YubiKey-Guide
YubiKey-Guide | google-authenticator-libpam | |
---|---|---|
112 | 17 | |
10,735 | 1,697 | |
- | 1.4% | |
8.3 | 3.1 | |
15 days ago | 11 days ago | |
HTML | C | |
MIT License | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
YubiKey-Guide
-
Can I use Security Key C NFC as backup for 5C NFC if I use OpenPGP?
Instead, most people generate keypair(s) on an airgapped machine and write them to two Yubikeys. Or write subkeys to a single Yubikey and keep a backup in encrypted form. See https://github.com/drduh/YubiKey-Guide
-
Ask HN: Why does YubiCo need my private key?
I'd recommend using the Yubikey as a GPG smartcard[1]. The private key stays on the Yubikey. I also use it for ssh. But make sure you have a backup key or two, just in case the primary Yubikey gives out. FIDO2 and all other regular Yubikey functionality still works with it.
[1]: https://github.com/drduh/YubiKey-Guide
-
An Opinionated Yubikey Set-Up Guide
The excellent guide by drduh should be mentioned here: https://github.com/drduh/YubiKey-Guide — I've been using this approach for years to store my OpenPGP keys on Yubikeys and use them for SSH.
I don't generate my keys on devices. That lets me be flexible and keep backups, as well as use the same keys on multiple physical devices. Using a single yubikey is a bad idea, as you're bound to eventually lose it or break it. Hasn't happened to me yet in 5 years, but I expect it to happen.
-
How to use Yubikey to login into a server
I followed this guide to generate a master key and three subkey.
- Guide to Using Yubikey for GPG and SSH
-
GnuPG Private Key storage on YubiKey: Why are the private keys still present in my .gnupg/ folder?
See https://github.com/drduh/YubiKey-Guide . Also google for OpenPGP card specifications, they will answer your question
-
Got myself Yubikey and set it up for my password manager and email. What next?
Regarding GPG/SSH keys, there is a great howto: https://github.com/drduh/YubiKey-Guide
-
Some guidance from those who use their Yubikey to protect their SSH connections.
I'd be lying if I said I understood all of that. I'm definitely going to do some research ahaha. Someone else on this post sentence this like which they said was very good guide. https://github.com/drduh/YubiKey-Guide
-
When it comes to storing PGP keys what is the difference between a YubiKey and a standard USB key
When storing the key on a Yubikey, however, all you need is just the PIN in order to use the key. It can contain numbers, letters, symbols, etc. and can be quite long, so you can treat it as a passphrase for all intents and purposes. There are actually two PIN codes: one regular one, for a read access, and another administrative one, for write access for when you want to modify the gpg applet settings or the key on the Yubikey. There is also a limit to how many times in a row you can enter pins incorrectly, after which the gpg applet gets locked and the only thing you can do is reset it, erasing the PGP keys. See https://github.com/drduh/YubiKey-Guide for more information.
-
Issues moving OpenPGP encryption & authentication keys to YubiKey 5C
Try follow this guide from DrDuh https://github.com/drduh/YubiKey-Guide/blob/master/README.md
google-authenticator-libpam
-
Support HTTP over Unix domain sockets
Especially that nowadays password authentication may fade away soon.
Windows already supports password-less authentication quite well. It's just a matter of time until there are good solutions for Linux too.
I have already some systems set up in a way that they ask for a TOTP when doing username/password login via SSH: https://github.com/google/google-authenticator-libpam
-
Tailscale and configuring additional Google Workspace two-factor authentication for SSH connections
We also found out that Tailscale SSH, unlike e.g Cloudflare Zero, does not seem to work with google-authenticator PAM module which could be a workaround. Please correct me if I am wrong here.
-
YubiKey to secure an Ubuntu server
(Don't worry it has nothing really to do with Google other than the fact that they wrote and open sourced the 2FA library: https://github.com/google/google-authenticator-libpam ) All logic is done locally on the server you install the pam module on, it generates a QR which you can scan and then stores the secret information in a config file in your user profile.
-
Wag: An awesome self-hosted Wireguard 2FA solution
Out of the box, this is arguably less secure than most other remote access solutions. With OpenVPN, as well as the certificate's private key, you would usually require user credentials or a TOTP. With SSH, usually you would password-encrypt your key file, and there is the popular Google Authenticator 2FA PAM module to add TOTP support.
-
Using your SIM card for MFA when logging in to an SSH server
Using your SIM card for MFA when logging in to an SSH server (through paid API requests to a third party)
There are ways to use your phone's secure storage capabilities for key storage. I've dabbled with using Krypt.co [1] for this, though that's sadly been deprecated and will at some point be replaced by a paid-for cloud service from Akamai. I'm sure there are other options available as well.
