Admin best practises + Yubikey
-
I'm a bit of a noob to pfSense... and I wanted to know what are the best things that I should do to secure the admin account and pfSense.
I have a YubiKey to hand and wanted to know if this can be used in any way?
Thanks in advance
Kais
-
@Kais_1 said in Admin best practises + Yubikey:
secure the admin account and pfsense.
Combine these two methods: choose a good password and use LAN only for trusted devices - all other local users should be on an OPTx network that doesn't even allow GUI access (let the firewall protect itself).
-
Thanks for the info.
Any ideas how to implement the YubiKey?
-
@Kais_1 said in Admin best practises + Yubikey:
any ideas how to implement the yubikey?
Nope. This YubiKey isn't known to pfSense. Check the manual ^^
But: this guy has all the known answers and possibilities, as usual.
-
You might check out the user management hangout: https://youtu.be/5rj5ER_2xJE
I'm not aware of any specific way to use a Yubikey directly but you might be able to do something via an external radius server.
Steve
-
YubiKey definitely supports anything via an external RADIUS server; you could use that for 100% certain.
For your YubiKeys, run an external RADIUS server:
FreeRADIUS on any Unix (external to pfSense) and get the PAM (Pluggable Authentication Module)
https://developers.yubico.com/yubico-pam/YubiKey_and_FreeRADIUS_1FA_via_PAM.html
I've had good success with GreenRADIUS - paid software
https://www.greenrocketsecurity.com/greenradius/
On pfSense, set up an authentication server pointing to your external RADIUS server:
System / User Manager / Authentication Servers / Edit
Make a new authentication server using the RADIUS server
Job done!
-
Ooo nice.