Page Comparison

...

Summary

Passwords alone are no longer sufficient. To address this RIT has moved to Duo's MFA service for the majority of services. Admins and developers, however, have access to large amounts of information and have privileges on servers that can cause significant damage if their credentials are compromised. Because of those risks, stronger and more efficient MFA is required for certain accounts. To achieve this, ITS has historically used OATH (One Time Passwords) for SSH and sudo access on linux Linux servers and recently started requiring either certificates + PIN or Duo for Windows logons.

OATH is deprecated and all OATH users are being moved to certificate-based authentication. ITS is issuing YubKeys YubiKeys that will be used to securely generate and store these certificates.

Requirements

• YubiKey 4 .3 or later (Typically this is a YubiKey 4 or newer)newer (needs to mention PIV or smartcard)
  • Security keys will not work. These are generally FIDO only keys.
    • Yubico Security Keys (blue)
    • GitHub-branded security keys
• Latest version of OS
• Yubikey YubiKey Manager
  • Download direct from Yubico: https://www.yubico.com/support/download/yubikey-manager/#h-downloadsWindowshttps://developers.yubico.com/yubikey-manager-qt/Releases/yubikey-manager-qt-latest-win64.exeYubiKey-Manager
  • Windows

    • 
      

      Expand
      title SCCM Software Center (Preferred Method)

      
      

    • YubiKey-Manager - Windows x64 latest
  • Mac
    • https://developers.yubico.com/yubikey-manager-qt/Releases/yubikey-manager-qt-latest-mac.pkgYubiKey-Manager - MacOS pkg latest
  • Linux
    • AppImage - https://developers.yubico.com/yubikey-manager-qt/Releases/yubikey-manager-qt-latest-linux.AppImageSrc - https://developers.yubico.com/yubikey-manager-qt/Releases/yubikey-manager-qt-latest.tar.gz YubiKey-Manager - Linux AppImage latest
    • Src - YubiKey-Manager - Linux src latest

Requesting a YubiKey

• Fill out the following Google form
  round 2 Yubikey singnup sheet - Google Sheets
  • Pick up at INS-1130

Considerations

• These docs are not the only way to accomplish the goal nor are YubiKeys required the only way to accomplish password-less authentication however the further you deviate from these docs the less knowledge ITS has to assist you.
• The OS requires a lock on the YubiKey. If using multiple computers, even if a computer is virtual, multiple devices will be needed – one device per instance of the OS.
  • A YubiKey can be passed through RDP session(s) (Windows only)
• Each device will have a different certificate. A certificate can, however, be used for access to both Linux and Windows servers.
• Expert mode: While a YubiKey (i.e. a Yubico device) is not required, the docs and process are built assuming a Yubikey YubiKey is being used. Any device that can securely generate and store keys in a way that can be cryptographically verified will work.

Process Overview

...

I. Certificate Enrollment
II. Submit certificate for verification
III. Configure clients to use certificates

...

IV. Next steps

I. Certificate Enrollment

II. Submit certificate for verification

Image Removed

1. Click on Configure PINs
   Image Removed
   
2. Click Change PIN and then check Use default (if it is default).
   Choose a PIN between 6 - 8 characters.
   Finish with changing PIN by clicking on Change PIN
   Image Removed
3. Click on Change PUK and then check Use default (if it is default).
   Choose a PUK between 6 - 8 characters.
   Finish with changing PUK by clicking on Change PUK
   Image Removed
   
4. Click on Change Management Key and then check Use default (if it is default).
   Click on Generate a few times to randomly create a new management key.
   Choose AES256 as Algorithm.
   Finish with changing the key by clicking on Finish
   Image Removed

Which Certificate Is Right For Me?

Generate certificate

Submit certificate for verification

Configure clients to use certificates

...

III. Configure clients to use certificates

Windows: III. YubiKey Windows SSH Client Configuration

Mac: III. YubiKey Mac SSH Client Configuration

Linux: III. YubiKey Linux SSH Client Configuration

IV. Next steps

YubiKey Duo Setup - start.rit.edu/Duo

• Security Keys and Duo

Other uses for certificates

• Sign and encrypt emails
  • Main benefit comes from a chained certificate
    • Trust follows the chain 
      • via Windows CA-issued certificate - valid for all RIT Windows domain-bound machines
      • via publicly signed certificate - valid for everyone
  • Using Your YubiKey for Email Signing/Encrypting with Outlook on Windows
  • Using Your YubiKey for Email Signing/Encrypting with Outlook on Mac
• Signing Gitlab commits and tags
  
  • Sign commits and tags with X.509 certificates
• Code signing
  • Request a code signing certificate
  • Code Signing with the YubiKey on Windows

Other uses of YubiKeys

• Register the YubiKey as a security key within Duo by enrolling the device at start.rit.edu/Duofor various services.
  • 2FA Directory
• Configure the YubiKey as a safe place to store OTP (one time passcodes) for non-RIT services instead of using a phone app
  • Using Your YubiKey with Authenticator Codes
• Register the Yubikey YubiKey to provide passwordless password-less authentication in Azure/M365 services

==OLD==

Generating and distributing(?) certificates

Windows

Enroll certificates using the following Guide:

• Yubikey Smartcard Setup via Windows CA-issued Certificate (Yubikey Manager) - ITS Operations - RIT Wiki

Configure Windows to automatically load certificates from the Yubikey for SSH use:

• Yubikey Windows SSH Agent Configuration - ITS Operations - RIT Wiki

macOS

Linux

...

Troubleshooting

• YubiKey Windows SmartCard Troubleshooting