Yubikey to secure servers.. has anyone tried it?

34 Posts 6 Posters 6.0k Views 7 Watching
      humptydumpty wrote (#1):

      I've been watching videos about Yubikeys last night and came across this

      where Jay from "Learn Linux TV" adds a Yubikey to his hosted server at Linode. It got me curious as to whether this would play nice with Cloudron. Has anyone tried such a thing?

        fbartels (App Dev) wrote (#2):

        @humptydumpty there recently was a promotion between Cloudflare and Yubikey where you could get keys for a greatly reduced price: https://www.reddit.com/r/yubikey/comments/xrcly7/cloudflare_deal_for_1011_keys/

        I ordered a bunch back then (also to replace one old Yubikey that only has USB-A), but in the past it wasn't really worth it for me to use it for SSH keys. For the Cloudron dashboard you cannot use it, since that does OTP codes.

          humptydumpty wrote (#3):

          @fbartels Wow, that was an amazing deal! I'm thinking of using Yubikey to secure Vaultwarden, which hosts the passwords and 2FA codes, so that should cover all sites that don't work with Yubikey directly. I saw that Yubikeys can be used to secure Windows machines too. I might use that on my laptop in case it gets stolen but I'm looking to see if full drive encryption can be enabled or not.

          BTW, do you have the FIPS version? Is it worth it?

            jdaviescoates wrote (#4):

            @fbartels said in Yubikey to secure servers.. has anyone tried it?:

            a promotion between Cloudflare and Yubikey where you could get keys for a greatly reduced price: https://www.reddit.com/r/yubikey/comments/xrcly7/cloudflare_deal_for_1011_keys/

            That's an insanely good deal. I've never used Cloudflare (nor do I intend to do so) but seemingly just registering on their site was enough to click the "claim offer" button so hopefully in the next 1-3 business days I'll receive the email from Yubico...

            I use Cloudron with Gandi & Hetzner

              humptydumpty wrote (#5):

              @jdaviescoates Wait, you're able to still get the offer? I do have an account but don't see that button anywhere. Odd.

                humptydumpty wrote (#6):

                I found the original Cloudflare blog post about this collab and the direct link is:

                https://dash.cloudflare.com/?to=/:account/yubico-promotion

                Either create an account or log in and that link will take you to the button to claim the offer.

                  fbartels (App Dev) wrote (#7):

                  @humptydumpty said in Yubikey to secure servers.. has anyone tried it?:

                  do you have the FIPS version?

                  No, the FIPS version was not part of the promotion.

                  Vaultwarden would indeed work with the Yubikey. Because of some certificate issue I never got it to work with my old key. But that is sadly the downside of them. You cannot update their firmware (which to be fair would make them potentially less secure).

                  The other thing that I liked to do was to store a long passphrase on it (it acts as a keyboard when plugged in). Then you can just add a custom prefix or suffix and press the button and have an easy-to-enter secure password.

                    humptydumpty wrote (#8):

                    @jdaviescoates It seems you need to have an active zone or use zero trust.

                    Exclusive 'good for the Internet' pricing on security keys
                    
                    Cloudflare has partnered with Yubico to offer hardware authentication security keys at a promotional price to eligible Cloudflare customers. Select "Claim my offer" and Yubico will email the offer to the email address associated with your account if you are eligible. Eligible customers must have an active zone or actively use Cloudflare Zero Trust. You may not claim this offer multiple times from the same email and this offer may be restricted to one email per account. Cloudflare may modify, limit, or discontinue this promotion at any time. Offer is subject to Yubico's terms.
                    
                    Learn more about how Cloudflare Zero Trust makes it easy to activate and authenticate using your hardware security keys with any identity provider for more secure access to any self-hosted or SaaS application.
                    
                    By clicking "Claim my offer", you consent to Cloudflare sharing your email address with Yubico AB, Yubico GmbH, Yubico Inc. and Yubico Canada Inc. ("Yubico") solely for the purpose of you claiming this promotion from Yubico. Review the Yubico Privacy Notice to learn more.
                    
                      humptydumpty wrote (#9):

                      @fbartels I came across this Yubico page that lists which keys work with Bitwarden (includes the legacy keys) https://www.yubico.com/works-with-yubikey/catalog/bitwarden-premium/

                        BrutalBirdie (Partner) wrote (#10):

                        @humptydumpty

                        https://media.giphy.com/media/SX5y0h1Dh5BQVOBwNo/giphy.gif

                        Thanks! Will order some 😄

                        Like my work? Consider donating a drink. Cheers!

                          fbartels (App Dev) wrote (#11):

                          @humptydumpty Yes, I know them. The one I previously had is 9+ years old. I don't remember the details but some certificate on my stick was expired and therefore the setup with Vaultwarden never worked. I wanted to upgrade to a stick that supports FIDO 2.0 for quite a while and the Cloudflare promotion was too good to miss.

                            humptydumpty wrote (#12):

                            @BrutalBirdie Thank @fbartels. We owe him a beer now.

                              humptydumpty wrote (#13):

                              @fbartels said in Yubikey to secure servers.. has anyone tried it?:

                              I wanted to upgrade to a stick that supports fido 2.0 for quite a while

                              I hear you. I looked into Yubikeys many times but the cost ramped up quickly since it's best if you have a backup key and with a handful of family members, the bill wasn't easy to swallow. This deal makes it possible. I wish they made a nano NFC version though. I could have it hidden inside a custom made wearable like a pendant, bracelet, or even toss it inside a watch.

                                jdaviescoates wrote (#14):

                                @humptydumpty said in Yubikey to secure servers.. has anyone tried it?:

                                @jdaviescoates It seems you need to have an active zone or use zero trust.

                                thanks for the heads up, I guess I had better set something up then... hopefully I'm not too late (probably should've read that and done it before clicking on the claim offer button!)

                                  timconsidine (App Dev) wrote (#15):

                                  @humptydumpty do I understand correctly that in order to use Cloudflare on a domain, they have to be registrar for it, i.e. transfer the domain to them?

                                  I am my own Nominet registrar, so if the above is true, I cannot use Cloudflare on domains currently with Nominet.

                                  EDIT : should have looked a bit further.
                                  They don't support registering .UK domains so the above cannot be true.
                                  Doh !
                                  Ignore me.

                                    robi wrote (#16):

                                    @timconsidine Yes 😉

                                    They started fronting/protecting domains before they became a registrar which is very recent.

                                    Conscious tech

                                      BrutalBirdie (Partner) wrote (#17):

                                      @humptydumpty said in Yubikey to secure servers.. has anyone tried it?:

                                      We owe him a beer now.

                                      If the Yubico e-mail ever arrives 😬 I will sponsor a beer.

                                        BrutalBirdie (Partner) wrote (#18):

                                        @timconsidine said in Yubikey to secure servers.. has anyone tried it?:

                                        do I understand correctly that in order to use Cloudflare on a domain, they have to be registrar for it, i.e. transfer the domain to them?

                                        No, you can also delegate single zones or the whole domain to another name server.
                                        For example I have some domains registered at autodns, which Cloudron does not have an auto config for.
                                        So I can delegate either the whole domain or a zone to another name server.

                                        Example:

                                        I have my AwesomeDomain.tld and I want to have a Cloudron on my.dev.AwesomeDomain.tld and want the .*.dev zone to be managed by DigitalOcean.
                                        I can set 3x NS records for dev with ns[1-3].digitalocean.com. as value.

                                        Now the zone is delegated to DigitalOcean DNS Servers and can be managed over there.

                                        Watch out tho! When configuring Cloudron you have to click Advanced settings for the DNS setup and set the Zone Name (Optional) to dev.AwesomeDomain.tld which would be by default AwesomeDomain.tld
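
The Zone Name pitfall from the post above, as an added example that is not part of the original post or of Cloudron: it finds the deepest delegated zone for a hostname and flags a configured zone name that sits above it. The NS table is constructed from the post's example, the registrar-side name servers are placeholders, and in practice the NS sets would come from DNS queries rather than a dictionary.

```python
# Added example: locate the zone cut for a hostname and check a configured
# zone name against it. All data below is constructed for illustration.

# NS record sets keyed by owner name, modelled on the post's example.
# ns1/ns2.registrar.example are placeholders for the registrar's servers.
NS_RECORDS = {
    "awesomedomain.tld": ["ns1.registrar.example.", "ns2.registrar.example."],
    "dev.awesomedomain.tld": [
        "ns1.digitalocean.com.",
        "ns2.digitalocean.com.",
        "ns3.digitalocean.com.",
    ],
}


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def ancestors(hostname):
    """Yield the hostname and each parent name, most specific first."""
    labels = normalize(hostname).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def authoritative_zone(hostname, ns_records):
    """Return (zone, name_servers) for the deepest ancestor with NS records.

    That name is the zone which actually holds the hostname's records.
    """
    table = {normalize(k): v for k, v in ns_records.items()}
    for candidate in ancestors(hostname):
        if candidate in table:
            return candidate, table[candidate]
    raise LookupError(f"no zone found for {hostname!r}")


def check_zone_setting(hostname, configured_zone, ns_records):
    """Return None if configured_zone is correct for hostname, else a reason."""
    host = normalize(hostname)
    configured = normalize(configured_zone)
    if host != configured and not host.endswith("." + configured):
        return f"{configured} is not a parent of {host}"
    actual, servers = authoritative_zone(host, ns_records)
    if configured != actual:
        return (
            f"{host} lives in delegated zone {actual} "
            f"(served by {servers[0]} and others), not {configured}"
        )
    return None


if __name__ == "__main__":
    host = "my.dev.AwesomeDomain.tld"
    for zone in ("AwesomeDomain.tld", "dev.AwesomeDomain.tld"):
        problem = check_zone_setting(host, zone, NS_RECORDS)
        print(f"zone name {zone}: {problem or 'ok'}")
```
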

                                          timconsidine (App Dev) wrote (#19):

                                          @BrutalBirdie Thank you!
                                          For some reason I struggle with Cloudflare.
                                          Must try harder - I'm sure it's within my grasp 🙂

                                            BrutalBirdie (Partner) wrote (#20):

                                            @timconsidine if you need some help, let me know. I am happy to help.
