This document is in progress!
Summary
Passwords alone are no longer sufficient. To address this, RIT has moved to Duo's MFA service for the majority of services. Admins and developers, however, have access to large amounts of information and hold privileges on servers that can cause significant damage if their credentials are compromised. Because of those risks, stronger and more efficient MFA is required for certain accounts. To achieve this, ITS has historically used OATH one-time passwords (OTP) for SSH and sudo access on Linux servers and recently started requiring either certificates + PIN or Duo for Windows logons.
OATH is deprecated and all OATH users are being moved to certificate-based authentication. ITS is issuing YubiKeys that will be used to securely generate and store these certificates.
Requirements
- YubiKey 4 or newer (the model must list PIV or smart card support)
- Security keys will not work. These are generally FIDO-only keys:
  - Yubico Security Keys (blue)
  - GitHub-branded security keys
- Latest version of OS
- YubiKey Manager
  - Download direct from Yubico: YubiKey-Manager
    - Windows
    - Mac
    - Linux
Requesting a YubiKey
- Fill out the following Google form: round 2 YubiKey signup sheet - Google Sheets
- Pick up at INS-1130
Considerations
- These docs are not the only way to accomplish the goal, nor are YubiKeys the only way to accomplish password-less authentication; however, the further you deviate from these docs, the less knowledge ITS has to assist you.
- The OS takes an exclusive lock on the YubiKey. If you use multiple computers, including virtual machines, you will need multiple devices: one device per instance of the OS.
- A YubiKey can be passed through RDP session(s) (Windows only)
- Each device will have a different certificate. A certificate can, however, be used for access to both Linux and Windows servers.
- Expert mode: While a YubiKey (i.e. a Yubico device) is not required, the docs and process assume a YubiKey is being used. Any device that can securely generate and store keys in a way that can be cryptographically verified will work.
Process Overview
I. Initialize/Configure YubiKey
II. Certificate Enrollment
III. Submit certificate for verification
IV. Configure clients to use certificates
V. Next steps
I. Initialize/Configure YubiKey
New Setup
- Run the YubiKey Manager application and insert your key
- Click on Applications and then click on PIV
- Change the PIN if the YubiKey is fresh out of the box or has been reset to defaults; skip to (II. Determine Which Certificate to Use) if the YubiKey is already initialized
- Click on Configure PINs
PIN
The PIN is used to unlock and utilize the certificates on the YubiKey. You will have 3 tries to input the correct PIN.
  - Click Change PIN and then check Use default (if it is default).
  - Choose a PIN between 6 and 8 characters.
  - Finish changing the PIN by clicking on Change PIN
PUK
The PUK is used to unblock the PIN if it becomes locked. You will have 3 tries to unblock the PIN.
  - Click on Change PUK and then check Use default (if it is default).
  - Choose a PUK between 6 and 8 characters.
  - Finish changing the PUK by clicking on Change PUK
Management Key
The Management Key is utilized for all PIV operations on the YubiKey and will be needed in the next section when generating new certificates. It is longer than what is visible in the dialog: it should be 64 characters long. You need to store it in a secure repository.
  - Click on Change Management Key and then check Use default (if it is default).
  - Click on Generate a few times to randomly create a new management key.
  - Choose AES256 as Algorithm.
  - Finish changing the key by clicking on Finish
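The same three changes can be scripted with the ykman command-line tool that ships alongside YubiKey Manager. The script below is an added example, not part of this page or of Yubico's documentation; it assumes ykman 4 or newer (where the subcommands live under `ykman piv access`) and the factory-default PIN, PUK and management key. It checks the page's rules locally before touching the key (PIN and PUK 6 to 8 characters and not the defaults) and generates the AES256 management key itself as 32 random bytes, which is the 64-character value the page says to store.

```shell
#!/usr/bin/env bash
# Added example (not from the RIT ITS page): the "New Setup" PIN / PUK /
# Management Key steps using the ykman CLI (ykman 4 or newer assumed).
# Policy from the page is enforced locally before any ykman call:
#   - PIN and PUK are 6-8 characters and not the factory defaults
#   - management key is a fresh random AES256 key: 32 bytes = 64 hex chars
set -u

# Factory defaults (assumed from Yubico's documentation).
DEFAULT_PIN=123456
DEFAULT_PUK=12345678
DEFAULT_MGMT=010203040506070801020304050607080102030405060708

# YKMAN_DRY_RUN=1 reports which ykman operation would run instead of running it.
: "${YKMAN_DRY_RUN:=0}"

# 0 if the value is an acceptable PIN or PUK: 6-8 characters and not the default.
check_secret() {
  local value=$1 default=$2
  local len=${#value}
  [ "$len" -ge 6 ] && [ "$len" -le 8 ] && [ "$value" != "$default" ]
}

# A new AES256 management key: 32 random bytes printed as 64 hex characters.
generate_mgmt_key() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# 0 if the value is a complete AES256 management key (exactly 64 hex characters).
check_mgmt_key() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{64}$'
}

# Run a ykman operation. In dry-run mode only the subcommand path is echoed,
# so no PIN, PUK or management key ends up in a terminal or a log file.
run_ykman() {
  if [ "$YKMAN_DRY_RUN" = 1 ]; then
    echo "dry run: ykman $1 $2 $3"
    return 0
  fi
  ykman "$@"
}

# Change PIN, PUK and management key on a factory-fresh YubiKey.
# Usage: initialize_piv NEW_PIN NEW_PUK
# The last line of output is the new management key: store it securely.
initialize_piv() {
  local new_pin=$1 new_puk=$2 new_mgmt
  check_secret "$new_pin" "$DEFAULT_PIN" || { echo "PIN must be 6-8 characters and not the default" >&2; return 1; }
  check_secret "$new_puk" "$DEFAULT_PUK" || { echo "PUK must be 6-8 characters and not the default" >&2; return 1; }
  new_mgmt=$(generate_mgmt_key)
  check_mgmt_key "$new_mgmt" || { echo "management key generation failed" >&2; return 1; }

  run_ykman piv access change-pin -P "$DEFAULT_PIN" -n "$new_pin" || return 1
  run_ykman piv access change-puk -p "$DEFAULT_PUK" -n "$new_puk" || return 1
  run_ykman piv access change-management-key -a AES256 \
      -m "$DEFAULT_MGMT" -n "$new_mgmt" || return 1

  # The management key is the one value a person cannot reconstruct later.
  echo "$new_mgmt"
}
```

Run it as `initialize_piv 654321 87654321` with the key inserted, and write the printed management key into your password manager before anything else. Command-line arguments are visible to other users of the same host; on a shared machine drop the `-P`/`-p`/`-n` values and ykman will prompt for each secret interactively instead.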
II. Certificate Enrollment
III. Submit certificate for verification
IV. Configure clients to use certificates
Windows: IV. YubiKey Windows SSH Client Configuration
Mac: IV. YubiKey Mac SSH Client Configuration
Linux: IV. YubiKey Linux SSH Client Configuration
V. Next steps
YubiKey Duo Setup - start.rit.edu/Duo
Other uses for certificates
- Sign and encrypt emails
  - Main benefit comes from a chained certificate
    - Trust follows the chain
      - via Windows CA-issued certificate - valid for all RIT Windows domain-bound machines
      - via publicly signed certificate - valid for everyone
  - Using Your YubiKey for Email Signing/Encrypting with Outlook on Windows
  - Using Your YubiKey for Email Signing/Encrypting with Outlook on Mac
- Signing Gitlab commits and tags
- Code signing
Other uses of YubiKeys
- Register the YubiKey as a security key for various services.
- Configure the YubiKey as a safe place to store OTP (one-time passcodes) for non-RIT services instead of using a phone app
- Register the YubiKey to provide password-less authentication in Azure/M365 services