Versions Compared

Old Version 24

changes.mady.by.user Tony Lam

Saved on

compared with

New Version 25

changes.mady.by.user Tony Lam

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Warning

This document is in progress!


Table of Content Zone

Table of Contents

Summary

Passwords alone are no longer sufficient. To address this RIT has moved to Duo's MFA service for the majority of services. Admins and developers, however, have access to large amounts of information and have privileges on servers that can cause significant damage if their credentials are compromised. Because of those risks, stronger and more efficient MFA is required for certain accounts. To achieve this, ITS has historically used OATH (One Time Passwords) for SSH and sudo access on linux servers and recently started requiring either certificates + PIN or Duo for Windows logons.

OATH is deprecated and all OATH users are being moved to certificate-based authentication. ITS is issuing YubKeys that will be used to securely generate and store these certificates.

Requirements

Considerations

  • These docs are not the only way to accomplish the goal nor are YubiKeys required however the further you deviate from these docs the less knowledge ITS has to assist you.
  • The OS requires a lock on the YubiKey. If using multiple computers, even if a computer is virtual, multiple devices will be needed – one device per instance of the OS.
    • A YubiKey can be passed through RDP session(s)
  • Each device will have a different certificate. A certificate can, however, be used for access to both Linux and Windows servers.
  • Expert mode: While a YubiKey (i.e. a Yubico device) is not required the docs and process are built assuming a Yubikey is being used. Any device that can securely generate and store keys in a way that can be cryptographically verified will work.


Process Overview

  1. Initialize/Configure Yubikey
  2. Which Certificate Is Right For Me?
  3. Generate certificate
  4. Submit certificate for verification
  5. Configure clients to use certificates

Initialize/Configure Yubikey

Expand
titleFirst steps with Yubikey
  1. Run the Yubikey Manager application and insert your key

  2. Click on Applications and then click on PIV


  3. Change PIN if Yubikey is fresh out of the box or it's been defaulted

    Note

    skip to (Which Certificate Is Right For Me?) if Yubikey is already initialized

    1. Click on Configure PINs

    2. Click Change PIN and then check Use default (if it is default).
      Choose a PIN between 6 - 8 characters.
      Finish with changing PIN by clicking on Change PIN
    3. Click on Change PUK and then check Use default (if it is default).
      Choose a PUK between 6 - 8 characters.
      Finish with changing PUK by clicking on Change PUK

    4. Click on Change Management Key and then check Use default (if it is default).
      Click on Generate a few times to randomly create a new management key.
      Choose AES256 as Algorithm.
      Finish with changing the key by clicking on Finish

Which Certificate Is Right For Me?


Generate certificate


Submit certificate for verification


Configure clients to use certificates

Other uses of Yubikeys

==OLD==

Generating and distributing(?) certificates

Windows

Enroll certificates using the following Guide:

Configure Windows to automatically load certificates from the Yubikey for SSH use:



macOS

Note

If you plan on using your certificate with Windows and linux servers, you must generate the certificate using Windows. Once the certificate has been generated on Windows it can be used with any OS and with Windows and linux servers.


Linux

Note

If you plan on using your certificate with Windows and linux servers, you must generate the certificate using Windows. Once the certificate has been generated on Windows it can be used with any OS and with Windows and linux servers.

Using certificates