Configuring and using certificates to access ITS servers

This document is in progress!

Summary

Passwords alone are no longer sufficient. To address this RIT has moved to Duo's MFA service for the majority of services. Admins and developers, however, have access to large amounts of information and have privileges on servers that can cause significant damage if their credentials are compromised. Because of those risks, stronger and more efficient MFA is required for certain accounts. To achieve this, ITS has historically used OATH (One Time Passwords) for SSH and sudo access on Linux servers and recently started requiring either certificates + PIN or Duo for Windows logons.

OATH is deprecated and all OATH users are being moved to certificate-based authentication. ITS is issuing YubiKeys that will be used to securely generate and store these certificates.

Requirements

Requesting a YubiKey

Considerations

  • These docs are not the only way to accomplish the goal, nor are YubiKeys the only way to accomplish password-less authentication; however, the further you deviate from these docs, the less knowledge ITS has to assist you.
  • The OS takes an exclusive lock on the YubiKey. If you use multiple computers, including virtual machines, you will need multiple devices: one device per instance of the OS.
    • A YubiKey can be passed through to RDP session(s) (Windows only).
  • Each device will have a different certificate. A single certificate can, however, be used for access to both Linux and Windows servers.
  • Expert mode: while a YubiKey (i.e. a Yubico device) is not required, these docs and the process assume a YubiKey is being used. Any device that can securely generate and store keys in a way that can be cryptographically verified will work.


Process Overview

I. Certificate Enrollment
II. Submit certificate for verification
III. Configure clients to use certificates
IV. Next steps

I. Certificate Enrollment


Enrollment

  1. Ensure the YubiKey is plugged in.

     The YubiKey should be new or reset to factory defaults.

     Ensure the YubiKey has the default management key (MGMT key); if not, run the following command, replacing <MGMKEY> with the current management key:
     ykman piv access change-management-key -m <MGMKEY> -n 010203040506070801020304050607080102030405060708

     or reset the PIV application: https://support.yubico.com/hc/en-us/articles/360013645480-Resetting-the-Smart-Card-PIV-Application-on-Your-YubiKey


  2. Remote desktop to enroll01.ad.rit.edu
    1. Enter enroll01.ad.rit.edu into the Computer: field.
    2. Select the Show Options dropdown in the bottom left.
    3. Select the Advanced tab.
    4. Select Settings... under Connect from anywhere.
    5. Select Use these RD Gateway server settings: and enter "rdgateway.rit.edu" as the Server name.
    6. Select OK.
    7. Select Connect.
    8. Enter RIT credentials with username MAIN\xxxxxx where "xxxxxx" is your username.
    9. Enter credentials again.

  3. Complete the Duo multi-factor prompt (it is sent automatically).

  4. Double-click on Autoenroll.bat.

  5. Enter PIN 123456 when prompted. When complete, the command prompt window will go away.
     Note: 123456 is the default YubiKey PIN.

      Change PIN (if default)

  6. Send Ctrl-Alt-Del through RDP (Ctrl-Alt-End) and click on Change a password.

  7. Click on Sign-in options and then Smart card.

  8. Enter the default PIN and your new PIN.

II. Submit certificate for verification


YubiKey Attestation and Submission

Attestation

  1. Insert the YubiKey.

  2. Open a local Terminal (Linux/Mac) or PowerShell (Windows).

     Windows only: run the following to add the YubiKey Manager CLI tools to the user-level PATH:

    #User Level
    $newPath = "$env:ProgramFiles\Yubico\Yubikey Manager;" + [Environment]::GetEnvironmentVariable("PATH", [EnvironmentVariableTarget]::User)
    [Environment]::SetEnvironmentVariable("PATH", $newPath, [EnvironmentVariableTarget]::User)

    Note: you must close and re-open PowerShell for the new PATH to be picked up.

  3. Run the following command to produce the attestation certificate for the key in slot 9a (rerun it for other slots, such as 9d).

    Linux users will need to locate the AppImage and execute it with the ykman command as its argument.

    ykman piv keys attest 9a <path to save attestation certificate>
    ---
    Example:
    (Windows) ykman piv keys attest 9a $env:HOMEPATH\$env:USERNAME-attest.pem
    (Linux) yubikey-manager-qt-***-linux.AppImage ykman piv keys attest 9a $HOME/$USER-attest.pem
    (Mac) /Applications/YubiKey\ Manager.app/Contents/MacOS/ykman piv keys attest 9a $HOME/$USER-attest.pem
    1. This step is only needed if cpu.rit.edu requests it.

       Run the following to pull the intermediate attestation certificate from slot f9.

       Linux users will need to locate the AppImage and execute it with the ykman command as its argument.

       ykman piv certificates export f9 <path to save intermediate certificate>
       ---
       Example:
       (Windows) ykman piv certificates export f9 $env:USERPROFILE\yubico-intermediate-ca.pem
       (Linux) yubikey-manager-qt-***-linux.AppImage ykman piv certificates export f9 $HOME/yubico-intermediate-ca.pem
       (Mac) /Applications/YubiKey\ Manager.app/Contents/MacOS/ykman piv certificates export f9 $HOME/yubico-intermediate-ca.pem
  4. Print the contents of the attestation certificate file ($USERNAME-attest.pem).

    (Windows) Get-Content $env:HOMEPATH\$env:USERNAME-attest.pem
    (Linux/Mac) cat $HOME/$USER-attest.pem
  5. This step is mainly required for access to Linux servers.
    Paste the entire contents of the file ($USERNAME-attest.pem), including the "BEGIN/END" lines, into the website below.

    Students: Please log in with your student employee account.

    This is still being tested, but we are using this for now.

    Open in New Tab/Window: https://cpu.rit.edu/yubikey

    3/18/2022 - (Used for testing only): Open in New Tab/Window: https://cpu.rit.edu/yubikey

    If submitting multiple certs, each certificate must be merged before a new one can be added (I believe this is true, needs verification).

    Please inform someone from Operations (Infrastructure Apps/Networks/Systems) that you've uploaded a certificate.
    This step may require a face-to-face meeting or camera-enabled Zoom meeting.

    The above process creates a merge request in the Systems team's Ansible repo. The MR needs to be approved before the keys are pushed out to systems.
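The checks the submission side has to perform before an uploaded attestation turns into an SSH key pushed out through the Ansible MR, as an added Python example (using the cryptography package; this is not the cpu.rit.edu tool's code). It pins a root certificate, checks that the slot certificate was signed by this device's own f9 intermediate and that the intermediate chains to the root, reads the serial and PIN/touch policy from Yubico's attestation extensions, and derives the OpenSSH public key line; make_test_chain builds a constructed stand-in chain because the real Yubico root is not embedded here.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID, ObjectIdentifier
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa

# Yubico PIV attestation extension OIDs (from Yubico's PIV attestation documentation)
OID_SERIAL = ObjectIdentifier("1.3.6.1.4.1.41482.3.7")  # DER INTEGER: YubiKey serial number
OID_POLICY = ObjectIdentifier("1.3.6.1.4.1.41482.3.8")  # two bytes: PIN policy, touch policy
PIN_POLICY = {1: "never", 2: "once", 3: "always"}
TOUCH_POLICY = {1: "never", 2: "always", 3: "cached"}

def _check_signed_by(cert, issuer):  # raises InvalidSignature if issuer's key did not sign cert
    pub, h = issuer.public_key(), cert.signature_hash_algorithm
    if isinstance(pub, rsa.RSAPublicKey):  # Yubico's attestation CAs are RSA (PKCS#1 v1.5)
        return pub.verify(cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), h)
    pub.verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(h))

def verify_attestation(attest_pem, intermediate_pem, root_pem):
    """Check pinned root -> slot f9 intermediate -> slot attestation cert; return device facts + SSH key."""
    att, mid, root = (x509.load_pem_x509_certificate(p) for p in (attest_pem, intermediate_pem, root_pem))
    if mid.issuer != root.subject or att.issuer != mid.subject:
        raise ValueError("issuer/subject names do not chain")
    _check_signed_by(mid, root)  # the f9 cert must chain to the pinned root, not just any CA
    _check_signed_by(att, mid)   # the slot cert must be signed by this device's own f9 key
    serial_der = att.extensions.get_extension_for_oid(OID_SERIAL).value.value
    policy = att.extensions.get_extension_for_oid(OID_POLICY).value.value
    ssh_line = att.public_key().public_bytes(serialization.Encoding.OpenSSH, serialization.PublicFormat.OpenSSH)
    return {"serial": int.from_bytes(serial_der[2:], "big"),  # skip the DER tag and length bytes
            "pin_policy": PIN_POLICY.get(policy[0], "unknown"), "touch_policy": TOUCH_POLICY.get(policy[1], "unknown"),
            "ssh_key": ssh_line.decode()}

def make_test_chain():
    """Constructed stand-in for the real Yubico chain (test fixture only, not Yubico's CA)."""
    now = datetime.now(timezone.utc)
    def mk(cn, pub, issuer_cn, signer, exts=()):
        name = lambda c: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, c)])
        b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
             .public_key(pub).serial_number(x509.random_serial_number())
             .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=3650)))
        for oid, val in exts:
            b = b.add_extension(x509.UnrecognizedExtension(oid, val), critical=False)
        return b.sign(signer, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)
    root_key, mid_key = (rsa.generate_private_key(65537, 2048) for _ in range(2))
    slot_key = ec.generate_private_key(ec.SECP256R1())  # stands in for the key generated in slot 9a
    root = mk("Test Root", root_key.public_key(), "Test Root", root_key)
    mid = mk("Test f9", mid_key.public_key(), "Test Root", root_key)
    att = mk("Test 9a", slot_key.public_key(), "Test f9", mid_key,
             [(OID_SERIAL, b"\x02\x04\x00\xbc\x61\x4e"), (OID_POLICY, b"\x02\x03")])  # serial 12345678
    return att, mid, root
```

With a real submission, root_pem is Yubico's published PIV attestation root and the other two files are the ones produced by the ykman commands above; the returned ssh_key line is what would go into authorized_keys.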

Continue onto client configuration.

III. Configure clients to use certificates

Windows: III. YubiKey Windows SSH Client Configuration


Mac: III. YubiKey Mac SSH Client Configuration


Linux: III. YubiKey Linux SSH Client Configuration


IV. Next steps

YubiKey Duo Setup - start.rit.edu/Duo

Other uses for certificates

Other uses of YubiKeys

Troubleshooting