...
Requirements
- YubiKey 4 or newer (the device must support PIV/smart card)
- Security keys will not work; these are generally FIDO-only keys:
  - Yubico Security Keys (blue)
  - GitHub-branded security keys
- Latest version of OS
- YubiKey Manager
  - Download direct from Yubico: https://www.yubico.com/support/download/yubikey-manager/#h-downloads
  - Windows
    - SCCM Software Center (preferred method): YubiKey-Manager - Windows x64 latest
    - Direct download: https://developers.yubico.com/yubikey-manager-qt/Releases/yubikey-manager-qt-latest-win64.exe
  - Mac
  - Linux
Requesting a YubiKey
- Fill out the following Google form: round 2 Yubikey signup sheet (Google Sheets)
- Pick up at INS-1130
Considerations
- These docs are not the only way to accomplish the goal, nor are YubiKeys the only way to accomplish password-less authentication; however, the further you deviate from these docs, the less knowledge ITS has to assist you.
- The OS takes an exclusive lock on the YubiKey. If you use multiple computers, even virtual ones, you will need multiple devices, one device per instance of the OS.
- A YubiKey can be passed through RDP session(s) (Windows only)
- Each device will have a different certificate. A certificate can, however, be used for access to both Linux and Windows servers.
- Expert mode: While a YubiKey (i.e. a Yubico device) is not required, the docs and process are assuming a YubiKey is being used. Any device that can securely generate and store keys in a way that can be cryptographically verified will work.
Process Overview
...
1. Initialize/Configure YubiKey
...
First steps with Yubikey
...
2. Determine which certificate to use
Note: The following is a suggested determination of which certificate process to follow. If you feel comfortable deviating, feel free to do so.
If you plan on using your YubiKey to log in to Windows workstations or Windows servers via RDP, you need a Windows CA-issued certificate. Otherwise a self-signed certificate is sufficient.
...
Windows CA-issued Certificate
...
I. Certificate Enrollment
II. Submit certificate for verification
III. Configure clients to use certificates
...
IV. Next steps
I. Certificate Enrollment
...
II. Submit certificate for verification
...
III. Configure clients to use certificates
Windows: III. YubiKey Windows SSH Client Configuration
Mac: III. YubiKey Mac SSH Client Configuration
Linux: III. YubiKey Linux SSH Client Configuration
...
IV. Next steps
YubiKey Duo Setup
...
Adding Security Key (Duo Prompt)
...
Other uses for certificates
- Sign and encrypt emails
  - Main benefit comes from a chained certificate
    - Trust follows the chain
      - via Windows CA-issued certificate - valid for all RIT Windows domain-bound machines
      - via publicly signed certificate - valid for everyone
  - Using Your YubiKey for Email Signing/Encrypting with Outlook on Windows
  - Using Your YubiKey for Email Signing/Encrypting with Outlook on Mac
- Signing Gitlab commits and tags: TBD
- Code signing
  - Current Windows CA-issued certs are not able to sign code (as of 3/23/2022). Request a code signing certificate.
  - Code Signing with the YubiKey on Windows
...
- Register the YubiKey as a security key within Duo by enrolling the device at start.rit.edu/Duo (Duo - Add Security Key) for various services.
- Configure the YubiKey as a safe place to store OTPs (one-time passcodes) for non-RIT services instead of using a phone app
- Register the YubiKey to provide password-less authentication in Azure/M365 services