb-init, as sh isn't meant to be PID 1 and can't deal with signals like SIGTERM without modification and traps. So just change /bin/sh to ../dumb-init; you can leave the rest (teleport...) in command.
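    As an added illustration of the point above (this is not code from the video or from Teleport's own documentation), the two entrypoint variants side by side in a docker-compose service definition. The image tag, the config and data paths, the published port and the location of dumb-init are all assumptions; the distroless Teleport image may not ship dumb-init at all, in which case it has to come from your own image layer.

```yaml
# Added example, not from the video: Teleport service with a proper init as PID 1.
# Everything below (image tag, paths, port, dumb-init path) is an assumption.
services:
  teleport:
    image: public.ecr.aws/gravitational/teleport-distroless:16   # assumed tag
    #
    # Weak variant: /bin/sh becomes PID 1. The kernel gives PID 1 no default
    # signal handlers, and "sh -c" does not forward SIGTERM to its child, so a
    # "docker stop" waits for the grace period and then SIGKILLs the container
    # (teleport never gets a clean shutdown and cannot reap zombie children).
    #
    # entrypoint: ["/bin/sh", "-c"]
    # command: ["teleport start -c /etc/teleport/teleport.yaml"]
    #
    # Corrected variant: dumb-init is PID 1, forwards SIGTERM/SIGINT to
    # teleport and reaps orphaned children. "--" ends dumb-init's own options.
    entrypoint: ["/usr/bin/dumb-init", "--"]   # assumed path inside the image
    command: ["teleport", "start", "-c", "/etc/teleport/teleport.yaml"]
    # Give the proxy time to close sessions before the runtime escalates to SIGKILL.
    stop_grace_period: 30s
    volumes:
      - ./config:/etc/teleport        # assumed host path for teleport.yaml
      - ./data:/var/lib/teleport      # assumed host path for state
    ports:
      - "443:443"                     # web/proxy port; adjust to your setup
```

    With the corrected entrypoint, `docker compose stop teleport` should return well inside the grace period; if it still waits the full timeout, PID 1 inside the container is not dumb-init (check with `docker compose exec teleport ps -o pid,comm` where the image provides `ps`).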

  • @joesweeney6262
    @joesweeney6262 1 year ago

    Yubikeys are brilliant and uplift your security stance dramatically. I purchased keys for all my family members during the lockdowns to help us all avoid the elevated risks of working from home.

    • @christianlempa
      @christianlempa 1 year ago

      Awesome!

    • @dobithezkiyy3504
      @dobithezkiyy3504 1 year ago

      That's great. The question is what would happen if YubiKey no longer existed.

    • @joesweeney6262
      @joesweeney6262 1 year ago

      @@dobithezkiyy3504 Backup / master key, emergency recovery codes with alternative authentication.

  • @TzaraDuchamp
    @TzaraDuchamp 1 year ago

    Thanks for the clear explanation. What online service supports passwordless login with a YubiKey and which would you recommend?

  • @nolanwatts110
    @nolanwatts110 1 year ago

    So great, thank you!
    Christian - can you share the terminal colors you're using now that you've moved to macOS? I'd like to get my terminal looking like yours from this tutorial. Is there a script that can be used, or just match the macOS terminal color settings to yours?

  • @drgr33nUK
    @drgr33nUK 1 year ago +1

    I've been using YubiKeys for about 6 years now and I can honestly say they have changed my life! I use mine for everything from signing EFI shims to logging into AWS. If you care about security, then get several YubiKeys.

  • @Sc4rEye
    @Sc4rEye 1 year ago

    @2:20 you said YubiKey with NFS; I think you meant to say NFC. Great video!

    • @christianlempa
      @christianlempa 1 year ago

      Oh yeah, that was a mistake :D Thanks mate!

  • @Thylacine1
    @Thylacine1 1 year ago

    Your videos are great dude, you got a new sub.
    I'm here for hairdos and security/nerd BS, and we are fresh outta hair my friends :)

  • @jwspock1690
    @jwspock1690 1 year ago

    Thanks for your videos - top!

  • @cempack
    @cempack 1 year ago +4

    Cool video like always, thank you for sharing.

  • @danielsauriol
    @danielsauriol 1 year ago

    Extremely interesting tutorial as always, but thought I'd let you know that you have an *AWESOME* shirt !!! (wink wink - from a Canadian subscriber !!!) 🙂

  • @phillipmelvin4756
    @phillipmelvin4756 1 year ago +17

    I use these everywhere possible. YubiKeys are great. Make sure you have a few of them assigned to any account in case you lose one or it stops working.

    • @bytecorner123
      @bytecorner123 1 year ago +4

      That’s the most important. Always have a backup.

    • @christianlempa
      @christianlempa 1 year ago +3

      It’s always good to have a backup! :)

  • @aleksanderbang-larsen7628
    @aleksanderbang-larsen7628 1 year ago

    Great video! How did you customise your terminal like that?

    • @christianlempa
      @christianlempa 1 year ago

      There will be a new video coming out about Mac terminal customization :) stay tuned

  • @Glatze603
    @Glatze603 1 year ago

    Great video and content Christian :-)

    • @Glatze603
      @Glatze603 1 year ago

      You really use Google Authenticator? Then you have a single point of failure (your iPhone), because with this app you have no automatic sync to other devices like Authy.

    • @Glatze603
      @Glatze603 1 year ago

      I have Teleport running on a VPS for SSH and web services and it works nicely!

    • @Glatze603
      @Glatze603 1 year ago

      YubiKey in Teleport works with MS Edge too 🙂 Here you only have to type the PIN and then touch the YubiKey (once). Very nice! I hope that someday it will work with Firefox too.

    • @Glatze603
      @Glatze603 1 year ago

      Another tip: use at least 2 YubiKeys - one for at home, one for on the go. That way you also have a direct backup.

    • @christianlempa
      @christianlempa 1 year ago

      Thanks mate :) Yeah, maybe I should move from Google Auth to something better, I'll take a look at Authy

  • @LarsBerntropBos
    @LarsBerntropBos 1 year ago +3

    Not adding a YubiKey without secondary protection of a PIN or biometric is not a bug, it is a feature!

  • @berndeckenfels
    @berndeckenfels 1 year ago

    I don't think it's a bug; WebAuthn allows declaring whether your token should have PIN protection if used as a single factor (for the reasons you mentioned).

  • @marcoroose9973
    @marcoroose9973 1 year ago

    Teleport is amazing. I really have to start with it for my infrastructure. What about a video about the Windows Remote Desktop stuff built into Teleport? I definitely will use it.

    • @christianlempa
      @christianlempa 1 year ago +2

      That's already planned :) but I will do a few other projects first, so that needs to wait a little

    • @MadChristianX
      @MadChristianX 1 year ago

      @@christianlempa After reading the documentation for RDP with Teleport, I decided that this project can wait until your video for that is on YouTube 🙂

  • @MikeFico998
    @MikeFico998 11 months ago

    Wow, YubiKey is so easy to use! All you have to do is log into DOS and type several hundred lines of machine code that no one knows!

  • @biggyk87
    @biggyk87 1 year ago

    Thanks for the video. What VS Code theme is that? With you not recommending using a reverse proxy, I guess that means we should have a fresh dedicated VM with its own public IP?

    • @christianlempa
      @christianlempa 1 year ago

      You're welcome! I'm using my own theme, you can find it in the marketplace as "The Digital Life" ;) Reverse proxies would make the system more complex without adding any benefit.

  • @alexlora6009
    @alexlora6009 1 year ago

    Make a video on how to set up Windows Active Directory SAMs with YubiKey/FIDO2 or passwordless.

  • @tidalwave76
    @tidalwave76 1 year ago

    Thanks for this interesting content. Do you know if you can use the YubiKey with an iPad? I'd also love to hear if this works with the RDP part towards a Windows server as well.

    • @christianlempa
      @christianlempa 1 year ago

      I think the NFC version should work on compatible NFC devices. Not sure if the iPad has it, though.

  • @csmithDevCove
    @csmithDevCove 1 year ago +1

    First Comment

  • @DamjanDimitrioski
    @DamjanDimitrioski 1 year ago +1

    If you think having a device dedicated to password management or a secrets vault would stop someone from giving out all the passwords at gunpoint :D.
    I believe having a phone with the password manager is enough, since the phone can be encrypted to a level that at gunpoint you will still spill the beans.

  • @0x-003
    @0x-003 1 year ago

    I got myself a YubiKey, but until now I have used the 1Password manager. What do I do?

  • @ao4514
    @ao4514 1 year ago

    Hey Christian, I saw the video you did on Wireshark and I must say it wasn't clear at all!
    Can you do a video on how to use Wireshark to hunt for spyware/malware?

  • @itHurtswhenIP
    @itHurtswhenIP 1 year ago

    Hey Christian,
    is something like this possible when using a Cloudflare Zero Trust tunnel?

  • @eb3898
    @eb3898 1 year ago

    What happens when you need to access your home infrastructure but you do not have an internet connection (during an outage)?

    • @christianlempa
      @christianlempa 1 year ago

      Hope it doesn't xD Well, I still got SSH as backup

  • @kpwlek
    @kpwlek 1 year ago

    Just buy a second one as a backup... I lost mine and I was screwed completely... well, not completely, but it was some problem to log into the boxes.

  • @gernhardreinholzen1448
    @gernhardreinholzen1448 1 year ago +1

    So basically Teleport replaces Traefik and (Authelia/Authentik), right?

  • @xiaxiao7567
    @xiaxiao7567 1 year ago

    Can't add host to Teleport

  • @alexsalois5372
    @alexsalois5372 1 year ago

    Hey, can you make the font bigger next time? It is a little small on my device.

  • @cyber-paul
    @cyber-paul 1 year ago

    Does Teleport support the DNS-01 challenge? Cannot find it in the docs.

    • @christianlempa
      @christianlempa 1 year ago

      I don't think so, unfortunately, but I'm not sure. What does the Teleport support say about that?

  • @smith2074
    @smith2074 1 year ago

    USB to micro USB adapter for smartphone: can I use this key on a Galaxy S20?

    • @christianlempa
      @christianlempa 1 year ago

      It has NFC, so it should work wirelessly with any phone

    • @smith2074
      @smith2074 1 year ago

      @@christianlempa I will buy the YubiKey Bio - FIDO Edition, which does not have NFC

  • @s6yx
    @s6yx 1 year ago

    How can I run this if I already have Nginx Proxy Manager running on 443?

  • @CaptZenPetabyte
    @CaptZenPetabyte 1 year ago

    When this is available using a USB key (in place) instead of the YubiKey across the board, it will be a game-changer. The technology is already built into most browsers, extensive libraries are available for the signing modalities, yet it's not widely used.

  • @cbbcbb6803
    @cbbcbb6803 1 year ago

    What can you do if you lose your YubiKey?

    • @christianlempa
      @christianlempa 1 year ago

      You can still use other keys or OTP as a fallback and remove the lost YubiKey from your account

  • @JerryWoo96
    @JerryWoo96 1 year ago

    Do you know how to integrate it with Traefik?

    • @christianlempa
      @christianlempa 1 year ago

      As I said in the video, I'd not do it and just use Teleport without a reverse proxy

  • @PatipanWongkleaw
    @PatipanWongkleaw 1 year ago

    Where do I find the Terraform tutorial?

    • @christianlempa
      @christianlempa 1 year ago

      Just search for Terraform and The Digital Life, you'll find it ;)

  • @sylvaindecrom
    @sylvaindecrom 1 year ago

    Does this still work when you lose internet connectivity?

    • @christianlempa
      @christianlempa 1 year ago +1

      I guess it doesn't, because I'm running Teleport in the cloud.

    • @sylvaindecrom
      @sylvaindecrom 1 year ago

      @@christianlempa But you've got a back way in, right?

    • @christianlempa
      @christianlempa 1 year ago +1

      @@sylvaindecrom Of course :D

  • @saschaweinmann
    @saschaweinmann 1 year ago +1

    How is a PIN not a password?

    • @christianlempa
      @christianlempa 1 year ago

      A PIN is a PIN, a password is a password ;)

    • @saschaweinmann
      @saschaweinmann 1 year ago +1

      @@christianlempa I respectfully disagree. A password is a secret (something you know). So a PIN is just a numeric password. For security purposes there are three options: something you know (e.g. passwords), something you have (e.g. hardware), something you are (e.g. retina scan). Sadly I haven't found a way to just rely on hardware without a secret. This video does not solve this either.

  • @pbrigham
    @pbrigham 1 year ago +3

    With so much complication and configuration, it is only a matter of time until someone makes a mistake and provokes a security breach.

  • @racghineering
    @racghineering 1 year ago

    So the solution is finding the first door. OK. Good.

  • @infocus-media
    @infocus-media 1 year ago

    Wow, my comment got removed very quickly!

  • @chris23tr
    @chris23tr 1 year ago

    I still see MFA as better than passwordless login, because then you need two different things to log in: the password, which only the person knows, and the stick. Because if you lose the stick and someone knows what it is for, they can log in. Security always comes before convenience.

    • @MadChristianX
      @MadChristianX 1 year ago

      Well, that's what the PIN for the stick is for.

  • @patrikgrguric535
    @patrikgrguric535 1 year ago +1

    How many times will they sponsor you 💀. At this point you can change your logo to Teleport's.

    • @jayp9158
      @jayp9158 1 year ago

      Dude, chill out. He has a very niche channel, so it's very difficult to grow or get sponsors. Even more, the product is actually useful and relevant for most of the viewers of the channel, so I don't really see the harm.