You are viewing an old version of this page (version 38).

This document is in progress!

Summary

Passwords alone are no longer sufficient. To address this, RIT has moved to Duo's MFA service for the majority of services. Admins and developers, however, have access to large amounts of information and hold privileges on servers that could be used to cause significant damage if their credentials are compromised. Because of those risks, stronger and more efficient MFA is required for certain accounts. To achieve this, ITS has historically used OATH (One Time Passwords) for SSH and sudo access on Linux servers, and recently started requiring either certificates + PIN or Duo for Windows logons.

OATH is deprecated and all OATH users are being moved to certificate-based authentication. ITS is issuing YubiKeys that will be used to securely generate and store the private keys behind these certificates.

Requirements

Considerations

  • These docs are not the only way to accomplish the goal, nor are YubiKeys required; however, the further you deviate from these docs, the less knowledge ITS has to assist you.
  • The OS takes an exclusive lock on the YubiKey. If you use multiple computers, including virtual machines, you will need multiple devices: one device per instance of the OS.
    • A YubiKey can be passed through to RDP session(s) (Windows only).
  • Each device will have a different certificate. A single certificate can, however, be used for access to both Linux and Windows servers.
  • Expert mode: While a YubiKey (i.e. a Yubico device) is not required, the docs and process are written assuming a YubiKey is being used. Any device that can securely generate and store keys in a way that can be cryptographically verified will work.


Process Overview

  1. Initialize/Configure Yubikey
  2. Which Certificate Is Right For Me?
  3. Submit certificate for verification
  4. Configure clients to use certificates

Initialize/Configure Yubikey


 First steps with Yubikey


Which Certificate Is Right For Me?

The following is a suggested way to determine which certificate process to follow. If you feel comfortable deviating from it, feel free to do so.

If you primarily log into and work with Windows machines, follow the process below:

 Windows CA issued Certificate


Otherwise, follow the process below:

 Self-Signed Certificate


Submit certificate for verification


 Yubikey Attestation and Submission (Work in Progress)


Configure clients to use certificates

Yubikey Windows SSH Client Configuration


Yubikey Mac SSH Client Configuration


Yubikey Linux SSH Client Configuration

Other uses of Yubikeys
