Versions Compared

Old Version 39

changes.mady.by.user Tony Lam

Saved on

compared with

New Version Current

changes.mady.by.user Tony Lam

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Passwords alone are no longer sufficient. To address this RIT has moved to Duo's MFA service for the majority of services. Admins and developers, however, have access to large amounts of information and have privileges on servers that can cause significant damage if their credentials are compromised. Because of those risks, stronger and more efficient MFA is required for certain accounts. To achieve this, ITS has historically used OATH (One Time Passwords) for SSH and sudo access on linux Linux servers and recently started requiring either certificates + PIN or Duo for Windows logons.

OATH is deprecated and all OATH users are being moved to certificate-based authentication. ITS is issuing YubKeys YubiKeys that will be used to securely generate and store these certificates.

Requirements

Requesting a YubiKey

Considerations

  • These docs are not the only way to accomplish the goal nor are YubiKeys required the only way to accomplish password-less authentication however the further you deviate from these docs the less knowledge ITS has to assist you.
  • The OS requires a lock on the YubiKey. If using multiple computers, even if a computer is virtual, multiple devices will be needed – one device per instance of the OS.
    • A YubiKey can be passed through RDP session(s) (Windows only)
  • Each device will have a different certificate. A certificate can, however, be used for access to both Linux and Windows servers.
  • Expert mode: While a YubiKey (i.e. a Yubico device) is not required, the docs and process are built assuming a Yubikey YubiKey is being used. Any device that can securely generate and store keys in a way that can be cryptographically verified will work.


Process Overview

...

I. Certificate Enrollment
II. Submit certificate for verification
III. Configure clients to use certificates

Initialize/Configure Yubikey

...

titleFirst steps with Yubikey

...

Which Certificate Is Right For Me?

Note

The following is a suggested determination of which certificate process to follow. If you feel comfortable deviating, feel free to do so.

If you primarily log into and work mainly with Windows machines, please follow the process below:

...

titleWindows CA issued Certificate

...

IV. Next steps

I. Certificate Enrollment


Expand
titleSelf-Signed Certificate Enrollment

Include Page
Yubikey Smartcard Setup via Self-Signed Certificate (Yubikey Manager)Yubikey Smartcard Setup via Self-Signed Certificate (Yubikey Manager)I. YubiKey Certificate Enrollment
I. YubiKey Certificate Enrollment

II. Submit certificate for verification


Expand
titleYubikey YubiKey Attestation and Submission (Work in Progress)

Include Page
Yubikey II. YubiKey AttestationYubikey
II. YubiKey Attestation

III. Configure clients to use certificates

Windows: Yubikey III. YubiKey Windows SSH Client Configuration


Mac: Yubikey III. YubiKey Mac SSH Client Configuration


Linux: Yubikey III. YubiKey Linux SSH Client Configuration


IV. Next steps

YubiKey Duo Setup - start.rit.edu/Duo

Other uses for certificates

Other uses of

...

YubiKeys

Troubleshooting