how to install mwinit linux?
- Open Terminal.
- Run: sudo add-apt-repository ppa:yubico/stable && sudo apt-get update.
- When prompted, press Enter to confirm adding the PPA.
(Jump to the bottom to see the good stuff… Ubuntu Setup Instructions)
Over the last few years, there have been numerous stories in the news about companies and individuals getting hacked. From Sony to the Democratic National Committee, we’ve seen how devastating it can be for intruders to access your private data. To combat these attacks, it is essential to take security seriously, both in our corporations and in our personal lives.
In the security industry, there is a saying…
There is no silver bullet to protect us, and no matter what, an attacker with unlimited resources and unlimited time will eventually succeed at breaking into our digital fortresses. The only approach to combat this is through defense in depth.
In the same way that we try to protect our homes in the physical world, we need to try and protect our digital assets. For a house, you would install deadbolt locks, get a big mean dog, install a security alarm, build a fence around the property, pay an off-duty police officer to patrol the neighborhood, and join a neighborhood watch to work together with your neighbors to prevent crime. Individually, none of these would prevent a burglar from stealing your TV, but combined, they might make the burglar go to the house next door or the neighborhood down the street for easier targets.
In our digital infrastructure, we need to do the same thing. When setting up a new server or application, we should think of all the ways we can make it a harder target for would-be attackers. This would include strong passwords, firewalls, logging, alerting, intrusion detection, role-based access control, least-privileged user accounts, removing unnecessary services, vulnerability scanning, and patch management (among many others). Additionally, an increasingly popular method for securing user accounts is to use Two Factor Authentication.
Two Factor Authentication (2FA) has been around for quite a while and boils down to requiring more than one piece of evidence that you are authorized to use a service before you are granted access. These pieces of evidence are routinely described as something you know (a password), something you have (a hardware device), and something you are (your fingerprint).
A YubiKey is a popular tool for adding a second factor to authentication schemes. It is a physical USB device that plugs into your computer and pretends to be a keyboard that types out a One Time Password (OTP) when you physically touch the device. This OTP can then be validated by a 3rd party service, in addition to your password, before authorizing you to log into the service. An attacker would have to hack into your computer to steal your password and also physically steal your YubiKey before they could log into an account as you. This is much safer than only using a password.
Note also that many 2FA solutions have recently been using a phone number and text message as the second factor. When you log onto a service, it sends you a unique code in a text message for you to enter. By being able to produce this unique code, you can prove that you both have the password to the account and have the phone associated with the account. However, we have recently seen many phone porting attacks where someone uses social engineering to get the phone company to port a target's number to a different phone, thereby enabling them to bypass the 2FA (See here for an example). In fact, this is so easy to do that NIST (National Institute of Standards and Technology) no longer recommends using a phone number as part of a multi-factor authentication scheme. Having a physical device that generates one-time tokens is much safer than relying on text messaging.
In a recent project, I was charged with setting up some infrastructure on Amazon AWS and wanted to leverage 2FA with YubiKeys. By default, Amazon disables password based SSH access to the servers and instead requires public/private keypairs for authentication. This is more secure than using (often weak) passwords for login and would require an attacker to hack into your machine and get your private key. However, if you enable 2FA with a YubiKey, it would be much more secure and even if an attacker got hold of your private key, they still wouldn’t be able to log onto the server without your YubiKey token.
Our standard device templates are Ubuntu Server 16.04 LTS and require some manual setup to allow 2FA with YubiKey. Fortunately, YubiKey provides a PAM (Pluggable Authentication Module) library to integrate with Linux. Below are the steps required for getting things up and running:
First, add the PPA and install the library:
Next, edit the pam settings for SSH.
Add the following line at the top to enable the module:
The Client ID and Client Key can be generated here for free:
Next, you need to create a mapping file to let the library know which YubiKey devices are associated with which user accounts on the system. The mapping file contains a user account, followed by a colon separated list of keys that are valid. To get the Token ID, you can just grab the first 12 characters of a generated token. The Yubico-Pam website has more details about this step.
For the mapping file, you can either create one mapping file for all users or have a separate mapping file for each user kept in their home directory. For our use case, we went with a combined mapping file (and instructions follow this setup).
Create the mapping file:
Add the mappings for each user:
Next, modify the SSH configuration to prompt for the YubiKey token and require both the public key authentication as well as the PAM authentication.
Edit the configuration file:
Enable challenge response authentication by changing this to “yes”.
Add a new line that sets the Authentication Methods to require first the public key to be valid and then the YubiKey token for each user.
Finally restart the sshd service to pick up the new settings:
Before testing this out, make sure to keep your existing SSH session alive in case something went wrong. Otherwise you may get locked out of your server.
In another terminal session try to log in without using the key parameter (it should be rejected):
Next, try again with the key parameter to satisfy the first part of the 2FA, and you should then be able to validate the YubiKey token (the token is not displayed on the terminal window):
Above you will see that the certificate was validated and it prompted for the YubiKey. Once the YubiKey is touched, it will automatically type in the One Time Password and continue to the welcome screen. You have now been validated through 2FA.
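An added example, not part of the original post: a read-only audit of the three files the steps above edit (the SSH daemon configuration, the PAM file for SSH, and the mapping file), meant to be run before restarting sshd. The function names are hypothetical, the file paths are passed as arguments because the post's own paths and commands are not shown here, the `UsePAM` check is an addition the PAM step depends on, and `publickey,keyboard-interactive` is assumed as the sshd_config spelling of "public key first, then the token".

```shell
#!/bin/sh
# Added example: read-only audit of the files edited in the steps above.
# Paths are arguments so the checks can also run against copies.

# Print the value of the first uncommented occurrence of an sshd_config
# keyword (sshd keeps the first value it reads; Match blocks are ignored here).
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# PAM and challenge-response must be on, and EVERY space-separated list in
# AuthenticationMethods must demand publickey followed by keyboard-interactive;
# a lone "publickey" alternative would let a stolen key skip the token.
check_sshd() {
    [ "$(sshd_value "$1" UsePAM)" = "yes" ] || { echo "UsePAM is not yes"; return 1; }
    [ "$(sshd_value "$1" ChallengeResponseAuthentication)" = "yes" ] ||
        { echo "ChallengeResponseAuthentication is not yes"; return 1; }
    methods=$(sshd_value "$1" AuthenticationMethods)
    [ -n "$methods" ] || { echo "AuthenticationMethods is not set"; return 1; }
    for list in $methods; do
        case "$list" in
            publickey,keyboard-interactive*) ;;
            *) echo "'$list' is not publickey then keyboard-interactive"; return 1 ;;
        esac
    done
}

# The PAM file for SSH needs an active (uncommented) auth line for pam_yubico.so.
check_pam() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_yubico\.so' "$1" ||
        { echo "no active pam_yubico.so auth line"; return 1; }
}

# Mapping lines are user:id[:id...]; each ID is the 12-character modhex
# prefix of a token, so a pasted full token is reported as malformed.
check_mapping() {
    bad=$(grep -Ev '^([^:[:space:]]+(:[cbdefghijklnrtuv]{12})+)?$' "$1" || true)
    [ -z "$bad" ] || { echo "malformed mapping line(s): $bad"; return 1; }
}

# Usage: audit.sh <sshd config> <PAM file for sshd> <mapping file>
if [ "$#" -eq 3 ]; then
    check_sshd "$1" && check_pam "$2" && check_mapping "$3" &&
        echo "2FA settings look consistent"
fi
```

On a live host, `sudo sshd -T` prints the effective configuration, including Match-block handling that this file-based check does not model. Newer OpenSSH releases spell the challenge-response keyword `KbdInteractiveAuthentication`, which this example does not look for.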
As mentioned earlier, this is not the end-all-be-all of security, but is just another level of defense to protect your environments. Other security hardening measures and methods should be researched and implemented to make your environments as secure as possible while still being usable.
In some cases, such as Ubuntu, you can install the latest rolling release with an official image. In others, we turn to the WSL community for assistance, and that's exactly the case for anyone looking to install Linux Mint right now.
Thanks to a project hosted on GitHub, installing Linux Mint onto WSL is a breeze, and furthermore, it's already on the latest version, Linux Mint 20.3.
Linux Mint is an Ubuntu-based Linux distribution and is certainly one of the more mainstream options out there, often praised as a perfect place for Windows converts to begin. Of course, using Linux in WSL is a little different from just loading it up on a PC, but if you need it or just want it, you can have it.
So, if you want to use it on WSL, you'll be needing to use an excellent community project simply called LinuxmintWSL. It's hosted at GitHub, so the first port of call is to load up its repository. It's also only built for WSL 2, so if you aren't using that yet, check out our full guide to get ready. It does, however, support both Intel/AMD and ARM machines, so Windows on ARM users aren't left out.
On the GitHub repository, hit the releases page and download the latest package. Once downloaded, extract the zip file to the directory you want to run it from, then simply run Mint.exe. Unlike installing Ubuntu's latest releases from one of the official images, this has been bundled up to resemble more the distros you would download from the Microsoft Store.
It'll take a few seconds (or longer depending on your hardware) to run its installation, but the installer doesn't require any interaction from you. It'll open a terminal window and when it's complete you'll be asked to press Enter. The terminal window will then close.
If you use Windows Terminal, Mint will now show in the dropdown menu to launch the next time you load it up. If you don't, you can launch it through PowerShell the same as any other Linux distro with this command:
By default you'll only have root access, so you'll need to do some basic setup before you get rolling.
Enter Mint in your terminal using one of the methods described above. You'll be presented with a basic prompt that begins with
. As with any other Linux distro on WSL, you'll want to add a user to Mint with the right permissions before doing anything. You don't have a password, either, so you'll need to add one of those before beginning.
In the terminal enter:
Follow the prompts to set a root password. Next, we'll add a user with:
And then we'll follow that up with a password for the user with:
Again, follow the prompts to add your password. These commands have added a root password, a user, and a user password.
The next step is to add the right permissions to your user to be able to use the sudo command, otherwise you'll be met with an error. We can do this by entering:
You can then switch to your user with:
Next, if you want Mint to launch as your user rather than root (which is advisable), configure it so you don't have to switch manually every time. There are two ways to do this: the first is with the wsl.conf file and the second is by configuring Windows Terminal, if you use that.
You won't have a wsl.conf file when you first set up Linux Mint, so we'll need to create that and enter the right settings. As we're going to be inside the /etc/ directory it's easiest to be root for this one. In the terminal as root enter:
The Nano text editor will now open with a new blank file. Enter this block into the file:
Hit Ctrl + X followed by Y and then Enter to save and exit. Close down your Linux Mint instance, wait a few seconds (eight is the official line from Microsoft), and then when you relaunch you should be ready to go, already logged in as user.
Alternatively, if you're using Windows Terminal, open the Settings, find your Linux Mint install in the sidebar, and then in the command line box ensure this command is stored:
This will have the same effect once closed down and restarted. Setting up a wsl.conf file is preferable, though, as it ensures you're always entering as user. If you use the Windows Terminal settings and you load up Linux Mint via PowerShell, you'll be taken in as root.
That's all there is to it. Linux Mint is now set up on WSL for you to use just like any other you would install through the Microsoft Store. You may find some GUI apps have appeared in your Start menu as well that come with the standard installation of Linux Mint, but those can all be removed if you don't want them (and the chances are you don't).