... | ... | @@ -15,6 +15,63 @@ USB form factor. |
|
|
|
|
|
# How to
|
|
|
|
|
|
## YubiKey training
|
|
|
|
|
|
This section holds the notes to the YubiKey training given in Costa
|
|
|
Rica in April 2023.
|
|
|
|
|
|
### Introduction
|
|
|
|
|
|
* what is a YubiKey? it's a 2FA token with extra capabilities
|
|
|
* why is it called a YubiKey? "Yubico's explanation of the name
|
|
|
"YubiKey" is that it derives from the phrase "your ubiquitous key",
|
|
|
and that "yubi" is the Japanese word for finger." ([Wikipedia](https://en.wikipedia.org/wiki/YubiKey#History),
|
|
|
[source](https://www.yubico.com/about/about-us/))
|
|
|
* what is 2FA? two-factor authentication
|
|
|
* why do we need 2FA? to make hacking your account more difficult,
|
|
|
and because people are not great at remembering good
|
|
|
passwords. also, it's required by GitHub and our Nextcloud instance
|
|
|
* why do we need a Yubikey? it's better than typical 2FA
|
|
|
* what are we going to do today? 2FA only
|
|
|
|
|
|
"There's all sorts of pitfalls and challenges in deploying 2FA and
|
|
|
YubiKeys (e.g. "I lost my YubiKey" or "OMG GnuPG is hell"), we're not
|
|
|
going to immediately solve all of those issues. We're going to get
|
|
|
hardware into people's hands and hopefully train them with U2F/FIDO2
|
|
|
web 2FA, and maybe be able to explore the SSH/OpenPGP side of things
|
|
|
as well."
|
|
|
|
|
|
### Unpacking and authenticating a YubiKey
|
|
|
|
|
|
* check blister packaging
|
|
|
* login to <https://www.yubico.com/genuine/>
|
|
|
|
|
|
### Setting up 2FA in Nextcloud
|
|
|
|
|
|
We can either follow the [upstream guide](https://docs.nextcloud.com/server/latest/user_manual/en/user_2fa.html) or [our own
|
|
|
tutorial](#signing-in-and-setting-up-two-factor-authentication). Here's a copy of the latter with only the U2F
|
|
|
instructions:
|
|
|
|
|
|
1. In NextCloud, select Settings -> Security. The link to your
|
|
|
settings can be found by clicking on your "user icon" in the top
|
|
|
right corner. Direct link: [Settings -> Security](https://nc.torproject.net/settings/user/security).
|
|
|
2. Pick either the [U2F device](https://en.wikipedia.org/wiki/Universal_2nd_Factor) as an "second factor".
|
|
|
3. Click the "Add U2F device" button under the "U2F device" section
|
|
|
4. Insert the token and press the button when prompted by your web
|
|
|
browser
|
|
|
5. Enter a name for the device and click "Add"
|
|
|
6. Click "Generate Backup codes" in the Two-Factor Authentication
|
|
|
section of that page.
|
|
|
7. Save your backup codes to a password manager of your choice. These
|
|
|
will be needed to regain access to your NextCloud account if you
|
|
|
ever lose your 2FA token/application.
|
|
|
8. Log out and log in again, to verify that you got two factor
|
|
|
authentication working.
|
|
|
|
|
|
### Setting up 2FA in GitLab
|
|
|
|
|
|
TODO
|
|
|
|
|
|
## SSH RSA authentication in PIV mode
|
|
|
|
|
|
### Token setup
|
... | ... | |
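Review bot: The two bullets under "Unpacking and authenticating a YubiKey" are too terse to act on from the notes alone: "check blister packaging" does not say what to look for, and "login to <https://www.yubico.com/genuine/>" does not say what a passing result looks like or what to do with a key that fails. One sentence each would fix that, in particular a rule that a key which fails the check is set aside and not enrolled. In the Nextcloud steps, step 2 reads `Pick either the [U2F device] ... as an "second factor"`, which looks like a leftover from trimming the other option out of the full tutorial; "Pick the U2F device as a second factor" would read correctly. The same steps spell the product "NextCloud" while the heading and introduction use "Nextcloud", and the introduction has one "Yubikey" among several "YubiKey". The introduction's answer "it's better than typical 2FA" gives no reason; since the quoted paragraph below it names U2F/FIDO2 as the goal, a few words on why that is preferred would make the bullet useful to someone reading the notes later. That quoted paragraph also has no attribution. Finally, "Setting up 2FA in GitLab" is committed as a bare TODO, and the introduction says 2FA is required by GitHub but there is no GitHub section; either link a tracking issue from the TODO or drop the heading until the content exists.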