Warning: This document is in progress!
Summary
Passwords alone are no longer sufficient. To address this, RIT has moved to Duo's MFA service for the majority of services. Admins and developers, however, have access to large amounts of information and hold privileges on servers that can cause significant damage if their credentials are compromised. Because of those risks, stronger and more efficient MFA is required for certain accounts. To achieve this, ITS has historically used OATH one-time passwords (OTP) for SSH and sudo access on Linux servers and recently started requiring either a certificate plus PIN, or Duo, for Windows logons.
OATH is deprecated and all OATH users are being moved to certificate-based authentication. ITS is issuing YubiKeys that will be used to securely generate and store these certificates.
Requirements
- YubiKey 4 or newer (the model must support PIV/smartcard)
- Security keys will not work; these are generally FIDO-only keys. Examples:
  - Yubico Security Keys (blue)
  - GitHub-branded security keys
- Latest version of your OS
- YubiKey Manager
Considerations
- These docs are not the only way to accomplish the goal, nor are YubiKeys the only way to accomplish password-less authentication; however, the further you deviate from these docs, the less knowledge ITS has to assist you.
- The OS takes an exclusive lock on the YubiKey. If you use multiple computers, even virtual ones, you will need multiple devices: one device per instance of the OS.
- A YubiKey can be passed through RDP sessions (Windows only).
- Each device will have a different certificate. A single certificate can, however, be used for access to both Linux and Windows servers.
- Expert mode: while a YubiKey (i.e. a Yubico device) is not required, the docs and process assume a YubiKey is being used. Any device that can securely generate and store keys in a way that can be cryptographically verified will work.
Process Overview
I. Initialize/Configure YubiKey
II. Determine which certificate to use
III. Submit certificate for verification
IV. Configure clients to use certificates
V. Next steps
I. YubiKey New Setup/Initialization/Re-initialization (included page)
II. Determine which certificate to use
Note: The following is a suggested determination of which certificate process to follow. If you feel comfortable deviating, feel free to do so.
If you plan to use your YubiKey to log in to Windows workstations or Windows servers via RDP (from a Windows workstation), you need a Windows CA-issued certificate. Otherwise, a self-signed certificate is sufficient.
Windows CA-issued Certificate: II. YubiKey Smartcard Setup via Windows CA-issued Certificate (YubiKey Manager) (included page)
Self-Signed Certificate: II. YubiKey Smartcard Setup via Self-Signed Certificate (YubiKey Manager) (included page)
III. Submit certificate for verification
YubiKey Attestation and Submission: III. YubiKey Attestation (included page)
Windows: IV. YubiKey Windows SSH Client Configuration
Mac: IV. YubiKey Mac SSH Client Configuration
Linux: IV. YubiKey Linux SSH Client Configuration
V. Next steps
YubiKey Duo Setup - start.rit.edu/Duo
Other uses for certificates
- Sign and encrypt emails
- Signing Gitlab commits and tags
- Code signing
Other uses of YubiKeys
Troubleshooting