...
Passwords alone are no longer sufficient. To address this RIT has moved to Duo's MFA service for the majority of services. Admins and developers, however, have access to large amounts of information and have privileges on servers that can cause significant damage if their credentials are compromised. Because of those risks, stronger and more efficient MFA is required for certain accounts. To achieve this, ITS has historically used OATH (One Time Passwords) for SSH and sudo access on linux Linux servers and recently started requiring either certificates + PIN or Duo for Windows logons.
OATH is deprecated and all OATH users are being moved to certificate-based authentication. ITS is issuing Yubikeys YubiKeys that will be used to securely generate and store these certificates.
Requirements
- Yubikey YubiKey 4 or newer (Blue security keys will not work)
- Latest version of OS
- Yubikey YubiKey Manager
- Download direct from Yubico: https://www.yubico.com/support/download/yubikey-manager/#h-downloads
- Windows
https://developers.yubico.com/yubikey-manager-qt/Releases/yubikey-manager-qt-latest-win64.exe
Expand title SCCM Software Center
- Mac
- Linux
...
- These docs are not the only way to accomplish the goal nor are Yubikeys YubiKeys required however the further you deviate from these docs the less knowledge ITS has to assist you.
- The OS requires a lock on the YubikeyYubiKey. If using multiple computers, even if a computer is virtual, multiple devices will be needed – one device per instance of the OS.
- A Yubikey YubiKey can be passed through RDP session(s) (Windows only)
- Each device will have a different certificate. A certificate can, however, be used for access to both Linux and Windows servers.
- Expert mode: While a Yubikey YubiKey (i.e. a Yubico device) is not required, the docs and process are assuming a Yubikey YubiKey is being used. Any device that can securely generate and store keys in a way that can be cryptographically verified will work.
...
Process Overview
- Initialize/Configure YubikeyYubiKey
- Which Certificate Is Right For Me?
- Submit certificate for verification
- Configure clients to use certificates
Initialize/Configure
...
YubiKey
Expand | ||||||
---|---|---|---|---|---|---|
| ||||||
|
...
If you plan on utilizing your Yubikey YubiKey to login into Windows workstations or Windows servers via RDP you need a Windows CA-issued certificated. Otherwise a self-signed certificate is sufficient.
...
Expand | ||||||
---|---|---|---|---|---|---|
| ||||||
|
Expand | ||||||
---|---|---|---|---|---|---|
| ||||||
|
Submit certificate for verification
Expand | ||||||
---|---|---|---|---|---|---|
| ||||||
|
Configure clients to use certificates
Windows: Yubikey YubiKey Windows SSH Client Configuration
Mac: Yubikey YubiKey Mac SSH Client Configuration
Linux: Yubikey YubiKey Linux SSH Client Configuration
Other uses of Yubikeys
- Register the Yubikey YubiKey as a security key within Duo by enrolling the device at start.rit.edu/Duo
- Configure the Yubikey YubiKey as a safe place to store OTP (one time passcodes) for non-RIT services instead of using a phone app
- Register the Yubikey YubiKey to provide passwordless authentication in Azure/M365 services
...