A far superior method for SSH security would be a physical U2F key or even a smart card. It's also possible to set up TOTP as a second factor ([2], works with any TOTP solution, not just Google Authenticator). I don't see a need for this paid-for third party service unless you're already using their services for some kind of verification mechanism.
[1]: https://krypt.co/
[2]: https://github.com/google/google-authenticator-libpam
-
SSH Key Passphrase
dont think you can since the passphrase is client side. you could require mfa on top of the login via sshkey. eg. https://github.com/google/google-authenticator-libpam
-
Configure PAM to use Google Authenticator / TOTP instead of password authentication
Have a look at https://github.com/google/google-authenticator-libpam
-
How to SSH Properly
The google-authenticator module has many options you can set which are documented here. In the interest of saving time, we are going to use some sane defaults in this example: disallow reuse of the same token twice, issue time-based rather than counter-based codes, and limit the user to a maximum of three logins every 30 seconds. To set up Google 2-factor authentication with these settings, a user should run this command:
-
Looking for reliable open-source 2FA self hosted server
Install Active Directory servers, one for each site. Both need to be DNS servers and Global Catalogs.Add users to be authenticated as normal, the users PIN will be their domain password.(You can skip the above), just use your existing users.Install Centos 7 Use static IP address(es) and point the DNS to the domain controller(s) Configure the hostname and FQDN to an appropriate value. Note this will be visible in Google Authenticator.Patch the OS yum -y updateStop and disble SELinux and the firewall systemctl stop firewalld.service systemctl disable firewalld.service vi /etc/selinux/config Change SELINUX=enforcing to SELINUX=disabled Save and exit then reboot.Install and configure FreeRADIUS yum -y install freeradius freeradius-utils vi /etc/raddb/radiusd.conf Change #user = radiusd to user = root Change #group = radiusd to group = root vi /etc/raddb/sites-enabled/default Change # pam to pam ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam vi /etc/raddb/clients.conf - The client IP and/or subnet need to match where the requests are coming from Add to the end client 192.168.0.0 { ipaddr = 192.168.0.0/24 secret = password - Whatever secret you configure here must match where the requests are coming from require_message_authenticator = no nas_type = other } vi /etc/raddb/users Change #DEFAULT Group == "disabled",Auth-Type:=Reject # Reply-Message = "Your account has been disabled." to DEFAULT Group == "disabled",Auth-Type:=Reject Reply-Message = "Your account has been disabled." DEFAULT Auth-Type := PAMInstall and configure SSSD yum -y install sssd realmd adcli yum -y install oddjob oddjob-mkhomedir sssd samba-common-tools realm join gatest.local - This is the domain name that holds the accounts for Google Authenticator vi /etc/sssd/sssd.conf Change use_fully_qualified_name = True to use_fully_qualified_name = False chmod 400 /etc/sssd/sssd.confInstall and configure Google Authenticator yum -y install pam-devel make gcc-c++ git yum -y install automake autoconf libtool cd ~ git clone https://github.com/google/google-authenticator-libpam.git cd ~/google-authenticator-libpam/ ./bootstrap.sh ./configure make make installConfigure PAM vi /etc/pam.d/radiusd Comment out the existing entries and then add the following at the end auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass auth required pam_sss.so use_first_pass account required pam_nologin.so account include password-auth session include password-authEnable FreeRADIUS Service systemctl enable radiusd systemctl start radiusdInstall google authenticator yum install google-authenticatorSetup Google Authenticator for a user su - username - This is the user account created in Active Directory cd ~ - Make certain you're now in their /home/username directory google-authenticator - Answer the following questions with Y, Y (take a screenshot of the QR code), -1, Y, N, Y The user should now be able to authenticate using their domain name as the account name, their domain password as their PIN and their token code.
-
Linux terminal noob zoom question
For QR codes in particular, pam_google_authenticator does this.
What are some alternatives?
solo1 - Solo 1 firmware in C
authelia - The Single Sign-On Multi-Factor portal for web apps
wsl2-ssh-pageant - bridge between windows pageant and wsl2
GoogleAuthenticator - PHP class to generate and verify Google Authenticator 2-factor authentication
sops - Simple and flexible tool for managing secrets
headscale - An open source, self-hosted implementation of the Tailscale control server
wsl-ssh-pageant - A Pageant -> TCP bridge for use with WSL, allowing for Pageant to be used as an ssh-ageant within the WSL environment.
ip2unix - Turn IP sockets into Unix domain sockets
secretive - Store SSH keys in the Secure Enclave
wag - Simple Wireguard 2FA
IsoApplet - A Java Card PKI Applet aiming to be ISO 7816 compliant
url - URL Standard